GENIUS Act · OCC · FDIC · FinCEN/OFAC · Treasury · Jan 2027 Effective Date
The law is signed. The NPRs are written. The examiner arrives in 12 months.
A complete compliance and assurance program for Permitted Payment Stablecoin Issuers — six sections tracing GENIUS Act obligations through four agency NPRs into three taxonomies (Process, Risk, Control), a sequential assessment pipeline, SOC and Audit assurance, and technology-enabled monitoring solutions. The only published program that answers simultaneously: why a control is required, what it must look like, and what it looks like in practice.
A dual-track methodology built from first principles. Track 1 (top-down): GENIUS Act → four agency NPRs → NIST CSF 2.0 → FFIEC guidance → OCC CSW examination procedures → control requirements → Control Standard. Track 2 (bottom-up): PPSI business lifecycle → 63 process steps → risk statements → controls → Process Taxonomy. The convergence of both tracks produces the Gap Assessment, which feeds the assessment and assurance pipeline. Every control traces from statutory citation through examination procedure to audit evidence.
From Law to Examination-Ready
The GENIUS Act produces obligations. The NPRs write the rules. The frameworks and supervisory examination layer translate those rules into testable controls. Phase 6 integrates everything into the ICA architecture. Phases 7–9 assess and validate across two parallel tracks. Phase 10 converges both tracks into full integrated assurance.
Phase 1 — Legislation
GENIUS Act
The statutory foundation — every obligation in the architecture originates here
Phase 2 — Agency NPRs
OCC NPR
Charter, reserve requirements, capital standards, and examination framework
FDIC NPR
Requirements for bank-subsidiary issuers and FDIC-supervised custodians
FinCEN / OFAC NPR
AML program obligations, financial crimes controls, and sanctions requirements
The central organizing framework of the Stablecoin ICA program. Eleven control layers — Governance through Real-Time Monitoring & Analytics — each mapped to key risks, key controls, NIST CSF 2.0 function codes, FFIEC handbook guidance, and GENIUS Act section citations. This is the Design Input at Phase 6 that feeds the Program Stream through Phases 7–10. Click any layer to expand the full traceability mapping.
Program Sections & Pages
16 Pages Across 7 Program Sections
Seven sections covering the full PPSI compliance lifecycle — from regulatory obligation mapping through process and control taxonomy, risk-weighted gap assessment, examination readiness, SOC and audit assurance, domain-level operational resilience deep dives, and ongoing monitoring solutions. Three existing pages are updated; thirteen new pages complete the program. Use the nav to move between sections.
// Regulation
b1 — Regulatory Library
Regulatory Library
~85 PPSI obligations consolidated across GENIUS Act + OCC 12 CFR Part 15 + FDIC 12 CFR Part 350 + FinCEN/OFAC Joint NPR + Treasury NPR. Each obligation cross-referenced by ICA layer. The obligation inventory that feeds all downstream work.
GENIUS ActOCCFDICFinCEN · Treasury
b2 — Regulatory Roadmap
Regulatory Roadmap
Temporal sequencing of all ~85 obligations by effective date trigger: immediate, pre-issuance, 180-days post-approval, monthly from Day 1, and Jan 18 2027 statutory effective date. Converts the obligation inventory into a compliance build schedule.
OCCFDICEffective Dates
b3 — Regulatory Traceability
Regulatory Traceability
7-column mapping chain: statute → NPR → cross-regulator coverage → effective date → NIST CSF 2.0 → FFIEC handbook → OCC CSW examination procedure → implementation requirement. The analytical core that makes every control traceable to a specific examination procedure.
OCC CSWNIST CSF 2.0FFIEC
// Process, Risk & Control
c1 — Process Taxonomy
Process Taxonomy
63 process steps across 8 PPSI operational domains — Issuance Authorization through Monthly Attestation. Each step: who, when, what, risk statement, control description. Mapped to COSO, NIST CSF 2.0, FFIEC, ISO 27001, SOC 1, SOC 2. Source data: Stablecoin_PCR_20260513.xlsx.
8 Domains63 StepsCOSO · NIST · ISO
c2 — Risk Taxonomy
Risk Taxonomy
~50 risk scenarios across 8 domains with inherent risk ratings (H/M/L). Derived from regulatory obligation failure modes (Track 1) and PCR process risk statements (Track 2). The PPSI audit universe — the risk reference document for all assessment and audit work.
8 Domains~50 ScenariosInherent Rating
c3 — Control Standard
Control Standard
11 ICA control layers — Governance through Real-Time Monitoring. The "should be" design standard for each layer derived from Regulatory Traceability Column 8. Specific mandatory controls with OCC/FDIC metrics (WAM ≤20 days, liquidity ladder ≥10% overnight, etc.).
OCCFDICFinCEN · TreasuryGENIUS Act
// Assessment
d1 — Gap Assessment
Gap Assessment
Risk-weighted comparison of Control Standard ("should be") vs PCR ("as is") across all 11 layers. Three gap types: missing control, design weakness, operating gap. Outputs a prioritized deficiency register and the 5 PPSI Critical Risks — the convergence point of both analytical tracks.
