Feature Regulatory Compliance
FinCEN and OFAC Just Put Stablecoin Issuers Under Bank-Level AML Rules — Here's What to Build Before January 2027
The GENIUS Act's AML proposed rule imposes SAR filing, CDD, and sanctions compliance on payment stablecoin issuers. Compliance teams have until January 2027.
Table of Contents
TL;DR
- On April 8, 2026, FinCEN and OFAC jointly proposed the first-ever AML and sanctions compliance framework for payment stablecoin issuers under the GENIUS Act
- PPSIs must file SARs at $5,000, implement CDD, designate a U.S.-based compliance officer, and maintain a formal sanctions program — the same playbook as banks
- Penalties top $100,000/day for sanctions violations; criminal penalties apply to willful AML failures
- Comment period closes 60 days after publication; compliance required by January 18, 2027 at the latest
If you’ve been operating a stablecoin and telling yourself “we’re a tech company, not a bank” — that position just expired.
On April 8, 2026, FinCEN and OFAC jointly issued a proposed rule that applies bank-level BSA/AML and sanctions compliance requirements to payment stablecoin issuers. This is the first time the U.S. government has imposed a formal sanctions compliance mandate on an entire category of U.S. persons. The comment period is open. The compliance clock is running.
Here’s what you need to know and what to start building.
What Is the GENIUS Act and Who Does This Apply To?
The GENIUS Act — Guiding and Establishing National Innovation for U.S. Stablecoins — was signed into law on July 18, 2025. It created the first federal licensing framework for payment stablecoins in the U.S. and directed federal agencies to implement implementing regulations within 12 months.
FinCEN and OFAC’s April 8 proposed rule is one of those implementing regulations. It targets permitted payment stablecoin issuers (PPSIs) — specifically:
- Federally chartered stablecoin issuers (licensed by OCC or the Federal Reserve)
- Bank subsidiaries issuing payment stablecoins
- State-licensed issuers whose state frameworks have been certified as meeting GENIUS Act federal standards
Non-licensed entities that continue issuing stablecoins are already illegal under the GENIUS Act. This rule is about the licensed ones — and it makes clear that getting a GENIUS Act license means accepting BSA and OFAC obligations in full.
What the Proposed Rule Requires
The proposed rule doesn’t create a lighter-touch crypto version of AML. It largely mirrors what FinCEN already requires of banks.
AML Program Requirements
PPSIs must establish a risk-based AML/CFT program with four core components:
- Internal policies, procedures, and controls — including written AML program documentation, risk assessment processes, and ongoing customer due diligence
- Independent program testing — periodic audits of the AML program by an independent function
- Designated U.S.-based compliance officer — with appropriate authority and resources
- Employee training — ongoing, documented training on AML obligations
If those four pillars sound familiar, it’s because they’re the same four pillars from FinCEN’s April 2026 AML program reform NPRM that applies to banks. FinCEN is deliberately harmonizing the frameworks.
Customer Due Diligence
PPSIs must implement CDD procedures covering:
- Identity verification for customers (KYC)
- Beneficial ownership collection for business customers — the same 25% threshold rule that banks follow
- Enhanced due diligence for high-risk accounts and relationships
- Ongoing monitoring to detect unusual transaction patterns
Suspicious Activity Reporting
The SAR threshold is $5,000 — the bank standard. PPSIs must file SARs when they detect:
- Transactions involving funds from illegal activity
- Transactions designed to evade reporting requirements
- Patterns suggesting structuring, layering, or other money laundering indicators
One important carve-out: FinCEN preliminarily declined to impose SAR obligations on secondary market stablecoin transactions, citing the limited counterparty information available to issuers in those contexts. That said, issuers still need to monitor secondary market activity for sanctions compliance purposes.
Record Retention
Transfers of $3,000 or more require records of:
- Sender/recipient identity
- Account information
- Date, amount, and type of transaction
This mirrors the bank Funds Transfer Rule requirements.
Sanctions Compliance Program
OFAC’s portion of the proposed rule is, in some ways, the bigger deal. This is the first time any category of U.S. person has been required by federal regulation to maintain a formal sanctions compliance program.
The required sanctions program must include:
- Risk-based internal controls to identify, block, and reject sanctionable transactions
- Screening transactions against OFAC’s Specially Designated Nationals (SDN) and other OFAC lists
- Technical capability to block, freeze, and seize stablecoins per lawful government orders — in both primary and secondary markets
- Policies for willful violation reporting
PPSIs that have been watching the Iran sanctions landscape should already understand why this matters. The Iran crypto sanctions enforcement actions from earlier this year made clear that OFAC treats stablecoin transactions to sanctioned parties the same as wire transfers.
Penalty Framework
The proposed rule comes with serious enforcement teeth.
| Violation Type | Maximum Penalty |
|---|---|
| Sanctions — material violation | $100,000 per day |
| Sanctions — knowing violation | Additional $100,000 per day |
| AML — willful violation | $71,545 per day |
| AML — criminal (individual) | Up to $250,000 + 5 years imprisonment |
These aren’t the startup-sized fines that some crypto enforcement actions have looked like. A six-month pattern of material sanctions violations — 180 days at $100,000/day — is $18 million before the additional “knowing” kicker.
The Timeline
The GENIUS Act gives regulators until July 18, 2026 to finalize implementing regulations. Compliance is required by the earlier of:
- January 18, 2027 (12 months after the GENIUS Act’s effective date), or
- 120 days after final regulations are published
If FinCEN finalizes this rule by July 2026, the 120-day clock puts effective compliance at approximately November 2026. Either way, you’re looking at well under 18 months to build a functional BSA/AML program from scratch if you don’t have one already.
