Supply Chain Risk Management

The FinTech Supply Chain Nobody Audits

FinTech's third-party supply chain is growing faster than compliance can track. Here's what stablecoin infrastructure is adding to the exposure.

Robin De Vries

CEO

June 24, 2026

FinTechs that grew fast plugged in dozens of endpoints they've since forgotten. Stablecoin infrastructure adds new third-party layers. Most companies can't see any of it.

Many things happen when a FinTech grows fast. Sales move, partnerships get signed, integrations go live. APIs connect to APIs. Payment rails plug into wallet providers. A new data vendor gets added on a Friday afternoon before a product launch.  

Nobody writes it down properly, and by the time the company has 500 employees and processes millions of transactions a day, the original list of third-party connections is somewhere between incomplete and fictional.

Jordan Lawrence has spent twenty years in this industry, and he has seen large, sophisticated companies with compliance teams and annual vendor assessments that cannot tell you, with any confidence, who they are currently connected to.

He joined me on the latest episode of our podcast All Things Cyber. The insights and stories he shared reminded me how deep the rabbit hole goes: payments, supply chains, forgotten endpoints. Pull on one thread and you find three more underneath it.

In their speed of growth, they plugged in so many different partners, they've now forgotten who they plugged in. And every single one of those endpoints is a threat to the business.
Jordan Lawrence, CEO, Damisa

Why stablecoin infrastructure makes supply chain visibility harder

Stablecoins are changing the payments landscape at a pace that compliance programs were not designed for. Tether and USDC are already the infrastructure of choice for cross-border B2B payments in markets where fiat rails are slow, expensive, or unreliable.  

In Nigeria, Jordan paid for goods directly in USDT. In Brazil, the government changed regulations in response to businesses bypassing IOF tax using stablecoin transfers. This is not a future trend. It’s the current operating environment.

For FinTechs and payment companies adopting stablecoin infrastructure, this creates a new category of third-party exposure. Stablecoins sit in custodial or non-custodial wallets. Those wallets are run by third-party providers. Those providers have their own technology stacks, their own infrastructure dependencies, their own third parties. The supply chain behind a single stablecoin payment can run three or four layers deep before you reach a company you have never heard of, let alone assessed.

As Jordan put it during our conversation: the whole risk picture has shifted. The correspondent bank problem, where a SWIFT payment might touch four different institutions and the money could go missing for months, has not disappeared. It has moved to a new layer where the exposure is less visible and less understood.

What the Numbers Say About Third-Party Risk

According to the 2025 Verizon Data Breach Investigations Report, third-party involvement in breaches doubled year-over-year, now accounting for 30% of all confirmed breaches analyzed.  

That number comes up often in supply chain risk discussions, and it tends to prompt the same response from CISOs and security architects: they acknowledge it, then continue managing their known vendor list.

These breaches come from the suppliers you have not thought about in two years, or the ones that got connected during a product sprint and never formally onboarded, or the ones that came in through an acquisition. Fiserv, which had a breach traced to old technology deeply embedded in its infrastructure, took three to four days just to identify the source. The company has 40,000 employees, a dedicated security function, and years of compliance investment. The breach still moved through a part of the supply chain that was not visible enough to respond to quickly.

That is why Supply Chain Intelligence is different from TPRM (third-party risk management), EASM (external attack surface management), and GRC (governance, risk, and compliance) tooling: the tools most companies use to manage third-party risk were built to assess vendors you already know about. They were not built to discover the ones you forgot.

What a modern supply chain audit needs to cover

A meaningful audit of a FinTech's supply chain today has to go beyond the vendor register. It needs to start from the outside and map what is actually connected, including the technology infrastructure those vendors use, the concentration risk that sits at the fourth party level, and the continuous signals that indicate when something in the ecosystem is changing.

The questions that matter are not just: who do we work with? They are:  

  • Who are they connected to?  
  • Where do we have concentration risk across multiple vendors using the same cloud provider or payment processor?  
  • What happened to a vendor in the last thirty days that we do not know about yet?

This is why external dependencies increase supply chain risk in ways that annual assessments are structurally unable to capture. A point-in-time review cannot tell you what changed last week.

For companies adopting stablecoin infrastructure specifically, the audit also needs to cover the wallet providers, the custody arrangements, the technology stack behind each stablecoin issuer, and the regulatory licensing of every entity handling funds in transit. That is a larger surface than most FinTechs have mapped.
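The three questions above (who are our vendors connected to, where do several of them share the same upstream provider, and what changed since the last look) are graph questions, and the stablecoin layer just adds more nodes (wallet provider, custodian, issuer) to that graph. The script below is an added illustration written for this article, not tooling from ThingsRecon or Damisa. Every vendor, provider and review date in it is constructed: it walks a dependency graph outward from the company, reports which upstream entities many direct vendors quietly share, diffs two point-in-time snapshots, and flags direct vendors that were never onboarded or not reviewed within a year.

```python
"""Map an external dependency graph, surface fourth-party concentration,
and diff two point-in-time snapshots.

Constructed sample data only: every vendor, provider and date below is
hypothetical and describes no real company's infrastructure.
"""
from collections import deque
from datetime import date

# entity -> the upstream entities it relies on. "us" is the company being
# audited; its direct edges are what the vendor register knows about.
SNAPSHOT_MAY = {
    "us": ["acquirer-a", "wallet-provider-x", "kyc-vendor", "data-vendor-friday"],
    "acquirer-a": ["cloud-north", "card-network"],
    "wallet-provider-x": ["custodian-q", "cloud-north"],
    "custodian-q": ["stablecoin-issuer", "hsm-host"],
    "kyc-vendor": ["cloud-north"],
    "data-vendor-friday": ["cloud-south"],
    "stablecoin-issuer": ["reserve-bank"],
}

# Thirty days later: the wallet provider swapped its custodian, one vendor
# was dropped, and a new one appeared that nobody formally onboarded.
SNAPSHOT_JUNE = {
    "us": ["acquirer-a", "wallet-provider-x", "kyc-vendor", "fx-oracle-new"],
    "acquirer-a": ["cloud-north", "card-network"],
    "wallet-provider-x": ["custodian-z", "cloud-north"],
    "custodian-z": ["stablecoin-issuer", "cloud-north"],
    "kyc-vendor": ["cloud-north"],
    "fx-oracle-new": ["cloud-north"],
    "stablecoin-issuer": ["reserve-bank"],
}

# Constructed review dates from the vendor register. fx-oracle-new has no
# entry because it was connected during a sprint and never onboarded.
LAST_REVIEWED = {
    "acquirer-a": date(2026, 1, 15),
    "wallet-provider-x": date(2024, 3, 2),
    "kyc-vendor": date(2026, 5, 20),
}


def upstream_closure(graph, root="us"):
    """Breadth-first walk from root. Returns {entity: depth}: depth 1 is a
    direct vendor, depth 2 a fourth party, depth 3 and beyond the layers
    nobody has assessed."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in depth:
                depth[dep] = depth[node] + 1
                queue.append(dep)
    depth.pop(root)
    return depth


def concentration(graph, root="us"):
    """For every upstream entity, the set of direct vendors whose chain passes
    through it. An entity shared by many direct vendors is a concentration
    risk even though it never appears in the vendor register."""
    shared = {}
    for vendor in graph.get(root, []):
        for entity in upstream_closure(graph, vendor):
            shared.setdefault(entity, set()).add(vendor)
    return shared


def concentration_hotspots(graph, min_vendors=2, root="us"):
    """Entities that at least min_vendors direct vendors depend on, most
    shared first."""
    shared = concentration(graph, root)
    hot = [(e, sorted(v)) for e, v in shared.items() if len(v) >= min_vendors]
    return sorted(hot, key=lambda item: (-len(item[1]), item[0]))


def diff_snapshots(old, new, root="us"):
    """The continuous signal an annual review cannot give: which entities
    appeared or vanished anywhere in the chain, and which direct
    connections changed."""
    before, after = upstream_closure(old, root), upstream_closure(new, root)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "direct_vendor_changes": sorted(
            set(new.get(root, [])) ^ set(old.get(root, []))),
    }


def stale_or_unreviewed(graph, reviews, as_of, max_age_days=365, root="us"):
    """Direct vendors that were never onboarded or not reviewed within
    max_age_days of as_of."""
    flagged = {}
    for vendor in graph.get(root, []):
        reviewed = reviews.get(vendor)
        if reviewed is None:
            flagged[vendor] = "never onboarded"
        elif (as_of - reviewed).days > max_age_days:
            flagged[vendor] = f"last reviewed {(as_of - reviewed).days} days ago"
    return flagged


if __name__ == "__main__":
    print("hotspots:", concentration_hotspots(SNAPSHOT_JUNE))
    print("changes:", diff_snapshots(SNAPSHOT_MAY, SNAPSHOT_JUNE))
    print("review gaps:", stale_or_unreviewed(
        SNAPSHOT_JUNE, LAST_REVIEWED, date(2026, 6, 24)))
```

In the constructed data the register lists four vendors, but the walk reaches a reserve bank four layers out, shows that every direct vendor but one runs on the same cloud provider, and reports the custodian swap behind the wallet provider, a change that would never surface from re-reading the vendor list. Feeding the same functions with a graph built from real external discovery data is the part a supply chain intelligence product does for you.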

The opportunity in the shift

Jordan made an observation in our conversation that stayed with me. The shift to stablecoin infrastructure, and the complexity it introduces into the supply chain, creates a genuine opportunity for companies that can provide visibility into that ecosystem.  

Most FinTechs operating in this space today cannot answer the question: who is in my stablecoin supply chain?

The companies that get ahead of this question, before a breach forces them to answer it under pressure, will be better positioned on every dimension: regulatory compliance, operational resilience, and the ability to respond when something goes wrong in a connected ecosystem.

The FinTech supply chain has never been audited properly. The stablecoin layer is making that gap more consequential by the day.
