The United States is days away from an important deadline for stablecoin regulation.
The GENIUS Act requires the U.S. Department of the Treasury and other payment stablecoin regulators to issue implementing regulations by July 18, 2026, one year after the law was enacted. Among the most important are rules from the Financial Crimes Enforcement Network, or FinCEN, and the Office of Foreign Assets Control, or OFAC, covering anti-money laundering and sanctions compliance.
FinCEN and OFAC proposed their rules in April. At the time of publication, that rule remained a proposal as the statutory deadline approached. A separate customer identification proposal was published in June.
The final requirements will help determine what it means to operate a regulated payment stablecoin in the United States.
For permitted payment stablecoin issuers, or PPSIs, compliance will no longer be something added near the end of product development. Anti-money laundering controls, sanctions screening, transaction monitoring, customer due diligence, and regulatory reporting will need to be built into the company’s technology and daily operations.
Key Takeaways
- The GENIUS Act requires implementing regulations by July 18, 2026.
- PPSIs will be treated as financial institutions under the Bank Secrecy Act.
- Issuers will need formal, risk-based AML and sanctions compliance programs.
- The proposal includes SAR filing, customer due diligence, recordkeeping, and Travel Rule obligations.
- Issuers must have the technical ability to block, freeze, and reject prohibited transactions.
- Some of the hardest questions involve stablecoins traded between third parties on the secondary market.
- The final rule will establish the clearest roadmap yet for building compliant stablecoin payment infrastructure.
What Is a Payment Stablecoin?
A payment stablecoin is a digital asset designed to be used for payment or settlement. Its issuer must agree to redeem or repurchase it for a fixed amount of monetary value and must create a reasonable expectation that its value will remain stable.
For example, a U.S. dollar payment stablecoin may be designed to maintain a value of one dollar.
The GENIUS Act does not apply equally to every digital asset or every stablecoin. It creates a regulated category of permitted payment stablecoin issuers. These can include approved subsidiaries of insured banks or credit unions, federally qualified issuers, and certain state-qualified issuers.
Only companies that meet the law’s requirements and receive the proper approval will qualify as PPSIs.
What the GENIUS Act Changes for Stablecoin Compliance
The GENIUS Act directs regulators to treat PPSIs as financial institutions under the Bank Secrecy Act. It also subjects them to federal laws involving economic sanctions, money laundering prevention, customer identification, and due diligence.
This does not mean every stablecoin issuer is starting from zero.
Many existing stablecoin issuers already qualify as money services businesses. As a result, they may already maintain written AML programs, file Suspicious Activity Reports, and follow certain recordkeeping requirements. The GENIUS Act, however, creates a separate financial institution category for PPSIs and establishes a more specific federal framework for stablecoin issuance.
The shift is still significant.
PPSIs will need to show that compliance controls are connected to the design of their products, smart contracts, customer relationships, transaction processes, and secondary-market capabilities.
What Would the Proposed AML Program Require?
Under FinCEN’s April proposal, a PPSI would need a written AML and countering the financing of terrorism program that is based on the issuer’s actual risks.
The program would need approval from the board, an equivalent governing body, or appropriate senior management. It would also need to include:
- Internal policies, procedures, and controls
- A documented risk assessment process
- Ongoing customer due diligence
- Independent testing
- Employee training
- A qualified AML officer located in the United States
- Processes for updating the program as the issuer’s risks change
The proposal emphasizes effectiveness rather than simple technical compliance. An issuer would be expected to direct more attention and resources toward higher-risk customers and activities instead of treating every transaction the same.
That means the program cannot be limited to a policy document.
Risk findings must influence screening thresholds, transaction monitoring, customer reviews, escalation decisions, staffing, and the way suspicious activity is investigated.
Stablecoin Issuers Would Need to File SARs
The proposal would require PPSIs to file Suspicious Activity Reports for qualifying transactions conducted or attempted by, at, or through the issuer.
FinCEN proposed a reporting threshold of at least $5,000 in funds or other assets. An issuer would need to report a transaction or pattern when it knows, suspects, or has reason to suspect that the activity involves illegal funds, attempts to hide illegal funds, avoids Bank Secrecy Act requirements, lacks an apparent lawful purpose, or uses the issuer to support criminal activity.
Under the proposed timeline, a SAR would generally be due within 30 days after the issuer first detects facts that may support a filing. When no suspect can be identified, the issuer could receive up to 60 days.
For a stablecoin company, that creates several operational needs:
- Reliable transaction monitoring
- Clear alert investigation workflows
- Access to customer and wallet information
- Case documentation
- Escalation procedures
- SAR preparation and filing controls
- Records showing why a report was or was not filed
A blockchain may provide a detailed public transaction history, but raw transaction data does not automatically explain who controls a wallet, why funds moved, or whether the activity is illegal.
