GENIUS Act · OCC · FDIC · FinCEN/OFAC · Treasury · Jan 2027 Effective Date
The law is signed. The NPRs are written. The examiner arrives in 12 months.
A complete compliance and assurance program for Permitted Payment Stablecoin Issuers — six sections tracing GENIUS Act obligations through four agency NPRs into three taxonomies (Process, Risk, Control), a sequential assessment pipeline, SOC and Audit assurance, and technology-enabled monitoring solutions. The only published program that answers simultaneously: why a control is required, what it must look like, and what it looks like in practice.
A dual-track methodology built from first principles. Track 1 (top-down): GENIUS Act → four agency NPRs → NIST CSF 2.0 → FFIEC guidance → OCC CSW examination procedures → control requirements → Control Standard. Track 2 (bottom-up): PPSI business lifecycle → 63 process steps → risk statements → controls → Process Taxonomy. The convergence of both tracks produces the Gap Assessment, which feeds the assessment and assurance pipeline. Every control traces from statutory citation through examination procedure to audit evidence.
From Law to Examination-Ready
The GENIUS Act produces obligations. The NPRs write the rules. The frameworks and supervisory examination layer translate those rules into testable controls. Phase 6 integrates everything into the ICA architecture. Phases 7–9 assess and validate across two parallel tracks. Phase 10 converges both tracks into full integrated assurance.
Phase 1 — Legislation
GENIUS Act
The statutory foundation — every obligation in the architecture originates here
Phase 2 — Agency NPRs
OCC NPR
Charter, reserve requirements, capital standards, and examination framework
FDIC NPR
Requirements for bank-subsidiary issuers and FDIC-supervised custodians
FinCEN / OFAC NPR
AML program obligations, financial crimes controls, and sanctions requirements
The central organizing framework of the Stablecoin ICA program. Eleven control layers — Governance through Real-Time Monitoring & Analytics — each mapped to key risks, key controls, NIST CSF 2.0 function codes, FFIEC handbook guidance, and GENIUS Act section citations. This is the Design Input at Phase 6 that feeds the Program Stream through Phases 7–10.
Program Sections & Pages
13 Pages Across 6 Program Sections
Six sections covering the full PPSI compliance lifecycle — from regulatory obligation mapping through process and control taxonomy, risk-weighted gap assessment, examination readiness, SOC and audit assurance, and ongoing monitoring solutions. Three existing pages are updated; ten new pages complete the program.
// Regulation
b1 — Regulatory Library
~85 PPSI obligations consolidated across GENIUS Act + OCC 12 CFR Part 15 + FDIC 12 CFR Part 350 + FinCEN/OFAC Joint NPR + Treasury NPR. Each obligation cross-referenced by ICA layer. The obligation inventory that feeds all downstream work.
GENIUS Act · OCC · FDIC · FinCEN · Treasury
b2 — Regulatory Roadmap
Temporal sequencing of all ~85 obligations by effective date trigger: immediate, pre-issuance, 180-days post-approval, monthly from Day 1, and Jan 18 2027 statutory effective date. Converts the obligation inventory into a compliance build schedule.
OCC · FDIC · Effective Dates
b3 — Regulatory Traceability
7-column mapping chain: statute → NPR → cross-regulator coverage → effective date → NIST CSF 2.0 → FFIEC handbook → OCC CSW examination procedure → implementation requirement. The analytical core that makes every control traceable to a specific examination procedure.
OCC CSW · NIST CSF 2.0 · FFIEC
// Process, Risk & Control
c1 — Process Taxonomy
63 process steps across 8 PPSI operational domains — Issuance Authorization through Monthly Attestation. Each step: who, when, what, risk statement, control description. Mapped to COSO, NIST CSF 2.0, FFIEC, ISO 27001, SOC 1, SOC 2. Source data: Stablecoin_PCR_20260513.xlsx.
8 Domains · 63 Steps · COSO · NIST · ISO
c2 — Risk Taxonomy
~50 risk scenarios across 8 domains with inherent risk ratings (H/M/L). Derived from regulatory obligation failure modes (Track 1) and PCR process risk statements (Track 2). The PPSI audit universe — the risk reference document for all assessment and audit work.
