Drawn from the OCC Proposed Rule (12 CFR Part 15), the GENIUS Act, and the Stablecoin Process, Risk & Control (PRC) Taxonomy. Each risk represents a control gap that surfaces during exam preparation — and that most applicants discover too late.
Most issuers assume an internal policy stating "only mint when reserves are sufficient" constitutes a control. It does not. A policy is documentation; a control is a mechanism that prevents the action from executing when the precondition is not met. The OCC NPR cites a $300 trillion technical minting error as the canonical example of what happens when that distinction is ignored.
The smart contract mint() function must be technically incapable of executing without a confirmed authorization signal from the custodian's reserve management system — confirming that reserve assets have been received and classified before a single token is issued.
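The following is an added example, not code from the page or from any issuer: an off-chain model of the control described above, written so that mint() cannot run at all unless it is handed a valid, unexpired, unused attestation from the reserve management system covering at least the requested amount. The attestation format, the HMAC-based signing (a shared key is used so the example runs stand-alone; in production the token contract would verify the custodian's public-key signature), the class names ReserveAttestor and StablecoinToken, and the eligible asset classes are all assumptions made for this example.

```python
"""Added example: a mint() that is mechanically gated on a reserve attestation.

A policy says "only mint when reserves are sufficient"; this control makes the
mint path refuse to execute unless the custodian's reserve management system
(modelled here as ReserveAttestor) has attested that the reserves were received
and classified. Key, names, and asset classes are constructed for the example.
"""
import hashlib
import hmac
import json
import time


class MintRefused(Exception):
    """Raised whenever the reserve precondition is not provably met."""


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ReserveAttestor:
    """Stands in for the custodian's reserve management system (assumption)."""

    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0  # monotonically increasing, gives each attestation a unique id

    def attest(self, amount: int, asset_class: str, ttl_s: int = 300, now=None) -> dict:
        now = time.time() if now is None else now
        self._seq += 1
        body = {"seq": self._seq, "amount": amount,
                "asset_class": asset_class, "expires": int(now) + ttl_s}
        body["sig"] = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        return body


class StablecoinToken:
    # Eligible reserve classes: an assumption for the example, not a legal list.
    ELIGIBLE = {"cash", "t-bill<=93d"}

    def __init__(self, custodian_key: bytes):
        self._key = custodian_key
        self.total_supply = 0
        self._used_seq = set()   # replay protection: each attestation mints once
        self.audit_log = []

    def mint(self, to: str, amount: int, attestation: dict, now=None) -> int:
        now = time.time() if now is None else now
        body = {k: v for k, v in attestation.items() if k != "sig"}
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        # Every check below is a refusal, not a warning: the mint does not happen.
        if not hmac.compare_digest(expected, attestation.get("sig", "")):
            raise MintRefused("attestation signature invalid or body tampered")
        if body["expires"] < now:
            raise MintRefused("attestation expired")
        if body["seq"] in self._used_seq:
            raise MintRefused("attestation already consumed (replay)")
        if body["asset_class"] not in self.ELIGIBLE:
            raise MintRefused(f"reserve asset class {body['asset_class']!r} not eligible")
        if amount > body["amount"]:
            raise MintRefused("mint amount exceeds attested reserves")
        self._used_seq.add(body["seq"])
        self.total_supply += amount
        self.audit_log.append({"to": to, "amount": amount, "attestation_seq": body["seq"]})
        return self.total_supply


if __name__ == "__main__":
    key = b"constructed-shared-key-for-example"
    attestor, token = ReserveAttestor(key), StablecoinToken(key)
    att = attestor.attest(1_000_000, "cash")
    print("minted, supply =", token.mint("treasury", 1_000_000, att))
    try:
        token.mint("treasury", 1, att)          # same attestation again
    except MintRefused as e:
        print("refused:", e)
```

The tampered-amount case is the one that matters for the page's point: an operator (or a bug) that edits the amount field after the custodian signed it gets a signature failure, not a trillion-token mint, because the mint path has no branch that issues tokens without a matching attestation.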
OCC § 15.11(b)(6) contains an absolute prohibition on pledging, lending, or reusing reserve assets. Standard institutional custody agreements frequently include securities lending provisions. Unless explicitly prohibited, rehypothecation may occur without the issuer's awareness — a compliance failure that originates in contract review, not operations.
Every custody agreement requires an explicit written no-rehypothecation clause, plus a right-to-audit provision enabling independent verification of reserve segregation. Legal review of all contracts must be completed before any deposits are made.
A single-owner admin key on an upgradeable proxy contract is a single point of authority. Any modification to mint(), burn(), or transfer() logic can occur without multi-party approval, timelocks, or audit trails. Under ITGC frameworks, this is a segregation of duties failure — one that examiners will look for immediately.
All contract deployments and upgrades require M-of-N multi-signature authorization (3-of-5 recommended). A timelock mechanism must provide a governance review period before changes take effect. Independent third-party security audits are required before any material upgrade is deployed.
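As an added example, not code from the page or from any deployed governance contract, the following models the upgrade path described above: a proposal must reference an audit report, collect M of N distinct signer approvals, and then sit behind a timelock before it can execute, with every step appended to an audit trail. The class name UpgradeGovernor, the signer identifiers, and the 3-of-5 / 48-hour defaults are assumptions; on-chain this is usually a multisig wallet that owns a timelock controller, which in turn owns the proxy admin.

```python
"""Added example: M-of-N approval plus timelock for proxy upgrades.

Replaces a single-owner admin key with a governance path where no one signer
can change mint()/burn()/transfer() logic alone, and no approved change takes
effect before a review window has elapsed. Names and parameters are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


class GovernanceError(Exception):
    """Raised when an action violates the governance controls."""


@dataclass
class Proposal:
    proposal_id: str
    target: str                  # e.g. "proxy.upgradeTo"
    new_impl: str                # identifier of the audited implementation
    audit_report: str            # reference to the independent audit of new_impl
    created_at: int
    approvals: set = field(default_factory=set)
    eta: Optional[int] = None    # earliest execution time once quorum is reached
    executed: bool = False


class UpgradeGovernor:
    def __init__(self, signers, threshold=3, delay_s=48 * 3600):
        if threshold < 2 or threshold > len(signers):
            raise ValueError("threshold must be between 2 and the number of signers")
        self.signers = set(signers)
        self.threshold = threshold
        self.delay_s = delay_s
        self.proposals = {}
        self.audit_log = []      # append-only record examiners can review

    def _log(self, event, **fields):
        self.audit_log.append({"event": event, **fields})

    def propose(self, proposer, target, new_impl, audit_report, now) -> str:
        if proposer not in self.signers:
            raise GovernanceError("proposer is not a signer")
        if not audit_report:
            raise GovernanceError("material upgrade requires an audit report reference")
        pid = hashlib.sha256(f"{target}|{new_impl}|{now}".encode()).hexdigest()[:16]
        self.proposals[pid] = Proposal(pid, target, new_impl, audit_report, now)
        self._log("proposed", id=pid, by=proposer, at=now)
        return pid

    def approve(self, signer, pid, now) -> int:
        p = self.proposals[pid]
        if signer not in self.signers:
            raise GovernanceError("not a signer")
        if signer in p.approvals:
            raise GovernanceError("duplicate approval from the same signer")
        p.approvals.add(signer)
        self._log("approved", id=pid, by=signer, at=now)
        if p.eta is None and len(p.approvals) >= self.threshold:
            p.eta = now + self.delay_s          # quorum reached: start the timelock
            self._log("queued", id=pid, eta=p.eta)
        return len(p.approvals)

    def execute(self, pid, now) -> str:
        p = self.proposals[pid]
        if p.executed:
            raise GovernanceError("already executed")
        if len(p.approvals) < self.threshold:
            raise GovernanceError(f"quorum not met: {len(p.approvals)}/{self.threshold}")
        if now < p.eta:
            raise GovernanceError(f"timelock active until {p.eta}")
        p.executed = True
        self._log("executed", id=pid, at=now)
        return p.new_impl
```

The two refusals worth noticing are the duplicate-approval check (one key approving three times is not 3-of-5) and the fact that execute() re-checks quorum and the timelock rather than trusting that approve() queued the proposal correctly.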
The GENIUS Act's monthly reserve certification carries criminal liability under 18 U.S.C. 1001. Manual month-end processes create personal exposure for executives when reconciliation breaks or data errors are discovered after certification has been submitted.
Reserve valuation, token supply, and reconciliation data must be generated continuously by an automated pipeline. Executives must sign a structured evidence package produced from source systems, not a summary report assembled by hand hours before the deadline.
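The block below is an added example, not the page's or any issuer's pipeline: it takes custodian position records and the on-chain token supply, applies eligibility classification (including excluding any pledged or lent position, which ties back to the rehypothecation prohibition above), computes the shortfall, and emits a canonical JSON evidence package bound by a SHA-256 digest so the thing executives sign is reproducible from source data. The field names, the eligible asset classes, the 93-day maturity cap, and the sample positions are constructed assumptions for the example.

```python
"""Added example: automated reserve-to-supply reconciliation with a hash-bound
evidence package.

The report is produced deterministically from source records; anyone holding
the same inputs can recompute the digest, which is what makes it evidence rather
than a summary. Asset classes, caps, and sample data are assumptions.
"""
import hashlib
import json

ELIGIBLE_CLASSES = {"cash", "insured_deposit", "t-bill"}  # assumption for the example
MAX_TBILL_MATURITY_DAYS = 93                               # assumption for the example


def classify(position: dict):
    """Return (eligible, reason) for one custodian position record."""
    cls = position["asset_class"]
    if cls not in ELIGIBLE_CLASSES:
        return False, f"class {cls} not eligible"
    if cls == "t-bill" and position["days_to_maturity"] > MAX_TBILL_MATURITY_DAYS:
        return False, "t-bill maturity exceeds cap"
    if position.get("encumbered"):
        return False, "position is pledged or lent (rehypothecated)"
    return True, "ok"


def reconcile(positions, token_supply_units: int, as_of: str, tolerance_units: int = 0) -> dict:
    """Build the evidence package for one reconciliation run."""
    eligible_total = 0
    excluded = []
    for p in positions:
        ok, reason = classify(p)
        if ok:
            eligible_total += p["value_units"]
        else:
            excluded.append({"position_id": p["position_id"], "reason": reason})
    shortfall = token_supply_units - eligible_total
    report = {
        "as_of": as_of,
        "token_supply_units": token_supply_units,
        "eligible_reserve_units": eligible_total,
        "shortfall_units": shortfall,
        "excluded_positions": excluded,
        "status": "RECONCILED" if shortfall <= tolerance_units else "BREAK",
    }
    # Digest covers the canonical form of every field above; a verifier removes
    # evidence_digest, re-serializes with the same settings, and recomputes.
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    report["evidence_digest"] = hashlib.sha256(canonical).hexdigest()
    return report


# Constructed sample input: custodian positions and supply in whole-cent units
# (value_units 100 == $1.00). P3 breaches the maturity cap, P4 is encumbered.
SAMPLE_POSITIONS = [
    {"position_id": "P1", "asset_class": "cash",   "value_units": 60_000_00, "days_to_maturity": 0,   "encumbered": False},
    {"position_id": "P2", "asset_class": "t-bill", "value_units": 30_000_00, "days_to_maturity": 45,  "encumbered": False},
    {"position_id": "P3", "asset_class": "t-bill", "value_units": 10_000_00, "days_to_maturity": 180, "encumbered": False},
    {"position_id": "P4", "asset_class": "cash",   "value_units": 5_000_00,  "days_to_maturity": 0,   "encumbered": True},
]

if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_POSITIONS, 100_000_00, "2025-01-31T23:59:59Z"), indent=2))
```

Run continuously, a BREAK status surfaces on the day the ineligible or encumbered position appears, not at month end after the certification has been signed.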
Holding reserve assets in a custodian account is not equivalent to a bankruptcy-remote trust. Without a proper legal structure, assets may be treated as general creditor assets during insolvency — making the issuer's reserve backing functionally meaningless to token holders at the moment it is needed most.
An independent legal opinion confirming bankruptcy-remote status is required before charter application. The assets must be legally owned by the trust structure — not available to general creditors of either party. This opinion must be reconfirmed annually.
These risks are drawn from the Stablecoin Process, Risk & Control (PRC) Taxonomy — a practitioner-built framework mapping OCC, GENIUS Act, and FFIEC requirements to operational controls across eleven domains. The full taxonomy and OCC Charter Readiness Checklist are available at itauditconsulting.com.