[Federal Register Volume 91, Number 69 (Friday, April 10, 2026)]
[Proposed Rules]
[Pages 18582-18667]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2026-06963]
[[Page 18581]]
Vol. 91
Friday,
No. 69
April 10, 2026
Part III
Department of the Treasury
-----------------------------------------------------------------------
Office of Foreign Assets Control
-----------------------------------------------------------------------
31 CFR Part 502
Financial Crimes Enforcement Network
-----------------------------------------------------------------------
31 CFR Parts 1010 and 1033
Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering
the Financing of Terrorism Program and Sanctions Compliance Program
Requirements; Proposed Rule
��Federal Register / Vol. 91 , No. 69 / Friday, April 10, 2026 /
Proposed Rules��
[[Page 18582]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of Foreign Assets Control
31 CFR Part 502
Financial Crimes Enforcement Network
31 CFR Parts 1010 and 1033
[Docket No. FINCEN-2026-0100]
RIN 1506-AB73
Permitted Payment Stablecoin Issuer Anti-Money Laundering/
Countering the Financing of Terrorism Program and Sanctions Compliance
Program Requirements
AGENCY: Financial Crimes Enforcement Network, Office of Foreign Assets
Control, Treasury.
ACTION: Joint proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Department of the Treasury's Financial Crimes Enforcement
Network (FinCEN) and Office of Foreign Assets Control (OFAC) are
jointly issuing this proposed rule to implement provisions of the
Guiding and Establishing National Innovation for U.S. Stablecoins Act
(GENIUS Act). Specifically, it implements the GENIUS Act's directive to
treat permitted payment stablecoin issuers (PPSIs) as financial
institutions for purposes of the Bank Secrecy Act, proposes anti-money
laundering obligations for PPSIs, and proposes certain specific
obligations required by the GENIUS Act for PPSIs. It also implements
the GENIUS Act's directive to require PPSIs to maintain effective
sanctions compliance programs.
DATES: Comments must be received by June 9, 2026.
ADDRESSES: Comments must be submitted in one of the following two ways
(please choose only one of the ways listed):
Electronically at https://www.regulations.gov. Follow the
``Submit a comment'' instructions under Docket FINCEN-2026-0100. If you
are reading this document on federalregister.gov, you may use the green
``SUBMIT A PUBLIC COMMENT'' button beneath this rulemaking's title to
submit a comment to the regulations.gov docket.
You may mail written comments to the following address:
Regulatory and Strategic Affairs Division, Financial Crimes Enforcement
Network, P.O. Box 39, Vienna, VA 22183. Mailed comments must be
received by the close of the comment period.
Do not include any personally identifiable information (such as
name, address, or other contact information) or confidential business
information that you do not want publicly disclosed. All comments are
public records; they are publicly displayed exactly as received, and
will not be deleted, modified, or redacted. Comments may be submitted
anonymously. Follow the search instructions on https://www.regulations.gov to view public comments.
In accordance with 5 U.S.C. 553(b)(4), a summary of this rule may
be found at https://www.regulations.gov under Docket FINCEN-2026-0100.
FOR FURTHER INFORMATION CONTACT:
FinCEN: The FinCEN Regulatory Support Section by submitting an
inquiry at www.fincen.gov/contact.
OFAC: Assistant Director for Regulatory Affairs, 202-622-4855 or
https://ofac.treasury.gov/contact-ofac.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
Payment stablecoins could revolutionize payment systems, but the
U.S. financial system's strength, size, and reliability make its
payment systems a notable target for misuse by illicit actors, which
jeopardizes U.S. national security. To combat illicit finance risk,
this notice of proposed rulemaking (NPRM) implements the GENIUS Act's
directive to subject PPSIs to anti-money laundering (AML) requirements,
including Bank Secrecy Act (BSA) requirements, and to require PPSIs to
maintain an effective economic sanctions compliance program.
Although issued jointly by FinCEN and OFAC, the NPRM outlines
independent changes to two different chapters of Title 31 of the Code
of Federal Regulations. First, FinCEN is proposing changes to its
existing regulations and creation of a new part of chapter X to
effectuate the GENIUS Act's directive to apply BSA and AML obligations
to PPSIs. Second, OFAC is proposing a new part to chapter V to
effectuate the GENIUS Act's directive that PPSIs maintain an effective
economic sanctions compliance program.
II. Statutory Authority
A. The Guiding and Establishing National Innovation for U.S.
Stablecoins Act
The GENIUS Act provides a comprehensive framework for the
regulation of payment stablecoins.\1\ The GENIUS Act outlines the
reserve, capital, liquidity, and risk management requirements for PPSIs
and tasks implementing those requirements to the Office of the
Comptroller of the Currency (OCC), the Board of Governors of the
Federal Reserve System (Board), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA),
and, as applicable, any State payment stablecoin regulators.\2\ The
OCC, Board, FDIC, and NCUA are responsible for establishing a process
and framework for the licensing, regulation, examination, and
supervision of PPSIs under their respective purviews.\3\ The GENIUS Act
requires that a PPSI ``be treated as a financial institution for
purposes of the Bank Secrecy Act, and as such, shall be subject to all
Federal laws applicable to a financial institution located in the
United States relating to economic sanctions, prevention of money
laundering, customer identification, and due diligence.'' \4\ The
GENIUS Act directs the Secretary of the Treasury to issue regulations,
tailored to the size and complexity of the PPSI, implementing this
provision of the GENIUS Act.\5\
---------------------------------------------------------------------------
\1\ GENIUS Act, Public Law 119-27, 139 Stat. 419 (2025)
(codified at 12 U.S.C. 5901-5916).
\2\ See 12 U.S.C. 5901(25), (30); see also 12 U.S.C.
5903(a)(4)(A), 5906(d).
\3\ 12 U.S.C. 5901(25) (defining ``primary Federal payment
stablecoin regulator'' and outlining jurisdiction regarding specific
types of PPSIs), 5904 (directing the primary Federal payment
stablecoin regulators to ``establish a process and framework for the
licensing, regulation, examination, and supervision'' for PPSIs
under their respective jurisdictions).
\4\ 12 U.S.C. 5903(a)(5)(A).
\5\ 12 U.S.C. 5903(a)(5)(B). In addition to rulemaking authority
codified in the ``Treatment Under the Bank Secrecy Act and Sanctions
Law'' section, the GENIUS Act also generally calls for the Secretary
of the Treasury to promulgate regulations ``to carry out [the GENIUS
Act] through appropriate notice and comment rulemaking.'' 12 U.S.C.
5913(a). In accordance with Treasury Order 101-05 and 31 U.S.C.
321(b)(2), the authority vested in the Secretary under the GENIUS
Act to issue regulations related to prevention of money laundering
and countering the financing of terrorism and related to economic
sanctions has been delegated to the Director of FinCEN and to the
Director of OFAC, respectively.
---------------------------------------------------------------------------
Regarding the BSA and AML, in addition to its clear, general
directive that PPSIs be treated as financial institutions for purposes
of the BSA and be subject to ``all Federal laws'' related to preventing
money laundering, the GENIUS Act specifies that a PPSI's obligations
include: (i) maintenance of an effective AML program, which includes
appropriate risk assessments and designation of an officer to supervise
the program; (ii) retention of appropriate records; (iii) monitoring
and reporting any suspicious transaction relevant to a possible
violation of law or regulation; (iv) maintenance of technical
capabilities, policies, and procedures to
[[Page 18583]]
block, freeze, and reject specific or impermissible transactions that
violate Federal or State law, rules, or regulations; and (v)
maintenance of an effective customer identification program,\6\
including identifying and verifying the PPSI's account holders, high-
value transactions, and appropriate enhanced due diligence.\7\ The
GENIUS Act contains other provisions that control illicit risk in the
payment stablecoin ecosystem. One of these provisions is the
requirement that PPSIs only issue payment stablecoins if the issuer has
the technological capability to comply and will comply with the terms
of any ``lawful order,'' which the GENIUS Act defines, in part, as an
order issued or promulgated by a Federal agency or court to seize,
freeze, burn, or prevent the transfer of payment stablecoins.\8\
---------------------------------------------------------------------------
\6\ The GENIUS Act's customer identification program requirement
is expected to be the subject of a separate rulemaking.
\7\ 12 U.S.C. 5903(a)(5)(A)(i)-(v).
\8\ 12 U.S.C. 5903(a)(6)(B), 5901(16) (defining ``lawful
order'').
---------------------------------------------------------------------------
Regarding sanctions, the GENIUS Act expressly subjects PPSIs to
``all Federal laws applicable to a financial institution located in the
United States relating to economic sanctions'' \9\ and requires PPSIs
to maintain ``an effective economic sanctions compliance program,
including verification of sanctions lists, consistent with Federal
law.'' \10\
---------------------------------------------------------------------------
\9\ 12 U.S.C. 5903(a)(5)(A).
\10\ 12 U.S.C. 5903(a)(5)(A)(vi).
---------------------------------------------------------------------------
This NPRM represents one piece of the comprehensive regulatory
framework for PPSIs set out in the GENIUS Act.\11\
---------------------------------------------------------------------------
\11\ On September 19, 2025, the Department of the Treasury
issued an advance notice of proposed rulemaking concerning the
GENIUS Act. See Treasury, GENIUS Act Implementation, 90 FR 45159
(Sept. 19, 2025); see also FDIC, Approval Requirements for Issuance
of Payment Stablecoins by Subsidiaries of FDIC-Supervised Insured
Depository Institutions, 90 FR 59409 (Dec. 19, 2025); NCUA,
Investments in and Licensing of Permitted Payment Stablecoins
Issuers, 91 FR 6531 (Feb. 12, 2026); OCC, Implementing the Guiding
and Establishing National Innovation for U.S. Stablecoins Act for
the Issuance of Stablecoins by Entities Subject to the Jurisdiction
of the Office of the Comptroller of the Currency, 91 FR 10202 (Mar.
2, 2026); Treasury, GENIUS Act Broad-Based Principles for
Determining Whether a State-Level Regulatory Regime Is Substantially
Similar to the Federal Regulatory Framework, 91 FR 16844 (Apr. 3,
2026).
---------------------------------------------------------------------------
B. The Bank Secrecy Act
The Bank Secrecy Act, or ``BSA,'' is the common name for a
collection of statutory authorities designed to safeguard the national
security of the United States by combating money laundering, the
financing of terrorism, and other illicit finance activity.\12\ Under
the BSA, Congress authorized the Secretary to impose various
obligations on financial institutions, including requiring risk-based
programs to prevent money laundering and the financing of terrorism.
The BSA also enables the Secretary to require financial institutions to
file reports and keep records that ``are highly useful'' including ``in
criminal, tax, or regulatory investigations, risk assessments, or
proceedings,'' or in the conduct of ``intelligence or
counterintelligence activities, including analysis, to protect against
terrorism.'' \13\ In order to enable both the public and private
sectors to identify and stop illicit actors, the BSA also directed the
establishment of appropriate frameworks for information sharing among
various actors, including financial institutions and law enforcement
authorities.\14\ The Secretary has delegated the authority to
implement, administer, and enforce the BSA and its associated
regulations to the Director of FinCEN.\15\
---------------------------------------------------------------------------
\12\ See 31 U.S.C. 5311. Certain parts of the Currency and
Foreign Transactions Reporting Act, its amendments, and the other
statutes relating to the subject matter of that Act, have come to be
referred to as the BSA. These statutes are codified at 12 U.S.C.
1829b, 12 U.S.C. 1951-1960, and 31 U.S.C. 5311-5314 and 5316-5336
and notes thereto, with implementing regulations at 31 CFR chapter
X. Consistent with that understood meaning, as codified, the GENIUS
Act defines the ``Bank Secrecy Act'' to mean ``(A) section 1829b of
[title 12]; (B) chapter 2 of title I of Public Law 91-508 (12 U.S.C.
1951 et seq.); and (C) subchapter II of chapter 53 of title 31.'' 12
U.S.C. 5901(2).
\13\ See 31 U.S.C. 5311(1); see also 5313, 5318(g).
\14\ See 31 U.S.C. 5311(5), 5311 note (``Cooperation Among
Financial Institutions, Regulatory Authorities, and Law Enforcement
Authorities''); see also 31 U.S.C. 310.
\15\ See Treasury Order 180-01 (Jan. 14, 2020), para. 3,
available at https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01; see also 31 U.S.C.
310(b)(2)(I) (providing that the Director of FinCEN shall
``[a]dminister the requirements of subchapter II of chapter 53 of
this title, chapter 2 of title I of Public Law 91-508, and section
21 of the Federal Deposit Insurance Act, to the extent delegated
such authority by the Secretary'').
---------------------------------------------------------------------------
Many of the obligations included in the BSA are explicitly included
in the GENIUS Act as obligations imposed on PPSIs. For example, in both
the BSA and the GENIUS Act, Congress authorized Treasury to impose
obligations to maintain effective AML programs; \16\ retain records;
\17\ monitor and report suspicious activity; \18\ maintain customer
identification programs; \19\ and conduct enhanced due diligence.\20\
---------------------------------------------------------------------------
\16\ See 31 U.S.C. 5318(h); 12 U.S.C. 5903(a)(5)(A)(i).
\17\ See, e.g., 31 U.S.C. 5318(a)(2); 12 U.S.C. 1826b; 12 U.S.C.
1953; 12 U.S.C. 5903(a)(5)(A)(ii).
\18\ See 31 U.S.C. 5318(g); 12 U.S.C. 5903(a)(5)(A)(iii).
\19\ See 31 U.S.C. 5318(l); 12 U.S.C. 5903(a)(5)(A)(v).
\20\ See 31 U.S.C. 5318(i); 12 U.S.C. 5903(a)(5)(A)(v).
---------------------------------------------------------------------------
C. Office of Foreign Assets Control Statutory Authority
OFAC acts under Presidential national emergency powers, as well as
various statutory authorities, and has been delegated responsibility by
the Treasury Secretary for developing, administering, and enforcing
U.S. economic sanctions. The International Emergency Economic Powers
Act (IEEPA), enacted in 1977, is a key authority for imposing economic
sanctions.\21\ IEEPA authorizes the President to declare a national
emergency in response to an unusual or extraordinary threat to the
United States that has its source in whole or substantial part outside
the United States.\22\ Upon declaration of a national emergency, IEEPA
authorizes the President to, among other actions, investigate, block,
regulate, or prohibit transactions and dealings in property subject to
U.S. jurisdiction when a foreign national or country has an
interest.\23\ IEEPA also provides the President with the authority to
issue regulations as may be necessary to exercise the authorities
granted in IEEPA.\24\ The President typically delegates the authority
to administer economic sanctions pursuant to IEEPA to the Secretary,
who redelegates the implementation authority to OFAC.\25\
---------------------------------------------------------------------------
\21\ See 50 U.S.C. 1701 et seq.
\22\ See 50 U.S.C. 1701.
\23\ See 50 U.S.C. 1702.
\24\ See 50 U.S.C. 1704.
\25\ See, e.g., 31 CFR 525.106, 548.802, 591.802.
---------------------------------------------------------------------------
Through the exercise of its delegated IEEPA authority and other
authorities, OFAC administers and enforces economic sanctions to
prohibit certain transactions and to block assets under U.S.
jurisdiction, including by issuing civil money penalties. OFAC
sanctions include sanctions that block the property or interests in
property of, or prohibit certain transactions or dealings with,
sanctioned individuals and entities, including foreign governments and
officials, terrorists, international narcotics traffickers, and those
engaged or who have engaged in activities such as serious human rights
abuse, corruption, the proliferation of weapons of mass destruction,
transnational organized crime, sanctions evasion, or the provision of
material support to sanctioned individuals and entities. OFAC also
administers comprehensive sanctions that broadly prohibit
[[Page 18584]]
transactions and dealings involving an entire country or geographic
region or a particular sector of a country's economy.
III. Advance Notice of Proposed Rulemaking
Treasury issued an advance notice of proposed rulemaking (ANPRM) in
September 2025 seeking public comment on potential Treasury regulations
implementing the GENIUS Act.\26\ Pertinent to this proposal, the ANPRM
asked questions related to definitions used in the GENIUS Act; the
GENIUS Act's BSA, AML, and sanctions program provisions; and the
potential costs and benefits associated with BSA and sanctions
obligations.\27\
---------------------------------------------------------------------------
\26\ GENIUS Act Implementation, 90 FR 45159. The ANPRM solicited
comment on a range of potential Treasury efforts related to the
GENIUS Act and payment stablecoins that are outside the purview of
this rulemaking. For example, the ANPRM included questions related
to the GENIUS Act prohibition on digital asset service providers
offering and selling a payment stablecoin to any person in the
United States unless the payment stablecoin is issued by a PPSI or a
foreign payment stablecoin issuer that meets certain requirements.
Id. at 45160-61. It also included questions related to Treasury's
role in determining whether a state-level regulatory regime is
substantially similar to the Federal framework and whether a foreign
country's regulatory and supervisory regime is comparable to the
U.S. framework. Id. at 45162-63.
\27\ Id. at 45161-63.
---------------------------------------------------------------------------
In response to this ANPRM, Treasury received approximately 450
timely comments from a variety of stakeholders, including banks and
credit unions, stablecoin issuers, digital asset exchanges, analytics
companies, law firms, trade associations, non-governmental
organizations, technology firms, academics, and members of the public.
Treasury reviewed and considered the pertinent comments in crafting
this proposal.
In general, commenters supported applying BSA and sanctions program
obligations to PPSIs. For BSA obligations, some commenters advocated
these requirements mirror existing obligations and risk-based
frameworks. Some commenters generally asserted that different
obligations should apply with regards to transactions on the primary
market versus transactions on the secondary market.\28\ On costs and
benefits, some commenters acknowledged meaningful upfront costs
associated with complying with the BSA, sanctions program obligations,
and the GENIUS Act, particularly for new or unregulated entrants, but
also stated that clearer rules would lower long-term compliance
friction, reduce illicit finance risks, improve supervisory efficiency,
and ultimately strengthen market confidence and U.S. competitiveness.
---------------------------------------------------------------------------
\28\ See infra section IV.C discussing the meaning of primary
and secondary market for purposes of this rulemaking.
---------------------------------------------------------------------------
IV. Stablecoin Ecosystem
The GENIUS Act only governs a subcategory of stablecoins, namely
``payment stablecoins'' as defined by the GENIUS Act, and a subcategory
of actors in the payment stablecoin ecosystem, most critically for this
rulemaking, PPSIs.\29\ Thus, under the GENIUS Act, not all stablecoins
are payment stablecoins and not all stablecoin issuers will be eligible
to be PPSIs. Because the GENIUS Act framework is not yet in place, it
is not yet determined which specific stablecoins will be payment
stablecoins and which specific issuers will be PPSIs. An understanding
of the stablecoin ecosystem, uses of stablecoins, and risks associated
with stablecoins generally informs the parameters of the proposed rule,
including the rationale behind certain proposed obligations.
---------------------------------------------------------------------------
\29\ See, e.g., 12 U.S.C. 5902, 5903.
---------------------------------------------------------------------------
A. Overview of Stablecoins and Stablecoin Issuers
Stablecoins are a blockchain-based \30\ digital asset \31\ designed
to maintain a stable value relative to an underlying asset, most often,
but not always, a fiat currency.\32\ Many stablecoin issuers represent
that their stablecoin can be redeemed at par upon request, although
redemption terms and rights vary by stablecoin. The asserted redemption
value of a stablecoin is generally tied to the value of the pool of
reserve assets that ``backs'' the stablecoin.\33\
---------------------------------------------------------------------------
\30\ A blockchain is ``any technology where data is: (i) shared
across a network to create a public ledger of verified transactions
or information among network participants; (ii) linked using
cryptography to maintain the integrity of the public ledger and to
execute other functions; (iii) distributed among network
participants in an automated fashion to concurrently update network
participants on the state of the public ledger and any other
functions; and (iv) composed of source code that is publicly
available.'' See Executive Order (E.O.) 14178, Strengthening
American Leadership in Digital Financial Technology, 90 FR 8647,
sec. 2(b) (Jan. 31, 2025).
\31\ For this proposed rule, a ``digital asset'' is ``any
digital representation of value that is recorded on a
cryptographically secured distributed ledger.'' See 12 U.S.C.
5901(6).
\32\ White House, Strengthening American Leadership in Digital
Financial Technology, p. 88 (July 2025) [hereinafter E.O. 14178
Report], available at https://www.whitehouse.gov/wp-content/uploads/2025/07/Digital-Assets-Report-EO14178.pdf. This report was issued by
the President's Working Group on Digital Asset Markets, of which the
Secretary is a member, pursuant to E.O. 14178.
\33\ See id. at p. 90. As discussed in the E.O. 14178 Report, as
of July 2025, more than 99 percent of the outstanding value of
stablecoins in circulation is pegged to the U.S. dollar. Id. Other
types of assets that may back different forms of stablecoins include
digital assets, precious metals, or corporate bonds with lower
credit ratings. See id.
---------------------------------------------------------------------------
Most stablecoins backed by financial assets, including fiat
currency, have centralized control, meaning that one company, or a
group of companies, are responsible for governance functions, including
defining and ensuring compliance with standards related to the
issuance, purchase, redemption, custody, and transfer of the
stablecoin. Generally, a stablecoin issuer will issue a stablecoin when
a user provides the issuer funds denominated in the fiat currency of
the stablecoin's peg. Similarly, a stablecoin is redeemed when a user
exchanges stablecoins with the stablecoin issuer for funds valued at
the corresponding amount of fiat currency.
Currently, many stablecoin issuers generally interact directly with
a small number of larger companies, which are often institutional
participants in the trading of digital assets (i.e., digital asset
exchanges).\34\ Those companies, in turn, interact with a larger and
more diverse group of users. Many stablecoin issuers predominantly
offer issue and redemption services to financial institutions,
including digital asset exchanges that may be regulated under the BSA
as money services businesses (MSBs).\35\ Generally, once an issuer
issues stablecoins to such financial institutions, those institutions
put the stablecoins into broader circulation to other users, such as
individual, retail users. Similarly, individual users generally do not
redeem stablecoins through a stablecoin issuer but rather interact with
a digital asset exchange or platform.\36\ However, in the future,
issuers could more commonly interact directly with retail users,
including issuing and redeeming payment stablecoins.
---------------------------------------------------------------------------
\34\ See Watsky, Cy, et al., Primary and Secondary Markets for
Stablecoins, FEDS Notes, Washington: Board of Governors of the
Federal Reserve System (Feb. 23, 2024), available at https://doi.org/10.17016/2380-7172.3447.
\35\ See id.; see also E.O. 14178 Report, supra note 32, pp.
104-05.
\36\ See, e.g., E.O. 14178 Report, supra note 32, p. 18.
---------------------------------------------------------------------------
Most stablecoin issuers use smart contracts \37\ to issue
stablecoins, enable
[[Page 18585]]
or prohibit subsequent transactions in the stablecoin, and redeem
stablecoins. The smart contracts underlying most stablecoins maintain a
ledger of the number of stablecoins ``owned by a set of accounts where
each account is owned by a blockchain address'' or wallet.\38\ Smart
contracts generally allow for programmability that can enable a
stablecoin issuer to maintain control over and alter the use of its
stablecoin.
---------------------------------------------------------------------------
\37\ A smart contract is a ``collection of code and data . . .
that is deployed using cryptographically signed transactions'' on a
blockchain network, which is executed by nodes on a blockchain to
perform any given set of pre-determined functions or conditions that
are recorded on a blockchain. See National Institute of Standards
and Technology (NIST), NISTIR 8202, Blockchain Technology Overview,
p. 32 (Oct. 2018), available at https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8202.pdf (``A smart contract can perform
calculations, store information, expose properties to reflect a
publicly exposed state and, if appropriate, automatically send funds
to other accounts.'').
\38\ NIST, NISTIR 8408, Understanding Stablecoin Technology and
Security Considerations, p. 6 (Sept. 2023), available at https://nvlpubs.nist.gov/nistpubs/ir/2023/NIST.IR.8408.pdf. The lynchpin of
a blockchain is asymmetric (public key) cryptography, which is used
to secure and send transactions on a blockchain. See Blockchain
Technology Overview, supra note 37, p. 11. First, a user generates a
private key (a string of characters that function like a password)
and uses that private key to generate a public key (an account
number on a blockchain known as an address). Without the private key
associated with an address or public key, a user cannot access the
digital assets contained within. Developers have created software or
hardware wallets to enable users to manage their public and private
keys. See E.O. 14178 Report, supra note 32, pp. 9-10.
---------------------------------------------------------------------------
In the current environment, control capabilities vary depending on
how the stablecoin issuer designed the stablecoin, including the
associated smart contract and the blockchain on which the smart
contracts are deployed. For example, a stablecoin issuer may be able to
prohibit specific wallet addresses from interacting with the stablecoin
and its smart contract. Applying such controls to a particular wallet
address would effectively prevent the holder of a stablecoin from
transferring, redeeming, or otherwise moving the stablecoin.
Additionally, some stablecoin issuers can send stablecoins in
circulation to an unrecoverable wallet address, commonly referred to as
``burning,'' effectively removing the stablecoins from a given wallet
and from circulation in general.\39\ In some cases, including when
required by a lawful order, stablecoin issuers reissue stablecoins
equivalent to burned or frozen funds to different wallets as part of
efforts to recover and return funds to victims of criminal activity.
---------------------------------------------------------------------------
\39\ Understanding Stablecoin Technology and Security
Considerations, supra note 38, p. 8.
---------------------------------------------------------------------------
B. Stablecoin Use Cases
Currently, most stablecoin users primarily rely on stablecoins to
store value, facilitate trades in other digital assets, or to interact
with smart contracts. Payment stablecoins could, however, become a more
widely adopted form of payment.\40\ U.S. consumers and businesses
process trillions of dollars of payments daily.\41\ Although
innovations like real-time payment networks \42\ decrease settlement
times, particularly for domestic transfers, cross-border payments
through traditional payment mechanisms remain more costly and
slower.\43\ Innovation in cross-border payments could support economic
growth, including by facilitating international trade. Payment
stablecoins may be able to mitigate some of the challenges individuals
and small businesses face in navigating cross-border payments by
increasing speed, decreasing cost, and enabling transactions with fewer
intermediaries.\44\
---------------------------------------------------------------------------
\40\ See E.O. 14178 Report, supra note 32, p. 91.
\41\ Id. at p. 88.
\42\ See id. at p. 89; see, e.g., Fed. Reserve, About the FedNow
Service (n.d.), available at https://www.frbservices.org/financial-services/fednow/about.html.
\43\ See E.O. 14178 Report, supra note 32, p. 88.
\44\ See id. at pp. 90-91.
---------------------------------------------------------------------------
C. Payment Stablecoin Activity
Due to the use of smart contracts underlying stablecoin
transactions and how users interact with stablecoin issuers, the
ecosystem can, broadly speaking, be divided into two components, the
primary market and the secondary market. For the purposes of this
rulemaking, FinCEN and OFAC use these terms to help describe categories
of payment stablecoin activity and articulate the parameters of
particular obligations.
FinCEN and OFAC will use the term ``primary market'' to generally
describe a PPSI interacting directly with a user or holder of a payment
stablecoin, such as when a PPSI engages in issuing, converting,
redeeming, repurchasing, burning, and reissuing payment stablecoins, as
well as providing associated services, such as providing custodial
services.\45\ Generally speaking, primary market activity will involve
activity where a PPSI and a user have a relationship or direct
interaction beyond the involvement of a PPSI's smart contract (e.g.,
the PPSI's maintenance of an account through which the transactions of
such user or customer may be effectuated).
---------------------------------------------------------------------------
\45\ If consistent with the law and authorized by a primary
Federal payment stablecoin regulator or the State payment stablecoin
regulator, as applicable, PPSIs can also engage in activities as a
``digital asset service provider,'' as defined by the GENIUS Act,
and activities incidental thereto. Such activities include
exchanging and transferring digital assets. See 12 U.S.C.
5903(a)(7)(B), 5901(7). Such activity would also constitute primary
market activity.
---------------------------------------------------------------------------
FinCEN and OFAC will use the term ``secondary market'' to describe
payment stablecoin activity that does not directly involve the PPSI as
a party to the transaction other than via a smart contract. For
example, secondary market activity could include an individual
purchasing payment stablecoins from an intermediary, an individual
sending payment stablecoins from a self-hosted wallet to a vendor to
purchase goods, an individual exchanging payment stablecoins for
another digital asset via a digital asset exchange, or person-to-person
transactions in payment stablecoins.
D. Illicit Finance Risks Associated With Stablecoins
The liquidity and stability of stablecoins relative to other
digital assets and rapid settlement of stablecoins make them appealing
to illicit actors as well as legitimate users.\46\ As a result, in
general, illicit actors have increasingly used stablecoins to
facilitate transactions and store proceeds.\47\ The illicit finance
risks discussed below related to stablecoins are likely to generally
also apply to payment stablecoins, particularly because the most
prolific stablecoins carry indicators they could be payment
stablecoins.
---------------------------------------------------------------------------
\46\ See Treasury, 2026 National Money Laundering Risk
Assessment, p. 50 (Mar. 2026) [hereinafter 2026 NMLRA], available at
https://home.treasury.gov/system/files/246/2026-NMLRA.pdf; E.O.
14178 Report, supra note 32, p. 94.
\47\ See 2026 NMLRA, supra note 46, p. 50.
---------------------------------------------------------------------------
The U.S. government has linked stablecoins to a range of illicit
activities and bad actors, including scammers and fraudsters; \48\
Democratic People's Republic of Korea (DPRK) information technology
(IT) workers, cybercriminal groups and related money laundering
networks; \49\ drug traffickers; \50\ terrorist
[[Page 18586]]
groups; \51\ and sanctions evasion and money laundering networks; \52\
among others. Between January 1, 2015, and November 21, 2025, FinCEN
received approximately 55,000 suspicious activity reports (SARs) that
referenced one or more specific stablecoins in the narrative, as well
as an additional approximately 8,400 reports that included a general
reference to the term ``stablecoin.'' Also, between January 1, 2015,
and November 21, 2025, OFAC received approximately 5,800 reports on
blocked property and 3,000 reports on rejected transactions that
referenced one or more specific stablecoins in the narrative, as well
as approximately six reports that included a general reference to the
term ``stablecoin''. Furthermore, the Financial Action Task Force noted
in 2025 that ``[e]stimates suggest that a majority of all on-chain
illicit activity is now transacted in stablecoins,'' aligning with the
trend of overall growth in stablecoin adoption.\53\
---------------------------------------------------------------------------
\48\ See, e.g., Compl., United States v. Approximately
225,364,961 USDT, No. 25-cv-1907 (D.D.C. June 18, 2025) (civil
forfeiture action against more than $225.3 million in stablecoins
allegedly involved in concealing proceeds of digital assets
investment fraud); United States v. Su, No. 25-cr-362 (C.D. Cal.
Jan. 27, 2026) (defendant sentenced to 46 months in prison for role
in digital investment scam involving $36.9 million where victim
funds were converted to stablecoins).
\49\ See, e.g., Indictment, United States v. Sop, No. 23-cr-128
(D.D.C. Mar. 18, 2023) (indictment alleging defendant laundered
proceeds of DPRK IT workers in violation of sanctions, including
through use of stablecoins); DOJ, Press Release, Department Files
Civil Forfeiture Complaint Against Over $7.74M Laundered on Behalf
of the North Korean Government (June 5, 2025), available at https://www.justice.gov/opa/pr/department-files-civil-forfeiture-complaint-against-over-774m-laundered-behalf-north-korean; United States of
America v. Approximately 1,159,834.52 USDT, No. 25-cv-3771 (D.D.C.
Oct. 24, 2025) (civil forfeiture complaint of stablecoins related to
virtual currency heists perpetrated by DPRK hacking groups).
\50\ See, e.g., United States v. Zhang et al., No. 22-cr-10279
(Aug. 15, 2025) (defendants sentenced to prison in connection with
drug trafficking scheme involving conversion of proceeds to
stablecoins); see also, DOJ, Press Release, Two Men Sentenced for
Role in International Money Laundering and Drug Trafficking
Conspiracy (Aug. 15, 2025), available at https://www.justice.gov/usao-ma/pr/two-men-sentenced-role-international-money-laundering-and-drug-trafficking-conspiracy.
\51\ See, e.g., DOJ, Press Release, Justice Department Disrupts
Hamas Terrorist Financing Scheme Through Seizure of Cryptocurrency
(Mar. 27, 2025), available at https://www.justice.gov/opa/pr/justice-department-disrupts-hamas-terrorist-financing-scheme-through-seizure-cryptocurrency; United States of America v. Nine
Cryptocurrency Wallets Held by Tether Ltd. and Seven Cryptocurrency
Wallets Held by Binance Holdings Ltd., No. 24-cv-01251 (D.D.C. Nov.
13, 2025) (involving a civil forfeiture of approximately $2 million
dollars in digital currency connected to a Gaza-based money transfer
business that was involved in financially supporting Hamas).
\52\ Treasury, Press Release, Treasury Exposes Money Laundering
Network Using Digital Assets to Evade Sanctions (Dec. 4, 2024),
available at https://home.treasury.gov/news/press-releases/jy2735.
\53\ Financial Action Task Force (FATF), Targeted Update on
Implementation of the FATF Standards on Virtual Assets and Virtual
Assets Service Providers, ] 35 (June 2025), available at https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/2025-Targeted-Upate-VA-VASPs.pdf.coredownload.pdf.
---------------------------------------------------------------------------
Some illicit transactions leveraging stablecoins involve one or
more financial institutions, such as a digital asset exchange, that are
subject to U.S. anti-money laundering and countering the financing of
terrorism (AML/CFT) obligations. In other instances, however,
stablecoin holders conduct transactions on the secondary market without
an intermediary (i.e., person-to-person) or through foreign digital
asset exchanges in jurisdictions with inadequate or no AML/CFT
obligations for such actors.\54\ BSA data indicates that financial
services providers in jurisdictions with lax AML/CFT standards use
accounts with stablecoin issuers to convert funds on behalf of their
customers from local currencies into stablecoins, which can then be
laundered and ultimately exchanged for U.S. dollars.
---------------------------------------------------------------------------
\54\ Id.
---------------------------------------------------------------------------
1. Laundering of Illicit Proceeds
Illicit actors have turned to stablecoins to launder illicit
proceeds in part because, relative to other digital assets, they are
more stable and have better liquidity.\55\ Some facilitators involved
in exchanging illicit proceeds in digital assets for fiat currency
request stablecoins instead of other digital assets.\56\
---------------------------------------------------------------------------
\55\ 2026 NMLRA, supra note 46, p. 52.
\56\ Id.
---------------------------------------------------------------------------
At times, stablecoins are one element of a complex money laundering
process that may include the use of digital asset exchanges, conversion
between stablecoins and other digital assets, and transfers between
wallets not hosted by a financial institution.\57\ For example, in June
2025, DOJ filed a civil forfeiture complaint against more than $225.3
million in stablecoins, alleging that the addresses holding those
stablecoins were part of a sophisticated money laundering network that
executed hundreds of thousands of transactions and were used to conceal
the nature, source, control, and ownership of proceeds derived from
digital asset investment fraud.\58\
---------------------------------------------------------------------------
\57\ Id.
\58\ DOJ, Press Release, Largest Ever Seizure of Funds Related
to Crypto Confidence Scams (June 18, 2025), available at https://www.justice.gov/usao-dc/pr/largest-ever-seizure-funds-related-crypto-confidence-scams.
---------------------------------------------------------------------------
Stablecoins may also appeal to illicit laundering networks because
they enable actors to rapidly move large amounts of value around the
globe.\59\ Chinese money laundering networks, which serve as the
dominant professional money laundering networks for drug trafficking
and transnational criminal organizations, are also increasingly
exchanging illicit proceeds in the form of U.S. dollars for digital
assets, particularly stablecoins, in part to avoid large intra-China
bank transfers that may raise capital flight suspicions.\60\
---------------------------------------------------------------------------
\59\ International Monetary Fund, Understanding Stablecoins, p.
30 (2025), available at https://www.imf.org/-/media/files/publications/dp/2025/english/usea.pdf.
\60\ 2026 NMLRA, supra note 46, p. 26.
---------------------------------------------------------------------------
2. Illicit Uses of Payment Stablecoins
i. Scams and Fraud
Perpetrators of scams and other fraud schemes--most notably digital
asset investment scams--use digital assets, including stablecoins, to
generate and launder illicit proceeds.\61\ The United States government
has sought seizure of substantial amounts of stablecoin, including the
$225 million forfeiture pursued by the Department of Justice as
discussed above \62\ and a $61 million seizure,\63\ in connection with
investigations into such schemes. Perpetrators and facilitators of such
scams may solicit and receive victim funds in financial accounts under
their control, convert those funds to stablecoins, and then distribute
those stablecoins to co-conspirator-controlled digital asset
wallets.\64\
---------------------------------------------------------------------------
\61\ Id. at p. 5, 52.
\62\ See Largest Ever Seizure of Funds Related to Crypto
Confidence Scams, supra note 58.
\63\ See, e.g., DOJ, Press Release, U.S. Attorney's Office EDNC
Announces Seizure of $61 Million Dollars' Worth of Cryptocurrency,
(Feb. 24, 2026), available at https://www.justice.gov/usao-ednc/pr/us-attorneys-office-ednc-announces-seizure-61-million-dollars-worth-cryptocurrency; see also DOJ, Press Release, Ohio Woman Loses Life
Savings in Cryptocurrency Investment Scam (Feb. 28, 2025), available
at https://www.justice.gov/usao-ndoh/pr/ohio-woman-loses-life-savings-cryptocurrency-investment-scam (discussing seizure of $8.2
million in stablecoins); see also DOJ, Press Release, Cyber Scam
Organization Disrupted Through Seizure of Nearly $9M in Crypto (Nov.
21, 2023), available at https://www.justice.gov/usao-ndca/pr/cyber-scam-organization-disrupted-through-seizure-nearly-9m-crypto.
\64\ See, e.g., Judgment, United States v. Li, 2:23-cr-596 (C.D.
Cal. Feb. 10, 2026) (defendant sentenced to 240 months); see also
DOJ, Press Release, Man Sentenced to 20 Years in Prison for role in
$73 Million Global Cryptocurrency Investment Scam (Feb. 9, 2026),
available at https://www.justice.gov/archives/opa/pr/foreign-national-pleads-guilty-laundering-millions-proceeds-cryptocurrency-investment-scams. See Plea, United States v. He, 2:25-cr-175 (C.D.
Cal. Apr 7, 2025); see also DOJ, Press Release, California Man
Sentenced for Role in Global Digital Asset Investment Scam
Conspiracy Resulting in Theft of More than $36.9M from Victims
(Sept. 8, 2025), available at https://www.justice.gov/opa/pr/california-man-sentenced-role-global-digital-asset-investment-scam-conspiracy-resulting.
---------------------------------------------------------------------------
ii. Terrorist Financing and Weapons Proliferation
Certain terrorist groups, such as the Islamic State of Iraq and
Syria-Khorasan (ISIS-K) and Hamas, use various types of digital assets,
including stablecoins.\65\ In some instances, terrorist organizations
generate revenue in digital assets, including stablecoins, through
online donation drives.\66\ One long-running online ISIS-K fundraiser,
for example, collected $2 million in stablecoins in 2022.\67\ Terrorist
groups
[[Page 18587]]
soliciting donations of digital assets turn to stablecoins to avoid the
volatility and price fluctuations that impact other digital assets and
to facilitate more seamless conversion to fiat currency.\68\
---------------------------------------------------------------------------
\65\ Treasury, 2026 National Terrorist Financing Risk
Assessment, p. 19 (Mar. 2026) [hereinafter 2026 NTFRA], available at
https://home.treasury.gov/system/files/246/2026-NTFRA.pdf.
\66\ See, e.g., Justice Department Disrupts Hamas Terrorist
Financing Scheme Through Seizure of Cryptocurrency, supra note 51.
\67\ United Nations Security Council Counter Terrorism Committee
Executive Directorate, Evolving Trends in the Financing of Foreign
Terrorist Fighters' Activity, 2014-2024, p. 11 (Nov. 2024),
available at https://www.un.org/securitycouncil/ctc/sites/www.un.org.securitycouncil.ctc/files/cted_trends_tracker_evolving_trends_in_the_financing_of_foreign_terrorist_fighters_activity_2014_-_2024.
\68\ 2026 NTFRA, supra note 65, p. 26.
---------------------------------------------------------------------------
Terrorist organizations have also utilized stablecoins as a means
of transferring funds. For example, DOJ unsealed a civil forfeiture
action in July 2025 against approximately $2 million worth of digital
assets connected with a Gaza-based money transfer business that was
involved in financially supporting Hamas. The complaint describes a
detailed scheme whereby users utilized the money transfer business to
fund accounts at a digital asset exchange and to fund wallet addresses
containing stablecoins to obfuscate their financial support of
international terrorist organizations, including Hamas.\69\
---------------------------------------------------------------------------
\69\ See Justice Department Disrupts Hamas Terrorist Financing
Scheme Through Seizure of Cryptocurrency, supra note 51.
---------------------------------------------------------------------------
Iran has increasingly turned to digital assets to conduct illicit
financial activity, obtain drone components and other high-tech
equipment, accept payments for weapons, and transfer funds to
sanctioned actors in the region. Iranian illicit actors often prefer
stablecoins over other digital assets for these transactions due to
stablecoins' superior ability to finance international trade.\70\
---------------------------------------------------------------------------
\70\ FATF, Targeted Report on Stablecoins and Unhosted Wallets:
Peer-to-Peer Transactions, ] 36 (Mar. 2025), available at https://www.fatf-gafi.org/content/dam/fatf-gafi/publications/targeted-report-on-stablecoins-and-unhosted-wallets.pdf.coredownload.inline.pdf.
---------------------------------------------------------------------------
iii. Narcotics Production and Trafficking
Transnational criminal organizations (TCOs) also use stablecoins to
procure components for the manufacturing of illegal drugs and to
launder the proceeds of illegal drug sales. For example, Mexico-based
drug cartels are increasingly purchasing fentanyl precursor chemicals
and manufacturing equipment from People's Republic of China-based
suppliers using digital assets, including stablecoins.\71\
Additionally, prosecutors have charged that, in some cases, TCOs use
money brokers to pick up bulk cash derived from drug sales in the
United States; exchange the cash for digital assets, including
stablecoins; and send the digital assets to wallets controlled by
brokers or co-conspirators.\72\ According to DOJ, in some instances,
the digital assets are then converted into cash and delivered to cartel
leaders in Mexico and Colombia.\73\ In November 2024 for instance, DOJ
filed a civil forfeiture complaint against more than $5.5 million in
stablecoins allegedly involved in a money laundering operation related
to drug trafficking.\74\
---------------------------------------------------------------------------
\71\ FinCEN, Supplemental Advisory on the Procurement of
Precursor Chemicals and Manufacturing Equipment Used for the
Synthesis of Illicit Fentanyl and Other Synthetic Opioids, p. 9
(June 20, 2024), available at https://www.fincen.gov/system/files/advisory/2024-06-20/FinCEN-Supplemental-Advisory-on-Fentanyl-508C.pdf.
\72\ See, e.g., Superseding Indictment, United States v. Duarte
et al., No. 24-cr-20367 (S.D. Fla. Nov. 19, 2024).
\73\ Id.
\74\ Compl. United States v. Approximately 114,366.044785 Tether
(USDT) Cryptocurrency from Binance Account User ID Ending in 7382,
No. 24-cv-01503, (E.D. Wisc. Nov. 20, 2024); see also Decision and
Order, United States v. Approximately 114,366.044785 Tether (USDT)
Cryptocurrency from Binance Account User ID Ending in 7382, No. 24-
cv-01503, (E.D. Wisc. Feb. 6, 2026) (default judgment ordering
assets to be forfeited).
---------------------------------------------------------------------------
3. Sanctions Evasion
Sanctions evasion and money laundering networks have leveraged
stablecoins to move funds on behalf of numerous sanctioned actors,
including Russian elites, sanctioned digital asset exchanges, the DPRK
government, Iranian actors, foreign terrorist organizations, and global
terrorists. For example, in December 2024, OFAC designated as Specially
Designated Nationals (SDNs) five individuals and four entities that are
associated with or leverage the TGR Group, a sprawling international
network of businesses and employees that works to obfuscate the illicit
activities of its clients, which include sanctioned Russian elites,
including by facilitating exchanges of bulk cash for stablecoins.\75\
---------------------------------------------------------------------------
\75\ Treasury, Press Release, Treasury Exposes Money Laundering
Network Using Digital Assets to Evade Sanctions (Dec. 4, 2024),
available at https://home.treasury.gov/news/press-releases/jy2735.
---------------------------------------------------------------------------
Additionally, in August 2025, OFAC redesignated as an SDN Garantex
Europe OU (Garantex), a virtual currency exchange that directly
facilitated notorious ransomware actors and other cybercriminals by
processing over $100 million in transactions linked to illicit
activities since 2019.\76\ Garantex was originally designated as an SDN
in April 2022.\77\ According to an indictment against two Garantex
operators, Garantex, beginning in and around early 2023, maintained at
least some of its operational accounts in stablecoins.\78\ The
operators allegedly moved the exchange's operational wallets storing
stablecoins to a new digital asset wallet on a daily basis to evade
detection by blockchain analytics services.\79\
---------------------------------------------------------------------------
\76\ Treasury, Press Release, Treasury Sanctions Cryptocurrency
Exchange and Network Enabling Sanctions Evasion and Cyber Criminals
(Aug. 14, 2025), available at https://home.treasury.gov/news/press-releases/sb0225.
\77\ Treasury, Press Release, Treasury Sanctions Russia-Based
Hydra, World's Largest Darknet Market, and Ransomware-Enabling
Virtual Currency Exchange Garantex (Apr. 05, 2022), available at
https://home.treasury.gov/news/press-releases/jy0701.
\78\ Indictment ] 29, United States v. Besciokov and Mira Serda,
No. 25-cr-39, (E.D. Va. Feb. 27, 2025), https://www.justice.gov/opa/media/1392316/dl.
\79\ Id.
---------------------------------------------------------------------------
The U.S. government has pursued cases involving DPRK IT workers and
co-conspirators involved in money laundering alleged to have leveraged
stablecoins as part of schemes to evade sanctions and generate revenue
for the DPRK regime, in part because they found stablecoins susceptible
to laundering. For example, in June 2025, a forfeiture complaint
alleged that the DPRK government generated digital assets, in part,
through remote work done by DPRK IT workers deployed around the
globe.\80\ The complaint also alleges that DPRK IT workers requested to
be paid in stablecoins because they (and their alleged money laundering
co-conspirators) retain a consistent value and can more easily trade
stablecoins for fiat currency.\81\
---------------------------------------------------------------------------
\80\ Compl. ]] 48-49, United States v. Virtual Currency
Associated with North Korean IT Worker Money Laundering and
Sanctions Evasion Conspiracies, No. 25-cv-1769, (D.D.C. June 5,
2025).
\81\ Id. at ]] 50, 59.
---------------------------------------------------------------------------
The U.S. government has identified the use of stablecoin connected
to Iranian actors' provision of material support to the Iranian
Revolutionary Guard Corps (IRGC). For example, in September 2025, DOJ
filed a civil forfeiture action to recover approximately $584,741 in
stablecoins alleged to be the property of Mohammad Abedininajafabadi or
of his company,\82\ who was charged with conspiring to export
sophisticated electronic components from the United States to Iran in
violation of U.S. export control and sanctions laws.\83\ Additionally,
in sanctions actions targeting Iran's IRGC-Quds Force-backed Ansarallah
(Houthi) operatives, OFAC has identified digital asset wallet addresses
that have been used by the Houthis to transfer funds
[[Page 18588]]
associated with their activities. Many of the identified wallet
addresses have been used to transact stablecoins.\84\ Furthermore, on
January 30, 2026, OFAC designated as SDNs two UK-based exchanges with
connections to notorious Iranian financier Babak Zanjani.\85\ These
exchanges processed approximately $1 billion in funds linked to the
IRGC. One of the designated exchanges, Zedxion Exchange, Ltd., issued a
stablecoin.\86\
---------------------------------------------------------------------------
\82\ DOJ, Press Release, United States Seeks Civil Forfeiture of
Cryptocurrency Associated with Iranian National Mohammad Abedini
(Sept. 11, 2025), available at https://www.justice.gov/usao-ma/pr/united-states-seeks-civil-forfeiture-cryptocurrency-associated-iranian-national-mohammad.
\83\ Compl., United States v. Sadeghi and Abedininajafabadi, No.
24-cr-10391 (D. Mass. Dec. 13, 2024).
\84\ See, e.g., Treasury, Press Release, Treasury Sanctions
Houthi Network Procuring Weapons and Commodities from Russia (Apr.
2, 2025), available at https://home.treasury.gov/news/press-releases/sb0068; Treasury, Counter Terrorism Designations and
Designation Update; Russia-related Designation Removal; Reports for
Licensing Activities Undertaken Pursuant to the Trade Sanctions
Reform and Export Enhancement Act (TSRA) (Apr. 2, 2024), available
at https://ofac.treasury.gov/recent-actions/20250402.
\85\ Treasury, Press Release, Treasury Sanctions Iranian Regime
Officials for Violent Repression and Corruption (Jan. 30, 2026),
available at https://home.treasury.gov/news/press-releases/sb0375.
\86\ See TRM Labs, How Two UK-registered Companies Moved Over a
Billion in Stablecoins for the IRGC (Jan. 9, 2026), available at
https://www.trmlabs.com/resources/blog/how-two-uk-registered-companies-moved-over-a-billion-in-stablecoins-for-the-irgc.
---------------------------------------------------------------------------
V. Existing Regulatory Framework for Stablecoin Issuers
A. Existing Bank Secrecy Act Obligations
Currently, stablecoin issuers generally are subject to BSA
obligations as financial institutions, specifically money transmitters,
which are a type of MSB. The BSA statutory definition of ``financial
institution'' includes a ``person who engages as a business in the
transmission of currency, funds, or value that substitutes for
currency.'' \87\ FinCEN's regulations define ``money services
business,'' one category of which is a ``money transmitter'' that
``provides money transmission services.'' \88\ ``Money transmission
services'' is in turn defined as ``the acceptance of currency, funds,
or other value that substitutes for currency from one person and the
transmission of currency, funds or other value that substitutes for
currency to another location or person by any means.'' \89\ ``Value
that substitutes for currency'' includes ``virtual'' currencies (also
called convertible virtual currencies or ``CVCs''), such as
stablecoins, that either have an equivalent value in real currency or
act as a substitute for real currency.\90\ FinCEN has further clarified
that, unless a limitation or exception applies, persons engaged in
issuing and redeeming a virtual currency (i.e., ``administrators'') are
money transmitters and thus subject to BSA obligations as MSBs.\91\
Stablecoin issuers are, thus, money transmitters because they, for
example, issue and redeem virtual currencies and accept and transmit
value that substitutes for currency when issuing and converting,
redeeming, or repurchasing stablecoins.
---------------------------------------------------------------------------
\87\ 31 U.S.C. 5312(a)(2)(J), 5312(a)(2)(R) (defining, in part,
a ``financial institution'' a ``business engaged in the exchange of
currency, funds, or value that substitutes for currency or funds,''
or ``a licensed sender of money or any other person who engages as a
business in the transmission of currency, funds, or value that
substitutes for currency''). As part of the AML Act, Congress
amended 31 U.S.C. 5312 to add this ``value that substitutes for
currency'' language. See Public Law 116-283, sec. 6102(d), 134 Stat.
4547 (2021). In the AML Act, Congress also reaffirmed FinCEN's
existing regulatory framework applying MSB obligations to persons
engaged in certain activities related to ``value that substitutes
for currency,'' including the issuing and redeeming of virtual
currencies. See FinCEN, Bank Secrecy Act Regulations; Definitions
and Other Regulations Relating to Money Services Businesses, 76 FR
43585, 43586 (July 21, 2011); see also FinCEN Guidance, FIN-2013-
G001, Application of FinCEN's Regulations to Persons Administering,
Exchanging, or Using Virtual Currencies (Mar. 18, 2013) [hereinafter
2013 CVC Guidance], available at https://www.fincen.gov/resources/statutes-regulations/guidance/application-fincens-regulations-persons-administering; FinCEN, FIN-2019-G001, Application of
FinCEN's Regulations to Certain Business Models Involving
Convertible Virtual Currencies (May 9, 2019) [hereinafter 2019 CVC
Guidance], available at https://www.fincen.gov/resources/statutes-regulations/guidance/application-fincens-regulations-certain-business-models.
\88\ 31 CFR 1010.100(ff)(5).
\89\ 31 CFR 1010.100(ff)(5)(i)(A) (emphasis in original).
\90\ 2013 CVC Guidance, supra note 87, p 3.
\91\ See id. at p. 2 (concluding administrators are generally
MSBs and stating that ``An administrator is a person engaged as a
business in issuing (putting into circulation) a virtual currency,
and who has the authority to redeem (to withdraw from circulation)
such virtual currency''); see also 2019 CVC Guidance, supra note 87,
p. 13.
---------------------------------------------------------------------------
As MSBs, stablecoin issuers are currently subject to a range of BSA
obligations. MSBs are required to, for instance: (i) establish written
AML programs; \92\ (ii) file currency transaction reports (CTRs) \93\
and SARs; \94\ and (iii) maintain certain records, including those
relating to certain transmittals of funds.\95\ MSBs are subject to
examination for BSA compliance by the Internal Revenue Service (IRS)
under a delegation of authority by FinCEN.\96\
---------------------------------------------------------------------------
\92\ See 31 CFR 1022.210.
\93\ See 31 CFR 1022.310.
\94\ See 31 CFR 1022.320.
\95\ See 31 CFR 1022.400, 1010.410(e)-(f).
\96\ See 31 CFR 1010.810(b)(8).
---------------------------------------------------------------------------
As required by the GENIUS Act, FinCEN is proposing certain
obligations that differ in some material respects from current
obligations that stablecoin issuers are subject to as MSBs, as well as
some PPSI-specific obligations required by the GENIUS Act. However, in
many respects, FinCEN expects that the proposed requirements for PPSIs
would be comparable to stablecoin issuers' existing requirements as
MSBs.
B. Existing Sanctions Obligations
The GENIUS Act provides that PPSIs are persons \97\ formed in the
United States \98\ and that PPSIs shall be subject to ``all Federal
laws applicable to a financial institution located in the United States
relating to economic sanctions.'' \99\ Because the GENIUS Act requires
PPSIs to be formed in the United States, PPSIs will be ``U.S. persons''
under existing OFAC regulations \100\ once the Act takes effect.\101\
Therefore, stablecoin issuers qualifying as PPSIs will be subject to
the same U.S. sanctions obligations that currently apply to all other
U.S. persons, including those that are stablecoin issuers.
---------------------------------------------------------------------------
\97\ 12 U.S.C. 5901(24) (defining a ``person'' as ``an
individual, partnership, company, corporation, association, trust,
estate, cooperative organization, or other business entity,
incorporated or unincorporated'').
\98\ 12 U.S.C. 5901(23) (defining a ``permitted payment
stablecoin issuer'' as ``a person formed in the United States that
is--(A) a subsidiary of an insured depository institution that has
been approved to issue payment stablecoins under 12 U.S.C. 5904; (B)
a Federal qualified payment stablecoin issuer; or (C) a State
qualified payment stablecoin issuer'').
\99\ See 12 U.S.C. 5903(a)(5)(A).
\100\ See, e.g., 31 CFR 510.326, 555.313, 583.314.
\101\ See 12 U.S.C. 5901(23).
---------------------------------------------------------------------------
As discussed in section II.C, U.S. sanctions require U.S. persons,
including U.S. person stablecoin issuers, to block the property and
interests in property of blocked persons that are in their possession
or control and report them to OFAC. This blocking prohibition requires
U.S. persons, including those that are stablecoin issuers, to ensure
that property and interests in property of such blocked persons,
including stablecoins, that are in their possession or control are not
transferred, withdrawn, or otherwise dealt in, unless authorized by
OFAC or exempt. More broadly, U.S. persons, including those that are
stablecoin issuers, are also generally prohibited from engaging in most
transactions with blocked persons, including making any contribution or
provision of funds, goods, or services to or for the benefit of blocked
persons or receiving any contribution or funds, goods, or services from
blocked persons, unless authorized by OFAC or exempt. Blocked persons
subject to these restrictions include individuals and entities listed
on OFAC's Specially Designated Nationals and Blocked Persons List
(``SDN
[[Page 18589]]
List'').\102\ In addition, any entities that are owned, directly or
indirectly, individually or in the aggregate, 50 percent or more by one
or more blocked persons are also blocked and subject to the above
restrictions, even if they are not specifically named on OFAC's SDN
List.\103\
---------------------------------------------------------------------------
\102\ See OFAC, Specially Designated Nationals List, available
at https://sanctionslist.ofac.treas.gov/Home/SdnList.
\103\ See OFAC, Revised Guidance on Entities Owned by Persons
Whose Property and Interests in Property Are Blocked (Aug. 13,
2014), available at https://ofac.treasury.gov/media/6186/download?inline.
---------------------------------------------------------------------------
There are a variety of scenarios where these prohibitions apply to
U.S. person stablecoin issuers. For example, U.S. person stablecoin
issuers are generally prohibited from engaging in primary market
activities with blocked persons, such as issuing stablecoins to blocked
persons or redeeming stablecoins belonging to blocked persons; such
transactions, if consummated, would constitute a prohibited dealing in
blocked property, unless authorized or exempt. In such instances, a
stablecoin issuer is required to block these stablecoins because the
blocked person has a property interest in the stablecoin and such
stablecoins are in the possession or control of the stablecoin issuer,
a U.S. person, at the time of the transaction. To effectively block
such stablecoins, the stablecoin issuer must ensure that it has denied
all parties access to the stablecoins, ensure that it complies with
OFAC regulations related to the holding and reporting of blocked assets
(discussed further below), and implement controls that align with a
risk-based approach.\104\
---------------------------------------------------------------------------
\104\ See OFAC, Frequently Asked Question 646, available at
https://ofac.treasury.gov/faqs/646.
---------------------------------------------------------------------------
U.S. person stablecoin issuers are also prohibited from engaging in
secondary market activities with blocked persons. For example, a U.S.
person stablecoin issuer would engage in a prohibited provision of
services to a blocked person if it allowed the blocked person to engage
with the stablecoin issuer's smart contract to facilitate trades of
stablecoins on the secondary market. In this instance, the stablecoin
issuer would also be required to block such stablecoins because the
blocked person has an interest in the stablecoins, which the issuer
controls via its smart contract.
OFAC sanctions prohibitions may also take other forms that do not
require blocking but prohibit U.S. persons, including stablecoin
issuers, from engaging in trade or financial transactions or other
dealings with certain persons or geographic regions or countries, such
as North Korea, Cuba, Iran, and Crimea, unless authorized by OFAC or
exempt.\105\ In cases where an underlying transaction is prohibited but
there is no blockable interest, all U.S. persons, including those that
are stablecoin issuers, are required to reject such transactions and
report them to OFAC. For example, U.S. sanctions against Iran generally
prohibit U.S. persons from directly or indirectly providing services to
persons in Iran, unless otherwise authorized or exempt.\106\
Accordingly, U.S. person stablecoin issuers are generally prohibited
from engaging in primary or secondary market activities with persons in
Iran, including issuing stablecoins to persons in Iran, redeeming
stablecoins of persons in Iran, or allowing persons in Iran to engage
with the issuer's smart contracts to facilitate trades of stablecoins,
as any of these activities would constitute a provision of financial
services to Iran. However, unlike when a blocked person is directly or
indirectly involved in a transaction, a stablecoin issuer would only be
required to reject such transactions and report them to OFAC.
---------------------------------------------------------------------------
\105\ See 31 CFR part 510, part 515, part 560, part 589.
\106\ See 31 CFR 560.204, 560.410, 560.427.
---------------------------------------------------------------------------
OFAC's regulations also require U.S. persons, including stablecoin
issuers, to comply with certain reporting and recordkeeping
requirements, pursuant to OFAC's Reporting, Procedures and Penalties
Regulations (RPPR).\107\ Among other requirements, the RPPR require
U.S. persons, including stablecoin issuers, to submit reports of
blocked property and rejected transactions to OFAC within 10 business
days and annual reports of blocked property by September 30 each
year.\108\ Persons engaging in transactions subject to the provisions
of OFAC's regulations are also required to preserve such records for at
least 10 years.\109\
---------------------------------------------------------------------------
\107\ See 31 CFR part 501.
\108\ See 31 CFR 501.603, 501.604.
\109\ See 31 CFR 501.601.
---------------------------------------------------------------------------
OFAC's basic regulatory requirement for all U.S. persons, including
those that are stablecoin issuers, is that they do not violate the
sanctions that OFAC administers. The ramifications of non-compliance,
inadvertent or otherwise, can jeopardize critical foreign policy and
national security goals. Violations of OFAC sanctions may result in the
imposition of civil or criminal penalties. OFAC may impose civil
penalties for sanctions violations on a strict liability basis, meaning
that U.S. persons, including those that are stablecoin issuers, may be
held civilly liable for sanctions violations even if such person did
not know or have reason to know that it was engaging in a prohibited
transaction.
As a general matter, however, OFAC also takes into consideration
the totality of facts and circumstances surrounding an apparent
violation to determine the appropriate enforcement response. OFAC's
Economic Sanctions Enforcement Guidelines, 31 CFR part 501, Appendix A
(``Enforcement Guidelines''), lay out a set of 11 factors that OFAC
will generally consider in determining the appropriate administrative
action in response to an apparent violation of U.S. sanctions,
including the amount of the penalty, to the extent that a civil
monetary penalty is appropriate.\110\ Any of the 11 factors may be
considered aggravating or mitigating and may therefore result in
adjustments to the proposed penalty. One of those factors includes the
existence, nature, and adequacy of a subject person's risk-based
sanctions compliance program at the time of the apparent violation.
Accordingly, when applying the Enforcement Guidelines to a given
factual situation, OFAC considers favorably the presence of an
effective sanctions compliance program at the time of an apparent
violation.
---------------------------------------------------------------------------
\110\ 31 CFR part 501, Appendix A.
---------------------------------------------------------------------------
VI. Proposed AML/CFT Regulation
This proposed rule implements the GENIUS Act's requirement that
PPSIs be treated as financial institutions under the BSA. In doing so,
it applies the BSA obligations currently applicable to existing
financial institutions that are specifically enumerated in the GENIUS
Act,\111\ other quintessential BSA obligations, and GENIUS Act
obligations specific to PPSIs. It also proposes regulatory
infrastructure, including definitions, to effectuate the obligations.
---------------------------------------------------------------------------
\111\ Although specifically enumerated in the GENIUS Act, this
proposed rule does not impose a customer identification program
obligation, which is the subject of a separate rulemaking.
---------------------------------------------------------------------------
In crafting this proposed rule, FinCEN is mindful that some
entities may transition from the current MSB framework to the new PPSI
framework. FinCEN is also cognizant that some PPSIs will be closely
affiliated with or part of institutions with existing BSA obligations.
To promote regulatory clarity and efficiency, FinCEN used its well-
established regulatory obligations for banks, MSBs, and other financial
institutions as points of reference for its proposed PPSI obligations.
A. Permitted Payment Stablecoin Issuers
Before turning to the specifics of the proposed regulation, FinCEN
first outlines several broader considerations
[[Page 18590]]
that impact how FinCEN proposes to regulate PPSIs and how it expects
PPSIs will operationalize the proposed obligations. FinCEN first
explains its assessment of how PPSI activities compare to those of
other types of financial institutions defined in the BSA and proposes
using its authority under 31 U.S.C. 5312(a)(2)(Y). It then describes
how entities that are PPSIs may relate to other categories of BSA-
defined financial institutions. Finally, FinCEN briefly discusses how
it is proposing to apply obligations with regards to different types of
market activity.
1. Defining PPSI as a Type of Financial Institution
The GENIUS Act directs that a ``permitted payment stablecoin issuer
shall be treated as a financial institution for purposes of the Bank
Secrecy Act'' and ``shall be subject to all Federal laws applicable to
a financial institution located in the United States relating to . . .
prevention of money laundering.'' \112\ However, the GENIUS Act does
not specify how PPSIs should be mechanically codified into the existing
BSA framework.
---------------------------------------------------------------------------
\112\ 12 U.S.C. 5903(a)(5)(A).
---------------------------------------------------------------------------
The BSA defines ``financial institution'' as a range of entities,
all of which could be subject to statutory obligations and FinCEN's
regulations.\113\ These institutions include insured banks; commercial
banks and trust companies; businesses engaged in the exchange of
currency, funds, or value that substitutes for currency or funds; and
any person who engages as a business in the transmission of currency,
funds, or value that substitutes for currency.\114\ Notably,
designation as a ``financial institution'' under 31 U.S.C. 5312(a)(2)
affects treatment not only under the BSA but also under other statutes
that address money laundering or predicate crimes that can underpin
money laundering. These laws include those relating to federal third-
party subpoenas \115\ to access to financial records by U.S. law
enforcement,\116\ criminal money laundering \117\ and terrorist
financing offenses,\118\ as well as other provisions of federal and
state law.\119\
---------------------------------------------------------------------------
\113\ See 31 U.S.C. 5312(a)(2); see also, e.g., 31 U.S.C. 5318.
\114\ 31 U.S.C. 5312(a)(2)(A), (B), (J), (R).
\115\ 18 U.S.C. 986(a).
\116\ 12 U.S.C. 3414.
\117\ 18 U.S.C. 1956.
\118\ 18 U.S.C. 2339B.
\119\ See, e.g., 50 U.S.C. 3164(5) (defining financial
institution for purposes of subchapter); Ariz. Rev. Stat. Ann. 6-
1241(3) (defining money transmitter under Arizona law by referencing
``financial institution'' as defined under 31 U.S.C 5312).
---------------------------------------------------------------------------
In the BSA, Congress provided authority for FinCEN to, through
regulation, expand the categories of financial institutions enumerated
in 31 U.S.C. 5312(a)(2) to include a business engaging in activities
``similar to, related to, or a substitute for'' the activities of an
enumerated financial institution.\120\ FinCEN has determined that PPSIs
provide services that are similar to or related to services authorized
to be provided by BSA-defined financial institutions, and is
accordingly, proposing to exercise its authority under 31 U.S.C.
5312(a)(2)(Y). Doing so fulfills Congress's directive that PPSIs be
subject to ``all Federal laws'' applicable to financial institutions
related to money laundering; promotes consistent treatment of PPSIs
under federal and state laws that reference the BSA definition of
``financial institution;'' and reduces uncertainty for PPSIs, their
prudential regulators, law enforcement, and other market participants.
---------------------------------------------------------------------------
\120\ 31 U.S.C. 5312(a)(2)(Y).
---------------------------------------------------------------------------
As discussed in this proposal, stablecoin issuers are currently
regulated under the BSA and FinCEN's implementing regulations as money
transmitters, a type of MSB, and MSBs fall under the definition of a
financial institution.\121\ In that capacity, issuers engage in the
transmission of currency, funds, or value that substitutes for
currency. Under the GENIUS Act's regime, PPSIs will continue to perform
these kinds of activities when issuing or redeeming a payment
stablecoin. Additionally, the GENIUS Act explicitly preserves the
ability of PPSIs to engage in MSB-like activities, including exchanging
digital assets for monetary value, exchanging digital assets for other
digital assets, and transferring digital assets to a third party, so
long as the activity is authorized by the PPSI's primary Federal
payment stablecoin regulator or State payment stablecoin regulator and
consistent with all other federal and state laws.\122\
---------------------------------------------------------------------------
\121\ See 31 U.S.C. 5312(a)(2)(R); 31 CFR 1010.100(t)(3),
(ff)(5).
\122\ See 12 U.S.C. 5903(a)(7)(B) (including as a rule of
construction that ``Nothing in [12 U.S.C. 5903(a)(7)(A)] shall limit
a permitted payment stablecoin issuer from engaging in payment
stablecoin activities or digital asset service provider activities .
. . that are authorized by the primary Federal payment stablecoin
regulator or the State payment stablecoin regulator, as applicable,
consistent with all other Federal and State laws, provided that the
claims of payment stablecoin holders rank senior to any potential
claims of non-stablecoin creditors with respect to the reserve
assets. . . .'').
---------------------------------------------------------------------------
The activities of MSBs can overlap substantially with those of
other types of financial institutions, particularly banks. Indeed, so
significantly can the activities of these two types of financial
institutions overlap that FinCEN carved out MSBs from its regulatory
definition of ``bank'' (and vice versa), making them mutually
exclusive.\123\ Just as the business activities of MSBs overlap
substantially with those of banks, the business activities of PPSIs can
overlap with those of banks. Notably, at least some PPSIs may have bank
charters,\124\ and PPSIs' activities have similarities to the business
activities of more ``conventional'' or ``traditional'' banks. For
example, the GENIUS Act authorizes PPSIs to custody payment stablecoins
and, thus, like some banks, PPSIs will hold assets for customers.\125\
Accordingly, in critical respects, PPSIs may offer services that are
similar to some services provided by some banks.
