FinCEN and OFAC Propose AML/CFT Sanctions Framework for Payment Stablecoin Issuers Under GENIUS Act

On July 18, 2025, Congress enacted the GENIUS Act, establishing the first comprehensive federal regulatory framework for payment stablecoins in the United States.[1] The GENIUS Act provides that PPSIs be treated as financial institutions under the BSA and be subject to all federal laws applicable to financial institutions in the United States relating to economic sanctions, AML, customer identification, and due diligence. The GENIUS Act tasks the Secretary of the Treasury with implementing these provisions through regulations tailored to the size and complexity of PPSIs.

Pursuant to this mandate, on April 10, 2026, FinCEN and OFAC jointly issued the Proposed Rule to implement the GENIUS Act’s AML/CFT and sanctions compliance directives. The Proposed Rule addresses two distinct but complementary regulatory frameworks: (1) FinCEN's proposed changes to 31 C.F.R. Chapter X to impose BSA and AML/CFT obligations on PPSIs, and (2) OFAC’s proposed new 31 C.F.R. Part 502 establishing sanctions compliance program requirements for PPSIs.

If adopted in its current form, the Proposed Rule would, among other things: (1) define PPSIs as financial institutions under the BSA; (2) require PPSIs to establish and maintain effective, risk-based AML/CFT programs; (3) mandate suspicious activity reporting (SAR) obligations for primary market transactions; (4) impose recordkeeping and Travel Rule requirements; (5) require technical capabilities to block, freeze, and reject impermissible transactions and comply with lawful orders; and (6) require PPSIs to maintain an effective sanctions compliance program incorporating five core elements drawn from OFAC’s 2019 Compliance Framework and its 2021 Sanctions Compliance Guidance for the Virtual Currency Industry.[2]

The Proposed Rule would take effect 12 months from the date a final rule is issued. Comments are due June 9, 2026.

A.  Defining PPSIs as Financial Institutions Under the BSA

FinCEN proposes to expressly add PPSIs to the regulatory definition of “financial institution” in 31 C.F.R. Section 1010.100(t) and carve PPSIs out of the definition of money services business (MSB) at 31 C.F.R. Section 1010.100(ff). FinCEN notes that stablecoin issuers are generally subject to BSA obligations as financial institutions, specifically as money transmitters. However, as required by the GENIUS Act, FinCEN proposes obligations that differ in some material respects from current MSB obligations, along with certain PPSI-specific obligations required by the GENIUS Act.

B.  AML/CFT Program Requirements

Consistent with FinCEN’s BSA/AML program modernization efforts under the Anti-Money Laundering Act of 2020 (AML Act), the Proposed Rule would require PPSIs to establish and maintain “effective” AML/CFT programs.[3] A program would be “effective” if the PPSI: (1) properly establishes and keeps current on an ongoing basis as its risk profile evolves, a program incorporating the four core pillars described below; and (2) maintains the program by implementing it in all material respects. The AML/CFT program must be written, approved by the PPSI’s board of directors, equivalent governing body, or appropriate senior management, and made available to FinCEN or its designees upon request.[4]

A PPSI’s AML/CFT program must include, at a minimum, the following four core pillars:

1.  Risk-Based Internal Policies, Procedures, and Controls. The Proposed Rule would require PPSIs to establish a risk-based set of internal policies, procedures, and controls reasonably designed to ensure compliance with the BSA and 31 C.F.R. Chapter X. Consistent with the AML Act’s directive, AML/CFT programs must be risk-based, directing greater attention and resources to higher-risk customers and activities consistent with the PPSI’s risk profile.

