On April 8, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) jointly issued a Notice of Proposed Rulemaking (“NPRM”) to implement the anti-financial crime provisions of the Guiding and Establishing National Innovation for U.S. Stablecoins Act (“GENIUS Act”).
The NPRM would establish a comprehensive anti-money laundering and countering the financing of terrorism (“AML/CFT”) framework for permitted payment stablecoin issuers (“PPSIs”) under the Bank Secrecy Act (“BSA”). Significantly, the NPRM implements the first requirement under federal law that a particular type of U.S. person (i.e., PPSIs) affirmatively maintain an “effective sanctions compliance program.”
The NPRM is the latest in a series of rulemakings to implement the GENIUS Act, including a proposed rule addressing the licensing, supervision and enforcement framework for PPSIs issued in February. The substance of the rule builds on the Treasury Department’s broader AML/CFT modernization efforts, including FinCEN’s recent proposal to reform AML/CFT program requirements across existing categories of BSA-regulated financial institutions, as discussed in our prior alert.
Taken together, the proposed AML/CFT and sanctions program requirements would bring PPSIs within the BSA framework through a set of tailored, programmatic obligations that align with recent reforms while accounting for the technological and operational features of stablecoin‑based payment activity.
FinCEN and OFAC are requesting comments on all aspects of the NPRM by June 9, 2026, notably including a series of specific topics/questions that are set out in the NPRM.
1. The NPRM would establish a stand-alone BSA framework for PPSIs.
The NPRM would implement the GENIUS Act’s directive that PPSIs be treated as “financial institutions” for purposes of the BSA. FinCEN proposes to do so by establishing a stand‑alone BSA framework for PPSIs in a new Part 1033 of 31 C.F.R. chapter X. Currently, stablecoin issuers may be subject to BSA obligations as money transmitters, a type of money service business (“MSB”). The NPRM would expressly carve PPSIs out of the definition of MSB, clarifying that PPSIs would be subject to a distinct set of obligations and supervisory expectations tailored to payment stablecoin issuance.
2. The proposed AML/CFT program requirements align with those in FinCEN’s recent BSA reform proposal for banks and other financial institutions, with targeted PPSI-specific modifications.
Under proposed Part 1033, the NPRM would impose on PPSIs a set of AML/CFT program requirements that largely track the core programmatic obligations applicable to other BSA‑regulated financial institutions, including as reflected in FinCEN’s recent proposals to reform AML/CFT program requirements across existing financial institution categories, which we discussed in our prior alert.
Specifically, the NPRM would require PPSIs to establish and maintain an “effective” AML/CFT program by incorporating (1) risk‑based internal policies, procedures, and controls; (2) independent testing; (3) designation of an AML/CFT officer; (4) ongoing employee training; and (5) customer due diligence. The proposal would also expressly codify risk assessment requirements as part of the AML/CFT program rule, including consideration of the AML/CFT National Priorities,[1] and would require PPSIs to allocate resources toward higher‑risk activities in a manner consistent with the effectiveness‑based approach reflected in FinCEN’s broader BSA modernization efforts.
Although specifically required by the GENIUS Act, the NPRM does not impose a customer identification program obligation, which “is the subject of a separate rulemaking.”
The NPRM includes several targeted requirements specific to payment stablecoin issuance, particularly with respect to the technical controls PPSIs must maintain as part of their AML/CFT compliance framework. For example, and as discussed further below, the NPRM would require PPSIs to establish technical capabilities, policies, and procedures designed to enable the blocking, freezing, or rejection of impermissible transactions and to ensure compliance with lawful orders relating to payment stablecoins.
Where a PPSI is subject to overlapping BSA obligations — such as where the PPSI operates as, or within, a depository institution, national trust bank, or MSB — the NPRM contemplates that the PPSI would be required to comply with both sets of obligations. This is similar to the current approach for complex institutions that operate, for example, both banking and broker-dealer entities, and FinCEN anticipates that such institutions will continue to be permitted to maintain a single, enterprise-wide AML/CFT program, so long as that program appropriately accounts for all applicable obligations.
BSA examination authority would be delegated to primary federal payment stablecoin regulators, which generally comprise the federal banking agencies and the National Credit Union Administration. Consistent with FinCEN and the banking agencies’ recently proposed approach for banks, PPSIs with properly established AML/CFT programs would not be subject to enforcement or significant supervisory action absent “significant or systemic” implementation failures.
3. The NPRM implements a statutory sanctions compliance program requirement for PPSIs – the first such requirement for a particular type of U.S. person.
In addition to the proposed AML/CFT program requirements, the NPRM would implement the GENIUS Act’s requirement that PPSIs establish and maintain an effective economic sanctions compliance program as a condition of operating as a PPSI. The GENIUS Act requires PPSIs to be formed in the United States, so PPSIs would be considered U.S. persons under existing OFAC regulations.[2] Because OFAC sanctions compliance programs apply on a strict liability basis, most U.S. persons typically adopt sanctions compliance programs to help control risk and mitigate penalties in the event of violations. These programs may track the Framework for OFAC Compliance Commitments (the “OFAC Framework”), compliance with which has been voluntary. However, as the NPRM notes, “[t]he sanctions compliance program requirement in the GENIUS Act . . . represents the first time that Federal law has explicitly mandated that a particular U.S. person have an effective sanctions compliance program.”
