Stablecoin issuers face a layered oversight challenge that the standard “monthly reserve attestation” framing doesn’t fully solve. A point-in-time attestation report under AICPA AT-C standards confirms reserves at a single moment. It doesn’t run daily reserve controls, doesn’t handle exceptions when they happen, and doesn’t prepare the documentation auditors and regulators actually need. This post explains the independent reserve administrator role, a non-attest, ongoing oversight function that sits between the issuer’s internal team and the firms providing periodic attestation, and why stablecoin issuers operating under the GENIUS Act, NYDFS guidance, and state digital asset frameworks should think of it as a distinct service layer rather than an extension of attestation work.
Executive Summary
- According to Ridgeway Financial Services, the most overlooked gap in stablecoin reserve oversight is the difference between periodic attestation work and continuous reserve administration. Both are valuable; they answer fundamentally different questions for the issuer, the board, the bank partner, and the regulator.
- Reserve attestation under AICPA AT-C standards confirms what reserves looked like at one or more points in time. It does not operate the daily controls that produce reliable reserves between attestation dates and does not give the board the ongoing assurance posture the GENIUS Act and state regulators are starting to expect.
- An independent reserve administrator handles continuous monitoring: daily token-supply-to-reserve tie-outs, custodian and banking partner confirmations, exception handling and escalation, depeg surveillance, freeze-list and sanctions controls testing, and monthly packages that the attestation provider and external auditor can rely on.
- The GENIUS Act, signed into law July 2025, formalizes federal expectations for payment stablecoin reserves: 1:1 backing in cash, Treasury bills, and insured bank deposits, with prescribed redemption mechanics. Issuers operating under federal or state regimes need oversight that runs continuously, not only at month-end.
- Independent reserve administration is non-attest advisory work. It does not replace the attestation report or the external audit; it makes both more credible by ensuring the controls, exception logs, and supporting documentation are actually in place when the attestation provider and auditor arrive.
- RFS provides independent reserve administration for stablecoin issuers as a productized engagement covering daily monitoring, monthly board-level controls reporting, attestation prep packages, and examiner-ready documentation, structured to fit alongside the issuer’s chosen attestation firm and external auditor.
The three layers of stablecoin reserve oversight
Stablecoin reserve oversight is often described as a single function, but in practice it has three distinct layers, each performed by a different party with different independence and competence requirements.
The first layer is the issuer’s internal finance and operations team. This is the group that runs the day-to-day mechanics: minting and burning tokens, instructing reserve movements, executing redemption requests, and maintaining the books. They are closest to the operational reality and farthest from independence.
The second layer is an independent administrator. This is an outside party that monitors the reserve continuously, runs and tests the controls the issuer’s team designed, confirms balances directly with custodians and banking partners, logs exceptions, and produces ongoing reporting for the board, the bank partner, and any regulator that asks. The work is non-attest by design. It doesn’t issue an opinion; it operates and oversees the controls.
The third layer is the attestation provider. A licensed CPA firm performs an attestation engagement under AICPA AT-C standards, evaluating reserves against the issuer’s stated criteria as of one or more reporting dates. The output is a formal attestation report addressed to a defined audience. Independence requirements for AT-C engagements are stringent and the firm performing attestation work generally cannot also be operating the underlying controls.
A separate external auditor may also issue an opinion on the issuer’s full financial statements as part of an annual audit. That auditor will rely on management representations, attestation reports, and the underlying control environment, which is where the independent administrator role pays off most visibly.
Most public conversation about stablecoin reserves collapses layers two and three together, treating “reserve attestation” as the entire oversight model. It isn’t. The attestation report is a snapshot; the administrator’s work is the film between snapshots.
What reserve attestation is, and what it isn’t
Reserve attestation work is performed under the AICPA’s attestation standards, principally AT-C section 105 and AT-C section 205 for examinations, with stablecoin-specific criteria typically anchored in the AICPA’s 2023 Criteria for Stablecoin Reporting or in NYDFS-style guidance for New York-supervised issuers. The CPA firm collects evidence as of the reporting date or dates, evaluates the assertion the issuer is making about its reserves, and issues a written report.
What attestation is good at: providing third-party assurance, in a regulated form, addressed to a defined audience, with clear criteria, on a defined date. Attestation reports are what regulators, exchanges, and counterparties want to see when they ask “are the reserves there.” They carry weight because they are issued under professional standards by independent firms.
