In April 2026, the U.S. Treasury Department’s Financial Crimes Enforcement Network \(FinCEN\) and the Office of Foreign Assets Control \(OFAC\) jointly released a Notice of Proposed Rulemaking \(NPRM\) regarding Anti-Money Laundering and Countering the Financing of Terrorism \(AML/CFT\). This proposed rule was published in the Federal Register on April 10, 2026, with the public comment period closing on June 9, 2026. If the proposed rule is finalized, Permitted Payment Stablecoin Issuers \(PPSI\) will be required to follow AML/CFT compliance standards aligned with traditional financial institutions and establish an OFAC sanctions compliance program. This is a major shift from the previous regulatory requirements for these issuers as Money Service Businesses \(MSBs\). It changes existing compliance costs for issuers while further influencing the redistribution of compliance obligations among stablecoin issuers, exchanges, custodians, and on-chain risk management service providers within the U.S. market.
This article provides a systematic analysis of the proposed rule from the perspectives of its legislative background, core obligations, and market impact.
The introduction of this proposed rule is closely linked to the rapid growth of the global stablecoin market and the accompanying risks of illicit finance. As of the first quarter of 2026, the global stablecoin market size has exceeded $316 billion, and the penetration of illegal finance has intensified simultaneously. In a special report in March 2026, the Financial Action Task Force \(FATF\) clearly warned that stablecoins "have become the most widely used virtual assets in illicit transactions," and sanctioned state actors such as Iran and North Korea are using stablecoins for weapons proliferation financing and cross-border payments. The "2026 Crypto Crime Report" released by Chainalysis shows that at least $154 billion flowed to illegal cryptocurrency addresses in 2025, a year-on-year increase of 162%, with stablecoins accounting for 84% of that total. Data from TRM Labs shows that in 2025 alone, illicit entities obtained stablecoins worth $141 billion, hitting a five-year high; OFAC imposed cumulative penalties exceeding $34 billion between 2016 and 2025, issuing fines to crypto companies such as Exodus and ShapeShift consecutively from late 2025 to early 2026.
In sharp contrast to these federal enforcement actions is the industry's lagging compliance preparation. An S&P Global Market Intelligence survey report from April 2026 noted that among 100 banks surveyed in the first quarter of that year, only 7% were developing related strategic frameworks, and no institutions had launched pilot projects. How to regulate stablecoin transactions without hindering their payment efficiency and innovative features has become a pressing regulatory challenge.
In 2025, the U.S. Congress accelerated the legislative process for the GENIUS Act. This bill passed the Senate with a 68-30 vote on June 17, 2025, passed the House with a 308-122 vote on July 17, and was signed into law by then-President Trump on July 18. This is the first federal-level legislation in the United States specifically targeting payment stablecoins. A subsequent White House briefing emphasized that the act clearly brings stablecoin issuers under the jurisdiction of the Bank Secrecy Act and requires them to establish effective anti-money laundering and sanctions compliance programs. It also mandates that they possess the technical ability to seize, freeze, or destroy stablecoins according to lawful orders. The joint proposed rule released by FinCEN and OFAC focuses on the specific implementation of AML and sanctions compliance, forming part of a multi-layered implementation system for the GENIUS Act alongside regulations from other agencies.
The formal name of the proposed rule jointly released by FinCEN and OFAC in the Federal Register is "Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements." Hereinafter referred to as the "Proposed Rule" or the "Rule."
Broadly speaking, the proposed rule revolves around the following five aspects:
1. Formally including Permitted Payment Stablecoin Issuers in the definition of "financial institutions" under the Bank Secrecy Act \(BSA\), clearly separating them from the Money Service Business \(MSB\) framework;
2. Setting a set of AML/CFT program requirements for Permitted Payment Stablecoin Issuers that align with bank standards, with customer due diligence procedures at the core;
3. Clarifying the boundaries of Suspicious Activity Report \(SAR\) obligations for Permitted Payment Stablecoin Issuers in both primary and secondary markets;
4. Requiring Permitted Payment Stablecoin Issuers, for the first time, to establish an OFAC sanctions compliance program containing five core elements, based on the authorization of the GENIUS Act;
5. Stipulating that Permitted Payment Stablecoin Issuers must possess the technical ability to freeze, reject, and block non-compliant transactions, and this capability must extend to the secondary market.
The biggest difference between this proposed rule and the existing regulatory system is the inclusion of Permitted Payment Stablecoin Issuers in the definition of "financial institutions" under the Bank Secrecy Act. If the proposed rule is formally passed, the regulatory model for these issuers will move toward the standards of traditional financial institutions.
