When President Trump signed the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the “GENIUS Act”) into law on July 18, 2025, the reaction across the digital asset industry was almost uniformly positive. At long last, the United States had delivered what the industry had been requesting for years: a comprehensive regulatory framework for dollar-backed stablecoins. Industry leaders and market participants welcomed the legislation and the clarity that it would offer the crypto industry.
On April 8, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and the Office of Foreign Assets Control (“OFAC”) announced a joint notice of proposed rulemaking (the “Proposed Rule”) that would operationalize the GENIUS Act’s mandates. The Proposed Rule would classify permitted payment stablecoin issuers (“PPSIs”) as a new category of financial institution under the Bank Secrecy Act (“BSA”), separate from money services businesses (“MSBs”), and impose a comprehensive suite of anti-money laundering (“AML”), countering the financing of terrorism (“CFT”), and sanctions compliance obligations on PPSIs. Notably, the Proposed Rule would also be the first federal regulation to codify what constitutes an “effective” OFAC sanctions compliance program, attaching penalties for PPSIs that fail to maintain required program elements—even absent underlying sanctions violations.
The FinCEN/OFAC Proposed Rule does not exist in isolation. As described below, it is part of a broader, multi-agency implementation effort under the GENIUS Act. Stablecoin issuers should be monitoring these rulemakings in parallel, particularly those subject to overlapping federal and state jurisdiction. Separately, FinCEN has also issued a proposed rule that would overhaul AML/CFT program requirements more broadly for a wider range of financial institutions, which shares structural similarities with the PPSI-specific rule and may result in overlapping obligations for companies subject to both.
The Proposed Rule has significant implications for current and prospective stablecoin issuers, their parent institutions, and the broader digital asset ecosystem. Comments are due June 9, 2026, and final regulations are expected by July 18, 2026, with the effective date scheduled for January 2027.
This article discusses the Proposed Rule’s key elements, beginning with a primer on the GENIUS Act framework.
The GENIUS Act
Understanding the Proposed Rule requires a brief detour through the statute it implements. The GENIUS Act is the first U.S. federal regulatory framework for payment stablecoins—defined under the statute as a digital asset that is used or designed for use as a means of payment or settlement, where the issuer is obligated to redeem it for a fixed monetary value and represents that it will maintain a stable value relative to that amount (in practice, one U.S. dollar). The statute provides the answers to questions regulators had been sidestepping for years: What exactly is a stablecoin, who is permitted to issue one, and how are they regulated?
The statute answers the last question with a licensing framework. Only “permitted payment stablecoin issuers,” or PPSIs, may issue payment stablecoins in the United States. There are three pathways to PPSI status: a PPSI may be (1) a subsidiary of an insured depository institution approved by its primary federal banking regulator to issue stablecoins; (2) a federally qualified payment stablecoin issuer, including nonbank entities chartered by the Office of the Comptroller of the Currency (“OCC”); or (3) a state-qualified payment stablecoin issuer approved by a state regulator meeting federal standards. Knowingly issuing payment stablecoins without PPSI authorization can result in fines of up to $1 million per violation and imprisonment for up to five years under the GENIUS Act.
The GENIUS Act also constrains what PPSIs can do. Their authorized activities are limited to issuing and redeeming payment stablecoins, managing reserve assets (which must back outstanding stablecoins on at least a 1:1 basis), and providing custodial services.
Two additional features of the GENIUS Act are worth flagging. First, the statute amends the federal securities laws and the Commodity Exchange Act to provide that qualifying payment stablecoins issued by PPSIs are excluded from the definitions of both “security” and “commodity.” This is a significant jurisdictional carve-out: The Securities and Exchange Commission and Commodity Futures Trading Commission do not regulate payment stablecoins under the GENIUS Act. Instead, oversight falls to banking regulators—the OCC, the Federal Deposit Insurance Corporation (“FDIC”), the Board of Governors of the Federal Reserve System, the National Credit Union Administration (“NCUA”), and state banking regulators—along with FinCEN and OFAC for illicit finance and sanctions. Second, the GENIUS Act contains bankruptcy protections for stablecoin holders, including a priority claim senior to all other creditors and an exclusion of reserve assets from the bankruptcy estate.
