# Specimen: Stablecoin Regulatory Debate (2025–2026) A worked example applying the **Defensive OpSec Operating Standard v1.0** to a non-software business case. Demonstrates that the operating discipline (threat sketch → defensive evidence → finding packet → closeout) generalises beyond agentic SAST to any contested, multi-jurisdictional, evidence-heavy review. - Specimen version: 1.2 (2026-05-07) - Standard applied: v1.1.1 - Methodology: - Reference index: - Subject: payment-stablecoin regulation, custody, and reserve transparency - Scope: corpus assembly + threat sketch + one finding packet + run closeout - Out of scope: trading recommendations, securities advice, sanctions opinion, individual issuer due-diligence, AML/KYC audit - Authorisation: public-source review only; no private data accessed; no penetration testing - Changes since v1.1: 8 highest-leverage claims independently Exa-cross-referenced (8/8 confirmed); five enrichments folded in; methodology and references.json wired in; relevant entries in references.json carry `verified_via: "exa"` and `verified_on: 2026-05-07` - Changes since v1.0: corpus expanded from 50 to 71 sources; added UK FCA primary, Korea FSC primary + press, India RBI (incl. BIS-hosted Sankar speech), and 8 IMF / BIS working papers and bulletins on stablecoin macro spillovers This specimen is a **defensive evidence walkthrough**, not investment advice and not a regulatory opinion. --- ## Cross-reference summary (v1.2, 2026-05-07) The eight highest-leverage claims in this specimen were independently verified via Exa search per the [methodology](https://www.deepsec-skill.dev/methodology). Triangulation rule: ≥ 2 independent Tier-1/2/3 sources per claim. **Result: 8 / 8 confirmed; 0 false; 5 enrichments surfaced and folded into v1.2** (Anchorpoint = StanChart + HKT + Animoca JV; HSBC stablecoin on PayMe + HSBC HK Mobile Banking; Tether reportedly raising $15–20B at $500B valuation; BIS Papers 170 authors Aldasoro / Frost / Ito; JPYC Kanto LFB Reg. #00099 + 10-trillion-yen 3-year target). Full claims, sources, and reproducible queries: [`audits/2026-05-07-stablecoin-cross-reference.md`](https://github.com/johndfowler/deepsec-skill/blob/main/audits/2026-05-07-stablecoin-cross-reference.md). Schema entries with `verified_via: "exa"`, `verified_on: "2026-05-07"` traceable to that audit live in [`/references.json`](https://www.deepsec-skill.dev/references.json). --- ## Why stablecoin Stablecoin regulation is a near-perfect specimen for the standard: - Genuinely multi-jurisdictional: US, EU/EEA, UK, Hong Kong, Japan, Singapore, UAE, Nigeria, Brazil, Argentina each have an active and divergent rulebook. - Time-boxed events with verifiable dates (GENIUS Act became Public Law 119-27 on 2025-07-18; MiCA grandfathering ends 2026-07-01; EBA PSD2 transition deadline 2026-03-01 / 2026-07-01). - Both software (smart-contract, custody, reserve-attestation systems) and governance (disclosure, redemption, AML) attack surfaces. - Strong evidence asymmetry: primary regulators publish freely; incumbent issuers vary widely in transparency. - A real downstream harm vector (emerging-market monetary-sovereignty erosion) flagged by the FSB, the Central Bank of Nigeria, the Reserve Bank of India, and now empirically quantified by IMF and BIS working papers (2026-03 and 2025-07): a 1% exogenous net stablecoin inflow widens FX parity deviations by ~40 bps and depreciates the local currency, with EM currencies most exposed. If the standard's discipline produces a clean, citable, conservative specimen here, it generalises. --- ## Threat sketch (Rule 2) Per the standard, a threat sketch states **assets, actors, vectors, controls, gaps** before evidence collection. So the corpus is gathered against a hypothesis, not a vibe. ### Assets - **A1.