
FinCEN and OFAC Just Put Stablecoin Issuers Under Bank-Level AML Rules — Here's What to Build Before January 2027

April 15, 2026 Rebecca Leung

TL;DR

  • On April 8, 2026, FinCEN and OFAC jointly proposed the first-ever AML and sanctions compliance framework for payment stablecoin issuers under the GENIUS Act
  • PPSIs must file SARs at $5,000, implement CDD, designate a U.S.-based compliance officer, and maintain a formal sanctions program — the same playbook as banks
  • Penalties top $100,000/day for sanctions violations; criminal penalties apply to willful AML failures
  • Comment period closes 60 days after publication; compliance required by January 18, 2027 at the latest

If you’ve been operating a stablecoin and telling yourself “we’re a tech company, not a bank” — that position just expired.

On April 8, 2026, FinCEN and OFAC jointly issued a proposed rule that applies bank-level BSA/AML and sanctions compliance requirements to payment stablecoin issuers. This is the first time the U.S. government has imposed a formal sanctions compliance mandate on an entire category of U.S. persons. The comment period is open. The compliance clock is running.

Here’s what you need to know and what to start building.

What Is the GENIUS Act and Who Does This Apply To?

The GENIUS Act — Guiding and Establishing National Innovation for U.S. Stablecoins — was signed into law on July 18, 2025. It created the first federal licensing framework for payment stablecoins in the U.S. and directed federal agencies to issue implementing regulations within 12 months.

FinCEN and OFAC’s April 8 proposed rule is one of those implementing regulations. It targets permitted payment stablecoin issuers (PPSIs) — specifically:

  • Federally chartered stablecoin issuers (licensed by OCC or the Federal Reserve)
  • Bank subsidiaries issuing payment stablecoins
  • State-licensed issuers whose state frameworks have been certified as meeting GENIUS Act federal standards

Issuing stablecoins without a license is already illegal under the GENIUS Act. This rule is about licensed issuers — and it makes clear that getting a GENIUS Act license means accepting BSA and OFAC obligations in full.

What the Proposed Rule Requires

The proposed rule doesn’t create a lighter-touch crypto version of AML. It largely mirrors what FinCEN already requires of banks.

AML Program Requirements

PPSIs must establish a risk-based AML/CFT program with four core components:

  1. Internal policies, procedures, and controls — including written AML program documentation, risk assessment processes, and ongoing customer due diligence
  2. Independent program testing — periodic audits of the AML program by an independent function
  3. Designated U.S.-based compliance officer — with appropriate authority and resources
  4. Employee training — ongoing, documented training on AML obligations

If those four pillars sound familiar, it’s because they’re the same four pillars from FinCEN’s April 2026 AML program reform NPRM that applies to banks. FinCEN is deliberately harmonizing the frameworks.

Customer Due Diligence

PPSIs must implement CDD procedures covering:

  • Identity verification for customers (KYC)
  • Beneficial ownership collection for business customers — the same 25% threshold rule that banks follow
  • Enhanced due diligence for high-risk accounts and relationships
  • Ongoing monitoring to detect unusual transaction patterns

Suspicious Activity Reporting

The SAR threshold is $5,000 — the bank standard. PPSIs must file SARs when they detect:

  • Transactions involving funds from illegal activity
  • Transactions designed to evade reporting requirements
  • Patterns suggesting structuring, layering, or other money laundering indicators

One important carve-out: FinCEN preliminarily declined to impose SAR obligations on secondary market stablecoin transactions, citing the limited counterparty information available to issuers in those contexts. That said, issuers still need to monitor secondary market activity for sanctions compliance purposes.

Record Retention

Transfers of $3,000 or more require records of:

  • Sender/recipient identity
  • Account information
  • Date, amount, and type of transaction

This mirrors the bank Funds Transfer Rule requirements.

Sanctions Compliance Program

OFAC’s portion of the proposed rule is, in some ways, the bigger deal. This is the first time any category of U.S. person has been required by federal regulation to maintain a formal sanctions compliance program.

The required sanctions program must include:

  • Risk-based internal controls to identify, block, and reject sanctionable transactions
  • Screening transactions against OFAC’s Specially Designated Nationals (SDN) and other OFAC lists
  • Technical capability to block, freeze, and seize stablecoins per lawful government orders — in both primary and secondary markets
  • Policies for willful violation reporting

PPSIs that have been watching the Iran sanctions landscape should already understand why this matters. The Iran crypto sanctions enforcement actions from earlier this year made clear that OFAC treats stablecoin transactions to sanctioned parties the same as wire transfers.

Penalty Framework

The proposed rule comes with serious enforcement teeth.

| Violation Type | Maximum Penalty |
|---|---|
| Sanctions — material violation | $100,000 per day |
| Sanctions — knowing violation | Additional $100,000 per day |
| AML — willful violation | $71,545 per day |
| AML — criminal (individual) | Up to $250,000 + 5 years imprisonment |

These aren’t the startup-sized fines that some crypto enforcement actions have looked like. A six-month pattern of material sanctions violations — 180 days at $100,000/day — is $18 million before the additional “knowing” kicker.

The Timeline

The GENIUS Act gives regulators until July 18, 2026 to finalize implementing regulations. Compliance is required by the earlier of:

  • January 18, 2027 (12 months after the GENIUS Act’s effective date), or
  • 120 days after final regulations are published

If FinCEN finalizes this rule by July 2026, the 120-day clock puts effective compliance at approximately November 2026. Either way, you’re looking at well under 18 months to build a functional BSA/AML program from scratch if you don’t have one already.

