On April 8, 2026, the Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) announced a joint proposed rule to implement anti-money laundering and countering the financing of terrorism (AML/CFT) and sanctions compliance requirements to permitted payment stablecoin issuers (PPSIs). The proposal is designed to implement provisions of the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the GENIUS Act), signed into law on July 18, 2025. The GENIUS Act established a federal regulatory framework for payment stablecoins, including rules on who may issue stablecoins, reserve requirements, and required disclosures. The new proposed rule is, in part, intended to address illicit finance risks associated with payment stablecoins, including money laundering, terrorist financing, and sanctions evasion.

FinCEN and OFAC welcome public comments on the proposed rule by June 9, 2026. The agencies proposed an effective date of one year after the publication of the Final Rule, which will follow after the comment period.

Stablecoins – which are blockchain-based digital assets designed to maintain a stable value relative to an underlying asset, such as the U.S. dollar or other fiat currencies, or backed by reserves – passed $300 billion in market capitalization in early 2026. Usually, stablecoin issuers use smart contracts to issue, redeem, burn, or even, in some cases, restrict transfer of their tokens. FinCEN and OFAC's proposed rule, like the GENIUS Act, does not apply to all digital assets or stablecoins, but only to those that are "payment stablecoins." The GENIUS Act defines "payment stablecoins" as digital assets designed or used as a means of payment or settlement, the issuer of which is obligated to redeem, repurchase, or convert for a fixed amount of monetary value, and that are not a national currency, deposit, or security. 

Under the Act, only PPSIs may issue payment stablecoin to persons in the U.S. PPSIs must be incorporated in the U.S. and must be (1) subsidiaries of insured depository institutions or credit unions, (2) federally qualified payment stablecoin issuers approved by the Office of the Comptroller of the Currency (OCC), or (3) registered with and approved by applicable state authorities as nonbank stablecoin issuers. On the federal level, the OCC is responsible for approving and regulating stablecoin issuers and published related proposed rulemaking in February 2026. PPSIs may choose to be regulated under a state-level regime, but only if their stablecoin issuance is $10 billion or less and the state regime is substantially similar to the federal framework. 

Currently, stablecoin issuers are regulated as money services businesses (MSBs), which subjects them to FinCEN oversight and AML/CFT program requirements under the Bank Secrecy Act (BSA). However, in the proposed rule, FinCEN proposes carving out PPSIs from the definition of MSB and applying a distinct regulatory framework. Both the MSB framework and the proposed requirements for PPSIs contemplate risk-based AML/CFT programs, but the proposed PPSI regulations would require additional, and in some respects, more stringent requirements. For instance, while MSBs have Know Your Customer (KYC) obligations, they are not subject to FinCEN's Customer Due Diligence (CDD) Rule in the same way as other financial institutions such as banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers. Under the proposed rule, PPSIs would be subject to the CDD Rule, including a requirement to establish written procedures to identify and verify the beneficial owners of legal entity customers. FinCEN describes beneficial ownership information collection as a core element of effective CDD, which would be required for new primary market customers. The proposed rule also notes that additional GENIUS Act requirements, such as Customer Identification Program (CIP) rules, will be addressed in future rulemaking. As we discuss further below, the proposed rule also includes a requirement for PPSIs to establish technical requirements to block, freeze, or reject transactions, which are not explicit requirements for MSBs. 

AML/CFT Requirements

The proposed rule, which mirrors, in part, FinCEN's recently proposed AML/CFT program updates (discussed here), would require PPSIs to maintain AML/CFT programs, develop appropriate technical abilities, report suspicious activity, and maintain records, among other obligations. 

