| ICA Layer | Effective Date | Col 1: GENIUS Act / Statute | Col 2: Agency NPR Citation | Col 3: NIST CSF 2.0 | Col 4: FFIEC IT Handbook | Col 5: OCC CSW | Col 6: Control Design Standard (implementation requirement; feeds the Control Standard) |
|---|---|---|---|---|---|---|---|
| L01 Governance & Risk Oversight | Immediate on enactment | GENIUS Act § 4(a)(3) | OCC NPR § 15.4 · FDIC NPR § 350.3 | GV.OC-1 · GV.RM-1 | FFIEC IT Management — Section II (Governance) | Domain 1 — Governance (D1-1) | Board-approved risk appetite statement, stablecoin issuance policy, and written information security program (WISP). Board risk committee with a documented meeting cadence. Signed board minutes as primary examination evidence. |
| L01 Governance & Risk Oversight | Immediate on enactment | GENIUS Act § 4(a)(4) | FinCEN/OFAC NPR Apr 8, 2026 — Element 1 | GV.RR-1 · GV.RR-2 | FFIEC BSA/AML Examination Manual — BSA/AML Program | Domain 4 — BSA/AML (D4-1) | Named, qualified BSA/AML officer with formal board appointment, documented authority, adequate resources, and a direct board-level reporting line. Designation letter as examination evidence. |
| L01 Governance & Risk Oversight | Immediate on enactment | GENIUS Act § 4(a)(3) | OCC NPR § 15.4(c) · FDIC NPR § 350.3(b) | GV.RM-2 · GV.RM-3 | FFIEC IT Management — Section III (Risk Management) | Domain 1 — Risk Management (D1-2) | Three lines of defense formally documented with defined roles. Risk management framework with risk identification, assessment, and reporting processes. Internal audit independent of the first line. |
| L02 Legal Entity & Regulatory Perimeter | Pre-issuance | GENIUS Act § 3(a) · § 3(f) | OCC NPR § 15.3 · FDIC NPR § 350.2 | GV.OC-2 · GV.PO-1 | FFIEC IT Management — Regulatory Compliance | Domain 1 — Authorization (D1-3) | OCC charter or state authorization as a permitted payment stablecoin issuer (PPSI) received before the first stablecoin is minted or distributed. Charter/authorization letter maintained in governance records. Unauthorized issuance: criminal penalties under § 3(f). |
| L02 Legal Entity & Regulatory Perimeter | Pre-issuance | GENIUS Act § 4(a) | OCC NPR § 15.3(b) (permissible activities list) · Treasury NPR (state "substantially similar" determination) | GV.OC-3 · GV.OC-4 | FFIEC IT Management — Regulatory Compliance | Domain 1 — Scope (D1-4) | Board-approved permissible activities document defining scope limits. Legal opinion on activity boundaries. Substantially-similar determination filed with Treasury if using the state pathway. |
| L03 Reserve & Financial Integrity | Monthly from first issuance | GENIUS Act § 4(a)(1)(A) | OCC NPR § 15.10 (daily fair value from independent sources) | ID.AM-5 · DE.CM-9 | FFIEC Wholesale Payments — Settlement and Liquidity | Domain 2 — Reserve Composition (D2-1) | 1:1 reserve-to-supply coverage ratio monitored continuously. Daily fair value computed from independent custodian sources. Automated warning alert at ≤102% coverage; hard stop that blocks any mint which would take coverage below 100%. |
| L03 Reserve & Financial Integrity | Monthly from first issuance | (No express statutory WAM limit) | OCC NPR § 15.10(b) — weighted average maturity (WAM) ≤20 days, hard limit with no exception process | DE.CM-9 · PR.DS-1 | FFIEC Wholesale Payments — Portfolio Management | Domain 2 — WAM Monitoring (D2-2) | Automated daily WAM calculation. Pre-trade WAM check blocks any purchase that would breach the 20-day limit. Warning alert at 18 days. WAM calculation methodology board-approved. |
| L03 Reserve & Financial Integrity | Monthly from first issuance | (No express statutory liquidity ladder) | OCC NPR § 15.11 — ≥10% overnight · ≥30% within 30 days · ≥50% within 90 days | ID.AM-5 · DE.CM-9 | FFIEC Wholesale Payments — Liquidity Risk | Domain 2 — Liquidity (D2-3) | Automated liquidity bucket monitoring. Pre-trade bucket impact check. Intraday alert when any bucket falls below its threshold. Bucket calculation included in daily fair value reporting. |
| L03 Reserve & Financial Integrity | Monthly from first issuance | (No express statutory certification requirement) | OCC NPR § 15.12 · FDIC NPR § 350.15 — monthly CEO/CFO certification · 18 U.S.C. § 1001 criminal exposure | GV.OC-1 · PR.DS-1 | FFIEC Management — Financial Reporting Controls | Domain 2 — Certification (D2-4) | Monthly certification package auto-populated from the reserve monitoring system. Reconciliation sign-off required before officer signature. Documented 18 U.S.C. § 1001 briefing for each certifying officer; criminal liability attaches to each false filing. |
| L03 Reserve & Financial Integrity | Before PPSI authorization (FDIC pathway) | (No express GENIUS Act requirement) | FDIC NPR § 350.9(b) — trailing 12-month operating expenses (OPEX) in high-quality liquid assets (HQLA), segregated from reserves | ID.AM-5 · ID.RA-5 | FFIEC Management — Capital Planning | Domain 2 — Backstop (D2-5) | Operational backstop pool equal to trailing 12-month OPEX, funded in HQLA and held in a dedicated custodian account separate from reserve assets. Quarterly recalculation with board sign-off. |
| L03 Reserve & Financial Integrity | From first issuance | (No express GENIUS Act notification requirement) | FDIC NPR § 350.5(c)(1) — single-day redemptions ≥10% of outstanding supply trigger mandatory FDIC notification | DE.CM-9 · RS.CO-3 | FFIEC Management — Reporting Obligations | Domain 2 — Notification (D2-6) | Automated intraday monitoring of single-day redemption volume as a percentage of opening outstanding supply. Warning alert at 8%. Automated FDIC notification workflow triggered at 10%, with the filing documented. |
| L04 Mint/Burn & Token Lifecycle | Pre-issuance | GENIUS Act § 4(a)(5)(iv) | FinCEN/OFAC NPR Apr 8, 2026 — primary AND secondary market scope · 31 CFR Part 502 | PR.AA-5 · DE.AE-2 | FFIEC Information Security — Access Control | Domain 3 — Technical Capability (D3-1) | Smart contract block/freeze/reject function independently tested on both the primary market leg (issuance and redemption) and the secondary market leg (on-chain transfers), with the frozen address as sender and as recipient. Testing on every deployed blockchain network. Two independent audit firms. |
| L04 Mint/Burn & Token Lifecycle | Pre-issuance | GENIUS Act § 4(a)(1)(A) (1:1 reserve must be confirmed before issuance) | OCC NPR § 15.10 (reserve composition confirmed before issuance) | PR.DS-1 · DE.CM-9 | FFIEC Operations — Transaction Controls | Domain 2 — Issuance Control (D2-7) | Three-way off-chain verification gate (issuer system + custodian confirmation + reserve dashboard) as a mandatory prerequisite for any mint transaction. Gate bypass blocked at the infrastructure level, not only in application logic. |
| L04 Mint/Burn & Token Lifecycle | Pre-issuance | GENIUS Act § 109 (smart contract governance) | OCC NPR § 15.8 (technology controls) | PR.AA-5 · PR.PS-6 | FFIEC Development & Acquisition — Change Control | Domain 1 — Governance (D1-5) | Multi-signature governance (minimum 3-of-5) required for all supply-changing transactions. Timelock on smart contract upgrades. Governance token concentration monitoring to prevent protocol takeover. |
| L05 Custody & Key Management | Pre-issuance | (No express GENIUS Act HSM requirement) | OCC NPR § 15.10 (reserve asset safeguarding) · OCC NPR Subpart C | PR.AA-1 · PR.DS-1 | FFIEC Information Security — Cryptographic Key Management | Domain 3 — Key Management (D3-2) | All signing keys generated and stored in FIPS 140-3 Level 3 (or higher) validated HSMs. Software wallets prohibited for reserve or supply-changing operations. Annual key ceremony with formal witnesses; key shares distributed across geographically separate sites. |
| L05 Custody & Key Management | Pre-issuance | GENIUS Act § 10 (covered custodian definition) | OCC NPR Subpart C · FDIC NPR § 350.4 (reserve asset custody requirements) | GV.SC-6 · GV.SC-7 | FFIEC Management — Third-Party Risk Management | Domain 3 — Custodian (D3-3) | Each custodian confirmed as a covered custodian per GENIUS Act § 10. Annual due diligence report covering custodian financial health, operational controls, and § 10 eligibility. Multi-custodian diversification within concentration limits. |
| L05 Custody & Key Management | Pre-issuance | GENIUS Act § 115 (bankruptcy-remote reserve segregation) | OCC NPR § 15.10 · FDIC NPR § 350.4 (trust structure) | PR.DS-1 · GV.OC-2 | FFIEC Management — Legal Risk | Domain 2 — Segregation (D2-8) | Independent legal counsel opinion on the bankruptcy-remote trust structure. Dedicated reserve custody accounts with no commingling with operational accounts. Trust agreement reviewed and updated annually. |
| L06 Financial Crime & Sanctions | Immediate on enactment | GENIUS Act § 4(a)(4) | FinCEN/OFAC NPR Apr 8, 2026 — five-element AML program requirement | GV.RM-4 · DE.CM-3 | FFIEC BSA/AML Examination Manual — BSA/AML Program Elements | Domain 4 — AML Program (D4-2) | All five elements operational: (1) designated BSA officer, (2) written policies and procedures, (3) training, (4) independent testing, (5) customer due diligence (CDD). PPSI-specific stablecoin typologies addressed in each element. |
| L06 Financial Crime & Sanctions | Immediate on enactment | 31 CFR Part 502 (first binding OFAC sanctions program for this entity class) | FinCEN/OFAC NPR Apr 8, 2026 — OFAC compliance program requirement | PR.AA-2 · DE.CM-1 | FFIEC BSA/AML — OFAC Compliance | Domain 4 — OFAC (D4-3) | Real-time OFAC SDN list screening at onboarding and for all primary market transactions. On-chain analytics platform for secondary market wallet screening. Automated SDN list updates. Strict-liability exposure under 31 CFR Part 502. |
| L06 Financial Crime & Sanctions | From first transaction | 31 CFR § 1010.320 (SAR filing obligation) | FinCEN/OFAC NPR — SAR scope limited to primary market only (secondary market smart contract transfers excluded) | DE.CM-3 · DE.AE-4 | FFIEC BSA/AML — Suspicious Activity Reporting | Domain 4 — SAR (D4-4) | SAR workflow with stablecoin-specific suspicious activity typologies. Filing calendar keyed to the 30-calendar-day deadline from initial detection (60 days where no suspect has been identified), with escalation alerts. SAR scope configured to primary market transactions only, with secondary market smart contract transfers excluded per the FinCEN NPR. |
| L06 Financial Crime & Sanctions | From first transaction | 31 CFR § 1010.410(f) (Travel Rule, transfers ≥$3,000) | FinCEN/OFAC NPR · GENIUS Act AML provisions | PR.DS-2 · DE.CM-6 | FFIEC BSA/AML — Funds Transfer Rules | Domain 4 — Travel Rule (D4-5) | Travel Rule messaging system integrated at transfer origination for transactions ≥$3,000. VASP registry verification for receiving entities. Originator and beneficiary information collected for every origination at or above the threshold. |
| L06 Financial Crime & Sanctions | From first deployment or change | (No prior regulatory precedent; new FinCEN NPR obligation) | FinCEN/OFAC NPR Apr 8, 2026 — event-triggered AML risk assessment update before (1) any new blockchain deployment or (2) any material smart contract change | GV.RM-2 · ID.RA-6 | FFIEC BSA/AML — Risk Assessment Methodology | Domain 4 — Event Trigger (D4-6) | Mandatory compliance approval gate in the SDLC workflow. AML risk assessment updated before each new blockchain deployment and before each material smart contract change. Evidence log of every event trigger maintained. No retroactive cure. |
| L07 Technology & Cybersecurity | Pre-deployment | GENIUS Act § 109 (smart contract governance) | OCC NPR § 15.8 (technology controls and software assurance) | ID.RA-1 · PR.PS-6 | FFIEC Development & Acquisition — Software Assurance | Domain 3 — Smart Contract (D3-4) | Pre-deployment independent audit by two separate firms using different tooling. Critical and high findings remediated before deployment. Re-audit required for any logic-changing upgrade. Audit scope includes the block/freeze/reject capability. |
| L07 Technology & Cybersecurity | Ongoing | (No express statutory SDLC requirement) | OCC NPR § 15.8 · OCC CSW Domain 4 (change management) | PR.IR-1 · PR.PS-1 | FFIEC Development & Acquisition — Environment Segregation | Domain 4 — Change Management (D4-7) | Infrastructure-level separation of development, test, and production environments. No standing developer access to production. All changes through a documented approval workflow. Emergency access procedure with a full audit trail. |
| L07 Technology & Cybersecurity | Ongoing | (No express statutory PAM requirement) | OCC NPR § 15.8 · OCC CSW Domain 1 (access controls) | PR.AA-3 · PR.AA-5 | FFIEC Information Security — Privileged Access Management | Domain 1 — Access Controls (D1-6) | Privileged access management (PAM) solution deployed with session recording for all privileged sessions. Quarterly privileged access reviews. Just-in-time access for emergency production tasks. MFA required for all privileged accounts. |
| L07 Technology & Cybersecurity | Ongoing | (No express statutory patch requirement) | OCC NPR § 15.8 · OCC CSW Domain 3 (vulnerability management) | ID.RA-1 · PR.PS-2 | FFIEC Information Security — Vulnerability Management | Domain 3 — Patch Management (D3-5) | Documented patch management policy: critical CVEs remediated within 7 days, high within 30 days. Authenticated vulnerability scanning of all production systems at a cadence that can surface a critical CVE inside the 7-day window (continuous or at least weekly), with a quarterly full-scope review. Patch compliance dashboard with exception reporting. |
| L08 Resilience & Business Continuity | Before PPSI authorization | (No express statutory BCP requirement) | GENIUS Act § 113 · OCC NPR § 15.8 (operational resilience standards) | RC.RP-1 · RC.RP-2 | FFIEC Business Continuity Planning Handbook — BCP/DR | Domain 5 — Resilience (D5-1) | Annual BCP/DR test with documented results. RTO ≤4 hours and RPO ≤1 hour for core stablecoin operations. Business impact analysis kept current. Redemption continuity plan included in BCP scope. |
| L08 Resilience & Business Continuity | From first issuance | GENIUS Act § 113 (OCC + FDIC + FinCEN simultaneous notification) | OCC NPR § 15.8 · FDIC NPR § 350.9 (operational incident reporting) | RS.CO-2 · RS.CO-3 | FFIEC BCP Handbook — Incident Communication | Domain 5 — Incident Notification (D5-2) | Incident severity classification matrix with § 113 notification thresholds. Pre-populated notification templates for OCC, FDIC, and FinCEN. Three-regulator simultaneous notification workflow. Annual tabletop exercise testing the full notification sequence. |
| L08 Resilience & Business Continuity | From first issuance | (No express GENIUS Act concentration limit) | FDIC NPR § 350.39 — 40% single-vendor concentration limit (cloud + validator + custodian) | GV.SC-4 · GV.SC-7 | FFIEC Third-Party Risk Management — Concentration Risk | Domain 5 — Concentration (D5-3) | Real-time validator concentration monitoring. Cloud provider workload distribution report. Single-vendor concentration alert at ≥35% (warning) and ≥40% (critical). Quarterly concentration report to the board. |
| L09 Consumer Protection & Market Integrity | From first issuance | GENIUS Act § 4(a)(2) (T+2 redemption at par) | OCC NPR (redemption processing standards) | PR.DS-1 · DE.CM-9 | FFIEC IT Management — Customer Service Controls | Domain 1 — Consumer Protection (D1-7) | Automated T+2 SLA monitoring with an alert at T+1 for at-risk redemptions. Liquidity pre-positioned for expected redemption volumes. T+2 redemption rights published in the terms and conditions. |
| L09 Consumer Protection & Market Integrity | Immediate on enactment | GENIUS Act § 4(a)(11) (absolute yield/interest prohibition) | OCC NPR (product governance) | GV.OC-1 · GV.PO-2 | FFIEC IT Management — Product Governance | Domain 1 — Yield Prohibition (D1-8) | Board attestation on the yield prohibition. Legal product review of any rewards or incentive program to confirm it cannot be characterized as yield or interest. Marketing compliance review for investment language. |
| L09 Consumer Protection & Market Integrity | Monthly from first issuance | GENIUS Act § 4(a)(9) (monthly reserve disclosure) | OCC NPR § 15.12 (public availability of reserve composition) | PR.PS-1 · GV.OC-3 | FFIEC IT Management — Disclosure Obligations | Domain 1 — Disclosure (D1-9) | Automated monthly reserve composition disclosure published within 5 business days of month-end. Disclosure reviewed by compliance before publication. Archive of all prior disclosures maintained. |
| L10 DeFi Risk & Cross-Chain Governance | Before first DeFi integration | GENIUS Act § 109 (cross-chain governance) | OCC NPR § 15.8 (third-party risk in a cross-chain context) | GV.SC-1 · GV.SC-6 | FFIEC Third-Party Risk Management — Vendor Governance | Domain 3 — DeFi Governance (D3-6) | DeFi protocol allowlisting governance framework with board-approved criteria. Concentration limits per protocol. Daily on-chain monitoring of protocol exposure. Bridge audit required as a condition of allowlisting approval. |
| L10 DeFi Risk & Cross-Chain Governance | Before first deployment on any new chain | (No prior regulatory precedent; new FinCEN NPR obligation) | FinCEN/OFAC NPR Apr 8, 2026 — AML risk assessment update required before any new blockchain deployment | GV.RM-2 · PR.PS-6 | FFIEC Development & Acquisition — New Product Approval | Domain 4 — New Blockchain Gate (D4-8) | Mandatory pre-deployment compliance approval gate in the SDLC. AML risk assessment update completed and signed off by the AML officer before any token deployment on a new blockchain network. On-chain analytics deployed at the same time as the token. |
| L11 Real-Time Monitoring & Analytics | From first issuance | (No express statutory on-chain analytics requirement) | FinCEN/OFAC NPR Apr 8, 2026 — secondary market OFAC coverage required through on-chain analytics · 31 CFR Part 502 | DE.CM-1 · DE.CM-6 | FFIEC Information Security — Security Monitoring | Domain 5 — Monitoring Program (D5-4) | On-chain analytics platform covering all wallet interactions with the issued stablecoin on every deployed network. OFAC wallet screening for the secondary market. Alert-to-action workflow with a documented escalation path. |
| L11 Real-Time Monitoring & Analytics | From first transaction processing | (No express statutory model governance requirement) | FinCEN/OFAC NPR (AML model update obligations) · Federal Reserve SR 11-7 (model risk management) | ID.RA-6 · DE.CM-3 | FFIEC Information Security — Technology Risk Management | Domain 5 — Model Governance (D5-5) | Transaction monitoring model documented per SR 11-7 (conceptual soundness, data quality, implementation accuracy, outcomes analysis). Annual back-testing. False positive and false negative tracking. Event-triggered re-validation after any smart contract change. |
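The L03 rows (D2-1 coverage ratio, D2-2 WAM, D2-3 liquidity ladder, D2-6 redemption trigger) and the quantitative leg of the D2-7 mint gate all reduce to the same arithmetic over a valued reserve, so one worked example covers them. The block below is an added illustration, not code from the page's author, from any issuer or from a regulator. The thresholds are the ones the table states; the assumptions are that "overnight" means maturing within one day, that a purchase is funded from the cash line, and the data model, function names and the sample portfolio, which is constructed.

```python
"""Reserve-integrity checks for a payment stablecoin issuer (added example).

Thresholds come from the L03 rows of the table. The data model, "overnight"
meaning <= 1 day to maturity, cash-funded purchases, and the sample portfolio
are assumptions made for this illustration.
"""
from dataclasses import dataclass, replace
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Sequence, Tuple

D = Decimal

COVERAGE_WARN = D("1.02")          # warn at <= 102 % coverage; breach below 1:1
WAM_LIMIT_DAYS = 20                # hard limit, no exception process
WAM_WARN_DAYS = 18                 # warning threshold
# (bucket name, horizon in days, minimum share of reserve value maturing within it)
LIQUIDITY_LADDER = (("overnight", 1, D("0.10")),
                    ("within_30d", 30, D("0.30")),
                    ("within_90d", 90, D("0.50")))
REDEMPTION_WARN = D("0.08")        # share of opening supply redeemed in one day
REDEMPTION_NOTIFY = D("0.10")      # mandatory regulator notification


@dataclass(frozen=True)
class ReserveAsset:
    name: str
    fair_value: Decimal            # USD, from an independent custodian pricing feed
    days_to_maturity: int          # 0 for cash


@dataclass(frozen=True)
class Finding:
    check: str
    level: str                     # "ok" | "warning" | "breach"
    value: Decimal
    detail: str


def _q(x: Decimal, places: str = "0.01") -> Decimal:
    return x.quantize(D(places), rounding=ROUND_HALF_UP)


def total_value(assets: Sequence[ReserveAsset]) -> Decimal:
    return sum((a.fair_value for a in assets), D(0))


def coverage_ratio(assets: Sequence[ReserveAsset], outstanding_supply: Decimal) -> Decimal:
    """Reserve fair value divided by tokens outstanding (1.0000 is exactly 1:1)."""
    return _q(total_value(assets) / outstanding_supply, "0.0001")


def weighted_average_maturity(assets: Sequence[ReserveAsset]) -> Decimal:
    """Value-weighted days to maturity across the reserve."""
    weighted = sum((a.fair_value * a.days_to_maturity for a in assets), D(0))
    return _q(weighted / total_value(assets))


def liquidity_ladder(assets: Sequence[ReserveAsset]) -> Dict[str, Decimal]:
    """Cumulative share of reserve value maturing within each ladder horizon."""
    total = total_value(assets)
    return {name: _q(sum((a.fair_value for a in assets if a.days_to_maturity <= h), D(0)) / total, "0.0001")
            for name, h, _ in LIQUIDITY_LADDER}


def evaluate_reserves(assets: Sequence[ReserveAsset], outstanding_supply: Decimal) -> List[Finding]:
    """Run every L03 check. Any 'breach' must halt minting/trading; 'warning' pages the desk."""
    cov = coverage_ratio(assets, outstanding_supply)
    wam = weighted_average_maturity(assets)
    findings = [
        Finding("coverage", "breach" if cov < 1 else "warning" if cov <= COVERAGE_WARN else "ok",
                cov, "reserve fair value / outstanding supply"),
        Finding("wam", "breach" if wam > WAM_LIMIT_DAYS else "warning" if wam >= WAM_WARN_DAYS else "ok",
                wam, f"hard limit {WAM_LIMIT_DAYS} days"),
    ]
    ladder = liquidity_ladder(assets)
    for name, h, minimum in LIQUIDITY_LADDER:
        findings.append(Finding(f"liquidity_{name}", "breach" if ladder[name] < minimum else "ok",
                                ladder[name], f"minimum {int(minimum * 100)}% maturing within {h} day(s)"))
    return findings


def pre_trade_check(assets: Sequence[ReserveAsset], purchase: ReserveAsset,
                    outstanding_supply: Decimal, cash_name: str = "cash") -> Tuple[bool, List[Finding]]:
    """Simulate funding `purchase` from the cash line, then re-run every check on the
    post-trade book. Returns (allowed, findings); any post-trade breach blocks the trade."""
    cash = next((a for a in assets if a.name == cash_name), None)
    if cash is None or purchase.fair_value > cash.fair_value:
        return False, [Finding("funding", "breach", purchase.fair_value, "insufficient cash")]
    post = [replace(a, fair_value=a.fair_value - purchase.fair_value) if a.name == cash_name else a
            for a in assets] + [purchase]
    findings = evaluate_reserves(post, outstanding_supply)
    return all(f.level != "breach" for f in findings), findings


def mint_allowed(assets: Sequence[ReserveAsset], outstanding_supply: Decimal, mint_amount: Decimal) -> bool:
    """Quantitative leg of the D2-7 mint gate: coverage after the mint must stay >= 1:1."""
    return total_value(assets) / (outstanding_supply + mint_amount) >= 1


def redemption_status(redeemed_today: Decimal, opening_supply: Decimal) -> str:
    share = _q(redeemed_today / opening_supply, "0.0001")
    return "notify_fdic" if share >= REDEMPTION_NOTIFY else "warning" if share >= REDEMPTION_WARN else "ok"


# Constructed sample reserve: USD 1.02 bn backing 1.00 bn tokens (assumption, not real data).
OUTSTANDING_SUPPLY = D("1000000000")
SAMPLE_PORTFOLIO = [
    ReserveAsset("cash", D("300000000"), 0),
    ReserveAsset("tbill_7d", D("300000000"), 7),
    ReserveAsset("tbill_21d", D("250000000"), 21),
    ReserveAsset("tbill_45d", D("170000000"), 45),
]

if __name__ == "__main__":
    for f in evaluate_reserves(SAMPLE_PORTFOLIO, OUTSTANDING_SUPPLY):
        print(f"{f.check:<22}{f.level:<9}{f.value}  {f.detail}")
    ok, post = pre_trade_check(SAMPLE_PORTFOLIO, ReserveAsset("tbill_60d", D("200000000"), 60), OUTSTANDING_SUPPLY)
    print("200m 60-day purchase allowed:", ok, [f.check for f in post if f.level == "breach"])
```

Two design points worth noting. The pre-trade check evaluates the post-trade book rather than the purchase in isolation, because a 60-day bill that is harmless at USD 60m breaches both the WAM limit and the overnight bucket at USD 200m once the cash that funds it leaves the ladder. And the mint gate uses the coverage after the proposed mint, so a reserve sitting exactly at the 102% warning line still refuses any mint that would push coverage below par.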
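Row D3-1 requires the block/freeze/reject function to be tested on both the primary market leg (issuance and redemption) and the secondary market leg (peer-to-peer transfers). The block below is an added reference model for that test, not the page's code and not any issuer's contract: it keeps the token's balances and blocklist in Python so a test suite has an oracle to compare the deployed contract against. The addresses, amounts and issuer-role handling are assumptions, and the `check_secondary_market` flag exists only to model the classic defect in which the blocklist is consulted on mint but never on transfer.

```python
"""Reference model of the block/freeze/reject control (added example, not the page's code).

Addresses, amounts and the single-issuer role model are assumptions. The
`check_secondary_market` flag models the defect where only the mint path
consults the blocklist; a correct deployment is the flag set to True.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class Rejected(Exception):
    """The control refused the transaction; on-chain this is a revert."""


@dataclass
class TokenModel:
    issuer: str
    check_secondary_market: bool = True
    balances: Dict[str, int] = field(default_factory=dict)
    frozen: Set[str] = field(default_factory=set)
    total_supply: int = 0
    events: List[tuple] = field(default_factory=list)

    def _require_issuer(self, caller: str) -> None:
        if caller != self.issuer:
            raise Rejected(f"{caller}: not the issuer")

    def _require_not_frozen(self, *addresses: str) -> None:
        for a in addresses:
            if a in self.frozen:
                raise Rejected(f"{a}: frozen")

    # Issuer-only sanctions controls.
    def freeze(self, caller: str, address: str) -> None:
        self._require_issuer(caller)
        self.frozen.add(address)
        self.events.append(("Freeze", address))

    def unfreeze(self, caller: str, address: str) -> None:
        self._require_issuer(caller)
        self.frozen.discard(address)
        self.events.append(("Unfreeze", address))

    # Primary market: issuance and redemption, both issuer-initiated.
    def mint(self, caller: str, to: str, amount: int) -> None:
        self._require_issuer(caller)
        self._require_not_frozen(to)
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount
        self.events.append(("Mint", to, amount))

    def burn(self, caller: str, holder: str, amount: int) -> None:
        """Redemption: the issuer burns from the redeeming holder."""
        self._require_issuer(caller)
        self._require_not_frozen(holder)
        if self.balances.get(holder, 0) < amount:
            raise Rejected("insufficient balance")
        self.balances[holder] -= amount
        self.total_supply -= amount
        self.events.append(("Burn", holder, amount))

    # Secondary market: peer-to-peer transfer, no issuer involvement.
    def transfer(self, caller: str, to: str, amount: int) -> None:
        if self.check_secondary_market:          # the check the audit must prove is present
            self._require_not_frozen(caller, to)
        if self.balances.get(caller, 0) < amount:
            raise Rejected("insufficient balance")
        self.balances[caller] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        self.events.append(("Transfer", caller, to, amount))


def supply_invariant(model: TokenModel) -> bool:
    """Conservation check: minted minus burned must equal the sum of all balances."""
    return model.total_supply == sum(model.balances.values())


def _rejected(action: Callable[[], None]) -> bool:
    try:
        action()
    except Rejected:
        return True
    return False


def freeze_coverage(check_secondary_market: bool = True) -> Dict[str, bool]:
    """Exercise every path a frozen address could use. True means the control held.
    Uses constructed addresses ("issuer", "alice", "bob", "mallory") and amounts."""
    m = TokenModel("issuer", check_secondary_market=check_secondary_market)
    m.mint("issuer", "alice", 1_000)
    m.mint("issuer", "mallory", 500)
    m.freeze("issuer", "mallory")
    return {
        "mint_to_frozen": _rejected(lambda: m.mint("issuer", "mallory", 1)),
        "burn_from_frozen": _rejected(lambda: m.burn("issuer", "mallory", 1)),
        "frozen_sends": _rejected(lambda: m.transfer("mallory", "bob", 1)),
        "send_to_frozen": _rejected(lambda: m.transfer("alice", "mallory", 1)),
        "non_issuer_freeze": _rejected(lambda: m.freeze("alice", "bob")),
        "unfrozen_path_works": not _rejected(lambda: m.transfer("alice", "bob", 1)),
        "supply_conserved": supply_invariant(m),
    }


def freeze_control_complete(report: Dict[str, bool]) -> bool:
    """All paths rejected, legitimate traffic unaffected, supply conserved."""
    return all(report.values())


if __name__ == "__main__":
    for flag in (True, False):
        print(f"secondary-market check={flag}:", freeze_coverage(flag))
```

When this model is used against a real deployment, the same seven cases should be replayed on every network the token is deployed to, and the transfer leg must also cover the delegated path (an approved spender moving funds from or to a frozen address), which this single-`transfer` model deliberately omits. The "buggy" variant shows why the page insists on testing both legs: with only the mint path gated, a frozen wallet can still move its balance and still receive funds from anyone.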
How this feeds downstream: Column 6 (Control Design Standard) is extracted as the implementation requirement for each ICA layer and becomes the "should be" design standard in the Control Standard (page c3). The NIST CSF 2.0 codes (Column 3) serve as control identifiers in the SOC 2 engagement, so they must be CSF 2.0 subcategory identifiers; the CSF 1.1 families PR.AC, ID.SC and PR.MA, and the 1.1 subcategory DE.CM-8, do not exist in 2.0 (their nearest 2.0 homes are PR.AA, GV.SC, PR.PS and ID.RA-1/DE.CM-9) and must not be carried into the engagement. The OCC CSW domain references (Column 5) become the examination procedures in the Multi-Regulator Examination grid (page d2). The Regulatory Library (page b1) provides the obligation inventory. The Regulatory Roadmap (page b2) adds the effective date sequencing.