Overview
On July 18, 2025, the United States enacted the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act) – landmark legislation establishing the first comprehensive federal framework for stablecoin regulation. The GENIUS Act weaves robust economic sanctions, anti-money laundering / countering the financing of terrorism (AML/CFT), and other financial crime compliance requirements into the fabric of stablecoin regulation in a number of complex and novel ways. Below we summarize the GENIUS Act's financial crimes compliance provisions and provide insights on key areas for companies issuing or dealing in stablecoins to monitor going forward.
Key Takeaways:
- The Act carries forward the existing AML/CFT obligations for stablecoin issuers, but suggests that permitted payment stablecoin issuers (PPSIs) licensed under the Act may be subject to a number of different and additional measures beyond those in place today, such as heightened know your customer (KYC) obligations and more granular sanctions compliance requirements, among others.
- PPSIs will be required to retain the ability to freeze issued tokens involved in illicit activity, including tokens held by persons with no relationship to the issuer and regardless of whether the tokens are in a custodial or non-custodial wallet.
- PPSIs are required to provide an annual compliance certification, certifying the issuer's compliance with AML/CFT and sanctions rules. If a PPSI fails to submit the required annual compliance certification, its regulator can revoke the issuer’s approval to operate. There are also criminal penalties for individuals that knowingly sign false certifications.
- Foreign stablecoin issuers wishing to issue tokens in the US must come from a jurisdiction with substantially similar AML/CFT and economic sanctions controls. The Treasury Secretary can revoke a foreign issuer's US registration upon finding that the issuer is facilitating sanctions evasion, money laundering, or other illicit finance.
- The Act requires Treasury to engage in a variety of future rulemakings, including creating a new type of Bank Secrecy Act (BSA) financial institution for PPSIs, which will have its own set of AML/CFT regulations. The precise obligations contained in the final rules are likely to have a significant impact on PPSIs going forward.
Considerations for Permitted Payment Stablecoin Issuers
AML/CFT Program Requirements for Stablecoin Issuers
Currently, most stablecoin issuers acting within the US are required to comply with the BSA and its implementing regulations promulgated by Treasury's Financial Crimes Enforcement Network (FinCEN). Stablecoin issuers can fall within a number of different categories of BSA financial institutions, including money transmitters, a type of money services business (MSB). Under FinCEN guidance, a person engaged as a business in issuing (putting into circulation) a convertible virtual currency (CVC), and who has the authority to redeem (to withdraw from circulation) such CVC is an "administrator." An issuer could also be viewed as an "exchanger" by virtue of selling or buying back its stablecoin to or from the public. "Administrators" and "exchangers" are both considered money transmitters. Other issuers have formed state trust companies and are therefore treated as a bank – another type of BSA financial institution. Following implementation of the GENIUS Act, issuers of payment stablecoins will no longer be able to issue tokens solely as a money services business or state trust company and will instead need to fall within one of the newly created licensing regimes under the Act.
The GENIUS Act carries forward the obligations currently applicable to payment stablecoin issuers by providing that any PPSI is legally treated as a "financial institution" for purposes of the BSA.[1] However, certain provisions of the GENIUS Act suggest that PPSIs will be subject to a number of additional measures that go beyond what issuers are typically subject to today.
The GENIUS Act suggests that FinCEN will amend its AML/CFT rules to add a new category of financial institution for PPSIs and will promulgate rules specific to them. This means that, instead of adding PPSIs into an existing category of financial institution (e.g., MSBs, broker-dealers, or banks), FinCEN will, in consultation with other federal regulators, engage in notice and comment rulemaking and promulgate a new subsection of FinCEN regulations that is specifically targeting PPSIs. The GENIUS Act provides that such new rules should be "tailored to the size and complexity of permitted payment stablecoin issuers."
In addition, the GENIUS Act contains a number of novel and technology-specific AML/CFT requirements for PPSIs. The fact that FinCEN will engage in a new rulemaking means the rules are more likely to be appropriately tailored to PPSIs and, therefore, should be able to avoid some of the difficulties that can arise when trying to apply existing fiat-based rules in the digital asset context. However, a new rulemaking process also means FinCEN will have wide latitude to consider novel and additional requirements. Those additional requirements could be relatively uncontroversial (e.g., mandating the use of blockchain analytics) or could be complex and onerous (e.g., requirements to monitor for suspicious activity in the secondary market). Therefore, the details of the new rules are likely to be quite important.
