Jun 22, 2026

How Regulated Institutions Are Evaluating WaaS Provider Lock-In Risk Before Committing to a Long-Term API Integration

Cregis


The foundational infrastructure for digital asset operations must be Secure. Efficient. Compliant. Once a regulated institution embeds a provider's APIs into its core infrastructure, switching costs can become significant. The smartest institutions are not asking "which WaaS provider has the best features?" They are asking "what happens if this relationship ends badly?" This article examines how banks, payment service providers, and financial institutions are building vendor risk frameworks to evaluate the trust layer before they sign any long-term integration agreement.

TL;DR

  • WaaS lock-in risk is a vendor risk management issue, not just a procurement decision.
  • Regulators expect institutions to assess, monitor, and plan exits from third-party technology relationships [federalreserve.gov].
  • The key dimensions of lock-in risk are: data portability, key custody architecture, contractual exit rights, and compliance ownership.
  • Institutions should apply the same third-party risk lifecycle to WaaS providers that they apply to core banking vendors.
  • The right infrastructure layer reduces lock-in by design, through open standards, self-custody options, and transparent controls.

Why Is Lock-In Risk a Regulatory Concern, Not Just a Business One?

Lock-in risk in WaaS is the operational and financial exposure that arises when an institution becomes structurally dependent on a single vendor for a critical function it cannot easily replicate or migrate away from.

This is not a new concept. Banking regulators have formalized third-party risk management requirements that apply directly to technology providers handling critical functions [federalreserve.gov]. The Federal Reserve's guidance on third-party risk explicitly covers the full lifecycle: planning, due diligence, contract negotiation, ongoing monitoring, and termination [moneylaunderingnews.com]. The NCUA similarly expects institutions to address risk assessment and monitoring of external relationships as a supervisory matter [ncua.gov].

WaaS providers sit squarely in this framework. When a provider holds cryptographic key material, controls wallet generation logic, or serves as the settlement layer for client funds, the relationship is not a software subscription. It is a critical operational dependency with systemic implications.

What Are the Five Dimensions Institutions Should Audit Before Integration?

Building on the regulatory expectation above, institutions need a structured evaluation framework, not just a checklist. The five dimensions below map directly to how examiners assess third-party relationships [federalreserve.gov] [moneylaunderingnews.com].

1. Key Custody Architecture

Who holds the cryptographic keys? This is the foundational question. Providers that retain unilateral control over private keys create a hard dependency. If the provider fails, is acquired, or withdraws service, the institution may lose access to client funds entirely.

The safer model is self-custodial infrastructure, where key material is distributed across parties using protocols like Multi-Party Computation (MPC), and the institution retains a key shard. No single party, including the provider, can reconstruct the full key alone. Because that same property means the institution's shard is not sufficient on its own, due diligence should also confirm how the institution's shard is backed up and how signing or key recovery proceeds if the provider's shard becomes unavailable.

2. Data Portability

Can the institution export wallet addresses, transaction histories, and user mappings in a standard format? Proprietary data schemas that cannot be migrated are a hidden lock-in mechanism. Before signing, institutions should request a data portability specification and test it.

3. Contractual Exit Rights

Contracts should specify transition assistance obligations, data return timelines, and what happens to active wallets during a wind-down period. Many standard vendor agreements are silent on these points. Regulators expect institutions to negotiate these terms explicitly [federalreserve.gov].

4. Compliance Ownership

In Banking as a Service and WaaS arrangements, compliance accountability can blur between parties [castellum.ai]. Institutions need contractual clarity on who performs AML screening, who retains audit logs, and who is responsible for regulatory reporting. Shared responsibility without clear assignment is a compliance gap.

5. Operational Continuity

What are the provider's uptime commitments, disaster recovery capabilities, and incident response procedures? A provider without documented business continuity plans introduces operational risk that regulators will scrutinize during examinations [ncua.gov].

How Should Institutions Structure the Due Diligence Process?

Stepping back from the technical dimensions, the process itself matters as much as the criteria. Federal guidance describes a five-stage lifecycle for managing third-party relationships [moneylaunderingnews.com]:

Stage | Key Actions for WaaS Evaluation
Planning | Define criticality of the WaaS function; set risk tolerance
Due Diligence | Assess key custody model, certifications, financials, exit terms
Contract Negotiation | Lock in data portability, SLAs, compliance ownership, exit assistance
Ongoing Monitoring | Review audit reports (SOC 2), test exit procedures, track incidents
Termination | Execute planned migration; confirm data deletion and key handover

Most institutions spend disproportionate effort on due diligence and underinvest in contract negotiation and termination planning. Regulators now expect all five stages to receive attention [moneylaunderingnews.com].

One practical addition: institutions should conduct a "day one failure" simulation before go-live. This means modeling what would happen to client wallets and funds if the provider became unavailable 24 hours after integration. The answer to that simulation shapes every negotiation point that follows.

