Feature Third-Party Risk
GENIUS Act Stablecoin Custody: The Due Diligence Framework Your TPRM Program Doesn't Cover Yet
The GENIUS Act's July 18, 2026 rulemaking deadline is 16 days away. When final rules land, every bank acting as a stablecoin custodian — or relying on one — will face vendor oversight obligations your standard TPRM template wasn't built to address. Here's the framework.
Table of Contents
TL;DR
- The GENIUS Act’s July 18, 2026 rulemaking deadline is 16 days away; the Act takes effect approximately November 15, 2026 if final rules are issued on time — or January 18, 2027 automatically if not
- Every PPSI must use a “covered custodian” from a restricted eligible list: national banks, federal savings associations, federal branches of foreign banks, or other PPSIs
- Reserve assets cannot be rehypothecated through third-party custodians; sub-custodian chains require explicit oversight documentation
- Covered custodians must separately account for reserves, maintain written policies, and publish monthly disclosures — creating a monitoring workflow your standard TPRM program wasn’t designed for
- Standard TPRM questionnaires don’t cover custody eligibility verification, reserve segregation audits, or sub-custodian oversight chains — this is new due diligence territory
Your TPRM program knows how to onboard a cloud vendor. It has a questionnaire for ACH processors and a review cycle for loan origination software. The categories are familiar. The risks map to things you’ve seen before.
Stablecoin custody doesn’t map to anything in your standard vendor inventory.
When the GENIUS Act takes effect — approximately November 15, 2026 if final rules land by the July 18, 2026 statutory deadline, or January 18, 2027 automatically if regulators miss it — any bank acting as a stablecoin reserve custodian, or any institution relying on one, will have vendor oversight obligations your current TPRM framework wasn’t built to address. The custody agreement specifications, reserve segregation requirements, sub-custodian chain oversight, and monthly disclosure monitoring are all new categories. None of them appear on a standard vendor risk questionnaire.
The rulemaking deadline is 16 days away. The implementation window after that is approximately four months. Build the framework now, not after the effective date passes.
The GENIUS Act Custody Architecture
The GENIUS Act — enacted July 18, 2025 — created a federal framework for Permitted Payment Stablecoin Issuers (PPSIs). Six agencies issued proposed rules: OCC (Bulletin 2026-3), FDIC (Federal Register 2026-06974), NCUA, FinCEN, OFAC, and Treasury. The Federal Reserve had not yet issued its proposed rule as of May 2026; the Chapman and Cutler rulemaking tracker is the authoritative source for current status across all agencies.
The custody structure is the piece most financial institutions haven’t focused on. Every PPSI must hold its reserve assets — the assets backing its outstanding stablecoins — with a “covered custodian.” A covered custodian is not just any regulated financial institution. The GENIUS Act restricts eligibility to:
- National banks
- Federal savings associations
- Federal branches of foreign banks
- Other PPSIs
This is a statutory approved vendor list. A stablecoin issuer cannot use its existing cash management bank for reserve custody unless that bank specifically qualifies under one of these categories and has executed a compliant custody agreement.
For the TPRM practitioner, this creates two distinct operating scenarios:
Scenario A: Your institution is a PPSI. You need to select a covered custodian, conduct due diligence, negotiate a qualifying custody agreement, and establish ongoing monitoring — including monthly reserve disclosure review.
Scenario B: Your institution is considering becoming a covered custodian. Your TPRM program needs to address the reverse relationship: the PPSIs you serve become material counterparties, and your sub-custodian arrangements (if any) become fourth-party risk in your clients’ TPRM programs.
Either way, your existing vendor oversight framework doesn’t cover it.
What Covered Custodians Must Do — And What You Must Verify
The OCC’s proposed rules (OCC Bulletin 2026-3) and the FDIC’s proposed rules (Federal Register 2026-06974) establish what a covered custodian must do when holding stablecoin reserves. These requirements define your due diligence checklist:
Asset segregation. Covered assets must be separately accounted for and not commingled with the custodian’s proprietary assets. This is not a paper requirement — your due diligence should confirm the operational mechanics of how segregation is maintained, not just the policy that says it will be.
Customer property treatment. Covered assets are not the custodian’s balance sheet. The rules require custodians to treat reserve assets as customer property, which has implications for what happens in a custodian insolvency scenario. Your due diligence should address this explicitly.
