Advisories July 13, 2026

Financial Services / White Collar, Government & Internal Investigations Advisory | Combating Illicit Use of Payment Stablecoins: Proposed AML/CFT and Sanctions Rules Under the GENIUS Act

Executive Summary
Minute Read

Several federal regulators, both on their own and in tandem, are moving to apply bank-like rules for anti-money laundering / countering the financing of terrorism (AML/CFT), sanctions, and customer identification to payment stablecoin issuers. Our Financial Services and White Collar, Government & Internal Investigations teams investigate how the related rulemakings will affect new and existing participants in the stablecoin industry.

  • Issuers would need risk-based AML/CFT and sanctions programs covering issuance, redemption, wallets, and transactions
  • Customer identification program obligations would focus on “direct” customers, not every downstream holder
  • Firms should start benchmarking controls, reviewing intermediary reliance, and preparing for unresolved compliance questions

U.S. federal regulators have now proposed the core anti-money laundering (AML), countering the financing of terrorism (CFT), sanctions, and customer identification requirements that would apply to permitted payment stablecoin issuers (PPSIs) under the GENIUS Act. Taken together, the Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) AML/CFT and sanctions program proposals, corresponding prudential regulator proposals for issuers affiliated with banks and credit unions, and an interagency customer identification program (CIP) proposal would apply a familiar set of financial crime compliance standards to GENIUS Act PPSIs. The proposals would implement the GENIUS Act’s requirement that PPSIs be considered financial institutions under the Bank Secrecy Act (BSA). They would require risk-based AML/CFT and sanctions compliance programs, impose CIP obligations for “direct” customers, and establish supervisory and enforcement mechanisms for issuers subject to federal banking agency oversight.

A Comprehensive Series of Related Rulemakings

FinCEN and OFAC (both units of the U.S. Treasury Department) have noted the potential for payment stablecoins to revolutionize payment systems in ways having many public benefits but also the reality that the U.S. financial system is a sizeable target for abuse by illicit actors. In light of these competing interests and related GENIUS Act mandates, regulators have approached AML/CFT and sanctions compliance for PPSIs through a series of interrelated proposed rulemakings. The foundational proposal is the April 2026 joint FinCEN and OFAC proposed rule. That proposal, to modify and expand existing regulations separately administered by these agencies, would implement the GENIUS Act’s directive to treat PPSIs as financial institutions for BSA purposes and would require those issuers to maintain AML/CFT programs and effective sanctions compliance programs. Comments on that proposal were due June 9, 2026.

The second set of proposals consists of primary regulator rules that would apply to federally supervised issuers. In late June 2026, the Office of the Comptroller of the Currency (OCC) proposed BSA and sanctions compliance standards for OCC-supervised PPSIs, with comments due July 24, 2026. The Federal Deposit Insurance Corporation (FDIC) and National Credit Union Administration (NCUA) each previously issued parallel proposals for FDIC- and NCUA-supervised issuers. These proposals would integrate FinCEN and OFAC requirements into the supervisory and enforcement frameworks that apply to stablecoin issuers affiliated with banks and credit unions, just as the banking regulators have integrated them into depository institution rules. The Board of Governors of the Federal Reserve System has not yet published such a proposal for issuers subject to its jurisdiction but can be expected to do so soon.

The third pillar of this framework is the June 2026 interagency CIP proposal issued by FinCEN together with the OCC, FDIC, NCUA, and Board. That proposal would require PPSIs to maintain a written CIP for what the agencies characterize as “direct” customers, building out a key element of the required AML/CFT program envisioned by FinCEN and OFAC. Comments on the interagency CIP proposal are due August 21, 2026.

FinCEN and OFAC Proposal: Payment Stablecoin Issuers as Financial Institutions

The FinCEN and OFAC joint proposal is the substantive core of the AML/CFT and sanctions framework that the agencies have outlined. By defining PPSIs as financial institutions under the BSA as mandated by the GENIUS Act, the proposal would subject issuers to core AML/CFT program expectations, including risk assessment, internal controls, independent testing, designated compliance personnel, training, and ongoing monitoring requirements. The proposal would also establish reporting and recordkeeping requirements designed to address the specific illicit finance risks associated with stablecoin issuance, redemption, transfer activity, and intermediary relationships. Notably, just as banks and credit unions are expressly excluded from the definition of a money services business (MSB) requiring FinCEN registration under existing FinCEN rules, a blanket exclusion would be added for PPSIs, a significant result for providers that currently maintain this registration. FinCEN's proposal reinforces that its landmark 2019 guidance on the application of the BSA to convertible virtual currency (CVC) businesses currently treats stablecoin issuers (and certain other CVC businesses) as MSBs.