The GENIUS Act requires that the Department of the Treasury, including FinCEN and OFAC, as well as the federal banking agencies, promulgate rules to implement the GENIUS Act. The Proposed Rule addressed in this article is part of this multi-agency effort, and its implications for stablecoin issuers’ compliance infrastructure are among the most significant of the proposed rules to date. Since the GENIUS Act’s enactment, the designated regulatory agencies have moved quickly to implement the statute. The OCC published a proposed rule in February 2026 establishing a comprehensive prudential, operational, and supervisory framework for PPSIs under its jurisdiction. The FDIC followed in April 2026 with a proposed rule addressing PPSI subsidiaries of FDIC-supervised insured depository institutions. The NCUA has published proposed rules as well. The Treasury Department established principles determining whether state-level regulatory regimes are “substantially similar” to the federal framework. In addition, FinCEN issued a separate proposed rule in the same week as the Proposed Rule that would overhaul AML/CFT program requirements for a wider range of financial institutions, including by encouraging financial institutions to consider the use of digital identity, blockchain analytics, and generative artificial intelligence to prevent financial crime.
A New Category of Financial Institution
The Proposed Rule’s most consequential result is the creation of a new, standalone category of financial institution under the BSA. Many stablecoin issuers have historically been subject to BSA obligations as money transmitters, a subcategory of MSBs, under FinCEN rules. Under the Proposed Rule, PPSIs would no longer be classified as MSBs. Instead, they would be regulated under a separate framework with some obligations mirroring those applicable to banks.
This is not a cosmetic change, as PPSIs will become subject to a range of requirements that MSBs are not, including enhanced due diligence for correspondent and private banking accounts and compliance with special measures when foreign financial institutions or transactions are deemed to be of primary money laundering concern. In practice, this means that if FinCEN designates a foreign jurisdiction or institution as being of primary money laundering concern—as the Trump administration has recently done with certain Mexican financial institutions in its push to address illicit drug trafficking—PPSIs with exposure to those jurisdictions or institutions would need to comply with any restrictions or enhanced due diligence requirements imposed.
The reclassification also reflects FinCEN’s stated assessment in the Proposed Rule that the economic functions PPSIs perform more closely resemble those of banks than those of traditional money transmitters. In short, PPSIs issue a widely used medium of exchange, maintain reserve assets, and facilitate payments—functions that in key respects more closely resemble banking than traditional money transmission. The Proposed Rule relies on FinCEN’s authority under the BSA to designate PPSIs as businesses engaged in activities “similar to, related to, or a substitute for” the activities of enumerated financial institutions.
Primary and Secondary Markets
The Proposed Rule divides the stablecoin ecosystem into primary and secondary markets, with different compliance obligations in each.
The “primary market” covers transactions where a PPSI interacts directly with a user or holder of a payment stablecoin. Issuance, redemption, and direct transfers are primary market activity. In the primary market, the full suite of AML/CFT obligations applies: customer identification, ongoing due diligence, suspicious activity monitoring, and the other requirements discussed below.
The “secondary market” covers transactions where the PPSI has no direct interaction with the transacting parties. Value moves between users through the PPSI’s smart contract without any direct customer relationship. This is the peer-to-peer transfer environment, the on-chain world where stablecoins circulate between wallets, exchanges, and DeFi protocols without the issuer’s active involvement in any given transaction.
The Proposed Rule does not require PPSIs to file suspicious activity reports or conduct customer due diligence on secondary market activity. However, it does require PPSIs to maintain the technical ability to block, freeze, and reject transactions across their entire network, including the secondary market. This is where much of the real compliance cost resides. If OFAC designates a wallet address, the issuer must be able to prevent that address from transacting with its stablecoin, even though the issuer has no customer relationship with the owner of the wallet. In other words, PPSIs would bear no affirmative obligation to monitor or report on secondary market transactions, but they would bear a full obligation to intervene in those same transactions when directed by law, regulation, or sanctions designation. That tension—between passive observation and active enforcement capability—is where much of the industry commentary is likely to focus.
AML/CFT Program Requirements
In the primary market, the Proposed Rule would explicitly require PPSIs to conduct ongoing customer due diligence, including complying with “know your customer” requirements and monitoring accounts for suspicious transactions. Many stablecoin issuers that currently operate as MSBs conduct some form of customer identification, but the Proposed Rule would implement new expectations.
