Treasury Proposes New AML/CFT and Sanctions Obligations for Payment Stablecoin Issuers Under the GENIUS Act

Key Takeaways

• Permitted payment stablecoin issuers (PPSIs) would be excluded from the definition of “money services business” (MSBs) and included as a new category of financial institution in FinCEN’s regulations.
• PPSIs would be required to implement an AML/CFT program tailored to the PPSI business model, including customer due diligence (CDD), beneficial ownership information (BOI) collection for legal entity customers, and risk assessment processes. Generally, these customer-facing requirements would extend only to “primary market” relationships.
• For the first time, the Proposed Rule would require a specific category of U.S. person to maintain a sanctions compliance program modeled on OFAC’s 2019 Compliance Framework. PPSIs would also be required to maintain the capability to block transactions that would violate U.S. sanctions or otherwise be unlawful, including on the secondary market, and OFAC proposes additional civil penalties for knowing violations.
• The Proposed Rule would not implement the GENIUS Act’s customer identification program (CIP) requirement, which FinCEN states will be addressed in a separate rulemaking.
• Comments on the NPRM are due on June 9, 2026, and Treasury proposes that any final rule become effective 12 months after issuance.

On April 8, 2026, the U.S. Department of the Treasury issued a joint notice of proposed rulemaking (the NPRM or Proposed Rule) through the Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) to implement the anti-money laundering/countering the financing of terrorism (AML/CFT), and sanctions provisions of the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the GENIUS Act) for PPSIs. The NPRM signals Treasury’s intent to integrate PPSIs into the United States’ core AML/CFT compliance framework through a combination of familiar Bank Secrecy Act (BSA) and OFAC requirements and new, stablecoin-specific controls. In practical terms, Treasury would expect PPSIs to operate with compliance programs resembling those of other regulated financial institutions while also addressing risks and controls specific to payment stablecoins.

Bringing PPSIs within the BSA Framework

A key theme of the NPRM is Treasury’s distinction between the “primary market,” where a PPSI interacts directly with a “user or holder,” and the “secondary market,” where activity occurs without the issuer acting as a direct counterparty (other than through smart contracts or related technical infrastructure). Under the Proposed Rule, Treasury would extend certain obligations—notably, technical controls and sanctions controls—to secondary market activity, while declining to impose others, such as a blanket requirement for filing suspicious activity reports (SARs) related to secondary market transactions.

FinCEN proposes to amend its regulations to include PPSIs within the definition of “financial institution” (FI) and to exclude PPSIs from the definition of MSBs (which, themselves, are FIs under the BSA). The Proposed Rule would also add or revise a series of definitions intended to integrate payment stablecoins into existing BSA concepts, including “digital asset,” “lawful order,” “transaction,” and “transmittal order.” Collectively, these changes would create a distinct regulatory category for PPSIs.

Some of these definitional changes may also have an impact beyond PPSIs themselves. In particular, FinCEN’s proposed definition of “digital asset” and amendment to “transmittal order” could affect how other FIs and counterparties analyze payment stablecoin transfers under existing BSA concepts. By expressly providing that a transmittal order to pay payment stablecoins is a “transmittal order” like an order to pay traditional money, the Proposed Rule would make explicit that payment stablecoin transfers fall within FinCEN’s existing Recordkeeping Rule and Travel Rule framework.

At the same time, FinCEN states that its new “digital asset” definition is being added for clarity in the PPSI context and should not be read to displace its existing regulatory treatment of “value that substitutes for currency” or “convertible virtual currency” (CVC), suggesting that the Proposed Rule aims to provide greater clarity on the treatment of payment stablecoins under the BSA without altering the broader framework applicable to other digital assets.

PPSIs Would Be Subject to Core AML/CFT Program Requirements

The centerpiece of the FinCEN portion of the NPRM is the proposal at 31 C.F.R. § 1033.210 to require PPSIs to establish and maintain an “effective” AML/CFT program. Treasury explains that the Proposed Rule is intended to align with FinCEN’s broader effectiveness-based AML/CFT modernization effort while being tailored to PPSIs’ products, customers, distribution channels, and risk profile.

