FinCEN and OFAC Propose AML Sanctions Rules for Stablecoin Issuers Under GENIUS Act
Summary
FinCEN and OFAC jointly published a Notice of Proposed Rulemaking on April 8, 2026, to implement the GENIUS Act, which creates the first federal regulatory framework for U.S. payment stablecoins. The proposed rule would treat permitted payment stablecoin issuers as "financial institutions" under the Bank Secrecy Act, requiring them to establish AML/CFT programs and maintain effective sanctions compliance programs—the first time such compliance programs have been mandated by law. The rule would apply to three qualifying entity types: subsidiaries of insured depository institutions or credit unions, federal-qualified payment stablecoin issuers, and state-qualified issuers.
Technology companies and financial institutions exploring payment stablecoin issuance should assess whether they meet the GENIUS Act's narrow PPSI definition before the comment period closes, as compliance obligations under the proposed rule would apply upon finalization.
About this source
GovPing monitors JD Supra Finance & Banking for new banking & finance regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 398 changes logged to date.
What changed
FinCEN and OFAC have jointly published a proposed rule implementing the GENIUS Act's directive to treat permitted payment stablecoin issuers as financial institutions under the Bank Secrecy Act. The proposed rule would require PPSIs to establish written AML/CFT programs, file CTRs and SARs, and maintain effective sanctions compliance programs—the first time such compliance has been mandated by law.
Affected parties include any entity seeking to qualify as a PPSI, including technology companies that must acquire or partner with a PPSI subsidiary to enter the stablecoin market. The rule's requirements mirror existing BSA obligations applicable to money service businesses but establish a separate PPSI classification distinct from MSB status.
Archived snapshot
Apr 23, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
April 22, 2026
FinCEN and OFAC Propose AML/Sanctions Rules for Stablecoin Issuers Under GENIUS Act
Andrew Balthazor, Gabriel Caballero Jr., Stephanie Connor, Siana Danch, Andres Fernandez, Peter Hardy, Kristen Jimenez, Camila Lopez, Daniel Noste, Matt Rosenbaum, Madeline Schonberger
Holland & Knight LLP
Highlights
- The Financial Crimes Enforcement Network (FinCEN) and U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on April 8, 2026, jointly published a proposed rule to implement the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act), a 2025 law creating the first federal regulatory framework for U.S. payment stablecoins.
- The GENIUS Act mandated that permitted payment stablecoin issuers (PPSIs) be treated as financial institutions for purposes of the Bank Secrecy Act (BSA), requiring certain anti-money laundering and countering the financing of terrorism (AML/CFT) compliance obligations. Critically, PPSIs will be required to maintain effective sanctions compliance programs, the first time that such compliance programs have been mandated by law.
- This Holland & Knight alert summarizes the key requirements and identifies critical considerations for prospective PPSIs.
The Financial Crimes Enforcement Network (FinCEN) and U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on April 8, 2026, jointly published a Notice of Proposed Rulemaking (Proposed Rule) implementing the Guiding and Establishing National Innovation for U.S. Stablecoins Act's (GENIUS Act) directive to treat permitted payment stablecoin issuers (PPSIs) as financial institutions for purposes of the Bank Secrecy Act (BSA). The agencies also issued a corresponding fact sheet.
As mandated by the GENIUS Act, the Proposed Rule:
- treats PPSIs as "financial institutions" covered by the BSA
- outlines anti-money laundering and countering the financing of terrorism (AML/CFT) obligations for PPSIs
- requires PPSIs to maintain effective sanctions compliance programs, the first time that such compliance programs have been mandated by law
In addition to requiring sanctions compliance programs, the Proposed Rule also requires risk assessments and sets forth a complicated examination and enforcement framework. Certain aspects of the Proposed Rule – such as those pertaining to risk assessments, FinCEN's consultative role in significant supervisory actions, and an emphasis on the need to focus attention and resources to higher-risk customers/activities – mirror FinCEN's proposals in an April 10, 2026, Notice of Proposed Rulemaking (AML/CFT Reform NPRM), which purports to "fundamentally reform the requirements for financial institutions' anti-money laundering and countering the financing of terrorism (AML/CFT) programs."
