The GENIUS Act's Stablecoin Rules: A Guide to the New US AML/CFT and Sanctions Compliance Mandates for Issuers

The era of stablecoins operating on the fringes of the U.S. financial system is coming to a close. Following the passage of the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act in July 2025, federal agencies have spent the past year drafting the rulebook that will govern the multi-hundred-billion-dollar sector. In June 2026, the Financial Crimes Enforcement Network (FinCEN), the Office of Foreign Assets Control (OFAC), and the Office of the Comptroller of the Currency (OCC) released a flurry of proposed rules detailing exactly how stablecoin issuers must police their networks. The mandate is clear: by the time the law takes full effect on January 18, 2027, any company minting dollar-backed tokens in the United States must operate with the same rigorous compliance infrastructure as a traditional bank.[1][2]

At the heart of the new regulatory framework is a fundamental reclassification. Under the GENIUS Act, a "Permitted Payment Stablecoin Issuer" (PPSI) is officially designated as a financial institution under the Bank Secrecy Act. This triggers a cascade of anti-money laundering (AML) and countering the financing of terrorism (CFT) obligations. Issuers can no longer rely on lightweight compliance checks; they must implement comprehensive, risk-based programs that include ongoing employee training, independent testing, and the appointment of a U.S.-based AML compliance officer. The White House has championed these provisions as essential tools for combating illicit finance and protecting national security, ensuring that digital dollars are not weaponized by adversarial actors.[3][8]

Beyond identity verification and transaction monitoring, the GENIUS Act fundamentally de-risks the asset side of the stablecoin equation. The law mandates that all permitted payment stablecoins be backed one-to-one by highly liquid reserves, strictly limited to assets like U.S. dollars and short-term Treasury bills. Issuers are required to publish monthly, audited disclosures detailing the exact composition of these reserves. By eliminating the use of volatile commercial paper or algorithmic backing mechanisms, the legislation ensures that the AML/CFT frameworks are applied to stable, systemic payment instruments rather than speculative investments, aligning the sector with traditional payment clearinghouses.[8]

The most unprecedented shift in the FinCEN and OFAC proposals is the explicit requirement for a formal sanctions compliance program. While traditional banks have long adhered to OFAC sanctions, the GENIUS Act marks the first time federal law explicitly mandates a specific category of financial institution to maintain such a program by statute. Issuers must possess the technical capability—built directly into their smart contracts or operational infrastructure—to block, freeze, and reject impermissible transactions. If a wallet address is added to the Specially Designated Nationals (SDN) list, the issuer must be able to halt the movement of its stablecoins associated with that address within 30 days of a lawful order.[1][4]

To navigate this new reality, the GENIUS Act establishes a dual-track regulatory system, forcing companies to weigh the trade-offs between two distinct compliance pathways: the Federal OCC Charter and the State-Level Certification. The federal route requires issuers to apply for a specialized trust bank charter supervised directly by the Office of the Comptroller of the Currency. This pathway fits well when an issuer operates at a massive scale, requires nationwide regulatory preemption, and has the capital to absorb the intense, continuous scrutiny of federal bank examiners.[2][5][7]

The OCC's June 2026 Conforming Notice of Proposed Rulemaking (NPRM) further clarifies the expectations for these federally supervised issuers. It formally incorporates FinCEN's AML/CFT requirements by reference and establishes a unique information-sharing corridor. Under the proposed rule, OCC-supervised issuers are permitted to share confidential supervisory information directly with the FinCEN Director in the context of enforcement actions. This tight integration ensures that federal banking regulators and financial intelligence units are operating from the same playbook, significantly raising the stakes for compliance failures.[2][4]

Conversely, the State-Level Certification pathway offers an alternative for smaller or regionally focused firms. The GENIUS Act allows issuers with less than $10 billion in consolidated outstanding stablecoins to opt into a state regulatory regime, provided a federal review committee certifies that the state's rules are "substantially similar" to the national baseline. This route fits well when a fintech startup is testing a novel stablecoin product and prefers to work with familiar local regulators. However, it does not fit when a company anticipates rapid hyper-growth, as crossing the $10 billion threshold forces a mandatory transition to federal oversight.[5]

While the dual-track system provides flexibility for issuers, the scope of the AML/CFT mandates has sparked intense debate regarding the secondary market. The proposed Customer Identification Program (CIP) rules require issuers to collect and verify the identities of customers with whom they directly mint or redeem stablecoins. However, the rules explicitly state that issuers are not required to apply CIP checks to downstream end-users who merely send or receive the tokens on secondary platforms or decentralized exchanges. Suspicious activity reporting (SAR) obligations similarly do not extend to these secondary market transfers.[1][4]

This limitation has drawn sharp criticism from lawmakers and national security advocates. Critics, including Senator Elizabeth Warren, argue that applying AML/CFT rules exclusively to the primary issuance layer creates a massive loophole. Because stablecoins frequently change hands across decentralized finance (DeFi) protocols and unhosted wallets after they are minted, critics warn that the legislation effectively signals an "open season" for illicit actors to exploit secondary channels. They contend that without expanding the regulatory perimeter to include digital asset service providers and protocol operators, the GENIUS Act fails to adequately disrupt terrorist financing and money laundering.[6]

Despite these debates, the compliance clock is ticking relentlessly toward the January 2027 enforcement deadline. Whether opting for the rigorous certainty of an OCC federal charter or the tailored approach of state-level certification, stablecoin issuers face a monumental engineering and legal lift. They must retrofit their blockchain architectures to support mandatory freezing capabilities, build out robust identity verification pipelines, and hire specialized compliance personnel. The era of the "Wild West" in digital assets is effectively over; the future of stablecoins will be defined by those who can successfully merge cryptographic innovation with the stringent demands of the Bank Secrecy Act.[3][7][9]