On April 8, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and the Office of Foreign Assets Control (“OFAC”) jointly issued a notice of proposed rulemaking (“NPR”) to address anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) and sanctions-compliance requirements for permitted payment stablecoin issuers (“PPSIs”) under the Guiding and Establishing National Innovation for U.S. Stablecoins or GENIUS Act.[1] This NPR is part of the broader rulemaking effort to implement the GENIUS Act, which was enacted in July 2025 to establish a federal regulatory framework for payment stablecoins and their issuers.
Comments on the NPR are due by June 9, 2026.
Overview
The NPR would provide important clarity regarding AML/CFT and sanctions-compliance obligations applicable to PPSIs. In addition to implementing express provisions of the GENIUS Act—such as updating FinCEN’s definition of “financial institution” to include PPSIs—the NPR also would address important areas of uncertainty under the GENIUS Act and with respect to AML and sanctions-compliance matters in the digital asset space more broadly. Notably, the NPR would establish a distinction between primary- and secondary-market payment stablecoin transactions and delineate the compliance obligations of PPSIs with regard to transactions occurring in the secondary market. More broadly, the NPR seeks to balance the burdens of compliance against anticipated financial-crime reduction, consistent with the administration’s efforts to recalibrate financial crime compliance frameworks to promote a risk-based approach focused on core policy goals rather than mere technical compliance.
Analysis
Primary Market v. Secondary Market
The NPR would define “primary market” and “secondary market” payment stablecoin activities and clarify the AML/CFT and sanctions-compliance obligations applicable to PPSIs with respect to each type of activity.
- Primary Market. FinCEN and OFAC would define “primary market” activities to include a “PPSI interacting directly with the user or holder of a payment stablecoin.”[2] For example, a PPSI that is “issuing, converting, redeeming, repurchasing, burning, and reissuing” would be engaged in primary-market transactions.
- Secondary Market. In contrast, “secondary market” activities would describe “any payment stablecoin activity that does not directly involve the PPSI as a party to the transaction, other than via a smart contract.”[3] Activities such as an individual purchasing stablecoins from an intermediary or engaging in person-to-person transactions in payment stablecoins would be considered secondary-market activity.
FinCEN and OFAC propose that certain requirements to which financial institutions are customarily subject would be required of PPSIs only when engaged in primary-market activity. These would include complying with Customer Due Diligence (“CDD”) requirements; reporting beneficial ownership information to FinCEN; and filing suspicious activity reports (“SARs”).[4]
Notably, however, the NPR would provide that a PPSI’s obligation “to block, freeze, and reject” certain transactions “extends beyond a PPSI’s customers and accounts, i.e. to secondary market activity.”[5] The GENIUS Act requires that PPSIs have the “technical capabilities, policies, and procedures to block, freeze, and reject specific or impermissible transactions that violate Federal or State laws, rules, or regulations.”[6] The Act also requires that PPSIs have the “technological capability to comply . . . with the terms of any lawful order.” The NPR would establish the contours of both (1) a PPSI’s obligations to “block, freeze, and reject” transactions effected on primary and secondary markets; and (2) the meaning of the term “lawful order,” which includes various legal actions that “require[] a person to seize, freeze, burn, or prevent the transfer of payment stablecoins issued by the person.” In justifying the extension of certain of these PPSI obligations to cover transactions that occur in the secondary market, the NPR sets out its reasons for concluding that these obligations would have limited effectiveness if they were to apply only to primary market transactions.[7]
- Obligation to “block, freeze, and reject” transactions. The NPR would require PPSIs to have the technology necessary to block, freeze and reject transactions on both the primary and secondary markets involving payment stablecoins they issue.[8] The NPR describes that some stablecoin issuers already implement these capabilities through the programming of smart contracts. However, the NPR would not prescribe how PPSIs must satisfy the obligation to “block, freeze, and reject.” Rather, it recognizes that “PPSIs are best positioned to determine how to effectively and efficiently comply with the obligation.” The NPR explains that the actual circumstances in which these “technological capabilities” will be deployed will be dictated by “federal or state laws, rules, or regulations, as well as court orders, some of which will require PPSIs to take action with regards to transactions occurring on the secondary market.”[9] Nonetheless, FinCEN and OFAC describe the obligation of PPSIs to block, freeze and reject transactions as applying principally in the context of economic sanctions administered by OFAC.
