Stable Rules for Stablecoins: Treasury Proposes AML and Sanctions Framework for Issuers

On April 8, 2026, the US Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) issued a joint Notice of Proposed Rulemaking (the “Proposed Rule”) to implement the anti-money laundering (“AML”) and sanctions compliance provisions of the Guiding and Establishing National Innovation for US Stablecoins Act (the “GENIUS Act”) for permitted payment stablecoin issuers (“PPSIs”).

The Proposed Rule would treat PPSIs as “financial institutions” under the Bank Secrecy Act (“BSA”), require PPSIs to establish and maintain AML and countering the financing of terrorism (“AML/CFT”) programs, and—for the first time—explicitly mandate that a category of US persons maintain an effective sanctions compliance program. FinCEN and OFAC propose that the final rules become effective 12 months after issuance to allow PPSIs sufficient time to implement the requirements. Comments are due June 9, 2026.

Background

The GENIUS Act, signed into law on July 18, 2025, establishes a federal regulatory framework for payment stablecoins and restricts their issuance to PPSIs. The Act directs Treasury to promulgate regulations ensuring that PPSIs are “subject to all Federal laws applicable to a financial institution located in the United States relating to economic sanctions, prevention of money laundering, customer identification, and due diligence.”¹ The Proposed Rule addresses the AML/CFT and sanctions compliance program components, while a separate forthcoming rulemaking will address customer identification program (“CIP”) requirements.

The Proposed Rule applies to the three PPSI pathways established by the GENIUS Act: subsidiaries of insured depository institutions (“IDIs”) approved by their primary federal regulator; federal qualified payment stablecoin issuers (“FQPSIs”) approved by the Office of the Comptroller of the Currency (“OCC”); and state qualified payment stablecoin issuers (“SQPSIs”) approved by state regulators. Notably, the Proposed Rule does not impose AML/CFT requirements on foreign payment stablecoin issuers (“FPSIs”), though FinCEN solicits comment on whether it should.

Key Takeaways

AML/CFT obligations mirror bank-like requirements: While FinCEN acknowledges that existing stablecoin issuers are generally subject to AML/CFT obligations as money services businesses (“MSBs”), the Proposed Rule would require PPSIs to establish risk-based AML/CFT programs that more closely adhere to the requirements applicable to banks and similar covered financial institutions. Programs must include internal policies, procedures, and controls; ongoing customer due diligence; independent testing; a designated AML/CFT officer located in the United States; and ongoing employee training. Notably, many of these elements, including the explicit requirement for documented risk assessment processes, the “establish and maintain” program framework, and the requirement that the AML/CFT officer be located in the United States, parallel obligations FinCEN has separately proposed for all covered financial institutions under its concurrent AML program modernization rulemaking. To address any potential overlapping requirements, the Proposed Rule would expressly exclude PPSIs from the definition of MSB.

SAR filing threshold set at $5,000—higher than current MSB threshold: PPSIs would be required to file suspicious activity reports (“SARs”) for suspicious transactions involving or aggregating at least $5,000 in funds or other assets. This is notably higher than the $2,000 threshold currently applicable to MSBs, reflecting FinCEN’s view that PPSIs will have CIP obligations analogous to banks and other higher-threshold institutions.

No secondary market monitoring or SAR obligations: The Proposed Rule explicitly scopes out secondary market activity from monitoring and SAR reporting obligations because FinCEN preliminarily determined that the burden of requiring PPSIs to file SARs on secondary market transfers would outweigh the likely benefits, particularly given that PPSIs may have limited information about transactions occurring solely via smart contract interactions. PPSIs would, however, be required to understand the risks posed by customers, the PPSI’s distribution channels, and the blockchains on which its payment stablecoins are deployed. These considerations would inform the PPSI’s risk assessment processes and the development of customer risk profiles, and may require PPSIs to consider observable secondary market activity—such as on-chain interactions by customers with addresses attributed to illicit actors—in conducting ongoing customer due diligence. Notably, while PPSIs would have no obligation to file SARs on secondary market activity they do not formally monitor, they may nevertheless become aware of suspicious secondary market activity through their risk assessment processes or blockchain analytics tools—and would be protected by safe harbor if they voluntarily report such activity. This may create an informal “see-something-say-something” expectation without a formal monitoring mandate.

Technical capabilities required for both primary and secondary market activity:² PPSIs would be required to have technical capabilities, policies, and procedures to block, freeze, and reject impermissible transactions, including those occurring on the secondary market via smart contracts, and to comply with lawful orders. Although separate from the secondary market monitoring and SAR reporting carve-out discussed above, this obligation ensures that PPSIs maintain the infrastructure necessary to act when legally required (e.g., to comply with OFAC sanctions prohibitions or federal seizure warrants targeting payment stablecoins held by third parties).

