Framework Architecture
The Compliance Pipeline
A ten-tier architecture tracing federal legislation through four agency rulemakings, NIST CSF 2.0, FFIEC guidance, and OCC/FDIC supervisory procedures — into an 11-layer control stack and three assurance execution tiers. Audience-routed: DeFi startups enter at Tier 8, FinTechs build toward SOC 2 at Tier 9, and PPSI charter applicants execute the full integrated audit at Tier 10.
Regulatory-to-Audit Pipeline
Tier 1 — Legislation
GENIUS Act
Public Law 119-27 · Federal stablecoin law · 2025
Tier 2 — Agency NPRs
OCC NPR
12 CFR Part 15
Charter + issuer reqs
Charter + issuer reqs
FDIC NPR
12 CFR Part 350
Deposit insurance reqs
Deposit insurance reqs
Treasury / FinCEN NPR
Joint AML/CFT
+ sanctions reqs
+ sanctions reqs
Tier 3 — Regulatory Reference
Tier 4 — Framework & Guidance
NIST CSF 2.0
Control taxonomy
Identify · Protect · Detect · Respond · Recover
Identify · Protect · Detect · Respond · Recover
FFIEC IT Handbook
Control expectations
IS · BCP · Audit · Mgmt · D&A
IS · BCP · Audit · Mgmt · D&A
Tier 5 — Supervisory Layer
OCC CSW
Cybersecurity Supervision
Work Program
Work Program
FDIC IT Exam
IT Examination
Procedures
Procedures
Fed SR 11-7
Model Risk Management
Supervisory Guidance
Supervisory Guidance
Tier 6 — Control Hub
Tier 7 — Risk & Gap Assessment
Tier 8 — Multi-Regulator Compliance Validation
Tier 9 — Maturity & SOC 2 Readiness
Legislation
NPRs / Regulatory
Reference Docs
Framework & Guidance
Supervisory Layer
Control Stack Hub
OCC-scoped only
Final Output
Control Stack Framework
11-Layer Stablecoin Control Stack
The central organizing framework. Each layer maps regulatory requirements, NIST CSF functions, and FFIEC guidance to operational controls. Click any layer to expand the full traceability mapping.
Stablecoin Control Stack Framework · IT Audit Consulting
·
Open full screen ↗
Document Suite
9-Document Compliance Suite
Nine purpose-built documents spanning the full 10-tier pipeline — from regulatory reference and process-risk-control mapping through risk and gap assessment and into three audience-routed assurance tiers: compliance baseline (Tier 8), maturity and SOC 2 readiness (Tier 9), and full integrated audit execution (Tier 10).
DOC 1 · TIER 3 — REGULATORY REFERENCE
Stablecoin Regulatory Library
Consolidated regulatory landscape — GENIUS Act statutory obligations, OCC 12 CFR Part 15, FDIC 12 CFR Part 350, FinCEN/OFAC Joint NPR, and Treasury NPR. Reporting calendar, reserve requirements, and technical architecture across all four rulemakings.
GENIUS Act
OCC
FDIC
FinCEN · Treasury
DOC 2 · TIER 6 — CONTROL STACK FRAMEWORK
11-Layer Stablecoin Control Stack
The central organizing framework. Eleven control layers — Governance through Real-Time Monitoring — each mapped to key risks, key controls, NIST CSF 2.0 function codes, FFIEC handbook guidance, and GENIUS Act section citations. The hub the entire pipeline flows through.
OCC
FDIC
FinCEN · Treasury
GENIUS Act
DOC 3 · TIER 6 — PROCESS · RISK · CONTROL
Process-Risk-Control Mapping
Business process reality lens for the control stack. Eight operational domains — Issuance Authorization through Attestation & Reporting — each with process steps, inherent risks, control activities, and framework alignment. Primary process-lens input into the Tier 7 gap assessment.
OCC NPR
GENIUS Act
8 Domains
DOC 4 · TIERS 4–6 — EXAMINATION BRIDGE
Framework-to-Control Bridge
Framework traceability lens spanning Tiers 4–6: NIST CSF 2.0 function codes → FFIEC handbook guidance → OCC CSW supervisory examination procedures → Control Stack layer → implementation requirements. Primary framework-lens input into the Tier 7 gap assessment.
OCC CSW
FFIEC
NIST CSF 2.0
DOC 5 · TIER 7 — RISK & GAP ASSESSMENT
Risk & Gap Assessment
Synthesis engine: DOC 4 framework lens + DOC 3 process lens → gap heat map across 11 layers → prioritized control deficiency register → routing to Tiers 8–10. The gap assessment step is more critical than the audit itself — it determines where to focus and how urgently.