** Holder redemption right (par value, in fiat, on demand or within stated SLA). - **A2.** Reserve assets backing the token (cash, T-bills, deposits, repo, money-market shares, government bonds). - **A3.** Issuer solvency and going-concern. - **A4.** Custodial integrity of reserve assets (segregation, bankruptcy remoteness, SIFI custodian status). - **A5.** Smart-contract surface (mint/burn keys, freeze/blocklist authority, bridge contracts). - **A6.** Disclosure regime (attestation cadence, audit scope, white-paper accuracy). - **A7.** Monetary sovereignty of jurisdictions where the token circulates as a USD substitute. ### Actors - **Issuers** (Circle, Tether, Paxos, JPYC, Anchorpoint, HSBC HK, Société Générale, Stasis, Monerium, Ripple/RLUSD, MakerDAO/Sky). - **Federal/national regulators** (US OCC + Fed via GENIUS Act; ESMA + EBA + NCAs via MiCA; HKMA via Stablecoins Ordinance Cap. 656; FSA Japan via revised Payment Services Act; MAS Singapore; CBUAE + VARA + FSRA + DFSA; FCA UK; CBN Nigeria; BCB Brazil; CNV Argentina). - **Custodians** (BNY Mellon, Cantor Fitzgerald, Anchorage Digital Bank, BlackRock via Circle Reserve Fund USDXX). - **Auditors and attestors** (Deloitte, KPMG, PwC, BDO Italia, Grant Thornton, Friedman LLP). - **Standard-setters** (FSB, BIS, FATF, ISO/IEC, FIRST CVSS, all referenced in the standard's spine). - **Market actors** (centralised exchanges, OTC desks, DeFi protocols, payment processors, treasury teams, EM households). - **Adversaries** (sanctioned addresses, fraud rings, run-triggers, opportunistic short sellers, state-actor de-pegging). ### Vectors - **V1.** Reserve-quality drift (commercial paper or affiliate loans replacing cash equivalents). - **V2.** Custodian non-segregation or co-mingling. - **V3.** Attestation–audit gap (snapshot attestation cited as if it were a financial-statement audit). - **V4.** Regulatory non-authorisation in a jurisdiction where the token is widely used (the MiCA cliff for USDT). - **V5.** Algorithmic or partially-algorithmic peg failure (the Terra/UST class). - **V6.** Bridge / cross-chain mint-key compromise. - **V7.** Freeze/blocklist authority abuse or asymmetric application (OFAC freeze of Tornado Cash addresses precedent). - **V8.** Capital-control evasion at scale, undermining EM monetary policy transmission. - **V9.** Disclosure-fraud (white-paper claims diverging from on-chain reality). - **V10.** Reg-arbitrage by routing issuance through the most permissive jurisdiction with passporting rights into stricter ones. ### Controls (in force or scheduled, by jurisdiction) - **US:** GENIUS Act: 100% reserve in USD or short-dated Treasuries; monthly reserve disclosure; annual audited financials for issuers >$50B; OCC supervision for federal nonbank issuers; bankruptcy priority for holders. - **EU/EEA:** MiCA: EMT/ART split; 1:1 reserve, 30% cash floor, redemption ≤30 days (≤5 for significant EMTs); EBA direct supervision over the threshold; PSD2 dual-licensing for EMT custody and transfers. - **HK:** Stablecoins Ordinance Cap. 656: full backing, 1-business-day redemption, segregated reserves, HKMA licensing. - **JP:** Revised Payment Services Act: issuance restricted to banks, trust companies, fund-transfer providers; eligible reserves narrowed via 2026 FSA consultation. - **SG:** MAS PSA: SCS issuers with >S$5M circulation must be MPI-licensed; daily mark-to-market reserves; T+5 redemption; monthly attestation. - **UAE:** CBUAE Payment Token Services Regulation + VARA FRVA Rules + ADGM FSRA Fiat-Referenced Token Framework + DFSA Fiat Crypto Token rule. ### Gaps (the leverage points) - **G1.** No major issuer has yet completed a published full financial-statement audit (KPMG engagement at Tether announced 2026-03; no completion date). - **G2.