The Proposed Rule would require PPSIs to file suspicious activity reports (“SARs”) with FinCEN for any primary market transaction involving $5,000 or more, adopting the same dollar threshold that currently applies to banks. This is a notable departure from the MSB framework, where the SAR filing threshold for money transmitters is $2,000. The higher threshold may reduce volume, but the underlying obligation to detect and report suspicious activity across the full range of primary market transactions is no less demanding.
PPSIs would be required to retain records on transfers of $3,000 or more and to share specified information with other financial institutions involved in fund transfers. This recordkeeping threshold mirrors the existing requirement for financial institutions under the BSA’s funds transfer rules. The information-sharing obligation is designed to create an auditable trail across institutions, enabling regulators and law enforcement to reconstruct the flow of funds when investigating potential illicit activity.
The Proposed Rule would require PPSIs to collect beneficial ownership information for business customers, an obligation that does not currently apply to MSBs and that represents one of the more operationally significant new requirements. Issuers will need to build infrastructure for identifying and verifying the natural persons who ultimately own or control their business counterparties. For issuers whose customer base includes institutional participants, exchanges, or other entities, this requirement may necessitate new data collection workflows.
The Proposed Rule would extend to PPSIs two obligations drawn directly from the USA PATRIOT Act that apply to banks: enhanced due diligence programs for correspondent and private banking accounts, and the obligation to respond to government information-sharing requests. In the PPSI context, correspondent account due diligence would require issuers to assess and manage the risks posed by relationships with foreign financial institutions that hold accounts with the PPSI or use the PPSI’s payment infrastructure, while private banking account due diligence would impose heightened scrutiny on high-value individual accounts. For issuers that serve institutional customers, foreign exchanges, or other entities that function as intermediaries, these requirements could necessitate substantial new compliance processes for onboarding and ongoing monitoring of those relationships.
PPSIs would become subject to both the mandatory and voluntary information-sharing provisions of Section 314 of the USA PATRIOT Act. Under the mandatory provision (Section 314(a)), FinCEN and law enforcement agencies can query PPSIs about whether they maintain accounts or have conducted transactions for specified individuals or entities. Under the voluntary provision (Section 314(b)), PPSIs would be permitted to share information with one another and with other financial institutions for purposes of identifying and reporting potential money laundering or terrorist financing activity, with a safe harbor from liability for such sharing.
The illicit finance data motivating these requirements is substantial. According to the Proposed Rule, between January 2015 and November 2025, FinCEN received approximately 55,000 suspicious activity reports referencing specific stablecoins, and OFAC received approximately 5,800 blocked property reports and 3,000 rejected transaction reports referencing stablecoins. The Proposed Rule cites the use of stablecoins in money laundering chains, North Korean cyber theft, sanctions evasion networks, fentanyl precursor procurement, and terrorist financing as the specific risks driving the rulemaking.
The First Codified Sanctions Compliance Program Requirements
Perhaps the most significant regulatory development in the Proposed Rule is OFAC’s decision to codify, for the first time in its regulations, what constitutes an “effective” sanctions compliance program and penalties for failing to maintain one.
All U.S. persons are already required to comply with OFAC-administered sanctions, including stablecoin issuers. But until now, OFAC has never required any category of U.S. person to maintain a formal compliance program with potential penalties for failure to do so. OFAC’s longstanding “Framework for OFAC Compliance Commitments,” published in 2019, laid out a five-element structure for an effective sanctions program: management commitment, risk assessment, internal controls, testing and auditing, and training. Additionally, OFAC’s 2021 “Sanctions Compliance Guidance for the Virtual Currency Industry” specifically addressed sanctions compliance best practices for the virtual currency industry. However, both materials represented regulatory guidance, not a binding legal obligation.
The GENIUS Act changes this. The statute directs that PPSIs maintain an “effective economic sanctions compliance program . . . consistent with [f]ederal law,” and the Proposed Rule operationalizes that directive by incorporating OFAC’s five-element framework into binding regulation. A PPSI’s sanctions compliance program must include: management commitment from senior leadership; a risk assessment process that identifies sanctions risks specific to the issuer’s products, customers, and geographic exposure; risk-based internal controls to identify, block, and reject transactions that may violate sanctions; independent testing and auditing of the program’s effectiveness; and training for all relevant personnel.