First-ever mandatory sanctions compliance program: The GENIUS Act’s requirement that PPSIs maintain an “effective sanctions compliance program” represents the first time federal law has explicitly mandated such a program for any category of US persons, notwithstanding the general applicability of underlying sanctions laws. OFAC’s proposed framework would require five core elements: senior management commitment, risk assessments, internal controls, testing and auditing, and training. This framework is consistent with OFAC’s other public guidance on establishing effective sanctions compliance programs, including previous guidance tailored specifically to the virtual currency industry.³ The Proposed Rule would also impose substantial civil monetary penalties for failure to maintain such a sanctions compliance program.

Overview of Proposed AML/CFT Obligations

AML/CFT Program Requirements

The Proposed Rule would create a new 31 CFR Part 1033 governing PPSIs. A PPSI would have an “effective” AML/CFT program if it: (1) establishes the program in accordance with the prescribed requirements and (2) maintains the program by implementing it in all material respects. Where a PPSI is also subject to existing BSA obligations as a bank under 31 CFR Part 1020—as may be the case for uninsured national banks chartered by the OCC—FinCEN expects the parallel requirements to be manageable. Notably, however, the Proposed Rule does not address the position of uninsured state-chartered institutions, such as state trust companies used by certain existing stablecoin issuers, that may face similar overlapping obligations.

Internal policies, procedures, and controls: A PPSI’s risk-based internal policies, procedures, and controls would need to be reasonably designed to: identify, assess, and document money laundering and terrorist financing (“ML/TF”) risks through risk assessment processes; mitigate those risks by directing more attention and resources toward higher-risk customers and activities; and conduct ongoing customer due diligence.

Risk assessment processes: The Proposed Rule would require PPSIs to establish risk assessment processes that evaluate ML/TF risks of the PPSI’s business activities—including products, services, distribution channels, customers, and geographic locations—and incorporate the AML/CFT Priorities published by FinCEN. While risk assessment processes have long been a supervisory expectation, the Proposed Rule makes this an explicit regulatory requirement, consistent with Treasury’s broader effort to codify risk assessment obligations for all financial institutions under its AML modernization initiative.

Ongoing customer due diligence: The Proposed Rule would require PPSIs to conduct ongoing customer due diligence (“CDD”) to understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and to conduct ongoing monitoring to identify and report suspicious transactions. This “fifth pillar” requirement mirrors existing CDD rules for banks and other covered financial institutions. As with banks and other covered financial institutions, PPSIs would be required to collect beneficial ownership information for legal entity customers in primary market transactions, which FinCEN regards as a “core element” of effective due diligence.

Account vs. transfer distinction: The Proposed Rule’s CDD obligations apply to “account” relationships—defined for PPSIs as “a formal relationship between a customer and a permitted payment stablecoin issuer established to provide or engage in services, dealings, or other financial transactions.” This definition distinguishes primary market activity (where PPSIs maintain ongoing customer relationships) from secondary market transfers (where PPSIs interact with stablecoins via smart contracts). The distinction is consequential: most AML obligations would apply to primary market customers, while secondary market activity would be subject primarily to the technical capabilities requirement to block, freeze, and reject impermissible transactions.

AML/CFT officer: The Proposed Rule would require designation of an AML/CFT officer who must be located in the United States, accessible to FinCEN oversight, and not convicted of certain felony offenses involving insider trading, embezzlement, cybercrime, money laundering, terrorist financing, or financial fraud.

Future CIP rulemaking: The Proposed Rule acknowledges that PPSIs will be subject to a CIP requirement, noting the GENIUS Act-specific requirements that an effective program include “identifying and verifying the PPSI’s account holders, high-value transactions, and appropriate enhanced due diligence.” However, the Proposed Rule does not implement the Act’s CIP requirements; instead, FinCEN notes that the Act’s CIP requirements are expected to be the subject of a separate rulemaking.

Suspicious Activity Reporting

PPSIs would be required to file SARs for any suspicious transaction relevant to a possible violation of law or regulation that is conducted or attempted by, at, or through the PPSI and involves or aggregates at least $5,000.