The comment period closes 60 days after Federal Register publication. This is worth engaging — the secondary market SAR exclusion, the scope of “state-licensed issuer,” and the beneficial ownership triggers are all areas where industry input could shape the final rule.
Control Gap Analysis: What Stablecoin Issuers Are Missing
Most PPSIs — especially those that launched before or alongside the GENIUS Act — weren’t built to comply with BSA. Here’s where the gaps typically show up:
| Required Control | Common Gap in Stablecoin Issuers |
|---|---|
| Customer identification (CIP) | Basic KYC at onboarding, no ongoing monitoring |
| Beneficial ownership | Collected for business accounts only if asked, not required |
| SAR filing capability | No process, no workflow, no relationship with FinCEN BSA E-Filing |
| OFAC screening | SDN list checks at onboarding, not transaction-level |
| Technical freeze/block capability | Smart contract may not include freeze mechanisms |
| Independent AML audit | Never done; compliance is internal-only |
| BSA officer designation | No U.S.-based compliance lead with formal authority |
| AML training program | Ad hoc, not documented, not tracked |
The technical freeze capability gap is particularly acute. Many stablecoin smart contracts don’t include a pause or freeze function, or it’s controlled by the core dev team rather than a compliance function. Building this capability into a live protocol isn’t a software sprint — it requires governance changes, smart contract upgrades, and legal review.
What to Start Building Now
If you’re a PPSI — or if you’re advising one — here’s the build order:
Before the comment deadline:
- Review the proposed rule and decide whether to submit comments (especially on secondary market SAR exclusion and beneficial ownership scope)
- Conduct a gap assessment against the four-pillar AML program requirements
- Inventory your current OFAC screening coverage: where does screening happen, at what frequency, and does it cover the SDN list plus OFAC sector-specific lists?
By July 2026 (regulatory deadline):
- Designate a U.S.-based BSA officer with formal authority and board-approved mandate
- Draft written AML program documentation (policies, procedures, controls)
- Evaluate your smart contract architecture for freeze/block/seize capability
- Map beneficial ownership collection to your customer onboarding workflow
By October 2026 (before effective date):
- Register with FinCEN for BSA E-Filing and test your SAR submission capability
- Implement transaction monitoring controls with $5,000 SAR threshold logic
- Stand up record-keeping for $3,000+ transfers
- Complete your first independent AML program audit
- Train all relevant employees with documented completion records
The FinCEN BSA enforcement action against Canaccord Genuity from earlier this year is a useful preview of what happens when broker-dealers run insufficient AML programs. For stablecoin issuers, the same control failures will produce the same outcomes — with a faster enforcement timeline given the elevated scrutiny the space is under.
One Line on Scope
FinCEN’s definition of “payment stablecoin issuer” is broader than it might look. If you issue a stablecoin redeemable for fiat, even if you primarily think of yourself as a DeFi protocol, a treasury management platform, or a corporate settlement rail — check whether your issuance structure qualifies you as a PPSI. The licensing requirement is self-triggering once you meet the statutory definition.
30/60/90 Day Checklist
This month:
- Map your stablecoin issuance structure against GENIUS Act PPSI definition
- Identify whether you need to file a comment by the 60-day deadline
- Assess whether your smart contract has freeze/block/seize capability
- Inventory OFAC screening coverage across primary and secondary market transactions
Next 60 days:
- Draft or update written AML program documentation (four pillars)
- Designate formal U.S.-based BSA officer
- Implement customer identification and beneficial ownership procedures
- Engage legal counsel on comment letter if applicable
By Q4 2026:
- SAR filing capability live and tested with FinCEN BSA E-Filing
- Transaction monitoring for $5,000+ SAR threshold
- Record retention for $3,000+ transfers
- Independent AML audit scheduled
- Employee training program documented and completed
If you’re working through an RCSA for your compliance program — or building one for the first time — the RCSA Template maps control gaps to risk ratings and can anchor your AML build against the proposed rule’s four-pillar structure.
Sources:
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
RCSA (Risk & Control Self-Assessment)
141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What is the GENIUS Act and when did it become law?
Who must comply with FinCEN's stablecoin AML proposed rule?
What SAR filing threshold applies to stablecoin issuers?
When do stablecoin issuers need to be compliant with GENIUS Act AML rules?
What are the penalties for stablecoin issuers that violate the AML or sanctions rules?
Is sanctions compliance required for secondary market stablecoin transactions?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
RCSA (Risk & Control Self-Assessment)
141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.
◆ Keep reading
Related posts.
Regulatory Compliance
The Fed's Payment Account Proposal: What Fintechs and Digital Asset Firms Need to Know Before the July 27 Comment Deadline
The Federal Reserve proposed a special-purpose Payment Account in May 2026, offering eligible fintechs direct access to Fedwire Funds and FedNow without a bank charter. The comment period closes July 27. Here's who qualifies, what compliance the Fed requires, and why your institution should care even if you're not applying yet.
Jul 7, 2026
Regulatory Compliance
SEC Cyber Disclosure Rule: What 2.5 Years of Form 8-K Filings Reveal About Your Response Program Gaps
The SEC's 4-business-day cyber incident disclosure rule has 2.5 years of enforcement history. Here's what the filings and enforcement actions reveal about common materiality determination failures — and how to build a decision protocol that survives SEC scrutiny in 2026.
Jul 5, 2026
Regulatory Compliance
GENIUS Act AML/CFT Compliance: Breaking Down the FinCEN and OFAC Rule That Drops July 18
The FinCEN/OFAC joint proposed rule for stablecoin issuers establishes a full BSA/AML compliance program requirement — SAR filing, CTR filing, CIP, CDD, and OFAC sanctions screening — with a technical wallet-blocking mandate that has no precedent in traditional financial services. Here's what Permitted Payment Stablecoin Issuers and their bank partners need to build.
Jul 4, 2026