c2 · Process, Risk & Control · Derived from Both Tracks

PPSI Risk Taxonomy

The consolidated PPSI risk universe — approximately 50 risk scenarios organized into 8 domains with inherent risk ratings. Derived from two sources: regulatory obligation failure modes from the Regulatory Traceability (Track 1) and process risk statements from the PCR (Track 2). This is the PPSI audit universe — the risk reference for Gap Assessment, examination readiness, and audit planning.

8 risk domains
~50 risk scenarios
Inherent risk rating (H / M / L)
PPSI · Covered Custodian · DASP applicability
Regulatory Traceability (b3): 85 obligation → risk translations
+ Process Taxonomy (c1): 63 process risk statements
→ Risk Taxonomy (c2): de-duplicated · 8 domains · inherent rated
→ Gap Assessment (d1): risk-weighted gap register
Inherent rating distribution: 30 High Risk (H) · 14 Medium Risk (M) · 6 Low Risk (L) · 8 Risk Domains
Rating scale:
HIGH: regulatory criminal exposure · examination failure · systemic risk · OCC enforcement trigger
MEDIUM: regulatory deficiency · operational disruption · examination finding
LOW: best-practice gap · process inefficiency · low regulatory consequence
D1 · 5 risk scenarios
Governance & Program Risk
ICA L01 — Governance & Risk Oversight · L02 — Legal Entity & Regulatory Perimeter
R01
Charter / licensing failure — unauthorized stablecoin issuance
PPSI operates without regulatory approval, triggering criminal penalties up to $1M per violation and imprisonment under GENIUS Act § 3(f)
HIGH
PPSI
L02
Regulatory Source
GENIUS Act § 3(f) · OCC 12 CFR Part 15 NPR § 15.3 (authorization requirements)
Failure Scenario
Issuer mints and distributes stablecoins prior to receiving OCC/state PPSI authorization, or continues operations after revocation
Control Objective
L02 — Legal Entity & Regulatory Perimeter: chartered, licensed, and operating within approved scope before first issuance
PPSI only · Criminal exposure
R02
Governance framework failure — undefined board accountability
Absent board oversight structure, undefined risk appetite, or missing WISP — OCC examination grounds for supervisory action at first safety and soundness review
HIGH
PPSI
L01
Regulatory Source
GENIUS Act § 4(a)(3) · OCC NPR § 15.4 (governance requirements) · FFIEC IT Management Handbook
Failure Scenario
Board has not formally approved issuance policy, risk appetite statement, and written information security program before launch
Control Objective
L01 — Governance & Risk Oversight: board-approved foundational documents with signed minutes as primary examination evidence
R03
Capital adequacy shortfall — insufficient operating reserves
Issuer fails to maintain 12-month operating expense reserve, giving OCC grounds to deny or revoke PPSI authorization
HIGH
PPSI
L01
Regulatory Source
OCC NPR § 15.6 ($5M minimum + 12-month OPEX reserve) · FDIC NPR § 350.9(b) (operational backstop)
Failure Scenario
Capital calculation not performed quarterly; backstop pool falls below 12-month OPEX threshold; board sign-off not obtained
Control Objective
Board-approved capital adequacy framework with quarterly automated dashboard alert at minimum threshold
R04
AML officer designation failure — program accountability gap
No qualified AML officer designated before operations commence — GENIUS Act § 4(a)(4) express requirement, immediate examination finding
HIGH
PPSI · DASP
L01 · L06
Regulatory Source
GENIUS Act § 4(a)(4) · FinCEN/OFAC NPR — 5-element AML program (element 1: compliance officer)
Failure Scenario
Operations commence without formally designated AML/BSA officer with appropriate authority, resources, and board-level reporting
Control Objective
Named, qualified AML officer with board appointment documented before first transaction processed
R05
Management fitness screening failure — prohibited persons in key roles
Senior executive or board member fails background check; prohibited person in key role creates supervisory liability
MEDIUM
PPSI
L01
Regulatory Source
OCC NPR § 15.4(d) (fitness and probity standards) · GENIUS Act § 4(a)(3)
Failure Scenario
Background screening not conducted at onboarding or upon role change; convicted person placed in BSA officer, CEO, or board position
Control Objective
Independent background screening with documented results required as mandatory gate before appointment to key roles
D2 · 7 risk scenarios
Reserve & Financial Integrity Risk
ICA L03 — Reserve & Financial Integrity
R06
Reserve shortfall — 1:1 backing ratio violation
Reserve assets fall below par value of outstanding stablecoins — the defining GENIUS Act obligation; immediate OCC/FDIC enforcement trigger
HIGH
PPSI
L03
Regulatory Source
GENIUS Act § 4(a)(1)(A) · OCC NPR § 15.10 (daily fair value from independent sources)
Failure Scenario
Reserve composition drifts below 100% par; daily fair value not computed from independent sources; intraday redemptions cause temporary shortfall
Control Objective
Real-time reserve coverage dashboard with automated alerts at 102% warning and 100% hard stop; daily fair value from custodian
Systemic risk
R07
WAM violation — weighted average maturity exceeds 20-day limit
Reserve portfolio WAM breaches OCC hard limit of 20 days — automatic OCC enforcement trigger with no cure period
HIGH
PPSI
L03
Regulatory Source
OCC NPR § 15.10(b) — WAM ≤20 days is a hard limit with no exception process
Failure Scenario
Reserve manager purchases longer-duration assets without running pre-trade WAM check; WAM calculation not updated daily
Control Objective
Pre-trade WAM check blocks purchases that would breach limit; automated daily recalculation; alert at 18-day warning threshold
R08
Liquidity ladder breach — insufficient overnight or 30-day liquidity
Reserve composition falls below ≥10% overnight or ≥30% within 30 days — redemption stress cannot be funded
HIGH
PPSI
L03
Regulatory Source
OCC NPR § 15.11 — ≥10% immediately liquid; ≥30% within 30 days; ≥50% within 90 days
Failure Scenario
Treasury market stress reduces overnight liquidity; concentration in 30–90 day T-bills exceeds bucket limits
Control Objective
Automated liquidity bucket monitoring with daily bucket calculation and pre-trade bucket impact check
R09
CEO/CFO certification failure — 18 U.S.C. § 1001 criminal exposure
Monthly reserve certification filed with false or unsupported data — federal criminal liability for certifying officers
HIGH
PPSI
L03
Regulatory Source
OCC NPR § 15.12 · FDIC NPR § 350.15 — monthly CEO/CFO certification with 18 U.S.C. § 1001 criminal liability briefing required
Failure Scenario
Certification filed without supporting data reconciliation; reserve calculation errors not corrected before certification; officers not briefed on criminal exposure
Control Objective
Auto-populated certification package from reserve monitoring system; reconciliation sign-off before officer certification; documented §1001 briefing
Criminal exposure
R10
Concentration limit violation — single institution exceeds 40%
Excessive single-institution concentration in reserve portfolio — FDIC § 350.39 limit breach
MEDIUM
PPSI
L03
Regulatory Source
FDIC NPR § 350.39 — single institution concentration limit 40%
Failure Scenario
Reserve concentrated at single custodian or in securities from single issuer above permitted threshold
Control Objective
Real-time concentration monitoring with pre-trade concentration check blocking transactions that would breach 40% limit
R11
Operational backstop shortfall — insufficient HQLA for 12-month OPEX
Operational backstop pool falls below 12-month trailing OPEX in HQLA — FDIC § 350.9(b) violation
HIGH
PPSI
L03
Regulatory Source
FDIC NPR § 350.9(b) — operational backstop must equal trailing 12-month OPEX in HQLA, segregated from reserves
Failure Scenario
Backstop pool not established; OPEX calculation stale; backstop assets not segregated from reserve assets; HQLA eligibility not verified
Control Objective
Quarterly backstop recalculation with automated alert when pool approaches minimum; segregated custodian account
R12
FDIC 10% single-day redemption threshold — notification failure
Single-day redemption exceeds 10% of outstanding stablecoins without mandatory FDIC notification — § 350.5(c)(1) violation
HIGH
PPSI
L03
Regulatory Source
FDIC NPR § 350.5(c)(1) — significant redemption event triggers mandatory FDIC notification
Failure Scenario
Mass redemption event not detected in real time; notification workflow not triggered; FDIC not contacted within required timeframe
Control Objective
Automated intraday monitoring with 8% warning alert and automated FDIC notification workflow at 10% trigger
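As an added example that is not part of the original taxonomy or of any PPSI system, the D2 control objectives above (R06 coverage, R07 WAM, R08 liquidity ladder, R10 concentration, R12 single-day redemptions) expressed as reserve-monitoring checks in Python. The portfolio, custodian names and the candidate trade are constructed for the illustration; the threshold constants are the figures quoted in this domain.

```python
"""Reserve integrity checks for a stablecoin reserve portfolio (added example)."""
from dataclasses import dataclass

# Thresholds as stated on this page (OCC NPR § 15.10 / § 15.11, FDIC NPR § 350.39 / § 350.5(c)(1)).
WAM_LIMIT_DAYS = 20          # hard limit, no cure period (R07)
WAM_WARN_DAYS = 18           # early-warning threshold (R07)
LIQUIDITY_MINIMUMS = ((0, 0.10), (30, 0.30), (90, 0.50))  # (max days to maturity, min share) (R08)
CONCENTRATION_LIMIT = 0.40   # single-institution share of reserves (R10)
COVERAGE_WARN = 1.02         # reserve fair value / outstanding par, warning (R06)
COVERAGE_HARD_STOP = 1.00    # below this, issuance halts (R06)
REDEMPTION_WARN = 0.08       # single-day redemptions / outstanding at start of day (R12)
REDEMPTION_NOTIFY = 0.10     # mandatory FDIC notification trigger (R12)


@dataclass(frozen=True)
class ReserveAsset:
    institution: str        # custodian / depository holding the position
    fair_value: float       # USD, from an independent daily price source
    days_to_maturity: int   # 0 = overnight cash, repo, or demand deposit


def total_value(assets):
    return sum(a.fair_value for a in assets)


def weighted_average_maturity(assets):
    """Fair-value-weighted average days to maturity (WAM)."""
    total = total_value(assets)
    return sum(a.fair_value * a.days_to_maturity for a in assets) / total if total else 0.0


def liquidity_shares(assets):
    """Cumulative share of reserves maturing within each liquidity bucket."""
    total = total_value(assets)
    if not total:
        return {limit: 0.0 for limit, _ in LIQUIDITY_MINIMUMS}
    return {limit: sum(a.fair_value for a in assets if a.days_to_maturity <= limit) / total
            for limit, _ in LIQUIDITY_MINIMUMS}


def max_institution_share(assets):
    """Largest single-institution share of reserve fair value, with the institution name."""
    total = total_value(assets)
    if not total:
        return "", 0.0
    by_inst = {}
    for a in assets:
        by_inst[a.institution] = by_inst.get(a.institution, 0.0) + a.fair_value
    inst, value = max(by_inst.items(), key=lambda kv: kv[1])
    return inst, value / total


def portfolio_findings(assets):
    """Run the WAM, liquidity-ladder and concentration checks; return (level, risk_id, detail)."""
    findings = []
    wam = weighted_average_maturity(assets)
    if wam > WAM_LIMIT_DAYS:
        findings.append(("BREACH", "R07", f"WAM {wam:.1f}d exceeds {WAM_LIMIT_DAYS}d limit"))
    elif wam > WAM_WARN_DAYS:
        findings.append(("WARN", "R07", f"WAM {wam:.1f}d above {WAM_WARN_DAYS}d warning"))
    shares = liquidity_shares(assets)
    for limit, minimum in LIQUIDITY_MINIMUMS:
        if shares[limit] < minimum:
            findings.append(("BREACH", "R08",
                             f"{shares[limit]:.1%} within {limit}d, minimum {minimum:.0%}"))
    inst, share = max_institution_share(assets)
    if share > CONCENTRATION_LIMIT:
        findings.append(("BREACH", "R10",
                         f"{inst} holds {share:.1%}, limit {CONCENTRATION_LIMIT:.0%}"))
    return findings


def coverage_finding(assets, outstanding_par):
    """1:1 backing check with 102% warning and 100% hard stop (R06); None when healthy."""
    ratio = total_value(assets) / outstanding_par
    if ratio < COVERAGE_HARD_STOP:
        return ("BREACH", "R06", f"coverage {ratio:.2%} below 100%: halt issuance")
    if ratio < COVERAGE_WARN:
        return ("WARN", "R06", f"coverage {ratio:.2%} below {COVERAGE_WARN:.0%} warning")
    return None


def pre_trade_check(assets, candidate):
    """Evaluate the portfolio as it would look after the purchase; any BREACH blocks the trade."""
    findings = portfolio_findings(list(assets) + [candidate])
    allowed = not any(level == "BREACH" for level, _, _ in findings)
    return allowed, findings


def redemption_level(redeemed_today, outstanding_start_of_day):
    """Intraday redemption monitor: None, 'WARN' at 8%, 'NOTIFY_FDIC' at 10% (R12)."""
    share = redeemed_today / outstanding_start_of_day
    if share >= REDEMPTION_NOTIFY:
        return "NOTIFY_FDIC"
    if share >= REDEMPTION_WARN:
        return "WARN"
    return None


# Constructed sample portfolio (not real data): USD 105M backing USD 100M outstanding.
SAMPLE_RESERVES = [
    ReserveAsset("Custodian A", 40_000_000, 0),    # overnight cash
    ReserveAsset("Custodian B", 35_000_000, 20),   # 20-day T-bill
    ReserveAsset("Custodian C", 30_000_000, 30),   # 30-day T-bill
]
SAMPLE_OUTSTANDING = 100_000_000
# Constructed purchase that would breach both the WAM limit and the 40% concentration limit.
SAMPLE_TRADE = ReserveAsset("Custodian A", 20_000_000, 120)

if __name__ == "__main__":
    print("portfolio:", portfolio_findings(SAMPLE_RESERVES) or "all checks pass")
    print("coverage:", coverage_finding(SAMPLE_RESERVES, SAMPLE_OUTSTANDING) or "ok")
    print("pre-trade:", pre_trade_check(SAMPLE_RESERVES, SAMPLE_TRADE))
```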
D3 · 5 risk scenarios
Issuance & Token Lifecycle Risk
ICA L04 — Mint/Burn & Token Lifecycle
R13
Unauthorized mint event — supply inflation beyond authorized amount
Stablecoins minted without confirmed reserve deposit or multi-sig authorization — on-chain supply exceeds backing
HIGH
PPSI
L04
Regulatory Source
GENIUS Act § 4(a)(1) (1:1 reserve requirement) · OCC NPR § 15.10 (reserve composition confirmed before issuance)
Failure Scenario
Off-chain verification gate bypassed; reserve deposit not confirmed before mint transaction signed; multi-sig threshold not met
Control Objective
L04 — automated off-chain reserve confirmation gate and multi-sig authorization required as mandatory prerequisites for every mint transaction
R14
Block / freeze / reject capability failure — OFAC enforcement non-compliance
Smart contract cannot execute mandatory OFAC enforcement action — GENIUS Act § 4(a)(5)(iv) technical capability requirement not met
HIGH
PPSI · DASP
L04 · L06
Regulatory Source
GENIUS Act § 4(a)(5)(iv) — mandatory block/freeze/reject technical capability · FinCEN/OFAC NPR Apr 8, 2026 — primary and secondary market scope
Failure Scenario
Smart contract does not include block/freeze/reject function; function present but not tested; function scope limited to primary market only
Control Objective
Independent smart contract audit confirms block/freeze/reject capability deployed and tested for both primary and secondary market transactions
R15
Smart contract supply manipulation — unauthorized on-chain mint/burn
Smart contract vulnerability or admin key abuse enables unauthorized token supply change outside normal workflow
HIGH
PPSI
L04 · L07
Regulatory Source
GENIUS Act § 109 (smart contract governance) · OCC NPR § 15.8 (technology controls)
Failure Scenario
Unaudited smart contract contains reentrancy or access control vulnerability; admin key not stored in HSM; single-person signing authority
Control Objective
Pre-deployment independent smart contract audit; HSM-based admin key; multi-sig governance for any supply-changing transaction
R16
Off-chain verification gate failure — on-chain issuance without reserve confirmation
Mint transaction executes before off-chain reserve deposit is confirmed — timing gap creates momentary under-backing
HIGH
PPSI
L04
Regulatory Source
GENIUS Act § 4(a)(1) — 1:1 reserve must be confirmed before issuance
Failure Scenario
Reserve management system approves mint before custodian settlement confirms; webhook failure causes gate bypass; latency in reserve feed
Control Objective
Automated confirmation gate with 3-way verification (issuer system + custodian confirmation + reserve dashboard) before mint authorization signed
R17
Burn without redemption reconciliation — token supply imbalance
Tokens burned without corresponding reserve release reconciliation — creates supply/reserve mismatch in accounting records
MEDIUM
PPSI
L04
Regulatory Source
GENIUS Act § 4(a)(1) — reserve and supply must remain in balance · OCC NPR § 15.10 (reserve composition reported accurately)
Failure Scenario
Burn transaction recorded on-chain but reserve system not simultaneously updated; three-ledger reconciliation gap persists
Control Objective
Automated three-ledger reconciliation (on-chain, issuer system, custodian) run at each burn event with exception alert for imbalance > $1,000
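The R16 three-way mint confirmation gate and the R17 three-ledger burn reconciliation, as an added Python example that is not the issuer's or any vendor's code. The 2-of-3 signer threshold, deposit references, transaction hashes and amounts are assumptions constructed for the illustration; the USD 1,000 exception tolerance is the figure quoted in R17.

```python
"""Mint authorization gate and burn reconciliation for a stablecoin issuer (added example)."""
from dataclasses import dataclass

MULTISIG_THRESHOLD = 2          # signers required of the authorized set (assumed 2-of-3)
RECON_TOLERANCE_USD = 1_000.0   # exception alert for a three-ledger imbalance above this (R17)


@dataclass(frozen=True)
class MintRequest:
    request_id: str
    amount_usd: float
    deposit_ref: str            # custodian settlement reference for the backing deposit
    signers: frozenset          # signers who approved this mint


@dataclass
class GateInputs:
    """The three independent sources the gate must agree on (R16's 3-way verification)."""
    issuer_deposits: dict       # issuer system: deposit_ref -> amount recorded
    custodian_confirmed: dict   # custodian settlement confirmations: deposit_ref -> amount
    reserve_value_usd: float    # reserve dashboard: independently priced fair value (assumed to
                                # already include the settled deposit)
    outstanding_usd: float      # reserve dashboard: current on-chain supply at par
    authorized_signers: frozenset


def mint_gate(req, inputs):
    """Return (approved, reasons). Each reason is a failed prerequisite; any one blocks the mint."""
    reasons = []
    issuer_amt = inputs.issuer_deposits.get(req.deposit_ref)
    if issuer_amt is None:
        reasons.append("issuer system has no record of deposit " + req.deposit_ref)
    elif issuer_amt != req.amount_usd:
        reasons.append(f"issuer record {issuer_amt} != requested {req.amount_usd}")
    cust_amt = inputs.custodian_confirmed.get(req.deposit_ref)
    if cust_amt is None:   # e.g. settlement webhook lost: the gate must fail closed, not bypass
        reasons.append("custodian settlement not confirmed for " + req.deposit_ref)
    elif cust_amt != req.amount_usd:
        reasons.append(f"custodian confirmed {cust_amt} != requested {req.amount_usd}")
    # Post-mint supply must stay at or below the dashboard's independent reserve valuation.
    if inputs.reserve_value_usd < inputs.outstanding_usd + req.amount_usd:
        reasons.append("post-mint supply would exceed reserve fair value")
    valid = req.signers & inputs.authorized_signers
    if len(valid) < MULTISIG_THRESHOLD:
        reasons.append(f"{len(valid)} valid signatures, threshold {MULTISIG_THRESHOLD}")
    return (not reasons), reasons


@dataclass(frozen=True)
class BurnEvent:
    tx_hash: str
    on_chain_burned: float      # amount burned according to the chain
    issuer_recorded: float      # amount the issuer ledger recorded as redeemed
    custodian_released: float   # reserve released by the custodian for the payout


def reconcile_burn(event):
    """Compare the three ledgers pairwise; return (pair, difference) for any gap over tolerance."""
    legs = {"on_chain": event.on_chain_burned, "issuer": event.issuer_recorded,
            "custodian": event.custodian_released}
    names = list(legs)
    exceptions = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            diff = abs(legs[a] - legs[b])
            if diff > RECON_TOLERANCE_USD:
                exceptions.append((f"{a}/{b}", diff))
    return exceptions


# Constructed sample data (not real references or balances).
SIGNERS = frozenset({"signer-a", "signer-b", "signer-c"})
SAMPLE_INPUTS = GateInputs(
    issuer_deposits={"DEP-2024-001": 5_000_000.0},
    custodian_confirmed={"DEP-2024-001": 5_000_000.0},
    reserve_value_usd=105_000_000.0,
    outstanding_usd=100_000_000.0,
    authorized_signers=SIGNERS,
)
SAMPLE_LOST_WEBHOOK = GateInputs({"DEP-2024-001": 5_000_000.0}, {}, 105_000_000.0,
                                 100_000_000.0, SIGNERS)
SAMPLE_REQUEST = MintRequest("MINT-0001", 5_000_000.0, "DEP-2024-001",
                             frozenset({"signer-a", "signer-b"}))
SAMPLE_UNDERSIGNED = MintRequest("MINT-0002", 5_000_000.0, "DEP-2024-001",
                                 frozenset({"signer-a", "not-authorized"}))
SAMPLE_BURN = BurnEvent("0xCONSTRUCTED-BURN-1", 2_500_000.0, 2_500_000.0, 2_498_500.0)
SAMPLE_BURN_OK = BurnEvent("0xCONSTRUCTED-BURN-2", 2_500_000.0, 2_500_000.0, 2_499_600.0)

if __name__ == "__main__":
    print("mint:", mint_gate(SAMPLE_REQUEST, SAMPLE_INPUTS))
    print("mint, lost webhook:", mint_gate(SAMPLE_REQUEST, SAMPLE_LOST_WEBHOOK))
    print("mint, undersigned:", mint_gate(SAMPLE_UNDERSIGNED, SAMPLE_INPUTS))
    print("burn exceptions:", reconcile_burn(SAMPLE_BURN))
```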
D4 · 5 risk scenarios
Custody & Key Management Risk
ICA L05 — Custody & Key Management
R18
Private key compromise — irreversible loss of reserve assets
Signing key exposure leads to unauthorized reserve asset transfer — irreversible on-chain transaction cannot be recovered
HIGH
PPSI · Custodian
L05
Regulatory Source
OCC NPR § 15.10 (reserve asset safeguarding) · GENIUS Act § 115 (bankruptcy-remote segregation)
Failure Scenario
HSM not used; key stored in software wallet; single custodian without multi-sig; key ceremony not conducted with witnesses
Control Objective
L05 — all signing keys generated in HSM; 3-of-5 multi-sig for any reserve transaction; annual key ceremony with documented attendees
R19
Key ceremony failure — single-point-of-failure in signing authority
Key generation ceremony not properly conducted; fewer signers than threshold available; key shard storage insecure
HIGH
PPSI · Custodian
L05
Regulatory Source
OCC NPR § 15.10 (key management program) · FFIEC Information Security Handbook (cryptographic key management)
Failure Scenario
Key generation in software; threshold signers not available for recovery; key ceremony not documented; shards stored in same physical location
Control Objective
Formal key ceremony protocol with HSM generation, documented witnesses, geographically distributed shard storage, and annual ceremony for rotation
R20
Custodian failure — reserve asset loss at qualified custodian
Qualified custodian insolvency or operational failure causes temporary or permanent loss of reserve assets
HIGH
PPSI · Custodian
L05
Regulatory Source
GENIUS Act § 10 (covered custodian requirements) · OCC NPR Subpart C · FDIC NPR § 350.4 (reserve asset custody)
Failure Scenario
Custodian not a "covered custodian" under GENIUS Act § 10; no sub-custodian due diligence; concentration at single custodian exceeding limits
Control Objective
Custodian meets GENIUS Act § 10 definition; annual due diligence on custodian financial health; multi-custodian diversification
R21
Reserve asset commingling — issuer proprietary assets mixed with reserve
Reserve assets not segregated from issuer's proprietary assets — GENIUS Act § 115 bankruptcy-remote requirement violated
HIGH
PPSI
L05
Regulatory Source
GENIUS Act § 115 — bankruptcy-remote trust structure required · OCC NPR § 15.10 · FDIC NPR § 350.4
Failure Scenario
Reserve and operational accounts at same custodian without legal segregation; trust structure not established; no independent legal opinion on bankruptcy-remoteness
Control Objective
Legal trust structure with independent counsel opinion; dedicated reserve custody accounts separate from all operational accounts
R22
HSM failure — key unavailability causing operational disruption
Hardware security module failure prevents signing operations — temporary inability to mint, burn, or execute reserve transactions
MEDIUM
PPSI · Custodian
L05 · L08
Regulatory Source
OCC NPR § 15.8 (operational resilience) · FFIEC Business Continuity Planning Handbook
Failure Scenario
Single HSM with no hot standby; backup HSM not tested; recovery procedure not documented; vendor support response time inadequate
Control Objective
Redundant HSMs across geographically separated facilities; documented recovery procedure tested annually; vendor SLA with 4-hour response
D5 · 7 risk scenarios
Financial Crime & Sanctions Risk
ICA L06 — Financial Crime & Sanctions
R23
AML program deficiency — 5-element program absent or inadequate
Stablecoin issuer lacks a compliant BSA/AML program — FinCEN/OFAC NPR Apr 8, 2026 makes this a GENIUS Act violation with OCC examination consequences
HIGH
PPSI · DASP
L06
Regulatory Source
FinCEN/OFAC Joint NPR Apr 8, 2026 — 5-element program: (1) AML officer (2) policies (3) training (4) independent testing (5) CDD
Failure Scenario
One or more of the 5 elements absent; AML policy not updated for stablecoin-specific risks; training not conducted; independent testing not completed
Control Objective
All 5 elements documented and operational; annual BSA/AML exam by independent party; event-triggered risk assessment update (FinCEN NPR mandate)
R24
OFAC sanctions exposure — strict-liability civil penalty
Transaction with OFAC-designated counterparty — OFAC strict liability imposes civil penalty regardless of knowledge or intent
HIGH
PPSI · DASP
L06
Regulatory Source
31 CFR Part 502 (first binding OFAC sanctions program requirement for this entity class) · GENIUS Act § 4(a)(5)(iii)
Failure Scenario
Customer onboarding not screened against OFAC SDN list; secondary market wallet not screened; screening list not updated to current OFAC version
Control Objective
Real-time OFAC screening at onboarding and transaction level; automated SDN list updates; secondary market on-chain analytics coverage
Strict liability
R25
SAR non-filing — FinCEN enforcement action for unreported suspicious activity
Suspicious transaction identified but SAR not filed within 30 days — FinCEN civil money penalty and potential criminal referral
HIGH
PPSI
L06
Regulatory Source
FinCEN/OFAC NPR — SAR scope limited to primary market only for PPSIs (secondary market smart contracts excluded) · 31 CFR § 1010.320
Failure Scenario
Transaction monitoring system not tuned to stablecoin typologies; alert not escalated to compliance for SAR decision; 30-day filing deadline missed
Control Objective
Stablecoin-specific transaction monitoring rules; documented SAR decision workflow; 30-day filing calendar with escalation alerts
R26
Travel Rule non-compliance — GENIUS Act AML violation for transfers ≥$3,000
Stablecoin transfers without required counterparty information transmission — direct GENIUS Act AML obligation
HIGH
PPSI · DASP
L06
Regulatory Source
GENIUS Act AML provisions · FinCEN/OFAC NPR Apr 8, 2026 · 31 CFR § 1010.410 (Travel Rule ≥$3,000)
Failure Scenario
Travel Rule messaging not implemented for on-chain transfers; receiving entity not verified as VASP; beneficiary information not collected at origination
Control Objective
Travel Rule messaging system integrated at transfer origination; VASP registry verification for receiving entities; ≥$3,000 threshold automation
R27
CDD / KYC failure — customer risk misclassification at onboarding
Inadequate customer due diligence at onboarding results in high-risk customer classified as low-risk — subsequent AML monitoring insufficient
HIGH
PPSI · DASP
L06
Regulatory Source
FinCEN/OFAC NPR — element 5 (CDD) · FFIEC BSA/AML Examination Manual (customer risk rating)
Failure Scenario
Risk scoring model not validated; PEP screening absent; beneficial ownership not collected for legal entities; enhanced due diligence not triggered for high-risk classification
Control Objective
Documented customer risk rating methodology; PEP + adverse media screening; UBO collection for entities; EDD workflow for high-risk customers
R28
Secondary market OFAC screening gap — sanctioned counterparty in on-chain trading
On-chain analytics insufficient to detect OFAC-designated wallet interacting with stablecoin in secondary market
HIGH
PPSI · DASP
L06 · L11
Regulatory Source
31 CFR Part 502 · FinCEN/OFAC NPR — secondary market OFAC coverage required through on-chain analytics (not SAR scope)
Failure Scenario
On-chain analytics platform not deployed; coverage limited to custodied wallets; SDN list not cross-referenced against on-chain activity
Control Objective
On-chain analytics platform covering all wallets interacting with issued stablecoins; OFAC wallet screening for secondary market transactions above threshold
R29
314(a) / 314(b) non-compliance — FinCEN information sharing failure
Failure to respond to 314(a) requests or maintain 314(b) registration — FinCEN examination finding
MEDIUM
PPSI
L06
Regulatory Source
31 CFR § 1010.520 (314(a) — mandatory) · 31 CFR § 1010.540 (314(b) — voluntary but expected)
Failure Scenario
314(a) email inbox not monitored; 14-day response deadline missed; 314(b) registration not renewed annually
Control Objective
Dedicated 314(a) inbox with 24-hour monitoring; documented response workflow; annual 314(b) registration renewal calendar
D6 · 6 risk scenarios
Technology & Cybersecurity Risk
ICA L07 — Technology & Cybersecurity
R30
Smart contract vulnerability — exploit leading to fund drain
Unaudited or inadequately audited smart contract contains exploitable vulnerability; attacker drains reserve or user funds
HIGH
PPSI
L07
Regulatory Source
GENIUS Act § 109 (smart contract governance) · OCC NPR § 15.8 (technology controls and software assurance)
Failure Scenario
Smart contract deployed without independent audit; reentrancy, integer overflow, or access control vulnerability not identified; post-deployment monitoring absent
Control Objective
Pre-deployment independent audit by two separate firms; formal code review in segregated SDLC environment; post-deployment on-chain monitoring for anomalous behavior
R31
Unauthorized upgrade / admin key abuse — protocol manipulation
Smart contract upgraded or protocol parameter changed without proper multi-sig governance — unauthorized control change
HIGH
PPSI
L07
Regulatory Source
GENIUS Act § 109 · OCC NPR § 15.8 · FFIEC Development & Acquisition Handbook (change management)
Failure Scenario
Single admin key holder executes upgrade without approval; upgrade bypasses security audit; governance token concentration allows protocol takeover
Control Objective
Multi-sig governance (3-of-5 minimum) for all upgrades; mandatory re-audit for any logic change; timelock on upgrades (minimum 48-hour delay)
R32
SDLC environment segregation failure — untested code in production
Development code deployed directly to production without test environment validation — OCC examination control failure
HIGH
PPSI
L07
Regulatory Source
OCC NPR § 15.8 · FFIEC Development & Acquisition Handbook (environment segregation) · OCC CSW Domain 4 (change management)
Failure Scenario
No infrastructure-level separation of dev/test/prod; developer with direct production access; code review bypassed for urgent patches
Control Objective
Infrastructure-enforced environment separation; no developer production access without emergency access control procedure; all changes through tested code path
R33
Privileged access control breach — unauthorized system compromise
Excessive or unmonitored privileged access enables unauthorized system changes, data exfiltration, or configuration manipulation
HIGH
PPSI
L07
Regulatory Source
OCC CSW Domain 1 (access controls) · FFIEC Information Security Handbook · NIST CSF 2.0 PR.AC-3
Failure Scenario
Privileged accounts shared; PAM solution not deployed; privileged sessions not recorded; access reviews not conducted quarterly
Control Objective
PAM solution with session recording; quarterly privileged access reviews; just-in-time access for emergency production tasks; MFA required for all privileged sessions
R34
Patch management failure — known vulnerability exploitation
Critical security patch not applied within required timeframe — known CVE exploited in production environment
MEDIUM
PPSI
L07
Regulatory Source
OCC CSW Domain 3 (vulnerability management) · FFIEC Information Security Handbook · NIST CSF 2.0 DE.CM-8
Failure Scenario
Patch cadence not defined; critical patches not tracked against CVE database; production environment not scanned quarterly
Control Objective
Documented patch management policy (critical ≤7 days, high ≤30 days); quarterly vulnerability scanning; patch compliance dashboard
R35
Cybersecurity incident — material breach without adequate response
Cybersecurity incident materially affects operations or customer assets without documented incident response plan — OCC § 113 notification trigger
HIGH
PPSI
L07 · L08
Regulatory Source
GENIUS Act § 113 (OCC/FDIC/FinCEN incident notification) · OCC NPR § 15.8 · FFIEC Business Continuity Planning Handbook
Failure Scenario
No documented IRP; incident not classified using severity tiers; notification obligations to OCC/FDIC not understood or triggered; post-incident review not conducted
Control Objective
Documented IRP with severity tiers and notification thresholds; pre-populated GENIUS Act § 113 notification templates; tabletop exercise annually
D7 · 7 risk scenarios
Operational Resilience Risk
ICA L08 — Resilience & Business Continuity
R36
Blockchain outage — payment system unavailability
Underlying blockchain experiences chain halt or extended unavailability — stablecoin becomes non-functional as payment instrument
HIGH
PPSI
L08
Regulatory Source
GENIUS Act § 113 (incident notification) · OCC NPR § 15.8 (operational resilience) · FFIEC BCP Handbook
Failure Scenario
Chain halt on primary blockchain with no contingency plan; RTO not defined for blockchain-specific outage; no multi-chain redundancy strategy
Control Objective
Blockchain uptime monitoring; documented RTO ≤4 hours for critical operations; § 113 notification workflow triggered at threshold downtime
R37
T+2 redemption failure — settlement interruption from operational outage
Operational disruption prevents T+2 redemption processing — OCC enforcement trigger and consumer protection violation
HIGH
PPSI
L08 · L09
Regulatory Source
GENIUS Act § 4(a)(2) (T+2 redemption requirement) · OCC NPR § 15.8 · FDIC NPR § 350.9(b)
Failure Scenario
BCP does not include redemption continuity plan; blockchain outage without alternative settlement path; operational backstop insufficient to cover T+2 settlement during disruption
Control Objective
Redemption continuity plan with documented alternative settlement procedures; operational backstop sufficient to cover T+2 obligations during extended disruption
R38
Validator concentration — single-point-of-failure in consensus
Excessive dependence on concentrated validator set creates governance/operational risk — FDIC § 350.39 concentration limit applies
HIGH
PPSI
L08
Regulatory Source
FDIC NPR § 350.39 (40% single-vendor concentration) · OCC NPR § 15.8 · GENIUS Act § 109
Failure Scenario
Issuer's chosen blockchain has concentrated validator set; no validator diversity monitoring; single cloud provider hosts majority of validators
Control Objective
Validator diversity monitoring; blockchain selection criteria include validator decentralization; quarterly concentration report against 40% limit
R39
Cloud provider concentration — infrastructure-wide disruption
Excessive dependence on single cloud provider creates systemic operational risk — regulatory concentration limit applies
HIGH
PPSI
L08 · L13
Regulatory Source
FDIC NPR § 350.39 (40% single-vendor concentration) · OCC NPR § 15.8 · FFIEC BCP Handbook (third-party concentration)
Failure Scenario
100% of infrastructure on single cloud provider; no multi-region or multi-cloud strategy; cloud outage takes down all PPSI operations simultaneously
Control Objective
Multi-cloud or multi-region architecture with active/active failover; single cloud provider ≤40% of critical workloads; annual BCP test including cloud failover
R40
BCP/DR failure — extended unavailability exceeding RTO/RPO
BCP and DR plans not tested or inadequate; recovery takes longer than defined RTO — OCC examination finding
HIGH
PPSI
L08
Regulatory Source
OCC NPR § 15.8 (RTO ≤4 hours / RPO ≤1 hour for critical operations) · FFIEC BCP Handbook
Failure Scenario
BCP/DR plans not tested in 12+ months; RTO/RPO targets not defined per critical service; DR failover not validated in test environment; BIA not current
Control Objective
Annual BCP/DR test with documented results; RTO ≤4 hours / RPO ≤1 hour for stablecoin core operations; current Business Impact Analysis
R41
§ 113 incident notification failure — OCC/FDIC/FinCEN regulatory violation
Material operational or cybersecurity incident not reported to OCC, FDIC, and FinCEN within required timeframes under GENIUS Act § 113
HIGH
PPSI
L08
Regulatory Source
GENIUS Act § 113 — mandatory incident notification to OCC, FDIC, and FinCEN within defined timeframes
Failure Scenario
Incident severity classification criteria not defined; notification obligations not known to operations team; pre-populated notification templates not prepared
Control Objective
Incident classification matrix with § 113 notification triggers; pre-populated templates for each regulator; annual tabletop exercise testing notification workflow
R42
Bridge failure — cross-chain settlement interruption
Bridge protocol failure or exploit interrupts cross-chain stablecoin settlement — payment system contagion pathway
MEDIUM
PPSI
L08 · L10
Regulatory Source
OCC NPR § 15.8 · GENIUS Act § 109 (cross-chain governance) · FFIEC Third-Party Risk Management Handbook
Failure Scenario
Bridge smart contract not audited; bridge operator not subject to PPSI-equivalent standards; no bridge outage contingency in BCP
Control Objective
Bridge allowlisting framework; independent audit of bridge smart contracts; bridge included in BCP/DR scope with defined alternative settlement path
D8 · 8 risk scenarios
Legal, Consumer & Cross-Chain Risk
ICA L09 — Consumer Protection · L10 — DeFi Risk · L11 — Real-Time Monitoring
R43
Yield / interest prohibition violation — securities or deposit characterization
PPSI pays yield or interest to stablecoin holders — GENIUS Act § 4(a)(11) absolute prohibition; may trigger SEC securities classification
HIGH
PPSI
L09
Regulatory Source
GENIUS Act § 4(a)(11) — absolute prohibition on yield/interest to stablecoin holders · SEC investment contract analysis
Failure Scenario
Product branded as "rewards" or "incentives" that effectively constitute yield; marketing materials imply investment return; loyalty programs structured as yield
Control Objective
Legal product governance review for any rewards program; board-level zero yield attestation; marketing compliance review for investment language
SEC jurisdiction trigger
R44
Redemption right failure — T+2 consumer protection breach
Holder unable to redeem stablecoin at par within T+2 — GENIUS Act § 4(a)(2) consumer protection requirement violated
HIGH
PPSI
L09
Regulatory Source
GENIUS Act § 4(a)(2) — T+2 redemption at par; right must be published in terms and enforced
Failure Scenario
Redemption processing system offline; liquidity insufficient for T+2 settlement; redemption right not published in terms and conditions
Control Objective
Automated T+2 SLA monitoring with alert at T+1 for at-risk redemptions; liquidity reserve pre-positioned for expected redemption volumes
R45
Disclosure gap — misleading or incomplete consumer information
Stablecoin terms, reserve composition, or redemption conditions not fully or accurately disclosed to holders
MEDIUM
PPSI
L09
Regulatory Source
GENIUS Act § 4(a)(9) (monthly public reserve disclosure) · OCC NPR § 15.12 (public availability of reserve composition) · CFPB oversight
Failure Scenario
Monthly reserve disclosure not published within 5 business days of month-end; reserve composition understated; redemption conditions not prominently disclosed
Control Objective
Automated monthly disclosure publication workflow; legal review of all consumer-facing disclosures; redemption terms prominently displayed at point of purchase
R46
DeFi protocol exposure — uncontrolled cross-chain risk
Stablecoin used in unapproved DeFi protocols without concentration limits or governance controls
MEDIUM
PPSI
L10
Regulatory Source
GENIUS Act § 109 (cross-chain governance) · OCC NPR § 15.8 (third-party risk) · FFIEC Third-Party Risk Management Handbook
Failure Scenario
No DeFi protocol allowlisting; stablecoin used in unaudited protocols; concentration in single protocol above defined threshold with no monitoring
Control Objective
DeFi protocol allowlisting governance framework; protocol concentration limits enforced; daily on-chain monitoring of protocol exposure inventory
R47
New blockchain deployment without AML risk assessment update — FinCEN NPR violation
Stablecoin deployed on new blockchain without updating AML risk assessment — FinCEN NPR event-triggered requirement violated
HIGH
PPSI
L10 · L06
Regulatory Source
FinCEN/OFAC NPR Apr 8, 2026 — event-triggered AML risk assessment update required before deploying stablecoin on new blockchain
Failure Scenario
Business team deploys token on new chain without notifying compliance; AML risk assessment not updated; new chain's on-chain analytics not deployed
Control Objective
Mandatory pre-deployment compliance approval gate; AML risk assessment update completed before new blockchain launch; on-chain analytics deployed simultaneously
R48
Smart contract change without AML risk assessment update — FinCEN NPR violation
Significant smart contract functionality change deployed without updating AML risk assessment — second FinCEN NPR event-trigger
HIGH
PPSI
L10 · L06
Regulatory Source
FinCEN/OFAC NPR Apr 8, 2026 — AML risk assessment must be updated when smart contract functionality materially changes
Failure Scenario
Smart contract upgrade includes new transfer logic without AML review; compliance not in change approval workflow; monitoring model not re-validated after change
Control Objective
Compliance sign-off required in change management workflow for any smart contract change with AML implications; monitoring model re-validation within 30 days of change
R49
Monitoring model stale — on-chain analytics not current for deployed ecosystem
Transaction monitoring model not updated to reflect current protocol integrations, smart contract changes, or new blockchain deployments
HIGH
PPSI
L11
Regulatory Source
FinCEN/OFAC NPR — monitoring model governance · Fed SR 11-7 (model risk management) · OCC CSW Domain 5 (monitoring program)
Failure Scenario
Model not re-validated after smart contract change; new DeFi protocol integration not reflected in monitoring rules; false positive/negative rates not tracked
Control Objective
Documented model governance with event-trigger re-validation; quarterly false positive/negative rate reporting; model change log maintained
R50
Third-party risk management failure — vendor concentration or inadequate due diligence
Critical third-party (custodian, cloud provider, oracle, bridge) fails without adequate contingency — FDIC § 350.39 concentration limit or GENIUS Act § 10 custodian standard breached
HIGH
PPSI · Custodian
L08 · L10
Regulatory Source
FDIC NPR § 350.39 (40% single-vendor concentration) · GENIUS Act § 10 (covered custodian) · OCC NPR § 15.8 · FFIEC TPRM Handbook
Failure Scenario
No vendor inventory or tiering; critical vendor not subject to annual due diligence; no concentration risk monitoring across vendors; custodian SLA not tested
Control Objective
Tiered vendor risk program; annual due diligence for critical vendors; real-time concentration monitoring with 40% alert; vendor concentration report to board quarterly
How Risk Taxonomy feeds downstream
Gap Assessment (d1)
Risk Taxonomy provides the weighting dimension — a missing control over a HIGH-rated risk = Critical gap; over a LOW-rated risk = Medium gap. This converts a control inventory gap into a risk-prioritized deficiency register.
Multi-Regulator Examination (d2)
HIGH-rated risks with inadequate controls become the focal examination themes. Each regulator's examination procedures are mapped to the risk scenarios they test — for example, OCC CSW Domains 1–5 map to specific risk IDs.
Compliance Readiness (d3)
Maturity scores are assigned per risk domain — D1 through D8 — not just per ICA layer. A domain with multiple HIGH risks and low maturity scores receives priority investment in the maturity improvement roadmap.