Secondary market activity explicitly excluded: The Proposed Rule would clarify that “a transaction, for purposes of [SAR filing], is not conducted or attempted by, at, or through a permitted payment stablecoin issuer only because a transfer by third parties results in an interaction with a permitted payment stablecoin issuer’s smart contract.” FinCEN acknowledges that the majority of illicit finance involving payment stablecoins occurs on the secondary market, but concludes that requiring secondary market SAR reporting could result in “substantial burden” yielding SARs with “minimal information.”

Coordination provision for bank-affiliated PPSIs: Where a PPSI is a subsidiary of a parent IDI and both institutions have a SAR filing obligation for the same suspicious activity, the Proposed Rule would permit the parent to file SARs on behalf of its PPSI subsidiary (and vice versa), so long as the joint report contains all relevant facts. This provision would also permit sharing of SARs and underlying documentation between a PPSI and its parent IDI within the corporate organizational structure. For bank-affiliated PPSIs, this coordination provision will facilitate enterprise-wide compliance but will require careful attention to ensuring that PPSI-specific risks and transactions are adequately captured in joint filings.

Recordkeeping and Travel Rule

The Proposed Rule would require PPSIs to comply with the BSA’s Recordkeeping Rule, obligating PPSIs to collect and retain records for funds transfers and transmittals of funds in amounts of $3,000 or more. The Travel Rule would also apply, requiring PPSIs to transmit information on certain funds transfers and transmittals to other participating financial institutions. To clarify the application of these rules to stablecoin transactions, FinCEN proposes amending the definition of “transmittal order” to expressly include payment stablecoins in addition to “money.” The Proposed Rule would also add PPSIs to the list of entities excepted from recordkeeping requirements for transfers between regulated financial institutions, and thus the Recordkeeping Rule would not apply to transmittals of funds where both the transmittor and recipient are a PPSI, bank, or other covered financial institution. Notably, FinCEN did not address the well-documented implementation challenges that digital asset service providers have faced in complying with Travel Rule requirements for blockchain-based transfers.

Enhanced Due Diligence and Special Measures

FinCEN proposes extending to PPSIs the enhanced due diligence requirements for correspondent accounts for foreign financial institutions and private banking accounts. For these purposes, FinCEN would define a “correspondent account” for a PPSI as any formal relationship established to provide regular services, dealings, or other financial transactions—capturing, for example, relationships with foreign financial institutions that access the PPSI for minting, redemption, or custodial services. PPSIs would also be required to comply with special measures issued pursuant to Section 311 of the USA PATRIOT Act when foreign financial institutions or transactions are of primary money laundering concern. With respect to private banking accounts—defined in part under existing regulations as accounts with minimum aggregate assets exceeding $1 million, on behalf of a non-US person, and assigned or administered by the covered financial institution—FinCEN proposes no changes to the existing definition and seeks comment on whether it appropriately addresses PPSIs. Given that payment stablecoins are designed for payment and settlement rather than wealth management, it remains to be seen whether such relationships will arise frequently in practice.

Overview of Proposed Sanctions Compliance Requirements

First Mandatory Sanctions Compliance Program Requirement

While all US persons are currently required to comply with US sanctions under OFAC regulations, the GENIUS Act’s requirement that PPSIs maintain an “effective sanctions compliance program” is the first time federal law has explicitly mandated that a specific category of US persons establish and maintain such a program. OFAC proposes codifying this requirement at new 31 CFR Part 502.

Five Elements of an Effective Program

Drawing on OFAC’s 2019 Framework for OFAC Compliance Commitments, the Proposed Rule would require PPSIs to adopt a sanctions compliance program including five key elements:

• Senior management commitment: Senior management would be required to review and approve the sanctions compliance program and support its effective implementation by ensuring it applies to all payment stablecoin-related activity, has sufficient resources, is fully integrated into ongoing operations, provides routine risk updates to management, and provides sufficient authority and autonomy to the compliance function.
• Risk assessments: PPSIs would be required to conduct holistic assessments of US sanctions risks at appropriate intervals, use assessments to inform program operations including revising internal controls and training as appropriate, and revise assessments as appropriate to account for identified violations, deficiencies, new products or services, mergers or acquisitions, and other factors affecting the risk profile.
• Internal controls: PPSIs would be required to establish and maintain a system of risk-based internal controls—including technical capabilities and written policies and procedures—applicable to all payment stablecoin-related activity, whether on the primary or secondary market, that identifies, blocks, and/or rejects transactions that may violate US sanctions and retains relevant records.
• Testing and auditing: PPSIs would be required to establish and maintain an independent testing or audit function, accountable to senior management, with sufficient resources, expertise, and authority to identify sanctions compliance weaknesses and deficiencies.
• Training: PPSIs would be required to establish a risk-based sanctions compliance training program performed at least annually, provided to all relevant personnel, appropriately tailored to each trainee’s role, and modified to reflect risk assessment findings and identified deficiencies.

