In July 2025, the U.S. took a landmark step in digital asset regulation with the passage of the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act). The GENIUS Act provides long-awaited clarity by defining who may issue stablecoins, how they must be backed, and what disclosures are required.
At the heart of the GENIUS Act is the recognition that stablecoins are digital representations of value recorded on a blockchain, typically pegged to fiat currencies like the U.S. dollar. These tokens must be 100% backed by reserves such as cash or short-term U.S. Treasuries to maintain their peg and help ensure market confidence. To instill trust and transparency, the act requires issuers to obtain monthly attestation reports from independent public accounting firms, verifying that reserves at least match the outstanding stablecoin supply in a 1:1 or greater ratio.
This requirement for regular attestations signals to regulators, investors, and users that the digital tokens circulating on-chain are reliably anchored to real-world assets off-chain. As the stablecoin market continues to expand into mainstream financial infrastructure, the GENIUS Act’s attestation mandate was codified into the final bill to help instill trust and reduce risk.
This article explores the GENIUS Act’s disclosure requirements, the role of attestation in fostering stablecoin credibility, and how the American Institute of CPAs’ (AICPA) 2025 Criteria for Stablecoin Reporting provides a standardized framework for issuers and auditors alike.
GENIUS Act Disclosure Requirements
The GENIUS Act establishes a clear set of requirements for fiat-backed stablecoin issuers that include (but are not limited to) three core components:
- 1:1 Reserve Backing: Issuers must maintain reserves equal to the total number of outstanding tokens. These reserves must consist of the following:
- U.S. currency
- Deposits at insured depository institutions
- Short-term U.S. Treasury bills, notes, or bonds
- Money market funds invested solely in the above
- Tokenized versions of any of the above assets
- Short-term repurchase agreements
Note that these reserves cannot be pledged or rehypothecated, except for limited regulatory-approved purposes.
- Public Disclosures: Permitted payment stablecoin issuers are required to publicly disclose:
- Redemption policies
- Fees associated with purchasing or redeeming the payment stablecoin
- The total number of outstanding payment stablecoins issued
- The amount and composition of reserves, including the average tenor and geographic location of custody of each category of reserve instrument
- Independent Monthly Attestation: Each month, stablecoin issuers must issue a report of the issuer’s reserves and total outstanding stablecoins issued. This report must be examined by a registered public accounting firm, and the CEO and chief financial officer must certify to its accuracy. The goal of this requirement is to have an independent third party attest that management’s assertions are materially correct as outlined in the issuer’s monthly report.
In addition to these obligations, the act specifies that annual U.S. GAAP-compliant financial statements (audited under auditing standards of the PCAOB) are required for issuers with more than $50 billion of stablecoins in circulation. These requirements are designed to help protect consumers, prevent redemption runs, and reduce systemic risk. Issuers with less than $50 billion of stablecoins in circulation may have another threshold or requirement already triggering an annual financial statement requirement.
Not All Assurance Is the Same
It is important to note that attestations are not the same as traditional financial statement audits. Both services are forms of assurance, performed by CPAs, and governed by professional standards; however, the objective, scope, frequency, and result differ significantly.
This chart shows the key differences between attestations and traditional financial statement audits:
| Characteristic | Stablecoin Reserve Attestation | Traditional Financial Statement Audit |
|---|---|---|
| Objective | Examinations include an opinion on whether management’s defined assertions are fairly stated, based on an examination of the subject matter and relevant criteria as defined by management. In the case of a stablecoin monthly reserve attestation report, the subject matter is the issuer’s reserve position and the outstanding token obligations. | Express an opinion on financial statements as to whether they are presented fairly in accordance with accounting standards. |
| Scope | Narrow, e.g., token supply versus fair value of reserves at a point in time. | Broad with respect to the entire set of financial statements. |
| Frequency (generally) | Monthly | Annually |
| Standards | Attestation Standards | Auditing Standards |
| Result | Examination report with an opinion on fair presentation of management’s written assertion. Typically, management will assert the total tokens outstanding and total fair value of assets held in reserve at a point in time. | Audit opinion on the fair presentation of the financial statements in accordance with the relevant reporting framework, e.g., U.S. GAAP. |
Annual financial statement audits are intended to be comprehensive and reflective of activity over an entire year, whereas monthly reserve attestations are intended to be targeted, as of a point in time and more frequent.
AICPA Disclosure Framework
To provide consistency and structure, the AICPA released its 2025 Criteria for Stablecoin Reporting1 that provides a standardized, regulatory approach for evaluating the presentation and disclosure of stablecoins and the availability of assets for redemption.
The AICPA’s criteria reporting framework for asset-backed, fiat-pegged tokens was developed by the Assurance Services Executive Committee for the AICPA and specifies three criteria includable in the reports.
- Redeemable Tokens Outstanding: Number of tokens in circulation eligible for redemption at a point in time.
- Redemption Assets Available: Assets held by the issuer to supply redemption demands.