Written policies and procedures. Custodians must maintain documented policies governing their custody operations. Request and review these as part of initial due diligence and on an ongoing cycle — this is new category documentation that your standard questionnaire won’t automatically surface.
No rehypothecation. Reserve assets cannot be rehypothecated, pledged, or encumbered through a third-party custodian arrangement, except in narrow regulatory-approved circumstances the final rules will specify. Your custody agreement needs explicit covenants confirming this prohibition — and ongoing monitoring to confirm compliance.
Monthly reserve disclosures. Covered custodians must publish monthly disclosures about the reserve assets they hold. For PPSIs relying on a custodian, these disclosures become a recurring monitoring data point. You need to build monthly disclosure review into your ongoing vendor oversight cycle — not just the annual review.
The Sub-Custodian Problem: Fourth-Party Risk in Stablecoin Reserves
Covered custodians may delegate some custody functions to sub-custodians, subject to maintaining oversight and control. From a TPRM perspective, this creates a fourth-party risk chain that standard vendor frameworks don’t typically reach:
PPSI → Covered Custodian → Sub-Custodian → (Sub-Sub-Custodian)
The proposed rules require the covered custodian to maintain possession or control of covered assets even when using sub-custodians. But “maintain control” is a legal concept that doesn’t automatically give the PPSI visibility into the sub-custodian chain.
This is one of the documented gaps in TPRM examination findings more broadly — programs that stop at their direct vendor relationship and don’t see the vendor’s vendor. For stablecoin reserves, the stakes are higher because the assets at the end of that chain are regulatory reserves backing outstanding payment instruments.
Your custody agreement with the covered custodian should require:
- Disclosure of all sub-custodian arrangements at onboarding and upon any change
- Your right to request information about sub-custodian oversight arrangements
- Confirmation that the custodian maintains legally meaningful control over delegated custody
- Defined procedures for asset retrieval if a sub-custodian fails
The Due Diligence Framework Your TPRM Program Needs
Standard TPRM questionnaires assess information security controls, business continuity, regulatory compliance history, and financial stability. None of those categories maps cleanly to stablecoin custody. Here’s what a custody-specific due diligence framework adds:
| Due Diligence Category | Standard TPRM | Stablecoin Custody Addition |
|---|---|---|
| Eligibility verification | Confirm vendor is authorized to provide services | Confirm custodian qualifies under GENIUS Act (national bank, FSA, federal branch, or PPSI) |
| Regulatory compliance | Review exam findings, consent orders | Verify no restrictions on stablecoin custody; confirm applicable OCC/FDIC Bulletin compliance |
| Operational controls | InfoSec questionnaire, SOC 2 | Segregation mechanics, commingling controls, customer property accounting procedures |
| Financial stability | Credit assessment | Insolvency analysis — what happens to reserve assets if the custodian fails? |
| Contract review | Standard MSA terms | Custody agreement review against GENIUS Act specifications: no-rehypothecation, segregation, disclosure access, sub-custodian rights |
| Sub-vendor oversight | Third-party list | Sub-custodian disclosure, oversight rights, control confirmation for each layer |
| Ongoing monitoring | Annual review cycle | Monthly reserve disclosure review plus material change notification process |
The contract piece requires specific attention. Custody agreements for GENIUS Act purposes need provisions that don’t exist in standard vendor contracts. Your vendor contract review process needs stablecoin-specific addenda covering the regulatory requirements — no-rehypothecation covenants, reserve segregation mechanics, eligibility maintenance obligations, and monthly disclosure access rights.
The GENIUS Act and Its Companion Requirements
The custody framework doesn’t operate in isolation. The GENIUS Act’s FinCEN customer identification requirements — which create new CIP obligations for stablecoin issuers — apply alongside the custody framework. A PPSI standing up its operations needs to address both simultaneously: who custodies the reserves and how KYC/CIP applies to stablecoin holders.
The same institutional design question applies to both: which vendors do you need, do those vendors exist and qualify under the statute, and what do your contracts with them need to include? The vendor universe for compliant stablecoin operations is narrow by statutory design.
The July 18 Deadline and What It Means for Implementation
The statutory deadline for final rules is July 18, 2026 — 16 days away. Two possible outcomes:
If final rules are issued by July 18: The Act takes effect 120 days later, approximately November 15, 2026. Institutions have roughly four months to build out custody arrangements, execute qualifying agreements, and stand up ongoing monitoring workflows.
