Bank AML Rules Hit Stablecoin Issuers Under GENIUS Act

Picture a stablecoin desk that used to think about minting, burning, and reserve management. Overnight, the vocabulary shifts to suspicious activity reports, sanctions screening, model governance, and board-approved policies. That is the compliance dragnet arriving at crypto’s most bank-like businesses.

In late May and early June 2026, U.S. regulators moved to place permitted payment stablecoin issuers (PPSIs) squarely under bank-style AML and sanctions regimes. The shift will make leading issuers look operationally indistinguishable from mid-sized banks.

On May 22, 2026, the FDIC Board approved a Notice of Proposed Rulemaking (NPRM) to require FDIC-supervised PPSIs to comply with Bank Secrecy Act (BSA)/AML and OFAC sanctions requirements. The public comment period opened with publication in the Federal Register on June 5, 2026 (91 FR 34171). Comments are due by August 4, 2026.

In parallel, Treasury components (FinCEN for AML/CFT and OFAC for sanctions) are developing complementary rules under the GENIUS Act for payment stablecoins. On June 10, 2026, SIFMA and SIFMA AMG pressed for clarity on secondary-market obligations, safe harbors, and alignment with risk-based standards (SIFMA press release / comment letter).

The essence of the GENIUS Act AML/sanctions effort and the FDIC’s PPSI NPRM formalizes something many issuers already do informally: operate like regulated custodians of fiat-linked value. The difference is enforcement scope, accountability, and auditability.

The precise contours will be finalized post-comment. The thrust is clear. FDIC-supervised issuers of permitted payment stablecoins must maintain BSA/AML programs and comply with OFAC. Treasury’s companion rules aim to ensure consistent coverage across the issuer landscape.

Stablecoins are the de facto settlement asset of crypto market structure and an increasingly important bridge into traditional finance. As usage spreads, regulators want issuer-level controls to match systemic relevance. Bank rules now apply to a new wrapper: the token.

Most large issuers already perform KYC on direct customers, monitor issuer-controlled mints and burns, and screen addresses. The proposed regime formalizes and extends those practices with the governance, documentation, and testing discipline banks live under.

Without prejudging the final text, BSA/OFAC programs share common elements that stablecoin issuers should expect to demonstrate consistently, and under exam conditions.

Where policy collides with protocol is secondary-market activity: peer-to-peer transfers among self-custodied wallets, DEX pools, and centralized exchanges outside the issuer’s direct customer base.

During the June comment window, crypto policy advocates pushed to confine issuer duties to the primary market. They argued that requiring surveillance of every downstream hop is neither feasible nor proportionate. Paradigm and the Hyperliquid Policy Center jointly urged regulators to narrow scope accordingly (Decrypt).

Major bank trade groups went the other way. The Bank Policy Institute and The Clearing House argued the rules must also address secondary-market gaps to prevent illicit finance leakage. This sharp policy divide highlights enforceability and liability allocation (Decrypt).

A viable path may blend risk-based expectations (issuer controls at mint/burn and for direct counterparties) with safe harbors for reasonable on-chain analytics. Standardized attestations from intermediaries and targeted blocking capabilities where technically feasible could also feature. SIFMA’s June 10 letter pressed for operational flexibility and alignment with existing AML program standards.

Bank-grade compliance is less about buzzwords than sequencing. Issuers that treat this like a core systems build will move faster and spend less.

Expect heavier third-party risk management. On-chain analytics providers, KYC platforms, oracles, custodians, and cloud/data infrastructure will all face scrutiny. Bank-style vendor due diligence becomes mandatory: SLAs, model explainability, uptime guarantees, and breach reporting.

Stablecoin compliance runs on data. The challenge is stitching pseudonymous ledgers to real-world identities without over-collecting or drifting into dragnet surveillance.

Issuers have strong leverage at the edges: onboarding, mint/burn, primary market distributions, and relationships with centralized venues. They can require KYC for direct counterparties and set redemption limits, and they may deny service based on sanctions.

Secondary-market flows in self-custody are difficult to police. Wallet risk scoring is probabilistic. Mixers and privacy tools complicate attribution. Smart contracts abstract counterparties. Demanding bank-like certainty in these zones could push activity offshore or into less transparent rails.

Risk-based standards, as SIFMA emphasized in its June 10 letter, give regulators levers to calibrate expectations. Issuers should focus on where they can demonstrably mitigate risk and document why certain controls are technically or operationally infeasible beyond that perimeter.

Compliance spend will rise. Issuers may pass costs to institutional clients and raise redemption fees. They might also push activity toward KYC’d venues.

For developers, the message is to architect with compliance hooks: event logs that facilitate monitoring and upgrade paths to implement sanctions actions. APIs that help intermediaries attest to their own program quality are also useful. For users, expect clearer rules of the road at on/off-ramps and fewer surprises when interacting with blacklisted addresses.

Comments on the NPRM are due August 4, 2026. The FDIC will review feedback before finalizing the rule. For broader crypto market context, the shift aligns stablecoin oversight with existing bank regulatory frameworks.