The past month has seen two significant developments in the implementation of anti-money laundering and countering the financing of terrorism (“AML/CFT”) requirements for Permitted Payment Stablecoin Issuers (“PPSIs”) under the Guiding and Establishing National Innovation for U.S. Stablecoins Act (“GENIUS Act”).
First, on June 9, 2026, the comment period closed on a proposed rule issued by the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”). The proposed rule (“AML/CFT Program NPRM”), which we addressed in a prior Client Alert, is intended to implement the requirement that PPSIs maintain AML/CFT and sanctions compliance programs. FinCEN and OFAC received nearly ninety comments on the AML/CFT Program NPRM from a range of stakeholders, including PPSIs, digital asset industry groups, financial institutions, and public interest organizations.
Second, on June 18, 2026, FinCEN and the federal prudential regulators issued a Notice of Proposed Rulemaking (“CIP NPRM”) to implement a customer identification program (“CIP”) requirement for PPSIs.
This client alert highlights key takeaways from comments on the AML/CFT Program NPRM and from the CIP NPRM.
Commenters expressed a range of views on how AML/CFT obligations should apply to “secondary market” transactions where the PPSI is not directly a party to the relevant transaction. Such transactions could include, for example, the purchase of a stablecoin from an intermediary or the transmittal of a stablecoin from a self-hosted or third-party wallet. In the AML/CFT Program NPRM, FinCEN imposed only specific, defined obligations on PPSIs with respect to secondary market activity.
Reacting to this proposal, several commenters argued that the boundary between primary and secondary transactions is open to interpretation. For example, one commenter noted that FinCEN’s proposed § 1033.320(g) would exclude secondary market transactions from suspicious activity report (“SAR”) obligations on the basis that such transactions are not conducted “by, at, or through” a PPSI. By contrast, OFAC’s definition of “payment stablecoin-related activity” would encompass all activity involving a payment stablecoin “from the time of issuance until removal from circulation,” potentially subjecting the same transactions to sanctions compliance obligations. In light of this tension, industry commenters urged the Treasury Department to anchor AML/CFT and sanctions obligations to circumstances in which PPSIs are acting as issuers or custodial intermediaries, rather than extending such obligations to transactions involving non-custodial participants or infrastructure providers that do not themselves qualify as PPSIs.
Other commenters raised concerns that the primary and secondary market distinction may create regulatory gaps. One commenter, a financial institution trade association, observed that primary market transactions—often limited to interactions between PPSIs and large financial institutions that distribute stablecoins to end users—may not capture much of the activity that presents AML/CFT and sanctions risks. Another commenter argued that PPSIs should be subject to ecosystem-wide monitoring expectations and that the Treasury Department clarify that certain smart contract interactions could give rise to SAR obligations.
The AML/CFT Program NPRM would require PPSIs to maintain technical capabilities to “block, freeze, and reject” transactions across both primary and secondary market activity and to comply with “lawful orders,” defined to include orders issued by a court or authorized federal agency that require the seizure, freezing, burning, or prevention of the transfer of payment stablecoins. This proposed framework prompted significant comment.
First, some commenters urged the Treasury Department to clarify the definition and scope of a “lawful order.” In particular, one commenter noted that PPSIs may currently be capable of only freezing or seizing entire wallets—rather than individual coins—raising questions about the feasibility of implementing certain orders. Commenters also sought greater clarity regarding the technical requirements associated with key concepts such as “seize,” “freeze,” and “burn.” While some commenters favored a more flexible, principles‑based approach, others advocated for more defined standards to promote consistency in implementation.
Second, commenters raised concerns regarding the proposed standard of “reasonable particularity” for lawful orders, noting that its ambiguity could lead to divergent approaches across PPSIs, depending on risk tolerance. Some commenters urged the Treasury Department to adopt clearer, bright‑line requirements—such as mandating identification of specific wallet addresses—while others supported a more flexible standard under which PPSIs would act only where an order is sufficiently precise in context.
Finally, commenters questioned how the definition of “account” should apply in the context of lawful orders. Some commenters urged FinCEN to clarify that wallet addresses are within scope, asserting that law enforcement typically identifies on‑chain activity at that level and that relevant technical controls should operate accordingly. Others cautioned that expanding the definition could extend customer identification and due diligence obligations to anonymous or indirect secondary market participants.
Commenters raised concerns regarding potential liability exposure, particularly with respect to good‑faith compliance efforts and the operation of sanctions compliance programs.
