Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Regulatory Compliance

GENIUS Act AML/CFT Compliance: Breaking Down the FinCEN and OFAC Rule That Drops July 18

The FinCEN/OFAC joint proposed rule for stablecoin issuers establishes a full BSA/AML compliance program requirement — SAR filing, CTR filing, CIP, CDD, and OFAC sanctions screening — with a technical wallet-blocking mandate that has no precedent in traditional financial services. Here's what Permitted Payment Stablecoin Issuers and their bank partners need to build.

By Rebecca Leung · July 4, 2026 ·
Table of Contents

TL;DR

  • The FinCEN/OFAC joint proposed rule (April 9, 2026) establishes a full BSA/AML compliance program requirement for Permitted Payment Stablecoin Issuers — SAR filing at a $5,000 threshold, CTRs at $10,000, CIP, CDD, and OFAC sanctions screening with technical wallet-blocking capability
  • The July 18 deadline is when GENIUS Act implementing regulations are expected to be finalized; effective date is approximately 120 days after finalization, with enforcement beginning January 18, 2027
  • The OFAC requirement is technically distinct from anything in traditional bank compliance — PPSIs need blockchain analytics tooling capable of blocking at the wallet level, not just screening names against a list
  • Sponsor banks and PPSI custodians face their own compliance exposure: TPRM programs must assess PPSI partners’ AML programs as high-risk financial institution clients

The GENIUS Act’s AML/CFT requirements have been described as “applying bank-like AML rules to stablecoin issuers.” That framing understates both the complexity and the novel technical requirements involved.

The FinCEN/OFAC joint proposed rule published April 9, 2026 does apply the Bank Secrecy Act framework to Permitted Payment Stablecoin Issuers. But the OFAC component goes beyond anything in the existing bank compliance toolkit — requiring technical capability to block at the blockchain wallet level, not just screen names against a list. And the SAR threshold ($5,000) matches money services businesses rather than banks, creating a lower reporting bar than most compliance officers familiar with banking standards would expect.

Thirteen days from now, on July 18, the regulatory framework is expected to be finalized. PPSIs and their bank partners have roughly six months to build programs that have no precise precedent in traditional financial services. Here’s what the rule requires and what the compliance architecture needs to look like.


What the GENIUS Act Requires by July 18

The GENIUS Act (signed into law June 2026) established the legal framework for payment stablecoins. July 18 is the deadline for implementing regulators — OCC for federally chartered PPSIs, state banking authorities for state-chartered PPSIs, and the Federal Reserve for PPSI subsidiaries of depository institutions — to finalize implementing regulations.

The FinCEN/OFAC joint proposed rule is the AML and sanctions component of those implementing regulations. It was published April 9, 2026, with a 60-day comment period that closed June 9. Finalization is expected in conjunction with the July 18 deadline.

Compliance timeline:

  • April 9, 2026: Proposed rule published in Federal Register
  • June 9, 2026: Comment period closed
  • ~July 18, 2026: Finalization expected
  • ~November 18, 2026: Effective date (approximately 120 days post-finalization)
  • January 18, 2027: Enforcement begins

Six months from enactment to enforcement sounds manageable. It isn’t, if you’re building a SAR filing infrastructure, wallet screening capability, and CIP procedures from scratch while also establishing the rest of a PPSI compliance program.

The GENIUS Act stablecoin compliance overview covers the broader regulatory framework; this post focuses on the AML/CFT and sanctions program requirements in the FinCEN/OFAC joint rule specifically.


The 4-Element AML Program Requirement

The proposed rule requires PPSIs to maintain an AML program with four elements — identical in structure to the requirement for money services businesses under 31 CFR 1022.210:

1. Policies, procedures, and internal controls. Written policies covering all aspects of BSA compliance: customer identification, transaction monitoring, SAR filing, CTR filing, recordkeeping, and OFAC screening. For most PPSIs, this is the starting point — existing compliance programs are typically focused on fraud or consumer protection, not regulatory AML compliance.

2. A designated Bank Secrecy Act compliance officer. A named individual responsible for day-to-day BSA/AML compliance with authority to implement the program and direct compliance resources. Stablecoin issuers that have treated AML as a product function rather than a compliance function will need to restructure.