All Regulators
11 Layers
Routes T8–T10
DOC 6 · TIER 8 — COMPLIANCE VALIDATION
Multi-Regulator Compliance Validation
Complete 4-regulator validation grid with pass/fail tracking: OCC CSW examination procedures, FDIC prudential requirements (operational backstop, CEO/CFO certification), BSA/AML/CFT per FinCEN/OFAC April 8 NPR (block/freeze/reject, strict liability), and Treasury obligations. All audiences start here.
OCC
FDIC
BSA/AML/CFT
Treasury
DOC 7 · TIERS 7/8 — RISK INTELLIGENCE
PPSI 5 Critical Risks
Five critical control gaps most PPSI charter applicants underestimate — drawn directly from the Tier 7 gap register's top-ranked critical items. Each risk is embedded as a flagged critical item in the Tier 8 validation checklist. OCC examination intelligence for charter applicants.
OCC Charter
T7 Sourced · T8 Embedded
DOC 8 · TIER 9 — MATURITY & SOC 2 READINESS
Maturity Assessment & SOC 2 Readiness
Stablecoin-native 4-level maturity model (Policy → Operational → Tested → Continuous/DevSecOps). Layer-by-layer maturity scorecard. SOC 2 Type II readiness with DRIFT-paradigm 3-zone framework. DevSecOps pathway for blockchain builders. SOX ICFR readiness for reserve and custody.
CMMI-Aligned
SOC 2 Type II
DevSecOps
DOC 9 · TIER 10 — FULL ASSURANCE
Full Assurance — SOC 2 Type II + Integrated Audit
Full execution package: SOC 2 Type II testing program (Zone A Protocol Risk, Zone B Stablecoin Control Plane, Zone C Exit & Recovery), deficiency evaluation framework (CD / SD / MW), SOX ICFR for reserve and custody assertions, and 8-domain integrated technology audit work program.
SOC 2 Type II
SOX ICFR
OCC/FDIC Exam
Regulatory Traceability Matrix
Law to Examination — End-to-End Traceability
Every control in the stack traces back to a specific statutory obligation and forward to the examination procedure a regulator will use to test it. This is the traceability chain an OCC or FDIC examiner will follow on Day 1 of a target examination.
Control Traceability Chain
GENIUS Act (Law) → Agency NPR (Rule) → NIST CSF Function (Framework) → FFIEC Guidance → OCC CSW Examination Procedure (Supervision) → Control Stack Layer (Execution)
| Tier 1 — Law | Tier 2 — Rule | Tier 4 — Framework | Tier 4 — Guidance | Tier 5 — Supervision | Tier 6 — Stack | |
|---|---|---|---|---|---|---|
| Control Domain | GENIUS Act Obligation | Agency Rule (NPR) | NIST CSF Function | FFIEC Guidance | OCC CSW — Supervisory Procedure | Control Stack Layer |
| Governance & Risk Oversight | Board risk management program, fitness & propriety standards, 3-year lookback (§§ 103, 106) | OCC NPR — risk appetite framework, 3 Lines of Defense, board reporting cadence | GV.OC Organizational Context GV.RM Risk Management Strategy |
Management Handbook — Governance Structure, Risk Management Framework | Review board minutes · assess risk appetite statements · evaluate 3 LoD effectiveness | Layer 01 Governance & Risk Oversight |
| Legal Entity & Licensing | Federal stablecoin permit, bankruptcy-remote entity structure (§§ 102, 115) | OCC 12 CFR Part 15 — charter application, permissible activities, capital requirements | GV.OC Organizational Context ID.BE Business Environment |
Management Handbook — Regulatory Compliance, Legal Entity Framework | Verify charter compliance · review licensing documents · validate entity structure | Layer 02 Legal Entity & Regulatory Perimeter |
| Reserve & Financial Integrity | 1:1 reserve backing, monthly public attestation, WAM limits (§§ 104–105) | OCC/Treasury NPR — reserve composition, daily reconciliation, independent audit, liquidity ratios | ID.AM Asset Management PR.DS Data Security |
Audit Handbook — Financial Controls · Management Handbook — ICFR, Reconciliation Procedures | Test reserve reconciliation · validate attestation process · review audit trail completeness | Layer 03 Reserve & Financial Integrity |
| Mint / Burn Lifecycle | Authorization controls for issuance, redemption within 1 business day (§§ 107–108) | OCC NPR — multi-authorization workflows, supply controls, burn verification, audit trail | PR.AC Identity Management DE.CM Continuous Monitoring |
