Treasury proposes anti-money laundering, countering the financing of terrorism, and sanctions compliance rules for stablecoin issuers under the GENIUS Act

The Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) within the United States Department of the Treasury (Treasury) published a joint notice of proposed rulemaking (PPSI NPRM) that would implement the anti-money laundering (AML), countering the financing of terrorism (CFT), and sanctions compliance provisions of the Guiding and Establishing National Innovation for US Stablecoins Act (GENIUS Act). 

Released on April 10, 2026, the PPSI NPRM marks a milestone in the federal regulation of digital assets, establishing for the first time a comprehensive, tailored AML/CFT and sanctions compliance framework specifically designed for permitted payment stablecoin issuers (PPSIs). Comments to the PPSI NPRM must be submitted by June 9, 2026. In February 2026, the Office of the Comptroller of the Currency announced a notice of proposed rulemaking to implement certain provisions of the GENIUS Act, although that rulemaking excluded AML/CFT and sanctions regulations specific to the institutions it supervises; these will be addressed in a separate rulemaking in coordination with the Treasury.  

This alert summarizes the key elements of the PPSI NPRM and its practical implications for stablecoin issuers and the broader digital asset industry. 

Background: The GENIUS Act

On July 18, 2025, President Donald Trump signed the GENIUS Act into law, establishing a comprehensive regulatory framework for payment stablecoins in the US. The GENIUS Act defines “payment stablecoins” as digital assets used or designed for payment or settlement and which the issuer is obligated to redeem at a fixed monetary value. The GENIUS Act also tasks federal banking regulators and state regulators with licensing and supervising permitted payment stablecoin issuers (PPSIs). The GENIUS Act directs that PPSIs “be treated as a financial institution for purposes of the Bank Secrecy Act” (BSA), and the PPSI NPRM implements that statutory obligation by bringing them within the scope of applicable federal AML/CFT, sanctions, customer identification, and due diligence requirements. The GENIUS Act tasks the Secretary of the Treasury with issuing implementing regulations tailored to the size and complexity of PPSIs.

Overview of the PPSI NPRM 

The PPSI NPRM reflects Treasury’s assessment of illicit finance risks associated with stablecoins. Treasury has linked stablecoins to investment fraud, terrorist financing, narcotics trafficking, and sanctions evasion, and FinCEN received approximately 55,000 suspicious activity reports (SARs) referencing stablecoins between January 2015 and November 2025 alone. The PPSI NPRM encompasses FinCEN’s imposition of BSA and AML/CFT obligations on PPSIs, as well as a first-of-its-kind requirement by OFAC for PPSIs to maintain an effective sanctions compliance program. Notably, the proposed changes primarily apply to a PPSI’s relationship with direct counterparties. The PPSI NPRM does not impose monitoring requirements on “secondary market” transactions, which are defined as payment stablecoin activity that does not “directly involve the PPSI as a party to the transaction other than via a smart contract.” Examples of secondary market transactions include an “individual purchasing payment stablecoins from an intermediary, an individual sending payment stablecoins from a self-hosted wallet to a vendor to purchase goods, an individual exchanging payment stablecoins for another digital asset via a digital asset exchange, or person-to-person transactions in payment stablecoins.”

FinCEN and OFAC propose that their respective rules in the PPSI NPRM would take effect 12 months after issuance of the final rules. Both agencies have requested public comment on this proposed effective date.

FinCEN’s proposed AML/CFT program requirements

The PPSI NPRM would require PPSIs to establish and maintain AML/CFT programs that are similar, but (as described below) not identical, to the program obligations FinCEN has established for the 11 existing types of financial institutions currently subject to the BSA. 

Relationship to the AML Program Rule NPRM

One day before the PPSI NPRM was announced, FinCEN separately announced a notice of proposed rulemaking (Program Rule NPRM) that would modernize AML/CFT program requirements for these 11 types of financial institutions. The PPSI NPRM is designed to be consistent with the Program Rule NPRM and adopts its emphasis on risk-based, effectiveness-focused compliance rather than only technical compliance, as well as its “significant or systemic failure” standard for enforcement and supervisory actions. For more on the Program Rule NPRM, see our alert.