---------------------------------------------------------------------------
\123\ See 31 CFR 1010.100(d)(7) (defining a bank, in part, as
``Any other organization (except a money services business)
chartered under the banking laws of any state and subject to the
supervision of the bank supervisory authorities of a State''),
1010.100(ff)(8)(i) (definition of money services business ``shall
not include . . . a bank or foreign bank'').
\124\ See 12 U.S.C. 5901(11)(B) (including uninsured national
banks within the definition of ``Federal qualified payment
stablecoin issuer,'' a type of PPSI under 12 U.S.C. 5901(23)(B)).
\125\ See 12 U.S.C. 5903(a)(7)(A)(iii)-(v).
---------------------------------------------------------------------------
In addition, it is expected PPSIs will often operate in close
coordination with other financial institutions, i.e., they will engage
in activities related to the activities of BSA-defined financial
institutions. For example, some PPSIs may partner with digital asset
exchanges (i.e., MSBs) and other financial institutions to distribute
payment stablecoins or facilitate their use in payments. It is expected
that some PPSIs may also rely on banks and other financial institutions
to perform key fiat on- and off-ramp functions, such as accepting fiat
currency from a bank account when payment stablecoins are issued or
transmitting fiat currency to a bank account when payment stablecoins
are redeemed. PPSIs often may maintain their own bank accounts, with
bank deposits comprising permissible reserve assets backing outstanding
stablecoins.\126\ These interconnections reinforce certain functional
similarities between PPSIs and other BSA-regulated financial
institutions.
---------------------------------------------------------------------------
\126\ See 12 U.S.C. 5903(a)(1)(A)(ii).
---------------------------------------------------------------------------
In light of the GENIUS Act's directive, the existing treatment of
many stablecoin issuers as MSBs, the functional similarities between
PPSIs and BSA-defined financial institutions, and, the
interconnectedness between PPSIs and BSA-defined financial
institutions, FinCEN has determined that PPSIs engage in activities
that are ``similar to'' as well as ``related to'' financial services in
which other
[[Page 18591]]
financial institutions identified in 31 U.S.C. 5312(a)(2) are
authorized to engage, and thus proposes exercising its 31 U.S.C.
5312(a)(2)(Y) authority to expressly define PPSIs as financial
institutions under the BSA.
2. PPSIs' Relationship to Other Types of Financial Institutions
PPSIs will be uniquely positioned relative to other kinds of
financial institutions. In some cases, PPSIs may be subsidiaries of
depository institutions. In other cases, a single institution may be
subject to BSA obligations as both a bank and a PPSI. Stablecoin
issuers that may become PPSIs are currently regulated as MSBs. FinCEN
seeks to promote a clear and efficient BSA regulatory regime and,
accordingly, outlines its current thinking regarding how a PPSI's
obligations will interact with the obligations of other BSA-regulated
institutions. FinCEN seeks comment on its proposed approaches.
i. Subsidiaries of Insured Depository Institutions
Under the GENIUS Act, one of the three subcategories of PPSIs is a
``subsidiary of an insured depository institution,'' which includes
insured depository institutions (as defined by 12 U.S.C. 1813) and
insured credit unions.\127\ Because all insured depository institutions
in the United States are subject to regulation under the BSA, at least
some PPSIs will likely be the subsidiaries of parents that are subject
to their own AML/CFT obligations under FinCEN's regulations.\128\ PPSIs
that are subsidiaries of insured depository institutions in the United
States may be required by certain Federal functional regulators to
generally comply with a parent entity's AML/CFT obligations. The
question naturally arises whether, and if so how, the parent's AML/CFT
program obligation affects that of the subsidiary PPSI and, conversely,
how the subsidiary PPSI's obligations under this proposed rule could
affect that of the parent. Overall, FinCEN expects that the
similarities among its regulations will facilitate coordination between
subsidiary and parent, and conversely, how the subsidiary PPSI's
program under this proposed rule affects that of the parent.
---------------------------------------------------------------------------
\127\ See 12 U.S.C. 5901(23)(A); 12 U.S.C. 5901(15) (defining
``insured depository institution'' as ``(A) an insured depository
institution, as defined in section 3 of the Federal Deposit
Insurance Act (12 U.S.C. 1813); and (B) an insured credit union'');
see infra section VI.C.1.ix (discussing proposed definition of
permitted payment stablecoin issuer).
\128\ See 12 U.S.C. 5901(23)(A); 31 CFR part 1020.
---------------------------------------------------------------------------
Under this proposed rule and FinCEN's existing regulations, FinCEN
expects its regulations that are applicable to a parent insured
depository institution and its subsidiary PPSI could be similar to one
another. If so, a PPSI and its parent would be able to coordinate
compliance practices and share compliance resources, and the PPSI, as
part of the insured depository institution as a whole, can leverage the
parent's program. For example, FinCEN is proposing to impose an AML/CFT
program on PPSIs that largely mirrors its proposed programs for
banks.\129\ FinCEN recognizes the value of enterprise-wide compliance
efforts, but also that such efforts must account for obligations unique
to a particular entity. For example, where a PPSI is a subsidiary of an
insured depository institution, FinCEN anticipates that the enterprise
may elect to extend a single AML/CFT program to both entities. FinCEN
assesses that doing so would be permissible so long as a comprehensive
AML/CFT program is reasonably designed to identify and mitigate the
risks posed by the different aspects of each entity's business and
activities and satisfies each of the AML/CFT program and other BSA
requirements to which the PPSI and parent are subject.
---------------------------------------------------------------------------
\129\ See infra section VI.C.3.
---------------------------------------------------------------------------
Where a PPSI is subject to obligations that differ from those of
its parent, a PPSI must comply with the PPSI-specific provision. For
instance, as the GENIUS Act directs and this proposed rule would
require, a PPSI must have the ``technical capabilities, policies, and
procedures to block, freeze, and reject specific or impermissible
transactions that violate Federal or State laws, rules, or
regulations.'' \130\ That statutory requirement will necessarily mean a
PPSI must have internal policies, procedures, and controls to comply
with the obligation to block, freeze, and reject applicable
transactions, which could be part of enterprise-wide policies and
procedures or unique in the corporate structure to PPSIs.\131\
---------------------------------------------------------------------------
\130\ 12 U.S.C. 5903(a)(5)(A)(iv).
\131\ Id.; see also infra section VI.C.6 for a discussion of
additional technical capabilities, policies, and procedure
requirements specific to PPSIs.
---------------------------------------------------------------------------
It is also possible that a subsidiary PPSI may be subject to an
obligation parallel to that of its parent in a situation where a
Federal functional regulator requires a subsidiary to comply with its
parent's regulatory obligations. FinCEN addressed such a situation in a
2012 administrative ruling.\132\ When FinCEN issued that ruling, loan
and finance companies had just been added to the list of financial
institutions under the BSA, and FinCEN had just issued regulations
requiring loan and finance companies to develop and implement written
AML programs.\133\ FinCEN's ruling stated that when a loan or finance
company subsidiary and a parent financial institution are subject to
the same rule and are examined by the same regulator, the subsidiary is
``deemed to comply with FinCEN's regulations[.]'' \134\ FinCEN requests
comment on whether it would be appropriate to apply the logic of this
administrative ruling to PPSIs that are subsidiaries of insured
depository institutions, or conversely whether the holding of the
administrative ruling should be broadened to apply to subsidiaries and
parents that are subject to similar rules but not the same rule. FinCEN
also requests comment on whether it is proposing any obligations on
PPSIs that would conflict with existing obligations of an insured
depository institution such that complying with both would be legally
or practically impossible.
---------------------------------------------------------------------------
\132\ FinCEN, FIN-2012-R005, Compliance Obligations of Certain
Loan or Finance Company Subsidiaries of Federally Regulated Banks
and Other Financial Institutions (Aug. 13, 2012) available at
https://www.fincen.gov/system/files/administrative_ruling/FIN-2012-R005.pdf.
\133\ See FinCEN, Anti-Money Laundering Program and Suspicious
Activity Report Filing Requirements for Residential Mortgage Lenders
and Originators, 77 FR 8157 (Feb. 14, 2012).
\134\ FinCEN, FIN-2012-R005, supra note 132, p. 2.
---------------------------------------------------------------------------
ii. Uninsured National Banks
The GENIUS Act also permits certain uninsured national banks to be
PPSIs.\135\ Such an institution would potentially be subject to BSA
obligations both as a bank and as a PPSI. Much like with PPSIs that are
a subsidiary of an insured depository institution, FinCEN expects that
its efforts to harmonize obligations for various types of financial
institutions will facilitate such an entity's ability to efficiently
comply with both bank and PPSI obligations. Moreover, as explained
below, some of the obligations proposed in this rule are similar to
those currently imposed on banks. Where obligations differ, an
institution that is both a bank and a PPSI, however, will be required
to comply with both sets of obligations. FinCEN requests comment on
whether it is proposing any obligations that would
[[Page 18592]]
conflict with existing obligations such that complying with both would
be legally or practically impossible. FinCEN also requests comment on
whether it can take steps to promote efficiencies where a single entity
is subject to two obligations.
---------------------------------------------------------------------------
\135\ See 12 U.S.C. 5901(11)(B); see also Implementing the
Guiding and Establishing National Innovation for U.S. Stablecoins
Act for the Issuance of Stablecoins by Entities Subject to the
Jurisdiction of the Office of the Comptroller of the Currency, 91 FR
10202, 10232, 10296 (Mar. 2, 2026).
---------------------------------------------------------------------------
iii. Money Services Businesses
Finally, the activities in which PPSIs will engage constitute money
transmission, the logic under which stablecoin issuers are currently
regulated as MSBs. To limit overlapping obligations and confusion,
FinCEN proposes affirmatively carving out PPSIs from the definition of
MSB.\136\ FinCEN requests comment on whether this carve out is
appropriate and results in any ambiguity.
---------------------------------------------------------------------------
\136\ See infra section VI.C.1.ii.
---------------------------------------------------------------------------
This carve out only applies to PPSIs, and not to other persons
engaged in activities involving the issuance of stablecoins that are
not payment stablecoins. In general, FinCEN is not changing the
regulatory framework that currently applies to activities involving
CVCs and to entities other than PPSIs engaging in those activities. For
example, stablecoin issuers that issue tokens that are not payment
stablecoins, i.e., value that substitutes for currency, will remain
subject to the MSB framework. Other than changes specific to PPSIs,
FinCEN does not intend for this proposal to change any aspect of
FinCEN's framework relating to value that substitutes for currency or
entities that engage in activity related to the same.
B. Obligations for Primary and Secondary Market Activity
FinCEN is proposing that some PPSI obligations will apply to the
secondary market, while others will not. In doing so, FinCEN has
attempted to balance what it currently assesses is the burden of
secondary market obligations against the prospective benefit. FinCEN is
proposing applying secondary market obligation where PPSIs can most
directly mitigate illicit finance in the U.S. financial system. Notably
both obligations where FinCEN is proposing secondary market obligations
are imposed on PPSIs directly by the GENIUS Act. FinCEN is proposing
PPSIs have obligations with regards to the secondary market as part of
technical capabilities and policies and procedures to block, freeze,
and reject impermissible transactions and technical capabilities to
comply, and complying, with the terms of lawful orders. In some cases,
stablecoin issuers already have such capabilities and leverage them to
comply with existing law.
In contrast, FinCEN is not proposing to require a PPSI as part of
an AML/CFT program to monitor secondary market activity, although a
PPSI will be required to understand the risk its customers pose as part
of its due diligence, as well as its distribution channels, including
the blockchains on which its payment stablecoins are deployed. FinCEN
is also not proposing to require PPSIs to file SARs on secondary market
transactions as FinCEN has preliminarily assessed that the burden of
requiring PPSIs to file SARs concerning secondary market activity could
potentially outweigh the potential benefits. FinCEN requests comment on
its proposed approach.
C. Section-by-Section Analysis
FinCEN is proposing changes to its existing regulations, as well as
creation of a new part applicable to PPSIs, proposed part 1033.\137\
Section VI.C.1 describes changes proposed to FinCEN's existing
definitions as well as proposes new definitions. Section VI.C.2
describes FinCEN's proposed delegation of its examination authority.
Section VI.C.3 describes FinCEN's proposed requirement for PPSIs to
establish AML/CFT programs, to include risk-based procedures for
conducting ongoing customer due diligence (CDD). Section VI.C.4
describes FinCEN's proposal related to supervision and enforcement.
Section VI.C.5 describes FinCEN's proposal relating to collection of
beneficial ownership information for legal entity customers. Section
VI.C.6 describes FinCEN's proposals for additional technical
capabilities, policies, and procedure requirements specific to PPSIs,
as mandated by the GENIUS Act. Section VI.C.7 describes FinCEN's
proposal related to PPSIs currency transaction reporting requirements.
Section VI.C.8 describes FinCEN's proposal for PPSI suspicious activity
reporting requirements. Section VI.C.9 describes FinCEN's proposal
relating to records PPSIs will be required to maintain, including under
the Recordkeeping and Travel Rules. Section VI.C.10 describes FinCEN's
proposals relating to information sharing authorities. Finally, section
VI.C.11 describes FinCEN's proposals relating to enhanced due diligence
PPSIs will be required to undertake, as well as application of special
measures.
---------------------------------------------------------------------------
\137\ As part of proposed part 1033, FinCEN proposes that if one
portion of the proposed regulation, if finalized, is found to be
invalid, the invalidated portion of the regulation should be severed
with the remaining portions of the regulation remaining in full
force and effect. FinCEN's position is that invalidation of any one
provision, or application thereof to any one person or circumstance,
does not, and should not, affect any other provision in this
proposed regulation. Each provision serves an important, related,
but distinct purpose and application, designed to benefit the public
by protecting the U.S. financial system from illicit financial
activity. FinCEN accordingly has proposed each provision such that
invalidity to one provision would not undermine the operability or
usefulness of the other provisions.
---------------------------------------------------------------------------
1. Definitions
FinCEN is proposing to amend four existing definitions and add nine
new terms to the general definitions section of its regulations, 31 CFR
1010.100. Where it is adding new terms, in large part, FinCEN is
proposing promulgating the same language as the GENIUS Act. In a few
instances, however, FinCEN's proposed language diverges from the
statutory text in order to reconcile differences between how the GENIUS
Act defines a term and how the same term is defined in FinCEN's
existing regulations or to avoid confusion when similar terms are
defined both by the GENIUS Act and FinCEN's existing regulations.
FinCEN is also proposing modifications to improve readability,
including not adopting GENIUS Act language where it is unnecessary for
purposes of this proposed rule.
Relatedly, FinCEN is not proposing to promulgate regulatory
definitions for the GENIUS Act definitions for some words even though
FinCEN is proposing rule text for terms that reference those words. For
instance, both the GENIUS Act and FinCEN's proposed definition of
``permitted payment stablecoin issuer'' use the term ``subsidiary,''
which is in turn defined by the GENIUS Act by reference to section 3 of
the Federal Deposit Insurance Act (12 U.S.C. 1813).\138\ With limited
exceptions, FinCEN assesses that while these additional definitions may
be essential for other regulatory authorities to discharge their
regulatory obligations relating to approving issuers, they are not
necessary to understand the scope of FinCEN's proposed obligations or
the population on which those obligations will be imposed.
---------------------------------------------------------------------------
\138\ See 12 U.S.C. 5901(32) (defining ``subsidiary''); see also
12 U.S.C. 5901(23) (defining ``permitted payment stablecoin
issuer'').
---------------------------------------------------------------------------
None of these proposed changes to the GENIUS Act's language are
intended to substantively alter the GENIUS Act's requirements as
implemented through this propose rule. FinCEN seeks comment on the
clarity of these definitions, including whether any deviation that
FinCEN is proposing from the GENIUS Act's language could be read as
changing the intended effect of
[[Page 18593]]
the Act, and whether any additional terms should be defined.
FinCEN is reserving two subparagraphs, (nnn) and (ooo), expecting
they will contain definitions proposed in a previously issued FinCEN
rulemaking related to AML/CFT programs for the 11 types of existing
financial institutions.
i. Proposed Amendment to 31 CFR 1010.100(t)--Financial Institution
The GENIUS Act directs that a ``permitted payment stablecoin issuer
shall be treated as a financial institution for purposes of the''
BSA.\139\ To implement this directive and ensure that PPSIs are subject
to the appropriate BSA obligations in a clear and consistent manner--
and because, as discussed above in section VI.A.1, FinCEN proposes
exercising its 31 U.S.C. 5312(a)(2)(Y) authority to define PPSIs as
financial institutions under the BSA--FinCEN is proposing to amend the
definition of ``financial institution'' at 31 CFR 1010.100(t) to
expressly include ``permitted payment stablecoin issuer.'' Consistent
with other financial institutions, ``permitted payment stablecoin
issuer'' will be defined separately in a new paragraph.
---------------------------------------------------------------------------
\139\ See 12 U.S.C. 5903(a)(5)(A).
---------------------------------------------------------------------------
ii. Proposed Amendment to 31 CFR 1010.100(ff)--Money Services Business
FinCEN is proposing to amend the definition of ``money services
business,'' 31 CFR 1010.100(ff), to add PPSIs to the list of financial
institutions that the term ``money services business'' shall not
include. The amendment makes clear that PPSIs are subject to
obligations as a PPSI and not as a money services business.
iii. Proposed Amendment to 31 CFR 1010.100(bbb)--Transaction
FinCEN is proposing to amend the definition of ``transaction,'' 31
CFR 1010.100(bbb), to add the issuance or redemption of a payment
stablecoin as a type of transaction. This amendment clarifies that
these activities qualify as transactions. It should not be construed,
including by negative inference, that issuance and redemption of other
kinds of value that substitute for currency are not a transaction.\140\
Moreover, it should not be construed, including by negative inference,
that issuing and redeeming payment stablecoins are the only kinds of
transactions in which a PPSI will engage.
---------------------------------------------------------------------------
\140\ See 2019 CVC Guidance, supra note 87, p. 13 (discussing
that an ``administrator'' engages in issuing and redeeming a virtual
currency and is generally a money transmitter).
---------------------------------------------------------------------------
iv. Proposed Amendment to 31 CFR 1010.100(eee)--Transmittal Order
FinCEN is proposing to amend the definition of ``transmittal
order,'' 31 CFR 1010.100(eee), to add a payment stablecoin as a subject
of an order. As discussed in greater detail below, this amendment is
intended to clarify that a transmittal order to pay payment stablecoins
is a transmittal order like an order to pay traditional money. It
should not be construed, including by negative inference, that orders
to pay other kinds of value that substitute for currency are not
transmittal orders.\141\
---------------------------------------------------------------------------
\141\ See infra section VI.C.9.ii.a; see also 2019 CVC Guidance,
supra note 87, p. 11.
---------------------------------------------------------------------------
v. Proposed 31 CFR 1010.100(ppp)--Digital Asset
FinCEN is proposing to define the term ``digital asset'' as
provided in the GENIUS Act, 12 U.S.C. 5901(6). Under the proposed rule,
the term ``digital asset'' would mean any digital representation of
value that is recorded on a cryptographically secured distributed
ledger. FinCEN considers it useful to define this term explicitly in
its regulations in order to enhance the clarity and conciseness of its
regulations. Many of the regulatory obligations that FinCEN is
proposing to impose on PPSIs take into account, in one way or another,
the concept of digital assets. Most notably, the term ``digital
assets'' is used in ``payment stablecoin.''
FinCEN's use of the term ``digital asset'' is limited currently to
proposed obligations to be imposed on PPSIs. FinCEN is aware that the
addition of ``digital asset'' adds a term related to other terms used
in the BSA, its own regulations and its guidance--most notably ``value
that substitutes for currency'' and ``convertible virtual currency.''
FinCEN's defining and use of the term ``digital asset'' in proposed
obligations to be imposed on PPSIs should not be construed, including
by negative inference, to alter or displace anything about FinCEN's
regulatory infrastructure related to value that substitutes for
currency or CVC. Digital assets may be value that substitutes for
currency, and vice versa, but the two are not synonymous, and the
regulatory requirements that may be associated with one must be
evaluated independently of the requirements that may be associated with
the other.
vi. Proposed 31 CFR 1010.100(qqq)--Distributed Ledger
FinCEN is proposing to define the term ``distributed ledger'' as
provided in the GENIUS Act, 12 U.S.C. 5901(8). Under the proposed rule,
the term ``distributed ledger'' would mean a technology in which data
is shared across a network that creates a public digital ledger of
verified transactions or information among network participants and
cryptography is used to link the data to maintain the integrity of the
public ledger and execute other functions. The term distributed ledger
is used both in the term digital asset and payment stablecoin.
vii. Proposed 31 CFR 1010.100(rrr)--Lawful Order
FinCEN is proposing to define the term ``lawful order'' as provided
in the GENIUS Act, 12 U.S.C. 5901(16), with certain modifications in
light of a preexisting FinCEN regulatory definition. Under the proposed
rule the term ``lawful order'' would mean any final and valid writ,
process, order, rule, decree, command, or other requirement issued or
promulgated under Federal law, issued by a court of competent
jurisdiction or by an authorized Federal agency pursuant to its
statutory authority, that (1) requires an individual, partnership,
company, corporation, association, trust, estate, cooperative
organization, or other business entity, incorporated or unincorporated,
to seize, freeze, burn, or prevent the transfer of payment stablecoins
that the individual or entity issued; (2) specifies the payment
stablecoins or accounts subject to blocking with reasonable
particularity; and (3) is subject to judicial or administrative review
or appeal as provided by law.
The proposed definition modifies the GENIUS Act definition of
lawful order by replacing the statutory term ``person'' with language
used in the GENIUS Act definition of ``person,'' as provided in 12
U.S.C. 5901(24).\142\ The term ``person'' is already defined in FinCEN
regulations at 31 CFR 1010.100(mm) \143\ and differs from the GENIUS
Act definition of ``person.'' In particular, FinCEN's regulatory
definition of ``person'' includes Indian Tribes as defined in the
Indian Gaming Regulatory Act, which the GENIUS Act definition of person
does not include.
[[Page 18594]]
Further, FinCEN's regulatory definition also does not characterize the
entities that comprise the category as ``business'' entities, as the
GENIUS Act definition does. To ensure the definition of ``lawful
order'' for PPSIs accurately applies to the ``persons'' that Congress
intended, as evidenced by the GENIUS Act definition of the term, FinCEN
accordingly proposes to, instead of using the term person, incorporate
the language the GENIUS Act uses to define person into the regulatory
definition of ``lawful order.'' FinCEN solicits comments on whether the
incorporation of the specific GENIUS Act language is necessary, or
whether, if FinCEN reverts to the use of the term ``person'' as
currently defined in its regulations, this will change the intended
meaning or effect of the GENIUS Act.
---------------------------------------------------------------------------
\142\ See 12 U.S.C. 5901(24) (defining ``person'' as ``an
individual, partnership, company, corporation, association, trust,
estate, cooperative organization, or other business entity,
incorporated or unincorporated'').
\143\ See 31 CFR 1010.100(mm) (defining ``Person'' as ``An
individual, a corporation, a partnership, a trust or estate, a joint
stock company, an association, a syndicate, joint venture, or other
unincorporated organization or group, an Indian Tribe (as that term
is defined in the Indian Gaming Regulatory Act), and all entities
cognizable as legal personalities.'').
---------------------------------------------------------------------------
Additionally, the GENIUS Act uses the term ``account'' in the
definition of lawful order and FinCEN proposes to do the same.\144\ A
number of other terms currently codified in FinCEN's general definition
section, 31 CFR 1010.100 also use the term ``account'' without defining
the term.\145\ As discussed in greater detail below, and consistent
with that approach, FinCEN proposes not further elaborating on the
meaning of account within the definition of lawful order and requests
comment on this approach.\146\
---------------------------------------------------------------------------
\144\ See 12 U.S.C. 5901(16) (defining, in part, ``lawful
order'' as one that ``specifies the payment stablecoins or accounts
subject to blocking with reasonable particularity'' (emphasis
added)).
\145\ See, e.g., 31 CFR 1010.100(p) (defining ``established
customer''); 1010.100(bbb) (defining ``transaction''). For financial
institutions with customer identification program (CIP) obligations,
those institution's subparts often include a definition of
``account.'' However, those definitions are limited to CIP
obligations unless expressly noted elsewhere. See 31 CFR 1020.100(a)
(defining ``account'' for CIP purposes in bank subpart); 1023.100(a)
(defining ``account'' for CIP purposes in brokers or dealers in
securities subpart); see also 1010.230 (defining ``account'' in
obligation related to legal entity customers by explicit reference
to CIP definitions of ``account'').
\146\ See infra section VI.C.6.ii discussing proposed
obligations related to lawful order compliance and technical
capabilities.
---------------------------------------------------------------------------
viii. Proposed 31 CFR 1010.100(sss)--Payment Stablecoin
FinCEN is proposing to define the term ``payment stablecoin'' as
provided in the GENIUS Act, 12 U.S.C. 5901(22), with certain
modifications in light of preexisting FinCEN regulatory definitions and
technical changes. Additionally, FinCEN proposes embedding within the
definition of payment stablecoin two other terms defined in the GENIUS
Act.
Under the proposed rule, the term ``payment stablecoin'' would mean
a digital asset (i) that is, or is designed to be, used as a means of
payment or settlement and (ii) the issuer of which: (A) is obligated to
convert, redeem, or repurchase for a fixed amount of monetary value,
but not for a digital asset denominated in a fixed amount of a monetary
value; and (B) represents that such issuer will maintain, or create the
reasonable expectation that it will maintain, the digital asset at a
stable value relative to the value of a fixed amount of monetary value.
The proposed definition also provides that a ``payment stablecoin''
does not include a digital asset that is: (i) a national currency; (ii)
a deposit (as defined in section 3 of the Federal Deposit Insurance Act
(12 U.S.C. 1813)) including a deposit recorded using distributed ledger
technology; or (iii) a security, as defined in section 2 of the
Securities Act of 1933 (15 U.S.C. 77b), section 3 of the Securities
Exchange Act of 1934 (15 U.S.C. 78c), or section 2 of the Investment
Company Act of 1940 (15 U.S.C. 80a-2). For purposes of the definition
of ``payment stablecoin,'' FinCEN intends for the definition of
``security'' provided in paragraph (iii) of the proposed definition to
apply and not the preexisting regulatory definition of ``security'' at
31 CFR 1010.100(ss).
The GENIUS Act's definition of ``payment stablecoin'' contains
language clarifying that ``no bond, note, evidence of indebtedness, or
investment contract that was issued by a permitted payment stablecoin
issuer shall qualify as a security solely [because the issuer
satisfies] the conditions in [paragraph (1) of the proposed ``payment
stablecoin'' definition], consistent with section 17 of the Act.''
FinCEN has determined that this ``for avoidance of doubt'' language is
unnecessary for its regulatory definition of payment stablecoin. The
GENIUS Act includes amendments to the cited statutes covered in
proposed paragraph (iii) that clarify that payment stablecoins are not
securities.\147\ Accordingly, while this clarification may have been
necessary to understand the intent of the GENIUS Act at the time it was
passed, the Act's amendments of security-related statutory provisions
obviate the need to include this language in FinCEN's regulations.
---------------------------------------------------------------------------
\147\ See section 17 of the GENIUS Act, Public Law 119-27.
---------------------------------------------------------------------------
The proposed definition of ``payment stablecoin'' also includes
definitions of the terms ``national currency'' and ``monetary value''
within the definition of ``payment stablecoin'' consistent with the
definition of the terms in the GENIUS Act, 12 U.S.C. 5901(19) and (17),
with certain modifications. Although the GENIUS Act defines both terms
independently from payment stablecoin, neither term is used outside of
payment stablecoin as pertinent to this rulemaking. Moreover, adding
the GENIUS Act definitions of ``national currency'' or ``monetary
value'' as separately defined terms in 31 CFR 1010.100 could have an
unintended impact on other FinCEN regulations that already use similar
terms to mean different things, and could therefore have unintended
impact on the regulatory obligations of other types of financial
institutions or create unnecessary confusion about those regulatory
obligations. Relatedly, within the definition of ``national currency,''
FinCEN proposes replacing the statutory term ``money'' with the GENIUS
Act's definition of ``money.'' This should avoid confusion as ``money''
appears elsewhere in FinCEN's regulations.
FinCEN proposes that for purposes of the definition of ``payment
stablecoin'' the term--(i) National currency means each of the
following--(A) A Federal Reserve note (as the term is used in the first
undesignated paragraph of section 16 of the Federal Reserve Act (12
U.S.C. 411)); or (B) A medium of exchange currently authorized or
adopted by a domestic or foreign government including a monetary unit
of account established by an intergovernmental organization or by
agreement between two or more countries that is: (1) standing to the
credit of an account with a Federal Reserve Bank; (2) issued by a
foreign central bank; or (3) issued by an intergovernmental
organization pursuant to an agreement by two or more governments; and
(ii) Monetary value means national currency or deposit (as defined in
section 3 of the Federal Deposit Insurance Act (12 U.S.C. 1813))
denominated in a national currency. The proposed definition of
``national currency'' reformats and modifies the definition in the
GENIUS Act, 12 U.S.C. 5901(19), by including the GENIUS Act definition
of ``money,'' 12 U.S.C. 5901(18) within the definition, in paragraph
(B), and making statutory paragraphs (B), (C), and (D) into proposed
paragraphs (1), (2), and (3) for grammatical consistency. The proposed
definition of ``monetary value'' within the definition of ``payment
stablecoin'' is consistent with the definition of the term in the
GENIUS Act, 12 U.S.C. 5901(17).
ix. Proposed 31 CFR 1010.100(ttt)--Permitted Payment Stablecoin Issuer
FinCEN is proposing to define the term ``permitted payment
stablecoin issuer'' as provided in the GENIUS Act, 12 U.S.C. 5901(23),
with certain
[[Page 18595]]
modifications in light of preexisting FinCEN regulatory definitions.
Under the proposed rule, the term permitted payment stablecoin issuer
would mean an individual, partnership, company, corporation,
association, trust, estate, cooperative organization, or other business
entity, incorporated or unincorporated formed in the United States that
is: (1)(A) a subsidiary of an insured depository institution that has
been approved to issue payment stablecoins by a primary Federal payment
stablecoin regulator; or (B) a subsidiary of an insured credit union
that has been approved to issue payment stablecoins by a primary
Federal payment stablecoin regulator; (2) a Federal qualified payment
stablecoin issuer; or (3) a State qualified payment stablecoin issuer.
The proposed definition modifies the definition of permitted payment
stablecoin issuer provided in the GENIUS Act by replacing the statutory
term ``person'' with the language the GENIUS Act uses to define
``person'' as provided in 12 U.S.C. 5901(24).\148\ As described above,
the term ``person'' is already defined in FinCEN regulations at 31 CFR
1010.100(mm) \149\ and differs from the GENIUS Act definition of
person. To ensure the definition of ``permitted payment stablecoin
issuer'' accurately applies only to ``persons'' as defined in the
GENIUS Act, FinCEN proposes adding the GENIUS Act definition of
``person'' within the ``permitted payment stablecoin issuer''
definition.
---------------------------------------------------------------------------
\148\ See 12 U.S.C. 5901(24) (defining the term ``person'' to
mean ``an individual, partnership, company, corporation,
association, trust, estate, cooperative organization, or other
business entity, incorporated or unincorporated'').
\149\ See 31 CFR 1010.100(mm) (stating ``Person. An individual,
a corporation, a partnership, a trust or estate, a joint stock
company, an association, a syndicate, joint venture, or other
unincorporated organization or group, an Indian Tribe (as that term
is defined in the Indian Gaming Regulatory Act), and all entities
cognizable as legal personalities.'').
---------------------------------------------------------------------------
Additionally, the proposed definition modifies statutory paragraph
(A) by replacing the term ``insured depository institution'' with the
GENIUS Act definition of ``insured depository institution,'' in 12
U.S.C. 5901(15), which includes two subparagraphs one applying to
insured depository institutions as defined in section 3 of the Federal
Deposit Insurance Act and a second for insured credit unions. FinCEN is
also omitting from the GENIUS Act's definition ``insured depository
institution'' the phrase ``as defined in section 3 of the Federal
Deposit Insurance Act (12 U.S.C. 1813).'' While this language may be
essential for regulators responsible for approving issuers, FinCEN does
not believe it is necessary to understand the scope of the obligations
it proposes to impose or the population on which those obligations are
imposed. Finally, the definition also replaces the statutory reference
``has been approved to issue payment stablecoins under section 5'' with
``has been approved to issued payment stablecoins by a primary Federal
payment stablecoin regulator'' in both proposed paragraph (1)(A) and
(1)(B).
x. Proposed 31 CFR 1010.100(uuu)--Primary Federal Payment Stablecoin
Regulator
FinCEN is proposing to define the term ``primary Federal payment
stablecoin regulator'' as provided in the GENIUS Act, 12 U.S.C.
5901(25), with certain modifications. Under the proposed rule, the term
``primary Federal payment stablecoin regulator'' would mean (1) for a
subsidiary of an insured depository institution, as described in
paragraph (ttt)(1)(A) of this section, the appropriate Federal banking
agency of such insured depository institution; (2) for a subsidiary of
an insured credit union, as described in paragraph (ttt)(1)(B), the
NCUA; (3) for a State chartered depository institution not covered in
subparagraph (1), the FDIC, the OCC, or the Board; or (4) for a Federal
qualified payment stablecoin issuer, the OCC.
The proposed definition modifies the statutory definition by
including cross references to the proposed definition of ``permitted
payment stablecoin issuer'' to describe a subsidiary of an insured
depository institution and a subsidiary of an insured credit union. The
definition also uses the full agency names for each Federal banking
agency named in the definition for stylistic consistency with other
FinCEN regulations.
xi. Proposed 31 CFR 1010.100(vvv)--Federal Qualified Payment Stablecoin
Issuer
FinCEN is proposing to define the term ``Federal qualified payment
stablecoin issuer'' as provided in the GENIUS Act, 12 U.S.C. 5901(11),
with certain technical modifications for conciseness and in deference
to another agency's authority. Under the proposed rule, the term
``Federal qualified payment stablecoin issuer'' would mean an entity
that is approved by the OCC under 12 U.S.C. 5903 to issue payment
stablecoins and is either--(1) a nonbank entity; (2) an uninsured
national bank; or (3) a Federal branch.
The GENIUS Act definition of Federal qualified payment stablecoin
issuer contains for the three subtypes of institutions--nonbank
entities, uninsured national banks, and foreign bank branches--
references to OCC approval and in one case OCC's statutory authority.
FinCEN proposes to consolidate references to OCC approval and remove
reference to the OCC's statutory authority. FinCEN considers this
approach appropriate in light of the fact that the OCC, not FinCEN, has
the authority to determine how, using what terms and establishing what
categories, to discharge the OCC's regulatory obligations in connection
with Federal qualified payment stablecoin issuers as required by the
GENIUS Act. FinCEN conceives of its responsibility in this connection
as establishing a smooth interface between its own regulations on the
subject and those of the OCC, and it regards the proposed language as
the best way to do so. In addition, the proposed language has the
benefit of conciseness.
xii. Proposed 31 CFR 1010.100(www)--State Payment Stablecoin Regulator
FinCEN is proposing to define the term ``State payment stablecoin
regulator'' as provided in the GENIUS Act, 12 U.S.C. 5901(30), with
certain modifications in light of preexisting FinCEN regulatory
definitions. Under the proposed rule, the term ``State payment
stablecoin regulator'' would mean a state agency that has the primary
regulatory and supervisory authority in such state over entities that
issue payment stablecoins. Under the GENIUS Act, the term ``State''
includes ``each of the several States of the United States, the
District of Columbia, and each territory of the United States.'' \150\
FinCEN proposes modifying the GENIUS Act's definition of ``State
payment stablecoin regulator'' to account for FinCEN's existing
definition of ``State,'' \151\ which does not include any U.S.
territories. FinCEN is thus adding its existing regulatory phrase
``Territory and Insular Possession'' to make clear that for purposes of
this definition ``State'' includes territories.\152\
---------------------------------------------------------------------------
\150\ See 12 U.S.C. 5901(28).
\151\ See 31 CFR 1010.100(vv) (defining ``State'' as ``The
States of the United States and, wherever necessary to carry out the
provisions of this chapter, the District of Columbia.'').
\152\ See 31 CFR 1010.100(zz) (defining ``Territories and
Insular Possessions'' as ``The Commonwealth of Puerto Rico, the
United States Virgin Islands, Guam, the Commonwealth of the Northern
Mariana Islands, and all other territories and possessions of the
United States other than the Indian lands and the District of
Columbia.'').
---------------------------------------------------------------------------
[[Page 18596]]
xiii. Proposed 31 CFR 1010.100(xxx)--State Qualified Payment Stablecoin
Issuer
FinCEN is proposing to define the term ``State qualified payment
stablecoin issuer'' as provided in the GENIUS Act, 12 U.S.C. 5901(31),
with certain modifications in light of preexisting FinCEN regulatory
definitions. Under the proposed rule, the term ``State qualified
payment stablecoin issuer'' would mean an entity that is: (1) legally
established under the laws of a State or Territory and Insular
Possession and approved to issue payment stablecoins by a State payment
stablecoin regulator; and (2) not an uninsured national bank chartered
by the OCC pursuant to title LXII of the Revised Statutes; a Federal
branch or an insured depository institution, or a subsidiary, of such
national bank, Federal branch, or insured depository institution. For
meaning of ``insured depository institution'' this definition would
reference the proposed definition of ``permitted payment stablecoin
issuer'' at proposed 1010.100(ttt), clarifying that, consistent with
the GENIUS Act, ``insured depository institution,'' includes insured
depository institutions and insured credit unions.\153\
---------------------------------------------------------------------------
\153\ 12 U.S.C. 5901(15).
---------------------------------------------------------------------------
As with the definition of ``State qualified payment stablecoin
issuer,'' FinCEN is adding ``Territorial and Insular Possessions'' to
clarify that, consistent with the GENIUS Act, issuers legally
established under the laws of a Territory and Insular Possession can
qualify as a State qualified payment stablecoin issuer.
2. Proposed Amendment to 31 CFR 1010.810--Delegation of Examination
Authority
As administrator of the BSA, FinCEN has overall authority for
enforcement and compliance with the BSA and its implementing
regulations.\154\ FinCEN, however, may delegate examination authority
to appropriate agencies while retaining authority for the coordination
and direction of procedures and activities of these agencies.\155\
FinCEN has delegated examination authority for various financial
institutions, as reflected at Sec. 1010.810(b), and is proposing the
same approach with regards to examination authority for PPSIs.
---------------------------------------------------------------------------
\154\ See Treasury Order 180-01, supra note 15, para. 3; see
also 31 CFR 1010.810(a).
\155\ 31 U.S.C. 5318(a)(1); 31 CFR 1010.810(a); Treasury Order
180-1, supra note 15, paras. 3(b), 4(b).
---------------------------------------------------------------------------
Broadly speaking, the GENIUS Act divides PPSIs into two categories:
PPSIs that are regulated for safety and soundness by a primary Federal
payment stablecoin regulator (which includes the OCC, Board, FDIC, and
NCUA) and PPSIs that are regulated for safety and soundness by a State
payment stablecoin regulator.\156\ FinCEN proposes delegating
examination authority over PPSIs to federal agencies responsible for
examining the same entities for safety and soundness and, where no such
federal agency exists, to the IRS.\157\
---------------------------------------------------------------------------
\156\ See, e.g., 12 U.S.C. 5905 (outlining supervision by
primary Federal payment stablecoin regulators); 12 U.S.C. 5906
(outlining supervision by State payment stablecoin regulators).
\157\ Compare 31 CFR 1010.810(b)(1)-(6) with 31 CFR
1010.810(b)(8).
---------------------------------------------------------------------------
i. State Qualified Payment Stablecoin Issuers
Under the GENIUS Act, generally, a State qualified payment
stablecoin issuer with a consolidated total outstanding issuance of not
more than $10 billion payment stablecoins may opt for regulation under
a State-level regulatory regime, provided that the State-level
regulatory regime is substantially similar to the Federal regulatory
framework under the GENIUS Act.\158\ State qualified payment stablecoin
issuers that exceed the $10 billion in outstanding issuance of payment
stablecoins must either transition to the regulatory framework of the
primary Federal payment stablecoin regulator, which is then jointly
administered by the State payment stablecoin regulator and the primary
Federal payment stablecoin regulator, or obtain a waiver permitting the
State qualified payment stablecoin issuer to remain solely supervised
by a State payment stablecoin regulator.\159\
---------------------------------------------------------------------------
\158\ See 12 U.S.C. 5903(c), 5906.
\159\ 12 U.S.C. 5903(d).
---------------------------------------------------------------------------
Where a financial institution is not examined for compliance with
the BSA and FinCEN's regulations by the OCC, Board, FDIC, or NCUA, and
is not otherwise supervised by a Federal functional regulator, FinCEN
has delegated its examination authority to the IRS in Sec.
1010.810(b)(8). Likewise, here FinCEN proposes delegating its
examination authority to the IRS for PPSIs not examined by the OCC,
Board, FDIC, and NCUA--i.e., a primary Federal payment stablecoin
regulator--for safety and soundness. This population will include State
qualified payment stablecoin issuers not supervised by a primary
Federal payment stablecoin regulator, either because the State
qualified payment stablecoin issuer's outstanding issuance is not more
than $10 billion or because the primary Federal payment stablecoin
regulator has granted the PPSI a waiver to allow the PPSI to remain
supervised by a State payment stablecoin regulator. FinCEN believes the
IRS is well positioned to conduct BSA examinations for PPSIs not
examined by a primary Federal payment stablecoin regulator. As the BSA
examiner for a range of institutions not otherwise examined by another
agency, the IRS has staff trained in BSA examinations and a strong
relationship with FinCEN and various state regulators. Relatedly, the
IRS currently examines money transmitters, including stablecoin
issuers, for BSA compliance and is, thus, well positioned to assess
PPSI compliance with the BSA and ensure consistent application of BSA
provisions across PPSIs based in various states.
To effectuate this delegation of BSA examination, FinCEN believes
that no changes are necessary to Sec. 1010.810(b)(8), which already
states that such authority is delegated with respect to ``financial
institutions . . . not currently examined by Federal bank supervisory
agencies for soundness and safety.'' FinCEN believes the proposed text
ensures that each PPSI not examined by a primary Federal payment
stablecoin regulator for safety and soundness is examined by the IRS.
This delegation will not grant authority to the IRS where a State
qualified payment stablecoin issuer is subject to a primary Federal
payment stablecoin regulator's framework that is jointly administered
by the federal and state regulator and results in a primary Federal
payment stablecoin regulator examining for safety and soundness.
ii. Proposed 31 CFR 1010.810(b)(8)--Federal Qualified Payment
Stablecoin Issuers
Under the GENIUS Act, the OCC, Board, FDIC, and NCUA are the
primary Federal payment stablecoin regulators and responsible for,
among other things, assessing a PPSI's safety and soundness.\160\
Additionally, the GENIUS Act requires the primary Federal payment
stablecoin regulators to issue regulations relating to, among other
things, risk management principles-based requirements and standards,
including relating to the BSA.\161\
---------------------------------------------------------------------------
\160\ 12 U.S.C. 5905(a)(3); 12 U.S.C. 5901(25).
\161\ 12 U.S.C. 5903(a)(4)(A)(iv).
---------------------------------------------------------------------------
With regards to banks, FinCEN has delegated its authority to
examine financial institutions for chapter X compliance to the agency
that examines
[[Page 18597]]
the institution for safety and soundness.\162\ Consistent with that
approach, FinCEN's proposal adds a new paragraph to Sec. 1010.810(b)
to delegate examination authority to the primary Federal payment
stablecoin regulators responsible for assessing a PPSI's safety and
soundness. FinCEN believes the primary Federal payment stablecoin
regulator responsible for promulgating standards related to BSA and
examining particular PPSIs for safety and soundness is best positioned
to carry out effective and efficient BSA exams. As the definition of
primary Federal payment stablecoin regulator outlines the agency
responsible for oversight of various categories of PPSIs, FinCEN is not
proposing to detail in Sec. 1010.810(b)(11) which agency is
responsible for which subcategory of PPSIs.\163\
---------------------------------------------------------------------------
\162\ See 31 CFR 1010.810(b)(1)-(3), (5).
\163\ See infra section VI.C.1.x.
---------------------------------------------------------------------------
3. Proposed 31 CFR 1033.210--AML/CFT Program Requirements for PPSIs
The GENIUS Act directs that PPSIs be subject to ``maintenance of an
effective anti-money laundering program, which shall include
appropriate risk assessments and designation of an officer to supervise
the program.'' \164\ Effective AML/CFT programs safeguard national
security and generate significant public benefits by preventing the
flow of illicit funds in the financial system and by assisting law
enforcement and national security agencies with the identification and
prosecution of persons attempting to launder money and undertake other
illicit activity through the financial system.\165\
---------------------------------------------------------------------------
\164\ See 12 U.S.C. 5903(a)(5)(A)(i); see also 31 U.S.C.
5318(h).
\165\ 31 U.S.C. 5318(h)(2)(B)(iii).
---------------------------------------------------------------------------
FinCEN has separately issued a notice of proposed rulemaking that
would amend FinCEN's regulations that prescribe AML/CFT program
requirements for current financial institutions program rules under the
BSA. Updating the AML/CFT program requirements across financial
institution types is part of FinCEN's efforts to reform and modernize
the BSA, as well as implement the Anti-Money Laundering Act of 2020
(AML Act).\166\ That proposed rule is designed to help ensure that
financial institutions' AML/CFT programs are appropriately risk-based,
such that compliance with their program obligations is focused on the
goals of the BSA, including combatting and preventing money laundering,
the financing of terrorism, and other illicit finance activity risks
(collectively, ML/TF risks), rather than mere technical compliance.
Furthermore, that proposed rule for banks would help ensure that
supervisory and enforcement actions related to AML/CFT programs are
focused on significant or systemic failures to implement an effective
AML/CFT program (i.e., deficiencies or issues that arise from failing
to implement, in all material respects, a properly established AML/CFT
program).
---------------------------------------------------------------------------
\166\ Anti-Money Laundering Act of 2020, Public Law 116-283,
Div. F, sections 6001-6511, 134 Stat. 3388, 4547-4633 (Jan. 1,
2021).
---------------------------------------------------------------------------
In this proposed rule FinCEN proposes to impose on PPSIs an AML/CFT
program obligation consistent with the program being proposed for the
11 types of financial institutions currently covered by BSA program
requirements, with some modifications due to the GENIUS Act's specific
provisions. FinCEN assesses that such consistency across the types of
financial institutions promotes clarity, creates efficiencies, and best
protects the U.S. financial system from illicit actors. As described
below, under FinCEN's proposal, an AML/CFT program is inherently
tailored to the risk and operations of a PPSI, meeting the GENIUS Act's
directive that rules are tailored to an issuer's size and
complexity.\167\
---------------------------------------------------------------------------
\167\ See 12 U.S.C. 5903(a)(5)(B).
---------------------------------------------------------------------------
i. AML/CFT Program Overview
A central objective of Treasury and FinCEN's BSA modernization
efforts is to create an AML/CFT supervisory and regulatory regime that
is more effective in achieving the purposes of the BSA and promoting
better outcomes for law enforcement and national security
agencies.\168\ This proposed rule would further that objective by
explicitly defining the requirements for a PPSI to establish and
maintain an effective AML/CFT program. Consistent with the changes that
the AML Act made for other types of financial institutions, it would
also adopt into regulation the AML Act's expectation that AML/CFT
programs should be risk-based, including ensuring that PPSIs direct
more attention and resources toward higher-risk customers and
activities, consistent with the risk profile of the PPSI, rather than
toward lower-risk customers and activities.\169\
---------------------------------------------------------------------------
\168\ 31 U.S.C. 5311.
\169\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
---------------------------------------------------------------------------
Under proposed Sec. 1033.210 PPSIs would have an effective AML/CFT
program and comply with the requirements of 31 U.S.C. 5318(h)(1) and
Sec. 1033.210 if the PPSI: (1) establishes an AML/CFT program in
accordance with paragraph (b) of Sec. 1033.210; and (2) maintains an
AML/CFT program by implementing the AML/CFT program in accordance with
paragraph (c) of Sec. 1033.210. As part of the program, and consistent
with the mandate in the GENIUS Act, PPSIs would be required to conduct
ongoing customer due diligence.
a. Factors That FinCEN Considered
The AML Act requires FinCEN to take into account certain factors
when prescribing minimum AML/CFT program standards. FinCEN has
considered all these factors in developing this proposed rule.\170\
---------------------------------------------------------------------------
\170\ See 31 U.S.C. 5318(h)(2)(B). Per the BSA, the factors
FinCEN considered include, ``(i) Financial institutions are spending
private compliance funds for a public and private benefit, including
protecting the United States financial system from illicit finance
risks. (ii) The extension of financial services to the underbanked
and the facilitation of financial transactions, including
remittances, coming from the United States and abroad in ways that
simultaneously prevent criminal persons from abusing formal or
informal financial services networks are key policy goals of the
United States. (iii) Effective anti-money laundering and countering
the financing of terrorism programs safeguard national security and
generate significant public benefits by preventing the flow of
illicit funds in the financial system and by assisting law
enforcement and national security agencies with the identification
and prosecution of persons attempting to launder money and undertake
other illicit activity through the financial system. (iv) Anti-money
laundering and countering the financing of terrorism programs [. .
.] should be--(I) reasonably designed to assure and monitor
compliance with the requirements of this subchapter and regulations
promulgated under this subchapter; and (II) risk-based, including
ensuring that more attention and resources of financial institutions
should be directed toward higher-risk customers and activities,
consistent with the risk profile of a financial institution, rather
than toward lower-risk customers and activities.''
---------------------------------------------------------------------------
As stated in 31 U.S.C. 5318(h)(2)(B)(iii), effective AML/CFT
programs safeguard national security and generate significant public
benefits by preventing the flow of illicit funds in the financial
system and by assisting law enforcement and national security agencies
with the identification and prosecution of persons attempting to
launder money or undertake other illicit activity through the financial
system. The proposed rule would advance the BSA modernization and
reform goals of the AML Act by providing PPSIs and their regulators
with clarity about the requirements to have effective AML/CFT programs.
Likewise, 31 U.S.C. 5318(h)(2)(B)(iv)(I) provides that AML/CFT
programs should be ``reasonably designed to assure and monitor
compliance'' with the BSA and its implementing regulations and be risk-
based. The proposed rule advances these objectives by explicitly
requiring PPSIs to have effective AML/CFT programs and by describing
the
[[Page 18598]]
minimum components for an AML/CFT program to be effective.
Specifically, as part of an effective AML/CFT program, the proposed
rule requires that a PPSI establish and maintain a risk-based set of
internal policies, procedures, and controls that are reasonably
designed to ensure compliance with the BSA and FinCEN's regulations.
The internal policies, procedures, and controls requirement in the
proposed rule also demonstrates FinCEN's consideration of 31 U.S.C.
5318(h)(2)(B)(iv)(II), which states that AML/CFT programs should be
risk-based, including ensuring that more attention and resources of a
PPSI should be directed toward higher-risk customers and activities,
consistent with a PPSI's risk profile, rather than toward lower-risk
customers and activities. The proposed rule incorporates this directive
by explicitly requiring, as part of a PPSI's risk-based internal
policies, procedures, and controls, that a PPSI identify, assess, and
document its ML/TF risks through risk assessment processes. These risk
assessment processes require a PPSI to evaluate ML/TF risks and review
and incorporate the AML/CFT Priorities, as appropriate, with updates to
risk assessment processes promptly upon any change that the PPSI knows
or has reason to know significantly changes the PPSI's ML/TF risks.
These risk assessment processes are designed to help PPSIs mitigate ML/
TF risks and ensure that they are allocating resources commensurate
with their documented ML/TF risks, directing more attention and
resources toward higher-risk customers rather than toward lower-risk
customers and activities.
Finally, 31 U.S.C. 5318(h)(2)(B)(ii) requires FinCEN to consider
the extension of financial services to the underbanked and the
facilitation of financial transactions, including remittances, while
preventing criminal persons from abusing formal or informal financial
services networks. Through its emphasis on risk-based AML/CFT programs,
the proposed rule seeks to provide PPSIs with the flexibility to serve
a broad range of customers and avoid one-size-fits-all approaches to
customer risk that can lead to PPSIs declining to provide financial
services to entire categories of customers. The proposed rule would
help ensure that decisions taken by PPSIs with respect to closing
customer accounts are based on legitimate ML/TF risks and informed by
relevant facts and circumstances. The proposed rule is intended to
mitigate the risks of PPSIs potentially being inappropriately pressured
into closing customer accounts by emphasizing the risk-based nature of
AML/CFT programs. In doing so, the proposed rule also furthers the
objectives of E.O. 14331, Guaranteeing Fair Banking for All Americans,
which seeks to combat ``politicized or unlawful debanking.'' \171\
---------------------------------------------------------------------------
\171\ E.O. 14331, Guaranteeing Fair Banking for All Americans,
90 FR 38925 (Aug. 12, 2025).
---------------------------------------------------------------------------
b. Program Overview
The proposed rule would require a PPSI to establish an AML/CFT
program and then maintain the AML/CFT program by implementing, in all
material respects, the established AML/CFT program. In prescribing the
minimum standards for an AML/CFT program and in supervising and
examining compliance with those standards, the AML Act requires the
Secretary and the appropriate Federal functional regulator to take into
account that effective AML/CFT programs safeguard national security and
help law enforcement prevent the flow of illicit funds in the financial
system.\172\ An AML/CFT program can be effective without preventing
every minor instance of a financial institution falling prey to illicit
finance misuse. Accordingly, the proposed rule would set out that an
AML/CFT program is ``effective'' and complies with the requirements of
31 U.S.C. 5318(h)(1) so long as it is established and maintained in
accordance with applicable requirements.
---------------------------------------------------------------------------
\172\ See 31 U.S.C. 5318(h)(2)(B)(iii).
---------------------------------------------------------------------------
A PPSI would be required to establish a risk-based set of internal
policies, procedures, and controls that are reasonably designed to
ensure compliance with the BSA and 31 CFR chapter X. The risk-based
internal policies, procedures, and controls must also be reasonably
designed to: (1) identify, assess, and document the PPSI's ML/TF risks
through risk assessment processes that evaluate the risks of the PPSI's
business activities, review and, as appropriate, incorporate the AML/
CFT Priorities, and are updated promptly upon any change that the PPSI
knows or has reason to know significant changes in the PPSI's ML/TF
risks; (2) mitigate the PPSI's ML/TF risks, consistent with the PPSI's
risk assessment processes; and, (3) conduct ongoing customer due
diligence.
The proposed rule would also require a PPSI to establish an ongoing
employee training program and independent AML/CFT program testing as
part of its AML/CFT program.
Finally, the proposed rule would require a PPSI to designate an
individual responsible for establishing and implementing the AML/CFT
program and coordinating and monitoring day-to-day compliance; that
individual would be required to be located in the United States and
accessible to, and subject to oversight and supervision by, FinCEN and
its designee, including the appropriate primary Federal payment
stablecoin regulator. That individual also could not have been
convicted of a felony offense involving certain kinds of activity, as
required by the GENIUS Act.\173\
---------------------------------------------------------------------------
\173\ See 12 U.S.C. 5903(f).
---------------------------------------------------------------------------
Under the proposed rule, having an effective AML/CFT program would
be more than a one-time adoption of a risk-based set of internal
policies, procedures, and controls. Rather, a PPSI would be required to
keep its risk-based set of internal policies, procedures, and
controls--and the risk assessment processes that inform them--current
as the PPSI's risk profile changes. Similarly, an AML/CFT program would
involve more than a one-time creation of an employee training program
or initiation of an independent testing mechanism: the PPSI would also
be required to keep such aspects of the AML/CFT program current as the
PPSI's risk profile changes. Thus, even where a PPSI has previously
established an AML/CFT program in accordance with the proposed rule, a
failure to update the program to reflect significant changes to the
PPSI's risk profile may result in the program no longer meeting the
program establishment requirements, and the PPSI may accordingly be
subject to supervisory or enforcement action for failure to establish
an effective AML/CFT program.
Once a PPSI has properly ``established'' an AML/CFT program, the
PPSI must ``maintain'' the program by implementing it, in all material
respects. Minor deficiencies of an AML/CFT program would not
necessarily mean that a PPSI has failed to implement the program.
ii. Proposed 31 CFR 1033.210(b)--Program Establishment
The AML/CFT program requirements for PPSI's must have certain
minimum elements comprised of: (1) internal policies, procedures, and
controls; (2) an independent audit function to test programs; (3) a
designated compliance officer; and (4) an ongoing employee training
program.
a. Proposed 31 CFR 1033.210(b)(1)--Internal Policies, Procedures, and
Controls
The BSA requires financial institutions to develop ``internal
[[Page 18599]]
policies, procedures, and controls'' as part of their AML/CFT
programs.\174\ Proposed Sec. 1033.210(b)(1) provides that a PPSI's
risk-based set of internal policies, procedures, and controls must be
reasonably designed to: (1) identify, assess, and document ML/TF risks
through risk assessment processes; (2) mitigate ML/TF risks consistent
with the risk assessment processes, including by allocating more
attention and resources toward higher-risk customers and activities
rather than toward lower-risk customers and activities; and (3) conduct
ongoing CDD.
---------------------------------------------------------------------------
\174\ 31 U.S.C. 5318(h)(1)(A).
---------------------------------------------------------------------------
Under this proposal, a PPSI's risk-based set of internal policies,
procedures, and controls should be based upon, informed by, and
consistent with a PPSI's risk assessment processes. The level of
sophistication of the internal policies, procedures, and controls
should be commensurate with the size, structure, risk profile, and
complexity of the PPSI.
The requirement that a PPSI's risk-based set of internal policies,
procedures, and controls be ``reasonably designed'' gives PPSIs
flexibility in how they achieve compliance with the BSA and the
proposed rule's other requirements. As part of having risk-based set of
internal policies, procedures, and controls reasonably designed to
ensure compliance with the BSA and FinCEN's regulations, PPSIs may
choose to responsibly adopt new technologies or innovative approaches
to comply with BSA requirements.
1. Proposed 31 CFR 1033.210(b)(1)(i)--Risk Assessment Processes
FinCEN is proposing in Sec. 1033.210(b)(1)(i) that, as part of a
PPSI's risk-based set of internal policies, procedures, and controls,
the PPSI establish and maintain risk assessment processes to: (1)
evaluate the ML/TF risks of the PPSI's business activities, including
products, services, distribution channels, customers, and geographic
locations; (2) review and, as appropriate, incorporate the AML/CFT
Priorities; and (3) be updated promptly upon any change that the PPSI
knows or has reason to know significantly changes the PPSI's ML/TF
risks. This provision implements the GENIUS Act's directive that PPSI
AML/CFT programs include appropriate risk assessments.\175\
---------------------------------------------------------------------------
\175\ See 12 U.S.C. 5903(a)(5)(A)(i).
---------------------------------------------------------------------------
The proposed rule requires, as part of a PPSI's risk-based internal
policies, procedures and controls, that it identify, assess, and
document its ML/TF risks using risk assessment processes. This risk
assessment process, generally conducted on an annual basis, results in
a documented ML/TF risk assessment.
FinCEN believes PPSIs are best positioned to identify and evaluate
their ML/TF risk and is therefore not prescribing any particular risk
assessment processes or methodologies other than the critical elements
described in this proposed rule. Under the proposed rule, PPSIs will be
examined for whether they have established and implemented, in all
material respects, reasonably designed risk assessment processes--which
need not be in the form of a singular risk assessment process.
Furthermore, FinCEN is not prescribing any particular timeframe for
PPSIs to update their risk assessment processes.
i. Proposed 31 CFR 1033.210(b)(1)(i)(A)--ML/TF Risks
Proposed Sec. 1033.210(b)(1)(i)(A) would require a PPSIs' risk
assessment processes to evaluate the ML/TF risks its business
activities, including products, services, distribution channels,
customers, and geographic locations. These factors are generally well
known and often incorporated into current risk assessment processes of
some stablecoin issuers and banks. For clarity's sake, FinCEN considers
``distribution channels'' to refer to the methods and tools through
which a PPSI opens accounts and provides products or services
(including payment stablecoins), including, for example through remote
or other non-face-to-face means. Thus, for example, PPSIs should
consider how accounts are opened, as well as the blockchains to which
its payment stablecoins are issued.
PPSIs may use a variety of sources to inform their risk assessment
processes. Such sources may include information obtained from other
financial institutions, such as emerging risks and typologies
identified through 314(b) information sharing or payment transactions
that other financial institutions returned or flagged due to ML/TF
risks.\176\ Information a PPSI generates or maintains could be another
source, including information acquired from blockchain analytics. Such
internal information may include, for example, customer internet
protocol (IP) addresses or device logins and related geolocation
information.
---------------------------------------------------------------------------
\176\ See FinCEN, Section 314(b) Fact Sheet, (Dec. 2020),
available at https://www.fincen.gov/system/files/shared/314bfactsheet.pdf.
---------------------------------------------------------------------------
Feedback from FinCEN, law enforcement, and financial regulators may
also inform risk assessment processes. For example, if a PPSI receives
feedback from law enforcement about a report it has filed or potential
risks at the PPSI, the PPSI may incorporate that information into its
risk assessment processes. Similarly, PPSIs may consider information
identified from responding to section 314(a) requests. Certain FinCEN
advisories or guidance may also be particularly relevant to the PPSI's
business activities, thereby warranting consideration when evaluating
ML/TF risks. Regardless of the source, PPSIs should take measures in
their risk assessment processes to ensure this information is
reasonably current, complete, and accurate.
ii. Proposed 31 CFR 1033.210(b)(1)(i)(B)--AML/CFT Priorities
Proposed Sec. 1033.210(b)(1)(i)(B) would require PPSIs to review
and incorporate the AML/CFT Priorities. The AML/CFT Priorities set out
the priorities for the U.S. government's AML/CFT policy as required by
the AML Act and are designed to ensure that PPSIs' AML/CFT programs are
aligned with those priorities. Recognizing the diverse nature of ML/TF
threats facing the U.S. financial system and national security, and
that PPSI AML/CFT programs will benefit U.S. national security by
safeguarding the financial system from ML/TF risk, the AML/CFT
Priorities are intended to ensure that PPSIs are focusing on the
greatest threats to U.S. national security, as defined by Treasury.
FinCEN understands that the AML/CFT Priorities may not always be
applicable to a PPSI's risk profile and activities. Therefore, FinCEN
requires the incorporation of the AML/CFT Priorities in PPSI's risk
assessment processes, as appropriate. This means that, having reviewed
the AML/CFT Priorities, a PPSI may determine the extent to which a
particular priority is applicable and whether and how a particular AML/
CFT Priority should be incorporated into its risk assessment processes.
Further, a PPSI may use its judgment and apply a reasonable, risk-
based determination on whether to focus on a specific aspect of an AML/
CFT Priority (e.g., cyber-enabled fraud), rather than addressing all
aspects of an AML/CFT Priority that may either not be applicable or
pose lower risks to the PPSI. However, FinCEN cautions that a surface-
level, perfunctory review of an AML/CFT Priority by a PPSI and the
foreseeable ways in which it may manifest itself within the PPSI's
customers, products and services, geographies, and distribution
channels would not satisfy this requirement.
[[Page 18600]]
FinCEN anticipates that some PPSIs may ultimately determine that
their business models and risk profiles have limited exposure to some
of the threats addressed in the AML/CFT Priorities but instead have
greater exposure to other ML/TF risks not addressed in the AML/CFT
Priorities. Additionally, some PPSIs' risk assessment processes may
determine that their AML/CFT programs already sufficiently take into
account some, or all, of the AML/CFT Priorities. In either case, any
changes to PPSIs' AML/CFT program, such as internal policies,
procedures, or controls, would be based on the results of risk
assessment processes and their impact on the AML/CFT program, including
how to review and, as appropriate, incorporate the AML/CFT Priorities
before making these determinations.
iii. Proposed 31 CFR 1033.210(b)(1)(i)(C)--Update Risk Assessment
Processes
Proposed Sec. 1033.210(b)(1)(i)(C) would require PPSIs to update
their risk assessment processes promptly upon any change that the PPSI
knows or has reason to know significantly changes its ML/TF risk
profile. For example, a PPSI may need to update its risk assessment
when new products, services, and customer types are introduced; or
existing products, services, and customer types undergo significant
changes; or when the PPSI adopts new risk mitigation technology; or if
the PPSI as a whole expands or contracts through mergers, acquisitions,
divestitures, dissolutions, and liquidations. This would include, for
example, when a payment stablecoin is deployed on a new blockchain or
new features are coded into the smart contract. A PPSI may also need to
update its risk assessment process based on factors external to its
operations that it knows or has reason to know significantly changes
its ML/TF risk profile.
2. Proposed 31 CFR 1033.210(b)(1)(ii)--Mitigate ML/TF Risks
Under the proposed rule, a PPSI's efforts to mitigate its ML/TF
risks would involve directing more attention and resources toward
higher-risk customers and activities, consistent with the risk profile
of the PPSI, rather than toward lower risk customers and
activities.\177\ The goal of risk-based allocation is for PPSIs to
spend less time, energy, and resources on lower priority activities
that may result in fewer resources devoted to, and potentially distract
from, more serious threats. The proposed rule would thus enable PPSIs
to focus more on higher risk customers and activities, which FinCEN has
determined should result in PPSIs being more effective at detecting,
reporting, and preventing the flow of illicit funds and providing law
enforcement with more valuable BSA reporting.
---------------------------------------------------------------------------
\177\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
---------------------------------------------------------------------------
As noted above, FinCEN believes that PPSIs are best positioned to
identify and evaluate their ML/TF risk and to make decisions related to
risk identification and resource allocation in accordance with risk
identification. The proposed rule, therefore, does not contemplate
regulatory second-guessing of a PPSI's reasonable determinations
regarding appropriate resource allocation or conclusions regarding
specific risks. However, while FinCEN does not believe that an examiner
should substitute his or her own subjective judgment in place of the
PPSIs, examiners will be expected to assess whether: (1) a PPSI's
resource allocation decisions are informed by, and consistent with,
reasonably designed risk assessment processes; and (2) with respect to
implementation, specifically, whether the PPSI knows or should know of
resource-related issues involving its internal policies, procedures,
and controls and other mandatory elements that may result in the PPSI
failing to implement its AML/CFT program in all material respects and
failing to address such issues.
3. Proposed 31 CFR 1033.210(b)(1)(iii)--Conduct Ongoing Customer Due
Diligence
The GENIUS Act specifies that PPSIs should be subject to all
Federal laws applicable to a financial institution located in the
United States relating to ``due diligence.'' \178\ The existing program
rules for certain financial institutions contain CDD requirements that
have commonly been referred to as the ``fifth pillar'' of AML program
rules for those types of financial institutions.\179\ Under these
requirements, covered financial institutions must establish and
maintain a written AML/CFT program that includes: ``appropriate risk-
based procedures for conducting ongoing customer due diligence, to
include, but not be limited to: understanding the nature and purpose of
customer relationships for the purpose of developing a customer risk
profile; and conducting ongoing monitoring to identify and report
suspicious transactions and, on a risk basis, to maintain and update
customer information.'' \180\
---------------------------------------------------------------------------
\178\ See 12 U.S.C. 5903(a)(5)(A).
\179\ See applicable program rules with CDD requirements for
covered financial institutions are located at 31 CFR
1020.210(a)(2)(v) and (b)(2)(v) (banks), 1023.210(b)(5) (broker-
dealers), 1024.210(b)(5) (mutual funds), and 1026.210(b)(5) (futures
commission merchants and introducing brokers in commodities). FinCEN
in February 2026 issued an order granting exceptive relief to
covered financial institutions from the requirements in 31 CFR
1010.230(b) to identify and verify the identities of beneficial
owners of legal entity customers at each new account opening. See
FinCEN, Exceptive Relief from Requirement to Identify and Verify
Beneficial Owners at Each Account Opening (Feb. 13, 2026), available
at https://www.fincen.gov/system/files/2026-02/FinCEN-Order-CCDExceptiveRelief.pdf.
\180\ See 31 CFR 1020.210(a)(2)(v) and (b)(2)(v) (banks);
1023.210(b)(5) (broker-dealers); 1024.210(b)(5) (mutual funds);
1026.210(b)(5) (futures commission merchants and introducing brokers
in commodities).
---------------------------------------------------------------------------
Proposed Sec. 1033.210(b)(1)(iii) would require PPSIs to conduct
ongoing CDD as part of their AML/CFT program obligations. To
effectively mitigate the illicit finance risks in customer
relationships, PPSIs need to obtain and maintain information sufficient
to develop an understanding of normal and expected customer activity.
This in turn requires development of an understanding of the ``nature
and purpose,'' or in other words the intent, of the customer in
initiating and maintaining the relationship. The PPSI can draw
conclusions about the type of activity and transactions the customer
can be expected to engage in, setting a ``baseline against which
aberrant, suspicious transactions are identified.'' \181\ These are
core elements and fundamental expectations of FinCEN's regulations
implementing the BSA.
