GENIUS Act Stablecoin AML Compliance: What Issuers Must Know

Stablecoins now account for a significant majority of illicit cryptocurrency transaction volume, with some 2026 blockchain intelligence reports (including TRM Labs and Chainalysis) estimating this share to exceed 80%. That single statistic explains why FinCEN, in coordination with OFAC, moved quickly to regulate them. On April 8, 2026, FinCEN, in coordination with OFAC, issued a proposed rule under the GENIUS Act that outlines parallel sanctions compliance expectations and under which stablecoin issuers would be treated as financial institutions under the BSA for the first time. This GENIUS Act stablecoin AML compliance framework brings payment stablecoin issuers into the full scope of the Bank Secrecy Act (BSA), complete with anti-money laundering, counter-terrorist financing and sanctions compliance obligations.

The comment period closes on June 9, 2026. If your organization issues, plans to issue or interacts with payment stablecoins, this proposed rule demands your immediate attention.

What the GENIUS Act changed for stablecoin issuers

The Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act) was signed into law on July 18, 2025. It created the first comprehensive federal regulatory framework for payment stablecoins in the United States. Among its most significant provisions, the GENIUS Act directed the U.S. Treasury to classify a new category of regulated entity: the Permitted Payment Stablecoin Issuer or PPSI.

PPSIs can obtain their designation through three pathways. Subsidiaries of insured depository institutions can apply through their primary federal regulator. Federal qualified payment stablecoin issuers go through the Office of the Comptroller of the Currency (OCC). State-qualified payment stablecoin issuers receive approval from their state regulator.

Regardless of the pathway, once designated, PPSIs are classified as financial institutions under the BSA. This classification triggers the full range of AML/CFT obligations that banks and money services businesses already know well. The April 2026 proposed rule from FinCEN and OFAC spells out exactly what those obligations look like for stablecoin issuers.

GENIUS Act stablecoin AML compliance: The five core obligations

The proposed rule establishes five primary compliance obligations for PPSIs. Each one mirrors requirements already imposed on traditional financial institutions, but with adaptations for the unique characteristics of blockchain-based payment systems.

1. Risk-based AML/CFT program

Every PPSI would be required to establish and maintain a written AML/CFT program that is reasonably designed to prevent the misuse of payment stablecoins for illicit finance. The program must be tailored to the issuer’s specific risk profile, taking into account the types of customers served, the blockchains on which stablecoins are deployed and the distribution channels used to reach end users.

FinCEN has drawn these requirements from the same framework it applies to the 11 existing categories of BSA-regulated financial institutions. However, the agency has made adjustments to reflect the realities of stablecoin operations. For instance, program design must account for risks specific to decentralized distribution and cross-chain transfers.

2. Customer identification and due diligence

PPSIs would be required to implement an effective Customer Identification Program (CIP) to verify the identity of account holders. Beyond basic identification, ongoing customer due diligence (CDD) is required to understand the nature and purpose of customer relationships.

This requirement presents a practical challenge for stablecoin issuers who operate through intermediaries or allow peer-to-peer transfers. The proposed rule acknowledges this complexity but does not exempt issuers from the obligation. Compliance teams will need to design CDD processes that work within the constraints of blockchain architecture while still meeting regulatory expectations.

3. Suspicious activity monitoring and reporting

PPSIs would be required to monitor transactions for suspicious activity and file Suspicious Activity Reports (SARs) with FinCEN when warranted. This includes implementing transaction monitoring systems capable of flagging patterns associated with money laundering, terrorist financing, sanctions evasion and fraud.

One notable carve-out: FinCEN has indicated that SAR reporting obligations may not extend to certain secondary market transactions due to limited visibility into counterparties. However, sanctions obligations may still require issuers to maintain the capability to restrict or freeze tokens associated with sanctioned parties, even on permissionless networks. This distinction is significant for issuers whose stablecoins trade actively on secondary platforms.

4. Designation of a U.S.-based compliance officer

Each PPSI would be required to appoint a qualified AML/CFT compliance officer located in the United States. This individual is responsible for overseeing the program, ensuring regulatory filings are submitted on time and serving as the primary point of contact with FinCEN. Senior management and the board retain ultimate accountability for program effectiveness.

5. Independent testing and ongoing training

Regular independent testing of the AML/CFT program would be required to assess whether controls are working as intended. Testing should evaluate not just procedural compliance but actual effectiveness in detecting and preventing illicit activity.

Ongoing employee training must also be tailored to the issuer’s risk profile. As blockchain technology and criminal typologies evolve, training programs need to keep pace. Compliance staff should understand both the technical mechanics of stablecoin transactions and the regulatory expectations that apply to them.

The sanctions compliance mandate: A first in U.S. law

Alongside the AML/CFT requirements, the proposed rule introduces a mandatory sanctions compliance program for PPSIs. This represents one of the first instances where U.S. law explicitly mandates a formal sanctions compliance program for a specific category of financial entity.

OFAC’s proposed framework requires five core elements: senior management commitment to compliance, a thorough risk assessment of sanctions exposure, internal controls to screen transactions and customers against sanctions lists, regular testing and auditing of the compliance program and targeted training for all relevant personnel.