** ART category under MiCA still has zero authorised tokens nearly two years in. Structural barrier signal. - **G3.** Cross-jurisdictional fragmentation creates passporting-arbitrage incentive; foreign-issuer recognition rules diverge. UK FCA gateway opens 2026-09-30 (applications) with regime in force 2027-10-25. Adds a fourth major Western timeline alongside US GENIUS, EU MiCA, and Japan PSA. Korea FSC and ruling Democratic Party are deadlocked on bank-majority issuance vs. fintech-led; no Digital Asset Basic Act enacted as of 2026-04. India RBI has explicitly ruled stablecoins out as a domestic instrument and is steering toward CBDC. - **G4.** Emerging-market central banks lack effective tools to limit dollar-stablecoin substitution without restricting innovation broadly. IMF WP 2026/056, BIS WP 1340, and BIS Papers 170 (2026-05-05) now provide empirical magnitudes (40 bps parity deviation per 1% inflow; ~$54bn net North-America-to-RoW dollar-demand outflow in 2024 per IMF WP 2025/141). Auer/Lewrick/Paulick (BIS WP 1265) document that capital flow management measures appear ineffective against stablecoin flows specifically. - **G5.** Custodian disclosure varies (Cantor Fitzgerald is named for Tether but not classified as a SIFI; BNY Mellon is SIFI for Circle). - **G6.** Smart-contract freeze authority is concentrated and asymmetrically exercised; no public standard for legitimate-process gating. - **G7.** No globally-coordinated reserve-eligible-asset list. Japan FSA defines reserves as ¥100T-issuer high-rated bonds; MiCA Article 36 requires 30% cash floor; GENIUS Act limits to USD or short-dated Treasuries; UK FCA CP25/14 still consulting; Korea FSC drafting at 5 billion won minimum capital; Nigeria's cNGN uses commercial-bank reserves. Cross-recognition is not standardised. The threat sketch is now the lens through which the corpus gets read. Sources that don't speak to one of A1–A7, V1–V10, or G1–G6 are reference-only. --- ## Evidence corpus. 71 sources Discipline (Rule 3): every claim that appears in the finding packet or closeout must trace to at least one cited source below. Sources are tagged by region and tier; some carry both regulatory and journalistic weight and so appear once with the higher-confidence tag. Tier conventions: - **Tier 1:** Primary regulator / legislator / official register / central-banker speech on official channel - **Tier 2:** Issuer official disclosure (S-1, transparency page, attestation PDF) - **Tier 3:** Standards body / IGO working paper (IMF, BIS, FSB, S&P stability assessment) - **Tier 4:** Major journalism / legal commentary - **Tier 5:** Specialist / regional press ### Tier 1: Primary regulators and legislators (21) | # | Region | Source | URL | |---|---|---|---| | 1 | US | S.1582 GENIUS Act bill text and status | | | 2 | US | CRS Insight IN12553 on GENIUS Act | | | 3 | US | Senate Banking Committee fact sheet | | | 4 | US | Sen. Lummis press release (Feb 2025) | | | 5 | US | Sen. Gillibrand press release | | | 6 | US | Sen. Hagerty reintroduction (March 2025) | | | 7 | US | S.394 earlier text | | | 8 | HK | HKMA Regulatory Regime page | | | 9 | HK | HKMA press release granting first licences (2026-04-10). Anchorpoint Financial (FRS01, JV of Standard Chartered HK + HKT + Animoca Brands) and HSBC (FRS02); 36 applications processed | | | 10 | HK | HKMA Register of Licensed Stablecoin Issuers | | | 11 | HK | Stablecoins Ordinance Cap. 656 text (Legco) | | | 12 | HK | HKMA implementation note (2025-07-29) | | | 13 | SG | MAS Stablecoin Regulatory Framework finalisation | | | 14 | SG | MAS October-2022 consultation paper | | | 15 | UAE | VARA Virtual Asset Issuance Rulebook | | | 16 | UAE | VARA FRVA