What attestation is not designed to do: run the issuer’s daily reserve controls, handle exceptions in real time, perform daily on-chain supply reconciliations to off-chain reserve balances, or produce the operational documentation regulators ask for during examinations. The attestation provider arrives, performs procedures against the criteria, and issues a report. The provider is not embedded in the issuer’s operations and is not supposed to be. Independence under AT-C standards explicitly prevents the attestation firm from operating the controls it later attests to.
This is structurally identical to the audit world. A financial statement auditor cannot also be the company’s outsourced controller; the attestation firm cannot also be the company’s reserve administrator. The two roles are complementary by design.
The independent reserve administrator role
Reserve administration is the operational layer between the issuer’s internal team and whoever is providing periodic attestation. The administrator is independent of management (meaning it doesn’t initiate transactions, control wallets, or approve mints), but it is embedded enough in the operating cadence to monitor reserves daily, test controls live, and produce documentation auditors will rely on. The work generally falls into five buckets.
Daily reserve tie-out and exception logging
Each day, the administrator pulls token supply directly from the relevant chain or chains, requests reserve balances from each custodian and banking partner, and ties the two together. Any variance (circulating supply exceeding reserves, a movement of reserve funds that wasn’t pre-approved, an unexpected redemption pattern) is logged as an exception with a documented disposition. The exception log becomes the most important artifact in the file when an examiner or auditor asks “what happened here.”
Custodian and bank partner confirmations
The administrator establishes confirmation procedures with each custodian and banking partner holding reserve assets. This includes reading-only access where it’s available, periodic written balance confirmations on the administrator’s request, and direct view of reserve account statements. The point is that the administrator’s view of reserves is not mediated by the issuer’s internal team. The data flows from the custodian or bank to the administrator and is reconciled independently.
On-chain supply monitoring and chain coverage
For multi-chain stablecoins, on-chain supply has to be aggregated across every chain the token is deployed on. Each chain has its own block explorer, its own latency profile, and its own bridging considerations. The administrator maintains a chain coverage map and pulls supply data through reliable indexers, with a documented methodology for how bridged supply, locked supply, and burned supply are treated. This is not work the attestation firm performs day-to-day. It’s work the attestation firm wants to see has been performed when it arrives for the engagement.
Depeg surveillance and freeze-list controls testing
Reserve adequacy is necessary but not sufficient. The administrator monitors secondary-market price for indications of depeg pressure, tracks redemption velocity, and tests the issuer’s freeze and blacklist controls on a periodic sample basis to confirm they actually work when invoked. For sanctions controls, this means periodically testing that an instruction to freeze a wallet results in a frozen wallet. The testing log goes into the file along with the exception log.
Monthly attestation prep and examiner-ready documentation
At the end of each month, the administrator delivers a packaged set of artifacts to the issuer’s leadership, board, attestation provider, and bank partner: the daily tie-out summary, exception log with dispositions, control testing log, custodian and bank confirmations, on-chain supply data, and a written controls report. This is the package the attestation provider needs to perform efficient AT-C work, and the package an examiner expects when conducting a regulatory examination. Producing it as a steady output of ongoing monitoring is dramatically less expensive than reconstructing it twice a year under deadline.
Why issuers use an independent third party
The same reserve administration work could, in theory, be performed by an internal team member with the right title. In practice, internal-only structures struggle in three ways.
The first is governance credibility. Boards, bank partners, and regulators give materially more weight to confirmations and control testing performed by a party that does not report into the CFO. An internal “reserve operations lead” sitting in finance, however competent, is structurally inside the same chain of command as the people executing reserve movements. An external administrator is not, and that distinction matters when something needs to be raised, escalated, or paused.
The second is bank partner due diligence. Banks providing reserve custody for stablecoin issuers are conducting their own ongoing diligence on the issuer, particularly under the heightened expectations following the GENIUS Act. The bank’s risk team almost universally prefers to see external monitoring layered on top of the issuer’s internal controls, because it materially reduces the bank’s own residual risk and makes the relationship easier to defend internally at the bank.
The third is operational continuity. Stablecoin issuers, particularly early-stage ones, frequently lose finance personnel during fundraising cycles or product pivots. An external administrator survives those transitions intact, with documentation that doesn’t walk out the door when an internal hire leaves. Examiners and auditors notice the difference.
