Treasury’s stablecoin rule: GENIUS Act effect on compliance

The comment window on Treasury’s joint stablecoin Notice of Proposed Rulemaking closes June 9, 2026. If your compliance team hasn’t engaged yet, here is what you need to understand – and why the next three weeks matter.

On April 7, 2026, the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) jointly issued this NPRM implementing the anti-money laundering and sanctions provisions of the GENIUS Act. The proposal contains a genuine first: the first-time federal law has explicitly required a specific category of US persons to maintain an effective sanctions compliance program.

That single fact is reshaping how compliance teams at exchanges, banks, and law enforcement agencies should think about the stablecoin perimeter. This post walks through what the rule does – and why the most consequential element is not the AML/CFT program, but the way it extends compliance into the secondary market.

Key takeaways

• The NPRM creates permitted payment stablecoin issuers (PPSIs) as a new, stand-alone category of financial institution under the Bank Secrecy Act

• PPSIs are the first category of financial institution to have a formal sanctions compliance program written into law from day one – not as guidance, but as a regulatory requirement with independent penalties for non-compliance

• PPSIs are not required to monitor secondary market activity for AML purposes, but sanctions blocking obligations apply across both primary and secondary markets

• Technical capabilities like freeze, block, and reject are now enforceable compliance infrastructure – not optional features

• Comments are due June 9, 2026, with a 12-month implementation runway after finalization

What does the rule do?

The NPRM establishes two parallel regulatory frameworks. FinCEN proposes a new 31 CFR Part 1033 designating PPSIs as a stand-alone category of financial institution under the Bank Secrecy Act – distinct from money services businesses, banks, and broker-dealers.

OFAC proposes a new 31 CFR Part 555.502 requiring every PPSI to maintain a sanctions compliance program with five mandatory elements: senior management commitment, risk assessment, internal controls, testing and auditing, and training.

If finalized as proposed, the rules would take effect 12 months after publication, aligning with the broader GENIUS Act regulatory regime that becomes operational in January 2027.

Most of the AML/CFT obligations will look familiar to compliance professionals. PPSIs would file Suspicious Activity Reports, implement a Customer Identification Program, conduct customer due diligence (including beneficial ownership collection), comply with the Travel Rule, designate a US-based compliance officer, run independent testing, and maintain ongoing training.

Treasury has signaled that programs should be risk-based and that enforcement will focus on overall effectiveness rather than technical lapses. The unfamiliar pieces are where your attention belongs.

Why is the statutory sanctions program historic?

OFAC has issued sanctions compliance guidance for years, most notably the 2019 Framework for OFAC Compliance Commitments and the 2021 sanctions compliance guidance for the virtual currency industry. Until now, those documents represented a strong regulatory expectation – the kind any prudent firm treats as binding, because OFAC enforces sanctions on a strict-liability basis. But they were not, technically, statutory mandates.

The GENIUS Act changes that. By creating PPSIs as a new, standalone category of financial institution – distinct from money services businesses, banks, and broker-dealers – the statute builds a sanctions compliance program into the regulatory framework from the start.

For compliance teams familiar with BSA/AML obligations, much of the program structure will look familiar. The significant shift is that maintaining a formal sanctions compliance program is now a regulatory requirement in its own right, not just OFAC guidance. The failure to have a program is itself a violation, independent of any underlying sanctions breach.

What makes the PPSI framework distinct from existing MSB obligations is scope.

The rule requires issuers to maintain technical capabilities to block, freeze, and reject sanctioned transactions across both primary and secondary markets – including peer-to-peer transfers that never touch the issuer’s own systems. That operational perimeter goes well beyond what traditional money transmission requires.

This structural shift matters because it sets a regulatory template. The five-pillar framework will likely be referenced in future US sanctions rulemakings affecting other financial actors, including digital asset exchanges and payment intermediaries. If you are a compliance officer, read the proposal not just as a stablecoin rule but as a preview of where US sanctions enforcement is heading across the digital asset stack.

What is the secondary market paradox?

The most analytically interesting feature of the NPRM is how it handles secondary market activity – transactions that do not involve the PPSI as a counterparty and occur solely through on-chain smart contract interactions.

FinCEN draws a clear line on monitoring. PPSIs are not required to monitor secondary market activity, file secondary market SARs, or conduct due diligence on secondary market participants. The rationale is practical: SARs on every wallet-to-wallet transfer would generate immense reporting volume with limited investigative value. Issuers also have far less visibility into peer-to-peer transfers than into their primary customers.

OFAC draws a different line. Sanctions compliance applies in both markets. A PPSI must have the technical capability to block, freeze, and reject transactions involving sanctioned persons or jurisdictions – whether with a primary customer or between two unhosted wallets it has never onboarded.

OFAC has signaled that a stablecoin moving through a PPSI’s smart contract may be treated as within the issuer’s control, triggering blocking obligations even in peer-to-peer transfers. This invokes the possession-or-control doctrine – essentially, if your smart contract touches the transaction, you may be on the hook.

The result is a regulatory geometry that compliance teams need to internalize. There is no formal AML monitoring obligation in the secondary market, but there is a continuous obligation to identify, block, freeze, and reject sanctioned transactions there. The rule also requires issuers to understand the risks posed by distribution channels and the chains on which their token is deployed.

In practice, that demands two layers of visibility. Crystal Expert provides the sanctions screening, wallet attribution, and cross-chain tracing needed to identify and block sanctioned transactions. Crystal Foresight adds market-level intelligence – tracking stablecoin flows, mint/burn activity, and liquidity shifts across chains – so issuers can understand the broader risk landscape their token operates in.

