
Troutman Pepper Locke | GENIUS Act AML and Sanctions Rules for Stablecoin Issuers: A Few Surprises but Broadly as Expected

On April 10, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) jointly issued a notice of proposed rulemaking (NPRM) setting out their view of how sanctions, anti-money laundering and countering the financing of terrorism (AML/CFT) compliance requirements should apply to permitted payment stablecoin issuers (PPSIs) under the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act. The agencies also issued an accompanying fact sheet.

This NPRM follows Treasury’s earlier proposal on principles for acceptable state stablecoin regulatory regimes under the GENIUS Act, and reflects many of the same concepts in Treasury’s broader AML compliance program reform proposal, including the associated rulemaking from the federal banking agencies. Yet another proposed rule from the Federal Deposit Insurance Corporation (FDIC), also released on April 10, sets out how a number of other GENIUS Act provisions may be implemented for FDIC-supervised insured depository institutions (IDIs) and IDI subsidiaries that act as PPSIs, including AML and sanctions compliance certifications.

Overview and Key Takeaways

The GENIUS Act requires FinCEN to treat PPSIs as financial institutions subject to the Bank Secrecy Act (BSA), and this proposed rule starts to define what that will mean in practice. The statutory mandate itself was not very meaningful, given that stablecoin issuers generally are already subject to BSA obligations as money transmitters, a type of money services business (MSB). But FinCEN noted in the rulemaking that about half of the stablecoin issuers of which it is aware have not registered as MSBs (though these represent a small market share). The GENIUS Act framework will bring them into the fold, if they try to become PPSIs, by subjecting them to federal and/or state regulation and supervision. Where a PPSI is not examined by one of the federal banking agencies or otherwise supervised by a federal functional regulator, FinCEN has proposed delegating examination authority to the Internal Revenue Service (IRS), reflecting the current arrangement for stablecoin issuers as a type of money transmitter under the BSA.

Similarly, FinCEN’s proposed rule leaves much of the current regulatory landscape for stablecoin issuers largely unchanged. For example, MSBs are already required to register with FinCEN, establish written AML compliance programs, verify customer identification, establish internal controls, designate a compliance officer, file currency transaction reports (CTRs) and suspicious activity reports (SARs), conduct training, provide for independent reviews, and maintain records. The proposed rule for PPSIs builds on and modifies some of these standards (e.g., a higher SAR filing threshold, and imposing customer identification program (CIP) obligations, which do not apply to MSBs).

Still, there are important changes that the proposed rule would introduce. PPSIs would no longer be regulated as MSBs, but rather would be subject to their own unique set of regulations as a standalone category of financial institution, under a new proposed Part 1033 in FinCEN’s regulations.

Perhaps the biggest impact of the proposed rule is how FinCEN has tried to bring some clarity to PPSI secondary market monitoring and intervention expectations. The NPRM defines the “secondary market” as “payment stablecoin activity that does not directly involve the PPSI as a party to the transaction other than via a smart contract.” The proposed rule confirms that PPSIs will be subject to both BSA and sanctions compliance requirements with respect to secondary markets, but FinCEN has commendably attempted to craft these rules in light of the unique features of blockchain and stablecoin technology. Because blockchain transaction data is inherently public, and because PPSIs may issue and control their stablecoins through smart contracts, FinCEN needed to draw a line to limit how far a PPSI must go in mining blockchain data and building features into its smart contracts to control against financial crimes risks. Otherwise, PPSI obligations could go far beyond those of banks and other traditional financial institutions that generally have very limited or no visibility into or control over transactions in which they are not directly involved.

While FinCEN has limited PPSI compliance obligations on the secondary market, these obligations are still not well-defined. On the one hand, PPSIs would not generally be required to monitor secondary market activity or file secondary market SARs (however, they would not be restricted from filing voluntary SARs based on their monitoring of secondary market activity). On the other hand, FinCEN will require that PPSIs understand their customers’ risk profiles, including their distribution channels, which inherently touch on secondary market activity to some degree (e.g., the blockchains on which the PPSI’s stablecoins are deployed). This highlights one of the main tensions in the NPRM that PPSIs will need to wrestle with in each case in order to land on a defensible secondary market transaction monitoring approach.

Similarly, PPSIs will be required to prevent parties subject to OFAC sanctions prohibitions from engaging with their smart contracts in the secondary market, and to freeze blocked property. Again, this will require some monitoring and ability to control those transactions. Major issuers today already have blocking/freezing and rejecting/blacklisting capabilities in their smart contracts, so this is not altogether new. But the vast universe of new ventures in this space that have emerged and will continue to emerge will need to build these capabilities under the new and still developing standards of the GENIUS Act.

