Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Third-Party Risk

GENIUS Act Stablecoin Custody: The Due Diligence Framework Your TPRM Program Doesn't Cover Yet

The GENIUS Act's July 18, 2026 rulemaking deadline is 16 days away. When final rules land, every bank acting as a stablecoin custodian — or relying on one — will face vendor oversight obligations your standard TPRM template wasn't built to address. Here's the framework.

By Rebecca Leung · July 1, 2026 ·
Table of Contents

TL;DR

  • The GENIUS Act’s July 18, 2026 rulemaking deadline is 16 days away; the Act takes effect approximately November 15, 2026 if final rules are issued on time — or January 18, 2027 automatically if not
  • Every PPSI must use a “covered custodian” from a restricted eligible list: national banks, federal savings associations, federal branches of foreign banks, or other PPSIs
  • Reserve assets cannot be rehypothecated through third-party custodians; sub-custodian chains require explicit oversight documentation
  • Covered custodians must separately account for reserves, maintain written policies, and publish monthly disclosures — creating a monitoring workflow your standard TPRM program wasn’t designed for
  • Standard TPRM questionnaires don’t cover custody eligibility verification, reserve segregation audits, or sub-custodian oversight chains — this is new due diligence territory

Your TPRM program knows how to onboard a cloud vendor. It has a questionnaire for ACH processors and a review cycle for loan origination software. The categories are familiar. The risks map to things you’ve seen before.

Stablecoin custody doesn’t map to anything in your standard vendor inventory.

When the GENIUS Act takes effect — approximately November 15, 2026 if final rules land by the July 18, 2026 statutory deadline, or January 18, 2027 automatically if regulators miss it — any bank acting as a stablecoin reserve custodian, or any institution relying on one, will have vendor oversight obligations your current TPRM framework wasn’t built to address. The custody agreement specifications, reserve segregation requirements, sub-custodian chain oversight, and monthly disclosure monitoring are all new categories. None of them appear on a standard vendor risk questionnaire.

The rulemaking deadline is 16 days away. The implementation window after that is approximately four months. Build the framework now, not after the effective date passes.

The GENIUS Act Custody Architecture

The GENIUS Act — enacted July 18, 2025 — created a federal framework for Permitted Payment Stablecoin Issuers (PPSIs). Six agencies issued proposed rules: OCC (Bulletin 2026-3), FDIC (Federal Register 2026-06974), NCUA, FinCEN, OFAC, and Treasury. The Federal Reserve had not yet issued its proposed rule as of May 2026; the Chapman and Cutler rulemaking tracker is the authoritative source for current status across all agencies.

The custody structure is the piece most financial institutions haven’t focused on. Every PPSI must hold its reserve assets — the assets backing its outstanding stablecoins — with a “covered custodian.” A covered custodian is not just any regulated financial institution. The GENIUS Act restricts eligibility to:

  • National banks
  • Federal savings associations
  • Federal branches of foreign banks
  • Other PPSIs

This is a statutory approved vendor list. A stablecoin issuer cannot use its existing cash management bank for reserve custody unless that bank specifically qualifies under one of these categories and has executed a compliant custody agreement.

For the TPRM practitioner, this creates two distinct operating scenarios:

Scenario A: Your institution is a PPSI. You need to select a covered custodian, conduct due diligence, negotiate a qualifying custody agreement, and establish ongoing monitoring — including monthly reserve disclosure review.

Scenario B: Your institution is considering becoming a covered custodian. Your TPRM program needs to address the reverse relationship: the PPSIs you serve become material counterparties, and your sub-custodian arrangements (if any) become fourth-party risk in your clients’ TPRM programs.

Either way, your existing vendor oversight framework doesn’t cover it.

What Covered Custodians Must Do — And What You Must Verify

The OCC’s proposed rules (OCC Bulletin 2026-3) and the FDIC’s proposed rules (Federal Register 2026-06974) establish what a covered custodian must do when holding stablecoin reserves. These requirements define your due diligence checklist:

Asset segregation. Covered assets must be separately accounted for and not commingled with the custodian’s proprietary assets. This is not a paper requirement — your due diligence should confirm the operational mechanics of how segregation is maintained, not just the policy that says it will be.

Customer property treatment. Covered assets are not the custodian’s balance sheet. The rules require custodians to treat reserve assets as customer property, which has implications for what happens in a custodian insolvency scenario. Your due diligence should address this explicitly.

Written policies and procedures. Custodians must maintain documented policies governing their custody operations. Request and review these as part of initial due diligence and on an ongoing cycle — this is new category documentation that your standard questionnaire won’t automatically surface.