Control Arch vs PCRRisk Weighted11 Layers
d2 — Multi-Regulator Review
Multi-Regulator Review
4-regulator compliance validation grid (OCC · FDIC · FinCEN/OFAC · Treasury) organized by ICA layer. Pass/Fail/N/A per control requirement per regulator. Simulates an OCC examination — designed to be submitted as a pre-examination self-assessment package.
OCC CSWFDIC IT ExamFinCEN/OFAC
d3 — Compliance Readiness
Compliance Readiness
4-level CMMI-aligned maturity model per ICA layer: Policy → Operational → Tested → Continuous. SOC 2 Type I readiness requires all layers at Level 2+. SOC 2 Type II requires Level 3+ sustained 6+ months. Layer-by-layer dashboard and improvement roadmap.
4-Level Model11 LayersSOC 2 Gates
// Assurance
e1 — SOC Readiness
SOC Readiness
SOC 1 AT-C §320 (reserve financial controls), SOC 2 Type I / Type II (all 11 ICA layers × Trust Services Criteria), SOX ICFR for L03 + L05 (PCAOB AS 2201). Evidence requirements per layer per TSC criterion. Closes the statute-to-audit-evidence traceability loop.
SOC 1 · SOC 2SOX ICFRAICPA AT-C §205
e2 — Audit Work Program
Audit Work Program
Integrated technology audit across all 11 ICA layers. Special focus: AML model governance (Fed SR 11-7), block/freeze/reject smart contract technical testing, FinCEN NPR event-triggered risk assessment evidence. Produces audit work papers organized for OCC/FDIC submission.
OCC CSWAML ModelFFIEC Handbook
— Program Summary
Program Summary (PDF)
End-to-end program overview for board reporting, OCC charter application exhibits, and client presentations. Covers all 7 sections, all 16 pages, source instruments, and the end-to-end traceability chain.
All Sections
// Resilience
Each domain below is a full risk-and-control program — an inherent risk register (risk ID, statement, trigger, likelihood, impact, rating) and a control library (control ID, name, risk(s) addressed, type, description, regulatory anchor), the format a second-line risk function owns and would recognize as an RCSA. Every program pairs with an independent Audit Work Program that follows the same ten-section structure in each domain — objective, scope and regulatory anchor, risk assessment, control design assessment, control effectiveness testing, impact tolerance verification, scenario stress test evidence review, exception escalation thresholds, regulatory readiness sign-off, and finding log template — testing whether those controls actually operate as designed. This scope is distinct from, and in addition to, any SOC 1 or SOC 2 engagement the issuer separately commissions.
f1 — Reserve Management
Reserve Management
8-step reserve lifecycle — fiat deposit intake through treasury investment, three-ledger reconciliation, and redemption. 10 inherent risks, 9 controls, including the fiduciary segregation and joint-custody control required under Reg 9 for reserves held in trust. Stress-tested against a 48-hour banking outage combined with a 30% redemption surge.
GENIUS Act §§4,7,113Reg 9 §§9.9,9.13L03 Reserve
f2 — Key Management
Key Management
7-step multi-signature governance lifecycle — signer onboarding, HSM/MPC provisioning, transaction authorization, key rotation, emergency revocation. 10 inherent risks, 9 controls, including a Reg 9 joint-custody standard mapped directly onto multisig threshold design for wallets holding customer-linked assets.
OCC NPR §15.14Reg 9 §§9.6,9.13L05 Custody & Key
f3 — Smart Contract Management
Smart Contract Management
9-step secure development lifecycle — threat modeling through proxy-governed deployment and post-deploy invariant monitoring. 9 inherent risks, 8 controls, anchored to NIST SP 800-218 and stress-tested against a live production bug or Layer-1 blockchain halt.
Continuous monitoring, validation, and evidence generation across critical stablecoin functions. Six AI assessment agents validate reserve sufficiency, liquidity, concentration, reconciliation, resilience, and regulatory evidence in real time. Reserve Management domain is live.
GENIUS Act §§4,7,113OCC §15.10NYDFS 2026
Seven-Level Traceability — Statute to Audit Evidence
Every control traces from GENIUS Act obligation through examination procedure to audit evidence
Statute → NPR → NIST CSF 2.0 → FFIEC handbook → OCC CSW examination procedure → control design → operational process → audit evidence. Seven levels. Designed to be presented directly to an OCC or FDIC examiner on day one.
Each control layer maps to NIST CSF 2.0, FFIEC, COSO, and ISO 27001 simultaneously
The Control Standard defines the "should be" design standard for every mandatory PPSI control — with specific metrics, evidence requirements, and examination procedure references for each of the 11 layers.
The framework is built. The question is whether it fits what you need.
A short conversation is the right first step — whether you are a Stablecoin issuer building toward your first examination, a custodian assessing GENIUS Act custody obligations, or a firm placing senior controls expertise on a client engagement.
Embedded Execution
Building the control program alongside your team
For issuers and custodians building from scratch — architecture design, documentation, and examination package delivery.
Independent Assessment
Gap assessment before a deadline or examination
For operators and custodians who have existing programs but need an independent view of where the gaps are before a regulator finds them.