As proposed, a PPSI’s AML/CFT program would need to include risk-based internal policies, procedures, and controls; documented risk assessment processes; measures to mitigate identified money laundering, terrorist financing, and other illicit finance risks; ongoing CDD; independent testing; an AML/CFT compliance officer located in the United States; ongoing training for relevant employees; and a written program approved by the board or senior management. The Proposed Rule would also amend FinCEN’s beneficial ownership rule to require PPSIs to collect BOI for their legal entity customers.

The BOI requirement could cause considerable friction in practice, however. Treasury’s discussion of the current stablecoin ecosystem indicates that many PPSIs interact directly with larger companies and FIs rather than with retail customers, and FinCEN’s own regulatory impact analysis separately treats BOI collection for legal entity customers as a meaningful incremental burden for non-bank PPSIs. For PPSIs that today think of themselves primarily as stablecoin issuers rather than as customer-facing regulated financial institutions, CDD and BOI collection may therefore become a significant operational challenge.

The NPRM also reinforces FinCEN’s emphasis on effectiveness and risk-based resource allocation. PPSIs would be expected to identify, assess, and document risk across products, services, distribution channels, customers, and geographies, and to incorporate federal AML/CFT priorities as appropriate. Treasury also indicates that PPSIs may need to consider both off-chain and on-chain information in understanding customer risk, including public blockchain activity, where relevant. At the same time, FinCEN stops short of requiring PPSIs to maintain a standalone AML/CFT monitoring program for secondary market activity independent of other obligations.

Treasury Would Require Technical Controls, Including for Secondary Market Activity

One of the most consequential features of the FinCEN portion of the NPRM is the proposal at 31 C.F.R. § 1033.240 to require PPSIs to maintain technical capabilities, policies, and procedures to block, freeze, and reject specific or impermissible transactions that violate federal or state law, rules, or regulations. Under the Proposed Rule, FinCEN would also require PPSIs to have the technological ability to comply—and to actually comply—with the terms of any “lawful order,” such as an order requiring the issuer to seize, freeze, burn, or prevent the transfer of issued payment stablecoins.

Treasury expressly provides that these obligations would extend to secondary market activity. FinCEN explains that limiting these requirements to primary market activity would be of limited practical value, because PPSIs are expected to have a relatively small number of direct (generally institutional) customers, while much of the illicit activity involving payment stablecoins occurs on the secondary market. Treasury therefore takes the position that PPSIs must be able—when legally required—to act with respect to payment stablecoins they have issued, even after those stablecoins circulate beyond the direct issuer-to-customer relationship.

The NPRM’s discussion of smart contract functionality is especially important. FinCEN notes that some stablecoin issuers already use smart contract programming to ban specific wallet addresses from interacting with the relevant contracts, freeze stablecoins at specified addresses, burn stablecoins, or otherwise prevent transfers. The NPRM does not prescribe a single technological architecture, but it assumes that at least some PPSIs will be able to exercise meaningful control over their issued stablecoins via technical controls, including in the secondary market.

Similarly, in the sanctions context, Treasury explains that a PPSI’s technical capabilities, policies, and procedures should account for identifying and blocking or rejecting payment stablecoin-related transactions that would violate U.S. sanctions, including secondary market transactions where the PPSI exercises possession or control “including through smart contracts.” The Proposed Rule therefore appears to reflect the view that a PPSI’s ability to exercise control through smart contracts may bear on whether the issuer’s compliance obligations extend to certain secondary market activity.

At the same time, FinCEN does not propose to require PPSIs to determine, in the abstract, whether downstream activity is unlawful. Rather, Treasury’s approach is to require PPSIs to have the relevant capabilities and procedures in place and to use them when legally required. For PPSIs, this is likely one of the central issues in the Proposed Rule: Treasury is not mandating a particular technical design, but it is clearly expecting real compliance capability where legal obligations attach.