Certain Sanctions Obligations Extend to Secondary Market Activity

Unlike the SAR reporting obligation, the Proposed Rule’s sanctions compliance requirements would apply to both primary and secondary market activity. While the Proposed Rule extends sanctions compliance requirements to secondary market activity, it does so in a targeted manner, requiring only technical blocking/freezing capabilities and compliance with lawful orders. OFAC notes that US persons—including stablecoin issuers—are already prohibited from engaging in secondary market activities with blocked persons, for example, by allowing a blocked person to engage with the issuer’s smart contract to facilitate trades. The Proposed Rule would formalize the expectation that PPSIs maintain technical capabilities to identify and block stablecoins traded by blocked persons on the secondary market when PPSIs exercise possession or control of such stablecoins through smart contracts. Although formal monitoring is not required for SAR purposes, PPSIs may use existing technical capabilities—including blockchain analytics, on-chain screening, and smart contract visibility—to identify when blocked persons interact with their stablecoins on the secondary market. The distinction is between mandatory transaction monitoring (for SAR filing purposes) and having the technical capability to respond when blocked persons are identified through screening tools. OFAC’s Virtual Currency Industry Guidance provides examples of best practices for internal controls, including transaction monitoring and sanctions screening, that PPSIs should consider adopting.

Penalties for Sanctions Compliance Program Violations

The GENIUS Act authorizes civil monetary penalties of up to $100,000 per day for material violations of the requirement to maintain an effective sanctions compliance program, with an additional $100,000 per day for knowing violations. OFAC defines “knowingly” for these purposes to mean that a person has actual knowledge, or should have known, of the conduct, the circumstance, or the result. These GENIUS Act-specific penalties are distinct from, and in addition to, the traditional OFAC enforcement penalties available pursuant to IEEPA and other relevant sanctions authorities for substantive sanctions violations. The availability of penalties specifically for program failures—as opposed to only for substantive violations—represents a significant shift in the enforcement landscape and underscores the importance of establishing robust sanctions compliance infrastructure.

Next Steps

The Proposed Rule provides the first comprehensive view of Treasury’s approach to AML/CFT and sanctions compliance for the emerging PPSI framework. Institutions considering entry into this space—whether as bank subsidiaries, federal charter applicants, or state-regulated issuers—should take the following steps:

• Assess current programs against PPSI-specific requirements: Institutions already operating as stablecoin issuers under MSB registration should evaluate whether their current AML/CFT programs satisfy the more prescriptive PPSI requirements—particularly the mandatory sanctions compliance program, documented risk assessment processes, and independent testing. Bank-affiliated entrants should assess opportunities for enterprise-wide program integration while ensuring PPSI-specific risks receive adequate treatment.
• Monitor forthcoming rulemakings: The Proposed Rule does not address CIP requirements, which FinCEN indicates will be the subject of a separate rulemaking. How CIP obligations are structured—particularly whether they extend beyond “account” relationships—will significantly affect the overall compliance burden.
• Consider submitting comments: FinCEN and OFAC have requested comment on several consequential issues, including: whether to impose limited secondary market reporting obligations; whether to extend AML/CFT requirements to foreign payment stablecoin issuers; and whether to expand the definition of “account” to include wallet addresses for purposes of lawful order compliance. Comments are due June 9, 2026.

¹ 12 U.S.C. § 5903(a)(5)(A).

² Under the Proposed Rule, a “primary market” transaction is a transaction directly involving the PPSI, such as issuance, redemption, or similar transactions directly between a PPSI and a user; conversely, a “secondary market” transaction is a transaction among users that does not involve the PPSI as a party beyond its operation of a smart contract.

³ For more information on the topics discussed in this Legal Update, please see our prior publications: Treasury Takes Initial Steps Towards GENIUS Act Rulemaking (October 2025), which discusses Treasury’s advance notice of proposed rulemaking and provides background on the GENIUS Act’s AML and sanctions provisions that inform this Proposed Rule; and Federal Appeals Court Tosses OFAC Sanctions on Tornado Cash and Limits Federal Government’s Ability to Police Crypto Transactions (December 2024), which analyzes the Fifth Circuit’s landmark ruling on OFAC’s authority to sanction smart contracts under IEEPA—a decision directly relevant to the Proposed Rule’s interpretation of PPSI “control” over stablecoins on the secondary market through smart contracts.