A Deliberately Narrow Framework
The GENIUS Act tightly defines what counts as a "payment stablecoin" and what entity may qualify as a PPSI. A qualifying stablecoin must be a digital asset "used or designed for payment or settlement," with the issuer "obligated to convert, redeem, or repurchase for a fixed amount of monetary value." Furthermore, PPSIs must maintain reserves backing each stablecoin on at least a one-to-one basis, "with reserves composed of certain specific, high-quality and liquid assets, including United States coins and currency; demand deposits; and Treasury bills, notes, or bonds."
A PPSI must be one of three entity types:
- a subsidiary of an insured depository institution or credit union approved by a primary federal payment stablecoin regulator
- a federal-qualified payment stablecoin issuer
- a state-qualified issuer
A technology company cannot simply decide to enter this market – it must acquire or become a PPSI, or partner with one as a subsidiary. The Proposed Rule anticipates that many PPSIs will exist as subsidiaries of insured depository institutions or as uninsured national banks.
Illicit Finance and National Security Concerns
The Proposed Rule devotes considerable attention to how illicit actors have exploited stablecoins. The U.S. government has linked stablecoins to a broad range of illicit activity, including laundering of illicit proceeds, scams and frauds, terrorist financing and weapons proliferation, and narcotics production and trafficking. Bad actors use stablecoins to circumvent sanctions and move funds on behalf of sanctioned actors, including Russian elites, sanctioned digital asset exchanges and the Democratic People's Republic of Korea. As FinCEN and OFAC explain, terrorist organizations prefer stablecoins "to avoid the volatility and price fluctuations that impact other digital assets and to facilitate more seamless conversion to fiat currency." Thus, illicit actors gravitate to stablecoins for the same reasons as legitimate users: stability and fungibility with the dollar.
A Targeted Approach: Not a Dragnet, Specific to the Digital Asset Economy
Throughout the Proposed Rule, FinCEN frequently draws on parallels to money transmitters, one of several types of money service businesses (MSBs) covered by the BSA. Currently, the BSA applies to many digital asset industry participants because they meet the definition of an MSB. A company qualifying as an MSB must, for example, establish written AML programs, file Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs), and maintain certain records. And because every U.S. person must comply with OFAC sanctions, an MSB also must – under sanctions laws – block, freeze or reject and report certain transactions. To limit overlapping obligations and confusion, FinCEN proposes a definition for PPSI separate from that of an MSB. In other words, a PPSI is not a sub-type of MSB but a standalone financial institution.
The proposed AML/CFT framework for PPSIs generally envisions a risk-tailored, efficiency-focused approach. Crucial to understanding the agencies' vision for PPSIs' compliance framework is understanding the technical nuances (both good and bad) of stablecoins and digital assets and how the underlying technology interplays with FinCEN's and OFAC's risk-tailored expectations. Indeed, owing to the public nature of blockchain-based transaction data, PPSIs have a wealth of transaction history for all addresses interacting with their issued assets – substantially more transaction information than is available to traditional financial institutions, including information that is required to "travel" between financial institutions. It remains to be seen how this bounty of information affects regulators' risk-tailored expectations regarding PPSIs' AML programs, although the Proposed Rule provides limits with respect to monitoring secondary market transactions – as explained further below.
Expected AML/CFT and Sanctions Compliance Requirements for PPSIs
In FinCEN's own words, the AML/CFT obligations for PPSIs "largely mirror" existing requirements applicable to other financial institutions covered by the BSA. Under the Proposed Rule, a PPSI would need to:
- establish and maintain a written AML/CFT program that is appropriately risk-based and approved by the board of directors or an equivalent governing body or appropriate senior management
- maintain internal policies, procedures and controls reasonably designed to ensure compliance with the BSA and applicable regulations; the internal policies, procedures and controls would need to include risk assessment processes, mitigation of money laundering/terrorist financing risks and ongoing Customer Due Diligence
- establish independent AML/CFT program testing based on objective criteria
- designate an individual located in the United States responsible for establishing and implementing the AML/CFT program, as well as coordinating and monitoring day-to-day compliance
- establish an ongoing employee training program
Although many financial institutions covered by the BSA have been implementing voluntary risk assessment processes for years, the Proposed Rule would make those risk assessment processes mandatory. This obligation tracks the AML/CFT Reform NPRM's new requirement for a risk assessment.