In order to effectuate the GENIUS Act’s effective sanctions compliance program requirement, OFAC has proposed a new Part 502 to Chapter V of the CFR that would require PPSIs to adopt a sanctions compliance program that includes five key elements outlined in the OFAC Framework, which was originally published in 2019. These five core elements are: (1) senior management commitment; (2) risk assessments; (3) internal controls; (4) testing and auditing; and (5) training. The NPRM would also require that sanctions compliance programs be risk‑based and tailored to a PPSI’s size, activities, and sanctions risk profile, including risks arising from payment stablecoin issuance and related activities.
Notably, the NPRM would impose certain recordkeeping requirements on PPSIs that extend beyond current obligations on U.S. persons under existing regulations administered by OFAC. First, PPSIs would be required to maintain records of the results and enhancements that are made to a PPSI’s sanctions compliance program in line with the testing and auditing mandated by the NPRM. Second, PPSIs would be required to provide upon request to OFAC any and all certifications submitted to the PPSI’s primary federal payment stablecoin regulator or state payment stablecoin regulator certifying that the PPSI has implemented an effective sanctions compliance program.
The NPRM would impose civil monetary penalties of not more than $100,000 per day for PPSIs that materially violate the requirement to maintain an effective sanctions compliance program, and would provide for an additional $100,000 penalty for each day during which a PPSI knowingly participates in a violation of the same.
4. The NPRM draws a distinction between transactions on the primary and secondary markets.
The NPRM distinguishes between primary market transactions and secondary market transactions, as defined below:
- Primary Market Transactions. Activity that involves a user or holder of a payment stablecoin as a party to a transaction, including issuing, redeeming, repurchasing, burning, and reissuing payment stablecoins.
- Secondary Market Transactions. Activity that does not involve the PPSI as a party to a transaction other than via a smart contract, including an individual purchasing payment stablecoins from an intermediary, an individual sending payment stablecoins from a self-hosted wallet to a vendor to purchase goods, an individual exchanging payment stablecoins for another digital asset via a digital asset exchange, or person-to-person transactions in payment stablecoins.
As “the majority of illicit finance involving payment stablecoins occurs on the secondary market,” the proposed rule would require PPSIs to maintain targeted technical capabilities to identify, block, freeze, and/or reject secondary market transactions; the proposed rule asks commenters for views on what these controls might look like in practice. At the same time, the proposed rule would not impose customer due diligence, ongoing monitoring, or suspicious activity reporting obligations with respect to secondary market activity. FinCEN explains in the NPRM that it has preliminarily assessed that the burden of requiring, for example, suspicious activity reports relating to secondary market transactions “would potentially outweigh the likely benefits.” Consistent with FinCEN’s longstanding approach, however, a PPSI would remain eligible for the statutory safe harbors under the BSA for any suspicious activity report that it voluntarily files.
5. Proposed definitions and Travel Rule clarifications may have broader implications beyond PPSIs.
The NPRM proposes a range of definitional additions and clarifications across FinCEN and OFAC regulations, including amendments to existing definitions and the introduction of several new defined terms. While directed at implementation of the GENIUS Act, these clarifications may have implications for other participants in the digital asset and payments ecosystem, including banks, MSBs, and digital asset intermediaries. With regard to FinCEN’s regulations, the NPRM would:
- Define the term “digital asset”. The NPRM would define “digital asset” as “any digital representation of value that is recorded on a cryptographically secured distributed ledger,” providing the first definition for a term that has appeared in various FinCEN guidance. The term appears, for example, in FinCEN’s widely cited 2019 Convertible Virtual Currency (“CVC”) Guidance. However, the NPRM states that the proposed definition is not intended to “alter or displace” existing aspects of FinCEN’s regulatory framework applicable to value that substitutes for currency or CVC.
- Amend the term “transmittal order”. The proposed rule would amend the definition of “transmittal order” to clarify that an order to pay a payment stablecoin constitutes a transmittal order for purposes of the BSA Recordkeeping and Travel Rules. The proposal builds upon FinCEN’s 2019 CVC Guidance, which previously identified certain transmittal orders involving CVC as subject to the Travel Rule. The NPRM explains that the proposed amendment is intended to confirm—rather than expand—the application of those requirements in the payment stablecoin context.
For more information about the NPRM, please contact the members of Covington’s Financial Services, Trade Controls, and White Collar Investigations practice.
[1] The Anti‑Money Laundering and Countering the Financing of Terrorism National Priorities issued pursuant to Section 6101(b) of the Anti-Money Laundering Act of 2020, codified at 31 U.S.C. § 5318(h)(4) (the “AML/CFT Priorities”).
[2] Under proposed 31 C.F.R. § 502.304, a “PPSI” is defined to be an “individual, partnership, company, corporation, association, trust, estate, cooperative organization, or other business entity, incorporated or unincorporated, that is formed in the United States and is: (a) a subsidiary of either an insured depository institution, as defined in section 3 of the Federal Deposit Insurance Act, 12 U.S.C. 1813, or an insured credit union, as defined in section 101 of the Federal Credit Union Act, 12 U.S.C. 1752, that has been approved to issue payment stablecoins, as defined in section 2(22) of the GENIUS Act, by a primary federal payment stablecoin regulator, as defined in section 2(25) of the GENIUS Act; (b) a federal qualified payment stablecoin issuer, as defined in section 2(11) of the GENIUS Act; or (c) a state qualified payment stablecoin issuer, as defined in section 2(31) of the GENIUS Act.”
Back
