GENIUS Act Leaves Stablecoin Security Standards Open, Issuers Face Uncertainty
The passage of the GENIUS Act marks a turning point for U.S. stablecoin regulation, establishing a federal framework for payment stablecoins. However, the Act is intentionally light on specifics, deferring rulemaking to agencies such as the OCC, the Federal Reserve, and the FDIC. This creates a significant challenge for issuers: what do 'security' and 'operational resilience' actually mean for blockchain-based stablecoin infrastructure? Because existing guidance contains no blockchain-specific controls, issuers are left to determine compliance on their own and risk being unprepared for licensing or examinations.

OpenZeppelin advocates a bottom-up security standard that covers the smart contract, blockchain protocol, and operational layers. In parallel, the EU's MiCA, DORA, and upcoming Cyber Resilience Act already impose obligations, putting pressure on U.S. issuers. The article argues that waiting for final rules is risky, since security incidents can occur at any time. Issuers should conduct risk assessments now to bridge the gap and prepare for licensing, and industry involvement in standard-setting is crucial.
Key facts
- GENIUS Act sets high-level stablecoin rules but defers specifics to regulators.
- No clear blockchain-specific security controls exist in current guidance, creating compliance uncertainty.
- EU's MiCA, DORA, and Cyber Resilience Act already impose requirements.
- OpenZeppelin recommends risk assessments covering three layers: smart contract, blockchain protocol, and operations.
- Waiting for final rules risks security incidents and unprepared licensing.