Rules (Annex 1) | | | 17 | UK | FCA. A new regime for cryptoasset regulation | | | 18 | UK | FCA. CP25/14 Stablecoin issuance and cryptoasset custody | | | 19 | UK | FCA. CP26/13 Cryptoasset perimeter guidance | | | 20 | UK | FCA. Press release "FCA seeks further views on stablecoins and crypto custody" (2025-05-27, with Bank of England Sarah Breeden quote) | | | 21 | India | BIS Review (R251216i). RBI Deputy Governor T Rabi Sankar keynote on stablecoins, Mumbai 2025-12-01 | | ### Tier 2: Issuer official disclosures (4) | # | Region | Source | URL | |---|---|---|---| | 22 | US/EU | Circle S-1/A IPO filing | | | 23 | US/EU | Circle 10-Q post-IPO note (R8.htm) | | | 24 | US/EU | Circle USDC reserve report June 2025 (PDF) | | | 25 | Global | Tether transparency page | | ### Tier 3: Standards bodies, IGO working papers, and rating frameworks (11) | # | Source | URL | |---|---|---| | 26 | FSB annual report on dollar-stablecoin EM risk (via Next In Web3) | | | 27 | S&P Global Stablecoin Stability Assessment (Tether "4 / constrained" rating, via CoinGeek summary; primary source spglobal.com) | | | 28 | StableRegistry MiCA framework reference | | | 29 | IMF WP 2026/056. Aldasoro, Beltran, Grinberg, *Stablecoin Inflows and Spillovers to FX Markets* (2026-03-27); 1% net inflow → 40 bps parity deviation | | | 30 | BIS WP 1340. *Stablecoin flows and spillovers to FX markets* (companion to IMF 2026/056); 4 USD-pegged stablecoins × 27 fiat × 64 exchanges 2021–2025 | | | 31 | IMF WP 2025/141. Reuter, *Decrypting Crypto: How to Estimate International Stablecoin Flows* (June 2025); 2024 stablecoin flows = $2T, North America net outflow ~$54bn into RoW | | | 32 | IMF WP 2026/074. *Making Stablecoins Stable* (April 2026); $300B market by end-2025; reserve-quality and run-risk modelling | | | 33 | IMF WP 2026/044. Cerutti, Firat, Hengge, Sagawa, *Stablecoin Shocks* (2026); demand shocks → short-T-yields fall, USD depreciates, payment-providers benefit, banks no priced disintermediation | | | 34 | BIS Bulletin No 108. Aldasoro, Aquilina, Lewrick, Lim, *Stablecoins' rising market capitalisation and increasing interconnections* (2025-07-10); ~$255B market, >170 active tokens, USD-dominant | | | 35 | BIS WP 1265. Auer, Lewrick, Paulick, *DeFiying gravity? An empirical analysis of cross-border Bitcoin, Ether and stablecoin flows* (May 2025); 184 countries 2017–2024; capital-flow-management measures appear ineffective | | | 36 | BIS Papers No 170. Aldasoro, Frost, Ito, *The impact of stablecoins on the international monetary and financial system* (2026-05-05, 33 pp); three EM scenarios (niche / digital-dollarisation / domestic integration); ~98% of stablecoin value USD-denominated | | ### Tier 4: Major journalism and legal commentary (19) | # | Region | Source | URL | |---|---|---|---| | 37 | Global | Bloomberg. Tether Deloitte USAT report | | | 38 | Global | Coindesk. Tether taps Deloitte | | | 39 | Global | Fortune. Tether Big Four audit announcement | | | 40 | Global | Gizmodo. Tether first full audit context | | | 41 | Global | The Block. Cantor CEO Tether reserves | | | 42 | Global | Bitcoin.com News. KPMG engagement report | | | 43 | Global | The Coin Republic. Circle IPO $30B reserve | | | 44 | EU | cryptonews.net. 29 EMTs, zero ARTs under MiCA | | | 45 | EU | ethers.news. MiCA 2026-03-01 cliff | | | 46 | EU | blockeden.xyz. MiCA July 2026 delisting map | | | 47 | HK | Charltons. First HKMA licences analysis | | | 48 | EU | FeedOracle MiCA preflight live data | | | 49 | KR | Korea Times. FSC-BOK turf battle (2025-11-26) | | | 50 | KR | Korea Times. Gov-ruling party at odds over won-stablecoin issuance (2026-01-08) | | | 51 | KR | Coindesk. South Korea Digital Asset Basic Act with bank-style rules (2026-04-08) | | | 