For years, stablecoin issuers operated in a regulatory grey zone — treated, if at all, as money transmitters under a money services business (MSB) framework that was never designed for tokens that move value on public blockchains. That ambiguity is ending. On April 8, 2026, FinCEN and OFAC jointly issued a Notice of Proposed Rulemaking (NPRM) implementing the anti-financial-crime provisions of the GENIUS Act, and the comment window closes on June 9, 2026. For any business issuing — or planning to issue — a U.S. payment stablecoin, this is the moment the rules of the game became real.
From MSB Ambiguity to a Purpose-Built BSA Regime
The headline structural change: the NPRM would expressly carve permitted payment stablecoin issuers (PPSIs) out of the MSB definition and place them in a stand-alone Bank Secrecy Act framework under a new Part 1033. PPSIs would be treated as “financial institutions” in their own right, with obligations tailored to the mechanics of issuing, redeeming, and burning tokens rather than borrowed wholesale from the money-transmission rulebook.
This is more than housekeeping. A purpose-built regime means issuers can no longer rely on MSB-era assumptions — and firms that operate across multiple charters (say, a stablecoin arm inside a trust bank or MSB) may face overlapping obligations they must reconcile under a single enterprise-wide program.
A Five-Pillar Program, Now Judged on Effectiveness
The proposed AML/CFT program tracks the familiar core pillars, but with the effectiveness-based lens running through Treasury’s broader 2026 BSA modernization. PPSIs would be required to establish and maintain an “effective” program built on:
- Risk-based internal policies, procedures, and controls, anchored in a documented risk assessment that accounts for the AML/CFT National Priorities;
- Independent testing of the program;
- A designated AML/CFT compliance officer;
- Ongoing, role-appropriate employee training; and
- Customer due diligence, with resources steered toward higher-risk activity.
Notably, a customer identification program (CIP) is reserved for a separate rulemaking, so issuers should expect that piece to follow. The signal is clear: a paper program that checks boxes will not satisfy examiners. Firms with well-implemented programs would be shielded from enforcement absent “significant or systemic” failures — a meaningful incentive to get the build right now rather than retrofit later.
A First in U.S. Law: A Mandatory Sanctions Compliance Program
The most consequential element is OFAC’s proposed Part 502. For the first time in U.S. history, federal law would expressly require a defined category of U.S. persons — PPSIs — to maintain an effective sanctions compliance program as a condition of operating. The program must reflect the five elements of OFAC’s 2019 Framework: senior management commitment, risk assessment, internal controls, testing and auditing, and training.
The teeth are sharp. Material violations of the sanctions-program requirement could draw civil penalties of up to $100,000 per day, with an additional $100,000 per day where an issuer knowingly participates in a violation. Issuers would also face new recordkeeping duties — retaining audit results and program enhancements, and producing, on OFAC’s request, the certifications filed with their primary regulator. Sanctions compliance is no longer a voluntary best practice for this sector; it is a license condition.
Where the Controls Bite: Primary vs. Secondary Markets
The NPRM draws a pragmatic line. Primary-market activity — issuance, redemption, repurchase, burning, where the PPSI is a direct party — carries the full weight of due diligence, monitoring, and suspicious-activity reporting. Secondary-market activity — peer-to-peer transfers and exchange trades where the issuer is not a party except through a smart contract — would not trigger CDD, monitoring, or SAR obligations, because FinCEN preliminarily judged the burden to outweigh the benefit.
But there is a critical catch: because most illicit finance occurs on the secondary market, PPSIs must build the technical capability to identify, block, freeze, and reject impermissible transactions — even those they are not party to. That is a demanding engineering and governance requirement, and FinCEN is actively asking commenters what those controls should look like in practice. The NPRM also clarifies that an order to pay a stablecoin is a “transmittal order,” confirming Travel Rule recordkeeping applies.
FinCheck’s Perspective & The Way Forward
In our work standing up and auditing AML programs for crypto exchanges, MSBs, and BaaS-enabled fintechs, we see this rule as the inflection point that converts stablecoins from a compliance afterthought into a regulated payments business. The firms that thrive will not wait for a final rule — they will treat the June 9 comment deadline as a planning trigger.
Three priorities stand out. First, map your token activity to the primary/secondary distinction now, and scope which obligations attach where. Second, invest early in on-chain technical controls — address screening, freeze-and-reject capability, and Travel Rule data handling — because these cannot be bolted on overnight. Third, treat the sanctions program as a board-level mandate, not a checklist; strict-liability exposure at $100,000 per day rewards demonstrable governance and documentation. Issuers still operating under MSB-era assumptions should reassess their licensing, risk assessment, and independent-testing cadence against the proposed Part 1033 and Part 502 standards.
Whether you submit a comment or simply prepare, the direction of travel is unmistakable: stablecoins are entering the BSA era, and the operational bar is rising fast.
Let’s Strengthen Your Stablecoin Compliance Program
FinCheck LLC helps crypto issuers, MSBs, and fintechs build effectiveness-based AML and sanctions programs — independent audits, risk assessments, and fractional compliance leadership — that meet evolving regulatory expectations while keeping you focused on growth. Connect with us to assess your readiness for the GENIUS Act stablecoin framework.