A recurring issue among commenters involved the treatment of actions taken in good faith absent a lawful order. Although FinCEN’s proposed 31 C.F.R. § 1033.320(e) would provide a safe harbor for making required or voluntary SARs and for declining to notify affected persons, commenters argued that comparable protections should apply to other actions, such as blocking transactions or freezing stablecoins. In their view, this asymmetry could create adverse incentives, including discouraging proactive monitoring and intervention.
Commenters proposed two principal approaches to addressing this gap. Some urged the Treasury Department to adopt a safe harbor modeled on Section 305 of the proposed Digital Asset Market Clarity Act (“CLARITY Act”), which would provide liability protections for good‑faith efforts to impose voluntary holds on transactions. Others acknowledged that the Treasury Department may lack authority to adopt such protections absent further congressional action, and instead encouraged the Department to highlight this limitation and work with Congress to establish an appropriate statutory safe harbor.
FinCEN and OFAC have proposed that the AML/CFT Program NPRM, if adopted, take effect one year after issuance of a final rule. Industry commenters, however, raised concerns regarding whether this timeline would provide sufficient opportunity for PPSIs to develop compliant systems and infrastructure. By contrast, some public interest commenters supported shorter timelines for core AML and sanctions controls, suggesting that baseline obligations could take effect within 180 days, with longer periods reserved for more complex technological changes.
The CIP NPRM would require all PPSIs to establish and maintain written, risk‑based CIPs as part of their broader BSA compliance frameworks. The proposal is broadly consistent with requirements applicable to banks, money services businesses, and other BSA‑regulated financial institutions.
Each PPSI must implement procedures enabling it to form a reasonable belief that it knows the true identity of its customers. As proposed, a PPSI’s CIP would include procedures to collect identifying information from each customer prior to account opening—including name, date of birth, address, and a taxpayer identification number or other government‑issued identification number—as well as risk‑based procedures to verify customer identity using documentary and/or non‑documentary methods. A PPSI is required to tailor its CIP to the PPSI’s size, type of business, accounts, and the type of identifying information available. The proposal also would require PPSIs to maintain records of identifying information and to implement procedures to determine whether a customer appears on applicable government lists, including lists of known or suspected terrorists.
Like the proposed AML/CFT Program NPRM, the CIP NPRM distinguishes between primary market activity, in which a PPSI interacts directly with a user or holder of a payment stablecoin, and secondary market activity, in which the PPSI is not a party to the transaction other than via a smart contract.
This distinction reflects a fundamental feature of the stablecoin ecosystem identified in the CIP NPRM: stablecoin issuers typically transact with a relatively small number of institutional counterparties—such as digital asset exchanges and other financial institutions—which in turn distribute stablecoins to a broader set of users. As a result, issuance and redemption activity generally occurs at the institutional level, while much of the downstream activity takes place through intermediaries or in decentralized environments where the stablecoin issuer does not maintain a direct relationship with end users.
The CIP NPRM would limit customer identification obligations to circumstances in which a PPSI forms a direct account relationship with a customer, principally in connection with primary market activity. In doing so, the proposal reflects a deliberate policy choice to anchor CIP requirements to formal customer relationships, rather than extending such obligations across all transactions involving a payment stablecoin.
The CIP NPRM adopts a risk‑based approach to customer identification and verification. Rather than prescribing uniform verification methods, the proposal would permit PPSIs to tailor their procedures based on their size, business model, customer base, and risk profile, consistent with the GENIUS Act’s directive that BSA obligations be calibrated to the size and complexity of each PPSI.[1]
The CIP NPRM contemplates that PPSIs may leverage existing onboarding frameworks, including enterprise‑wide compliance programs, provided that those programs are reasonably designed to address the risks and legal obligations applicable to each entity. For example, where a PPSI is a subsidiary of an insured depository institution, the enterprise may extend a single AML/CFT program and adopt an enterprise‑wide CIP.
Further, like banks, a PPSI may rely on another federally regulated institution’s CIP with respect to customers that maintain a relationship with that institution, provided that the institution is subject to AML/CFT requirements that include CIP obligations and is supervised by a federal functional regulator. Such reliance must be reasonable and supported by a contractual agreement under which the relied‑upon institution certifies annually that it maintains an AML/CFT program and will perform specified CIP functions. Reliance does not transfer ultimate responsibility, and PPSIs remain accountable for the effectiveness of their CIP and overall compliance. The proposal also identifies a potential “disparity,” in that reliance is limited to federally regulated financial institutions and therefore excludes entities not subject to a federal functional regulator, including certain state‑qualified PPSIs.
For more information about the AML/CFT Program NPRM, CIP NPRM, or GENIUS Act, please contact the members of Covington’s Financial Services, Trade Controls, and White Collar Investigations practice.
[1] 12 U.S.C. § 5903(a)(5)(B).