The comment period closes 60 days after Federal Register publication. This is worth engaging — the secondary market SAR exclusion, the scope of “state-licensed issuer,” and the beneficial ownership triggers are all areas where industry input could shape the final rule.

Control Gap Analysis: What Stablecoin Issuers Are Missing

Most PPSIs — especially those that launched before or alongside the GENIUS Act — weren’t built to comply with BSA. Here’s where the gaps typically show up:

| Required Control | Common Gap in Stablecoin Issuers |
|---|---|
| Customer identification (CIP) | Basic KYC at onboarding, no ongoing monitoring |
| Beneficial ownership | Collected for business accounts only if asked, not required |
| SAR filing capability | No process, no workflow, no relationship with FinCEN BSA E-Filing |
| OFAC screening | SDN list checks at onboarding, not transaction-level |
| Technical freeze/block capability | Smart contract may not include freeze mechanisms |
| Independent AML audit | Never done; compliance is internal-only |
| BSA officer designation | No U.S.-based compliance lead with formal authority |
| AML training program | Ad hoc, not documented, not tracked |

The technical freeze capability gap is particularly acute. Many stablecoin smart contracts don’t include a pause or freeze function, or it’s controlled by the core dev team rather than a compliance function. Building this capability into a live protocol isn’t a software sprint — it requires governance changes, smart contract upgrades, and legal review.

What to Start Building Now

If you’re a PPSI — or if you’re advising one — here’s the build order:

Before the comment deadline:

  • Review the proposed rule and decide whether to submit comments (especially on secondary market SAR exclusion and beneficial ownership scope)
  • Conduct a gap assessment against the four-pillar AML program requirements
  • Inventory your current OFAC screening coverage: where does screening happen, at what frequency, and does it cover the SDN list plus OFAC sector-specific lists?

By July 2026 (regulatory deadline):

  • Designate a U.S.-based BSA officer with formal authority and board-approved mandate
  • Draft written AML program documentation (policies, procedures, controls)
  • Evaluate your smart contract architecture for freeze/block/seize capability
  • Map beneficial ownership collection to your customer onboarding workflow

By October 2026 (before effective date):

  • Register with FinCEN for BSA E-Filing and test your SAR submission capability
  • Implement transaction monitoring controls with $5,000 SAR threshold logic
  • Stand up record-keeping for $3,000+ transfers
  • Complete your first independent AML program audit
  • Train all relevant employees with documented completion records

The FinCEN BSA enforcement action against Canaccord Genuity from earlier this year is a useful preview of what happens when broker-dealers run insufficient AML programs. For stablecoin issuers, the same control failures will produce the same outcomes — with a faster enforcement timeline given the elevated scrutiny the space is under.

One Line on Scope

FinCEN’s definition of “payment stablecoin issuer” is broader than it might look. If you issue a stablecoin redeemable for fiat, even if you primarily think of yourself as a DeFi protocol, a treasury management platform, or a corporate settlement rail — check whether your issuance structure qualifies you as a PPSI. The licensing requirement is self-triggering once you meet the statutory definition.

30/60/90 Day Checklist

This month:

  • Map your stablecoin issuance structure against GENIUS Act PPSI definition
  • Identify whether you need to file a comment by the 60-day deadline
  • Assess whether your smart contract has freeze/block/seize capability
  • Inventory OFAC screening coverage across primary and secondary market transactions

Next 60 days:

  • Draft or update written AML program documentation (four pillars)
  • Designate formal U.S.-based BSA officer
  • Implement customer identification and beneficial ownership procedures
  • Engage legal counsel on comment letter if applicable

By Q4 2026:

  • SAR filing capability live and tested with FinCEN BSA E-Filing
  • Transaction monitoring for $5,000+ SAR threshold
  • Record retention for $3,000+ transfers
  • Independent AML audit scheduled
  • Employee training program documented and completed

If you’re working through an RCSA for your compliance program — or building one for the first time — the RCSA Template maps control gaps to risk ratings and can anchor your AML build against the proposed rule’s four-pillar structure.



Frequently Asked Questions

What is the GENIUS Act and when did it become law?
The GENIUS Act (Guiding and Establishing National Innovation for U.S. Stablecoins) was signed into law by President Trump on July 18, 2025. It establishes the first federal regulatory framework for payment stablecoins, requiring issuers to obtain a license and comply with Bank Secrecy Act obligations.

Who must comply with FinCEN's stablecoin AML proposed rule?
The rule applies to permitted payment stablecoin issuers (PPSIs), which include federally chartered stablecoin issuers, bank subsidiaries issuing stablecoins, and state-licensed issuers that meet federal standards set under the GENIUS Act.

What SAR filing threshold applies to stablecoin issuers?
Under the proposed rule, PPSIs must file Suspicious Activity Reports (SARs) on transactions of $5,000 or more — the same threshold that applies to banks.

When do stablecoin issuers need to be compliant with GENIUS Act AML rules?
Compliance is required by the earlier of January 18, 2027 or 120 days after FinCEN finalizes implementing regulations. Regulators must issue final rules by July 18, 2026.

What are the penalties for stablecoin issuers that violate the AML or sanctions rules?
Sanctions violations carry penalties up to $100,000 per day for material violations, with an additional $100,000 per day for knowing violations. AML violations can result in up to $71,545 per day for willful violations, plus criminal penalties up to $250,000 and five years' imprisonment.

Is sanctions compliance required for secondary market stablecoin transactions?
Yes. Sanctions compliance — including the technical ability to block, freeze, and reject sanctioned transactions — applies to both primary and secondary market transactions. SAR obligations, however, were preliminarily excluded from secondary market transactions due to limited counterparty information available to issuers.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
