Feature Regulatory Compliance
GENIUS Act AML/CFT Compliance: Breaking Down the FinCEN and OFAC Rule That Drops July 18
The FinCEN/OFAC joint proposed rule for stablecoin issuers establishes a full BSA/AML compliance program requirement — SAR filing, CTR filing, CIP, CDD, and OFAC sanctions screening — with a technical wallet-blocking mandate that has no precedent in traditional financial services. Here's what Permitted Payment Stablecoin Issuers and their bank partners need to build.
Table of Contents
TL;DR
- The FinCEN/OFAC joint proposed rule (April 9, 2026) establishes a full BSA/AML compliance program requirement for Permitted Payment Stablecoin Issuers — SAR filing at a $5,000 threshold, CTRs at $10,000, CIP, CDD, and OFAC sanctions screening with technical wallet-blocking capability
- The July 18 deadline is when GENIUS Act implementing regulations are expected to be finalized; effective date is approximately 120 days after finalization, with enforcement beginning January 18, 2027
- The OFAC requirement is technically distinct from anything in traditional bank compliance — PPSIs need blockchain analytics tooling capable of blocking at the wallet level, not just screening names against a list
- Sponsor banks and PPSI custodians face their own compliance exposure: TPRM programs must assess PPSI partners’ AML programs as high-risk financial institution clients
The GENIUS Act’s AML/CFT requirements have been described as “applying bank-like AML rules to stablecoin issuers.” That framing understates both the complexity and the novel technical requirements involved.
The FinCEN/OFAC joint proposed rule published April 9, 2026 does apply the Bank Secrecy Act framework to Permitted Payment Stablecoin Issuers. But the OFAC component goes beyond anything in the existing bank compliance toolkit — requiring technical capability to block at the blockchain wallet level, not just screen names against a list. And the SAR threshold ($5,000) matches money services businesses rather than banks, creating a lower reporting bar than most compliance officers familiar with banking standards would expect.
Thirteen days from now, on July 18, the regulatory framework is expected to be finalized. PPSIs and their bank partners have roughly six months to build programs that have no precise precedent in traditional financial services. Here’s what the rule requires and what the compliance architecture needs to look like.
What the GENIUS Act Requires by July 18
The GENIUS Act (signed into law June 2026) established the legal framework for payment stablecoins. July 18 is the deadline for implementing regulators — OCC for federally chartered PPSIs, state banking authorities for state-chartered PPSIs, and the Federal Reserve for PPSI subsidiaries of depository institutions — to finalize implementing regulations.
The FinCEN/OFAC joint proposed rule is the AML and sanctions component of those implementing regulations. It was published April 9, 2026, with a 60-day comment period that closed June 9. Finalization is expected in conjunction with the July 18 deadline.
Compliance timeline:
- April 9, 2026: Proposed rule published in Federal Register
- June 9, 2026: Comment period closed
- ~July 18, 2026: Finalization expected
- ~November 18, 2026: Effective date (approximately 120 days post-finalization)
- January 18, 2027: Enforcement begins
Six months from enactment to enforcement sounds manageable. It isn’t, if you’re building a SAR filing infrastructure, wallet screening capability, and CIP procedures from scratch while also establishing the rest of a PPSI compliance program.
The GENIUS Act stablecoin compliance overview covers the broader regulatory framework; this post focuses on the AML/CFT and sanctions program requirements in the FinCEN/OFAC joint rule specifically.
The 4-Element AML Program Requirement
The proposed rule requires PPSIs to maintain an AML program with four elements — identical in structure to the requirement for money services businesses under 31 CFR 1022.210:
1. Policies, procedures, and internal controls. Written policies covering all aspects of BSA compliance: customer identification, transaction monitoring, SAR filing, CTR filing, recordkeeping, and OFAC screening. For most PPSIs, this is the starting point — existing compliance programs are typically focused on fraud or consumer protection, not regulatory AML compliance.
2. A designated Bank Secrecy Act compliance officer. A named individual responsible for day-to-day BSA/AML compliance with authority to implement the program and direct compliance resources. Stablecoin issuers that have treated AML as a product function rather than a compliance function will need to restructure.
3. Independent testing. Annual independent review of the AML program — by an internal audit function independent of BSA operations or by a qualified external party. The testing must evaluate all program elements, not just transaction monitoring outputs.
4. Ongoing training. BSA/AML training for all relevant personnel, documented and tracked. Annual training is typically the minimum standard, with role-specific training for higher-risk positions (BSO, customer onboarding, transaction monitoring analysts).
This four-element baseline is the floor. On top of it sit the specific transaction reporting, customer identification, and sanctions requirements.
SAR Filing: The $5,000 Threshold
The proposed rule sets the SAR filing threshold for PPSIs at $5,000 — the money services business threshold, not the $10,000 bank threshold. This distinction matters operationally: transaction monitoring must be calibrated to a lower threshold, and the SAR filing obligation covers a broader range of activity.
