GENIUS Act · OCC · FDIC · FinCEN/OFAC · Treasury · Jan 2027 Effective Date

The law is signed.
The NPRs are written.
The examiner arrives in 12 months.

A complete compliance and assurance program for Permitted Payment Stablecoin Issuers — six sections tracing GENIUS Act obligations through four agency NPRs into three taxonomies (Process, Risk, Control), a sequential assessment pipeline, SOC and Audit assurance, and technology-enabled monitoring solutions. The only published program that answers simultaneously: why a control is required, what it must look like, and what it looks like in practice.

OCC · FDIC · FinCEN/OFAC · Treasury
6 Program Sections · 13 Pages
11 ICA Layers · Process Taxonomy · 63 Steps · PPSI Risk Taxonomy
Gap Assessment → Exam Readiness → SOC → Audit
OCC Examination: Annual default cycle (Weekly reports · Quarterly call reports · From day one)
Final Rules Deadline: July 18, 2026 (OCC · FDIC · FinCEN/OFAC · Treasury — All finalizing)
Effective Date: January 18, 2027 (Or 120 days after final rules — whichever is earlier)
Building a PPSI
Start with Regulation — trace obligations to controls
Start at the Regulatory Library. The program traces the GENIUS Act's statutory obligations through four agency NPRs into a framework and examination mapping — producing the control requirements that feed the Control Standard. New PPSI applicants need this sequence complete before their first OCC examination.
Process, Risk & Control
The three taxonomies — Process, Risk, and Control
The Process Taxonomy (63 steps, 8 PPSI domains), Risk Taxonomy (~50 risk scenarios across 8 domains with inherent ratings), and Control Standard (11 ICA layers) are the three core reference documents. Together they constitute the PPSI audit universe and the foundation for all assessment work.
Maturity & Assessment
Gap Assessment — the convergence point
The Gap Assessment systematically compares the Control Standard ("should be") against the PCR ("as is"), weighted by the Risk Taxonomy. Three gap types: missing control, design weakness, operating gap. Outputs a risk-weighted deficiency register that feeds Multi-Regulator Review and Compliance Readiness scoring.
Staffing an Engagement
Senior practitioner — TradFi audit and Stablecoin controls
30 years across Goldman Sachs, Tradeweb, and six global institutions. SOX 404, FFIEC IT examination, and blockchain control architecture — the combination the GENIUS Act requires and the market does not have at volume.
Compliance Program Architecture
The ICA Methodology — How the Program Was Built

A dual-track methodology built from first principles. Track 1 (top-down): GENIUS Act → four agency NPRs → NIST CSF 2.0 → FFIEC guidance → OCC CSW examination procedures → control requirements → Control Standard. Track 2 (bottom-up): PPSI business lifecycle → 63 process steps → risk statements → controls → Process Taxonomy. The convergence of both tracks produces the Gap Assessment, which feeds the assessment and assurance pipeline. Every control traces from statutory citation through examination procedure to audit evidence.

From Law to Examination-Ready
The GENIUS Act produces obligations. The NPRs write the rules. The frameworks and supervisory examination layer translate those rules into testable controls. Phase 6 integrates everything into the ICA architecture. Phases 7–9 assess and validate across two parallel tracks. Phase 10 converges both tracks into full integrated assurance.
Phase 1 — Legislation
GENIUS Act
The statutory foundation — every obligation in the architecture originates here
Phase 2 — Agency NPRs
OCC NPR
Charter, reserve requirements, capital standards, and examination framework
FDIC NPR
Requirements for bank-subsidiary issuers and FDIC-supervised custodians
FinCEN / OFAC NPR
AML program obligations, financial crimes controls, and sanctions requirements
Phase 4 — Frameworks & Guidance
NIST CSF 2.0
Governance, protection, detection, and response control functions
FFIEC
IT examination guidance and BSA/AML examination procedures
COSO
Internal control and enterprise risk management
ISO 27001
Information security management standards
Phase 5 — Supervisory Examination Layer
OCC Cybersecurity Supervision Work Program (CSW)
What the OCC examiner will test for each control domain
FDIC IT Examination Procedures
IT safety, soundness, and resilience examination procedures
Fed SR 11-7
Model risk management and AML model validation standards
OCC NPR § 15.14
Annual PPSI examination scope and regulator access requirements
FDIC NPR § 350.7
FDIC PPSI examination cycle aligned to IDI standards
Diagram legend: Legislation · Agency NPRs · Regulatory Reference · Frameworks & Guidance · Supervisory Layer · Design Input (Phase 6A) · Process Input (Phase 6B) · Program Stream (Phases 7–9) · Operations Stream (Phases 7–9) · Full Integrated Assurance
ICA Control Standard — 11 ICA Layers

