The cleanest way to understand a new crypto rule is to start with the exploit it is reacting to. Stablecoins — dollar-pegged tokens that move on public blockchains — are now the workhorse of crypto settlement, and that very usefulness has made them a favored conduit for the things regulators least like: laundering proceeds through mixers, routing payments around sanctions, financing the kind of actors who appear on Treasury lists. On June 5, 2026, the Federal Deposit Insurance Corporation published a proposed rule that answers that exploit head-on, and it does so by invoking a statute whose acronym you are going to be seeing a lot: the GENIUS Act.

The rule actually says what it is doing, and it says it plainly. The FDIC proposes to issue regulations under the Guiding and Establishing National Innovation for U.S. Stablecoins Act that would apply Bank Secrecy Act and sanctions-compliance standards to the stablecoin issuers it supervises. Read that twice, because the move it describes is the whole story: a stablecoin issuer is being folded into the same anti-money-laundering and sanctions framework that governs banks. The token may live on a permissionless chain, but the entity minting and redeeming it is being told to behave like a regulated financial institution.

"The Federal Deposit Insurance Corporation (FDIC) proposes to issue regulations pursuant to the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act) that would implement appropriate Bank Secrecy Act (BSA) and sanctions compliance standards applicable to FDIC-supervised permitted payment stablecoin issuers."

Let me define the pieces, because the alphabet soup hides the mechanics. The Bank Secrecy Act is the foundational U.S. anti-money-laundering law: it requires covered institutions to know their customers, monitor for suspicious activity, file reports, and maintain a real compliance program. Sanctions compliance, administered through Treasury's Office of Foreign Assets Control, requires those same institutions to screen against blocked-persons lists and to refuse — or freeze — transactions involving sanctioned parties. A 'permitted payment stablecoin issuer' is the GENIUS Act's term of art for the licensed, supervised entities allowed to issue dollar-backed payment stablecoins under the new regime.

Stack those together and the connection to the exploit snaps into focus. Issuers of major stablecoins already have, and already use, the technical ability to freeze tokens at specific addresses — USDC and others have blacklisted addresses tied to hacks, thefts, and sanctioned entities for years. What the FDIC's proposal does is convert that capability from a discretionary, reputation-driven courtesy into a supervised legal obligation. If you are a permitted issuer, you will be expected to run a BSA program and a sanctions program, to monitor flows, and to act on what you find — the freeze button becomes a duty, with an examiner who can check whether you pressed it.

This is the part worth sitting with, because it cuts against a foundational crypto narrative. The promise of a permissionless stablecoin was money that moves like email — no gatekeeper, no off switch. The reality the GENIUS Act codifies is that the gatekeeper simply moved from the protocol to the issuer. The chain stays open, but the regulated entity at the on-ramp and the redemption window carries bank-grade obligations. For the dominant, fully-reserved, U.S.-supervised stablecoins, the off switch was always there; this rule makes pressing it a matter of law rather than goodwill.

It is worth being precise about scope, because regulation invites overreading. This is a proposed rule, not a final one — it was published for comment, and its specifics can shift before it binds anyone. It reaches FDIC-supervised permitted issuers, a defined slice of the market, not every token that calls itself a stablecoin and not the offshore issuers outside U.S. supervision. And it implements a piece of the GENIUS Act rather than the whole statute; parallel proposals from the OCC, the NCUA, FinCEN, and OFAC are filling in the rest of the framework for the issuers under their respective jurisdictions. The regime is being assembled in pieces across agencies.

But the direction is unmistakable, and it threads neatly into the security side of this beat. The same custody and freeze mechanics that engineers build into stablecoin contracts are the mechanics regulators are now leaning on for enforcement. When a hacked bridge dumps stolen funds into USDC, the issuer's ability to freeze that USDC is both a security feature and, under a rule like this, a compliance expectation. Follow the custody, not the hype: the technical power to control tokens and the legal duty to control them are converging, and this proposal is one of the documents pulling them together.

For builders and analysts, the practical reading is about who now carries the liability. If you issue a permitted payment stablecoin, the cost of compliance — screening, monitoring, reporting, the staff and systems to do it — becomes a structural cost of the business, the same way it is for a bank. That favors well-capitalized, already-regulated issuers and raises the barrier for newcomers, which is a competitive fact worth noting without editorializing about whether it is good or bad. It also means the question 'who can freeze this token, and under what legal compulsion?' now has a clearer, less comfortable answer than the marketing ever admitted.

I will resist the temptation to opine on whether stablecoins 'should' be regulated this way; that is not this column's job. What the documents support is narrower and more useful: a federal banking regulator is, under a named statute, proposing to hold stablecoin issuers to the anti-money-laundering and sanctions standards that govern banks, and the issuers already possess the technical levers to comply. The exploit — value moving through stablecoins past laundering and sanctions controls — and the rule that responds to it are two ends of the same wire.

So watch the comment period and the parallel proposals, because the shape of the final regime will determine how heavy this lands and on whom. But the connection at the center is already legible in the text: a stablecoin is a payment instrument, its issuer is being treated as a financial institution, and the freeze capability quietly engineered into these tokens is becoming the enforcement surface for the Bank Secrecy Act and the sanctions lists. The rule and the exploit, as ever on this beat, turn out to be describing the same thing from opposite ends.