GENIUS Act Compliance: What the New FinCEN and OFAC Rules Mean for Stablecoin Issuers and Their Banking Partners

The Treasury Department's Financial Crimes Enforcement Network and Office of Foreign Assets Control jointly issued a notice of proposed rulemaking on April 10, 2026, that begins to put regulatory flesh on the bones of the GENIUS Act. The Guiding and Establishing National Innovation for U.S. Stablecoins Act required FinCEN to treat permitted payment stablecoin issuers, abbreviated as PPSIs, as financial institutions subject to the Bank Secrecy Act. The NPRM defines what that statutory mandate actually means in practice, and it does so in a way that is both expected in many respects and surprising in a few important ones. Comments on the proposed rule are due June 9, 2026. For Houston businesses with exposure to the stablecoin sector, including energy traders accepting stablecoin payments, fintech ventures, and the banks that partner with stablecoin issuers, the time to evaluate the framework is now.

What is a permitted payment stablecoin issuer under the GENIUS Act?

The most basic structural change is that PPSIs are no longer regulated as money services businesses under the BSA. They become a standalone category of financial institution under a new proposed Part 1033 of FinCEN's regulations. The change is substantive rather than cosmetic. MSBs operate under one set of rules. PPSIs will operate under their own. The new framework retains the five pillars of AML compliance that have characterized FinCEN regulation since the customer due diligence rule took effect in 2018, but adds modifications and nuances that reflect the unique features of stablecoin issuance.

What AML obligations apply to PPSIs under the new framework?

A PPSI must establish and maintain a written AML compliance program approved by the board or senior management and appropriately risk-based. The program must cover internal policies, procedures, and controls, the designation of a compliance officer, training, independent audits, and customer due diligence. The CDD obligation, including beneficial ownership verification, is limited to direct customers in the primary market, meaning the entities that purchase or redeem stablecoins directly from the issuer. CDD does not extend to every counterparty in the secondary market, which is the universe of holders and recipients of stablecoins after they have left the issuer's hands. This limitation is sensible and reflects the practical impossibility of conducting full CDD on every wallet that touches a stablecoin.

Do PPSIs have to monitor secondary market transactions?

The harder question is how far secondary market monitoring obligations extend. FinCEN has tried to draw a workable line. The general rule is that PPSIs are not required to monitor secondary market activity or file secondary market suspicious activity reports. They retain the safe harbor for voluntary SARs filed in good faith under the BSA. But the CDD process for direct customers requires the PPSI to develop an understanding of the customer's nature and purpose sufficient to build a risk profile, and that includes the customer's distribution channels, jurisdictions, scope of services, and partners. In practice, a PPSI that sells stablecoins to a digital asset exchange that the PPSI knows or should know is engaging in deposits and withdrawals with addresses attributed to illicit actors cannot defensibly ignore that information. FinCEN's framing acknowledges this tension and signals that the limited secondary market relief is preliminary.

What is the SAR threshold for PPSIs?

The SAR threshold is set at five thousand dollars rather than the two thousand dollars that applies to most MSBs. The threshold matches the bank threshold and reflects the larger transaction sizes typical in the stablecoin context. CTR requirements apply to PPSIs in principle, but the requirement is limited to physical transfers of currency, which means actual cash, and does not extend to stablecoin transactions. FinCEN justified imposing the CTR rule on the basis that PPSI activity could expand into retail or kiosk channels where currency might change hands.

Why is the OFAC compliance program requirement significant?

The most striking piece of the NPRM is on the OFAC sanctions side. Under proposed Part 502 of OFAC's regulations, PPSIs would be subject for the first time in U.S. history to an explicit affirmative requirement that a category of U.S. persons implement an effective sanctions compliance program. All U.S. persons have always been required to comply with OFAC sanctions, including by blocking or rejecting transactions involving sanctioned persons, but no rule has previously mandated that any specific category of U.S. person establish a compliance program. The OFAC mandate ties to OFAC's 2019 Framework for OFAC Compliance Commitments and the 2020 Sanctions Compliance Guidance for the Virtual Currency Industry. The substantive elements overlap heavily with FinCEN's AML compliance framework, including senior management commitment, risk assessment, internal controls, testing and auditing, and training. But the standalone affirmative requirement has the practical consequence of expanding enforcement risk. OFAC and the Department of Justice can pursue civil and criminal cases not only for actual sanctions violations but also for failure to maintain an effective program. Given the high-level nature of OFAC's compliance standards, the regime is likely to function as regulation by enforcement.

How do the OFAC obligations differ from FinCEN's for the secondary market?

For PPSIs, the secondary market sanctions obligations are more demanding than the AML obligations. OFAC explicitly takes the position that a stablecoin interacting with a PPSI's smart contract, even on the secondary market, may be within the possession or control of the PPSI for sanctions purposes when an OFAC-blocked person has an interest in the transaction. In practice, this requires the PPSI to block, freeze, or reject any of its tokens reaching a sanctioned wallet, even in peer-to-peer transfers in which the issuer is not a direct party. Major issuers such as Circle, Paxos, and Tether have built blocking and freezing capabilities into their smart contracts already, and OFAC's position formalizes the expectation that other issuers will do the same. The Virtual Currency Industry Guidance suggests blockchain analytics as a tool for monitoring secondary market activity, and OFAC does not impose the FinCEN-style limitation on secondary market obligations. OFAC's general risk-based standards govern.

What does this mean for Houston energy traders and banks?

