GENIUS Act: FinCEN/OFAC Proposal on AML/CFT and Sanctions Compliance

New rules of the road for permitted payment stablecoin issuers and regulators

KPMG Regulatory Insights

  • Payment Stablecoin Framework: FinCEN and OFAC’s joint proposal establishes stablecoin issuers as a new category of financial institution, separate from money services businesses, working in tandem with the implementing regulations put forth by the federal and state payment stablecoin regulators.
  • AML/CFT Reforms: Rules for payment stablecoin issuers would align with FinCEN’s AML/CFT proposals for U.S. financial institutions more broadly, emphasizing program effectiveness, risk-based assessments, and the allocation of resources to higher-risk areas.
  • Sanctions Compliance Program: The proposal is the first time that federal law would explicitly require a category of financial institution to maintain a formal sanctions compliance program.
  • Secondary Market Responsibilities: Issuers would have certain requirements to meet AML/CFT and sanctions compliance concerning secondary market activities, including the ability to block, freeze, or reject impermissible transactions. Notably, suspicious activity reporting obligations would not extend to the secondary market under the proposal.
May 2026

The Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) have issued a joint proposal to implement the anti-money laundering and combatting the financing of terrorism (AML/CFT) and sanctions compliance program requirements of the GENIUS Act (the Guiding and Establishing National Innovation for U.S. Stablecoins Act – see KPMG Regulatory Alert here) as they apply to a permitted payment stablecoin issuer (PPSI). The GENIUS Act requires that a PPSI “be treated as a financial institution for purposes of the Bank Secrecy Act, and as such, shall be subject to all Federal laws applicable to a financial institution located in the United States relating to economic sanctions, prevention of money laundering, customer identification, and due diligence.”

FinCEN and OFAC propose a regulatory framework to implement the GENIUS Act’s requirements for PPSIs, including:

  • Provisions to update existing regulations to add PPSIs
  • AML/CFT requirements (e.g., program, reporting, information sharing)
  • Sanctions compliance

FinCEN and OFAC invite comments on the proposal through June 9, 2026; the agencies propose that their respective rules would take effect 12 months after the issuance of a final rulemaking.

Updates to Existing Regulations

PPSI Relationship to Financial Institutions: The proposal would formally define PPSIs as financial institutions subject to the Bank Secrecy Act (BSA). However, the proposed regulations would reflect how PPSIs are “uniquely positioned”, including as a(n):

  • Subsidiary of an insured depository institution (including insured credit unions). In cases where a single AML/CFT program would be extended to both entities, on any point where PPSI-specific obligations differ, the PPSI-specific obligation would apply to the PPSI subsidiary.
  • Uninsured national bank. An institution that qualifies as both a PPSI and an uninsured national bank would be required to comply with both sets of obligations.
  • Money Services Business (MSB). Recognizing that stablecoin issuers (distinct from the PPSI under the GENIUS Act) are currently subject to the BSA as money transmitters and therefore as MSBs, PPSIs would be affirmatively carved out from the definition of MSBs to “limit overlapping obligations.”

Defining PPSI-Related Terms for AML/CFT: Terms related to PPSIs beyond the formal definition of PPSIs as financial institutions and as excluded from MSBs would be formally defined under the proposal. New terms consistent with the GENIUS Act would include “digital asset,” “distributed ledger,” “lawful order,” “payment stablecoin,” “permitted payment stablecoin issuer,” “Federal qualified payment stablecoin issuer,” and “State qualified payment stablecoin issuer.”

Examination Authority: FinCEN would delegate examination authority to the appropriate federal agencies while retaining authority for coordination and direction. FinCEN states that the GENIUS Act divides PPSIs into two categories:

  1. PPSIs that are regulated for safety and soundness by a primary federal payment stablecoin regulator (FRB, OCC, FDIC, NCUA), and
  2. PPSIs that are regulated for safety and soundness by a state payment stablecoin regulator.

FinCEN proposes delegating examination authority over PPSIs to federal agencies responsible for examining those same entities for safety and soundness and, where no such federal agency exists, to the Internal Revenue Service (IRS).

The population of entities under IRS examination authority will include state qualified payment stablecoin issuers (a subset of PPSIs as defined by the GENIUS Act) with outstanding issuances of not more than $10 billion or those with more than $10 billion in issuances that have been granted a waiver to allow the PPSI to remain supervised by a State payment stablecoin regulator.  

Supervision and Enforcement. The PPSI supervision and enforcement framework must emphasize effectiveness and risk-based supervision. An AML/CFT enforcement action or “significant” supervisory action by FinCEN would follow only from either a failure to establish an AML/CFT program or a “significant or systemic” failure to implement that program. As such, a primary federal payment stablecoin regulator that intends to take a significant supervisory action would be required to (1) allow the FinCEN Director opportunity to review the action, and (2) consider the Director’s input.