Like other BSA-regulated financial institutions, a PPSI would, under the PPSI NPRM, be required to have in place a risk-based AML/CFT program. Key program components would include: 

• Internal policies, procedures, and controls (including risk assessments and ongoing customer due diligence)
  
  
• Independent testing
  
  
• A designated compliance officer located in the US
  
  
• An ongoing employee training program
  
  
• A written program approved by the board of directors or equivalent
  
  
• Procedures to identify and verify beneficial owners of legal entity customers

Unlike other BSA-regulated financial institutions, however, PPSIs would be required by the PPSI NPRM to address requirements unique to the GENIUS Act – such as the technical capabilities to block, freeze, and reject transactions, as well as to comply with lawful orders. 

“Notice and Consultation” supervision and enforcement framework

One notable feature of the PPSI NPRM is its contemplated supervision and enforcement framework for AML/CFT programs. FinCEN proposes that if a PPSI has properly established its AML/CFT program, FinCEN generally would not take an enforcement action – and FinCEN or other federal agencies acting on its behalf generally would not take major supervisory action – unless the PPSI has a “significant or systemic failure” to maintain that program. The PPSI NPRM would introduce a “notice and consultation” framework between primary federal payment stablecoin regulators and FinCEN before any significant AML/CFT supervisory actions are initiated. In determining whether to take enforcement or supervisory action, the Director of FinCEN would consider, among other factors, the extent to which the PPSI has advanced AML/CFT priorities by providing “highly useful information to law enforcement authorities or national security officials, conducting proactive analytics, or performing other innovative activities producing demonstrable outputs evincing the effectiveness” of the PPSI’s AML/CFT program, including the “effective use of artificial intelligence, federated learning, and other advanced monitoring tools.” 

Technical capabilities: Block, freeze, and reject

The PPSI NPRM would require PPSIs to have the technical capabilities, policies, and procedures to block, freeze, and reject specific or impermissible transactions that violate federal or state laws, rules, or regulations. This obligation extends beyond primary market customers to secondary market activity. However, the PPSI NPRM does not require PPSIs to independently determine that a secondary market transaction violates the law; rather, it requires maintaining the infrastructure to act with respect to these transactions when directed by law, regulation, or court order – including compliance with any “lawful order” specifying with reasonable particularity a payment stablecoin or account. The PPSI NPRM does not prescribe how PPSIs should implement these capabilities, which may provide flexibility for issuers to adopt technologies as they emerge. 

Suspicious activity reporting

Under the PPSI NPRM, PPSIs would be required to file SARs for any suspicious transaction, consistent with existing SAR filing requirements for the other existing types of BSA-regulated financial institutions. The PPSI NPRM would not, however, impose a secondary market SAR reporting obligation, reflecting FinCEN’s preliminary assessment that the burden of requiring PPSIs to file SARs concerning secondary market activity could outweigh the potential benefits. As FinCEN acknowledges, when a payment stablecoin transfer occurs on the secondary market, the PPSI’s only interaction is generally through its smart contract, and the PPSI may not be able to identify the parties behind the transaction. The PPSI NPRM explicitly clarifies that a transaction is not conducted or attempted by, at, or through a PPSI solely because a third-party transfer results in an interaction with the PPSI’s smart contract. FinCEN has specifically requested public comment on this approach.

Recordkeeping and Travel Rules

PPSIs would be required to comply with the nonbank provisions of the Recordkeeping Rule (collecting and retaining records for funds transfers of $3,000 or more) and the Travel Rule (transmitting certain information to other financial institutions participating in funds transfers of $3,000 or more). The PPSI NPRM does not address whether these rules apply to secondary market transactions. Nonetheless, FinCEN’s clarification that a transfer is not conducted by, at, or through a PPSI solely because of a smart contract interaction suggests these rules would apply only to primary market transactions where the PPSI is directly involved.