- Comparison Between Tokens & Reserves: Reconciliation between the two that includes timing and classification differences.
This criterion is designed to support attestation engagements under the AICPA’s Statements on Standards for Attestation Engagements (SSAEs) and is deemed suitable for both internal reporting purposes and external third-party attestation engagements, such as those mandated by the GENIUS Act. Below is an overview of some of the key criteria required in the AICPA framework.
Disclosure of Redeemable Tokens Outstanding
- Requires disclosure of the total natively minted token quantity, including the specific blockchains and smart contracts involved.
- Requires reconciliation between minted tokens and redeemable tokens, identifying any nonredeemable tokens, e.g., time-locked, test, or permanently restricted.
- Requires disclosure of unresolved events that materially affect token supply, e.g., forks or smart contract failures.
- Requires public disclosure of redemption terms and rights, including who can redeem and under what conditions.
Disclosure of Redemption Assets Available
- Requires disclosure of counterparties holding the assets, including their jurisdiction and whether they are related parties.
- Requires detailed breakdowns of asset types, e.g., cash, T-bills, or money market funds; geographic location; valuation methods; and maturity profiles.
- Requires disclosure of the nature of the issuer’s rights to the assets, e.g., custodial versus noncustodial, or bankruptcy remote structures.
- Requires disclosure of risk mitigation mechanisms, e.g., insurance, segregation, or credit enhancements.
Disclosure of the Comparison of the Redemption Assets Available & Redeemable Tokens Outstanding
- Requires a reconciliation of redeemable tokens to reserve assets, including:
- Surplus or deficit disclosures
- Timing differences, e.g., pending redemptions
- Temporary differences, e.g., access-restricted tokens
- Requires disclosure of material events after the measurement date, legal claims, market disruptions, and regulatory jurisdiction.
- Requires a reconciliation of redeemable tokens to reserve assets, which is intended to provide stakeholders, such as token holders and regulators, with the necessary transparency regarding redemption assets available to cover redemption requests.
Internal Control Considerations
While the AICPA’s 2025 reporting criteria established what must be disclosed regarding redeemable tokens and reserve assets, an exposure draft for Proposed Criteria for Controls Supporting Token Operations is in development to provide a complementary framework for evaluating the design and operating effectiveness of controls that serve to underpin the disclosures of the reserve attestations.2 The goal of this proposed criteria is to construct confidence that the disclosures with the reserve attestations are complete and accurate.
Below is a chart outlining the control areas identified and what they entail.
Note: The exposure draft provides a disclaimer that these control criteria are only applicable to asset-backed, fiat-pegged tokens and that token issuers will need to evaluate their specific risks based on individual facts and circumstances.
| Control Objective | Purpose Description |
|---|---|
| SC1–SC2: Token Generation & Management | Ensure tokens are minted/burned securely and reconciled accurately to on-chain data along with identification and validation of smart contracts and monitoring anomalies, e.g., forks, consensus failures, and security mechanisms. |
| SC3–SC4: Client Onboarding & Customer Transactions | Ensure client accounts are created and modified accurately in accordance with regulatory and contractual requirements; ensure customer redemption rights and transaction processing is timely, complete, accurate, and consistent with issuer terms. |
| SC5: Cryptographic Key & Backup Management | Seeks to protect smart contracts and token operations from compromise or loss through ensuring cryptographic key policies and procedures are defined and maintained related to the key management life cycle. |
| SC6: Redemption Asset Management | Ensure that reserve assets are held, valued, and managed in accordance with the issuer’s terms and regulatory requirements. Specifically related to redemption asset investment policies, segregation of assets and counterparty risk, and daily reconciliation and valuation of reserves. |
| SC7: Vendor Management | Identify and address risks from third-party service providers, e.g., custodians, auditors, or blockchain infrastructure, that affect redemption reliability, specifically in terms of due diligence and onboarding, continual communication, and termination and data recovery. |
| SC8: Reporting | Ensure that report disclosures about token supply and reserves are accurate, complete, and based on reliable data. Specifically addresses the three subject matters outlined in the reporting framework. |
| SC9–SC15: IT General Controls | Provide foundational security and reliability for systems, data, and infrastructure supporting token and reserve operations; specifically, logical and physical access, change management, backup, recovery, and incident response protocols, and data management (transmission and endpoint protection). |
Conclusion
The AICPA’s standards for stablecoin reporting paired with the proposed control framework helps equip payment stablecoin issuers with a practical road map to prepare and navigate the GENIUS Act monthly attestation requirement, as well as create a foundation of trust and transparency with stakeholders.
Forvis Mazars understands the intricacies of the digital asset ecosystems and possesses the rigor required to help you meet the GENIUS Act standards. Our team of professionals can deliver reliable, regulator-ready attestation services tailored to your token architecture, reserve structure, and operational controls. Trust demands teamwork—contact us today to learn how we can help your organization meet GENIUS Act requirements, implement controls, and elevate your stablecoin offering with confidence.