- “Lawful order.” The NPR’s definition of “lawful order” would be nearly identical to the definition provided in the GENIUS Act itself.[10] Nonetheless, FinCEN and OFAC’s discussion of the term would clarify compliance obligations for PPSIs. First, PPSIs would be expected to take action to comply with lawful orders pertaining to both primary- and secondary-market activities involving payment stablecoins they issue. Second, although the NPR would not define the term “burn” (an action that could be required under the terms of a “lawful order”), the NPR explains that the term “is generally understood in the industry and by law enforcement to mean taking action such that the payment stablecoin is permanently removed from circulation, which can be effected through different tactics.” Third, the NPR notes that a “quintessential type of lawful order . . . would be a seizure warrant.” Such warrants “frequently include requirements to respond within a certain amount of time and prohibitions on frustrating the[ir] implementation.”[11]
Of note, the NPR states that “most of the illicit activity involving stablecoins occurs on the secondary market,” and that extending the obligations of PPSIs to address secondary-market activity “is consistent with the GENIUS Act.”[12] Although the NPR is subject to comments, the proposed requirement that PPSIs must meet compliance obligations in relation to secondary market transactions addresses a key outstanding point of uncertainty that had existed regarding the GENIUS Act’s implementation.[13]
Sanctions-Compliance Requirements in Secondary-Market Transactions
Among the most noteworthy aspects of the NPR are the sanctions-compliance obligations that would be imposed on PPSIs with regard to secondary-market transactions involving payment stablecoins that they issue. The NPR would confirm that because PPSIs must be U.S. persons under the GENIUS Act (i.e., they must be legal entities “formed in the United States”[14]), they will be “subject to the same U.S. sanctions obligations that currently apply to all other U.S. persons, including those that are stablecoin issuers.”[15] The NPR further specifies that:
[A] U.S. person stablecoin issuer would engage in a prohibited provision of services to a blocked person if it allowed the blocked person to engage with the stablecoin issuer’s smart contract to facilitate trades of stablecoins on the secondary market. In this instance, the stablecoin issuer would also be required to block such stablecoins because the blocked person has an interest in the stablecoins, which the issuer controls via its smart contract.[16]
This explanation clarifies that according to the terms of the NPR a PPSI would “control” a stablecoin in the secondary market through its smart contract.
The NPR also describes, with respect to a PPSI’s obligations to “block, freeze, and reject” transactions, that PPSIs would be subject to sanctions-compliance requirements for both primary- and secondary-market transactions. The NPR notes that U.S. sanctions are a strict-liability regime, such that PPSIs may be held civilly liable for violations “even without having knowledge or reason to know that it was engaging in such a violation.”[17] It then says that PPSIs would be required:
to have technical capabilities, policies, and procedures to identify and block stablecoins traded by blocked persons on the secondary market when PPSIs exercise possession or control of such stablecoins, including through smart contracts.[18]
When coupled with earlier references to strict liability, the phrase “traded by blocked persons” could be read to suggest that PPSIs would be expected to screen both primary- and secondary-market transactions involving their payment stablecoins not only for wallets and accounts already included on OFAC’s SDN List, but also for whether the persons engaging in the transactions are themselves blocked or otherwise targets of sanctions. However, it is not clear the extent to which PPSIs would be able to identify whether a transaction involves a sanctioned party if the relevant wallet addresses are not listed on OFAC’s SDN List, and if the addresses otherwise are not known to the PPSI (e.g., because they are wallet addresses associated with existing customers of the PPSI). Nonetheless, the reference to “control . . . through smart contracts” again indicates that PPSIs would be considered to “control” stablecoins they issue, including when they are transferred and held on the secondary market, including by persons that are not customers of a PPSI.
The GENIUS Act itself does not address the extent to which PPSIs must comply with U.S. sanctions in respect of secondary-market transactions. The NPR would resolve this uncertainty by providing that (1) PPSIs would be responsible for both identifying and taking appropriate action in instances in which sanctioned persons hold or trade their stablecoins, and (2) failing to take appropriate action could expose PPSIs to the risk of criminal penalties and civil penalties imposed on a strict-liability basis.[19]
Anti-Money Laundering Obligations
As noted above, the NPR would define PPSIs as a type of financial institution subject to regulation under the Bank Secrecy Act (“BSA”), as required in the GENIUS Act. The NPR would set out AML program requirements for PPSIs, and the NPR describes that FinCEN “proposes to impose on PPSIs an AML/CFT program obligation consistent with the program being proposed” for financial institutions currently covered by the BSA. This statement references FinCEN’s separate notice of proposed rulemaking issued on April 7, 2026 (the “Program Rule”). The Program Rule proposes to recalibrate AML/CFT program requirements to provide financial institutions with greater flexibility to allocate compliance resources towards higher-risk activities and away from lower-risk activities. Similarly, the Program Rule proposes to reduce the impact on financial institutions of overly burdensome “red tape” by de-emphasizing policing of minor program deficiencies. The overall principles reflected in the Program Rule are reiterated in the NPR’s discussion of AML program requirements for PPSIs. The NPR would encourage PPSIs to direct “more attention and resources toward higher-risk customers…rather than lower-risk customers and activities.”[20] Both the NPR and the Program Rule signal a shift in FinCEN priorities away from a mere “check-the-box” compliance approach toward programs that support the underlying goals of the BSA.