---------------------------------------------------------------------------
\181\ See FinCEN, Customer Due Diligence Requirements for
Financial Institutions, 81 FR 29398, 29419 (May 11, 2016); FinCEN,
Frequently Asked Questions Regarding Customer Due Diligence
Requirements for Financial Institutions, Question 36 (Apr. 3, 2018),
available at https://www.fincen.gov/system/files/2018-04/FinCEN_Guidance_CDD_FAQ_FINAL_508_2.pdf.
---------------------------------------------------------------------------
For PPSIs, some considerations of the nature and purpose of
customer relationships will be similar to existing practices for other
regulated financial institutions. However, some factors may also be new
or unique due to the characteristics of the products and services being
offered. PPSIs may need to consider, among other factors, the type of
entity seeking to establish a customer relationship, the jurisdiction
in which they are domiciled, the AML/CFT obligations they are subject
to (and potentially the rigor of supervisory oversight of those
obligations), the customer's operating history, the services the
customer offers to its users, the markets that the customer serves, and
the agents or intermediaries through which the customer may provide its
services. Such business, product,
[[Page 18601]]
service, and geographic risk considerations are well established
components of existing BSA programs. PPSIs may also need to consider
information more narrowly tailored to the stablecoin market, including
both information available from public blockchains and relevant off-
chain considerations. Notably, as stated above, FinCEN assesses that
the majority of illicit activity involving stablecoins occurs on the
secondary market.\182\ Although the proposed rule would not impose a
standalone, independent obligation on a PPSI to monitor secondary
market transactions, consideration of such activity may be appropriate
in the PPSI's development and maintenance of a customer risk profile
(e.g., public blockchains may indicate that a digital assets exchange
that is a PPSI customer is engaged in deposits or withdrawal activity
of the PPSI's stablecoin with addresses attributed to illicit actors).
---------------------------------------------------------------------------
\182\ See supra section IV.D.
---------------------------------------------------------------------------
b. Proposed 31 CFR 1033.210(b)(2)--Independent Testing
The purpose of independent testing is to assess the PPSI's
compliance with AML/CFT statutory and regulatory requirements, relative
to its risk profile. This evaluation helps to inform the PPSI of
weaknesses or areas in need of enhancement or stronger controls.
Typically, this evaluation includes a conclusion about the PPSI's
overall compliance with AML/CFT statutory and regulatory requirements
and sufficient information for the reviewer (e.g., board of directors,
senior management, AML/CFT officer, outside auditor, or an examiner) to
reach a conclusion about whether the risk-based set of internal
policies, procedures, and controls are reasonably designed and
resources are well-allocated consistent with the PPSI's risk assessment
processes.
Additionally, while PPSIs retain some flexibility regarding who
conducts the audit or testing, the proposed rule would require that
testing be independent. PPSIs that do not employ outside auditors or
consultants or that do not have internal audit departments may comply
with this requirement by using internal staff who are not involved in
the function being tested. For these PPSIs and PPSIs with other types
of arrangements for independent testing, the AML/CFT officer or any
party who directly, and in some cases, indirectly reports to the AML/
CFT officer, or an equivalent role, would generally not be considered
sufficiently independent. Any individual conducting the testing,
whether internal or external, would be required to be independent of
other parts of the PPSI's AML/CFT program, including its oversight. For
PPSIs that engage outside auditors or consultants, the PPSI would be
required to ensure that the outside parties conducting the independent
testing are not involved in functions related to the AML/CFT program at
the PPSI that may present a conflict of interest or lack of
independence, such as AML/CFT training or the development or
enhancement of internal policies, procedures, and controls.
Additionally, for the purposes of the independent testing component,
outside parties would not include government agencies, entities, or
instrumentalities, such as a PPSI's primary Federal payment stablecoin
regulator or State payment stablecoin regulator. PPSIs with less
complex operations, and lower risk profiles may consider utilizing a
shared resource as part of a collaborative arrangement to conduct
testing, as long as the testing is independent.\183\ FinCEN would
generally expect, as with the AML/CFT officer component, independent
testers to have the expertise and experience to satisfactorily perform
such a duty, including having sufficient knowledge of the PPSI's risk
profile and AML/CFT laws and regulations.
---------------------------------------------------------------------------
\183\ See Board, FDIC, NCUA, OCC, and FinCEN, Interagency
Statement on Sharing Bank Secrecy Act Resources (Oct. 3, 2018),
available at https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources.
---------------------------------------------------------------------------
c. Proposed 31 CFR 1033.210(b)(3)--Designate an AML/CFT Officer
Under the GENIUS Act and the BSA, an ``officer'' oversees an AML/
CFT program.\184\
---------------------------------------------------------------------------
\184\ See 12 U.S.C. 5903(a)(5)(A)(i); 31 U.S.C. 5318(h)(1)(B).
---------------------------------------------------------------------------
1. Proposed 31 CFR 1033.210(b)(3)(iii)--Duties of the AML/CFT Officer
Proposed Sec. 1033.210(b)(3)(iii) would require PPSIs to designate
an individual (referred to as an AML/CFT officer) responsible for
establishing and implementing the AML/CFT program and coordinating and
monitoring day-to-day compliance with the requirements and prohibitions
of the BSA and FinCEN's implementing regulations. FinCEN's view is that
the individual serving as the AML/CFT officer must be qualified for
that role and not overburdened with other responsibilities at the
institution.
The proposed rule is not intended to be primarily concerned about
the formal title of the individual responsible for establishing and
implementing the AML/CFT program and coordinating and monitoring day-
to-day compliance; instead, the proposed rule focuses on the AML/CFT
officer's position in the PPSI's organizational structure that enables
the AML/CFT officer to effectively establish and implement the PPSI's
AML/CFT program. The AML/CFT officer's authority, independence, and
access to resources within the PPSI are critical. An AML/CFT officer
should have decision-making capability regarding the AML/CFT program
and sufficient functional stature within the organization to ensure
that the program meets BSA requirements.
The AML/CFT officer's access to resources may include the
following: adequate compliance funds and staffing with the skills and
expertise appropriate to the PPSI's risk profile, size, and complexity;
an organizational structure that supports compliance and effectiveness;
and sufficient technology and systems to support the timely
identification, measurement, monitoring, reporting, and management of
the PPSI's ML/TF risks. An AML/CFT officer with conflicting
responsibilities that adversely impact the officer's ability to
effectively coordinate and monitor day-to-day AML/CFT compliance
generally would not fulfill this requirement.
2. Proposed 31 CFR 1033.210(b)(3)(i) and (ii)--The AML/CFT Officer
Located in the United States and Accessible to Regulators
Proposed Sec. 1033.210(b)(3)(i) and (ii) would require a PPSI's
AML/CFT officer be located in the United States and accessible to, and
subject to oversight and supervision by FinCEN and its designee. Under
the proposed rule, while the AML/CFT officer must be located in the
United States, personnel located outside of the United States would
still be permitted to perform certain AML/CFT functions. This language
does not alter existing regulations and guidance that generally
prohibit the sharing of SARs with personnel located outside of the
United States other than limited circumstances such as a bank's foreign
head office or controlling company.\185\
---------------------------------------------------------------------------
\185\ See, e.g., FinCEN, Financial Crimes Enforcement Network;
Confidentiality of Suspicious Activity Reports, 75 FR 75593 (Dec. 3,
2010); see also FinCEN, the Board, FDIC, OCC, and Office of Thrift
Supervision, Interagency Guidance on Sharing Suspicious Activity
Reports with Head Offices and Controlling Companies (Jan. 20, 2006),
available at https://www.fincen.gov/system/files/guidance/sarsharingguidance01122006.pdf.
---------------------------------------------------------------------------
[[Page 18602]]
3. Proposed 31 CFR 1033.210(b)(3)(iv)--Restriction on Officers With
Felony Convictions
Under the GENIUS Act, PPSIs must designate an ``officer'' to
supervise its AML/CFT program.\186\ This GENIUS Act provision reflects
the BSA requirement that a financial institution designate a
``compliance officer'' for its AML/CFT program.\187\ The GENIUS Act
further provides that no individual who has been convicted of a
``felony offense involving insider trading, embezzlement, cybercrime,
money laundering, financing of terrorism, or financial fraud'' may
serve as an ``officer'' or director of a PPSI.\188\
---------------------------------------------------------------------------
\186\ See 12 U.S.C. 5903(a)(5)(A)(i).
\187\ See 31 U.S.C. 5318(h)(1)(B).
\188\ See 12 U.S.C. 5903(f).
---------------------------------------------------------------------------
Given the use of the term ``officer'' in the GENIUS Act's
prohibition on individuals being convicted of felonies involving
certain activity and the use of the same term in the GENIUS Act and BSA
provisions regarding AML/CFT programs, FinCEN proposes to apply this
restriction to AML/CFT officers and, accordingly, is proposing adding
this requirement to the AML/CFT program's provision relating to the
individual responsible for overseeing the AML/CFT program. FinCEN
expects PPSIs would ensure an individual does not have a disqualifying
felony prior to designating an individual as responsible for the AML/
CFT program, as well as require the individual to report any such
conviction and monitor for whether the individual receives such a
conviction.
d. Proposed 31 CFR 1033.210(b)(4)--Ongoing Employee Training Program
The BSA requires AML/CFT programs to include an ``ongoing employee
training program.'' \189\ Proposed Sec. 1033.210(b)(4) would require
PPSIs establish an ongoing employee training program. FinCEN would
generally expect training to cover the PPSI's internal policies,
procedures, and controls, which should in turn reflect the results of
the PPSI's risk assessment processes, the latest AML/CFT regulatory
requirements, and other relevant information. The frequency with which
the training would occur, and the content of the training, would depend
on the PPSI's ML/TF risk profile and the roles and responsibilities of
the persons receiving the training.
---------------------------------------------------------------------------
\189\ See 31 U.S.C. 5318(h)(1)(C).
---------------------------------------------------------------------------
iii. Proposed 31 CFR 1033.210(d)--Written AML/CFT Program and Approval
Proposed Sec. 1033.210(d) would require that a PPSI's AML/CFT
program be written, and that a PPSI, upon request, make available a
copy of its written AML/CFT program to FinCEN or its designee, which
can include the appropriate agency with examination authorities
delegated by FinCEN.\190\
---------------------------------------------------------------------------
\190\ See 31 CFR 1010.810(b); see also supra section VI.C.2.
---------------------------------------------------------------------------
Proposed Sec. 1033.210(d) would also require that a PPSI's written
AML/CFT program be approved by the PPSI's board of directors or an
equivalent governing body within the PPSI, or appropriate senior
management. The proposed rule specifies that approval encompasses each
of the components of the AML/CFT program.
The proposed rule provides PPSIs with significant flexibility in
its chosen approval method. While some PPSIs may choose to have its
board approve the written AML/CFT program, for others, an equivalent
governing body might be a sole proprietor, general partner, or trustee,
or a grouping of owners, senior officers (including board committees or
other groups with oversight responsibilities), senior management, or
other persons having functions and authority similar to that of a
board.
The proposed rule's provision requiring the approval of the AML/CFT
program by a PPSI's board of directors, equivalent body, or appropriate
senior management reflects the importance of PPSIs maintaining a strong
culture of compliance. A culture of compliance involves demonstrable
support and visible commitment from leadership, the dedication of
adequate resources to AML/CFT compliance, effective information sharing
throughout the PPSI, qualified and independent testing, and
understanding across leadership and staff levels of the importance of
BSA reports. Adherence to these principles is critical to ensuring that
AML/CFT programs are effective.
iv. Proposed 31 CFR 1033.210(e)--AML/CFT Program Certifications
The proposed rule would also require PPSIs to make available to
FinCEN, or its designee, upon request any and all certifications
submitted to the PPSI's primary Federal payment stablecoin regulator or
State payment stablecoin regulator certifying that the PPSI has
implemented an AML/CFT program.\191\ While the GENIUS Act specifies
that the primary Federal payment stablecoin regulator or State payment
stablecoin regulator shall make this certification available upon
Treasury request, FinCEN's authority under the BSA also enables it to
require PPSIs to provide a copy of such certifications to FinCEN as
part of FinCEN's efforts to ensure compliance with the BSA.\192\
---------------------------------------------------------------------------
\191\ See 12 U.S.C. 5904(i)(l).
\192\ See 31 U.S.C. 5318(a)(2).
---------------------------------------------------------------------------
4. Proposed 31 CFR 1033.221--Supervision and Enforcement
As previously noted, FinCEN is proposing delegating authority to
examine PPSIs for compliance with the proposed rules to the primary
Federal payment stablecoin regulators.\193\ In another rulemaking,
FinCEN has proposed that where it has delegated its examination
authority to the OCC, Board, FDIC, and NCUA (the ``Agencies''), those
Agencies be required to consult with FinCEN prior to taking significant
AML/CFT supervisory actions and outlined FinCEN's own considerations in
determining when it will take certain enforcement actions. The proposal
also outlined that a bank would only be subject to certain kinds of
enforcement actions and significant supervisory actions for significant
and systemic failures to implement an AML/CFT program. In that
proposal, FinCEN requested comments on whether the framework outlined
in the proposal should be extended to financial institutions beyond
banks.
---------------------------------------------------------------------------
\193\ See supra section VI.C.2.
---------------------------------------------------------------------------
The GENIUS Act similarly identifies these Agencies--the OCC, Board,
FDIC, and NCUA--as primary Federal payment stablecoin regulators for
certain PPSIs as discussed in section VI.C.2.ii. Additionally, as
discussed in section IV, some stablecoin issuers engage in certain
activities that are similar to those of banks. Accordingly, in light of
the same Agencies that serve as the primary Federal payment stablecoin
regulators and certain similarities in activities as banks, FinCEN
proposes to set forth a supervision and enforcement framework that
would subject PPSIs to the same framework proposed for banks.
Specifically, the proposed rule would add Sec. 1033.221 to set forth a
supervision and enforcement framework for PPSIs' AML/CFT programs that
is aligned with the AML Act's emphasis on effectiveness and risk-based
supervision. This proposal includes three elements: the first defining
key terms; the second outlining when FinCEN or the primary Federal
payment stablecoin regulators would take enforcement or supervisory
action regarding certain kinds of AML/CFT
[[Page 18603]]
program violations; and the third outlining when the primary Federal
payment stablecoin regulators would consult with FinCEN on potential
supervisory actions. FinCEN welcomes comment on whether this
supervisory and enforcement framework should apply to PPSIs, as well as
the consultation proposal. The enforcement requirements do not apply to
and in no way affect criminal enforcement liability under the BSA.
i. Proposed 31 CFR 1033.221(a)--Definitions
Proposed Sec. 1033.221(a) would define several terms used
throughout the section.
The term ``AML/CFT enforcement action'' as proposed in Sec.
1033.221(a)(1) would mean any formal or informal action taken by FinCEN
that seeks to penalize, remedy, prevent, or respond to noncompliance
with past or ongoing violations of, or past or ongoing deficiencies
relating to, an AML/CFT requirement.
The term ``AML/CFT requirement'' as proposed in Sec.
1033.221(a)(2) would mean a requirement of the BSA, 12 U.S.C.
5903(a)(5)(A)(i)-(v), 12 U.S.C. 5903(a)(6)(B), 12 U.S.C. 5903(f)(1)(A),
or 31 CFR chapter X.
The term ``significant AML/CFT supervisory action'' as proposed in
Sec. 1033.221(a)(3) would mean any written communication or other
formal supervisory determination issued by FinCEN or a primary Federal
payment stablecoin regulator, when acting under supervisory authority
delegated by FinCEN, that identifies one or more alleged deficiencies,
weaknesses, violations of law, or unsafe or unsound practices or
conditions relating to an AML/CFT requirement; communicates supervisory
expectations regarding actions or remedial measures required to correct
the issue; and contemplates significant or programmatic actions or
remedial measures to be taken by the PPSI. Examiner observations,
suggestions, or other informal comments would be expressly excluded
from this definition.
ii. Proposed 31 CFR 1033.221(b)--Enforcement and Supervision Policy
Proposed Sec. 1033.221(b) would articulate FinCEN's enforcement
and supervision policy as it relates to AML/CFT requirements for
PPSIs.\194\ Except with respect to a significant or systemic failure to
implement an effective AML/CFT program (i.e., deficiencies or issues
that arise from failing to implement, in all material respects, a
properly established AML/CFT program), a PPSI that has properly
established an AML/CFT program would not be subject to an AML/CFT
enforcement action based on a violation of proposed Sec. 1033.210 by
FinCEN or to a significant AML/CFT supervisory action based on a
violation of proposed Sec. 1033.210 by FinCEN or by a primary Federal
payment stablecoin regulator, when acting under supervisory authority
delegated by FinCEN.
---------------------------------------------------------------------------
\194\ The proposal is not intended to and does not affect
criminal enforcement liability under the BSA, or the related
authority of the Department of Justice.
---------------------------------------------------------------------------
The proposed rule would clarify that nothing in this policy would
restrict an AML/CFT enforcement action or a significant AML/CFT
supervisory action with respect to a failure to properly establish an
AML/CFT program. Moreover, the proposed rule would not affect the
factors that FinCEN applies in the disposition of a violation once
FinCEN has determined that such violation involves either: (1) a
failure to properly establish an AML/CFT program, or (2) a significant
or systemic failure to implement an AML/CFT program.\195\
---------------------------------------------------------------------------
\195\ FinCEN, FinCEN Statement on Enforcement of the Bank
Secrecy Act, pp. 2-3 (Aug. 18, 2020), available at https://www.fincen.gov/system/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf.
---------------------------------------------------------------------------
iii. Proposed 31 CFR 1033.221(c) and (d)--FinCEN Consultation and
Consideration
Proposed Sec. 1033.221(c) would establish a notice and
consultation framework applicable when a primary Federal payment
stablecoin regulator, acting under supervisory authority delegated by
FinCEN, intend to initiate a significant AML/CFT supervisory action.
Before initiating such an action, the primary Federal payment
stablecoin regulator would be required to provide the Director of
FinCEN with an opportunity to review the action and consider any input
offered by the Director, which may include any view as to the
effectiveness of the PPSI's AML/CFT program. To facilitate that review,
the primary Federal payment stablecoin regulator would be required to
provide written notice to the Director of their intent to take the
action at least 30 days in advance of the proposed action, unless a
shorter period is necessary, in the sole discretion of the primary
Federal payment stablecoin regulators, to remedy, prevent, or respond
to an unsafe or unsound practice or condition.
The notice would be accompanied by the relevant AML/CFT information
underlying the proposed action. Relevant AML/CFT information may
include, but is not limited to: the relevant portions of the draft
report enforcement action; the relevant examination workpapers
supporting the proposed action and the relevant AML/CFT information
submitted by the PPSI to the primary Federal payment stablecoin
regulator. FinCEN notes the primary Federal payment stablecoin
regulators would not be obligated to provide information over which the
PPSI may claim privilege under Federal or State law. The primary
Federal payment stablecoin regulators would also be required to respond
to requests for additional AML/CFT information from the Director
regarding the proposed action.
Finally, proposed Sec. 1033.221(d) specifies the factors that the
Director of FinCEN would consider in determining whether to take an
enforcement action or significant supervisory action with respect to
PPSIs, or when reviewing a proposed action by a primary Federal payment
stablecoin regulator. These factors would include the factors set forth
in 31 U.S.C. 5318(h)(2)(B), as applicable; the extent, if any, to which
the PPSI--where appropriate in light of its size, complexity, and risk
profile--has advanced the AML/CFT Priorities by providing highly useful
information to law enforcement or national security officials,
conducting proactive analytics or performing other innovative
activities producing demonstrable outputs evincing the effectiveness of
the PPSI's AML/CFT program (including effective use of artificial
intelligence, federated learning, or other advanced monitoring tools);
and any other factor the Director deems appropriate, including the
PPSI's size, complexity, and risk profile, and, as relevant,
circumstances in which the PPSI's low-risk customers or limited
business activities naturally limit the extent to which the PPSI can
meaningfully contribute to AML/CFT Priorities.
The FinCEN Director's consideration of the extent to which a PPSI
has provided highly useful information to law enforcement or national
security agencies reflects that FinCEN considers information sharing to
be an important element of an effective AML/CFT program. PPSIs may
share useful information by responding to 314(a) requests, or may use
314(b) authorities to share information with other financial
institutions to identify and report to the federal government
activities that may involve ML/TF. PPSIs may also elect to participate
in the FinCEN Exchange Program, a voluntary public-private information
sharing partnership among FinCEN, law enforcement agencies, national
security
[[Page 18604]]
agencies, and financial institutions and other private sector entities
that aims to support priority national security and counter-illicit
finance objectives.\196\ FinCEN strongly encourages information sharing
for the purpose of advancing the AML/CFT Priorities.
---------------------------------------------------------------------------
\196\ FinCEN, FinCEN Exchange, available at https://www.fincen.gov/resources/fincen-exchange.
---------------------------------------------------------------------------
The Director of FinCEN may consider the above alongside other
factors, including those outlined in the FinCEN Statement on
Enforcement of the Bank Secrecy Act, such as the nature and seriousness
of violations, including the extent of possible harm to the public and
amounts involved; impact or harm of the violations on FinCEN's mission
to safeguard the financial system from illicit use, combat money
laundering, and promote national security; or financial gain or other
benefit resulting from, or attributable to, the violations, amongst
others.\197\
---------------------------------------------------------------------------
\197\ FinCEN, FinCEN Statement on Enforcement of the Bank
Secrecy Act (Aug. 18, 2020), available at https://www.fincen.gov/system/files/shared/FinCEN%20Enforcement%20Statement_FINAL%20508.pdf.
---------------------------------------------------------------------------
5. Proposed Amendment to 31 CFR 1010.230--Collection of Beneficial
Ownership Information
FinCEN is proposing to require PPSIs to collect beneficial
ownership information about legal entity customers, which is critical
for a PPSI to effectively carry out its due diligence obligations as
provided in the GENIUS Act.\198\ This proposed obligation is
effectuated through FinCEN's proposed AML/CFT program obligation, its
proposed amendment to Sec. 1010.605(e)(1), and its proposed amendment
to Sec. 1010.230(b)(2) and (c).\199\ Collecting information on legal
entity customers helps a financial institution assess and mitigate
risk, as well as the ability of law enforcement to identify assets and
accounts connected with illicit activity. FinCEN is not contemplating
application of CDD to secondary market activity. Accordingly, FinCEN is
not extending the collection of beneficial ownership information to
secondary market activity.
---------------------------------------------------------------------------
\198\ See 12 U.S.C. 5903(a)(5)(A).
\199\ See Customer Due Diligence Requirements for Financial
Institutions, 81 FR at 29398. As previously highlighted, FinCEN in
February 2026 issued an order granting exceptive relief to covered
financial institutions from the requirements in 31 CFR 1010.230(b)
to identify and verify the identities of beneficial owners of legal
entity customers at each new account opening. See Exceptive Relief
from Requirement to Identify and Verify Beneficial Owners at Each
Account Opening, supra note 179.
---------------------------------------------------------------------------
Pursuant to Sec. 1010.230(a) ``covered financial institutions''
are required ``to establish and maintain written procedures that are
reasonably designed to identify and verify beneficial owners of legal
entity customers and to include such procedures in their anti-money
laundering compliance program required under 31 U.S.C. 5318(h) and its
implementing regulations.'' Section 1010.230(f) defines ``covered
financial institution'' for purposes of the section by referencing
Sec. 1010.605(e)(1), to which FinCEN is proposing to add PPSIs.
Section 1010.230 provides further specificity on the kinds of
procedures that must be established and maintained and the meaning of
account, including in Sec. 1010.230(b)(2) and (c). For financial
institutions currently required to collect beneficial ownership
information, Sec. 1010.230(b)(2) and (c) reference the customer
identification program regulation in the respective parts for those
institutions. Given that no such regulation currently exists for PPSIs,
FinCEN proposes language generally describing identification
verification procedures and the meaning of account. More specifically,
FinCEN is currently proposing requiring procedures relating to
verifying the identity of beneficial owners that would contain the same
elements as 31 CFR 1022.220(a)(2), the customer identification program
rule for banks. FinCEN proposes that in explaining the meaning of
account in Sec. 1010.230(c), FinCEN clarify that for PPSIs an account
is a formal relationship between a customer and a permitted payment
stablecoin issuer established to provide or engage in services,
dealings, or other financial transactions. FinCEN anticipates further
modifications to its proposed language based on its expected
forthcoming rulemaking implementing the GENIUS Act's requirement that
PPSIs maintain customer identification programs.\200\ Ultimately,
FinCEN expects the requirement under Sec. 1010.230 for PPSIs will
closely adhere to existing BSA requirements that apply to many other
types of financial institutions, including banks.
---------------------------------------------------------------------------
\200\ 12 U.S.C. 5903(a)(5)(A)(v).
---------------------------------------------------------------------------
6. Proposed 31 CFR 1033.240--Additional Technical Capabilities,
Policies, and Procedures for PPSIs
The GENIUS Act requires that PPSIs have ``technical capabilities,
policies, and procedures to block, freeze, and reject specific or
impermissible transactions that violate Federal or State laws, rules,
or regulations.'' \201\ The GENIUS Act also requires that PPSIs ``issue
payment stablecoins only if the issuer has the technological capability
to comply, and will comply, with the terms of any lawful order.'' \202\
FinCEN assesses that these obligations are distinct but complementary
and, accordingly, proposes implementing both requirements at Sec.
1033.240, categorized as additional technical capabilities, policies,
and procedures for PPSIs. Paragraph (a) would implement the block,
freeze, and reject requirement and paragraph (b) would implement the
lawful order requirement. Both obligations would apply to secondary
market activity. Additionally, the obligations would also apply where a
PPSI is authorized by its primary Federal payment stablecoin regulator
or State payment stablecoin regulator to engage in digital assert
service provider activities.\203\
---------------------------------------------------------------------------
\201\ See 12 U.S.C. 5903(a)(5)(A)(iv).
\202\ See 12 U.S.C. 5903(a)(6)(B).
\203\ See 12 U.S.C. 5903(a)(7)(B), 5901(7) (defining ``digital
asset service provider'').
---------------------------------------------------------------------------
Although both of these requirements will be unique obligations
under chapter X, FinCEN expects that some stablecoin issuers may have
in place technical capabilities and policies and procedures relating to
taking action regarding impermissible transactions and adhering to
lawful orders because of existing legal requirements, including
complying with OFAC sanctions and court orders.
i. Proposed 31 CFR 1033.240(a)--Obligations Relating to Blocking,
Freezing, and Rejecting Certain Transactions
The proposed rule would effectuate the GENIUS Act's directive that
PPSIs have technical capabilities, policies, and procedures to block,
freeze, and reject specific or impermissible transactions that violate
Federal or State laws, rules, or regulations by proposing to promulgate
the same language used in the GENIUS Act, with additional language
clarifying that this obligation extends beyond a PPSI's customers and
accounts, i.e., to secondary market activity.
FinCEN recognizes that some stablecoin issuers are currently able
to block, freeze, or reject transactions involving their stablecoin by
programming the stablecoin's smart contracts. Stablecoin issuers
leverage this capability on secondary as well as primary market
activity. Some stablecoin issuers use the programmability afforded in
smart contracts to ban specific wallet addresses from interacting with
stablecoin smart contracts, effectively ``freezing'' the stablecoins
held at those addresses, or to permanently remove stablecoins from
circulation (i.e., ``burning'' them).
[[Page 18605]]
The proposed rule neither prescribes how PPSIs should implement the
technical capability requirement nor the policies and procedures that
are specifically required to meet the proposed obligation. FinCEN
considered providing more prescriptive regulatory text, but has
preliminary assessed that PPSIs are best positioned to determine how to
effectively and efficiently comply with the obligation, particularly in
light of potential technological changes. Accordingly, the proposal
provides PPSIs the flexibility to use various methods to meet the
proposed obligation and account for the development and implementation
of new technology.
The proposed rule, consistent with the GENIUS Act, would require
PPSIs to have the infrastructure necessary to block, freeze, and reject
transactions, but does not identify in which instances PPSIs are
required to act on those capabilities. Put differently, this provision
would not require a PPSI to make an independent determination that a
transaction violates federal or state law. Instead, the use of
technological capabilities will be dictated by other federal or state
laws, rules, or regulations, as well as court orders, some of which
will require PPSIs to take action with regards to transactions
occurring on the secondary market. For example, as discussed in section
V.B, U.S. sanctions administered by OFAC are a strict liability regime,
meaning that U.S. persons, including PPSIs, may be held civilly liable
for sanctions violations even without having knowledge or reason to
know that it was engaging in such a violation. As such, PPSI's
technical capabilities, policies, and procedures should account for
identifying and blocking or rejecting payment stablecoin-related
transactions that would violate U.S. sanctions, including to identify
and block stablecoins that are issued to or redeemed by blocked
persons. This would also require PPSIs to have technical capabilities,
policies, and procedures to identify and block stablecoins traded by
blocked persons on the secondary market when PPSIs exercise possession
or control of such stablecoins, including through smart contracts.
Federal or state court or administrative orders may also require a PPSI
to act on its block, freeze, and reject capabilities--including
transactions occurring on the secondary market--which should be
accounted for in policies and procedures, as well as technical
capabilities.
Because these sources of law may require PPSIs to take action on
secondary market transactions, PPSIs would be expected to have the
technical capabilities, policies, and procedures for both primary and
secondary market activity. FinCEN believes extending these provisions
to secondary market activity is consistent with the GENIUS Act, as well
as critical to controlling illicit finance risk associated with PPSI
activity. Imposing this obligation only on primary market activity
would be of limited utility, as FinCEN assesses that PPSIs currently
have a small number of large, generally institutional customers. FinCEN
assesses that most of the illicit activity involving stablecoins occurs
on the secondary market, and it is critical that PPSIs operating in the
U.S. implement these obligations to protect U.S. national security and
the U.S. financial system.
Notwithstanding the requirement to maintain technical capabilities,
policies, and procedures to block, freeze, and reject specific or
impermissible transactions that violate Federal or State laws, rules,
or regulations, a PPSI would not be required to block, freeze, or
reject a transaction when it is under no legal obligation to take
action and this proposal would not require PPSIs to maintain separate
internal policies, procedures, or controls as part of required AML/CFT
programs to monitor secondary market activity independent of other
obligations.
FinCEN welcomes comment on this proposal, including its approach,
its clarity, and whether it should provide greater specificity.
ii. Proposed 31 CFR 1033.240(b)--Obligations Relating to Lawful Order
Compliance and Technical Capabilities
Proposed Sec. 1033.240(b) would implement the GENIUS Act's
requirement that a PPSI ``may issue payment stablecoins only if the
issuer has the technological ability to comply, and will comply, with
the terms of any lawful order.'' \204\ A lawful order as defined by the
GENIUS Act and FinCEN's proposal, is--in part--an order that specifies
with reasonable particularity a payment stablecoin or account and
requires a person to seize, freeze, burn, or prevent the transfer of
payment stablecoins it issued.\205\
---------------------------------------------------------------------------
\204\ See 12 U.S.C. 5903(a)(6)(B). Although codified outside the
GENIUS Act section specifically dealing with the BSA, Congress
provided Treasury general rulemaking authority to implement the
GENIUS Act. See 12 U.S.C. 5913. This provision directly implicates
illicit finance considerations and, as such, is appropriately
overseen by FinCEN at Treasury as part of efforts to combat money
laundering and the financing of terrorism.
\205\ See 12 U.S.C. 5901(16); see also section VI.C.1.vii.
---------------------------------------------------------------------------
FinCEN is proposing to promulgate this obligation by closely
adhering to the GENIUS Act's precise language, but with some clarifying
modifications. Proposed Sec. 1033.240(b) would reflect that the GENIUS
Act obligation related to lawful orders is ongoing rather than only in
existence at the time a stablecoin is issued, which FinCEN believes is
both consistent with the GENIUS Act and necessary for the obligation to
be meaningful. As with the obligation to have technical capabilities
and policies and procedures to block, freeze, and reject impermissible
transactions, FinCEN proposes to include some language clarifying that
PPSIs must account for and abide by lawful orders requiring them to
take action with regards to the secondary market, but does not intend
to provide prescriptive regulatory text relating to technological
capabilities, providing PPSIs the flexibility to use various methods to
meet the proposed obligation and account for the development and
implementation of new technology.
As previously described, FinCEN proposes promulgating the term
``lawful order'' as provided in the GENIUS Act, with limited
modifications to account for existing regulatory language. The GENIUS
Act does not define terms used within that definition, including the
word ``burn'' and ``account.'' FinCEN believes that ``burn'' is
generally understood in the industry and by law enforcement to mean
taking action such that the payment stablecoin is permanently removed
from circulation, which can be effected through different tactics.
Further, FinCEN is aware that lawful orders often specify particular
addresses or wallets for which an issuer is under obligation to take
action, and assess such addresses fall within the meaning of
``account'' for purposes of this provision. FinCEN has not proposed
regulatory text defining either ``burn'' or ``account'' for the
purposes of lawful orders, but requests comment on that approach.
Under this obligation, PPSIs would be required to consider and
comply with all terms contained in lawful orders. For example, a
quintessential type of lawful order, assuming it meets the GENIUS Act's
requirements, would be a seizure warrant.\206\ Those warrants
frequently include requirements to respond within a certain amount of
time and prohibitions on frustrating the implementation of the warrant.
Additionally, with some regularity, Federal court orders require
stablecoin
[[Page 18606]]
issuers to burn and reissue an equivalent amount of stablecoins to a
government-controlled wallet. Having the technical capabilities and
complying with terms such as these would be part of a PPSI's
obligations under proposed Sec. 1033.240(b). FinCEN recognizes that
over time the terms contained in lawful orders might change and would
expect that as a PPSI learns of new lawful order terms, such terms will
be incorporated into its lawful order compliance processes.
---------------------------------------------------------------------------
\206\ See DOJ, Asset Forfeiture Policy Manual (2025), chap. 4,
sec. I.B., available at https://www.justice.gov/usdoj-media/criminal/media/1140236/dl?inline.
---------------------------------------------------------------------------
As with the requirement to have technical capabilities and policies
and procedures relating to blocking, freezing, and rejecting
impermissible transactions, this obligation would apply to any lawful
order, including lawful orders that relate to primary or secondary
market activity. FinCEN believes the vast majority of lawful orders
currently relate to secondary market activity and are likely to
continue to do so in the future. FinCEN proposes promulgating language
that would make clear the lawful order obligations extend to secondary
market activity. Public law enforcement cases demonstrate the value of
stablecoin issuers having the capability to comply with lawful orders
and carry out actions to seize, freeze, and burn or prevent the
transfer of their stablecoins in secondary market transactions. Law
enforcement has used lawful orders to seize hundreds of millions of
dollars' worth of stablecoins involved in illicit activity.\207\
---------------------------------------------------------------------------
\207\ See U.S. Attorney's Office EDNC Announces Seizure of $61
Million Dollars' Worth of Cryptocurrency, Cyber Scam Organization
Disrupted Through Seizure of Nearly $9M in Crypto supra note 63;
Largest Ever Seizure of Funds Related to Crypto Confidence Scam
supra note 58.
---------------------------------------------------------------------------
FinCEN welcome comment on this proposal, including its approach,
its clarity, and whether it should provide greater specificity.
7. Proposed 31 CFR 1033.310 Through 1033.315--Reports of Transactions
in Currency
Beyond suspicious activity reporting, the GENIUS Act does not
specify additional reporting obligations to be imposed on PPSIs. The
BSA authorizes FinCEN to promulgate regulations requiring financial
institutions to file reports when they participate in certain types of
financial transactions.\208\ Pursuant to this authority, 31 CFR
1010.310 through 1010.314 requires ``financial institutions'' (other
than casinos) to file currency transaction reports (CTRs) for ``each
deposit, withdrawal, exchange of currency or other payment or transfer,
by, through, or to such financial institution which involves a
transaction in currency of more than $10,000,'' unless subject to an
applicable exemption.\209\ FinCEN proposes applying the CTR reporting
provisions to PPSIs through proposed Sec. Sec. 1033.310 through
1033.315, which would cross reference corresponding provisions in
Sec. Sec. 1010.310 through 1010.315.
---------------------------------------------------------------------------
\208\ See, e.g., 31 U.S.C. 5313(a), 5326. This proposal also
implements the GENIUS Act's requirements related to high value
transactions. See 12 U.S.C. 5903(a)(5)(A)(v).
\209\ 31 CFR 1010.311.
---------------------------------------------------------------------------
Application of Sec. Sec. 1010.310 through 1010.315 would not
require reporting of transactions in payment stablecoins. As defined in
Sec. 1010.100(bbb)(2), for the purposes of provisions related solely
to the report required by Sec. Sec. 1010.311 and 1010.313, the term
``transaction in currency'' means a transaction involving the physical
transfer of currency from one person to another. Moreover, the
definition of ``currency,'' as defined in Sec. 1010.100(m), does not
include a payment stablecoin, and thus, Sec. Sec. 1033.310 through
1033.314 do not require reports of transactions in payment
stablecoins.\210\ This approach is consistent with Sec.
1010.100(bbb)(2) which also states that a physical transfer of currency
does not include bank checks, bank drafts, wire transfers or other
written orders.
---------------------------------------------------------------------------
\210\ 31 CFR 1010.100(m) (defining, in part, ``currency'' as
``[t]he coin and paper money of the United States or of any other
country'').
---------------------------------------------------------------------------
FinCEN recognizes that, presently, stablecoin issuers rarely
transact in physical transfers of currency. FinCEN nevertheless
considers it prudent to allow for the possibility that this could
change, with PPSI activity expanding to encompass retail, brick-and-
mortar locations where currency could be used, or even kiosks that
resemble automated teller machines (ATMs).\211\ If such an expansion
does occur, FinCEN considers it prudent to adopt CTR obligations for
PPSIs as it assesses that PPSIs should be subject to the same currency
reporting obligations as most other financial institutions as cash
enables anonymous, difficult to trace transactions. If a PPSI does not
transact in physical transfers of currency, the PPSI would, of course,
not file CTRs and would not be expected to create policies and
procedures relating to the filing obligation.
---------------------------------------------------------------------------
\211\ Kiosks, for example, which are ATM-like devices that allow
customers to exchange real (or fiat) currency for virtual currency
and vice versa, are already used to exchange CVC for fiat currency
including cash. See FinCEN, FIN-2025-NTC1, FinCEN Notice on the Use
of Convertible Virtual Currency Kiosks for Scam Payments and Other
Illicit Activity (Aug. 4, 2025), available at https://www.fincen.gov/system/files/2025-08/FinCEN-Notice-CVCKIOSK.pdf. Such
devices could be leveraged by PPSIs as an additional means to
interact with customers.
---------------------------------------------------------------------------
FinCEN's proposal would require PPSIs to comply with the series of
provisions comprising CTR obligations. The threshold in Sec. 1010.311
applies to transactions in currency of more than $10,000 conducted
during a single business day. Section 1010.312 specifies when a
financial institution is required to verify and record information
about an individual conducting a reportable transaction or on whose
behalf the transaction is conducted. Under Sec. 1010.313 a financial
institution must treat multiple transactions conducted in one business
day as a single transaction if the financial institution has knowledge
that the transactions are conducted by, or on behalf of, the same
person. And Sec. 1010.314 outlines the prohibition on structuring
transactions to avoid the reporting requirement. Finally, Sec.
1010.315 exempts non-bank financial institutions from filing reports
with respect to transactions between the institution and a commercial
bank. Where a PPSI is also a bank, this exemption and not the
exemptions applicable to banks would control. FinCEN does not believe
it is necessary to clarify in the regulatory text that when an entity
is acting as a PPSI, the non-bank exemptions apply. Notably, banks can
avail themselves of a greater number of CTR exemptions,\212\ and FinCEN
welcomes feedback on whether additional exemptions are appropriate for
PPSIs.
---------------------------------------------------------------------------
\212\ See 31 CFR 1020.315.
---------------------------------------------------------------------------
8. Proposed 31 CFR 1033.320--Reports of Suspicious Transactions
The GENIUS Act explicitly requires PPSIs to be subject to BSA
requirements relating to ``monitoring and reporting of any suspicious
transaction relevant to a possible violation of law or regulation.''
\213\ Under the BSA, FinCEN has authority to require any financial
institution to ``report any suspicious transaction relevant to a
possible violation of law or regulation.'' \214\ Nearly all financial
institutions subject to FinCEN regulations are required to identify and
report suspicious activity.\215\ These reports provide highly useful
information that is leveraged by authorized users as part of criminal,
tax, and regulatory investigations; risk assessments; and intelligence
and counterintelligence activities.\216\
---------------------------------------------------------------------------
\213\ See 12 U.S.C. 5903(a)(5)(A)(iii).
\214\ See 31 U.S.C. 5318(g)(1).
\215\ See 31 CFR 1020.320, 1021.320, 1022.320, 1023.320,
1024.320, 1025.320, 1026.320, 1029.320, 1030.320.
\216\ See 31 U.S.C. 5311(1); see also, e.g., FinCEN, Financial
Crimes Enforcement Network (FinCEN) Year in Review for Fiscal Year
2024, available at https://www.fincen.gov/system/files/2025-08/FinCEN-Infographic-Public-2025-508.pdf.
---------------------------------------------------------------------------
[[Page 18607]]
This proposed rule would promulgate at Sec. 1033.320 a requirement
that PPSIs file SARs for any suspicious transaction relevant to a
possible violation of law or regulation. FinCEN expects that requiring
PPSIs to report suspicious activity would similarly provide highly
useful information for investigations and proceedings involving
domestic and international money laundering, terrorist financing, and
other illicit finance activity, as well as for intelligence purposes.
The proposed requirement is generally consistent with the existing SAR
filing requirements for stablecoin issuers regulated as MSBs, as well
as other financial institutions with SAR filing requirements.
i. PPSI SAR Obligation With Regards to Secondary Market Activity
FinCEN recognizes that the majority of illicit finance involving
payment stablecoins occurs on the secondary market. FinCEN also
recognizes that certain aspects of how PPSIs and payment stablecoins
operate could raise questions about the appropriate scope of SAR
obligations relating to secondary market activity. Specifically, due to
the nature of how transactions occur on the secondary market via smart
contract, a PPSI can see the movement of its payment stablecoin even
when the transfer occurs between individuals or entities with which the
PPSI has no established direct customer relationship and when the PPSI
is not a party to the transfer other than via operation of its smart
contracts.
PPSIs may have less information on secondary market transactions
than on primary market transactions. When a payment stablecoin transfer
occurs in the secondary market, generally, the PPSI's interaction with
the transfer is through the smart contract. When such a transfer occurs
in the normal course of business, while the PPSI may be privy to
certain information for secondary market transactions, such information
may not be highly useful for SAR reporting purposes. For example, in
many cases the information would not enable a PPSI to make an informed
assessment of the transfer for SAR reporting purposes. At times, a PPSI
could not identify an actor behind a secondary market transaction.
PPSIs, like other financial institutions and law enforcement, can rely
on the blockchain and analytical tools to gain greater insight into the
risk associated with a particular transfer, but the PPSI may have
limited distinct insight particularly as to the parties associated
with, or the purpose of, the transfer. As such, the information
available to PPSIs may present challenges as to how and when they are
able to identify and report suspicious activity for secondary market
transactions. SARs conveying only limited information are less useful
to regulators and law enforcement.
Relatedly, at times, secondary market transfers for which PPSIs
have some visibility due to the smart contract may be subject to more
ready observation by other BSA-regulated institutions or foreign
financial institutions subject to reporting obligations. Such
institutions may be better positioned to assess the suspiciousness of a
transaction and may be obligated to collect identifying information
associated with a transfer, which can be reported via a SAR as
appropriate.
Still, there may be instances in which a PPSI has reason to suspect
that a transaction is related to criminal activity or has no business
or apparent lawful purpose and, thus, could be required to report the
activity. PPSIs may also suspect suspicious activity based on public
information, information from other compliance efforts, or other
information sources. FinCEN also understands that some PPSIs currently
devote resources to monitoring secondary market activity to identify
illicit finance risks.
FinCEN has preliminarily assessed that the burden of requiring
PPSIs to file SARs concerning secondary market activity would
potentially outweigh the likely benefits. The requirement would
essentially require global monitoring of transfers but could result in
SARs containing minimal information. While in some instances, FinCEN
expects the reporting could net highly useful information, particularly
where the transfers do not occur through BSA-regulated institutions,
FinCEN preliminarily has determined that the substantial burden imposed
would outweigh the potential benefit it reasonably anticipates could be
gained from requiring such reporting. Moreover, a blanket obligation to
report suspicious activity on secondary market transactions could lead
to PPSIs being overly cautious and filing a substantial number of
defensive SARs to avoid criticism from examiners about underreporting.
Such defensive SARs can have little value for law enforcement and other
users attempting to combat illicit finance.
Accordingly, this proposal does not impose a secondary market SAR
reporting obligation. However, consistent with FinCEN's longstanding
position, a PPSI would be afforded the protections from liability
provided by the BSA for any SAR voluntarily filed reporting a possible
violation of law or regulation in good faith.\217\ To ensure clarity
regarding the SAR reporting obligation, FinCEN proposes adding a new
paragraph, Sec. 1033.320(g), to clarify that, for purposes of the SAR
obligation, a transfer is not a ``transaction'' conducted or attempted
by, at, or through a PPSI only due to an interaction with a smart
contract. This language should not be construed as changing or opining
on SAR regulations applicable to other types of financial institutions.
---------------------------------------------------------------------------
\217\ See infra section VI.C.8.ii. and vi.
---------------------------------------------------------------------------
FinCEN considered alternatives that would have instead imposed
limited secondary market SAR reporting obligations. For example, FinCEN
considered a SAR obligation where a PPSI has reason to know a
transaction to which it is not a party is designed to evade a lawful
order. FinCEN also considered, requiring a PPSI to file a SAR when it
is notified in some way, such as through an order, legal process, or
via an information sharing channel, that authorities suspect a transfer
is associated with illicit activity. But FinCEN assesses that SAR
reporting where authorities are aware of suspicious activity and alert
a PPSI to activity is of limited utility relative to the reporting
burden. FinCEN also considered imposing a SAR obligation when a PPSI
learns through any means, such as part of its secondary market risk
monitoring, that a secondary market transfer is suspicious. But, as
discussed above, FinCEN assesses such an obligation would outweigh the
benefit accrued from the obligation due to, among other things, the
information available to the PPSI.
FinCEN, however, seeks comment on its preliminary determination
that PPSIs should not be obligated to provide SAR reporting on the
secondary market. It also seeks comment on whether its proposed
regulatory text relating to secondary market activity provides
sufficiently clear and accurate guardrails. FinCEN seeks comment on
policy alternatives (including the imposition of limited, bespoke
reporting obligations about secondary market transfers) and the
benefits and drawbacks of such alternatives as well. For any such
bespoke SAR obligation recommended, FinCEN requests commenters
elaborate on the kinds of information a PPSI could reasonably be
expected to provide based on current or expected technical and
operational capabilities, the uniqueness of such information (i.e.,
commenters should
[[Page 18608]]
identify the useful information a PPSI could provide about secondary
market transfers that could not be readily obtained from other
sources).
ii. Proposed 31 CFR 1033.320(a)--Reports by PPSIs of Suspicious
Transactions
Proposed Sec. 1033.320(a) sets forth the criteria for which a PPSI
would be obligated to report suspicious transactions that are conducted
or attempted by, at, or through a PPSI and involve or aggregate at
least $5,000 in funds or other assets.
Proposed Sec. 1033.320(a)(1) contains the general statement of the
obligation to file reports of suspicious transactions, including that
transactions must be reported if conducted or attempted by, at, or
through a PPSI. FinCEN proposes referencing a clarification to be
codified in Sec. 1033.320(g) on the meaning of ``transaction'' for the
PPSI SAR reporting obligation, which as proposed would state that ``A
transaction is not conducted or attempted by, at, or through a
permitted payment stablecoin issuer only because a transfer by third
parties results in an interaction with a permitted payment stablecoin
issuer's smart contract.'' To clarify that the proposed rule imposes a
reporting requirement that is consistent with those for other financial
institutions, Sec. 1033.320(a)(1) incorporates language from the SAR
rules applicable to other financial institutions, such as banks,
broker-dealers in securities, mutual funds, casinos, and MSBs,
including clarifying that the SAR reporting obligations relates not
only to discrete transactions but also to patterns of transactions that
in aggregate are suspicious and meet the reporting threshold.
Proposed Sec. 1033.330(a)(1) makes clear that a PPSI is permitted
to report voluntarily any transaction the PPSI believes is relevant to
the possible violation of any law or regulation but that is not
otherwise required to be reported by this proposed rule. Thus, the rule
would afford PPSIs the protection from liability for the voluntary
reporting of such suspicious transactions, including those occurring on
the secondary market.
Proposed Sec. 1033.320(a)(2) would require the reporting of
suspicious activity that involves or aggregates at least $5,000 in
funds or other assets. The $5,000 threshold in this proposed rule is
consistent with the SAR filing requirements for most other financial
institutions.\218\ Currently, stablecoin issuers regulated as MSBs have
SAR filing obligations at the monetary threshold of $2,000.\219\ FinCEN
proposes the $5,000 monetary threshold for PPSIs because $5,000 is the
reporting threshold that FinCEN's regulations use for financial
institution types that are subject to customer identification program
requirements, and the GENIUS Act requires PPSIs to have customer
identification programs.\220\ The $2,000 threshold for MSBs was
established in a March 2000 final rule, which highlighted specific
characteristics for MSBs that do not apply in the PPSI context. In
particular, the final rule explained that the threshold for MSBs was
less than several other financial institution types due to the
relationship between transmitters and their agents; a desire to account
for transfers below the existing $3,000 recordkeeping requirement with
respect to funds transfers conducted through MSBs; the fact that BSA
regulations for MSBs were new and existing state-level regulations were
uneven; and feedback from law enforcement about serious abuse of money
transmission at levels below $2,000.\221\ The proposed $5,000 threshold
takes into account the current status of the payment stablecoin
ecosystems, where primary market transactions below $5,000 are rare;
the lack of transmitter/agent relationships in the PPSI ecosystem; and
the required imposition of customer identification program obligations
on PPSIs.
---------------------------------------------------------------------------
\218\ See 31 CFR 1020.320(a), 1021.320(a), 1023.320(a),
1024.320(a), 1026.320(a), 1029.320(a) (requiring banks, casinos,
broker-dealers in securities, mutual funds, futures commission
merchants and introducing brokers, and loan or finance companies to
report suspicious transactions if they involve in the aggregate at
least $5,000).
\219\ 31 CFR 1022.320(a)(2).
\220\ 12 U.S.C. 5903(a)(5)(A)(v).
\221\ See FinCEN, Amendments to the Bank Secrecy Act
Regulations-Requirement that Money Transmitters and Money Order and
Traveler's Check Issuers, Sellers, and Redeemers Report Suspicious
Transactions, 65 FR 13683 (Mar. 14, 2000).
---------------------------------------------------------------------------
Section 1033.320(a)(2)(i) through (iv) specifies that a PPSI would
be required to report a transaction if it knows, suspects, or has
reason to suspect that the transaction (or a pattern of transactions of
which the transaction is a part): (i) involves funds derived from
illegal activity or is intended or conducted to hide or disguise funds
or assets derived from illegal activity as a part of a plan to violate
or evade any Federal law or regulation or to avoid any transaction
reporting requirement under Federal law or regulation; (ii) is
designed, whether through structuring or other means, to evade the
requirements of the BSA; (iii) has no business or apparent lawful
purpose, and the PPSI knows of no reasonable explanation for the
transaction after examining the available facts; or (iv) involves the
use of the PPSI to facilitate criminal activity. FinCEN notes that
paragraph (iv) is included in all SAR rules enacted after 2001.\222\
The bank SAR rule does not contain an equivalent to paragraph (iv),
because it was issued prior to 2001. To maintain standard language
across financial institution types, FinCEN proposes paragraph (iv) for
PPSIs, which FinCEN does not believe adds substantially to the
reporting obligation already mandated by paragraphs (i) through (iii).
---------------------------------------------------------------------------
\222\ See 31 CFR 1021.320(a)(2)(iv), 1022.320(a)(2)(iv),
1023.320(a)(2)(iv), 1024.320(a)(2)(iv), 1025.320(a)(2)(iv),
1026.320(a)(2)(iv), 1029.320(a)(2)(iv), 1030.320(a)(2)(iv).
---------------------------------------------------------------------------
Section 1033.320(a)(3) recognizes that one or more financial
institutions may have an obligation to report the same suspicious
transaction and that other financial institutions may have separate
obligations to report suspicious activity with respect to the same
transaction pursuant to other provisions in the BSA. Under this
proposed provision, where more than one financial institution with a
separate suspicious activity reporting obligation \223\ is involved in
the same transaction, only one report jointly filed on behalf of all
involved financial institutions would be required, provided that the
joint report contained all relevant facts and that each institution
maintained a copy of the report and any supporting documentation.
Accordingly, where a PPSI is a subsidiary of a parent insured
depository institution and both institutions are required to file a
SAR, the parent will be permitted to file SARs on behalf of its PPSI
subsidiary (and vice versa).
---------------------------------------------------------------------------
\223\ Other BSA-defined financial institutions, such as banks,
broker-dealers in securities, and mutual funds have separate
reporting obligations that may involve the same suspicious activity.
See 31 CFR 1020.320, 1023.320, 1024.320.
---------------------------------------------------------------------------
iii. Proposed 31 CFR 1033.320(b)--Filing and Notification Procedures
Proposed Sec. 1033.320(b)(1) through (4) sets forth the filing and
notification procedures a PPSI would need to follow to make reports of
suspicious transactions. If the PPSI identifies a suspect, within 30
days of initial detection by the reporting PPSI of facts that may
constitute a basis for filing a SAR, the PPSI would need to report the
transaction by completing and filing a SAR with FinCEN in accordance
with all form instructions. If a PPSI does not identify a suspect, a
PPSI may delay filing for 30 days to identify a suspect. The PPSI would
also need to collect and
[[Page 18609]]
maintain supporting documentation relating to each SAR.
For situations requiring immediate attention, such as suspected
terrorist financing or ongoing money laundering schemes, PPSIs would be
required under Sec. 1033.320(b)(4) to notify immediately by telephone
the appropriate law enforcement authority in addition to filing a
timely SAR.
Finally, Sec. 1033.320(b)(5) provides that a PPSI wishing to
voluntarily report suspicious transactions that may relate to terrorist
activity may call FinCEN's Financial Institutions Hotline at 1-866-556-
3974 in addition to filing timely a SAR if required by this section.
The PPSI may also, but is not required to, contact its primary Federal
payment stablecoin regulator to report such situations.
iv. Proposed 31 CFR 1033.320(c)--Retention of Records
Proposed Sec. 1033.320(c) would provide that PPSIs must maintain
copies of filed SARs and the underlying related documentation for a
period of five years from the date of filing. Supporting documentation
would need to be made available to FinCEN, any Federal, State, or local
law enforcement agency; or any Federal regulatory authority that
examines the PPSI for compliance with the BSA under the proposed rule,
upon request of that agency or authority.
v. Proposed 31 CFR 1033.320(d)--Confidentiality of SARs
Consistent with BSA provisions regarding SAR confidentiality,\224\
proposed Sec. 1033.320(d) would provide that a SAR and any information
that would reveal the existence of a SAR are confidential and shall not
be disclosed except as authorized in Sec. 1033.320(d)(1)(ii). Section
1033.320(d)(1)(i) would generally provide that no PPSI, and no current
or former director, officer, employee, or agent of any PPSI, shall
disclose a SAR or any information that would reveal the existence of a
SAR. This provision of the proposed rule would further provide that any
PPSI and any current or former director, officer, employee, or agent of
any PPSI that is subpoenaed or otherwise requested to disclose a SAR or
any information that would reveal the existence of a SAR, would decline
to produce the SAR or such information and would be required to notify
FinCEN of such a request and any response thereto. In addition to
reports of suspicious activity required by the proposed rule, PPSIs
would be prohibited from disclosing voluntary reports of suspicious
activity.
---------------------------------------------------------------------------
\224\ 31 U.S.C. 5318(g)(2).
---------------------------------------------------------------------------
Proposed Sec. 1033.320(d)(1)(ii) would provide three rules of
construction that clarify the scope of the prohibition against the
disclosure of a SAR by a PPSI. The rules of construction proposed would
remain qualified by, and subordinate to, the statutory mandate that
revealing to one or more subjects of a SAR of the SAR's existence would
remain a crime.\225\ The first rule of construction, in Sec.
1033.320(d)(1)(ii)(A)(1), would authorize a PPSI, or any director,
officer, employee or agent of a PPSI, to disclose a SAR, or any
information that would reveal the existence of a SAR, to various
specified authorities provided that no person involved in the reported
transaction is notified that the transaction has been reported. The
second rule of construction, in Sec. 1033.320(d)(1)(ii)(A)(2), would
provide two instances where disclosures of underlying facts,
transactions, and documents upon which a SAR was based would be
permissible: in connection with (i) preparation of a joint SAR or (ii)
certain employment references or termination notices.
---------------------------------------------------------------------------
\225\ See 31 U.S.C. 5318(g)(2)(A)(i), 5322.
---------------------------------------------------------------------------
The third rule of construction, in Sec. 1033.320(d)(1)(ii)(B),
would authorize sharing of a SAR within a PPSI's corporate
organizational structure for purposes consistent with the BSA as
determined by regulation or in guidance. FinCEN proposes specifying in
this rule of construction that a PPSI subsidiaries and its insured
depository institution parent can share SARs between the two entities
as doing so is consistent with Title II of the Bank Secrecy Act.
Specifically, such sharing enables a parent company to discharge its
oversight responsibilities with respect to enterprise-wide risk
management.\226\ This provision is intended to make it clear that PPSIs
will be permitted to share SARs, as well as the underlying facts,
transactions, and documents upon which a SAR was based, with its parent
insured depository institution (and vice versa).
---------------------------------------------------------------------------
\226\ In reaching this conclusion, FinCEN considered and found
persuasive the rationale underlying interagency guidance issued by
FinCEN, the Board, FDIC, OCC, and Office of Thrift Supervision,
which determined ``a U.S. bank or savings association may disclose a
Suspicious Activity Report to its controlling company.'' See FinCEN,
the Board, FDIC, OCC, and Office of Thrift Supervision, Interagency
Guidance on Sharing Suspicious Activity Reports with Head Offices
and Controlling Companies (Jan. 20, 2006), available at https://www.fincen.gov/system/files/guidance/sarsharingguidance01122006.pdf.
---------------------------------------------------------------------------
Section 1032.330(d)(2) would also incorporate the statutory
prohibition against disclosure of SAR information by government
authorities that have access to SARs other than in fulfillment of their
official duties consistent with the BSA. The paragraph would clarify
that official duties do not include the disclosure of SAR information
in response to a request by a non-governmental entity for non-public
information \227\ or for use in a private legal proceeding, including a
request under 31 CFR 1.11.\228\
---------------------------------------------------------------------------
\227\ For purposes of this rulemaking, ``non-public
information'' refers to information that is exempt from disclosure
under the Freedom of Information Act.
\228\ 31 CFR 1.11 is Treasury's regulation governing demands for
testimony or the production of records of Department employees and
former employees in a court or other proceeding.
---------------------------------------------------------------------------
vi. Proposed 31 CFR 1033.320(e)--Limitation of Liability
Proposed Sec. 1033.320(e) would provide protection from liability,
also known as a safe harbor, for making either required or voluntary
reports of suspicious transactions, or for failures to provide notice
of such disclosure to any person identified in the disclosure to the
full extent provided by 31 U.S.C. 5318(g)(3).\229\ This protection
would extend to a PPSI and any current or former director, officer,
employee, or agent of a PPSI.
---------------------------------------------------------------------------
\229\ As previously referenced, to encourage the reporting of
possible violations of law or regulation and the filing of SARs, the
BSA contains a safe harbor provision that shields financial
institutions making such reports from civil liability. In 2001, the
USA PATRIOT Act clarified that the safe harbor also covers voluntary
disclosure of possible violations of law and regulations to a
government agency and expanded the scope of the safe harbor to cover
any civil liability which may exist under any contract or other
legally enforceable agreement (including any arbitration agreement).
See USA PATRIOT Act, Public Law 107-56, sec. 351(a), 115 Stat. 272,
321 (2001); 31 U.S.C. 5318(g)(3).
---------------------------------------------------------------------------
vii. Proposed 31 CFR 1033.320(f)--Compliance
Proposed Sec. 1033.320(f) would note that FinCEN or its delegates
will examine PPSIs' compliance with their obligation to report
suspicious transactions. Proposed Sec. 1033.320(f) would also provide
that a PPSI's failure to comply with FinCEN's SAR filing requirements
may constitute a violation of the BSA and FinCEN's regulations.
viii. Proposed 31 CFR 1033.320(g)--Clarification Regarding Transactions
Proposed Sec. 1033.320(g) would effectuate FinCEN's intent to
explicitly scope out secondary market transfers from a PPSI's SAR
reporting obligation. It would state that, for the purposes of the PPSI
SAR regulation, ``A transaction, for purposes of Sec. 1033.320, is not
conducted or attempted by, at, or
[[Page 18610]]
through a permitted payment stablecoin issuer only because a transfer
by third parties results in an interaction with a permitted payment
stablecoin issuer's smart contract.''
FinCEN also considered, instead of clarifying what transfers are
scoped out of the rule, specifying transfers scoped into the rule, by
outlining that ``transactions'' include (1) issuances or redemptions of
a payment stablecoin; (2) transfers, payments, or withdrawals of funds
or value related to issuing or redeeming a payment stablecoin, (3)
transfers, payments, or withdrawals of funds or value related to
managing reserve assets; (4) transfers, payments, or withdrawals of
funds or value related to providing custodial or safekeeping services
for payment stablecoins, required reserves; or private keys of payment
stablecoins; (5) transfers, payments, or withdrawals of funds or value
related to any activities that support (1)-(4); and (6) transfers,
deposits or withdrawals relating to any activity in which a PPSI is
authorized to engage. FinCEN preliminarily believes, however, that
attempting to further outline ``transaction'' adds unnecessary
complexity; may result in confusion because ``transaction'' is
otherwise defined in FinCEN's regulations; and could lead to the PPSI
SAR obligation being overly or underly inclusive as the kinds of
activities in which PPSIs engage, and how they engage in those
activities, could evolve. As indicated above, FinCEN welcomes comment
on its proposed approach.
9. Proposed 31 CFR 1033.400 and 1033.410--Recordkeeping Requirements
for PPSIs
The GENIUS Act requires that PPSIs be subject to requirements
relating to ``retention of appropriate records.'' \230\ Under the BSA,
FinCEN has authority to impose on financial institutions obligations
relating to requiring, retaining, and maintaining records.\231\
Financial institutions subject to the BSA obligations have these
recordkeeping requirements.\232\ These records enhance law
enforcement's ability to detect, investigate, and prosecute money
laundering, financial crimes, and have a high degree of usefulness in
criminal, tax, or regulatory investigations.\233\ Consistent with its
treatment of other financial institutions under the BSA, FinCEN
proposes amendments to Sec. 1010.410 and adding Sec. Sec. 1033.400
and 1033.410 to apply these recordkeeping requirements to PPSIs.
---------------------------------------------------------------------------
\230\ See 12 U.S.C. 5903(a)(5)(A)(ii).
\231\ See 12 U.S.C. 1953; 31 U.S.C. 5318(a)(2); see also 12
U.S.C. 5901(2) (defining ``Bank Secrecy Act'' to include 12 U.S.C.
1951 et seq.); 31 U.S.C. 5311(1) (stating purpose of the BSA
includes requiring records that are highly useful for law
enforcement and regulatory investigations and intelligence and
counterintelligence activities).
\232\ See 31 CFR 1020 subpart D, 1021 subpart D, 1022 subpart D,
1023 subpart D, 1024 subpart D, 1025 subpart D, 1026 subpart D, 1027
subpart D, 1028 subpart D, 1029 subpart D, and 1030 subpart D.
\233\ See 31 CFR 1010.401.
---------------------------------------------------------------------------
Proposed Sec. 1033.400 would state generally that PPSIs are
subject to the recordkeeping requirement of subpart D of part 1010,
which would include Sec. 1010.430 that, among other things, requires
records to be kept for five years and Sec. 1010.415. Proposed Sec.
1033.410 would cross-reference Sec. 1010.410 which details the
specific recordkeeping requirements explained in detail below.
i. Application of Recordkeeping Obligations in Sec. 1010.410(a)-(d)
The proposal would require PPSIs to comply with the recordkeeping
obligations outlined in Sec. 1010.410(a) through (c). The
recordkeeping obligations would require PPSIs to create and retain
certain records for extensions of credit in excess of $10,000; \234\
and certain records of cross-border transfers of currency, monetary
instruments, funds, checks, investment securities, and credit worth
more than $10,000. Section 1010.410(d) would require also a PPSI to
maintain records related to any order issued under Sec. 1010.370(a)
for up to five years.
---------------------------------------------------------------------------
\234\ FinCEN recognizes that it is unlikely PPSIs will engage in
extensions of credit, but in the event the ability of PPSI to extend
credit is not fully foreclosed, FinCEN believes it prudent to apply
the obligation. A PPSI not engaged in such activity would not be
expected to take any action to implement it, including creating
policies and procedures, and accordingly would accrue no burden from
the application of this obligation.
---------------------------------------------------------------------------
ii. Application of Recordkeeping Obligations in Sec. 1010.410(e) and
(f)
The proposal would also require PPSIs to comply with the
Recordkeeping Rule and Travel Rule, which are complementary obligations
codified in Sec. Sec. 1010.410(e) and 1010.410(f), respectfully.\235\
The Recordkeeping Rule requires financial institutions to collect and
retain records for funds transfers and transmittals of funds in amounts
of $3,000 or more. The Travel Rule requires financial institutions to
transmit information on certain funds transfers and transmittals of
funds to other financial institutions participating in the transfer or
transmittal. As such, the information ``travels'' with the transmittal
to the next financial institution in the payment chain.\236\ Under the
current regulatory regime, stablecoin issuers are subject to the
Recordkeeping Rule and Travel Rule as MSBs. The proposed requirement is
generally consistent with existing recordkeeping requirements for
stablecoin issuers regulated as MSBs, as well as other financial
institutions with recordkeeping requirements. FinCEN is not proposing
to substantively change the Recordkeeping Rule and Travel Rule
requirements via this rulemaking other than clearly imposing those
requirements on PPSIs, consistent with the GENIUS Act, and ensuring it
is clear that transmittal orders involving payment stablecoins are
covered by the Recordkeeping Rule and Travel Rule.\237\
---------------------------------------------------------------------------
\235\ The Recordkeeping Rule for nonbank financial institutions
is codified at 31 CFR 1010.410(e). The Travel Rule is codified at 31
CFR 1010.410(f) and applies to both bank and nonbank financial
institutions. See Treasury, Board, Amendment to the Bank Secrecy Act
Regulations Relating to Recordkeeping for Funds Transfers and
Transmittals of Funds by Financial Institutions, 60 FR 220 (Jan. 3,
1995).
\236\ See 31 CFR 1010.410(e).
\237\ In addition to implementing the GENIUS Act's directive
that PPSIs be subject to recordkeeping obligations, this proposal
also implements its requirements related to high value transactions
by requiring collection of information for certain transactions. See
12 U.S.C. 5903(a)(5)(A)(v).
---------------------------------------------------------------------------
a. Proposed Amendment to 31 CFR 1010.100(eee)--Definition of
Transmittal Order
Both the Recordkeeping Rule, Sec. 1010.410(e),\238\ and Travel
Rule, Sec. 1010.410(f), rely on the definition of ``transmittal
order'' in Sec. 1010.100(eee), which states, in part, that a
transmittal order causes another financial institution to pay a fixed
amount of ``money.'' FinCEN has clarified in guidance that transmittal
orders relating to transfers involving CVC, of which payment
stablecoins are one type, are subject to the Recordkeeping and Travel
Rules, presuming the Rules' other conditions are met.\239\
Nevertheless, to avoid any doubt regarding the application of the term
transmittal order to payment stablecoins in light of the GENIUS Act's
direction to issue regulations setting out requirements for PPSIs,
FinCEN proposes amending the definition of transmittal order in Sec.
1010.100(eee) to expressly include payment stablecoins in addition to
``money.'' \240\ This change should not be
[[Page 18611]]
construed, including by negative inference, to imply that orders to pay
other kinds of value that substitute for currency are not transmittal
orders.\241\
---------------------------------------------------------------------------
\238\ Section 1010.410(e) applies to ``nonbank financial
institutions.'' FinCEN recognizes that some PPSIs may also be banks
but believes further clarifying in the regulatory text that when an
entity acts as a PPSI it is acting as a nonbank financial
institution is not necessary.
\239\ See 2019 CVC Guidance, supra note 87.
\240\ Under 31 U.S.C. 5318(a)(2), FinCEN can require financial
institutions to maintain appropriate procedures, including to
collect and report information. to guard against money laundering,
the financing of terrorism, or other forms of illicit finance.