The central organizing framework of the Stablecoin ICA program. Eleven control layers — Governance through Real-Time Monitoring & Analytics — each mapped to key risks, key controls, NIST CSF 2.0 function codes, FFIEC handbook guidance, and GENIUS Act section citations. This is the Design Input at Phase 6 that feeds the Program Stream through Phases 7–10.

Program Sections & Pages
13 Pages Across 6 Program Sections

Six sections covering the full PPSI compliance lifecycle — from regulatory obligation mapping through process and control taxonomy, risk-weighted gap assessment, examination readiness, SOC and audit assurance, and ongoing monitoring solutions. Three existing pages are updated; ten new pages complete the program.

// Regulation
b1 — Regulatory Library
~85 PPSI obligations consolidated across GENIUS Act + OCC 12 CFR Part 15 + FDIC 12 CFR Part 350 + FinCEN/OFAC Joint NPR + Treasury NPR. Each obligation cross-referenced by ICA layer. The obligation inventory that feeds all downstream work.
GENIUS Act · OCC · FDIC · FinCEN · Treasury
b2 — Regulatory Roadmap
Temporal sequencing of all ~85 obligations by effective date trigger: immediate, pre-issuance, 180-days post-approval, monthly from Day 1, and Jan 18 2027 statutory effective date. Converts the obligation inventory into a compliance build schedule.
OCC · FDIC · Effective Dates
b3 — Regulatory Traceability
7-column mapping chain: statute → NPR → cross-regulator coverage → effective date → NIST CSF 2.0 → FFIEC handbook → OCC CSW examination procedure → implementation requirement. The analytical core that makes every control traceable to a specific examination procedure.
OCC CSW · NIST CSF 2.0 · FFIEC
// Process, Risk & Control
c1 — Process Taxonomy
63 process steps across 8 PPSI operational domains — Issuance Authorization through Monthly Attestation. Each step: who, when, what, risk statement, control description. Mapped to COSO, NIST CSF 2.0, FFIEC, ISO 27001, SOC 1, SOC 2. Source data: Stablecoin_PCR_20260513.xlsx.
8 Domains · 63 Steps · COSO · NIST · ISO
c2 — Risk Taxonomy
~50 risk scenarios across 8 domains with inherent risk ratings (H/M/L). Derived from regulatory obligation failure modes (Track 1) and PCR process risk statements (Track 2). The PPSI audit universe — the risk reference document for all assessment and audit work.
8 Domains · ~50 Scenarios · Inherent Rating
c3 — Control Standard
11 ICA control layers — Governance through Real-Time Monitoring. The "should be" design standard for each layer derived from Regulatory Traceability Column 8. Specific mandatory controls with OCC/FDIC metrics (WAM ≤20 days, liquidity ladder ≥10% overnight, etc.).
OCC · FDIC · FinCEN · Treasury · GENIUS Act
// Assessment
d1 — Gap Assessment
Risk-weighted comparison of Control Standard ("should be") vs PCR ("as is") across all 11 layers. Three gap types: missing control, design weakness, operating gap. Outputs a prioritized deficiency register and the 5 PPSI Critical Risks — the convergence point of both analytical tracks.
Control Arch vs PCR · Risk Weighted · 11 Layers
d2 — Multi-Regulator Review
4-regulator compliance validation grid (OCC · FDIC · FinCEN/OFAC · Treasury) organized by ICA layer. Pass/Fail/N/A per control requirement per regulator. Simulates an OCC examination — designed to be submitted as a pre-examination self-assessment package.
OCC CSW · FDIC IT Exam · FinCEN/OFAC
d3 — Compliance Readiness
4-level CMMI-aligned maturity model per ICA layer: Policy → Operational → Tested → Continuous. SOC 2 Type I readiness requires all layers at Level 2+. SOC 2 Type II requires Level 3+ sustained 6+ months. Layer-by-layer dashboard and improvement roadmap.
4-Level Model · 11 Layers · SOC 2 Gates
// Assurance
e1 — SOC Readiness
SOC 1 AT-C §320 (reserve financial controls), SOC 2 Type I / Type II (all 11 ICA layers × Trust Services Criteria), SOX ICFR for L03 + L05 (PCAOB AS 2201). Evidence requirements per layer per TSC criterion. Closes the statute-to-audit-evidence traceability loop.
SOC 1 · SOC 2 · SOX ICFR · AICPA AT-C §205
e2 — Audit Work Program
Integrated technology audit across all 11 ICA layers. Special focus: AML model governance (Fed SR 11-7), block/freeze/reject smart contract technical testing, FinCEN NPR event-triggered risk assessment evidence. Produces audit work papers organized for OCC/FDIC submission.
OCC CSW · AML Model · FFIEC Handbook
— Program Summary
Program Summary (PDF)
End-to-end program overview for board reporting, OCC charter application exhibits, and client presentations. Covers all 6 sections, all 13 pages, source instruments, and the end-to-end traceability chain.
All Sections
// Solutions
f1 — Reserve Integrity Monitoring
Real-time 1:1 reserve coverage · WAM vs 20-day limit · liquidity ladder (≥10% overnight) · FDIC 10% redemption threshold notification trigger · CEO/CFO monthly certification workflow. Continuous audit evidence for OCC examination. Directly addresses the highest-systemic-risk PPSI domain.
OCC §15.10–15.12 · FDIC §350.5/350.9 · L03 Reserve
f2 — OPERA Platform
OPERA · AI-Enabled Operational Assurance
Continuous monitoring, validation, and evidence generation across critical stablecoin functions. Six AI assessment agents validate reserve sufficiency, liquidity, concentration, reconciliation, resilience, and regulatory evidence in real time. Reserve Management domain is live.
GENIUS Act §§4,7,113 · OCC §15.10 · NYDFS 2026
Seven-Level Traceability — Statute to Audit Evidence
Every control traces from GENIUS Act obligation through examination procedure to audit evidence
Statute → NPR → NIST CSF 2.0 → FFIEC handbook → OCC CSW examination procedure → control design → operational process → audit evidence. Seven levels. Designed to be presented directly to an OCC or FDIC examiner on day one.
11 ICA Layers · Multi-Framework Alignment
Each control layer maps to NIST CSF 2.0, FFIEC, COSO, and ISO 27001 simultaneously
The Control Standard defines the "should be" design standard for every mandatory PPSI control — with specific metrics, evidence requirements, and examination procedure references for each of the 11 layers.
Live Platforms & Tools
See It in Action.