For Houston-based businesses, the implications cut several ways. Energy traders and commodity merchants who have begun accepting stablecoin payments need to evaluate whether their issuer counterparties are positioned to comply with the new regime, and whether their own internal controls are sufficient to comply with the customer-side obligations of the BSA when transactions are denominated in stablecoins. Banks that provide services to stablecoin issuers, including custody, transaction processing, and treasury management, need to refresh their third-party risk management frameworks to account for the secondary market control obligations and the higher SAR threshold. Fintech ventures positioning themselves to apply for PPSI status must begin building examination-ready documentation now, including written AML and sanctions policies, a thoughtful risk assessment, designated compliance personnel, training curricula, independent testing, and integrated technical capabilities for blocking and rejecting transactions through smart contracts.

A few considerations specific to the Houston market are worth flagging. The energy commodities sector has been an early adopter of stablecoin payments for cross-border settlement, particularly in transactions involving counterparties in jurisdictions where U.S. dollar liquidity is constrained. A Houston energy trader using stablecoins for settlement is not itself a PPSI, but the trader's counterparty due diligence obligations as a U.S. person under OFAC's general regulations are heightened by the new framework. Energy trading desks should evaluate their internal controls for screening counterparty wallets, monitoring transaction patterns, and documenting the rationale for stablecoin denomination. The same is true for Houston-area banks and credit unions providing services to digital asset businesses; refreshed third-party risk management programs that account for the secondary market control obligations imposed on PPSIs are a near-term priority.

What questions does the NPRM leave open?

The NPRM leaves several questions open. The Travel Rule, which requires the transmission of certain originator and beneficiary information with funds transfers above three thousand dollars, is awkward in a blockchain context where the wallet addresses do not necessarily map to identifiable persons. FinCEN's forthcoming customer identification program rule for PPSIs is not yet released. Foreign payment stablecoin issuers are not subject to the proposed compliance obligations, leaving an asymmetry that may not survive subsequent rulemaking. And the so-called DeFi loophole, where stablecoins move through decentralized protocols that are not themselves BSA-regulated institutions, is a known concern that the rule does not resolve. FinCEN's grant of secondary market SAR relief is described as preliminary, suggesting that the agency may revisit the issue if the regime produces blind spots.

The NPRM also reflects a broader theme in current Treasury Department thinking about financial crimes compliance. The five-pillar framework, the affirmative compliance program mandate, the integration of AML and sanctions obligations, and the use of regulatory expectations to drive enforcement risk are all consistent with the broader AML compliance program reform proposal that has been working its way through the rulemaking process. The PPSI rules are not isolated. They are an early implementation of a compliance philosophy that will likely apply to other categories of financial institution in subsequent rulemaking.

When is the comment deadline and what comes next?

For Houston attorneys advising clients in the digital asset, banking, and fintech sectors, the NPRM is the first concrete view of what the GENIUS Act compliance environment will look like. Comments are due June 9, 2026. Substantive comments from market participants, particularly those with practical experience implementing OFAC compliance in the virtual currency context, are likely to influence the final rule.

The other Houston implication relates to FDIC-supervised institutions. The FDIC's parallel proposed rule released April 10 sets out compliance certifications and operational requirements for FDIC-supervised insured depository institutions and their subsidiaries acting as PPSIs. A Houston bank or its holding company that has been evaluating entry into the stablecoin issuance space now has a clearer regulatory pathway, though the AML and sanctions compliance demands are substantial and the build-out cost is real.

North Star Law Firm advises Houston-area businesses on the intersection of tax, regulatory, and financial crimes compliance, including evaluation of stablecoin-related counterparty exposure and the structuring of payment arrangements involving digital assets.

Frequently asked questions

What is a permitted payment stablecoin issuer under the GENIUS Act?

A permitted payment stablecoin issuer, or PPSI, is an entity authorized under the Guiding and Establishing National Innovation for U.S. Stablecoins Act to issue payment stablecoins. The April 10, 2026 NPRM by FinCEN and OFAC establishes the regulatory framework that will apply to PPSIs once finalized, including AML compliance obligations under proposed Part 1033 of FinCEN's regulations and sanctions compliance obligations under proposed Part 502 of OFAC's regulations.

Do PPSIs have to monitor secondary market transactions?

FinCEN does not require PPSIs to monitor secondary market activity or file secondary market suspicious activity reports as a general matter. However, the customer due diligence process for direct customers may require PPSIs to consider secondary market activity in building customer risk profiles. OFAC's sanctions framework imposes more demanding secondary market obligations, including blocking transactions involving sanctioned wallets even in peer-to-peer transfers.

What is the SAR threshold for PPSIs?

The proposed rule sets the suspicious activity report threshold at $5,000, matching the bank threshold and higher than the $2,000 threshold for most money services businesses. Voluntary SARs filed in good faith continue to enjoy the BSA safe harbor.

Why is the OFAC compliance program requirement significant?

Proposed Part 502 of OFAC's regulations would impose, for the first time in U.S. history, an explicit affirmative requirement that a category of U.S. persons maintain a sanctions compliance program. While all U.S. persons have always been required to comply with sanctions, no rule has previously mandated that any specific category establish a compliance program. The mandate expands enforcement risk to include failures to maintain an effective program, even absent an underlying sanctions violation.

When is the comment deadline?

Comments on the FinCEN and OFAC NPRM are due June 9, 2026. Substantive comments from market participants are likely to influence the final rule, particularly on open questions including the Travel Rule application to blockchain transactions, the forthcoming customer identification program rule for PPSIs, and the treatment of foreign-issued stablecoins.