The GENIUS Act does make clear that PPSIs will have at least some heightened AML obligations compared to MSBs. For example, the GENIUS Act indicates that PPSIs will be subject to Customer Identification Program (CIP) and Customer Due Diligence (CDD) rules, which will prescribe granular KYC compliance requirements for PPSIs for both individual and entity customers. MSBs are not subject to CIP or CDD rules, meaning they have additional flexibility with respect to how they KYC users. Therefore, these more granular KYC obligations will be an important change for some issuers. It remains to be seen whether PPSIs will be subject to CIP/CDD requirements that match existing rules for other BSA-regulated financial institutions, such as banks, or whether FinCEN, in conjunction with other relevant regulators, will seek to issue CIP/CDD rules specifically scoped to the activities of PPSI issuers.
Sanctions Compliance and Asset Freezing Obligations
Beyond the AML/CFT measures, Congress built specific economic sanctions compliance obligations into the GENIUS Act. PPSIs must maintain an effective sanctions compliance program, including procedures to screen for and block transactions involving sanctioned persons or countries. The law expressly requires verification against relevant sanctions lists (such as the Office of Foreign Assets Control's (OFAC) Specially Designated Nationals and Blocked Persons List (SDN List)) to prevent stablecoins from being used in violation of US sanctions. While most MSBs and other stablecoin issuers are already expected to have in place robust economic sanctions compliance measures, in many cases this expectation is not explicitly built into the law and is instead something that arises indirectly from the requirement to have a "risk-based" AML compliance program or similar broad concepts. One area to monitor is whether FinCEN elects to build more granular sanctions compliance measures into its regulations and mandate specific mechanisms PPSIs must use to ensure compliance.
Perhaps the most significant mandate is that issuers must have "technical capabilities, policies, and procedures to block, freeze, and reject specific or impermissible transactions that violate Federal or State laws, rules, or regulations." Notably, this requirement appears to extend both to primary market transactions (i.e., purchases and sales of tokens directly involving the issuer) and secondary market transactions (i.e., activity occurring on-chain between third parties with no direct involvement with the PPSI issuer). This means issuers will likely need to maintain some centralized control – such as an ability to blacklist certain wallet addresses or burn tokens – despite the decentralized nature of most blockchain transactions. A number of the largest stablecoin issuers already have such functionality built into their technology. However, the GENIUS Act now makes such capabilities a legal prerequisite for operation. An issuer that cannot halt illicit transactions on its network would be barred from issuing stablecoins under the Act's standards.
One critical question left unanswered in the GENIUS Act is to what degree stablecoin issuers will be expected to proactively monitor and intervene in the secondary market, as opposed to merely responding to law enforcement and regulator requests. As discussed below, it appears likely that FinCEN will impose at least some secondary market monitoring requirements on issuers, but the scope of those obligations is unclear and will need to be delineated by FinCEN in guidance or regulations. Such secondary freezing would include stablecoins held in both custodial and non-custodial wallets and, presumably, stablecoins being used in connection with various decentralized protocols.
The GENIUS Act also establishes a protocol for government coordination with PPSIs in enforcing sanctions. When Treasury moves to block a person’s property (for instance, by adding them to the OFAC SDN List), the GENIUS Act instructs Treasury to coordinate, where appropriate, with relevant PPSIs to ensure the person's stablecoin assets can be effectively frozen at the time sanctions are imposed. This prevents sanctioned persons from seeing their designation and quickly converting their stablecoins into another asset before an issuer is able to freeze the tokens. Notably, while the Act encourages such coordination, it does not require advance notice to the issuer before Treasury takes action, leaving Treasury with discretion.
While secondary market freezing is unlikely to be problematic in many contexts, it is possible that such freezing could create complexities in certain contexts. For example, it is possible to imagine a scenario in which freezing of stablecoins used as collateral for a DeFi protocol interferes with the operation of the protocol or causes a cascade of events leading to significant financial harm to other protocol participants.