Additionally, 12 U.S.C. 1953 provides the Secretary the ability to,
for any financial institution other than an insured bank, promulgate
rules related to maintenance of appropriate records including
relating to funds transfers. While FinCEN assesses its inclusion of
``payment stablecoin'' is no more than a clarification, it also has
and is using its authority under 12 U.S.C. 1953 and 31 U.S.C.
5318(a)(2) to independently add payment stablecoin to the
Recordkeeping and Travel Rule's purview.
\241\ See supra section VI.C.1.iv; see also 2019 CVC Guidance,
supra note 87, p. 11.
---------------------------------------------------------------------------
FinCEN previously discussed its treatment of CVCs for purposes of
the Recordkeeping and Travel Rules. FinCEN's 2019 guidance clarified
the application of the Recordkeeping and Travel Rules to CVCs:
``because a transmittal order involving CVC is an instruction to pay `a
determinable amount of money,' transactions involving CVC qualify as
transmittals of funds, and thus may fall within'' these
obligations.\242\ FinCEN recognizes various definitions and treatment
of the term ``money.'' Notably, under the GENIUS Act, the term
``money'' means ``(A) [ ] a medium of exchange currently authorized or
adopted by a domestic or foreign government; and (B) includes a
monetary unit of account established by an intergovernmental
organization or by agreement between 2 or more countries.'' \243\ As
FinCEN explained in its 2020 notice of proposed rulemaking related to
the Recordkeeping and Travel Rules, in the preamble to the original
Recordkeeping Rule, FinCEN indicated non-defined terms should be given
the meaning given to the term in Article 4A of the Uniform Commercial
Code (UCC), which, at the time, defined ``money'' as ``a medium of
exchange currently authorized or adopted by a domestic or foreign
government.'' \244\ Since 2020, however, additional CVCs and digital
assets have emerged. As recognized by Congress in the AML Act, these
new forms of assets are intended to operate as value that substitutes
for traditional forms of money.\245\ Based on prior FinCEN guidance,
stablecoin issuers do constitute money for purpose of the Recordkeeping
and Travel Rules,\246\ and, accordingly, FinCEN proposes adding payment
stablecoin to the definition of transmittal order to ensure the
application to payment stablecoins is clear in light of the GENIUS Act.
---------------------------------------------------------------------------
\242\ See 2019 CVC Guidance, supra note 87, p. 11.
\243\ 12 U.S.C. 5901(18).
\244\ See FinCEN, Board, Threshold for the Requirement To
Collect, Retain, and Transmit Information on Funds Transfers and
Transmittals of Funds That Begin or End Outside the United States,
and Clarification of the Requirement To Collect, Retain, and
Transmit Information on Transactions Involving Convertible Virtual
Currencies and Digital Assets With Legal Tender Status, 85 FR 68005,
68009 (Oct. 27, 2020). FinCEN intends to withdraw this proposal. See
E.O. 14178 Report, supra note 32, p. 100.
\245\ See, e.g., AML Act, Public Law 116-283 (2021). Section
6102(d) of the AML Act adding ``value that substitutes for
currency'' to clarify the application of the BSA to those assets,
including clarifying that ``monetary instruments'' can include
``value that substitutes for any monetary instrument.''
\246\ See 2019 CVC Guidance, supra note 87, p. 11.
---------------------------------------------------------------------------
b. Proposed Amendment to 31 CFR 1010.410(e)(6)--Scope of Recordkeeping
Obligation
FinCEN proposes amending Sec. 1010.410(e)(6) to add PPSIs to the
list of entities excepted from the requirements in Sec. 1010.410(e)
when the transfer is between the entities listed. Under this proposal,
PPSIs would be treated in the same manner--and with the same exceptions
for transfers to certain other entities--such as banks, broker-dealers,
futures commission merchants, introducing brokers in commodities, and
mutual funds. In other words, the recordkeeping requirements of the
Recordkeeping Rule would not apply to transmittals of funds in which
both the transmittor and the recipient are either a PPSI, bank, broker-
dealer, futures commission merchant, introducing broker in commodities,
or mutual fund.
10. Proposed 31 CFR 1033.520 and 1033.540--Special Information-Sharing
Procedures
The GENIUS Act generally directs that PPSIs be treated as financial
institutions under the BSA and be subject to ``all laws'' relating to
``prevention of money laundering.'' \247\ Although the GENIUS Act does
not explicitly direct FinCEN to apply its provisions relating to
information sharing to PPSIs, information sharing authorities are
established components of the BSA, which, among other purposes, seek to
``prevent laundering of money.'' \248\ Indeed, in the AML Act, Congress
declared that one purpose of the BSA is to ``establish appropriate
frameworks for information sharing.'' \249\ The USA PATRIOT Act, which
amended the BSA, provides in section 314(a) that the Secretary should
adopt regulations to encourage the further cooperation and sharing of
information regarding credible evidence of terrorist acts or money
laundering activities among financial institutions, their regulatory
authorities, and law enforcement authorities.\250\ Section 314(b)
further provides financial institutions with the ability to voluntarily
share information regarding parties suspected of possible terrorist or
money laundering activities with another financial institution upon
notice to the Treasury under a safe harbor that offers protections from
liability.
---------------------------------------------------------------------------
\247\ 12 U.S.C. 5903(a)(5)(A).
\248\ 31 U.S.C. 5311(2), (5).
\249\ See 31 U.S.C. 5311(5); see also AML Act, Public Law 116-
283.
\250\ See 31 U.S.C. 5311 note (``Cooperation Among Financial
Institutions, Regulatory Authorities, and Law Enforcement
Authorities'').
---------------------------------------------------------------------------
FinCEN's regulations at 31 CFR 1010.520 and 1010.540 implement
sections 314(a) and 314(b) of the USA PATRIOT Act, respectively.
Section 1010.520 applies to financial institutions generally and, as
explained below, requires a financial institution to search its records
upon receipt of a request from FinCEN and provide information in
return. Section 1010.540 applies to financial institutions that are
required to have AML/CFT programs, or are treated as having satisfied
that requirement, and is a voluntary information sharing tool of which
a financial institution may, but is not required, to avail itself.
Consistent with its treatment of other financial institutions under
the BSA, FinCEN proposes adding Sec. Sec. 1033.500, 1033.520, and
1033.540 to its regulations to expressly apply the information-sharing
provisions of Sec. Sec. 1010.520 and 1010.540 to PPSIs. FinCEN is
proposing to apply these provisions to PPSIs so that law enforcement
would be able to request information from PPSIs where there is
reasonable suspicious and credible evidence that an individual, entity,
or organization is involved in terrorist acts or money laundering,
potentially resulting in lead information that might otherwise never be
uncovered.\251\ Further, PPSIs would be able to participate in
voluntary information sharing arrangements, through which they can
share and receive information from other financial institutions to
identify and, where appropriate, report activities that may involve
terrorist activity or money laundering. As FinCEN has previously noted,
under 314(b) financial institutions can share information about
transactions involving the proceeds of specified unlawful activities,
which include an array of fraudulent and other criminal activities,
such as fraud against
[[Page 18612]]
individuals, organizations, or governments, computer fraud and abuse,
and other crimes.\252\ Such sharing could, for example, enable broader
understanding of customer risk and filing of more comprehensive
SARs.\253\
---------------------------------------------------------------------------
\251\ FinCEN, FinCEN's 314(a) Fact Sheet (last updated Feb. 3,
2026), available at https://www.fincen.gov/sites/default/files/shared/314afactsheet.pdf. Covered financial institutions are
instructed not to reply to the 314(a) request if a search does not
uncover any matching accounts or transactions.
\252\ See FinCEN, Section 314(b) Fact Sheet (Dec. 2020),
available at https://www.fincen.gov/system/files/shared/314bfactsheet.pdf.
\253\ Id.
---------------------------------------------------------------------------
In particular, proposed Sec. 1033.500 would state generally that
PPSIs are subject to the special information sharing procedures of
subpart E of part 1010. In addition to Sec. Sec. 1010.520 and
1010.540, subpart E of part 1010 contains a brief definition section,
Sec. 1010.505, containing definitions for, among other things,
account. FinCEN assesses that the already codified definition of
account is sufficiently broad to cover accounts established with PPSIs,
but requests comment on whether this or any other definition in that
section, including transaction, should be modified to clarify
obligations of PPSIs.
Proposed Sec. 1033.520 would cross-reference Sec. 1010.520 and
require a PPSI, upon request from FinCEN, to expeditiously search its
records for specific information to determine whether the PPSI
maintains or has maintained an account for, or has engaged in any
transaction with, an individual, entity, or organization named in
FinCEN's request.\254\ A PPSI would then be required to report any such
identified information to FinCEN.\255\
---------------------------------------------------------------------------
\254\ See 31 CFR 1010.520(b)(3)(i).
\255\ See 31 CFR 1010.520(b)(3)(ii).
---------------------------------------------------------------------------
Proposed Sec. 1033.540 would cross-reference Sec. 1010.540 and
permit PPSIs to, upon providing notice to FinCEN, transmit, receive, or
otherwise share information with other financial institutions or
associations of financial institutions in order to identify and report
to the federal government activities that may involve money laundering
or terrorist activity.
11. Proposed 31 CFR 1033.600 Through 1033.630--Special Standards of
Diligence; Prohibitions; and Special Measures
The GENIUS Act mandated that a PPSI maintain ``appropriate enhanced
due diligence,'' \256\ and the BSA directs that financial institutions
establish appropriate enhanced due diligence for correspondent accounts
and private banking accounts.\257\ Congress has also authorized
Treasury to impose special measures to guard the U.S. financial system
when foreign financial institutions or transactions are of primary
money laundering concern.\258\ FinCEN's regulations implementing these
BSA provisions are contained in 31 CFR part 1010, subpart F. FinCEN has
applied enhanced due diligence and special measures to financial
institutions who typically maintain account-based relationships with
customers.
---------------------------------------------------------------------------
\256\ See 12 U.S.C. 5903(a)(5)(A)(v).
\257\ See 31 U.S.C. 5318(i)(1).
\258\ See 31 U.S.C. 5318A and note; 21 U.S.C. 2313a; see also 31
CFR 1010.651-664.
---------------------------------------------------------------------------
Consistent with that practice, FinCEN is proposing to apply most of
the provisions in part 1010 subpart F to PPSIs, including enhanced due
diligence for correspondent and private banking accounts and some
special measures. Proposed Sec. 1033.600 would state generally that
PPSIs are subject to the special standards of diligence, prohibitions,
and special measures of part 1010 subpart F. FinCEN is not proposing to
apply to PPSIs Sec. 1010.630, which prohibits correspondent accounts
for foreign shell banks, or Sec. 1010.670, which relates to summons
and subpoenas on foreign banks, as the statutory authority authorizing
those provisions apply only to certain types of financial
institutions.\259\
---------------------------------------------------------------------------
\259\ See 31 U.S.C. 5318(j)(1) (specifying prohibition on
correspondent accounts for shell banks is limited to financial
institutions defined in 31 U.S.C. 5312(A) though (G)); 31 U.S.C.
5318(k)(1)(B) (specifying application of subsection only to covered
financial institutions as specified in 31 U.S.C. 5318(j)(1)).
---------------------------------------------------------------------------
i. Definition of ``Correspondent Account'' and ``Covered Financial
Institution''
FinCEN is proposing to amend two definitions in Sec. 1010.605, the
definition section for subpart F. In addition to amending these terms
to account for PPSIs, FinCEN is also making non-substantive edits to
Sec. 1010.605(c)(2)(ii) through (iv) to correct cross references.\260\
---------------------------------------------------------------------------
\260\ Currently, cross references in Sec. 1010.605(c)(2)(ii)
through (iv) to corresponding paragraphs in (e)(1) are misaligned.
For example, Sec. 1010.605(c)(2)(ii), which deals with broker
dealers, should cross the corresponding paragraph in (e)(1) that
deals with broker dealers, paragraph (e)(1)(ii), but instead
references paragraph (e)(1)(viii). FinCEN's proposed changes to
paragraphs 1010.605(c)(2)(ii) through (iv) clean up the cross
references and do not result in any substantive change to the rule.
---------------------------------------------------------------------------
First, FinCEN proposes amending the definition of ``account'' in
Sec. 1010.605(c), as applied to the meaning of correspondent account
to include accounts with PPSIs. FinCEN recognizes that the term
correspondent account is not typically used in the stablecoin industry.
In a prior rulemaking FinCEN concluded that in enacting the BSA
provisions relating to enhanced due diligence for correspondent
accounts, Congress intended the term ``correspondent account'' to
capture more than traditional bank relationships.\261\ Rather its goal
in enacting BSA provisions related to correspondent accounts was
preventing ``money laundering through accounts that give foreign
financial institutions a base for moving funds through the U.S.
financial system.'' \262\ Accordingly, FinCEN extended the term
``correspondent account'' to non-bank financial institutions that
``offer accounts that provide foreign financial institutions a conduit
for engaging in ongoing transactions in the U.S. financial system
either on their own behalf or for their customers.''
---------------------------------------------------------------------------
\261\ FinCEN, Anti-Money Laundering Programs; Special Due
Diligence Programs for Certain Foreign Accounts, 71 FR 496, 497-98
(Jan. 4, 2006).
\262\ Id. at 499.
---------------------------------------------------------------------------
To effectuate the GENIUS Act's requirement that PPSIs maintain
``enhanced due diligence,'' FinCEN is proposing to amend the definition
of ``correspondent account'' so that PPSIs are required to implement
obligations related to the BSA's explicit references to ``enhanced due
diligence.'' Accordingly, FinCEN proposes here, as it has before,
extending the term correspondent account beyond its traditional use in
banking and incorporating certain accounts established by PPSIs.
FinCEN proposes adding a new paragraph, Sec. 1010.605(c)(2)(v),
defining ``account,'' as applied to the meaning of ``correspondent
account'' in Sec. 1010.605(c), to include, as applied to a PPSI, ``any
formal relationship established by a permitted payment stablecoin
issuer to provide regular services, dealings, and other financial
transactions.'' This definition is intended to include the range of
activities in which a PPSI may engage as articulated in 12 U.S.C.
5903(a)(7), which include issuing and redeeming payment stablecoin,
managing reserves, and providing custodial services, as well as
activities that support any of those efforts. It would also cover where
a PPSI engages in activities as a digital asset service provider.
Second, FinCEN is proposing to amend Sec. 1010.605(e)(1) to
include PPSIs in the definition of ``covered financial institution,''
which results in PPSIs being subject to provisions implementing special
standards of due diligence for correspondent accounts established or
maintained for foreign financial institutions and private
[[Page 18613]]
banking accounts established or maintained for non-U.S. persons.\263\
---------------------------------------------------------------------------
\263\ See 31 CFR 1010.610-620.
---------------------------------------------------------------------------
As part of its implementation of BSA obligations related to
enhanced due diligence for private banking accounts, FinCEN has already
defined the term private banking account in Sec. 1010.605(m). That
definition provides, in part, that a private banking account means an
account (or collection of accounts) with minimum aggregate assets of
more than $1 million, established on behalf of a non-U.S. person, and
assigned or administered by the covered financial institution. FinCEN
assesses that this definition covers the kinds of account relationships
PPSIs could maintain for a non-U.S. person and is proposing no changes,
but seeks comment on that approach.
ii. Special Standards for Diligence
To implement the GENIUS Act's directive to apply BSA obligations
related to ``enhanced due diligence,'' FinCEN proposes adding
Sec. Sec. 1033.610 and 1033.620, which adopt by reference Sec. Sec.
1010.610 and 1010.620. Sections 1010.610 and 1010.620 implement BSA
obligations related to enhanced due diligence for correspondent
accounts and private banking accounts, respectively.
Sections 1010.610 and 1010.620 require that covered financial
institutions maintain due diligence programs for correspondent accounts
for foreign financial institutions and banks and for private banking
accounts that include policies, procedures, and controls that are
reasonably designed to detect and report any known or suspected money
laundering or suspicious activity conducted through or involving any
such correspondent or private banking accounts.\264\ These provisions
also set certain minimum standards for such due diligence programs, as
well as procedures for enhanced due diligence for correspondent
accounts for foreign banks \265\ and private banking accounts for
senior foreign political figures.\266\
---------------------------------------------------------------------------
\264\ See 31 CFR 1010.610-620.
\265\ See 31 CFR 1010.610(b).
\266\ See 31 CFR 1010.620(c).
---------------------------------------------------------------------------
Applying these special standards of due diligence to PPSIs would
help PPSIs in understanding risk and identifying illicit activity in
certain relationships with foreign financial institutions.
Specifically, these standards would address relationships with high-net
worth non-U.S. customers and foreign financial institutions that may be
acting on behalf of higher-risk non-U.S. customers, when those
relationships involve correspondent accounts for foreign financial
institutions or private banking accounts.
FinCEN requests comment on the application of these provisions,
including whether additional amendments should be made to account for
any uniqueness of PPSIs.
iii. Special Measures
Under the BSA, FinCEN can require U.S. financial institutions to
implement certain special measures pursuant to section 311 of the USA
PATRIOT Act (section 311) if the Secretary finds that reasonable
grounds exist to conclude that a foreign jurisdiction, institution,
class of transaction, or type of account is a ``primary money
laundering concern.'' \267\ Section 9714(a) of the Combatting Russian
Money Laundering Act \268\ and section 7213A Fentanyl Sanctions Act (as
amended by section 3201 the of FEND Off Fentanyl Act)--the latter
codified in 21 U.S.C. 2313a and referred to colloquially as section
2313a--allow for similar special measures in the context of Russian
illicit finance and illicit opioid trafficking, respectively. As
financial institutions, FinCEN is proposing that PPSIs be required to
comply with special measures issued pursuant to sections 311, 9714(a),
and 2313a to maintain the options available under these sections to
protect the U.S. financial system from certain illicit finance threats.
---------------------------------------------------------------------------
\267\ Section 311 is codified at 31 U.S.C. 5318A.
\268\ Section 9714(a) of the Combating Russian Money Laundering
Act, as amended by section 6106(b) of the National Defense
Authorization Act for Fiscal Year 2022. Section 9714 (as amended)
can be found in a note to 31 U.S.C. 5318A.
---------------------------------------------------------------------------
Additionally, by incorporating PPSIs into the definition of
``covered financial institutions'' in Sec. 1010.605(e)(1), FinCEN
consequently imposes the special measures codified in Sec. 1010.658
(relating to FBME Bank, Ltd.); Sec. 1010.659 (relating to North
Korea); Sec. 1010.660 (relating to Bank of Dandong); Sec. 1010.661
(relating to Iran); Sec. 1010.663 (relating to Al-Huda Bank); and
Sec. 1010.664 (relating to Huione Group).\269\ FinCEN is also
proposing to amend Sec. 1010.651 (relating to Burma) \270\ and Sec.
1010.653 (relating to the Commercial Bank of Syria) to apply those
special measures to PPSIs.\271\
---------------------------------------------------------------------------
\269\ Additionally, FinCEN has proposed special measures that,
if finalized, could also require PPSIs to take special measures. See
FinCEN, Proposal of Special Measure Regarding MBaer Merchant Bank AG
as a Financial Institution Operating Outside of the United States of
Primary Money Laundering Concern, 91 FR 10034 (Mar. 2, 2026);
FinCEN, Proposal of Special Measure Regarding Transactions Involving
Ten Mexican Gambling Establishments as a Class of Transactions of
Primary Money Laundering Concern, 90 FR 51234 (Nov. 17, 2025).
\270\ In October 2016, FinCEN issued conditional exceptive
relief permitting covered financial institutions to maintain
correspondent accounts for Burmese banks under certain conditions.
See FinCEN, Conditional Exception to Bank Secrecy Act Regulations
Relating to the Burma Section 311 Final Rule, 81 FR 71986 (Oct. 19,
2016).
\271\ In May 2025, FinCEN issued conditional exceptive relief
permitting covered financial institutions to open and maintain
correspondent accounts for the Commercial Bank of Syria under
certain conditions. FinCEN, Exception to Prohibition Imposed by
Section 311 of the USA PATRIOT Act Against the Commercial Bank of
Syria (May 23, 2025), available at https://www.fincen.gov/system/files/2025-08/Commercial-Bank-of-Syria-Exceptive-Relief.pdf.
---------------------------------------------------------------------------
VII. Proposed Application of Sanctions Program Requirement
The GENIUS Act requires PPSIs to maintain ``an effective sanctions
compliance program, including verification of sanctions lists,
consistent with Federal law.'' \272\ As discussed in section V.B above,
PPSIs are U.S. persons under OFAC's existing regulations because the
GENIUS Act requires PPSIs to be formed in the United States.\273\
Accordingly, like all other U.S. persons, stablecoin issuers that
qualify as PPSIs will be required to comply with U.S. sanctions under
existing Federal law, meaning they must generally block the property
and interests in property of blocked persons; reject prohibited
transactions involving certain persons, jurisdictions, or activities;
and retain certain records and file reports with OFAC. The sanctions
compliance program requirement in the GENIUS Act, however, represents
the first time that Federal law has explicitly mandated that a
particular U.S. person have an effective sanctions compliance program,
although IEEPA and other statutory authorities authorize the President
to, among other actions, investigate, block, regulate, or prohibit
transactions and dealings in property subject to U.S. jurisdiction when
a foreign national or country has an interest.\274\
---------------------------------------------------------------------------
\272\ 12 U.S.C. 5903(a)(5)(A)(vi).
\273\ 12 U.S.C. 5901(23) (defining, in part, ``permitted payment
stablecoin issuer'' as ``a person formed in the United States'').
\274\ See 50 U.S.C. 1702.
---------------------------------------------------------------------------
Accordingly, OFAC is proposing a new part 502 to chapter V of the
CFR entitled the ``Permitted Payment Stablecoin Issuer Effective
Sanctions Compliance Program Regulations'' to effectuate the GENIUS
Act's effective sanctions compliance program requirement,\275\
consistent with statutory authorities that authorize OFAC to administer
sanctions.\276\
[[Page 18614]]
Section VII.A below describes the recordkeeping and reporting
requirement for a PPSI in line with standard OFAC requirements for all
U.S. persons,\277\ as well as an additional requirement that PPSIs
provide to OFAC upon request certain certifications required by the
GENIUS Act and relevant to OFAC's role administering and enforcing the
requirement that PPSIs maintain an effective sanctions compliance
program.\278\ Section VII.B then outlines the five elements of an
effective sanctions compliance program proposed at Sec. 502.201(b),
including an explanation and rationale for each component. Section
VII.C discusses terms OFAC proposes to define in the definitions
section in subpart C to part 502. Finally, section VII.D provides an
overview of the proposed penalties for materially or knowingly
violating the effective sanctions compliance program requirement
contained in proposed 31 CFR part 502, consistent with the GENIUS Act
\279\ and pursuant to statutory authorities authorizing OFAC to impose
civil monetary penalties, including IEEPA.\280\
---------------------------------------------------------------------------
\275\ 12 U.S.C. 5903(a)(5)(A)(vi).
\276\ See, e.g., 50 U.S.C. 1702.
\277\ See, e.g., 31 CFR 525.102, 583.102, 587.601.
\278\ See 12 U.S.C. 5904(i)(1).
\279\ 12 U.S.C. 5905(b)(5)(B)-(C).
\280\ See, e.g., 50 U.S.C. 1705(b), 4315(b).
---------------------------------------------------------------------------
A. Recordkeeping and Reporting
Consistent with OFAC's requirements for all U.S. persons, proposed
Sec. 502.102(a) imposes on PPSIs standard recordkeeping and reporting
requirements as found in 31 CFR part 501. These requirements align with
PPSIs' status as U.S. persons, making them subject to the requirements
found in subpart C of part 501. OFAC's experience in enforcing U.S.
sanctions and supporting compliance by regulated persons has found
these requirements to be essential to the integrity of the U.S.
sanctions regime.
Proposed Sec. 502.102(b) would require PPSIs provide to OFAC upon
request, given OFAC's role in administering and enforcing economic
sanctions and issuing sanctions compliance program requirements under
the GENIUS Act, any and all certifications submitted to the PPSI's
primary Federal payment stablecoin regulator or State payment
stablecoin regulator certifying, pursuant to the GENIUS Act, that the
PPSI has implemented an effective sanctions compliance program.\281\
OFAC intends to interpret the terms ``primary Federal payment
stablecoin regulator'' and ``State payment stablecoin regulator''
consistent with how those terms are defined in the GENIUS Act.\282\
---------------------------------------------------------------------------
\281\ See 12 U.S.C. 5904(i)(1).
\282\ See 12 U.S.C. 5901(25), 5901(30).
---------------------------------------------------------------------------
B. Effective Sanctions Compliance Program
The GENIUS Act requires both that PPSIs maintain an ``effective
sanctions compliance program'' \283\ and that regulations promulgated
under the Act are ``tailored to the size and complexity'' \284\ of a
PPSI. Based on decades of experience administering and enforcing U.S.
sanctions, OFAC has found across multiple sectors that an entity's size
and complexity are significant factors in assessing sanctions risk. A
larger sized entity can mean greater exposure to transactions that
could involve a blocked person, sanctioned jurisdictions, or
interaction with other OFAC-administered prohibitions or restrictions.
Likewise, greater complexity in an entity's operations can necessitate
more sophisticated controls to mitigate sanctions risk. Therefore,
based on OFAC's historical experience, OFAC assesses that the best way
to implement the GENIUS Act's instructions is to delineate effective
sanctions compliance elements that provide PPSIs discretion to make
risk-based judgments in light of, among other factors, their size and
complexity.
---------------------------------------------------------------------------
\283\ 12 U.S.C. 5903(a)(5)(A)(vi).
\284\ 12 U.S.C. 5903(a)(5)(B).
---------------------------------------------------------------------------
In 2019, OFAC published ``A Framework for OFAC Compliance
Commitments'' (the ``2019 Compliance Framework'') to support the
regulated public's development of effective sanctions compliance
programs with guidance on tailoring risk-based principles to an
organization's unique characteristics and sanctions risk exposure.\285\
In addition to being a cornerstone of OFAC's public outreach to all
regulated industries, the compliance guidance and expectations detailed
in the 2019 Compliance Framework consistently form the basis of OFAC's
published guidance (e.g., sanctions advisories, compliance
communiqu[eacute]s, and frequently asked questions), as well as
specific guidance issued in response to public inquiries.
---------------------------------------------------------------------------
\285\ See OFAC, A Framework for OFAC Compliance Commitments (May
2, 2019) [hereinafter 2019 Compliance Framework], available at
https://ofac.treasury.gov/media/16331/download?inline.
---------------------------------------------------------------------------
Subsequently, in 2021, OFAC provided additional guidance to the
digital assets industry grounded in the Framework by publishing the
``Sanctions Compliance Guidance for the Virtual Currency Industry''
(``Virtual Currency Industry Guidance'') and several Frequently Asked
Questions on Virtual Currency.\286\ One of OFAC's main objectives in
issuing the Virtual Currency Industry Guidance was to explain how
actors in the broader digital assets industry could mitigate sanctions
risk by adopting a risk-based approach to sanctions compliance. The
Virtual Currency Industry Guidance also highlighted specific risks
facing actors in the digital assets industry and identified best
practices to support industry stakeholders with sanctions compliance,
such as the use of geolocation and blockchain analytics tools for
screening and transaction monitoring.\287\ Many in the compliance
community noted that the document provided clear guidance on digital
asset providers' sanctions obligations and valuable best practices for
ensuring compliance in that space.
---------------------------------------------------------------------------
\286\ See OFAC, Sanctions Compliance Guidance for the Virtual
Currency Industry (Oct. 2021) [hereinafter Virtual Currency Industry
Guidance], available at https://ofac.treasury.gov/media/913571/download?inline; see also OFAC, Questions on Virtual Currency,
available at https://ofac.treasury.gov/faqs/topic/1626.
\287\ See Virtual Currency Industry Guidance, supra note 286, at
pp. 14, 16.
---------------------------------------------------------------------------
In addition to OFAC's existing guidance, OFAC's extensive
experience administering and enforcing U.S. sanctions has also
demonstrated that a risk-based approach is an effective way to mitigate
sanctions risk. Promoting compliance is a core objective in pursuing
enforcement actions. As outlined in the preamble to the Final Rule
establishing OFAC's Enforcement Guidelines,\288\ the purpose of OFAC's
enforcement actions are to raise awareness, increase compliance, and
deter ``conduct that undermines the goals of [U.S.] sanctions
programs.'' \289\ Accordingly, OFAC's enforcement settlement agreements
with parties usually insist on implementation of a sanctions compliance
program in line with the 2019 Compliance Framework. Consequently,
across both OFAC's history of guidance and enforcement, OFAC has
consistently observed that an effective sanctions compliance program
contains certain key elements.
---------------------------------------------------------------------------
\288\ OFAC, Economic Sanctions Enforcement Guidelines, 74 FR
57593 (Nov. 9, 2009).
\289\ Id. at 57594.
---------------------------------------------------------------------------
Based on that experience, OFAC is now proposing requiring PPSIs
adopt a sanctions compliance program including the five key elements in
line with the 2019 Compliance Framework:
[[Page 18615]]
(1) Senior Management and Organizational Commitment; (2) Risk
Assessment; (3) Internal Controls; (4) Testing and Auditing; and (5)
Training. OFAC assesses that a risk-based approach and a sanctions
compliance program grounded in the five enumerated elements best
implements the GENIUS Act's requirement that Treasury adopt rules
tailored to the size and complexity of PPSIs while ensuring that PPSIs
maintain an effective sanctions compliance program.\290\ Specifically,
by mandating the five elements as a minimum for an effective sanctions
compliance program, the proposed rule intentionally sets a necessary
floor for an effective sanctions compliance program while leaving space
for PPSIs to take additional or refined compliance measures that
account for the specific circumstances of individual PPSIs. Finally,
OFAC notes the proposed rule's focus on a risk-based approach and the
five enumerated elements of an effective sanctions compliance program
intends to provide flexibility to account for rapidly evolving payment
stablecoin technologies in the digital assets ecosystem. As PPSIs
utilize the GENIUS Act's framework to support innovation and the
responsible growth and use of payment stablecoins, OFAC anticipates the
development of new stablecoin-related products and services that may
differ from those provided or used by stablecoin issuers today. Such
products and services, in turn, may require new approaches to sanctions
compliance to mitigate sanctions risks and meet OFAC's regulatory
obligations.
---------------------------------------------------------------------------
\290\ 12 U.S.C. 5903(a)(5)(B).
---------------------------------------------------------------------------
In sections VII.B.1 through VII.B.5 below, OFAC provides further
details regarding the five elements that constitute the effective
sanctions compliance program requirements that OFAC proposes for PPSIs
pursuant to the GENIUS Act and consistent with statutory authorities
that OFAC administers as described above.
1. Proposed 31 CFR 502.201(b)(1)--Senior Management and Organizational
Commitment
Proposed Sec. 502.201(b)(1) would require a PPSI's senior
management to review and approve a PPSI's sanctions compliance program
and to support the sanctions compliance program's effective
implementation, including by ensuring the sanctions compliance program,
at a minimum: (i) applies to all payment stablecoin-related activity;
(ii) has sufficient resources, including necessary investments in human
capital, expertise, and information technology, to carry out the
requirement that PPSIs conduct risk assessments, maintain internal
controls, conduct testing and auditing, and maintain a risk-based
sanctions compliance training program, as described in the proposed
Sec. 502.201(b)(2) through (b)(5) (see sections VII.B.2 through
VII.B.5 below); (iii) is fully integrated into the PPSI's ongoing
stablecoin-related operations; (iv) routinely provides risk updates,
including test results, to senior management and other appropriate
personnel within the PPSI; and (v) provides sufficient authority and
autonomy to the compliance function to manage effectively U.S.
sanctions risk for the entire PPSI.
A PPSI's senior management includes individuals responsible for
monitoring performance across the organization, including its sanctions
compliance program. As applicable, senior management could include
supervisory, managerial, and executive employees, and can also include
its board of directors, owners, operators, and other leadership
personnel depending on the PPSI's governance structure. The particular
composition of a PPSI's senior management is a fact-specific matter
depending on each individual PPSI, and in this proposed rule, OFAC
proposes to provide PPSIs with flexibility in determining which members
of senior management ensure an effective sanctions compliance program.
Nevertheless, based on its experience administering and enforcing U.S.
sanctions, including providing guidance to industry, OFAC views senior
management engagement as essential to the effectiveness of any person's
sanctions compliance program.\291\ A PPSI's senior management's
combination of its vantage point across the entire organization's
activities and its decision-making authority uniquely positions it to
review a sanctions compliance program with a comprehensive
understanding of the PPSI's operations and credibly approve a program
as meeting that PPSI's particular circumstances. Additionally, the
requirement that senior management approve the sanctions compliance
program demonstrates senior management support and buy-in, which is
critical to building a culture of compliance by establishing ultimate
responsibility at the PPSI's senior levels.
---------------------------------------------------------------------------
\291\ See, e.g., OFAC, OFAC Settles with Murad, LLC for
$3,334,286 and with a Former Senior Executive of Murad, LLC for
$175,000 Related to Apparent Violations of the Iranian Transactions
and Sanctions Regulations (May 17, 2023), available at https://ofac.treasury.gov/media/931761/download?inline=.
---------------------------------------------------------------------------
Furthermore, the proposed Sec. 502.201(b)(1) would require senior
management to support the sanctions compliance program's effective
implementation by ensuring the program includes, at a minimum, certain
key components. First, senior management would be required to ensure
the sanctions compliance program applies to all payment stablecoin-
related activity. As outlined, a PPSI's senior management operates from
a distinct vantage point compared to other personnel, enabling broader
awareness and oversight across an entire organization that uniquely
positions them to monitor the creation and implementation of a
sanctions compliance program. That perspective supports making sure the
compliance program does not only apply to discrete parts of a PPSI's
operations. While, as outlined below in this section, an effective
sanctions compliance program requires a measure of delegation and
autonomy to the compliance function to deploy established compliance
policies and procedures, senior management's visibility across a PPSI's
operations during the creation of a sanctions compliance program is
vital to avoiding gaps that create heightened risks of sanctions
violations.
Second, senior management would be required to ensure the sanctions
compliance program has adequate resources. OFAC's experience has
demonstrated that adequate resourcing is particularly crucial for PPSIs
given the nature of the rapidly evolving technologies underpinning
payment stablecoins and attendant sanctions risks. OFAC does not
propose to prescribe specific resourcing levels or breakdowns in
resources for various elements of a compliance program. Senior
management should tailor those decisions to a PPSI's particular
circumstances. Nonetheless, ensuring adequate resources would entail
senior management knowledge of and engagement on how the PPSI allocates
resources for compliance functions across the organization and how that
allocation is commensurate with current levels of sanctions risk
exposure, including in the form of human capital, expertise,
information technology, such as the tools described in section VII.B.3
below, and other resources, as appropriate.
Third, senior management would be required to ensure the sanctions
compliance program is fully integrated into a PPSI's ongoing
stablecoin-related operations. The active incorporation of the
compliance program into ongoing
[[Page 18616]]
operations is critical to both timely and effective responses to
sanctions risk. In line with section VII.B.3 below, a senior management
commitment with respect to ongoing operations would entail ensuring a
sanctions compliance function has the necessary tools to identify and
respond to sanctions risks judiciously. Simultaneously, in addition to
resourcing necessary tools, this commitment could also be expressed by
ensuring written policies and procedures (see section VII.B.3) that
enable PPSI personnel to respond expeditiously when confronting
sanctions risk.
Fourth, senior management would be required to ensure senior
management, and other appropriate personnel, routinely receive risk
updates, including test results, from the sanctions compliance program.
OFAC's experience providing guidance to the regulated public and
enforcing U.S. sanctions has shown that absent a senior management
commitment to an entity's sanctions compliance program, staff
implementing the program will have less routine access to senior
management to provide risk updates, including test results. Such
routine updates are necessary to support senior management's continued
appreciation of the organization's sanctions obligations and timely
awareness of sanctions risks, as well as then facilitating informed
decisions. In the proposed rule OFAC does not prescribe a cadence for
these routine risk updates, as they should be tailored to the
particular circumstance of each PPSI.
Finally, while routine updates to senior management are essential,
under the proposed rule, senior management would also be required to
ensure that the sanctions compliance program has sufficient authority
and autonomy to function and conduct timely and effective operations.
The proposed rule would require that a PPSI's sanctions compliance
program be empowered to work independently to take appropriate actions
to address and mitigate sanctions risks for the entire organization,
which is critical to the integrity of the PPSI's compliance functions.
The sanctions compliance program must be able to act efficiently and
effectively within the organization to be able to respond to timely
sanctions-related developments. Accordingly, the proposed rule would
require, as a key element, that senior management ensure that the
sanctions compliance program is able to manage effectively U.S.
sanctions risks for the entire organization.
Critically, senior management's active support for the five
requirements proposed in Sec. 502.201(b)(1)(i) through (v) constitute
a minimum set of activities that OFAC would expect when considering
whether a PPSI's sanctions compliance program is effective. Additional
activities may be relevant to a PPSI's compliance program under a risk-
based approach. In accordance with the GENIUS Act's mandate to tailor
rules to the size and complexity of each PPSI's operations,\292\ the
proposed rule leaves discretion for PPSI's to adopt additional measures
in line with their circumstances.
---------------------------------------------------------------------------
\292\ See 12 U.S.C. 5903(a)(5)(B).
---------------------------------------------------------------------------
2. Proposed 31 CFR 502.201(b)(2)--Risk Assessments
Proposed Sec. 502.201(b)(2) would require a PPSI conduct
sanctions-related risk assessments by: (i) conducting holistic
assessments of U.S. sanctions risks at appropriate intervals; (ii)
using the risk assessments to inform the PPSI's operation of its
sanctions compliance program, including revising internal controls and
training as appropriate; and (iii) revising risk assessments as
appropriate to account for any identified U.S. sanctions violations or
deficiencies, new products, services, mergers, or acquisitions, and any
other factors that may affect a PPSI's risk profile.
In the sanctions context, risks are potential threats or
vulnerabilities that, if ignored or not properly handled, can lead to
violations of the regulations administered by OFAC. Holistic risk
assessments allow an organization to identify these threats or
vulnerabilities. OFAC has found, through its enforcement actions for
violations of sanctions and engagement with private industry, that
regular risk assessments are foundational for sanctions compliance
programs to be effective. In keeping with the GENIUS Act's requirement
to tailor rules to the size and complexity of each PPSI's
operations,\293\ OFAC does not propose a uniform frequency for
conducting risk assessments. Similarly, while risk assessments should
be holistic reviews--for instance, evaluating a PPSI's touchpoints with
external parties and jurisdictions, including customers, vendors, and
intermediaries, in order to identify direct and indirect sources of
sanctions risk--OFAC does not propose a uniform criteria for a holistic
review, again recognizing the GENIUS Act's tailoring requirement.\294\
---------------------------------------------------------------------------
\293\ Id.
\294\ Id.
---------------------------------------------------------------------------
Use of risk assessment results to develop and revise a sanctions
compliance program ensures a program is grounded in the most current
understanding of the various sources of sanctions risks. As OFAC has
determined through various enforcement actions, a sanctions compliance
program's internal controls (see section VII.B.3) and training (see
section VII.B.5) are only effective if an organization has an accurate
understanding of the sanctions risks it faces. Therefore, holistic and
appropriately frequent risk assessments are essential to the proper
implementation of the other elements of an effective sanctions
compliance program outlined in this section VII.B.
Additionally, to be effective, risk assessments themselves must be
revised to account for new information or changing circumstances that
impact a PPSI's risk profile. Identification of U.S. sanctions
violations or deficiencies in an existing compliance program naturally
suggest the presence of vulnerabilities necessitating revisions or
remediation. Similarly, with respect to new products, services,
mergers, or acquisitions, OFAC has on multiple occasions entered into
settlement agreements with entities in the digital assets industry for
apparent violations that arose from the development and release of a
product or service without having given sufficient consideration of
attendant sanctions risks or compliance implications.\295\ A holistic
assessment of the sanctions-related risks that such a new product or
service could create is necessary to understand what additional or
revised controls may be necessary.\296\ Without these steps pre-launch,
the new products or services themselves may immediately give rise to
sanctions compliance-related gaps, possibly seriously undermining the
effectiveness of a sanctions compliance program.
---------------------------------------------------------------------------
\295\ See, e.g., OFAC, Key Holding, LLC Settles with OFAC for
$608,825 Related to Apparent Violations of Cuban Assets Control
Regulations (July 2, 2025) [hereinafter Key Holding], available at
https://ofac.treasury.gov/media/934456/download?inline.
\296\ See Virtual Currency Industry Guidance, supra note 286, at
p. 11.
---------------------------------------------------------------------------
3. Proposed 31 CFR 502.201(b)(3)--Internal Controls
Proposed Sec. 502.201(b)(3) would require a PPSI \297\ to
establish and maintain a system of risk-based internal controls--
including technical capabilities and written policies and procedures--
applicable to all payment
[[Page 18617]]
stablecoin-related activity, whether on the primary or secondary
market, that identifies, blocks, and/or rejects transactions that may
violate or would violate U.S. sanctions and retains relevant records in
accordance with OFAC regulations. OFAC assesses that a dynamic internal
controls system that adapts to new regulatory and risk-related
developments is critical to fulfilling key obligations imposed under
the GENIUS Act.
---------------------------------------------------------------------------
\297\ The PPSI as an entity would be required to establish and
maintain the internal controls as part of the compliance program,
which senior management would be required to review and approve as
part of reviewing and approving the compliance program writ large.
See supra section VII.B.1 for discussion of the role of senior
management.
---------------------------------------------------------------------------
First, the technical components of a PPSI's internal control system
are paramount. In particular, the GENIUS Act requires that a PPSI must
be able to ``block, freeze, and reject specific or impermissible
transactions that violate Federal or State laws, rules, or
regulations,'' \298\ which includes transactions that violate or would
violate U.S. sanctions regulations. Although PPSIs are generally
neither the originator nor the beneficiary of transactions, other than
issuing or redeeming a payment stablecoin, the GENIUS Act makes clear
that a PPSI is nonetheless obligated to block and reject impermissible
transactions--including on the secondary market--involving a payment
stablecoin it has issued. The proposed rule's requirement that each
PPSI establish and maintain technical capabilities to block or reject
any payment stablecoin-related activity that violates or would violate
U.S. sanctions directly tracks the GENIUS Act's mandate that PPSIs
maintain such technical control over impermissible transactions that
violate Federal laws, including sanctions regulations.
---------------------------------------------------------------------------
\298\ 12 U.S.C. 5903(a)(5)(A)(iv).
---------------------------------------------------------------------------
In practical terms, PPSIs should implement risk-based sanctions
controls on transactions, including on the secondary market, to satisfy
this requirement. OFAC's Virtual Currency Industry Guidance provides
examples of best practices of internal controls, including with respect
to transaction monitoring and sanctions screening, for digital asset
participants, which will likely be relevant for PPSIs.\299\ For
example, at a minimum, such sanctions screening should include tools
sufficient to identify and block transactions associated with digital
currency addresses included on OFAC's SDN List.\300\ In addition, the
technical internal controls should enable the PPSI to clearly and
effectively identify, interdict, escalate, and report (as necessary and
appropriate) activity that may be prohibited by the regulations and
laws administered by OFAC. Furthermore, PPSIs should generate and
maintain records pertaining to activity that may be prohibited by OFAC
as part of their internal controls regime. OFAC has imposed penalties
on entities not solely because prohibited transactions occurred, but
because organizations failed to maintain complete records or submit
timely reports.\301\
---------------------------------------------------------------------------
\299\ See Virtual Currency Industry Guidance, supra note 286, at
pp. 13-17.
\300\ See id. at p. 15.
\301\ See, e.g., OFAC, OFAC Imposes $7,139,305 Penalty on
Gracetown, Inc. for Violating Ukraine-/Russia-Related Sanctions and
Reporting Obligations (Dec. 4, 2025), available at https://ofac.treasury.gov/media/934796/download?inline.
---------------------------------------------------------------------------
As described, proposed Sec. 502.201(b)(3) would also mandate that
the PPSI continually update the technical internal controls (including
risk-based sanctions screening), which ensures the internal controls
effectively address amended or updated U.S. sanctions authorities and
applicable U.S. sanctions risks. Given the dynamic nature of OFAC
sanctions, internal controls should be capable of adjusting rapidly to
new OFAC designations, prohibitions, requirements, and guidance, and of
effectively identifying risk exposure that may warrant heightened due
diligence.\302\ Relevant guidance may, as noted in the proposed rule,
include risks identified in advisories, alerts, or notices issued by
the Department of the Treasury or other relevant U.S. government
agencies. These reports often enumerate specific red flags and
typologies indicative of sanctions evasion trends. PPSIs should
consider using such information, along with other open source and
proprietary information, in order to conduct proactive diligence to
identify and mitigate potential sanctions risks. Information obtained
by a PPSI for purposes of complying with the BSA may also be relevant
in identifying and mitigating sanctions risks. By establishing and
maintaining technical internal control mechanisms, including the
ability to effectively identify sources of sanctions risk, PPSIs are
able to maintain the technical capacity necessary to comply with OFAC's
blocking and non-blocking sanctions programs.
---------------------------------------------------------------------------
\302\ See, e.g., OFAC, OFAC Settles with Toll Holdings Limited
for $6,131,855 Related to Apparent Violations of Multiple Sanctions
Programs (Apr. 25, 2022), available at https://ofac.treasury.gov/media/922441/download?inline=.
---------------------------------------------------------------------------
Second, the written policies and procedures requirement of proposed
Sec. 502.201(b)(3) prescribes that the risk-based internal controls
established by the PPSI are documented in writing and are clearly
communicated to all relevant personnel and stakeholders (e.g., clients,
business partners, counterparties). OFAC is proposing written policies
and procedures because they ensure that compliance measures (like
screening the SDN List) are applied consistently across an entire
organization, preventing fragmented, decentralized, or ad-hoc practices
that can lead to sanctions violations.\303\ OFAC has finalized numerous
civil monetary penalties or settlements since publishing the 2019
Compliance Framework in which an organization's decentralized
compliance function was one of the root causes of the sanctions
violations identified during the course of the investigation. Written
policies and procedures can clearly define the roles and
responsibilities of compliance staff, ensuring accountability and
proper oversight. Written policies also ensure that compliance
protocols are communicated to all relevant stakeholders, minimizing
inadvertent violations caused by misunderstanding or lack of training.
Proposed Sec. 502.201(b)(3) also stipulates that such internal control
documents must be routinely reviewed and revised such that there is
timely and appropriate action to remediate any identified compliance
gaps or deficiencies. The process of routinely reviewing and revising
written policies and procedures should incorporate frequent testing of
technical internal controls to ensure effectiveness and sufficiency. If
and when a PPSI identifies a weakness in its internal controls system,
the PPSI should take immediate and effective action, to the extent
possible, to identify and implement compensating controls until the
root cause of the weakness can be determined and remediated.
---------------------------------------------------------------------------
\303\ See, e.g., Key Holding, supra note 295.
---------------------------------------------------------------------------
Finally, OFAC notes that the exact form of internal controls is not
prescribed by this proposed rule. In keeping with the GENIUS Act's
requirement to tailor rules to the size and complexity of each PPSI's
operations,\304\ OFAC does not propose a uniform or ``one-size-fits-
all'' internal control system. Rather, the specific internal control
system should be risk-based and will depend, among other things, on the
PPSI's products, services, geographical scope of operations, direct
customers, end users or holders, and on the sanctions risks the PPSI
identifies during its risk assessment process or through any other
measures.
---------------------------------------------------------------------------
\304\ 12 U.S.C. 5903(a)(5)(B).
---------------------------------------------------------------------------
PPSIs may consider using a variety of tools to develop and
implement internal controls, including external resources. In the
financial industry, internal controls often include software for
sanctions screening, investigations, transaction monitoring, and other
[[Page 18618]]
purposes. For digital assets industry participants in particular, these
tools typically function as a linchpin of the organization's internal
controls. OFAC does not require PPSIs to use any specific tool or
software, and OFAC's engagement with the private sector has found that
the specific tools employed vary widely by industry. Digital assets
industry participants routinely report using blockchain analysis, open-
source intelligence, geolocation tools, and media monitoring tools,
among other solutions, whether developed internally or sourced from a
vendor. OFAC's Virtual Currency Industry Guidance provides other
examples of internal controls best practices that PPSIs may consider
adopting.\305\ Whether a PPSI uses these or other tools will depend on
specifics of each PPSIs operations.
---------------------------------------------------------------------------
\305\ See generally Virtual Currency Industry Guidance, supra
note 286.
---------------------------------------------------------------------------
Ultimately, the internal controls required by the proposed rule
will allow PPSIs to comply with the numerous other mandates in the
GENIUS Act.
4. Proposed 31 CFR 502.201(b)(4)--Testing and Auditing
Proposed Sec. 502.201(b)(4) would require that a PPSI establish
and maintain an independent testing or audit function, accountable to
senior management, with sufficient resources, expertise, and authority
to identify U.S. sanctions compliance-related weaknesses and
deficiencies. In addition, each PPSI would also have to ensure that
qualified personnel routinely perform comprehensive, independent, and
objective testing or auditing of the effectiveness of the sanctions
compliance program and its functions. And finally, the proposed rule
would require that such testing and auditing results are used to
identify and implement any needed updates or enhancements to the
sanctions compliance program, and that PPSIs maintain and provide to
OFAC upon request records of any such testing and auditing results and
enhancements.
An independent testing or audit function can be either external or
internal to a PPSI. If internal, controls must be in place to ensure
audits or testing are sufficiently independent. Criteria relevant to
establish ``independence'' may vary based on a range of factors,
including a PPSI's internal corporate structure, the internal auditor's
accountability to senior leadership and or the PPSI's board of
directors, as well as the training and expertise possessed by the
internal auditor. With the appropriate independence, expertise, and
resources, internal audits may be effective and may be a reasonable
part of a compliance program, depending on a PPSI's individualized risk
profile. However, OFAC's experience administering and enforcing U.S.
sanctions has also shown that internal audits can lack the
independence, expertise, and resources to conduct objective and
thorough evaluations of an entity's own compliance efforts, while
external audits often provide more effective and comprehensive
assessments.
Routine, comprehensive, independent, and objective testing or
auditing of a sanctions compliance program is essential to the
program's continued effectiveness.\306\ OFAC has observed cases of
apparent violations resulting from compliance, testing, or audit
software that was improperly configured, deactivated, or modified over
time, including following updates, changes, or the deployment of new
technology by the broader organization. Human error and lack of
attention to changes in testing and audit results can compound these
issues as can the speed and volume of payment stablecoin-related
activity that PPSIs and other digital assets industry participants may
face.
---------------------------------------------------------------------------
\306\ See, e.g., OFAC, OFAC Enters Into $1,385,901.40 Settlement
with Payoneer Inc. for Apparent Violations of Multiple Sanctions
Programs (Jul. 23, 2021), available at https://ofac.treasury.gov/media/911571/download?inline.
---------------------------------------------------------------------------
Again, in line with the GENIUS Act's requirement to tailor rules to
the size and complexity of each PPSI's operations,\307\ proposed Sec.
502.201(b)(4) does not specify the precise contours of what the testing
and audit function should include. However, based on the existing 2019
Compliance Framework, PPSIs should be prepared to implement a testing
and audit function that can identify weaknesses and deficiencies in
their sanctions compliance, including in products or services still
under development. In addition, based on the existing 2019 Compliance
Framework, a testing and auditing program should be tailored to address
the sanctions risks accompanying the PPSI's operations, and results
should be used to implement updates, remediate compliance gaps, and
make the PPSI aware of how its products and services are performing
against the sanctions compliance program's internal control benchmarks.
---------------------------------------------------------------------------
\307\ 12 U.S.C. 5903(a)(5)(B).
---------------------------------------------------------------------------
5. Proposed 31 CFR 502.201(b)(5)--Training
Proposed Sec. 502.201(b)(5) would require a PPSI establish and
maintain a risk-based compliance training program that is: (i)
performed at least annually and with a frequency appropriate to the
PPSI's risk assessments and risk profile; (ii) provided to all relevant
personnel and stakeholders; (iii) appropriately tailored to each
trainee's role and responsibilities; (iv) modified to reflect risk
assessments findings and identified deficiencies in the sanctions
compliance program, including testing and audit findings; and (v)
designed to include easily accessible resources and materials for all
relevant personnel and stakeholders. Based on OFAC's experience
investigating and enforcing sanctions violations and providing
compliance guidance to private industry, OFAC has found the
establishment and maintenance of a risk-based sanctions compliance
training program to be critical to ensuring that the benefits and
expertise cultivated by the PPSI's compliance efforts are shared across
an organization and not limited to compliance program personnel and
senior management.\308\
---------------------------------------------------------------------------
\308\ See, e.g., OFAC, OFAC Settles with 3M Company for
$9,618,477 Related to Apparent Violations of the Iranian
Transactions and Sanctions Regulations (Sept. 21, 2023), available
at https://ofac.treasury.gov/media/932161/download?inline.
---------------------------------------------------------------------------
In keeping with the GENIUS Act's requirement to tailor rules to the
size and complexity of each PPSI's operations,\309\ OFAC proposes PPSI
discretion in setting a training cadence that aligns with a PPSI's
particular circumstances, provided a PPSI meets the minimum of an
annual training. Based on industry practice, OFAC views annual training
as an appropriate minimum, recognizing that certain PPSIs may
determine, based on their assessment of risk, that more frequent
trainings may be necessary, either for all or certain personnel and
stakeholders, including after a knowing or material violation of the
GENIUS Act has occurred or an apparent violation of U.S. sanctions, to
understand root causes and avoid repeated issues.
---------------------------------------------------------------------------
\309\ 12 U.S.C. 5903(a)(5)(B).
---------------------------------------------------------------------------
OFAC proposes training be provided to all relevant personnel and
stakeholders \310\ to support the type of comprehensive risk
assessments and testing and auditing that an effective sanctions
compliance program requires. Broad awareness of an organization's
sanctions compliance obligations, policies, and available tools is
necessary to identify and surface information regarding potential
sanctions risks and to support timely action to address those risks.
Based on OFAC's
[[Page 18619]]
experience engaging with private sector entities of various sizes and
sanctions risk profiles, a ``one-size-fits-all'' training requirement
would both be less effective and run counter to the principle of
supporting private actors to make their own circumstance-based
prioritizations in furtherance of compliance. Furthermore, the
requirement that training-related resources and materials be made
easily available to all relevant personnel and stakeholders likewise
supports the essential flow of information and a well-trained
workforce. Employees or stakeholders with insufficient or inaccessible
training may overlook or fail to understand the significance of
relevant information at key junctures, causing sanctions violations to
go unnoticed, while properly trained employees will be equipped to spot
red flags and identify sanctions risk in real time.
---------------------------------------------------------------------------
\310\ Relevant stakeholders can include clients, suppliers,
business partners, and counterparties. 2019 Compliance Framework,
supra note 285, at p. 7.
---------------------------------------------------------------------------
Finally, the proposed requirement that organizations modify
training programs to reflect findings of risk assessments and
identified deficiencies in their sanctions compliance program is
essential to keeping trainings current and effective. Training programs
that do not incorporate new information and corrections to past
deficiencies are inherently less effective than training programs that
account for such developments.
C. Definitions
OFAC is proposing to define four terms in the definitions section
of the new 31 CFR part 502. OFAC proposes to define two terms--
``knowingly'' and ``OFAC''--at Sec. 502.301 and Sec. 502.302,
respectively, consistent with other OFAC regulations. OFAC proposes to
define ``payment stablecoin-related activity'' at Sec. 502.303 to
capture the range of activities involving a PPSI's payment stablecoin
from the time of issuance until the payment stablecoin's removal from
circulation, including activity on the secondary market, and to future-
proof the regulations. Finally, OFAC proposes to define the term
``permitted payment stablecoin issuer'' at Sec. 502.304 consistent
with the definition of that term contained in the GENIUS Act, with
slight modifications to reconcile differences between how the GENIUS
Act defines the term ``person'' and how that term is defined in OFAC's
regulations, as well as to synthesize definitions contained within the
GENIUS Act for ease of understanding by the regulated public.
With the exception of the term ``OFAC,'' which simply refers to the
``Office of Foreign Assets Control,'' OFAC below provides additional
explanations of the terms described above.
1. Proposed 31 CFR 502.301--Knowingly
Consistent with the GENIUS Act, OFAC's proposed rule provides for
civil monetary penalties, including penalties for each day during which
a PPSI knowingly violates the GENIUS Act's requirement that PPSI's
maintain an effective sanctions program.\311\ However, the GENIUS Act
does not define the term ``knowingly.'' Under the proposed rule, OFAC
defines ``knowingly'' with respect to conduct, a circumstance, or a
result, as meaning that a person has actual knowledge, or should have
known, of the conduct, the circumstance, or the result. OFAC is
proposing this definition because it is consistent with how OFAC
defines that term across multiple sanctions programs and will be
familiar to the sanctions compliance community.\312\
---------------------------------------------------------------------------
\311\ 12 U.S.C. 5905(b)(5)(B).
\312\ See, e.g., 31 CFR 561.314, 566.312, 589.322, 594.321.
---------------------------------------------------------------------------
2. Proposed 31 CFR 502.303--Payment Stablecoin-Related Activity
OFAC proposes to define ``payment stablecoin-related activity'' to
include issuing, trading, holding, transacting, transferring,
redeeming, or any other activity involving a payment stablecoin issued
by a PPSI from the time of issuance until the payment stablecoin's
removal from circulation, whether on the primary or secondary market,
including through redemption or by any other means. OFAC intends to
interpret the term ``payment stablecoin'' consistent with how that term
is defined in the GENIUS Act.\313\ As discussed in section V.B above,
there are a variety of scenarios under which PPSIs may be required to
block or reject transactions under U.S. sanctions, whether on the
primary or secondary market. For example, a PPSI is prohibited from
issuing payment stablecoins to a blocked person and from allowing
blocked persons to engage with its smart contracts to facilitate trades
of its payment stablecoins. Accordingly, OFAC's proposed definition
ensures that a PPSI's sanctions compliance obligations apply to all
activity involving its payment stablecoins, whether on the primary or
secondary market. OFAC's proposed definition is also appropriately
scoped to ensure that the proposed rule captures future technological
developments, whether in the issuance of payment stablecoins or in the
trading thereof.
---------------------------------------------------------------------------
\313\ See 12 U.S.C. 5901(22).
---------------------------------------------------------------------------
3. Proposed 31 CFR 502.304--Permitted Payment Stablecoin Issuer; PPSI
OFAC proposes to define the term ``permitted payment stablecoin
issuer'' or ``PPSI'' consistent with the definition provided in the
GENIUS Act.\314\ To ensure the definition of ``permitted payment
stablecoin issuer'' accurately applies only to ``persons'' as defined
in the GENIUS Act, rather than ``person'' as defined differently in
other regulations administrated by OFAC, OFAC is replacing the word
``person'' with ``individual, partnership, company, corporation,
association, trust, estate, cooperative organization, or other business
entity, incorporated or unincorporated,'' which is how ``person'' is
defined in the GENIUS Act.\315\
---------------------------------------------------------------------------
\314\ See 12 U.S.C. 5901(23).
\315\ See 12 U.S.C. 5901(24).
---------------------------------------------------------------------------
D. Proposed 31 CFR 502.401 and 502.402--Penalties
Proposed Sec. 502.401(a) would impose civil monetary penalties of
not more than $100,000 per day for PPSIs that materially violate the
requirement to maintain an effective sanctions compliance program.
Proposed Sec. 502.401(b) would provide for an additional $100,000
penalty for each day during which a PPSI knowingly participates in a
violation of the same. If a PPSI does not pay the penalty imposed
pursuant to Sec. 502.401, proposed Sec. 502.402 authorizes OFAC to
refer the matter for administrative collection measures by the
Department of the Treasury or to the Department of Justice for
appropriate action to recover the penalty in a civil suit in a federal
district court.
The proposed penalties are consistent with those prescribed in the
GENIUS Act, which provides for a civil penalty of not more than
$100,000 for each day during which a PPSI materially violates any
regulation issued under the GENIUS Act and an additional penalty of not
more than $100,000 per day during which a PPSI knowingly violates any
regulation issued under the GENIUS Act.\316\ Additionally, the
penalties are consistent with those permitted under IEEPA, which allows
for the imposition of civil penalties of the greater of $377,700 or
twice the amount of the underlying transaction for each violation,\317\
as well as the Trading with
[[Page 18620]]
the Enemy Act (TWEA), the sanctions authority that underpins OFAC's
Cuba sanctions program, which allows OFAC to impose penalties of up to
$111,308 for each violation.\318\
---------------------------------------------------------------------------
\316\ See 12 U.S.C. 5905(b)(5)(B)-(C).
\317\ See 50 U.S.C. 1705(b), as adjusted pursuant to the Federal
Civil Penalties Inflation Adjustment Act of 1990 (28 U.S.C. 2461
note).
\318\ See 50 U.S.C. 4315(b)(1), as adjusted pursuant to the
Federal Civil Penalties Inflation Adjustment Act of 1990 (28 U.S.C.
2461 note).
---------------------------------------------------------------------------
VIII. Final Rule Effective Dates
FinCEN and OFAC are proposing that their respective rules will
become effective 12 months after issuance of final rules to allow
sufficient time for PPSIs to review and implement the requirements of
the proposed rule. We seek comment on the proposed effective date.
IX. AML/CFT Request for Comment
FinCEN seeks comments on all aspects of the proposed rule and
specifically seeks comments on the following topics. For all responses,
commenters are encouraged to provide the basis for any conclusions
drawn in their comments. FinCEN is also requesting commenters consider
whether any obligation can be better tailored to the size and
complexity of an issuer and how such tailoring would impact burden and
risk of illicit finance.
A. Questions on PPSI Relationships to Other Types of Financial
Institutions
1. Where PPSIs are subsidiaries of insured depository institutions,
do any of FinCEN's proposals for PPSIs present legal challenges or
substantial operational challenges such that implementation would be
practically impossible? How can FinCEN's regulatory infrastructure
promote an efficient and effective BSA regime where a PPSI and its
parent may be subject to similar or overlapping obligations?
2. Where PPSIs are also uninsured national banks, do any of
FinCEN's proposals present legal challenges or substantial operational
challenges such that implementation would be practically impossible?
How can FinCEN's regulatory infrastructure promote an efficient and
effective BSA regime where a PPSI may be subject to similar or
overlapping obligations as both a PPSI and an uninsured national bank?
Should FinCEN carve out PPSIs from rules that apply to banks for some
or all obligations?
3. What would be the benefits and drawbacks of FinCEN extending the
logic of its 2012 administrative ruling \319\ to PPSIs that are a
subsidiary of an insured depository institution subject to a parallel
regulation?
---------------------------------------------------------------------------
\319\ FinCEN, FIN-2012-R005, Compliance Obligations of Certain
Loan or Finance Company Subsidiaries of Federally Regulated Banks
and Other Financial Institutions (Aug. 13, 2012), available at
https://www.fincen.gov/system/files/administrative_ruling/FIN-2012-R005.pdf.
---------------------------------------------------------------------------
4. Should FinCEN carve PPSIs out of the MSB definition? Are there
circumstances in which an entity could reasonably be uncertain whether
it should be treated as a PPSI or as an MSB under the proposed
definitions? If so, please describe.
B. Questions on Proposed Definitions
5. Are FinCEN's proposed definitions sufficiently clear? Should the
definitions be expanded or narrowed in any respect? Should FinCEN
define additional terms or amend additional existing terms?
6. Are there products or arrangements that may fall near the
boundary of the proposed definition of payment stablecoin, and if so,
how should FinCEN address such cases?
7. Is FinCEN's proposed definition of ``lawful order'' sufficiently
clear? Should FinCEN further define any terms within ``lawful order''?
Should FinCEN, for example, specify that ``accounts'' for purposes of
lawful orders include any number or identifier used to identify a
holder of a payment stablecoin, including a wallet address?
C. Questions on Proposed AML/CFT Program
8. In what respects should a PPSI's AML/CFT program account for
risks on the secondary market?
9. The proposed rule sets forth the conditions for an effective
AML/CFT program. Is the description of an effective program
sufficiently clear or is there anything further that FinCEN should
consider adding in the final rule to clarify program effectiveness?
10. The proposed rule reflects a determination by FinCEN that PPSIs
are best placed to identify risks and allocate resources, and that
providing them with greater discretion in these areas will improve the
quality of AML/CFT compliance and reporting to law enforcement. Is this
correct or should FinCEN consider adding more requirements regarding
allocation of resources? How might PPSIs assess changes in the total
allocation of resources devoted to an AML/CFT program in a changing
risk and cost environment?
11. Should the proposed rule's distinction between ``establishing''
and ``maintaining'' a program be modified? Is the distinction between
``establishing'' and ``maintaining'' a compliance program useful for
PPSIs? Should FinCEN add anything to further define these terms in the
final rule?
12. What, if any, difficulties do PPSIs anticipate when
incorporating the AML/CFT Priorities as part of their risk assessment
processes?
13. Should risk assessment processes be required to take into
account additional or different criteria or risks than those listed in
the proposed rule? If so, what additional factors should FinCEN
consider requiring?
14. What risk factors should PPSIs consider when conducting risk
assessments under the proposed rule, including customer, product,
transaction, geographic, and technological risks?
15. Is additional explanation needed concerning when a PPSI would
be required to update its risk assessment? In particular, how might
FinCEN clarify how risk assessment processes would be updated
``promptly''? Would an alternative approach, such as periodic updates
or a set schedule for updates, be preferable? Would an alternative
standard, such as ``materially changes,'' be clearer than
``significantly changes''?
16. To what extent do the proposed AML/CFT program requirements
provide sufficient flexibility for PPSIs to design programs that are
appropriately risk-based and tailored to their size, complexity, and
business models?
17. To what extent should PPSIs consider information about
secondary market transactions as part of their customer due diligence
processes?
18. Should FinCEN further clarify which specific elements of an
institution's AML/CFT program must be written? Should FinCEN instead
eliminate the requirement that an AML/CFT program be expressly required
to be ``written'' because, among other reasons, financial institutions
may be subject to other applicable recordkeeping and documentation
requirements? What would be the benefits or drawbacks of not
prescribing a mandatory written requirement in the regulation?
19. The proposed rule would require that a PPSI's written AML/CFT
program be approved by its board of directors, an equivalent governing
body, or appropriate senior management. Should FinCEN further clarify
which aspects of the AML/CFT program must be subject to such approval?
In particular: (a) should approval be required for each of the core
program components, or would approval of the overall program framework
be sufficient; (b) should material revisions to particular components
(such as significant changes to the institution's risk assessment
methodology, monitoring architecture, or governance structure) require
re-
[[Page 18621]]
approval at the same level; and (c) what level of specificity should
the approving body be required to review and approve (e.g., high-level
program architecture versus detailed procedures or parameter-level
settings)? Should FinCEN instead eliminate the specified approval
requirement, allowing PPSIs flexibility in determining how leadership
oversight of the AML/CFT program is structured? What would be the
benefits or drawbacks of not prescribing a mandatory approval
requirement in the regulation? If FinCEN does not eliminate the
specified approval requirement, should FinCEN consider amending the
requirement? Are there alternatives to board of directors, an
equivalent governing body, or appropriate senior management that would
be more appropriate?
20. Should FinCEN impose the supervision and enforcement framework
outlined in this proposal for PPSIs?
21. If the supervision and enforcement framework is implemented for
PPSIs should FinCEN further refine or clarify any of the concepts or
definitions outlined in this proposal, including ``significant or
systemic failure,'' ``failure to establish an AML/CFT program,'' ``any
written communication,'' and ``significant AML/CFT supervisory
action''?
22. Should a revocation of a permitted payment stablecoin issuer's
application to a primary Federal payment stablecoin regulator be
accounted for in the supervision and enforcement framework?
23. Do any aspects of the GENIUS Act framework with regards to
supervision, examination, and enforcement need to be better accounted
for if the framework was implemented for PPSIs, including a
consultation framework when a primary Federal payment stablecoin
regulator intends to take an AML/CFT enforcement action or significant
AML/CFT supervisory action?
24. Should the proposed consultation process include an asset
threshold--i.e., consultation is required for any significant AML/CFT
supervisory actions involving PPSIs with $10 billion or more in assets?
In addition, or as an alternative, should the proposed rule provide the
option for PPSIs to request their primary Federal payment stablecoin
regulator consult with FinCEN prior to initiating a significant AML/CFT
supervisory action?
25. Notwithstanding the benefits of the proposed consultation
described above, the proposal may result in additional review during an
examination. How can FinCEN and the primary Federal payment stablecoin
regulator streamline the consultation process and prevent logistical
burdens for PPSIs or delays in exam report issuance?
26. FinCEN welcomes comment on how the Director of FinCEN may
consider the performance of innovative activities that produce
demonstrable outputs under the proposed supervision and enforcement
framework.
D. Questions on Proposed Additional Technical Capabilities
27. Should FinCEN refine or clarify the obligation related to
having the technical capabilities to block, freeze, and reject
impermissible transactions?
28. Are there aspects of the proposed requirement that could
unintentionally constrain PPSIs' choice of technical or operational
approaches? If so, please explain.