Looking at the bigger picture of OFAC’s proposal on the sanctions side, at one level, there’s nothing new here. All U.S. persons are already required to comply with OFAC’s regulations, including blocking or rejecting transactions, and PPSIs will be U.S. persons subject to these general rules. What’s interesting is that OFAC has — for the first time ever — proposed an affirmative requirement under its regulations for a category of U.S. persons, PPSIs, to establish an effective sanctions compliance program. There will be a new Part 502 of OFAC’s regulations that will set out these requirements, which would be unique for PPSIs. This will, of course, increase sanctions enforcement risk, as OFAC (on the civil side) or prosecutors (on the criminal side) can pursue not only actual sanctions violations but also charges based merely on a failure to maintain an effective program. Given the high-level nature of OFAC’s compliance standards, this is likely to function as a regulation-by-enforcement regime.

Below, we delve deeper into the details of the proposed rule, first from FinCEN’s perspective, followed by OFAC’s.

AML Compliance Program Obligations

The proposed rule reflects FinCEN’s five-pillar AML compliance standard as it has stood since the customer due diligence (CDD) rule took effect in 2018, with a number of additions and nuances for the PPSI context.

As the starting point, PPSIs would need to establish and maintain a written AML compliance program that is appropriately risk-based and approved by the board or senior management. The program must cover all five pillars: 1) internal policies, procedures, and controls, 2) the designation of a compliance officer, 3) training, 4) independent audits, and 5) CDD.

The CDD requirement, including beneficial ownership verification, would be limited to a PPSI’s direct (primary market) customers. However, the CDD process includes developing an understanding of the nature and purpose of a customer relationship sufficient to build a customer risk profile, including a normal baseline of expected customer activity, and conducting ongoing monitoring in order to report deviations or otherwise suspicious transactions. This requires PPSIs to look at how their direct customers interact in the secondary market. Specifically, CDD may need to factor in the customer’s jurisdiction (and the applicable regulatory environment), operating history, scope of services, markets/customers, and agents, intermediaries or other partners. In practice, for a PPSI, this will often require some use of blockchain analytics as well as off-chain resources. FinCEN describes this expectation in typical FinCEN fashion:

  • Although the proposed rule would not impose a standalone, independent obligation on a PPSI to monitor secondary market transactions, consideration of such activity may be appropriate in the PPSI’s development and maintenance of a customer risk profile (e.g., public blockchains may indicate that a digital assets exchange that is a PPSI customer is engaged in deposits or withdrawal activity of the PPSI’s stablecoin with addresses attributed to illicit actors).

What FinCEN may giveth with one hand, it taketh away with the other, and the secondary market comfort for PPSIs is cold indeed. While acknowledging that PPSIs are drastically different from banks, FinCEN expects these requirements (including following the future issuance of a companion PPSI CIP rule) “will closely adhere to existing BSA requirements that apply to many other types of financial institutions, including banks.”

The proposed rule is clearer when it comes to SAR filing obligations for PPSIs, which will not apply to secondary market transactions. As FinCEN put it, a SAR filing obligation is not triggered by third party transfers that merely result “in an interaction with a permitted payment stablecoin issuer’s smart contract.” Even though the secondary market is where illicit activity is concentrated, FinCEN imposed this limitation because the government does not want a tsunami of useless, defensive SARs by PPSIs that do not have unique information to offer about secondary market transactions.

But storm clouds may be on the horizon, depending on what happens with the GENIUS Act’s “DeFi loophole,” as FinCEN acknowledged that secondary market SARs by PPSIs “could net highly useful information, particularly where the transfers do not occur through BSA-regulated institutions,” underscoring that this leniency is only based on a “preliminary determination.”

The PPSI SAR filing obligations that have been proposed are consistent with the existing requirements for stablecoin issuers regulated as MSBs, though with a higher $5,000 (rather than $2,000) threshold, aligning the PPSI SAR threshold with the bank threshold. Consistent with FinCEN’s longstanding rule, a PPSI would enjoy the safe harbor under the BSA for any SAR that it files voluntarily and in good faith.

