Stablecoin compliance: What you need to know about the GENIUS Act and PPSIs
- The GENIUS Act and new proposed rules clarify stablecoin compliance, setting expectations for how they are issued, backed and governed.
- The introduction of Permitted Payment Stablecoin Issuers (PPSIs) and requiring them to maintain BSA/AML obligations provides a recognizable compliance structure while rules are still being finalized.
- Clearer regulatory guidance is positioning stablecoins as a more viable option for digital payments in the future.
For years, at most community banks and credit unions, stablecoins felt like something happening somewhere else. However, new regulatory shifts are bringing them closer to the financial mainstream.
The GENIUS Act and the resulting 2026 FinCEN and joint-agency notices of proposed rulemakings (NPRM) move payment stablecoin issuance into a more familiar regulatory structure. The key new player is the Permitted Payment Stablecoin Issuer (PPSI), which may become a bank customer or a fintech partner.
Understanding how these new regulatory shifts are reshaping oversight and stablecoin compliance is the first step toward evaluating the potential benefits and risks of this emerging digital payment system.
What are stablecoins?
A stablecoin is a type of cryptocurrency designed to maintain a stable value relative to another asset, most commonly the U.S. dollar. The National Institute of Standards and Technology (NIST) describes stablecoins as cryptocurrencies whose price is pegged to another asset, typically one with low price volatility. NIST also explains that stablecoins can differ significantly depending on what backs the coin, how the coin is issued and how the peg is maintained.
Not all stablecoins are built the same way. Some are backed by traditional financial assets, such as cash or short-term government securities. Others rely on crypto collateral. Some have even relied on algorithms and a second token to try to maintain the peg.
For BSA/AML professionals, that distinction is not academic. As a NIST report explains, the structure of the coin affects its risk, its controls and the type of due diligence a bank should perform.
A few terms help make the rest of the discussion easier:
- Token: A digital unit recorded on a blockchain. In the stablecoin context, the token represents a claim or unit of value that can be transferred between digital wallets.
- Permitted Payment Stablecoin Issuer: A regulated entity authorized under the GENIUS Act to issue fully backed stablecoins in the United States. These issuers must meet financial institution-like standards for reserves, compliance and oversight, positioning them as the legal foundation for stablecoin-based payment systems.
- Blockchain: A distributed ledger maintained across a network of computers. Public blockchains are typically pseudonymous, but the transactions are visible on the ledger.
- Smart contract: A code deployed to a blockchain that can execute predefined functions. FinCEN’s NPRM, citing NIST, describes a smart contract as “a collection of code and data” deployed using cryptographically signed transactions and executed by nodes on a blockchain network.
- Payment stablecoin: Under the GENIUS Act framework, a narrower concept than the general technical meaning of stablecoin. It is intended to function as a payment instrument and is subject to specific reserve, redemption and regulatory requirements.
- Primary market activity: PPSI interacting directly with a user or holder. This includes activities such as issuing, redeeming, converting, repurchasing, burning or reissuing payment stablecoins.
- Secondary market activity: Involves transfers that occur after issuance, when tokens move between third parties on a blockchain and the PPSI is not directly acting as the customer-facing counterparty.
How do stablecoins work?
The simplified version of how stablecoins work would look like:
- A stablecoin issuer receives U.S. dollars from their customer.
- The issuer places the dollars into permitted reserve assets.
- The PPSI then “mints” an equivalent amount of stablecoin tokens and sends them to their customer’s wallet.
- The customer can then hold the tokens, transfer them or use them for payment.
When the customer wants dollars back, the process runs in reverse: The customer redeems the tokens, the PPSI returns dollars and the tokens are typically removed from circulation.
That last step is important. The redemption promise is what connects the blockchain token to the traditional financial system. It is also what makes the issuer’s reserve practices, liquidity, controls and customer identification procedures so important.
Under the GENIUS Act framework, payment stablecoins must be backed by permitted reserve assets. The framework is designed around a reserve-backed model, not an algorithmic model.
