Most regulation lands through a thousand specific obligations. Occasionally it lands through a single word. On April 10, 2026, Treasury's Financial Crimes Enforcement Network and its Office of Foreign Assets Control jointly published a proposed rule that does the latter. Buried in the title — Anti-Money Laundering / Countering the Financing of Terrorism — is a classification move so consequential that everything else in the rule follows from it almost mechanically. The move is to call a stablecoin issuer a "financial institution."
The rule says so directly, and the directness is the point. It implements the GENIUS Act's instruction to treat permitted payment stablecoin issuers as financial institutions for purposes of the Bank Secrecy Act, to impose anti-money-laundering obligations on them, and to require the specific sanctions-compliance measures the statute demands. Read that as a single causal chain: classify the issuer as a BSA financial institution, and the entire pre-built machinery of AML and sanctions law swings into place on top of it, because that machinery is defined to apply to exactly that category of entity.
"Specifically, it implements the GENIUS Act's directive to treat permitted payment stablecoin issuers (PPSIs) as financial institutions for purposes of the Bank Secrecy Act, proposes anti-money laundering obligations for PPSIs, and proposes certain specific obligations required by the GENIUS Act for PPSIs."
It helps to understand why 'financial institution' is the load-bearing phrase. The Bank Secrecy Act does not regulate abstractly; it regulates a defined list of covered entities — banks, money transmitters, and others — by name. If you are on that list, you must maintain an AML program, conduct customer due diligence, monitor for and report suspicious activity, and keep records. If you are not, none of it applies. So the whole fight over whether crypto businesses owe these duties has always reduced to a definitional question: are you a 'financial institution' under the Act? This rule answers that, for permitted stablecoin issuers, with a flat yes.
FinCEN brings the anti-money-laundering half; OFAC brings the sanctions half. FinCEN's domain is the BSA program itself — knowing your customers, watching the flows, filing suspicious-activity reports. OFAC's domain is the blocked-persons lists and the legal duty to screen against them and to freeze or reject transactions that touch a sanctioned party. The two agencies issuing this jointly is itself a signal: they are closing the AML gap and the sanctions gap in the same instrument, so an issuer cannot satisfy one regime while neglecting the other.
Now connect it to the exploit, which is the reason any of this exists. Stablecoins are fast, dollar-denominated, and globally transferable on open networks — an almost ideal medium for moving illicit value if no one at the edges is checking. Laundering networks have used them; sanctioned entities and jurisdictions have reached for them precisely because a token does not ask for a passport. The classic countermeasure in finance is to deputize the chokepoints: the regulated entities through which value must pass to enter or leave the system. For a stablecoin, the cleanest chokepoint is the issuer — the party that mints, redeems, and can freeze. This rule makes that chokepoint a legally accountable one.
What the issuer must now do follows from the designation rather than from any exotic new crypto-specific demand. A permitted stablecoin issuer would have to stand up a genuine AML compliance program, identify and verify customers at the points it controls, monitor transactions for suspicious patterns, report what it finds, and run a sanctions-screening program capable of catching and blocking dealings with listed parties. These are not novel inventions; they are the standard obligations of a regulated financial institution, now pointed at an entity that a few years ago insisted it was merely software.
The honest caveats matter here as much as anywhere. This is a proposed rule, published for comment, and its operational specifics — thresholds, timelines, the exact contours of the obligations — can change before it binds. It governs permitted payment stablecoin issuers, the GENIUS Act's defined and supervised category, not every token marketed as a stablecoin and not the offshore issuers beyond Treasury's practical reach. And it is one strand of a regime woven across several agencies: the FDIC's BSA-and-sanctions proposal, the OCC's reporting forms, the NCUA's issuance rules. They rhyme because they implement the same statute from different jurisdictional seats.
But the structural insight survives all those caveats. Whether crypto firms owe AML and sanctions duties was, for a decade, argued as a deep philosophical question about the nature of decentralized money. This rule reframes it as a narrow definitional one and then answers it: a permitted stablecoin issuer is a financial institution, full stop, and the rest is consequence. Follow the classification, not the rhetoric. Once the label attaches, the freeze button the issuer already has becomes a sanctions tool the issuer is legally bound to use, and the customer data it already touches becomes information it is legally bound to police.
For builders, the takeaway is about where the liability now sits and what it costs to carry. Becoming a BSA financial institution is not a checkbox; it is an operating posture — staff, systems, audits, examinations, and personal accountability for compliance officers. That cost reshapes the market: it advantages issuers already built to bank standards and pressures those who are not, a competitive reality I will note without grading. The token can still move permissionlessly on-chain; the entity that issues it now answers to FinCEN and OFAC the way a money transmitter does.
So the rule and the exploit, once again, turn out to be the same object seen from two sides. The exploit is value slipping through stablecoins past anti-money-laundering and sanctions controls. The rule is Treasury declaring that the issuer of that stablecoin is a financial institution and therefore owns the duty to stop it. The whole apparatus pivots on one classification — and that is exactly why this otherwise dense proposed rule is one of the documents on this beat most worth reading in full.