Against this backdrop, the NPR outlines expectations for PPSI compliance with certain key BSA obligations, including:
- Customer Due Diligence Requirements. PPSIs would be required to undertake CDD for primary-market activity as a part of their AML/CFT compliance programs.[21] PPSIs would need to establish “appropriate risk-based procedures” to “understand[] the nature and purpose of customer relationships for developing a customer risk profile” and conduct “ongoing monitoring to identify and report suspicious transactions.”[22] The NPR explains that “PPSIs may also need to consider information more narrowly tailored to the stablecoin market, including both information available from public blockchains and relevant off-chain considerations.”[23] The NPR would “not contempla[te] application of CDD to secondary market activity”[24]—and would not “impose a standalone independent obligation on a PPSI to monitor secondary market transactions.” Nonetheless, FinCEN notes that “consideration of such activity may be appropriate in the PPSI’s development and maintenance of a customer risk profile.”[25]
- Beneficial Ownership Information Reporting. The NPR would subject PPSIs to the same identity verification procedures for beneficial owners of legal entity customers as apply to banks. FinCEN describes that, for the purposes of the requirement, an “account” would be any formal relationship between a customer and a PPSI for the provision of financial services.[26] As with CDD, this requirement would not extend to secondary-market activity.[27]
- Suspicious Activity Report Filing. The NPR includes a lengthy discussion of whether SAR reporting should be required for secondary-market activities involving payment stablecoins. Ultimately FinCEN assessed that “the burden of requiring PPSIs to file SARs concerning secondary market activity would potentially outweigh the likely benefits.”[28] Instead PPSIs would be required to file SARs only on primary-market transactions. Outside of the context of payment stablecoins, financial institutions are generally required to file SARs on transactions conducted or attempted “by, at, or through” the institution. To make clear that PPSIs are not required to file SARs for secondary-market transactions, the NPR would specify that, for the purposes of SAR filing, a transfer is not a “transaction” through a PPSI if the PPSI is only interacting with the transaction through a smart contract.[29]
FinCEN invites comments with respect to these provisions, with a particular focus on whether they strike the appropriate balance between addressing financial crime risks and minimizing burdens, while tailoring requirements to the “size and complexity” of issuers.[30] In addition (and consistent with similar guidance outlined in the April 7, 2026 Program Rule proposal), the NPR would establish that FinCEN would be unlikely to pursue an enforcement action against a PPSI for AML/CFT program violations unless there is evidence of a “significant or systemic failure” to implement a functioning AML program.[31] Moreover, FinCEN would require other federal agencies contemplating pursuing AML/CFT supervisory action against a PPSI to consult with FinCEN before initiating any action.[32]
Sanctions-Compliance Program Requirements
The GENIUS Act represents the first time any U.S. person will be required in regulation to establish and maintain a sanctions-compliance program.[33] In general, U.S. persons must comply with OFAC’s sanctions regime, but OFAC’s regulations have not historically specified how they must do so—that is, U.S. persons may be penalized on a strict-liability basis for substantive violations of OFAC sanctions, but not for failing to maintain a sanctions-compliance program. In establishing the new legal requirement for PPSIs, the NPR utilizes and builds on concepts in prior OFAC guidance, including A Framework for OFAC Compliance Commitments (2019), Sanctions-Compliance Guidance for the Virtual Currency Industry (2021), and certain previously issued FAQs. Under the proposal contained in the NPR, OFAC would establish not only recordkeeping and reporting requirements to align with a PPSI’s status as a U.S. person, but also five general pillars of an effective sanctions-compliance program. These pillars are based on the 2019 Framework and include the following: (1) senior management and organizational commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.[34]
OFAC would mandate these five elements as part of an effective program, but would refrain from imposing specific guidelines or requirements as to how these elements should be implemented in order to allow for compliance programs to be tailored to the size and complexity of each PPSI.[35] The NPR describes that penalties for sanctions violations would be consistent with those described by both the GENIUS Act and IEEPA. Accordingly, PPSIs that fail to maintain an effective sanctions-compliance program could be subject to “civil monetary penalties of no more than $100,000 per day where the PPSI knowingly violates the requirement to maintain an effective compliance program.”[36]
Comments and Effective Date
FinCEN and OFAC request comments on the NPR, with comments due by June 9, 2026. FinCEN and OFAC have identified several areas with respect to which they solicit particular focus by commenters, including the extent to which a PPSI’s AML program should account for risks in the secondary market.[37]
The NPR describes that the final rules will become effective 12 months after issuance. The GENIUS Act, including its financial crimes-related provisions, will take effect on the earlier of 18 months from enactment (i.e., January 18, 2027) and 120 days after the date on which the primary federal payment stablecoin regulators issue any final regulations implementing the statute.[38]
ENDNOTES
[1] Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions-Compliance Program Requirements, 91 Fed. Reg. at 18,582 (Apr. 10, 2026).