While the GENIUS Act does not require FinCEN to impose CTR requirements on PPSIs, FinCEN has proposed doing so. FinCEN acknowledged that “presently, stablecoin issuers rarely transact in physical transfers of currency. FinCEN nevertheless considers it prudent to allow for the possibility that this could change, with PPSI activity expanding to encompass retail, brick-and-mortar locations where currency could be used, or even kiosks that resemble automated teller machines (ATMs).” Importantly, though, the CTR requirement will not apply to stablecoin transactions (as it similarly excludes checks, wires, etc.), but will be limited to a “physical transfer of currency.”

The proposal would impose FinCEN’s Recordkeeping Rule on PPSIs (including the $3,000 threshold), as well as the Travel Rule, consistent with the existing obligations of MSBs.

Additionally, PPSIs would be required to implement FinCEN’s: 1) Enhanced Due Diligence rules for foreign financial institution correspondent accounts (defined broadly in the NPRM), as well as private banking accounts (retaining the existing definition), and 2) Special Measures (e.g., under Section 311 of the PATRIOT Act).

OFAC Sanctions Compliance Program Obligations

There’s much less nuance to the NPRM’s approach to PPSI sanctions compliance expectations, beyond the notable fact that this would be the first time that OFAC (or any federal law or regulation) has explicitly mandated that a particular category of U.S. person implement a sanctions compliance program.

Otherwise, the details are not new, and OFAC essentially ties this obligation for PPSIs to its 2019 “Framework for OFAC Compliance Commitments,” as well as the more granular “best practices” set out in OFAC’s “Sanctions Compliance Guidance for the Virtual Currency Industry.” Moreover, many elements of OFAC’s compliance program expectations overlap with FinCEN’s proposed AML compliance program requirements (i.e., senior management commitment, risk assessments, internal controls, testing and auditing, and training), only with a sanctions focus.

OFAC’s requirements are another reason why PPSIs will need to have a process to monitor, as well as capabilities to control, secondary market transactions. OFAC states this explicitly, and FinCEN provides its view that stablecoin issuers often already have these processes and capabilities in place. The GENIUS Act, and the NPRM, affirmatively require PPSIs to have the technical capabilities and policies and procedures to block and reject transactions and to comply with lawful orders (e.g., certain DOJ seizure warrants and court orders). OFAC states explicitly that a stablecoin interacting with a PPSI’s smart contract, even on the secondary market, may be viewed as being within the “possession or control” of the PPSI and in such cases must be blocked when an OFAC-blocked person has an “interest” in the transaction. In practice, this requires the PPSI to block, freeze, or reject any of its tokens reaching a sanctioned wallet, even in peer-to-peer transfers in which the issuer is not a direct party.

Furthermore, OFAC’s Virtual Currency Industry Guidance suggests, among other tools, the use of blockchain analytics to monitor the secondary market, and OFAC does not impose any specific limitations on PPSI secondary market obligations in the way FinCEN does. Rather, OFAC’s general risk-based standards and expectations will govern.

Additionally, PPSIs would be required to provide to OFAC, upon request, any certifications submitted to the PPSI’s primary payment stablecoin regulator regarding its implementation of an effective sanctions compliance program. Otherwise, OFAC’s standard recordkeeping and reporting requirements will apply. Notably, OFAC’s recordkeeping requirements have been extended to 10 years, to match the new statute of limitations.

Next Steps

Prospective PPSIs should begin building their AML and OFAC compliance programs now, and/or do a gap assessment against an existing program with a strategy for enterprise-wide integration. It is important to start from the outset with examination-ready documentation, including written AML and sanctions policies, a thoughtful risk assessment, a designated compliance officer, a training curriculum, an independent testing program, a reporting process, and a roadmap for integrating monitoring, blocking and rejecting capabilities into smart contracts. At the same time, institutions looking to partner with PPSIs, including banks, should refresh their third-party risk management frameworks to account for the unique attributes of PPSIs, particularly the secondary-market control obligations.

While the proposed rule provides more detail about how the government is thinking about financial crimes compliance expectations under the GENIUS Act, many questions remain unanswered, such as how PPSIs and others are to comply with the Travel Rule in the unique context of blockchain transactions, and what FinCEN’s forthcoming GENIUS Act CIP rule will say. Additionally, the NPRM would not impose its compliance obligations on foreign payment stablecoin issuers, which currently have less clarity about what will be expected of them. Moreover, FinCEN’s decision — at least for now — not to require PPSIs to submit SARs for secondary market transactions raises a question of how the government will approach that, particularly when it comes to peer-to-peer transactions and decentralized protocols.

Comments on the proposed rule are due June 9, 2026.

Compliments of Troutman Pepper Locke – a President’s Circle Member of the EACCNY 
