Institutional Oversight and the Role of Assurance Professionals
The global stablecoin market now exceeds $250 billion in circulating value, placing it within the size range of mid-tier sovereign bond markets and large-cap financial institutions. Despite its scale and integration into critical financial infrastructure, the assurance environment surrounding stablecoins remains fragmented and non-standardized. Over 70% of circulating stablecoins are not subject to full-scope external audits, and there is no unified framework for attestation of reserves, collateral disclosure, or operational control. The absence of binding assurance requirements has contributed to inconsistent practices across issuers.
Among the ten largest stablecoin providers, only 62% currently publish monthly third-party reserve attestations. These attestations vary in depth and format and are not governed by common assurance standards. None of the top ten stablecoins undergo annual financial audits conducted under Public Company Accounting Oversight Board (PCAOB) guidelines, nor are they held to International Standards on Auditing (ISA) protocols. As a result, stablecoin issuers are able to make broad claims about 1:1 fiat backing, reserve security, and liquidity coverage without subjecting those claims to regulated verification by licensed accounting professionals.
This uneven assurance landscape creates multiple structural limitations:
- Disparity in disclosure formats: Attestation reports vary by issuer in terms of asset detail, timing frequency, collateral valuation methodology, and legal enforceability.
- Lack of custodial verification: Few reports include third-party confirmation of bank accounts, asset segregation, or chain-of-custody for incoming and outgoing reserves.
- Unverified redemption mechanisms: There is no standardized external testing of redemption speed, queue protocols, or asset liquidity under market stress conditions.
- Regulatory inconsistency: Issuers are spread across jurisdictions with divergent financial reporting obligations, complicating regulatory supervision and enforcement.
While stablecoins function as operational equivalents to sovereign currency within blockchain-based payment, lending, and derivatives ecosystems, they do so without the corresponding regulatory assurances found in traditional finance. Their status as de facto digital dollars introduces systemic exposure without the institutional validation required of banks, money market funds, or payment processors.
In June 2025, the American Institute of Certified Public Accountants (AICPA) issued an exposure draft establishing the first formal attestation framework for stablecoin issuers. The draft introduces a standardized set of procedures designed to verify reserve sufficiency, segregation of custodial accounts, token issuance mechanics, and smart contract controls. It defines a structure for CPA engagement that draws on existing attestation standards but is tailored to digital asset instruments.
Key elements of the AICPA initiative include:
- Introduction of minimum procedural requirements for reserve evaluation, including asset reconciliation and account confirmation.
- Incorporation of SOC 1/SOC 2-style control assessments, adapted for stablecoin issuance, redemption, and reporting infrastructure.
- Recognition of jurisdictional risk factors, requiring CPA firms to evaluate legal frameworks governing reserve access and tokenholder rights.
- Distinction between attestation and audit, enabling engagement flexibility while preserving professional accountability.
The draft does not impose audit obligations or assess full financial statements. Instead, it provides a repeatable method for evaluating whether core financial claims made by stablecoin issuers are supported by independent evidence. In doing so, it creates a mechanism for enhancing comparability across issuers, facilitating institutional due diligence, and supporting future regulatory integration.
The AICPA framework reflects a broader trend toward institutionalizing the digital asset ecosystem by importing financial discipline from traditional assurance models. As adoption expands and stablecoins are used in regulated contexts (such as tokenized securities, CBDC pilots, and cross-border finance platforms), the existence of an enforceable, profession-led assurance standard may become a prerequisite for market access.
Scope of the June 2025 Exposure Draft
The AICPA exposure draft released in June 2025 introduces a formalized attestation structure for stablecoin issuers, grounded in existing professional assurance standards but adapted for digital asset ecosystems. The scope of the draft reflects the unique operational risks posed by programmable tokens and custodial infrastructure while preserving core accounting principles such as evidence-based evaluation, professional independence, and representational clarity. The framework applies attestation logic to stablecoin-specific domains including reserve adequacy, custody arrangements, issuance logic, and legal enforceability.
The draft does not introduce new assurance categories but applies the AICPA’s established Statements on Standards for Attestation Engagements (SSAE) to the digital asset domain, incorporating elements from SOC 1 and SOC 2 evaluations and tailoring them to blockchain-based financial instruments.
Key requirements outlined in the scope include:
- Reserve sufficiency assessment: CPA firms are expected to evaluate whether fiat or cash-equivalent reserves fully cover the circulating supply of tokens. This includes review of reconciliation data, examination of reserve ledgers, and third-party confirmation of account balances held by custodial institutions. Stablecoin liabilities are to be matched against documented assets with timing consistency and valuation clarity.
- Custodial segregation verification: The framework requires that stablecoin reserves be held in accounts separate from the issuer’s operational capital or affiliated entities. Firms must confirm that legal and operational safeguards exist to prevent co-mingling, diversion, or premature liquidation of backing assets. Custodial arrangements must include enforceable rights of redemption and evidence of beneficial ownership traceable to token holders.
- Internal control testing (SOC alignment): Engagements must apply SOC 1 and SOC 2 methodologies to assess the design and operational effectiveness of internal controls across financial and IT systems. Control reviews must address token issuance pathways, redemption functionality, system access controls, incident response procedures, and audit logging. The evaluation must be tailored to digital issuance platforms but remain consistent with SOC reporting principles.
- Legal and jurisdictional analysis: Firms are instructed to assess the legal domicile of the issuer and analyze jurisdiction-specific risks that may affect access to reserves or enforcement of redemption rights. This includes the evaluation of applicable insolvency laws, regulatory recognition of digital claims, and potential barriers to fiat asset recovery in the event of issuer failure or custodial dispute. The legal structure of the issuing entity must be documented as part of the engagement file.
The scope of the exposure draft is confined to attestation services and does not require the issuance of an audit opinion on full financial statements. It does not extend to revenue, profitability, or valuation claims and excludes any analysis of capital adequacy unrelated to reserve matching. The purpose of the engagement is to assess whether the issuer’s specific representations about reserve sufficiency, operational separation, and issuance control can be supported through objective evidence and procedural testing.
This approach allows for focused evaluation of systemic risk factors without imposing the procedural burden of a full financial audit. It also enables recurring engagements (such as monthly or quarterly attestations) designed to reflect the real-time liquidity and operational dynamics of stablecoin systems. By applying standardized scope boundaries across issuers, the framework introduces baseline comparability and provides a formal mechanism for establishing assurance credibility in tokenized financial markets.
Core Assurance Mechanisms
The AICPA exposure draft defines five procedural domains that form the core of any stablecoin attestation engagement. These domains are not optional features but standardized components designed to address recurring risks observed in digital asset markets: undisclosed reserve gaps, custodial uncertainty, code-level failure, and inconsistent redemption practices. Each mechanism introduces a structured process for testing and documentation, aligning with existing attestation standards while adapting to the operational realities of blockchain-native financial infrastructure.
The framework supports both periodic engagements (such as monthly reserve attestations) and targeted reviews conducted in response to supervisory requests or market disruptions. Its goal is not to evaluate issuer profitability or business risk but to provide assurance over the structural claims that define stablecoin functionality and solvency.
Reserve Verification
Stablecoin reserve verification requires confirmation that fiat or cash-equivalent assets exist and are sufficient to cover all outstanding tokens in circulation. The exposure draft mandates monthly attestation of these reserves using standardized financial verification procedures.
- CPA firms must conduct reconciliation of token liabilities against reserve account balances on a defined attestation date.
- Confirmation of account balances must be obtained directly from custodial banks or financial institutions holding the reserves.
- Reviews must include historical account activity to detect discrepancies, reserve drift, or timing mismatches between issuance and funding.
- Procedures must be sufficient to verify that total asset value at time of attestation equals or exceeds total token supply, without double-counting or unrecognized encumbrances.
Reserve sufficiency forms the foundation of stablecoin solvency. This mechanism establishes whether issuers can meet redemption demands under baseline conditions.
Segregation of Reserves
The exposure draft emphasizes the legal and operational separation of reserves from issuer operating capital. Segregated reserves must be protected from diversion, insolvency, or unauthorized access.
- Firms must validate that reserves are held in accounts designated solely for token backing purposes and are not used to fund operations or settle liabilities unrelated to stablecoin issuance.
- Documentation must confirm account ownership, access restrictions, and segregation terms as defined in custodial contracts or internal policies.
- Rights of redemption must be structured such that tokenholders retain a claim over reserved assets distinct from issuer creditors.
- Attestation procedures must include a review of internal controls limiting fund transfer authority, change management protocols, and multi-signature or escrow conditions where applicable.
This mechanism addresses the risk of co-mingling and ensures that token-backed claims are not diluted or subordinated by unrelated financial activity.
Collateral Composition Disclosure
Stablecoin reserves must not only be sufficient in size but must also meet liquidity and maturity requirements necessary to support timely redemptions. The framework requires detailed disclosure of asset composition.
- Issuers must classify reserve assets by type (e.g., cash, short-term U.S. Treasury bills, overnight repo), maturity band, and issuer credit rating where applicable.
- CPA firms must assess the liquidity ladder of the portfolio, including time to convert to cash under typical and stressed redemption volumes.
- Attestation procedures must document portfolio allocation thresholds, rebalancing policies, and exposure limits to individual issuers or instruments.
- Firms must evaluate whether reserve instruments are held in bearer form, custodial accounts, or pooled structures and confirm any redemption friction these arrangements introduce.
This mechanism enhances transparency of backing quality and informs the real-world accessibility of reserves during volume spikes or asset-specific disruptions.
Smart Contract Review
Where stablecoin issuance and redemption are governed by on-chain smart contracts, the framework requires code-level assurance procedures. These reviews are intended to test whether the logic governing supply control is sound, secure, and tamper-resistant.
- CPA firms must perform code walkthroughs of smart contracts handling minting, burning, redemption, and administrative controls.
- Procedures must test for known vulnerabilities such as reentrancy, overflow errors, oracle manipulation, or hardcoded privileges.
- Role-based access controls must be validated to ensure administrative keys are limited, auditable, and subject to dual-control mechanisms.
- The review must document upgradeability conditions, including whether contracts are immutable, modifiable by governance, or updatable by centralized actors.
This mechanism addresses the execution layer of issuance and ensures that systemic logic failures or privileged actions cannot be used to bypass collateral controls or inflate supply.
Chain-of-Custody Protocols
Stablecoin trust depends on the traceability of value movement between tokenholders and reserve accounts. The exposure draft requires CPA firms to validate the full path of fiat inflows and outflows connected to token transactions.
- Documentation must trace the creation and redemption of tokens to and from fiat accounts, including timestamps, amounts, and settlement status.
- Firms must examine whether user redemption requests are fulfilled within documented timeframes and whether automated mechanisms operate as intended.
- Event logs must be reviewed for transaction anomalies, failed redemptions, or processing errors across both blockchain and custodial systems.
- Firms must assess whether system availability and operational continuity plans support consistent execution of redemptions during network congestion or custodial downtime.
This mechanism addresses the operational interface between tokenholders and fiat infrastructure, ensuring that the path from request to delivery is auditable, timely, and technically coherent.
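The reconciliation described under Reserve Verification and Chain-of-Custody Protocols can be sketched as follows. This is an added example, not a procedure taken from the exposure draft: the record fields, the 24-hour redemption timeframe, the finding labels, and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

REDEMPTION_SLA = timedelta(hours=24)  # assumed documented redemption timeframe

# Constructed sample data; amounts are integer cents to avoid float drift.
CHAIN_EVENTS = [
    {"id": "tx1", "kind": "mint", "amount": 500_000_00, "ts": "2025-06-01T10:00"},
    {"id": "tx2", "kind": "mint", "amount": 200_000_00, "ts": "2025-06-02T09:00"},
    {"id": "tx3", "kind": "burn", "amount": 100_000_00, "ts": "2025-06-03T12:00"},
    {"id": "tx4", "kind": "burn", "amount": 50_000_00, "ts": "2025-06-04T08:00"},
    {"id": "tx5", "kind": "mint", "amount": 75_000_00, "ts": "2025-06-05T15:00"},
]
BANK_ENTRIES = [
    {"ref": "tx1", "direction": "in", "amount": 500_000_00, "ts": "2025-06-01T09:30", "status": "settled"},
    {"ref": "tx2", "direction": "in", "amount": 200_000_00, "ts": "2025-06-02T11:00", "status": "settled"},
    {"ref": "tx3", "direction": "out", "amount": 100_000_00, "ts": "2025-06-03T18:00", "status": "settled"},
    {"ref": "tx4", "direction": "out", "amount": 50_000_00, "ts": "2025-06-06T08:00", "status": "settled"},
    {"ref": "tx9", "direction": "out", "amount": 20_000_00, "ts": "2025-06-06T09:00", "status": "settled"},
]
CONFIRMED_BALANCE = 530_000_00  # balance as confirmed by the custodian (constructed)


def reconcile(events, entries, confirmed_balance):
    """Match token events to fiat records and test reserve sufficiency."""
    by_ref = {e["ref"]: e for e in entries}
    findings, supply = [], 0
    for ev in events:
        is_mint = ev["kind"] == "mint"
        supply += ev["amount"] if is_mint else -ev["amount"]
        rec = by_ref.get(ev["id"])
        want = "in" if is_mint else "out"
        if rec is None or rec["direction"] != want or rec["status"] != "settled":
            findings.append((ev["id"], "NO_SETTLED_FIAT_RECORD"))
            continue
        if rec["amount"] != ev["amount"]:
            findings.append((ev["id"], "AMOUNT_MISMATCH"))
        chain_ts = datetime.fromisoformat(ev["ts"])
        bank_ts = datetime.fromisoformat(rec["ts"])
        if is_mint and bank_ts > chain_ts:
            # Tokens issued before the backing funds arrived.
            findings.append((ev["id"], "MINT_BEFORE_FUNDING"))
        if not is_mint and bank_ts - chain_ts > REDEMPTION_SLA:
            findings.append((ev["id"], "REDEMPTION_SLA_BREACH"))
    # Reserve-account movements with no token event behind them.
    event_ids = {ev["id"] for ev in events}
    for e in entries:
        if e["ref"] not in event_ids:
            findings.append((e["ref"], "FIAT_WITHOUT_TOKEN_EVENT"))
    if confirmed_balance < supply:
        findings.append(("reserve", "RESERVE_SHORTFALL"))
    return {"supply": supply, "shortfall": max(0, supply - confirmed_balance),
            "findings": findings}


if __name__ == "__main__":
    result = reconcile(CHAIN_EVENTS, BANK_ENTRIES, CONFIRMED_BALANCE)
    print("circulating supply (cents):", result["supply"])
    for ref, label in result["findings"]:
        print(ref, label)
```
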
Each assurance mechanism provides a targeted lens through which CPA firms evaluate distinct components of the stablecoin architecture. Together, they offer a multi-dimensional assurance structure that balances attestation discipline with the operational complexity of programmable finance. The procedures are designed to be repeatable, evidence-based, and compatible with both voluntary reporting and statutory compliance pathways.
Intended Use and Regulatory Alignment
The AICPA exposure draft is designed to function as a professional assurance standard that complements statutory regulatory systems. It does not constitute legal regulation but serves as an enabling framework for licensed CPA firms to deliver structured attestation services that align with supervisory priorities. Its function is to bridge the gap between evolving financial oversight regimes and the technical realities of digital asset markets, particularly in contexts where legislative clarity is still in formation.
The framework is aligned with policy proposals under active review by the U.S. Senate Banking Committee. Several legislative drafts circulating as of June 2025 include provisions requiring stablecoin issuers to undergo recurring third-party attestation as a condition for accessing U.S. financial markets or onboarding with regulated financial institutions.
These proposals typically include:
- Mandatory monthly reserve verification to confirm asset sufficiency and prevent synthetic expansion of stablecoin supply
- Custodial segregation certification, ensuring reserve assets are held in legally distinct accounts from issuer operating capital
- Public disclosure requirements tied to attestation outputs, designed to standardize transparency and facilitate investor comparisons
- Eligibility conditions for custody, settlement, and exchange listing based on compliance with attestation benchmarks
In this regulatory context, the AICPA draft provides the procedural detail necessary to implement such requirements in practice. It offers an off-the-shelf assurance model that can be adopted by regulators without the need to author a new auditing standard from first principles. For stablecoin issuers, the framework creates a pathway for compliance that is clear, structured, and scalable.
Internationally, the AICPA exposure draft complements regulatory developments such as the European Union’s Markets in Crypto-Assets Regulation (MiCA), which entered its phased implementation in 2024. MiCA mandates that asset-referenced tokens (functionally equivalent to fiat-backed stablecoins) maintain documented reserves and undergo periodic external review by licensed audit firms. MiCA also sets minimum standards for capital buffers, conflict of interest controls, and technical white paper disclosures.
The AICPA framework is not legally enforceable within EU jurisdictions, but it aligns with MiCA's principles and offers a practical format for assurance services that may be used by multinational firms operating across U.S. and EU markets. By standardizing attestation language, review methodology, and reporting formats, it supports:
- Cross-border assurance equivalence, enabling CPA firms to work alongside European auditors without duplicating procedures
- Shared terminologies for reserve sufficiency, smart contract controls, and redemption logistics, facilitating regulator-to-regulator dialogue
- Parallel audit tracks, in which U.S.-based attestations can be integrated into consolidated compliance documentation for global stablecoin products
The exposure draft also reflects global supervisory thinking as expressed by institutions such as the International Organization of Securities Commissions (IOSCO) and the Financial Stability Board (FSB). Both have issued guidance in 2024-2025 advocating for standardized disclosures, third-party verification of asset reserves, and enforceable redemption protocols as foundational requirements for systemically significant stablecoin arrangements.
By aligning with these positions, the AICPA draft enables the accounting profession to contribute to regulatory harmonization without waiting for formal statutory convergence. It offers:
- A pre-regulatory assurance architecture that can be adopted by issuers voluntarily or mandated by regulators through reference
- Compatibility with global principles on financial integrity, including IOSCO’s cross-border supervisory cooperation and FSB’s standards on reserve transparency
- A uniform procedural base that regulators may use to define minimum thresholds for disclosure and control validation
The framework is structured to accommodate both domestic compliance and international assurance interoperability. It does not require jurisdictional equivalence to be useful and does not presume alignment of legal regimes. Instead, it enables multiple regulators and market participants to engage with stablecoin issuers under a consistent assurance logic, even in a fragmented legal landscape.
By creating a profession-led infrastructure for reserve attestation and operational control validation, the AICPA framework positions itself as a foundational component of stablecoin market supervision. Its utility lies in its neutrality, specificity, and adaptability to both voluntary and mandatory reporting environments.
Assurance Without Audit
The AICPA exposure draft explicitly differentiates attestation from audit, both in objective and procedural scope. This distinction is central to the framework’s applicability to stablecoin issuers, whose core financial representations relate not to business performance but to solvency, custody, and operational control of circulating digital tokens. While audits provide a formal opinion on the accuracy of full financial statements, attest engagements are narrower in focus, limited to verifying specific management assertions through documented evidence and standardized procedures.
In the context of stablecoin issuance, the framework identifies three primary assertions subject to attestation:
- The existence and sufficiency of reserve assets to match or exceed the volume of stablecoins in circulation, based on reconciled account balances, custodial confirmations, and valuation documentation
- The legal and operational segregation of reserves from the issuer’s general working capital or affiliated corporate assets, validated through custodial agreements, access controls, and governance structures
- The functional integrity of token issuance and redemption systems, including the correct operation of smart contracts, transaction logs, administrative controls, and redemption execution pathways
These limited-scope engagements allow firms to assess the foundational mechanics of stablecoin solvency without extending into broader areas such as revenue recognition, equity valuation, or enterprise risk modeling. This delineation lowers the liability exposure for accounting firms and facilitates higher-frequency reporting cycles. Under this framework, monthly or event-driven attestations become feasible and scalable, particularly in comparison to traditional audits, which are designed for annual cycles and full-spectrum financial review.
The attestation model supports modular oversight. Stablecoin issuers can select targeted assurance services for the financial conditions most relevant to risk monitoring or regulatory expectations.
For example:
- An issuer may pursue monthly reserve attestations to support custody onboarding with regulated financial institutions
- A DeFi-integrated stablecoin may request smart contract validation procedures to demonstrate compliance with platform listing standards
- A cross-border issuer may use segregation attestations to address local supervisory concerns about insolvency ring-fencing or asset custodianship
This modularity enables alignment with both voluntary transparency goals and jurisdiction-specific compliance obligations. Issuers are not required to disclose full corporate financials but can instead validate key structural claims that underpin token value and market stability.
By maintaining a boundary between attestation and audit, the framework preserves professional rigor without imposing an audit’s complexity, cost, or legal risk profile. It provides an actionable middle ground where accounting firms can offer meaningful, independent assurance while tailoring engagements to the unique demands of programmable financial instruments. This design is particularly useful in a transitional regulatory environment, where statutory audit mandates for stablecoins are not yet in place but market demands for verifiability are accelerating.
As supervisory regimes evolve, the attestation framework may serve as a precursor or complement to future audit requirements. It provides infrastructure for recurring financial verification and supports progressive adoption of assurance discipline across the stablecoin sector, either by issuer choice or through phased regulatory implementation.