Before the GENIUS Act, stablecoin issuers were primarily regulated at the federal level as Money Service Businesses \(MSBs\). MSBs must register with FinCEN and undergo periodic examinations by the Internal Revenue Service \(IRS\). In the proposed rule, FinCEN delegates the AML/CFT supervision of Permitted Payment Stablecoin Issuers to the appropriate federal regulatory agencies: Federal Qualified Payment Stablecoin Issuers \(FQPSI\) are regulated by the Office of the Comptroller of the Currency \(OCC\), while subsidiaries of Insured Depository Institutions \(IDI\) are regulated by their corresponding federal banking regulators. For "State Qualified Payment Stablecoin Issuers" \(SQPSI\) regulated only by state-level agencies, their Bank Secrecy Act compliance examinations remain the responsibility of the IRS.
The rule also simultaneously modifies the definition of MSB to explicitly exclude Permitted Payment Stablecoin Issuers. This design aims to avoid confusion caused by dual regulation and to establish an independent compliance standard system for these issuers that is not bound by the historical MSB framework. FinCEN cited relevant authority in the rule, determining that the business activities of Permitted Payment Stablecoin Issuers are "similar or related" to those of traditional financial institutions, thereby providing a legal basis for exercising its rulemaking power.
The GENIUS Act requires Permitted Payment Stablecoin Issuers to have the technical capability to freeze, reject, and block non-compliant transactions. This proposed rule further clarifies that this requirement applies not only to primary market issuance and redemption activities but also explicitly covers the secondary market—namely, peer-to-peer transfers between third parties. The rule also points out that an issuer's "technical capabilities, policies, and procedures must cover transactions conducted through the Permitted Payment Stablecoin Issuer as well as transactions involving smart contract interactions with third parties."
In practical operation, this means that issuers must prove they have the ability to take blocking, freezing, and rejection measures against specific or unauthorized transactions and execute lawful orders. If the proposed rule is ultimately approved, issuers who cannot achieve the same effects technically will have to upgrade or redeploy existing smart contracts for their stablecoin projects to meet compliance requirements.
For Permitted Payment Stablecoin Issuers, after clarifying their legal status, the proposed rule sets up two parallel and complementary compliance obligation systems: one is the AML/CFT framework led by FinCEN, and the other is the economic sanctions compliance framework led by OFAC. The former focuses on preventing general illicit financial activities such as money laundering, fraud, and terrorist financing, while the latter focuses on blocking transactions with sanctioned entities or individuals.
In the proposed rule, FinCEN requires Permitted Payment Stablecoin Issuers to establish and maintain an effective AML/CFT program. According to relevant provisions, the program intends to set specific customer due diligence requirements for issuers and clarify the boundaries of their Suspicious Activity Report obligations in the primary and secondary markets.
In the current regulatory system, "Customer Due Diligence" \(CDD\) is the fifth statutory element of a bank's AML/CFT program, while MSBs have never been required to implement a full CDD procedure; their obligations are basically limited to customer identification. Once Permitted Payment Stablecoin Issuers are no longer managed as MSBs, FinCEN will require them to implement ongoing customer due diligence. The CDD requirements in the proposed rule specifically include three levels:
\(1\) Understanding the nature and purpose of customer relationships to establish a customer risk profile;
\(2\) Ongoing monitoring of transactions to identify and report suspicious activity;
\(3\) Maintaining and updating customer information based on risk principles, including information regarding the beneficial owners of legal entity customers.
A beneficial owner is defined as a natural person who directly or indirectly holds more than 25% of the equity, as well as a natural person with control. It is evident that the AML obligation level for Permitted Payment Stablecoin Issuers has been substantially raised to the same standard as banks.
The proposed rule requires Permitted Payment Stablecoin Issuers to file a Suspicious Activity Report \(SAR\) for suspicious transactions in the primary market, with a reporting threshold of $5,000. This threshold is a significant increase from the current $2,000 for MSBs, aligning it with traditional financial institutions like banks and broker-dealers. FinCEN explained in the rule that this adjustment considers factors such as the requirement for issuers to implement customer identification procedures, the rarity of low-value transactions in the primary market, and the absence of agency relationships unique to MSBs in the stablecoin ecosystem. However, in the secondary market, the rule provides a clear exemption. The mere fact that a transfer between third parties triggers a smart contract interaction with the issuer does not immediately trigger a SAR reporting obligation.