29. Is FinCEN's proposed language specifying PPSIs must have the
technical capabilities to block, freeze, and reject impermissible
transactions occurring on the secondary market appropriately scoped and
sufficiently clear? Does it capture activity it should not? Does it
leave out activity it should include?
30. What technical, operational, or architectural challenges, if
any, might PPSIs face in implementing block, freeze, and reject
capabilities? How can FinCEN account for such challenges in light of
the GENIUS Act's clear directive that PPSIs must have such technical
abilities?
31. Should FinCEN refine or clarify the obligation related to
having the technical capabilities to comply and actual compliance with
the terms of lawful orders?
32. Is FinCEN's proposed language specifying PPSIs must have the
technical capabilities to comply with the terms of lawful orders
regarding the secondary market appropriately scoped and sufficiently
clear? Does it capture activity it should not? Does it leave out
activity it should include?
E. Questions on Currency Transaction Reporting
33. Should FinCEN impose on PPSIs currency transaction reporting
obligations? What would be the risks in not doing so?
34. What, if any, additional exemptions should FinCEN promulgate
for PPSIs relating to currency transaction reporting obligations?
F. Questions on Proposed Suspicious Activity Reporting
35. Is FinCEN's proposal clear regarding SAR obligations relating
to secondary market activity. If not, why not and how can it be
improved?
36. Are there particular types of payment stablecoin transactions
or activities for which additional clarification regarding SAR
reporting obligations would be beneficial?
37. Should the proposed regulatory text be modified to clarify
joint SAR-filing and SAR sharing when a PPSI is a subsidiary of a
parent depository institution? Are other clarifications or
modifications needed with regards to SAR sharing?
38. Is clarification needed on how the proposed SAR reporting
requirements interact with PPSIs' obligations related to blocking,
freezing, and rejecting transactions, recordkeeping, or responding to
lawful orders?
39. Should FinCEN reconsider its decision not to impose any SAR
obligation with respect to secondary market activity? In what
circumstances would secondary market reporting be most beneficial and
how burdensome would such a reporting obligation be? For example,
should PPSIs be required to report secondary market suspicious activity
but only at a higher standard than in primary market transactions, such
as requiring reporting only when a PPSI ``knows'' a transaction meets
specified criteria?
G. Questions on Proposed Recordkeeping Requirements
40. To what extent is it clear how payment stablecoins should be
treated for purposes of FinCEN's recordkeeping requirements, including
whether payment stablecoins should be considered ``money,'' ``funds,''
``currency,'' or another category under the proposed rule?
41. Would Recordkeeping and Travel Rule obligations for PPSIs and
other financial institutions be clearer if FinCEN codified a PPSI-
specific Recordkeeping and Travel Rule in part 1033?
42. The Recordkeeping and Travel Rule proposal implements the
GENIUS Act's directive relative to ``high-value transaction.'' How else
could this provision of the GENIUS Act be implemented?
H. Questions on Proposed Special Information-Sharing Procedures
43. Are there aspects of the information sharing framework that
would benefit from clarification or modification when applied to PPSIs,
including definitions in 31 CFR 1010.505?
44. To what extent would PPSIs participate in voluntary information
sharing with other financial institutions under section 314(b)?
[[Page 18622]]
45. Are there legal, operational, or technical considerations that
could affect PPSIs' ability or willingness to engage in voluntary
information sharing related to payment stablecoin transactions?
I. Questions on Proposed Special Standard of Diligence
46. Are there aspects of the special standard of diligence
framework that would benefit from clarification or modification when
applied to PPSIs?
47. To what extent is it clear how the special standards of
diligence applicable to correspondent and private banking accounts
apply to PPSIs and to activities involving payment stablecoins?
48. Are there types of relationships, accounts, or arrangements
involving PPSIs that may raise questions about whether they should be
treated as correspondent accounts, private banking accounts, or
neither?
49. What challenges, if any, would PPSIs face in identifying,
collecting, or verifying information required to comply with the
special standards of diligence, including information related to
ownership, control, or source of funds?
J. Question on Proposed Effective Date
50. FinCEN is proposing an effective date of 12 months from the
date of issuance of the final rule to allow sufficient time for PPSIs
to review and implement its requirements. FinCEN solicits comment on
the proposed effective date.
K. Question on AML/CFT Requirements for Foreign Payment Stablecoin
Issuers
51. Through this rulemaking FinCEN is only proposing application of
AML/CFT requirements to PPSIs. Are there particular requirements that
FinCEN has proposed to apply to PPSIs that should or should not apply
to foreign payment stablecoin issuers? Please describe why and any
benefits and drawbacks.
X. Sanctions Request for Comment
OFAC seeks comments on the following topics. For all responses,
commenters are encouraged to provide the basis for any conclusions
drawn in their comments.
1. Are the proposed effective sanctions compliance program
regulations clear regarding the minimum elements PPSIs must include in
their programs? If not, which aspects would benefit from additional
clarification?
2. Is the proposed definition of ``Payment stablecoin-related
activity'' sufficiently clear and comprehensive to capture the full
lifecycle of a payment stablecoin?
3. What best practices would PPSIs consider in developing and
implementing policies, procedures, and internal controls designed to
ensure ongoing compliance with the proposed effective sanctions
compliance program requirements?
4. What technical, operational, or architectural controls might
PPSIs consider in implementing block, freeze, and reject capabilities
to comply with U.S. sanctions, including blocking stablecoins of
blocked persons traded on the secondary market or rejecting
transactions on the secondary market that involve sanctioned
jurisdictions, such as Iran?
5. To what extent does the proposed rule appropriately afford PPSIs
flexibility to determine how to implement the technical capability to
block, freeze, and reject transactions, consistent with their business
models, technologies, and risk profiles?
6. What risk factors should PPSIs consider when conducting risk
assessments under the proposed rule, including customer, product,
transaction, geographic, and technological risks?
7. OFAC is proposing an effective date of 12 months from the date
of issuance of the final rule to allow sufficient time to review and
implement the effective sanctions compliance program requirements. OFAC
solicits comment on the proposed effective date.
XI. Executive Order 14294 Fighting Overcriminalization in Federal
Regulations
A. Overview
Executive Order 14294 Fighting Overcriminalization in Federal
Regulations requires that agencies promulgating regulations potentially
subject to criminal enforcement explicitly describe the conduct subject
to criminal enforcement, the authorizing statutes, and the mens rea
standard applicable to those offenses.\320\ Section 5 of E.O. 14294
directs that all future notices of proposed rulemaking and final rules
published in the Federal Register, the violation of which may
constitute criminal regulatory offenses, should include a statement
identifying that the rule or proposed rule is a criminal regulatory
offense and the authorizing statute.\321\ E.O. 14294 directs agencies
to draft this statement in consultation with the Department of
Justice.\322\
---------------------------------------------------------------------------
\320\ E.O. 14292, Fighting Overcriminalization in Federal
Regulations, 90 FR 20363, 20364 (May 14, 2025).
\321\ Id.
\322\ Id.
---------------------------------------------------------------------------
E.O. 14294 further directs that the regulatory text of all NPRMs
and final rules with criminal consequences published in the Federal
Register after May 9, 2025 should explicitly state a mens rea
requirement for each element of a criminal regulatory offense,
accompanied by citations to the relevant provisions of the authorizing
statute.
B. Criminal Enforcement for Chapter X Obligations
Willful violations of the regulations proposed to be added to
Chapter X, if finalized, may be subject to criminal penalties pursuant
to 31 U.S.C. 5322 and regulations promulgated 31 CFR chapter X. The
statutory authority for criminal liability requires a mens rea of
willfulness as an element under 31 U.S.C. 5322(a) and 31 U.S.C.
5322(b). FinCEN's existing regulation, 31 CFR 1010.840, that sets out
criminal penalties for violations of regulations promulgated in 31 CFR
chapter X also includes a mens rea of willfulness. In drafting this
statement, FinCEN has consulted with the Department of Justice.
C. Criminal Enforcement for Chapter V Obligations
Willful violations of the regulations proposed to be added to
Chapter V, if finalized, may be subject to criminal penalties pursuant
to 50 U.S.C. 1705, 50 U.S.C. 4315, 19 U.S.C. 3907, 21 U.S.C. 1906, and
regulations promulgated thereunder. The statutory authority for
criminal liability under 50 U.S.C. 1705(c), 50 U.S.C. 4315(a), 19
U.S.C. 3907(a)(2), and 21 U.S.C. 1906(a) requires a mens rea of
willfulness as an element. OFAC's existing regulations that set out
criminal penalties for violations of regulations issued pursuant to
these statutes also include a mens rea of willfulness. In drafting this
statement, OFAC has consulted with the Department of Justice.
XII. Regulatory Impact Analysis
FinCEN and OFAC have analyzed the proposed rule as required under
E.O. 12866,\323\ E.O. 13563,\324\ E.O. 14192,\325\
[[Page 18623]]
the Regulatory Flexibility Act (RFA),\326\ the Unfunded Mandates Reform
Act of 1995 (UMRA),\327\ and the Paperwork Reduction Act (PRA).\328\
---------------------------------------------------------------------------
\323\ E.O. 12866, Regulatory Planning and Review, 58 FR 51735
(Oct. 4, 1993).
\324\ E.O. 13563, Improving Regulation and Regulatory Review, 76
FR 3821 (Jan. 21, 2011).
\325\ See E.O. 14192, Unleashing Prosperity Through
Deregulation, 90 FR 9065 (Feb. 6, 2025); Office of Management and
Budget (OMB), M-25-20, Guidance Implementing Section 3 of Executive
Order 14192, Titled ``Unleashing Prosperity Through Deregulation''
(Mar. 26, 2025), available at https://www.whitehouse.gov/wp-content/uploads/2025/02/M-25-20-Guidance-Implementing-Section-3-of-Executive-Order-14192-Titled-Unleashing-Prosperity-Through-Deregulation.pdf.
\326\ 5 U.S.C. 601 et seq.
\327\ 2 U.S.C. 1532.
\328\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------
This proposed rule has been determined to be a ``significant
regulatory action'' under section 3(f) of E.O. 12866. FinCEN and OFAC
have included an Initial Regulatory Flexibility Analysis (IRFA)
pursuant to the RFA as the proposed rule may have a significant
economic impact on a substantial number of certain types of affected
small entities.\329\ Pursuant to analysis required by UMRA, FinCEN and
OFAC conclude it is unlikely that the proposed rule, if implemented,
would result in a novel annual expenditure of more than $193 million by
State, local, and Tribal governments or by the private sector.\330\
---------------------------------------------------------------------------
\329\ This economic expectation is sensitive to key assumptions
about how potentially affected financial institutions would respond
to the proposed requirements. FinCEN and OFAC request comment on
whether it would instead be more reasonable to certify that the
proposed rule would not have a significant economic impact on a
substantial number of small entities.
\330\ The UMRA requires an assessment of any Federal mandates
that may result in annual expenditures of $100 million or more,
adjusted for inflation, before issuing a general notice of proposed
rulemaking. 2 U.S.C. 1532(a). FinCEN and OFAC have not anticipated
material changes in expenditures for State, local, and Tribal
governments, insofar as they would not participate in the primary
activities of monitoring or enforcing compliance of the newly
proposed requirements in a way that differs from current
involvement, thereby incurring novel incremental costs. But because
the proposed rule would affect entities in the private sector that
are covered financial institutions, FinCEN and OFAC have considered
expenditures these private entities may incur, pursuant to UMRA, as
part of the regulatory impact in its assessment below.
---------------------------------------------------------------------------
As described above,\331\ the proposed rule would require certain
issuers of ``payment stablecoins,'' referred to herein as PPSIs, to
``be treated as a financial institution for purposes of the Bank
Secrecy Act, and as such, shall be subject to all Federal laws
applicable to financial institutions located in the United States
relating to economic sanctions, prevention of money laundering,
customer identification, and due diligence.'' \332\ Specifically, this
NPRM, among other things, would implement the GENIUS Act's directive
for PPSIs to: (i) maintain an effective AML program, which includes
appropriate risk assessments and designation of an officer to supervise
the program; (ii) retain appropriate records; (iii) monitor and report
any suspicious transaction relevant to a possible violation of law or
regulation; and (iv) maintain the technical capabilities, policies, and
procedures to block, freeze, and reject specific or impermissible
transactions that violate Federal or State law, rules, or
regulations.\333\ It also requires PPSIs to maintain an effective
sanctions compliance program.\334\ The proposal would also implement a
GENIUS Act requirement that PPSIs have the technological capability to
comply and will comply with the terms of any lawful order in order to
issue payment stablecoins.\335\
---------------------------------------------------------------------------
\331\ See supra section VI.A.1.
\332\ 12 U.S.C. 5903(a)(5)(A).
\333\ 12 U.S.C. 5903(a)(5)(A)(i)-(iv).
\334\ 12 U.S.C. 5903(a)(5)(A)(vi).
\335\ 12 U.S.C. 5903(a)(6)(B).
---------------------------------------------------------------------------
In so doing, FinCEN and OFAC contemplate a number of benefits for
PPSIs, law enforcement and national security agencies, and the general
public that would flow from (1) ensuring that a PPSI's AML/CFT program
is substantively consistent with the requirements of other financial
institution types, and where appropriate, that PPSI are subject to
additional provisions to further mitigate ML/TF risks unique to PPSIs;
and (2) codifying longstanding economic sanction compliance
expectations and establishing a minimum threshold for compliance
standards.
This regulatory impact analysis (RIA) begins by describing the
broad economic analysis undertaken to inform the expectations of the
proposed rule's economic impact and burden.\336\ This is followed by
pieces of additional and, in some cases, more specifically tailored
analysis as required by E.O.s 12866, 13563 and 14192,\337\ the
RFA,\338\ the UMRA,\339\ and the PRA.\340\ Requests for comments on the
RIA--regarding specific findings, assumptions, or expectations, or with
respect to the analysis in its entirety--can be found in the final
subsection.\341\ These requests for comments have been previewed
throughout the RIA.
---------------------------------------------------------------------------
\336\ See infra section XII.A.
\337\ See infra section XII.B.
\338\ See infra section XII.C.
\339\ See infra section XII.D.
\340\ See infra section XII.E.
\341\ See infra section XII.F.
---------------------------------------------------------------------------
A. Assessment of Impact
Consistent with best practices in regulatory economic analysis, the
assessment of impact begins with an overview of broad economic
considerations identifying, among other things, the need for the policy
intervention.\342\ Next, FinCEN and OFAC (1) describe the current
regulatory requirements and background practices against which the
proposed rule would introduce changes and (2) establish baseline
estimates of the number of covered financial institutions and other
entities that could be affected by the proposed rule.\343\ The analysis
then briefly reviews elements of the proposed rule that most directly
inform how foreseeable economic impacts would flow from how covered
financial institutions and their respective regulators would need to
newly undertake activities to comply with the proposed regulation in
which they would otherwise be unlikely to engage in the ordinary course
of business.\344\ Next, the RIA presents the anticipated benefits and
estimated costs to the respective affected parties that would be
associated with compliance.\345\ Finally, the assessment concludes with
a brief discussion of alternative policies FinCEN and OFAC considered
and could have proposed, including an evaluation of the relative
economic merits of each against the expected value of the rule as
proposed.\346\
---------------------------------------------------------------------------
\342\ See infra section XII.A.1.
\343\ See infra section XII.A.2.
\344\ See infra section XII.A.3.
\345\ See infra section XII.A.4.
\346\ See infra section XII.A.5.
---------------------------------------------------------------------------
1. Broad Economic Considerations
In performing its assessment of impact, FinCEN and OFAC took into
consideration certain fundamental economic problems that the proposed
rule is expected to address as well as the general social and economic
costs that may ensue from PPSIs with ineffective BSA compliance or
inadequate economic sanctions compliance programs. Because this NPRM is
being issued pursuant to statutory obligations,\347\ the necessity for
FinCEN and OFAC to independently identify and articulate fundamental
economic problems that the proposed rule is intended to address, as the
basis for regulatory action,\348\ is attenuated because, at best, this
activity would complement the problem identification already performed
by Congress.\349\
[[Page 18624]]
Nevertheless, FinCEN and OFAC have remained mindful of these animating
considerations as well as the general social and economic costs that
may ensue from an ineffective BSA and sanctions compliance regime.
---------------------------------------------------------------------------
\347\ See generally supra section II.
\348\ See E.O. 12866, section 1(b)(1) (``Each agency shall
identify the problem that it intends to address (including, where
applicable, the failures of private markets or public institutions
that warrant new agency action) as well as assess the significance
of that problem.'').
\349\ With respect to AML/CFT programs in particular, Congress
instructed FinCEN to consider the potential economic inefficiencies
engendered by the presence of market externalities when promulgating
implementing regulations. See 31 U.S.C. 5318(h)(2)(B)(i) (stating
financial institutions are spending private compliance funds for a
public and private benefit, including protecting U.S. financial
system from illicit finance risks); see also 31 U.S.C.
5318(h)(2)(B)(iii) (stating that AML/CFT programs safeguard national
security and generate significant public benefits by prevent illicit
flows of funds and assisting law enforcement and national security
agencies with information).
---------------------------------------------------------------------------
FinCEN and OFAC expect that the proposed rulemaking would
meaningfully alleviate certain underlying economic problems that could
otherwise impair the effective administration of the BSA and U.S.
sanctions laws, as well as potentially distort affected markets. These
include potential problems that flow from the incidence of both
positive and negative externalities in connection with BSA and
sanctions compliance activities, certain information asymmetries, and
the potential for regulatory arbitrage in the absence of uniform
minimum standards for PPSIs' BSA and sanctions compliance
obligations.\350\
---------------------------------------------------------------------------
\350\ See, e.g., FinCEN, Anti-Money Laundering and Countering
the Financing of Terrorism Programs, 89 FR 55428, 55451 (July 3,
2024).
---------------------------------------------------------------------------
The expected benefits of the proposed rule, as discussed below, are
therefore linked by the extent to which the proposed requirements would
address these fundamental economic problems.\351\
---------------------------------------------------------------------------
\351\ See infra section XII.A.4.i.
---------------------------------------------------------------------------
2. Institutional Baseline and Affected Parties
In proposing this rule, FinCEN and OFAC considered the incremental
impacts of the proposed requirements relative to the current state of
the affected markets and their participants.\352\ This baseline
analysis of the parties that would be affected by the proposed rule,
their current obligations and related activities, and currently accrued
costs and/or benefits satisfies analytical best practices by describing
the alternative of not pursuing the proposed, or any other, novel
regulatory action.\353\ In each case, for new proposed requirements,
FinCEN and OFAC have attempted to identify the incremental expected
economic effects of each component of the proposal as precisely as
practicable against this baseline. Nevertheless, in certain cases,
FinCEN and OFAC can only make qualitative assessments.
---------------------------------------------------------------------------
\352\ In this context, FinCEN and OFAC employ the term
``market'' in its broadest economic sense, referring to any set of
exchanges, transactions, or actions that involve counterparties with
unique objectives. The baseline here set forth also forms the
counterfactual against which the quantifiable effects of the rule
are measured; therefore, substantive errors in or omissions of
relevant data, facts, or other information may affect the
conclusions formed regarding the general and economically
significant impacts of the rule. FinCEN and OFAC invite comment on
the accuracy of the baseline population estimates as well as any
supporting studies, data, or anecdotes.
\353\ See E.O. 12866, section 1(a) (``In deciding whether and
how to regulate, agencies should assess all costs and benefits of
available regulatory alternatives, including the alternative of not
regulating'').
---------------------------------------------------------------------------
As a first step in the process of isolating these anticipated
marginal effects, FinCEN and OFAC assessed the regulatory and market
landscape facing current stablecoin issuers, and potential future
PPSIs, that would be affected by the proposed rule, including an
estimate of the expected near-term number of potential PPSIs, their
existing regulatory requirements, and the burden they either would or
currently face in connection with the compliance activities the
proposed rule would require. FinCEN and OFAC also briefly discuss other
categories of persons and entities (i.e., regulators, compliance
examiners, law enforcement and national security agencies, and certain
members of the general public) that are expected to be directly
affected by the proposed rule.
FinCEN acknowledges that the discussion below does not include an
assessment of the baseline level of general compliance with existing
BSA requirements and must therefore caveat that the incremental effects
estimated in subsequent sections are based on the presumption of full
compliance with the current rules.\354\ FinCEN does not attempt to
estimate a baseline population of currently non-compliant entities that
could be differently affected by the rule because it is unclear that
the proposed rule would alter the compliance choices already made by
those financial institutions. FinCEN invites comment on whether this
assumption, or the baseline it implies, is appropriate for the purposes
of this analysis.
---------------------------------------------------------------------------
\354\ See infra section XII.A.4; see also infra sections XII.C.
and XII.E.
---------------------------------------------------------------------------
Relatedly, prior to the passage of the GENIUS Act, there was no
explicit legal requirement for U.S. person stablecoin issuers to
establish and maintain a sanctions compliance program. However, as U.S.
persons, U.S. stablecoin issuers are, and from inception have always
been, required to comply with U.S. sanctions laws administered by OFAC.
OFAC acknowledges that the discussion below does not include an
assessment of the baseline level of general compliance by U.S. persons
with sanctions law as currently administered by OFAC and must therefore
caveat that the incremental effects estimated in subsequent sections
are similarly based on the presumption of full compliance as status
quo. OFAC invites comments on whether this assumption, or the baseline
it establishes, is the most appropriate and informative for the
purposes of this RIA.
i. Regulatory Baseline
FinCEN and OFAC took various components of the current regulatory
landscape into consideration when assessing the increments by which the
proposed rule would impose changes on the status quo.\355\
Specifically, FinCEN and OFAC considered (1) existing AML/CFT
requirements, (2) existing sanctions compliance requirements (3) state
regulations, and (4) required activities proposed here that would also
be necessary to satisfy requirements in other proposed related rules
that would implement the GENIUS Act but are not part of this NPRM.\356\
The extent to which each of these components of the regulatory baseline
is germane to the novel incremental burden of a given future PPSI is
expected to depend on the unique facts and circumstances of the PPSI
under consideration.\357\
---------------------------------------------------------------------------
\355\ Analyzing the anticipated effects of a rule requires first
establishing what the proposed changes will be measured against, and
establishing such a counterfactual often requires making numerous
assumptions. The extent to which the proposed rule would impose
incremental economic effects relies on a number of assumptions about
the strategic decisions current and future stablecoin issuers would
make, responsive to various factors, that include but are not
limited to: (1) the decision to remain/become a stablecoin issuer;
(2) the decision to pursue registration as a PPSI, and if so; (3)
the decision about which type of PPSI status to seek. These
assumptions, in turn, inform the selection of the most informative
counterfactual(s), including the appropriate regulatory baseline.
\356\ See supra note 11.
\357\ For example, if one assumes a current stablecoin issuer
decides to both remain an issuer and pursue registration as a PPSI,
the most relevant regulatory baseline comparison might be relative
to the current AML/CFT requirements for MSBs that are money
transmitters. Alternatively, if a decision is made to newly become a
stablecoin issuer, and to do so as a bank subsidiary, then the
current BSA requirements of the parent bank might be a more
appropriate regulatory baseline to assess the incremental burden of
that PPSI.
---------------------------------------------------------------------------
a. Existing AML/CFT Requirements
Through this rulemaking FinCEN proposes, as required by the GENIUS
Act, imposing certain novel obligations or obligations that differ in
some material respects from stablecoin issuers' current obligations. In
many respects, however, FinCEN expects issuers' obligations under this
proposal, if finalized, would be comparable to existing ones. If an
existing stablecoin
[[Page 18625]]
issuer's current regulatory obligations already include AML/CFT
requirements, FinCEN expects this to primarily flow from the
applicability of the BSA to that stablecoin issuer as an MSB that is a
money transmitter. The exposition on this in section V.A is adopted
here by reference as part of the RIA regulatory baseline.
Alternatively, a future PPSI might exist as the subsidiary of an
insured depository institution or as an uninsured national bank. In
this case, because such institutions are also currently subject to a
range of BSA obligations, including AML/CFT program obligations, it is
reasonable to consider the regulatory requirements of the parent
institution a more relevant baseline. In addition to the AML/CFT
requirements for MSBs discussed above, banks and credit unions are
subject to a number of additional FinCEN requirements, including: (1)
CIP requirements,\358\ (2) beneficial ownership information (BOI)
requirements for legal entity customers,\359\ (3) required reporting on
transactions of exempt persons,\360\ (4) additional recordkeeping
requirements,\361\ (5) due diligence programs for correspondent
accounts for foreign financial institutions and private banking
accounts,\362\ (6) requirements related to the prohibition on
correspondent accounts for foreign shell banks and records concerning
owners of foreign banks and agents for service of legal process,\363\
and (7) reporting obligations on foreign bank relationships with
Iranian-linked financial institutions designated under IEEPA and IRGC-
linked persons designated under IEEPA.\364\ Because the FinCEN
requirements for banks already encompass a broader set of elements, and
these elements are largely the same as the requirements being proposed
to apply to PPSIs, the incremental change to the regulatory baseline of
FinCEN requirements for future PPSIs that would be subsidiaries of
insured depository institutions or uninsured national banks is expected
to be smaller than for PPSIs that would transition into the status from
previously being MSBs.\365\
---------------------------------------------------------------------------
\358\ 31 CFR 1020.220; see generally Supporting Statement for
OMB Control No. 1506-0026: FinCEN, Customer Identification Program
Regulatory Requirements for Banks (Aug. 29, 2024), available at
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202408-1506-003.
\359\ 31 CFR 1020.210(a)(2)(v) and (b)(2)(v), 1010.230(b)(c);
see generally Supporting Statement OMB Control No. 1506-0070:
FinCEN, Beneficial Ownership Requirements for Legal Entity Customers
(Apr. 30, 2024), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202404-1506-004.
\360\ 31 CFR 1020.315; see generally Supporting Statement OMB
Control No. 1506-0012: FinCEN, Transactions of Exempt Persons
Regulations, and FinCEN Form 110, Designation of Exempt Persons
Report (Oct. 28, 2024), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202410-1506-001.
\361\ 31 CFR 1020.410; see generally Supporting Statement OMB
Control No. 1506-0059: FinCEN, Additional Records to be Made and
Retained by Banks (Oct. 29, 2024), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202410-1506-006.
\362\ 31 CFR 1020.610, 1020.620, 1010.610, 1010.620; see
generally Supporting Statement OMB Control No. 1506-0046: FinCEN,
Due Diligence Programs for Correspondent Accounts for Foreign
Financial Institutions and for Private Banking Accounts (Aug. 27,
2024), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202408-1506-001.
\363\ 31 CFR 1020.630, 1010.630; see generally Supporting
Statement OMB Control No. 1506-0043: FinCEN, Prohibition on
Correspondent Accounts for Foreign Shell Banks; Records Concerning
Owners of Foreign Banks and Agents for Service of Legal Process
(July 31, 2025), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202501-1506-001.
\364\ 31 CFR 1060.300; see generally Supporting Statement OMB
Control No. 1506-0066: FinCEN, Reporting Obligations on Foreign Bank
Relationships with Iranian-Linked Financial Institutions Designated
under IEEPA and IRGC-Linked Persons Designated under IEEPA (July 8,
2025), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202507-1506-001.
\365\ If, under an effective GENIUS framework, the issuer of an
existing stablecoin product applies and is granted registration as a
PPSI, then its obligations under the BSA as an MSB would be
superseded by its new obligations as a PPSI.
---------------------------------------------------------------------------
b. Existing Sanctions Compliance Requirements
Prior to the passage of the GENIUS Act, there was no explicit
regulatory requirement for U.S. persons to establish and maintain a
sanctions compliance program. However, all U.S. persons, including
U.S.-based stablecoin issuers, are required to comply with U.S.
sanctions pursuant to regulations administered by OFAC. Therefore,
stablecoin issuers that would be subject to the proposed rule as PPSIs
would be independently required to comply with existing sanctions
obligations as U.S. persons,\366\ which as a practical matter typically
involves the development and implementation of a risk-based sanctions
compliance program in order to comply with such existing sanctions
obligations.\367\ Thus, OFAC expects PPSIs' obligations under this
proposed rule, if finalized, would be comparable to existing
obligations stemming from their status as U.S. persons subject to U.S.
sanctions laws. Furthermore, with respect to non-U.S. person stablecoin
issuers that would become U.S. persons to qualify as a PPSI, OFAC's
experience administering U.S. sanctions has demonstrated that
sophisticated multi-jurisdictional financial actors often maintain
sanctions compliance programs aligned with U.S. sanctions requirements
regardless of their status as U.S. persons.\368\ The exposition on this
in section V.B is adopted here by reference as part of the RIA
regulatory baseline.
---------------------------------------------------------------------------
\366\ In 12 U.S.C. 5901(23), the GENIUS Act defines PPSIs as
persons incorporated in the United States. As such, in order to
issue stablecoins, an issuer would need to register as a U.S. person
and would therefore become subject to U.S. sanctions laws and all
resulting obligations.
\367\ OFAC's Enforcement Guidelines, 31 CFR part 501, Appendix
A, include the existence, nature, and adequacy of a subject person
as a factor in determining what administrative action to take in
response to an apparent violation of U.S. sanctions.
\368\ This understanding aligns with OFAC's guidance in the 2019
Compliance Framework, which notes that ``OFAC strongly encourages
organizations subject to U.S. jurisdiction, as well as foreign
entities that conduct business in or with the United States, U.S.
persons, or using U.S.-origin goods or services, to employ a risk-
based approach to sanctions compliance by developing, implementing,
and routinely updating a sanctions compliance program (SCP).'' 2019
Compliance Framework, supra note 285, at p. 1.
\369\ 23 NYCRR Part 200; NYDFS, Guidance on the Issuance of U.S.
Dollar-Backed Stablecoins (June 8, 2022), available at https://www.dfs.ny.gov/industry_guidance/industry_letters/il20220608_issuance_stablecoins.
\370\ 23 NYCRR 200.4; see also NYDFS, Guidance on the Issuance
of U.S. Dollar-Backed Stablecoins (June 8, 2022), available at
https://www.dfs.ny.gov/industry_guidance/industry_letters/il20220608_issuance_stablecoins.
\371\ 23 NYCRR 200.10; see also NYDFS, Guidance on the Issuance
of U.S. Dollar-Backed Stablecoins (June 8, 2022).
\372\ NYDFS, Guidance on the Issuance of U.S. Dollar-Backed
Stablecoins (June 8, 2022).
---------------------------------------------------------------------------
c. State Regulations
Stablecoin issuers may also be subject to state regulations, which
can vary in (1) general level of detail and complexity, which as a
baseline matter would introduce variation in the incremental compliance
burden of the proposed rule's program requirements; and (2) nexus with
AML/CFT and sanctions compliance program requirements, from state to
state. For example, the New York State Department of Financial Services
(NYDFS) has detailed virtual currency regulations and guidance
specifically for stablecoins.\369\ When a stablecoin issuer applies for
a license or a charter, NYDFS reviews the issuers' business plan,
product offerings, and business model and may consider whether the
issuers is registered with FinCEN as an MSB as well as take into
consideration the issuer's AML program and sanctions compliance.\370\
After licensure, a stablecoin issuer must obtain NYDFS's written
approval before issuing a stablecoin.\371\ NYDFS looks at a range of
potential risks before authorizing a stablecoin issuer to issue a
stablecoin, including AML and sanctions
[[Page 18626]]
compliance.\372\ In other states, stablecoin issuers do not have
separate virtual currency regulations and are instead regulated as
money transmitters.\373\
---------------------------------------------------------------------------
\373\ See, e.g., Texas Dep't of Banking, GENIUS Act--Non
Depository (last accessed Apr. 6, 2026) (noting that Texas
``currently licenses and regulates issuers of fiat-currency backed
stablecoin as money transmitters), available at https://www.dob.texas.gov/money-services-business/genius-act-non-depository.
---------------------------------------------------------------------------
FinCEN and OFAC took these factors into consideration when
assessing the quantifiable incremental economic costs of the proposed
rule. In particular, FinCEN and OFAC were sensitive to the additional
challenges state regulatory requirements would present to successfully
disaggregating economic effects of the proposed rule from those
attributable to business activities otherwise undertaken with respect
to state-level regulatory requirements.
d. Other GENIUS Act Requirements for PPSIs
As part of their analysis, FinCEN and OFAC contemplated additional
prospective baseline requirements--once certain other, but related,
rules proposed pursuant to the GENIUS Act are adopted as final rules--
that would become part of a prospective future PPSI's regulatory
baseline. Under the GENIUS Act, a PPSI is required to certify to its
primary Federal payment stablecoin regulator or State payment
stablecoin regulator that it has implemented an AML program and
economic sanctions compliance program consistent with the requirements
of the GENIUS Act within 180 days of approval of its initial
application and annually thereafter.\374\ Additionally, each PPSI that
(1) is not a State qualified payment stablecoin issuer, (2) has a total
outstanding issuance of less than $10 billion, and (3) is supervised by
a primary Federal payment stablecoin regulator, is required, upon
request, to submit to its regulator a report on that FQPSI's compliance
with the requirements of the BSA and sanctions implemented by
OFAC.\375\ FinCEN and OFAC took these requirements into consideration,
noting that because the statutory registration requirements, which are
distinct from the ones covered in this proposed rulemaking, necessitate
the collection and production of certain information and records that
would flow from compliance with the requirements in this proposed rule,
it may not be practicable to artificially segregate the incremental
components of the same recordkeeping burden to fully avoid double-
counting the costs of PPSI efforts across all PRA analyses covering the
same activity.\376\
---------------------------------------------------------------------------
\374\ 12 U.S.C. 5904(i)(1).
\375\ 12 U.S.C. 5905(a)(2)(D).
\376\ See supra note11; see also infra section XII.E.
---------------------------------------------------------------------------
ii. Baseline of Affected Parties
FinCEN and OFAC expect the following populations to be directly
affected by the proposed rule: (1) certain financial institutions,
namely PPSIs and PPSI-affiliated insured depository institutions or
uninsured national banks; (2) regulators and other compliance
examiners; and (3) law enforcement and national security agencies.
FinCEN and OFAC also took into consideration that certain other
persons, including PPSI business counterparties, clients/customers of
PPSIs, and other members of the general public may be indirectly
affected by the proposed rule. However, for purposes of the remaining
analysis, it was determined that of these various groups of other
affected parties, it would be reasonable to limit further consideration
of the anticipated economic impact on specific subpopulations of the
general public, aside from to the general public as a whole,\377\ to
direct customers of PPSIs \378\ and to further limit consideration of
the impact on such customers as narrowly attributable to the proposed
AML/CFT and sanctions compliance requirements.\379\ To the extent that
economic impact on additional key, directly affected subpopulations of
the general public should be considered, FinCEN and OFAC invite
comment, data, studies, or reports that would enhance its ability to
identify and quantify such effects.
---------------------------------------------------------------------------
\377\ See infra section XII.A.2.ii.d.1.
\378\ See infra section XII.A.2.ii.d.2.
\379\ OFAC does not anticipate the proposed sanction compliance
program requirements would have an incremental direct economic
effect on a future PPSI's primary market customers because OFAC's
proposed rule applies only to the PPSIs themselves. Further, as
noted previously, future PPSIs would already be U.S. persons and
therefore subject to U.S. sanctions laws irrespective of any
regulations issued under the Act. As a result, they would have
already been prohibited from engaging in prohibited transactions
with or involving prospective primary market customers, and OFAC's
proposed additional requirement that the PPSI would need to maintain
an effective sanctions compliance program should not impose any
additional burden or economic impact on that PPSI's direct
customers. To the extent a non-U.S. person stablecoin issuer would
become U.S. persons to qualify as a PPSI, as discussed above in
section XII.A.2.i.b, OFAC's experience administering U.S. sanctions
has demonstrated that sophisticated multi-jurisdictional financial
actors, of the type that would seek to qualify as a PPSI, often
maintain sanctions compliance programs aligned with U.S. sanctions
requirements regardless of their status as U.S. persons.
Furthermore, where a future PPSI's direct customers are U.S.
persons, those direct customers would already also be subject to
existing U.S. sanctions requirements themselves. OFAC invites
comment on whether the reasoning that its proposed rule would not
have an economic impact on direct customers of PPSIs is reasonable.
---------------------------------------------------------------------------
a. Affected Financial Institutions
FinCEN and OFAC expect the proposed rule to directly affect the
financial institutions it would regulate. This includes all future
PPSIs. For specifically those PPSIs that would be subsidiaries of
insured depository institutions, FinCEN and OFAC considered that the
proposed rule may also economically affect the parent insured
depository institutions.
1. PPSIs
Because the proposed rule would specifically apply AML/CFT and
economic sanctions compliance program requirements on PPSIs, they are
expected to be the proposed rule's primary affected parties. To form an
estimate of the number of future PPSIs the proposed rule would cover,
FinCEN and OFAC attempted to account for both existing stablecoin
issuers, who may become PPSIs, as well as prospective future PPSIs
that, but for the GENIUS Act framework, would be unlikely to enter the
market.
To estimate the expected population of future PPSIs, FinCEN and
OFAC began by conducting a comprehensive review of current products
that were each individually identified by either the product issuer or
another market participant as a ``stablecoin.'' This scoping of the
initial review was intended to be sufficiently broad so as to encompass
all current products that could potentially meet the definitional
criteria set forth in the GENIUS Act for a future ``payment
stablecoin.'' \380\ The next step was to cull from this initial pool of
stablecoin issuers, offering approximately 350 products, the proper
subpopulation of potential future PPSIs that, following the GENIUS Act
taking effect, would be able to pursue registration as a PPSI without
first needing to make substantive changes to their current product
attributes.\381\
[[Page 18627]]
FinCEN and OFAC applied certain filters on product characteristics to
eliminate identified stablecoins that did not comport with the
definitional attributes of a payment stablecoin as defined by the
GENIUS Act and used this to sort the stablecoins' issuers.
---------------------------------------------------------------------------
\380\ See 12 U.S.C. 5901(22); see also supra section
VI.C.1.viii.
\381\ See 12 U.S.C. 5903(a)(11), PPSIs are not permitted to pay
the holder of any payment stablecoin any form of interest or yield
solely in connection with the holding, use, or retention of payment
stablecoins. See also 12 U.S.C. 5903(a)(1)(A). PPSIs are required to
maintain identifiable reserves backing its payment stablecoin, on at
least a one-to-one basis, with reserves composed of certain
specific, high-quality and liquid assets, including United States
coins and currency; demand deposits; and Treasury bills, notes, or
bonds. Accordingly, the GENIUS Act does not allow payment
stablecoins to be backed by, for example, other kinds of digital
assets, nor does the GENIUS Act allow payment stablecoins to be
algorithmic backed.
---------------------------------------------------------------------------
To be a payment stablecoin, under the GENIUS Act, a digital asset
must be used or designed for payment or settlement, its issuer must be
obligated to redeem or convert it for a fixed amount of monetary value
and not another digital asset, and its issuer must represent that it
will maintain a stable value relative to a fixed amount of monetary
value.\382\ A PPSI must maintain identifiable reserves backing the
payment stablecoin with specific, high quality, liquid assets, which
include U.S. coins and currency, demand deposits, and Treasury bills,
notes, and bonds.\383\ Consequently, issuers who did not offer products
pegged to the U.S. dollar were treated as unlikely to pursue PPSI
registration in the future. In addition, stablecoin products with no
central issuer were also considered unlikely to be associated with an
entity that would seek PPSI status.
---------------------------------------------------------------------------
\382\ 12 U.S.C. 5901(22).
\383\ 12 U.S.C. 5903(a)(1).
---------------------------------------------------------------------------
Table 1 provides a summary of how this review of identified current
stablecoins effectively narrowed the total population to those that
might, in the future, be eligible to be considered payment stablecoins.
Of the approximately 350 products examined, only 43 meet the above
criteria--i.e., were tri-partly fiat-backed, USD hard-pegged
centralized coins. Of these 43, five were precluded from potential
future payment stablecoin eligibility by their reserve holdings, nine
by their yield, and one by both of these features.
Table 1--Estimated Potential Payment Stablecoin Population by Criteria
----------------------------------------------------------------------------------------------------------------
Product Number of stablecoin
Stablecoin classification population Filtering criteria products excluded
----------------------------------------------------------------------------------------------------------------
Full population......................... 352 None...................... 0.
Able to meet payment stablecoin criteria 43 Fiat-backed, USD-pegged, 309 (from total).
without significant restructure. centralized issuance,
hard-peg \a\.
Technically compliant with payment 38 GENIUS Act defined reserve 5 (from technically
stablecoin reserves criteria. holdings \b\. eligible).
Technically compliant with payment 34 Non-yield bearing \c\..... 9 (from technically
stablecoin yield requirements. eligible).
Potential payment stablecoins........... 30 All....................... 322 (from total) 13 (from
technically eligible).
----------------------------------------------------------------------------------------------------------------
\a\ As defined in section 2(22)(A) of the GENIUS Act, a payment stablecoin must be a digital asset that is, or
designed to be, used as a means of payment or settlement, and, and as defined in section 2(22)(A)(ii)(II) of
the GENIUS Act, a payment stablecoin must be redeemable for a fixed amount, and the issuer represents that it
will maintain a stable value relative to the value of a fixed amount of monetary value. FinCEN and OFAC view
product pegging to the U.S. dollar as opposed to another currency as a practical requirement to hold only USD-
denominated reserve assets.
\b\ As required by section 4(a)(1)(A) of the GENIUS Act, the issuer of a payment stablecoin must only hold asset
types as provided by the Act as reserves.
\c\ As required by section 4(a)(11) of the GENIUS Act, a payment stablecoin must not offer yield.
Using this method, FinCEN and OFAC identified 30 products issued by
25 unique entities that matched the specified criteria. As such, there
are at least 25 existing issuers of stablecoins that, if the
regulations implementing the GENIUS Act were presently effective, would
appear to be eligible to apply to be PPSIs. Understanding that some of
these entities might still choose not to seek PPSI status,\384\ and
allowing that other current stablecoin issuers could, in the interim,
still modify the digital assets that they issue in order to be eligible
to seek PPSI status once the GENIUS Act becomes effective, FinCEN and
OFAC anticipate that the number of current entities that could be
potential future PPSIs subject to the proposed rule may be between 20
and 40.\385\ FinCEN and OFAC nonetheless acknowledge that a wide range
of factors that could potentially influence the choice of eligible
institutions to apply for PPSI status in the future, including market
demand, strategic operational decisions, and future developments in the
digital asset landscape.\386\ In general, where current stablecoin
issuers see PPSI standards as representing costs that would outweigh
the benefits of achieving the PPSI designation, they may voluntarily
choose another regulatory option despite being technically eligible to
register.\387\
---------------------------------------------------------------------------
\384\ The degree to which the current stablecoin market would
migrate to PPSI status under the proposal remains uncertain. The
issuers of several large products have made varying statements about
their interest in seeking PPSI status.
\385\ FinCEN and OFAC invite comments on the methodology and
assumptions used to derive this estimate.
\386\ FinCEN and OFAC invite comment on the driving factors that
would incentivize an issuer to apply for PPSI status.
\387\ FinCEN and OFAC expect that issuers of payment stablecoin
products may have several incentives to apply for status as a PPSI
instead of existing under another designation. First, because PPSIs
would be required by law to maintain certain standards (for example,
holding certain assets in their reserve portfolio), the designation
may be attractive to more risk-averse investors or payment
stablecoin customers. In addition, because potential PPSIs would be
required to apply for that status and be approved by the appropriate
regulatory agency to be entitled to the designation, the designation
may serve as a stronger signal of regulatory compliance in contrast
to a self-adopted designation. Other issuers may have alternative
incentives to avoid the PPSI designation, despite being technically
able to comply with its requirements.
---------------------------------------------------------------------------
FinCEN and OFAC's analysis also considered the need for this impact
assessment to, in some fashion, account for potential future PPSIs that
have not yet entered the stablecoin market. In the aforementioned
review of 350 current stablecoin products, 63 products were identified
as issued by an entity that appeared facially eligible for potential
future status as either a PPSI or a foreign payment stablecoin issuer
(FPSI).\388\ Of those issued since 2018, approximately 45 percent (28
stablecoins) were issued within the last two calendar years (2024 and
2025), with year-over-year growth
[[Page 18628]]
in 2025 slightly lower than the year prior. Because the stablecoin
market is still relatively nascent and has historically faced varying
levels of regulatory uncertainty, basing expectations of stable or
sustainable future growth rates on past trends would be exceedingly
speculative and generally inadvisable. On the one hand, the number of
stablecoin market entrants may increase in light of the enhanced
certainty and clarity afforded by the GENIUS Act framework. On the
other hand, it is also possible that a number of current stablecoin
issuers may exit the U.S. market, either because they are legally not
able to remain if not PPSIs, or because the market may naturally
consolidate as it matures.\389\
---------------------------------------------------------------------------
\388\ In addition to activities permitted for PPSIs, the GENIUS
Act allows for the offering and selling in the United States of
payment stablecoins issued by FPSIs subject to certain requirements.
See 12 U.S.C. 5902(b)(2).
\389\ To the extent that the evolution of the stablecoin market
is comparable to other technology sector models. See e.g., Steven
Klepper, ``Entry, Exit, Growth, and Innovation over the Product Life
Cycle,'' The American Economic Review, vol. 86, no. 3 (June 1996),
at pp. 562-83, available at https://www.jstor.org/stable/pdf/2118212.pdf.
---------------------------------------------------------------------------
To estimate the near-term expected inflow of future PPSIs, FinCEN
and OFAC looked to the companionate GENIUS Act-related analyses of
expected future PPSI registration requirements performed by OCC, FDIC,
and NCUA as additional sources of information.\390\ FinCEN and OFAC
expect that a substantial proportion of future PPSIs newly entering the
U.S. stablecoin market would be affiliated with an insured depository
institution or uninsured national bank and that, additionally, some
potential future PPSIs that currently do not have any such affiliation,
may newly become affiliated with an insured depository institution or
uninsured national bank. Insured depository institutions in particular
are well-suited to launch payment stablecoin products due to their
position within financial markets, customer base, and existing
technology and compliance infrastructure.
---------------------------------------------------------------------------
\390\ See supra note 11.
---------------------------------------------------------------------------
The OCC, FDIC, and NCUA have each conducted independent research
with a view to estimating the number of potential PPSIs that would
register as PPSIs in the near-term future.\391\ Summing across these
respective exercises yields a projection of up to 42 new PPSIs that
would initially register as entities affiliated with insured depository
institutions. Taking each of those independent analyses, their
respective methodologies, and expected levels of precision into
consideration, FinCEN and OFAC anticipate that the proposed rule could
be expected to apply to an average of approximately 50 PPSIs in each of
the first three years of the GENIUS Act being effective.\392\
---------------------------------------------------------------------------
\391\ See id.
\392\ Because no currently operating stablecoin issuers have
been identified that can, with more certainty than not, be expected
to become a SQPSI within the PPSI regulatory framework (as defined
in proposed 31 CFR 1010.100(ttt)(3) and 31 CFR 1010.100(xxx)), the
population used in this analysis does not include an estimate for
these types of potential future PPSIs.
---------------------------------------------------------------------------
FinCEN and OFAC project that of the 50 anticipated PPSIs,
approximately 60 percent would be subsidiaries of insured depository
institutions and 40 percent would be other PPSIs.\393\ Because this
projection represents best efforts given limited information, the
public is strongly encouraged to provide additional comments, data, and
other information that could enhance the accuracy and precision of
these estimates.
---------------------------------------------------------------------------
\393\ See supra sections VI.C.1.xi and xiii (discussing
potential definitions for FQPSIs and SQPSIs at 31 CFR 1010.100(vvv)
and (xxx), respectively); see also 12 U.S.C. 5901(11), (31).
---------------------------------------------------------------------------
2. Insured Depository Institutions With PPSI Subsidiaries
FinCEN and OFAC expect that certain financial institutions other
than future PPSIs themselves would be impacted by the rule. In
particular, insured depository institutions that would have a PPSI as a
subsidiary may incur additional costs integrating their PPSI
subsidiaries into their broader AML/CFT programs and sanctions
compliance framework.\394\ Because this RIA projects that there may be
up to 30 such PPSIs on average in the each of the first three effective
years of the GENIUS Act, the corresponding number of expected affected
insured depository institutions would also be up to 30. It is
anticipated that insured depository institutions would arrange for
their subsidiary PPSI's compliance policies, procedures, and activities
to nest within the preexisting overall programmatic compliance
structure of the parent organization. As such, parent organizations may
be economically affected by the need to revise, expand, or otherwise
tailor their existing practices. It is possible that similarities
between the existing requirements for banks and this proposal would
reduce, though not eliminate, these costs.
---------------------------------------------------------------------------
\394\ See supra section VI.A.2.i.
---------------------------------------------------------------------------
b. Regulators and Other Compliance Examiners
Examiners that would be required to assess future PPSIs' compliance
with AML/CFT and sanctions compliance program requirements are expected
to be directly affected by the proposed rule.\395\ With respect to the
proposed AML/CFT requirements, as discussed above in section VI.C.2,
the GENIUS Act distinguishes between the categories ``primary Federal
payment stablecoin regulator'' and ``State payment stablecoin
regulator,'' and this NPRM includes proposals to (1) amend Sec.
1010.810(b) to delegate examination authority to the primary Federal
payment stablecoin regulators and (2) apply the existing delegation to
the IRS at Sec. 1010.810(b)(8) for PPSIs regulated by State payment
stablecoin regulators.\396\ As a function of the proposed amendments,
this proposed rule is expected to directly affect FinCEN as well as
other Federal financial regulatory agencies and their compliance
examiners, who number approximately 7,500 from the Board, FDIC, NCUA,
and OCC,\397\ plus several hundred additional examiners from the
IRS.\398\
---------------------------------------------------------------------------
\395\ Certain state regulators may be affected in a way that is
comparable to the effects on Federal regulators. However, given that
the GENIUS Act sets out a federal regulatory framework with certain
tasks for Federal regulators, it is difficult at this time to do
more than speculate about what actions states may take, and
therefore FinCEN and OFAC did not attempt to estimate the effect of
this rule on state regulatory agencies. However, FinCEN and OFAC are
interested in receiving comments offering assessments on this
subject.
\396\ FinCEN is not proposing to amend Sec. 1010.810(b)(8) to
effectuate this because the existing delegation covers it. See supra
section VI.C.2.i.
\397\ This figure is based on the estimated number of compliance
examiners at the Board, FDIC, NCUA, and OCC.
\398\ These figures represent an approximate number of Federal
examiners provided by Federal functional regulators with AML/CFT
supervisory responsibilities.
---------------------------------------------------------------------------
With respect to the proposed sanctions compliance program
obligations, presented in section VII, this NPRM would require that
PPSIs maintain certain records related to their sanctions compliance
program, which can be made available to OFAC upon request.\399\ As
such, the proposed rule may affect OFAC's enforcement personnel, who
would investigate and enforce potential violations of the effective
sanctions compliance program requirement. Additionally, similar to
FinCEN's estimation above, the proposed rule is anticipated to directly
affect other Federal financial regulatory agencies and their compliance
examiners, who number approximately 7,500 from the Board, FDIC, NCUA,
and OCC, who already incorporate sanctions compliance review as part of
the examination process.\400\
---------------------------------------------------------------------------
\399\ See supra section VII.A.
\400\ On the listed figure, see supra note 398. See generally
OFAC, Examination Guidelines, (Jun. 30, 2005) available at https://ofac.treasury.gov/recent-actions/20050630a.
---------------------------------------------------------------------------
[[Page 18629]]
c. Law Enforcement and National Security Agencies
The proposed rule is intended to support the efforts of law
enforcement and national security agencies by promoting AML/CFT
compliance and sanctions compliance program implementation among
stablecoin issuers that become PPSIs, which should generate highly
useful reports and other data in addition to deterring predicate crimes
and violations of U.S. laws and regulations. Law enforcement and
national security agencies that enter into a memorandum of
understanding with FinCEN can directly access and use reports and data
provided to FinCEN in compliance with AML/CFT requirements. As of
fiscal year 2024, 432 Federal, State, and local law enforcement;
regulatory; and national security agencies had access to BSA reports
and BSA Search, and the BSA Portal had over 12,000 users.\401\ In
addition, reports of blocked property and rejected transactions
submitted to OFAC can be key to developing sanctions enforcement
actions that help protect U.S. national security interests.
---------------------------------------------------------------------------
\401\ See FinCEN, Financial Crimes Enforcement Network (FinCEN)
Year in Review for Fiscal Year 2024, p. 5. Note that not all users
are from external agencies. FinCEN employees are also among the
users with access to the BSA Portal.
---------------------------------------------------------------------------
d. Members of the General Public
FinCEN and OFAC expect the general public to be affected by the
proposed rule, with certain subpopulations affected more directly than
others in specific instances.\402\
---------------------------------------------------------------------------
\402\ See infra section XII.A.2.ii.d.2.
---------------------------------------------------------------------------
1. General Public
Implementing the proposed rule would ensure that PPSIs are
``subject to all Federal laws applicable to a financial institution
located in the United States relating to economic sanctions, prevention
of money laundering, customer identification, and due diligence.''
\403\ Ensuring these guardrails and infrastructure are in place is
fundamental to unlocking the potential benefits that a vibrant and
well-functioning payment stablecoin market can offer the public
(described above in section IV.B) because these regulatory guardrails
and infrastructure are necessary to insulate the system from abuse and
critical risks to its integrity (described in section IV.D). FinCEN and
OFAC also considered that the proposed rule could further benefit the
general public to the extent that AML/CFT and sanctions compliance
would deter the use of payment stablecoins to enable fraud \404\ and
help prevent the use of payment stablecoins to enable and fund illicit
activity counter to U.S. national security interests.\405\
---------------------------------------------------------------------------
\403\ 12 U.S.C. 5903(a)(5)(A).
\404\ The Federal Bureau of Investigation estimated that in 2025
direct losses to U.S. citizens resultant of crypto-related scammers
and fraudsters exceeded $7.2 billion. See Federal Bureau of
Investigation, 2025 internet Crime Report (2026), available at
https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf; see
also supra section IV.D.2.
\405\ See supra section IV.D.
---------------------------------------------------------------------------
2. PPSI Customers
Because the proposed AML/CFT requirements include obligations that
depend on information collected and produced by a PPSI's customers,
FinCEN considered the prospective customers of future PPSIs as uniquely
affected members of the general public. Although estimated payment
stablecoin users number in the hundreds of millions, a substantially
smaller number (in the hundreds of thousands) are likely to interact
with PPSIs in the primary market. Many of these customers are large
financial institutions, as described above in section IV.A, and most
large stablecoin issuers set significant financial requirements for
primary market participants that exclude retail-level participation.
Most primary market activity, as measured in transaction volume, is
attributable to these large entities. However, some issuers have
increasingly adopted wider-facing mint/redeem models that seek to
include smaller investors and businesses. To the extent that PPSI
markets continue to face large, or almost exclusively, larger clients
who are themselves legal entities, financial institutions, or other
non-natural persons, the typical future PPSI would be expected to face
a higher per-customer burden than other types of financial institutions
that currently have AML/CFT program obligations comparable to those
that would apply to PPSIs but a lower concentration of legal entity
customers to individuals. Because certain program requirements that
rely on customer information have burdens that scale with the
complexity of the customer and, in general, legal entity customers have
more complex information to provide than natural persons, both future
PPSIs and their typical prospective customers would face compliance-
related cost profiles that are unique to the industry.
OFAC also considered the impact of the proposed rule on the
relationship between PPSIs and their customers. Because PPSIs would be
considered U.S. persons, they are therefore subject to U.S. sanctions
laws, including obligations to block or reject unauthorized
transactions as they would apply on either the primary and secondary
market, regardless of the proposed rule's requirement that PPSIs
maintain an effective sanctions compliance program. Furthermore, PPSI
customers who are U.S. persons are already obligated to comply with
U.S. sanctions themselves. As a result, OFAC would not expect any
incremental costs to the customers of PPSIs as a result of the proposed
rule.
To estimate the number of expected primary market customers a
future PPSI might interact with and, therefore, need to collect certain
information and conduct due diligence on under the proposed AML/CFT
requirements, FinCEN and OFAC examined current on-chain minting and
redemption activity as observable from publicly available data. The
majority of stablecoin products meeting the GENIUS Act's definitional
criteria for future payment stablecoins that FinCEN and OFAC reviewed
had fewer than 1,000 primary market customers in a given year, which is
consistent with prior expectations of high barriers to market
participation. However, a small number of the stablecoins reviewed had
significantly more primary market contact (with up to as many as
250,000 customers) in a given year. In the sample of issuers FinCEN
reviewed, the average number of an issuer's primary market customers
was approximately 17,000, but this value appeared to be driven by
extreme outliers. The truncated average was approximately 1,000, and
the median value was 100.\406\
---------------------------------------------------------------------------
\406\ To address the impact of extreme outliers, the truncated
average was estimated by removing six percent of the sample from the
left and right tails of the distribution (the single smallest and
largest values). The largest value was more than three standard
deviations away from nearest value, making it a significant outlier.
---------------------------------------------------------------------------
Based on this analysis, FinCEN estimates that the ``average'' PPSI
would have approximately 1,000 primary market customers that it
interacts with directly, including issuing and redeeming payment
stablecoins and engaging in digital asset service provider activities
where those activities are authorized by the appropriate primary
Federal or the State payment stablecoin regulator and consistent with
all other federal and state laws. However, some PPSIs are expected to
have substantially more or substantially fewer. On aggregate, FinCEN
does not expect the total market population of identifiably unique
future primary market PPSI customers to exceed
[[Page 18630]]
300,000.\407\ However, FinCEN and OFAC anticipate that a substantial
number of these observably unique customers may be affiliates of a
single counterparty (i.e., not substantively unique or representative
of distinct legal entities) or associated with non-U.S. entities.\408\
As such, FinCEN and OFAC find that a more appropriate estimate of the
population of primary market customers that are unique U.S. businesses,
legal entities, or other non-natural person is much smaller than
300,000 and is closer to approximately 10,000. These businesses belong
to several categories, including digital asset exchanges, specialized
digital asset commodities traders, and other types of investment and
securities related businesses. Besides digital asset exchanges, FinCEN
and OFAC expect that most of a typical future PPSI's other customers
are likely to be financial institutions.\409\
---------------------------------------------------------------------------
\407\ A substantial portion of these customers may be affiliates
of a single counterparty or associated with non-U.S. entities. In
cases where these entities are not U.S. persons, the incremental
economic burdens of the proposed rule, while considered as part of
the broader economic analysis, are not included in the IRFA (see
infra section XII.C) because RFA considerations apply to U.S. small
entities only.
\408\ In cases where these entities are not U.S. persons, the
incremental economic burdens of the proposed rule, while considered
as part of the broader economic analysis, are not included in the
IRFA because RFA considerations apply to U.S. small entities only.
\409\ Such firms would be classified under North American
Industry Classification System (NAICS) industry code 523
(``Securities, Commodity Contracts, and Other Financial Investments
and Related Activities'').
---------------------------------------------------------------------------
FinCEN and OFAC also used publicly available data on on-chain
minting and redemption activity to analyze annual rates of customer
growth and turnover. Many of the stablecoin issuers reviewed retained
the same group of large ``core'' primary market customers year over
year but exhibited significant turnover among their smaller primary
market customers. In addition, most stablecoin issuers saw significant
growth in their primary market customer base during 2025. For purposes
of modelling expected economic effects, FinCEN and OFAC assume that
this growth will continue, particularly among stablecoin issuers that
are able to secure PPSI registration. Of the stablecoin issuers FinCEN
reviewed, the average rate of new customer inflow, year-over-year, was
approximately 65 percent of the number of existing, previous customers.
Therefore, FinCEN and OFAC apply this rate, where relevant, when
estimating the costs in the remaining analysis. FinCEN requests comment
on whether the assumptions regarding the number of primary market
customers are reasonable.
iii. Current Market Practices
In assessing the impact of the proposed rule, FinCEN and OFAC took
into consideration a number of current market features relevant to both
the proposed future AML/CFT obligations and the proposed sanctions
compliance program requirements of potential future PPSIs.\410\ FinCEN
then separately considered current practices of unique relevance to its
proposed AML/CFT requirements,\411\ while OFAC similarly considered
economic sanctions compliance-related current market practices.\412\
---------------------------------------------------------------------------
\410\ The term ``potential payment stablecoin'' is meant in this
analysis to refer to those products which, based on FinCEN's
analysis, possess the attributes that could qualify them as
``payment stablecoins'' as defined in the GENIUS Act.
\411\ See infra section XII.A.2.iii.b.
\412\ See infra section XII.A.2.iii.c.
---------------------------------------------------------------------------
a. Market Structure and Activities
At present, the stablecoin market is characterized by many features
of early stage development, and within this ecosystem, existing
stablecoins whose issuers would potentially be eligible to register as
a payment stablecoin issuers (PPSIs or FPSIs) in the future constitute
a small proportion of currently available products (less than one in
five) but a considerably larger share of current market capitalization,
ranging in expectation from approximately 75 to 81 percent, with
variation based on assumptions. Thus, the stablecoin market that future
PPSIs would face might reasonably be expected to persist in being
highly concentrated.
Current stablecoin issuers, particularly those with larger market
shares, also appear to be part of more complex corporate structures,
existing operationally within a framework of affiliated legal entities
that may be functionally unified but, for either tax or legal purposes,
considered technically distinct. It is unclear if these configurations
should be expected to persist in their current form once the GENIUS Act
becomes effective.
b. Current AML/CFT Compliance Practices
To inform its assessment of the expected incremental impact of the
proposed obligations, FinCEN considered several features related to
current stablecoin issuers' AML practices. In particular, FinCEN
performed additional analysis of the stablecoin issuers identified, as
discussed above in section XII.A.2.ii.a, as potential future PPSIs,
taking into account the observed incidence and rate of MSB registration
and BSA report-filing activity as well as the general utilization of
BSA filings by law enforcement and national security agencies' efforts
that PPSIs would contribute to under the proposed requirements, and
thereby indirectly benefit the general public.
1. Current Stablecoin Issuer MSB Registration
In its review of MSB registrations newly filed, revised, or renewed
by the issuers of stablecoin products at least once in the most recent
two calendar years, FinCEN observed that approximately 50 percent of
the stablecoin-issuing entities identified in section XII.A.2.ii.a.1
appear to have submitted the requisite filings to be registered as
MSBs, including one issuer also affiliated with a major international
bank. Current stablecoin products for which no associated MSB
registration activity could be identified, while representing nearly
half of the current stablecoin-issuing population, represented less
than one percent of the total market capitalization of all the likely
potential future payment stablecoin products.
2. Current Stablecoin Issuer AML/CFT Programs
Even without the AML/CFT requirements of the BSA or the GENIUS Act,
FinCEN expects that many stablecoin issuers would still be likely to
employ some AML/CFT measures in their current issuance and trading
frameworks. For example, nearly all centralized issuers collect
information on their direct customers (i.e., ``primary market''
customers) when minting or redeeming coins.\413\ Direct customers must
typically provide information such as name, address, Social Security
number/tax ID number (TIN), government ID, and often additional
business documentation.
---------------------------------------------------------------------------
\413\ The FATF identifies central governance bodies (issuers) as
``obliged entities'' responsible for customer due diligence and
transaction monitoring; they typically collect some customer
information from primary market customers. See FATF, Report to the
G20 on So-called Stablecoins, pp. 9-11 (Jun. 2020), available at
https://www.fatf-gafi.org/en/publications/Virtualassets/Report-g20-so-called-stablecoins-june-2020.html.
---------------------------------------------------------------------------
In order to collect, screen, and store customer information in the
ordinary course of business, stablecoin issuers and other financial
market participants often employ software technologies especially
suited for this purpose. These third-party services often provide
customer identity information verification and screening to collect and
verify personal information such as
[[Page 18631]]
name or address. These products provide a technical basis for many AML/
CFT compliance tasks, particularly with regard to primary market
customers.
As previously discussed in section XII.A.2.ii.d.2, many of the
potential future PPSIs identified by FinCEN have tended to retain the
same group of large ``core'' primary market customers year over year
but have exhibited significant turnover among smaller primary market
customer institutions focused on market arbitrage or other short-term
trading opportunities. In its review, FinCEN observed that turnover
rates were particularly high among issuers whose business models, from
inception, facilitated larger numbers of primary market customers.
These kinds of issuers appear to have had several thousand new primary
market participants in a given year, which suggests such firms are
likely to have automated screening functions to enable interaction with
such high volumes of new customers. Smaller or more centralized
stablecoin issuers generally had far fewer new customers (although
retention or growth may be similar from a percentage standpoint) and
have processes that may be more manual.
3. Current Stablecoin Issuer BSA Reporting Practices
In its assessment of current market practices, FinCEN evaluated the
SAR and CTR filing activity of current stablecoin issuers. This review
both (1) informed the estimates of expected BSA-reporting activity and
burden utilized in sections XII.A.4.ii.a and XII.E.1 below and (2)
illuminated aspects of certain stablecoin issuers' current
organizational features and practices in identifying and responding to
suspicious activity.
As a preliminary matter, FinCEN observed that BSA filing activity
generally followed the same distribution of attributes as stablecoin
issuer MSB registration but has, in relatively stable fashion, remained
concentrated to a smaller proportion of the population of stablecoin
issuers and exhibited more pronounced differences between high volume
and low volume report filers year over year.
FinCEN reviewed BSA available filings for the issuers of 17 of the
stablecoin products it identified in section XII.A.2.ii.a.1 as meeting
the definitional criteria set forth in the GENIUS Act to be eligible as
potential future PPSIs. Sixteen of these products had issuers who
registered at least once as an MSB within the past three years. The
number of annual SAR filings by these entities ranged from zero to over
4,000 per entity in calendar year 2025, the average was about 350, and
the truncated average was 104.\414\ In some cases, high filing counts
may have also been attributable to the stablecoin issuer's offering of
other products and services in addition to its stablecoin offerings
(resulting in a wider range of activity that could result in a SAR), so
the truncated average is likely a closer estimate for the average rate
of stablecoin-related SAR filing frequency for the typical future PPSI.
While FinCEN also observed that some stablecoin issuers have
historically filed CTRs, it notes that within the past five completed
calendar years, only one of the stablecoin issuers the analysis in
section XII.A.2.ii.a.1 identified as a potential future PPSI continued
to file through the end of the sample period.
---------------------------------------------------------------------------
\414\ The truncated average was calculated by removing the
single largest outlier, which had over 4,000 filings, significantly
more than the next highest value. This entity also offered other
retail products in addition to their stablecoin offering, resulting
in a number of SARs being filed unrelated to their stablecoin
product.
---------------------------------------------------------------------------
FinCEN found several pieces of anecdotal, qualitative, and
quantitative information that corroborate the agency's understanding of
certain baseline market features and activities in the SARs filed by
stablecoin issuers. In particular, the SAR narratives proved a rich
source of information. For example, data about the stablecoin-issuing
filers of BSA reports support FinCEN's general observations about the
structural complexity of potential future PPSIs as discussed above in
section XII.A.2.ii.a. Of the stablecoin issuers with BSA filings, the
average number of related but potentially distinct legal entities--as
measured by the number of unique filer TINs per issuer of stablecoin
products--associated with filing activity was more than one
(approximately two), but some stablecoin issuers had as many as eight.
In several cases, the legal entities filing SARs were distinct from the
legal entities registering as MSBs, even though they were affiliated
with the same issuer. FinCEN also examined Report of Foreign Bank and
Financial Account (FBAR) filing activity in which these issuers were
the subject, and found indications that a number of these issuers
maintain offshore accounts which may be associated with separate,
offshore entities.
These findings provide important insight into how a typical
stablecoin issuers may operate. Generally, such issuers establish
multiple legal aliases, often to serve separate functions. The legal
entities responsible for identifying and reporting suspicious activity
are often separate from the legal entities responsible for facilitating
money transmission as an MSB. However, based on the SAR filings that
FinCEN reviewed, it seems clear that these functions operate in close
coordination with one another. In addition, it appears plausible, based
on BSA filing data, that stablecoin issuers may use offshore entities
or accounts to achieve favorable tax treatment or additional legal
flexibility.
In addition to filing BSA reports, including SARs about their
customers, the potential future PPSIs that FinCEN identified were often
the subject of various filing types, including SARs, themselves. While
there were substantially fewer of these SAR filings about the
respective stablecoin issuers than there were filings by those issuers,
SARs that reported potential future PPSIs may serve as an additional
indication of the illicit activity risks associated with stablecoins,
as discussed above in section IV.D.
The SARs FinCEN reviewed that were filed by stablecoin issuers also
speak to the incidence of what FinCEN and OFAC have discussed and
referenced throughout as their expectations of certain current market
practices and activities. In particular, a review of SAR narratives
indicates that reporting stablecoin issuers commonly employ a variety
of technologies to conduct due diligence in connection with customer
relationships and to identify high-risk customers. Filers often
identified suspicious customers based on documentation provided by the
customer that appeared contradictory or falsified, indicating that
these issuers currently obtain and carefully review substantial amounts
of information collected by and from customers. From SAR filings,
FinCEN observed that it appears to be common practice, at least among
reporting stablecoin issuers, for customers to already be asked to
provide identifying information at a level equivalent to or exceeding
the minimum generally necessary to comply with the proposed rule.
