FinCEN and OFAC Propose Rules to Reform AML/CFT Program Requirements for Financial Institutions and Stablecoin Issuers

Authors: Michael Gershberg; Niko Savas

The Financial Crimes Enforcement Network (FinCEN) of the U.S. Department of the Treasury recently issued two proposed anti-money laundering rules of importance to the U.S. financial and cryptocurrency sectors. On April 7, 2026, FinCEN issued a proposed rule to reform the anti-money laundering and countering the financing of terrorism (AML/CFT) obligations of financial institutions subject to the Bank Secrecy Act (BSA). On April 8, FinCEN and the Office of Foreign Assets Control (OFAC) issued a joint proposed rule (the Stablecoin Rule) to implement elements of the GENIUS Act and impose AML/CFT and economic sanctions compliance requirements on certain stablecoin issuers. FinCEN and OFAC are accepting public comments on the proposed rules until June 9, 2026.

AML/CTF Program Rule

While the AML/CFT Program Rule does not change the fundamental structure and substance of the existing BSA regulations, it seeks to the modernize the BSA regime to permit financial institutions to focus on the risk-based and reasonably designed nature of their AML/CFT programs, efficiently direct resources to higher-risk areas, and produce useful information for law enforcement and national security agencies. Under the AML/CFT Program Rule, FinCEN would take the lead in enforcement actions, requiring federal banking regulators to consult with FinCEN prior to taking significant supervisory or enforcement actions. The AML/CFT Program Rule also intends to harmonize requirements for all financial institutions subject to the BSA. Finally, the AML/CFT Program Rule differentiates between the formal "establishment" and the practical "implementation" of an AML/CFT program, focusing compliance obligations on the design of the program and de-emphasizing check-the-box exercises and non-systemic missteps.

In accordance with these guiding principles, the AML/CFT Program Rule establishes four core pillars for financial institutions' AML/CFT programs:

1. Internal policies, procedures, and controls, and revised risk assessment process. The AML/CFT Program Rule establishes a new risk assessment process that will include:

1. 1. evaluation of the AML/CFT risks of the financial institution's business activities, including its products, services, distribution channels, customers, and geographic locations;
   2. review and, where appropriate, incorporation of FinCEN's AML/CFT priorities; and
   3. prompt updates upon any change that the financial institution knows or has reason to know could significantly change the institution's AML/CFT risk.
2. The AML/CFT Program Rule would explicitly permit financial institutions to allocate more attention and resources towards customers and activities deemed higher-risk, based upon the risk assessment framework.

1. Independent program testing. The AML/CFT Program Rule specifies that independent testing should be based on objective criteria designed to assess whether the financial institution has effectively established an AML/CFT program consistent with the aforementioned risk assessment process. Auditors are encouraged to rely on the judgment of the financial institutions' risk assessment, and refrain from substituting their subjective judgment when assessing AML/CFT programs.
2. Designation of a U.S.-based compliance officer. The AML/CFT Program Rule requires that the designated compliance officer be resident in the United States and accessible to FinCEN. Other personnel outside of the United States may still perform AML/CFT functions, but current guidelines on restricting the sharing of suspicious activity reports with such personnel will remain in place.
3. Ongoing employee training. The AML/CFT Program Rule would clarify statutory language requiring an "ongoing employee training program" by uniformly applying the requirement across all financial institutions. It would leave flexibility for financial institutions in determining content, frequency, and appropriate target audience for such trainings.

FinCEN prepared a Fact Sheet on the AML/CFT Program Rule and a document summarizing the proposed changes from the current BSA regulatory regime.

Stablecoin Rule

The Stablecoin Rule proposed jointly by FinCEN and OFAC would apply the full requirements of the BSA and AML Act to permitted payment stablecoin issuers (PPSIs). The new defined term will include subsidiaries of insured depository institutions and credit unions approved to issue payment stablecoins by a federal regulator, as well as state and federal qualified payment stablecoin issuers. Institutions falling under the new definition of PPSIs may be currently regulated as money services businesses under the BSA. To limit overlapping obligations and avoid confusion, FinCEN intends to revise the definition of money services businesses to explicitly exclude PPSIs.

Pursuant to the Stablecoin Rule, PPSIs would be treated as financial institutions under the BSA and subject to the aforementioned requirements under the AML/CFT Program Rule, reporting suspicious activity, retaining the technical capabilities and procedures to block, freeze, and reject transactions that violate state and federal law, and retaining the technical capabilities to comply, and complying in fact, with the terms of lawful orders.

PPSIs in the United States are already required to comply with OFAC sanctions programs. However, the GENUIS Act goes further, and requires that PPSIs maintain "an effective sanctions compliance program." This represents the first time that federal law has explicitly mandated the maintenance of a sanctions compliance program by any U.S. person. Accordingly, PPSIs will be required to adopt a thorough and effective program for compliance with OFAC sanctions, although the enumerated requirements are broadly the same as OFAC's framework for sanctions compliance. The elements of the required sanctions compliance program include:

1. Creation of policies and procedures for compliance with sanctions across all payment stablecoin-related activity. Such policies and procedures should ensure sufficient resources are devoted to compliance, integrate such compliance functions into the PPSI's ongoing stablecoin-related operations, routinely provide risk updates to management, and provide sufficient authority and autonomy to the compliance function to manage OFAC sanctions risk for the entire PPSI.
2. Sanctions-related risk assessment. Such risk assessments should be holistic and conducted at appropriate intervals, with the results utilized to inform the operation of the PPSI's sanctions compliance program. Risk assessments should be revised as appropriate to account for any OFAC sanctions violations or compliance program deficiencies, as well as new products or services, mergers, acquisitions, or other factors affecting the PPSI's risk profile.
3. Internal controls. PPSIs will be required to establish and maintain a system of internal risk-based controls applicable to all payment stablecoin-related activity, on both the primary and secondary markets. Such system will include written policies and technical capabilities that identify, block, and/or reject transactions that may violate OFAC sanctions, and retain relevant records.
4. Testing and auditing. PPSIs will be required to establish and maintain an independent testing and audit function, accountable to senior PPSI management, with sufficient resources to identify weaknesses and deficiencies with respect to sanctions-related compliance.
5. Training program. PPSIs will be required to establish and maintain a risk-based sanctions compliance training program. Such program will be performed at least annually, provided to relevant personnel, appropriately tailored to personnel roles and responsibilities, modified to reflect risk assessment findings, and designed to include easily acceptable resources and material for relevant personnel and stakeholders.

FinCEN and OFAC prepared a Fact Sheet on the Stablecoin Rule.

Payment stablecoin issuers should familiarize themselves with the requirements of the Stablecoin Rule and AML/CFT Program Rule, and may submit comments to FinCEN and OFAC until June 9, 2026.

This communication is for general information only. It is not intended, nor should it be relied upon, as legal advice. In some jurisdictions, this may be considered attorney advertising. Please refer to the firm's data policy page for further information.