Information-sharing, enhanced due diligence, and special measures

The PPSI NPRM would also apply the BSA’s information-sharing provisions to PPSIs, including the record search requirements of Section 314(a) of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act and eligibility for the PATRIOT Act's voluntary Section 314(b) information-sharing program and the voluntary FinCEN Exchange program. PPSIs would additionally be subject to enhanced due diligence requirements for correspondent and private banking accounts, as well as special measures that FinCEN may impose regarding foreign financial institutions or transactions of primary money laundering concern.

OFAC’s proposed sanctions compliance program requirements

OFAC is proposing a new part 502 to chapter V of title 31 of the Code of Federal Regulations to implement the GENIUS Act’s sanctions compliance program requirement. The proposal represents the first time that federal law has explicitly mandated that a particular US person maintain an effective sanctions compliance program. The proposed program would be required to include the following five key elements, drawn from OFAC’s 2019 Compliance Framework: 

1. Senior management commitment and adequate resourcing

2. Holistic, risk-based sanctions risk assessments at appropriate intervals

3. Risk-based internal controls – including technical capabilities and written policies – applicable to both primary and secondary market activity and designed to identify, block, and reject transactions that may violate US sanctions 

4. Independent testing or audit with sufficient resources, expertise, and authority

5. A risk-based training program performed at least annually for all relevant personnel

OFAC has designed these requirements to be risk-based, providing PPSIs with discretion to make compliance judgments in light of their size, complexity, and unique risk profile. For violations of the proposed FinCEN regulations, willful violations could result in criminal penalties. For violations of OFAC’s proposed sanctions compliance program requirements, OFAC may impose civil monetary penalties under existing sanctions authorities, including the International Emergency Economic Powers Act.

Practical implications

• The PPSI NPRM establishes a dedicated compliance framework. The AML/CFT obligations proposed for PPSIs are substantially consistent with those applicable to other financial institutions under the BSA, which means that stablecoin issuers already operating under registration as money services businesses or chartered as banks may find significant overlap with their existing compliance programs. Further, the requirements of the PPSI NPRM are designed to align with the modernized standards proposed in the separate Program Rule NPRM for the existing 11 types of BSA-covered financial institutions. 
  
  
• Secondary market obligations are limited but important. While the PPSI NPRM would not require PPSIs to monitor secondary market activity as part of their AML/CFT programs or to file SARs in connection with secondary market transactions, PPSIs would be required to maintain technical capabilities to block, freeze, and reject impermissible transactions and to comply with lawful orders, including in relation to secondary market activity.
  
  
• Innovation is incentivized. The proposed supervision and enforcement framework explicitly considers a PPSI’s use of innovative technologies – including AI, federated learning, and advanced monitoring tools – as a mitigating factor when evaluating enforcement or supervisory actions. This approach aligns with the findings and recommendations in Treasury’s March 2026 report on innovative technologies to counter illicit finance. 
  
  
• The sanctions compliance program requirement would introduce a new statutory obligation. While PPSIs are already subject to US sanctions obligations as US persons, the GENIUS Act’s mandate for an effective sanctions compliance program – and OFAC’s proposed implementing regulations – represent the first instance in which federal law expressly requires a defined category of US persons to maintain a formal sanctions compliance program. 
  
  
• Flexibility is a key feature. Both FinCEN and OFAC have designed the proposed requirements to be risk-based and to afford PPSIs discretion in how they implement compliance measures, taking into account their size, complexity, and evolving technologies. 
  
  
• Customer identification program requirements are expected to be addressed separately. The NPRM does not address the GENIUS Act’s customer identification program requirement, which is expected to be the subject of a separate rulemaking. 

Learn more

DLA Piper’s Blockchain and Digital Assets practice, Financial Services practice, and AML/CFT and sanctions lawyers monitor BSA developments and advise on requirements applicable to traditional financial institutions and blockchain-based businesses. To learn more about the PPSI NPRM, public comment opportunities, and BSA compliance strategies, please contact the authors of this alert or your DLA Piper relationship attorney.