Reporting issuers also appear to use technology service providers to
investigate linkages between customers and high-risk and/or sanctioned
entities.
Some filings appear to have, in part, been informed by a concern
about the apparent nature of the reported transaction activity, and in
some cases transactions with no apparent lawful purpose or with certain
identified high-risk on-chain addresses were flagged for investigation.
In certain instances, issuers reported transaction patterns
inconsistent with their customers' reported location information that
the
[[Page 18632]]
reporting stablecoin issuers had identified and tracked. In several
cases, SAR-filing stablecoin issuers reported subjecting high-risk
customers to transaction freezes. In one instance, a SAR-filing
stablecoin issuer reported having frozen the use of issued coins by a
particular secondary market user in response to a law enforcement
request. Reports such as these suggest that at least some stablecoin
issuers currently have the ability to, and do, monitor customer
activity including, in some cases, using geolocation technology and/or
monitoring observable transactions on the secondary market, and these
reporting issuers are also, in many cases, currently able to freeze the
use of their stablecoin products.
4. Current Use of BSA Information by Law Enforcement and National
Security Agencies
While results may not be published, FinCEN both routinely receives
reports \415\ and conduct surveys \416\ that speak to the use and
usefulness of BSA information to law enforcement and national security
agencies. An older, but broadly analogous, publicly available report
from the U.S. Government Accountability Office (GAO) found that in
2018, a majority of federal and state law enforcement agencies had
direct access to FinCEN's BSA database (i.e., 85 percent of federal
agencies and 54 percent of state agencies), though fewer than one
percent of local law enforcement agencies did.\417\ FinCEN believes
these survey results may underrepresent the extent to which local law
enforcement may benefit from BSA information insofar as the GAO study
could not directly account for the incidence of referrals to local law
enforcement of matters not otherwise pursued by federal or state
agencies directly. The study also surveyed 5,257 investigators,
analysts, and prosecutors at six federal law enforcement agencies and
found that these agencies used BSA data extensively, estimating that
approximately 72 percent of personnel conducting investigations from
2015 to 2018 used BSA reports to support their work.\418\
---------------------------------------------------------------------------
\415\ William M. (Mac) Thornberry National Defense Authorization
Act for Fiscal Year 2021, Public Law 116-283, 134 Stat. 3388 (Jan.
1, 2021), sec. 6201 (Annual reporting requirements).
\416\ FinCEN, Agency Information Collection Activities: Proposed
Renewal; Comment Request; Renewal Without Change of the Generic
Clearance for the Collection of Qualitative Feedback on Agency
Service Delivery, 88 FR 30383 (May 11, 2023).
\417\ See GAO, Anti-Money Laundering: Opportunities Exist to
Increase Law Enforcement Use of Bank Secrecy Act Reports, and Banks'
Costs to Comply with the Act Varied, GAO-20-574 (Sept. 2020),
available at https://www.gao.gov/assets/gao-20-574.pdf. GAO
conducted the survey from November 9, 2019, through March 16, 2020.
\418\ Based on a response rate of approximately 57 percent.
---------------------------------------------------------------------------
c. Current Sanctions Compliance Practices
As previously discussed in section XII.A.2.i.b, prior to the
enactment of the GENIUS Act, no U.S. person was explicitly required to
establish and maintain a sanctions compliance program. Nevertheless, in
practice, industry participants, including U.S.-based stablecoin
issuers, have long implemented risk-based sanctions compliance measures
consistent with OFAC's publicly issued guidance. Specifically, OFAC's
2019 Compliance Framework \419\ strongly encourages persons subject to
U.S. jurisdiction--including foreign entities engaging in business in
or with the United States, U.S. persons, or U.S.-origin goods or
services--to adopt and maintain a risk-based sanctions compliance
program. In current practice, these measures have been adopted to
ensure compliance with binding U.S. sanctions obligations, even in the
absence of a formal programmatic requirement. Additionally, in 2021,
OFAC issued the Virtual Currency Industry Guidance,\420\ which adapted
the five elements for a sanctions compliance program from the 2019
Compliance Framework for the digital assets industry and provided
guidance on specific risk typologies that may arise within the
industry. This guidance also highlighted best practices that can assist
companies in the industry with sanctions compliance, such as the use of
geolocation tools and transaction monitoring and investigation
software. OFAC has also issued guidance specifically related to digital
assets, including frequently asked questions (FAQs), that highlight
OFAC's practices and expectations for individuals and entities
operating in the digital assets industry.\421\
---------------------------------------------------------------------------
\419\ See OFAC, 2019 Compliance Framework, supra note 285.
\420\ See OFAC, Virtual Currency Industry Guidance, supra note
286.
\421\ See OFAC, Questions on Virtual Currency, available at
https://ofac.treasury.gov/faqs/topic/1626.
---------------------------------------------------------------------------
Based on current market research, FinCEN and OFAC observe that in
practice, sanctions compliance may be operationalized as an integrated
component of what is commonly referred to as an institution's broader
AML compliance framework. As a result, sanctions-related controls
commonly share training, technology, personnel, and governance
structures with AML compliance programs, making it difficult, for
purposes of this RIA, to meaningfully disaggregate certain costs
attributable solely to current or future sanctions compliance
requirements from broader AML/CFT market baseline activities.
Consistent with FinCEN's risk-based AML framework, institutions
generally already incorporate sanctions risk into enterprise-wide risk
assessments, customer due diligence, transaction screening, internal
controls, and escalation and remediation procedures that form part of
the overall AML compliance program.\422\
---------------------------------------------------------------------------
\422\ See FinCEN, Information on Complying with the Customer Due
Diligence (CDD) Final Rule, available at https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule; see also FinCEN,
Fact Sheet: Proposed Rule to Strengthen and Modernize Financial
Institution AML/CFT Programs, FIN-2024-FCT1 (Jun. 28, 2024),
available at https://www.fincen.gov/system/files/shared/Program-NPRM-FactSheet-508.pdf; FinCEN, the Board, FDIC, NCUA, and OCC,
Interagency Statement on the Issuance of the AML/CFT Program Notices
of Proposed Rulemaking (Jul. 19, 2024), available at https://www.fincen.gov/system/files/shared/Interagency-Statement-on-the-Issuance-of-the-AML-CFT-Program-Notices-of-Proposed-Rulemaking-FINAL.pdf; see also FinCEN, Anti-Money Laundering and Countering the
Financing of Terrorism Programs, 89 FR 55428 (July 3, 2024).
---------------------------------------------------------------------------
As a matter of industry practice, sanctions compliance practices
are also typically both conceptually risk based and, operationally,
technology enabled. Such programs commonly incorporate screening
technology during customer- or client-onboarding and, on an ongoing
basis, screen against OFAC sanctions lists, as well as conduct due
diligence designed to identify sanctions-related risks that may not
explicitly be reflected in OFAC's lists, including indirect or layered
exposure.\423\ As observed, sanctions screening typically involves a
number of complex processes, and stablecoin issuers often adopt ``on-
chain'' screening technologies and processes to ensure that all
payments using stablecoins are compliant with U.S. sanctions.
Institutions typically first screen customer information against OFAC-
administered sanctions lists, including the SDN List, at the time of
onboarding. Procedures usually involve ongoing sanctions screening and
risk-based re-screening (for example, related to a historical lookback)
to account for updated customer information, updates to OFAC sanctions
lists, or changes in regulatory requirements. Screening techniques
attempt to identify addresses, including physical, digital wallet, and
IP addresses, and other relevant information with potential links (or
indirect exposure) to sanctioned persons
[[Page 18633]]
or jurisdictions, often utilizing screening tools' ``fuzzy logic''
capabilities to account for common name variations and misspellings
(e.g., ``Crimea'' versus ``Krimea''). ``Smart contracts'' are a
commonly utilized blockchain tool that, among other functions, may be
programmed to automatically identify and prevent transactions attempted
by sanctioned entities or rely on third-party data sources, such as
oracles, for sanctions screening.\424\ Based on market research, FinCEN
and OFAC find that while existing `off-the-shelf' software is already
available to meet many of these requirements, a future PPSI might
choose to create a bespoke system for its sanctions compliance needs.
---------------------------------------------------------------------------
\423\ See OFAC, Entities Owned by Blocked Persons (50% Rule)
(Aug. 13, 2024), available at https://ofac.treasury.gov/faqs/topic/1521.
\424\ See supra section IV.A, note 37.
---------------------------------------------------------------------------
3. Description of Proposed Requirements
For purposes of the RIA, FinCEN and OFAC considered the various
components of the proposed rule with a view towards the specific
features or elements that are expected to generate, either directly or
indirectly, an economic benefit or cost, or lead to changes in market
participant incentives in a way that may generate economic benefits or
costs.\425\ For components of the proposed rule that FinCEN and OFAC
analysis has not assigned a quantified burden (in hours or dollars),
the reason for doing so is briefly explained in the description of
expected costs in section XII.A.4.ii.
---------------------------------------------------------------------------
\425\ See infra section XII.A.4.
---------------------------------------------------------------------------
To balance the completeness of the RIA with the desire for
expositional clarity and ease of tractability between the proposed
regulatory text and sections VI and VII (section-by-section analyses)
and section XII. (regulatory impact analysis), FinCEN and OFAC have
included table 2, to provide a mapping of the various components of the
proposed rulemaking as presented in FinCEN and OFAC's respective
section-by-section analyses to their analogous categorization in the
RIA.
Table 2--Overview/Mapping of Regulatory Text and Analyses
----------------------------------------------------------------------------------------------------------------
Proposed
Scope of affected entities The proposed rule Section VI and Considered in RIA regulatory text
would . . . VII analysis subsection(s) location
----------------------------------------------------------------------------------------------------------------
PPSIs.......................... Amend the definition VI.C.1.i......... XII.A.3.i and 31 CFR
of ``financial iii.a. 1010.100(t)(11).
institution'' to
include ``a permitted
payment stablecoin
issuer'' for purposes
of the BSA.
Amend the definition VI.C.1.ii........ XII.A.3.i........ 31 CFR
of ``money services 1010.100(ff)(8).
business,'' by adding
``a permitted payment
stable coin issuer''
to the list of
entities excluded
from the definition.
Amend the definition VI.C.1.iii....... XII.A.3.i........ 31 CFR
of ``transaction,'' 1010.100(bbb)(1)
to add the issuance .
or redemption of a
payment stablecoin as
a type of transaction.
Amend the definition VI.C.1.iv........ XII.A.3.i........ 31 CFR
of ``transmittal 1010.100(eee).
order,'' to add a
payment stablecoin as
a subject of an order.
Define the terms VI.C.1.v-xiii.... XII.A.3.i........ 31 CFR
``digital asset,'' 1010.100(ppp),
``distributed (qqq), (rrr),
ledger,'' ``lawful (sss), (ttt),
order,'' ``payment (uuu), (vvv),
stablecoin,'' and (www).
``permitted payment
stablecoin issuer,''
``primary Federal
payment stablecoin
regulator,''
``Federal qualified
payment stablecoin
issuer,'' ``State
payment stablecoin
regulator,'' and
``State qualified
payment stablecoin
issuer.''.
Delegate examination VI.C.2........... XII.A.3.......... 31 CFR
authority for PPSIs. 1010.810(b)(11).
PPSIs with respect to their AML/ Require internal VI.C.3.ii.a...... XII.A.3.iii.a, 31 CFR
CFT Program Requirements. policies, procedures, XII.A.4.ii.a.1, 1033.210(b)(1).
and controls that (1) XII.A.4.ii.a.4,
identify, assess, and XII.E.1.
document ML/TF risks
through risk
assessment processes;
(2) mitigate ML/TF
risks consistent with
a PPSI's risk
assessment processes;
and (3) conduct
ongoing customer due
diligence.
Require that risk VI.C.3.ii.a...... XII.A.3.iii.a, 31 CFR
assessment processes XII.A.4.ii.a.1, 1033.210(b)(1)(i
(1) evaluate ML/TF XII.E.1. )(A), (B), and
risks from business (C).
activities; (2)
consider AML/CFT
Priorities; and (3)
update promptly
responsive to
significant changes
to ML/TF risks.
Require independent VI.C.3.ii.b...... XII.A.3.iii.a, 31 CFR
testing of the AML/ XII.A.4.ii.a.2. 1033.210(b)(2).
CFT program.
Require the VI.C.3.ii.c...... XII.A.3.iii.a, 31 CFR
designation of an AML/ XII.A.4.ii.a.1, 1033.210(b)(3).
CFT officer, require XII.E.1.
that the designated
individual is located
in the United States,
has not been
convicted of a
felony, and is
subject to oversight
and supervision by
FinCEN and its
designee, and is
responsible for
establishing and
implementing the AML/
CFT program and
coordinating and
monitoring day-to-day
compliance.
Require a PPSI AML/CFT VI.C.3.ii.d...... XII.A.3.iii.a, 31 CFR
program to include an XII.A.4.ii.a.3, 1033.210(b)(4).
``ongoing employee XII.E.1.ii.a.
training program.''.
Require the AML/CFT VI.C.3.iii....... XII.A.3.iii.a, 31 CFR
program be written, XII.A.4.ii.a.1, 1033.210(d).
made available upon XII.E.1.
request to FinCEN or
its designee, and
approved by the
PPSI's board of
directors, an
equivalent governing
body within the
issuer, or
appropriate senior
management.
Require any and all VI.C.3.iv........ XII.A.3.iii.a, 31 CFR
certifications XII.A.4.ii.a.1, 1033.210(e).
submitted to the XII.E.1.
PPSI's primary
Federal payment
stablecoin regulator
or State payment
stablecoin regulator
certifying that the
PPSI has implemented
an AML/CFT program be
made available upon
request to FinCEN or
its designee.
[[Page 18634]]
Define the terms/ VI.C.4.i......... XII.A.3.i........ 31 CFR
phrases ``AML/CFT 1033.221(a).
enforcement action,''
``AML/CFT
requirement,'' and
``significant AML/CFT
supervisory action.''.
Provide that a PPSI VI.C.4.ii........ XII.A.3.iii.a.... 31 CFR
with an AML/CFT 1033.221(b).
program established
in accordance with
proposed 31 CFR
1033.210(b) would not
be subject to an AML/
CFT enforcement
action or significant
AML/CFT supervisory
action absent a
significant or
systemic failure to
implement said
program within the
meaning of proposed
31 CFR 1033.210(c),
and provide that the
proposed 31 CFR
1033.221(b)(1)
provisions do not
apply when there is a
failure to establish
an AML/CFT program
within the meaning of
proposed 31 CFR
1033.210(b).
Provide that in VI.C.4.iii....... XII.A.3.iii.a.... 31 CFR
determining to take, 1033.221(d).
or in review of, an
AML/CFT enforcement
action or significant
AML/CFT supervisory
action, the Director
would take into
account factors under
31 U.S.C.
5318(h)(2)(B) and the
PPSI's unique ability
and efforts to
advance AML/CFT
priorities.
Amend 31 CFR 1010.230 VI.C.5........... XII.A.3.iii.c, 31 CFR 1010.230.
with respect to XII.A.4.ii.a.4,
PPSIs' obligation to XII.A.5.i.b,
collect and verify XII.E.1.
beneficial ownership
information about
legal entity
customers.
Require ``technical VI.C.6.i......... XII.A.3.iii.b, 31 CFR
capabilities, XII.A.4.ii.a.5, 1033.240(a).
policies, and XII.A.5.i.c.
procedures to block,
freeze, and reject
specific or
impermissible
transactions that
violate Federal or
State laws, rules, or
regulations.''.
Require a PPSI to (1) VI.C.6.ii........ XII.A.3.iii.b, 31 CFR
have the technical XII.A.4.ii.a.5,. 1033.240(b).
capabilities to
comply with the terms
of any lawful order
and (2) comply with
the terms of any
lawful order.
Require the filing of VI.C.7........... XII.A.3.iii.c, 31 CFR 1033.310-
CTRs. XII.A.4.ii.a.6, 315.
XII.E.1.
Require the filing of VI.C.8.i-iii..... XII.A.3.iii.c, 31 CFR
SARs. XII.A.4.ii.a.6, 1033.320(a),
XII.E.1. (b).
Require the retention VI.C.8.iv........ XII.A.3.iii.c, 31 CFR
of copies of filed XII.A.4.ii.a.6, 1033.320(c).
SARs and the XII.E.1.
underlying related
documentation for a
period of five years
from the date of
filing.
Prohibit the VI.C.8.v......... XII.A.3.iii.c.... 31 CFR
disclosure a SAR or 1033.320(d).
any information that
would reveal the
existence of a SAR.
Provide protection VI.C.8.vi........ XII.A.3.iii.c.... 31 CFR
from liability for 1033.320(e).
making required or
voluntary reports of
suspicious
transactions, or for
failures to provide
notice of such
disclosure to any
person identified in
the disclosure to the
full extent provided
by 31 U.S.C.
5318(g)(3).
Require examination of VI.C.8.vii....... XII.A.3.iii.c, 31 CFR
compliance with their XII.E.1. 1033.320(f).
obligation to report
suspicious
transactions by
FinCEN and its
delegees.
Exclude secondary VI.C.8.viii...... XII.A.3.iii.c, 31 CFR
market transfers from XII.A.4.ii.a.6, 1033.320(g).
a PPSI's SAR XII.E.1.
reporting obligations.
Require the retention VI.C.9.i......... XII.A.3.iii.d, 31 CFR 1033.410.
of appropriate XII.A.4.ii.a.7,
records. XII.E.1.
Apply the information- VI.C.10.......... XII.A.3.iii.e, 31 CFR 1033.520;
sharing provisions of XII.A.4.ii.a.8, 540
sections 314(a) and XII.E.1.
(b) of the USA
PATRIOT Act to PPSIs.
Require compliance VI.C.11.......... XII.A.3.iii.f, 31 CFR 1033.600-
with special XII.A.4.ii.a.9-1 630; 31 CFR
standards of 0, XII.E.1. 1010.651; 653;
diligence, 658-661; 663;
prohibitions, and and 664.
special measures
under section 311 of
the USA PATRIOT Act,
including enhanced
due diligence for
correspondent and
private banking
accounts and some
active special
measures.
PPSIs with respect to their Impose standard VII.A............ XII.A.3.iv, 31 CFR 502.102.
Sanction Compliance Program recordkeeping and XII.A.4.ii.a.1,
Requirements. reporting XII.A.4.ii.a.7,
requirements as found XII.E.1.
in 31 CFR part 501,
including requiring
any and all
certifications
submitted to the
PPSI's primary
Federal payment
stablecoin regulator
or State payment
stablecoin be
provided to OFAC.
Require senior VII.B.1.......... XII.A.3.iv, 31 CFR
management (1) review XII.A.4.ii.a.1, 502.201(b)(1).
and approval of a XII.E.1.
PPSI's sanctions
compliance program
and (2) support for
the sanctions
compliance program's
effective
implementation.
[[Page 18635]]
Require sanctions- VII.B.2.......... XII.A.3.iv, 31 CFR
related risk XII.A.4.ii.a.1, 502.201(b)(2).
assessments by: (i) XII.E.1.
conducting holistic
assessments of U.S.
sanctions risks at
appropriate
intervals; (ii) using
the risk assessments
to inform the PPSI's
operation of its
sanctions compliance
program, including
revising internal
controls and training
as appropriate; and
(iii) revising risk
assessments as
appropriate to
account for any
identified U.S.
sanctions violations
or deficiencies, new
products, services,
mergers, or
acquisitions, and any
other factors that
may affect a PPSI's
risk profile.
Require a system of VII.B.3.......... XII.A.3.iv, 31 CFR
risk-based internal XII.A.4.ii.a.5, 502.201(b)(3).
controls, including XII.A.4.ii.a.7,
technical XII.A.5.ii.
capabilities.
Require a system of VII.B.3.......... XII.A.3.iv, 31 CFR
risk-based internal XII.A.4.ii.a.1, 502.201(b)(3).
controls, including XII.A.5.ii,
written policies and XII.E.1.
procedures.
Require an independent VII.B.4.......... XII.A.3.iv, 31 CFR
testing or audit XII.A.4.ii.a.3, 502.201(b)(4).
function, accountable XII.A.5.ii,
to senior management, XII.E.1.
with sufficient
resources, expertise,
and authority to
identify U.S.
sanctions compliance-
related weaknesses
and deficiencies.
Require records of VII.B.4.......... XII.A.3.iv, 31 CFR
testing and auditing XII.A.4.ii.a.7, 502.201(b)(4)(iv
results and resulting XII.E.2. ).
updates or
enhancements to the
sanctions compliance
program be maintained
and provided upon
request to OFAC.
Require a risk-based VII.B.5.......... XII.A.3.iv, 31 CFR
compliance training XII.A.4.ii.a.2, 502.201(b)(5).
program. XII.A.5.ii,
XII.E.1.
Defines the terms VII.C.1-3........ XII.A.3.ii....... 31 CFR 301-304.
``knowingly,''
``OFAC,'' ``payment
stablecoin-related
activity,'' and
``permitted payment
stablecoin issuer;
PPSI.''.
Federal Financial Institutions Require an FFIRA VI.C.4.iii....... XII.A.3.iii.a, 31 CFR
Regulatory Agencies (FFIRAs). consultation with the XII.A.4.ii.b. 1033.221(c)(1).
Director before any
significant AML/CFT
supervisory action
pursuant to delegated
authority is
initiated.
Require, generally, an 31 CFR
FFIRA to provide 1033.221(c)(2)(i
written notice to the ).
Director of any
intent to take a
significant AML/CFT
supervisory action
pursuant to delegated
authority at least 30
days in advance of
the proposed action.
Require, to the extent 31 CFR
reasonably 1033.221(c)(2)(i
practicable, that an i).
FFIRA respond to
requests from the
Director for
additional
information regarding
a proposed
significant AML/CFT
supervisory action.
FinCEN and its Delegees........ Require examination of VI.C.8.vii....... XII.A.3.iii.c, 31 CFR
PPSIs' compliance XII.A.4.ii.b. 1033.320(f).
with their obligation
to report suspicious
transactions.
----------------------------------------------------------------------------------------------------------------
i. Proposed New and Amended FinCEN Definitions
As discussed in greater detail in section VI.C.1 above, FinCEN is
proposing to amend four existing definitions and add nine new terms to
the general definitions section of its regulations, 31 CFR 1010.100.
FinCEN is proposing three additional definitions in connection with the
proposed regulation and supervision of PPSI AML/CFT programs in 31 CFR
part 1033. Where it is adding new terms, in large part, FinCEN's
proposed definitions would embed the language of the GENIUS Act in
FinCEN regulations. In a few instances, however, FinCEN is proposing to
modify the statutory language.
As a general matter, definitions prescribe the scope of parties to
whom, and products to which, a regulation applies and are therefore
capable of generating economic effects as a consequence of the
delineations they set forth. However, because FinCEN's proposed
additions and changes to definitions are necessary to effectuate the
GENIUS Act's direction that PPSIs be subject to the BSA, or are
otherwise intended to harmonize the GENIUS Act definitions with
FinCEN's existing regulations, to improve readability, or to avoid
confusion with other similar terms defined by FinCEN's regulations
without changing the meaning of any defined terms, these components of
the proposed rule are not expected to independently generate
incremental direct economic effects. As such, these elements of the
proposed rule are not separately considered in the section XII.A.4
discussion below. Public comment is invited on whether FinCEN should
reconsider the potential standalone economic impact of the definitions,
collectively or individually, in the context of and as proposed
components of this NPRM.
ii. Proposed New OFAC Definitions
As discussed in greater detail in section VII.C above, OFAC is
proposing to define four terms in the definitions section of the new 31
CFR part 502. OFAC's proposed definitions of the terms ``knowingly''
and ``OFAC'' are consistent with other OFAC regulations. OFAC's
proposed definition of ``payment stablecoin-related activity'' is
scoped to cover the range of activities involving a PPSI's payment
stablecoin from the time of issuance until the payment stablecoin's
removal from circulation. Finally, OFAC's proposed definition of
``permitted payment stablecoin issuer'' is consistent with the
definition of that term contained in the GENIUS Act, with minor
modifications.
While OFAC recognizes that definitions can generate economic
effects, OFAC does not expect these components of the proposed rule to
independently generate incremental direct economic effects. OFAC's
proposed definitions are necessary to effectuate and enforce the GENIUS
Act's requirement that PPSIs maintain an effective sanctions compliance
program, including by emphasizing that a PPSI's sanctions compliance
obligations apply
[[Page 18636]]
to all activity involving its payment stablecoins,\426\ or are
otherwise intended to harmonize the GENIUS Act definitions with OFAC's
existing regulations. As such, these elements of the proposed rule are
not separately considered in section XII.A.4 discussion below. Public
comment is invited on whether OFAC should reconsider the potential
standalone economics impact of the definitions, collectively or
individually, in the context of and as proposed components of this
NPRM.
---------------------------------------------------------------------------
\426\ As noted in section V.B, U.S. persons, including U.S.
person stablecoin issuers, are and have always been subject to U.S.
sanctions laws, including with respect to transactions occurring on
the primary or secondary markets.
---------------------------------------------------------------------------
iii. Proposed New FinCEN Requirements
a. AML/CFT Program-Related Proposed Requirements
As discussed in greater detail in section VI.C.3, the proposed rule
includes new requirements for PPSIs to develop and implement AML/CFT
programs. The proposed rule would require AML/CFT programs to
reasonably manage and mitigate ML/TF risks through internal policies,
procedures, and controls that are commensurate with those risks and
ensure ongoing compliance with the BSA and its implementing
regulations. The proposed rule would require PPSIs to reasonably manage
and mitigate risks using internal policies, procedures, and controls
based on their institution-specific ML/TF risks as identified by the
risk assessment process(es) required. An effective, risk-based, and
reasonably designed AML/CFT program would continue to incorporate the
results of the applicable risk assessment process(es) through
appropriate changes to internal policies, procedures, and controls to
manage ML/TF risks on an ongoing basis as necessary. The procedures
must also integrate and support the conduct of ongoing customer due
diligence. The proposed rule would require PPSIs to conduct ongoing
customer due diligence as part of their AML/CFT program
obligations.\427\ The GENIUS Act requires that PPSIs are subject to due
diligence requirements including enhanced due diligence where
appropriate.\428\
---------------------------------------------------------------------------
\427\ See supra section VI.C.3.ii.a.3.
\428\ 12 U.S.C. 5903(a)(5), 5903(a)(5)(A)(v).
---------------------------------------------------------------------------
The proposed rule provides PPSIs with the regulatory flexibility to
consider innovative approaches to comply with BSA requirements as
FinCEN aims to encourage instances where a PPSI finds it beneficial to
consider and evaluate technological innovation and, as warranted by the
PPSI's risk profile, implement new technology or innovative approaches
in combating financial crime. Additionally, PPSIs may find it
beneficial to consider whether the AML/CFT program appropriately uses
the financial institution's existing internal capabilities,
technologies, product lines, and data. For example, if a PPSI's
issuance or financial risk management team monitors the lifecycle of
the PPSI's stablecoins for financial resilience, the PPSI may find it
beneficial for its AML/CFT program to consider using similar technology
or approaches in managing and mitigating its ML/TF risks.
The proposed rule also includes several other program requirements.
The BSA requires AML/CFT programs to have an ``independent audit
function to test programs.'' \429\ Under the proposed rule, a PPSI
would need to establish independent AML/CFT program testing to be
conducted by the PPSI's personnel or an outside party.\430\ The GENIUS
Act, 12 U.S.C. 5903(a)(5)(A)(i), and the BSA, 31 U.S.C. 5318(h)(1)(B),
also require PPSIs to designate an AML/CFT officer. Under the proposed
rule, PPSI's would be required to designate an individual, who is
located in the United States and accessible to, subject to oversight
and supervision by, FinCEN and its designee, and has not been convicted
of certain felony offenses.\431\ The AML/CFT officer would be
responsible for establishing and implementing the AML/CFT program and
coordinating and monitoring day-to-day compliance with the requirements
and prohibitions of the BSA and FinCEN's implementing regulations.\432\
The BSA additionally requires AML/CFT programs to have an ``ongoing
employee training program;'' \433\ accordingly, the proposed rule would
require PPSIs to have an ongoing employee training program.\434\
---------------------------------------------------------------------------
\429\ See 31 U.S.C. 5318(h)(1)(D).
\430\ See supra section VI.C.3.ii.b.
\431\ See supra section VI.C.3.ii.c.
\432\ This individual is also commonly referred to as a ``BSA
officer.'' However, as discussed below, the particular labels that
FinCEN or a PPSI may use to refer to this individual are immaterial.
\433\ See 31 U.S.C. 5318(h)(1)(C).
\434\ See supra section VI.C.3.ii.d.
---------------------------------------------------------------------------
The proposed rule would require PPSIs to have a written AML/CFT
program and would require the PPSI to make a copy of its written AML/
CFT program available to FinCEN or its designee upon request. The
proposed rule would also require that a PPSI's written AML/CFT program
be approved by the PPSI's board of directors or an equivalent governing
body within the PPIS, or appropriate senior management of the PPSI. The
proposed rule specifies that approval encompasses each of the
components of the AML/CFT program.\435\ In addition, the proposed rule
would require PPSIs to make available to FinCEN, or its designee, upon
request any and all certifications submitted to the PPSI's primary
Federal payment stablecoin regulator or State payment stablecoin
regulator certifying that the PPSI has implemented an AML/CFT program.
---------------------------------------------------------------------------
\435\ See supra sections VI.C.3.iii-iv.
---------------------------------------------------------------------------
FinCEN is proposing to require PPSIs to establish and maintain
written procedures that are reasonably designed to identify and verify
the beneficial owners of legal entity customers as part of a PPSI's
AML/CFT program obligations.\436\ These requirements mirror existing
BSA requirements that apply to many other financial institutions. The
GENIUS Act requires that PPSIs be subject to ``due diligence
requirements.'' Collection of beneficial ownership information is a
core element of effective due diligence.
---------------------------------------------------------------------------
\436\ See supra section VI.C.5.
---------------------------------------------------------------------------
The proposed rule also sets forth a supervision and enforcement
framework. FinCEN expects proposed 31 CFR 1033.221(d) to affect PPSIs'
incentives because it provides that in determining to take, or in
review of, an AML/CFT enforcement action or significant AML/CFT
supervisory action, the FinCEN Director would take certain factors into
consideration, including facts and circumstances unique to the PPSI in
question. In particular, Sec. 1033.221(d)(2) would require the
Director to consider the PPSI's demonstrable efforts to advance AML/CFT
priorities such as its production of highly useful information,
analytics, or other innovations. FinCEN expects that the proposed
regulation could reasonably be expected to generate economic effects
because it would likely change the scope or nature of activities
undertaken and/or investments made.
b. Proposed Additional Technical Capabilities, Policies, and Procedures
The GENIUS Act requires that PPSIs have ``technical capabilities,
policies, and procedures to block, freeze, and reject specific or
impermissible transactions that violate Federal or State laws, rules,
or regulations.'' \437\ This is a novel requirement that does not
currently apply to other types of financial institutions.\438\ GENIUS
Act
[[Page 18637]]
also requires that PPSIs ``issue payment stablecoins only if the issuer
has the technological capability to comply, and will comply, with the
terms of any lawful order.'' \439\ The GENIUS Act defines ``lawful
order,'' which states, in part, that a lawful order is an order that is
subject to judicial review and is issued under Federal law that
requires a person to ``seize, freeze, burn or prevent the transfer of''
payment stablecoins the person issued and specifies the payment
stablecoins or account with reasonable particularity.\440\
---------------------------------------------------------------------------
\437\ 12 U.S.C. 5903(a)(5)(A)(iv).
\438\ As noted in section V.B, however, U.S. persons, including
U.S. financial institutions, are required to comply with U.S.
sanctions laws, including obligations to block, reject, and report
certain prohibited transactions.
\439\ 12 U.S.C. 5903(a)(6)(B).
\440\ See 12 U.S.C. 5901(16).
---------------------------------------------------------------------------
Due to the overlap in terms between this requirement and the
requirement that PPSIs be able to ``block, freeze, and reject''
specific transactions, under the proposed rule the regulatory text
regarding the block/freeze/reject requirement also includes the
requirement that PPSIs have capabilities, policies, and procedures in
place to comply with lawful orders.\441\
---------------------------------------------------------------------------
\441\ See supra sections VI.C.6.ii.
---------------------------------------------------------------------------
c. Proposed Currency Transaction and Suspicious Activity Reporting
The proposed rule includes reporting requirements related to
currency transaction reporting,\442\ Specifically, the proposal
requires PPSIs to file CTRs for ``each deposit, withdrawal, exchange of
currency or other payment or transfer, by, through, or to such
financial institution which involves a transaction in currency of more
than $10,000,'' unless subject to an applicable exemption. As discussed
in section VI.C.7 and section XII.A.2.iii.b.3, FinCEN recognizes that,
presently, stablecoin issuers rarely transact in physical transfers of
currency.
---------------------------------------------------------------------------
\442\ See supra section VI.C.7.
---------------------------------------------------------------------------
The GENIUS Act explicitly requires PPSIs to be subject to BSA
requirements relating to ``monitoring and reporting of any suspicious
transaction relevant to a possible violation of law or regulation.''
Under the BSA, FinCEN has authority to require any financial
institution to report ``any suspicious transaction relevant to a
possible violation of law or regulation.'' With limited exceptions, all
financial institutions subject to the BSA are required to identify and
report suspicious activity. These reports provide highly useful
information that is leveraged by authorized users as part of criminal,
tax, and regulatory investigations; risk assessments; and intelligence
and counterintelligence activities. The proposed rule implements these
requirements for PPSIs.\443\ PPSIs would also be required to maintain
copies of filed SARs and the underlying related documentation for a
period of five years from the date of filing. The proposed rule also
applies standards for SARs relating to confidentiality and liability.
---------------------------------------------------------------------------
\443\ See supra section VI.C.8.
---------------------------------------------------------------------------
d. Proposed Recordkeeping
The GENIUS Act requires that PPSIs be subject to laws relating to
``retention of appropriate records.'' \444\ Under the BSA, FinCEN has
authority to impose on financial institutions obligations relating to
requiring, retaining, and maintaining records.\445\ Pursuant to this
authority, FinCEN has issued recordkeeping regulations, including those
codified as 31 CFR part 1010, subpart D, which apply broadly to
financial institutions subject to specified exceptions. These
recordkeeping obligations enhance law enforcement's ability to detect,
investigate, and prosecute money laundering and other financial crimes
by preserving an information trail about persons sending and receiving
funds. This proposed rule would apply these recordkeeping regulations
to PPSIs.\446\
---------------------------------------------------------------------------
\444\ See 12 U.S.C. 5903(a)(5)(A)(ii).
\445\ See 12 U.S.C. 1953; 31 U.S.C. 5318(a)(2); see also 12
U.S.C. 5901(2) (defining ``Bank Secrecy Act'' to include 12 U.S.C.
1951 et seq.); 31 U.S.C. 5311(1) (stating purpose of the BSA
includes requiring records that are highly useful for law
enforcement and regulatory investigations and intelligence and
counterintelligence activities).
\446\ See supra section VI.C.9.
---------------------------------------------------------------------------
The recordkeeping obligations would require PPSIs to create and
retain certain records for extensions of credit in excess of $10,000;
and certain records of cross-border transfers of currency, monetary
instruments, funds, checks, investment securities, and credit worth
more than $10,000. The proposal also requires financial institutions to
collect and retain records for funds transfers and transmittals of
funds in amounts of $3,000 or more. Lastly, The Travel Rule requires
financial institutions to transmit information on certain funds
transfers and transmittals of funds to other financial institutions
participating in the transfer or transmittal.
e. Special Information Sharing
The proposed rule would apply the information sharing provisions at
Sec. 1010.520 also known as 314(a) and Sec. 1010.540 also known as
314(b) to PPSIs. The description of requirements in section VI.C.10
above is adopted by reference.
f. Special Standards of Diligence, Prohibitions, and Special Measures
Finally, the proposal would require that PPSIs be subject to some
of the special standards of diligence, prohibitions, and special
measures under section 311 of the USA PATRIOT Act, including enhanced
due diligence for correspondent and private banking accounts and
additional special measures.\447\ As discussed in section VI.C.11,
FinCEN is not proposing to apply 31 CFR 1010.630 to PPSIs, which would
prohibit correspondent accounts for foreign shell banks. Thus, this
provision is not relevant to the cost of the proposed rule. The
proposed rule would require PPSIs to comply with special measures
issued pursuant to the sections 311, 9714(a), and 2313a to maintain the
options available under these sections to protect the U.S. financial
system from certain illicit finance threats.\448\
---------------------------------------------------------------------------
\447\ See supra section VI.C.11.
\448\ See supra section VI.C.11.iii.
---------------------------------------------------------------------------
iv. Proposed OFAC Sanctions Compliance Program Requirements
The GENIUS Act requires that PPSIs maintain an ``effective
sanctions compliance program'' \449\ and that regulations promulgated
under the Act are ``tailored to the size and complexity'' \450\ of a
PPSI. To implement this requirement, OFAC's proposed rule would require
PPSIs adopt a sanctions compliance program that includes, at a minimum,
five key elements outlined in OFAC's 2019 Compliance Framework: \451\
(1) senior management and organizational commitments,\452\ requiring
that a PPSI's senior management establish and maintain an effective
sanctions compliance program as prescribed in the proposed rule; (2)
risk assessments,\453\ requiring holistic assessments of sanctions
risks at appropriate intervals that are utilized and revised as
specified in the proposed rule; (3) internal controls,\454\ which are
applicable to all payment stablecoin-related activity, whether on the
primary or secondary market, that identify, block, and/or reject
transactions that may violate or would violate U.S. sanctions and
retains relevant records in accordance with OFAC regulations; (4) an
independent testing and auditing function,\455\ accountable to senior
[[Page 18638]]
management, with sufficient resources, expertise, and authority; and
(5) training,\456\ requiring PPSIs to establish and maintain a risk-
based sanctions compliance training program for all relevant personnel
and stakeholders.\457\
---------------------------------------------------------------------------
\449\ 12 U.S.C. 5903(a)(5)(A)(vi).
\450\ 12 U.S.C. 5903(a)(5)(B).
\451\ See supra section VII.B; OFAC, 2019 Compliance Framework,
supra note 285.
\452\ See supra section VII.B.1.
\453\ See supra section VII.B.2.
\454\ See supra section VII.B.3.
\455\ See supra section VII.B.4.
\456\ See supra section VII.B.5.
\457\ See OFAC, 2019 Compliance Framework, supra note 285.
---------------------------------------------------------------------------
The GENIUS Act's requirement that PPSIs maintain an effective
sanctions compliance program is a novel legal requirement that
currently does not apply to other U.S. persons.\458\ Nevertheless, the
five enumerated minimum elements for a sanctions compliance program
included in the proposed rule reflect a well-established risk-based
approach to sanctions compliance that OFAC has strongly encouraged and
for which OFAC has issued publicly available guidance, including the
2019 Compliance Framework.\459\ Accordingly, apart from one new
recordkeeping requirement discussed below, OFAC does not assess the
required elements of a sanctions compliance program as proposed would
impose novel incremental economic costs. OFAC's history of enforcing
U.S. sanctions has shown that, as a matter of current industry
practice, actors in the digital asset ecosystem--alongside numerous
other U.S. persons--employ sanctions compliance practices that are
typically risk based, technology enabled, and informed by the outlined
OFAC guidance.
---------------------------------------------------------------------------
\458\ A PPSI, by virtue of their status as a U.S. person would
be required to comply with U.S. sanctions obligations applicable to
U.S. persons under OFAC's existing regulations. See, e.g., 31 CFR
510.326, 555.313, 583.314.
\459\ See OFAC, 2019 Compliance Framework, supra note 285; OFAC,
Virtual Currency Industry Guidance, supra note 286.
---------------------------------------------------------------------------
The proposed rule would impose certain recordkeeping requirements
that extend beyond current obligations on U.S. persons pursuant to
existing regulations administered by OFAC.\460\ First, the proposed
rule would require a PPSI to maintain records of the results and
enhancements that are made to a PPSI's sanctions compliance program in
line with the testing and auditing mandated by the proposed rule.\461\
Second, the proposed rule would require PPSIs to provide upon request
to OFAC any and all certifications submitted to the PPSI's primary
Federal payment stablecoin regulator or State payment stablecoin
regulator certifying that the PPSI has implemented an effective
sanctions compliance program.\462\
---------------------------------------------------------------------------
\460\ See 31 CFR part 501.
\461\ See supra section VII.B.4.
\462\ See supra section VII.A.
---------------------------------------------------------------------------
4. Anticipated Economic Effects
This section provides FinCEN and OFAC's analysis of the estimated
benefits and costs of the proposed rule. While not all benefits and
costs are readily quantifiable, in this analysis FinCEN and OFAC have
sought to include an evaluation of certain foreseeable non-quantified
economic benefits in addition to quantified costs to more
comprehensively assess the potential net benefit of the proposed rule
and select alternatives.
i. Expected Benefits
The proposed rule is anticipated to result in certain
nonquantifiable benefits to covered PPSIs, law enforcement, national
security, U.S. foreign policy objectives and the general public. As
discussed in section XII.A.1, these benefits are expected to flow from
the extent to which BSA and sanctions compliance program requirements
reduce uncertainty, improve transparency, and increase adherence to
legal requirements in the stablecoin industry.
The benefits assessed here are more difficult to quantify than the
costs, but the proposed rule is nonetheless anticipated to add
substantial value directly and indirectly through effects that can
contribute to the detection and deterrence of money laundering and
terrorist financing, and that support broader policy goals.
Significant direct benefits of the proposed rule are expected to
accrue to the public sector, most notably to U.S. law enforcement and
the national security community, and to the stablecoin industry itself.
Further, the identification of illicit activity in, or malign uses of,
the stablecoin industry that would not occur but for the application of
specific program, sanctions compliance, technology, reporting, and
recordkeeping obligations to payment stablecoin issuers would (1)
result in more effective detection of illicit finance activity
occurring through the industry and (2) contribute to deterrence. This
would benefit society more generally through a range of economic,
security, and other effects.
The proposed rule is also expected to benefit participants in the
payment stablecoin industry by introducing greater regulatory clarity
and industry-specific standards around AML/CFT and sanctions compliance
program requirements. By introducing legal clarity around the status
and requirements of certain issuers of payment stablecoins, the GENIUS
Act and the proposed rule may reduce certain information asymmetries
between investors and stablecoin issuers. As discussed earlier,
regulatory uncertainty often increases investors' perceptions of risk
and reduces or otherwise distorts equilibrium levels of investment.
Regulatory measures affecting digital assets in U.S. states have been
found to be associated with significant increases in industry
investment activity.\463\
---------------------------------------------------------------------------
\463\ A BIS study found that a one-standard-deviation increase
in digital asset regulatory comprehensiveness, as measured by the
authors, was associated with a 30-percent increase in capital raised
by crypto-related firms located in those jurisdictions. See Matteo
Aquilina, Giulio Cornelli, and Marina Sanchez del Villar,
``Regulation, Information Asymmetries and the Funding of New
Ventures,'' BIS Working Papers, no. 1162, pp. 5-21 (Jan. 2024),
available at https://www.bis.org/publ/work1162.pdf.
---------------------------------------------------------------------------
In addition, the AML/CFT and sanctions compliance program
requirements in the proposed rule would provide further benefit by
addressing existing gaps and market externalities, with potentially
significant implications for detection and deterrence. For instance,
some anticipated results associated with the proposed rule include (1)
implementing enhanced technology standards for PPSIs that are not
currently applicable to MSBs or banks, (2) requiring non-IDI subsidiary
PPSIs to collect more detailed information on legal entities who are
their primary market customers, (3) setting clear standards for PPSIs
that prevent stablecoin products from exploiting or being exploited by
regulatory arbitrage or ambiguity, and (4) codifying sanctions
compliance requirements. These changes would support law enforcement by
ensuring the technological means to mitigate the use of illicit funds
by criminal actors. These changes would indirectly benefit the public
at large by reducing money laundering and sanction evasion activity,
which can distort legitimate markets, countering the financing of
terrorism and other illicit finance activity, and protecting national
security.
In addition, the newly proposed requirement for PPSIs to establish
and maintain an effective sanctions compliance program would increase
transparency and accountability, closing certain potential avenues for
sanctions evasion, and helping ensure consistent regulatory oversight.
ii. Expected Costs
This section assesses the potential incremental costs to PPSIs,
government agencies, and the customers of PPSIs associated with the
proposed rule, relative to the baseline over a three-year period in
which a final rule would be
[[Page 18639]]
effective.\464\ For PPSIs, this includes incremental costs associated
with the need to (1) establish and maintain a written AML/CFT program
and an effective sanctions compliance program in accordance with the
requirements of the proposed rule, (2) update training programs to
contain sanctions compliance, (3) conduct ongoing CDD and BOI
collection for legal entity customers, (4) store the results of the
testing and auditing of the sanctions compliance program and implement
required technology, and (5) comply with special measures. The section
also includes discussion of other costs to PPSIs associated with
requirements in the proposed rule that are not considered incremental.
The analysis then estimates costs to customers of providing information
to PPSIs that the proposed rule would require, and costs to the
government to support and enforce the totality of proposed requirements
described herein. Given the substantial, but not complete, overlap in
practice between an AML/CFT program and the proposed sanctions
compliance program, the remainder of section XII.A.4.ii. ascribes and
discusses certain expected costs to both FinCEN and OFAC requirements
jointly where appropriate. For elements applicable only to FinCEN or
OFAC requirements, only the relevant agency is included in that
subsection.
---------------------------------------------------------------------------
\464\ Note, the incremental costs presented in this subsection
differ in several ways from the PRA recordkeeping and reporting
costs presented in section XII.E below. The cost totals presented
here reflect the estimated incremental costs that would result from
this proposed rule, while the costs presented in section XII.E
analysis include pro forma accounting of all costs associated with
the PRA recordkeeping and reporting activities required by the
proposed rule, even if such activities are already being conducted
by the respondents.
---------------------------------------------------------------------------
In sum, FinCEN and OFAC expect the total incremental cost of the
proposed rule for PPSIs to be approximately $1.8 million in the first
year (approximately $24,983 per insured depository institution (IDI)-
subsidiary PPSI and $52,453 per non-IDI subsidiary PPSI), and $1
million in each year thereafter (approximately $10,249 per IDI-
subsidiary PPSI and $36,760 per non-IDI subsidiary PPSI).\465\ However,
the cost for smaller PPSIs is expected to be significantly less on
average, approximately $13,737 per IDI-subsidiary PPSI and $22,987 per
non-IDI subsidiary PPSI in the first year.\466\ FinCEN and OFAC
estimate that up to 19 of the 50 potential PPSIs could be small; \467\
thus, the average first-year cost to the small PPSIs is estimated to
range between $261,011 and $436,762. The cost to government is expected
to be $1.7 million in the year prior to the final rule's effective
date, $5.9 million in the first year, and $2.9 million in each year
thereafter. The cost to customers is expected to be approximately $1.2
million annually. In total, the quantified economic costs of the
proposed rule would amount to an average incremental expenditure of
approximately $6.5 million per year once a final rule became effective.
---------------------------------------------------------------------------
\465\ FinCEN estimates that the net present value of costs
associated with a three-year time horizon is $3.44 million ($3.68
million) using a 7 precent (3 percent) discount rate, respectively.
This equates to annualized costs of $1.31 million ($1.30 million)
using the same discount rates.
\466\ See infra section XII.A.4.ii.a for a discussion of the
basis for differential cost estimates by size. See specifically
sections XII.A.4.ii.a.1, 4, and 7.
\467\ This estimate was obtained by applying the equivalent
annual revenue threshold for small entities described and utilized
in the IRFA below. See infra section XII.C.2.i.b.
Table 3--Quantified Incremental Costs of the Proposed Rule by Year
----------------------------------------------------------------------------------------------------------------
Affected party Year (-1) Year 1 Year 2 Year 3 3-Year average
----------------------------------------------------------------------------------------------------------------
PPSIs........................... .............. $1,798,558 $1,042,670 $1,042,670 $1,294,633
Government...................... 1,713,930 5,871,244 2,938,297 2,938,297 3,915,946
New PPSI Customers.............. .............. 1,245,800 1,245,800 1,245,800 1,245,800
-------------------------------------------------------------------------------
Annual Incremental Costs.... 1,713,930 8,915,602 5,226,768 5,226,768 6,456,379
----------------------------------------------------------------------------------------------------------------
a. Costs for PPSIs
In this subsection, FinCEN and OFAC identify the costs associated
with (1) program development and maintenance; (2) audit and independent
testing, (3) training development and implementation; (4) customer due
diligence; (5) addition technical capabilities, policies, and
procedures; (6) BSA reporting; (7) recordkeeping and technology; (8)
information sharing; (9) special standards of diligence; and (10)
section 311 and other special measures. Some of these costs are
expected to flow from requirements proposed by FinCEN, others from
requirements proposed by OFAC, and others could not be meaningfully
disaggregated and separately attributed given the nature of how the
respective programs are expected to be jointly operationalized in an
integrated fashion by future PPSIs. FinCEN and OFAC further anticipate
that many of the costs articulated below would not represent
incremental costs uniquely attributable to the requirements of the
proposed rule. Where relevant, FinCEN and OFAC have provided
explanation below when the pro forma costs presented are expected to
differ from the anticipated incremental costs of the respective
proposed requirements.
1. Program Development and Maintenance
The proposed rule would require PPSIs to establish and maintain an
effective AML/CFT program and an effective sanctions compliance
program, described in sections VI.C.3 and VII.B, respectively. FinCEN
and OFAC outline the impacts of these requirements on incremental costs
below.
With respect to FinCEN requirements, PPSIs would be required to
establish and maintain an effective AML/CFT program comprised of: (1)
internal policies, procedures, and controls; (2) an independent audit
function; (3) a designated compliance officer; and (4) an ongoing
employee training program. A PPSI's internal policies, procedures, and
controls would need to be reasonably designed to identify, assess, and
document the PPSI's ML/TF risks through risk assessment processes and
mitigate the PPSI's ML/TF risks, consistent with the PPSI's risk
assessment processes, including by allocating more attention and
resources toward higher risk customers and activities rather than
toward lower-risk customers and activities. PPSIs would be required to
conduct independent testing to assess the PPSI's compliance with the
AML/CFT statutory and regulatory requirements. A PPSI would be required
to designate an individual responsible for establishing and
implementing the AML/CFT program. A PPSI would be required to establish
an ongoing employee training program. A PPSI would also be required to
keep its
[[Page 18640]]
risk-based internal policies, procedures, and controls, risk assessment
processes, and employee training program current as the PPSI's risk
profile changes.
The proposed rule would also require that PPSI's AML/CFT program be
written, and that a PPSI, upon request, make available a copy of its
written AML/CFT program to FinCEN or its designee. It would also
require the PPSI's AML/CFT program be approved by the PPSI's board of
directors or an equivalent governing body within the PPSI, or
appropriate senior management.
PPSIs that do not already have an AML/CFT program in place would
incur costs to establish such a program and have it approved by the
PPSI's board of directors or an equivalent governing body within the
PPSI, or appropriate senior management. A PPIS that already has a AML/
CFT program would need to review and/or modify its program to ensure it
complies with the requirements of the rule. In addition, all PPSIs
would incur costs for maintaining, updating, storing, and producing
upon request the written AML/CFT program.\468\
---------------------------------------------------------------------------
\468\ This includes both producing the program and any program
certifications upon request. See supra sections VI.C.3.iii and iv.
---------------------------------------------------------------------------
With respect to OFAC requirements, PPSIs would need to establish
and maintain an effective sanctions compliance program. The program
must be risk based and reasonably designed to ensure compliance with
all applicable U.S. sanctions. Entities that do not have a sanctions
compliance program in place would need to establish such a program, and
those with a sanctions compliance program would need to review and, as
necessary and appropriate, modify their programs to ensure they comply
with the requirements of the final rule. In line with an organizational
commitment to the compliance program, senior management would need to
review and approve the sanctions compliance program. Senior management
would also be required to support the effective implementation of the
sanctions compliance program, as previously described in section
VII.B.1, by ensuring that it is appropriately resourced, supported, and
integrated into a PPSI's operations. A key part of this program
implementation is the establishment and maintenance of a system of
risk-based internal controls, as described in section VII.B.3,
including technical capabilities and written policies and procedures,
to identify any activity prohibited by U.S. sanctions and take
appropriate action, including blocking, rejecting, and reporting
certain transactions in compliance with existing OFAC regulations.
In support of maintaining an effective sanctions compliance
program, OFAC's proposed rule would require the conduct of holistic
risk assessments at appropriate intervals, as outlined in VII.B.2.
These periodic risk assessments are essential to a current and
effective sanctions compliance program, including in terms of
understanding risk and maintaining up-to-date internal controls and
training programs. Internal controls and risk assessments are already a
key element of standard sanctions compliance practices common among
regulated actors and thus OFAC does not assess this requirement to
incur incremental economic costs, despite being a novel explicit
requirement.
In practice, FinCEN and OFAC expect that some elements of a PPSI's
AML/CFT program may overlap with its sanctions compliance program. For
instance, approval of the AML/CFT program would also likely include
approval of the sanctions compliance program, and risk assessments
could be conducted enterprise-wide to evaluate risks stemming from both
AML/CFT and sanctions compliance obligations. Thus, OFAC does not
expect that most requirements associated with sanctions compliance
program implementation would impose an incremental cost beyond the
overall AML/CFT program implementation.
As discussed in section XII.A.2.ii.a, FinCEN and OFAC expect that
most PPSIs would be U.S. persons that are likely successors to MSBs or
affiliated with insured depository institutions, which already have
AML/CFT program requirements and generally, in practice have systems to
comply with sanctions similar to the ones that would be required to
comply with the proposed rule. Thus, the incremental costs contemplated
here are only those entailed by the need for PPSIs to review the
regulation and make any changes or modifications to their AML/CFT or
sanctions compliance programs. The modified program would then be
approved and appropriate records retained to be produced upon request.
FinCEN and OFAC expect that on average, the incremental burden
associated with establishing and maintaining a written AML/CFT and
sanctions compliance program (including the time burden associated with
storing and producing the relevant program records upon request) would
take approximately 30 hours per PPSI in the first year and ten hours in
each subsequent year. However, because MSBs and insured depository
institutions already generally update their programs annually, FinCEN
and OFAC only account for the first-year burden as an incremental cost.
As presented in table 4, FinCEN and OFAC estimate an average
incremental cost of $3,737 per PPSI and a total incremental cost of
$186,870 in the first year associated with this activity.\469\
---------------------------------------------------------------------------
\469\ Throughout this analysis, FinCEN and OFAC apply an hourly
wage rate that is a general composite hourly wage rate ($87.61)
scaled by a private sector benefits factor of 1.42 ($124.58 = $87.61
x 1.42). This incorporates Bureau of Labor Statistics (BLS) mean
wage data associated with six occupational codes (11-1010: Chief
Executives; 11-3021: Computer and Information Systems Managers; 11-
3031: Financial Managers; 13-1041: Compliance Officers; 23-1010:
Lawyers and Judicial Law Clerks; 43-3099: Financial Clerks, All
Other) for each of the nine groupings of NAICS industry codes that
FinCEN and OFAC determined are most directly comparable to its 11
categories of potentially affected financial institutions as
delineated in 31 CFR parts 1020 to 1030. See BLS, May 2024--National
industry-specific and by ownership, available at https://www.bls.gov/oes/tables.htm. Given that many occupations provide
benefits beyond wages (e.g., insurance and paid leave), FinCEN and
OFAC apply the private sector benefit factor to the unloaded wage
rate to reflect the total cost to the employer. The benefit factor
is the ratio of total compensation (which includes wages and
benefits) to wages. Total compensation = 43.94 and Wages and
salaries = 30.90 (1.42 = 43.94 / 30.90) as of June 2024, based on
the private industry workers series data downloaded from BLS. BLS,
Employer Costs for Employee Compensation data, available at https://www.bls.gov/news.release/archives/ecec_09102024.pdf.
Table 4--Estimated First-Year Incremental Cost To Establish and Maintain a Written AML/CFT Program
----------------------------------------------------------------------------------------------------------------
Hours per PPSI Cost per PPSI Number of PPSIs Total cost
----------------------------------------------------------------------------------------------------------------
30........................................................... $3,737 50 $186,870
----------------------------------------------------------------------------------------------------------------
[[Page 18641]]
2. Audit and Independent Testing
FinCEN and OFAC also expect PPSIs to face costs associated with
independent testing of their AML/CFT program and sanctions compliance
program and associated systems.\470\ Because such testing often relates
closely to the technology services financial institutions typically
have in place for these compliance functions, the costs for such
testing are considered jointly with technology implementation. In
concordance with previous FinCEN analysis on this topic,\471\ FinCEN
and OFAC expect the cost of independent testing to be comparable to the
cost of technology implementation. However, because MSBs and banks are
already subject to audit and testing requirements, these costs are not
included in the estimate of novel incremental costs of the proposed
rule.
---------------------------------------------------------------------------
\470\ See supra sections VI.C.3.ii.b and VII.B.4.
\471\ In 2024, FinCEN's analysis of AML/CFT software
implementation and testing, based on a 2020 study by the GAO,
estimated independent AML/CFT testing for financial institutions to
cost approximately $17,000, which was 1.37 times more costly than
AML/CFT software implementation. See FinCEN, Financial Crimes
Enforcement Network: Anti-Money Laundering/Countering the Financing
of Terrorism Program and Suspicious Activity Report Filing
Requirements for Registered Investment Advisers and Exempt Reporting
Advisers, 89 FR 72230 (Sept. 4, 2024), at table 5.3.
---------------------------------------------------------------------------
To ensure the integrity of PPSIs' sanctions compliance programs and
internal controls, as outlined in VII.B.4., OFAC's proposed rule would
also require that PPSIs maintain an independent testing or audit
function to examine the effectiveness of their sanctions compliance
program, including their internal controls. PPSIs would also need to
utilize the results of such tests and audits to identify and implement
any needed changes to its sanctions compliance program. In practice,
OFAC expects that PPSIs would conduct any AML/CFT and sanctions
compliance program testing or audits jointly.
3. Training Development and Implementation
The proposed rule would require a PPSI to provide ongoing employee
training as part of its AML/CFT program and to establish and maintain a
risk-based compliance training program as part of its sanctions
compliance program in accordance with the requirements as described in
sections VI.C.3.ii.d and VII.B.5, respectively. FinCEN and OFAC outline
the expected economic impacts of these requirements on incremental
costs below.
With respect to FinCEN requirements, a PPSI's AML/CFT program must
include an ongoing employee training program.\472\ The training should
generally cover the PPSI's internal policies, procedures, and controls,
which in turn reflect the results of the PPSI's risk assessment
processes, the latest AML/CFT regulatory requirements, and other
relevant information. While the proposed rule does not prescribe the
frequency with which the training should occur, PPSIs should conduct
the training as frequently as they deem necessary based on their
unique, individual ML/TF risk profiles and the specific roles and
responsibilities of the persons receiving the training.
---------------------------------------------------------------------------
\472\ See supra section VI.C.3.ii.d.
---------------------------------------------------------------------------
As described in section VII.B.5, OFAC's proposed rule would require
a PPSI to establish and maintain a risk-based compliance training
program that is conducted at least annually, provided to all relevant
personnel and stakeholders, appropriately tailored to each trainee's
role and responsibilities, and based appropriately on the PPSI's risk
assessment and risk profile.\473\ Additionally, OFAC would require that
a PPSI's compliance training program be modified to reflect risk
assessments findings and identified deficiencies as well as designed to
include easily accessible resources and materials for all.
---------------------------------------------------------------------------
\473\ See supra section VII.B.5.
---------------------------------------------------------------------------
Although these are separate requirements, it is common for
financial institutions to include sanctions in their AML/CFT training.
FinCEN and OFAC expect that PPSIs would face limited costs in training
development, implementation, and execution for employees relative to
other financial institutions like traditional large banks because
stablecoin issuers typically operate under a capital-intensive model
with fewer employees.\474\ Because overall AML/CFT training
requirements already exist for MSBs and banks, this proposed
requirement would only impose a small incremental cost associated with
updating training to contain sanctions compliance. Table 5 provides an
estimate of the one-time costs associated with establishing and
maintaining the employee training program in the first year. Because
annual ongoing costs associated with training programs already exist
for MSBs and banks, FinCEN and OFAC do not assign additional
incremental costs in subsequent years attributed to the proposed rule.
---------------------------------------------------------------------------
\474\ FinCEN and OFAC invite comment on whether these are
accurate assumptions.
Table 5--Estimated First-Year Incremental Costs To Establish and Maintain an Ongoing Employee Training Program
----------------------------------------------------------------------------------------------------------------
Hours per PPSI Cost per PPSI Number of PPSIs Total cost
----------------------------------------------------------------------------------------------------------------
8............................................................ $997 50 $49,832
----------------------------------------------------------------------------------------------------------------
4. Customer Due Diligence
The proposed rule would require PPSIs to conduct ongoing CDD as
part of their AML/CFT program. Specifically, PPSIs would be required to
(1) understand the nature and purpose of customer relationships for the
purpose of developing a customer risk profile; and (2) conduct ongoing
monitoring to identify and report suspicious transactions and, on a
risk basis, to maintain and update customer information, including
information regarding the beneficial owners of a legal entity customer.
This section estimates the cost to PPSIs of CDD activities and the
collection of BOI from legal entity customers.
Because ongoing CDD is a risk-based activity not inherently tied to
the number of customers a PPSI has, FinCEN estimates a fixed annual
burden of 50 hours per PPSI. This estimate reflects similar costs
expected to accrue to other financial institution types subject to CDD
requirements as proposed in another FinCEN rulemaking.\475\ Using the
annual average of 650 new customers per PPSI, as discussed in section
XII.A.2.ii.d.2, this estimate equates to nearly five minutes per
customer. However, as CDD activities need not be applied to every
customer if doing so would be inconsistent with an allocation of
resources that prioritizes higher risk,
[[Page 18642]]
this merely serves as an illustrative estimation. In practice, FinCEN
expects PPSIs might allocate a fixed amount of effort and resources to
the review of customers ranked by identified risk, meaning that some
customers would experience significant review, while others may not
experience any in a given year. In addition, because ongoing CDD is
already required of banks, this proposed requirement is not expected to
result in incremental costs for IDI-subsidiary PPSIs. As presented in
table 6, for 20 non-IDI subsidiary PPSI, the incremental cost of this
requirement amounts to an annual per-firm burden of 50 hours, a total
burden of 1,000 hours, a per-firm cost of $6,229, and a total cost of
$124,580.
---------------------------------------------------------------------------
\475\ See the 2026 NPRM, FinCEN, Anti-Money Laundering and
Countering the Financing of Terrorism Programs, at section X.E.2 of
that NPRM.
Table 6--Estimated Annual Incremental Costs Associated With Ongoing CDD for Non-IDI Subsidiary PPSIs
----------------------------------------------------------------------------------------------------------------
Hours per PPSI Cost per PPSI Number of PPSIs Total cost
----------------------------------------------------------------------------------------------------------------
50........................................................... $6,229 20 $124,580
----------------------------------------------------------------------------------------------------------------
In addition to ongoing CDD, PPSIs would be required to collect and
verify BOI of new accounts opened by legal entity customers.\476\ These
would represent new requirements not currently applicable to MSBs and
are therefore considered by FinCEN to result in incremental costs for
non-IDI subsidiary PPSIs. A PPSI may obtain the required identifying
information by either obtaining a prescribed certification form from
the individual opening the account on behalf of the legal entity
customer or by obtaining the required information directly from the
individual. PPSIs would be required to retain records used to identify
each beneficial owner of a legal entity customer for five years after
the date the account is closed.
---------------------------------------------------------------------------
\476\ See supra VI.C.5.
---------------------------------------------------------------------------
Some of the activities a PPSI would undertake to satisfy CDD
requirements are difficult to meaningfully separate from similar and
complementary activities that would be undertaken to satisfy a PPSI's
CIP requirements, which the GENIUS Act directs to be imposed on PPSIs.
Therefore, some burden elements associated with collecting customer
information that serves both CIP and CDD purposes would also be
accounted for in the regulatory analysis accompanying such a CIP-
specific proposal. However, the cost of beneficial ownership
verification, which extends beyond the basic customer information
collection requirements that would be contained in a PPSI CIP NPRM, are
estimated below.
FinCEN anticipates a population of approximately 20 non-IDI
subsidiary PPSIs that are not currently subject to any BOI collection
requirement for new customers.\477\ BOI collection would be required
only for new primary market customers. FinCEN anticipates the
additional BOI collection for new customers would require 15 minutes
(0.25 hours) on average per customer. PPSIs are expected to have an
average of 650 new customers per year,\478\ and virtually all of these
are expected to be legal entities. Thus, as presented in table 7,
FinCEN conservatively estimates that BOI collection would result in an
annual incremental cost of $20,244 per non-IDI subsidiary PPSI,
resulting in a total incremental cost of $404,885 per year. For small
PPSIs, the number of expected primary market customers is expected to
be closer to 100, or 65 new customers annually. Thus, the anticipated
cost for small PPSIs is expected to be substantially less than the
average presented here (approximately $2,024 per PPSI). As this section
does not apply to OFAC related requirements, no additional OFAC
associated costs were considered here.
---------------------------------------------------------------------------
\477\ See supra section XII.A.2.ii.a.
\478\ See supra section XII.A.2.ii.d.2.
Table 7--Estimated Annual Incremental Cost of BOI Collection for Legal Entity Customers
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hours per
Number of new customers customer Hours per PPSI Cost per PPSI Number of PPSIs Total cost
--------------------------------------------------------------------------------------------------------------------------------------------------------
650................................................................ 0.25 162.5 $20,244 20 $404,885
--------------------------------------------------------------------------------------------------------------------------------------------------------
5. Additional Technical Capabilities, Policies, and Procedures
The proposed rule would require PPSIs to have technical
capabilities, policies, and procedures to block, freeze, and reject
specific or impermissible transactions that violate Federal or State
laws, rules, or regulations, described in VI.C.5.i. The requirement
would apply to both a PPSI's primary market and secondary market
activity. The proposed rule would also require PPSIs to have the
technological capability to comply, and to comply with the terms of any
lawful order, described in VI.C.5.ii. Although these are separate
obligations, FinCEN expects that PPSIs may use the same technological
capability to comply with both. FinCEN also expects that stablecoin
issuers may already have in place technical capabilities and policies
and procedures relating to taking action regarding impermissible
transactions and adhering to lawful orders because of existing legal
requirements, including complying with OFAC sanctions and court
orders.\479\
---------------------------------------------------------------------------
\479\ With respect to OFAC requirements, as described in section
VII.B.3, under the proposed rule, OFAC would require a PPSI to
establish and maintain risk-based controls, including technical
capabilities and written policies and procedures, to identify any
activity prohibited by U.S. sanctions and take appropriate action,
including blocking, rejecting, and reporting certain transactions in
compliance with existing OFAC regulations. While the technological
ability to block, freeze, and reject specific transactions would be
a new requirement, OFAC expects that most or all PPSIs would already
have this capability as a part of standard business practices.
---------------------------------------------------------------------------
For these reasons, the expected economic costs of the proposed
additional requirements with respect to technical capabilities,
policies, and procedures are not itemized separately or incrementally,
but are instead considered to be included in the costs associated with
the internal policies, procedures, and controls component of
establishing and maintaining an AML/CFT program and the broader general
technology costs of the proposed rule.
6. BSA Reporting
The proposed rule would require PPSIs to file BSA reports, namely
CTRs and SARs.
[[Page 18643]]
CTRs
As proposed, the rule would require a PPSI to file CTRs on
transactions in currency of more than $10,000, unless subject to an
applicable exemption, described in section VI.C.7 However, FinCEN
recognizes that, presently, stablecoin issuers rarely engage in
physical transfers of currency, and anticipate that because this would
likely also be the case for future PPSIs, the costs of actually filing
CTRs are expected to be de minimis. In addition, because CTR filing
requirements already exist for IDIs and MSBs, FinCEN does not consider
the costs of the proposed CTR filing obligation to represent a change
in requirements. Consequently, there is nothing to which a novel
incremental cost could attach.\480\
---------------------------------------------------------------------------
\480\ There are no OFAC associated costs considered here because
this section does not apply to OFAC related requirements.
---------------------------------------------------------------------------
SARs
The proposed rule would require PPSIs to file SARs for any
suspicious primary market transaction relevant to a possible violation
of law or regulation, described in section VI.C.8. In addition, PPSIs
would be required to maintain a copy of any SAR filed and the
supporting documentation for a period of five years from the date of
filing. Supporting documentation would need to be made available to
FinCEN and the prescribed law enforcement and regulatory authorities,
upon request.
