By AUJay
Can You Draft an RFP Checklist for Selecting a Multi-Chain Stablecoin Wallet Provider?
Summary: This post gives decision‑makers a concrete, up‑to‑date RFP checklist to evaluate multi‑chain stablecoin wallet providers, covering chain coverage, cross‑chain USDC via CCTP v2, account abstraction, passkeys, sanctions/Travel Rule controls, policy engines, SLAs, and pricing. It includes practical scoring rubrics, example questions, and implementation tips aligned to 2026 realities.
Why this matters in 2026
Stablecoin operations are now inherently multi‑chain. USDC moves natively across chains via Circle’s CCTP v2 with “seconds‑level” settlement and a published deprecation path for CCTP v1 beginning July 31, 2026; wallet providers that haven’t upgraded are already behind. Meanwhile, Ethereum’s Pectra upgrade (May 7, 2025) introduced EIP‑7702, letting EOAs temporarily act like smart accounts—unlocking paymasters and stablecoin‑paid gas at scale. Circle’s own Paymaster now enables USDC‑denominated gas across major EVM chains, with EOA support post‑Pectra. In the EU, the Transfer of Funds Regulation (TFR) “Travel Rule” has been applicable since December 30, 2024, with EBA guidelines specifying what data must accompany crypto transfers—including when interacting with self‑hosted wallets. Your RFP must test for all three vectors: cross‑chain USDC, smart‑account UX, and compliance-by-design. (circle.com)
Also note market reality: USDT liquidity is heavily concentrated on Tron (over half of supply during 2025), while USDC’s cross‑chain reach relies on CCTP. Your provider should handle both the liquidity you need (e.g., TRC‑20 USDT) and the controls you require (e.g., sanctions, Travel Rule, reporting). (cointelegraph.com)
What “multi‑chain stablecoin wallet” means now
- Native USDC bridging via CCTP v2 (burn‑and‑mint, not lock‑and‑mint), with v1 deprecation milestones and a distinct v2 contract network. Require evidence of v2 integration on the chains you care about. (circle.com)
- Smart‑account functionality through ERC‑4337 and EIP‑7702: stablecoin‑as‑gas via paymasters, batched transactions, and programmable controls. (ercs.ethereum.org)
- Passkey‑based, phishing‑resistant authentication that meets modern assurance (NIST SP 800‑63‑4 recognizes syncable authenticators at AAL2). (csrc.nist.gov)
- Built‑in AML controls: Travel Rule data handling in the EU; on‑chain/off‑chain sanctions screening; and risk‑scoring integrations. (eba.europa.eu)
The 7Block Labs RFP checklist
Use the following sections and sample questions directly in your RFP. Weighting guidance and scoring rubric appear at the end.
1) Supported chains, stablecoins, and cross‑chain USDC orchestration
Ask vendors to prove end‑to‑end coverage—not just “wallet connect.”
- Enumerate supported chains and native stablecoin contracts per chain (USDC, USDT, EURC). Require a maintained list of contract addresses and chain IDs in a versioned repo.
- USDC via CCTP v2:
  - Confirm v2 contract integration on your target chains and the vendor’s migration plan from v1 (include cutover timeline and fallbacks before the July 31, 2026 v1 phase‑out). (circle.com)
  - Ask for measured settlement times (p50, p95) and failure‑handling procedures for attestation fetch; require logs that distinguish on‑chain revert vs. attestation unavailability. (btcc.com)
- Explicit bridge policy:
  - Require “native first” (CCTP for USDC) and written exceptions when falling back to lock‑and‑mint bridges. Document the risk controls if a non‑burn‑and‑mint path is used. (circle.com)
- Tron USDT:
  - Confirm TRC‑20 USDT handling, fee estimation, and any RPC throughput limits, given USDT’s large share on Tron. (cointelegraph.com)
- Chainlink CCIP readiness:
  - If your roadmap includes non‑USDC cross‑chain assets, request CCIP support (GA since 2024; >50 chains in 2025) and implementation experience with the Cross‑Chain Token (CCT) standard. (prnewswire.com)
Sample RFP questions:
- Provide your CCTP v2 integration status per chain (Ethereum, Base, Arbitrum, Polygon PoS, Solana, etc.). Include test evidence of v2 “Fast Transfer” where applicable and a rollback plan if attestation services degrade. (btcc.com)
- List all bridges you may use for stablecoins by default and under exception; detail monitoring and circuit breakers.
2) Key management architecture and cryptography
Wallet security starts with keys—insist on specifics.
- MPC vs. HSM:
  - Describe MPC protocol (ECDSA, EdDSA), threshold (e.g., 2‑of‑3/3‑of‑5), signing environment (pure MPC vs. MPC + TEE), shard storage, and disaster recovery. Validate algorithm coverage for ECDSA chains (BTC/ETH) and EdDSA chains (Solana). (ncw-developers.fireblocks.com)
- Open‑source posture:
  - Ask whether the MPC implementation is published and audited (e.g., Fireblocks open‑sourced MPC‑CMP library; verify license/scope). (fireblocks.com)
- Enterprise governance:
  - Require policy‑controlled approvals, programmable spend limits, and human‑in‑the‑loop flows for high‑risk actions. Institutional providers like Fordefi highlight policy engines, transaction enrichment, and SOC 2 Type II—ask others to match or exceed. (fordefi.com)
- Attestations:
  - Request SOC 2 Type II and ISO/IEC 27001:2022 certificates from an accredited body; define scope boundaries (hosting, key ceremonies, custodial ops). (aicpa-cima.com)
Sample RFP questions:
- Provide your MPC protocol details, audit reports, and a recovery runbook for a lost shard scenario on both ECDSA and EdDSA wallets. (ncw-developers.fireblocks.com)
- Share last SOC 2 Type II and ISO/IEC 27001:2022 certificates with control scope; identify sub‑processors in scope. (aicpa-cima.com)
3) Smart accounts, paymasters, and stablecoin‑as‑gas
Modern UX requires account abstraction.
- ERC‑4337 support:
  - Confirm EntryPoint versions (v0.7/v0.8), bundler SLA, mempool compatibility, and simulation/sandbox tooling. (ercs.ethereum.org)
- Paymaster options:
  - Require support for token‑paid gas (USDC) and sponsorship modes. Evaluate third‑party stacks (Pimlico, Biconomy) and native solutions (Circle Paymaster) including rate‑limiters, oracles, and fee disclosures. (docs.pimlico.io)
- EIP‑7702 readiness:
  - Verify EOA → temporary smart‑account flows and how paymasters extend to EOAs post‑Pectra. (coindesk.com)
- Pricing transparency:
  - Circle Paymaster charges end‑users a 10% gas uplift (waived until June 30, 2025); insist any vendor disclose comparable fees and who bears them. (circle.com)
Sample RFP questions:
- Provide evidence of ERC‑4337 UserOperation success rates and average time‑to‑inclusion with your bundler on target L2s.
- Detail paymaster modes supported (ERC‑20, sponsored), chain coverage, oracle dependencies, and fee schedule. Include Circle Paymaster integration where available. (circle.com)
4) Authentication, recovery, and user access
Treat wallet auth like a regulated login, not a hobby.
- Passkeys by default:
  - Require WebAuthn/FIDO2 passkeys, device‑bound and syncable, with cross‑platform portability; FIDO Alliance guidance and NIST SP 800‑63‑4 treat passkeys as phishing‑resistant and AAL2‑capable. (fidoalliance.org)
- Passkey management:
  - Insist on passkey lifecycle controls and user guidance similar to Coinbase Smart Wallet best practices (cloud keychains, avoiding mass deletion, YubiKey options). (help.coinbase.com)
- MFA and server‑side authorization:
  - For embedded wallets, ask about MFA on sign/transfer (TOTP/SMS/passkeys) and server‑authorized actions with explicit ownership keys (e.g., Privy patterns). (docs.privy.io)
- Recovery:
  - Demand break‑glass procedures that do not compromise custody (e.g., guardian recovery for smart accounts, MPC shard re‑issuance, and well‑documented revocation flows).
Sample RFP questions:
- Describe your passkey enrollment UX, backup/sync, and portability; specify how you prevent social‑engineering prompts that would rotate keys unexpectedly. (fidoalliance.org)
- For embedded wallets, show MFA gating on sign/transfer and evidence that passkeys can be used as an MFA factor. (docs.privy.io)
5) AML, sanctions, and Travel Rule compliance
Compliance must be built‑in—not bolted on.
- EU Travel Rule (TFR) and EBA Guidelines:
  - Require conformance to EBA “information requirements” for crypto transfers from December 30, 2024, including interactions with self‑hosted wallets (originator/beneficiary data and procedures for missing data). (eba.europa.eu)
- Sanctions screening:
  - On‑chain gating via the Chainalysis oracle and off‑chain APIs for multi‑chain addresses (OFAC/EU/UN lists), or equivalents (Elliptic/TRM). Demand rate limits, uptime SLAs, and audit trails. (go.chainalysis.com)
- Policy engine integration:
  - Risk‑based controls that halt high‑risk flows, enforce allowlists/denylists, and trigger additional approvals.
Sample RFP questions:
- Show how your wallet enforces EU Travel Rule data capture and rejection handling on transfers lacking required fields; include data schemas and retention schedules. (eba.europa.eu)
- Demonstrate sanctions screening at address entry and pre‑sign, with Chainalysis/Elliptic/TRM coverage and on‑chain oracles where possible. (go.chainalysis.com)
6) Operational resilience, audits, and controls
If you can’t trust uptime or change management, don’t ship.
- SLAs and SLOs:
  - Require published SLAs for API uptime, signing services, bundlers, paymasters, and cross‑chain relays; include incident response and status page history.
- Certifications:
  - SOC 2 Type II and ISO/IEC 27001:2022 (from accredited bodies) as table stakes; request control mappings for key ceremonies, CI/CD, vulnerability management, and secrets handling. (aicpa-cima.com)
- Third‑party risk:
  - List of sub‑processors (RPCs, oracles, relayers). Require data residency options if regulated.
- Disaster recovery:
  - Evidence of tested DR (RPO/RTO) and periodic key‑recovery drills, including customer‑managed shard storage options.
Sample RFP questions:
- Provide your most recent SOC 2 Type II and ISO/IEC 27001:2022 certs, annexes, and scope statements; map controls to wallet operations. (aicpa-cima.com)
- Share uptime metrics for wallet APIs, bundlers, and paymasters over the past 12 months, with root‑cause analyses for Sev‑1 incidents.
7) Developer experience and observability
Developer velocity correlates with incident avoidance.
- SDKs and docs:
  - Multi‑language SDKs, typed clients, and quickstarts for ERC‑4337, CCTP v2, paymasters, and sanctions integrations. Require a public changelog and version pinning guidance. (developers.circle.com)
- Observability:
  - Webhooks and logs for sign attempts, policy hits, Travel Rule payloads, CCTP states (burn, attest, mint), and UserOperation lifecycle; export to SIEMs.
- Sandboxes:
  - Testnets and “dry‑run” simulators for paymasters and cross‑chain flows; mock sanctions and Travel Rule endpoints.
Sample RFP questions:
- Show an end‑to‑end sample app: mint USDC, CCTP transfer, ERC‑4337 call with USDC paymaster, sanctions check, and Travel Rule payload emission.
8) Pricing and total cost of ownership
- Gas UX fees:
  - Disclose paymaster fees (e.g., Circle Paymaster’s 10% end‑user gas uplift; developer fee waived until June 30, 2025). (circle.com)
- Platform fees:
  - Transparent pricing for seats, policies, per‑op signing, bundler ops, and cross‑chain relays. Require caps or enterprise tiers.
- Compliance cost:
  - Include Travel Rule messaging, sanctions API usage, and audit logging storage in TCO projections.
A scoring rubric you can adopt
Weight categories to align with your risk profile. Example (100 points total):
- Chain, stablecoin, cross‑chain USDC (CCTP v2): 20
- Security/keys (MPC/HSM, audits): 20
- Smart accounts and gas UX (ERC‑4337, EIP‑7702, paymasters): 15
- Authentication/recovery (passkeys, MFA): 10
- AML/Travel Rule/sanctions: 15
- Resilience/SLAs/certs: 10
- DevEx/observability: 5
- Pricing/TCO: 5
Set pass/fail gates: no SOC 2 Type II and ISO/IEC 27001:2022 → disqualify; no CCTP v2 on target chains → disqualify. (aicpa-cima.com)
Three practical vendor‑test scenarios
- Cross‑chain USDC treasury move
  - Task: Burn 1,000 USDC on Base; mint on Ethereum via CCTP v2; produce an artifact with tx hashes, Circle attestation status transitions, and timestamps.
  - Success criteria: p95 end‑to‑end < 90s under normal network conditions; circuit‑breaker if attestation fails; no wrapped USDC minted. (circle.com)
- Gasless onboarding with stablecoin‑paid gas
  - Task: New user with zero native gas performs two actions on Optimism via ERC‑4337 using a USDC paymaster.
  - Success criteria: Proof of EIP‑7702 path for EOAs or smart‑account path; clear disclosure of any per‑tx uplift (e.g., 10% Circle fee) and accurate USDC permit usage. (circle.com)
- Regulated transfer to a self‑hosted wallet (EU)
  - Task: Initiate a €900 equivalent stablecoin transfer from a CASP wallet to a self‑hosted address; capture and store Travel Rule fields; demonstrate sanctions pre‑check and procedure for missing data. (eba.europa.eu)
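The first scenario's artifact is only useful if you can evaluate it mechanically. The following added example (not Circle's or any vendor's code) does that for the logging requirement in section 1 and for the first scenario above: it reads a constructed burn/attest/mint event log, computes p50/p95 end-to-end latency, classifies failures as on-chain revert versus attestation unavailability, and trips a circuit breaker after an assumed number of consecutive attestation failures.

```python
"""Evaluate a CCTP v2 transfer log: latency percentiles, failure classes and a circuit breaker.
Added example for RFP evaluation; the event names, timings and threshold are constructed."""
import math
from collections import defaultdict

# Constructed log of (transfer_id, unix_seconds, event), mirroring the burn -> attest -> mint
# states the checklist asks vendors to record. Timings are made up for illustration.
LOG = [
    ("t1", 0, "burn_confirmed"), ("t1", 12, "attestation_complete"), ("t1", 35, "mint_confirmed"),
    ("t2", 5, "burn_confirmed"), ("t2", 20, "attestation_complete"), ("t2", 140, "mint_confirmed"),
    ("t3", 8, "burn_confirmed"), ("t3", 15, "attestation_complete"), ("t3", 30, "mint_reverted"),
    ("t4", 10, "burn_confirmed"), ("t4", 130, "attestation_timeout"),
    ("t5", 11, "burn_confirmed"), ("t5", 131, "attestation_timeout"),
    ("t6", 12, "burn_confirmed"), ("t6", 132, "attestation_timeout"),
]
ATTESTATION_TRIP_THRESHOLD = 3  # consecutive attestation failures that trip the breaker (assumed)


def percentile(values, p):
    """Nearest-rank percentile; None when no transfer completed end to end."""
    if not values:
        return None
    ordered = sorted(values)
    return ordered[max(math.ceil(p / 100 * len(ordered)) - 1, 0)]


def analyse(log, p95_limit_s=90):
    """Summarise the log against the scenario's p95 < 90s success criterion."""
    events = defaultdict(dict)
    for tid, ts, ev in log:
        events[tid][ev] = ts
    latencies, failures, streak, tripped = [], {}, 0, False
    for tid in sorted(events, key=lambda t: events[t]["burn_confirmed"]):
        ev = events[tid]
        if "attestation_timeout" in ev:
            failures[tid] = "attestation_unavailable"  # off-chain attestation service problem
            streak += 1
            if streak >= ATTESTATION_TRIP_THRESHOLD:
                tripped = True  # halt new burns: USDC is burned but cannot yet be minted
            continue
        streak = 0
        if "mint_reverted" in ev:
            failures[tid] = "onchain_revert"  # destination chain rejected the mint
            continue
        latencies.append(ev["mint_confirmed"] - ev["burn_confirmed"])
    p95 = percentile(latencies, 95)
    return {"p50": percentile(latencies, 50), "p95": p95,
            "meets_p95": p95 is not None and p95 < p95_limit_s,
            "failures": failures, "breaker_tripped": tripped}
```

Run `analyse(LOG)` on the vendor's exported log; a vendor whose log cannot be reduced to these three states per transfer has not met the logging requirement.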
Emerging best practices we recommend including
- Prefer burn‑and‑mint for USDC (CCTP v2) to avoid wrapped asset fragmentation; document fallback only for unsupported domains. (circle.com)
- Treat sanctions screening as layered defense:
  - On‑chain oracle gating where available plus off‑chain API screening with rate‑limit headroom and audit logs. (go.chainalysis.com)
- Make passkeys the default:
  - Offer both device‑bound and syncable options; reference FIDO and NIST 800‑63‑4; provide YubiKey fallback for regulated environments. (fidoalliance.org)
- Adopt stablecoin‑as‑gas for consumer UX:
  - Use ERC‑4337 paymasters; where feasible, leverage Circle Paymaster for USDC to simplify accounting. Track fee changes (10% uplift post‑June 30, 2025). (circle.com)
- Plan for Pectra/EIP‑7702 parity:
  - Ensure your provider can handle temporary smart‑account behavior for EOAs and verify EntryPoint compatibility. (coindesk.com)
- If your flows touch Tron (USDT):
  - Validate TRC‑20 support and enhanced monitoring given high stablecoin throughput on Tron. (cointelegraph.com)
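The layered sanctions point above, section 5's Travel Rule and pre-sign screening questions, and the third vendor-test scenario all describe one pre-sign policy gate. The following added example (not any vendor's code, and not the EBA's schema) sketches such a gate: transfers missing Travel Rule fields are held for the missing-data procedure, a hit from either the on-chain oracle or the off-chain API denies, no verdict from either layer fails closed, and every decision lands in an audit trail. The required field set and the rate-limit headroom are assumptions.

```python
"""Pre-sign policy gate: Travel Rule field check, layered sanctions screening, audit trail."""
from dataclasses import dataclass
from typing import Optional

# Assumed field set standing in for the EBA originator/beneficiary requirements; take the real
# schema from the guidelines, not from this example.
REQUIRED_TR_FIELDS = {"originator_name", "originator_account", "beneficiary_name", "beneficiary_account"}
RATE_LIMIT_HEADROOM = 20  # remaining off-chain API calls below which an alert is logged (assumed)

@dataclass
class Screening:
    """Constructed screening inputs. None means no verdict was obtained (oracle not deployed
    on this chain, or the off-chain API was rate-limited or down)."""
    oracle_sanctioned: Optional[bool]
    api_sanctioned: Optional[bool]
    api_remaining_calls: int

def pre_sign_gate(transfer: dict, screening: Screening, audit: list) -> str:
    """Return 'allow', 'hold' (manual review) or 'deny'; every outcome is appended to audit."""
    def decide(verdict, reason):
        audit.append({"transfer": transfer["id"], "decision": verdict, "reason": reason})
        return verdict
    # 1. Travel Rule: transfers lacking required fields go to the missing-data procedure, never out.
    missing = REQUIRED_TR_FIELDS - set(transfer.get("travel_rule", {}))
    if missing:
        return decide("hold", "travel_rule_missing:" + ",".join(sorted(missing)))
    # 2. Layered sanctions screening: a positive hit from either layer is enough to deny.
    verdicts = [v for v in (screening.oracle_sanctioned, screening.api_sanctioned) if v is not None]
    if any(verdicts):
        return decide("deny", "sanctions_hit")
    # 3. Fail closed: with no verdict from any layer, hold rather than sign blind.
    if not verdicts:
        return decide("hold", "screening_unavailable")
    # 4. Headroom alert so the API quota is raised before screening starts returning nothing.
    if screening.api_remaining_calls < RATE_LIMIT_HEADROOM:
        audit.append({"transfer": transfer["id"], "decision": "warn", "reason": "api_rate_limit_headroom_low"})
    return decide("allow", "travel_rule_complete;screening_clear")

# Constructed sample: the EU scenario from this post, a CASP wallet paying a self-hosted address.
SAMPLE_TRANSFER = {
    "id": "tx-900eur", "chain": "base", "asset": "USDC", "amount": 900,
    "travel_rule": {"originator_name": "Example CASP Client", "originator_account": "0xORIG_PLACEHOLDER",
                    "beneficiary_name": "Self-hosted holder", "beneficiary_account": "0xDEST_PLACEHOLDER"},
}
```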
Brief vendor landscape notes (to inform questions, not endorsements)
- Enterprise MPC platforms market their policy engines, transaction simulation, and SOC 2 Type II claims; test these with your own playbooks and require evidence. (fordefi.com)
- ERC‑4337 paymaster providers (e.g., Pimlico, Biconomy) offer ERC‑20 and sponsored modes; ask about EntryPoint versions and oracle dependencies. Circle Paymaster adds USDC‑native support, including for EOAs post‑Pectra. (docs.pimlico.io)
- Embedded wallet providers increasingly support passkey MFA and server‑authorized actions; verify passkey UX and recovery. (docs.privy.io)
30‑60‑90 day rollout checklist (post‑selection)
- Days 0–30:
  - Stand up dev/test with ERC‑4337, paymaster, CCTP v2; integrate sanctions API and on‑chain oracle; define Travel Rule schemas and storage. (circle.com)
- Days 31–60:
  - Pilot with real users: passkey enrollment, USDC‑paid gas, and CCTP transfers; measure p95 latencies and fallback rates; run a sanctions/Travel Rule tabletop exercise. (eba.europa.eu)
- Days 61–90:
  - Production hardening: SOC/ISO control mappings verified; DR rehearsal for MPC shard loss; finalize SLAs and on‑call rotations; go‑live with staged traffic.
Red flags
- “We support CCTP” without specifying v2 contracts and a v1 deprecation plan tied to July 31, 2026. (circle.com)
- No passkey roadmap or reliance on SMS‑only MFA for wallet access. (fidoalliance.org)
- ERC‑4337 claims but no evidence of EntryPoint v0.7/0.8 compatibility or paymaster audits. (ercs.ethereum.org)
- Hand‑wavy Travel Rule statements without explicit EBA guideline alignment and self‑hosted wallet procedures. (eba.europa.eu)
Final takeaway
Your RFP should force vendors to prove three things: they are CCTP v2‑native for USDC, they deliver modern UX with account abstraction and passkeys, and they operationalize sanctions/Travel Rule controls with auditable evidence. If they can’t demo these in a sandbox with your flows in under two weeks, keep looking.
7Block Labs routinely helps startups and enterprises run this RFP, score vendors, and stand up a compliant pilot in 90 days. If you want a copy‑and‑paste version of this checklist formatted for procurement, we’re happy to share.