From the content of the published text, the jointly proposed rules released by FinCEN and OFAC this time do not attempt to solve all issues regarding stablecoin regulation at once, but rather specify regulatory requirements such as AML/CFT, sanctions compliance, and suspicious activity reporting.

Written by: FinTax

In April 2026, the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) of the U.S. Treasury jointly published a proposed rule notice regarding Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT). The proposed rule was published in the Federal Register on April 10, 2026, with the public comment deadline set for June 9, 2026. If the proposed rule comes into effect, Permitted Payment Stablecoin Issuers (PPSI) will be required to follow AML/CFT compliance standards aligned with traditional financial institutions, and to establish an OFAC sanctions compliance program. This is markedly different from the regulatory requirements previously accepted by Permitted Payment Stablecoin Issuers as money services businesses, further affecting the redistribution of compliance obligations among stablecoin issuers, exchanges, custodians, and on-chain risk control service providers in the U.S. market, while causing changes to existing compliance costs for issuers.

This article systematically analyzes the proposed rule from the perspectives of legislative background, core obligations, and market impact.

1 Background of the Joint Proposed Rule

The issuance of this proposed rule is closely related to the rapid growth of the stablecoin market in the U.S. and globally, along with the accompanying illegal financial risks. As of the first quarter of 2026, the global stablecoin market size has surpassed $316 billion, with illegal financial penetration simultaneously intensifying. The Financial Action Task Force (FATF) issued a special report in March 2026, explicitly warning that stablecoins "have become the most widely used virtual assets in illegal transactions," and that actors from sanctioned countries like Iran and North Korea are using stablecoins for financing weapons proliferation and cross-border payments. The 2026 Cryptocurrency Crime Report released by Chainalysis indicates that funds flowing to illegal cryptocurrency addresses reached at least $154 billion in 2025, a year-on-year increase of 162%, with stablecoins accounting for as much as 84%. Data from TRM Labs shows that illegal entities obtained stablecoins worth $141 billion in 2025, setting a five-year record; OFAC imposed penalties exceeding $3.4 billion from 2016 to 2025, continuously issuing fines to crypto companies like Exodus and ShapeShift from late 2025 to early 2026.

In stark contrast to the federal series of enforcement actions, the industry’s compliance preparation has lagged. According to an investigation report by S&P Global Market Intelligence in April 2026, among 100 banks surveyed in the first quarter of the year, only 7% were developing related strategic frameworks, with no institutions having initiated pilot projects. How to regulate stablecoin transactions without impacting their payment efficiency and innovative characteristics has become a pressing regulatory challenge.

In 2025, the U.S. Congress accelerated the legislative process for the GENIUS Act. The Act passed in the Senate on June 17, 2025, by a vote of 68 to 30, and in the House of Representatives on July 17, 2025, by a vote of 308 to 122, and was signed into law by then-President Trump on July 18. This is the first federal-level legislation in the U.S. specifically targeting payment stablecoins. In a subsequent briefing, the White House emphasized that the Act explicitly subjects stablecoin issuers to the Bank Secrecy Act jurisdiction and requires them to implement effective anti-money laundering and sanctions compliance programs, while possessing the technical capability to seize, freeze, or destroy stablecoins under lawful orders. The joint proposed rule issued by FinCEN and OFAC focuses on the specific implementation of anti-money laundering and sanctions compliance, forming a multi-layered implementation system for the GENIUS Act in conjunction with other agencies' regulations.

2 Overview of the Joint Proposed Rule

The official title of the proposed rule jointly released by FinCEN and OFAC in the Federal Register is "Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements". Hereinafter referred to as "the proposed rule" or "the rule".

2.1 Main Framework of the Proposed Rule

In summary, the proposed rule mainly revolves around the following five aspects:

(1) Officially includes Permitted Payment Stablecoin Issuers in the definition of "financial institution" under the Bank Secrecy Act, clarifying the separation from the money services business (MSB) framework;

(2) Sets a suite of AML/CFT program requirements for Permitted Payment Stablecoin Issuers aligned with bank standards, centering on customer due diligence procedures;

(3) Clarifies the boundaries of suspicious activity reporting (SAR) obligations for Permitted Payment Stablecoin Issuers in both the primary and secondary markets;

(4) Requires Permitted Payment Stablecoin Issuers to establish an OFAC sanctions compliance program containing five key elements pursuant to the authorization of the GENIUS Act;

(5) Mandates that Permitted Payment Stablecoin Issuers must possess the technical capability to freeze, reject, and block prohibited transactions, and that this capability must take the secondary market into consideration.

2.2 Legal Status of Permitted Payment Stablecoin Issuers

2.2.1 Permitted Payment Stablecoin Issuers to be Listed as "Financial Institutions"

The most significant difference between the proposed rule and the existing regulatory framework is the inclusion of Permitted Payment Stablecoin Issuers in the definition of "financial institutions" under the Bank Secrecy Act. If the proposed rule is formally passed, the regulatory model faced by Permitted Payment Stablecoin Issuers will move closer to the standards of traditional financial institutions.