AML/CFT Program Requirements

Mirroring the recent FinCEN proposal for AML/CFT program requirements for financial institutions (see KPMG Regulatory Alert, here), PPSIs would be required to establish an AML/CFT program and maintain the program by implementing it in “all material aspects” across the “four pillars”:

Key AML/CFT Program Components – As Proposed

Pillar One: Internal Policies, Procedures, and Controls

Internal policies, procedures, and controls must be reasonably designed to:

  • “Identify, assess, and document” money laundering, terrorist financing risks, and other illicit finance risks (together, “ML/TF risks”) through risk assessment processes.
  • Mitigate ML/TF risks consistent with the risk assessment processes, including by allocating more attention and resources to higher-risk customers and activities.
  • Conduct ongoing customer due diligence, including the customer’s type of entity, home jurisdiction, AML/CFT obligations, operating history, services offered, and beneficial ownership/legal entity information.

Risk assessment processes must:

  • Evaluate the ML/TF risks of the PPSI’s business activities, including products, services, distribution channels, customers, and geographic locations.
  • Review and, as appropriate, incorporate FinCEN’s AML/CFT Priorities.
  • Be updated promptly upon any change that the PPSI knows or has reason to know significantly changes the PPSI’s ML/TF risks.

Pillar Two: Independent Testing

AML/CFT programs must undergo independent, periodic testing by individuals who are independent of the AML/CFT function (whether internal or external parties).

Independent testing should be based on objective criteria designed to assess whether a PPSI has effectively established, implemented, and resourced an AML/CFT program consistent with its risk assessment processes.

Treasury and FinCEN expect that an independent auditor should not substitute his or her own subjective judgment for that of the PPSI.

Pillar Three: Designation of AML/CFT Program Officer(s)

One or more qualified individuals must be designated as an AML/CFT officer responsible for establishing, implementing, and overseeing day-to-day compliance with BSA requirements.

The AML/CFT officer must be located in the United States and accessible to FinCEN. Other personnel located outside of the United States would still be permitted to perform certain AML/CFT functions.

A “felony offense involving insider trading, embezzlement, cybercrime, money laundering, financing of terrorism, or financial fraud” would disallow a person from holding this designation.

Pillar Four: Ongoing Employee Training

Employee training programs must be ongoing, risk-based, and focused on current regulatory requirements as well as the PPSI’s internal controls and risk assessment results. The frequency of training should be commensurate with the risk profile of the PPSI and targeted to the roles and responsibilities of employees.


Additional features to the AML/CFT program would include:

Additional AML/CFT Program Features – As Proposed

Program Approval

The program must be approved by the PPSI’s board of directors, an equivalent governing body, or appropriate senior management and maintained in written form that is available to FinCEN, appropriate federal regulators, and their designee.

Certifications

Any certification of the AML/CFT program that is submitted to a state or primary federal regulator must be provided to FinCEN upon request.

Reporting and Recordkeeping

A PPSI would be required to:

  • File currency transaction reports (CTRs) for transactions in physical currency (which does not include stablecoins) past a $10,000 threshold, barring certain exceptions; structuring transactions to avoid the requirement is prohibited.
  • File suspicious activity reports (SARs) for suspicious transactions meeting at least a $5,000 threshold (though this obligation would not extend to secondary market activity) within 30 days of recognition of the suspicious activity.
  • Comply with certain recordkeeping requirements, including those related to the Recordkeeping Rule and the Travel Rule.

Secondary Market Obligations

A PPSI must have the technical capabilities and procedures to block, freeze and reject impermissible transactions and comply with lawful orders, as well as to perform customer due diligence and to understand the risks of its supply chains, including blockchains. However, a PPSI would not be required to monitor secondary market activity under its AML/CFT program or file SARs for such activity.

Information Sharing; Due Diligence

  • PPSIs would be expressly included in information-sharing requirements as defined by the BSA, the Anti-Money Laundering Act and the USA PATRIOT Act. Upon request, a PPSI must provide information to FinCEN on any account or transaction associated with any individual, entity or organization named in the request.
  • Existing requirements for enhanced due diligence related to correspondent and private banking accounts would be extended to PPSIs, as would special measures associated with entities or transactions identified as a “primary money laundering concern.”

Sanctions Compliance Program

Pursuant to the GENIUS Act, PPSIs are required to have an effective sanctions compliance program and, as such, to block the property and interests in property of blocked persons; reject prohibited transactions involving certain persons, jurisdictions, or activities; and retain certain records and file reports with OFAC. FinCEN notes that this is the “first time” a federal law has explicitly mandated that a particular U.S. person have an effective sanctions compliance program.  