What triggers a SAR:
- A transaction involving $5,000 or more where the PPSI knows, suspects, or has reason to suspect that the transaction involves proceeds of criminal activity
- A transaction that involves known or suspected structuring to avoid reporting requirements
- A transaction that serves no apparent lawful purpose
What’s different about on-chain transactions: For traditional financial institutions, transaction monitoring analyzes transfers between customer accounts. For stablecoin issuers, the monitored activity is on-chain — blockchain transactions visible to all, but pseudonymous by default. Blockchain analytics tooling is required to make the activity interpretable for SAR purposes: linking wallet addresses to known entities, identifying transaction patterns, flagging mixers and obfuscation techniques, and identifying high-risk counterparties.
Filing mechanics: SARs must be filed within 30 days of identification, with a 60-day extension available when additional information is needed. Records must be retained for five years.
The BSA/AML KRI framework covers the monitoring metrics that drive SAR quality — the same metrics examiners review when evaluating whether a transaction monitoring program is catching what it should.
CTR Filing: $10,000 Threshold on On/Off Ramps
Currency Transaction Reports are required for cash-equivalent transactions exceeding $10,000. For stablecoin issuers, CTR filing applies to stablecoin issuances and redemptions — the points where dollars move in and out of the stablecoin — since those transactions involve actual dollar flows. On-chain wallet-to-wallet transfers don’t trigger CTRs in the same way.
What this means operationally:
- A customer depositing $12,000 to mint stablecoins triggers a CTR filing obligation
- A customer redeeming $15,000 of stablecoins for dollars triggers a CTR filing obligation
- Structuring to avoid CTR reporting (multiple transactions designed to stay below $10,000) must be identified and SAR-filed
CTR aggregation rules apply: transactions must be aggregated for the same customer on the same day, so multiple smaller transactions from the same customer that together exceed $10,000 trigger the same filing obligation as a single large transaction.
CIP and CDD: The Wallet Identity Problem
Customer Identification Program requirements under the proposed rule require PPSIs to verify customer identity before providing stablecoin services. For traditional financial institutions, CIP means verifying name, date of birth, address, and identification document for account holders.
For stablecoin issuers, CIP requirements apply at the on/off ramps — the points where dollars move in (minting) or out (redemption) of the stablecoin ecosystem. Wallet-to-wallet transfers between addresses don’t trigger CIP in the same way, because the PPSI typically isn’t a party to those transactions.
What CIP must cover:
- Identity verification for customers minting stablecoins (depositing funds)
- Identity verification for customers redeeming stablecoins (withdrawing dollars)
- Recordkeeping of identity information and verification methods, with five-year retention
- Procedures for customers who don’t provide required documentation (rejection and SAR as appropriate)
CDD requirements under the proposed rule require two of four elements:
- Understanding the nature and purpose of the customer relationship
- Customer risk rating based on anticipated activity
- Ongoing monitoring for changes in customer behavior
- Beneficial ownership identification for legal entity customers
The beneficial ownership component intersects with FinCEN’s existing CDD rule — PPSIs providing services to corporate customers must identify and verify beneficial owners consistent with FinCEN’s rule, which requires identification of natural persons owning 25% or more and a single controlling person.
The FinCEN CIP rule for stablecoin issuers covers the identity verification requirements in detail, including the documentation standards for digital identity verification methods.
OFAC Sanctions Compliance: The Technical Problem Nobody Is Talking About
The OFAC compliance requirement in the proposed rule is the most technically demanding piece — and the most unlike anything in traditional bank compliance.
What the rule requires: PPSIs must screen customers and transactions against OFAC’s Specially Designated Nationals (SDN) list and comply with geographic sanctions programs. Standard so far.
What’s not standard: the rule also requires that PPSIs have technical capability to block transactions involving addresses identified as belonging to sanctioned parties or sanctioned jurisdictions. This goes beyond name-screening. It requires:
1. Blockchain analytics integration. The ability to identify whether a wallet address is associated with a sanctioned entity or jurisdiction. OFAC maintains a list of sanctioned cryptocurrency addresses published on the SDN list with digital currency address identifiers, but attribution of additional addresses requires blockchain analytics tooling that can trace transaction history, identify clustering patterns, and flag indirect exposure.
2. Technical blocking capability. The ability to refuse a transaction at the protocol level when a sanctioned address is identified — not just flag it for manual review. For some stablecoin architectures, this requires smart contract-level controls. For others, gateway-level blocking at the on/off ramp. The rule doesn’t prescribe the technical mechanism; it requires the outcome.
3. Near-real-time address monitoring. Newly designated addresses appear on the SDN list without advance notice. PPSIs need processes to update blocked address lists promptly and screen against them. A compliance program that reviews the SDN list weekly is exposed to the gap between designation and implementation.
OFAC’s September 2021 guidance on virtual currency sanctions compliance established the baseline expectations; the proposed rule extends those expectations specifically to PPSIs. The guidance is explicit that pseudonymity of blockchain transactions is not an excuse for inadequate screening.
The implementation implication: building OFAC-compliant sanctions screening for a stablecoin issuer requires a blockchain analytics vendor relationship, not just a sanctions database subscription. The vendors that provide this capability — Chainalysis, Elliptic, TRM Labs — provide address attribution data and real-time SDN integration. Selecting, contracting, and integrating with one takes months.
