GENIUS Act AML Rulemaking: Stablecoins Are Banks Now

By Anurag Verma, April 27, 2026

On April 8, 2026, FinCEN and OFAC published a joint Notice of Proposed Rulemaking that should be required reading for anyone issuing, integrating, or building on top of a payment stablecoin. The headline is straightforward: Permitted Payment Stablecoin Issuers (PPSIs) will be required to implement full Bank Secrecy Act compliance programs, file Suspicious Activity Reports, and — for the first time ever as a legal mandate — maintain documented sanctions compliance programs under OFAC authority.

This isn't a tweak. The proposed rule redefines what it costs to be a stablecoin issuer in the United States. Not in compute costs or liquidity depth, but in legal and operational overhead that most teams simply aren't built for.

I've spent the last four years in regulated crypto infrastructure. The gap between "we have a compliance person" and "we have a bank-grade AML/CFT program with a defensible SAR workflow" is enormous. Most stablecoin projects have the former. This rule demands the latter.

What the April 8 NPRM Actually Requires

The proposed rule applies to any entity classified as a PPSI under the GENIUS Act — broadly, any issuer of a dollar-denominated payment stablecoin that isn't a federally insured depository institution. Key requirements from the NPRM text:

  • AML/CFT Program: A written, board-approved program covering internal controls, a designated compliance officer, ongoing employee training, and independent audit. Same four pillars as a bank.
  • SAR Filing: Suspicious Activity Reports filed within 30 days of detecting a transaction meeting the threshold criteria. This means transaction monitoring infrastructure isn't optional.
  • Customer Identification Program (CIP): KYC at account opening, beneficial ownership verification, and recordkeeping that survives regulatory examination.
  • OFAC Sanctions Compliance Program: A first for stablecoin issuers as a statutory obligation — not just best practice, not a terms-of-service line. A documented, auditable, risk-based sanctions screening program.

The OFAC piece is the one most people are underweighting. OFAC compliance programs have specific documentation standards. You need a senior designee, a written policy, transaction screening against SDN and blocked-persons lists, and a process for handling hits. Banks have entire teams dedicated to this. Most stablecoin issuers have a checkbox.

Why This Redraws the PPSI Competitive Map

Compliance infrastructure is expensive to build and nearly impossible to fake under examination. The NPRM, if finalized as written, creates a structural moat that advantages incumbents with existing bank-grade programs — and puts real pressure on anyone who has been operating in the grey.

Circle has been building toward this for years. Their 2024 annual transparency report cited ongoing BSA compliance investment and existing SAR filing capabilities. They're not starting from zero. Tether's situation is more complicated: they're incorporated in El Salvador, their US market access relies on secondary distribution, and a formal PPSI designation would require them to bring infrastructure into the domestic regulatory perimeter. Whether they pursue that or restructure around it is a meaningful strategic question, though I won't speculate on their choices.

Smaller issuers — particularly those operating cross-chain or via third-party custodians — face a harder math problem. They have to build or buy the compliance stack before they can legally issue under GENIUS Act authority. That's not a 60-day sprint. Building a defensible AML program from scratch takes 12 to 18 months when you account for policy writing, system integration, audit cycles, and regulator review.

SAR Filing Is Not a Simple Integration

I want to be specific about SAR filing because it's often treated as a software problem. It's not primarily a software problem.

Filing a SAR requires:

  1. A transaction monitoring system tuned to detect relevant patterns (structuring, smurfing, sanctions evasion, layering).
  2. A human review process — alerts need case management, analyst notes, and supervisor sign-off.
  3. A secure FinCEN filing channel (BSA E-Filing or its successor).
  4. 90-day lookback rules, continuation SARs, and strict confidentiality requirements that prohibit tipping off the subject.

On-chain transaction monitoring for stablecoins is actually more tractable than traditional finance in some ways — the ledger is public, tracing is deterministic, clustering heuristics work well on UTXO and account models. But the workflow around the monitoring is where most teams are underprepared. You need trained analysts, not just a Chainalysis API key.

If you're interested in how bridging infrastructure interacts with on-chain AML tracing, the earlier post on how stablecoin bridges actually fail covers some of the technical surface that makes monitoring harder than it looks.

The OFAC Mandate Changes the Liability Calculus

Prior to this NPRM, OFAC sanctions compliance for stablecoin issuers was effectively voluntary — recommended under OFAC's 2021 Sanctions Compliance Guidance for the Virtual Currency Industry, but not codified as a statutory requirement for issuers specifically. The proposed rule changes that.

A documented, risk-based sanctions compliance program means:

  • Annual risk assessments tied to your product's geographic exposure and customer base.
  • SDN screening at onboarding and on an ongoing basis (sanctions lists update daily).
  • A process for blocking and rejecting transactions involving designated parties.
  • Recordkeeping sufficient to demonstrate the program to an examiner.
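
The screening loop in the list above, as an added example that is not part of the original post or any issuer's system: screening at onboarding and per transfer, re-screening existing customers when a new list version loads, and an audit record that pins each decision to the list version used. The `Screener` class, the `HOLD` disposition, the exact-match address comparison and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

def norm(addr: str) -> str:
    return addr.strip().lower()  # checksum-case variants compare equal

@dataclass
class Screener:
    list_version: str = ""
    blocked: frozenset = frozenset()
    customers: dict = field(default_factory=dict)  # customer id -> addresses
    audit: list = field(default_factory=list)      # append-only examiner record

    def _record(self, event, subject, addrs):
        """Screen addresses and log the decision with the list version used."""
        hits = sorted({norm(a) for a in addrs} & self.blocked)
        result = "HIT" if hits else "CLEAR"
        self.audit.append({"event": event, "subject": subject, "result": result,
                           "list_version": self.list_version, "matched": hits})
        return result

    def load_list(self, version, addresses):
        """Install a new list version, then re-screen every existing customer."""
        self.list_version = version
        self.blocked = frozenset(norm(a) for a in addresses)
        return [cid for cid, addrs in self.customers.items()
                if self._record("rescreen", cid, addrs) == "HIT"]

    def onboard(self, cid, addrs):
        """Screen at onboarding; only CLEAR customers are admitted."""
        result = self._record("onboarding", cid, addrs)
        if result == "CLEAR":
            self.customers[cid] = {norm(a) for a in addrs}
        return result

    def screen_transfer(self, tx_id, sender, recipient):
        """HOLD routes the transfer to an analyst, who decides block or reject."""
        hit = self._record("transfer", tx_id, [sender, recipient]) == "HIT"
        return "HOLD" if hit else "ALLOW"

# Constructed sample data: these are not real listed addresses.
ADDR_A, ADDR_B, ADDR_C = ("0x" + p * 20 for p in ("a1", "b2", "C3"))

def demo():
    s = Screener()
    s.load_list("2026-04-08", [ADDR_C])
    r1 = s.onboard("cust-1", [ADDR_A])
    r2 = s.onboard("cust-2", [ADDR_C.lower()])
    t1 = s.screen_transfer("tx-1", ADDR_A, ADDR_B)
    flagged = s.load_list("2026-04-09", [ADDR_C, ADDR_A.upper()])
    t2 = s.screen_transfer("tx-2", ADDR_B, ADDR_A)
    return r1, r2, t1, flagged, t2, s.audit
```

In `demo()`, `cust-1` clears onboarding under the first list version and is flagged only by the re-screen after the next version loads, which is the case that onboarding-only screening misses.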

The liability shift here is significant. Under the current framework, OFAC enforcement against stablecoin issuers has been largely discretionary. With a codified program requirement, failures become per-se violations with a clearer enforcement path. The 2023 Tornado Cash designations showed OFAC is willing to act on smart contract addresses; this rule creates the infrastructure to make such actions more systematic on the issuer side.

Who Benefits From This Complexity

The issuers who benefit most from the NPRM are the ones that have already made the compliance investment. Not because regulators are favoring them, but because sunk cost becomes competitive advantage when a fixed compliance overhead gets spread across a large balance sheet.

For context: the total stablecoin market cap crossed $230 billion in early 2026, with USDT and USDC holding roughly 85% of that. The marginal cost of a bank-grade AML program for an issuer at that scale is dramatically lower as a percentage of operations than it is for an issuer at $500 million outstanding. Compliance is a fixed cost that kills small competitors.

This dynamic plays out in traditional banking too. Basel III compliance costs were a primary driver of community bank consolidation in the US after 2010. Expect something similar in the PPSI space over the next 24 to 36 months.

The RWA tokenization buildout I've covered before connects directly here — institutions deploying tokenized treasuries and credit instruments need the stablecoin rails underneath them to be as clean as the instruments themselves. PPSI compliance is a prerequisite for institutional RWA adoption at scale, not a separate policy conversation.

The Comment Period Window

NPRMs require a public comment period before finalization — typically 60 to 90 days from publication. This is not academic. The final rule can and does change based on well-reasoned technical comments. If you're an issuer, a wallet provider, or a DeFi protocol that routes through PPSIs, you have standing to comment on the specific implementation details: SAR thresholds, CIP standards for self-custody wallets, treatment of smart contract intermediaries.

The proposed rule's treatment of decentralized or non-custodial intermediaries is one area where the current draft language is underspecified. That ambiguity will be resolved in the final rule, and the industry has an opportunity to provide concrete technical input on what's actually implementable versus what sounds reasonable to a policy drafter who hasn't seen the code.

Submit comments through FinCEN's official docket. Do it with specific technical arguments, not general objections to regulation.

The GENIUS Act has been building toward this moment for two years. The April 8 NPRM is the compliance backbone that turns the Act from a framework into an enforceable standard. Issuers who treat this as a paperwork exercise will find out what bank examiners already know: the program is either real or it fails on first contact with scrutiny.