No rehypothecation. Reserve assets cannot be rehypothecated, pledged, or encumbered through a third-party custodian arrangement, except in narrow regulatory-approved circumstances the final rules will specify. Your custody agreement needs explicit covenants confirming this prohibition — and ongoing monitoring to confirm compliance.

Monthly reserve disclosures. Covered custodians must publish monthly disclosures about the reserve assets they hold. For PPSIs relying on a custodian, these disclosures become a recurring monitoring data point. You need to build monthly disclosure review into your ongoing vendor oversight cycle — not just the annual review.

The Sub-Custodian Problem: Fourth-Party Risk in Stablecoin Reserves

Covered custodians may delegate some custody functions to sub-custodians, subject to maintaining oversight and control. From a TPRM perspective, this creates a fourth-party risk chain that standard vendor frameworks don’t typically reach:

PPSI → Covered Custodian → Sub-Custodian → (Sub-Sub-Custodian)

The proposed rules require the covered custodian to maintain possession or control of covered assets even when using sub-custodians. But “maintain control” is a legal concept that doesn’t automatically give the PPSI visibility into the sub-custodian chain.

This is one of the documented gaps in TPRM examination findings more broadly — programs that stop at their direct vendor relationship and don’t see the vendor’s vendor. For stablecoin reserves, the stakes are higher because the assets at the end of that chain are regulatory reserves backing outstanding payment instruments.

Your custody agreement with the covered custodian should require:

  • Disclosure of all sub-custodian arrangements at onboarding and upon any change
  • Your right to request information about sub-custodian oversight arrangements
  • Confirmation that the custodian maintains legally meaningful control over delegated custody
  • Defined procedures for asset retrieval if a sub-custodian fails

The Due Diligence Framework Your TPRM Program Needs

Standard TPRM questionnaires assess information security controls, business continuity, regulatory compliance history, and financial stability. None of those categories maps cleanly to stablecoin custody. Here’s what a custody-specific due diligence framework adds:

Due Diligence CategoryStandard TPRMStablecoin Custody Addition
Eligibility verificationConfirm vendor is authorized to provide servicesConfirm custodian qualifies under GENIUS Act (national bank, FSA, federal branch, or PPSI)
Regulatory complianceReview exam findings, consent ordersVerify no restrictions on stablecoin custody; confirm applicable OCC/FDIC Bulletin compliance
Operational controlsInfoSec questionnaire, SOC 2Segregation mechanics, commingling controls, customer property accounting procedures
Financial stabilityCredit assessmentInsolvency analysis — what happens to reserve assets if the custodian fails?
Contract reviewStandard MSA termsCustody agreement review against GENIUS Act specifications: no-rehypothecation, segregation, disclosure access, sub-custodian rights
Sub-vendor oversightThird-party listSub-custodian disclosure, oversight rights, control confirmation for each layer
Ongoing monitoringAnnual review cycleMonthly reserve disclosure review plus material change notification process

The contract piece requires specific attention. Custody agreements for GENIUS Act purposes need provisions that don’t exist in standard vendor contracts. Your vendor contract review process needs stablecoin-specific addenda covering the regulatory requirements — no-rehypothecation covenants, reserve segregation mechanics, eligibility maintenance obligations, and monthly disclosure access rights.

The GENIUS Act and Its Companion Requirements

The custody framework doesn’t operate in isolation. The GENIUS Act’s FinCEN customer identification requirements — which create new CIP obligations for stablecoin issuers — apply alongside the custody framework. A PPSI standing up its operations needs to address both simultaneously: who custodies the reserves and how KYC/CIP applies to stablecoin holders.

The same institutional design question applies to both: which vendors do you need, do those vendors exist and qualify under the statute, and what do your contracts with them need to include? The vendor universe for compliant stablecoin operations is narrow by statutory design.

The July 18 Deadline and What It Means for Implementation

The statutory deadline for final rules is July 18, 2026 — 16 days away. Two possible outcomes:

If final rules are issued by July 18: The Act takes effect 120 days later, approximately November 15, 2026. Institutions have roughly four months to build out custody arrangements, execute qualifying agreements, and stand up ongoing monitoring workflows.

If regulators miss the deadline: The Act takes effect automatically on January 18, 2027. This scenario creates implementation ambiguity — institutions would be operating under the Act’s statutory requirements with proposed-rule guidance that wasn’t finalized. Those relying on proposed-rule specifics that change in final rules could face compliance gaps.

As of the Chapman and Cutler tracker’s last update, no agency had announced finalized rules. The Federal Reserve’s proposed rule was still outstanding as of May 2026. Watch the tracker for real-time status as July 18 approaches.