Before the introduction of the GENIUS Act, stablecoin issuers were primarily regulated at the federal level as money services businesses (MSB). MSBs are required to register with FinCEN and undergo regular inspections by the IRS. In the proposed rule, FinCEN delegates the AML/CFT regulation of Permitted Payment Stablecoin Issuers to the relevant federal regulators: the Federal Qualified Payment Stablecoin Issuer (FQPSI) will be regulated by the Office of the Comptroller of the Currency (OCC), while the regulatory authority for the subsidiary of the insured depository institution (IDI) will be its corresponding federal banking regulator. For "State Qualified Payment Stablecoin Issuers" (SQPSI) that are only regulated by state-level agencies, compliance inspections under the Bank Secrecy Act will still be conducted by the IRS.

2.2.2 Separation of Permitted Payment Stablecoin Issuers from MSB Regulation

The rule also simultaneously amends the definition of MSB, explicitly excluding Permitted Payment Stablecoin Issuers. This design aims to avoid confusion arising from dual regulation and establishes an independent compliance standard system for Permitted Payment Stablecoin Issuers that is not bound by the historical MSB framework. FinCEN cites relevant authorizations in the rule, affirming that the business activities of Permitted Payment Stablecoin Issuers are "similar or related" to those of traditional financial institutions, thereby providing a legal basis for exercising rulemaking authority.

2.2.3 Technical Capability Requirements for Permitted Payment Stablecoin Issuers

The GENIUS Act requires Permitted Payment Stablecoin Issuers to have the technical capability to freeze, reject, and block prohibited transactions. The proposed rule further clarifies that this requirement applies not only to issuance and redemption activities in the primary market but explicitly covers the secondary market — that is, peer-to-peer transfers between third parties. The rule also states that the "technical capabilities, policies, and procedures of Permitted Payment Stablecoin Issuers must encompass transactions conducted through Permitted Payment Stablecoin Issuers as well as transactions involving interactions with third parties through smart contracts."

In practical terms, this means that Permitted Payment Stablecoin Issuers must demonstrate their capability to take blocking, freezing, and rejecting measures against specific or prohibited transactions and to execute lawful orders. If the proposed rule is ultimately approved, issuers that fail to technically achieve the same effects will have to upgrade or redeploy the smart contracts of their existing stablecoin projects to meet compliance requirements.

3 Dual Compliance Obligation System Under the Joint Proposed Rule

For Permitted Payment Stablecoin Issuers, the proposed rule, after clarifying their legal status, further establishes two parallel and complementary compliance obligation systems from FinCEN and OFAC: one is the AML/CFT framework dominated by FinCEN, and the other is the economic sanctions compliance framework led by OFAC; the former focuses on preventing general illegal financial activities such as money laundering, fraud, and terrorist financing, while the latter focuses on blocking transactions with sanctioned entities or individuals.

3.1 FinCEN's AML/CFT Requirements

In the proposed rule, FinCEN requires Permitted Payment Stablecoin Issuers to establish and maintain an effective AML/CFT program. According to the relevant provisions of the rule, this program aims to set specific customer due diligence requirements for Permitted Payment Stablecoin Issuers and to clarify the boundaries of the obligations for suspicious activity reporting by issuers in both the primary and secondary markets.

3.1.1 Customer Due Diligence Requirements

In the current regulatory framework, "Customer Due Diligence" (CDD) is the fifth statutory element of a bank's AML/CFT program, while MSBs have never been required to implement a complete customer due diligence procedure, with their obligations primarily limited to customer identity recognition. Once Permitted Payment Stablecoin Issuers are no longer managed as MSBs, FinCEN will require them to implement ongoing customer due diligence. The customer due diligence requirements in the proposed rule specifically include three levels:

(1) Understanding the nature and purpose of customer relationships to establish customer risk profiles;

(2) Continuously monitoring transactions to identify and report suspicious activities;

(3) Maintaining and updating customer information based on a risk-based approach, including information related to the beneficial owners of corporate clients.

Here, a beneficial owner is defined as a natural person holding more than 25% of the ownership rights, as well as a natural person with control. It is evident that the obligations of Permitted Payment Stablecoin Issuers in terms of anti-money laundering have been substantially elevated to meet the standards of banks.

3.1.2 Suspicious Activity Reporting Obligations

The proposed rule requires Permitted Payment Stablecoin Issuers to submit reports for suspicious transactions in the primary market (Suspicious Activity Report, SAR) with a triggering amount threshold of $5,000. This threshold is significantly higher than the existing $2,000 for MSBs, aligning with traditional financial institutions such as banks and brokerages. FinCEN explains in the rule that this adjustment takes into account the requirement for Permitted Payment Stablecoin Issuers to implement customer identification programs, the rarity of low-value transactions in the primary market, and the absence of MSB-specific agency relationships in the stablecoin issuance ecosystem; however, in the secondary market, the rule provides for explicit exemptions. Just because a transfer between third parties triggers the interaction of the Permitted Payment Stablecoin Issuer's smart contracts does not immediately initiate their SAR reporting obligations.