A First-of-Its-Kind Sanctions Mandate
Critically, the GENIUS Act's sanctions compliance program requirement represents "the first time that Federal law has explicitly mandated that a particular U.S. person have an effective sanctions compliance program."
These requirements incorporate the compliance best practices previously recommended by OFAC in its 2019 Compliance Framework. OFAC's proposed sanctions compliance program strongly overlaps with the key provisions for FinCEN's proposed AML/CFT program: senior management and organizational commitment, risk assessments, internal controls, testing and auditing, and training.
Additionally, both FinCEN and OFAC stress the importance of a culture of compliance to be fostered and supported by the company's management. Such a culture "involves demonstrable support and visible commitment from leadership, the dedication of adequate resources to AML/CFT compliance … and understanding across leadership and staff levels of the importance of BSA reports [such as SARs]."
AML/CFT and Sanctions Considerations Tailored to PPSIs
Terms of Significance
The Proposed Rule relies on three key terms: smart contracts, primary market and secondary market. An understanding of all three terms is key to the proposed compliance framework, particularly when it comes to the scope of SAR filing and transaction monitoring.
The Proposed Rule explains that most stablecoin issuers use "smart contracts" to issue stablecoins and control post-issuance transactions involving those stablecoins. Smart contracts provide a body of rules governing stablecoin transactions, including governing how those transactions take place and with whom those stablecoins may be transacted. Unlike a traditional financial institution issuing conventional derivatives or other financial instruments, a stablecoin issuer has the novel capability to control the issued asset – even when held by third parties. Most major stablecoin issuers use a smart contract blacklist function to prohibit specific addresses from interacting with stablecoins, which can also be employed to permanently remove stablecoin from circulation. Other token issuers may employ a whitelist to achieve a greater degree of control over who may transact their tokens. Indeed, the GENIUS Act requires PPSIs to have the technical capability to block, freeze, and reject specific or impermissible stablecoin transactions, including primary and secondary market transactions.
The Proposed Rule uses the term "primary market" to generally describe a PPSI interacting directly with a user or holder of a payment stablecoin, such as when a PPSI engages in issuing and redeeming payment stablecoins. The term "secondary market" describes payment stablecoin activity that does not directly involve the PPSI as a party to the transaction other than via a smart contract. Secondary market transactions include, for example, an individual purchasing payment stablecoins from an intermediary, exchanging payment stablecoins for another digital asset via a digital asset exchange, or person-to-person transactions in payment stablecoins.
The Targeted Scope of SAR Reporting for PPSIs Aligns with a Focus on Effectiveness
PPSIs will be required to file SARs. FinCEN proposes a monetary SAR filing threshold of $5,000 for PPSIs, which is the same threshold for banks rather than MSBs (which is $2,000), because, amongst other reasons, FinCEN found that primary market transactions below $5,000 are rare.
Further, FinCEN explicitly limited the breadth of potential SAR reporting for PPSIs by not imposing a secondary market SAR reporting obligation. FinCEN recognizes "that the majority of illicit finance involving payment stablecoins occurs on the secondary market." Nonetheless, FinCEN reasons that "a blanket obligation to report suspicious activity on secondary market transactions could lead to PPSIs being overly cautious and filing a substantial number of defensive SARs to avoid criticism from examiners about underreporting. Such defensive SARs can have little value for law enforcement and other users attempting to combat illicit finance." Further – and aligned with the scope of SAR reporting for PPSIs – FinCEN is not proposing to require a PPSI, as part of an AML/CFT program, to monitor secondary market activity. The proposed compliance framework focuses on where PPSIs have meaningful information and control: primary market activities, including issuance, redemption and direct customer relationships.
