{"id":10489,"date":"2026-04-27T22:33:38","date_gmt":"2026-04-27T22:33:38","guid":{"rendered":"https:\/\/usatrustedlawyers.com\/blog\/stable-rules-for-stablecoins-treasury-proposes-aml-and-sanctions-framework-for-issuers-mayer-brown\/"},"modified":"2026-04-27T22:33:38","modified_gmt":"2026-04-27T22:33:38","slug":"stable-rules-for-stablecoins-treasury-proposes-aml-and-sanctions-framework-for-issuers-mayer-brown","status":"publish","type":"post","link":"https:\/\/usatrustedlawyers.com\/blog\/stable-rules-for-stablecoins-treasury-proposes-aml-and-sanctions-framework-for-issuers-mayer-brown\/","title":{"rendered":"Stable Rules for Stablecoins: Treasury Proposes AML and Sanctions Framework for Issuers | Mayer Brown"},"content":{"rendered":"\n
\n

On April 8, 2026, the US Department of the Treasury\u2019s Financial Crimes Enforcement Network (\u201cFinCEN\u201d) and Office of Foreign Assets Control (\u201cOFAC\u201d) issued a joint Notice of Proposed Rulemaking (the \u201cProposed Rule\u201d) to implement the anti-money laundering (\u201cAML\u201d) and sanctions compliance provisions of the Guiding and Establishing National Innovation for US Stablecoins Act (the \u201cGENIUS Act\u201d) for permitted payment stablecoin issuers (\u201cPPSIs\u201d).<\/span><\/span><\/p>\n

The Proposed Rule would treat PPSIs as \u201cfinancial institutions\u201d under the Bank Secrecy Act (\u201cBSA\u201d), require PPSIs to establish and maintain AML and countering the financing of terrorism (\u201cAML\/CFT\u201d) programs, and\u2014for the first time\u2014explicitly mandate that a category of US persons maintain an effective sanctions compliance program. FinCEN and OFAC propose that the final rules become effective 12 months after issuance to allow PPSIs sufficient time to implement the requirements. Comments are due June 9, 2026.<\/span><\/span><\/p>\n

BACKGROUND<\/span><\/span><\/h4>\n

The GENIUS Act, signed into law on July 18, 2025, establishes a federal regulatory framework for payment stablecoins and restricts their issuance to PPSIs. The Act directs Treasury to promulgate regulations ensuring that PPSIs are \u201csubject to all Federal laws applicable to a financial institution located in the United States relating to economic sanctions, prevention of money laundering, customer identification, and due diligence.\u201d<\/span><\/span>1<\/sup><\/span><\/span><\/span><\/span><\/a> The Proposed Rule addresses the AML\/CFT and sanctions compliance program components, while a separate forthcoming rulemaking will address customer identification program (\u201cCIP\u201d) requirements.<\/span><\/span><\/p>\n

The Proposed Rule applies to the three PPSI pathways established by the GENIUS Act: subsidiaries of insured depository institutions (\u201cIDIs\u201d) approved by their primary federal regulator; federal qualified payment stablecoin issuers (\u201cFQPSIs\u201d) approved by the Office of the Comptroller of the Currency (\u201cOCC\u201d); and state qualified payment stablecoin issuers (\u201cSQPSIs\u201d) approved by state regulators. Notably, the Proposed Rule does not impose AML\/CFT requirements on foreign payment stablecoin issuers (\u201cFPSIs\u201d), though FinCEN solicits comment on whether it should.<\/span><\/span><\/p>\n

KEY TAKEAWAYS<\/span><\/span><\/h4>\n

AML\/CFT obligations mirror bank-like requirements:<\/span><\/span> While FinCEN acknowledges that existing stablecoin issuers are generally subject to AML\/CFT obligations as money services businesses (\u201cMSBs\u201d), the Proposed Rule would require PPSIs to establish risk-based AML\/CFT programs that more closely adhere to the requirements applicable to banks and similar covered financial institutions. Programs must include internal policies, procedures, and controls; ongoing customer due diligence; independent testing; a designated AML\/CFT officer located in the United States; and ongoing employee training. Notably, many of these elements, including the explicit requirement for documented risk assessment processes, the \u201cestablish and maintain\u201d program framework, and the requirement that the AML\/CFT officer be located in the United States, parallel obligations FinCEN has separately proposed for all covered financial institutions under its concurrent AML program modernization rulemaking. To address any potential overlapping requirements, the Proposed Rule would expressly exclude PPSIs from the definition of MSB.<\/span><\/span><\/p>\n

