Treasury has moved from stablecoin policy messaging to actual rule text. In a new joint proposal, FinCEN and OFAC laid out the first federal AML and sanctions framework under the GENIUS Act for permitted payment stablecoin issuers, or PPSIs, treating them as financial institutions for Bank Secrecy Act purposes and requiring a formal sanctions compliance program.
The real significance is structural. This is not just a generic “crypto firms must do KYC” proposal. It sketches what regulated U.S. stablecoin compliance could actually look like: risk assessments, SAR filing, recordkeeping, Travel Rule coverage, sanctions screening, and the technical ability to block, freeze or reject impermissible transfers, including in some third-party and smart contract settings.
Washington is moving from stablecoin politics to stablecoin rule text
Treasury’s press release frames the proposal as an effort to encourage innovation in payment stablecoins while creating a tailored regime for illicit-finance risk. The GENIUS Act, as Treasury describes it, requires stablecoin issuers covered by the law to be treated as BSA financial institutions and to maintain an effective sanctions compliance program.
FinCEN’s executive summary makes the same point more bluntly. The agency says payment stablecoins could reshape payments, but also make a large U.S. payment system a target for illicit misuse, which is why the proposal would apply AML, BSA and sanctions requirements directly to PPSIs. It also confirms this is a joint rulemaking split across two regulatory tracks: FinCEN for AML/BSA and OFAC for sanctions.
The proposal would push stablecoin issuers into a bank-style AML perimeter
One of the most important sections of the NPRM is scope. FinCEN proposes to define a permitted payment stablecoin issuer as a U.S.-formed entity that is either an approved subsidiary of an insured depository institution or insured credit union, a federal qualified payment stablecoin issuer, or a state qualified payment stablecoin issuer. In other words, this proposal is aimed at the regulated issuer class created by the GENIUS Act, not at every crypto company in the market.
Once inside that perimeter, the obligations get much heavier. The proposal says PPSIs must maintain an effective AML/CFT program with appropriate risk assessments and an officer to supervise the program, retain appropriate records, monitor and report suspicious transactions, and comply with core BSA recordkeeping rules. FinCEN also says the Recordkeeping Rule and Travel Rule would apply clearly to payment stablecoin transfers.
The risk assessment piece is especially important because it makes the framework more operational than symbolic. FinCEN says PPSIs would need to evaluate money laundering and terrorist financing risk across products, services, distribution channels, customers and geographies, and update those processes when their risk profile changes. The agency also explicitly points to sources such as blockchain analytics, IP and geolocation data, law-enforcement feedback and inter-institution information sharing as inputs that can inform those assessments.
The most aggressive part of the rule reaches into secondary markets and smart contracts
The most consequential section for the stablecoin industry may be the one on technical controls. FinCEN proposes that PPSIs must have the technical capabilities, policies and procedures to block, freeze and reject specific or impermissible transactions that violate federal or state law. It also says those capabilities must account not only for transactions occurring by, at or through the issuer, but also for third-party activity, including where a transaction results in an interaction with the issuer’s smart contract.
That is a bigger statement than it may first appear. FinCEN says most illicit activity involving stablecoins occurs on the secondary market, and its discussion makes clear that the agency expects U.S.-regulated issuers to be able to act even where risk does not originate only inside their own customer base. This is a major compliance signal for anyone who has assumed issuer obligations stop neatly at issuance and redemption.
The proposal goes further on lawful orders. FinCEN says PPSIs must be able to comply with lawful orders involving payment stablecoins held by third parties, including in accounts not with or controlled by the issuer, and in transactions that interact with the issuer’s smart contract. That pushes stablecoin compliance beyond normal onboarding and into network-level controllability.
OFAC is not asking for wallet screening alone
The sanctions side is not light-touch either. OFAC says the proposal would establish a floor for an effective sanctions compliance program built on five elements: senior management and organizational commitment, risk assessment, internal controls, testing and auditing, and training. Senior management would need to approve the sanctions program, resource it properly and ensure it covers all payment stablecoin-related activity.
The internal-controls discussion is where the proposal becomes especially concrete for digital asset firms. OFAC says sanctions screening should, at a minimum, include tools sufficient to identify and block transactions associated with digital currency addresses on the SDN List, and it says those controls should apply on a risk-based basis even to secondary-market activity. OFAC also says controls should be updated continually as sanctions authorities and designations change.
Training is part of the floor too. OFAC says PPSIs would need a risk-based compliance training program conducted at least annually and tailored to relevant personnel and stakeholders. Independent testing is also expected, and FinCEN says testers must be sufficiently independent from the AML/CFT function they review.
FinCEN is also leaving itself room to reward more advanced monitoring
One underappreciated part of the proposal is how FinCEN says it may evaluate issuer effectiveness. In discussing enforcement and supervisory considerations, the NPRM says FinCEN may take into account whether a PPSI has advanced AML/CFT priorities through highly useful information to law enforcement, proactive analytics, or other innovative activities that produce demonstrable outputs, including the effective use of artificial intelligence, federated learning and other advanced monitoring tools.
That does not mean AI becomes a safe harbor. But it does suggest Treasury is trying to leave space for more technologically sophisticated compliance models rather than prescribing a single legacy workflow. For regulated stablecoin issuers, that could become an important policy signal if the final rule keeps this language intact.
What this proposal still does not settle
For all its breadth, the NPRM does not complete the GENIUS compliance framework on its own. FinCEN says the customer identification program requirement is expected to be the subject of a separate rulemaking, so one of the most important onboarding obligations for PPSIs is still not fully proposed here.
There is also still a timing gap. The PDF says comments are due 60 days after publication in the Federal Register, but the public draft still carries placeholder language rather than a final deadline. That means the policy direction is clear, but the formal clock is not yet fully fixed in the document itself.
Why it matters for crypto
- It is the first real federal blueprint for how licensed U.S. stablecoin issuers could be supervised on AML and sanctions, beyond broad political promises.
- The proposal would pull PPSIs into a much more bank-like compliance perimeter, with risk assessments, SARs, recordkeeping and Travel Rule obligations clearly attached to payment stablecoins.
- The most disruptive compliance signal is that Treasury expects technical controls that can reach secondary-market activity, third-party holdings and some smart contract interactions.
- OFAC is also making clear that sanctions compliance for stablecoins will not be treated as a narrow wallet-screening exercise, but as a full governance, controls, testing and training regime.
What to watch next
- Whether issuers and industry groups push back hardest on the secondary-market and smart-contract control language during the comment period. This is the part of the proposal most likely to trigger technical and policy debate.
- How Treasury handles the separate CIP rulemaking, since customer identification is explicitly left unfinished here.
- Whether the final rule preserves FinCEN’s openness to AI, federated learning and advanced monitoring as evidence of AML/CFT effectiveness.
- Whether this framework becomes the model for U.S. bank-led stablecoins and state-qualified issuers, or whether the final version narrows key technical obligations after public comment. This is an inference based on the breadth of the current draft and the formal notice-and-comment process.