The circumscribed SAR obligation aligns with the agencies' tailored compliance focus, to be codified in the regulation itself at proposed 31 C.F.R. § 1033.210: "directing more attention and resources toward higher-risk customers and activities, consistent with the risk profile of the permitted payment stablecoin issuer, rather than toward lower-risk customers and activities." A flexible approach is also evident in the risk-assessment requirement: PPSIs must "evaluate ML/TF risks and review and incorporate the AML/CFT Priorities, as appropriate, with updates to risk assessment processes promptly upon any change that the PPSI knows or has reason to know significantly changes the PPSI's ML/TF risks." Ultimately, the Proposed Rule, as well as the AML/CFT Reform NPRM, emphasizes that compliance obligations and expectations should focus on effectiveness "rather than mere technical compliance."
PPSIs still will need to be vigilant as to changes to risk exposure and timely remediation. FinCEN reiterates that an effective AML/CFT program cannot be a one-time creation but rather a PPSI must keep its program "current as the PPSI's risk profile changes[.]" Although FinCEN may not require a PPSI to monitor secondary market activity, it expects a PPSI to "understand the risk its customers pose as part of its due diligence, as well as its distribution channels, including the blockchains on which its payment stablecoins are deployed." Failing to update the program to reflect significant changes to the PPSI's risk profile may subject the PPSI to potential enforcement.
Reconciling the GENIUS Act's Technical Mandates with the Primary and Secondary Markets
A PPSI must have "technical capabilities, policies, and procedures to block, freeze, and reject specific or impermissible transactions that violate Federal or State laws, rules, or regulations."
Even though this requirement is described as "novel," the agencies recognize that U.S. persons already have been subject for many years to sanctions compliance laws, and the Proposed Rule stresses that PPSIs must act appropriately with respect to transactions that violate or would violate U.S. sanctions regulations. This is true for both primary and secondary market transactions. For example, in the primary market, a stablecoin issuer is required to block a stablecoin transaction where a blocked person has an interest in the stablecoin. In the secondary market, a stablecoin issuer cannot allow a blocked person to engage with the stablecoin issuer's smart contract to facilitate trades of stablecoins on the secondary market. FinCEN explains that it considered alternative and more detailed provisions regarding technical capability but ultimately decided to grant PPSIs flexibility to implement the requirement and make any necessary adaptations.
Further, a PPSI can only issue payment stablecoins if the issuer has the technological capability to comply and will comply with the terms of any "lawful order." Generalizing, this is an order issued or promulgated by a federal agency or court to seize, freeze, burn or prevent the transfer of payment stablecoin. Again, FinCEN declined to "provide regulatory text relating to technological capabilities, providing PPSIs the flexibility to use various methods to meet the proposed obligation and account for the development and implementation of new technology."
To fulfill these overlapping obligations, PPSIs are required to have insight and control over transactions on the secondary market through smart contracts. This proposal recognizes something unique about stablecoin issuers: Unlike traditional financial institutions, which lose visibility over funds once they leave custody, stablecoin issuers can exercise some control over their tokens wherever they flow on-chain. As previously explained, major issuers already employ freeze functions or blacklist capabilities in their smart contracts.
Examination, Enforcement and FinCEN Consultation
FinCEN proposes to delegate its authority to examine PPSIs to three groups.
First, PPSIs that are regulated for safety and soundness by a primary federal payment stablecoin regulator – the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC) and National Credit Union Association (NCUA) – will be examined by these same federal regulators.
Second, a state-qualified payment stablecoin issuer with a consolidated total outstanding issuance of not more than $10 billion payment stablecoins may opt for regulation under a state-level regulatory regime, but this is only possible where the state-level regulatory regime is "substantially similar" to the federal regulatory framework under the GENIUS Act. State-qualified payment stablecoin issuers that exceed the $10 billion threshold must either transition to the regulatory framework of the primary federal payment stablecoin regulator or obtain a waiver to remain solely supervised by a state payment stablecoin regulator. On April 3, 2026, the Treasury Department issued a notice of proposed rulemaking setting forth "broad-based principles for determining whether a State-level regulatory regime is substantially similar to the Federal regulatory framework[;]" this proposal includes requirements regarding reserve requirements, AML and sanctions compliance, the application process and other matters.