This represents a meaningful paradigm shift. For years, OFAC’s enforcement posture relied on the implicit message that the voluntary framework was, in practical terms, non-optional. OFAC would consider a company’s compliance infrastructure, or lack thereof, when determining potential enforcement or penalties for sanctions violations. But the gap between favorable treatment for maintaining a good program and a legal requirement to have one, backed by penalties for failure to maintain it, is significant. Practitioners should expect it to serve as a template for other regulated industries. For this reason, we anticipate industry commentary to focus on this net-new requirement—especially as it is in direct tension with Treasury’s broader effort in a separate proposed rule to focus enforcement actions on outcomes rather than “foot fault” program deficiencies.
Block, Freeze, Reject, and Burn
The Proposed Rule’s most operationally demanding requirement is arguably its mandate that PPSIs maintain the technical capability to block, freeze, and reject impermissible transactions, as well as comply with lawful orders to seize, freeze, burn, or prevent the transfer of payment stablecoins.
These requirements extend to both primary and secondary market activity. In the primary market, where the issuer has a direct relationship with the customer, the block-and-freeze architecture maps reasonably well onto existing bank compliance workflows. In the secondary market, however, the requirement has no direct parallel for other BSA-regulated financial institutions. Banks are not generally required to control transactions between third parties with whom they have no customer relationship. But a stablecoin issuer, whose product circulates freely on public blockchains, would be required to maintain the infrastructure to intervene in peer-to-peer transfers if required by a lawful order or sanctions designation.
In practice, this means issuers will need on-chain compliance infrastructure that monitors activity with which they have no direct commercial relationship. That means transaction screening systems, smart-contract-level controls, and the engineering capacity to execute freezes and burns in response to regulatory directives. The engineering investment required to build and maintain these capabilities is substantial. The inclusion of “burn”—meaning the permanent and irreversible destruction of tokens, effectively removing them from circulation with no possibility of recovery by the holder—is notable. Unlike a freeze, which temporarily restricts access, or a block, which prevents a specific transaction, a burn eliminates the tokens entirely. While some issuers have built burn capabilities into their smart contracts, codifying this as a regulatory requirement raises novel questions about property rights, due process, and the limits of issuer control over circulating tokens.
This Is a Proposed Rule
Currently, this remains a notice of proposed rulemaking. The rule is not final and is subject to revision based on public comment. Those revisions could be meaningful.
The comment period is open, and comments are due June 9, 2026. Final regulations are expected by July 18, 2026, consistent with the GENIUS Act’s one-year implementation deadline, with enforcement beginning no later than January 2027.
The sixty-day comment period presents a genuine opportunity. Several aspects of the Proposed Rule invite industry input. The “burn” requirement and secondary market compliance obligations, particularly the scope of the block-and-freeze mandate for peer-to-peer transactions, are likely to generate significant comment. The codification of a burn requirement—authorizing the permanent destruction of tokens—raises novel questions about property rights and due process that are also likely to draw substantial feedback. The interaction between the new PPSI category and existing MSB registrations raises transitional questions that FinCEN has acknowledged but not fully resolved. The OFAC sanctions program requirements, while largely tracking the voluntary framework, introduce new specificity around what “effective” means in practice, and industry participants may have views on calibration. The SAR and recordkeeping thresholds, inherited from the bank framework, may warrant stablecoin-specific adjustments.
The final rule could differ meaningfully from the proposal based on feedback received. The rulemaking record will shape not only the contours of the final regulation but also the interpretive guidance and examination expectations that follow it. For issuers, exchanges, custodians, compliance technology providers, and the institutions that bank stablecoins, this is the moment to shape the framework that will govern the U.S. stablecoin market for the foreseeable future.
Nevertheless, payment stablecoin issuers should not wait for the final rule to begin preparing. The scope and detail of the Proposed Rule make clear that significant compliance changes are coming, and issuers should be evaluating their programs now to ensure they are positioned to meet these new obligations when enforcement begins.