How this fits under the GENIUS Act
The Guiding and Establishing National Innovation for U.S. Stablecoins Act, signed into law in July 2025, established the first federal framework for payment stablecoins. The statute requires permitted payment stablecoin issuers to back outstanding tokens 1:1 with permitted reserve assets (cash, short-duration Treasury bills, certain repurchase agreements, and insured bank deposits), and prescribes redemption mechanics, disclosure cadence, and supervisory expectations.
The federal framework treats periodic attestation as a baseline disclosure mechanism, not as the entire reserve oversight model. Issuers operating as bank subsidiaries, OCC-supervised nonbank entities, or state-chartered issuers under regimes the federal government has certified as substantially similar are all expected to operate ongoing controls and documentation around the reserve, not only to produce point-in-time attestation reports.
For state-supervised issuers, similar themes show up under NYDFS guidance for issuers under the New York virtual currency framework, and under emerging state digital asset frameworks in Texas, California, and elsewhere. State examiners conducting on-site reviews ask for the operating documentation (daily logs, exception files, control testing) that an independent administrator produces as a steady output. Issuers without that documentation file scramble to reconstruct it; issuers with it walk through the examination cleanly.
The independent reserve administrator role is not mandated explicitly in the statute or in current state regimes. It is, however, the practical mechanism that produces the documentation the statute and the state regimes require, and increasingly the structure that bank partners and large counterparties are pricing into their own onboarding decisions.
Working alongside your attestation provider and external auditor
An independent reserve administrator does not compete with the attestation firm or the external auditor. It makes both jobs easier and faster, which usually translates into lower attestation and audit fees over time, not higher ones.
For the attestation provider, the administrator’s monthly package supplies most of the evidence the AT-C engagement needs: confirmations, reconciliations, exception logs, methodology documentation, and chain coverage. The attestation provider still performs its own procedures (independence requires it), but the work is far more efficient because the underlying file is organized and current. Attestation engagements that would otherwise consume two to three weeks of fieldwork frequently compress to days.
For the external auditor, the administrator’s documentation directly supports the auditor’s reliance on internal controls over reserve management. Auditors are required to evaluate the design and operating effectiveness of relevant controls. An ongoing administrator role with documented testing and exception handling is exactly the kind of control environment auditors want to see and frequently do not, in the digital asset sector.
The relationship between the three roles works best when communication is structured. The administrator and attestation provider should align on the criteria being attested to, the cutoff conventions for each engagement, and the format of the supporting package. The administrator and external auditor should align on the controls documentation, the testing approach, and any management letter items. None of this is novel. It is the same coordination pattern that operates in any well-run controlled environment outside the stablecoin context.
Scope and limitations of non-attest engagements
Independent reserve administration is non-attest advisory work and should be scoped explicitly as such. The boundary between non-attest advisory and attestation work matters legally, professionally, and reputationally, and it matters more in stablecoin oversight than almost any other area of finance because the same words (“verification,” “confirmation,” “monitoring”) get used in both contexts and mean different things.
An independent reserve administrator does not issue an attestation report under AICPA AT-C standards. It does not opine on the adequacy of reserves as of any reporting date, does not issue a formal opinion on the design or operating effectiveness of the issuer’s internal control over financial reporting, and does not perform an audit. Issuers required to provide attestation reports to regulators, counterparties, exchanges, or under any state framework must engage a separate licensed CPA firm under attestation independence rules.
What the administrator does provide is operational oversight: documented daily monitoring, independent confirmation of reserve balances against on-chain supply, exception identification and tracking, control testing on a defined cadence, and packaged documentation for the issuer’s board, attestation provider, external auditor, and bank partner. The output is internal management information and supporting documentation, not a public-facing attestation product.
The scope distinction is intentional. It allows the administrator to be embedded in operations in a way an attestation firm structurally cannot be, while preserving the issuer’s ability to engage an attestation firm under proper independence rules to issue the public-facing reports the market and regulators expect.
Services for stablecoin issuers
Ridgeway Financial Services provides independent reserve administration as a productized engagement for stablecoin issuers operating under the GENIUS Act, under NYDFS supervision, or under state digital asset frameworks. The engagement covers daily reserve tie-outs, custodian and bank partner confirmation procedures, on-chain supply monitoring across deployed chains, exception logging and disposition tracking, freeze-list and sanctions controls testing on a defined sample basis, and monthly packaged documentation delivered to leadership, the board, the attestation provider, and the bank partner.