Third, the IRS will examine PPSIs that are not examined for BSA compliance by the OCC, FRB, FDIC, or NCUA, and that are not otherwise supervised by a federal functional regulator. The IRS would examine in two scenarios. First, the state-qualified payment stablecoin issuer's outstanding issuance is not more than $10 billion. Second, and in the alternative, the primary federal payment stablecoin regulator has granted the PPSI a waiver to allow the PPSI to remain supervised by a state payment stablecoin regulator. FinCEN views the IRS as well-positioned to handle these PPSI examinations because it already conducts exams for other financial institutions (e.g., MSBs) and has a strong relationship with both FinCEN and state regulators. FinCEN anticipates several hundred examiners from the IRS – an expansion on the IRS' responsibilities at a time when the IRS has seen a dramatic reduction in its workforce and funding. It remains to be seen how the IRS handles its new responsibilities under the GENIUS Act while executing its primary taxing duties.
Just as FinCEN has done in the AML/CFT Reform NPRM, FinCEN proposes to establish a notice and consultation framework for when a primary federal payment stablecoin regulator initiates a "significant AML/CFT supervisory action" in order to allow FinCEN the opportunity to review and provide input on the potential action. The Proposed Rule defines a "significant action" as "any written communication or other formal supervisory determination issued by FinCEN or a primary Federal payment stablecoin regulator … that, in either case"
(i) Identifies one or more alleged deficiencies, weaknesses, violations of law, or unsafe or unsound practices or conditions relating to an AML/CFT requirement;
(ii) Communicates supervisory expectations to a permitted payment stablecoin issuer regarding actions or remedial measures required to correct the deficiency, weakness, violation, or practice or condition; and
(iii) Contemplates significant or programmatic actions or remedial measures to be taken by the permitted payment stablecoin issuer.
The term does not include examiner observations, suggestions or other informal comments.
It is unclear exactly how this notice and comment framework would work, and it raises numerous practical issues such as the real-world import of FinCEN's "input" to a fellow regulator. When reviewing a proposed action by a primary federal payment stablecoin regulator, FinCEN would consider several factors outlined in proposed 31 C.F.R. § 1033.221(d), including
the extent (if any) to which the permitted payment stablecoin issuer, where appropriate in light of its size, complexity, and risk profile, has advanced the AML/CFT priorities by providing highly useful information to law enforcement authorities or national security officials, conducting proactive analytics, or performing other innovative activities producing demonstrable outputs evincing the effectiveness of the permitted payment stablecoin issuer's AML/CFT program (including effective use of artificial intelligence, federated learning, and other advanced monitoring tools).
Accordingly, PPSIs that deploy AI-driven analytics, federated learning for privacy-preserving information sharing or other advanced tools – and can demonstrate their effectiveness – may receive more favorable treatment.
What This Means
Comments to the Proposed Rule are due June 9, 2026. FinCEN and OFAC have invited comments on many topics. Some of the most important and complex topics, which PPSIs will face well after the regulations are finalized as a matter of day-to-day compliance practicalities, include the following:
- What circumstances necessitate the updating of a risk assessment?
- Should PPSIs file SARs on secondary market transactions? If not, how might secondary market transactions nonetheless affect compliance relating to sanctions, customer due diligence and other issues?
- What technical or operational controls should PPSIs implement as to their capabilities to block, freeze and reject to comply with U.S. sanctions, including blocking stablecoins of blocked persons traded on the secondary market or rejecting transactions on the secondary market that involve sanctioned jurisdictions?
- Because PPSIs must have the capability to block certain transactions to comply with lawful orders or sanctions requirements, what are a PPSI's reporting requirements for attempted – but blocked – transactions?
- How will a PPSI be evaluated regarding the sufficiency of its technological capability to comply with the terms of any "lawful order" regarding its issued stablecoin?
- How would the proposed "notice and consultation" framework for "significant AML/CFT supervisory actions" work in practice?
The public comment period is an opportunity to address the business impact of the Proposed Rule before it is finalized.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Source document text, dates, docket IDs, and authority are extracted directly from Holland & Knight LLP.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.