OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Surveillance· June 6, 2026· 5 min read

Treasury Tells Stablecoin Issuers to Screen Your Self-Custody Transfers

On April 10, 2026, FinCEN and OFAC jointly published a proposed rule implementing the GENIUS Act's AML requirements for a new regulatory category: Permitted Payment Stablecoin Issuers (PPSIs). The rule treats licensed stablecoin issuers as Bank Secrecy Act financial institutions, requires AML programs and suspicious activity reporting at bank-grade standards, and introduces the first federal codification of an effective OFAC sanctions compliance program for any crypto entity. The provision drawing the most attention from privacy advocates is the unhosted wallet screening requirement: PPSIs must build the technical capability to block and reject transfers involving sanctioned addresses, including transfers between 2 self-custody wallets where no PPSI customer account is involved. The comment period closes June 9, 2026.

Key takeaways

  1. On April 10, 2026, FinCEN and OFAC jointly published a proposed rule in the Federal Register implementing the GENIUS Act's AML requirements for Permitted Payment Stablecoin Issuers (PPSIs). The rule creates a new Bank Secrecy Act financial institution category distinct from money services businesses (MSBs), covering all 3 PPSI pathways under the GENIUS Act: federal issuers approved by the OCC, state issuers approved by state regulators, and bank subsidiaries approved by their primary federal regulator. FinCEN will simultaneously revise the MSB definition to explicitly exclude PPSIs. The comment period closes June 9, 2026. Final rule is expected July 18, 2026. Effective compliance date is January 2027
  2. The core AML obligations match bank-grade compliance standards. PPSIs must establish AML/CFT programs with policies and procedures, internal controls, independent testing, and training. They must file Suspicious Activity Reports (SARs) with FinCEN for transactions above $5,000 that they know, suspect, or have reason to suspect involve illicit activity. They must comply with BSA information-sharing frameworks under Section 314(a) requests from law enforcement and voluntary 314(b) sharing with other financial institutions. Records must be maintained for 5 years
  3. The OFAC component of the rule introduces the first federal codification of what constitutes an effective OFAC sanctions compliance program for any crypto entity. Prior OFAC guidance was advisory. Under the proposed rule, PPSIs must maintain programs with 5 documented elements: management commitment, risk assessment, internal controls, testing and auditing, and training. Issuers face civil penalties for failing to maintain required program elements, even absent an underlying sanctions violation. This is a meaningful escalation from the advisory framework, which had no penalty structure for program inadequacy
  4. The provision with the most direct implications for self-custody Bitcoin holders is the unhosted wallet screening requirement. PPSIs must have the technical capability to block, freeze, and reject transactions involving sanctioned persons or jurisdictions. This requirement extends to transfers between 2 unhosted wallets where no PPSI account is involved but the stablecoin is the settlement medium. This obligates stablecoin issuers to screen not just their direct customers but the counterparty addresses of any transfer involving their token, including self-custody wallets the issuer has no direct customer relationship with
  5. Bitcoin held in self-custody has no issuer that can be compelled to implement a compliance program. USDT, USDC, and any GENIUS Act PPSI token have an issuer that is now legally required to screen transactions involving any address their token touches. The compliance obligation follows the asset, not the customer relationship. Every address that receives or sends a regulated stablecoin is a mandatory input to the issuer's compliance infrastructure under the proposed rule. If your self-custody wallet ever appears in a regulated stablecoin transaction, that address is screened against OFAC's SDN list by a federally mandated compliance program

What Happened

On April 10, 2026, the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) jointly published a Notice of Proposed Rulemaking in the Federal Register implementing the GENIUS Act's anti-money laundering requirements for a new category of regulated entity: Permitted Payment Stablecoin Issuers. The rule establishes that PPSIs, meaning entities authorized under the GENIUS Act's 3 regulatory pathways (OCC-regulated federal issuers, state-regulated issuers, and bank subsidiaries approved by their primary federal regulator), are financial institutions under the Bank Secrecy Act. As BSA financial institutions, PPSIs must implement the same class of AML/CFT programs previously applied to banks, broker-dealers, and money services businesses. FinCEN is simultaneously proposing to revise the MSB definition to explicitly exclude PPSIs, creating a distinct compliance category rather than slotting stablecoin issuers into the existing MSB framework. The comment period closes June 9, 2026. A final rule is expected July 18, 2026. The effective compliance date is January 2027.