Deployable platforms alongside the documentation — proof that the architecture operates under real conditions.

Live
Reserve Integrity Monitor
Eight L03 monitoring controls — 1:1 coverage, WAM, liquidity ladder, custodian concentration, CEO/CFO certification, 10% FDIC notification, and three-ledger reconciliation.
Live · AI-Enabled
OPERA · Operational Assurance
Six AI agents continuously validate reserve sufficiency, liquidity, concentration, reconciliation, resilience, and regulatory evidence. Reserve Management domain live.
Live Demo
OPERA Reserve Management Demo
Full dashboard: Assurance Score, six agent panels, alert management, regulatory readiness, evidence log, and natural language Q&A with current reserve data.
// How to Engage
The framework is built.
The question is whether it fits what you need.

A short conversation is the right first step — whether you are a Stablecoin issuer building toward your first examination, a custodian assessing GENIUS Act custody obligations, or a firm placing senior controls expertise on a client engagement.

Embedded Execution
Building the control program alongside your team
For issuers and custodians building from scratch — architecture design, documentation, and examination package delivery.
Independent Assessment
Gap assessment before a deadline or examination
For operators and custodians who have existing programs but need an independent view of where the gaps are before a regulator finds them.
Placed or Retained
Senior expertise placed on your engagement
For firms staffing a GENIUS Act engagement for a client. Available embedded, co-sourced, or on a retained advisory basis.