• AML/CFT programs: The proposed rule would require PPSIs to establish and maintain risk-based, written AML/CFT programs that include risk assessment processes, ongoing due diligence, independent testing, an identified and responsible AML/CFT officer based in the U.S., and regular training. 
  • Internal policies, procedures, and controls: The proposed rule would require PPSIs to establish a set of internal policies, procedures, and controls "reasonably designed" to ensure compliance with the BSA and 31 C.F.R. chapter X. The policies, procedures, and controls must include: (1) documented risk assessment processes; (2) documented efforts to mitigate risks by directing more attention and resources toward higher-risk customers and activities, consistent with the risk assessment processes; and (3) conducting ongoing customer due diligence and monitoring.
  • Independent testing: According to the proposed rule, PPSIs should conduct independent testing and auditing to assess the effectiveness of the institution's AML/CFT compliance relative to its risk profile and allocated resources consistent with its risk assessment processes. Testing should be based on objective criteria and may be conducted by outside auditors, consultants, or internal audit personnel, or staff otherwise independent of the function being tested.
  • Ongoing training: The proposed rule formally adopts the BSA's "ongoing employee training" language, and requires training to educate employees on internal policies, procedures, controls, risk assessment processes, and updates to the AML/CFT regulatory requirements.
  • AML/CFT officer: The proposed rule would require PPSIs to designate an AML/CFT officer responsible for establishing and implementing the program and monitoring day-to-day adherence with applicable regulations. Consistent with FinCEN's recently published proposed rule updating AML/CFT programs more broadly, PPSIs would be required to appoint an officer located in the U.S. and subject to supervision by FinCEN. However, personnel located outside the U.S. would still be permitted to perform AML/CFT functions. 
  • Written AML/CFT program and approval: The proposed rule would require the AML/CFT program to be in writing and made available to FinCEN upon request. Consistent with the proposed rule updating the AML/CFT programs more broadly, the program would also need to be approved by the PPSI's board of directors, appropriate senior management, or an equivalent governing body.
  • FinCEN supervision and enforcement: The proposed rule also contemplates a potential FinCEN enforcement and supervisory approach for PPSI's AML/CFT programs. Under the approach, where a PPSI has established an AML/CFT program in accordance with the proposed rule, FinCEN generally would not pursue enforcement actions absent a "significant or systemic failure" to maintain the program. The proposed rule would further reinforce FinCEN's central role in AML/CFT supervision by establishing a notice-and-consultation framework between FinCEN and the primary federal payment stablecoin regulators with respect to significant AML/CFT supervisory actions. Notably, this proposed framework is similar to the proposed enforcement framework applicable to banks that FinCEN recently proposed. 
• Technical capabilities: Under the proposed rule, PPSIs would be required to have the technical capabilities, policies, and procedures to block, freeze, and reject transactions that violate federal or state laws, rules, or regulations and to comply with lawful orders. Importantly, these obligations would extend beyond a PPSI's own customers and accounts and apply to secondary market activity. For purposes of the proposed rule, "secondary market" refers to payment stablecoin activity in which the PPSI is not directly a party to the transaction other than through its smart contract, such as person-to-person transfers or transactions through intermediaries.
• Suspicious Activity Reports (SARs): The proposed rule would require PPSIs to file SARs on primary market activity. FinCEN does not, however, propose to impose a secondary-market SAR reporting obligation. 
• Recordkeeping: PPSIs would be required to comply with the Recordkeeping Rule including by collecting and retaining records of funds transfers and transmittals of $3,000 or more, as well as the Travel Rule, requiring them to transmit certain information to other financial institutions involved in those transactions.
• Information sharing: At the request of FinCEN, PPSIs would be required to search their records to determine whether they maintain or have ever maintained any accounts for or have transacted with individuals or entities identified by FinCEN. 

Sanctions Compliance Requirements

As U.S. incorporated entities, PPSIs are "U.S. persons" subject to OFAC's sanctions requirements. Notably, the GENIUS Act represents the first time that federal law has mandated that a particular U.S. person – here, PPSIs – adopt and maintain an effective sanctions compliance program. 

The proposed rule includes two general categories of sanctions-related requirements: First, PPSIs must maintain an effective sanctions compliance program that includes five pillars and incorporates OFAC's 2019 framework, and second, PPSIs are obligated to comply with OFAC's recordkeeping and reporting obligations (which are distinct from the AML/CFT recordkeeping and reporting requirements).