Issuers will need systems that connect blockchain activity with customer information, sanctions data, ownership records, adverse media, and other risk signals.
Travel Rule and Recordkeeping Requirements Would Apply
FinCEN’s proposal would clearly apply the Recordkeeping Rule and Travel Rule to payment stablecoin transactions.
The Recordkeeping Rule generally requires covered financial institutions to collect and retain information for qualifying transfers of $3,000 or more. The Travel Rule requires certain information to move with a transfer as it passes between financial institutions.
For stablecoin issuers, compliance may become difficult when transactions involve several wallets, exchanges, custodians, or other service providers.
The issuer must determine:
- Which party is sending the payment
- Which party is receiving it
- Which institutions are involved
- What information must accompany the transfer
- Whether the required data is complete and reliable
- How the information will be retained and retrieved
These requirements must work at the speed of digital payments. A process that depends on manual research after every transaction will not scale.
OFAC Would Require a Formal Sanctions Compliance Program
The GENIUS Act creates an unusually direct sanctions requirement.
According to Treasury and Holland & Knight, it is the first federal law to expressly require a particular type of U.S. person to maintain an effective sanctions compliance program.
OFAC’s proposed framework contains five core areas:
- Senior management and organizational commitment
- A sanctions risk assessment
- Internal controls
- Independent testing and auditing
- Employee training
The program would need to be risk-based, reasonably designed, properly funded, and applied across the issuer’s payment stablecoin activities.
This requires more than checking a wallet or customer name against the Specially Designated Nationals List when an account is opened.
An issuer may need to evaluate:
- Customers and beneficial owners
- Wallet addresses
- Geographic exposure
- Sanctioned jurisdictions
- Direct and indirect ownership
- Transaction counterparties
- Links to sanctioned services or exchanges
- Changes to OFAC lists
- Attempts to avoid or bypass controls
The issuer must also be able to show regulators that its screening decisions are consistent, tested, and supported by evidence.
Blocking, Freezing, and Rejecting Transactions Is a Technical Requirement
One of the most important differences between traditional banking compliance and stablecoin compliance is the role of the token’s technical design.
The GENIUS Act requires PPSIs to maintain the technical capabilities, policies, and procedures needed to block, freeze, and reject prohibited transactions. The proposal explains that these capabilities may need to reach beyond direct customers and into secondary-market activity.
The law also requires issuers to comply with lawful orders to seize, freeze, burn, or prevent the transfer of payment stablecoins.
This can affect how a stablecoin’s smart contract is designed.
An issuer may need the ability to prevent a listed wallet from transferring tokens, freeze stablecoins controlled by a blocked person, or respond to a government order involving tokens held outside the issuer’s direct platform.
Those capabilities cannot be added quickly after a sanctions issue occurs. They must be considered during product and infrastructure design.
The Secondary Market Remains a Major Open Question
The proposal distinguishes between the primary and secondary markets.
The primary market includes direct interactions between an issuer and a customer, such as issuing or redeeming stablecoins. The secondary market includes transactions between other parties, such as transfers through exchanges, custodians, decentralized platforms, or personal wallets.
FinCEN stated that most illicit stablecoin activity occurs on the secondary market. However, the April proposal would not impose a blanket requirement for PPSIs to file SARs on all secondary-market transactions.
FinCEN explained that issuers may see a stablecoin move through a smart contract but lack enough information about the people or purpose behind the transfer to prepare a useful SAR. It also warned that a broad requirement could create large numbers of defensive reports with limited value.
Banks and banking trade groups have raised concerns about this approach.
The Bank Policy Institute and The Clearing House argued that secondary-market exchanges, custodians, digital asset service providers, and decentralized participants may not face AML and sanctions requirements comparable to those applied to banks. They warned that the lack of clear duties for these participants could leave significant regulatory gaps.
The final rule may provide more guidance, but the basic challenge will remain: an issuer can have technical visibility into a token without having complete information about every person who uses it.
When Will the Rules Take Effect?
Several dates are involved.
The GENIUS Act requires regulators to issue implementing regulations no later than July 18, 2026. The law’s broader framework takes effect on the earlier of:
- January 18, 2027, which is 18 months after enactment, or
- 120 days after the primary federal payment stablecoin regulators issue final implementing regulations.
FinCEN and OFAC separately proposed that their AML and sanctions rules become effective 12 months after the final rules are issued. The agencies requested public feedback on that proposed implementation period.
The final rule will determine whether that 12-month period remains in place.
