backOn April 8, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and the Office of Foreign Assets Control (“OFAC”) issued a joint notice of proposed rulemaking (the “Proposed Rule”), which would treat payment stablecoin issuers (“PPSIs”) as financial institutions under the Bank Secrecy Act (“BSA”) and mandate that they comply with a comprehensive suite of anti-money laundering (“AML”), countering the financing of terrorism (“CFT”), and sanctions compliance obligations.
The Proposed Rule has significant implications for current and prospective stablecoin issuers, their parent institutions, and the broader digital asset ecosystem—namely, stablecoin issuers should begin evaluating their compliance programs now, as the rules impose new AML obligations and, for the first time, mandate formal sanctions compliance programs for stablecoin issuers.
The Proposed Rule is part of a broader, multi-agency effort to implement the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the “GENIUS Act”), with the Office of the Comptroller of the Currency (“OCC”), Federal Deposit Insurance Corporation, and National Credit Union Administration having each published their own proposed rules—we have covered some of these rules in a separate client alert here. Stablecoin issuers may be subject to overlapping agency jurisdiction and requirements.
Key Elements of the Proposed Rule
The joint FinCEN/OFAC rulemaking addresses two of the GENIUS Act’s core mandates: (1) that PPSIs be treated as a new category of financial institution under the BSA, subject to AML/CFT obligations tailored to their size and complexity; and (2) that PPSIs maintain an effective sanctions compliance program consistent with federal law. Key elements of the Proposed Rule include:
- New financial institution category. Stablecoin issuers will be classified as a new category of financial institution, separate from money services businesses, with obligations that largely mirror those applicable to banks.
- Primary vs. secondary markets. FinCEN and OFAC divide the stablecoin ecosystem into primary and secondary markets, requiring unique compliance requirements across each. “Primary market” generally describes when a PPSI interacts directly with a user or holder of a payment stablecoin, and “secondary market” activity occurs when there is no direct interaction except via a smart contract.
- Comprehensive AML/CFT program requirements. Requirements include customer due diligence, suspicious activity reporting, and beneficial ownership collection. The framework for these requirements mirrors the requirements outlined by FinCEN in another significant proposed rule it issued this week, which are detailed in our client alert here.
- Effective sanctions compliance program requirements. Stablecoin issuers must maintain a formal sanctions compliance program. OFAC would—for the first time in its regulations—outline what constitutes an effective sanctions program, attaching penalties if a program is ineffective.
- Technical capabilities for transaction control. Issuers must be able to block, freeze, and reject transactions on both primary and secondary markets.
The new requirements apply to all bank subsidiaries approved to issue stablecoins, federally chartered stablecoin issuers (including nonbank entities chartered by the OCC), and state-licensed stablecoin issuers that meet federal standards.
Many stablecoin issuers have historically been subject to BSA obligations as money transmitters, a type of money services business (“MSB”). By expressly defining PPSIs as a separate type of financial institution, PPSIs that are MSBs would no longer be subject to regulation and supervision as MSBs and instead will be subject to a regulatory framework with AML/CFT program obligations that largely mirror those applicable to banks. These include requirements that currently apply to banks but not to MSBs, such as enhanced due diligence for correspondent and private banking accounts, information-sharing obligations under the USA PATRIOT Act, and compliance with special measures when foreign financial institutions or transactions are of primary money laundering concern. PPSIs, however, would also be subject to certain novel requirements not applicable to banks, including technical capabilities to block, freeze, and reject impermissible transactions and compliance with “lawful orders” to seize, freeze, or burn payment stablecoins in both primary and secondary markets.
The Proposed Rule is intended to address stablecoin-specific illicit finance risks motivating the rulemaking, such as the use of stablecoins in money laundering chains, DPRK cyber theft, sanctions evasion networks, fentanyl precursor procurement, and terrorist financing. According to the Proposed Rule, between January 2015 and November 2025, FinCEN received approximately 55,000 suspicious activity reports referencing specific stablecoins, and OFAC received approximately 5,800 blocked property reports and 3,000 rejected transaction reports referencing stablecoins. These figures underscore the Administration’s view that, notwithstanding its broader push to reduce regulatory burdens on the crypto industry, a purpose-built compliance framework is necessary to address the unique illicit finance risks that stablecoins present.
AML/CFT and Sanctions Compliance Program Requirements
The Proposed Rule would require PPSIs to establish and maintain both an AML/CFT program and a sanctions compliance program. These programs share several common elements:
- Risk assessments. Issuers must conduct regular risk assessments and update them as circumstances change.
- Compliance officer. Issuers must designate a compliance officer based in the United States who is responsible for day-to-day program implementation.
- Independent testing. Issuers must arrange for independent testing or audits of their compliance programs.
- Employee training. Issuers must provide ongoing compliance training for employees and relevant personnel.
- Management commitment. Senior management or the board must approve and oversee the compliance program, which must be documented in writing.