Based on an analysis of SAR filings between 2021 and 2025 discussed
in section XII.A.2.iii.b, FinCEN estimates that PPSIs would each file
an average of 100 SARs per year, although some may file significantly
more than that. To estimate the range of costs associated with SAR
filing, FinCEN contemplated a range of potential filing scenarios, with
a low end of 100 and a high end of 1,000. FinCEN anticipates that each
SAR filing would take approximately 90 minutes (1.5 hours). Based on
market data, FinCEN estimates a distribution where five out of 50 PPSIs
would have stylized high reporting obligations in connection with more
widely used products with more, and more complex, SAR filings, and 45
out of 50 would have stylized low reporting obligations with fewer,
less complex SAR filings.\481\ Table 8 presents this distribution,
which results in a weighted annual average of 190 filings per PPSI,
resulting in an annual burden of 285 hours per PPSI.\482\
---------------------------------------------------------------------------
\481\ Among the products and issuers FinCEN examined, as
discussed in section XII.A.2.iii.b, the top five largest potential
PPSI issuers (each with reserve assets of over $300 million) filed
approximately 88 percent of the total SARs observed by FinCEN.
\482\ FinCEN and OFAC request public comment on the accuracy and
completeness of this estimate.
Table 8--Estimated Annual SAR Burden Associated With Filed Reports
----------------------------------------------------------------------------------------------------------------
Hours per Number of
Number of filings filing Total hours PPSIs
----------------------------------------------------------------------------------------------------------------
100............................................................. 1.5 150 45
1,000........................................................... 1.5 1,500 5
----------------------------------------------------------------------------------------------------------------
Based on survey responses reported in a 2018 Bank Policy Institute
report, of the suspicious activity alerts that are turned into full
case investigations (i.e., alerts that are not considered false
positives and involve additional documentation, which are hereafter
referred to as ``cases''), approximately 42 percent were turned into
SARs.\483\ Therefore, for each case filed as a SAR, approximately 1.4
cases were not filed. FinCEN estimates that each unfiled case would
take approximately 30 minutes (0.5 hours). Using the distribution
described above, FinCEN estimates a weighted annual average of 266
unfiled cases per PPSI, resulting in an additional annual burden of 133
hours per PPSI.
---------------------------------------------------------------------------
\483\ See Bank Policy Institute, Getting to Effectiveness--
Report on U.S. Financial Institution Resources Devoted to BSA/AML &
Sanctions Compliance (Oct. 29, 2018), table 1, p. 6, available at
https://bpi.com/wp-content/uploads/2018/10/BPI_AML_Sanctions_Study_vF.pdf.
Table 9--Estimated Annual SAR Burden Associated With Unfiled Cases
----------------------------------------------------------------------------------------------------------------
Number of Hours per Number of
Number of gilings unfiled cases unfiled case Total hours PPSIs
----------------------------------------------------------------------------------------------------------------
100............................................. 140 0.5 70 45
1,000........................................... 1,400 0.5 700 5
----------------------------------------------------------------------------------------------------------------
While these time estimates are used to provide a sense of the costs
associated with SAR reporting for PPSIs, because FinCEN assumes that as
the relevant counterfactual all future PPSIs would otherwise still have
SAR filing requirements either as an MSB or because of bank
affiliation, this proposed requirement is not expected to present a
novel incremental cost to PPSIs.\484\
---------------------------------------------------------------------------
\484\ This section does not apply to OFAC related requirements
and so OFAC associated costs are not considered here.
---------------------------------------------------------------------------
7. Recordkeeping and Technology
The proposed rule would require PPSIs be subject to recordkeeping
under the BSA and under OFAC regulations, described in sections VI.C.9
and VII.A, respectively. FinCEN and OFAC outline the impacts of these
requirements on incremental costs below.
With respect to FinCEN requirements, PPSIs would be required to
create and retain certain records for extension of credit in excess of
$10,000; and certain records of cross-border transfers of currency,
monetary instruments, funds, checks, investment securities, and credit
worth more than $10,000. PPSIs would be required to maintain records
related to any order issued under Sec. 1010.370(a) for up to five
years. PPSIs would also be required to comply with the Recordkeeping
Rule which would require PPSIs to collect and retain records for funds
transfers and transmittals of funds in amounts of $3,000 or more, and
the Travel Rule which would require PPSIs to transmit information on
certain funds transfers and transmittals of funds to other financial
institutions participating in the transfer or transmittal.
In practice, FinCEN expects that PPSIs would extend credit
infrequently and therefore expect the primary burden
[[Page 18644]]
from these proposed requirements to stem from compliance with the
Recordkeeping Rule and the Travel Rule. Cumulatively, FinCEN estimates
the annual recordkeeping burden per PPSI for these requirements would
be approximately 20 hours. However, because these requirements already
exist for banks and MSBs, FinCEN does not contemplate this as an
incremental cost attributable to the proposed rule.
With respect to OFAC requirements, the proposed rule includes a new
requirement that would require PPSIs to maintain records of the results
and enhancements from the testing and auditing components of their
sanction compliance programs, in addition to standard recordkeeping
requirements for U.S. persons pursuant to part 501 of title 31.\485\
This newly proposed recordkeeping requirement would apply only to the
results of the testing and auditing of the sanctions compliance program
component. However, OFAC acknowledges that in practice, many firms may
opt to store the results of their overarching AML/CFT program test, of
which sanctions compliance is an inseparable part. The average annual
cost of this specific recordkeeping activity, which is distinct from
the joint costs, is approximated in table 10.
---------------------------------------------------------------------------
\485\ See supra section VII.B.4.
Table 10--Estimated Incremental Annual Recordkeeping Cost
----------------------------------------------------------------------------------------------------------------
Hours per PPSI Cost per PPSI Number of PPSIs Total cost
----------------------------------------------------------------------------------------------------------------
2............................................................ $249 50 $12,458
----------------------------------------------------------------------------------------------------------------
FinCEN and OFAC also conservatively estimate a joint incremental
general technology cost associated with AML/CFT and sanctions
compliance obligations under the proposed rule. Based on market
research and given the wide range of customers that PPSIs interact
with,\486\ FinCEN and OFAC estimate that such technology costs, which
may include licensing fees for specialized software, would range from
approximately $10,000 to $20,000 per firm in the first year, and about
$5,000 to $10,000 annually thereafter (depending on firm size). For
purposes of cost estimation FinCEN and OFAC conservatively assign each
PPSI a $20,000 cost in the first year, for a maximum total incremental
cost of $1 million annually for 50 PPSIs. In subsequent years, FinCEN
and OFAC estimate they would each incur an annual cost of $10,000. This
includes the cost of technology implementation, annual transaction
screening, and recordkeeping.\487\ These costs are outlined in Table
11. Smaller PPSIs are expected to experience costs at the lower ends of
the ranges mentioned above.
---------------------------------------------------------------------------
\486\ See supra section XII.A.2.ii.d.2.
\487\ FinCEN and OFAC request public comment on the accuracy and
completeness of this estimate.
Table 11--Estimated Incremental Annual Technology Cost
------------------------------------------------------------------------
Estimated
Years Cost per number of Total cost
PPSI PPSIs
------------------------------------------------------------------------
1............................... $20,000 50 $1,000,000
2+.............................. 10,000 50 500,000
------------------------------------------------------------------------
8. Information Sharing
The proposed rule would apply the information sharing provisions at
Sec. 1010.520, also known as 314(a), and Sec. 1010.540, also known as
314(b), to PPSIs, described in section VI.C.10. Section 1010.520
requires a financial institution to search its records upon receipt of
a request from FinCEN and provide information in return. Section
1010.540 is a voluntary information sharing tool of which a financial
institution may, but is not required, to avail itself.
Because banks and MSBs are already required to comply with section
314(a), FinCEN does not contemplate this as an incremental cost. In
addition, FinCEN generally only transmits 314(a) requests to a limited
subset of the financial institutions that are required to comply with
314(a) requirements in any given year. Historically, the proportion of
potentially affected financial institutions required to provide a
response in a given year has remained below three percent.\488\ The
subjects of 314(a) requests are individuals and entities suspected by
law enforcement of engaging in money laundering or terrorist financing.
Most PPSIs' primary market customers are financial institutions or
other legal entities which have generally not been the subject of
314(a) requests. Because PPSIs nevertheless may receive 314(a) requests
in the future that require a response, FinCEN assigns a nominal annual
burden for this activity of one hour, commensurate with the expectation
that PPSIs may be less likely to maintain accounts or conduct
transactions with individuals or entities that are the subject of
314(a) requests.
---------------------------------------------------------------------------
\488\ See FinCEN, Agency Information Collection Activities;
Proposed Renewal; Comment Request; Renewal Without Change on
Information Sharing Between Government Agencies and Financial
Institutions, 90 FR 47125 (Sept. 30, 2025).
Table 12--Estimated Annual Cost Associated With 314(a) Requests
------------------------------------------------------------------------
Cost per Number of
Hours per PPSI PPSI PPSIs Total cost
------------------------------------------------------------------------
1................................... $125 50 $6,229
------------------------------------------------------------------------
[[Page 18645]]
Under section 314(b), PPSIs would be able to share information
about transactions involving the proceeds of specified unlawful
activities. This would be a voluntary information sharing tool of which
a financial institution may, but would not be required to, avail
itself. For this reason, FinCEN does not attribute an incremental
burden to activity conducted under section 314(b).\489\
---------------------------------------------------------------------------
\489\ This section does not apply to OFAC related requirements
and as such there were no OFAC associated costs to consider here.
---------------------------------------------------------------------------
9. Special Standards of Diligence
As described in section VI.C.11.ii, under the proposed rule, PPSIs
would be subject to special standards of diligence. PPSIs would be
required to maintain due diligence programs for correspondent accounts
for foreign financial institutions and banks and for private banking
accounts. These programs would include policies, procedures, and
controls that are reasonably designed to detect and report any known or
suspected money laundering or suspicious activity conducted through or
involving such correspondent or private banking accounts.
FinCEN estimates the annual hourly burden of maintaining and
updating the due diligence program for such correspondent or private
banking accounts would be approximately two hours for each regulated
entity--one hour to maintain and update the program and one hour to
obtain the approval of senior management.\490\ However, because these
requirements already exist for banks and MSBs, FinCEN does not
contemplate this as an incremental cost.\491\
---------------------------------------------------------------------------
\490\ FinCEN requests public comment on the accuracy and
completeness of this estimate.
\491\ As this section does not apply to OFAC related
requirements, no additional OFAC associated costs were considered
here.
Table 13--Estimated Annual Costs to Establish and Maintain an Enhanced
Due Diligence Program
------------------------------------------------------------------------
Cost per Number of
Hours per PPSI PPSI PPSIs Total cost
------------------------------------------------------------------------
2................................... $249 50 $12,458
------------------------------------------------------------------------
10. Section 311 and other Special Measures
The proposed rule would require that PPSIs comply with special
measures issued pursuant to section 311 of the USA PATRIOT Act, 2313a
of the Fentanyl Sanctions Act, and section 9714(a) of the Combating
Russian Money Laundering Act. To date, FinCEN has issued several final
rules pursuant to section 311 imposing the fifth special measure to
prohibit covered financial institutions from opening or maintaining a
correspondent account for, or on behalf of, specified entities.\492\
Future PPSIs would be expected to incur burden in complying with this
component of the proposed rule insofar as they would both (1) need to
establish and maintain the ability to comply with future impositions of
special measures and (2) ensure compliance with all existing section
311 final rules.
---------------------------------------------------------------------------
\492\ See supra section VI.C.11.iii.
---------------------------------------------------------------------------
For purposes of burden estimation, and taking into account the
intended scope of the defined term ``correspondent account'' as
presented in section VI.C.11.i, FinCEN conservatively assumes that all
projected 50 future PPSIs would be equally likely to maintain foreign
correspondent accounts and incur costs associated with the proposed
obligation to comply with the various types of special measures.
Borrowing from the approach FinCEN utilized in the most recent 60-day
notice renewing existing section 311 OMB control numbers,\493\ FinCEN
continues to apply a graduated burden model with an anticipated cost
profile that declines sharply in the years following the first
effective year of a given special measure. Thus, for future non-IDI
subsidiary PPSIs, who would be expected to face an immediate, full
start-up burden (because they are less familiar with the special
measures described above), FinCEN assigns a first-year average burden
of eight hours per expected future non-IDI subsidiary PPSIs and 0.5
hours for each of the 30 expected future IDI-subsidiary PPSIs. FinCEN
then applies the same graduated declining burden model as employed in
its section 311 60-day notice, estimating that in subsequent years, all
50 expected future PPSIs would incur an average annual burden of
approximately 18-minutes each. Because these requirements already exist
for IDIs, FinCEN does not consider the costs presented in table 14 as
novel incremental costs for future IDI-subsidiary PPSIs; however, the
costs presented in table 15 would be considered an incremental new
burden for PPSIs that are not IDI subsidiaries.\494\
---------------------------------------------------------------------------
\493\ FinCEN, Agency Information Collection Activities; Proposed
Renewal; Comment Request: Renewal Without Change of Information
Collection Requirements in Connection With the Imposition of Special
Measures, 90 FR 57279 (Dec. 10, 2025).
\494\ OFAC is not making a proposal under this section and as
such, there are no OFAC associated costs to be considered here.
Table 14--Estimated Costs Associated With Special Measures for IDI-Subsidiary PPSIs
----------------------------------------------------------------------------------------------------------------
Number of
Year Hours per PPSI Cost per PPSI PPSIs Total cost
----------------------------------------------------------------------------------------------------------------
1............................................... 0.5 $62 30 $1,869
2+.............................................. 0.3 37 30 1,121
----------------------------------------------------------------------------------------------------------------
Table 15--Estimated Incremental Costs Associated With Special Measures for Non-IDI Subsidiary PPSIs
----------------------------------------------------------------------------------------------------------------
Number of
Year Hours per PPSI Cost per PPSI PPSIs Total cost
----------------------------------------------------------------------------------------------------------------
1............................................... 8 $997 20 $19,933
[[Page 18646]]
2+.............................................. 0.3 37 20 747
----------------------------------------------------------------------------------------------------------------
b. Government
To implement the proposed rule, FinCEN expects to incur certain
operating costs that would include approximately $1.7 million in the
year prior to the final rule's effective date, $5.9 million in the
first effective year of the final rule, and approximately $2.9 million
in the average subsequent year. These estimates include anticipated
expenses related to stakeholder outreach and informational support,
compliance monitoring, and potential enforcement activities as well as
certain incremental increases to pre-existing technological and IT
infrastructure, administrative and logistic expenses, primarily related
to data collection and analysis.
FinCEN acknowledges that this treatment of cost estimates
implicitly assumes that increased resources commensurate with any novel
operating costs would exist. If this assumption does not hold, then
operating costs associated with this rule may impose certain economic
costs on the public in the form of opportunity costs from the agency's
forgone alternative activities and those activities' attendant
benefits. Benchmarking against FinCEN's appropriated budget for BSA
administration and analysis in fiscal year 2025 ($190,193,000),\495\
the corresponding opportunity cost could resemble forgoing up to 3.1
percent (1.5 percent) of current activities annually in the first year
(each subsequent year) in which a final rule was effective. However, to
the extent that activities FinCEN would undertake as a function of the
proposed rule would functionally substitute for or otherwise replace
foregone activities, such an estimate likely overstates the potential
economic costs to FinCEN and, consequently, the public.
---------------------------------------------------------------------------
\495\ See, FinCEN, Congressional Budget Justification FY 2026,
available at https://home.treasury.gov/system/files/266/11.-FinCEN-FY-2026-CJ.pdf.
---------------------------------------------------------------------------
FinCEN notes that these estimates do not include the potential
costs borne by other regulators or entities who might foreseeably be
engaged in informational outreach, examinations or related supervisory
actions or enforcement activities as a consequence of the proposal.
Such regulators and entities include the primary Federal payment
stablecoin regulators and the IRS. FinCEN acknowledges that the cost
estimates here would therefore understate the burden of activities
required to promote compliance with the rules as proposed and the full
scope of government costs.
As described above in section, the proposed rule would introduce
consultation requirements for primary Federal payment stablecoin
regulators before initiating significant AML/CFT supervisory actions.
FinCEN anticipates that the proposed consultation process is likely to
have direct economic effects on both FinCEN and the primary Federal
payment stablecoin regulators. The proposed process could also
reasonably be expected to have indirect effects on the PPSIs subject to
supervision and examination to the extent that the consultative process
is successful in better aligning supervisory and enforcement activities
with the efficient establishment and maintenance of AML/CFT programs.
Finally, while further downstream economic effects may also flow to the
general public from this improved alignment, these effects would be
third order at best, and difficult to distinguish from the effects of
other incremental components of the proposed rule. Thus, despite
acknowledging that economic effects of the proposed regulatory changes
applicable to primary Federal payment stablecoin regulators may reach
to PPSIs and the general public, they are not itemized or further
considered in the respective discussions of expected economic effects
on these specific parties.
OFAC does not expect to incur additional operating expenses to
implement the proposed rule. While OFAC's Enforcement Division will be
responsible for investigating and enforcing potential violations of the
proposed rule, OFAC expects that these efforts would be folded into
their existing enforcement responsibilities and that investigations
into violations of the sanctions compliance program requirement would
occur in conjunction with investigations into violations of other U.S.
sanctions regulations. As noted in section V.B, OFAC already considers
the existence, nature, and adequacy of a subject person's risk-based
sanctions compliance program when determining the appropriate
administrative action to take in response to an apparent violation of
U.S. sanctions.\496\ As FinCEN notes above, OFAC acknowledges that
these estimates do not include the potential costs borne by other
regulators, or entities who might foreseeably be engaged in
informational outreach, examinations (such as those by the IRS), or
related supervisory actions or enforcement activities as a consequence
of the proposed rule.
---------------------------------------------------------------------------
\496\ 31 CFR part 501, Appendix A.
---------------------------------------------------------------------------
c. PPSI Customers
As discussed earlier in this analysis,\497\ based on the median
value of customers, FinCEN and OFAC expect that the typical PPSI would
have approximately 100 legal entity clients that it interacts with
directly. However, some PPSIs are expected to have substantially more
than this, and FinCEN and OFAC apply an average of 1,000 customers per
PPSI. In total, FinCEN and OFAC do not expect the aggregate number of
direct PPSI customers to exceed 300,000. However, FinCEN and OFAC
estimate that a substantial portion of these may be affiliates of a
single counterparty or associated with non-U.S. entities. FinCEN and
OFAC estimate that the number of affected U.S. businesses is no more
than 10,000.
---------------------------------------------------------------------------
\497\ See supra section XII.A.2.ii.d.2.
---------------------------------------------------------------------------
As described earlier,\498\ these businesses belong to several
industrial categories, including digital asset exchanges, specialized
digital commodities traders, and other types of investment and
securities related businesses. Aside from digital asset exchanges,
FinCEN expects that nearly all of these firms would be part of the
NAICS classifications under industry code 523 (``Securities, Commodity
Contracts, and Other Financial Investments and Related Activities'').
Based on this assessment, FinCEN and OFAC applied the associated
standard wage rate to estimate the costs of PPSI customers' time.\499\
---------------------------------------------------------------------------
\498\ See id.
\499\ Because FinCEN and OFAC expect most primary market
customers to be legal entities in the financial sector, it applies
the standard wage rage, which is broadly reflective of expected wage
costs for a wide range of financial institutions. This hourly wage
rate is a general composite hourly wage rate ($87.61) scaled by a
private sector benefits factor of 1.42 ($124.58 = $87.61 x 1.42).
This incorporates BLS mean wage data associated with six
occupational codes (11-1010: Chief Executives; 11-3021: Computer and
Information Systems Managers; 11-3031: Financial Managers; 13-1041:
Compliance Officers; 23-1010: Lawyers and Judicial Law Clerks; 43-
3099: Financial Clerks, All Other) for each of the nine groupings of
NAICS industry codes that FinCEN determined are most directly
comparable to its 11 categories of potentially affected financial
institutions as delineated in 31 CFR parts 1020 to 1030. See BLS,
May 2024--National industry-specific and by ownership, available at
https://www.bls.gov/oes/tables.htm. Given that many occupations
provide benefits beyond wages (e.g., insurance and paid leave),
FinCEN applies the private sector benefit factor to the unloaded
wage rate to reflect the total cost to the employer. The benefit
factor is the ratio of total compensation (which includes wages and
benefits) to wages. Total compensation = 43.94 and Wages and
salaries = 30.90 (1.42 = 43.94 / 30.90) as of June 2024, based on
the private industry workers series data downloaded from BLS. BLS,
Employer Costs for Employee Compensation data, available at https://www.bls.gov/news.release/archives/ecec_09102024.pdf.
---------------------------------------------------------------------------
[[Page 18647]]
While FinCEN and OFAC estimate that a significant portion of these
entities may be subsidiaries of a single counterparty or connected to
non-U.S. entities, PPSIs would still be responsible for verifying the
identities of all connected counterparties in order to meet program
obligations. FinCEN and OFAC expect that each customer would be
required to spend approximately one hour to collect, review, and
transmit the required customer identification information to the
stablecoin issuing counterparty (specifically, information about
beneficial ownership). Table 16 provides a summary of the expected
costs to these customers. FinCEN and OFAC estimate that PPSI customers,
which are mostly financial institutions engaged in trading a broad
range of stablecoin products as part of their investment portfolios, or
exchanges seeking to provide off-chain liquidity to retail customers
for a similarly broad range of stablecoin products, will likely
initiate at least one new primary market relationship each year,
although this frequency may fluctuate. In order to generate a
conservative estimate, FinCEN and OFAC assume for purposes of this
analysis that all primary market participants would be required to
provide this information once during the course of business in a given
year when interacting with a new stablecoin issuer, while acknowledging
significant uncertainty around this estimate. FinCEN and OFAC request
public comment on this assumption.
Table 16--Estimated Annual Cost to Customers of Providing Required Identification Materials
----------------------------------------------------------------------------------------------------------------
Hours per Cost per
Total number of customers customer customer Total cost
----------------------------------------------------------------------------------------------------------------
10,000....................................................... 1 $125 $1,245,800
----------------------------------------------------------------------------------------------------------------
5. Consideration of Policy Alternatives
In developing the proposed rule, FinCEN and OFAC considered several
policy alternatives, including alternatives that would, if adopted,
imply differences in the cost profile of the requirements, particularly
for small entities. FinCEN and OFAC invite comment on these
alternatives, and on any other alternatives that were not considered
here.
i. FinCEN Alternatives
a. Size-Related Alternatives
First, FinCEN considered modifying the proposed rule's requirements
for small entities or establishing an asset threshold for certain
proposed compliance obligations. As discussed in more detail in the
IRFA analysis (section XII.C.2.i.b below), FinCEN utilizes a threshold
of $200 million in total reserve assets to define small PPSIs that are
not IDI subsidiaries. FinCEN considered using this threshold as a
tailoring benchmark, whereby PPSIs under the threshold might have been
afforded burden accommodations in the form of additional time to
transition, or additional time to undertake certain required
activities, potentially differential reporting thresholds, or other
modifications to AML/CFT program standards designed to reduce
compliance cost. However, FinCEN opted against this alternative.
Creating some category of PPSI for small issuers that would entail
lessened AML/CFT requirements would conceivably result in the targeting
of these PPSIs by illicit actors seeking to circumvent regulatory
scrutiny. Additionally, FinCEN's analysis indicates that most
technology services that enable AML/CFT functions as described here are
highly scalable, allowing small PPSIs to readily identify and employ
more cost-effective options.
b. Alternative Information Requirements
FinCEN separately considered a version of the proposed rule that
would have required PPSIs to collect, and customers to provide,
additional information beyond what this NPRM would require. For
example, in addition to the proposed rule's requirement that future
PPSIs collect the name, date of birth, address, and government-issued
identification number for the beneficial owners of a legal entity
customer (as defined under 31 CFR 1010.230, but generally meaning one
executive officer and all individuals with 25 percent or more equity
interest in the entity), FinCEN considered further requiring PPSIs to
collect customers' blockchain wallet addresses associated with the
legal entity, incorporation or tax documents, or certain identifying
financial information such as account numbers. However, FinCEN opted
not to require these items for several reasons. First, many issuers
already collect this additional information in the ordinary course of
business, and are best situated to determine what, if any, additional
information is necessary to make risk-based decisions about a customer.
Secondly, the absence of this information does not exempt an issuer
from the responsibility to assess the risk associated with a customer
or their transactions, and therefore it is the imperative of the issuer
to determine whether or not such additional information is necessary to
conduct risk-based screening and analysis. FinCEN concluded that it
would strike a more appropriate balance of anticipated benefits to
expected costs to refrain from imposing a unilateral requirement that
such additional information be collected in every instance and that
instead it would be more economically efficient to defer in these
aspects to the discretion of the PPSI's risk-based determinations. In
declining to pursue this alternative, FinCEN also took into
consideration that it may also comport more closely with the GENIUS Act
requirement that Treasury issue regulations tailored to the size and
complexity of the PPSI to limit the information requirements as
proposed. FinCEN requests comment on the extent to which this
assessment comports with market expectations and practices.
[[Page 18648]]
c. Block, Freeze, and Reject Alternative
FinCEN separately and additionally considered providing a more
detailed regulation related to the requirement for PPSIs to have the
technical capability, policies, and procedures to block, freeze, and
reject specific or impermissible transactions that violate Federal or
State laws, rules, or regulations. For example, FinCEN could have
provided details on the specific technical capability, policies, and
procedures that would be required or required a PPSI to take proactive
action related to this requirement. This might have required a PPSI to
act if it had a reason to know the transaction was impermissible.
However, FinCEN decided against these alternatives. Providing a more
detailed regulation could have limited how a PPSI could comply with
this requirement. FinCEN decided it was important for PPSIs to have the
flexibility to implement new technology, best practices, and adapt to
changing laws, rules, or regulations. FinCEN also considered that
proposing a more proactive requirement could increase the compliance
burden for PPSIs. In sum, FinCEN's decision not to pursue a proposed
rule that included this alternative formulation was informed by its
belief that the alternative would not strike a preferable balance
between the anticipated benefits and the expected costs or be as
economically efficient as the more flexible formulation proposed.
FinCEN is requesting comment on the extent to which this assessment
comports with market expectations.
ii. OFAC Alternatives
Additionally, OFAC considered basing the minimal elements for a
sanctions compliance program on FinCEN's current AML program
requirements for banks at 31 CFR 1020.210. For example, that
alternative regulatory foundation would require: (1) a system of
internal controls to assure ongoing sanctions compliance; (2)
independent testing for compliance to be conducted by the PPSI's
personnel or by an outside party; (3) designation of an individual or
individuals responsible for coordinating and monitoring day-to-day
compliance; (4) training for appropriate personnel; and (5) appropriate
risk-based procedures for conducting ongoing customer due diligence.
Although these requirements are similar in substance to the proposed
rule, OFAC chose to instead align the proposed minimal elements of a
sanctions compliance program with existing OFAC guidance, particularly
the 2019 Compliance Framework.
The 2019 Compliance Framework has been a cornerstone of OFAC's
regular public outreach to all regulated industries. Likewise, the
compliance guidance and expectations detailed in the 2019 Compliance
Framework consistently form the basis of OFAC's published guidance
(e.g., sanctions advisories, compliance communiqu[eacute]s, and
frequently asked questions). Consequently, the sanctions compliance
community is already highly familiar with the proposed rule's
requirements as consistent with existing OFAC guidance. Additionally,
FinCEN's AML requirements at 31 CFR 1020.210 and OFAC's existing
regulations differ in applicable scope; the former center on
traditional banks, whereas the latter apply to all U.S. persons. The
2019 Compliance Framework's focus on U.S. persons, rather than
financial institutions, is therefore better aligned with future PPSI's
obligations as U.S. persons under the GENIUS Act. Finally, the 2019
Compliance Framework is grounded in the principle of a risk-based
approach to sanctions compliance. This foundation supports PPSI
flexibility and discretion in how to meet the GENIUS Act's requirement
of an effective sanctions compliance program within the context of
maintaining the five minimal elements in the proposed rule. This
flexibility not only accounts for the development and implementation of
new technology but also is consistent with the GENIUS Act's direction
that regulations be tailored to the size and complexity of the
PPSI.\500\ OFAC is requesting comment on the extent to which this
assessment comports with market expectations and practices.
---------------------------------------------------------------------------
\500\ See 12 U.S.C. 5903(a)(5)(B).
---------------------------------------------------------------------------
B. Executive Orders 12866, 13563, and 14192
E.O. 12866 directs agencies to assess the costs and benefits of
available regulatory alternatives and, if regulation is necessary, to
select regulatory approaches that maximize net benefits (including
potential economic, environmental, and public health and safety
effects; distributive impacts; and equity). E.O. 13563 emphasizes the
importance of quantifying both costs and benefits, reducing costs,
harmonizing rules, and promoting flexibility. E.O. 13563 also
recognizes that some benefits are difficult to quantify and provides
that, where appropriate and permitted by law, agencies may consider and
discuss qualitatively values that are difficult or impossible to
quantify.
This proposed rule has been designated a ``significant regulatory
action''; accordingly, it has been reviewed by OMB.
E.O. 14192, entitled ``Unleashing Prosperity Through
Deregulation,'' was issued on January 31, 2025. Section 3(c) of the
order requires that any new incremental costs associated with new
regulations shall, to the extent permitted by law, be offset by the
elimination of existing costs associated with at least ten prior
regulations.
If finalized as proposed, this action is expected to be considered
an E.O. 14192 regulatory action.
C. Regulatory Flexibility Analysis
When an agency issues a proposed rulemaking, the RFA requires the
agency either to provide an IRFA or certify that the proposed rule
would not have a significant economic impact on a substantial number of
small entities. Because the proposed rule may have a significant
economic impact on a substantial number of certain types of PPSIs that
may qualify as small entities, FinCEN and OFAC undertook the following
analysis. In the event that FinCEN and OFAC have potentially
overestimated the anticipated economic burden of the proposed rule, and
certification would instead be more appropriate, comments to this
effect--including studies, data, or other evidence--are invited.
1. The Proposed Rule: Objectives, Description, and Legal Basis
The proposed rule would implement FinCEN's regulations that
prescribe BSA obligations and OFAC's sanctions compliance program
requirement for PPSIs as described in sections VI, VII, and XII.A.3.
The GENIUS Act, enacted on July 18, 2025, the legal basis for the
proposed rule, creates a regulatory framework for PPSIs in the United
States.\501\ The GENIUS Act provides a comprehensive framework for the
regulation of payment stablecoins.\502\ The GENIUS Act outlines the
reserve, capital, liquidity, and risk management requirements for PPSIs
and tasks the Board, FDIC, NCUA, and OCC, as well as any State payment
stablecoin regulators, with implementing those requirements and
establishing a process and framework for the licensing, regulation,
examination, and supervision of PPSIs.\503\
---------------------------------------------------------------------------
\501\ See GENIUS Act, Pub. L. 119-27.
\502\ See id.
\503\ See supra section II.A.
---------------------------------------------------------------------------
The proposed rule seeks to implement the GENIUS Act by requiring
that PPSIs
[[Page 18649]]
``be treated as a financial institution for purposes of the Bank
Secrecy Act, and as such, shall be subject to all Federal laws
applicable to financial institutions located in the United States
relating to economic sanctions, prevention of money laundering,
customer identification, and due diligence.'' \504\
---------------------------------------------------------------------------
\504\ 12 U.S.C. 5903(a)(5)(A).
---------------------------------------------------------------------------
The GENIUS Act directs the Secretary of the Treasury to issue
regulations, tailored to the size and complexity of the PPSI,
implementing the AML/CFT and sanctions compliance requirements directed
by the GENIUS Act.\505\
---------------------------------------------------------------------------
\505\ See 12 U.S.C. 5903(a)(5)(B); see also supra note 15
(discussing GENIUS Act delegation to Directors of FinCEN and OFAC).
---------------------------------------------------------------------------
2. The Expected Impact on Small Entities
i. Defining Small Affected Entities
The impact of the rule on small entities varies across the three
distinct types of PPSIs: those that are subsidiaries of banks
(including credit unions); those that are Federal qualified payment
stablecoin issuers (FQPSIs); \506\ and State qualified payment
stablecoin issuers (SQPSIs).\507\ FinCEN has incorporated the OCC,
FDIC, Board, and NCUA's RFA analyses with respect to their nexuses with
these respective types and limited its own further analysis below to
the remaining potential future PPSIs that it anticipates. As the
proposed rulemaking may also impact the small entities that are
customers of PPSIs, this population was also subject to IRFA
requirements and is included in section XII.C.2.i.d.
---------------------------------------------------------------------------
\506\ 12 U.S.C. 5901(11). FinCEN proposes to define this
category in its regulations using essentially the same language as
the statute. See supra section VI.C.1.xi.
\507\ 12 U.S.C. 5901(31). FinCEN proposes to define this
category in its regulations using essentially the same language as
the statute. See supra section VI.C.1.xiii.
---------------------------------------------------------------------------
a. Small PPSIs Regulated by the Agencies
As discussed in section II.A, the GENIUS Act tasks the OCC, Board,
FDIC, and NCUA (the ``Agencies'') with implementing reserve, capital,
liquidity, and risk management requirements for PPSIs. The OCC, FDIC,
and NCUA have recently published other NPRMs necessary to implement the
GENIUS Act.\508\ Because each of these proposed rules has already
provided the operational definition of ``small'' used to scope the
respective estimated populations of small IDIs that would also be
relevant for the RFA analysis in this proposed rule, FinCEN and OFAC
are adopting those analyses and estimates by reference. Table 17
provides a summary of the incorporated estimates below.
---------------------------------------------------------------------------
\508\ See supra note 11. See also infra section XII.C.3.
Table 17--RFA Populations Reported by the Agencies a
----------------------------------------------------------------------------------------------------------------
Number of
Agency Total small Percentage
population institutions small
----------------------------------------------------------------------------------------------------------------
FDIC............................................................ 2,772 2,064 74.5%
Board........................................................... 702 440 62.7
OCC............................................................. 997 609 61.1
NCUA............................................................ .............. .............. \b\ 19
----------------------------------------------------------------------------------------------------------------
\a\ Data is based on consultation with the Agencies. See also FDIC, Approval Requirements for Issuance of
Payment Stablecoins by Subsidiaries of FDIC-Supervised Insured Depository Institutions, 90 FR 59409 (Dec. 19,
2025); NCUA, Investments in and Licensing of Permitted Payment Stablecoins Issuers, 91 FR 6531 (Feb. 12,
2026); OCC, Implementing the Guiding and Establishing National Innovation for U.S. Stablecoins Act for the
Issuance of Stablecoins by Entities Subject to the Jurisdiction of the Office of the Comptroller of the
Currency, 91 FR 10202 (Mar. 2, 2026).
b. Other PPSIs
The SBA publishes annual size thresholds defining small businesses
by their classification under categories of the NAICS. While there is
currently no NAICS category specifically for stablecoin issuers, FinCEN
and OFAC anticipate that they would most appropriately fit within
several broader categories of financial institution. Most stablecoin
issuers meet the definition of MSBs, and therefore belong either to
Financial Transactions Processing, Reserve, and Clearinghouse
Activities (522320) (most appropriate for those that engage in money
transmitting), or Other Activities Related to Credit Intermediation
(522390). The SBA-defined threshold for a small business in these
categories is $47 million and $28.5 million in gross receipts,
respectively. In addition, because digital assets may sometimes be
classified as commodities, some stablecoin issuers might otherwise be
categorized under NAICS code 523160 as Commodity Contracts
Intermediation. The SBA-defined threshold for a small business in this
category is $47 million in gross receipts. Among these categories, the
most appropriate designation for stablecoin issuers, due to their role
as money transmitters, is Financial Transactions Processing, Reserve,
and Clearinghouse Activities (522320), with an SBA-defined threshold
for a small business of $47 million in annual gross receipts.
However, because the number of potential future PPSIs (as defined
under the GENIUS Act) is small relative to the number of total firms in
this NAICS category, and because most stablecoin issuers generate
revenue in a manner unlike other MSBs, FinCEN and OFAC considered that
an alternative threshold might be better suited to identify a ``small
entity'' based on the current distribution and characteristics of
entities in the stablecoin industry. Specifically, an asset-based
threshold is a standard better suited to identifying genuinely small
stablecoin issuers. As discussed earlier, stablecoin issuers primarily
generate revenue through capital appreciation and other investment
returns on their reserve holdings rather than receipts from the sale of
goods or services. Moreover, a stablecoin issuer's investment returns
may be attributable primarily to fluctuations in interest rates and
other market factors, meaning that a stablecoin issuer may produce
vastly different returns over time with virtually no change in size.
Accordingly, we do not believe that the gross receipts standard
provides an appropriate means for FinCEN and OFAC to identify small
stablecoin issuers for purposes of the RFA.
To determine an appropriate asset-based threshold, FinCEN and OFAC
developed a profile of the stablecoin sector, which includes all
affected
[[Page 18650]]
stablecoin issuers as well as small businesses. Stablecoin issuers
generally earn revenue using their reserve funds in a way similar to
many other types of asset managers. Therefore, total reserve fund
assets (``total assets'') is a good measure by which to define ``small
entities'' in this industry, similarly to the way banks or investment
companies are often measured. As discussed in section XII.A.2.ii.a,
FinCEN and OFAC examined public data on the issuers of over 350
stablecoin products using publicly available data from several sources,
which included metrics on the circulating value of each product.
Because every USD fiat currency-backed stablecoin issued is backed by
an equivalent value in USD, the circulating value is a good indication
of the size of the stablecoin issuer's reserve fund total assets.
Taken as a whole, stablecoin issuers managed a total of about $300
billion in total assets as of 2025, with about $250 billion of this
value being held by issuers of products likely to be eligible for
status as a payment stablecoin under the Act. Among the stablecoin
issuers reviewed, the mean total asset value was about $5.6 billion.
However, the distribution of assets across stablecoin issuer is highly
skewed, with a significant concentration of assets at the very largest
stablecoin issuers. Accordingly, the median value was significantly
less than the mean, about $14 million.
FinCEN and OFAC estimate that over 99 percent of potential payment
stablecoin total assets are held by the top five stablecoin issuers.
Table 18 provides a summary of total asset thresholds by percentile
based on public data about the total circulating value of issuer's
associated stablecoins. Considering this concentration, FinCEN and OFAC
propose using a threshold value of $200 million in total assets to
define a small PPSI, which is roughly the 80th percentile value. FinCEN
and OFAC request public comment on the suitability of this threshold.
This value also falls close to the mean total asset value for issuers
below the top five percent of firms. Using the proposed $200 million
total asset threshold would represent less than one percent of total
assets in the industry as being held by small entities but would
encompass 84 percent of likely payment stablecoin issuers for which
data could be obtained (approximately 40 entities, 19 of which were
identified as potential PPSIs). This results in a distribution of small
entities which is fairly robust to the threshold; doubling the
threshold $400 million would result in an identical distribution and
halving it to $100 million would result in the exclusion of six
issuers, resulting in 71 percent of stablecoin issuers being below the
threshold. Eighty-four percent of stablecoin issuers falling below the
threshold is consistent with the distributions of other similarly
concentrated finance-related industries.
In considering the adoption of a $200 million total asset threshold
to designate PPSI size for RFA purposes, FinCEN and OFAC considered the
following population distribution information for stablecoin issuers:
Table 18--Stablecoin Asset Threshold Analysis (All Stablecoins)
----------------------------------------------------------------------------------------------------------------
Percentage of
Net asset Percentage of aggregate net
Percentile threshold issuers below assets below
(%) (%)
----------------------------------------------------------------------------------------------------------------
10th........................................................ $300,660 11 0.0002
20th........................................................ 887,584 18 0.0007
30th........................................................ 3,952,000 22 0.0021
40th........................................................ 10,260,054 36 0.0172
50th........................................................ 13,670,000 47 0.0420
60th........................................................ 33,446,620 58 0.0788
70th........................................................ 62,497,337 67 0.1571
80th........................................................ 173,946,000 78 0.3486
90th........................................................ 734,997,872 87 0.7767
100th....................................................... 173,113,000,000 98 32.3282
----------------------------------------------------------------------------------------------------------------
c. Small SQPSIs
At this time there is insufficient data to separately forecast a
population of potential future SQPSIs. It is therefore not possible to
assess the proportion of that potential future population that would be
considered small for purposes of this analysis or assess the
appropriateness of an additional alternative definition of ``small''
uniquely applicable to SQPSIs with any meaningful degree of certainty.
Comments and data are invited to assist FinCEN and OFAC in analyzing
the potential effects of the proposed requirements on SQPSIs,
generally, and small SQPSIs in particular.
d. Small Entity PPSI Customers
Additionally, as discussed in section XII.A.2.ii.d.2, FinCEN and
OFAC expect that the proposed rule, if adopted, may impose costs on the
primary market customers of future PPSIs that are legal entities
because these PPSI customers would need to collect and provide
information to their respective PPSIs, who would have initiated the
requests for customers' information as a consequence of the need to
satisfy certain requirements in the proposed rule. FinCEN and OFAC
anticipate that many of these affected PPSI customers would be digital
asset exchanges, specialized digital commodities traders, and other
types of investment and securities-related firms, at least some of whom
may be small businesses for purposes of the RFA. As described
earlier,\509\ FinCEN and OFAC estimate that there are approximately
300,000 primary market customers that could, in the future, interact
directly with PPSIs, of which the number of affected customers that may
be U.S. businesses is expected to be no more than 10,000. As described
earlier,\510\ these businesses belong to several categories, including
digital asset exchanges, specialized digital commodities traders, and
other types of investment and securities related businesses, the
majority of which would be classified under NAICS code 523
(``Securities, Commodity Contracts, and Other Financial Investments and
Related Activities''). Table 19 summarizes FinCEN and OFAC's analysis
of the most recent vintage of Census Bureau data
[[Page 18651]]
corresponding to this NAICS code, which indicates that small business
comprise the majority of the industries that are expected to be the
primary market customers of future PPSIs.
---------------------------------------------------------------------------
\509\ See supra section XII.A.2.ii.d.2.
\510\ Id.
Table 19--Description of PPSI Customer Small Entities
----------------------------------------------------------------------------------------------------------------
Average annual
Approximate SBA small- Percentage revenue of
Primary market customer type number of NAICS code business considered small entities
customers threshold small \a\ \b\
----------------------------------------------------------------------------------------------------------------
Digital Exchanges............ 300 523210 $47 million.... 70% (about 210 $5.85 million.
firms).
Other Investment Firms....... 10,000 523 $47 million.... 97.7% (about $1.55 million.
9,770 firms).
----------------------------------------------------------------------------------------------------------------
\a\ To estimate the number of small entities in this sector, FinCEN and OFAC used the U.S. Census Bureau, 2022
Statistics of U.S. Businesses Data by Enterprise Receipts Size, available at https://www.census.gov/data/tables/2022/econ/susb/2022-susb-annual.html (``2022 SUSB Data''). FinCEN and OFAC counted the proportion of
small businesses in NAICS code 523 with less than $50 million in annual receipts (the closest available
threshold). For Digital Exchanges, FinCEN used internal data.
\b\ Revenue data for NAICS code 523 and Digital Exchanges was collected from the 2022 SUSB Data and internal
data.
ii. Estimating the Economic Impact on Small Future PPSIs
a. Small IDI Subsidiaries
As in section XII.C.2.i.a, FinCEN and OFAC are adopting by
reference the applicable RFA analyses performed by the OCC, FDIC, and
NCUA. FinCEN and OFAC are relying on the data provided and
determinations already made by the Agencies with respect to the
characteristics of expected future PPSIs under their jurisdictions
because such agencies are better positioned to understand the nature of
their regulated entities in a manner that could reasonably inform
future expectations.\511\ As discussed in the Agencies' analyses, there
is a general anticipation that future PPSIs that would be IDI
subsidiaries would not be able to qualify as small by virtue of the
dollar amount of their own offering/issuance. Additionally, it is not
clear that the subsidiary of an institution that is not itself small
would be eligible to obtain an independent designation as small. For
these reasons, it may be unlikely that a small IDI-subsidiary PPSI
could exist. FinCEN and OFAC are requesting comment on (1) the
reasonableness of an expectation that a future small IDI-subsidiary
PPSI might exist and, if so (2) the expected significance of the
proposed rule's economic impact on such a small entity.
---------------------------------------------------------------------------
\511\ See supra table 17 endnote a.
---------------------------------------------------------------------------
b. Other PPSIs
To examine the expected impact of the proposed rule on small
entities, FinCEN and OFAC used two steps: the first step estimates the
total number of small entities affected by the proposed rule, and the
second step estimates the significance of this impact on those
entities.
1. Estimated Number of Small Potential PPSIs
The SBA definition of ``small entity'' at 13 CFR 121.201 includes
businesses, nonprofits, and small government entities with less than
50,000 residents. It is worth noting that some stablecoin issuers are
organized as nonprofit entities and are included in this count.
Based on analysis of the distribution of data described above,\512\
FinCEN and OFAC are proposing a ``small entity'' definition that
corresponds closely to the 80th percentile threshold, which was rounded
to $200 million for convenience in the proposed rule. The proposed $200
million threshold would capture approximately 84 percent of stablecoin
issuers, which together hold approximately one percent of aggregate
average total assets.
---------------------------------------------------------------------------
\512\ See supra section XII.C.2.i.b.
---------------------------------------------------------------------------
Using the same methods discussed earlier,\513\ FinCEN and OFAC
identified 25 potential future PPSIs from among these stablecoin
issuers, and among these, approximately 19 had fewer than $200 million
in total circulating stablecoin product values.
---------------------------------------------------------------------------
\513\ Id.
---------------------------------------------------------------------------
2. Expected Effect on FQPSIs
To contextualize the relative significance of costs associated with
the proposed rule for small stablecoin issuing entities, FinCEN and
OFAC used the estimates of total assets described earlier to estimate
likely revenues for such issuers.\514\ As referenced earlier,\515\
stablecoin issuers generally derive revenue from investment returns on
their reserve holdings. As stated in the Act, PPSIs are permitted to
invest reserve funds in several different types of asset class,
including government backed securities. Based on prevailing interest
rates, FinCEN and OFAC estimated that stablecoin issuers were likely to
receive returns of about five percent on invested funds. While actual
returns may fluctuate and fall below or above this estimate, this value
represents an average for estimation purposes. To validate this
assumption, FinCEN reviewed actual reported revenue values. While five
percent of total assets was generally within the same order of
magnitude as actual reported revenue, actual revenues often exceeded
five percent.
---------------------------------------------------------------------------
\514\ Id.
\515\ Id.
---------------------------------------------------------------------------
Returns more than prevailing rates for government-issued fixed
income securities can be due to several factors. First, issuers often
``over collateralize'' their products, meaning that they hold larger
reserve portfolios than are required to redeem every coin at par value.
This practice helps protect from market fluctuations and affords
issuers greater flexibility during times of financial stress. In such
cases, stablecoin issuers have reserve portfolios that are larger than
the circulating value of their products, leading to returns in excess
of those implied by multiplying their circulating value by prevailing
rates of return for common reserve investments. Stablecoin issuers may
also invest excess reserves in higher-yielding products or loans whose
rates of return exceed those of government-backed securities. In
addition to this, several other factors might lead to larger returns.
For example, stablecoin issuers may offer certain fee-based services to
customers, and may account for certain unrealized gains as revenue,
increasing reported revenue levels.
Bearing these factors in mind, FinCEN and OFAC retained five
percent of total assets as a reasonable benchmark for revenue. This
parameter was chosen to retain an estimate of revenue that does not
minimize costs or possible fluctuations in returns. By using a
conservative but realistic estimate,
[[Page 18652]]
FinCEN and OFAC avoid underestimating the relative impact of compliance
costs associated with the proposed rule. FinCEN and OFAC request
comment on this benchmark.
In section XII.A.4.ii.a, FinCEN and OFAC discussed the expected
costs of compliance with the proposed rule for PPSIs. In that section,
the first-year incremental cost for a small PPSI was estimated to be
approximately $13,737 per IDI-subsidiary PPSI and $22,987 per non-IDI
subsidiary PPSI, and approximately $5,249 per IDI-subsidiary PPSI and
$13,540 per non-IDI subsidiary PPSI in each year thereafter.
Table 20 presents FinCEN and OFAC's estimates of the share of small
entity PPSIs that would experience significant impact as a result of
the estimated first-year incremental compliance costs with the proposed
rule and the anticipated average compliance costs each year thereafter.
FinCEN and OFAC request public comment on the general accuracy of these
estimates of the impact to small entities. In an effort to avoid
understating the effect on small entities, FinCEN and OFAC
conservatively base the calculation on the estimated costs for small
non-IDI subsidiary PPSIs.
Table 20--Expected Total Costs of Proposed Requirements as a Share of Modeled Annual Revenue
----------------------------------------------------------------------------------------------------------------
Percentage of Percentage of
small entities small entities
for which Year-1 for which Year-1
Cost year Modeled AML/CFT AML/CFT program AML/CFT program
program cost costs exceed 1% costs exceed 3%
of modeled of modeled
revenue revenue
----------------------------------------------------------------------------------------------------------------
1...................................................... $23,000 71 61
2+..................................................... 13,700 68 39
----------------------------------------------------------------------------------------------------------------
c. Small Entity PPSI Customers
While a substantial number of the firms that FinCEN and OFAC
anticipate would be required to provide customer information to the
PPSIs they wish to engage in direct transactions with, the cost of
provisioning this information is expected to be de minimis relative to
the average revenue of these firms.\516\ Based on the estimated costs
as described in section XII.A.4.ii.c and the average annual revenue
values in table 19, the expected cost to legal entity customers by type
are .002 percent and .008 percent of revenue, respectively. Therefore,
while a substantial number of businesses may be providing information
to issuers, FinCEN and OFAC do not contemplate that this requirement
would constitute a significant effect when considered in relation to
their overall financial positions.
---------------------------------------------------------------------------
\516\ This cost is estimated to be less than $200 per firm. See
section XII.A.4.ii.c.
---------------------------------------------------------------------------
3. Other Matters: Duplicate, Overlapping, Conflicting, and Alternative
Requirements
FinCEN and OFAC are unaware of any existing Federal regulations
that would overlap or conflict with the proposed rule. While FinCEN and
OFAC are mindful of concurrent GENIUS Act rulemakings that are related
to the proposed requirements in this rulemaking, neither FinCEN nor
OFAC anticipate a conflict between those proposed rules and this NPRM.
As previously discussed in section XII.A.2.i.d, the Agencies' proposed
rules will require a prospective PPSI to include in its registration
submission a certification that the prospective PPSI has established
and maintains the programs proposed in this NPRM. The Agencies'
proposed rules would also require a PPSI that has been granted its
registration to continue to provide re-certification of its AML/CFT
program and its sanctions compliance program on an annual basis in the
years following initial registration. Because the certification
requirements are ancillary to the actual program establishments and
ongoing maintenance that the certifications attest to, FinCEN and OFAC
do not anticipate conflict with concurrently proposed regulations.
The following sections reiterate FinCEN specific alternatives that
were previously discussed in section XII.A.5.i related to the expected
costs and potential benefits to small entities.
As previously referenced in section XII.A.5.i.a, FinCEN considered
exempting from or modifying requirements for small entities. In that
section, FinCEN opted against this exclusion for several reasons.
Firstly, because PPSI status is a voluntary designation, small entities
wishing to elsewise adhere to another regulatory standard have certain
abilities to do so, and thereby not incur the full burdens associated
with the proposed PPSI requirements even without seeking and obtaining
an exemption from the Secretary. Secondly, creating some category of
PPSI for small issuers that would entail lessened AML/CFT requirements
would conceivably result in the targeting of these PPSIs by illicit
actors seeking to circumvent regulatory scrutiny. Lastly, FinCEN's
analysis indicates that most technology services that enable AML/CFT
functions as described here are highly scalable, allowing small PPSIs
to readily identify and employ more cost-effective options.
In addition, as discussed in greater detail in section XII.A.5.b,
FinCEN also considered adopting additional BOI reporting requirements
for new legal entity customers. Because many primary market customers
of potential PPSIs are themselves small businesses, such a requirement
that expanded reporting requirements beyond the information that is
already provided in the ordinary course of business may have presented
an incremental cost for some number of these small entities. However,
as discussed in that section, FinCEN opted not to augment these
requirements for several reasons. First, many stablecoin issuers
already collect this additional information in the course of business,
and are best situated to determine what, if any, additional information
is necessary to make risk-based decisions about a customer. Secondly,
the absence of this information does not exempt an issuer from the
responsibility to assess the risk associated with specific customers or
their transactions, and thus it is the prerogative of the issuer to
determine whether or not such additional information is necessary to
conduct risk-based screening and analysis. By not pursing this
regulatory alternative, the requirements FinCEN is proposing instead
would impose lower costs on both small PPSIs and PPSI customers that
are small entities.
D. Unfunded Mandates Reform Act
The UMRA requires that an agency prepare a statement before
promulgating a rule that may result in expenditure by
[[Page 18653]]
the state, local, and Tribal governments, in the aggregate, or by the
private sector, of $193 million or more in any one year ($100 million
in 1995, adjusted for inflation).\517\ Section 202 of UMRA also
requires an agency to identify and consider a reasonable number of
regulatory alternatives before promulgating a rule.
---------------------------------------------------------------------------
\517\ The U.S. Bureau of Economic Analysis reports the annual
value of the gross domestic product implicit price deflator for
calendar year 1995 (the year UMRA was enacted) as 66.939, and as
128.974 for calendar year 2025 (the most recent available). Thus,
the inflation-adjusted estimate for $100 million is 128.974 / 66.939
x $100 million, or $192.7 million. U.S. Bureau of Economic Analysis,
Table 1.1.9. Implicit Price Deflators for Gross Domestic Product,
available at https://apps.bea.gov/iTable/?reqid=19&step=3&isuri=1&1921=survey&1903=13#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJDYXRlZ29yaWVzIiwiU3VydmV5Il0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyNSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ==.
---------------------------------------------------------------------------
As discussed above,\518\ FinCEN and OFAC have not estimated the
number of potential future SQPSIs given the inherently speculative
nature of such an exercise at this time. Consequently, FinCEN and OFAC
are unable to more fulsomely assess the potential burden to state,
local, and Tribal governments of the proposed rule and currently do not
expect any additional expenditures by these parties as an incremental
cost of the proposed rule. However, FinCEN and OFAC's expectation that
this rulemaking will not cause material changes in State expenditures
should be understood as relating only to the impact of this rulemaking
and not to the impact of the GENIUS Act writ large. The GENIUS Act
envisions an active role for the States in the regulation of PPSIs as a
complement to federal regulation.
---------------------------------------------------------------------------
\518\ See supra section XII.C.2.i.c.
---------------------------------------------------------------------------
While the analysis above \519\ and below \520\ indicate that the
proposed rule is not expected to impose incremental novel expenditures
on the private sector of $193 million or more, and hence that
additional economic analysis pursuant to UMRA requirements is not
strictly necessary, FinCEN and OFAC believe that the preceding
assessment of impact, generally, and consideration of policy
alternatives, specifically, would satisfy the UMRA's analytical
requirements. FinCEN and OFAC invite public comment on any additional
factors that, if considered, would materially alter the conclusions of
this assessment.
---------------------------------------------------------------------------
\519\ See supra sections XII.A through C.
\520\ See infra section XII.E.
---------------------------------------------------------------------------
E. Paperwork Reduction Act
The recordkeeping and reporting requirements in the proposed rule,
which qualify as ``collections of information'' under the PRA, will be
submitted to OMB for review in accordance with the PRA.\521\ Under the
PRA, an agency may not conduct or sponsor, and a person is not required
to respond to, a collection of information unless it displays a valid
control number assigned by OMB.\522\ Written comments and
recommendations for the proposed information collection can be
submitted by visiting https://www.reginfo.gov/public/do/PRAMain. Find
this particular document by selecting ``Currently Under Review--Open
for Public Comments'' or by using the search function. Comments are
welcome and must be received by June 9, 2026.
---------------------------------------------------------------------------
\521\ See 44 U.S.C. 3506(c)(2)(A).
\522\ See 44 U.S.C. 3507(a)(3).
---------------------------------------------------------------------------
1. FinCEN
In accordance with requirements of the PRA, 44 U.S.C.
3506(c)(2)(A), and its implementing regulations, 5 CFR part 1320, the
following information concerning the collection of information as it
relates to the PPSI AML/CFT requirements is presented to assist those
persons wishing to comment on the information collections.\523\
---------------------------------------------------------------------------
\523\ See infra section XII.E.3.
---------------------------------------------------------------------------
i. Description of Affected Financial Institutions and OMB Control
Numbers
OMB Control Number(s): 1506-[XXXX].
Description of Affected Entities: Only those covered financial
institutions defined in section 31 CFR 1010.100(t)(11) (i.e., PPSIs)
would be affected.
Estimated Number of Respondents: 50 PPSIs.
FinCEN estimates an average population of approximately 50 PPSIs in
each of the first three years of an effective final rule, comprised of
approximately 20 non-IDI subsidiary PPSIs and 30 IDI-subsidiary
PPSIs.\524\ FinCEN expects these entities to each have an average of
650 new customers annually.\525\
---------------------------------------------------------------------------
\524\ See supra section XII.A.2.ii.a.
\525\ See supra section XII.A.2.ii.d.2.
---------------------------------------------------------------------------
As this is a developing market, FinCEN acknowledges the significant
uncertainty regarding the number of banks that would apply to issue
payment stablecoins, either independently or through consortia and
other partnerships, or engage in other permitted payment stablecoin
activities through a subsidiary. However, as discussed earlier, FinCEN
estimates that PPSIs associated with insured depository institutions
would have certain reduced AML/CFT program-related expenses due to
their position within an insured depository institution parent's
existing AML/CFT program.
ii. Estimated Annual Burden Hours
FinCEN has identified nine primary cost elements resulting from the
recurring recordkeeping and reporting costs associated with the
requirements of the proposed rule. These are (1) establishing and
maintaining a written AML/CFT program, (2) ongoing customer due
diligence, (3) BOI-related customer due diligence, (4) CTRs, (5) SARs,
(6) recordkeeping and travel rule requirements, (7) information
sharing, (8) special standards of diligence requirements, and (9)
special measure requirements.
a. Recordkeeping Burden Associated With Establishing and Maintaining an
AML/CFT Program
PPSIs subject to requirements in the proposed rule would need to
establish and maintain an AML/CFT program that meets the minimum
requirements of the BSA. This program must be approved, stored, and
produced upon request. FinCEN expects that on average, each PPSI would
spend approximately 30 hours on this activity in the first year, and
approximately ten hours annually in subsequent years.
b. Recordkeeping Burden Associated With Ongoing Customer Due Diligence
The proposed rule would require PPSIs to implement appropriate
risk-based procedures for conducting ongoing customer due diligence.
Specifically, PPSIs would be required to (1) understand the nature and
purpose of customer relationships for the purpose of developing a
customer risk profile and (2) conduct ongoing monitoring to identify
and report suspicious transactions and, on a risk basis, to maintain
and update customer information. FinCEN estimates this activity would
take an average of 50 hours per PPSI annually.
c. Recordkeeping Burden Associated With BOI-Related Customer Due
Diligence
In addition, PPSIs would be required to identify and verify
beneficial owners of new accounts opened by legal entity customers. The
PPSI may obtain the required identifying information by either
obtaining a prescribed certification form from the individual opening
the account on behalf of the legal entity customer, or by obtaining
from the individual the information required by the form by another
means, provided the individual certifies to the
[[Page 18654]]
best of the individual's knowledge the accuracy of the information.
PPSIs must maintain a record of customers' identifying information
and a description of any document relied on for verification, including
a description of any non-documentary methods and results of any
measures undertaken, and the resolutions of substantive discrepancies.
PPSIs would be required to retain such records used to identify each
beneficial owner for five years after the date the account is closed
and would also be required to retain records used to verify the
identity of each beneficial owner for five years after the record is
made.
FinCEN estimates this activity would take an average of 0.25 hours
per new customer. Given an average of 650 new customers per year, this
would result in an annual burden of 162.5 hours per PPSI.
d. Recordkeeping and Reporting Burden Associated With CTRs
As discussed in section VI.C.7, entities subject to the AML/CFT
program requirements of the BSA are obligated to file CTRs. Because
stablecoin issuance and redemption is typically a digital-only
business, FinCEN considers costs associated with filing CTRs to be de
minimis for regulated entities. Therefore, FinCEN assigns zero cost to
this requirement, but includes it here for pro forma completeness.
e. Recordkeeping and Reporting Burden Associated With SARs
Under the proposed rule, PPSIs would be required to conduct ongoing
monitoring of customers' transactions and file SARs when appropriate.
In addition, PPSIs would be required to maintain copies of filed SARs
and the underlying related documentation for a period of five years
from the date of filing. FinCEN utilized the findings in a recent Bank
Policy Institute report on the number of suspicious activity alerts
that turned into cases (i.e., alerts that are not considered false
positives) and concluded in the filing of a SAR (approximately 42
percent) to infer that for each case filed as a SAR, approximately 1.4
cases were not filed.\526\ While there is no requirement to report or
retain unfiled suspicious activity alerts, FinCEN considers this
activity to be part of the overall burden of SAR reporting and
recordkeeping.
---------------------------------------------------------------------------
\526\ See Bank Policy Institute, Getting to Effectiveness--
Report on U.S. Financial Institution Resources Devoted to BSA/AML &
Sanctions Compliance, supra note 483.
---------------------------------------------------------------------------
FinCEN estimates that PPSIs would file a weighted annual average of
190 SAR filings and have 266 unfiled cases. With an estimated hourly
burden of 1.5 hours per SAR filing and 0.5 hours per unfiled case,
together, these activities are estimated to take 418 hours annually per
PPSI.
f. Recordkeeping Burden Associated With Proposed Recordkeeping and
Travel Rule Requirements
The proposed rule would require PPSIs to comply with certain
recordkeeping obligations, including recording and maintaining
originator and beneficiary information for certain transactions. As
discussed in section XII.A.4.ii.a.7, FinCEN expects the primary burden
from these requirements to stem from compliance with proposed
requirements related to the Recordkeeping and Travel Rules which ae
codified at 31 CFR 1010.410(e) and (f), respectively. The Recordkeeping
and Travel Rules respectively require financial institutions to collect
and retain records for funds transfers and transmittals of funds in
amounts of $3,000 or more and to transmit information on certain funds
transfers and transmittals of funds to other financial institutions
participating in the transfer or transmittal. Cumulatively, FinCEN
estimates the annual recordkeeping burden per PPSI for these
requirements would be approximately 20 hours.
g. Recordkeeping Burden Associated With Information Sharing
The proposed rule would require PPSIs to implement the information
sharing procedures contained in section 314(a) of the USA PATRIOT Act.
Section 314(a) requires financial institutions, upon FinCEN's request,
to search their records to determine whether they have maintained an
account or conducted a transaction with a specified individual, entity,
or organization that a law enforcement agency has certified is
suspected, based on credible evidence, of engaging in terrorist
activity or money laundering. FinCEN estimates the annual hourly burden
of complying with the requirements under section 314(a) would be
approximately one hour for each regulated entity.
h. Recordkeeping Burden Associated With Special Standards of Diligence
Requirements
Under the proposed rule, PPSIs would be required to apply enhanced
due diligence for correspondent and private banking accounts. The scope
of the annual PRA burden and cost estimates in this renewal is limited
to maintaining and updating the due diligence programs as part of
current AML/CFT program requirements.
Due to the practical challenges of obtaining the total number of
correspondent accounts maintained for foreign financial institutions
subject to general due diligence requirements, the number of
correspondent accounts maintained for foreign banks subject to enhanced
due diligence requirements, and the number of private banking accounts,
the scope of the annual PRA burden is limited to the annual burden of
(1) establishing and maintaining a due diligence program as part of the
AML/CFT program for foreign correspondent accounts and private banking
accounts, and (2) securing approval of the program by an appropriate
level of senior management.
FinCEN estimates the annual hourly burden of establishing and
maintaining the due diligence program for foreign correspondent
accounts and private banking accounts and obtaining program approval at
two hours per PPSIs. This estimate covers the burden of (1)
establishing and maintaining the due diligence program to take into
consideration any regulatory changes and any potential modifications
required by changes in the types of foreign correspondent accounts or
private banking accounts maintained, or by changes in the operations or
organizational structure of the foreign financial institutions for
which a covered financial institution maintains accounts, as well as
changes to the organizational structure of private banking accounts
(one hour), and (2) presenting the updated due diligence program to the
appropriate level of senior management of the financial institution for
approval (one hour).
i. Recordkeeping Burden Associated With Special Measure Requirements
As discussed in section VI.C.11.iii, the rule proposes that PPSIs
be required to comply with special measures issued pursuant to the
sections 311, 9714(a), and 2313a to maintain the options available
under these sections to protect the U.S. financial system from certain
illicit finance threats. FinCEN assumes that all 50 PPSIs would have
foreign correspondent accounts and would therefore incur costs
associated with the special measures under section 311.
Consistent with the approach outlined in FinCEN's recent 60-day
notice,\527\ FinCEN estimates the average burden for the 20 non-IDI
subsidiary PPSIs
[[Page 18655]]
would be approximately eight hours in the first year for general
recordkeeping activities. FinCEN assumes that the 30 IDI-subsidiary
PPSIs would leverage the special measure processes that are already in
place and would therefore each incur only a 0.5-hour burden in the
first year. FinCEN assumes that in subsequent years, all 50 PPSIs would
incur an annual 18-minute burden associated with notification.
---------------------------------------------------------------------------
\527\ FinCEN, Agency Information Collection Activities; Proposed
Renewal; Comment Request: Renewal Without Change of Information
Collection Requirements in Connection With the Imposition of Special
Measures, 90 FR 57279 (Dec. 10, 2025).
---------------------------------------------------------------------------
j. Total Annual Burden
Tables 21 and 22 present the annual burden hours per respondent and
total annual burden hours for all affected PPSIs for year one and years
two and three, respectively.\528\ FinCEN estimates a three-year annual
burden of 672 hours per PPSI \529\ and a three-year average annual
burden of 33,577 hours for all 50 PPSIs.
---------------------------------------------------------------------------
\528\ Hourly burden figures presented in tables 22 and 23 are
rounded to the nearest hundredth of an hour for presentation
purposes. Total burden figures are produced using unrounded figures
for accuracy.
\529\ FinCEN notes that because, in its approach to calculating
expected time burdens, different burden estimates apply to PPSIs of
various (1) types (e.g., whether a PPSI is a subsidiary of an IDI or
not) and (2) sizes, average values may not meaningfully represent
the economic burden that any single, particular PPSI may expect to
incur.
Table 21--Year-1 Burden Hour Estimates
----------------------------------------------------------------------------------------------------------------
Hours per Number of Hours per Number of Total burden
Provision response responses respondent respondents hours
----------------------------------------------------------------------------------------------------------------
Establishing and maintaining the 30 1 30 50 1,500
written AML/CFT program
(including program approval,
storing the program, and
producing it upon request).....
Ongoing customer due diligence.. 50 1 50 50 2,500
BOI-related customer due 0.25 650 162.5 50 8,125
diligence......................
Recordkeeping and reporting of 0 0 0 50 0
CTRs...........................
Recordkeeping and reporting of 1.5 190 285 50 14,250
SARs...........................
Recordkeeping of unfiled 0.5 266 133 50 6,650
suspicious activity cases......
Recordkeeping and Travel Rule 20 1 20 50 1,000
requirements...................
Information sharing requirements 1 1 1 50 50
(314(a)).......................
Establishing and maintaining the 2 1 2 50 100
enhanced due diligence program
(including program approval)...
Special measures (non-IDI 8 1 8 20 160
subsidiary PPSIs)..............
Special measures (IDI-subsidiary 0.5 1 0.5 30 15
PPSIs).........................
-------------------------------------------------------------------------------
Total....................... .............. .............. .............. 50 34,350
----------------------------------------------------------------------------------------------------------------
Table 22--Years-2+ Burden Hour Estimates
----------------------------------------------------------------------------------------------------------------
Hours per Number of Hours per Number of Total burden
Provision response responses respondent respondents hours
----------------------------------------------------------------------------------------------------------------
Establishing and maintaining the 10 1 10 50 500
written AML/CFT program
(including program approval,
storing the program, and
producing it upon request).....
Ongoing customer due diligence.. 50 1 50 50 2,500
BOI-related customer due 0.25 650 162.5 50 8,125
diligence......................
Recordkeeping and reporting of 0 0 0 50 0
CTRs...........................
Recordkeeping and reporting of 1.5 190 285 50 14,250
SARs...........................
Recordkeeping of unfiled 0.5 266 133 50 6,650
suspicious activity cases......
Recordkeeping and Travel Rule 20 1 20 50 1,000
requirements...................
Information sharing requirements 1 1 1 50 50
(314(a)).......................
Establishing and maintaining the 2 1 2 50 100
enhanced due diligence program
(including program approval)...
Special measures................ 0.3 1 0.3 50 15
-------------------------------------------------------------------------------
Total....................... .............. .............. 664 50 33,190
----------------------------------------------------------------------------------------------------------------
iii. Estimated Annual Cost
Tables 23 and 24 present the average annual cost per respondent and
total annual cost for all affected PPSIs for year one and years two and
three, respectively. FinCEN estimates the three-year average annual
cost of recordkeeping and reporting requirements under the proposed
rule to be approximately $4.2 million, with a three-year average annual
cost of $83,660 per PPSI.