The impact of the GENIUS Act and PPSIs on BSA/AML
The GENIUS Act created a federal framework for payment stablecoins and directed that PPSIs be treated as financial institutions under the Bank Secrecy Act.
The Treasury describes the act as requiring PPSIs to maintain anti-money laundering obligations and effective sanctions compliance programs. The GENIUS Act pulls PPSIs toward a recognizable BSA/AML structure, with implementing rules still being finalized.
Additional regulatory shifts include:
- The April 2026, FinCEN/OFAC NPRM: This NPRM implements the AML/CFT and sanctions compliance portions of the GENIUS Act. The proposed rule would treat PPSIs as financial institutions for BSA purposes, impose AML obligations and require effective sanctions compliance programs.
- The June 2026, joint customer identification programs NPRM: Issued by FinCEN together with the OCC, Federal Reserve Board, FDIC and NCUA, this NPRM addresses customer identification. The proposal would require PPSIs to maintain written customer identification programs (CIP). Before opening an account, a PPSI would need to obtain the customer’s name, date of birth or formation, address and identification number. The PPSI would also need procedures to verify identity, handle situations where identity cannot be verified, maintain records, provide customer notice and check customers against government lists.
For a BSA officer, this should sound familiar. The CIP NPRM looks and feels like bank CIP, adapted to PPSIs.
That familiarity is useful. It gives compliance teams a practical starting point for due diligence: Does the PPSI collect the expected information? How does it verify identity? What does it do when verification fails? Does it rely on another financial institution, and if so, when? How are records maintained?
How BSA/AML teams can build a stablecoin compliance framework
While the final rules may still evolve, institutions that are considering providing banking services to or partnering with a PPSI have enough direction to begin building a due diligence and ongoing monitoring framework. In practice, these steps will be much like a composite of industry best practices and regulatory guidance applied towards principal money services businesses, third party payment processors and fintech partners.
Here is a list of specific areas of focus recommended for initial and ongoing due diligence:
- Ownership and licensing status
- Audit and examination results
- Stablecoin type and reserve model
- Reserve assets, custodians, reporting and redemption procedures
- CIP and customer verification process
- AML/CFT program governance, staffing, monitoring, SAR process and independent testing
- Sanctions screening and on-chain restriction controls
- Blockchain analytics tools and alert disposition process
- Exposure to secondary-market, cross-chain and decentralized finance activity
- Contingency planning for depegging, high-volume redemptions or operational disruption
Your compliance framework does not need to be overengineered. Ultimately, the goal is to translate your institution’s existing third-party, high-risk customer and BSA/AML governance practices into a stablecoin context.
Moving forward with stablecoin adoption
The GENIUS Act and the FinCEN-led NPRMs bring PPSIs into a more familiar compliance structure, but the underlying activity still involves blockchain-based tokens, wallet activity, smart contracts and secondary-market transfers.
The good news is that the basic compliance questions are not new:
- Who is the customer?
- What is the product?
- How does money move?
- Where can illicit finance enter?
- What controls exist?
- Are the controls tested and documented?
- Are there any concerns with the third-party service provider (i.e., the PPSI) themselves?
For financial institutions, the most useful mindset is neither skepticism nor enthusiasm. Stablecoins may become an important digital payment tool, especially for faster settlement and cross-border use cases. However, institutions should approach PPSI relationships the same way they would approach any other high-impact financial services relationship: Understand the business model, verify the control environment and make sure the compliance program is strong enough for the risk.
For BSA/AML teams managing risks and monitoring for suspicious activity, the point is not to become blockchain engineers. The point is to understand enough about how stablecoins work and what the GENIUS Act requires to ask better questions, identify where illicit finance risk enters the picture, evaluate whether a PPSI’s controls make sense and strengthen third-party risk management overall.
How Wipfli can help
Stablecoins can become a powerful digital payment tool for institutions that have the right foundation in place. Wipfli helps financial institutions strengthen compliance, reduce risk and stay ahead of changing regulatory expectations. Talk to our financial services team today about how you can build a compliance framework that supports long-term growth and resilience.
Explore our risk advisory services