OFAC proposes that a PPSI’s sanctions compliance program include these elements:

Key Sanctions Compliance Program Components – As Proposed

Senior Management and Organizational Commitment

Senior management review and approval of a program and supporting implementation, ensuring that, at a minimum, it:

  • Applies to all payment stablecoin-related activity.
  • Has necessary and sufficient resources.
  • Is fully integrated into ongoing stablecoin-related operations.
  • Provides regular risk updates to senior management and appropriate personnel.
  • Provides sufficient expertise, authority and autonomy to the compliance function to identify U.S. sanctions compliance-related weaknesses and deficiencies.

Risk Assessment

Regular and holistic assessments to inform the sanctions compliance program (e.g., internal controls, training).

Internal Controls

Requirements to identify, block and/or reject transactions that would violate U.S. sanctions - in the primary or secondary market - by using risk-based sanctions controls for all payment stablecoin-related activity, including technical capabilities.

Testing and Auditing

Establish and maintain an independent testing or audit function, accountable to senior management, with sufficient resources, expertise and authority to identify U.S. sanctions compliance-related weaknesses and deficiencies.

Training

Maintain a risk-based training program that is:

  • Performed at least annually and with a frequency appropriate to risk assessments and risk profile for the PPSI.
  • Provided to all relevant personnel and stakeholders.
  • Appropriately tailored to trainees’ roles and responsibilities.
  • Modified to reflect findings of risk assessments and deficiencies identified in the sanctions compliance program.
  • Designed to include easily accessed resources and materials for all relevant personnel and stakeholders.


Defining PPSI-Related Terms for Sanctions Compliance:
For purposes of OFAC, the proposal would formally define:

  • “Knowingly,” to mean that a person has actual knowledge of, or should have known, the conduct, the circumstance, or the result (related to violations/enforcement).
  • “Payment stablecoin-related activity,” to mean “issuing, trading, holding, transacting, transferring, redeeming, or any other activity involving a payment stablecoin” issued by a PPSI from the time it is issued until the payment stablecoin is removed from circulation, whether on the primary or secondary market, including through redemption or other means.

Penalties: Civil monetary penalties would be imposed up to $100,000 per day for material violations of the requirement to maintain an effective sanctions compliance program. An additional penalty up to $100,000 per day would be assessed for each day a PPSI knowingly participates in such a violation. If a PPSI does not pay the penalty, OFAC would be authorized to refer the matter for administrative collection measures by Treasury or for civil action by the Justice Department in federal district court.

Appendix

The Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act or the Act) was signed into law on July 18, 2025. The law will go into effect on the earlier of January 18, 2027, or 120 days after the primary Federal Payment Stablecoin Regulators (defined to include FDIC, FRB, NCUA, OCC) issue final implementing regulations. The law establishes a regulatory framework for “payment stablecoins” – generally defined as digital assets redeemable at a fixed monetary value and used for payments or settlement.

Among the provisions, the Act sets forth:

  1. Permitted Payment Stablecoin Issuers
  2. Requirements for Issuing Payment Stablecoins
  3. Capital, Liquidity and Risk Management Requirements
  4. Bank Secrecy Act and Sanctions Laws
  5. Other Provisions

Permitted Payment Stablecoin Issuer. There are three categories of “permitted payment stablecoin issuers”:

  • Subsidiaries of insured depository institutions (IDIs), subject to approval by the relevant “federal payment stablecoin regulator” (the primary federal regulator of the IDI).
  • “Federal qualified payment stablecoin issuers,” defined to include nonbank entities (other than a state qualified payment stablecoin issuer), OCC-chartered uninsured national banks, and federal branches that have been approved by the OCC.
  • “State qualified payment stablecoin issuers,” defined to include entities that are established under state laws and approved to issue payment stablecoins by a “state payment stablecoin regulator” and are not an uninsured national bank chartered by the OCC, a federal branch, an insured depository institution, or a subsidiary of such national bank, federal branch, or insured depository institution.

Federal payment stablecoin regulators. In coordination with one another, federal payment stablecoin regulators are required to issue regulations to establish a payment stablecoin regulatory framework within one year of enactment.

State payment stablecoin regulators. State payment stablecoin regulators are permitted to issue orders and rules to the same extent as the primary federal payment stablecoin regulators.

State qualified payment stablecoin issuers with a consolidated total outstanding issuance of not more than $10 billion would be allowed to opt for state-level regulation, provided the state-level regime is “substantially similar” to the federal regulatory framework. However, state qualified payment stablecoin issuers with a consolidated total outstanding issuance of more than $10 billion would be required to transition to the Federal regulatory framework (to be administered jointly by the state and federal regulators); those that are state chartered depository institutions would be subject to oversight by the primary federal payment stablecoin regulator of the state chartered depository institution, while all other state qualified payment stablecoin issuers would be subject to oversight by the state and the OCC.