[2] 91 Fed. Reg. at 18,585.
[3] Id.
[4] Note, the NPR’s expectations with regard to these obligations are discussed in greater detail below.
[5] 91 Fed. Reg. at 18,604.
[6] 12 U.S.C. § 5903(a)(6).
[7] The NPR includes a lengthy recitation of financial crime associated with stablecoins, focusing especially on secondary-market activity. See 91 Fed. Reg. 18,586-18,588.
[8] FinCEN does not draw any distinction between “block,” “freeze” and “reject” but is requesting comment on whether additional clarity is needed. See 98 Fed. Reg. at 18,621.
[9] 91 Fed. Reg. at 18,605.
[10] The NPR would replace references to “a person” with the definition of that term in the GENIUS Act (i.e., “an individual, partnership, company, corporation, association, trust, estate, cooperative organization, or other business entity, incorporated or unincorporated”). See 12 U.S.C. § 15901(24).
[11] 91 Fed. Reg. at 18,605.
[12] Id.
[13] The NPR addresses requirements for PPSIs and does not address foreign payment stablecoin issuers (“FPSIs”)—a separate category of stablecoin issuers contemplated by the GENIUS Act. The GENIUS Act indicates that an FPSI must have the “technological capability to comply . . . with the terms of any lawful order,” among other requirements. 12 U.S.C. § 5902(b)(2), 5907(a). In the NPR, FinCEN asks: “Are there particular requirements that FinCEN has proposed to apply to PPSIs that should or should not apply to foreign payment stablecoin issuers?”
[14] 12 U.S.C. § 5901(23).
[15] 91 Fed. Reg. at 18,588.
[16] 91 Fed. Reg. at 18,589.
[17] 91 Fed. Reg. at 18,605.
[18] Id.
[19] The NPR contains extensive discussion of financial crime associated with stablecoins, including several examples of sanctions evasion, which can be found at 91 Fed. Reg. at 18,588.
[20] 91 Fed. Reg. at 18,597.
[21] See 91 Fed. Reg. at 18,604.
[22] 91 Fed. Reg. at 18,600.
[23] 91 Fed. Reg. at 18,601.
[24] 91 Fed. Reg. at 18,604.
[25] 91 Fed. Reg. at 18,601.
[26] 91 Fed. Reg. at 18,604.
[27] Note, the NPR states that “FinCEN anticipates further modifications to its proposed language based on its expected forthcoming rulemaking implementing the GENIUS Act’s requirement that PPSIs maintain customer identification programs.” Id.
[28] 91 Fed. Reg. at 18,607.
[29] 91 Fed. Reg. at 18,608. The NPR would require SAR filing for transactions above $5,000 in funds or other assets. Id. This increases the $2,000 threshold currently applicable to stablecoin issuers that are “money services businesses” under FinCEN’s regulations, based on FinCEN’s assessment that primary stablecoin market transactions are rarely below $5,000. Id.
[30] Tailoring AML/CFT and sanctions-compliance requirements to the “size and complexity” of PPSIs is required under the GENIUS Act. 12 U.S.C. § 5903(a)(5)(B).
[31] 91 Fed. Reg. at 18,604. Note that this change applies only for program violations and might not indicate an adjustment of enforcement priorities for other violations of AML policy.
[32] The NPR proposes that federally regulated PPSIs will be examined with respect to compliance with the BSA and its implementing regulations by a primary Federal payment stablecoin regulator and that PPSIs subject to a state regulatory regime would be subject to such examination by the Internal Revenue Service. See 91 Fed. Reg. at 18,596.
[33] 91 Fed. Reg. at 18,613 (“The sanctions-compliance program requirement in the GENIUS Act, however, represents the first time that Federal law has explicitly mandated that a particular U.S. person have an effective sanctions-compliance program”); see 12 U.S.C. § 5903(a)(5)(A)(vi).
[34] 91 Fed. Reg. at 18,615.
[35] 91 Fed. Reg. at 18,614.
[36] The NPR defines “knowingly” to mean “that a person has actual knowledge, or should have known, of the conduct, the circumstance, or the result.” 91 Fed. Reg. at 18,619.
[37] 91 Fed. Reg. at 18,620.
[38] 12 U.S.C. § 5901 note.
This post is based on a Sullivan & Cromwell LLP memorandum, “GENIUS Act Implementation – FinCEN, OFAC Propose Rule on AML and Sanctions-Compliance Requirements,” dated April 17, 2026, and available here.