BIS Research Shows Rigid Reserve Rules Can Backfire: What Risk Officers at Regulated VASPs Need to Reconsider
A working paper from the BIS models how stablecoin issuers optimise capital and reserve allocations under different regulatory constraints, and the results challenge a core assumption embedded in current compliance architecture. The thresholds work through asymmetric channels: while a liquidity threshold only raises cash holdings, a capital threshold increases both capital and cash. Both thresholds mitigate default and spillover risks, suggesting they are substitutes. The implication for regulated intermediaries is counterintuitive: adding compliance requirements does not necessarily reduce risk exposure in proportion to the operational burden they create.
The research, authored by Tirupam Goel, Ulf Lewrick and Isha Agarwal, examines how issuers balance the trade-off between holding cash for redemptions versus interest-bearing bonds for revenue. Absent regulation, the issuer holds little capital and favours interest-bearing but less-liquid bonds over cash. This exposes coin-holders to default risks and poses systemic spillovers via price impact of bond fire-sales. The model demonstrates that regulatory thresholds function as usable buffers that discipline issuers by triggering additional redemptions when breached, but the channels through which they operate differ fundamentally.
This matters because the two major regulatory regimes now taking effect, the EU's MiCAR and the US GENIUS Act, have chosen different calibrations. The Regulation requires stablecoin issuers to hold at least 30% (60% for significant issuers) of their reserve assets with credit institutions, while the remainder must consist of low-risk, highly liquid financial instruments, such as sovereign bonds. The European approach mandates bank deposit exposure at precisely the scale where the March 2023 stress event demonstrated acute vulnerability.
The GENIUS Act requires 100% reserve backing with liquid assets like U.S. dollars or short-term Treasuries and requires issuers to make monthly, public disclosures of the composition of reserves. The American framework, by contrast, permits reserves held entirely in sovereign debt, avoiding mandated bank deposit concentrations. The GENIUS Act demands reserves be held in cash or short-term U.S. Treasuries, and forces banks to issue from a bankruptcy-remote subsidiary. This insulates the reserves from the bank's own credit risk.
The divergence is not academic. In March 2023, Circle, the issuer of USDC, publicly announced that it was unable to access a portion of its dollar reserves held as (uninsured) deposits at SVB. This announcement precipitated a surge in redemption requests by holders of USDC, causing the stablecoin to lose its peg against the dollar on secondary markets when Circle shut down primary market operations over the weekend. At its trough, USDC traded at 86 cents to the dollar. Public commitment from Circle, to stand behind USDC using "external capital," on Saturday, March 11 provided price support but did not restore the peg.
The contagion did not stop with USDC. This episode illustrates how a negative shock arising from increased transparency of reserves led to a shift in the aggregate behavior of coin holders. USDC had served as a stable reserve asset for other stablecoins such as Dai, which shortly thereafter lost its peg as well. The interconnection was not a design flaw, it was an emergent property of how compliance requirements distributed exposure across the system.
MiCAR's concentration limits compound this dynamic. Concentration limits restrict deposits: no more than 25% with systemically important institutions, 15% with large credit institutions, 5% with smaller banks. Issuers must cultivate relationships with multiple banking partners where "crypto-friendly banks in Europe" remain scarce. The regulation forces issuers to maintain relationships with at least four credit institutions, and for significant stablecoins, substantially more. Each relationship represents a distinct counterparty exposure, a separate contractual arrangement, and an independent failure point.
For e-money institutions, large required reserves (e.g. 30% or 60% deposited with EU banks for (non-)significant issuers) mean that redemptions could strain the liquidity positions of associated banks, especially those with concentrated exposure to crypto-asset players. The risk is heightened by the likely development of 'crypto-friendly' banks: with no overall cap on the aggregate stablecoin-related liability any one bank can have, the rise of banks heavily reliant on crypto sector funding is likely, amplifying systemic risk.
For VASPs operating in this environment, the operational implications extend beyond stablecoin issuers to the entire infrastructure stack. An exchange or broker with separate custody, execution, and banking providers faces the same dynamic: each vendor added to satisfy a compliance requirement introduces its own counterparty risk profile. When regulations tighten, the instinct is to add providers, another custodian, another liquidity source, another banking relationship, to distribute exposure. The BIS research suggests this instinct may be precisely wrong.
The model shows that capital requirements pull on multiple levers simultaneously, while liquidity requirements pull on only one. A capital rule, by contrast, makes issuers raise more capital and hold more cash. The logic is the stablecoin issuer is motivated to hold extra cash to reduce the likelihood of a fire sale of bonds which would erode capital. So a capital requirement ends up pulling on both levers, whereas a liquidity requirement only pulls on one. Translated to operational architecture: a vendor stack designed purely around liquidity buffers at each node does not accumulate the capital cushions that would absorb correlated stress across those nodes.
If stablecoins need to draw down on their bank deposits to meet large redemptions, financial stress could spread rapidly to the banking sector and then to other parts of the financial system. While fees and other redemption restrictions on stablecoins can reduce this risk, they detract from stablecoins' moneyness, making them less suitable for payments. The trade-off is not between safety and efficiency, it is between different types of fragility.
The practical question for risk officers is not whether to comply with reserve and custody requirements, that is not optional. The question is whether the architecture that satisfies those requirements should be designed around vendor diversification or around consolidated oversight. A fragmented setup may check every compliance box while distributing exposure across entities whose correlations are invisible until they materialise simultaneously.
A significant problem with GENIUS is that the permissible reserve assets include uninsured deposits in banks and shares of credit unions. But uninsured deposits are risky and illiquid, raising the possibility that stablecoins backed by these assets will not offer a stable value and will be prone to runs, unless these risks are mitigated by capital, liquidity, and risk management standards. Moreover, allowing stablecoins to hold uninsured bank deposits creates direct two-way interconnections between the risk of banks and the risk of stablecoins.
The timing matters. Federal agencies must complete 21 separate rulemakings, with most due by July 18, 2026. As implementation deadlines approach for both MiCAR technical standards and GENIUS Act regulations, VASPs face pressure to build or expand compliance infrastructure. The instinct will be to add vendors to satisfy each requirement independently.
The BIS research suggests a different posture: counterparty exposure should be managed strategically rather than assembled accidentally through compliance checkbox exercises. Whether the answer is consolidation under a single regulated umbrella or more sophisticated correlation analysis across a multi-vendor stack, the underlying insight is the same. Rigid rules create predictable responses, and predictable responses can concentrate risk in ways that rigid rules were not designed to anticipate.
References
[2] Regulation (EU) 2023/1114 (MiCAR)