Table 23--Total Cost in Year 1
----------------------------------------------------------------------------------------------------------------
Hours per Average cost Total burden
Provision respondent per respondent hours Total cost
----------------------------------------------------------------------------------------------------------------
Establishing and maintaining the written AML/CFT 30 $3,737 1,500 $186,870
program (including program approval, storing
the program, and producing it upon request)....
[[Page 18656]]
Ongoing customer due diligence.................. 50 6,229 2,500 311,450
BOI-related customer due diligence.............. 162.5 20,244 8,125 1,012,213
Recordkeeping and reporting of CTRs............. 0 0 0 0
Recordkeeping and reporting of SARs............. 285 35,505 14,250 1,775,265
Recordkeeping of unfiled suspicious activity 133 16,569 6,650 828,457
cases..........................................
Recordkeeping and Travel Rule requirements...... 20 2,492 1,000 124,580
Information sharing requirements (314(a))....... 1 125 100 6,229
Establishing and maintaining the enhanced due 2 249 100 12,458
diligence program (including program approval).
Special measures (non-IDI subsidiary PPSIs)..... 8 997 160 19,933
Special measures (IDI-subsidiary PPSIs)......... 0.5 62 15 1,869
---------------------------------------------------------------
Total....................................... .............. .............. 34,350 4,279,323
----------------------------------------------------------------------------------------------------------------
Table 24--Total Cost in Year 2
----------------------------------------------------------------------------------------------------------------
Hours per Average cost Total burden
Provision respondent per respondent hours Total cost
----------------------------------------------------------------------------------------------------------------
Establishing and maintaining the written AML/CFT 10 $1,246 500 $62,290
program (including program approval, storing
the program, and producing it upon request)....
Ongoing customer due diligence.................. 50 6,229 2,500 311,450
BOI-related customer due diligence.............. 162.5 20,244 8,125 1,012,213
Recordkeeping and reporting of CTRs............. 0 0 0 0
Recordkeeping and reporting of SARs............. 285 35,505 14,250 1,775,265
Recordkeeping of unfiled suspicious activity 133 16,569 6,650 828,457
cases..........................................
Recordkeeping and Travel Rule requirements...... 20 2,492 1,000 124,580
Information sharing requirements (314(a))....... 1 125 100 6,229
Establishing and maintaining the enhanced due 2 249 100 12,458
diligence program (including program approval).
Special measures................................ 0.3 37 15 18,869
---------------------------------------------------------------
Total....................................... 664 82,696 33,190 4,134,810
----------------------------------------------------------------------------------------------------------------
iv. Summary of Burden and Cost Estimates
Estimated Number of Respondents: 50 PPSIs.
Estimated Average Aggregate Annual Recordkeeping and Reporting
Burden: 33,577 hours.
Estimated Average Aggregate Annual Recordkeeping and Reporting
Cost: $4.18 million.
2. OFAC
In accordance with requirements of the PRA, 44 U.S.C.
3506(c)(2)(A), and its implementing regulations, 5 CFR part 1320, the
following information concerning the collection of information as it
relates to the proposed PPSI sanctions compliance program requirements
is presented to assist those persons wishing to comment on the
information collections.\530\
---------------------------------------------------------------------------
\530\ See infra section XII.E.3.
---------------------------------------------------------------------------
OFAC will submit a request for a new OMB control number for some of
the specific, new information collection and recordkeeping requirements
for PPSIs to maintain an effective sanctions compliance program under
this proposed rulemaking to implement the GENIUS Act. OFAC is proposing
a new part 502 to chapter V of the CFR entitled the ``Payment
Stablecoin Effective Sanctions Compliance Program Regulations'' to
effectuate the GENIUS Act's effective sanctions program requirement.
The proposed information collection covered by this notice includes
some of the requirements for an effective sanctions compliance program
to be maintained by PPSIs. Even though the proposed sanctions
compliance program prescribed five categories of requirement, only two
are expected to engender recordkeeping burdens for purposes of the PRA:
(1) internal controls (including maintaining written policies and
procedures and certification of PPSI status) and (2) maintaining the
records of results from testing and auditing and any enhancements
identified for the sanctions compliance program will be covered by this
information collection. Because a recordkeeping burden associated with
the internal controls requirements of the anti-money laundering/
counter-terrorist financing (AML/CFT) program is already accounted for
under FinCEN's requested new OMB control number 1506-[XXXX], no
additional burden is assigned here to avoid double counting activities
that may have substantial functional overlap. The only cost and burden
calculation itemized below pertains to the requirement to maintain the
records of the results of, and any enhancements made following the
testing and auditing mandated by the proposed rule for a PPSI's
sanctions compliance program.
i. Description of Impacted Financial Institutions and OMB Control
Numbers
The likely respondents and recordkeepers affected by the
information collections covered by this authority are PPSIs. OFAC's
current annual assessment of burden considers the number and type of
information collection and recordkeeping requirements necessary for
record retention under testing and auditing controls to maintain an
effective sanctions compliance program for
[[Page 18657]]
PPSIs. The submissions covered by this information collection will be
reviewed by the U.S. Department of the Treasury and may be used for
sanctions reconsiderations and other regulatory or administrative
actions by OFAC under its authorities.
OFAC will submit a request for a new OMB control number for the new
recordkeeping requirements for testing and auditing for PPSIs to
maintain a sanctions compliance program under this proposed rulemaking
to implement the GENIUS Act. The internal controls burden is part of
broader overall AML/CFT internal controls and are therefore accounted
for under FinCEN's requested new OMB control number 1506-[XXXX].
ii. Estimated Annual Burden Hours
OFAC estimates that the average time for information collection for
the recordkeeping requirements under the sanctions compliance program
testing and auditing elements to be 100 hours for the industry.
iii. Estimated Annual Cost
The estimated total annual reporting burden associated with the
information collections authorized under this authority is expected to
cost approximately $12,458 for the industry.
iv. Summary of Burden and Cost Estimates
The estimated total annual reporting burden associated with the
information collections authorized under this authority is expected to
cost approximately $12,458 for the industry. Under this information
collection, the estimated annual frequency of retaining record for
audit and testing is once per year. OFAC's estimate for the number of
unique entities annually is approximately 50 PPSIs. OFAC estimates that
the average time for information collection and recordkeeping
requirements to be 100 hours for industry.
3. General Request for Comments Under the Paperwork Reduction Act
Comments submitted in response to this proposed rule will be
summarized and included in a request for OMB approval. All comments
will become a matter of public record. FinCEN and OFAC invite comments
on: (1) whether the collection of information is necessary for the
proper performance of the mission of FinCEN and OFAC, including whether
the information shall have practical utility; (2) the accuracy of
FinCEN and OFAC's estimate of the burden of the collection of
information; (3) ways to enhance the quality, utility, and clarity of
the information to be collected; (4) ways to minimize the burden of the
collection of information on reporting persons, including through the
use of technology; and (5) estimates of capital or start-up costs and
costs of operation, maintenance, and purchase of services required to
provide information.
F. Additional Requests for Comment
1. This RIA utilizes an assumption of presumed compliance with
baseline regulatory requirements. Is there any reason to alternatively
expect that the proposed rule, if adopted as a final rule, would
independently alter the likelihood that a previously non-complaint
entity would newly seek to come into compliance? If so, how would this
alter the current expected balance of benefits to costs of the rule as
proposed? Please provide data, studies, or anecdotal evidence that
FinCEN and OFAC should take into consideration.
2. The assumption that all potential PPSIs would either be (1)
affiliated with depository institutions as a subsidiary or as part of
consortium or (2) successors to entities already registered as MSBs is
foundational to FinCEN and OFAC's assessment of the incremental changes
the proposed rule would introduce. Is this assumption reasonable?
Additionally, is the projected distribution of 60 percent IDI-
subsidiary PPSIs and 40 percent non-IDI subsidiary PPSIs reasonable? If
not, are there specific sources of empirical evidence or data that
would suggest these assumptions should be revised? Please provide data,
studies, or anecdotal evidence that would support the suggested
alternative assumptions.
3. FinCEN and OFAC's estimate of the population of potential PPSIs
incorporates certain assumptions about the willingness and/or
likelihood of current stablecoin issuers to change certain features of
their present product offerings to meet PPSI product requirements. Are
there concerns about the reasonableness of this approach? Please
provide data, studies, or any other information that might inform a
more accurate assessment of how likely current stablecoin issuers are
to change PPSI-disqualifying features or launch alternative products.
4. FinCEN and OFAC assume a total affected population of
approximately 50 PPSIs on average in each of the first three years of
an effective final rule. Are FinCEN and OFAC's implied assumptions
regarding market entry and attrition rates and the resulting population
estimate reasonable? If not, please provide data, studies, or reports
that would enhance FinCEN and OFAC's ability to estimate the expected
size of the affected population.
5. The RIA in this NPRM does not include a forecasted population of
potential future SQPSIs as a specific category of PPSIs due to
limitations in data availability. Please provide data, studies, or
anecdotal evidence that would enable analysis of the potential effects
of the proposed requirements on SQPSIs, generally, and small SQPSIs in
particular.
6. Stablecoin issuers, or potential stablecoin issuers, can seek
PPSI status through various paths, including as a subsidiary of a
depository institution, an uninsured national bank, or as another
subtype of FQPSI or as a SQPSI. How likely are stablecoin issuers to
choose each path?
7. FinCEN and OFAC formed certain expectations about the number of
primary market customers a typical PPSI would have based on data
regarding current stablecoin issuers. Are there other sources of data
or other methods to more accurately estimate how many unique primary
market customers a typical issuer of payment stablecoin-like products
interacts with? What costs do these stablecoin issuers face in
collecting customer information from these entities? How many of these
customers are new to the issuer on an annual basis?
8. FinCEN and OFAC have conservatively assumed that the majority of
future PPSI customers would either be financial institutions that trade
a broad range of stablecoin products as part of their investment
portfolios or digital asset exchanges that provide off-chain liquidity
to retail customers for a similarly broad range of stablecoin products,
and that these PPSI customers would each need to provide information
about themselves to a PPSI once per year. How reasonable are these
assumptions and expectations? How many new issuing/redeeming
relationships do current primary market customers for payment
stablecoin-like products typically initiate on an annual basis?
9. Are there other distinct, identifiable subpopulations of the
general public that could reasonably be expected to be directly
affected by the proposed rules and should have been separately
considered in the RIA? To what extent could their exclusion have
substantive effects on the RIA's assessment of economic impact? Please
provide data, studies, or reports that would enhance FinCEN or OFAC's
ability to identify and quantify such effects.
10. FinCEN and OFAC imposed certain conservative assumptions about
the incremental costs of implementing
[[Page 18658]]
technology to block, freeze, and reject stablecoin transactions, while
recognizing in their assessment of current market practices that the
proposed requirements would not represent an incremental cost for many
stablecoin issuers who appear to already have this technology. How
common is this technology to stablecoin issuers? How costly is it, and
do costs recur on an annual basis? Is there a substantive difference in
costs to obtain and/or retrofit such technology after a stablecoin has
already been issued?
11. Please provide data on the number of hours or specific costs
associated with current stablecoin issuers' review of suspicious
activity and SAR reporting. How generalizable are the data points
provided to expected future PPSIs?
12. FinCEN and OFAC assume that many stablecoin issuers may have
incentives to become PPSIs but did not have sufficient information to
quantify these when analyzing the expected benefits of the proposed
rule. Please describe any incentives that would be driving factors in a
stablecoin issuer's decision to apply for PPSI status and, if
applicable and to the extent feasible, include the expected magnitude
of anticipated financial or economic benefit to the stablecoin issuer
and comment on the generalizability to other similar issuers.
13. Are there any additional cost categories associated with
establishment and maintenance of the proposed AML/CFT programs and/or
the proposed sanctions compliance program that FinCEN and OFAC have
failed to consider? If so, please describe. To what extent would a
failure to separately consider these costs affect the conclusions of
the RIA?
14. FinCEN and OFAC assumed that many of the same resources would
be utilized by PPSIs to provide and complete the sanctions compliance
program-specific training and AML/CFT training that the proposed rules
would require. Is this a reasonable assumption? If not, please provide
data, studies, or anecdotal evidence that would support an alternative
assumption.
15. FinCEN and OFAC's assessment of economic impact assumes future
PPSIs would incur lower training implementation costs relative to other
financial institutions with larger employee bases and broader arrays of
clients, like traditional banks or broker-dealers. Is this a reasonable
assumption? If not, please provide data, studies, or anecdotal evidence
that would support an alternative assumption.
16. FinCEN and OFAC request comment on the alternative policy
options presented and their anticipated economic effect.
17. The economic expectation that the proposed rule may have a
significant economic impact on a substantial number of certain types of
potentially affected small entities is sensitive to key assumptions
about how potentially affected financial institutions would respond to
the proposed requirements. FinCEN and OFAC request comment on whether
it would instead be more reasonable to certify that the proposed rule
would not have a significant economic impact on a substantial number of
small entities.
18. FinCEN and OFAC are requesting comment on the reasonableness of
an expectation that, in the future, small IDI-subsidiary PPSI would
exist. Are there data, studies, or anecdotal information that would
suggest these kinds of PPSIs should be expected? If so, please comment
on the expected population size and the anticipated significance of the
proposed rule's economic impact on such small entities.
19. In the IRFA, FinCEN and OFAC utilized a threshold of less than
$200 million in total reserve assets to define a small non-bank payment
stablecoin issuer. Please comment on the general soundness of this
approach and/or suggest additional methodologies to the extent that an
alternative approach would have been more appropriate.
20. In the IRFA, FinCEN and OFAC estimated firms' revenue for non-
IDI subsidiary potential PPSIs as five percent of total reserve assets.
Please comment on the general soundness of this approach and/or suggest
additional methodologies to the extent that an alternative approach
would have been more appropriate.
21. FinCEN and OFAC do not anticipate that the proposed rule would
result in novel incremental aggregate expenditures by State, local, or
Tribal governments, or by the private sector of $193 million or more in
any one year. Is there any empirical evidence that could be used to
support expectations to the contrary? If so, what studies, data, or
anecdotal evidence should have been taken into consideration?
22. Which states are likely to take action in response to this
proposed rule, and what actions are states likely to take? Please
provide data, studies, reports, or anecdotal evidence that would
enhance FinCEN and OFAC's ability to identify and quantify such
effects.
23. Should FinCEN reconsider the potential for standalone
incremental economic effects attributable to the definitions as
proposed in section VI.C.1, collectively or individually, in the
context of the requirements proposed in this NPRM? If so, please
describe the effects anticipated and their expected economic
significance.
24. Are FinCEN's analyses of the average costs for each component
the AML/CFT framework as outlined in section XII.A.4.ii.a an accurate
reflection of the costs faced by current issuers of products that
resemble future payment stablecoins? If not, are there specific sources
of empirical evidence or data that would suggest these burden estimates
should be revised? Please provide data, studies, or anecdotal evidence
that would support any suggested revisions. Are there reasons to expect
that the cost profile for future PPSIs would substantively differ from
the cost profile for current comparable stablecoin issuers?
25. FinCEN assumed that some PPSIs would interact with foreign
banking entities as primary market customers and may therefore incur
costs associated with special standards of diligence and/or the
imposition of certain special measures and therefore conservatively
assigned the related expected compliance burden to all expected future
PPSI in its cost models. Is this a reasonable approach? If not, what
share of stablecoin issuers should be expected to interact with foreign
entities as primary market customers? Please provide data, studies, or
anecdotal evidence that would enhance FinCEN's ability to estimate the
affected population.
26. Are there any additional, distinct categories of cost
associated with the establishment and maintenance of an AML/CFT program
or otherwise associated with ensuring compliance with the proposed AML/
CFT program requirements that FinCEN should have articulated and
separately taken into consideration? If so, please discuss the extent
to which failure to include such considerations would materially alter
FinCEN's conclusions or expectations of economic impact.
27. Please provide comments on the policy alternatives FinCEN
considered. In particular, do FinCEN's expectations about the
anticipated balance of costs to benefits of the alternatives considered
relative to the rule, as proposed, comport with market expectations?
28. For the purposes of this economic analysis, is it appropriate
for OFAC to estimate the incremental effects of the proposed rule based
on the presumption of full compliance by U.S. persons with sanctions
law as currently administered by OFAC?
29. Should OFAC reconsider the potential for standalone incremental
economic effects attributable to the
[[Page 18659]]
definitions as proposed in section VII.C, collectively or individually,
in the context of the requirements proposed in this NPRM? If so, please
describe the effects anticipated and their expected economic
significance.
30. OFAC considers that in practice, regulated persons do not
typically maintain sanctions compliance as a standalone function but
operationalize sanctions compliance as an integrated component of an
entity's broader AML compliance framework, and therefore combine the
costs associated with sanctions compliance with AML frameworks. Is this
a reasonable assumption?
31. OFAC estimated that retaining records for both audit activities
and enhancements made to sanctions compliance programs would require
only a couple of hours annually. How reasonable is this estimate?
32. Are there any additional, distinct categories of cost
associated with the establishment and maintenance of a sanctions
compliance program or otherwise associated with ensuring compliance
with the proposed rule that OFAC should have articulated and separately
taken into consideration? If so, please describe.
33. OFAC's analysis notes that its proposed rule will not create
incremental costs for primary market customers of PPIs. Is OFAC's
analysis reasonable? If not, please provide defensible methods or data,
studies, or anecdotal evidence that OFAC could use to estimate the
economic burden its proposed rule would have on direct customers of
PPSIs.
List of Subjects
31 CFR Part 502
Administrative practice and procedure, Banks, Banking, Blocking of
assets, Credit, Foreign trade, Payment stablecoins, Penalties,
Permitted payment stablecoin issuer, Reporting and recordkeeping
requirements, Sanctions, Securities, Services.
31 CFR Part 1010
Administrative practice and procedure, Authority delegations
(Government agencies), Banks, banking, Brokers, Business and industry,
Citizenship and naturalization, Commodity futures, Crime, Currency,
Electronic filing, Federal savings associations, Foreign persons,
Holding companies, Indian--law, Indians, Insurance companies,
Intergovernmental relations, Investigations, Law enforcement,
Penalties, Reporting and recordkeeping requirements, Small businesses,
Securities, Terrorism.
31 CFR Part 1033
Administrative practice and procedure, Banks, banking, Business and
industry, Electronic filing, Foreign persons, Investigations, Law
enforcement, Reporting and recordkeeping requirements, Terrorism.
For the reasons stated in the preamble, the Office of Foreign
Assets Control proposes to amend 31 CFR chapter V and the Financial
Crimes Enforcement Network proposes to amend 31 CFR chapter X as
follows:
Title 31--Money and Finance: Treasury
CHAPTER V--OFFICE OF FOREIGN ASSETS CONTROL, DEPARTMENT OF THE TREASURY
0
1. Add part 502 to read as follows:
PART 502--PERMITTED PAYMENT STABLECOIN ISSUER EFFECTIVE SANCTIONS
COMPLIANCE PROGRAM REGULATIONS
Subpart A--General Provisions
Sec.
502.101 Relation of this part to other laws and regulations.
502.102 Records and reports.
502.103 Procedures.
502.104 Paperwork Reduction Act notice.
Subpart B--Effective Sanctions Compliance Program Requirements
Sec.
502.201 Effective sanctions compliance program requirements for
permitted payment stablecoin issuers.
502.202 [Reserved]
Subpart C--General Definitions
Sec.
502.301 Knowingly.
502.302 OFAC.
502.303 Payment stablecoin-related activity.
502.304 Permitted payment stablecoin issuer; PPSI.
Subpart D--Penalties
Sec.
502.401 Penalties.
502.402 Referral to United States Department of Justice;
administrative collection measures.
Authority: 3 U.S.C. 301; 12 U.S.C. 5901-5916; 18 U.S.C. 2339B;
19 U.S.C. 3901-3913; 21 U.S.C. 1901-1908; 31 U.S.C. 321(b); 50
U.S.C. 1701-1706, 4301-4341; Pub. L. 101-410, 104 Stat. 890, as
amended (28 U.S.C. 2461 note).
Subpart A--General Provisions
Sec. 502.101 Relation of this part to other laws and regulations.
This part is separate from, and independent of, the other parts of
this chapter, with the exceptions of part 501 of this chapter, which
includes recordkeeping and reporting requirements and other procedures
that apply to this part. Actions taken pursuant to part 501 of this
chapter with respect to the provisions contained in this part are
considered actions taken pursuant to this part. Differing foreign
policy and national security circumstances may result in differing
interpretations of similar language among the parts of this chapter. No
license or authorization contained in or issued pursuant to other parts
of this chapter excuses any requirement of this part. No license or
authorization contained in or issued pursuant to any other provision of
law or regulation excuses any requirement of this part.
Sec. 502.102 Records and reports.
(a) For provisions relating to required records and reports, see
part 501, subpart C, of this chapter. Recordkeeping and reporting
requirements imposed by part 501 of this chapter with respect to
requirements contained in this part are considered requirements arising
pursuant to this part.
(b) A permitted payment stablecoin issuer shall provide upon
request to OFAC, or its designee, any and all certifications submitted
to its primary Federal payment stablecoin regulator or State payment
stablecoin regulator that the permitted payment stablecoin issuer has
implemented an economic sanctions compliance program pursuant to 12
U.S.C. 5904(i)(1).
Sec. 502.103 Procedures.
For procedures relating to administrative decisions, rulemaking,
and requests for documents pursuant to the Freedom of Information and
Privacy Acts (5 U.S.C. 552 and 552a), see part 501, subpart E, of this
chapter.
Sec. 502.104 Paperwork Reduction Act notice.
OFAC is seeking approval by the Office of Management and Budget
(OMB) under the Paperwork Reduction Act of 1995 (44 U.S.C. 3507) for a
new OMB control number for the specific, new recordkeeping requirements
for permitted payment stablecoin issuers that are required to maintain
an effective sanctions compliance program under this proposed rule.
Other information collection and recordkeeping requirements pursuant to
any OFAC sanctions program are approved by OMB under control number
1505-0164 and contained in Sec. 501.901 of this chapter. An agency may
not conduct or sponsor a collection of information unless it displays a
valid control number assigned by OMB.
[[Page 18660]]
Subpart B--Effective Sanctions Compliance Program Requirements
Sec. 502.201 Effective sanctions compliance program requirements for
permitted payment stablecoin issuers.
(a) Each permitted payment stablecoin issuer (PPSI) is required to
maintain an effective sanctions compliance program (SCP).
(b) An effective SCP is one that is risk-based and reasonably
designed to ensure compliance with all applicable U.S. sanctions. It
shall include, at a minimum:
(1) Senior management and organizational commitment. A PPSI's
senior management shall review and approve the SCP and support the
SCP's effective implementation, including by ensuring the SCP, at a
minimum:
(i) Applies to all payment stablecoin-related activity;
(ii) Has sufficient resources, including necessary investments in
human capital, expertise, and information technology to carry out the
activities described in paragraphs (b)(2) through (b)(5) of this
section;
(iii) Is fully integrated into the PPSI's ongoing stablecoin-
related operations;
(iv) Routinely provides risk updates, including testing results, to
senior management and other appropriate stakeholders within the
organization; and
(v) Provides sufficient authority and autonomy to the PPSI's
compliance function to manage effectively U.S. sanctions risks for the
entire organization.
(2) Risk assessments. Each PPSI shall:
(i) Conduct holistic assessments of U.S. sanctions risks at
appropriate intervals. Such assessments should analyze all payment
stablecoin-related activity and consider, among other relevant factors,
a PPSI's customer base, its size and complexity, direct and indirect
points of contact with foreign persons or persons residing in foreign
jurisdictions, and specific products and services.
(ii) Use its risk assessments to inform the operation of its SCP,
including by revising internal controls and training as appropriate;
and
(iii) Revise risk assessments as appropriate to account for any
identified U.S. sanctions violations or deficiencies; new products,
services, mergers, or acquisitions; and any other factors that may
affect the PPSI's risk profile.
(3) Internal Controls. Each PPSI shall:
(i) Establish and maintain a system of risk-based internal
controls, including technical capabilities and written policies and
procedures, applicable to all payment stablecoin-related activity,
whether on the primary or secondary market, that:
(A) Identifies any payment stablecoin-related activity that is or
may be prohibited by U.S. sanctions;
(B) Blocks or rejects, as applicable, any payment stablecoin-
related activity that violates or would violate U.S. sanctions;
(C) Provides reports to OFAC as required, including those described
in Sec. 502.102(b) and part 501 of this chapter; and
(D) Retains relevant records in accordance with OFAC recordkeeping
obligations, including those described in part 501 of this chapter.
(ii) Document the internal controls described in paragraph
(b)(3)(i) of this section in writing and clearly communicate them to
all relevant personnel and stakeholders; and
(iii) Routinely review and revise the internal controls described
in paragraph (b)(3)(i) by:
(A) Taking timely and appropriate action to remediate any
identified gaps or deficiencies; and
(B) Ensuring the internal controls effectively address current,
new, amended, or updated U.S. sanctions authorities and applicable U.S.
sanctions risks, which may include addressing risks identified in the
PPSI's risk assessments or in advisories, alerts, or notices issued by
the Department of the Treasury or other relevant U.S. government
agencies.
(4) Testing and Auditing. Each PPSI shall:
(i) Establish and maintain an independent testing or audit
function, accountable to senior management, with sufficient resources,
expertise, and authority to identify U.S. sanctions compliance-related
weaknesses and deficiencies;
(ii) Ensure that qualified personnel routinely perform
comprehensive, independent, and objective testing or auditing of the
effectiveness of the SCP and its functions;
(iii) Utilize test and audit results as appropriate to identify and
implement any needed updates or enhancements to the SCP; and
(iv) Maintain, and provide upon request to OFAC, records of the
results and enhancements described in paragraph (b)(4)(iii) of this
section.
(5) Training. Each PPSI shall establish and maintain a risk-based
sanctions compliance training program that is:
(i) Performed at least annually and with a frequency appropriate to
the PPSI's risk assessments and risk profile;
(ii) Provided to all relevant personnel and stakeholders;
(iii) Appropriately tailored to each trainee's role and
responsibilities;
(iv) Modified to reflect risk assessment findings and identified
deficiencies, including testing and audit findings or following
identified violations of U.S. sanctions; and
(v) Designed to include easily accessible resources and materials
for all relevant personnel and stakeholders.
Sec. 502.202 [Reserved]
Subpart C--General Definitions
Sec. 502.301 Knowingly.
The term knowingly, with respect to conduct, a circumstance, or a
result, means that a person has actual knowledge, or should have known,
of the conduct, the circumstance, or the result.
Sec. 502.302 OFAC.
The term OFAC means the Department of the Treasury's Office of
Foreign Assets Control.
Sec. 502.303 Payment stablecoin-related activity.
The term payment stablecoin-related activity includes issuing,
trading, holding, transacting, transferring, redeeming, or any other
activity involving a payment stablecoin issued by a permitted payment
stablecoin issuer from the time of issuance until the payment
stablecoin's removal from circulation, whether on the primary or
secondary market, including through redemption or by any other means.
Sec. 502.304 Permitted payment stablecoin issuer; PPSI.
The term permitted payment stablecoin issuer or PPSI means an
individual, partnership, company, corporation, association, trust,
estate, cooperative organization, or other business entity,
incorporated or unincorporated, that is formed in the United States and
is:
(a) A subsidiary of either an insured depository institution, as
defined in section 3 of the Federal Deposit Insurance Act, 12 U.S.C.
1813, or an insured credit union, as defined in section 101 of the
Federal Credit Union Act, 12 U.S.C. 1752, that has been approved to
issue payment stablecoins, as defined in section 2(22) of the GENIUS
Act, by a primary Federal payment stablecoin regulator, as defined in
section 2(25) of the GENIUS Act;
(b) A Federal qualified payment stablecoin issuer, as defined in
section 2(11) of the GENIUS Act; or
(c) A State qualified payment stablecoin issuer, as defined in
section 2(31) of the GENIUS Act.
[[Page 18661]]
Subpart D--Penalties
Sec. 502.401 Penalties.
(a) Material Violations. A permitted payment stablecoin issuer
(PPSI) that materially violates the requirement to maintain an
effective sanctions compliance program (SCP), as described in Sec.
502.201, shall be liable for a civil penalty of not more than $100,000
for each day during which the violation continues.
(b) Knowing Violations. In addition to the penalties described in
paragraph (a) of this section, a PPSI who knowingly violates the
requirement to maintain an effective SCP, as described in Sec. 502.201
of this chapter, shall be liable for a civil penalty of not more than
an additional $100,000 for each day during which the violation
continues.
Sec. 502.402 Referral to United States Department of Justice;
administrative collection measures.
In the event that the violator does not pay the penalty imposed
pursuant to this part or make payment arrangements acceptable to the
Director of the Office of Foreign Assets Control, the matter may be
referred for administrative collection measures by the Department of
the Treasury or to the United States Department of Justice for
appropriate action to recover the penalty in a civil suit in a federal
district court.
Title 31--Money and Finance: Treasury
CHAPTER X--FINANCIAL CRIMES ENFORCEMENT NETWORK, DEPARTMENT OF THE
TREASURY
PART 1010--GENERAL PROVISIONS
0
2. The authority citation for part 1010 is revised to read as follows:
Authority: 12 U.S.C. 1829b, 1951-1959, and 5901-5916; 31 U.S.C.
5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115
Stat. 307; sec. 2006, Pub. L. 114-41, 129 Stat. 458-459; sec. 701,
Pub. L. 114-74, 129 Stat. 599; sec. 6403, Pub. L. 116-283, 134 Stat.
3388.
0
3. Revising Sec. 1010.100 by:
0
a. Revising and republishing paragraph (t)(9) and (t)(10);
0
b. Adding paragraph (t)(11);
0
c. Revising and republishing paragraph (ff)(8)(ii) and (ff)(8)(iii);
0
d. Adding paragraph (ff)(8)(iv);
0
e. Revising and republishing paragraph (bbb)(1);
0
f. Revising and republishing paragraph (eee); and
0
g. Adding paragraphs (nnn), (ooo), (ppp), (qqq), (rrr), (sss), (ttt),
(uuu), (vvv), (www), and (xxx).
The revisions, republications, and additions read as follows:
Sec. 1010.100 General definitions.
* * * * *
(t) * * *
(9) An introducing broker in commodities;
(10) A mutual fund; or
(11) A permitted payment stablecoin issuer.
* * * * *
(ff) * * *
(8) * * *
(ii) A person registered with, and functionally regulated for
examined by, the SEC or the CFTC, or a foreign financial agency that
engages in financial activities that, if conducted in the United
States, would require the foreign financial agency to be registered
with the SEC or CFTC;
(iii) A permitted payment stablecoin issuer; or
(iv) A natural person who engages in an activity identified in
paragraphs (ff)(1) through (ff)(5) of this section on an infrequent
basis and not for gain or profit.
* * * * *
(bbb) * * *
(1) Except as provided in paragraph (bbb)(2) of this section,
transaction means a purchase, sale, loan, pledge, gift, transfer,
delivery, or other disposition, and with respect to a financial
institution includes a deposit, withdrawal, transfer between accounts,
exchange of currency, loan, extension of credit, purchase or sale of
any stock, bond, certificate of deposit, or other monetary instrument,
security, contract of sale of a commodity for future delivery, option
on any contract of sale of a commodity for future delivery, option on a
commodity, purchase or redemption of any money order, payment or order
for any money remittance or transfer, purchase or redemption of casino
chips or tokens, or other gaming instruments, an issuance or redemption
of a payment stablecoin, or any other payment, transfer, or delivery
by, through, or to a financial institution, by whatever means effected.
* * * * *
(eee) Transmittal order. The term transmittal order includes a
payment order and is an instruction of a sender to a receiving
financial institution, transmitted orally, electronically, or in
writing, to pay, or cause another financial institution or foreign
financial agency to pay, a fixed or determinable amount of money or
payment stablecoin to a recipient if:
* * * * *
(nnn) [Reserved]
(ooo) [Reserved]
(ppp) Digital asset. Any digital representation of value that is
recorded on a cryptographically secured distributed ledger.
(qqq) Distributed ledger. A technology in which data is shared
across a network that creates a public digital ledger of verified
transactions or information among network participants and cryptography
is used to link the data to maintain the integrity of the public ledger
and execute other functions.
(rrr) Lawful order. A lawful order is any final and valid writ,
process, order, rule, decree, command, or other requirement issued or
promulgated under Federal law, issued by a court of competent
jurisdiction or by an authorized Federal agency pursuant to its
statutory authority, that:
(1) Requires an individual, partnership, company, corporation,
association, trust, estate, cooperative organization, or other business
entity, incorporated or unincorporated, to seize, freeze, burn, or
prevent the transfer of payment stablecoins it issued;
(2) Specifies the payment stablecoins or accounts subject to
blocking with reasonable particularity; and
(3) Is subject to judicial or administrative review or appeal as
provided by law.
(sss) Payment stablecoin.
(1) In general. A digital asset (i) that is, or is designed to be,
used as a means of payment or settlement; and (ii) the issuer of which:
(A) Is obligated to convert, redeem, or repurchase for a fixed
amount of monetary value, not including a digital asset denominated in
a fixed amount of a monetary value; and
(B) Represents that such issuer will maintain, or create the
reasonable expectation that it will maintain, the digital asset at a
stable value relative to the value of a fixed amount of monetary value.
(2) Exceptions. A payment stablecoin does not include a digital
asset that:
(i) Is a national currency;
(ii) Is a deposit (as defined in section 3 of the Federal Deposit
Insurance Act (12 U.S.C. 1813)), including a deposit recorded using
distributed ledger technology; or
(iii) Is a security, as defined in section 2 of the Securities Act
of 1933 (15 U.S.C. 77b), section 3 of the Securities Exchange Act of
1934 (15 U.S.C. 78c), or section 2 of the Investment Company Act of
1940 (15 U.S.C. 80a-2).
(3) For purposes of this definition the term--
(i) National currency means each of the following--
(A) A Federal Reserve note (as the term is used in the first
undesignated paragraph of section 16 of the Federal Reserve Act (12
U.S.C. 411)); or
[[Page 18662]]
(B) A medium of exchange currently authorized or adopted by a
domestic or foreign government, including a monetary unit of account
established by an intergovernmental organization or by agreement
between two or more countries that is:
(1) Standing to the credit of an account with a Federal Reserve
Bank;
(2) Issued by a foreign central bank; or
(3) Issued by an intergovernmental organization pursuant to an
agreement by two or more governments; and
(ii) Monetary value means national currency or deposit (as defined
in section 3 of the Federal Deposit Insurance Act (12 U.S.C. 1813))
denominated in a national currency.
(ttt) Permitted payment stablecoin issuer. An individual,
partnership, company, corporation, association, trust, estate,
cooperative organization, or other business entity, incorporated or
unincorporated formed in the United States that is:
(1) (i) A subsidiary of an insured depository institution that has
been approved to issue payment stablecoins by a primary Federal payment
stablecoin regulator; or
(ii) A subsidiary of an insured credit union that has been approved
to issue payment stablecoins by a primary Federal payment stablecoin
regulator;
(2) A Federal qualified payment stablecoin issuer; or
(3) A State qualified payment stablecoin issuer.
(uuu) Primary Federal payment stablecoin regulator.
(1) For a subsidiary of an insured depository institution, as
described in paragraph (ttt)(1)(i) of this section, the appropriate
Federal banking agency of such insured depository institution;
(2) For an insured credit union or a subsidiary of an insured
credit union, as described in paragraph (ttt)(1)(ii), the National
Credit Union Administration;
(3) For a State chartered depository institution, not covered in
subparagraph (1), the Federal Deposit Insurance Corporation, the Office
of the Comptroller of the Currency, or the Board of Governors of the
Federal Reserve System; or
(4) For a Federal qualified payment stablecoin issuer, the Office
of the Comptroller of the Currency.
(vvv) Federal qualified payment stablecoin issuer. An entity that
is approved by the Office of the Comptroller of the Currency under 12
U.S.C. 5904 to issue payment stablecoins and is either--
(1) A nonbank entity;
(2) An uninsured national bank; or
(3) A Federal branch.
(www) State payment stablecoin regulator. A State agency that has
the primary regulatory and supervisory authority in such State over
entities that issue payment stablecoins. For purposes of this
definition, the term State includes each State and each Territory and
Insular Possession.
(xxx) State qualified payment stablecoin issuer. An entity that:
(1) Is legally established under the laws of a State or Territory
and Insular Possession and approved to issue payment stablecoins by a
State payment stablecoin regulator; and
(2) Is not an uninsured national bank chartered by the Office of
the Comptroller of the Currency pursuant to title LXII of the Revised
Statutes; a Federal branch, or an insured depository institution (as
described in paragraph (ttt)(1) of this section), or a subsidiary, of
such national bank, Federal branch, or insured depository institutions.
0
4. In Sec. 1010.230, revise and republish paragraphs (b)(2) and (c) to
read as follows:
Sec. 1010.230 Beneficial ownership requirements for legal entity
customers.
* * * * *
(b) * * *
(2) Verify the identity of each beneficial owner identified to the
covered financial institution, according to risk-based procedures to
the extent reasonable and practicable. At a minimum, these procedures
must contain the elements required for verifying the identity of
customers that are individuals under Sec. 1020.220(a)(2) of this
chapter (for banks); Sec. 1023.220(a)(2) of this chapter (for brokers
or dealers in securities); Sec. 1024.220(a)(2) of this chapter (for
mutual funds); Sec. 1026.220(a)(2) of this chapter (for futures
commission merchants or introducing brokers in commodities); or for
permitted payment stablecoin issuers procedures that enable the
permitted payment stablecoin issuer to form a reasonable belief that it
knows the true identity of each individual, including procedures that
contain the elements of Sec. 1020.220(a)(2); provided, that in the
case of documentary verification, the financial institution may use
photocopies or other reproductions of the documents listed in paragraph
(a)(2)(ii)(A)(1) of Sec. 1020.220 of this chapter (for banks); Sec.
1023.220 of this chapter (for brokers or dealers in securities); Sec.
1024.220 of this chapter (for mutual funds); Sec. 1026.220 of this
chapter (for futures commission merchants or introducing brokers in
commodities), or for permitted payment stablecoin issuers for an
individual, an unexpired government-issued identification evidencing
nationality or residence and bearing a photograph or similar safeguard,
such as a driver's license or passport; and for a person other than an
individual (such as a corporation, partnership, or trust), documents
and any amendments thereto showing the existence of the entity, such as
certified articles of incorporation, a government-issued business
license, a partnership agreement, or a trust instrument. A covered
financial institution may rely on the information supplied by the legal
entity customer regarding the identity of its beneficial owner or
owners, provided that it has no knowledge of facts that would
reasonably call into question the reliability of such information.
(c) Account. For purposes of this section, account has the meaning
set forth in Sec. 1020.100(a) of this chapter (for banks); Sec.
1023.100(a) of this chapter (for brokers or dealers in securities);
Sec. 1024.100(a) of this chapter (for mutual funds); Sec. 1026.100(a)
of this chapter (for futures commission merchants or introducing
brokers in commodities); and for permitted payment stablecoin issuers a
formal relationship between a customer and a permitted payment
stablecoin issuer established to provide or engage in services,
dealings, or other financial transactions.
* * * * *
0
5. In Sec. 1010.410:
0
a. Removing the word ``or'' at the end of paragraph (e)(6)(i)(H) and
(I);
0
b. Revising and republishing paragraph (e)(6)(i)(J); and
0
c. Adding paragraph (e)(6)(i)(K).
The removal, revisions, republications, and additions read as
follows:
Sec. 1010.410 Records to be made and retained by financial
institutions.
* * * * *
(e) * * *
(6) * * *
(i) * * *
(J) A mutual fund; or
(K) A permitted payment stablecoin issuer; and
0
6. In Sec. 1010.605:
0
a. Revising and republishing (c)(2)(i), (ii), (iii), and (iv);
0
b. Adding paragraph (c)(2)(v);
0
c. Removing the word ``and'' at the end of paragraph (e)(1)(iii);
0
d. Revising and republishing (e)(1)(iv); and
0
e. Adding paragraph (e)(1)(v).
The revisions, republications, and additions read as follows:
Sec. 1010.605 Definitions.
* * * * *
(c) * * *
(2) * * *
[[Page 18663]]
(i) As applied to banks (as set forth in paragraphs (e)(1)(i)
through (v) of this section):
(A) * * *
(ii) As applied to brokers or dealers in securities (as set forth
in paragraph (e)(1)(ii) of this section) means any formal relationship
established with a broker or dealer in securities to provide regular
services to effect transactions in securities, including, but not
limited to, the purchase or sale of securities and securities loaned
and borrowed activity, and to hold securities or other assets for
safekeeping or as collateral;
(iii) As applied to futures commission merchants and introducing
brokers (as set forth in paragraph (e)(1)(iii) of this section) means
any formal relationship established by a futures commission merchant to
provide regular services, including, but not limited to, those
established to effect transactions in contracts of sale of a commodity
for future delivery, options on any contract of sale of a commodity for
future delivery, or options on a commodity;
(iv) As applied to mutual funds (as set forth in paragraph
(e)(1)(iv) of this section) means any contractual or other business
relationship established between a person and a mutual fund to provide
regular services to effect transactions in securities issued by the
mutual fund, including the purchase or sale of securities; and
(v) As applied to permitted payment stablecoin issuers (as set
forth in paragraph (e)(1)(v) of this section) means any formal
relationship established by a permitted payment stablecoin issuer to
provide regular services, dealings, and other financial transactions.
* * * * *
(e) * * *
(1) * * *
(iv) A mutual fund; and
(v) A permitted payment stablecoin issuer.
0
7. In Sec. 1010.651:
0
a. Removing the word ``and'' at the end of paragraph (a)(3)(i);
0
b. Revising and republishing (a)(3)(ii); and
0
c. Adding paragraph (a)(3)(iii).
The revisions, republications, and additions read as follows:
Sec. 1010.651 Special measures against Burma.
(a) * * *
(3) * * *
(ii) An investment company (as defined in section 3 of the
Investment Company Act of 1940 (15 U.S.C. 80a-5)) that is an open-end
company (as defined in section 5 of the Investment Company Act (15
U.S.C. 80a-5)) and that is registered, or required to register, with
the Securities and Exchange Commission pursuant to that Act; and
(iii) A permitted payment stablecoin issuer.
0
8. In Sec. 1010.653:
0
a. Removing the word ``and'' at the end of paragraph (a)(3)(ix);
0
b. Revising and republishing (a)(3)(x); and
0
c. Adding paragraph (a)(3)(xi).
The revisions, republications, and additions read as follows:
Sec. 1010.653 Special measures against Commercial Bank of Syria.
(a) * * *
(3) * * *
(x) A mutual fund, which means an investment company (as defined in
section 3(a)(1) of the Investment Company Act of 1940 ((``Investment
Company Act'') (15 U.S.C. 80a-3(a)(1))) that is an open-end company (as
defined in section 5(a)(1) of the Investment Company Act (15 U.S.C.
80a-5(a)(1))) and that is registered, or is required to register with
the Securities and Exchange Commission pursuant to the Investment
Company Act; and
(xi) A permitted payment stablecoin issuer.
0
9. In Sec. 1010.810, add paragraph (b)(11) to read as follows:
Sec. 1010.810 Enforcement.
* * * * *
(b) * * *
(11) To the appropriate primary Federal payment stablecoin
regulator with respect to permitted payment stablecoin issuers
regularly examined by the primary Federal payment stablecoin regulator
for safety and soundness.
0
10. Add part 1033 to read as follows:
PART 1033--RULES FOR PERMITTED PAYMENT STABLECOIN ISSUERS
Sec.
Subpart A--General Provisions
1033.100 Definitions.
1033.110 Severability.
Subpart B--Programs
1033.200 General.
1033.210 Anti-money laundering/countering the financing of terrorism
program requirements for permitted payment stablecoin issuers.
1033.220 [Reserved]
1033.221 Supervision and enforcement.
1033.230 [Reserved]
1033.240 Additional technical capabilities, policies, and procedures
for permitted payment stablecoin issuers.
Subpart C--Reports Required To Be Made By Permitted Payment Stablecoin
Issuers
1033.300 General.
1033.310 Reports of transaction in currency.
1033.311 Filing obligations.
1033.312 Identification required.
1033.313 Aggregation.
1033.314 Structured transactions.
1033.315 Exemptions.
1033.320 Reports by permitted payment stablecoin issuers of
suspicious transactions.
Subpart D--Records Required To Be Maintained By Permitted Payment
Stablecoin Issuers
1033.400 General.
1033.410 Recordkeeping.
Subpart E--Special Information Sharing Procedures To Deter Money
Laundering and Terrorist Activity
1033.500 General.
1033.520 Special information sharing procedures to deter money
laundering and terrorist activity for permitted payment stablecoin
issuers.
1033.530 [Reserved]
1033.540 Voluntary information sharing among financial institutions.
Subpart F--Special Standards of Diligence; Prohibitions, and Special
Measures for Permitted Payment Stablecoin Issuers
1033.600 General.
1033.610 Due diligence programs for correspondent accounts for
foreign financial institutions.
1033.620 Due diligence programs for private banking accounts.
1033.630 Prohibition on correspondent accounts for foreign shell
banks; records concerning owners of foreign banks and agents for
service of legal process.
Authority: 12 U.S.C. 1829b, 1951-1959, and 5901-5916; 31 U.S.C.
5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115
Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.
Subpart A--General Provisions
Sec. 1033.100 Definitions.
Refer to Sec. 1010.100 of this chapter for general definitions not
noted in this part. To the extent there is a differing definition in
Sec. 1010.100 of this chapter, the definition in this section is what
applies to part 1033. Unless otherwise indicated, for purposes of this
part:
(a) [Reserved]
(b) [Reserved]
(c) [Reserved]
Sec. 1033.110 Severability.
If any provision of this part, or any provision of Sec. Sec.
1010.100, 1010.230, 1010.410, 1010.605, 1010.651, 1010.653, or 1010.810
of this chapter referencing permitted payment stablecoin issuers, is
held to be invalid, or the application thereof to any person or
circumstance is held to be invalid, such invalidity shall not affect
other provisions, or application of such other provisions to other
persons or circumstances, that can be given effect without the invalid
provision or application.
[[Page 18664]]
Subpart B--Programs
Sec. 1033.200 General.
Permitted payment stablecoin issuers are subject to the program
requirements set forth and cross-referenced in this subpart. Permitted
payment stablecoin issuers should also refer to subpart B of part 1010
of this chapter for program requirements contained in that subpart
which apply to permitted payment stablecoin issuers.
Sec. 1033.210 Anti-money laundering/countering the financing of
terrorism program requirements for permitted payment stablecoin
issuers.
(a) In general. A permitted payment stablecoin issuer has an
effective AML/CFT program and complies with the requirements of 31
U.S.C. 5318(h)(1) and this section if the permitted payment stablecoin
issuer:
(1) Establishes an AML/CFT program in accordance with paragraph (b)
of this section; and
(2) Maintains an AML/CFT program by implementing the AML/CFT
program in accordance with paragraph (c) of this section.
(b) Program establishment. A permitted payment stablecoin issuer
establishes an AML/CFT program in accordance with this paragraph if the
permitted payment stablecoin issuer:
(1) Establishes a risk-based set of internal policies, procedures,
and controls that are reasonably designed to ensure compliance with the
Bank Secrecy Act and this chapter and to:
(i) Identify, assess, and document the permitted payment stablecoin
issuer's money laundering, terrorist financing, and other illicit
finance activity risks through risk assessment processes that:
(A) Evaluate the money laundering, terrorist financing, and other
illicit finance activity risks of the permitted payment stablecoin
issuer's business activities, including its products, services,
distribution channels, customers, and geographic locations;
(B) Review and, as appropriate, incorporate the AML/CFT Priorities;
and
(C) Are updated promptly upon any change that the permitted payment
stablecoin issuer knows or has reason to know significantly changes the
permitted payment stablecoin issuer's money laundering, terrorist
financing, and other illicit finance activity risks;
(ii) Mitigate the permitted payment stablecoin issuer's money
laundering, terrorist financing, and other illicit finance activity
risks consistent with the risk assessment processes required under
paragraph (b)(1)(i) of this section, including by directing more
attention and resources toward higher-risk customers and activities,
consistent with the risk profile of the permitted payment stablecoin
issuer, rather than toward lower-risk customers and activities; and
(iii) Conduct ongoing customer due diligence, including to:
(A) Understand the nature and purpose of customer relationships for
the purpose of developing a customer risk profile; and
(B) Conduct ongoing monitoring to identify and report suspicious
transactions and, on a risk basis, to maintain and update customer
information (including information regarding the beneficial owners of
legal entity customers, as defined in Sec. 1010.230 of this chapter);
(2) Establishes independent AML/CFT program testing to be conducted
by permitted payment stablecoin issuer personnel or by an outside
party;
(3) Designates an individual, who is (i) located in the United
States, (ii) accessible to, and subject to oversight and supervision by
FinCEN and its designee, (iii) responsible for establishing and
implementing the AML/CFT program and coordinating and monitoring day-
to-day compliance, and (iv) has not been convicted of a felony offense
involving insider trading, embezzlement, cybercrime, money laundering,
financing of terrorism, or financial fraud may be designated as the
responsible individual under this paragraph; and
(4) Establishes an ongoing employee training program.
(c) Program implementation. A permitted payment stablecoin issuer
implements an AML/CFT program in accordance with this paragraph if the
permitted payment stablecoin issuer implements, in all material
respects, the AML/CFT program required under paragraph (b) of this
section.
(d) Written AML/CFT program and approval. A permitted payment
stablecoin issuer's AML/CFT program must be written, and it must be
approved by the permitted payment stablecoin issuer's board of
directors, an equivalent governing body within the permitted payment
stablecoin issuer, or appropriate senior management. The permitted
payment stablecoin issuer must make a copy of its AML/CFT program
available to FinCEN or its designee upon request.
(e) AML/CFT program certifications. A permitted payment stablecoin
issuer shall make available to FinCEN, or its designee, upon request
any and all certifications submitted to its primary Federal payment
stablecoin regulator or State payment stablecoin regulator that the
permitted payment stablecoin issuer has implemented an AML/CFT program
pursuant to 12 U.S.C. 5904(i)(1).
Sec. 1033.220 [Reserved]
Sec. 1033.221 Supervision and enforcement.
(a) Definitions. For purposes of this section:
(1) AML/CFT enforcement action means any formal or informal action
taken by FinCEN that seeks to penalize, remedy, prevent, or respond to
noncompliance with past or ongoing violations of, or past or ongoing
deficiencies relating to, an AML/CFT requirement. The term includes--
(i) A cease-and-desist order, consent order, or memorandum of
understanding; or
(ii) The assessment of a civil money penalty.
(2) AML/CFT requirement means a requirement of the Bank Secrecy
Act, 12 U.S.C. 5903(a)(5)(A)(i)-(v), 12 U.S.C. 5903(a)(6)(B), 12 U.S.C.
5903(f)(1)(A), or this chapter.
(3) Significant AML/CFT supervisory action means any written
communication or other formal supervisory determination issued by
FinCEN or a primary Federal payment stablecoin regulator when acting
pursuant to authority delegated under this chapter that, in either
case--
(i) Identifies one or more alleged deficiencies, weaknesses,
violations of law, or unsafe or unsound practices or conditions
relating to an AML/CFT requirement;
(ii) Communicates supervisory expectations to a permitted payment
stablecoin issuer regarding actions or remedial measures required to
correct the deficiency, weakness, violation, or practice or condition;
and
(iii) Contemplates significant or programmatic actions or remedial
measures to be taken by the permitted payment stablecoin issuer.
The term does not include examiner observations, suggestions, or
other informal comments.
(b) FinCEN enforcement and supervision policy.
(1) In general. Except with respect to a significant or systemic
failure to implement the AML/CFT program in accordance with Sec.
1033.210(c), a permitted payment stablecoin issuer that has established
an AML/CFT program in accordance with Sec. 1033.210(b) will not be
subject to:
(A) An AML/CFT enforcement action related to the requirements of 31
U.S.C. 5318(h)(1) or 31 CFR 1033.210 by FinCEN; or
(B) A significant AML/CFT supervisory action related to the
[[Page 18665]]
requirements of 31 U.S.C. 5318(h)(1) or 31 CFR 1033.210 by FinCEN or by
a primary Federal payment stablecoin regulator when acting pursuant to
authority delegated under this chapter.
(2) Program establishment violations. Nothing in this paragraph (b)
may be construed to restrict an AML/CFT enforcement action by FinCEN,
or a significant AML/CFT supervisory action by FinCEN or a primary
Federal payment stablecoin regulator when acting pursuant to authority
delegated under this chapter with respect to any failure to establish
an AML/CFT program in accordance with Sec. 1033.210(b).
(3) Criminal enforcement. Nothing in this paragraph (b) may be
construed to affect criminal enforcement liability under the Bank
Secrecy Act.
(c) FinCEN consultation.
(1) Consultation and consideration requirement. Before initiating a
significant AML/CFT supervisory action, a primary Federal payment
stablecoin regulator when acting pursuant to authority delegated under
this chapter will provide the Director, FinCEN an opportunity to review
the action and consider any input offered by the Director, FinCEN on
the action, which may include any view as to the effectiveness of the
permitted payment stablecoin issuer's AML/CFT program.
(2) Notice requirement. To provide the Director, FinCEN an
opportunity to provide a view under paragraph (c)(1) of this section, a
primary Federal payment stablecoin regulator when acting pursuant to
authority delegated under this chapter will:
(i) Send written notice, to the Director, FinCEN of its intent to
take that action at least 30 days before taking the action (unless a
shorter period of time is necessary, in the sole discretion of the
primary Federal payment stablecoin regulator, to remedy, prevent, or
respond to an unsafe or unsound practice or condition), accompanied by
the relevant AML/CFT information underlying the proposed action,
including the relevant portions of the draft report or enforcement
action, the relevant examination workpapers supporting the proposed
action, and the relevant AML/CFT information submitted by the permitted
payment stablecoin issuer to the primary Federal payment stablecoin
regulator, other than information over which the permitted payment
stablecoin issuer may claim privilege under Federal or State law; and
(ii) Respond to the extent reasonably practicable to requests for
additional information from the Director, FinCEN regarding the proposed
action.
(d) FinCEN considerations. In determining whether to take an AML/
CFT enforcement action or significant AML/CFT supervisory action, or
when reviewing a proposed action by a primary Federal payment
stablecoin regulator under paragraph (c) of this section or applicable
regulations under title 12 of the Code of Federal Regulation, the
Director, FinCEN shall consider:
(1) The factors under 31 U.S.C. 5318(h)(2)(B), as applicable to
actions concerning the AML/CFT program requirements under Sec.
1033.210;
(2) The extent (if any) to which the permitted payment stablecoin
issuer, where appropriate in light of its size, complexity, and risk
profile, has advanced the AML/CFT priorities by providing highly useful
information to law enforcement authorities or national security
officials, conducting proactive analytics, or performing other
innovative activities producing demonstrable outputs evincing the
effectiveness of the permitted payment stablecoin issuer's AML/CFT
program (including effective use of artificial intelligence, federated
learning, and other advanced monitoring tools); and
(3) Any other factor the Director, FinCEN deems appropriate,
including the permitted payment stablecoin issuer's size, complexity,
and risk profile, and, as relevant, where the permitted payment
stablecoin issuer's low-risk customers or limited business activities
naturally limits the extent to which the permitted payment stablecoin
issuer can meaningfully contribute to AML/CFT priorities.
Sec. 1033.230 [Reserved]
Sec. 1033.240 Additional technical capabilities, policies, and
procedures for permitted payment stablecoin issuers.
(a) Permitted payment stablecoin issuers shall have the technical
capabilities, policies, and procedures to block, freeze, and reject
specific or impermissible transactions that violate Federal or State
laws, rules, or regulations. The required technical capabilities,
policies and procedures must account for transactions occurring by, at,
or through the permitted payment stablecoin issuer, as well as
transactions by third parties, including where a transaction results in
an interaction with a permitted payment stablecoin issuer's smart
contract.
(b) Permitted payment stablecoin issuers shall (1) have the
technical capabilities to comply with the terms of any lawful order and
(2) comply with the terms of any lawful order. A permitted payment
stablecoin issuer's technical capabilities to comply with the terms of
any lawful order must account for lawful orders requiring an issuer to
comply with terms regarding an issuer's payment stablecoins held by a
third party, including in an account not with or controlled by a
permitted payment stablecoin issuer, and transactions by third parties,
including where a transaction results in an interaction with a
permitted payment stablecoin issuer's smart contract.
Subpart C--Reports Required To Be Made By Permitted Payment
Stablecoin Issuers
Sec. 1033.300 General.
Permitted payment stablecoin issuers are subject to the reporting
requirements set forth and cross-referenced in this subpart. Permitted
payment stablecoin issuers should also refer to subpart C of part 1010
of this chapter for reporting requirements contained in that subpart
which apply to permitted payment stablecoin issuers.
Sec. 1033.310 Reports of transactions in currency.
The reports of transactions in currency requirements for permitted
payment stablecoin issuers are located in subpart C of part 1010 of
this chapter and this subpart.
Sec. 1033.311 Filing obligations.
Refer to Sec. 1010.311 of this chapter for reports of transactions
in currency filing obligations for permitted payment stablecoin
issuers.
Sec. 1033.312 Identification required.
Refer to Sec. 1010.312 of this chapter for identification
requirements for reports of transactions in currency filed by permitted
payment stablecoin issuers.
Sec. 1033.313 Aggregation.
Refer to Sec. 1010.313 of this chapter for reports of transactions
in currency aggregation requirements for permitted payment stablecoin
issuers.
Sec. 1033.314 Structured transactions.
Refer to Sec. 1010.314 of this chapter for rules regarding
structured transactions for permitted payment stablecoin issuers.
Sec. 1033.315 Exemptions.
Refer to Sec. 1010.315 of this chapter for exemptions from the
obligation to file reports of transactions in currency for permitted
payment stablecoin issuers.
Sec. 1033.320 Reports by permitted payment stablecoin issuers of
suspicious transactions.
(a) General. (1) Every permitted payment stablecoin issuer shall
file with
[[Page 18666]]
FinCEN, to the extent and in the manner required by this section, a
report of any suspicious transaction relevant to a possible violation
of law or regulation. A permitted payment stablecoin issuer may also
file with FinCEN, by using the Suspicious Activity Report specified in
paragraph (b)(1) of this section, or otherwise, a report of any
suspicious transaction that it believes is relevant to the possible
violation of any law or regulation, but whose reporting is not required
by this section.
(2) A transaction, as clarified by paragraph (g) of the section,
requires reporting under this section if it is conducted or attempted
by, at, or through the permitted payment stablecoin issuer; it involves
or aggregates funds or other assets of at least $5,000; and the
permitted payment stablecoin issuer knows, suspects, or has reason to
suspect that the transaction (or a pattern of transactions of which the
transaction is a part):
(i) Involves funds derived from illegal activity or is intended or
conducted in order to hide or disguise funds or assets derived from
illegal activity (including, without limitation, the ownership, nature,
source, location, or control of such funds or assets) as part of a plan
to violate or evade any Federal law or regulation or to avoid any
transaction reporting requirement under Federal law or regulation;
(ii) Is designed, whether through structuring or other means, to
evade any requirements of this chapter or any other regulations
promulgated under the Bank Secrecy Act;
(iii) Has no business or apparent lawful purpose or is not the sort
in which the particular customer would normally be expected to engage,
and the permitted payment stablecoin issuer knows of no reasonable
explanation for the transaction after examining the available facts,
including the background and possible purpose of the transaction; or
(iv) Involves use of the permitted payment stablecoin issuer to
facilitate criminal activity.
(3) A permitted payment stablecoin issuer and other financial
institutions may have separate obligations to report suspicious
activity with respect to the same transaction pursuant to other
provisions of this chapter. In those instances, no more than one report
is required to be filed by the permitted payment stablecoin issuer and
other financial institution(s) involved in the transaction, provided
that the report filed contains all relevant facts, including the name
of each financial institution and the words ``joint filing'' in the
narrative section, and each institution maintains a copy of the report
filed, along with any supporting documentation.
(b) Filing and notification procedures--(1) What to file. A
suspicious transaction shall be reported by completing a Suspicious
Activity Report (SAR) and collecting and maintaining supporting
documentation as required by paragraph (c) of this section.
(2) Where to file. The SAR shall be filed with FinCEN in accordance
with the instructions to the SAR.
(3) When to file. A SAR shall be filed no later than 30 calendar
days after the date of the initial detection by the reporting permitted
payment stablecoin issuer of facts that may constitute a basis for
filing a SAR under this section. If no suspect is identified on the
date of the initial detection, a permitted payment stablecoin issuer
may delay filing a SAR for an additional 30 calendar days to identify a
suspect, but in no case shall reporting be delayed more than 60
calendar days after the date of such initial detection.
(4) Mandatory notification to law enforcement. In situations
involving violations that require immediate attention, such as
suspected terrorist financing or ongoing money laundering schemes, a
permitted payment stablecoin issuer shall immediately notify by
telephone an appropriate law enforcement authority in addition to
filing timely a SAR.
(5) Voluntary notification to the Financial Crimes Enforcement
Network or a Primary Federal Payment Stablecoin Regulator. A permitted
payment stablecoin issuer wishing to voluntarily report suspicious
transactions that may relate to terrorist activity may call the
Financial Crimes Enforcement Network's Financial Institutions Hotline
at 1-866-556-3974 in addition to filing timely a SAR if required by
this section. The permitted payment stablecoin issuer may also, but is
not required to, contact its primary Federal payment stablecoin
regulator to report in such situations.
(c) Retention of records. A permitted payment stablecoin issuer
shall maintain a copy of any SAR filed by the permitted payment
stablecoin issuer or on its behalf (including joint reports), and the
original (or business record equivalent) of any supporting
documentation concerning any SAR that it files (or that is filed on its
behalf) for a period of five years from the date of filing the SAR.
Supporting documentation shall be identified as such and maintained by
the permitted payment stablecoin issuer and shall be deemed to have
been filed with the SAR. A permitted payment stablecoin issuer shall
make all supporting documentation available to FinCEN or any Federal,
State, or local law enforcement agency, or any Federal regulatory
authority that examines the permitted payment stablecoin issuer for
compliance with the Bank Secrecy Act, upon request.
(d) Confidentiality of SARs. A SAR, and any information that would
reveal the existence of a SAR, are confidential and shall not be
disclosed except as authorized in this paragraph (d). For purposes of
this paragraph (d) only, a SAR shall include any suspicious activity
report filed with FinCEN pursuant to any regulation in this chapter.
(1) Prohibition on disclosures by permitted payment stablecoin
issuers--
(i) General rule. No permitted payment stablecoin issuer, and no
current or former director, officer, employee, or agent of any
permitted payment stablecoin issuer, shall disclose a SAR or any
information that would reveal the existence of a SAR. Any permitted
payment stablecoin issuer, and any current or former director, officer,
employee, or agent of any permitted payment stablecoin issuer, that is
subpoenaed or otherwise requested to disclose a SAR or any information
that would reveal the existence of a SAR shall decline to produce the
SAR or such information, citing this section and 31 U.S.C.
5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the
response thereto.
(ii) Rules of construction. Provided that no person involved in any
reported suspicious transaction is notified that the transaction has
been reported, this paragraph (d)(1) shall not be construed as
prohibiting:
(A) The disclosure by a permitted payment stablecoin issuer, or any
current or former director, officer, employee, or agent of a permitted
payment stablecoin issuer of:
(1) A SAR, or any information that would reveal the existence of a
SAR, to FinCEN or any Federal, State, or local law enforcement agency,
or any Federal regulatory authority that examines the permitted payment
stablecoin issuer for compliance with the Bank Secrecy Act; or
(2) The underlying facts, transactions, and documents upon which a
SAR is based, including but not limited to, disclosures:
(i) To another financial institution, or any current or former
director, officer, employee, or agent of a financial institution, for
the preparation of a joint SAR; or
[[Page 18667]]
(ii) In connection with certain employment references or
termination notices, to the full extent authorized in 31 U.S.C.
5318(g)(2)(B); or
(B) The sharing by a permitted payment stablecoin issuer, or any
current or former director, officer, employee, or agent of the
permitted payment stablecoin issuer, of a SAR, or any information that
would reveal the existence of a SAR, within the permitted payment
stablecoin issuer's corporate organizational structure for purposes
consistent with Title II of the Bank Secrecy Act as determined by
regulation or in guidance. As doing so is consistent with Title II of
the Bank Secrecy Act, a permitted payment stablecoin issuer, as defined
in Sec. 1010.100(ttt)(1), may reveal the existence of a SAR to its
parent insured depository institution and such parent may also reveal
the existence of a SAR to a subsidiary permitted payment stablecoin
issuer.
(2) Prohibition on disclosures by government authorities. A
Federal, State, local, territorial, or Tribal government authority, or
any current or former director, officer, employee, or agent of any of
the foregoing, shall not disclose a SAR, or any information that would
reveal the existence of a SAR, except as necessary to fulfill official
duties consistent with Title II of the Bank Secrecy Act. For purposes
of this section, ``official duties'' shall not include the disclosure
of a SAR, or any information that would reveal the existence of a SAR,
in response to a request for disclosure of non-public information or a
request for use in a private legal proceeding, including a request
pursuant to 31 CFR 1.11.
(e) Limitation on liability. A permitted payment stablecoin issuer,
and any current or former director, officer, employee, or agent of any
permitted payment stablecoin issuer, that makes a voluntary disclosure
of any possible violation of law or regulation to a government agency
or makes a disclosure pursuant to this section or any other authority,
including a disclosure made jointly with another institution, shall be
protected from liability to any person for any such disclosure, or for
failure to provide notice of such disclosure to any person identified
in the disclosure, or both, to the full extent provided by 31 U.S.C.
5318(g)(3).
(f) Compliance. Permitted payment stablecoin issuers shall be
examined by FinCEN or its delegates for compliance with this section.
Failure to satisfy the requirements of this section may be a violation
of the Bank Secrecy Act and of this chapter.
(g) Transaction. A transaction, for purposes of Sec. 1033.320, is
not conducted or attempted by, at, or through a permitted payment
stablecoin issuer only because a transfer by third parties results in
an interaction with a permitted payment stablecoin issuer's smart
contract.
Subpart D--Records Required To Be Maintained By Permitted Payment
Stablecoin Issuers
Sec. 1033.400 General.
Permitted payment stablecoin issuers are subject to the
recordkeeping requirements set forth and cross referenced in this
subpart. Permitted payment stablecoin issuers should also refer to
subpart D of part 1010 of this chapter for recordkeeping requirements
contained in that subpart which apply to permitted payment stablecoin
issuers.
Sec. 1033.410 Recordkeeping.
For regulations regarding recordkeeping, refer to Sec. 1010.410 of
this chapter.
Subpart E--Special Information Sharing Procedures To Deter Money
Laundering and Terrorist Activity
Sec. 1033.500 General.
Permitted payment stablecoin issuers are subject to the special
information-sharing procedures to deter money laundering and terrorist
activity requirements set forth and cross-referenced in this subpart.
Permitted payment stablecoin issuers should also refer to subpart E of
part 1010 of this chapter for special information-sharing procedures to
deter money laundering and terrorist activity contained in that subpart
which apply to permitted payment stablecoin issuers.
Sec. 1033.520 Special information sharing procedures to deter money
laundering and terrorist activity for permitted payment stablecoin
issuers.
For regulations regarding special information-sharing procedures to
deter money laundering and terrorist activity for permitted payment
stablecoin issuers, refer to Sec. 1010.520 of this chapter.
Sec. 1033.530 [Reserved]
Sec. 1033.540 Voluntary information sharing among financial
institutions.
For regulations regarding voluntary information-sharing among
financial institutions, refer to Sec. 1010.540 of this chapter.
Subpart F--Special Standards of Diligence; Prohibitions, and
Special Measures for Permitted Payment Stablecoin Issuers
Sec. 1033.600 General.
Permitted payment stablecoin issuers are subject to the special
standards of diligence, prohibitions, and special measures requirements
set forth and cross referenced in this subpart. Permitted payment
stablecoin issuers should also refer to subpart F of part 1010 of this
chapter for special standards of diligence, prohibitions, and special
measures contained in that subpart.
Sec. 1033.610 Due diligence programs for correspondent accounts for
foreign financial institutions.
For regulations regarding due diligence programs for correspondent
accounts for foreign financial institutions, refer to Sec. 1010.610 of
this chapter.
Sec. 1033.620 Due diligence programs for private banking accounts.
For regulations regarding due diligence programs for private
banking accounts, refer to Sec. 1010.620 of this chapter.
Sec. 1033.630 Prohibition on correspondent accounts for foreign shell
banks; records concerning owners of foreign banks and agents for
service of legal process.
For regulations regarding prohibition on correspondent accounts for
foreign shell banks and related provisions refer to Sec. 1010.630 of
this chapter.
Dated: April 8, 2026.
Andrea M. Gacki,
Director, Financial Crimes Enforcement Network.
Dated: April 8, 2026.
Bradley T. Smith,
Director, Office of Foreign Assets Control.
[FR Doc. 2026-06963 Filed 4-9-26; 8:45 am]
BILLING CODE 4810-02-P