Annual Compliance Certification
To reinforce these obligations, the GENIUS Act builds in accountability through an annual certification requirement. Within 180 days of receiving regulatory approval – and annually thereafter – every PPSI must certify that it has implemented an AML and economic sanctions compliance program reasonably designed to prevent illicit financial transactions. This written certification to the issuer's primary federal (or state) regulator essentially forces leadership to take personal responsibility for the issuer's compliance framework. Such certifications have previously been used in certain states (e.g., New York's transaction monitoring certification requirements), but have not previously been a feature of federal AML or sanctions rules.
If a PPSI fails to submit the required annual compliance certification, its regulator can revoke the issuer's approval to operate. There are also criminal penalties for individuals that knowingly sign false certifications. In other words, a compliance officer or executive who attests that "we have effective AML/sanctions controls" when they know that to be untrue could be prosecuted.
Considerations for Digital Asset Service Providers
The GENIUS Act also imposes various financial crimes compliance obligations on non-issuers that meet the definition of "digital asset services providers" (DASPs). A DASP includes any firm that, for compensation, exchanges, transfers, custodies, or otherwise participates "in financial services relating to digital asset issuance" for US customers or within the US. The definition contains a number of carveouts for certain software developers, validators, liquidity pool participants, and other enumerated actors.
Beginning three years after enactment, it becomes unlawful for a DASP to offer or sell or otherwise make available a payment stablecoin to a US person or in the US unless the coin is issued by (i) a PPSI or (ii) a comparable foreign issuer that is approved pursuant to the GENIUS Act.
The GENIUS Act arms Treasury with a powerful "non-compliance" designation. If a foreign issuer lacks the technological ability (or willingness) to comply with a lawful freeze or other order, Treasury can label it non-compliant and publish a Federal Register notice prohibiting DASPs from facilitating any secondary trading of that coin in the US.
FinCEN and Treasury Initiatives to Combat Digital Asset Illicit Finance
The GENIUS Act not only imposes compliance obligations on PPSIs, but also tasks government agencies with adapting and sharpening their tools to combat illicit finance in the digital asset realm. Among other measures, the GENIUS Act requires Treasury, via FinCEN, to conduct research and solicit industry input on a number of illicit finance-related topics and report to Congress on various items. That report must address a range of issues, including "legislative and regulatory proposals to allow regulated financial institutions to develop and implement novel and innovative" compliance measures; the risks posed by mixers, tumblers, and similar protocols; and legislative recommendations regarding the DASP definition and whether it should be expanded to capture additional actors in the DeFi context.
Most notably, the GENIUS Act gives FinCEN a deadline to update AML guidance and rules for the digital asset era. Within three years of the Act’s enactment, FinCEN must issue public guidance and engage in formal rulemaking to address a range of topics involving illicit finance and digital assets.
First, FinCEN is to encourage and outline how regulated entities can implement "innovative or novel methods" to detect illicit digital asset activity.[2] This might include using blockchain analytics tools, machine learning to spot suspicious on-chain patterns, or other advanced techniques. The Act essentially nudges FinCEN to support innovation in AML compliance, so long as it leads to better identification of illicit transactions and bad actors.
Second, FinCEN must establish standards for stablecoin issuers to identify and report illicit activity involving their tokens. This will likely build on the GENIUS Act's basic AML requirements by providing detailed expectations or best practices for transaction monitoring on blockchain networks. The standards will address illicit finance risks including "fraud, cybercrime, money laundering, financing of terrorism, sanctions evasion, or insider trading."
Third, FinCEN is tasked with formulating standards for how stablecoin issuers should monitor "transactions on blockchains, digital asset mixing services, tumblers, or other similar services that mix payment stablecoins in such a way as to make such transaction or the identity of the transaction parties less identifiable."