3. Independent testing. Annual independent review of the AML program — by an internal audit function independent of BSA operations or by a qualified external party. The testing must evaluate all program elements, not just transaction monitoring outputs.

4. Ongoing training. BSA/AML training for all relevant personnel, documented and tracked. Annual training is typically the minimum standard, with role-specific training for higher-risk positions (BSO, customer onboarding, transaction monitoring analysts).

This four-element baseline is the floor. On top of it sit the specific transaction reporting, customer identification, and sanctions requirements.


SAR Filing: The $5,000 Threshold

The proposed rule sets the SAR filing threshold for PPSIs at $5,000 — the money services business threshold, not the $10,000 bank threshold. This distinction matters operationally: transaction monitoring must be calibrated to a lower threshold, and the SAR filing obligation covers a broader range of activity.

What triggers a SAR:

  • A transaction involving $5,000 or more where the PPSI knows, suspects, or has reason to suspect that the transaction involves proceeds of criminal activity
  • A transaction that involves known or suspected structuring to avoid reporting requirements
  • A transaction that serves no apparent lawful purpose

What’s different about on-chain transactions: For traditional financial institutions, transaction monitoring analyzes transfers between customer accounts. For stablecoin issuers, the monitored activity is on-chain — blockchain transactions visible to all, but pseudonymous by default. Blockchain analytics tooling is required to make the activity interpretable for SAR purposes: linking wallet addresses to known entities, identifying transaction patterns, flagging mixers and obfuscation techniques, and identifying high-risk counterparties.

Filing mechanics: SARs must be filed within 30 days of identification, with a 60-day extension available when additional information is needed. Records must be retained for five years.

The BSA/AML KRI framework covers the monitoring metrics that drive SAR quality — the same metrics examiners review when evaluating whether a transaction monitoring program is catching what it should.


CTR Filing: $10,000 Threshold on On/Off Ramps

Currency Transaction Reports are required for cash-equivalent transactions exceeding $10,000. For stablecoin issuers, CTR filing applies to stablecoin issuances and redemptions — the points where dollars move in and out of the stablecoin — since those transactions involve actual dollar flows. On-chain wallet-to-wallet transfers don’t trigger CTRs in the same way.

What this means operationally:

  • A customer depositing $12,000 to mint stablecoins triggers a CTR filing obligation
  • A customer redeeming $15,000 of stablecoins for dollars triggers a CTR filing obligation
  • Structuring to avoid CTR reporting (multiple transactions designed to stay below $10,000) must be identified and SAR-filed

CTR aggregation rules apply: transactions must be aggregated for the same customer on the same day, so multiple smaller transactions from the same customer that together exceed $10,000 trigger the same filing obligation as a single large transaction.


CIP and CDD: The Wallet Identity Problem

Customer Identification Program requirements under the proposed rule require PPSIs to verify customer identity before providing stablecoin services. For traditional financial institutions, CIP means verifying name, date of birth, address, and identification document for account holders.

For stablecoin issuers, CIP requirements apply at the on/off ramps — the points where dollars move in (minting) or out (redemption) of the stablecoin ecosystem. Wallet-to-wallet transfers between addresses don’t trigger CIP in the same way, because the PPSI typically isn’t a party to those transactions.

What CIP must cover:

  • Identity verification for customers minting stablecoins (depositing funds)
  • Identity verification for customers redeeming stablecoins (withdrawing dollars)
  • Recordkeeping of identity information and verification methods, with five-year retention
  • Procedures for customers who don’t provide required documentation (rejection and SAR as appropriate)

CDD requirements under the proposed rule require two of four elements:

  1. Understanding the nature and purpose of the customer relationship
  2. Customer risk rating based on anticipated activity
  3. Ongoing monitoring for changes in customer behavior
  4. Beneficial ownership identification for legal entity customers

The beneficial ownership component intersects with FinCEN’s existing CDD rule — PPSIs providing services to corporate customers must identify and verify beneficial owners consistent with FinCEN’s rule, which requires identification of natural persons owning 25% or more and a single controlling person.