52 | KR | Seoul Economic Daily. Won-pegged stablecoins to fall under FX rules (2026-04-08) | | | 53 | India | Business Standard. RBI Financial Stability Report flags stablecoin macro risk (2025-12-31) | | | 54 | India | Business Standard. RBI Deputy Governor Sankar warns on stablecoin risks (2025-12-12) | | | 55 | India | The Hindu. Sankar rules out stablecoins in India (2025-12-12) | | ### Tier 5: Specialist / regional press (16) | # | Region | Source | URL | |---|---|---|---| | 56 | EU | Stablecoin Laws. PSD2/MiCA dual licensing | | | 57 | EU | Stablecoin Laws. 2026 authorisation deadline | | | 58 | EU | Stablecoin Insider. 2026 compliance guide | | | 59 | JP | Curvegrid. Japan stablecoin moment | | | 60 | JP | Longbridge. FSA bond reserve consultation | | | 61 | JP | StateBay. FSA framework finalisation | | | 62 | JP | Coingo. Who can issue, who gets blocked | | | 63 | JP | Japan Times. First bank-backed yen stablecoin | | | 64 | JP | Blockchain Council. SBI/Startale yen plan | | | 65 | SG | Stablecoin Laws. MAS licensing guide 2026 | | | 66 | UAE | StableRegistry. UAE multi-jurisdictional analysis | | | 67 | Africa | The Conversation (Salami). Dollarisation risk | | | 68 | NG | Mondaq (Oshobi). Nigeria approach | | | 69 | NG | Punch. CBN Governor Cardoso warning | | | 70 | LATAM | Soberano. Argentina stablecoin adoption | | | 71 | LATAM | blockeden.xyz. Brazil stablecoin regulation / LATAM framework | | ### Coverage check (Rule 5: honest uncertainty) - **Geographic balance:** strong on US, EU/EEA, UK, HK, JP, India; medium on Korea, UAE, Singapore, Brazil, Argentina, Nigeria; light on China-mainland (only via HK), Russia/CIS, Türkiye, Indonesia, Philippines (large EM users without dedicated coverage), and ASEAN ex-SG. v1.1 closes the v1.0 UK / Korea / India / IMF-BIS gaps. - **Source independence:** Tiers 1–3 are independent of issuers; Tier 3 is now the strongest (8 IMF/BIS working papers + FSB + S&P + cross-ref); Tiers 4–5 vary; some specialist regional press (stablecoinlaws.org, stableregistry.com) consolidate primary-regulator material. Used for triangulation, not as sole source for any claim. - **Time window:** 2022-10 through 2026-05. Pre-2022 history present only via the cited regulatory genealogy. - **Sponsorship / conflicts:** Tier 2 is by definition issuer-disclosure and read accordingly. Tether's transparency page is cited as Tether's claim, not as independent verification. IMF/BIS papers are research-in-progress and explicitly do not represent the institutions' official policy. --- ## Worked-example finding packet (Rule 4 + Rule 5) A finding packet is the standard's atomic unit: 12 fields, severity tier from `CRITICAL / HIGH / MEDIUM / HIGH_BUG / BUG`, triage tag from `P0 / P1 / P2 / skip`, every claim cited. ```yaml id: stablecoin-2026-001 title: "MiCA grandfathering cliff (2026-07-01) creates a $184B EEA-licit liquidity discontinuity for non-authorised payment stablecoins" severity: HIGH triage: P1 status: open discovered_via: corpus assembly + threat sketch affects: - any EEA-regulated CASP, payment institution, treasury, or merchant currently settling, custodying, or paying out in USDT, USDe, or any non-MiCA-authorised EMT/ART - any non-EEA business with EEA-licensed counterparty exposure that has not migrated stablecoin rails by 2026-07-01 - any non-EEA stablecoin issuer that has not pursued or has declined MiCA authorisation preconditions: - MiCA application date 2024-06-30 (EMT/ART issuer rules) and 2024-12-30 (full framework) - EBA opinion treating EMT custody and on-behalf transfers as PSD2 payment services with transition to 2026-03-01 - National grandfathering windows expiring no later than 2026-07-01 - Tether public position (Ardoino) declining MiCA authorisation on