What This Means for Sponsor Banks and PPSI Partners
Banks that provide services to PPSIs — as sponsor banks, custodians, or payment rails — face their own compliance exposure under the proposed rule and related guidance.
Third-party risk management implications: A PPSI is a high-risk financial institution client. Banks providing correspondent or custodial services to PPSIs should apply due diligence standards equivalent to those applied to money services business clients: AML program review, SAR filing performance assessment, ongoing monitoring for changes in the PPSI’s risk profile, and documented escalation procedures.
BSA officer responsibility: Banks bear AML risk from their PPSI relationships. A bank that provides services to a PPSI without assessing the PPSI’s AML program has failed to manage that relationship risk. The OCC and Federal Reserve have been explicit that the BSA officer is responsible for that assessment — not just the relationship manager.
What bank TPRM review of PPSIs should include:
- Request and review the PPSI’s written AML program documentation
- Confirm the PPSI has designated a BSO with appropriate authority
- Assess whether the PPSI has blockchain analytics tooling for OFAC compliance
- Review the PPSI’s SAR and CTR filing history and methodology (if available)
- Confirm CIP procedures cover on/off ramp transactions
- Include PPSI relationships in annual TPRM review cycles with enhanced scrutiny relative to standard vendor relationships
The Compliance Essentials bundle includes AML program templates, OFAC compliance documentation frameworks, and third-party AML due diligence checklists applicable to PPSI relationships — updated to reflect the April 2026 proposed rule requirements.
So What? Action Plan for PPSIs and Their Bank Partners
For PPSIs:
Step 1: Assess your current compliance program against the four-element AML requirement. Do you have written policies? A named BSO? Independent testing in the last 12 months? Training records? These are the baseline — anything missing needs to be built before November 2026.
Step 2: Implement blockchain analytics tooling. OFAC compliance for stablecoins requires more than downloading the SDN list. Identify a blockchain analytics vendor, confirm their attribution coverage for your chain, and validate near-real-time SDN address updates. This takes time to procure and integrate — start now.
Step 3: Build SAR and CTR filing procedures. The $5,000 SAR threshold is lower than most fintech compliance programs are calibrated for. Build transaction monitoring that identifies patterns triggering SAR obligations, and build CTR filing procedures for on/off ramp activity including aggregation across same-day transactions.
Step 4: Implement CIP for minting and redemption. Map your customer onboarding flow to identify where identity verification occurs and whether it meets BSA CIP standards. The gap is usually in digital identity verification methodology — not all KYC tools are designed to satisfy BSA CIP requirements specifically.
For bank partners of PPSIs:
Step 5: Treat PPSI AML due diligence as a high-risk TPRM requirement. Request AML program documentation from PPSI partners, review it against the four-element standard, and document the assessment. Include PPSI relationships in your TPRM review cycle with enhanced scrutiny. Don’t leave this to the relationship manager — it belongs on the BSA officer’s radar before the relationship starts.
The enforcement window opens January 18, 2027. Six months is enough time to build a functional AML compliance program for a stablecoin issuer — but only if the architecture decisions (blockchain analytics vendor, CIP methodology, SAR monitoring configuration) get made in the next 60 days, not the last 30 days before enforcement begins.
◆ Related template
Compliance Essentials
Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What AML requirements does the GENIUS Act impose on stablecoin issuers?
When do GENIUS Act AML requirements take effect?
What is a Permitted Payment Stablecoin Issuer (PPSI) under the GENIUS Act?
What is the SAR threshold for stablecoin transactions under the GENIUS Act?
How does OFAC compliance work for stablecoin issuers given the pseudonymous nature of blockchain?
What does the GENIUS Act mean for banks that partner with stablecoin issuers?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Compliance Essentials
Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.
◆ Keep reading
Related posts.
Regulatory Compliance
The Fed's Payment Account Proposal: What Fintechs and Digital Asset Firms Need to Know Before the July 27 Comment Deadline
The Federal Reserve proposed a special-purpose Payment Account in May 2026, offering eligible fintechs direct access to Fedwire Funds and FedNow without a bank charter. The comment period closes July 27. Here's who qualifies, what compliance the Fed requires, and why your institution should care even if you're not applying yet.
Jul 7, 2026
Regulatory Compliance
SEC Cyber Disclosure Rule: What 2.5 Years of Form 8-K Filings Reveal About Your Response Program Gaps
The SEC's 4-business-day cyber incident disclosure rule has 2.5 years of enforcement history. Here's what the filings and enforcement actions reveal about common materiality determination failures — and how to build a decision protocol that survives SEC scrutiny in 2026.
Jul 5, 2026
Regulatory Compliance
15 Days Until the GENIUS Act Regulatory Deadline: What Stablecoin Issuers Need Before July 18
Six federal agencies must finalize GENIUS Act implementing regulations by July 18, 2026. Here's what the OCC capital floor, FinCEN CIP rules, and the compliance timeline mean for stablecoin issuers right now.
Jul 2, 2026