The FinCEN CIP rule for stablecoin issuers covers the identity verification requirements in detail, including the documentation standards for digital identity verification methods.


OFAC Sanctions Compliance: The Technical Problem Nobody Is Talking About

The OFAC compliance requirement in the proposed rule is the most technically demanding piece — and the most unlike anything in traditional bank compliance.

What the rule requires: PPSIs must screen customers and transactions against OFAC’s Specially Designated Nationals (SDN) list and comply with geographic sanctions programs. Standard so far.

What’s not standard: the rule also requires that PPSIs have technical capability to block transactions involving addresses identified as belonging to sanctioned parties or sanctioned jurisdictions. This goes beyond name-screening. It requires:

1. Blockchain analytics integration. The ability to identify whether a wallet address is associated with a sanctioned entity or jurisdiction. OFAC maintains a list of sanctioned cryptocurrency addresses published on the SDN list with digital currency address identifiers, but attribution of additional addresses requires blockchain analytics tooling that can trace transaction history, identify clustering patterns, and flag indirect exposure.

2. Technical blocking capability. The ability to refuse a transaction at the protocol level when a sanctioned address is identified — not just flag it for manual review. For some stablecoin architectures, this requires smart contract-level controls. For others, gateway-level blocking at the on/off ramp. The rule doesn’t prescribe the technical mechanism; it requires the outcome.

3. Near-real-time address monitoring. Newly designated addresses appear on the SDN list without advance notice. PPSIs need processes to update blocked address lists promptly and screen against them. A compliance program that reviews the SDN list weekly is exposed to the gap between designation and implementation.

OFAC’s September 2021 guidance on virtual currency sanctions compliance established the baseline expectations; the proposed rule extends those expectations specifically to PPSIs. The guidance is explicit that pseudonymity of blockchain transactions is not an excuse for inadequate screening.

The implementation implication: building OFAC-compliant sanctions screening for a stablecoin issuer requires a blockchain analytics vendor relationship, not just a sanctions database subscription. The vendors that provide this capability — Chainalysis, Elliptic, TRM Labs — provide address attribution data and real-time SDN integration. Selecting, contracting, and integrating with one takes months.


What This Means for Sponsor Banks and PPSI Partners

Banks that provide services to PPSIs — as sponsor banks, custodians, or payment rails — face their own compliance exposure under the proposed rule and related guidance.

Third-party risk management implications: A PPSI is a high-risk financial institution client. Banks providing correspondent or custodial services to PPSIs should apply due diligence standards equivalent to those applied to money services business clients: AML program review, SAR filing performance assessment, ongoing monitoring for changes in the PPSI’s risk profile, and documented escalation procedures.

BSA officer responsibility: Banks bear AML risk from their PPSI relationships. A bank that provides services to a PPSI without assessing the PPSI’s AML program has failed to manage that relationship risk. The OCC and Federal Reserve have been explicit that the BSA officer is responsible for that assessment — not just the relationship manager.

What bank TPRM review of PPSIs should include:

  • Request and review the PPSI’s written AML program documentation
  • Confirm the PPSI has designated a BSO with appropriate authority
  • Assess whether the PPSI has blockchain analytics tooling for OFAC compliance
  • Review the PPSI’s SAR and CTR filing history and methodology (if available)
  • Confirm CIP procedures cover on/off ramp transactions
  • Include PPSI relationships in annual TPRM review cycles with enhanced scrutiny relative to standard vendor relationships

The Compliance Essentials bundle includes AML program templates, OFAC compliance documentation frameworks, and third-party AML due diligence checklists applicable to PPSI relationships — updated to reflect the April 2026 proposed rule requirements.


So What? Action Plan for PPSIs and Their Bank Partners

For PPSIs:

Step 1: Assess your current compliance program against the four-element AML requirement. Do you have written policies? A named BSO? Independent testing in the last 12 months? Training records? These are the baseline — anything missing needs to be built before November 2026.

Step 2: Implement blockchain analytics tooling. OFAC compliance for stablecoins requires more than downloading the SDN list. Identify a blockchain analytics vendor, confirm their attribution coverage for your chain, and validate near-real-time SDN address updates. This takes time to procure and integrate — start now.