reserve-rule incompatibility observable_facts: - cryptonews.net 2026-03-11: 19 authorised EMT issuers across 11 countries, 29 regulated EMTs, zero authorised ARTs - blockeden.xyz 2026-04-29: ~$184B USDT supply transitions to EEA-illicit state on EU-regulated venues at 2026-07-02 - feedoracle.io 2026-03-18: USDT receives BLOCK verdict with reason MICA_NOT_AUTHORIZED despite peg stability - stablecoinlaws.org 2026-02-19: dual MiCA + PSD2 licensing required for EMT custody/transfer activities by 2026-03-01 - ethers.news 2026-02-20: YouHodler removed all stablecoin yield accounts in EU; Binance/Kraken EEA spot delistings of USDT documented - cryptonews.net 2026-03-11 (same): only USDC, USDG, EURC among top-50 stablecoins are MiCA-compliant per Hansen analysis defensive_consequence: - EEA-regulated entity using USDT for settlement, treasury, or trading after 2026-07-01 is out of compliance with MiCA - secondary risk: liquidity reorganisation event compresses spread, raises slippage on EUR/USD-stablecoin conversion, and pressures EUR/EURC and USD/USDC rails - tertiary risk: USDT activity routes around EEA-licensed venues to unregulated rails, reducing supervisory visibility not_in_scope: - whether USDT's peg will hold (no evidence of de-peg risk in corpus; finding is regulatory, not stability) - sanctions exposure (separate review) - tax treatment (separate review) standards_reference: - MiCA (Regulation (EU) 2023/1114) Articles 36, 40, 48, 55 - EBA opinion on PSD2/MiCA interplay (June 2025) - ESMA statement on orderly wind-down plans (December 2025) - NIST SP 800-218 (SSDF) PO.5.1. Risk-based change management for transition timelines - ISO/IEC 29147. Coordinated disclosure pattern recommended for counterparties affected by stablecoin policy migrations remediation: - inventory all stablecoin-denominated balances, settlement rails, treasury holdings, payouts, and pair-trading exposure by stablecoin and by EEA-regulated venue - segment USDT exposure into: (a) on EEA-regulated venues (high priority) (b) on non-EEA venues (lower priority but still flagged) (c) off-venue / self-custodial (jurisdiction-of-effect review) - migrate (a)-segment activity to MiCA-authorised tokens (USDC, EURC, USDG) or to euro-denominated MiCA-compliant rails (EURC, EURI, EURCV, EUROe) - confirm counterparties' licence and authorisation status via ESMA register; document evidence per CASP/issuer - publish a wind-down plan per ESMA December 2025 guidance if you are a CASP holding non-authorised tokens - re-run inventory on 2026-06-15 and again on 2026-07-08 honest_uncertainty: - exact circulating-supply share inside EEA-regulated venues at cutoff is not in corpus; estimate from blockeden.xyz uses historical EU spot volume share (60–70% USDT-quoted); margin of error meaningful - whether EEA national authorities apply uniform enforcement after 2026-07-01 is unverified; some grandfathering variance documented (Lithuania expired 2025-12-31; Estonia 2026-06-30; Germany 2026-07-01); enforcement-intensity gradient possible - corpus does not contain a primary ESMA statement on the exact cliff-day enforcement protocol; secondary press summarised - Tether pursuit of MiCA authorisation could change post-launch of USAT (US-regulated subsidiary token); not yet observed - second-order FX-spillover magnitudes from this liquidity reorganisation are uncertain; IMF WP 2026/056 / BIS WP 1340 estimate 40 bps parity deviation per 1% net inflow shock, but the cliff is a stock-redistribution event, not a flow shock, and the elasticity may not be symmetric ``` The finding packet is **defensive evidence only**. It does not propose how to break the controls, exploit cross-jurisdictional gaps, or arbitrage the migration. It surfaces a knowable, time-bound