The proposal would require issuers to maintain an effective program reasonably designed to prevent transactions prohibited by OFAC-administered sanctions programs. In practice, this means issuers would need to consider how sanctions controls apply across the full stablecoin life cycle, including onboarding, issuance, redemption, hosted and unhosted wallet interactions, and blocking or rejecting transactions. The proposal underscores that stablecoin issuers cannot rely solely on conventional account opening controls where their products can move rapidly across wallets, platforms, and jurisdictions.

This proposal’s definition of “lawful order” would implement a significant provision of the GENIUS Act requiring an issuer to take action—such as freezing, blocking, rejecting, or otherwise restricting stablecoin-related activity—based on directives from FinCEN, OFAC, law enforcement, courts, or other competent authorities. Issuers will need to ensure they are prepared to take the mandatory action triggered by a lawful order, including the operational ability to identify affected wallets, counterparties, tokens, or redemption requests, and to document the basis for the action.

OCC, FDIC, and NCUA Proposals: Supervisory Overlay for Issuers Affiliated with Banks and Credit Unions

The OCC, FDIC, and NCUA proposals are directed at issuers subject to those agencies’ jurisdiction. For the OCC, that means national banks and their subsidiaries, federal savings associations and their subsidiaries, federal branches and their subsidiaries, nonbank entities that seek to be or are approved as federal qualified payment stablecoin issuers, foreign payment stablecoin issuers subject to OCC oversight, and state qualified payment stablecoin issuers the OCC has regulatory or enforcement authority over through the GENIUS Act. The FDIC’s proposal applies to PPSIs that are subsidiaries of insured state nonmember banks (that is, state-chartered banks that are not members of the Federal Reserve system) and state savings associations approved to issue payment stablecoins. The NCUA’s proposal applies to NCUA-licensed PPSIs that are subsidiaries of federally insured credit unions, including credit union service organizations and other credit union subsidiary structures eligible for NCUA approval under the GENIUS Act.

Each of these prudential regulators’ proposals would require covered issuers to comply with applicable AML/CFT, sanctions, reporting, and related requirements established by FinCEN and OFAC while also preserving the prudential regulators’ responsibilities through supervisory and enforcement provisions.

These proposals also reflect an effort to coordinate enforcement with FinCEN, consistent with the agencies’ recently proposed amendments to existing bank and credit union rules. Specifically, the agencies have described (or are considering, in the case of the Board) a framework under which each prudential regulator (such as the FDIC for institutions it supervises) would consult with FinCEN before initiating certain AML/CFT enforcement or other supervisory actions against a covered institution. That coordination is intended to avoid duplicative or inconsistent application of AML/CFT standards, as we described in a prior advisory.

Customer Identification Program Proposal: Direct Customers and Reliance

The interagency CIP proposal would require PPSIs to adopt a written program appropriate for the issuer’s size, business model, and risk profile. Consistent with existing CIP concepts for banks and other financial institutions, the program must include procedures for identifying and verifying the identity of each customer, providing a related customer notice, maintaining records, screening against sanctions and other government lists, and addressing circumstances in which the issuer cannot form a reasonable belief that it knows the true identity of a customer. The required identifying information would largely track the familiar bank and credit union CIP framework—name, date of birth for individuals, address, and taxpayer identification number or other government-issued identification number—rather than create a fundamentally different stablecoin-specific identification standard. (FinCEN’s separate AML/CFT program proposal would require issuers to collect ultimate beneficial ownership information for its legal entity customers in the same way that banks and credit unions are required to do.)

One departure from the legacy bank and credit union CIP formulation is the proposed requirement to collect a business or other nonindividual customer’s date of formation, effectively creating an entity analog to an individual’s date of birth; although not part of the CIP minimum information required of banks and credit unions, a similar formulation appeared in the SEC and FinCEN 2024 proposed CIP rule for investment advisers. Generally speaking, though, the proposal would formalize PPSI CIP requirements that align more directly with those that apply to banks and credit unions than to the more general rules that apply to MSBs, though many MSBs already collect and verify similar information as a matter of risk-based compliance practice or in light of state money transmission licensing compliance obligations.

The proposal also includes a discussion, which may be of independent interest to banks and other existing BSA financial institutions, interpreting the use of a virtual office or commercial mail service office as a customer’s address as unacceptable for CIP purposes. According to the agencies, like a P.O. box, this type of address is unacceptable because it “is not an actual place of business or residence for the entity or individual and does not evidence a physical location for the customer.”