The GENIUS Act's language strongly suggests that FinCEN's rules or guidance will expect PPSIs to monitor and intervene in transactions in both the primary and, to at least some degree, secondary markets. For PPSIs with billions of dollars of stablecoins in circulation across multiple blockchains, this could potentially result in a dramatic expansion of their AML regulatory requirements. At present, stablecoin issuers are responsible for AML compliance with respect to primary market transactions to which they are a party, but are not expected to monitor all transactions across the entirety of the blockchain. Therefore, the precise requirements from this rulemaking or guidance are likely to be critically important for PPSIs. Requirements for secondary market monitoring may also amount to a de facto ban on issuing payment stablecoins on privacy-enhanced blockchains where such monitoring would not be feasible.
Finally, the GENIUS Act calls for tailored risk management standards for "financial institutions" interacting with decentralized finance protocols. Notably, this provision is not specific to PPSIs and instead addresses all "financial institutions," meaning this could result in new rules for all digital asset companies that are subject to the BSA. The Biden administration issued a proposed rule seeking to impose heightened requirements for certain BSA financial institutions dealing with mixers and tumblers, but that rule was never finalized. It is unclear if the Trump administration will seek to borrow from that proposed rule or to start from scratch.
Restrictions on Foreign Stablecoin Issuers and International Cooperation
Recognizing the global nature of crypto markets, the GENIUS Act also imposes guardrails on foreign-issued stablecoins entering the US and seeks to elevate international compliance standards. The Act creates a pathway for a non-US stablecoin issuer to be recognized as a comparable foreign payment stablecoin issuer, but only if strict criteria are met. First, the stablecoin must be issued from a jurisdiction with a regulatory regime comparable to the US framework under the GENIUS Act. In particular, the foreign jurisdiction's rules for stablecoins – including prudential requirements and AML/sanctions controls – must measure up to the standards of the Act. Treasury, advised by a multi-agency Stablecoin Certification Review Committee, will determine which foreign countries' regulatory regimes qualify as comparable.
Even if an issuer hails from an approved jurisdiction, additional conditions apply. The foreign issuer must register with the US Office of the Comptroller of the Currency (OCC) before offering its stablecoins via any digital asset platform to US customers, thus allowing US authorities to vet the issuer. The OCC can reject a registration if, for example, the issuer cannot provide sufficient information to assess compliance or if the stablecoin could pose a significant risk to US financial stability. Significantly, one of the explicit factors the OCC must consider is whether the foreign stablecoin issuer "presents illicit finance risks to the United States." In short, a foreign stablecoin that is frequently used in connection with money laundering, financing of terrorism, or sanctions evasion may not be allowed to be issued in the US. In addition, no foreign stablecoin issuer will be accepted if it is domiciled in a country subject to comprehensive US sanctions or designated by Treasury as a "primary money laundering concern."
Even after a foreign issuer is approved and operating, US regulators retain a tight leash. A foreign issuer must consent to US jurisdiction and ongoing monitoring. The OCC can rescind a foreign issuer’s registration if the firm fails to comply with the GENIUS Act's requirements – for example, if it does not maintain adequate reserves or if it poses an illicit finance threat or threat to financial stability of the US. Moreover, the Treasury Secretary can revoke a foreign issuer's US registration upon finding that the issuer is facilitating sanctions evasion, money laundering, or other illicit finance. This revocation is a powerful tool: it means if a foreign stablecoin starts being used to skirt US sanctions or becomes frequently used for illicit means, Treasury can swiftly kick that stablecoin out of the regulated US ecosystem.
***
The financial crimes compliance provisions of the GENIUS Act are significant and contain a number of novel provisions. How these provisions are ultimately implemented and enforced will be critically important for PPSIs and for the digital asset industry generally. For additional information regarding the financial crimes provisions of the GENIUS Act please contact a member of Steptoe’s AML Practice or Blockchain and Cryptocurrency Practice.
[1] All FinCEN-regulated financial institutions are required to have a written AML/CFT compliance program, appoint an individual with responsibility for implementing the program, provide training to relevant company employees, and provide for a periodic independent assessment of the program. But beyond those core pillars, different financial institutions can have somewhat different compliance obligations with various FinCEN requirements applying only to certain types of financial institutions.
[2] On August 18, Treasury published a request for comment on innovative measures to detect illicit finance activity involving digital assets. 90 Fed. Reg. 157 (Aug. 19, 2025), https://www.govinfo.gov/content/pkg/FR-2025-08-18/pdf/2025-15697.pdf.