Eight-tier flow from federal legislation through agency rulemaking, framework and guidance layers, supervisory work programs, and into the operational control stack, working documents, and audit output.
Diagram labels recovered from the interactive layer view: agency rule labels (Charter + issuer reqs · Deposit insurance reqs · + sanctions reqs); NIST CSF functions (Identify · Protect · Detect · Respond · Recover); FFIEC IT Handbook booklets (IS · BCP · Audit · Mgmt · D&A); supervisory layer (Work Program · Procedures · Supervisory Guidance).
The central organizing framework. Each layer maps regulatory requirements, NIST CSF functions, and FFIEC guidance to operational controls; the full traceability mapping for each layer is set out in the tables that follow.
Six purpose-built documents derived from the control stack. Each is scoped and aligned to the 8-tier pipeline from legislation through supervisory examination.
Tracing each control domain from federal legislation through supervisory examination procedures. Every control in the stack connects back to a legal obligation and forward to how regulators will test it. This is the document you hand an examiner.
| Control Domain | Tier 1 — Law: GENIUS Act Obligation | Tier 2 — Rule: Agency Rule (NPR) | Tier 3 — Framework: NIST CSF Function | Tier 4 — Guidance: FFIEC Guidance | Tier 5 — Supervision: OCC CSW Supervisory Procedure | Tier 6 — Stack: Control Stack Layer |
|---|---|---|---|---|---|---|
| Governance & Risk Oversight | Board risk management program, fitness & propriety standards, 3-year lookback (§§ 103, 106) | OCC NPR — risk appetite framework, 3 Lines of Defense, board reporting cadence | GV.OC Organizational Context · GV.RM Risk Management Strategy | Management Handbook — Governance Structure, Risk Management Framework | Review board minutes · assess risk appetite statements · evaluate 3 LoD effectiveness | Layer 01 Governance & Risk Oversight |
| Legal Entity & Licensing | Federal stablecoin permit, bankruptcy-remote entity structure (§§ 102, 115) | OCC 12 CFR Part 15 — charter application, permissible activities, capital requirements | GV.OC Organizational Context · ID.BE Business Environment | Management Handbook — Regulatory Compliance, Legal Entity Framework | Verify charter compliance · review licensing documents · validate entity structure | Layer 02 Legal Entity & Regulatory Perimeter |
| Reserve & Financial Integrity | 1:1 reserve backing, monthly public attestation, WAM limits (§§ 104–105) | OCC/Treasury NPR — reserve composition, daily reconciliation, independent audit, liquidity ratios | ID.AM Asset Management · PR.DS Data Security | Audit Handbook — Financial Controls · Management Handbook — ICFR, Reconciliation Procedures | Test reserve reconciliation · validate attestation process · review audit trail completeness | Layer 03 Reserve & Financial Integrity |
| Mint / Burn Lifecycle | Authorization controls for issuance, redemption within 1 business day (§§ 107–108) | OCC NPR — multi-authorization workflows, supply controls, burn verification, audit trail | PR.AC Identity Management · DE.CM Continuous Monitoring | Development & Acquisition Handbook — Change Management, Access Controls, Code Review | Review authorization workflows · test access controls · validate audit trail completeness | Layer 04 Mint / Burn & Token Lifecycle |
| Custody & Key Management | Segregated custody, custodian eligibility standards, safeguarding obligations (§ 110) | OCC NPR — HSM requirements, dual control procedures, custodian due diligence standards | PR.DS Data Security · PR.AC Identity Management | Information Security Handbook — Cryptographic Standards, Key Management Lifecycle | Inspect key management procedures · validate dual control · test custodian oversight program | Layer 05 Custody & Asset Safeguarding |
| Financial Crime & AML | BSA/AML program, FinCEN registration, travel rule compliance (§ 111) | Treasury/FinCEN NPR — KYC/CDD, transaction monitoring thresholds, SAR filing, OFAC screening | DE.CM Continuous Monitoring · RS.AN Incident Analysis | BSA/AML Examination Manual — Transaction Monitoring, Sanctions Screening, SAR Procedures | Review TM program effectiveness · validate SAR filing process · test OFAC screening controls | Layer 06 Financial Crime & Compliance |
| Technology & Cybersecurity | Operational resilience, system safeguarding, incident notification requirements (§§ 109, 113) | OCC NPR — continuous monitoring, anomaly detection, incident response, pen testing cadence | PR.AC Access Control · DE.CM Continuous Monitoring · RS.RP Response Planning | Information Security Handbook — Network Security, SIEM Requirements, Incident Response | Review SIEM & EDR tools · validate alert escalation procedures · test incident response | Layer 07 Technology & Cybersecurity |
| Operational Resilience | Business continuity obligations, third-party risk management, concentration limits (§ 112) | OCC/FDIC NPR — BCP/DRP requirements, vendor oversight program, RTO/RPO standards | PR.IP Information Protection · RC.RP Recovery Planning | BCP Handbook — Recovery Objectives, Resilience Testing, Third-Party Risk Management | Test BCP/DR procedures · assess vendor oversight program · validate recovery testing docs | Layer 08 Operational Resilience |
Quick-reference applicability matrix showing which regulatory standards apply to each control stack layer across all agencies and frameworks.
| Control Stack Layer | Primary Frameworks | OCC | FDIC | Treasury | GENIUS |
|---|---|---|---|---|---|
| 1. Governance & Risk Oversight | COSO ERM & IC · Federal Reserve SR 11-7 · OCC Heightened Standards | ✔ | ✔ | — | ✔ |
| 2. Legal Entity & Regulatory Perimeter | OCC Licensing · State MTL Laws · SEC / CFTC Rules | ✔ | ✔ | ✔ | ✔ |
| 3. Reserve & Financial Integrity | SOX 404 / COSO ICFR · PCAOB Standards · Basel III Liquidity | ✔ | ✔ | ✔ | ✔ |
| 4. Mint / Burn & Token Lifecycle | NIST SP 800-53 · SOC 2 (Change Mgmt) · Blockchain Controls | ✔ | — | — | ✔ |
| 5. Custody & Asset Safeguarding | FFIEC IT Handbook · SOC 1 / SOC 2 · NIST Cryptographic Standards | ✔ | ✔ | — | ✔ |
| 6. Financial Crime & Compliance | FFIEC BSA/AML · FinCEN · OFAC · SOC 1 / SOC 2 | ✔ | ✔ | ✔ | ✔ |
| 7. Technology & Cybersecurity | NIST CSF 2.0 · ISO 27001 · SOC 2 (Security, Availability) · OCC CSW | ✔ | ✔ | — | ✔ |
| 8. Operational Resilience | OCC 3rd Party Guidance · Fed Resilience Guidance · FFIEC BCP Handbook | ✔ | ✔ | — | ✔ |
| 9. Market Integrity & Consumer Protection | CFPB Consumer Protection · SEC Disclosure Guidelines | ✔ | ✔ | — | ✔ |
| 10. Ecosystem & DeFi Risk | DeFi Risk Assessments (Emerging) · FFIEC Third-Party Risk Management | ✔ | — | — | ✔ |
| 11. Real-Time Monitoring & Analytics | NIST SP 800-137 · NIST CSF DE.CM · FFIEC IS Handbook (SIEM) | ✔ | — | ✔ | ✔ |