Either way, the implementation window is short. Building a custody due diligence framework from scratch takes longer than a questionnaire refresh. The custody agreement negotiation alone — with a covered custodian that may not have executed GENIUS Act-compliant agreements before — could take weeks.

So What?

Two groups need to act before the effective date arrives:

If your institution is considering stablecoin custody services (as a PPSI or as a covered custodian for PPSIs): The TPRM infrastructure needs to exist before you go to market. “We’ll figure out the due diligence when we have our first custody client” is the wrong sequencing. The custody agreement template, sub-custodian oversight framework, monthly disclosure monitoring process, and ongoing vendor review cycle need to be operational before the client relationship starts.

If your institution isn’t in the stablecoin space: This is worth understanding anyway. The GENIUS Act’s custody framework — statutory eligible vendor list, written policies, no-rehypothecation requirements, monthly disclosures — represents how regulators think about high-stakes third-party relationships where the assets involved are regulatory requirements, not just operational dependencies. That framework will influence how examiners think about similar relationships elsewhere.

The deadline is 16 days away. The implementation window after that is four months. Build the due diligence framework before both of those dates close.


Sources:

The Third-Party Risk Management (TPRM) Kit includes vendor due diligence templates, risk assessment frameworks, and contract review checklists — customizable for emerging asset classes and new regulatory requirements.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What is the GENIUS Act custodian requirement and who qualifies as an eligible covered custodian?
The GENIUS Act restricts stablecoin reserve asset custody to a narrow list of eligible financial institutions: national banks, federal savings associations, federal branches of foreign banks, or other Permitted Payment Stablecoin Issuers (PPSIs). This is effectively a statutory approved vendor list. A PPSI cannot place its reserve assets with any custodian — it must use a 'covered custodian' that meets these eligibility requirements and has signed a custody agreement meeting regulatory specifications.
When do GENIUS Act final rules take effect and what's the implementation timeline?
The GENIUS Act was enacted July 18, 2025. The statute requires primary federal regulators to issue final rules by July 18, 2026 — that deadline is 16 days away as of July 2, 2026. Six agencies (OCC, FDIC, NCUA, FinCEN, OFAC, and Treasury) issued proposed rules; the Federal Reserve had not yet issued its proposed rule as of May 2026. If final rules are issued by July 18, 2026, the Act takes effect 120 days later — approximately November 15, 2026. If regulators miss the deadline, the Act takes effect automatically on January 18, 2027.
What does 'covered custodian' due diligence look like under GENIUS Act proposed rules?
Covered custodians must maintain written custody policies and procedures, separately account for covered stablecoin reserve assets, refrain from commingling covered assets with proprietary assets, treat covered assets as customer property (not balance sheet), and publish monthly reserve asset disclosures. For a PPSI selecting a custodian, due diligence must verify eligibility status, review the custody agreement against regulatory specifications, audit the custodian's segregation and disclosure practices, and establish ongoing monitoring of the monthly reserve disclosures.
Can a covered custodian delegate reserve custody to a sub-custodian under the GENIUS Act?
Yes, with limitations. The GENIUS Act proposed rules permit sub-custodian arrangements, but require that the covered custodian maintain possession or control of the covered assets and that proper oversight of any sub-custodian is in place. For TPRM purposes, this creates a fourth-party risk scenario: the PPSI relies on a custodian who relies on a sub-custodian. Your due diligence framework needs to address not just the covered custodian but the sub-custodian chain — especially because reserve assets cannot be rehypothecated through a third-party custodian except in narrow regulatory-approved circumstances.
What should a custody agreement for GENIUS Act purposes include?
At minimum: explicit identification of covered assets, segregation requirements and how they're maintained operationally, no-rehypothecation covenants, sub-custodian disclosure and oversight rights, monthly reserve disclosure access, audit rights for the PPSI or its representatives, eligibility maintenance covenants (the custodian must remain an eligible institution), regulatory change notification provisions, and exit provisions protecting the PPSI's ability to retrieve assets within a defined timeframe if the custody relationship ends.
Are reserve assets protected from rehypothecation under the GENIUS Act?
Yes, with narrow exceptions. Under the proposed OCC and FDIC rules, covered custodians may not rehypothecate, pledge, or encumber reserve assets through a third-party custodian arrangement except in narrow circumstances the final rules will specify. This prohibition is significant for TPRM because it limits what a custodian can do with the assets it holds — and your custody agreement needs explicit covenants confirming that the custodian has not granted any third-party rights over the reserves.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Third-Party Risk Management (TPRM) Kit

Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.

◆ Keep reading

Related posts.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.