The Proposed Rule would require PPSIs to conduct ongoing customer due diligence (CDD) to understand the nature and purpose of customer relationships for purposes of developing a customer risk profile, monitor transactions on an ongoing basis to identify and report suspicious activity, and, on a risk basis, maintain and update customer information — including information regarding the beneficial owners (BOI) of legal entity customers. CDD and BOI obligations would apply to primary market activity only (i.e., where the PPSI and user have a direct relationship or interaction beyond the involvement of a PPSI’s smart contract) and do not extend to secondary market activity.[5]

The Proposed Rule would require PPSIs to establish and maintain formal risk assessment processes. These processes must: (1) evaluate money laundering, terrorist financing, and other illicit finance activity (ML/TF) risks of the PPSI’s business activities, including products, services, distribution channels, customers, and geographic locations; (2) review and, as appropriate, incorporate FinCEN’s published AML/CFT[6] Priorities (AML/CFT Priorities);[7] and (3) be updated promptly upon any change that the PPSI knows or has reason to know significantly changes its ML/TF risk profile.[8]

2.  Independent AML/CFT Program Testing. The Proposed Rule would requires PPSIs to establish independent AML/CFT program testing, which may be conducted by PPSI personnel or an outside party, but must be independent in all cases. FinCEN expects independent testers to have sufficient knowledge of the PPSI’s risk profile and applicable AML/CFT laws and regulations to perform testing effectively.

3.  AML/CFT Officer Requirements. The Proposed Rule would implement the GENIUS Act’s directive that PPSIs designate an “officer” responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance. The AML/CFT officer must: (1) be located in the United States; (2) be accessible to, and subject to oversight and supervision by, FinCEN and its designees; and (3) not have been convicted of a felony offense involving insider trading, embezzlement, cybercrime, money laundering, financing of terrorism, or financial fraud — a restriction expressly required under the GENIUS Act.

4.  Ongoing Employee Training Program. The Proposed Rule would require PPSIs to establish an ongoing employee training program. The frequency and content of training should be commensurate with the PPSI’s ML/TF risk profile and the specific roles and responsibilities of those being trained.

C.  Supervision and Enforcement Framework

The Proposed Rule would establish a supervision and enforcement framework for PPSIs modeled on the framework FinCEN has proposed for banks. Under this framework: (1) a PPSI that has properly established an AML/CFT program would not be subject to AML/CFT enforcement or supervisory actions absent a significant or systemic failure to implement the program; (2) primary federal payment stablecoin regulators must provide FinCEN’s Director with at least 30 days’ written notice before initiating an AML/CFT supervisory action, accompanied by relevant examination materials; and (3) FinCEN’s Director must consider, among other factors, the PPSI’s efforts to advance AML/CFT priorities, including through the provision of highly useful information to law enforcement, proactive analytics, and the effective use of artificial intelligence or other advanced monitoring tools.

D.  Technical Capabilities, Policies, and Procedures

The GENIUS Act requires PPSIs to have “technical capabilities, policies, and procedures to block, freeze, and reject specific or impermissible transactions that violate [f]ederal or [s]tate laws, rules, or regulations.”[9] The Proposed Rule would implement this requirement and extend it to secondary market activity. Separately, the Proposed Rule would require PPSIs to maintain the technological capability to comply with, and actually comply with, the terms of any “lawful order,” defined as a final and valid court or Federal agency order, issued under Federal law, requiring a PPSI to seize, freeze, burn, or prevent the transfer of payment stablecoins it issued, with reasonable particularity, and subject to judicial or administrative review.

E.  Suspicious Activity Reporting

PPSIs would have SAR filing obligations under the Proposed Rule, consistent with those applicable to most other financial institutions, including a $5,000 reporting threshold (compared to the $2,000 threshold currently applicable to MSBs). The Proposed Rule would exclude secondary market transactions from SAR reporting obligations. FinCEN has invited comment on this determination and notes that PPSIs retain the ability to file voluntary SARs on secondary market activity and would be protected from liability for doing so.[10]

F.  Recordkeeping and Travel Rule

The Proposed Rule would subject PPSIs to the BSA’s Recordkeeping Rule and Travel Rule, requiring PPSIs to collect and retain records for funds transfers and transmittals of funds of $3,000 or more and to pass identifying information to other financial institutions participating in the payment chain. To eliminate ambiguity, the Proposed Rule would amend the definition of “transmittal order” to include payment stablecoins — confirming prior FinCEN guidance that convertible virtual currency transfers are subject to these obligations.

