Process Taxonomy — Organized by ICA Layer

The 63 PPSI process steps organized by the same 11 ICA Layers used across the entire program — so L03 Reserve means the same thing here, in the Risk Taxonomy, in the Control Standard, in the Gap Assessment, and in a regulatory examination. Each layer shows its process steps with inline cross-navigation to related risk scenarios and control requirements.

63 process steps · 14 operational domains · 11 ICA Layers · Cross-linked to Risk Taxonomy · Cross-linked to Control Standard · Framework mappings: COSO 2013 · NIST CSF 2.0 · FFIEC · ISO 27001 · SOC 1/2
L01
Governance & Risk Oversight
Board governance, risk appetite, AML officer, 3 Lines of Defense.
4 process steps
L01 sets the institutional foundation — board authority, risk oversight structure, and the AML officer mandate required before a single token is minted.
D01
Issuance Authorization
4 steps ICA L01 · L02
01
Charter / PPSI application — submit business plan, 3-yr financial projection, and technology description to OCC or state regulator
Governance & Risk GV.OC-1 — Organizational Context (Govern)
Timing / Frequency
Prior to operations, the Legal and Compliance team prepares and submits the PPSI charter application—including the business plan, 3-year financial projections, and technology descr
Risk Statement
Missing or failed charter application will result in unauthorized stablecoin issuance, exposing the firm to criminal penalties of up to $1,000,000 per violation and imprisonment under GENIUS Act § 3(f), and rendering all tokens issued without authorization legally invalid.
Control Description
Preventive manual control: Legal counsel independently reviews the complete application package before submission, validating PPSI eligibility, charter pathway selection, and regulatory classification. Outside counsel sign-off and board approval are required as mandatory gates before the application is filed with the OCC.
COSO 2013 Control Environment (Component 1) — Governance & Oversight
NIST CSF 2.0 GV.OC-1 — Organizational Context (Govern)
FFIEC IT Management — Governance & Board Oversight
ISO 27001:2022 Clause 5 — Leadership; A.5.2 Information Security Policy
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
02
Capital adequacy verification — demonstrate 12-month operating expense reserve in liquid assets and required leverage ratio
Governance & Risk GV.RM-1 — Risk Management Strategy (Govern)
Timing / Frequency
Prior to launch and quarterly thereafter, the CFO and Finance team verify and document that the issuer maintains a minimum 12-month operating expense reserve in liquid assets and m
Risk Statement
Missing or failed capital adequacy verification will result in insufficient operating reserves, exposing the issuer to insolvency before regulatory approval is finalized and giving the OCC grounds to deny or revoke the PPSI authorization.
Control Description
Preventive manual and automated control: A board-approved capital adequacy framework documents the reserve calculation methodology. Finance recomputes the 12-month operating expense reserve quarterly, with board sign-off required. An automated dashboard alert fires when capital approaches minimum thresholds, triggering a management action.
COSO 2013 Control Environment (Component 1) — Tone at the Top
NIST CSF 2.0 GV.RM-1 — Risk Management Strategy (Govern)
FFIEC IT Management — Risk Appetite & Capital Planning
ISO 27001:2022 Clause 5.1 — Leadership & Commitment; A.5.36 Compliance
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
03
Board governance setup — approve issuance policy, risk appetite statement, and written information security program
Governance & Risk GV.RR-1 — Roles, Responsibilities & Authorities (Govern)
Timing / Frequency
Prior to launch and on an annual basis thereafter, the Board of Directors formally approves the issuance policy, risk appetite statement, and written information security program (
Risk Statement
Missing or failed board governance setup will result in undefined accountability, undocumented risk tolerance, and an absent WISP—control gaps that OCC examiners will identify at the first safety and soundness review as grounds for supervisory action or license conditions.
Control Description
Preventive manual control: The board formally approves and minutes all three foundational documents at a scheduled board meeting before launch. The board secretary retains signed board minutes and policy documents as primary examination evidence. Annual re-approval cycle is calendar-tracked with documented board acknowledgment.
COSO 2013 Control Environment (Component 1) — Board Responsibility
NIST CSF 2.0 GV.RR-1 — Roles, Responsibilities & Authorities (Govern)
FFIEC IT Management — Board-Level IT Governance
ISO 27001:2022 Clause 5.1 — Leadership; A.5.3 Segregation of Duties
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
04
Management fitness checks — background screening and OFAC/sanctions interdiction for all board members and senior executives
ITGC — Access Management PR.AC-1 — Identities and Credentials (Protect)
Timing / Frequency
At onboarding of all board members and senior executives, and annually thereafter, the Chief Compliance Officer conducts independent OFAC, PEP, and criminal background screening th
Risk Statement
Missing or failed fitness checks will result in a board member or officer with undisclosed regulatory history, OFAC exposure, or a disqualifying felony conviction remaining in place—triggering license rejection, revocation, or criminal referral under GENIUS Act § 4(f).
Control Description
Preventive manual control: An independent background screening firm conducts OFAC/PEP/sanctions interdiction and criminal background checks for all board members and senior executives. Results are documented, reviewed by the board audit committee, and retained in personnel files. Screening is repeated annually. Any adverse finding is escalated immediately to the board chair and general counsel.
COSO 2013 Control Environment (Component 1) — Commitment to Competence
NIST CSF 2.0 PR.AC-1 — Identities and Credentials (Protect)
FFIEC IT Management — Personnel Security
ISO 27001:2022 A.6.1 — Screening; A.5.15 Access Control
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
L02
Legal Entity & Regulatory Perimeter
PPSI authorization, permissible activities scope, charter filing.
Steps embedded in cross-referenced domains
L02 authorizes the entity to issue stablecoins. Authorization workflow steps are embedded in D01 Issuance Authorization — see that domain under L01 for the full process detail.
No standalone process domain maps primarily to L02.
Also contributes steps from: D01 Issuance Authorization (secondary layer mapping)
L03
Reserve & Financial Integrity (CRITICAL)
Reserve composition, WAM, CEO/CFO certification, operational backstop.
10 process steps
L03 is the highest-stakes operational layer. D04 covers daily portfolio management; D09 covers the monthly CEO/CFO certification and attestation workflow. Both are required before first mint.
D04
Reserve Management
5 steps ICA L03
14
Daily fair value monitoring — reserve portfolio valued at market daily; coverage ratio computed and logged against totalSupply() on-chain
Operational Controls ID.AM-5 — Resources Prioritized (Identify)
Timing / Frequency
Daily, the Reserve Management team uses automated market data feeds to value all reserve assets at current fair market price and compute the coverage ratio against on-chain totalSu
Risk Statement
Missing or failed daily reserve valuation will result in an undetected reserve deficiency—allowing the coverage ratio to fall below 1:1 without triggering remediation—a direct violation of GENIUS Act § 4(a)(1)(A) that may only become visible at the monthly RPAF examination.
Control Description
Detective automated control: Automated market data integration values all reserve assets daily using real-time fair-value pricing—amortized cost is explicitly prohibited. Coverage ratio is computed and logged automatically after each valuation cycle. An automated breach alert fires if the ratio approaches or falls below 1.0, requiring same-day management action and potential OCC notification.
COSO 2013 Risk Assessment (Component 2) — Risk Assessment
NIST CSF 2.0 ID.AM-5 — Resources Prioritized (Identify)
FFIEC IT Management — Risk Assessment & Liquidity Monitoring
ISO 27001:2022 Clause 6.1 — Risk Assessment; A.5.9 Inventory of Assets
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
15
Liquidity bucket monitoring — daily: ≥10% immediately liquid; weekly: ≥30% redeemable within 5 business days
Operational Controls DE.CM-8 — Vulnerability Scanning (Detect)
Timing / Frequency
Daily and weekly, the Reserve Management team monitors reserve asset liquidity against regulatory thresholds (≥10% immediately liquid daily; ≥30% redeemable within 5 business days
Risk Statement
Missing or failed liquidity bucket monitoring will result in insufficient immediately liquid reserves to fund redemption requests—forcing delays beyond T+2 and triggering the OCC stress redemption extension—a supervisory escalation event with public confidence implications.
Control Description
Detective automated control: Automated liquidity dashboards monitor the 10%/30% bucket thresholds against real-time reserve valuations. Automated alerts fire on approach to and breach of either threshold, requiring immediate management response. A documented monetization playbook is validated periodically through live T-bill liquidation exercises to confirm execution capability under stress.
COSO 2013 Monitoring Activities (Component 5) — Ongoing Evaluations
NIST CSF 2.0 DE.CM-8 — Vulnerability Scanning (Detect)
FFIEC Wholesale Payments — Intraday Liquidity Controls
ISO 27001:2022 A.8.6 — Capacity Management; A.5.9 Inventory of Assets
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
16
WAM calculation — weighted average maturity maintained ≤ 20 days; T-bill maturities ≤ 93 days strictly enforced
Operational Controls PR.DS-7 — Dev and Test Environments (Protect)
Timing / Frequency
Daily and before each reserve asset purchase, the Reserve Management team and portfolio system enforce the ≤20-day weighted average maturity limit and ≤93-day individual T-bill mat
Risk Statement
Missing or failed WAM monitoring will result in the reserve portfolio drifting beyond permitted maturity limits—increasing interest rate and liquidity risk—and if corrected through forced sales at unfavorable prices, potentially producing a mark-to-market loss that temporarily reduces coverage below 1:1.
Control Description
Preventive automated control: The portfolio management system enforces WAM ≤20 days and individual T-bill maturity ≤93 days as hard pre-trade limits. Non-compliant purchases are blocked at the transaction entry point. WAM is recalculated after every trade and displayed on the real-time reserve dashboard. Pre-trade compliance checks run before any order is submitted to market.
COSO 2013 Control Activities (Component 3) — Preventive Controls
NIST CSF 2.0 PR.DS-7 — Dev and Test Environments (Protect)
FFIEC IT Management — Portfolio Risk Controls
ISO 27001:2022 A.8.6 — Capacity Management; A.5.19 Supplier Relationships
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
17
Concentration monitoring — ≤ 40% per EFI, ≤ 50% of daily liquidity bucket per EFI; automated alerts on approach to limits
Third-Party Management PR.IP-1 — Baseline Configuration (Protect)
Timing / Frequency
Daily and at each reserve asset transaction, the Reserve Management team monitors and enforces concentration limits (≤40% per eligible financial institution) to prevent over-relian
Risk Statement
Missing or failed concentration monitoring will result in excessive reserves concentrated at a single institution—rendering a large portion of reserves temporarily inaccessible during stress at that institution, preventing timely redemptions and triggering OCC enforcement.
Control Description
Preventive automated and contractual control: The portfolio system enforces a ≤40% EFI concentration hard limit at the point of transaction. Pre-trade checks block purchases that would breach concentration limits. All custody agreements include explicit contractual no-rehypothecation clauses. Right-to-audit provisions are included in every custody contract to enable independent verification.
COSO 2013 Control Activities (Component 3) — Safeguarding Controls
NIST CSF 2.0 PR.IP-1 — Baseline Configuration (Protect)
FFIEC IT Management — Third-Party & Custodian Controls
ISO 27001:2022 A.5.20 — Addressing Security in Supplier Agreements
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
18
Segregation verification — monthly legal confirmation that reserve assets remain in trust, title held correctly, no commingling
Governance & Risk GV.PO-1 — Policy Established (Govern)
Timing / Frequency
Monthly, the Legal team obtains and retains independent written confirmation from outside counsel that all reserve assets remain held in a properly constituted trust, correctly tit
Risk Statement
Missing or failed segregation verification will result in reserve assets losing their bankruptcy-remote status through commingling with operational funds—directly exposing stablecoin holders to the loss of their § 11 priority claim in insolvency proceedings.
Control Description
Preventive manual control: Outside legal counsel provides a monthly written confirmation that reserve assets are properly trust-held, correctly titled, and free of commingling with operating funds. The trust agreement and all legal opinions are retained as permanent examination evidence. The board audit committee reviews segregation status annually and in response to any material operational chang
COSO 2013 Control Environment (Component 1) — Commitment to Integrity
NIST CSF 2.0 GV.PO-1 — Policy Established (Govern)
FFIEC IT Management — Legal and Compliance Oversight
ISO 27001:2022 A.5.31 — Legal, Statutory, Regulatory Requirements
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
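The four daily limits in D04 steps 14 to 17 (fair-value coverage against totalSupply(), the 10%/30% liquidity buckets, WAM ≤ 20 days with no T-bill beyond 93 days, and ≤ 40% per EFI with ≤ 50% of the daily bucket per EFI) are easiest to see as one check that runs both on the daily valuation and as the pre-trade gate. The following is an added example written for this page, not the program's own code or any issuer's system. The Asset fields, the EFI names, the prices and the 1,000,000-token supply are all constructed; the thresholds are the ones the steps state.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Thresholds exactly as stated in D04 steps 14-17.
COVERAGE_MIN = 1.0           # fair-value reserves / on-chain totalSupply()
DAILY_LIQUID_MIN = 0.10      # share immediately liquid
WEEKLY_LIQUID_MIN = 0.30     # share redeemable within 5 business days
WAM_MAX_DAYS = 20            # weighted average maturity
MATURITY_MAX_DAYS = 93       # any single T-bill
EFI_MAX_SHARE = 0.40         # reserves per eligible financial institution
EFI_DAILY_BUCKET_MAX = 0.50  # share of the daily liquidity bucket per EFI


@dataclass(frozen=True)
class Asset:
    kind: str               # "cash", "tbill" or "repo" (assumed field names)
    efi: str                # eligible financial institution holding the asset
    face: float             # face / notional amount
    price: float            # today's fair-value price per unit of face (never amortized cost)
    days_to_maturity: int   # 0 = immediately liquid (demand deposit)

    @property
    def value(self) -> float:
        return self.face * self.price


def check_reserve(assets, total_supply):
    """Run every daily limit and return (ok, findings).

    findings is a list of (code, detail) tuples, one per breached limit, so a
    dashboard can route each code to its own alert rather than raise one flag.
    """
    findings = []
    nav = sum(a.value for a in assets)
    if nav <= 0:
        return False, [("COVERAGE", "reserve portfolio has no value")]
    coverage = nav / total_supply if total_supply else float("inf")
    if coverage < COVERAGE_MIN:
        findings.append(("COVERAGE", f"{coverage:.4f} < {COVERAGE_MIN}"))

    daily = sum(a.value for a in assets if a.days_to_maturity == 0)
    weekly = sum(a.value for a in assets if a.days_to_maturity <= 5)
    if daily / nav < DAILY_LIQUID_MIN:
        findings.append(("DAILY_LIQUIDITY", f"{daily / nav:.4f} < {DAILY_LIQUID_MIN}"))
    if weekly / nav < WEEKLY_LIQUID_MIN:
        findings.append(("WEEKLY_LIQUIDITY", f"{weekly / nav:.4f} < {WEEKLY_LIQUID_MIN}"))

    # WAM is value-weighted, so a small long-dated position moves it less than a large one.
    wam = sum(a.value * a.days_to_maturity for a in assets) / nav
    if wam > WAM_MAX_DAYS:
        findings.append(("WAM", f"{wam:.2f} days > {WAM_MAX_DAYS}"))
    for a in assets:
        if a.days_to_maturity > MATURITY_MAX_DAYS:
            findings.append(("MATURITY", f"{a.kind}@{a.efi}: {a.days_to_maturity} days > {MATURITY_MAX_DAYS}"))

    by_efi, daily_by_efi = defaultdict(float), defaultdict(float)
    for a in assets:
        by_efi[a.efi] += a.value
        if a.days_to_maturity == 0:
            daily_by_efi[a.efi] += a.value
    for efi, v in by_efi.items():
        if v / nav > EFI_MAX_SHARE:
            findings.append(("EFI_SHARE", f"{efi}: {v / nav:.4f} > {EFI_MAX_SHARE}"))
    for efi, v in daily_by_efi.items():
        if daily and v / daily > EFI_DAILY_BUCKET_MAX:
            findings.append(("EFI_DAILY_SHARE", f"{efi}: {v / daily:.4f} of daily bucket > {EFI_DAILY_BUCKET_MAX}"))
    return not findings, findings


def pre_trade_check(assets, total_supply, purchase, funding_efi):
    """Hard pre-trade gate (steps 16-17): fund the purchase from the cash position
    at funding_efi, then re-run every limit on the simulated post-trade book.
    The order is released only if that book is clean."""
    cost = purchase.value
    simulated, funded = [], False
    for a in assets:
        if not funded and a.kind == "cash" and a.efi == funding_efi and a.value >= cost:
            simulated.append(replace(a, face=a.face - cost / a.price))
            funded = True
        else:
            simulated.append(a)
    if not funded:
        return False, [("CASH", f"no cash position at {funding_efi} covers {cost:,.0f}")]
    simulated.append(purchase)
    return check_reserve(simulated, total_supply)


# Constructed sample book: a 1,000,000-token supply backed by 1,009,000 of
# fair-value reserves across four EFIs (names and figures are made up).
SAMPLE_SUPPLY = 1_000_000.0
SAMPLE_ASSETS = [
    Asset("cash", "BankA", 120_000, 1.0, 0),
    Asset("cash", "BankB", 80_000, 1.0, 0),
    Asset("cash", "BankC", 50_000, 1.0, 0),
    Asset("tbill", "BankC", 250_000, 0.998, 30),
    Asset("tbill", "BankB", 200_000, 0.999, 10),
    Asset("repo", "BankA", 160_000, 1.0, 1),
    Asset("tbill", "BankD", 150_000, 0.998, 45),
]

if __name__ == "__main__":
    print("daily check:", check_reserve(SAMPLE_ASSETS, SAMPLE_SUPPLY))
    # An 80-day T-bill funded from BankA cash pushes WAM past 20 days and leaves
    # BankB holding more than half of the (now smaller) daily liquidity bucket.
    print("pre-trade:", pre_trade_check(SAMPLE_ASSETS, SAMPLE_SUPPLY,
                                        Asset("tbill", "BankC", 100_000, 0.99, 80), "BankA"))
```

Two design points carry over to a real portfolio system. The limits are evaluated on the simulated post-trade book, not on the current one, because a purchase that is individually compliant (80 days is under the 93-day cap) can still breach WAM or the daily-bucket concentration once the cash that funds it is gone. And every breach is returned as a separate code rather than a single pass/fail, which is what lets the dashboard in step 14 page the Reserve Manager on a coverage breach while routing a concentration breach to the custody relationship owner.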
D09
Attestation & Reporting
5 steps ICA L03 · L09
39
Weekly OCC reporting — confidential reserve total report submitted to OCC by designated deadline; automated data pull from reserve managemen
Regulatory Reporting DE.CM-7 — Monitoring for Unauthorized Activity (Detect)
Timing / Frequency
Weekly, the Regulatory Reporting team submits a confidential reserve total report to the OCC before the designated deadline—sourced automatically from the reserve management system
Risk Statement
Missing or failed reporting infrastructure will result in the weekly OCC report being late, inaccurate, or manually compiled—each of which independently constitutes a regulatory violation under the OCC NPR, triggering enforcement action and eroding supervisory confidence.
Control Description
Preventive automated control: An automated reporting data pipeline pulls reserve valuation, token supply, and reconciliation data continuously. The weekly report is generated by automated pull—not manual compilation—eliminating transcription error. System availability monitoring ensures pipeline operation; a pre-deadline checkpoint alert fires if the report has not been generated by the required i
COSO 2013 Information & Communication (Component 4) — External Communication
NIST CSF 2.0 DE.CM-7 — Monitoring for Unauthorized Activity (Detect)
FFIEC Audit — Audit Trail & Regulatory Reporting
ISO 27001:2022 A.8.16 — Monitoring Activities; A.8.15 Logging
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
40
Monthly RPAF examination — Registered Public Accounting Firm examines reserve composition, token supply, and reconciliation; findings docume
Third-Party Management ID.RA-3 — Threats Identified (Identify)
Timing / Frequency
Monthly, the Registered Public Accounting Firm (RPAF) examines the previous month-end reserve composition report, outstanding token supply, and three-ledger reconciliation—providin
Risk Statement
Missing or failed RPAF examination readiness will result in an insufficient or incomplete audit trail causing the attestation to be qualified or withheld—an OCC-notifiable event that immediately triggers supervisory escalation and damages issuer credibility.
Control Description
Detective independent control: A continuous tamper-evident audit trail automatically logs all mint, burn, reserve movement, and valuation events in a system directly exportable for RPAF examination without manual extraction. The RPAF is engaged pre-launch to validate evidence architecture readiness before the first live certification cycle. This ensures the trail is examination-ready from day one.
COSO 2013 Monitoring Activities (Component 5) — Independent Evaluations
NIST CSF 2.0 ID.RA-3 — Threats Identified (Identify)
FFIEC Audit — Independent Audit Function & Audit Committee
ISO 27001:2022 A.5.35 — Independent Review of Info Security; Clause 9.2
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
41
CEO / CFO certification — executives review RPAF findings and sign monthly attestation; evidence package assembled and published on issuer w
Governance & Risk GV.RR-4 — Accountability & Performance (Govern)
Timing / Frequency
Monthly, after the RPAF examination is complete, the CEO and CFO review the examination findings, assemble the evidence package with legal counsel, and sign the reserve accuracy ce
Risk Statement
Missing or failed CEO/CFO certification controls will result in executives signing inaccurate attestations without adequate evidence review—exposing them personally to federal criminal liability of up to 20 years imprisonment for knowingly false certification under 18 U.S.C. § 1001.
Control Description
Preventive manual control: A structured CEO/CFO certification workflow assembles a pre-reviewed evidence package before executives sign. Legal counsel reviews the evidence package for accuracy and completeness before signature is authorized. All signed certificates are retained with supporting evidence. Board members and certifying executives receive formal criminal liability briefings at onboardi
COSO 2013 Information & Communication (Component 4) — Reporting Accuracy
NIST CSF 2.0 GV.RR-4 — Accountability & Performance (Govern)
FFIEC IT Management — Board & Senior Management Reporting
ISO 27001:2022 Clause 9.3 — Management Review; A.5.36 Compliance
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
42
Quarterly call-report analog — financial and operational metrics submitted to OCC; board attestation on risk management adequacy
Governance & Risk GV.OC-1 — Organizational Context (Govern)
Timing / Frequency
Quarterly, the Finance and Regulatory Affairs team compiles and submits financial and operational metrics to the OCC—with formal board attestation on risk management adequacy—withi
Risk Statement
Missing or failed quarterly board attestation will result in board members who have not been briefed on their criminal liability signing attestations without understanding their personal exposure—creating both governance credibility risk with the OCC and individual liability for inaccurate certification.
Control Description
Preventive manual control: A board education program on criminal liability under 18 U.S.C. § 1001 is delivered to all board members and certifying executives at onboarding and annually. Documented acknowledgment is retained in the governance file. Quarterly submission is calendar-tracked with automated reminders. Late submissions trigger escalation to the Chief Compliance Officer and General Couns
COSO 2013 Control Environment (Component 1) — Board Oversight
NIST CSF 2.0 GV.OC-1 — Organizational Context (Govern)
FFIEC IT Management — Board-Level IT Governance
ISO 27001:2022 Clause 5.1 — Leadership & Commitment; A.5.36 Compliance
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
43
Annual PCAOB audit (≥$50B) — full financial statement audit by PCAOB-registered firm; findings reported to OCC and published publicly
Third-Party Management GV.SC-7 — Assessment & Monitoring (Govern)
Timing / Frequency
Annually, a PCAOB-registered accounting firm performs a full financial statement audit in accordance with PCAOB standards—for issuers exceeding $50 billion in outstanding token iss
Risk Statement
Missing or failed audit readiness will result in the PCAOB firm issuing a qualified or adverse opinion—triggering mandatory OCC notification, public disclosure obligations, and a heightened examination cycle that materially damages issuer credibility with regulators, counterparties, and holders.
Control Description
Preventive independent control: The RPAF is engaged during the pre-launch period to review the evidence architecture and attestation workflow before the first live certification cycle—ensuring the audit trail, evidence package process, and internal controls are examination-ready from the start rather than retrofitted after a first qualification.
COSO 2013 Monitoring Activities (Component 5) — Ongoing & Separate Evaluations
NIST CSF 2.0 GV.SC-7 — Assessment & Monitoring (Govern)
FFIEC Audit — External Audit Requirements & PCAOB
ISO 27001:2022 A.5.35 — Independent Review; Clause 10 Improvement
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
L04
Mint/Burn & Token Lifecycle (CRITICAL)
Supply authorization, minting workflow, multi-sig, redemption, burning.
10 process steps
L04 covers the full token lifecycle. D03 handles new supply creation; D08 handles redemption processing and burning. Block/freeze/reject capability must be independently tested across all deployed networks.
D03
Minting
5 steps ICA L04
09
Reserve deposit confirmed — client deposits fiat; custodian confirms receipt and 1:1 HQLA coverage before mint signal issued
ITAC — Processing Controls PR.DS-1 — Data-at-Rest Protection (Protect)
Timing / Frequency
At each client fiat deposit event, the Reserve Management system automatically confirms receipt from the custodian and validates that the 1:1 HQLA reserve coverage is in place—enfo
Risk Statement
Missing or failed reserve deposit confirmation will result in tokens being minted without confirmed reserve backing, breaking the 1:1 peg—the core GENIUS Act § 4(a)(1)(A) violation that directly triggers OCC enforcement action and potential receivership proceedings.
Control Description
Preventive automated control: The reserve management system enforces a hard protocol gate—the smart contract cannot execute mint() unless the custodian has issued a confirmed 1:1 HQLA coverage signal. No human override bypasses this gate. Over-issuance is not possible regardless of human instruction if the system gate has not cleared.
COSO 2013 Control Activities (Component 3) — Authorization Controls
NIST CSF 2.0 PR.DS-1 — Data-at-Rest Protection (Protect)
FFIEC Operations — Transaction Processing Integrity
ISO 27001:2022 A.8.6 — Capacity Management; A.5.15 Access Control
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
10
Off-chain verification gate — reserve management system validates coverage ratio ≥ 1.0 before issuing mint authorization signal
ITGC — Access Management PR.AC-4 — Access Permissions (Protect)
Timing / Frequency
At each minting event, the off-chain reserve management system automatically computes the current coverage ratio and validates it is at or above 1.0 before issuing the mint authori
Risk Statement
Missing or failed off-chain verification gate will result in a coverage ratio calculation error issuing a mint authorization when reserves are actually insufficient, causing a silent reserve deficiency that may accumulate undetected until the next reconciliation cycle.
Control Description
Preventive automated control: The reserve management system computes the coverage ratio using real-time, fair-value pricing data—not amortized cost—from verified custodian feeds before generating the mint authorization signal. The calculation result is logged with timestamp before every mint. A minimum 3-of-5 multi-signature quorum is required to proceed after the coverage gate clears.
COSO 2013 Control Activities (Component 3) — Segregation of Duties
NIST CSF 2.0 PR.AC-4 — Access Permissions (Protect)
FFIEC Authentication Guidance — Multi-Party Controls
ISO 27001:2022 A.5.3 — Segregation of Duties; A.8.18 Privileged Programs
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
11
Multi-party authorization — issuer officer, custodian, compliance officer each sign; quorum threshold met per OCC § 15.14
ITAC — Reconciliation DE.CM-7 — Monitoring for Unauthorized Activity (Detect)
Timing / Frequency
At each minting event, the Issuer Officer, Custodian, and Compliance Officer must each independently sign the mint authorization through the multi-signature workflow, with a minimu
Risk Statement
Missing or failed multi-party authorization will result in a single compromised key or insider threat being able to execute mint() unilaterally—inflating token supply without reserve backing and without triggering any co-approver detection control.
Control Description
Preventive automated control: Multi-signature authorization with a minimum 3-of-5 quorum is enforced at the smart contract level—not at the application layer. A single party cannot authorize a mint regardless of role. All authorization events are logged on-chain with individual party attribution. The quorum threshold and authorized signer list are hard-coded in the contract and require a governanc
COSO 2013 Control Activities (Component 3) — Reconciliation Controls
NIST CSF 2.0 DE.CM-7 — Monitoring for Unauthorized Activity (Detect)
FFIEC Operations — Reconciliation & Settlement
ISO 27001:2022 A.8.16 — Monitoring Activities; A.8.20 Networks Security
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
12
Smart contract mint() execution — tokens minted on-chain; immutable event log generated for OCC audit trail
ITAC — Application Controls DE.AE-3 — Event Data Aggregated (Detect)
Timing / Frequency
Upon quorum authorization, the smart contract automatically executes the mint() function on-chain, generating an immutable, timestamped event log that captures the authorization si
Risk Statement
Missing or failed smart contract controls will result in a code vulnerability in the mint() logic being exploited to double-mint, bypass the authorization gate, or inflate supply—causing immediate reserve deficiency and holder confidence loss with no on-chain rollback capability.
Control Description
Preventive application control: The mint() function is deployed to mainnet only after independent third-party security audit with no critical findings outstanding. Every on-chain mint event generates an immutable audit log with timestamp, signer identities, quantity, and block hash—extractable directly for OCC examination without manual data compilation.
COSO 2013 Monitoring Activities (Component 5) — Ongoing Monitoring
NIST CSF 2.0 DE.AE-3 — Event Data Aggregated (Detect)
FFIEC Audit — Audit Trail Requirements
ISO 27001:2022 A.8.15 — Logging; A.8.17 Clock Synchronization
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
13
Three-ledger reconciliation post-mint — on-chain supply, custodian balance, internal ledger reconciled after every mint event
ITAC — Reconciliation ID.RA-5 — Threat Intelligence (Identify)
Timing / Frequency
After every minting event, the Finance and Technology teams run automated three-ledger reconciliation—comparing on-chain token supply, custodian balance, and internal ledger—alerti
Risk Statement
Missing or failed post-mint reconciliation will result in divergence between the on-chain supply, custodian records, and internal ledger going undetected—creating hidden reserve exposure that accumulates silently across multiple mint events until it surfaces at the monthly RPAF examination.
Control Description
Detective automated control: Real-time three-ledger reconciliation runs automatically after every mint event, comparing on-chain totalSupply(), the custodian balance feed, and the internal ledger. Any variance above zero triggers an immediate automated alert to the Reserve Manager. Oracle data is sourced from multiple independent price feeds to prevent single-source manipulation.
COSO 2013 Risk Assessment (Component 2) — Risk Identification
NIST CSF 2.0 ID.RA-5 — Threat Intelligence (Identify)
FFIEC Operations — Third-Party Data Integrity
ISO 27001:2022 A.5.23 — Cloud Services; A.8.6 Capacity
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
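D03 steps 9 to 13 describe one ordered pipeline: a custodian-confirmed deposit, an off-chain coverage gate at ≥ 1.0, a 3-of-5 quorum in which no single party can mint, an immutable event log, and a three-ledger reconciliation after every mint. The block below is an added example written for this page; it is not the program's own code, not a real contract, and not any issuer's system. HMAC keys per signer stand in for the on-chain signature verification a multi-sig contract would perform, the ledger figures and request fields are constructed, and the hash-chained log is one way to give an off-chain copy of the audit trail the tamper evidence step 40 asks for.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

QUORUM = 3           # minimum 3-of-5 signers (steps 10-11)
COVERAGE_MIN = 1.0   # off-chain gate (step 10)

# Constructed: one HMAC key per authorized party. A production contract verifies
# per-party signatures on-chain; HMAC stands in so the flow runs offline.
SIGNER_KEYS = {
    "issuer_officer": b"constructed-key-1",
    "custodian": b"constructed-key-2",
    "compliance_officer": b"constructed-key-3",
    "treasury": b"constructed-key-4",
    "risk": b"constructed-key-5",
}


def canonical(obj) -> bytes:
    """Deterministic encoding so every party signs and hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(signer, request) -> str:
    return hmac.new(SIGNER_KEYS[signer], canonical(request), "sha256").hexdigest()


def valid_signers(request, signatures) -> set:
    """Distinct authorized parties whose signature verifies over this exact request.
    A signature replayed from a different request, or from an unknown party, does not count."""
    ok = set()
    for signer, sig in signatures.items():
        key = SIGNER_KEYS.get(signer)
        if key and hmac.compare_digest(sig, hmac.new(key, canonical(request), "sha256").hexdigest()):
            ok.add(signer)
    return ok


class AuditLog:
    """Append-only, hash-chained event log: editing any past entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, event) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"prev": prev, **event}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class Ledgers:
    """The three ledgers step 13 reconciles, in token units (1 token = 1 unit of fiat)."""
    onchain_supply: float
    internal_ledger: float
    custodian_balance: float  # fair-value reserve confirmed by the custodian


def confirm_deposit(ledgers, log, amount):
    """Step 9: custodian-confirmed fiat receipt, logged before any mint signal."""
    ledgers.custodian_balance += amount
    log.append({"type": "deposit_confirmed", "amount": amount})


def reconcile(ledgers) -> dict:
    """Step 13: variance between the three ledgers; any non-zero value is an alert."""
    return {"ledger_variance": abs(ledgers.onchain_supply - ledgers.internal_ledger),
            "reserve_shortfall": max(0, ledgers.onchain_supply - ledgers.custodian_balance)}


def mint(ledgers, log, request, signatures):
    """Steps 10-13 in order: coverage gate, quorum, on-chain mint, reconciliation."""
    amount = request["amount"]
    coverage = ledgers.custodian_balance / (ledgers.onchain_supply + amount)
    if coverage < COVERAGE_MIN:  # the gate is evaluated on the post-mint supply
        log.append({"type": "mint_rejected", "reason": "coverage", "coverage": round(coverage, 6)})
        return "rejected", f"coverage {coverage:.4f} < {COVERAGE_MIN}"
    signers = valid_signers(request, signatures)
    if len(signers) < QUORUM:
        log.append({"type": "mint_rejected", "reason": "quorum", "valid_signers": sorted(signers)})
        return "rejected", f"quorum {len(signers)}/{QUORUM}"
    ledgers.onchain_supply += amount
    ledgers.internal_ledger += amount
    log.append({"type": "mint", "amount": amount, "signers": sorted(signers), "coverage": round(coverage, 6)})
    variance = reconcile(ledgers)
    if any(variance.values()):
        log.append({"type": "reconciliation_alert", **variance})
        return "minted_with_alert", str(variance)
    return "minted", "ok"


def demo():
    """Constructed walk-through: one clean mint, one coverage rejection, one quorum rejection."""
    ledgers, log = Ledgers(onchain_supply=1_000_000, internal_ledger=1_000_000, custodian_balance=1_000_000), AuditLog()
    confirm_deposit(ledgers, log, 250_000)
    req = {"amount": 250_000, "beneficiary": "client-42", "nonce": 1}
    full = {s: sign(s, req) for s in ("issuer_officer", "custodian", "compliance_officer")}
    results = [mint(ledgers, log, req, full)]
    req2 = {"amount": 100_000, "beneficiary": "client-42", "nonce": 2}
    results.append(mint(ledgers, log, req2, {s: sign(s, req2) for s in SIGNER_KEYS}))  # no deposit yet
    confirm_deposit(ledgers, log, 100_000)
    partial = {"issuer_officer": sign("issuer_officer", req2), "custodian": sign("custodian", req2),
               "compliance_officer": sign("compliance_officer", req)}  # replayed from req, so it fails
    results.append(mint(ledgers, log, req2, partial))
    return ledgers, log, results
```

The ordering matters: the coverage gate runs before signatures are even examined, so five valid signers cannot push a mint through when reserves are short, which is the "no human override" property in step 9. Signatures are checked over the canonical bytes of the specific request, so a signature lifted from an earlier request does not count toward quorum. The rejected attempts are logged with the same chaining as successful mints, which is what an RPAF examiner needs to see that the gate fired rather than merely that no bad mint occurred.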
D08
Redemption & Burning
5 steps ICA L04 · L09
34
Redemption request receipt — holder submits request; identity verified; request logged with timestamp initiating T+2 clock
ITAC — Processing Controls PR.DS-6 — Integrity Checking (Protect)
Timing / Frequency
At each holder redemption request, the Operations and Compliance teams receive, identity-verify, timestamp, and log the request in the redemption management system—starting the T+2
Risk Statement
Missing or failed redemption intake controls will result in requests not being logged with accurate timestamps—making it impossible to demonstrate T+2 SLA compliance to the OCC, and creating consumer harm liability for any holder denied timely redemption.
Control Description
Preventive automated control: A burn escrow with wire-confirmation gate is enforced at the smart contract level—burn() can only execute after a confirmed wire receipt signal from the correspondent bank. All redemption requests are logged with OCC-auditable timestamps at the moment of receipt. Escrow prevents tokens from being re-spent during the pending settlement window.
COSO 2013 Control Activities (Component 3) — Processing Controls
NIST CSF 2.0 PR.DS-6 — Integrity Checking (Protect)
FFIEC Wholesale Payments — Settlement Risk Controls
ISO 27001:2022 A.8.6 — Capacity Management; A.5.30 ICT Readiness
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
35
Reserve liquidation — sufficient HQLA liquidated to fund fiat payout; T-bills sold or repo unwound; proceeds moved to settlement account
Operational Controls DE.CM-6 — External Service Provider Activity (Dete
Timing / Frequency
Within the T+2 window, the Reserve Management team liquidates sufficient HQLA (T-bills, repos) to fund the fiat payout, moves proceeds to the settlement account, and monitors all o
Risk Statement
Missing or failed reserve liquidation controls will result in premature token burning before wire settlement is confirmed—leaving holders with neither tokens nor fiat—creating direct legal liability and triggering an OCC-reportable redemption failure event under the GENIUS Act framework.
Control Description
Detective automated and manual control: T+2 SLA monitoring tracks all open redemptions automatically, escalating to senior management when SLA breach risk is detected. The reserve liquidation playbook is validated periodically through live T-bill monetization exercises. All SLA breaches are documented and reported to the OCC per the incident response plan.
COSO 2013 Control Activities (Component 3) — Monitoring Controls
NIST CSF 2.0 DE.CM-6 — External Service Provider Activity (Detect)
FFIEC Wholesale Payments — Liquidity Risk Management
ISO 27001:2022 A.8.16 — Monitoring Activities; A.5.24 Incident Planning
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
36
Burn escrow lock — tokens transferred to burn escrow contract; locked pending wire confirmation; cannot be re-spent during pending redemptio
ITAC — Application Controls RC.RP-1 — Recovery Plan Executed (Recover)
Timing / Frequency
Simultaneously with redemption request receipt, the smart contract locks the submitted tokens in a burn escrow contract—preventing re-use or double-spend—holding them in escrow unt
Risk Statement
Missing or failed escrow controls will result in fraudulent or manipulated redemption requests triggering unauthorized token burns that reduce circulating supply without corresponding fiat payment—disrupting the supply-reserve balance and potentially masking reserve deficiency.
Control Description
Preventive application control: Tokens are transferred to a burn escrow smart contract upon redemption request initiation. They are locked and cannot be transferred or re-spent during the pending settlement period. Liquidity stress testing validates the issuer's ability to fund redemptions within T+2 under defined stress scenarios. Stress test results are documented and retained for OCC examinatio
COSO 2013 Risk Assessment (Component 2) — Risk Response
NIST CSF 2.0 RC.RP-1 — Recovery Plan Executed (Recover)
FFIEC Business Continuity — Liquidity Stress Testing
ISO 27001:2022 A.5.30 — ICT Readiness for Business Continuity
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
37
Fiat wire settlement — fiat wire executed to holder's designated account; wire confirmation received from correspondent bank
Governance & Risk GV.PO-2 — Policy Reviewed (Govern)
Timing / Frequency
Upon successful reserve liquidation, the Operations team executes the fiat wire to the holder's designated account and obtains written wire confirmation from the correspondent bank
Risk Statement
Missing or failed wire settlement confirmation controls will result in the token burn executing before fiat delivery is confirmed—leaving the holder without tokens or fiat—and if the SLA is breached, triggering automatic OCC receivership provisions under GENIUS Act § 11.
Control Description
Preventive manual and automated control: Wire confirmation from the correspondent bank is an explicit system gate before burn() authorization is issued. A public redemption policy published on the issuer's website per OCC requirements discloses all fees, SLAs, the T+7 stress trigger (>10% supply in 24 hours), and the dispute resolution process. T+2 SLA automated monitoring escalates approaching
COSO 2013 Information & Communication (Component 4) — External Communication
NIST CSF 2.0 GV.PO-2 — Policy Reviewed (Govern)
FFIEC Wholesale Payments — Customer Disclosure Requirements
ISO 27001:2022 A.5.31 — Legal Requirements; A.5.37 Documented Procedures
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
38
Burn() execution — smart contract burn() executes only after wire confirmation received; permanent destruction logged on-chain; supply decre
ITAC — Reconciliation DE.AE-5 — Incidents Declared (Detect)
Timing / Frequency
Immediately upon wire confirmation receipt, the smart contract executes burn() to permanently destroy the escrowed tokens on-chain—and the system automatically reconciles the updat
Risk Statement
Missing or failed post-burn reconciliation will result in the reserve-to-supply ratio being disrupted if reserve liquidation partially fails but the burn executes—creating a silent coverage deficit that may persist undetected until the next daily reserve valuation cycle.
Control Description
Detective automated control: Coverage ratio is automatically recomputed immediately after every burn() execution. An automated alert fires if the post-burn ratio deviates from the expected 1:1 by more than a defined tolerance threshold. This provides a real-time, post-transaction integrity check independent of the daily reserve valuation, ensuring any coverage gap is identified within minutes.
COSO 2013 Monitoring Activities (Component 5) — Ongoing Monitoring
NIST CSF 2.0 DE.AE-5 — Incidents Declared (Detect)
FFIEC Operations — Reconciliation Controls
ISO 27001:2022 A.8.16 — Monitoring Activities; A.8.15 Logging
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
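Steps 34 to 38 describe one procedure (timestamped intake, escrow lock, a burn that runs only after the correspondent bank's wire confirmation, and a post-burn coverage check) and the mint step above describes the three-ledger reconciliation. The Python model below is an added example, not code from the page or from any issuer's system; it runs both controls over constructed balances, and the coverage tolerance, the holder and request names, and the custodian feed values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from enum import Enum


class State(Enum):
    ESCROWED = "escrowed"              # step 36: locked, cannot be re-spent
    WIRE_CONFIRMED = "wire_confirmed"  # step 37: correspondent bank confirmed
    BURNED = "burned"                  # step 38: destroyed on-chain


@dataclass
class Redemption:
    holder: str
    amount: Decimal
    received_at: datetime
    state: State = State.ESCROWED

    @property
    def sla_deadline(self):
        return self.received_at + timedelta(days=2)  # step 34: T+2 clock


class RedemptionEngine:
    # Assumed tolerance for the post-burn 1:1 check; the page leaves it undefined.
    COVERAGE_TOLERANCE = Decimal("0.0001")

    def __init__(self, total_supply, reserve_balance):
        self.total_supply = Decimal(total_supply)        # on-chain totalSupply()
        self.reserve_balance = Decimal(reserve_balance)  # custodian balance feed
        self.internal_ledger = Decimal(total_supply)     # issuer's internal ledger
        self.escrow = {}
        self.alerts = []
        self.audit_log = []

    def _log(self, now, event):
        self.audit_log.append(f"{now.isoformat()} {event}")  # auditable timestamp

    def receive_request(self, req_id, holder, amount, now):
        # Steps 34 + 36: log the request and lock the tokens in escrow.
        self.escrow[req_id] = Redemption(holder, Decimal(amount), now)
        self._log(now, f"RECEIVED {req_id} {amount} from {holder}")

    def confirm_wire(self, req_id, reserve_feed_balance, now):
        # Steps 35 + 37: fiat left the reserve; bank confirmation opens the gate.
        self.escrow[req_id].state = State.WIRE_CONFIRMED
        self.reserve_balance = Decimal(reserve_feed_balance)
        self._log(now, f"WIRE_CONFIRMED {req_id}")

    def burn(self, req_id, now):
        # Step 38: burn() refuses to run without the wire-confirmation signal.
        r = self.escrow[req_id]
        if r.state is not State.WIRE_CONFIRMED:
            raise PermissionError(f"burn refused for {req_id}: {r.state.value}")
        r.state = State.BURNED
        self.total_supply -= r.amount
        self.internal_ledger -= r.amount
        self._log(now, f"BURNED {req_id} {r.amount}")
        return self.check_coverage()

    def check_coverage(self):
        # Recompute reserve/supply right after the burn, independent of the
        # daily valuation; alert on any deviation beyond tolerance.
        if self.total_supply == 0:
            return Decimal(1)
        ratio = self.reserve_balance / self.total_supply
        if abs(ratio - 1) > self.COVERAGE_TOLERANCE:
            self.alerts.append(f"coverage ratio {ratio:.6f} outside tolerance")
        return ratio

    def reconcile(self):
        # Three-ledger reconciliation: any variance above zero raises an alert.
        variance = max(abs(self.total_supply - self.reserve_balance),
                       abs(self.total_supply - self.internal_ledger))
        if variance > 0:
            self.alerts.append(f"three-ledger variance {variance}")
        return variance

    def sla_breaches(self, now):
        # T+2 SLA monitoring over open redemptions (step 35).
        return [rid for rid, r in self.escrow.items()
                if r.state is not State.BURNED and now > r.sla_deadline]


def run_scenarios():
    """Constructed sample: a clean redemption, then a reserve shortfall."""
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    eng = RedemptionEngine(1_000_000, 1_000_000)
    eng.receive_request("R-1", "holder-A", 100_000, t0)
    eng.confirm_wire("R-1", 900_000, t0 + timedelta(hours=6))
    clean_ratio = eng.burn("R-1", t0 + timedelta(hours=7))
    # Constructed shortfall: the custodian feed shows 1,000 less than expected.
    eng.receive_request("R-2", "holder-B", 100_000, t0 + timedelta(days=1))
    eng.confirm_wire("R-2", 799_000, t0 + timedelta(days=1, hours=6))
    deficit_ratio = eng.burn("R-2", t0 + timedelta(days=1, hours=7))
    eng.receive_request("R-3", "holder-C", 50_000, t0 + timedelta(days=2))
    breaches = eng.sla_breaches(t0 + timedelta(days=5))  # R-3 is past T+2
    return eng, clean_ratio, deficit_ratio, breaches
```

The second redemption shows the silent deficit step 38 warns about: the burn itself succeeds, and only the immediate post-burn ratio check surfaces the 1,000 gap before the daily valuation would.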
L05
Custody & Key Management
HSM key management, key ceremony, wallet provisioning, custodian TPRM.
13 process steps
L05 covers all custody and third-party trust relationships. D02 covers wallet controls; D05 covers HSM and key ceremonies; D13 covers custodian and technology vendor due diligence including GENIUS Act §10 qualification.
🔐
D02
Wallet Management
4 steps ICA L05 · L07
05
Wallet architecture design — define hot/warm/cold wallet tiers, key generation protocols, and segregation of issuer vs. reserve keys
ITGC — Access Management PR.AC-1 — Identities and Credentials (Protect)
Timing / Frequency
Prior to any key generation or wallet provisioning, the Technology and Security teams design and formally document the tiered hot/warm/cold wallet architecture, specifying per-tier
Risk Statement
Missing or failed wallet architecture design will result in a flat key structure where a single compromised key enables unlimited unauthorized transactions without detection—creating total reserve asset loss exposure with no architectural barrier to prevent it.
Control Description
Preventive design control: A formally documented tiered wallet architecture policy is produced and approved by the CISO and CTO before any keys are generated. The policy specifies hot/warm/cold tiers, per-tier transaction dollar limits, reserve key segregation requirements, and access protocol per tier. This document serves as the baseline for all subsequent key ceremony and access provisioning ac
COSO 2013 Control Activities (Component 3) — Design of Control Activities
NIST CSF 2.0 PR.AC-1 — Identities and Credentials (Protect)
FFIEC Information Security — Access Architecture
ISO 27001:2022 A.5.15 — Access Control; A.8.24 Use of Cryptography
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
06
Wallet governance policy — define signing authority matrix, per-transaction limits, and multi-sig quorum requirements by wallet tier
ITGC — Access Management PR.AC-4 — Access Permissions Managed (Protect)
Timing / Frequency
Prior to launch and quarterly thereafter, the CISO and Compliance Officer define and certify the signing authority matrix—specifying which roles may authorize transactions, at what
Risk Statement
Missing or failed wallet governance policy will result in high-value transactions being executed without appropriate role-based authorization, enabling unauthorized fund movement or reserve depletion without a documented approval chain that can withstand OCC examination.
Control Description
Preventive manual control: A board-approved, version-controlled signing authority matrix documents transaction limits and multi-sig quorum requirements for each wallet tier. The policy is reviewed and recertified quarterly by the CISO and Compliance Officer. Any amendment requires dual sign-off and version-controlled change documentation before deployment.
COSO 2013 Control Activities (Component 3) — Authorization Controls
NIST CSF 2.0 PR.AC-4 — Access Permissions Managed (Protect)
FFIEC Information Security — Access Control Policy
ISO 27001:2022 A.5.15 — Access Control; A.5.3 Segregation of Duties
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
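Steps 05 and 06 define the tiered architecture and the signing authority matrix (per-tier limits, multi-sig quorum, issuer/reserve key segregation). The function below is an added example, not the page's or any issuer's code, of how such a matrix is evaluated at signing time; the tiers' limits, quorums, role names and the sample signers are constructed assumptions, and quorum is counted over distinct eligible people so that one person presenting two keys cannot satisfy it alone.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed signing authority matrix (constructed; the page gives no figures).
# Per tier: per-transaction dollar limit, multi-sig quorum, roles that may sign.
SIGNING_MATRIX = {
    "hot":  {"limit": Decimal("50000"),    "quorum": 2, "roles": {"ops_signer", "treasury"}},
    "warm": {"limit": Decimal("1000000"),  "quorum": 3, "roles": {"treasury", "ciso", "cfo"}},
    "cold": {"limit": Decimal("25000000"), "quorum": 4, "roles": {"treasury", "ciso", "cfo", "ceo"}},
}


@dataclass(frozen=True)
class Signer:
    user_id: str
    role: str
    key_domain: str  # "issuer" or "reserve": the two key sets are segregated (step 05)


def authorize(tier, amount, signers, key_domain):
    """Evaluate one signing request against the matrix.

    Returns (approved, reasons). Every failing rule is reported, not just the
    first, so the rejection record documents the complete approval chain.
    """
    reasons = []
    policy = SIGNING_MATRIX.get(tier)
    if policy is None:
        return False, [f"unknown wallet tier {tier!r}"]
    amount = Decimal(amount)
    if amount <= 0:
        reasons.append("amount must be positive")
    if amount > policy["limit"]:
        reasons.append(f"amount {amount} exceeds {tier} tier limit {policy['limit']}")
    # Quorum counts distinct people: the same user signing twice is one signer.
    distinct = {s.user_id: s for s in signers}
    if len(distinct) < len(signers):
        reasons.append("duplicate signer: the same user signed more than once")
    eligible = []
    for s in distinct.values():
        if s.key_domain != key_domain:
            # Reserve keys must never co-sign issuer transactions, and vice versa.
            reasons.append(f"{s.user_id} holds a {s.key_domain} key, not {key_domain}")
        elif s.role not in policy["roles"]:
            # A signature from a role outside the matrix is a policy anomaly.
            reasons.append(f"{s.user_id} role {s.role!r} may not sign on the {tier} tier")
        else:
            eligible.append(s)
    if len(eligible) < policy["quorum"]:
        reasons.append(f"quorum {policy['quorum']} not met: {len(eligible)} eligible signer(s)")
    if len(eligible) < 2:
        reasons.append("dual control requires two authorized people")  # floor, independent of matrix
    return not reasons, reasons
```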
07
Wallet provisioning & access setup — key generation ceremony, role-based access assignment, and credential issuance for authorized signe
ITGC — Access Management PR.AC-3 — Remote Access Managed (Protect)
Timing / Frequency
At new-joiner onboarding and upon each role change, the Security Operations team conducts a formal, witnessed key generation ceremony and provisions role-based wallet access creden
Risk Statement
Missing or failed wallet provisioning controls will result in credential sprawl—over-provisioned access rights or undocumented credentials creating unauthorized access paths that persist after personnel changes, enabling unauthorized transactions by former or mis-provisioned users.
Control Description
Preventive manual control: A formal key generation ceremony with at least two independent witnesses is required for each credential issuance. Role-based access is assigned strictly per the board-approved signing authority matrix using least-privilege. All credentials are registered in the access inventory. An independent party certifies the access list quarterly.
COSO 2013 Control Activities (Component 3) — Segregation of Duties
NIST CSF 2.0 PR.AC-3 — Remote Access Managed (Protect)
FFIEC Information Security — User Access Management
ISO 27001:2022 A.5.18 — Access Rights; A.6.1 Screening
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
08
Wallet monitoring & maintenance — balance monitoring, limit breach alerts, periodic access recertification, and dormant wallet review
ITGC — Operations / System Monitoring DE.CM-3 — Personnel Activity Monitored (Detect)
Timing / Frequency
Continuously and quarterly, the Security Operations team monitors wallet balances for anomalous activity and conducts access recertification, requiring wallet owners to re-confirm
Risk Statement
Missing or failed wallet monitoring will result in stale or terminated-employee access credentials remaining active, enabling former signers or attackers to execute unauthorized transactions without detection—a risk that compounds as personnel rotate over time.
Control Description
Detective automated and periodic manual control: Automated balance monitoring with configurable threshold alerts runs continuously. Quarterly access recertification requires all wallet owners to review and actively reconfirm each access right. Stale or terminated access is revoked within 24 hours. Recertification completion records and revocation logs are retained as examination evidence.
COSO 2013 Monitoring Activities (Component 5) — Ongoing Evaluations
NIST CSF 2.0 DE.CM-3 — Personnel Activity Monitored (Detect)
FFIEC Information Security — Monitoring & Access Review
ISO 27001:2022 A.5.18 — Access Rights; A.8.16 Monitoring Activities
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
🗝
D05
Custody & Private Key Mgmt
5 steps ICA L05
19
Key generation — private keys generated in air-gapped HSM environment; ceremony documented with independent witnesses
Cybersecurity — Key Mgmt PR.AC-1 — Identities and Credentials (Protect)
Timing / Frequency
At initial setup and at each scheduled key rotation event, the Security Operations team generates all private keys exclusively inside a FIPS 140-2 Level 3 validated HSM with at lea
Risk Statement
Missing or failed key generation controls will result in private key material being exposed in plaintext outside the HSM boundary—enabling external attackers or malicious insiders to exfiltrate keys and execute unlimited unauthorized reserve asset transfers with no detection mechanism.
Control Description
Preventive manual and technical control: All private keys are generated exclusively inside validated FIPS 140-2 Level 3 HSMs. Key material never exists in plaintext outside the HSM boundary. A documented key generation ceremony requires at least two independent witnesses. Ceremony documentation—including witness identities, timestamp, and HSM validation record—is retained permanently as examinatio
COSO 2013 Control Activities (Component 3) — Physical & Logical Security
NIST CSF 2.0 PR.AC-1 — Identities and Credentials (Protect)
FFIEC Information Security — Cryptographic Key Management
ISO 27001:2022 A.8.24 — Use of Cryptography; A.7.1 Physical Security Perimeters
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
20
Key storage and tiering — hot (online, limited amounts), warm (MFA-gated), cold (offline, geographically distributed)
Cybersecurity — Key Mgmt PR.AC-4 — Access Permissions (Protect)
Timing / Frequency
On an ongoing basis, the Security Operations team maintains all private keys in tiered hot/warm/cold custody vaults with a mandatory two-person dual-control rule for all key access
Risk Statement
Missing or failed key tiering and dual control will result in a single individual having unchecked access to sign-capable keys—enabling unauthorized asset transfers without a co-approver, the most prevalent insider theft vector in digital asset operations.
Control Description
Preventive technical and procedural control: No single individual may access or authorize key operations; all key ceremonies and transaction signings require two authorized personnel present simultaneously (dual-control/two-man rule). Cold storage keys remain offline in geographically distributed, air-gapped facilities. Warm storage requires hardware MFA. Every key access event is logged with full
COSO 2013 Control Activities (Component 3) — Segregation of Duties
NIST CSF 2.0 PR.AC-4 — Access Permissions (Protect)
FFIEC Information Security — Dual Control Requirements
ISO 27001:2022 A.5.3 — Segregation of Duties; A.8.18 Privileged Programs
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
21
Custodian oversight — covered custodian separately accounts for reserve assets per OCC § 15.21; sub-custodian arrangements require documente
Third-Party Management GV.SC-6 — Cybersecurity Supply Chain (Govern)
Timing / Frequency
At custodian onboarding and annually thereafter, the Risk and Compliance teams conduct due diligence on all covered custodians to verify OCC Subpart C eligibility (national bank, F
Risk Statement
Missing or failed custodian oversight will result in reserve assets being held by an ineligible or inadequately controlled custodian—exposing the issuer to custodian insolvency or operational failure that renders reserves inaccessible and breaks the 1:1 backing requirement without remedy.
Control Description
Preventive manual control: All custody agreements require right-to-audit, independent SOC reporting, and explicit no-rehypothecation covenants. Annual due diligence re-evaluates each custodian's OCC Subpart C eligibility. Sub-custodian arrangements are documented and subject to the same oversight standards. The custodian due diligence file is retained for OCC examination.
COSO 2013 Control Activities (Component 3) — Third-Party Controls
NIST CSF 2.0 GV.SC-6 — Cybersecurity Supply Chain (Govern)
FFIEC IT Management — Third-Party Risk Management
ISO 27001:2022 A.5.20 — Security in Supplier Agreements; A.5.22 Monitoring
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
22
Key rotation and backup — periodic rotation schedule; encrypted backups in geographically redundant cold storage; recovery tested annually
Cybersecurity — Key Mgmt PR.IP-4 — Backups Maintained (Protect)
Timing / Frequency
On a defined rotation schedule and annually, the Security Operations team rotates all active private keys and tests encrypted backup recovery from at least two geographically separ
Risk Statement
Missing or failed key rotation and backup controls will result in physical security breach exposing long-lived keys, or irrecoverable key loss permanently locking reserve assets and blocking all future redemptions—a catastrophic, potentially unrecoverable operational failure.
Control Description
Preventive manual and technical control: Private keys are rotated on a defined schedule. Encrypted backups are maintained in a minimum of two geographically separated, air-gapped facilities with independent access controls. Backup recovery is tested annually with documented results and remediation tracking. All backup access requires dual control and is logged with full attribution.
COSO 2013 Control Activities (Component 3) — Backup and Recovery
NIST CSF 2.0 PR.IP-4 — Backups Maintained (Protect)
FFIEC Business Continuity — Backup and Recovery Controls
ISO 27001:2022 A.8.13 — Information Backup; A.7.1 Physical Security
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
23
Key destruction — decommissioned keys destroyed via certified process; destruction event logged and independently witnessed
Cybersecurity — Key Mgmt DE.AE-3 — Event Data Aggregated (Detect)
Timing / Frequency
When a private key is decommissioned, the Security Operations team destroys it through a certified process with at least one independent witness present—logging the destruction eve
Risk Statement
Missing or failed key destruction controls will result in decommissioned keys remaining accessible to former signers or attackers—enabling unauthorized transactions using retired credentials, a risk that compounds as personnel rotate and key generations accumulate over time.
Control Description
Preventive manual control: Key destruction follows a documented, board-approved procedure requiring certified physical destruction of HSM key material witnessed by at least one independent party. Every destruction event generates a log entry with individual attribution, timestamp, and witness confirmation. Destruction records are retained permanently as examination evidence. Annual key inventory r
COSO 2013 Monitoring Activities (Component 5) — Ongoing Evaluations
NIST CSF 2.0 DE.AE-3 — Event Data Aggregated (Detect)
FFIEC Information Security — Audit Logging & Monitoring
ISO 27001:2022 A.8.15 — Logging; A.8.17 Clock Synchronization
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
🏢
D13
Third-Party Risk Mgmt
4 steps ICA L05 · L07 · L08
56
Vendor risk assessment and onboarding due diligence — risk-based due diligence on all third parties commensurate with criticality tier (Crit
Third-Party Management GV.SC-3 — Cybersecurity Supply Chain Risk Manageme
Timing / Frequency
Prior to contract execution with any new vendor, the Third-Party Risk and Legal teams conduct risk-proportionate due diligence—securing contractual right-to-audit, SLA commitments,
Risk Statement
Missing or failed vendor due diligence will result in undisclosed control gaps, financial instability, or unverifiable controls entering the PPSI's operating environment—and the absence of a right-to-audit prevents independent verification of vendor controls during OCC examination.
Control Description
Preventive manual control: A formal TPRM program mandates pre-contract due diligence proportional to vendor criticality tier. Right-to-audit clauses are required in all Critical/High vendor contracts. Documented SLA and uptime requirements are incorporated. Covered custodian OCC Subpart C eligibility is verified before any custodial relationship commences. TPRM files are retained for OCC examinati
COSO 2013 Control Activities (Component 3) — Third-Party Controls
NIST CSF 2.0 GV.SC-3 — Cybersecurity Supply Chain Risk Management (Govern)
FFIEC Management Handbook — Third-Party Risk Management
ISO 27001:2022 A.5.19 — Information Security in Supplier Relationships; A.5.20 Supplier Agreements
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
57
Ongoing vendor performance and KRI monitoring — continuous KRI monitoring against contracted SLAs; quarterly performance reviews for Critica
Third-Party Management GV.SC-7 — Assessment & Monitoring (Govern)
Timing / Frequency
Continuously and quarterly, the Third-Party Risk team monitors all vendor performance against contracted SLAs—conducting annual SOC report reviews for Critical/High vendors and mai
Risk Statement
Missing or failed vendor performance monitoring will result in undetected SLA breaches creating hidden operational risk—and undisclosed fourth-party concentration (e.g. a single cloud provider underlying multiple critical vendors) creating systemic exposure that could cascade into reserve or redemption processing failu
Control Description
Detective automated and periodic manual control: Real-time SLA monitoring with automated breach escalation is configured for all Critical/High vendors. Annual SOC report review and gap analysis is performed for Critical/High vendors. A fourth-party inventory is maintained and reviewed annually for Critical vendors. Concentration limits are enforced—no single provider above approved thresholds for
COSO 2013 Monitoring Activities (Component 5) — Ongoing Evaluations
NIST CSF 2.0 GV.SC-7 — Assessment & Monitoring (Govern)
FFIEC Management Handbook — Ongoing Vendor Oversight
ISO 27001:2022 A.5.22 — Monitoring and Review of Supplier Services; A.5.19 Supplier Relationships
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
58
Vendor exit and transition planning — maintain validated exit plans for all Critical/High vendors; periodic exit plan testing and tabletop e
Third-Party Management GV.SC-9 — Supply Chain Resilience (Govern)
Timing / Frequency
Annually, the Third-Party Risk and Operations teams review and validate exit plans for all Critical vendors—conducting tabletop transition exercises every two years—to confirm the
Risk Statement
Missing or failed vendor exit planning will result in critical vendor lock-in where a disorderly provider exit disrupts core stablecoin operations—breaching T+2 SLA and triggering OCC enforcement—with no documented recovery path and no pre-negotiated data portability to enable rapid transition.
Control Description
Preventive manual control: Validated exit plans are maintained and reviewed annually for all Critical vendors. A tabletop transition exercise simulates Critical vendor departure every two years with documented results. Data portability requirements are contractually secured in Critical/High vendor agreements. A redundant vendor strategy is documented and maintained for the highest-criticality func
COSO 2013 Control Activities (Component 3) — Contingency Planning
NIST CSF 2.0 GV.SC-9 — Supply Chain Resilience (Govern)
FFIEC BCP Handbook — Third-Party Contingency Planning
ISO 27001:2022 A.5.30 — ICT Readiness for Business Continuity; A.5.20 Supplier Agreements
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
59
Sub-custodian and custody look-through oversight — verify ultimate custody chain for all reserve assets per OCC NPR look-through requirement
Third-Party Management GV.SC-6 — Cybersecurity Supply Chain (Govern)
Timing / Frequency
Quarterly, the Risk and Legal teams trace the full custody chain for all reserve assets—from the issuer through any sub-custodians to the ultimate custodian—confirming no commingli
Risk Statement
Missing or failed custody look-through will result in undiscovered commingling or an ineligible sub-custodian arrangement—destroying the bankruptcy-remote structure and directly exposing stablecoin holders to the loss of their § 11 priority claim in an insolvency proceeding.
Control Description
Preventive manual control: A custody look-through program traces the full custody chain quarterly. Sub-custodian financial condition and SOC reports are reviewed annually. Right-to-audit sub-custodians is contractually secured in all primary custody agreements. Covered custodian OCC Subpart C eligibility is re-verified annually. No-commingling status is confirmed by periodic independent legal opin
COSO 2013 Control Activities (Component 3) — Third-Party Safeguarding Controls
NIST CSF 2.0 GV.SC-6 — Cybersecurity Supply Chain (Govern)
FFIEC Management Handbook — Custodian Oversight & Sub-Custodian Controls
ISO 27001:2022 A.5.22 — Monitoring of Supplier Services; A.5.20 Supplier Agreements
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
L06
Financial Crime & Sanctions CRITICAL
AML program, OFAC, SAR, Travel Rule, event-triggered assessments.
9 process steps
L06 covers the full AML and sanctions lifecycle. D06 handles primary distribution and AML; D10 handles secondary market OFAC screening. D14 (New Blockchain) also triggers L06 via the FinCEN NPR event-triggered risk assessment requirement.
🛡
D06
Distribution & AML
5 steps ICA L06
24
Customer onboarding (KYC) — identity verification, beneficial ownership, PEP and sanctions screening before first transaction
AML / Compliance GV.PO-2 — Policy Reviewed & Updated (Govern)
Timing / Frequency
At initial customer onboarding, the AML/Compliance team verifies customer identity, beneficial ownership, PEP status, and OFAC/sanctions screening—completing all checks before perm
Risk Statement
Missing or failed KYC at onboarding will result in sanctioned parties, shell entities, or PEP-linked customers obtaining access to primary market stablecoin services—creating direct GENIUS Act § 4(a)(5) BSA/AML violations and OFAC strict liability exposure that attaches regardless of knowledge.
Control Description
Preventive manual and automated control: A board-certified BSA/AML program with risk-based CDD requires identity verification, beneficial ownership confirmation, and OFAC/PEP screening before account activation. The program is administered by a US-based AML officer, subject to annual independent testing, and documented in a written risk assessment per FinCEN NPR requirements.
COSO 2013 Control Environment (Component 1) — Commitment to Compliance
NIST CSF 2.0 GV.PO-2 — Policy Reviewed & Updated (Govern)
FFIEC BSA/AML — Customer Due Diligence Program
ISO 27001:2022 A.5.31 — Legal Requirements; A.5.15 Access Control
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
25
Travel Rule compliance — collect and transmit originator/beneficiary information for transfers ≥ $3,000 (31 CFR § 1010.410)
AML / Compliance PR.DS-5 — Protections Against Data Leaks (Protect)
Timing / Frequency
At each qualifying fund transfer of $3,000 or more, the compliance system automatically collects required originator and beneficiary data and transmits it to the receiving financia
Risk Statement
Missing or failed Travel Rule compliance will result in required originator or beneficiary data not being collected or transmitted for qualifying transfers—creating a FinCEN regulatory violation that triggers enforcement fines, potential license suspension, and AML program deficiency findings.
Control Description
Preventive automated control: A Travel Rule solution with VASP interoperability automatically collects and transmits required originator/beneficiary data for all transfers at or above the $3,000 threshold. Transfers lacking required data are suspended pending investigation rather than rejected outright. Compliance efficacy is validated through quarterly independent testing with documented results.
COSO 2013 Control Activities (Component 3) — Compliance Controls
NIST CSF 2.0 PR.DS-5 — Protections Against Data Leaks (Protect)
FFIEC BSA/AML — Travel Rule Program
ISO 27001:2022 A.5.31 — Legal Requirements; A.8.11 Data Masking
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
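The Travel Rule control above has two properties worth seeing in code: the gate applies at or above the $3,000 threshold, and a qualifying transfer with incomplete originator or beneficiary data is suspended pending investigation, not rejected. The gate below is an added example, not the page's or any vendor's Travel Rule solution; the required data elements are a reduced, assumed set (31 CFR § 1010.410 lists more), and the three transfers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal
from typing import Optional

# Threshold from the page (31 CFR 1010.410); the obligation applies at or above it.
TRAVEL_RULE_THRESHOLD = Decimal("3000")
# Assumed minimum data elements for this example; the regulation lists more.
REQUIRED_ORIGINATOR = ("name", "account", "address")
REQUIRED_BENEFICIARY = ("name", "account", "vasp")


@dataclass
class Transfer:
    tx_id: str
    amount_usd: Decimal
    originator: dict
    beneficiary: dict


@dataclass
class Decision:
    tx_id: str
    action: str                      # "execute", "transmit" or "suspend"
    missing: list = field(default_factory=list)
    payload: Optional[dict] = None   # data sent to the receiving VASP
    logged_at: str = ""


def missing_fields(transfer):
    """Required Travel Rule elements that are absent or blank on the transfer."""
    gaps = [f"originator.{k}" for k in REQUIRED_ORIGINATOR if not transfer.originator.get(k)]
    gaps += [f"beneficiary.{k}" for k in REQUIRED_BENEFICIARY if not transfer.beneficiary.get(k)]
    return gaps


def evaluate(transfer, now=None):
    """Apply the Travel Rule gate to one transfer before it executes."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    if transfer.amount_usd < TRAVEL_RULE_THRESHOLD:
        # Below threshold: no Travel Rule obligation; the transfer may execute.
        return Decision(transfer.tx_id, "execute", logged_at=stamp)
    gaps = missing_fields(transfer)
    if gaps:
        # Incomplete data: hold the transfer for investigation rather than reject it,
        # so the case record and the funds stay in place until compliance disposes of it.
        return Decision(transfer.tx_id, "suspend", missing=gaps, logged_at=stamp)
    payload = {
        "tx_id": transfer.tx_id,
        "amount_usd": str(transfer.amount_usd),
        "originator": {k: transfer.originator[k] for k in REQUIRED_ORIGINATOR},
        "beneficiary": {k: transfer.beneficiary[k] for k in REQUIRED_BENEFICIARY},
        "transmitted_at": stamp,
    }
    return Decision(transfer.tx_id, "transmit", payload=payload, logged_at=stamp)


def sample_transfers():
    """Constructed transfers: below, exactly at, and above the threshold."""
    orig = {"name": "A. Holder", "account": "ACC-1001", "address": "1 Main St"}
    bene = {"name": "B. Recipient", "account": "ACC-2002", "vasp": "Example VASP"}
    return [
        Transfer("T-1", Decimal("2999.99"), orig, bene),
        Transfer("T-2", Decimal("3000"), orig, bene),
        Transfer("T-3", Decimal("12500"), {**orig, "address": ""}, bene),
    ]


def run_gate(transfers, now=None):
    return {t.tx_id: evaluate(t, now) for t in transfers}
```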
26
On-chain transaction monitoring — continuous blockchain analytics screening of all wallet addresses; flag illicit activity, mixers, or sanct
AML / Compliance DE.CM-1 — Networks Monitored (Detect)
Timing / Frequency
Continuously, the AML/Analytics platform screens all on-chain wallet addresses interacting with the issued stablecoin against the OFAC SDN list, known illicit wallet clusters, and
Risk Statement
Missing or failed on-chain transaction monitoring will result in transactions with OFAC-sanctioned wallets, crypto mixing services, or darknet-linked addresses going undetected—creating OFAC strict liability exposure and a systemic AML/CFT program failure triggering FinCEN enforcement action.
Control Description
Detective automated control: Real-time blockchain analytics screens all transaction counterparties against the OFAC SDN list, known illicit wallet clusters, and high-risk jurisdiction databases. Automated alerts route confirmed matches to the AML investigations team for same-day disposition. Monitoring rules and thresholds are documented in the transaction monitoring program and updated as threat
COSO 2013 Control Activities (Component 3) — Detective Controls
NIST CSF 2.0 DE.CM-1 — Networks Monitored (Detect)
FFIEC BSA/AML — Transaction Monitoring Program
ISO 27001:2022 A.8.16 — Monitoring Activities; A.8.15 Logging
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
27
Unhosted wallet due diligence — wallet ownership verification (micropayment test or message signing); enhanced monitoring where elevated ris
AML / Compliance RS.MI-2 — Incidents Mitigated (Respond)
Timing / Frequency
At onboarding of unhosted wallet relationships and upon elevated-risk indicators, the AML/Compliance team conducts enhanced due diligence through micropayment verification or crypt
Risk Statement
Missing or failed unhosted wallet controls will result in an inability to verify wallet ownership—creating an AML blind spot that allows tokens to reach anonymous or high-risk wallets without triggering investigation, reporting obligations, or sanctions compliance actions.
Control Description
Preventive and detective control: Wallet ownership verification (micropayment test or cryptographic message signing) is required for unhosted wallets above defined transaction thresholds. Enhanced monitoring is applied to elevated-risk wallets. The smart contract freeze/burn capability provides the technical enforcement mechanism for OFAC compliance on both primary and secondary market wallets, as
COSO 2013 Control Activities (Component 3) — Risk-Based Controls
NIST CSF 2.0 RS.MI-2 — Incidents Mitigated (Respond)
FFIEC BSA/AML — Enhanced Due Diligence
ISO 27001:2022 A.5.29 — Security During Disruption; A.8.16 Monitoring
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
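The micropayment test described in step 27 is straightforward to implement, and the failure modes matter as much as the happy path. The block below is an added example, not code from the page or from any issuer's platform: the issuer address, the challenge window, the token decimals and the observed-transfer feed are all constructed placeholders. It issues a random, non-round challenge amount, then verifies that the exact amount arrived from the declared wallet before expiry, distinguishing an expired challenge, a payment from an undeclared wallet (the claimant does not control the address they declared), and no payment at all. Cryptographic message signing, the page's other verification route, would slot in as an alternative verifier with the same interface.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed placeholder for the issuer-controlled address that receives the test payment.
ISSUER_VERIFICATION_ADDRESS = "0x" + "e" * 40
DEFAULT_WINDOW = timedelta(hours=24)  # assumed challenge validity window


@dataclass(frozen=True)
class Challenge:
    case_id: str
    claimed_wallet: str      # normalised (lower-case) address the customer claims to control
    amount: int              # smallest token units (for a 6-decimal token, 4321 == 0.004321)
    expires_at: datetime


@dataclass(frozen=True)
class ObservedTransfer:
    sender: str
    recipient: str
    amount: int
    timestamp: datetime


def issue_challenge(case_id: str, claimed_wallet: str, now: datetime,
                    window: timedelta = DEFAULT_WINDOW) -> Challenge:
    """Issue a micropayment challenge: a random, non-round amount that only a
    party actually controlling the wallet can send within the window."""
    amount = 1001 + secrets.randbelow(8999)  # 1001..9999 smallest units, never a round figure
    return Challenge(case_id, claimed_wallet.strip().lower(), amount, now + window)


def verify_ownership(challenge: Challenge, observed, now: datetime):
    """Return (verified, reason). Three failure modes are kept distinct so the
    analyst can see which one occurred and apply enhanced monitoring accordingly."""
    if now > challenge.expires_at:
        return False, "challenge expired"
    undeclared_sender = None
    for t in observed:
        if t.recipient.lower() != ISSUER_VERIFICATION_ADDRESS or t.amount != challenge.amount:
            continue
        if t.timestamp > challenge.expires_at:
            continue
        if t.sender.lower() == challenge.claimed_wallet:
            return True, "ownership verified"
        # Right amount, wrong wallet: the claimant controls some wallet, not the declared one.
        undeclared_sender = t.sender.lower()
    if undeclared_sender:
        return False, f"challenge amount received from undeclared wallet {undeclared_sender}"
    return False, "no matching micropayment observed"


# Constructed scenario: one challenge and three possible on-chain feeds.
NOW = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)
T_PLUS_2H = NOW + timedelta(hours=2)
T_PLUS_30H = NOW + timedelta(hours=30)
CHALLENGE_EXPIRY = NOW + DEFAULT_WINDOW
CLAIMED = "0x" + "1" * 40
OTHER = "0x" + "2" * 40
CHALLENGE = Challenge("CASE-0001", CLAIMED, 4321, CHALLENGE_EXPIRY)
GOOD_FEED = [ObservedTransfer(CLAIMED, ISSUER_VERIFICATION_ADDRESS, 4321, NOW + timedelta(hours=1))]
WRONG_WALLET_FEED = [ObservedTransfer(OTHER, ISSUER_VERIFICATION_ADDRESS, 4321, NOW + timedelta(hours=1))]
WRONG_AMOUNT_FEED = [ObservedTransfer(CLAIMED, ISSUER_VERIFICATION_ADDRESS, 4300, NOW + timedelta(hours=1))]

if __name__ == "__main__":
    print(verify_ownership(CHALLENGE, GOOD_FEED, T_PLUS_2H))
    print(verify_ownership(CHALLENGE, WRONG_WALLET_FEED, T_PLUS_2H))
    print(verify_ownership(CHALLENGE, WRONG_AMOUNT_FEED, T_PLUS_2H))
    print(verify_ownership(CHALLENGE, GOOD_FEED, T_PLUS_30H))
```

The "undeclared wallet" outcome is the one worth routing to enhanced due diligence rather than simply retrying: the person answering the challenge clearly controls a wallet, just not the one they declared.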
28
SAR filing and OFAC screening — suspicious activity reports to FinCEN; real-time OFAC screening before every transaction execution
AML / Compliance RS.CO-3 — Information Shared Consistently (Respond)
Timing / Frequency
Before every transaction execution, the compliance system runs an automated OFAC screening gate—no transaction proceeds until the check clears—and the AML investigations team files
Risk Statement
Missing or failed OFAC screening will result in a transaction with an SDN-listed entity being processed—triggering strict civil and criminal OFAC liability under IEEPA regardless of knowledge—with penalties that can exceed the transaction value and include reputational sanctions.
Control Description
Preventive automated control: An automated OFAC screening gate runs before every transaction execution. No transaction proceeds until the check clears. Potential matches trigger an escalation workflow requiring documented compliance officer disposition before release or rejection. The 5-element OFAC sanctions compliance program (senior management commitment, risk assessment, internal controls, tes
COSO 2013 Information & Communication (Component 4) — External Reporting
NIST CSF 2.0 RS.CO-3 — Information Shared Consistently (Respond)
FFIEC BSA/AML — SAR Filing & OFAC Compliance
ISO 27001:2022 A.5.31 — Legal Requirements; A.5.24 Incident Planning
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
🌐
D10
Secondary Market Controls
4 steps ICA L06 · L11
44
Secondary market transfer surveillance — continuous on-chain monitoring of all secondary market (holder-to-holder) transfers involving the i
AML / Compliance DE.CM-1 — Networks Monitored (Detect)
Timing / Frequency
Continuously, the AML/Analytics platform monitors all holder-to-holder (secondary market) transfers involving the issued stablecoin for OFAC sanctions exposure—applying OFAC screen
Risk Statement
Missing or failed secondary market monitoring will result in sanctioned parties transferring tokens holder-to-holder without detection—triggering OFAC strict liability exposure that attaches to the issuer regardless of direct involvement, because block/freeze/reject obligations apply to all stablecoin-related activity.
Control Description
Detective automated control: Real-time blockchain analytics covers all on-chain addresses interacting with the issued stablecoin across both primary and secondary markets. Secondary market OFAC hits generate alerts routed to the AML investigations team for same-day review and disposition. Monitoring coverage, rules, and escalation paths are documented in the AML/CFT program and reviewed quarterly.
COSO 2013 Monitoring Activities (Component 5) — Ongoing Evaluations
NIST CSF 2.0 DE.CM-1 — Networks Monitored (Detect)
FFIEC BSA/AML — Secondary Market Monitoring Obligations
ISO 27001:2022 A.8.16 — Monitoring Activities; A.5.31 Legal Requirements
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
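Steps 26, 28 and 44 describe the same screening engine used in two modes: a preventive gate that must clear before a transaction executes, and detective surveillance over transfers the issuer did not initiate (secondary, holder-to-holder). The block below is an added example, not code from the page or from any issuer's analytics platform. The SDN entries, the mixer-cluster attribution and the sample transfers are constructed placeholders; the address helper builds 40-hex-character EVM-style addresses. Addresses are normalised to lower case before lookup so a checksummed or upper-case spelling of a listed address cannot slip past an exact-match index.

```python
from dataclasses import dataclass, field


def addr(ch: str) -> str:
    """Build a 40-hex-char placeholder EVM address from one repeated character."""
    return "0x" + ch * 40


# Constructed sanctions data (placeholders, not real OFAC SDN entries).
SDN_ADDRESSES = {addr("a"): "SDN-PLACEHOLDER-1", addr("b"): "SDN-PLACEHOLDER-2"}
# Constructed illicit-cluster attribution (e.g. addresses attributed to a mixing service).
ILLICIT_CLUSTERS = {addr("c"): "MIXER-CLUSTER-PLACEHOLDER"}


def normalize(address: str) -> str:
    # EVM addresses are case-insensitive hex; normalising closes the trivial gap where a
    # checksummed or upper-case spelling misses an exact-match lookup.
    return address.strip().lower()


SDN_INDEX = {normalize(a): v for a, v in SDN_ADDRESSES.items()}
CLUSTER_INDEX = {normalize(a): v for a, v in ILLICIT_CLUSTERS.items()}


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    sender: str
    recipient: str
    amount: float
    market: str  # "primary" (mint/redeem with the issuer) or "secondary" (holder-to-holder)


@dataclass
class ScreeningResult:
    decision: str  # "clear", "hold" (exact SDN match) or "escalate" (cluster attribution)
    reasons: list = field(default_factory=list)


def screen_counterparties(sender: str, recipient: str) -> ScreeningResult:
    """Screen both sides of a transfer; the most severe finding decides."""
    result = ScreeningResult("clear")
    for role, address in (("sender", sender), ("recipient", recipient)):
        key = normalize(address)
        if key in SDN_INDEX:
            result.reasons.append(f"{role} {key} matches {SDN_INDEX[key]}")
            result.decision = "hold"
        elif key in CLUSTER_INDEX:
            result.reasons.append(f"{role} {key} attributed to {CLUSTER_INDEX[key]}")
            if result.decision != "hold":
                result.decision = "escalate"
    return result


def pre_execution_gate(transfer: Transfer) -> bool:
    """Step 28 preventive gate: execution proceeds only on a 'clear' result.
    Anything else is held for documented compliance-officer disposition."""
    return screen_counterparties(transfer.sender, transfer.recipient).decision == "clear"


def surveil(transfers) -> list:
    """Steps 26 and 44 detective monitoring over observed transfers in both markets.
    Non-clear results become alerts routed to AML investigations for same-day disposition."""
    alerts = []
    for t in transfers:
        result = screen_counterparties(t.sender, t.recipient)
        if result.decision != "clear":
            alerts.append({
                "tx_hash": t.tx_hash,
                "market": t.market,
                "decision": result.decision,
                "reasons": result.reasons,
                "route_to": "AML investigations",
                "sla": "same-day",
            })
    return alerts


# Constructed sample transfers: a clean primary mint, a secondary transfer to a sanctioned
# address written in upper case, and a secondary transfer from a mixer-attributed address.
SAMPLE_TRANSFERS = [
    Transfer("0x01", addr("1"), addr("2"), 1000.0, "primary"),
    Transfer("0x02", addr("3"), addr("A"), 50.0, "secondary"),
    Transfer("0x03", addr("c"), addr("4"), 10.0, "secondary"),
]

if __name__ == "__main__":
    for t in SAMPLE_TRANSFERS:
        print(t.tx_hash, "gate:", "pass" if pre_execution_gate(t) else "held")
    for alert in surveil(SAMPLE_TRANSFERS):
        print(alert)
```

Separating "hold" (exact list match, strict-liability territory) from "escalate" (attribution-based, analyst judgement needed) keeps the disposition record honest about how strong the evidence was when the gate refused.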
45
Block/freeze/reject technical execution — technical capability to block, freeze, and reject specific or impermissible transactions on both p
AML / Compliance RS.MI-2 — Incidents Mitigated (Respond)
Timing / Frequency
On demand when triggered by a sanctioned transaction, lawful order, or compliance directive, the Security Operations and Legal teams activate the smart contract block/freeze/reject
Risk Statement
Missing or failed block/freeze/reject technical capability will result in the PPSI being unable to comply with OFAC obligations or lawful orders on secondary market transactions—a systemic AML/CFT failure that exposes the issuer to strict liability and GENIUS Act enforcement action on both market segments.
Control Description
Preventive technical and procedural control: Smart contract block/freeze/reject functions are deployed and tested quarterly for both primary and secondary market scenarios. The board-approved execution authority matrix specifies who may authorize activation. Legal counsel authorization is required before any freeze or burn is executed. Quarterly testing results are documented and retained for FinC
COSO 2013 Control Activities (Component 3) — Technical Controls
NIST CSF 2.0 RS.MI-2 — Incidents Mitigated (Respond)
FFIEC BSA/AML — Technical Capabilities & Sanctions Controls
ISO 27001:2022 A.5.29 — Security During Disruption; A.5.31 Legal Requirements
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
46
Lawful order intake, validation, and execution — receive, validate, and execute lawful orders meeting GENIUS Act § 2(16) definition; coordin
Governance & Risk RS.CO-3 — Information Shared Consistently (Respond)
Timing / Frequency
When a lawful order is received, the Legal and Compliance teams validate it against all three GENIUS Act § 2(16) criteria, obtain internal legal authorization, execute the required
Risk Statement
Missing or failed lawful order validation will result in either non-execution—creating enforcement liability—or over-execution against orders that fail the § 2(16) definition—creating civil liability to innocent holders—both of which are independent GENIUS Act violations with separate penalty exposures.
Control Description
Preventive manual control: All received orders undergo legal review against GENIUS Act § 2(16) criteria (specifies stablecoins with reasonable particularity; issued by competent authority; subject to judicial/administrative review) before any action is taken. A documented chain of custody tracks intake, review decision, execution, and OCC notification. Coordination with Treasury under § 4(a)(6)(A)
COSO 2013 Control Activities (Component 3) — Authorization Controls
NIST CSF 2.0 RS.CO-3 — Information Shared Consistently (Respond)
FFIEC BSA/AML — Sanctions Compliance & Legal Order Response
ISO 27001:2022 A.5.31 — Legal Requirements; A.5.26 Response to Incidents
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
47
Foreign payment stablecoin issuer compliance monitoring — monitor Treasury Federal Register for non-compliant foreign issuer designations pe
AML / Compliance DE.CM-1 — Networks Monitored (Detect)
Timing / Frequency
Continuously and within 24 hours of each new Treasury Federal Register designation, the Compliance team identifies non-compliant foreign stablecoin issuers and activates secondary
Risk Statement
Missing or failed foreign issuer monitoring will result in the PPSI unknowingly facilitating secondary trading of designated non-compliant tokens after the restriction effective date—triggering civil penalties of $100,000 per violation per day under GENIUS Act § 8(b)(4)(A) for each day of continued facilitation.
Control Description
Preventive automated and manual control: Compliance receives automated alerts from Federal Register monitoring within 24 hours of any new non-compliant foreign issuer designation. A trading restriction protocol is activated within the 30-day effective window. A documented waiver/specific license review process under GENIUS Act § 8(c) handles exceptions. Quarterly review of all registered foreign i
COSO 2013 Control Activities (Component 3) — Compliance Controls
NIST CSF 2.0 DE.CM-1 — Networks Monitored (Detect)
FFIEC BSA/AML — OFAC & Foreign Issuer Compliance
ISO 27001:2022 A.5.31 — Legal Requirements; A.5.15 Access Control
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
// Also contributes steps from
D14 New Blockchain Deployment secondary layer mapping
L07
Technology & Cybersecurity CRITICAL
Smart contract SDLC, dual-firm audit, environment separation, PAM.
5 process steps
L07 covers the technology control environment. D07 is the primary domain; D02 (Wallet) and D13 (TPRM — tech vendor side) also contribute technology control steps. Two independent audit firms are required before any smart contract deployment.
💻
D07
Smart Contract Management
5 steps ICA L07
29
Contract design and specification — functional requirements documented; mint/burn/freeze logic specified with explicit authorization conditi
Cybersecurity — Monitoring PR.DS-1 — Data-at-Rest Protection (Protect)
Timing / Frequency
Prior to development, the Product, Technology, and Security teams formally document the smart contract's functional requirements, mint/burn/freeze authorization logic, and security
Risk Statement
Missing or failed contract design documentation will result in ambiguous or undocumented authorization conditions in the deployed code—creating exploit vectors from logic gaps or edge cases that an independent audit may not fully surface without explicit specifications to test against.
Control Description
Preventive manual control: Full functional requirements, authorization conditions, and security specifications are documented and co-signed by the CTO, CISO, and Compliance Officer before development begins. This specification document is provided to the independent auditor as the primary testing reference. Deviations discovered during audit are treated as defects requiring resolution before deplo
COSO 2013 Control Activities (Component 3) — Application Controls
NIST CSF 2.0 PR.DS-1 — Data-at-Rest Protection (Protect)
FFIEC Development & Acquisition — Security Requirements
ISO 27001:2022 A.8.25 — Secure Development Life Cycle; A.8.29 Security Testing
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
30
Development in segregated environment — separate dev, test, and production environments; code review gates at each stage
ITGC — Change Management PR.IP-3 — Configuration Change Control (Protect)
Timing / Frequency
During development, the Engineering team builds and tests all smart contract code in fully isolated dev, test, and production environments—with mandatory peer code review gates at
Risk Statement
Missing or failed SDLC environment segregation will result in untested or unauthorized code being deployed directly to production, potentially introducing logic errors, access control bypasses, or supply inflation vulnerabilities into the live stablecoin system with no rollback capability.
Control Description
Preventive technical control: Strict infrastructure-level separation of dev/test/prod environments is enforced—no developer has direct production access. All code promotions require documented peer code review, compliance sign-off, and CISO approval before advancing to the next environment. The change management process records all promotions with reviewer identities and approval timestamps.
COSO 2013 Control Activities (Component 3) — Change Management
NIST CSF 2.0 PR.IP-3 — Configuration Change Control (Protect)
FFIEC Development & Acquisition — Change Management
ISO 27001:2022 A.8.32 — Change Management; A.8.31 Separation of Environments
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
31
Independent security audit — third-party audit conducted before mainnet deployment; findings remediated and re-tested before go-live
ITGC — Change Management PR.IP-2 — System Development Life Cycle (Protect)
Timing / Frequency
Prior to mainnet deployment and before any material upgrade, an independent third-party security firm audits the complete smart contract code—and all critical and high findings mus
Risk Statement
Missing or failed independent smart contract audit will result in logic defects, access control vulnerabilities, or supply manipulation bugs reaching production—where exploitation is irrevocable, remediation requires a governance-approved upgrade with potential downtime, and harm to holders cannot be undone.
Control Description
Preventive independent control: A qualified third-party security firm performs a complete code review against the functional specification document before mainnet deployment. All critical and high findings must be remediated and re-tested before go-live authorization is granted. Audit reports and remediation evidence are retained for OCC examination. A re-audit is required for any material contrac
COSO 2013 Control Activities (Component 3) — Quality Assurance
NIST CSF 2.0 PR.IP-2 — System Development Life Cycle (Protect)
FFIEC Development & Acquisition — SDLC Security Testing
ISO 27001:2022 A.8.29 — Security Testing; A.8.25 Secure Development
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
32
Deployment via multi-sig governance — contract deployment and upgrades require multi-party authorization; no single developer can deploy to
Cybersecurity — Incident Rsp RS.RP-1 — Response Plan Executed (Respond)
Timing / Frequency
For every production deployment or contract upgrade, the Technology team obtains M-of-N multi-party authorization through the governance workflow—including a timelock period for co
Risk Statement
Missing or failed deployment governance will result in a single developer deploying unauthorized code to production—including modifications to supply caps, authorization thresholds, or admin access controls—without any oversight, creating potential for catastrophic and irreversible supply manipulation.
Control Description
Preventive automated control: Contract deployment and all upgrade operations are gated at the smart contract level behind M-of-N multi-signature authorization enforced on-chain. Timelocks on upgrades provide a review window. A circuit breaker/pause function is available for emergency use; pause authority is itself governance-controlled and cannot be exercised unilaterally. All deployment events ar
COSO 2013 Control Activities (Component 3) — Incident Response Controls
NIST CSF 2.0 RS.RP-1 — Response Plan Executed (Respond)
FFIEC Operations — Incident Response & Recovery
ISO 27001:2022 A.5.26 — Response to Incidents; A.5.24 Planning
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
33
Post-deployment monitoring — continuous monitoring for anomalous function calls, unexpected state changes, and known vulnerability patterns
Cybersecurity — Monitoring DE.CM-7 — Monitoring for Unauthorized Activity (Detect)
Timing / Frequency
Continuously after mainnet deployment, the Security Operations Center monitors all smart contract function calls, state changes, and event logs in real time—firing automated alerts
Risk Statement
Missing or failed post-deployment monitoring will result in a zero-day exploit or unauthorized administrative action going undetected until material on-chain harm has occurred—with no pause capability activated in time to limit the blast radius before the attacker exits.
Control Description
Detective automated control: Continuous smart contract event monitoring fires real-time alerts on anomalous activity patterns. Alert rules are documented and reviewed monthly by the security team. Critical alerts trigger sub-15-minute escalation per the incident response playbook, activating the circuit breaker/pause procedure if exploit indicators are confirmed. Monitoring coverage extends to all
COSO 2013 Monitoring Activities (Component 5) — Continuous Monitoring
NIST CSF 2.0 DE.CM-7 — Monitoring for Unauthorized Activity (Detect)
FFIEC Information Security — Continuous Monitoring
ISO 27001:2022 A.8.16 — Monitoring Activities; A.8.15 Logging
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
// Also contributes steps from
🔐 D02 Wallet Management secondary layer mapping
🏢 D13 Third-Party Risk Mgmt secondary layer mapping
L08
Resilience & Business Continuity
BCP/DR testing, §113 notification, validator diversity, concentration.
4 process steps
L08 covers operational resilience. D11 is the dedicated incident response and BCP domain. D13 also contributes vendor concentration monitoring steps relevant to the FDIC §350.39 40% limit.
🚨
D11
Incident Response & BCP
4 steps ICA L08
48
Incident detection and classification — real-time SIEM alerting across on-chain, off-chain, and infrastructure layers; incident severity cla
Cybersecurity — Monitoring DE.AE-5 — Incidents Declared (Detect)
Timing / Frequency
Continuously and in real time, the Security Operations Center detects and classifies security, operational, and compliance incidents using correlated SIEM alerting across on-chain,
Risk Statement
Missing or failed incident detection will result in a smart contract exploit or reserve system failure compounding without containment—converting a manageable control failure into a systemic market confidence event that escalates faster than manual detection would allow and may require emergency OCC notification.
Control Description
Detective automated control: Layered SIEM monitoring with correlated alerting spans on-chain analytics, infrastructure, AML, and compliance layers. An incident classification matrix maps event types to severity thresholds. Automated escalation SLAs are enforced and monitored. 24/7 on-call coverage with documented coverage roster and quarterly escalation drills ensures the response capability is al
COSO 2013 Monitoring Activities (Component 5) — Ongoing Evaluations
NIST CSF 2.0 DE.AE-5 — Incidents Declared (Detect)
FFIEC Information Security — Incident Detection & Classification
ISO 27001:2022 A.5.24 — Information Security Incident Management; A.8.16 Monitoring Activities
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
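Step 33 (real-time monitoring of contract function calls) and step 48 (a classification matrix that maps event types to severity and escalation SLAs, plus correlated alerting) are two halves of one pipeline. The block below is an added example, not the page's or any SOC's production rules: the governance address, the mint baseline, the rule set, the classification matrix and the sample decoded events are all constructed. It evaluates each decoded call against the rules, classifies the findings (the most severe one sets the alert's severity and its escalation SLA, and any finding that warrants it sets the pause recommendation), then correlates alerts into declared incidents: one Critical alert, or repeated High alerts from the same caller inside a block window.

```python
from dataclasses import dataclass, field

# Constructed parameters: the governance contract that alone may call admin functions,
# and a per-call mint baseline above which a single mint is anomalous.
GOVERNANCE_ADDRESS = "0x" + "a" * 40
MINT_BASELINE = 1_000_000
ADMIN_FUNCTIONS = {"mint", "grantRole", "revokeRole", "setMinter", "upgradeTo", "pause", "unpause"}

# Classification matrix (step 48): finding -> (severity, escalation SLA in minutes, pause recommended)
CLASSIFICATION = {
    "unauthorized_admin_call": ("Critical", 15, True),
    "mint_above_baseline": ("Critical", 15, True),
    "role_change": ("High", 60, False),
    "pause_toggled": ("High", 60, False),
}
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class ContractEvent:
    block: int
    tx_hash: str
    caller: str
    function: str
    args: dict = field(default_factory=dict)


def evaluate(event: ContractEvent) -> list:
    """Step 33 detection rules applied to one decoded function call."""
    findings = []
    if event.function in ADMIN_FUNCTIONS and event.caller.lower() != GOVERNANCE_ADDRESS:
        findings.append("unauthorized_admin_call")
    if event.function == "mint" and event.args.get("amount", 0) > MINT_BASELINE:
        findings.append("mint_above_baseline")
    if event.function in ("grantRole", "revokeRole", "setMinter"):
        findings.append("role_change")
    if event.function in ("pause", "unpause"):
        findings.append("pause_toggled")
    return findings


def classify(findings: list) -> dict:
    """Most severe finding sets severity and SLA; pause is recommended if any finding calls for it."""
    severity, sla, pause = "Low", None, False
    for f in findings:
        s, minutes, p = CLASSIFICATION[f]
        if SEVERITY_RANK[s] > SEVERITY_RANK[severity]:
            severity, sla = s, minutes
        pause = pause or p
    return {"severity": severity, "escalate_within_minutes": sla, "pause_recommended": pause}


def monitor(events) -> list:
    """Turn decoded events into classified alerts; silent events produce nothing."""
    alerts = []
    for e in events:
        findings = evaluate(e)
        if findings:
            alert = {"block": e.block, "tx_hash": e.tx_hash, "caller": e.caller.lower(), "findings": findings}
            alert.update(classify(findings))
            alerts.append(alert)
    return alerts


def declare_incidents(alerts, window_blocks: int = 50) -> list:
    """Step 48 correlation: one Critical alert, or three High alerts from the same
    caller within window_blocks, is declared an incident."""
    incidents = []
    high_blocks_by_caller = {}
    for a in alerts:
        if a["severity"] == "Critical":
            incidents.append({"caller": a["caller"], "trigger": a["tx_hash"], "reason": "critical alert"})
            continue
        if a["severity"] == "High":
            recent = [b for b in high_blocks_by_caller.get(a["caller"], []) if a["block"] - b <= window_blocks]
            recent.append(a["block"])
            high_blocks_by_caller[a["caller"]] = recent
            if len(recent) >= 3:
                incidents.append({"caller": a["caller"], "trigger": a["tx_hash"], "reason": "repeated high alerts"})
                high_blocks_by_caller[a["caller"]] = []
    return incidents


# Constructed sample events: a routine governed mint, a governed role grant, an unauthorised
# oversized mint, an ordinary holder transfer, and a governed pause/unpause pair.
SAMPLE_EVENTS = [
    ContractEvent(100, "0x01", GOVERNANCE_ADDRESS, "mint", {"amount": 500_000}),
    ContractEvent(101, "0x02", GOVERNANCE_ADDRESS, "grantRole", {"role": "MINTER", "account": "0x" + "5" * 40}),
    ContractEvent(102, "0x03", "0x" + "b" * 40, "mint", {"amount": 5_000_000}),
    ContractEvent(103, "0x04", "0x" + "7" * 40, "transfer", {"amount": 10}),
    ContractEvent(120, "0x05", GOVERNANCE_ADDRESS, "pause", {}),
    ContractEvent(121, "0x06", GOVERNANCE_ADDRESS, "unpause", {}),
]

if __name__ == "__main__":
    found = monitor(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(declare_incidents(found))
```

Governed pause and role changes are deliberately kept as High alerts rather than suppressed: a legitimate administrative action is still something the SOC should see and reconcile against a change record, and a burst of them from one caller is exactly the pattern the correlation rule is there to catch.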
49
Incident response execution and regulator notification — activate incident response plan on classification; contain and remediate; notify OC
Cybersecurity — Incident Rsp RS.RP-1 — Response Plan Executed (Respond)
Timing / Frequency
Upon incident classification, the Incident Response team and Legal function activate the documented IR plan—containing and remediating the incident—and notify the OCC within requir
Risk Statement
Missing or failed incident containment or OCC notification will result in uncontrolled lateral movement or ongoing unauthorized access—and separately, a notification violation that constitutes an independent enforcement action regardless of the severity of the underlying incident.
Control Description
Preventive manual control: A documented incident response plan with annual tabletop testing defines playbooks for cyber, operational, and compliance incidents. OCC notification SLAs are documented per incident category. Legal counsel is notified immediately for any incident with potential regulatory reporting obligations. The incident log is maintained in a tamper-evident system and reviewed withi
COSO 2013 Control Activities (Component 3) — Incident Response Controls
NIST CSF 2.0 RS.RP-1 — Response Plan Executed (Respond)
FFIEC Information Security — Incident Response Program
ISO 27001:2022 A.5.26 — Response to Information Security Incidents; A.5.24 Incident Management
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
50
Business continuity and disaster recovery — BCP/DR activation for critical stablecoin operations; RTO ≤4 hours / RPO ≤1 hour for reserve man
Operational Controls RC.RP-1 — Recovery Plan Executed (Recover)
Timing / Frequency
Annually and upon activation triggers, the Technology and Operations teams execute BCP/DR procedures to maintain critical stablecoin operations through outages—targeting RTO ≤4 hou
Risk Statement
Missing or failed BCP/DR will result in extended system unavailability preventing T+2 redemptions—an OCC enforcement trigger—and potentially impairing reserve attestation integrity if the outage coincides with a reporting cycle, combining an operational failure with a regulatory reporting violation.
Control Description
Preventive operational control: BCP and DR plans with documented RTO/RPO targets are tested annually with results and remediation plans retained. Active/active multi-zone cloud architecture eliminates single-region failure. An operational backstop reserve pool (segregated from 1:1 redemption reserves) funds operations during disruption. Vendor concentration limits prevent critical single-provider
COSO 2013 Control Activities (Component 3) — Business Continuity Controls
NIST CSF 2.0 RC.RP-1 — Recovery Plan Executed (Recover)
FFIEC BCP Handbook — Recovery Objectives & Resilience Testing
ISO 27001:2022 A.5.30 — ICT Readiness for Business Continuity; A.5.29 Security During Disruption
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
51
Post-incident review and root cause remediation — mandatory root cause analysis within 30 days for all Critical/High incidents; document les
Governance & Risk RS.AN-3 — Incident Analysis (Respond)
Timing / Frequency
Within 30 days of every Critical or High incident, the Security, Technology, and Risk teams conduct a structured root cause analysis, document lessons learned, update affected cont
Risk Statement
Missing or failed post-incident review will result in recurring incidents from the same root causes—a pattern that OCC examiners interpret as systemic governance weakness and that demonstrates the issuer's controls are not improving in response to failure signals.
Control Description
Detective manual control: A mandatory post-incident review program requires root cause analysis for all Critical/High incidents within 30 days. Remediation action items are assigned to named owners with defined closure dates in the issue management system. Risk assessments are updated if the incident materially changes the risk profile. Board risk committee receives reporting on all material incid
COSO 2013 Monitoring Activities (Component 5) — Ongoing & Separate Evaluations
NIST CSF 2.0 RS.AN-3 — Incident Analysis (Respond)
FFIEC Information Security — Post-Incident Review & Lessons Learned
ISO 27001:2022 A.5.27 — Learning from Information Security Incidents; Clause 10 Improvement
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
// Also contributes steps from
🏢 D13 Third-Party Risk Mgmt secondary layer mapping
L09
Consumer Protection & Market Integrity
T+2 redemption, yield prohibition, monthly reserve disclosures.
4 process steps
L09 covers consumer-facing obligations. D12 is the primary consumer protection domain. D08 (Redemption T+2 workflow) and D09 (monthly disclosure publication) also contribute L09 process steps.
🤝
D12
Consumer Protection
4 steps ICA L09
52
Consumer complaint intake — multi-channel receipt (written, digital, phone); automated acknowledgment within 5 business days; unique case nu
Operational Controls GV.OC-4 — Stakeholder Expectations Understood (Govern)
Timing / Frequency
Upon receipt and within 5 business days, the Customer Service and Compliance teams acknowledge, categorize, and log all consumer complaints in the case management system across all
Risk Statement
Missing or failed complaint intake controls will result in untracked or unacknowledged complaints creating examination evidence gaps at the OCC review—and undetected complaint volume patterns may signal systemic control failure requiring immediate escalation to senior management and potential OCC notification.
Control Description
Preventive automated control: Multi-channel intake with automated 5-business-day acknowledgment SLA enforcement is configured in the case management system. Automated breach alerts fire if acknowledgment SLA is missed. Each complaint is assigned a unique case number with category, priority, and owner at intake. Complaint data is retained and readily exportable for OCC examination on request.
COSO 2013 Information & Communication (Component 4) — External Communication
NIST CSF 2.0 GV.OC-4 — Stakeholder Expectations Understood (Govern)
FFIEC Management Handbook — Consumer Complaint Management
ISO 27001:2022 A.5.31 — Legal Requirements; A.5.36 Compliance with Policies
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
53
Complaint investigation and resolution — root cause investigation within SLAs by category; escalation to senior management for regulatory-ri
Governance & Risk RS.CO-3 — Information Shared Consistently (Respond)
Timing / Frequency
Within defined SLAs by complaint category, the Customer Service and Legal teams investigate, resolve, and communicate outcomes to the consumer within 30 business days—escalating re
Risk Statement
Missing or failed complaint resolution controls will result in patterns of unresolved complaints signaling failing controls—potentially triggering CFPB referral, OCC supervisory concern, or consumer financial law violations—each representing a separate and independent compliance risk.
Control Description
Detective manual control with automated tracking: Defined investigation SLAs, a senior management escalation matrix for regulatory complaints, and a 30-business-day resolution target with automated tracking enforce consistent outcomes. Quarterly root cause trend analysis of complaint data is prepared by Compliance and reported to the board risk committee to surface any systemic issues requiring pr
COSO 2013 Monitoring Activities (Component 5) — Ongoing Evaluations
NIST CSF 2.0 RS.CO-3 — Information Shared Consistently (Respond)
FFIEC Management Handbook — Consumer Protection & Complaint Resolution
ISO 27001:2022 A.5.36 — Compliance with Policies; A.5.31 Legal Requirements
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
54
Redemption policy management and fee disclosure — maintain and publish clear redemption policy per GENIUS Act § 4(a)(1)(B); enforce ≥7 days
Governance & Risk GV.PO-2 — Policy Reviewed & Updated (Govern)
Timing / Frequency
Continuously and at least 7 days before any fee change, the Legal and Compliance teams maintain, publish, and update the redemption policy on the issuer's website—with all GENIUS A
Risk Statement
Missing or failed redemption policy compliance will result in undisclosed fee changes or T+2/T+7 SLA violations under GENIUS Act § 4(a)(1)(B), or marketing language implying US Government backing under § 4(a)(9)—triggering Treasury penalties of up to $500,000 per violation.
Control Description
Preventive manual and automated control: A board-approved redemption policy with all required disclosures is published on the issuer website and reviewed quarterly for accuracy. A 7-day fee change notice workflow with legal review and automated consumer notification is enforced. T+2 SLA and T+7 threshold monitoring alert on approach to trigger conditions. Pre-publication marketing review checklist
COSO 2013 Information & Communication (Component 4) — External Communication
NIST CSF 2.0 GV.PO-2 — Policy Reviewed & Updated (Govern)
FFIEC Wholesale Payments — Customer Disclosure Requirements
ISO 27001:2022 A.5.31 — Legal Requirements; A.5.37 Documented Procedures
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
55
Prohibited yield and marketing enforcement — enforce prohibition on interest/yield to holders per GENIUS Act § 4(a)(11); prevent prohibited
Governance & Risk GV.PO-1 — Policy Established (Govern)
Timing / Frequency
Annually and before any new distribution agreement or marketing publication, the Legal and Compliance teams enforce the GENIUS Act § 4(a)(11) yield prohibition—reviewing all distri
Risk Statement
Missing or failed yield prohibition enforcement will result in the issuer unknowingly funding exchange rewards passed to stablecoin holders—constituting a § 4(a)(11) violation regardless of the indirect structure—or prohibited marketing triggering Treasury penalties of $500,000 per violation under § 4(e)(2)(B).
Control Description
Preventive manual control: A board-level attestation of zero yield/interest policy is maintained and re-certified annually. All distribution and exchange agreements are reviewed by legal counsel for yield-equivalent pass-through arrangements before execution. Pre-publication marketing review against §§ 4(a)(9) and 4(a)(11) is required for all new materials. Legal sign-off is mandatory before any n
COSO 2013 Control Activities (Component 3) — Compliance Controls
NIST CSF 2.0 GV.PO-1 — Policy Established (Govern)
FFIEC Management Handbook — Compliance Program Management
ISO 27001:2022 A.5.31 — Legal Requirements; A.5.36 Compliance with Policies
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
// Also contributes steps from
🔄 D08 Redemption & Burning secondary layer mapping
📊 D09 Attestation & Reporting secondary layer mapping
L10
DeFi Risk & Cross-Chain Governance
New blockchain deployment gate, DeFi allowlisting, bridge controls.
4 process steps
L10 covers the DeFi and cross-chain deployment lifecycle. The FinCEN NPR Apr 8, 2026 introduced a mandatory AML risk assessment update before any new blockchain deployment — making D14 a compliance gate, not just an operational step.
D14
New Blockchain Deployment
4 steps ICA L10 · L06
60
New blockchain deployment governance and risk assessment — formal board/risk committee approval before deployment on any new blockchain; man
ITGC — Change Management ID.RA-1 — Asset Vulnerabilities Identified (Identify)
Timing / Frequency
Prior to any new blockchain deployment, the Risk Committee, Legal, and Technology teams obtain formal board approval and complete the mandatory AML/CFT risk assessment update—requi
Risk Statement
Missing or failed new chain deployment governance will result in a violation of FinCEN's event-triggered AML/CFT risk assessment update obligation—and potentially expose the issuer to unquantified AML/CFT risks from a blockchain with inadequate sanctions screening infrastructure or permissive transfer anonymity feature
Control Description
Preventive manual control: A formal new blockchain deployment policy requires board/risk committee approval for all new chain deployments. An AML/CFT risk assessment update is mandatory at the deployment decision stage per FinCEN NPR Apr 8 2026. An independent smart contract audit is required for the new chain before activation. OCC pre-notification is completed for material expansion events. The
COSO 2013 Control Activities (Component 3) — Change Management
NIST CSF 2.0 ID.RA-1 — Asset Vulnerabilities Identified (Identify)
FFIEC Development & Acquisition — Change Management & Emerging Technology Risk
ISO 27001:2022 A.8.32 — Change Management; A.8.25 Secure Development Life Cycle
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
61
Smart contract functionality change risk assessment update — mandatory AML/CFT risk assessment review triggered by any material change to sm
AML / Compliance GV.PO-2 — Policy Reviewed & Updated (Govern)
Timing / Frequency
Within 10 business days of any material smart contract functionality change, the AML/Compliance Officer reviews and updates the AML/CFT risk assessment—as required by the FinCEN NP
Risk Statement
Missing or failed risk assessment update following a smart contract change will result in the AML/CFT risk assessment misrepresenting the actual operational risk profile—a direct violation of the FinCEN NPR event-triggered obligation that constitutes a material program deficiency finding at examination.
Control Description
Preventive manual control: Change management system integration triggers a mandatory AML/CFT risk assessment review for all material smart contract changes. The AML officer must sign off within 10 business days before production deployment is authorized. The risk profile impact assessment is documented in the change record and retained for FinCEN examination. Stale risk assessment flags are genera
COSO 2013 Control Activities (Component 3) — Change Management / Compliance Controls
NIST CSF 2.0 GV.PO-2 — Policy Reviewed & Updated (Govern)
FFIEC Development & Acquisition — Change Management & AML Integration
ISO 27001:2022 A.8.32 — Change Management; A.5.31 Legal Requirements
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
62
Cross-chain transfer and bridge protocol governance — independent smart contract audit for all bridge integrations before activation; bridge
Cybersecurity — Monitoring DE.CM-7 — Monitoring for Unauthorized Activity (Detect)
Timing / Frequency
Prior to activating any bridge integration and continuously thereafter, the Security and Technology teams require independent smart contract audits of all bridge code—and monitor b
Risk Statement
Missing or failed bridge governance will result in an unaudited bridge vulnerability enabling unauthorized cross-chain token transfer or supply manipulation—as demonstrated in documented DeFi bridge exploits—with limited on-chain remediation capability once the exploit is executed.
Control Description
Preventive and detective control: An independent smart contract audit is required before any new bridge integration is activated. Bridge exposure concentration limits are defined and monitored daily. Real-time alerting fires on anomalous bridge contract activity including unexpected state changes or transfer volumes. Risk committee approval is required for all new bridge and CCTP integrations. Pos
COSO 2013 Risk Assessment (Component 2) — Risk Identification
NIST CSF 2.0 DE.CM-7 — Monitoring for Unauthorized Activity (Detect)
FFIEC Information Security — Emerging Technology Risk & Cross-Chain Controls
ISO 27001:2022 A.8.16 — Monitoring Activities; A.5.23 Cloud Services
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
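The detective half of step 62 (bridge exposure concentration limits monitored daily, alerting on unexpected state changes or transfer volumes) can be illustrated with a small monitor. This is an added example, not tooling from the PPSI program or any control standard cited above; the snapshot shape, the 20% / 40% concentration limits, the 3x-median volume rule and the sample bridge figures are all constructed assumptions. The state-change check it implements is the cross-chain supply invariant: wrapped supply outstanding on a destination chain must never exceed the collateral locked for that bridge on the home chain.

```python
"""Bridge exposure and anomaly checks (added illustration; not the program's own tooling).

Hypothetical inputs: one snapshot per bridge with the stablecoin amount escrowed on
the home chain, the wrapped supply minted on the destination chain, and recent daily
transfer volumes. Thresholds are illustrative, not taken from the control standard.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class BridgeSnapshot:
    bridge: str
    locked_home: int          # tokens escrowed on the home chain for this bridge
    minted_remote: int        # wrapped supply outstanding on the destination chain
    daily_volumes: tuple      # recent daily transfer volumes, oldest first, today last


TOTAL_SUPPLY = 10_000_000         # constructed circulating supply
MAX_BRIDGE_SHARE = 0.20           # no single bridge may hold > 20% of supply
MAX_TOTAL_BRIDGE_SHARE = 0.40     # aggregate bridged exposure may not exceed 40%
VOLUME_MULTIPLIER = 3.0           # today's volume > 3x trailing median => anomalous
MIN_HISTORY = 5                   # need at least 5 prior days to form a baseline

# Constructed sample: bridge_b breaches the per-bridge limit and spikes in volume,
# bridge_c has more wrapped supply than collateral, and the aggregate limit is breached.
SAMPLE_SNAPSHOTS = (
    BridgeSnapshot("bridge_a", 1_500_000, 1_500_000,
                   (100_000, 120_000, 90_000, 110_000, 105_000, 95_000)),
    BridgeSnapshot("bridge_b", 2_500_000, 2_500_000,
                   (200_000, 210_000, 190_000, 205_000, 195_000, 900_000)),
    BridgeSnapshot("bridge_c", 300_000, 320_000, (10_000, 12_000)),
)


def supply_invariant_alerts(snaps):
    """Unexpected state change: wrapped supply exceeding locked collateral."""
    return [s.bridge for s in snaps if s.minted_remote > s.locked_home]


def concentration_alerts(snaps, total_supply=TOTAL_SUPPLY):
    """Per-bridge and aggregate exposure concentration limits."""
    alerts = []
    for s in snaps:
        if s.locked_home / total_supply > MAX_BRIDGE_SHARE:
            alerts.append(("bridge_limit", s.bridge))
    if sum(s.locked_home for s in snaps) / total_supply > MAX_TOTAL_BRIDGE_SHARE:
        alerts.append(("aggregate_limit", "ALL"))
    return alerts


def volume_alerts(snaps):
    """Today's transfer volume far above the trailing median of prior days."""
    alerts = []
    for s in snaps:
        history, today = s.daily_volumes[:-1], s.daily_volumes[-1]
        if len(history) < MIN_HISTORY:
            continue  # insufficient baseline; do not alert on a guess
        baseline = median(history)
        if baseline > 0 and today > VOLUME_MULTIPLIER * baseline:
            alerts.append((s.bridge, today, baseline))
    return alerts


def evaluate(snaps=SAMPLE_SNAPSHOTS):
    """Daily run: returns every alert class the risk committee would review."""
    return {
        "supply_invariant": supply_invariant_alerts(snaps),
        "concentration": concentration_alerts(snaps),
        "volume": volume_alerts(snaps),
    }


if __name__ == "__main__":
    for kind, hits in evaluate().items():
        print(f"{kind}: {hits or 'clear'}")
```

The supply invariant is the check worth running most often: it does not depend on a statistical baseline, and a breach means tokens exist on the destination chain that nothing backs at home, which is exactly the condition the risk statement describes as hard to remediate on-chain after the fact.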
63
Interoperability standards compliance monitoring — monitor and document compliance with interoperability standards prescribed by OCC and NIS
Governance & Risk ID.BE-3 — Mission Established (Identify)
Timing / Frequency
Periodically and when new regulatory guidance is published, the Technology and Compliance teams assess compliance with OCC and NIST interoperability standards per GENIUS Act § 12—m
Risk Statement
Interoperability non-compliance — failure to comply with standards prescribed under GENIUS Act § 12 may result in OCC supervisory concern or limitation on permissible activities; incompatibility with accepted protocols limits payment utility, liquidity, and adoption of the issued stablecoin in the broader financial eco
Control Description
Interoperability compliance monitoring program — periodic assessment against NIST and OCC-published interoperability standards (GENIUS Act § 12); compatibility matrix documenting alignment with accepted communications protocols and blockchains; regulatory horizon scan quarterly for new interoperability guidance; escalation to OCC for material interoperability gaps identified
COSO 2013 Monitoring Activities (Component 5) — Ongoing Evaluations
NIST CSF 2.0 ID.BE-3 — Mission Established (Identify)
FFIEC Management Handbook — Technology Standards & Interoperability
ISO 27001:2022 A.5.31 — Legal Requirements; A.5.36 Compliance with Policies
SOC 1 / SOC 2 AT-C §320 Type I/II · AT-C §205 Type I/II
L11
Real-Time Monitoring & Analytics
On-chain analytics, transaction monitoring, model governance.
Steps embedded in cross-referenced domains
L11 monitoring steps are embedded within D10 (Secondary Market — on-chain analytics) and D06 (Distribution & AML — transaction monitoring model). See those domains under L06 for the process detail.
No standalone process domain maps primarily to L11.
// Also contributes steps from
🌐 D10 Secondary Market Controls secondary layer mapping
🛡 D06 Distribution & AML secondary layer mapping