The proposal’s distinction between “direct” and “indirect” customers is probably its most novel and significant element. As described by the agencies, stablecoin arrangements often involve layered distribution models, custodial and noncustodial wallets, exchanges, payment platforms, program managers, and enterprise users. Many issuers, according to the proposal, currently interact with a small number of larger intermediaries—exchanges—that in turn circulate stablecoins more broadly and otherwise interact with a larger and more diverse group of users on the secondary market. Those exchanges may themselves already be regulated as MSBs under existing FinCEN rules and guidance, which generally treat CVC exchanges and administrators as money transmitters if they accept and transmit value that substitutes for currency. The agencies appear to have given some weight to this consideration in determining how to approach secondary-market-related obligations of PPSIs. The rule would not necessarily require an issuer to identify every downstream holder in every circumstance, but issuers would need to understand when a person or entity is a direct customer, in which case initial and ongoing identification and monitoring obligations will generally apply.

This distinction around secondary market relationships would be implemented through a proposed exclusion from the definition of an “account” relationship otherwise triggering CIP and related obligations for “payment stablecoin activity that does not directly involve the permitted payment stablecoin issuer as a party to the transaction other than via a smart contract.” For purposes of the CIP requirement, the agencies would define an “account” for a PPSI in functional terms that focus on the issuer’s direct relationship with a person to issue or redeem payment stablecoins or provide other services incident to the issuer’s stablecoin business. This approach is analogous to the existing CIP rules for banks and credit unions, which define an account by reference to a formal banking or credit union relationship established to provide financial services, but it is adapted to the stablecoin context by focusing on primary market issuer activity rather than the full universe of secondary market transfers or downstream holders. In that respect, the proposal appears designed to preserve the familiar account opening trigger for CIP obligations while recognizing that a payment stablecoin may circulate after issuance through wallets, exchanges, custodians, and other intermediaries, or otherwise end up in the hands of secondary users, which the issuer may not have a direct customer relationship with or otherwise receive related information about.

The proposed definition also suggests that relationships ancillary to issuance and redemption may themselves create an “account” relationship where the issuer is providing financial services to an identifiable person or entity. This direction reflects the range of activities beyond issuance itself that PPSIs may be permitted to engage in under the GENIUS Act. For example, an issuer’s agreement to manage reserves for, or provide custodial services to, a customer could resemble the type of continuing financial relationship that triggers CIP obligations under existing bank and credit union rules. Similarly, a person that acquires payment stablecoins in the secondary market may not be a customer of the issuer merely by holding the tokens, but that status could change if the person seeks to redeem stablecoins directly from the issuer. At that point, the redemption request may convert the holder from an indirect market participant into a direct customer because the issuer is being asked to provide a covered financial service—redemption—directly to that person.

The proposal would also permit reliance on another federally regulated financial institution’s performance of CIP procedures if specified conditions are satisfied, just as existing rules permit banks, credit unions, and broker-dealers to do. This reliance concept may be especially important for issuers affiliated with banks or credit unions and for issuers that distribute stablecoins through partnerships with regulated intermediaries, such as exchanges registered with FinCEN as MSBs. Issuers would need to determine that reliance is reasonable, confirm that the other institution is subject to an AML/CFT program with CIP requirements and regulated by a federal functional regulator, and obtain annual contractual certifications that the other institution has implemented and will perform the required CIP obligations.

What Market Participants Should Do Now

Although the proposals are not final, market participants should begin preparing now. For rules specifically required by the GENIUS Act, the statute requires them to be issued by July 18, 2026.

First, prospective issuers should benchmark their current AML/CFT, sanctions, fraud, blockchain analytics, wallet-screening, transaction-monitoring, and customer-onboarding controls against the proposed requirements. For those that are currently registered MSBs, programs will likely need to be mapped to a similar, but more prescriptive and issuer-specific, set of obligations—particularly for written AML/CFT and sanctions programs, direct customer CIP, redemption-related controls, recordkeeping, reporting, and supervisory expectations.

Second, issuers should determine when they will rely on affiliates, distributors, custodians, exchanges, or other regulated financial institutions and whether contracts contain the certifications, audit rights, data-sharing provisions, and operational commitments likely to be necessary under the final rules.

Similarly, issuers affiliated with banks and credit unions should assess how the stablecoin business will rely on or fit within the parent institution’s enterprise-wide AML/CFT, sanctions, compliance, audit, model risk, vendor management, and information security frameworks. Regulators appear receptive to coordinated compliance infrastructure, particularly when a stablecoin issuer is part of an insured depository institution group. Shared infrastructure must still be tailored to the issuer’s products, customers, transaction flows, and technology risks.

Finally, firms should consider whether to participate in remaining formal public comment periods or engage with trade associations on unresolved issues. Areas likely to warrant attention include the concept of direct customer or “account” relationships, treatment of intermediated and omnibus relationships, expectations for unhosted wallet screening, feasibility of real-time transaction interdiction, reliance on third-party CIP performance, treatment of foreign intermediaries, and enforcement-related coordination between FinCEN and the federal banking agencies.


If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services team or one of the attorneys on our White Collar, Government & Internal Investigations team.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.


Media Contact
Alex Wolfe
Communications Director