SAR filing threshold set at $5,000\u2014higher than current MSB threshold:<\/span><\/span> PPSIs would be required to file suspicious activity reports (\u201cSARs\u201d) for suspicious transactions involving or aggregating at least $5,000 in funds or other assets. This is notably higher than the $2,000 threshold currently applicable to MSBs, reflecting FinCEN\u2019s view that PPSIs will have CIP obligations analogous to banks and other higher-threshold institutions.<\/span><\/span><\/p>\n

No secondary market monitoring or SAR obligations:<\/span><\/span> The Proposed Rule explicitly scopes out secondary market activity from monitoring and SAR reporting obligations because FinCEN preliminarily determined that the burden of requiring PPSIs to file SARs on secondary market transfers would outweigh the likely benefits, particularly given that PPSIs may have limited information about transactions occurring solely via smart contract interactions. PPSIs would, however, be required to understand the risks posed by customers, the PPSI\u2019s distribution channels, and the blockchains on which its payment stablecoins are deployed. These considerations would inform the PPSI\u2019s risk assessment processes and the development of customer risk profiles, and may require PPSIs to consider observable secondary market activity\u2014such as on-chain interactions by customers with addresses attributed to illicit actors\u2014in conducting ongoing customer due diligence. Notably, while PPSIs would have no obligation to file SARs on secondary market activity they do not formally monitor, they may nevertheless become aware of suspicious secondary market activity through their risk assessment processes or blockchain analytics tools\u2014and would be protected by safe harbor if they voluntarily report such activity. This may create an informal \u201csee-something-say-something\u201d expectation without a formal monitoring mandate.<\/span><\/span><\/p>\n

Technical capabilities required for both primary and secondary market activity:<\/span><\/span>2<\/sup><\/span><\/span><\/span><\/span><\/a> PPSIs would be required to have technical capabilities, policies, and procedures to block, freeze, and reject impermissible transactions, including those occurring on the secondary market via smart contracts, and to comply with lawful orders. Although separate from the secondary market monitoring and SAR reporting carve-out discussed above, this obligation ensures that PPSIs maintain the infrastructure necessary to act when legally required (e.g., to comply with OFAC sanctions prohibitions or federal seizure warrants targeting payment stablecoins held by third parties).<\/span><\/span><\/p>\n

First-ever mandatory sanctions compliance program:<\/span><\/span> The GENIUS Act\u2019s requirement that PPSIs maintain an \u201ceffective sanctions compliance program\u201d represents the first time federal law has explicitly mandated such a program for any category of US persons, notwithstanding the general applicability of underlying sanctions laws. OFAC\u2019s proposed framework would require five core elements: senior management commitment, risk assessments, internal controls, testing and auditing, and training. This framework is consistent with OFAC\u2019s other public guidance on establishing effective sanctions compliance programs, including previous guidance tailored specifically to the virtual currency industry.<\/span><\/span>3<\/sup><\/span><\/span><\/span><\/span><\/a> The Proposed Rule would also impose substantial civil monetary penalties for failure to maintain such a sanctions compliance program.<\/span><\/span><\/p>\n

OVERVIEW OF PROPOSED AML\/CFT OBLIGATIONS<\/span><\/span><\/h4>\n
AML\/CFT PROGRAM REQUIREMENTS<\/span><\/span><\/h5>\n

The Proposed Rule would create a new 31 CFR Part 1033 governing PPSIs. A PPSI would have an \u201ceffective\u201d AML\/CFT program if it: (1) establishes the program in accordance with the prescribed requirements and (2) maintains the program by implementing it in all material respects. Where a PPSI is also subject to existing BSA obligations as a bank under 31 CFR Part 1020\u2014as may be the case for uninsured national banks chartered by the OCC\u2014FinCEN expects the parallel requirements to be manageable. Notably, however, the Proposed Rule does not address the position of uninsured state-chartered institutions, such as state trust companies used by certain existing stablecoin issuers, that may face similar overlapping obligations.<\/span><\/span><\/p>\n