Regarding the exemption arrangements, FinCEN notes that requiring issuers to monitor all on-chain transfers and report suspicious transactions would create two problems: first, issuers cannot grasp the identity information of parties in secondary market transactions, making the reports hollow and ineffective; second, it may induce "defensive reporting" — institutions over-reporting for self-protection, thereby burying genuinely valuable clues in a sea of defensive reports. Thus, the rule delineates clear boundaries on SAR reporting obligations while retaining the operational capacity of Permitted Payment Stablecoin Issuers: issuers must still retain the ability to take technical intervention against illegal transactions in the secondary market, such as freezing and rejecting, and must execute lawful orders issued by courts or other federal agencies. The technical capability requirements placed on issuers are crucial to support this retained right.

3.2 OFAC's Sanctions Compliance Program

Unlike FinCEN's regulatory requirements, OFAC's sanctions compliance program emphasizes proactive blocking in advance and adheres to a strict liability principle. In the proposed rule, OFAC enshrines the five elements of the sanctions compliance program into the regulation, making it a legal obligation for Permitted Payment Stablecoin Issuers. Previously, OFAC had suggested that companies establish sanctions compliance systems through guidance documents like the "Compliance Commitment Framework" issued in 2019, but it had never escalated this to a legal requirement. The proposed rule explicitly states that Permitted Payment Stablecoin Issuers must establish and maintain an "effective sanctions compliance program" that includes the following elements:

(1) Commitment from senior management and organizational levels;

(2) Risk assessments;

(3) Internal controls;

(4) Testing and auditing;

(5) Training.

For "payment stablecoin-related activities", the rule defines it as: from the issuance time until the stablecoin ceases to circulate, involving the issuance, trading, holding, processing, transferring, redeeming, or any other activities related to payment stablecoin, whether occurring in the primary or secondary market. This broad definition implies that Permitted Payment Stablecoin Issuers' responsibility for sanctions screening does not terminate when the tokens circulate to third parties. Even if a transaction occurs between two wallets that have no direct customer relationship with the issuer, as long as it involves the stablecoins issued by that issuer and is completed through their smart contracts, Permitted Payment Stablecoin Issuers theoretically still bear the obligation for sanctions screening.

For violations, the rule imposes clear penalties: substantial violations can incur fines of up to $100,000 per day; knowing violations incur an additional $100,000 per day. Given OFAC's strict liability principle for sanctions compliance, which holds civil liability regardless of knowledge as long as a violation occurs, the deterrent strength of this penalty is self-evident.

4 Challenges Faced by Stablecoin Issuers: Quantifying Compliance Costs

For stablecoin issuers, the proposed rule quantifies previously vague compliance costs through explicit institutional design, objectively raising the market entry threshold. Section Twelve of the proposed rule provides a detailed analysis of the regulatory impact. Based on projections from FinCEN and OFAC, the incremental compliance cost for each non-banking Permitted Payment Stablecoin Issuer in the first year is approximately $52,453, while for bank-affiliated issuers (as subsidiaries of existing banks) it is around $24,983. The vast difference in compliance costs is related to whether the two types of issuers already have compliance infrastructure; bank-affiliated issuers can reuse the BSA/AML compliance teams, OFAC screening systems, and beneficial owner identification processes of their parent companies, keeping marginal costs low; while non-bank issuers need to build a complete compliance infrastructure from scratch. Furthermore, each issuer must also invest $10,000 to $20,000 in the first year for deploying blockchain analysis tools, sanctions screening software, and transaction monitoring systems.

For smaller entities, the rule adopts an asset-based criteria — issuers with total assets under $200 million are categorized as small entities. Among the estimated 50 potential Permitted Payment Stablecoin Issuers, about 19 fall into this category. For these smaller issuers, the first-year compliance costs could account for 1% to 3% of their annual revenue. This proportion does not necessarily constitute an entry barrier, but smaller issuers must incorporate compliance costs into their business model's break-even logic, which may lead to changes in their original issuance strategies or revenue models.

5 Conclusion

From the content of the published text, the jointly proposed rules released by FinCEN and OFAC this time do not attempt to solve all the issues regarding stablecoin regulation at once, but rather specify regulatory requirements such as AML/CFT, sanctions compliance, and suspicious activity reporting. For the U.S. stablecoin market, the technical architecture, customer management, and compliance systems of issuers will be included as entry conditions and play a more significant role in market competition. However, the proposed rule is still in the public comment period, and there remains room for adjustment regarding whether the final rule retains the technical capability requirements for the secondary market, the boundaries of customer due diligence, and the sanctions compliance arrangements in the existing text. Whether the dual compliance obligation system under the published text can ultimately be established awaits further observation. From a medium- to long-term perspective on a series of implementation measures under the GENIUS Act, a clearly defined regulatory environment with well-defined rights and responsibilities may very well be the only pathway for stablecoins to truly integrate into the global financial infrastructure.