This is the secondary market paradox. The formal monitoring obligation is removed, but the practical need for network-wide monitoring remains. Issuers who try to comply with OFAC’s secondary market expectations without robust blockchain analytics will find themselves blocking only the wallets OFAC has already designated – a reactive model that systematically lags illicit flows.

How do technical capabilities become compliance infrastructure?

OFAC’s proposed five-pillar framework will look familiar to anyone who has read the 2019 Framework. The pillar that does the most work in the NPRM is the third: internal controls.

The proposed rule would require internal controls that include explicit technical capabilities. Specifically, a PPSI must be able to identify, block, freeze, and reject sanctioned transactions, and comply with lawful orders.

For traditional financial institutions, internal controls mean policies, procedures, screening tools, and case management workflows. For a PPSI, they are inseparable from product architecture.

Whether a stablecoin can be frozen – and on which chains – is determined by the design of its smart contract. Whether sanctioned wallets can be blocked depends on the contract’s blocklist mechanism. Whether the issuer can comply with a court-ordered seizure depends on whether the contract supports administrative actions on the networks where the token is deployed.

Sanctions compliance under the NPRM thus functions as a constraint on product design. Issuers who built tokens on truly immutable contracts, or on chains without administrative recovery mechanisms, need to redesign as a PPSI. The rule does not say so directly, but it is the inevitable consequence of an enforceable obligation to block, freeze, and reject across primary and secondary markets.

What should issuers and counterparties do now?

The NPRM provides a 60-day comment window and a proposed 12-month implementation runway. With the June 9 deadline approaching, if you are an issuer, exchange, or bank contemplating PPSI relationships, you have a narrow window to act on three fronts.

Comment substantively. Treasury has invited input on several open questions: whether to impose limited secondary-market reporting obligations, whether to extend AML/CFT requirements to foreign payment stablecoin issuers, and whether to expand the definition of “account” to include wallet addresses for lawful order compliance. These are not technical details. They will determine the operational shape of the regime and the resource burden on your compliance team.

Conduct a structured gap assessment against the five pillars. Many issuers have sanctions controls embedded in their broader compliance programs, but few have a formal, documented program that cleanly maps to OFAC’s framework. Documentation gaps that are tolerable today become enforcement exposure the moment the rule is final, because the absence of a program is itself a violation.

Build the intelligence infrastructure the rule implicitly requires. The NPRM creates obligations at two levels, and your tooling needs to cover both. For sanctions compliance – wallet attribution, cross-chain tracing, and screening against sanctioned addresses and high-risk VASPs – Crystal Expert provides the investigative and monitoring capability. For understanding your token’s broader risk landscape – which chains it trades on, where liquidity is moving, and how distribution patterns are shifting – Crystal Foresight delivers the stablecoin market intelligence that informs your risk assessment.

You do not need to file SARs on every secondary market transfer, but you must be able to act when one triggers a sanctions concern – and to show examiners that the capability exists and is maintained.

For exchanges, banks, and other counterparties evaluating which stablecoins to onboard, the NPRM reframes the diligence question. It is no longer “is this stablecoin permitted?” but “does the issuer have the program architecture and technical control surface to act when sanctions exposure surfaces?”

That question can only be answered with reference to the issuer’s smart contract design, blockchain analytics integration, and the maturity of its lawful order workflows.

FAQ

What is a permitted payment stablecoin issuer (PPSI)?

A PPSI is a new category of financial institution created by the GENIUS Act. It covers US-based issuers of payment stablecoins that meet specific reserve, redemption, and compliance requirements. PPSIs are regulated separately from money services businesses, banks, and broker-dealers under the Bank Secrecy Act.

When does the GENIUS Act NPRM take effect?

Comments are due June 9, 2026. If finalized as proposed, the rules take effect 12 months after publication in the Federal Register. This aligns with the broader GENIUS Act regulatory regime becoming operational in January 2027.

Are PPSIs required to monitor secondary market transactions?

Not for AML purposes. FinCEN explicitly excludes secondary market monitoring, SAR filing, and due diligence on secondary market participants. However, OFAC sanctions obligations apply across both primary and secondary markets. PPSIs must be able to block, freeze, and reject sanctioned transactions even in peer-to-peer transfers.

What are the five pillars of the OFAC sanctions compliance program?

The five mandatory elements are: senior management commitment, risk assessment, internal controls (including technical capabilities to block and freeze), testing and auditing, and training. This framework mirrors OFAC’s 2019 guidance but is now a statutory requirement with independent civil penalties for non-compliance.

How does this rule affect exchanges and banks that support stablecoins?

If you are evaluating which stablecoins to onboard, the NPRM reframes your diligence. The question is no longer whether a stablecoin is permitted, but whether the issuer has the technical architecture and compliance program to act on sanctions exposure across both primary and secondary markets.

A new kind of financial institution

The joint FinCEN-OFAC rule positions PPSIs as a new species of financial institution – one whose compliance perimeter extends to every wallet touching its smart contracts, not just the customers it has onboarded.

That is consistent with the technical properties of stablecoins, but it is meaningfully more demanding than the perimeter of a bank or money transmitter. It implies a level of monitoring infrastructure with no direct analog in traditional finance.

For compliance officers deciding which stablecoins to support, for law enforcement teams choosing where to direct seizure requests, and for regulators abroad watching how the US operationalizes the GENIUS Act – the NPRM defines what compliance-grade stablecoin issuance looks like. The first statutory sanctions program is here, the comment window closes June 9, and the 12-month clock starts when the rule is final.