Development & Acquisition Handbook — Change Management, Access Controls, Code Review | Review authorization workflows · test access controls · validate audit trail completeness | Layer 04 Mint / Burn & Token Lifecycle |
| Custody & Key Management | Segregated custody, custodian eligibility standards, safeguarding obligations (§ 110) | OCC NPR — HSM requirements, dual control procedures, custodian due diligence standards | PR.DS Data Security PR.AC Identity Management |
Information Security Handbook — Cryptographic Standards, Key Management Lifecycle | Inspect key management procedures · validate dual control · test custodian oversight program | Layer 05 Custody & Asset Safeguarding |
| Financial Crime & AML | BSA/AML program, FinCEN registration, travel rule compliance (§ 111) | FinCEN/OFAC NPR Apr 8, 2026 — KYC/CDD, transaction monitoring, SAR filing (primary market only), OFAC strict-liability screening, block/freeze/reject capability (primary and secondary markets) | DE.CM Continuous Monitoring RS.AN Incident Analysis |
BSA/AML Examination Manual — Transaction Monitoring, Sanctions Screening, SAR Procedures | Review TM program effectiveness · validate SAR filing process · test OFAC screening controls | Layer 06 Financial Crime & Compliance |
| Technology & Cybersecurity | Operational resilience, system safeguarding, incident notification requirements (§§ 109, 113) | OCC NPR — continuous monitoring, anomaly detection, incident response, pen testing cadence | PR.AC Access Control DE.CM Continuous Monitoring RS.RP Response Planning |
Information Security Handbook — Network Security, SIEM Requirements, Incident Response | Review SIEM & EDR tools · validate alert escalation procedures · test incident response | Layer 07 Technology & Cybersecurity |
| Operational Resilience | Business continuity obligations, third-party risk management, concentration limits (§ 112) | OCC/FDIC NPR — BCP/DRP requirements, vendor oversight program, RTO/RPO standards | PR.IP Information Protection RC.RP Recovery Planning |
BCP Handbook — Recovery Objectives, Resilience Testing, Third-Party Risk Management | Test BCP/DR procedures · assess vendor oversight program · validate recovery testing docs | Layer 08 Operational Resilience |
Framework Crosswalk
Regulatory Applicability by Stack Layer
Quick-reference applicability matrix showing which regulatory standards apply to each control stack layer across all agencies and frameworks.
Control Stack × Regulatory Framework — Applicability Matrix
✔ = directly applicable standard · — = not primary for this layer
| Control Stack Layer | Primary Frameworks | OCC | FDIC | Treasury | GENIUS |
|---|---|---|---|---|---|
| 1. Governance & Risk Oversight | COSO ERM & IC · Federal Reserve SR 11-7 · OCC Heightened Standards | ✔ | ✔ | — | ✔ |
| 2. Legal Entity & Regulatory Perimeter | OCC Licensing · State MTL Laws · SEC / CFTC Rules | ✔ | ✔ | ✔ | ✔ |
| 3. Reserve & Financial Integrity | SOX 404 / COSO ICFR · PCAOB Standards · Basel III Liquidity | ✔ | ✔ | ✔ | ✔ |
| 4. Mint / Burn & Token Lifecycle | NIST SP 800-53 · SOC 2 (Change Mgmt) · Blockchain Controls | ✔ | — | — | ✔ |
| 5. Custody & Asset Safeguarding | FFIEC IT Handbook · SOC 1 / SOC 2 · NIST Cryptographic Standards | ✔ | ✔ | — | ✔ |
| 6. Financial Crime & Compliance | FFIEC BSA/AML · FinCEN · OFAC · SOC 1 / SOC 2 | ✔ | ✔ | ✔ | ✔ |
| 7. Technology & Cybersecurity | NIST CSF 2.0 · ISO 27001 · SOC 2 (Security, Availability) · OCC CSW | ✔ | ✔ | — | ✔ |
| 8. Operational Resilience | OCC 3rd Party Guidance · Fed Resilience Guidance · FFIEC BCP Handbook | ✔ | ✔ | — | ✔ |
| 9. Market Integrity & Consumer Protection | CFPB Consumer Protection · SEC Disclosure Guidelines | ✔ | ✔ | — | ✔ |
| 10. Ecosystem & DeFi Risk | DeFi Risk Assessments (Emerging) · FFIEC Third-Party Risk Management | ✔ | — | — | ✔ |
| 11. Real-Time Monitoring & Analytics | NIST SP 800-137 · NIST CSF DE.CM · FFIEC IS Handbook (SIEM) | ✔ | — | ✔ | ✔ |