Internal policies, procedures, and controls:<\/span><\/span> A PPSI\u2019s risk-based internal policies, procedures, and controls would need to be reasonably designed to: identify, assess, and document money laundering and terrorist financing (\u201cML\/TF\u201d) risks through risk assessment processes; mitigate those risks by directing more attention and resources toward higher-risk customers and activities; and conduct ongoing customer due diligence.<\/span><\/span><\/p>\n

Risk assessment processes:<\/span><\/span> The Proposed Rule would require PPSIs to establish risk assessment processes that evaluate ML\/TF risks of the PPSI\u2019s business activities\u2014including products, services, distribution channels, customers, and geographic locations\u2014and incorporate the AML\/CFT Priorities published by FinCEN. While risk assessment processes have long been a supervisory expectation, the Proposed Rule makes this an explicit regulatory requirement, consistent with Treasury\u2019s broader effort to codify risk assessment obligations for all financial institutions under its AML modernization initiative.<\/span><\/span><\/p>\n

Ongoing customer due diligence:<\/span><\/span> The Proposed Rule would require PPSIs to conduct ongoing customer due diligence<\/span><\/span> (\u201c<\/span><\/span>CDD\u201d) to understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and to conduct ongoing monitoring to identify and report suspicious transactions. This \u201cfifth pillar\u201d requirement mirrors existing CDD rules for banks and other covered financial institutions. As with banks and other covered financial institutions, PPSIs would be required to collect beneficial ownership information for legal entity customers in primary market transactions, which FinCEN regards as a \u201ccore element\u201d of effective due diligence.<\/span><\/span><\/p>\n

Account vs. transfer distinction:<\/span><\/span> The Proposed Rule\u2019s CDD obligations apply to \u201caccount\u201d relationships\u2014defined for PPSIs as \u201ca formal relationship between a customer and a permitted payment stablecoin issuer established to provide or engage in services, dealings, or other financial transactions.\u201d This definition distinguishes primary market activity (where PPSIs maintain ongoing customer relationships) from secondary market transfers (where PPSIs interact with stablecoins via smart contracts). The distinction is consequential: most AML obligations would apply to primary market customers, while secondary market activity would be subject primarily to the technical capabilities requirement to block, freeze, and reject impermissible transactions.<\/span><\/span><\/p>\n

AML\/CFT officer:<\/span><\/span> The Proposed Rule would require designation of an AML\/CFT officer who must be located in the United States, accessible to FinCEN oversight, and not convicted of certain felony offenses involving insider trading, embezzlement, cybercrime, money laundering, terrorist financing, or financial fraud.<\/span><\/span><\/p>\n

Future CIP rulemaking:<\/span><\/span> The Proposed Rule acknowledges that PPSIs will be subject to a CIP requirement, noting the GENIUS Act-specific requirements that an effective program include \u201cidentifying and verifying the PPSI\u2019s account holders, high-value transactions, and appropriate enhanced due diligence.\u201d However, the Proposed Rule does not implement the Act\u2019s CIP requirements; instead, FinCEN notes that the Act\u2019s CIP requirements are expected to be the subject of a separate rulemaking.<\/span><\/span><\/p>\n

SUSPICIOUS ACTIVITY REPORTING<\/span><\/span><\/h5>\n

PPSIs would be required to file SARs for any suspicious transaction relevant to a possible violation of law or regulation that is conducted or attempted by, at, or through the PPSI and involves or aggregates at least $5,000.<\/span><\/span><\/p>\n

Secondary market activity explicitly excluded:<\/span><\/span> The Proposed Rule would clarify that \u201ca transaction, for purposes of [SAR filing], is not conducted or attempted by, at, or through a permitted payment stablecoin issuer only because a transfer by third parties results in an interaction with a permitted payment stablecoin issuer\u2019s smart contract.\u201d FinCEN acknowledges that the majority of illicit finance involving payment stablecoins occurs on the secondary market, but concludes that requiring secondary market SAR reporting could result in \u201csubstantial burden\u201d yielding SARs with \u201cminimal information.\u201d<\/span><\/span><\/p>\n