The proposed rule arrives approximately 5 months after the GENIUS Act was enacted and represents the regulatory implementation phase of the statute. Treasury framed the rule as closing illicit finance vulnerabilities in the stablecoin ecosystem, which processes trillion-dollar volumes in settlement transactions annually. The rule is the primary vehicle through which the GENIUS Act's compliance framework becomes operational: a stablecoin issuer that is licensed as a PPSI under the GENIUS Act but has not implemented the required AML program will face BSA enforcement, not just regulatory guidance. The distinction matters because guidance creates aspirational standards while rulemaking creates enforceable obligations backed by civil and criminal penalties. For the stablecoin industry, June 9 is the last opportunity to shape the final regulation before Treasury locks in the compliance architecture.

The Compliance Architecture

The AML obligations imposed on PPSIs under the proposed rule are substantive and match bank-grade compliance standards. PPSIs must establish and maintain AML/CFT programs with 4 required elements: policies and procedures designed to detect and prevent money laundering and terrorist financing, internal controls, independent testing, and training. PPSIs must file Suspicious Activity Reports with FinCEN for any transaction above $5,000 that the issuer knows, suspects, or has reason to suspect involves funds from illegal activity or is designed to evade reporting requirements. PPSIs must maintain transaction records for 5 years. They must comply with FinCEN's information-sharing frameworks under BSA Section 314(a) and 314(b), which require sharing transaction information with law enforcement on request and permit voluntary sharing between financial institutions. The rule's supporters argue this is appropriate: banks screen every wire transfer against the SDN list, MSBs file SARs for suspicious transactions, and the compliance architecture being applied to PPSIs simply brings a systemically important asset class under the same standard.

The OFAC component of the rule introduces something genuinely new to crypto compliance: the first federal codification of what constitutes an effective OFAC sanctions compliance program for any crypto entity. Prior OFAC guidance on crypto compliance was advisory and non-binding. Under the proposed rule, PPSIs must maintain documented programs with 5 specific elements (management commitment, risk assessment, internal controls, testing and auditing, training) and face civil penalties for failing to maintain required elements, even absent an underlying sanctions violation. A PPSI that does not have a documented risk assessment, or whose compliance program fails the internal controls standard, could face OFAC enforcement even if that issuer has never processed a transaction with a sanctioned entity. This is a meaningful escalation: the penalty structure is no longer tied exclusively to the underlying violation but to the adequacy of the compliance program itself.

The Unhosted Wallet Provision

The provision with the most direct implications for self-custody Bitcoin holders is the unhosted wallet screening requirement. FinCEN and OFAC require PPSIs to have the technical capability to block, freeze, and reject transactions involving sanctioned persons or jurisdictions. Critically, this requirement extends to transfers between 2 unhosted wallets where no PPSI customer account is the direct counterparty but the stablecoin is the settlement medium. The plain reading: if USDT or USDC is being transferred peer-to-peer between 2 self-custody addresses, Tether and Circle will need the technical infrastructure to determine whether either address is on OFAC's SDN list and block the transfer if so. The issuer's compliance obligation does not require a direct customer relationship with the wallet in question. It requires that any address involved in a transaction with their token be screened.

This is an architectural shift from the existing compliance model. Prior stablecoin compliance depended primarily on exchange-level and custodial screening at the fiat on-ramp and off-ramp. The PPSI rule moves the compliance obligation into the token transfer layer itself, obligating issuers to screen not just their registered customers but the counterparty addresses of any transfer their token touches. In practice, this requires real-time address screening infrastructure capable of evaluating every transaction broadcast to the issuer's token smart contract. The compliance cost and the data collection requirement are both substantial. The implication for self-custody users is structural: every self-custody wallet address that ever receives or sends a regulated stablecoin becomes a potential input to the issuer's compliance database, screened against federal sanctions lists by an issuer who may have no other relationship with that address.