PPSIs Would Be Subject to Reporting, Recordkeeping, Information-Sharing, and Other BSA Obligations

The Proposed Rule would subject PPSIs to other familiar BSA obligations. Proposed subpart C of Part 1033 would apply SAR requirements; proposed §§ 1033.400 and 1033.410 would apply the BSA recordkeeping regime, including the Recordkeeping Rule and Travel Rule; proposed §§ 1033.520 and 1033.540 would bring PPSIs into the USA PATRIOT Act’s sections 314(a) and 314(b) information-sharing frameworks; and proposed provisions in subpart F would apply special standards of diligence and certain special measures. As noted above, the SAR proposal includes an important limitation: FinCEN proposes a $5,000 SAR threshold for PPSIs, aligning them with many other BSA-regulated FIs rather than the $2,000 threshold currently applicable to MSBs. At the same time, FinCEN expressly declines to impose a blanket SAR obligation with respect to secondary market activity. Treasury reasons that requiring PPSIs to report suspicious activity across the secondary market could impose substantial monitoring burdens while yielding limited useful information to law enforcement and encouraging defensive filing. FinCEN therefore proposes to clarify that a transfer is not conducted or attempted “by, at, or through” a PPSI solely because it interacts with the PPSI’s smart contract, while preserving the ability for PPSIs to file voluntary SARs where appropriate.

As discussed above, Treasury also proposes to make explicit that the Recordkeeping Rule and Travel Rule apply in the PPSI context by amending the definition of “transmittal order” to include payment stablecoins. Treasury specifically asks for comment on whether the resulting framework is sufficiently clear or whether PPSI-specific Recordkeeping and Travel Rules would be preferable. This change could impact not only PPSIs but also counterparties and other FIs assessing how payment stablecoin transfers should be treated under existing funds-transfer concepts. Notably, the rule does not address the practical challenges that entities engaged in the transfer of payment stablecoins and other forms of virtual currency face in determining the identity of their counterparty and the ultimate recipient of the transfer.

For PPSIs that are affiliated with depository institutions or otherwise operate in already regulated industries, the NPRM addresses how FinCEN may handle overlapping AML/CFT and sanctions obligations. FinCEN states, for example, that where a PPSI is a subsidiary of an insured depository institution, the enterprise may generally elect to extend a single AML/CFT program to both entities, so long as the program is reasonably designed to identify and mitigate risks across both entities and satisfies all applicable requirements. FinCEN notes, however, that where a PPSI is subject to different obligations from those of its parent, it must comply with the PPSI-specific requirements.

Taken together, the Proposed Rule’s changes would more firmly situate PPSIs within the mainstream BSA compliance framework applicable to other regulated FIs.

OFAC Would Require PPSIs to Maintain an Effective Sanctions Compliance Program

The OFAC portion of the NPRM is also significant. Although PPSIs are, by definition, already U.S. persons that are required to comply with U.S. sanctions laws and regulations, the GENIUS Act goes further by expressly requiring PPSIs to maintain an effective sanctions compliance program. This requirement would be the first time federal law has explicitly mandated that a particular category of U.S. person maintain such a program. To implement that requirement, OFAC proposes to create a new Part 502 of the OFAC regulations.

Under proposed § 502.201, an effective sanctions compliance program would need to be risk-based and reasonably designed to ensure compliance with applicable U.S. sanctions and would need to include (at minimum) five key elements: (1) senior management and organizational commitment; (2) risk assessment; (3) internal controls; (4) independent testing/auditing; and (5) training. Treasury explains that this framework draws heavily from OFAC’s 2019 “Framework for OFAC Compliance Commitments” and its 2021 “Sanctions Compliance Guidance for the Virtual Currency Industry,” but under this regulation maintaining a program aligned with this guidance would now become an explicit requirement for PPSIs.

The breadth of the OFAC proposal is reinforced by the NPRM’s definition of “payment stablecoin-related activity,” which would include issuing, trading, holding, transacting, transferring, redeeming, or any other activity involving a payment stablecoin issued by a PPSI from the time of issuance until removal from circulation, whether on the primary or secondary market. OFAC explains that this definition is intended to capture the full lifecycle of a payment stablecoin and to “future-proof” the regulations.

With respect to internal controls, OFAC would require PPSIs to maintain technical capabilities and written policies and procedures, applicable to all payment stablecoin-related activity, whether on the primary or secondary market, to identify, block, and/or reject transactions that may or would violate U.S. sanctions. OFAC emphasizes that, although PPSIs generally are neither the originator nor the beneficiary of transactions beyond the point of issuance and redemption, the GENIUS Act nevertheless contemplates that PPSIs may have obligations with respect to secondary market activity involving stablecoins they have issued.