Step 3: Build SAR and CTR filing procedures. The $5,000 SAR threshold is lower than most fintech compliance programs are calibrated for. Build transaction monitoring that identifies patterns triggering SAR obligations, and build CTR filing procedures for on/off ramp activity including aggregation across same-day transactions.

Step 4: Implement CIP for minting and redemption. Map your customer onboarding flow to identify where identity verification occurs and whether it meets BSA CIP standards. The gap is usually in digital identity verification methodology — not all KYC tools are designed to satisfy BSA CIP requirements specifically.

For bank partners of PPSIs:

Step 5: Treat PPSI AML due diligence as a high-risk TPRM requirement. Request AML program documentation from PPSI partners, review it against the four-element standard, and document the assessment. Include PPSI relationships in your TPRM review cycle with enhanced scrutiny. Don’t leave this to the relationship manager — it belongs on the BSA officer’s radar before the relationship starts.

The enforcement window opens January 18, 2027. Six months is enough time to build a functional AML compliance program for a stablecoin issuer — but only if the architecture decisions (blockchain analytics vendor, CIP methodology, SAR monitoring configuration) get made in the next 60 days, not the last 30 days before enforcement begins.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What AML requirements does the GENIUS Act impose on stablecoin issuers?
The GENIUS Act, combined with the April 2026 FinCEN/OFAC joint proposed rule, requires Permitted Payment Stablecoin Issuers (PPSIs) to implement a full BSA/AML compliance program: written policies and procedures, a designated Bank Secrecy Act officer, independent testing, and an ongoing training program. PPSIs must also file SARs (threshold: $5,000, matching money services business standards), file CTRs for transactions over $10,000, maintain Customer Identification Programs, conduct Customer Due Diligence, and maintain an OFAC sanctions compliance program with technical capability to block transactions involving sanctioned addresses.
When do GENIUS Act AML requirements take effect?
The GENIUS Act was enacted in June 2026. The FinCEN/OFAC proposed rule was published April 9, 2026, with a comment period that closed June 9. The rule is expected to be finalized around the July 18 regulatory deadline. If finalized on or near that date, the effective date would be approximately 120 days later — around mid-November 2026 — with enforcement beginning January 18, 2027.
What is a Permitted Payment Stablecoin Issuer (PPSI) under the GENIUS Act?
A PPSI is an entity authorized to issue payment stablecoins under the GENIUS Act's regulatory framework. PPSIs can be federally chartered (OCC-regulated), state-chartered (regulated by state banking authorities), or subsidiaries of insured depository institutions. Each category has a different primary regulator, but all PPSIs are subject to the FinCEN/OFAC AML and sanctions compliance requirements in the joint proposed rule.
What is the SAR threshold for stablecoin transactions under the GENIUS Act?
The April 2026 FinCEN/OFAC proposed rule sets the SAR filing threshold for PPSIs at $5,000 — the same threshold applied to money services businesses. This is lower than the $10,000 threshold applicable to banks and credit unions. A transaction or pattern of transactions involving $5,000 or more that involves known or suspected criminal activity, or where there is no reasonable lawful explanation, triggers a SAR filing obligation for a PPSI.
How does OFAC compliance work for stablecoin issuers given the pseudonymous nature of blockchain?
OFAC compliance for PPSIs requires both traditional name-screening against the SDN list and technical wallet-level blocking capability. The proposed rule requires that PPSIs be able to technically block or freeze transactions involving addresses identified as belonging to sanctioned parties or jurisdictions. This requires blockchain analytics tooling — not just name-screening — with near-real-time updates as OFAC adds new designated addresses.
What does the GENIUS Act mean for banks that partner with stablecoin issuers?
Banks providing services to PPSIs — as sponsor banks, custodians, or payment rails — face their own compliance exposure. Their third-party risk management programs must assess PPSI partners' AML program compliance, treating them as high-risk financial institution clients. The OCC and Federal Reserve have signaled that sponsor banks bear BSA/AML risk from their PPSI relationships, and the BSA officer is responsible for ensuring that risk is assessed and documented.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Compliance Essentials

Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.