Regarding the exemption, FinCEN noted that requiring issuers to monitor all on-chain transfers and report suspicious transactions would create two problems: first, issuers lack identity information for secondary market participants, making reports empty and useless; second, it might lead to "defensive filing"—where institutions over-report to protect themselves, causing truly valuable leads to be buried in a sea of defensive reports. Therefore, the rule draws a clear line for SAR obligations but maintains the issuer's ability to act: issuers must still retain the technical ability to freeze or reject non-compliant secondary market transactions and must execute lawful orders issued by courts or other federal agencies. The technical capability requirements for issuers are key to supporting this retained right.
Unlike FinCEN's regulatory requirements, OFAC's sanctions compliance program emphasizes proactive blocking and follows a principle of strict liability. In this proposed rule, OFAC has written the five elements of a sanctions compliance program into the regulations, making them a statutory obligation for Permitted Payment Stablecoin Issuers. Previously, OFAC suggested companies establish sanctions compliance systems through guiding documents like the 2019 "Framework for Compliance Commitments," but never elevated it to a mandatory legal requirement. The proposed rule specifies that issuers must establish and maintain an "effective sanctions compliance program" containing the following elements:
\(1\) Commitment from senior management and at the organizational level;
\(2\) Risk assessment;
\(3\) Internal controls;
\(4\) Testing and auditing;
\(5\) Training.
The rule defines "payment stablecoin-related activities" as: activities involving the issuance, transaction, holding, processing, transfer, redemption, or any other activity related to a payment stablecoin from the time of issuance until it exits circulation, whether occurring in the primary or secondary market. This broad definition means that an issuer's responsibility for sanctions screening does not end when the token is transferred to a third party. Even if a transaction occurs between two wallets with no direct customer relationship with the issuer, as long as it involves the issuer's stablecoin and is completed through its smart contract, the issuer would, at least in principle, continue to bear sanctions-screening obligations.
Regarding the consequences of non-compliance, the rule sets clear penalties: major violations can result in a maximum fine of $100,000 per day; knowing violations incur an additional $100,000 per day. Given OFAC's strict liability principle—where civil liability can be pursued regardless of whether the violation was intentional—the deterrent power of these penalties is obvious.
AML/CFT Program \+ Customer Due Diligence
Strict Liability \+ Up to $100,000 per day
For stablecoin issuers, the proposed rule uses specific institutional design to quantify what were previously vague compliance costs, effectively raising the market entry barrier.
Section 12 of the proposed rule provides a detailed regulatory impact analysis. According to FinCEN and OFAC projections, the incremental compliance cost for each non-bank Permitted Payment Stablecoin Issuer in the first year will be approximately $52,453, while for bank-affiliated issuers \(as subsidiaries of existing banks\), it will be approximately $24,983. This significant difference is related to whether the issuers already have compliance infrastructure. Bank-affiliated issuers can reuse their parent company's existing BSA/AML compliance teams, OFAC screening systems, and beneficial owner identification processes, resulting in lower marginal costs. In contrast, non-bank issuers need to build an entire compliance infrastructure from scratch. Additionally, each issuer will need to invest $10,000 to $20,000 in the first year to deploy blockchain analysis tools, sanctions screening software, and transaction monitoring systems.
For small entities, the rule adopts an asset-based identification standard—issuers with total assets below $200 million are identified as small entities. Among the estimated 50 potential Permitted Payment Stablecoin Issuers, about 19 fall into this category. For these small issuers, first-year compliance costs could account for 1% to 3% of their annualized revenue. While this ratio does not necessarily constitute an entry barrier, small issuers will have to factor compliance costs into the break-even logic of their business models, which may change their original issuance strategies or revenue models.
Looking at the content of the published text, the proposed rule jointly released by FinCEN and OFAC does not attempt to solve all stablecoin regulatory issues at once. Instead, it specifies regulatory requirements for AML/CFT, sanctions compliance, and suspicious activity reporting. For the U.S. stablecoin market, an issuer's technical architecture, customer management, and compliance systems will be included in the entry conditions and play a more important role in market competition. However, the proposed rule is still in the public comment period, and there is still room for adjustment in the final rule regarding secondary market technical capability requirements, customer due diligence boundaries, and sanctions compliance arrangements. Whether the dual compliance obligation system under the published text can be finally established remains to be seen. Examining the series of implementation measures under the GENIUS Act from a medium-to-long-term perspective, a regulatory environment with clear rules and defined responsibilities may be the only way for stablecoins to truly integrate into the global financial infrastructure.
FinTax offers crypto accounting suite, tax calculator and professional tax consulting services.