Stablecoin issuers should not wait for the effective date to begin planning. Designing a risk assessment, hiring compliance leadership, integrating screening technology, creating transaction monitoring scenarios, testing smart contract controls, and building SAR workflows can take months.
What Stablecoin Issuers Should Be Doing Now
Map the full transaction lifecycle
Issuers should document how stablecoins are issued, transferred, redeemed, frozen, and removed from circulation.
The map should include customers, banks, exchanges, custodians, wallets, smart contracts, and other parties involved in each stage.
Build a stablecoin-specific risk assessment
A general cryptocurrency policy is not enough.
The risk assessment should consider products, customers, wallet activity, blockchains, transaction types, geographic exposure, distribution channels, secondary markets, and technical design.
Connect sanctions screening to transaction infrastructure
Sanctions controls must be able to identify a risk and support an appropriate technical response.
Screening, decisioning, smart contract controls, case management, and regulatory reporting should operate as connected parts of one process.
Prepare explainable alert decisions
Issuers should be able to show why a customer, wallet, or transaction was cleared, escalated, rejected, or frozen.
That record should include the data used, matching logic, risk factors, analyst actions, and final decision.
Test secondary-market visibility
Issuers should determine what information they can collect from secondary-market activity and where major gaps remain.
This includes testing whether blockchain analytics, wallet attribution, adverse media, sanctions data, and network analysis provide enough context to support reliable decisions.
How Sigma360 Supports Stablecoin Compliance Infrastructure
Stablecoin compliance requires more than a list check. Issuers need an integrated view of customers, organizations, ownership, sanctions exposure, adverse media, geographic risk, and connected entities.
Sigma360 combines global sanctions and watchlist information with corporate registry data, adverse media, country risk, and network intelligence. Its extended OFAC coverage can also identify entities connected to sanctioned parties through ownership or association.
Context-aware screening can evaluate more than a name alone. Dates of birth, nationalities, ownership, aliases, transliterations, and related entities can help reduce false positives while maintaining strong risk detection.
Explainability is equally important. Sigma360’s AI governance framework includes clear reasoning, source attribution, model testing, human oversight, and escalation for uncertain or complex cases. These controls help institutions automate parts of the review process while maintaining an auditable decision trail.
For a global payments firm, Sigma360’s AI Investigator Agent automated the clearing of more than 93% of false positives during a proof of concept while providing transparent explanations and expert verification of sampled decisions.
These capabilities support a central requirement of the emerging stablecoin framework: compliance decisions must be fast enough for digital payments but clear enough to withstand regulatory review.
Compliance Must Be Built Into the Stablecoin
The GENIUS Act did more than create a licensing structure for stablecoins. It brought the full weight of AML, customer due diligence, regulatory reporting, and sanctions compliance into the payment stablecoin market.
The most successful issuers will treat those obligations as infrastructure.
Screening should connect to transaction execution. Risk assessments should affect daily decisions. SAR workflows should connect blockchain activity with real customer and counterparty information. Sanctions controls should support immediate, documented action when a prohibited transaction is identified.
The final rules will provide more detail, but the direction is already clear.
Stablecoin companies that build compliance into their products from the beginning will be better prepared to enter the regulated market, scale responsibly, and earn the trust of customers, banking partners, and regulators.
Learn how Sigma360 helps payments and digital asset companies strengthen sanctions screening, identify connected risk, automate alert review, and create explainable compliance decisions.
Frequently Asked Questions
When are the GENIUS Act’s stablecoin regulations due?
The law requires Treasury, the primary federal payment stablecoin regulators, and state regulators to issue implementing regulations by July 18, 2026.
What is a permitted payment stablecoin issuer?
A permitted payment stablecoin issuer is an approved U.S. entity authorized to issue payment stablecoins under the GENIUS Act. Categories include approved subsidiaries of insured depository institutions or credit unions, federally qualified issuers, and state-qualified issuers.
Will stablecoin issuers have to file SARs?
Under FinCEN’s proposal, PPSIs would generally file SARs for suspicious transactions of at least $5,000 conducted or attempted by, at, or through the issuer. The final rule may revise the proposed requirements.
Will the Travel Rule apply to stablecoin transactions?
The proposal would expressly apply the Recordkeeping Rule and Travel Rule to covered transfers involving payment stablecoins.
Must an issuer monitor every secondary-market stablecoin transfer?
The April proposal would not create a blanket SAR filing requirement for all secondary-market activity. However, issuers would still need certain sanctions, lawful-order, and technical blocking capabilities that reach secondary-market transactions.
When will the AML and OFAC rules become effective?
FinCEN and OFAC proposed making their rules effective 12 months after the final rules are issued. The final publication will confirm the actual compliance date.
This article is provided for informational purposes and does not constitute legal, regulatory, or compliance advice.