Coordination provision for bank-affiliated PPSIs:<\/span><\/span> Where a PPSI is a subsidiary of a parent IDI and both institutions have a SAR filing obligation for the same suspicious activity, the Proposed Rule would permit the parent to file SARs on behalf of its PPSI subsidiary (and vice versa), so long as the joint report contains all relevant facts. This provision would also permit sharing of SARs and underlying documentation between a PPSI and its parent IDI within the corporate organizational structure. For bank-affiliated PPSIs, this coordination provision will facilitate enterprise-wide compliance but will require careful attention to ensuring that PPSI-specific risks and transactions are adequately captured in joint filings.<\/span><\/span><\/p>\n

RECORDKEEPING AND TRAVEL RULE<\/span><\/span><\/h5>\n

The Proposed Rule would require PPSIs to comply with the BSA\u2019s Recordkeeping Rule, obligating PPSIs to collect and retain records for funds transfers and transmittals of funds in amounts of $3,000 or more. The Travel Rule would also apply, requiring PPSIs to transmit information on certain funds transfers and transmittals to other participating financial institutions. To clarify the application of these rules to stablecoin transactions, FinCEN proposes amending the definition of \u201ctransmittal order\u201d to expressly include payment stablecoins in addition to \u201cmoney.\u201d The Proposed Rule would also add PPSIs to the list of entities excepted from recordkeeping requirements for transfers between regulated financial institutions, and thus the Recordkeeping Rule would not apply to transmittals of funds where both the transmittor and recipient are a PPSI, bank, or other covered financial institution. Notably, FinCEN did not address the well-documented implementation challenges that digital asset service providers have faced in complying with Travel Rule requirements for blockchain-based transfers.<\/span><\/span><\/p>\n

ENHANCED DUE DILIGENCE AND SPECIAL MEASURES<\/span><\/span><\/h5>\n

FinCEN proposes extending to PPSIs the enhanced due diligence requirements for correspondent accounts for foreign financial institutions and private banking accounts. For these purposes, FinCEN would define a \u201ccorrespondent account\u201d for a PPSI as any formal relationship established to provide regular services, dealings, or other financial transactions\u2014capturing, for example, relationships with foreign financial institutions that access the PPSI for minting, redemption, or custodial services. PPSIs would also be required to comply with special measures issued pursuant to Section 311 of the USA PATRIOT Act when foreign financial institutions or transactions are of primary money laundering concern. With respect to private banking accounts\u2014defined in part under existing regulations as accounts with minimum aggregate assets exceeding $1 million, on behalf of a non-US person, and assigned or administered by the covered financial institution\u2014FinCEN proposes no changes to the existing definition and seeks comment on whether it appropriately addresses PPSIs. Given that payment stablecoins are designed for payment and settlement rather than wealth management, it remains to be seen whether such relationships will arise frequently in practice.<\/span><\/span><\/p>\n

OVERVIEW OF PROPOSED SANCTIONS COMPLIANCE REQUIREMENTS<\/span><\/span><\/h4>\n
FIRST MANDATORY SANCTIONS COMPLIANCE PROGRAM REQUIREMENT<\/span><\/span><\/h5>\n

While all US persons are currently required to comply with US sanctions under OFAC regulations, the GENIUS Act\u2019s requirement that PPSIs maintain an \u201ceffective sanctions compliance program\u201d is the first time federal law has explicitly mandated that a specific category of US persons establish and maintain such a program. OFAC proposes codifying this requirement at new 31 CFR Part 502.<\/span><\/span><\/p>\n

FIVE ELEMENTS OF AN EFFECTIVE PROGRAM<\/span><\/span><\/h5>\n

Drawing on OFAC\u2019s 2019 Framework for OFAC Compliance Commitments, the Proposed Rule would require PPSIs to adopt a sanctions compliance program including five key elements:<\/span><\/span><\/p>\n