Section 1 · Business Impact Analysis
Critical Function Identification & Impact Tolerances
The BIA is the foundation of the OR program under NIST SP 800-34, FFIEC BCP guidance, and ISO 22301. It identifies the critical business functions of the reserve management domain, quantifies the impact of disruption at each tolerance threshold, and establishes the RTO, RPO, and MTPD that all controls and recovery plans must be designed to meet.
Impact Tolerance — Redemptions
24 hrs
Maximum permissible disruption to redemption processing. Beyond this ceiling, holder confidence and regulatory standing are materially impaired. Anchored: GENIUS Act §7; FFIEC BCP "impact tolerance" concept.
RTO — Core Treasury Ledger
4 hrs
Recovery Time Objective for the internal treasury ledger system. Failure to meet this RTO directly threatens the 24-hour redemption tolerance. Anchored: NIST SP 800-34; FFIEC BCP §III.C recovery objectives.
RPO — Reserve Records
~0
Near-zero data loss tolerance (≤60 seconds) for reserve ledger records. Given criminal liability for false CEO/CFO certifications, any data loss materially impairs attestation integrity. Anchored: OCC NPR §15.12; 18 U.S.C. §1001.
| Critical Function | MTPD | Impact if Exceeded | Priority |
| Redemption processing & fiat disbursement | 24 hrs | Holder rights violated; GENIUS Act §7 breach; potential bank-run contagion; regulatory enforcement | CRITICAL |
| Three-ledger reconciliation engine | 4 hrs | Mint gate disabled; inability to confirm reserve integrity; GENIUS Act §4(a)(1) compliance gap | CRITICAL |
| Primary banking rail (fiat in/out) | 4 hrs → failover | Redemption queue accumulates; secondary rail must activate within 4 hrs to preserve 24-hr tolerance | CRITICAL |
| Dual-control mint authorization workflow | 8 hrs | New issuance suspended; existing holders unaffected but growth and partner SLAs at risk | HIGH |
| CEO/CFO monthly certification package | 5 business days | Regulatory disclosure obligation missed; OCC NPR §15.12 compliance failure; criminal liability trigger | HIGH |
| Treasury investment execution (HQLA mgmt) | 24 hrs | WAM drift possible if prolonged; operational backstop pool absorbs short-term; no immediate holder impact | MEDIUM |
BCP/DR Framework Applicability: For US-domiciled issuers operating under OCC and FDIC supervision, NIST SP 800-34 and FFIEC BCP booklet are the primary applicable standards. ISO 22301 applies for internationally operating entities or as a voluntary best-practice overlay. Both frameworks require the same core elements: BIA → BCP/DRP documentation → testing & exercises → RTO/RPO measurement → continuous improvement.
Rulemaking status (as of June 2026): Six federal agencies have issued proposed rules; final rules are expected by July 18, 2026, with the GENIUS Act taking effect January 18, 2027 (or 120 days after final rules, if earlier). All NPR quantitative thresholds remain proposed — issuers should calibrate controls to the final rule in effect at the time of implementation.
Section 2 · Reserve Operations Lifecycle
End-to-End Reserve Operations — 8 Steps
The granular operational workflow from fiat receipt through token issuance, daily treasury management, independent reconciliation, and final fiat redemption disbursement. Each step maps to the impact tolerances and recovery objectives established in the BIA above.
Regulatory anchor: GENIUS Act §4(a)(1) mandates reserves equal to outstanding tokens at all times. §4(b) prohibits redemption refusals beyond contractual periods. OCC NPR §15.10 requires 1:1 HQLA backing. FDIC NPR §350.5(c)(1) requires notification for single-day redemptions exceeding 10% of supply. Monthly CEO/CFO certification under OCC NPR §15.12 creates personal criminal liability under 18 U.S.C. §1001.
Industry comment considerations — NPR thresholds pending final rule: Several OCC NPR proposed safe harbor thresholds referenced in this program are under active industry comment and may be revised in the final rule. Issuers should treat these as reference baselines, not settled requirements, and calibrate controls to the final rule in effect. Key contested areas raised in issuer comment letters include:
(1) Concentration limits — commenters argue custodied non-cash assets (legally segregated, bankruptcy-remote) carry fundamentally different risk than unsecured deposits and should be assessed separately; principles-based concentration assessment is preferred over a rigid percentage cap;
(2) WAM ceiling — the proposed 20-day WAM is seen by some as overly conservative given the statute already restricts assets to ≤93-day maturity; demonstrated monetization capacity through liquidity planning and stress testing is the more direct test of redemption readiness;
(3) Insured-deposit minimum — at scale, this requirement adds operational complexity through sweep program dependencies with limited prudential benefit; reserve safety is better anchored in asset quality, legal segregation, and operational access;
(4) Redemption notification threshold and extension window — a mandatory extended-redemption window tied to a fixed volume threshold may function as a public stress signal; a single timeliness standard with supervisory discretion in stress is preferred by several commenters;
(5) Custodian count minimums — prescriptive diversification minimums can increase settlement, reconciliation, and contingency risk; the better test is whether the issuer can demonstrate monetization capacity and redemption readiness under stress;
(6) Operational backstop sizing — calibrating the backstop to non-discretionary wind-down costs rather than full trailing OPEX better reflects the minimum-viability objective of the requirement.
01
Fiat Deposit Intake & Bank Confirmation
Customer or institutional partner initiates fiat wire transfer to designated reserve bank account. Treasury Operations verifies receipt against originating transaction record. Banking confirmation message (SWIFT MT910 or ACH receipt) is captured and timestamped. No token minting is authorized until confirmed receipt is logged.
Treasury Ops
Banking Partner
Compliance
02
Dual-Control Mint Authorization
Treasury Operations submits mint request to the minting system with bank confirmation reference. Independent Compliance Officer verifies the bank confirmation record independently before approving. Programmatic gate checks that confirmed fiat credit ≥ requested mint amount before on-chain execution is permitted. Both approvals are logged with timestamps and reference IDs.
Treasury Ops
Compliance Officer
Smart Contract
Per mint request, within 2 hrs of bank confirm
03
On-Chain Token Minting
Upon dual approval, the minting multisig executes the on-chain mint transaction. Transaction hash, block number, and minted amount are captured and written to the issuer's internal ledger. The mint event triggers an immediate three-ledger reconciliation check: on-chain supply vs. issuer ledger vs. custodian confirmation.
Key Mgmt (OR-02)
Treasury Ops
Reconciliation
04
Treasury Investment Execution
Reserve fiat is deployed into eligible high-quality liquid assets under the applicable regulatory framework: overnight repos, T-bills ≤93-day maturity, cash deposits at eligible financial institutions, and government money market funds (SEC Rule 2a-7). Pre-trade system checks verify that the proposed investment does not breach the issuer's documented portfolio limits before execution. Treasury investment instructions require dual sign-off from Treasury Manager and CIO/CFO.
Note on proposed NPR thresholds: The OCC NPR proposes WAM ≤20 days, liquidity ladder minimums (overnight ≥10%, 30-day ≥30%, 90-day ≥50%), and single-institution concentration ≤40% as safe harbor conditions — all subject to final rulemaking. Industry commenters argue these should be calibrated to demonstrated monetization capacity rather than fixed percentages. Issuers should configure controls to the final rule; in the interim, the primary test is whether reserves can be liquidated and redemptions met within the impact tolerance ceiling under stress.
Treasury Mgmt
CIO / CFO
External Custodian
Same-day or next business day
05
Independent Daily Reconciliation
Automated reconciliation engine executes daily end-of-day three-ledger match: (a) on-chain token supply from blockchain query, (b) issuer internal ledger balance, (c) external custodian statement. Any discrepancy exceeding $1,000 triggers an immediate exception alert to Compliance. A discrepancy exceeding 0.01% of total supply triggers automatic minting suspension. Reconciliation results are stored in immutable audit log.
Reconciliation (Indep.)
Compliance
External Custodian
Daily EOD + each mint/burn event
06
Reserve Attestation & CEO/CFO Certification
Monthly reserve attestation package is auto-populated from reconciliation data. External custodian provides independent asset confirmation. Compliance Officer performs secondary review of reconciliation findings. CEO and CFO sign the monthly certification attesting to reserve compliance. Certification package, supporting data, and criminal liability briefing acknowledgments are retained for examination.
CEO / CFO
Compliance
External Custodian
Monthly (within 5 business days of month-end)
07
Redemption Request Intake & Queue Management
Holder submits redemption request via API or portal. Redemption engine validates KYC/AML status. Industry best practice and emerging regulatory guidance (NYDFS, FCA, Bank of England) holds that time-bound redemption obligations should apply only after successful holder onboarding — rushing KYC/AML to meet a processing deadline creates compliance risk. Requests are queued by submission time. Intraday volume monitoring tracks redemption activity against the issuer's documented liquidity capacity and applicable regulatory notification thresholds. The FDIC NPR proposes a 10% single-day notification threshold; the OCC NPR proposes a discretionary T+7 extended-redemption window at that level — both subject to final rulemaking. Regardless of the final thresholds, the issuer's operational protocol should maintain pre-prepared regulatory communication packages for immediate dispatch at any elevated volume level and ensure redemption processing continues without mandatory pause.
Ops / Customer
Compliance / AML
Treasury Ops
Real-time intake, intraday monitoring
08
Fiat Disbursement & Token Burn
Treasury Operations initiates fiat wire to holder's designated bank account. Upon confirmed outbound payment, the burn multisig executes the on-chain token burn. Burn transaction hash is linked to the fiat disbursement record in the issuer ledger. Three-ledger reconciliation runs immediately post-burn. Completed redemption records are retained for regulatory examination and monthly CEO/CFO certification.
Treasury Ops
Key Mgmt (OR-02)
Reconciliation
Within 24 hrs of validated request (impact tolerance)
Section 3 · Functions & Roles
Operational Roles & Accountabilities
Treasury Operations
Executes deposit intake, investment instructions, and redemption disbursements. Initiates mint/burn requests. Primary operator of the reserve lifecycle.
Independent Compliance Officer
Provides second-approval on all mint authorizations. Monitors reconciliation exceptions. Manages FDIC notification workflow. Signs off on monthly certification package.
Treasury Manager / CIO / CFO
Dual sign-off on investment execution. CEO/CFO sign monthly reserve certification. Accountable for reserve composition, demonstrated monetization capacity, and compliance with applicable portfolio limits under the final rule in effect.
External Custodian
Holds and manages HQLA assets. Provides independent daily asset confirmation and monthly statements for three-ledger reconciliation. Subject to contractual SLA with substitution right.
Reconciliation Function (Independent)
Operates automated daily reconciliation engine. Reviews exception alerts. Independent of Treasury Operations — reports directly to Compliance or Internal Audit.
Banking Partners (Primary + Secondary + Tertiary)
Process inbound fiat deposits and outbound redemption wires. Each partner maintains independent rails and confirmation workflows to support failover under banking disruption.
Section 4 · Risk Register
Identified Risks — Reserve Management Domain
| Risk ID | Risk Statement | Trigger / Source | Inherent Likelihood | Inherent Impact | Inherent Risk Rating |
| RM-R01 | Primary reserve bank failure or prolonged outage | Bank insolvency, regulatory closure, system outage ≥24 hrs | MEDIUM | CRITICAL | CRITICAL |
| RM-R02 | Three-ledger reconciliation gap or mismatch | System error, unauthorized transaction, data feed failure | MEDIUM | CRITICAL | CRITICAL |
| RM-R03 | Unauthorized token minting without matching fiat reserve | Internal control bypass, system error, fraud | LOW | CRITICAL | HIGH |
| RM-R04 | Redemption surge exceeding liquid asset availability | Market shock, loss of confidence, coordinated redemption | MEDIUM | CRITICAL | CRITICAL |
| RM-R05 | External custodian insolvency or operational failure | Custodian financial distress, operational disruption | LOW | CRITICAL | HIGH |
| RM-R06 | Portfolio limit breach (WAM / liquidity / concentration) | Poor investment decisions, market movements, treasury error; applicable thresholds determined by the final rule in effect — OCC NPR proposed safe harbor values (WAM ≤20d, overnight ≥10%, 40% cap) subject to final rulemaking | MEDIUM | HIGH | HIGH |
| RM-R07 | Custodian / counterparty concentration risk | Portfolio drift, custodian consolidation, market conditions; risk assessment should distinguish between unsecured deposit exposure and legally segregated, bankruptcy-remote custodied non-cash assets — these carry different credit risk profiles | MEDIUM | HIGH | HIGH |
| RM-R08 | False or inaccurate CEO/CFO monthly certification | Data error in reserve system, manual override, fraud | LOW | CRITICAL | HIGH |
| RM-R09 | Regulatory freeze of reserve assets | Enforcement action, sanctions, court order | LOW | CRITICAL | HIGH |
Section 5 · Control Framework
Structural Controls — Reserve Management
| Control ID | Control Name | Risk(s) Addressed | Control Type | Description | Regulatory Anchor |
| RM-C01 | Redundant Banking Rails (Primary / Secondary / Tertiary) | RM-R01, RM-R04 | PREVENTIVE | Three independent banking relationships with distinct FBO structures, separate API integrations, and independent confirmation workflows. Failover testing conducted quarterly. Secondary rail must be capable of processing full redemption volume within 4-hour RTO. | GENIUS Act §7 BCP |
| RM-C02 | Dual-Control Mint Gate (Technical + Operational) | RM-R02, RM-R03 | PREVENTIVE | No on-chain token minting can execute without: (1) verified bank confirmation reference logged in system, (2) independent Compliance Officer second approval, and (3) programmatic check confirming confirmed fiat ≥ mint amount. All three gates must clear; any failure blocks execution and triggers alert. | GENIUS Act §4(a)(1) |
| RM-C03 | Automated Three-Ledger Daily Reconciliation | RM-R02, RM-R03, RM-R08 | DETECTIVE | Automated engine runs daily EOD and at each mint/burn event. Matches on-chain supply, issuer ledger, and custodian statement. Exception threshold: $1,000 triggers alert; 0.01% of supply triggers automatic minting suspension. Results stored in immutable log. Reserve Integrity Monitoring platform provides real-time overlay. | GENIUS Act §4(a)(1) |
| RM-C04 | Pre-Trade Investment Compliance & Monetization Checks | RM-R06, RM-R07 | PREVENTIVE | System checks proposed investments against the issuer's documented portfolio limits before execution. Pending the final rule, the OCC NPR safe harbor values (WAM ≤20 days, overnight ≥10%, 30-day ≥30%, 90-day ≥50%, single-institution ≤40%) serve as a conservative reference baseline. Controls should also verify demonstrated monetization capacity — the issuer's ability to convert reserves to cash within the redemption impact tolerance ceiling under both normal and stressed conditions — as this is the core statutory objective. For custodied non-cash assets (legally segregated, bankruptcy-remote), concentration should be assessed separately from unsecured deposit exposure. Warning alerts at 90% of each applicable limit. Treasury dual sign-off required. | OCC NPR §15.10–15.11 ⚠ Thresholds subject to final rule |
| RM-C05 | Redemption Queue Management & Surge Protocol | RM-R04 | PREVENTIVE | Intraday redemption volume monitored against the issuer's documented early-warning thresholds and applicable regulatory notification limits. The FDIC NPR proposes a 10% single-day notification trigger with a discretionary T+7 extended-redemption window — both subject to final rulemaking and active industry comment. Regardless of the final threshold: redemption queue prioritizes by submission time; a pre-prepared regulatory communication package is maintained for immediate dispatch at any elevated volume level; operational backstop liquidity calibrated to actual redemption and wind-down costs provides a liquidity buffer. Industry commenters generally support a single timeliness standard with supervisory discretion, rather than an automatic volume-triggered redemption pause, to avoid market signaling effects. | FDIC NPR §350.5(c)(1) ⚠ Threshold subject to final rule |
| RM-C06 | Custodian & Counterparty Risk Management | RM-R05, RM-R07 | PREVENTIVE | Custodian arrangements structured to support prompt monetization and orderly redemption under normal and stressed conditions — the core statutory objective. The OCC NPR proposes prescriptive custodian diversification minimums subject to final rulemaking; industry commenters generally support a principles-based framework where issuers demonstrate strong counterparty quality, robust legal protections, tested operational access, and credible monetization capacity under stress. Custodied non-cash assets (legally segregated, bankruptcy-remote) should be assessed separately from unsecured deposit exposure as they carry different credit risk profiles. Where multiple custodians are used, agreements should include substitution rights exercisable without custodian consent. Annual counterparty creditworthiness and operational resilience review. Concentration and legal-access assessment documented and available for regulatory examination. | FDIC NPR §350.39 ⚠ Diversification thresholds subject to final rule |
| RM-C07 | CEO/CFO Certification Workflow with Criminal Liability Briefing | RM-R08 | DETECTIVE | Monthly certification package auto-populated from reconciliation engine. Reconciliation sign-off required before package is submitted to CEO/CFO. Annual 18 U.S.C. §1001 briefing acknowledgment from each certifying officer. Certification records retained minimum 5 years. | OCC NPR §15.12 · FDIC NPR §350.15 |
| RM-C08 | Near-Zero RPO Reserve Data Backup & Recovery | RM-R01, RM-R02, RM-R09 | CORRECTIVE | Reserve records replicated in real-time to geographically separate secondary data store. Blockchain state is inherently immutable and recoverable. Issuer ledger backed up at transaction-level with RPO target of near-zero (maximum 60-second data loss tolerance). Recovery tested quarterly. | GENIUS Act §7 BCP/DR |
Section 6 · BCP/DR Scenario Stress Testing
Severe but Plausible Scenario — Recovery Protocol
Under NIST SP 800-34 and FFIEC BCP guidance, plans must be exercised regularly against realistic scenarios. The scenario below simulates the most severe plausible multi-layer failure and documents the step-by-step recovery protocol against the BIA-established tolerances. Tabletop and live failover exercises should be conducted at minimum annually, with results documented and reviewed by senior management.
Scenario RM-S01: 48-Hour Primary Bank Outage + 30% Redemption Surge
Multi-layered failure: primary reserve bank enters regulatory receivership at T+0 while simultaneous social media event drives 30% single-day redemption demand. Secondary bank API is degraded but functional. Scenario tests the 24-hour impact tolerance and redemption processing continuity — the core statutory obligation — regardless of where regulatory notification thresholds are ultimately set.
1
T+0: Detection & Immediate Response (0–30 min)
Primary bank outage detected by automated monitoring. Incident Commander declared. Treasury Operations activates secondary banking rail. Redemption queue is placed in managed processing mode (verified queue, not halted). Compliance notified of potential 10% threshold breach.
2
T+1 hr: Secondary Rail Activation & Liquidity Assessment
Secondary banking partner API confirmed operational. Intraday liquidity position reviewed against monetization capacity: overnight liquid assets verified sufficient to meet projected demand. If insufficient, tertiary custodian cash pool activated. Redemption processing resumes via secondary rail. Compliance monitors volume against issuer early-warning thresholds, and the pre-prepared regulatory communication package is readied for dispatch at regulator-defined notification points.
3
T+4 hr: Treasury Ledger RTO Checkpoint
Core treasury ledger confirmed operational on secondary systems within 4-hour RTO. All pending mint/burn requests reviewed against updated bank confirmations from secondary rail. Three-ledger reconciliation runs on secondary data. Any exceptions escalated to Compliance immediately.
4
T+8 hr: Regulatory Communication & Volume Monitoring
Pre-prepared regulatory communication package dispatched at applicable notification thresholds per the final rule in effect. The FDIC NPR proposes a 10% single-day notification trigger; the OCC NPR includes a discretionary T+7 extended-redemption window at that level — both subject to final rulemaking. The issuer's operational protocol is to notify regulators proactively, maintain full redemption continuity, and demonstrate reserve integrity. Communication package includes: current reserve position, liquidity status, secondary rail confirmation, queue management status, and projected resolution timeline.
5
T+24 hr: Impact Tolerance Checkpoint
All pending redemptions submitted before T+0 must be fully processed or in confirmed queue with guaranteed execution within the 24-hour impact tolerance. If tertiary banking rail needed (secondary also degraded): tertiary rail activated with documented switch-over log. Holder communication issued via public status page.
6
T+48 hr: Primary Bank Substitution & Full Recovery
Primary bank formally removed from approved counterparty list. Custodian substitution right exercised if primary custodian linked to failed bank. Replacement banking relationship pre-activated from approved counterparty list. Post-incident reconciliation covers full 48-hour period. CEO/CFO briefed on reserve integrity status. Incident report prepared for regulator submission.
Section 7 · Structural Redundancy & DR Architecture
Redundancy Mechanisms — Reserve Management
Banking Rail Redundancy & Monetization Architecture
Reserve banking infrastructure designed to ensure prompt monetization and orderly redemption under both normal and stressed conditions — the core statutory objective. The number and structure of banking relationships should reflect the issuer's redemption volume, settlement network, and liquidity demands. Primary banking partner provides integrated settlement, collateral management, and liquidity access. Secondary and tertiary arrangements are pre-tested and capable of processing full redemption volume. No two rails share the same banking correspondent. Tested at least quarterly. Additional counterparties increase operational complexity and reconciliation risk; each relationship should be justified by a genuine reduction in overall resilience risk.
Dual-Control Mint Gate (Technical Enforcement)
The minting gate is enforced programmatically — not by policy alone. The smart contract minting function is gated by an off-chain oracle that must receive (1) confirmed bank credit reference and (2) compliance officer second-approval signature before the mint call is executable. Neither condition alone is sufficient; both must clear.
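The gate described above, written out as an added Python example (not code from this page or from any issuer's system). MintGate, the CONF-0001 reference and the user ids are hypothetical; HMAC-SHA256 stands in for the compliance officer's signature, and tracking minted_so_far per confirmation is an assumption about how "confirmed fiat ≥ mint amount" stays true when one confirmation is presented more than once.

```python
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class BankConfirmation:
    reference: str                 # bank confirmation reference (e.g. MT910 / ACH receipt)
    confirmed_amount: Decimal      # fiat credit confirmed by the bank
    minted_so_far: Decimal = Decimal("0")   # assumption: cumulative mints per confirmation


@dataclass(frozen=True)
class MintRequest:
    request_id: str
    bank_reference: str
    amount: Decimal
    requested_by: str              # Treasury Operations submitter


def approval_message(req):
    # Bind every field so an approval cannot be reused for another amount or reference.
    fields = [req.request_id, req.bank_reference, str(req.amount), req.requested_by]
    return "|".join(fields).encode()


def sign_approval(key, req):
    # HMAC-SHA256 is a stand-in (assumption) for the compliance officer's signature.
    return hmac.new(key, approval_message(req), hashlib.sha256).hexdigest()


class MintGate:
    def __init__(self, confirmations, compliance_keys):
        self.confirmations = {c.reference: c for c in confirmations}
        self.compliance_keys = compliance_keys     # approver id -> key
        self.audit = []                            # (request_id, approver, decision)

    def authorize(self, req, approver, signature):
        decision = self._check(req, approver, signature)
        self.audit.append((req.request_id, approver, decision))   # log allows and blocks
        return decision

    def _check(self, req, approver, signature):
        conf = self.confirmations.get(req.bank_reference)
        if conf is None:                                    # gate 1: logged bank confirmation
            return "BLOCK:no_bank_confirmation"
        key = self.compliance_keys.get(approver)
        if key is None or approver == req.requested_by:     # gate 2: independent approver
            return "BLOCK:approver_not_independent"
        if not hmac.compare_digest(sign_approval(key, req), signature):
            return "BLOCK:bad_approval_signature"
        remaining = conf.confirmed_amount - conf.minted_so_far
        if req.amount <= 0 or req.amount > remaining:       # gate 3: confirmed fiat >= mint
            return "BLOCK:insufficient_confirmed_fiat"
        conf.minted_so_far += req.amount
        return "ALLOW"


def demo():
    """Constructed requests: one valid mint, then four ways the gate must block."""
    key = b"constructed-demo-key"
    gate = MintGate([BankConfirmation("CONF-0001", Decimal("1000000"))],
                    {"compliance.alice": key})
    first = MintRequest("REQ-1", "CONF-0001", Decimal("750000"), "treasury.bob")
    sig = sign_approval(key, first)
    second = MintRequest("REQ-2", "CONF-0001", Decimal("300000"), "treasury.bob")
    inflated = MintRequest("REQ-1", "CONF-0001", Decimal("900000"), "treasury.bob")
    missing = MintRequest("REQ-3", "CONF-9999", Decimal("10"), "treasury.bob")
    own = MintRequest("REQ-4", "CONF-0001", Decimal("10"), "compliance.alice")
    return [
        gate.authorize(first, "compliance.alice", sig),
        gate.authorize(second, "compliance.alice", sign_approval(key, second)),
        gate.authorize(inflated, "compliance.alice", sig),   # approval for 750000 reused
        gate.authorize(missing, "compliance.alice", sign_approval(key, missing)),
        gate.authorize(own, "compliance.alice", sign_approval(key, own)),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

With a shared-key HMAC the gate itself holds the signing key, so a production gate would verify an asymmetric signature against the officer's public key instead.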
Automated Reconciliation with Hard Pause
The reconciliation engine operates independently of Treasury Operations. It has the authority to suspend minting operations autonomously upon detecting a structural mismatch ≥0.01% of supply without requiring a human override. This prevents "solve first, disclose later" scenarios that can mask fraud or systemic errors.
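The three-ledger match and hard pause described above, as an added Python example (not code from this page or any issuer's engine). It uses the page's $1,000 alert and 0.01% suspension thresholds; the function and class names, the 1:1 token-to-USD assumption, on-chain supply as the percentage base, the latched suspension flag and the hash-chained log standing in for the "immutable audit log" are assumptions of the example.

```python
import hashlib
import json
from decimal import Decimal

ALERT_USD = Decimal("1000")             # exception alert above a $1,000 discrepancy
SUSPEND_FRACTION = Decimal("0.0001")    # minting suspension at 0.01% of supply
GENESIS = "0" * 64


def reconcile(onchain_supply, issuer_ledger, custodian_statement):
    """Match the three ledgers. Amounts are Decimals in USD (tokens assumed 1:1)."""
    ledgers = {"onchain": onchain_supply, "issuer": issuer_ledger,
               "custodian": custodian_statement}
    gap = max(ledgers.values()) - min(ledgers.values())   # largest pairwise mismatch
    suspend_at = onchain_supply * SUSPEND_FRACTION
    # The page states this threshold both as "exceeding" and as ">="; the stricter
    # reading is used. gap > 0 keeps a matched zero-supply state from tripping it.
    suspend = gap > 0 and gap >= suspend_at
    # Below $10M of supply, 0.01% is under $1,000, so a suspension always alerts too.
    alert = suspend or gap > ALERT_USD
    return {"ledgers": {k: str(v) for k, v in ledgers.items()}, "gap": str(gap),
            "alert": alert, "suspend_minting": suspend}


def _entry_hash(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class AuditLog:
    """Hash-chained append-only log: each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record,
                             "hash": _entry_hash(prev, record)})

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or _entry_hash(prev, entry["record"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class ReconciliationEngine:
    def __init__(self):
        self.log = AuditLog()
        self.minting_suspended = False

    def run(self, trigger, onchain, issuer, custodian):
        result = reconcile(onchain, issuer, custodian)
        result["trigger"] = trigger                 # "EOD", "mint" or "burn"
        if result["suspend_minting"]:
            # Latched (assumption): a later clean run does not lift the suspension.
            self.minting_suspended = True
        self.log.append(result)
        return result


def demo():
    """Constructed balances: clean match, alert only, and a small-supply suspension."""
    d = Decimal
    engine = ReconciliationEngine()
    runs = [
        engine.run("EOD", d("500000000"), d("500000000"), d("500000000")),
        engine.run("mint", d("500000000"), d("499998500"), d("500000000")),
        engine.run("EOD", d("5000000"), d("5000000"), d("4999300")),
    ]
    flags = [(r["alert"], r["suspend_minting"]) for r in runs]
    intact = engine.log.verify()
    engine.log.entries[1]["record"]["gap"] = "0"    # simulate an after-the-fact edit
    return flags, engine.minting_suspended, intact, engine.log.verify()


if __name__ == "__main__":
    print(demo())
```

The third run shows a $700 gap on $5M of supply suspending minting even though it is under the $1,000 alert figure, which is why the alert is derived from the suspension as well as from the dollar threshold.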
Legal Segregation & Custodian Access Assurance
Reserve assets are legally segregated from issuer operating assets. Custodied non-cash assets (T-bills, repo collateral, government MMF shares) remain the beneficial owner's property, are bankruptcy-remote, and cannot be used by the custodian — applying concentration limits to these assets targets a form of custodian credit risk that does not exist in the way unsecured deposit exposure does. The operative risk management test is legal certainty of access and operationally tested access to reserves under stress. Custodian agreements include substitution rights exercisable without custodian consent. Annual creditworthiness and operational resilience review; resilience and monetization capacity are prioritized over fragmentation as an end in itself.
Section 8 · BCP/DR Testing & Continuous Improvement
Plan Testing, Exercises & Review Cadence
NIST SP 800-34, FFIEC BCP, and ISO 22301 all require documented test programs. Plans that have never been tested are not plans — they are hypotheses. The following cadence applies to the Reserve Management domain.
| Test Type | Frequency | Scope | Evidence Required |
| Tabletop Exercise | Semi-annual | RM-S01 (bank outage + surge) and one additional scenario selected by risk assessment. Full Reserve Management team including Compliance, Treasury Ops, and senior management. | Scenario script, attendance log, findings register, remediation items, sign-off by senior management |
| Secondary Banking Rail Failover Test | Quarterly | Live activation of secondary banking API. Process a test redemption transaction end-to-end on secondary rail. Verify RTO ≤4 hours for ledger failover. Tertiary rail connectivity test annually. | Test transaction hash, timestamp log, RTO measurement, exception report if target missed |
| Reconciliation Engine DR Test | Quarterly | Restore treasury ledger from secondary data store. Verify RPO ≤60 seconds (transaction-level backup). Run reconciliation on restored data and confirm match. Test automated minting suspension trigger. | Restoration log, RPO measurement, reconciliation output, suspension trigger test result |
| Full Simulation (Live Failover) | Annual | Unannounced or semi-announced full simulation: primary bank declared unavailable, secondary rail activated, reconciliation failover executed, redemption queue managed, FDIC notification workflow tested end-to-end. | Full test report signed by Compliance and Internal Audit; shared with OCC/FDIC examiners on request |
| BCP/DR Plan Review & Update | Annual + event-triggered | Review all BCP/DR documentation following each test, material change to banking partners, regulatory guidance update, or post-incident. Update impact tolerances, contact lists, and escalation trees. Reaffirm RTO/RPO targets against current operating environment. | Version-controlled plan document, change log, management sign-off, distribution list |
Continuous improvement principle (ISO 22301 §10 / NIST SP 800-34 §3.5): Each test must produce a findings register with tracked remediation items, assigned owners, and closure deadlines. Test results and open items must be reported to senior management and the board (or audit committee) at least annually. The OR program is considered not effective until all critical findings from the most recent test cycle are closed or have accepted risk documentation.