# Stablecoin AML and sanctions compliance: what businesses need to know

> Payment stablecoin issuers in the US are now treated as financial institutions under the Bank Secrecy Act, with mandatory AML/CFT programs and — for the first time — explicit statutory sanctions compliance obligations. A FinCEN/OFAC proposed rule published 10 April 2026 fills in the specifics: written programs, risk assessments, SAR filing at a $5,000 threshold, and technical controls to freeze and reject sanctioned transactions.

Updated 2026-06-09

Until the GENIUS Act, stablecoin issuers occupied an awkward middle space in US financial regulation. They were arguably money services businesses under FinCEN rules, but the specific obligations — and who actually examined them — were contested. The GENIUS Act, signed **18 July 2025**, closed that ambiguity. Payment stablecoin issuers are now financial institutions under the Bank Secrecy Act. And on **10 April 2026**, FinCEN and OFAC jointly published a proposed rule filling in what that means in practice.

Comments on the proposed rule were due **9 June 2026**. Final rules are expected to become effective 12 months after issuance. This article explains the framework that is taking shape.

## Who it covers: Permitted Payment Stablecoin Issuers

The GENIUS Act creates a category called **Permitted Payment Stablecoin Issuers (PPSIs)**. This covers:

- Subsidiaries of FDIC-insured depository institutions issuing under their bank charter
- Federally qualified nonbank issuers approved by the OCC
- State-qualified issuers operating under a state framework certified as substantially equivalent to federal standards (capped at $10 billion in outstanding stablecoins, unless waived)

Foreign issuers serving US persons through US digital-asset service providers may also be treated as PPSIs for compliance purposes, depending on their home-country regulatory regime.

If a company issues a payment stablecoin and offers it to US persons, it needs to be a PPSI. If it is not a PPSI, it cannot legally issue to US persons.

## The AML/CFT program requirements

The FinCEN proposed rule requires each PPSI to establish and maintain a **written AML/CFT program** covering five elements:

| Program element | What it requires |
|---|---|
| Policies, procedures, and controls | A documented, risk-based framework for detecting and preventing money laundering and terrorist financing |
| Risk assessment | A mandatory, documented evaluation of ML/TF risks — updated promptly when significant changes occur, including new products, new markets, or regulatory changes |
| Independent testing | Objective, periodic review of the program's effectiveness |
| Designated compliance officer | A named, US-based individual responsible for day-to-day compliance |
| Ongoing training | Regular AML/CFT training for relevant staff |

The risk assessment requirement is notably more prescriptive than voluntary practice at other institutions. PPSIs must explicitly "evaluate ML/TF risks and review and incorporate the AML/CFT Priorities" published by FinCEN — the agency's list of current national illicit finance threats.

The program must be **approved by the board of directors or senior management**, not simply maintained by the compliance team.

## Suspicious Activity Reports

PPSIs must file **Suspicious Activity Reports (SARs)** for transactions that involve or are suspected to involve:

- Funds from illegal activity
- Attempts to evade BSA reporting or recordkeeping requirements
- Transactions with no lawful purpose
- Use of the stablecoin system to facilitate criminal activity

The reporting threshold is **$5,000** — matching the bank standard, not the $2,000 threshold applicable to money services businesses. This is a notable choice: it signals that regulators view PPSIs as closer to banks than to traditional MSBs in terms of compliance expectations.

**Secondary market transactions are excluded.** FinCEN explicitly declined to require secondary market transaction monitoring or SAR reporting, recognising that "defensive SARs can have little value for law enforcement." PPSIs are responsible for their own issuance and redemption activity, not for what holders do with the tokens after purchase.

## Sanctions compliance: a first in US law

The OFAC component of the proposed rule represents a statutory first. For the first time, US law **explicitly mandates** that a specific category of entity maintain a formal sanctions compliance program. Prior to the GENIUS Act, OFAC's compliance framework was based on guidance and enforcement practice — not a statutory requirement.

The required sanctions compliance program mirrors OFAC's 2019 Compliance Framework, which sets out five components:

1. **Management commitment** — senior leadership endorsement of the compliance function
2. **Risk assessment** — documented analysis of sanctions exposure across counterparties, geographies, products, and services
3. **Internal controls** — policies and procedures for screening transactions, onboarding customers, and escalating potential matches
4. **Testing and auditing** — periodic review of program effectiveness
5. **Training** — regular sanctions training for staff with relevant responsibilities

### Technical controls

Beyond program governance, PPSIs must have the **technical capability** to:

- Block transactions involving sanctioned parties or jurisdictions
- Freeze assets on demand in response to lawful orders
- Reject attempted transactions before they settle

For a blockchain-based issuer, this typically requires integration with real-time address screening services — tools like Chainalysis, Elliptic, or TRM Labs — that cross-reference wallet addresses against OFAC's Specially Designated Nationals (SDN) list and other sanctions lists before a transaction is finalised. For issuers whose tokens support it (such as TIP-20 tokens on Tempo), protocol-level compliance controls can enforce whitelist/blacklist policies at the token layer itself.
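The block, freeze, and reject capabilities above can be pictured as a single gate that runs before settlement. The following is an added example, not code from the proposed rule, from Tempo, or from any screening vendor. The class and function names, the 24-hour list freshness policy, and the sample addresses are assumptions made for illustration.

```python
import re
import time
from dataclasses import dataclass, field

_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample addresses, not real sanctions-list entries.
LISTED = "0x" + "ab" * 20
CLEAN = "0x" + "12" * 20

def normalize(addr: str) -> str:
    """Canonical form for comparison: hex addresses may differ only by letter case."""
    addr = addr.strip()
    if not _ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

@dataclass
class ScreeningGate:
    max_list_age_s: float = 24 * 3600  # assumed freshness policy, not from the rule
    sanctioned: set = field(default_factory=set)
    frozen: set = field(default_factory=set)
    list_loaded_at: float = 0.0

    def load_list(self, addresses, now=None):
        """Replace the screening list and record when it was loaded."""
        self.sanctioned = {normalize(a) for a in addresses}
        self.list_loaded_at = time.time() if now is None else now

    def freeze(self, addr):
        """Freeze on demand, for example on receipt of a lawful order."""
        self.frozen.add(normalize(addr))

    def screen(self, sender, recipient, now=None):
        """Return (decision, reason) before the transfer is allowed to settle."""
        now = time.time() if now is None else now
        try:
            parties = [normalize(sender), normalize(recipient)]
        except ValueError as exc:
            return ("REJECT", f"malformed address: {exc}")
        # Fail closed: an outdated or never-loaded list must not pass traffic.
        if now - self.list_loaded_at > self.max_list_age_s:
            return ("REJECT", "sanctions list stale; failing closed")
        for p in parties:
            if p in self.sanctioned:
                return ("REJECT", f"sanctions list match: {p}")
            if p in self.frozen:
                return ("REJECT", f"address frozen: {p}")
        return ("ALLOW", "no match")
```

Comparing normalized addresses avoids a miss when the same address arrives in a different letter case, and the staleness check means an unloaded or outdated list rejects rather than allows.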

## Who examines PPSIs

The proposed rule establishes three examination tracks:

| Issuer type | Primary examiner |
|---|---|
| Federally chartered (OCC pathway) | OCC, FRB, FDIC, or NCUA depending on charter |
| State-chartered, ≤$10B outstanding | State regulator |
| State-chartered, unsupervised | IRS |

FinCEN has signalled a "notice and consultation framework" for significant supervisory actions — it will coordinate with the primary examiner before taking major enforcement steps. The rule also notes that FinCEN will consider, as a mitigating factor in enforcement, whether a PPSI deployed "AI-driven analytics, federated learning, or other advanced tools" in its compliance program.

## What businesses using stablecoins need to know

The GENIUS Act and the proposed rule primarily target **issuers**, not ordinary businesses that accept or pay in stablecoins. But depending on what a business does, compliance obligations may already apply:

**Money services businesses (MSBs):** Any business that transmits stablecoins on behalf of others — wallets, payment processors, remittance providers — is likely already an MSB under FinCEN's existing rules and must have AML programs, file SARs, and screen for sanctions.

**Ordinary businesses:** A company accepting USDC as payment for a product or service generally does not have AML program obligations solely from that fact. However, OFAC sanctions obligations apply to **all US persons** regardless of industry — a business that receives payment from a sanctioned party, even inadvertently, can face liability. Best practice is to screen counterparties, particularly for cross-border transactions.

**Exchanges and custodians:** Platforms holding stablecoins on behalf of customers face the full MSB compliance stack, including KYC/AML obligations for account opening and transaction monitoring.

## The MiCA parallel

In the European Union, MiCA — in full effect since December 2024 — imposes similar AML/CFT obligations on issuers of e-money tokens (the MiCA category that covers fiat-backed stablecoins). EU issuers must hold authorisation from a national competent authority, maintain reserve backing, and comply with the Anti-Money Laundering Directive as applied to crypto-asset service providers. The frameworks differ in detail — MiCA covers a broader set of crypto-assets, while the GENIUS Act is narrower and more specific to payment stablecoins — but the compliance logic is consistent: licensed issuers, reserve transparency, and AML screening at the point of issuance.

## The bottom line

Stablecoin AML and sanctions compliance in 2026 is no longer a legal grey zone. The GENIUS Act established the statutory framework. The FinCEN/OFAC proposed rule, with comments due 9 June 2026, fills in program requirements, SAR thresholds, and technical controls. Any business issuing payment stablecoins to US persons, or any MSB handling them, needs a compliance program built to the standards the rule describes.

For the broader regulatory picture, see [The GENIUS Act explained](/articles/genius-act-explained). For how banks have structured their stablecoin compliance operations, see [How banks adopted stablecoin rails in 2026](/articles/stablecoin-banking-adoption-2026).

## FAQ

**Are stablecoin issuers now covered by the Bank Secrecy Act?**

Yes. The GENIUS Act, signed 18 July 2025, explicitly treats permitted payment stablecoin issuers (PPSIs) as financial institutions under the BSA, subjecting them to the full AML/CFT obligations that banks and money services businesses face.

**What does the FinCEN/OFAC proposed rule require?**

The proposed rule (published 10 April 2026, comments due 9 June 2026) requires PPSIs to maintain a written AML/CFT program, conduct mandatory risk assessments, file Suspicious Activity Reports at a $5,000 threshold, designate a US-based compliance officer, and maintain an OFAC sanctions compliance program including technical controls to freeze, block, and reject transactions involving sanctioned parties.

**Do businesses that use stablecoins — not issue them — face compliance obligations?**

It depends on the business type. A money services business or payment processor handling stablecoin transactions is already covered by FinCEN rules. An ordinary business accepting stablecoin payment for goods or services has limited direct obligations, but should conduct OFAC screening to avoid liability for transactions with sanctioned counterparties.

**What is the SAR threshold for stablecoin issuers?**

The proposed rule sets the Suspicious Activity Report threshold at $5,000 — matching the standard bank threshold rather than the $2,000 threshold applicable to money services businesses. Secondary market transactions are not subject to SAR monitoring under the proposed rule.

**What technical controls do issuers need?**

Issuers must have the capability to block, freeze, and reject specific transactions involving sanctions violations, and to comply with lawful asset-freezing orders. This typically requires integration with blockchain analytics tools (such as Chainalysis, Elliptic, or TRM Labs) for real-time address screening.

