Maturity Model
4-Level Stablecoin Program Maturity Model
A stablecoin-native adaptation of CMMI principles calibrated to the GENIUS Act compliance lifecycle. Each level describes both the state of the compliance program design and the evidence an OCC or FDIC examiner would expect to find at that level. SOC 2 Type I readiness requires Level 3. SOC 2 Type II readiness requires Level 3 sustained for 6+ months.
Level 1: Policy
Controls are documented in written policies and procedures. Board has approved the framework. Roles and responsibilities are defined. Controls exist on paper but operational consistency is not verified.
- Written policies exist and are board-approved
- Control activities defined per ICA layer
- Responsible parties named
- Regulatory citations included in policy
- SOC 2: Pre-readiness — policy documentation complete
Level 2: Operational
Controls are operating consistently in practice. Evidence of day-to-day execution exists. Personnel demonstrate awareness and compliance. Gaps between policy design and operational reality are closed.
- Controls operating as documented
- Evidence artifacts generated routinely
- Training program delivered and recorded
- Exception handling is documented
- SOC 2: Type I candidates — sufficient design evidence
Level 3: Tested
Controls are independently tested with documented results. Test procedures are aligned with OCC CSW examination procedures. Deficiencies are tracked to remediation. SOC 2 Type II audit-ready.
- Annual independent testing completed
- Test results documented with findings register
- Remediation tracking in place
- Evidence sufficient for 6-month SOC 2 period
- SOC 2: Type II ready — operating effectiveness demonstrable
Level 4: Continuous
Controls are continuously monitored with automated evidence capture. DevSecOps integration embeds compliance into the engineering lifecycle. Metrics drive ongoing improvement. Phase 9 Operations Stream governance maintains the dynamic layer.
- Automated continuous monitoring active
- Evidence captured without manual process
- CI/CD pipeline includes compliance gates
- Metrics-driven improvement cycle
- SOC 2: Type II with enhanced opinion scope
11-Layer Maturity Scorecard
Select your current maturity level for each ICA Control Stack layer. The scorecard shows what SOC 2 evidence is required at Level 3 and what gap exists to reach it. Levels 1–2 feed the Phase 8 Compliance Examination remediation backlog. Level 3+ feeds the Phase 10 SOC 2 Type II audit scope.
| Layer | Control Domain | Current Level | SOC 2 Type II Evidence Required (Level 3) | Gap to Level 3 / Notes |
|---|---|---|---|---|
SOC 2 Type I & Type II Readiness Assessment
SOC 2 Type I assesses control design at a point in time — answering whether controls are suitably designed. SOC 2 Type II assesses operating effectiveness over a period (typically 6–12 months). For payment stablecoin PPSIs, Phase 10 Full Integrated Assurance incorporates the SOC 2 Type II opinion as the Program Stream assurance component.
SOC 2 Type I
- Confirms that controls are suitably designed to meet the selected Trust Services Criteria as of a specific date
- Requires written policies, defined procedures, and evidence that roles are assigned (Level 2 minimum across all 11 layers)
- Does not require evidence of operational consistency over time; design adequacy only
- SOC 2 Type I is the milestone that unlocks the 6-month Type II observation period: begin with Type I before committing to a Type II timeline
- Primary audience: early-stage PPSIs demonstrating compliance program design to potential partners and regulators
SOC 2 Type II
- Evaluates both the design AND operating effectiveness of controls throughout the audit period; the auditor samples evidence from across the period
- For PPSIs: SOC 2 Type II is the Program Stream component of Phase 10 Full Integrated Assurance. The Operations Stream adds AML model operational effectiveness testing that SOC 2 alone does not cover
- Three zones for stablecoin context: Zone A Protocol Risk (Layers 4, 5, 7, 10), Zone B Control Plane (Layers 1, 2, 3, 6, 9), Zone C Exit & Recovery (Layers 8, 11)
- SOX ICFR testing embedded for reserve assertions (Layer 03 financial controls) and custody assertions (Layer 05 key management)
- OCC/FDIC examination package produced alongside SOC 2 Type II: single evidence collection, dual reporting output
Compliance-in-the-Pipeline — DevSecOps Integration
For blockchain-native PPSI builders, Level 4 (Continuous) maturity requires embedding compliance controls into the engineering pipeline. This pathway maps ICA control requirements to CI/CD pipeline gates, enabling automated evidence capture and real-time maturity tracking.
Plan: Compliance Design Review
- Risk assessment per feature
- ICA layer impact analysis
- FinCEN trigger check: does this change affect smart contract functionality? → if yes, Phase 7 ORA update required before merge
Code: Secure Development Gates
- Block/freeze/reject logic peer review
- Sanctions screening integration check
- Supply control authorization verification
- Dual-control enforcement validation in smart contract logic
Test: Automated Control Testing
- Smart contract compliance test suite
- Block/freeze/reject scenario tests (S1–S5 from Phase 7 ORA)
- OFAC secondary market coverage test
- Latency SLA regression tests
Deploy: Governance Gate
- Smart contract upgrade: compliance sign-off required
- New blockchain: Phase 7 ORA update completed before go-live
- Evidence artifacts auto-generated for SOC 2 audit trail
Monitor: Continuous Evidence Capture
- Alert disposition logs → SOC 2 evidence
- Latency metrics → Phase 8 OCB performance data
- Model change log → Phase 9 OPS governance record
- Maturity score → auto-updated
From Program Maturity to Full Integrated Assurance
Layers at Level 3 or above
Feed directly into the Phase 10 SOC 2 Type II audit scope. The auditor will sample evidence from the observation period for each control. Level 4 layers benefit from automated evidence capture, reducing the manual audit burden. All 11 layers must reach Level 3 before the Phase 10 SOC 2 Type II audit can begin.
Layers below Level 3
Route back to the Phase 8 Compliance Examination remediation backlog. Maturity gaps at Level 1 or 2 indicate that controls are designed but not yet operating consistently; the Phase 8 examination will show Fail or Partial for these items. Remediation must close the gap to Level 3 before the SOC 2 Type II observation period begins.
SOX ICFR (Layer 03 + Layer 05)
Reserve financial controls (Layer 03) and custody key management controls (Layer 05) require SOX ICFR testing at Phase 10 in addition to SOC 2. Both layers must reach Level 3. PCAOB attestation standards apply to the reserve attestation function (CEO/CFO certification per FDIC NPR). Evidence requirements for SOX ICFR are more demanding than SOC 2 — begin building the ICFR evidence trail at Level 2.
OCC/FDIC Examination Package
Phase 10 produces the full examination package alongside the SOC 2 Type II report. The examination package maps all 11 layers to OCC CSW examination procedures and FFIEC handbook references — the same traceability shown in the Phase 4–6 Control Bridge. Maturity Level 3 across all layers is the minimum standard for a clean examination package.
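The Phase 8 / Phase 10 routing rules above, written as a pipeline gate over a layer scorecard (an added example, not part of the original page or its tooling; the scorecard field names `level` and `level3_since`, the ISO date strings and the 182-day reading of "6+ months" are assumptions made for this example):

```python
# Added example (not from the page): the Phase 8 / Phase 10 routing rules
# expressed as a pipeline gate over an 11-layer maturity scorecard.
from datetime import date, timedelta

LAYERS = range(1, 12)          # the 11 ICA Control Stack layers
PHASE10_MIN_LEVEL = 3          # Level 3 "Tested"; anything below routes to Phase 8
SOX_ICFR_LAYERS = {3, 5}       # reserve (Layer 03) and custody (Layer 05) controls
TYPE_II_SUSTAIN_DAYS = 182     # "Level 3 sustained for 6+ months" (assumed as 182 days)

def route_scorecard(scorecard, as_of):
    """Route every layer and decide whether the Type II observation period can start.
    scorecard maps layer number -> {"level": 1-4, "level3_since": "YYYY-MM-DD" | None};
    as_of is an ISO date string. Field names are assumptions for this example."""
    today = date.fromisoformat(as_of)
    out = {"phase10_scope": [], "phase8_backlog": [], "sox_icfr": [],
           "not_sustained": [], "type_ii_ready": False, "errors": []}
    if set(scorecard) != set(LAYERS):
        out["errors"].append("scorecard must cover exactly layers 1-11")
        return out
    for layer in LAYERS:
        entry = scorecard[layer]
        level = entry.get("level")
        if level not in (1, 2, 3, 4):
            out["errors"].append(f"layer {layer}: invalid level {level!r}")
        elif level < PHASE10_MIN_LEVEL:
            out["phase8_backlog"].append(layer)      # shows Fail/Partial in the Phase 8 exam
        else:
            out["phase10_scope"].append(layer)
            if layer in SOX_ICFR_LAYERS:
                out["sox_icfr"].append(layer)        # SOX ICFR testing on top of SOC 2
            since = entry.get("level3_since")
            if since is None or (today - date.fromisoformat(since)).days < TYPE_II_SUSTAIN_DAYS:
                out["not_sustained"].append(layer)   # at Level 3, but not yet for 6+ months
    out["type_ii_ready"] = not (out["errors"] or out["phase8_backlog"] or out["not_sustained"])
    return out

def sample_scorecard(as_of):
    """Constructed sample: every layer Tested for over a year, except Layer 4 still
    Operational and Layer 8 only recently Tested; Layer 11 has reached Continuous."""
    today = date.fromisoformat(as_of)
    old = (today - timedelta(days=400)).isoformat()
    card = {n: {"level": 3, "level3_since": old} for n in LAYERS}
    card[4] = {"level": 2, "level3_since": None}
    card[8] = {"level": 3, "level3_since": (today - timedelta(days=60)).isoformat()}
    card[11]["level"] = 4
    return card

def run_demo(as_of="2026-01-15"):
    return route_scorecard(sample_scorecard(as_of), as_of)

if __name__ == "__main__":
    print(run_demo())
```

With the constructed sample, Layer 4 lands in the Phase 8 backlog and Layer 8 blocks Type II readiness even though it is in the Phase 10 scope, which is the distinction the routing text draws between reaching Level 3 and sustaining it.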