• Effective sanctions compliance program: Under the proposed rule, an effective sanctions compliance program includes five core elements: commitment from senior management, regular and in-depth risk assessments, strong risk-based internal controls, independent testing and auditing functions, and regular training. 
• Recordkeeping and reporting: The proposed rule would require PPSIs to adhere to OFAC's standard recordkeeping and reporting requirements, including maintaining a full and accurate record of any transactions subject to OFAC regulations, and to provide OFAC, upon request, any certifications submitted to federal or state payment stablecoin regulators attesting the implementation of an effective sanctions compliance program.

Key Takeaways

1. Cross-agency implementation: The proposed rule underscores that the GENIUS Act's illicit finance provisions are designed to integrate AML/CFT and sanctions compliance into a single PPSI framework. Although FinCEN and OFAC operate under distinct legal authorities, the proposal reflects a broader interagency effort to align regulatory and enforcement approaches to illicit finance risks associated with payment stablecoins. FinCEN and OFAC are not acting alone: the OCC and the Federal Deposit Insurance Corporation (FDIC) have also recently issued proposed rules implementing aspects of the GENIUS Act, highlighting coordinated cross-agency implementation of the statute's stablecoin framework. 
2. Primary vs. secondary market activity: A key feature of the proposed rule is how it seeks to align compliance obligations with the operational realities of payment stablecoins. In the primary market – where a PPSI interacts directly with its own customers, such as when issuing, redeeming, or repurchasing stablecoins – Treasury expects traditional customer-facing controls, including CDD, beneficial ownership information collection, and SARs. By contrast, in the secondary market, a PPSI may not have the same visibility into the end user, as transactions may occur through exchanges, self-hosted wallets, or peer-to-peer transfers outside the PPSI's onboarding ramp. Accordingly, Treasury does not impose as stringent of compliance obligations in the secondary market context. The proposed rule, however, requires that a PPSI's smart contracts have the ability to freeze, block, burn, or otherwise restrict movement of tokens, and to exercise those capabilities when legally required to do so. 
3. Emphasis on tailoring controls to risk profile: The proposed rule adopts a risk-based approach, rather than a one-size-fits-all model, and expects PPSIs to build AML/CFT and sanctions compliance programs that are tailored to their size, activities, customers, distribution channels, and overall risk profile. In practice, this means that a PPSI's controls should reflect the particular risks its business presents, including risks associated with secondary-market activity, self-hosted wallets, fiat on- and off-ramps, and high-risk persons or jurisdictions, among others. 
4. Balancing innovation in digital finance with stronger regulatory oversight: The second Trump administration has signaled its intent to promote U.S. leadership in digital finance. Although the proposed rule would increase regulatory requirements for PPSIs, it can also be understood as part of a broader strategy to integrate cryptocurrency and payment stablecoins more closely into the U.S. financial system by enhancing oversight of fiat-pegged digital asset issuers. The expanded AML/CFT and sanctions compliance obligations are intended to increase reliability and transparency in both domestic and cross-border digital currency transactions. In announcing the proposed rule, Secretary of the Treasury Scott Bessent emphasized that "[t]his proposal will protect the U.S. financial system from national security threats without hindering American companies' ability to forge ahead in the payment stablecoin ecosystem."

Although the implementation of the final rule is some time away, the U.S. government is displaying coordinated and bipartisan efforts to regulate stablecoin issuers. Impacted companies and individuals should watch these efforts. Miller & Chevalier can assist with and provide guidance on ensuring compliance with the coming stablecoin AML/CFT and sanctions requirements.

For more information, please contact:

Ian A. Herbert, iherbert@milchev.com, 202-626-1486

Leah Moushey, lmoushey@milchev.com, 202-626-5896

Timothy P. O'Toole, totoole@milchev.com, 202-626-5552

Collmann Griffin, cgriffin@milchev.com, 202-626-5836

Arooshe P. Giroti, agiroti@milchev.com, 202-626-6060

Peter Kentz, pkentz@milchev.com, 202-626-5891

Franco Jofré, fjofre@milchev.com, 202-626-1585

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.