What Certifications and Audit Standards Reduce Lock-In Risk Indirectly?

A related but distinct question is whether a provider's compliance posture signals lower lock-in risk. The answer is yes, for two reasons.

First, providers with SOC 2 Type II, ISO 27001, and PCI DSS certifications have independently verified controls over data management, access, and security. These reports give institutions documentary evidence they can present to examiners without relying solely on vendor self-reporting [ncua.gov].

Second, as regulators revise model risk management frameworks in 2026 to focus on principles rather than prescriptive rules [orrick.com], institutions will need providers whose governance structures are transparent and auditable. A provider that cannot produce a clean SOC 2 report or explain its key management architecture in plain terms is a governance risk, regardless of its feature set.

The new OCC, Federal Reserve, and FDIC framework signals that regulators are moving toward outcome-based supervision [orrick.com] [mvalaw.com]. Institutions that have selected providers with robust, documented controls will be better positioned in that environment than those who relied on contractual assurances alone.

How Does Infrastructure Architecture Support Operational Independence?

The most durable way to reduce lock-in is to select infrastructure designed with structural openness rather than negotiating around a closed system.

The design features that reduce lock-in structurally include:

  • Distributed key custody: MPC-based signing with institution-held key shards means the institution retains cryptographic control independent of the vendor relationship.
  • Multi-network support: Providers supporting 40+ blockchain networks and 85+ tokens reduce the risk that future asset requirements force a platform migration.
  • On-premise deployment options: Infrastructure that offers both cloud and self-hosted deployment gives institutions the ability to migrate hosting without migrating the entire stack.
  • Open API standards: Documented, versioned APIs with backwards compatibility commitments reduce the cost of future integration changes.

Cregis operates as the trust layer of the digital asset economy, built on these structural principles. Its MPC architecture uses a 2-of-2 and M-of-N signing model where no single party holds a complete key. These design choices reflect how the infrastructure was conceived from the start.

Frequently Asked Questions

What is WaaS lock-in risk? It is the operational exposure that arises when an institution cannot easily migrate away from a WaaS provider without losing access to wallet infrastructure, key material, or client data.

Do regulators require institutions to assess WaaS provider risk? Yes. Third-party risk management guidance from the Federal Reserve, NCUA, and federal banking agencies applies to any critical technology relationship, including WaaS providers [federalreserve.gov] [moneylaunderingnews.com].

What is the most important contractual term to negotiate? Exit assistance and data portability provisions. Without them, an institution may be unable to migrate client wallets even if it has legal grounds to terminate the contract.

Does MPC eliminate lock-in risk? It reduces custody lock-in significantly by ensuring no single party holds complete key control. But MPC alone does not address data portability or contractual exit rights.

How often should institutions review their WaaS provider relationship? Ongoing monitoring is a regulatory expectation, not a one-time event [ncua.gov]. Annual reviews tied to SOC 2 report cycles are a practical minimum.

What happens to client wallets if a WaaS provider fails? This depends entirely on the custody architecture. With provider-held keys, access may be lost. With MPC and institution-held key shards, the institution retains the ability to reconstruct access independently, provided its recovery path (backup shards or an escrow under its own control) does not depend on the provider's participation. That recovery path should be exercised as part of the "day one failure" simulation, not assumed.

Is compliance ownership negotiable in WaaS contracts? Yes, and it must be. Ambiguity about who performs AML screening and retains audit logs is a compliance gap that examiners will identify [castellum.ai].

About Cregis

Cregis provides enterprise-grade digital asset infrastructure for banks, payment service providers, exchanges, and institutional clients across 50+ countries. With nine years of operation and a track record of institutional-grade security, Cregis holds SOC 2 Type II, ISO 27001, PCI DSS, and CertiK certifications, and operates under Treasury and TCSP licensing. Its WaaS platform supports 40+ blockchain networks and 100 million+ wallet addresses, with MPC-based self-custody architecture designed to give institutions full operational control from day one. Cregis positions itself as the trust layer of the digital asset economy: secure, efficient, and compliant by design.

If your institution is evaluating WaaS providers and wants to understand how infrastructure architecture affects your long-term operational independence, visit Cregis to speak with their institutional team.

About Cregis

Founded in 2017, Cregis is a global leader in enterprise-grade digital asset infrastructure, providing secure, scalable and efficient management solutions for institutional clients.

Built to solve the challenges of fragmented blockchain systems and asset security risks, Cregis delivers MPC-based self-custody wallets, WaaS solutions, and Payment Engine, featuring collaborative asset control and a compliance-ready ecosystem.

To date, Cregis has served over 4,000 institutional clients globally. Our solutions empower exchanges, fintech platforms, and Web3 enterprises to adopt blockchain technology with confidence. Backed by years of proven expertise in blockchain and security, Cregis helps businesses accelerate their Web3 transformation and unlock global digital asset opportunities.