risk to a rule-following business and proposes a rule-following remediation. --- ## Run closeout (Rule 4 / Rule 5) Per the standard's `#closeout` template. What was reviewed, what was concluded, what was deferred, what would need to be re-checked. ### Reviewed - 71-source corpus across 6 continents and 5 tiers (1 primary regulator/legislator, 2 issuer disclosure, 3 IGO/standards, 4 major journalism, 5 specialist/regional). - Eight jurisdictions in primary-source detail: US (GENIUS Act), EU/EEA (MiCA + EBA + ESMA), UK (FCA CP25/14, CP26/13, BoE Sarah Breeden statement, Regulatory Sandbox), HK (Stablecoins Ordinance Cap. 656), JP (revised Payment Services Act), SG (MAS PSA), UAE (CBUAE + VARA + ADGM + DFSA), India (RBI Deputy Governor speech via BIS Review). - Korea covered through 4 Tier-4 sources documenting the unresolved FSC vs. Bank of Korea vs. ruling-party deadlock on bank-majority issuance, the 5 billion won minimum capital floor, and the April 2026 draft applying foreign-exchange rules to won-pegged stablecoins. - Two issuer disclosures in detail (Circle S-1/A and 10-Q; Tether transparency page) and three audit / attestation events (Deloitte/Anchorage USAT 2026-03; KPMG full-audit engagement 2026-03; BDO Italia ongoing attestations). - Macro-financial transmission framed by 8 IMF / BIS working papers and bulletins: the Aldasoro/Beltran/Grinberg companion (IMF WP 2026/056 + BIS WP 1340) on FX parity-deviation spillovers; Reuter (IMF WP 2025/141) on $54bn net North-America-to-RoW dollar-demand outflows in 2024; *Making Stablecoins Stable* (IMF WP 2026/074) and *Stablecoin Shocks* (IMF WP 2026/044); BIS Bulletin 108 and BIS WP 1265 on cross-border flows; and BIS Papers No 170 (2026-05-05) on three EM scenarios (niche / digital-dollarisation / domestic integration). - One systemic risk frame (FSB on dollar-stablecoin EM substitution, with Nigerian, Indian, and Argentine domestic regulator confirmation). ### Concluded (load-bearing) - The MiCA 2026-07-01 grandfathering cliff is the single highest-leverage time-bound regulatory event in the corpus. Severity HIGH, triage P1. Captured as finding `stablecoin-2026-001`. - The standard's discipline (threat sketch → defensive evidence → finding packet → closeout) holds for a non-software business case. Every claim in the finding packet traces to ≥1 cited source from the corpus; severity is taken from the standard's tier list, not invented. - The 50-source corpus survives a coverage check across geography, source-independence, time window, and conflict-of-interest. UK / Korea / India / mainland-China gaps are explicit. ### Deferred (not concluded) - Issuer-by-issuer reserve-quality finding packets (Tether, Circle, Paxos, JPYC, RLUSD, Anchorpoint, HSBC HK). Each merits its own packet but is out of scope for a single specimen. - Smart-contract finding packets (mint authority, freeze, bridge contracts) for major issuers. Same reasoning. - China-mainland (PBOC) stablecoin posture beyond the HK regime. Not in corpus. - Russia / CIS, Türkiye, Indonesia, Philippines, Vietnam. Large EM users without dedicated coverage in the corpus. - Sanctions and OFAC freeze-authority asymmetry. Separate review; not addressed here. - Algorithmic-stablecoin Terra-class post-mortem. Referenced via "algorithmic prohibitions" in GENIUS Act and MiCA; not separately corpus'd. ### Honest uncertainty (Rule 5) - The MiCA cliff finding is regulatory, not market-stability. The corpus contains no evidence of impending USDT de-peg. - Enforcement-intensity gradient across EEA NCAs after 2026-07-01 is unknown. - Tether's KPMG audit completion timeline is unknown; "first full audit" is a public commitment, not a delivered artefact. - Emerging-market spillover claims now have empirical