Technical capabilities: Block, Freeze and Reject

The GENIUS Act goes further than traditional sanctions compliance by mandating specific technical capabilities. PPSIs would be expected to have the policies, procedures and technical infrastructure to block, freeze and reject transactions that violate federal or state laws. In practice, this means stablecoin smart contracts or administrative controls must be capable of preventing transfers involving sanctioned persons, jurisdictions or entities in real time.

For issuers operating on permissionless blockchains, this requirement creates significant engineering and operational challenges. Compliance teams and technology teams will need to work closely together to build solutions that satisfy both the regulatory mandate and the technical realities of distributed ledger systems.

Why this rule matters beyond the United States

The proposed rule carries implications well beyond U.S. borders. Stablecoins operate on global, borderless networks. A PPSI issuing dollar-denominated stablecoins may have users in dozens of countries, intermediaries across multiple jurisdictions and transactions flowing through various blockchain ecosystems simultaneously.

International regulators are watching closely. The Financial Action Task Force (FATF) has repeatedly called for consistent regulation of virtual asset service providers (VASPs) and stablecoin arrangements. The EU’s Markets in Crypto-Assets Regulation (MiCA) already imposes AML requirements on stablecoin issuers operating in Europe. By bringing PPSIs under the BSA, the United States is closing a regulatory gap that FATF and other international bodies have flagged.

This approach aligns with evolving global standards promoted by the Financial Action Task Force on regulating stablecoin arrangements and virtual asset service providers.

For stablecoin issuers with cross-border operations, the proposed rule means navigating overlapping compliance obligations across multiple jurisdictions. Building a program that satisfies U.S. requirements while remaining compatible with international frameworks will require careful planning and expert guidance.

Practical steps for stablecoin issuers and crypto businesses

The comment period closes on June 9, 2026. FinCEN and OFAC have proposed a 12-month implementation window after the final rule is published. That timeline may sound generous, but building a compliant AML/CFT and sanctions program from the ground up takes considerable effort. Here is what issuers should prioritize now.

Conduct a gap analysis. Compare your current compliance framework against the proposed rule’s requirements. Identify where your program falls short on risk assessment, CDD, transaction monitoring, sanctions screening or independent testing.

Engage with the rulemaking process. Submit public comments before June 9. Areas where industry input could shape the final rule include the scope of the secondary market exemption, the definition of “effective” sanctions compliance and the technical standards for blocking and freezing transactions.

Invest in technology. The requirement to block, freeze and reject transactions in real time demands robust technical infrastructure. Evaluate whether your current smart contract architecture and compliance tooling can meet this standard.

Hire or designate a qualified compliance officer. The U.S.-based compliance officer requirement means you need someone with deep AML/CFT expertise, not just a blockchain developer with a passing interest in regulation. Consider whether your current team has the right skills or whether you need external support.

Start training early. Build a training program that covers both the regulatory requirements and the crypto-specific typologies your team needs to understand. Sanctions evasion through stablecoins is an active and evolving threat, and your staff need to recognise the red flags.

GENIUS Act FAQ

What is the GENIUS Act?
The GENIUS Act is a U.S. law that establishes a regulatory framework for payment stablecoin issuers, including AML and sanctions compliance obligations.

Are stablecoin issuers financial institutions?
Under the GENIUS Act framework, permitted stablecoin issuers would be treated as financial institutions under the Bank Secrecy Act.

Do stablecoins fall under sanctions laws?
Yes, U.S. sanctions laws apply broadly and the GENIUS Act framework further formalizes compliance expectations for stablecoin issuers.

Key takeaways

The GENIUS Act stablecoin AML compliance framework is a watershed moment for crypto regulation in the United States. By treating stablecoin issuers as financial institutions under the BSA, FinCEN and OFAC have made clear that the era of light-touch oversight for stablecoins is over. The proposed rule’s AML/CFT program requirements, combined with the first-ever mandatory sanctions compliance program, set a new standard that issuers must meet.

The 12-month implementation window after the final rule means preparation should start now, not later. Issuers who wait until the rule is finalized will find themselves scrambling to build programs, hire compliance talent and deploy technology under pressure.

If your organization needs help building or strengthening its AML/CFT and sanctions compliance program for stablecoin operations, Compliance7 can help. Our CAMS-certified team works with crypto exchanges, VASPs and financial institutions across multiple jurisdictions. Book a free consultation to discuss how the GENIUS Act affects your compliance obligations.

This article is for informational purposes only and does not constitute legal or regulatory advice. For guidance specific to your business, consult a qualified compliance professional.

Ajith Abraham is a Financial Crimes Compliance Professional with over 12 years of experience in AML, KYC, CDD, EDD, Transaction Monitoring, and Sanctions Screening. As a Certified Anti-Money Laundering Specialist (ACAMS), he has worked with global consulting firms, including the Big 4, and led large teams delivering complex AML/KYC compliance projects for banking and financial institutions. Ajith specializes in suspicious activity reporting (SAR), regulatory compliance, and audit readiness and has a proven track record of enhancing operational efficiency in high-stakes environments. His expertise spans financial services, risk management, and compliance training, making him a trusted advisor in strengthening defenses against financial crime.