In addition to the common program elements above, AML compliance requires issuers to implement specific procedures for monitoring customer activity and reporting suspicious transactions. These additional AML requirements include:
- Customer due diligence. Issuers must conduct ongoing customer due diligence, develop customer risk profiles, and monitor for suspicious transactions.
- Suspicious activity reporting. Issuers must file suspicious activity reports for transactions involving $5,000 or more.
- Recordkeeping and information sharing. Issuers must retain records of transfers of $3,000 or more and share specified information with other financial institutions when transferring funds.
- Government requests and correspondent accounts. Issuers must respond to government information-sharing requests and establish due diligence programs for correspondent and private banking accounts.
- Beneficial ownership. Issuers must collect beneficial ownership information for business customers—a new requirement that does not currently apply to money services businesses.
- Secondary market exclusion. FinCEN has preliminarily determined not to impose suspicious activity reporting obligations on secondary market transactions, citing the limited information issuers would have about counterparties in those transactions.
While all U.S. persons must already comply with OFAC sanctions, the Proposed Rule represents the first time that federal law has explicitly required any category of U.S. person to maintain a formal sanctions compliance program. The GENIUS Act transforms OFAC’s longstanding “A Framework for OFAC Compliance Commitments” into a binding legal obligation. The sanctions program must incorporate OFAC’s five-element framework, which largely overlaps with BSA requirements. In addition to the common program elements above, the additional sanctions requirements include internal sanctions controls—requiring issuers to establish risk-based internal controls to identify, block, and reject transactions that may violate sanctions.
Consistent with the GENIUS Act’s directive that regulations be “tailored to the size and complexity” of each issuer, both programs are principles-based and do not prescribe specific technologies or screening tools.
Violations of the sanctions compliance program requirement could result in civil monetary penalties of up to $100,000 per day for material violations, with an additional $100,000 per day for knowing violations. These penalties are prescribed by the GENIUS Act itself and differ from traditional OFAC enforcement for sanctions violations, which assesses base penalties based on the greater of a statutory maximum for the applicable statute (e.g., currently $377,700 under IEEPA) or twice the transaction value for each violation.
Failure to implement and maintain an AML program that meets the requirements of the BSA could also lead to enforcement for noncompliance with the BSA. Unlike sanctions compliance program violations, there are no separate daily penalties under the Proposed Rule for AML program failures. Instead, AML program violations remain subject to existing BSA enforcement mechanisms, which include civil monetary penalties of up to $71,545 per day for willful AML program violations, and criminal penalties of up to $250,000 in fines and five years' imprisonment (or up to $500,000 and ten years if the violation involves other illegal activity).
In alignment with FinCEN’s proposed rule to modernize AML/CFT compliance, under the Proposed Rule FinCEN generally would not take enforcement action against an issuer with a compliant AML/CFT program absent a “significant or systemic failure” to implement it. Notably, this applies only to FinCEN enforcement of AML/CFT program requirements and does not extend to OFAC enforcement of sanctions compliance program violations. In determining whether to take enforcement action, FinCEN would consider whether the issuer has advanced compliance priorities through innovative approaches, including the “effective use of artificial intelligence, federated learning, and other advanced monitoring tools.” This provides meaningful protection for issuers that invest in robust compliance infrastructure.
Block, Freeze, and Reject
One of the most significant operational challenges in the Proposed Rule is the requirement that PPSIs maintain technical capabilities to block, freeze, and reject impermissible transactions, as well as comply with lawful orders to seize, freeze, burn, or prevent the transfer of payment stablecoins. Critically, these requirements extend to secondary market activity—transactions where the PPSI is not a direct party other than through its smart contract. This is a novel requirement with no direct parallel for other BSA-regulated financial institutions, which are not required to control transactions between third parties with whom they have no customer relationship.
The Proposed Rule does not prescribe how PPSIs should implement these capabilities, affording flexibility to adapt to technological changes. The obligation to act would be triggered by federal or state laws, rules, regulations, or court orders. Nevertheless, the tension between blockchain immutability and the expectation that issuers can block or freeze transactions in real time will be a key area for comment. These technical capabilities represent one of the most significant operational challenges in the Proposed Rule and will require careful assessment of existing systems and potential technology investments.
Practical Recommendations
- Evaluate compliance programs. Current and prospective stablecoin issuers should evaluate existing compliance programs against the new requirements and identify gaps that may require new policies, procedures, or technology investments. We recommend considering how to align compliance programs now rather than waiting for final rules may be beneficial.
- Assess technical infrastructure for secondary market controls. The block/freeze/reject requirements for secondary market transactions are unprecedented and may require significant technical modifications. Issuers should consider beginning to evaluate whether their current architecture can support real-time transaction controls.
- Consider engaging in the rulemaking process. The 60-day comment period provides an opportunity to engage with regulators and shape the final rules. Stablecoin issuers may want to focus comments on specific areas where clarification would be helpful.
- Plan for implementation timing. The GENIUS Act becomes effective January 18, 2027, or 120 days after final regulations are issued, whichever is earlier. FinCEN and OFAC propose that their rules take effect 12 months after the effective date of the GENIUS Act, providing additional implementation time.