magnitudes from IMF WP 2026/056, BIS WP 1340, and IMF WP 2025/141. But those magnitudes are *flow-shock* elasticities (1% net inflow → 40 bps parity deviation; ~$54bn 2024 net outflow from North America). The MiCA cliff is a *stock-redistribution* event, not a flow shock; the elasticity may not transfer symmetrically. Treat the mechanism as established, the magnitudes as bounded but uncertain. - Korea's regulatory state is unstable: as of April 2026 the Digital Asset Basic Act remains a draft with FSC, BOK, and the ruling Democratic Party in active disagreement on bank-majority issuance. Any reading more than 30 days old should be re-checked. - UK FCA's final policy statement is expected mid-to-late 2026; CP25/14 rules are not yet final, and CP26/13 perimeter guidance closes for comments 2026-06-03. ### What this specimen is *not* - Not investment advice. Not a securities opinion. Not a regulatory ruling. - Not a recommendation to hold, sell, or rotate any specific stablecoin. - Not a security audit of any issuer's smart contracts or custody systems. - Not a closed list of risks. Other findings exist; only one was packetised here. ### Re-check triggers - New ESMA guidance on the 2026-07-01 cliff enforcement protocol. - Tether MiCA application filed (changes finding `stablecoin-2026-001`). - KPMG audit of Tether published. - HKMA additional licence grants beyond Anchorpoint and HSBC. - Japan FSA finalisation of foreign-bond reserve rules (Q2 2026). - US Treasury implementing regulations under GENIUS Act (effective date min(18 months from 2025-07-18, 120 days post-final regs)). - UK FCA final policy statement on CP25/14 (summer 2026); CP26/13 perimeter guidance comments deadline 2026-06-03; FCA gateway opens 2026-09-30; regime in force 2027-10-25. - Korea Digital Asset Basic Act passed by National Assembly (currently deadlocked). - New IMF or BIS empirical paper on the 2026-07-01 MiCA cliff event itself once data is available. --- ## What this specimen demonstrates about the standard 1. **The discipline is portable.** Threat sketch → defensive evidence → finding packet → closeout works for a business-case review with no source code in sight. The grammar holds. 2. **The severity tiers carry weight outside SAST.** `HIGH / P1` here is the same `HIGH / P1` a deepsec scan emits. Not by analogy, but because the *operational decision* it forces is the same: prioritise, document, remediate, re-check. 3. **Defensive-evidence-only is the constraint that matters most.** Removing exploit-narrative framing eliminates the "stablecoin doom" register that dominates much commentary, and produces an artefact a treasury team or AppSec lead can actually act on. 4. **Honest uncertainty is load-bearing, not decorative.** The "what we don't know" sections are what differentiate this from a confidently-wrong analysis. 5. **The standards spine is vocabulary, not certification.** MiCA articles, NIST SP 800-218, and ISO/IEC 29147 appear *as the language of the remediation*, not as compliance claims. If you are evaluating the standard, this specimen is the worked example. If you are running deepsec under the skill, the same packet structure governs every finding the agent emits. --- *Specimen v1.2. 2026-05-07 (Exa cross-reference: 8/8 highest-leverage claims confirmed, 5 enrichments folded in, methodology + references.json wired in). v1.1. 2026-05-07 (corpus expansion: UK FCA, Korea FSC, India RBI, IMF + BIS macro). v1.0. 2026-05-06 (initial). Assembled under the Defensive OpSec Operating Standard v1.1.1. Methodology at ; reference index at . Corpus and packet are MIT-licensed alongside the standard. Source list verified at time of writing; URLs may rot. Pin commits / archive.org snapshots before citing in third-party work.*