Treasury Proposes AML/CFT and Sanctions Compliance Requirements for Permitted Payment Stablecoin Issuers

The Treasury Department, through a coordinated rulemaking effort involving OFAC and FinCEN, has taken a significant step toward formalizing anti-money laundering and sanctions compliance expectations for a rapidly evolving segment of the financial services industry—permitted payment stablecoin issuers. The recently issued Notice of Proposed Rulemaking reflects a deliberate attempt to bring these entities squarely within the ambit of the Bank Secrecy Act framework, while at the same time tailoring requirements to account for the unique operational and technological characteristics of stablecoin-based payment systems. The proposal signals not only regulatory maturation in the digital asset space, but also a clear expectation that stablecoin issuers will adopt compliance architectures comparable in rigor to those long imposed on traditional financial institutions.

At its core, the proposed rule establishes a comprehensive AML/CFT program requirement that mirrors, in structure and substance, the familiar pillars of the Bank Secrecy Act. Permitted payment stablecoin issuers would be required to implement written compliance programs that are formally approved by the board of directors or equivalent governing authority, thereby embedding accountability at the highest levels of organizational governance. These programs must include internal controls reasonably designed to ensure ongoing compliance, robust procedures for maintaining and updating customer information—including beneficial ownership data—and independent testing conducted either internally or by qualified third parties. In addition, the proposal requires designation of a qualified compliance officer located in the United States and subject to regulatory oversight, as well as the establishment of a continuous employee training program.

Beyond these baseline requirements, the NPRM underscores the importance of operationalizing compliance in a manner that is demonstrable and verifiable. It is not sufficient for a stablecoin issuer to maintain a theoretical or paper-based compliance program. Rather, the rule explicitly requires that the AML/CFT program be implemented “in all material respects,” reinforcing the longstanding regulatory principle that effectiveness—not mere formal adoption—will serve as the benchmark for compliance. This emphasis is further reflected in the requirement that issuers make their AML/CFT programs available to FinCEN upon request and provide certifications evidencing implementation to their primary regulators. Taken together, these provisions signal a clear expectation that regulators will scrutinize not only program design, but also execution and ongoing effectiveness.

The proposed rule also introduces a structured supervisory and enforcement framework that aligns stablecoin issuers with broader financial regulatory practice. FinCEN defines “AML/CFT enforcement actions” broadly to include both formal and informal measures, such as cease-and-desist orders, consent orders, and civil monetary penalties, thereby preserving a wide range of remedial tools. At the same time, the NPRM articulates a measured enforcement posture, providing that entities that have established compliant programs will generally not be subject to enforcement actions absent significant or systemic failures. This approach reflects an effort to incentivize proactive compliance while reserving enforcement for material deficiencies and breakdowns in program implementation.

From a sanctions compliance perspective, the implications of the proposed rule are equally significant, even where not expressly delineated in standalone provisions. By bringing stablecoin issuers within the broader AML/CFT framework, the rule necessarily incorporates sanctions screening, transaction monitoring, and reporting obligations as integral components of a compliant program. In practice, this means that stablecoin issuers will be expected to implement screening protocols capable of identifying blocked persons and prohibited jurisdictions, integrate sanctions risk into customer due diligence processes, and maintain controls sufficient to prevent the facilitation of prohibited transactions. Given the speed and pseudonymity often associated with blockchain-based transactions, these expectations will present substantial operational challenges and will likely require investment in advanced analytics and monitoring tools.

The NPRM must also be understood in the broader context of regulatory convergence across digital assets and traditional finance. For several years, regulators have grappled with the question of how to apply legacy compliance frameworks to emerging technologies without stifling innovation. This proposal reflects a decisive shift toward harmonization, making clear that the core principles of financial crime compliance—transparency, accountability, and traceability—apply with equal force in the digital asset ecosystem. In this respect, the rule does not so much create a new compliance paradigm as it extends an existing one into a new technological domain.

For companies operating in or adjacent to the stablecoin ecosystem, the practical implications are immediate and substantial. Organizations should begin by conducting a comprehensive gap assessment to evaluate existing compliance capabilities against the proposed requirements. This process should include a detailed review of customer onboarding procedures, beneficial ownership identification, transaction monitoring systems, and sanctions screening protocols. Particular attention should be paid to governance structures, including board oversight and the designation of a qualified compliance officer, as these elements will be subject to heightened regulatory scrutiny. Companies should also consider the development of documented policies and procedures that reflect not only regulatory requirements but also the specific risk profile of their operations.

In parallel, organizations should prioritize the development of documentation and evidentiary records that demonstrate the operationalization of compliance controls. As the NPRM makes clear, regulators will expect issuers to substantiate their compliance efforts through contemporaneous records, testing results, and internal reporting. This includes maintaining detailed records of customer due diligence, transaction monitoring alerts, and escalation processes, as well as documenting the rationale for risk-based decisions. In an enforcement context, the ability to produce such documentation will be critical in demonstrating good faith compliance and mitigating potential liability.

Finally, companies should closely monitor the progression of the rulemaking process and be prepared to engage with regulators through the comment process where appropriate. Given the technical complexity and rapidly evolving nature of the digital asset space, industry input will play an important role in shaping the final contours of the rule. At the same time, organizations should not delay in beginning to align their compliance frameworks with the proposed requirements, as the direction of travel is clear and the expectations articulated in the NPRM are unlikely to be materially relaxed.

In sum, the Treasury Department’s proposed rule represents a pivotal development in the regulation of stablecoin issuers, marking the transition from a largely unstructured compliance environment to one defined by clear, enforceable expectations. By extending the core principles of AML/CFT and sanctions compliance to this sector, regulators are signaling that digital innovation does not exist outside the bounds of financial crime risk management. For industry participants, the message is equally clear: robust, well-documented, and operationalized compliance programs are no longer optional, but essential components of doing business in the evolving digital asset landscape.
