GENIUS Act AML Rule Explained: What Treasury’s Proposal Means for Stablecoin Issuers

Treasury’s Proposed AML Rule Under the GENIUS Act: What It Means for Stablecoin Issuers

A New Phase of Stablecoin Regulation

For several years, stablecoin regulation in the United States has been discussed in terms of principles, risks, and competing policy approaches.

The GENIUS Act moves that conversation into something more concrete. It brings permitted payment stablecoin issuers (PPSIs) into the Bank Secrecy Act framework and treats them as financial institutions. That part is relatively straightforward.

What matters more is what comes next. The Act does not define, in detail, how compliance should work in practice. That is left to federal rulemaking. This is where the framework is actually built.

The proposed rule from Treasury, FinCEN and OFAC is one of the first clear examples of that process.

It does not create an entirely new AML regime. But it does not simply replicate existing rules either. Instead, it starts from a different place. It asks where stablecoin activity happens, what the issuer can see, and where control actually sits.

Not a New AML Regime, but a Different Starting Point

At a basic level, the proposal does what the GENIUS Act requires.

Stablecoin issuers are treated as financial institutions. They are expected to maintain AML programs, report suspicious activity, keep records, share information, and comply with sanctions obligations.

None of that is unfamiliar. 

What changes is how those obligations are applied. The framework is not built around a traditional intermediary moving funds between accounts. It is built around a digital asset that is issued once and then circulates independently. That difference runs through the entire proposal.

Primary Market vs Secondary Market

Most of the rule can be understood through a single distinction: stablecoin activity does not happen in one place; it splits into two environments.

The primary market is where the issuer is directly involved. Issuance, redemption, conversion, custody. This is where customers are known, relationships exist, and information is available.

The secondary market looks different. Tokens move between wallets, across exchanges, through protocols. The issuer is no longer part of the transaction in any meaningful sense. At most, it sees activity at the level of the smart contract.

That difference is not just technical; it determines how AML is applied.

Where the issuer has a customer, it is expected to act like a financial institution. Where it does not, the expectations are narrower. This is why the proposal is strict on primary-market controls, but more cautious when it comes to secondary-market reporting.

Suspicious Activity Reporting: A Deliberate Boundary

The approach to suspicious activity reporting is one of the clearest examples of how the rule is designed.

PPSIs are required to file SARs, but not across the entire stablecoin ecosystem.

There is no general obligation to monitor and report all secondary-market activity. The reason is straightforward. In secondary markets, the issuer often lacks the information needed to assess what is happening. Imposing full reporting obligations in that environment would likely produce large volumes of low-value reports.

Instead, the rule focuses on primary-market activity, where the issuer has direct visibility.

That does not mean secondary-market activity is ignored. It means the rule recognises the limits of what the issuer can realistically observe. This remains an open question. The proposal explicitly asks whether a more targeted approach to secondary-market reporting should be introduced.

AML as a System, Not a Document

The proposal also makes something else clear. AML is not treated as a policy requirement; it is treated as a system that has to work.

Issuers are expected to understand their risks, map how their business operates, monitor activity, and adjust their controls over time. The question is not whether a policy exists, but whether it functions.

For a stablecoin issuer, that means looking at the structure of the product itself. Issuance and redemption flows. Intermediary exposure. Cross-border usage. Smart contract design. Interaction with self-hosted wallets.

These are not edge cases. They are part of the core risk profile.

So while the framework uses familiar language, the expectation is more practical. It assumes the firm understands how its own system behaves.

Control Moves to the Token Level

The most important part of the proposal sits outside traditional AML categories. It sits in the technical requirements.

PPSIs are expected to have the ability to block, freeze and reject transactions, and to comply with lawful orders affecting their stablecoins. These obligations apply in both primary and secondary markets.

This is where the model starts to diverge from traditional finance. In a banking system, AML controls sit at the level of accounts and institutions. In a stablecoin system, control extends to the asset itself.

Issuers are expected to design systems that allow intervention in tokens that are already in circulation. Freezing funds, preventing transfers, executing legal orders.

That changes the role of the issuer. It is no longer just a payment intermediary. It is a controllable infrastructure layer.

Familiar Rules, Applied Differently

Not everything in the proposal introduces something new. Some elements extend existing frameworks.

Recordkeeping and Travel Rule obligations apply to stablecoin transfers. Information-sharing requirements bring issuers into the existing 314(a) and 314(b) system. Sanctions expectations follow established models.

At the same time, some boundaries remain unchanged.

Currency transaction reporting does not apply to stablecoin transfers themselves, because they are not treated as transactions in physical currency.

The overall approach is consistent. Existing rules are applied where they fit. Adjustments are made where the structure of stablecoins requires it.

A Three-Layer Model of Compliance

Taken together, the proposal describes a different way of thinking about AML. For stablecoin issuers, compliance operates across three layers.

The first is the customer layer. Onboarding, due diligence, risk profiling, suspicious activity reporting.

The second is the transaction and data layer. Recordkeeping, Travel Rule obligations, information sharing, reporting systems.

The third is the token layer. The ability to freeze assets, block transfers, reject transactions, and execute lawful orders directly at the level of the stablecoin.

This third layer is what makes the framework distinct. It reflects the fact that stablecoins are not just payment instruments. They are programmable assets with embedded control mechanisms.

A Different Approach to Supervision

There is also a more subtle point in how the rule approaches enforcement.

The standard is not that every illicit transaction must be prevented. The focus is on whether the issuer has built and maintains a functioning AML system. If that system exists and is operating as intended, enforcement action is less likely unless there is a serious or systemic breakdown.

That is a more realistic position. It recognises that risk cannot be eliminated entirely, but it can be managed.

At the same time, Treasury signals that AML oversight should remain centralised. The consultation requirement with other regulators points to a preference for consistency rather than fragmented supervision.

What Remains Open

The proposal leaves several points unresolved.

It is not yet clear whether any form of secondary-market SAR obligation will be introduced.

The customer identification program required under the GENIUS Act is expected to be addressed separately, so the onboarding framework is not yet complete.

There are also practical questions around how far technical control requirements extend, particularly across different blockchain environments.

And there is a broader issue of how smaller issuers will meet these expectations, even within a risk-based framework.

From Financial Institutions to Infrastructure

The proposal does two things at the same time.

It places stablecoin issuers firmly within the financial regulatory system, but it also recognises that they operate differently. They issue assets that move independently across networks. They rely on programmable systems. And they retain a level of control that does not exist in traditional payment instruments.

That is why the framework looks the way it does.

It focuses on governance and reporting, but it also places equal weight on technical capability and control.

The result is a model where compliance is no longer limited to onboarding and monitoring; it becomes part of how the asset itself is designed and managed. And that is the point where stablecoin AML starts to look less like traditional compliance, and more like infrastructure.