G.  Sanctions Compliance Program Requirements

The Proposed Rule would implement the GENIUS Act’s requirement that PPSIs maintain “an effective economic sanctions compliance program, including verification of sanctions lists, consistent with [f]ederal law.”[11] This requirement would represent the first time federal law has mandated that a particular category of U.S. person maintain a formal sanctions compliance program (SCP), though the underlying obligation to comply with U.S. sanctions has always applied to PPSIs as U.S. persons.

The Proposed Rule would ground the five minimum elements of an effective SCP in OFAC’s 2019 Compliance Framework and its 2021 Sanctions Compliance Guidance for the Virtual Currency Industry.[12]

1.  The Five Minimum Elements of an Effective SCP. A PPSI’s SCP must be risk-based and reasonably designed to ensure compliance with all applicable U.S. sanctions and must apply to all payment stablecoin-related activity, whether on the primary or secondary market.[13] At a minimum, an effective SCP would be required to include the following five elements:

(a) Senior Management and Organizational Commitment: Senior management must review and approve the SCP and ensure it is adequately resourced, integrated into ongoing stablecoin-related operations, and that the sanctions compliance function has sufficient authority and autonomy to manage U.S. sanctions risks across the organization.

(b) Risk Assessments: PPSIs must conduct holistic assessments of U.S. sanctions risks at appropriate intervals, use those assessments to inform and revise internal controls and training, and update assessments upon identification of violations, new products or services, or other risk profile changes. The Proposed Rule does not prescribe a fixed assessment frequency, instead requiring that assessments be conducted at a cadence appropriate to the PPSI’s risk profile and complexity.

(c) Internal Controls: PPSIs must establish and maintain a system of risk-based internal controls[14] — including both technical capabilities and written policies and procedures — applicable to all payment stablecoin-related activity on the primary and secondary market, sufficient to identify, block, or reject prohibited transactions and retain required records.

(d) Testing and Auditing: PPSIs must establish and maintain an independent testing or audit function, accountable to senior management, with sufficient resources and authority to identify U.S. sanctions compliance weaknesses and deficiencies, including in products and services under development. PPSIs must retain records of testing and audit results and any resulting program enhancements and must make such records available to OFAC upon request.

(e) Training: PPSIs must maintain a risk-based compliance training program conducted at least annually — with additional frequency as warranted by the PPSI's risk profile and assessment findings — provided to all relevant personnel and stakeholders, tailored to each trainee's role, modified to reflect risk assessment and audit findings and identified deficiencies, and designed to ensure that resources and materials are readily accessible.

2.  Recordkeeping, Reporting, and Certification Obligations. The Proposed Rule would require PPSIs to comply with standard recordkeeping and reporting requirements in 31 C.F.R. Part 501. The Proposed Rule would also require PPSIs to provide OFAC, upon request, any certifications submitted to the PPSI’s primary federal or state payment stablecoin regulator certifying, pursuant to the GENIUS Act, that the PPSI has implemented an effective SCP.

3.  Civil Penalties. Under the Proposed Rule, a PPSI that materially violates the requirement to maintain an effective SCP would be subject to a civil penalty of up to $100,000 per day during which the violation continues. An additional penalty of up to $100,000 per day may be imposed where the PPSI knowingly violates the requirement.[15] These penalties would be in addition to, and independent of, civil penalties that may be imposed under OFAC’s existing sanctions enforcement authorities, including the International Emergency Economic Powers Act, for underlying sanctions violations.[16]

Next Steps

The Proposed Rule would introduce a comprehensive BSA and sanctions compliance framework for PPSIs. Stablecoin issuers currently regulated as MSBs should evaluate the proposed transition from the MSB framework to the PPSI framework. While many program elements are similar, the Proposed Rule would introduce notable differences, including the $5,000 SAR threshold (versus $2,000 for MSBs), the explicit exclusion of secondary market activity from SAR obligations, new technical capabilities and lawful order compliance obligations, and a formal SCP requirement that, while consistent with OFAC’s existing guidance, is now legally mandated.