What This Means for You

If you self-custody Bitcoin in your own keys on the Bitcoin network, this rule has no direct impact on your BTC holdings. The PPSI rule applies to stablecoin issuers, not to Bitcoin's protocol. Bitcoin has no issuer to compel, no smart contract to update, no compliance program to implement. The UTXOs in your hardware wallet are not visible to any regulated stablecoin issuer unless you transfer a regulated stablecoin to or from those addresses. If your operational stack uses only native BTC held in self-custody, the compliance architecture being built under the GENIUS Act for PPSIs is architecturally irrelevant to your stored value. The distinction that matters is not whether you are a PPSI customer, but whether your asset has an issuer that can be compelled to screen your transactions. Bitcoin's answer is no. Regulated stablecoins' answer is now yes, by federal mandate.

If you use regulated stablecoins for any purpose, the PPSI rule changes the risk profile of holding those tokens in self-custody. Under the proposed architecture, every time you receive USDT or USDC from an exchange, counterparty, or DeFi protocol, the issuer's compliance infrastructure will screen your receiving address against OFAC's sanctions lists. If that address has ever been associated with a sanctioned counterparty through chain analysis, address clustering, or any other attribution method, that association becomes a compliance flag for the issuer. Your private keys give you cryptographic control of the address. They do not insulate you from being screened by the issuer's compliance engine every time that address appears in a stablecoin transaction. The rule makes this screening technically mandatory and federally enforceable, not discretionary. The concrete action item before June 9: if you have comments on the unhosted wallet provision specifically, the Federal Register docket accepts public comment and the deadline is 3 days away.

What to Watch

Watch the June 9 comment docket for industry pushback on the unhosted wallet provision, specifically from privacy advocacy organizations and DeFi protocol teams whose smart contracts rely on stablecoins as settlement currency. The technical requirement to screen peer-to-peer transfers between self-custody addresses is operationally novel and the most contestable element of the rule. The final rule publication, expected July 18, 2026, should be checked for any modifications to the unhosted wallet screening requirement based on comment submissions. Whether the new OFAC effective compliance program codification generates enforcement actions before the January 2027 effective date is an open question, because Treasury has historically moved quickly once a codified standard is in place. How Tether, Circle, and the GENIUS Act's 3 classes of designated issuers actually implement real-time address screening at the token transfer layer is decisive, because the technical architecture that emerges will determine the practical reach of the compliance mandate. And watch whether unhosted wallet screening becomes a model for future rules targeting DeFi protocols with identifiable governance entities.

Stablecoins have an issuer. The issuer is now a Bank Secrecy Act financial institution. And your self-custody wallet address is a mandatory compliance input for every transaction that touches a regulated stablecoin.

Sources

  1. [1]FinCEN and OFAC — 'Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements', Federal Register Vol. 91 Doc. 2026-06963, April 10, 2026
  2. [2]US Department of the Treasury — Press release SB0435: 'Treasury Proposes Rule to Implement the GENIUS Act's Requirements to Counter Illicit Finance', April 2026
  3. [3]Covington and Burling LLP — 'FinCEN and OFAC Propose AML/CFT and Sanctions Framework for Permitted Payment Stablecoin Issuers: Five Things to Know', April 2026
  4. [4]TRM Labs — 'What the GENIUS Act PPSI Rule Means for Stablecoin Issuers', April 2026
  5. [5]Business Law Today (ABA) — 'From Money Transmitters to PPSIs: Treasury's Proposed Stablecoin Compliance Framework', June 2026
  6. [6]Mayer Brown LLP — 'Stable Rules for Stablecoins: Treasury Proposes AML and Sanctions Framework for Issuers', April 2026
  7. [7]Orrick, Herrington and Sutcliffe LLP — 'FinCEN and OFAC Propose Rule for Payment Stablecoin Issuers to Implement GENIUS Act', April 2026

More in Surveillance

OFAC Sanctions Four Iranian Crypto Exchanges in Largest ActionBessent Details Operation Economic Fury's $1B Keystroke Seizure