If regulators miss the deadline: The Act takes effect automatically on January 18, 2027. This scenario creates implementation ambiguity — institutions would be operating under the Act’s statutory requirements with proposed-rule guidance that wasn’t finalized. Those relying on proposed-rule specifics that change in final rules could face compliance gaps.
As of the Chapman and Cutler tracker’s last update, no agency had announced finalized rules. The Federal Reserve’s proposed rule was still outstanding as of May 2026. Watch the tracker for real-time status as July 18 approaches.
Either way, the implementation window is short. Building a custody due diligence framework from scratch takes longer than a questionnaire refresh. The custody agreement negotiation alone — with a covered custodian that may not have executed GENIUS Act-compliant agreements before — could take weeks.
So What?
Two groups need to act before the effective date arrives:
If your institution is considering stablecoin custody services (as a PPSI or as a covered custodian for PPSIs): The TPRM infrastructure needs to exist before you go to market. “We’ll figure out the due diligence when we have our first custody client” is the wrong sequencing. The custody agreement template, sub-custodian oversight framework, monthly disclosure monitoring process, and ongoing vendor review cycle need to be operational before the client relationship starts.
If your institution isn’t in the stablecoin space: This is worth understanding anyway. The GENIUS Act’s custody framework — statutory eligible vendor list, written policies, no-rehypothecation requirements, monthly disclosures — represents how regulators think about high-stakes third-party relationships where the assets involved are regulatory requirements, not just operational dependencies. That framework will influence how examiners think about similar relationships elsewhere.
The deadline is 16 days away. The implementation window after that is four months. Build the due diligence framework before both of those dates close.
Sources:
- OCC Bulletin 2026-3: GENIUS Act Notice of Proposed Rulemaking
- Federal Register 2026-06974: FDIC Proposed Rules for GENIUS Act
- Chapman and Cutler: GENIUS Act Rulemaking and Reporting Tracker
- WilmerHale: What the GENIUS Act Means for Payment Stablecoin Issuers, Banks, and Custodians
- Gibson Dunn: OCC Proposes Comprehensive Stablecoin Regulatory Framework
The Third-Party Risk Management (TPRM) Kit includes vendor due diligence templates, risk assessment frameworks, and contract review checklists — customizable for emerging asset classes and new regulatory requirements.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What is the GENIUS Act custodian requirement and who qualifies as an eligible covered custodian?
When do GENIUS Act final rules take effect and what's the implementation timeline?
What does 'covered custodian' due diligence look like under GENIUS Act proposed rules?
Can a covered custodian delegate reserve custody to a sub-custodian under the GENIUS Act?
What should a custody agreement for GENIUS Act purposes include?
Are reserve assets protected from rehypothecation under the GENIUS Act?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Keep reading
Related posts.
Third-Party Risk
The Marquis Software Breach: What 80 Banks and Credit Unions Need to Learn About Vendor Concentration Risk
In August 2025, Akira ransomware hit Marquis Software Solutions through an unpatched SonicWall firewall. By the time breach notifications went out—over two months later—80 banks and credit unions had been exposed, 824,000 consumers' data was compromised, and a ransom had reportedly been paid. Here's what your third-party risk program should take from it.
Jul 7, 2026
Third-Party Risk
AI Foundation Model Concentration Risk: When Your Entire AI Stack Depends on Three Vendors
The Cambridge Centre for Alternative Finance's 2026 report found 76% of financial institutions rely on OpenAI, 57% on Google, and 35% on Anthropic — while 63% build on external models rather than their own. Under OCC 2023-17 and DORA, that's not just an AI strategy question. It's a third-party concentration risk your TPRM program probably isn't mapped to address.
Jul 5, 2026
Third-Party Risk
Vendor Financial Health Monitoring: The Early Warning Program OCC 2023-17 Expects for Critical Third Parties
OCC 2023-17's ongoing monitoring phase requires active financial health surveillance for critical third-party vendors — but most institutions treat it as an annual renewal checkbox. Here's what a defensible early warning program looks like, what warning signs to track, and what the Synapse collapse demonstrated about gaps in current practice.
Jul 3, 2026