Treasury’s sanctions-related discussion gives a clear example of how the Proposed Rule may operate. The NPRM states that a U.S. person stablecoin issuer would engage in the prohibited provision of services to a blocked person if it allowed that person to interact with the issuer’s smart contract to facilitate secondary market trades. Treasury adds that, in such circumstances, the issuer would be required to block the stablecoins, because the blocked person has an interest in them and the issuer controls them through its smart contract. This guidance clarifies regulator expectations for related controls.

The Proposed Rule would also subject PPSIs to OFAC’s standard recordkeeping and reporting requirements under Part 501 and would require PPSIs to provide to OFAC, upon request, certifications submitted to their federal or state stablecoin regulators regarding implementation of an effective sanctions compliance program. Finally, OFAC proposes civil penalties of up to $100,000 per day for material violations of the program requirement and up to an additional $100,000 per day for knowing violations of it, with “knowingly” defined to mean that a person has actual knowledge, or should have known, of the relevant conduct, circumstance, or result.

The Proposed Rule Intersects with Other GENIUS Act Rulemakings and Obligations

While the NPRM creates distinct and detailed AML/CFT and sanctions obligations, it cannot be read in a vacuum. The obligations imposed on PPSIs in the NPRM intersect with proposed rules that either have been or will be issued by both Treasury and the primary Federal payment stablecoin regulators (the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the National Credit Union Administration).

As an example, in the OCC’s recent notice of proposed rulemaking implementing the GENIUS Act requirements for entities under its jurisdiction, the OCC asks whether it should define the term “stablecoin holder” to encompass persons that beneficially own a payment stablecoin or alternatively based on possession via digital wallets or control of cryptographic keys. How the OCC defines this term may alter the parameters of PPSIs’ obligations to monitor primary market participants under the Proposed Rule.

Entities considering becoming state-qualified issuers should additionally monitor the progress of Treasury’s separate notice of proposed rulemaking, issued April 3, 2026, that outlines principles for determining whether a state’s regulatory framework meets the “substantial similarity” requirement imposed by the GENIUS Act. In the Proposed Rule, Treasury states that it expects state regulatory regimes to be uniform with federal requirements for BSA and sanctions programs, with the exception of technical, non-substantive amendments, and generally anticipates that states will cross-reference the federal requirements.

Lastly, as outlined above, the NPRM would not implement the GENIUS Act’s CIP requirement. Treasury notes that this requirement will be addressed in a separate forthcoming rulemaking and that its approach will “closely adhere to existing BSA requirements.”

Enforcement and Examination

FinCEN proposes a calibrated approach to supervision and enforcement whereby, once a PPSI has established an appropriate AML/CFT program, FinCEN generally would reserve significant action for significant or systemic failures to maintain the program rather than for minor shortcomings or technical deficiencies. Treasury also proposes a notice and consultation framework requiring primary federal payment stablecoin regulators to consult with FinCEN before taking certain significant AML/CFT supervisory actions.

State-Qualified PPSIs

The Proposed Rule delegates FinCEN’s examination authority over PPSIs to the primary federal payment stablecoin regulators. For state-qualified issuers below the $10 billion in consolidated total outstanding issuance threshold and other PPSIs that are not examined by a primary federal payment stablecoin regulator, FinCEN proposes delegating its examination authority to the Internal Revenue Service, mirroring how FinCEN delegates its examination authority over MSBs to the IRS. Issuers considering a state pathway such as New York’s BitLicense regime or California’s new DFAL framework may wish to take this into account when evaluating licensing strategy and regulatory oversight.

Practical Implications

Ultimately, Treasury’s request for comment suggests that the debate over the Proposed Rule is likely to focus less on whether PPSIs should be subject to AML/CFT and sanctions obligations in principle and more on how those obligations should operate in practice, particularly with respect to technical control requirements, secondary market activity, and the Recordkeeping Rule/Travel Rule framework.

While awaiting publication of the final rule, current stablecoin issuers and prospective PPSIs should continue to comply with existing MSB registration requirements and AML/CFT obligations, plan to strengthen their sanctions compliance program to meet the requirements outlined in the rule, and ensure they have the capability to block, freeze, and reject transactions on the secondary market via smart contract architecture or other means.

Comments on the NPRM are due on June 9, 2026, and Treasury proposes that any final rule become effective 12 months after issuance.