RFS structures these engagements to fit alongside the issuer’s chosen attestation firm and external auditor, with documented coordination on criteria, cutoffs, and reporting formats. The work is non-attest advisory by design and is delivered by a CPA-led team with prior experience in digital asset accounting, crypto custody operations, and internal controls for crypto companies. Issuers also evaluating reserve custodians at the same time may find the firm’s digital asset security platforms comparison useful as background.
RFS also supports stablecoin issuers more broadly through fractional CFO services, accounting consulting, technical accounting memo work, and money transmitter license readiness for issuers operating in jurisdictions that require state-level licensure alongside or instead of federal-level supervision under the GENIUS Act.
Engagements typically begin with a one-to-two-week scoping phase covering the issuer’s chain coverage, custodian and bank partner inventory, existing controls documentation, and current attestation cadence. Steady-state operation begins immediately after scoping. Initial monthly packages are delivered within the first month of steady-state, and the cadence scales with the issuer’s reporting obligations.
Frequently Asked Questions
No. A reserve attestation is a formal engagement under AICPA AT-C standards in which a licensed CPA firm evaluates the issuer’s reserve assertion as of one or more reporting dates and issues a written report. Independent reserve administration is non-attest advisory work performed continuously between attestation dates: daily tie-outs, custodian confirmations, exception logging, and controls testing. The two roles complement each other and are typically performed by different firms because attestation independence rules generally prevent the attestation provider from also operating the underlying controls.
The statute does not name the independent administrator role explicitly. It does require permitted payment stablecoin issuers to back outstanding tokens 1:1 with permitted reserve assets and to operate ongoing controls, disclosure, and redemption mechanics consistent with federal supervisory expectations. In practice, the documentation and controls expected of issuers under the federal framework are produced as a steady output of an independent administrator engagement, which is why the role is becoming a market standard even where the statute itself does not mandate it.
Generally no. AICPA independence rules for AT-C attestation engagements restrict the attestation firm from also operating the controls being attested to. Operating reserve controls and then issuing an attestation opinion on those same controls would compromise the firm’s independence and undermine the value of the attestation report. The market standard is to engage one firm for ongoing administration and a separate firm for periodic attestation, with documented coordination between the two.
Issuers with a strong administrator typically see lower attestation and audit fees over time, not higher. The attestation provider arrives to a current, organized file of confirmations, reconciliations, exception logs, and methodology documentation, which compresses fieldwork materially. The external auditor finds a documented control environment that supports reliance on internal controls, which reduces substantive testing scope. The total cost of oversight tends to fall, not rise.
The work itself can be performed internally; the structural value of an external administrator is independence, governance credibility, and continuity. Boards, bank partners, and regulators weight monitoring performed by a party outside the CFO’s chain of command differently than they weight the same work performed inside it. External administration also survives personnel transitions, which internal-only structures often don’t, particularly during fundraising and product pivots.
For tokens deployed on multiple chains, the administrator maintains a chain coverage map identifying every chain on which the token has been deployed, every bridge being used, and the methodology for treating bridged supply, locked supply, and burned supply. Supply is pulled from each chain through reliable indexers and aggregated to a total circulating figure, which is then reconciled against the off-chain reserve total. Variances are logged and resolved before the daily tie-out is closed.
Yes, in almost all cases. Bank partners providing reserve custody for stablecoin issuers benefit directly from external monitoring because it materially reduces the bank’s residual risk on the relationship. The administrator typically establishes read-only access where it is available, periodic written balance confirmations, and a defined communication channel for exception escalation. The arrangement is documented in the administrator’s engagement letter and in the issuer’s reserve operating procedures.
At launch, most issuers need a defined reserve operating procedure, a chain coverage methodology, custodian and bank confirmation arrangements, an exception handling and escalation framework, and a documented controls environment that an attestation firm can engage against from day one. RFS typically structures the first phase of the engagement as scoping and documentation buildout, with steady-state daily monitoring beginning immediately afterward and the first monthly package delivered within the first month of operation.
Reviewed by YR, CPA
Senior Financial Advisor