8 Domains · ~50 Scenarios · Inherent Rating
c3 — Control Standard
11 ICA control layers — Governance through Real-Time Monitoring. The "should be" design standard for each layer derived from Regulatory Traceability Column 8. Specific mandatory controls with OCC/FDIC metrics (WAM ≤20 days, liquidity ladder ≥10% overnight, etc.).
OCC · FDIC · FinCEN · Treasury · GENIUS Act
// Assessment
d1 — Gap Assessment
Risk-weighted comparison of Control Standard ("should be") vs PCR ("as is") across all 11 layers. Three gap types: missing control, design weakness, operating gap. Outputs a prioritized deficiency register and the 5 PPSI Critical Risks — the convergence point of both analytical tracks.
Control Arch vs PCR · Risk Weighted · 11 Layers
d2 — Multi-Regulator Review
4-regulator compliance validation grid (OCC · FDIC · FinCEN/OFAC · Treasury) organized by ICA layer. Pass/Fail/N/A per control requirement per regulator. Simulates an OCC examination — designed to be submitted as a pre-examination self-assessment package.
OCC CSW · FDIC IT Exam · FinCEN/OFAC
d3 — Compliance Readiness
4-level CMMI-aligned maturity model per ICA layer: Policy → Operational → Tested → Continuous. SOC 2 Type I readiness requires all layers at Level 2+. SOC 2 Type II requires Level 3+ sustained 6+ months. Layer-by-layer dashboard and improvement roadmap.
4-Level Model · 11 Layers · SOC 2 Gates
// Assurance
e1 — SOC Readiness
SOC 1 AT-C §320 (reserve financial controls), SOC 2 Type I / Type II (all 11 ICA layers × Trust Services Criteria), SOX ICFR for L03 + L05 (PCAOB AS 2201). Evidence requirements per layer per TSC criterion. Closes the statute-to-audit-evidence traceability loop.
SOC 1 · SOC 2 · SOX ICFR · AICPA AT-C §205
e2 — Audit Work Program
Integrated technology audit across all 11 ICA layers. Special focus: AML model governance (Fed SR 11-7), block/freeze/reject smart contract technical testing, FinCEN NPR event-triggered risk assessment evidence. Produces audit work papers organized for OCC/FDIC submission.
OCC CSW · AML Model · FFIEC Handbook
Program Summary (PDF)
End-to-end program overview for board reporting, OCC charter application exhibits, and client presentations. Covers all 6 sections, all 13 pages, source instruments, and the end-to-end traceability chain.
Continuous monitoring, validation, and evidence generation across critical stablecoin functions. Six AI assessment agents validate reserve sufficiency, liquidity, concentration, reconciliation, resilience, and regulatory evidence in real time. Reserve Management domain is live.
GENIUS Act §§4,7,113 · OCC §15.10 · NYDFS 2026
Seven-Level Traceability — Statute to Audit Evidence
Every control traces from GENIUS Act obligation through examination procedure to audit evidence
Statute → NPR → NIST CSF 2.0 → FFIEC handbook → OCC CSW examination procedure → control design → operational process → audit evidence. Seven levels. Designed to be presented directly to an OCC or FDIC examiner on day one.
Each control layer maps to NIST CSF 2.0, FFIEC, COSO, and ISO 27001 simultaneously
The Control Standard defines the "should be" design standard for every mandatory PPSI control — with specific metrics, evidence requirements, and examination procedure references for each of the 11 layers.
The framework is built. The question is whether it fits what you need.
A short conversation is the right first step — whether you are a stablecoin issuer building toward your first examination, a custodian assessing GENIUS Act custody obligations, or a firm placing senior controls expertise on a client engagement.
Embedded Execution
Building the control program alongside your team
For issuers and custodians building from scratch — architecture design, documentation, and examination package delivery.
Independent Assessment
Gap assessment before a deadline or examination
For operators and custodians who have existing programs but need an independent view of where the gaps are before a regulator finds them.