FinCEN and OFAC have requested comment on numerous specific policy choices, including the secondary market SAR exclusion, the appropriate scope of technical capability requirements, the application of BOI collection obligations, the supervision and enforcement framework, and the effective date. Stakeholders across the payment stablecoin ecosystem — including issuers, exchanges, financial institutions, and technology providers — should consider submitting comments during the 60-day comment period.

[1] GENIUS Act, Pub. L. No. 119–27, §§ 13(a), 20, 139 Stat. 459, 466 (2025) (codified at 12 U.S.C. §§ 5901 et seq.) (mandating issuance of final regulations by July 18, 2026, and establishing an effective date of the earlier of January 18, 2027, or 120 days after implementing regulations are finalized).

[2] OFAC, A Framework for OFAC Compliance Commitments (May 2, 2019); OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (October 2021).

[3] See our April 2026 GT Alert for more details.

[4] FinCEN also expressly grants PPSIs the flexibility to responsibly adopt innovative technologies as part of their reasonably designed internal policies, procedures, and controls. 91 Fed. Reg. at 18599.

[5] For PPSIs, FinCEN notes that relevant CDD considerations may include the type of entity seeking to establish a customer relationship, the jurisdiction of domicile, applicable AML/CFT obligations they are subject to and supervisory oversight, operating history, services offered, markets served, and agents or intermediaries through which services are provided. 91 Fed. Reg. at 18600.

[6] FinCEN, AML and CFT Priorities (June 30, 2021).

[7] FinCEN emphasizes that the incorporation of the AML/CFT Priorities is required “as appropriate”—a PPSI may determine, having reviewed the AML/CFT Priorities, that a particular priority is not applicable to its specific business model.

[8] Examples of triggering events that would require risk assessment updates include deployment of a payment stablecoin on a new blockchain, introduction of new product features via smart contract, or changes in the customer base. 91 Fed. Reg. at 18600.

[9] 12 U.S.C. § 5903(a)(5)(A)(iv).

[10] FinCEN’s rationale is that requiring PPSIs to monitor and report on secondary market transfers – where the PPSI is not a party to the transaction beyond its smart contract – would impose substantial compliance burdens while generating reports of limited utility to law enforcement. This is particularly true given that the PPSI generally lacks sufficient contextual or customer-level information to form a reasonable suspicion that such transactions are related to criminal activity, and such transactions may already be subject to reporting obligations by other BSA-regulated intermediaries. 91 Fed. Reg. at 18607.

[11] 12 U.S.C. § 5903(a)(5)(A)(vi).

[12] OFAC, A Framework for OFAC Compliance Commitments (May 2, 2019); OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (Oct. 2021).

[13] The term “payment stablecoin activity” is defined broadly in the Proposed Rule to encompass issuing, trading, holding, transacting, transferring, redeeming, or any other activity involving a PPSI’s payment stablecoin from issuance through removal from circulation.

[14] Written policies and procedures must be clearly communicated to all relevant personnel and stakeholders and must be routinely reviewed and updated to address identified gaps, newly designated persons or jurisdictions, and guidance issued by OFAC or other relevant government agencies. OFAC does not prescribe the specific form that internal controls must take. PPSIs may draw on a range of tools calibrated to their specific operations and risk profiles.

[15] For purposes of the Proposed Rule, “knowingly” means that the person has actual knowledge, or should have known, of the conduct, circumstance, or result at issue.

[16] See, e.g., 50 U.S.C. §§ 1705(b), 4315(b).