
Stablecoin Compliance Infrastructure for the GENIUS Era: Our Comment Letter to U.S. Treasury
Predicate Team • June 17, 2026
Last week, we filed a comment in response to the Department of Treasury’s proposed rule outlining AML/CFT and sanctions screening requirements for U.S. stablecoin issuers. While GENIUS defines baseline technical capabilities required for screening, it leaves the exact implementation and standard setting to the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC).
The proposed rule outlines how stablecoin issuers should implement AML/CFT and sanctions screening programs using the address freezing and blocking capabilities GENIUS requires. We applaud the rule’s distinction between primary markets, where issuers deal directly with customers, and secondary markets, where they do not. However, the rule could give stablecoin issuers more clarity on how to manage AML/CFT and sanctions risk in secondary markets, and greater authority to close gaps that malicious actors exploit today. Our comment addresses that with two core recommendations to FinCEN and OFAC:
1. Provide issuers greater discretion to proactively restrict and freeze high-risk addresses
2. Encourage issuers to adopt automated restrictions alongside manual workflows
The GENIUS Act is poised to make the U.S. the global hub of stablecoin innovation. Our recommendations on Treasury’s proposed rule would allow U.S. issuers to set responsible, growth-oriented global standards for stablecoin compliance and build greater trust in blockchains overall.
Encourage proactive enforcement by issuers
Our first recommendation is that issuers be given greater discretion to decide when to freeze addresses and prevent them from using their stablecoin.
Today, U.S. stablecoin issuers generally freeze addresses that have been specifically flagged by OFAC or are subject to a lawful order. While issuer compliance teams and other industry participants often identify other high-risk addresses tied to sanctioned and malicious actors, freezing them without explicit OFAC guidance or a lawful order exposes issuers to legal risk. This paradigm makes compliance enforcement too slow to effectively counter illicit finance, as malicious actors can spin up new wallets, drain DeFi protocols, and bridge funds to new blockchains in minutes – well before OFAC or any law enforcement agency can publicly flag them and give issuers clear authority to act.
Sanctions are a clear example of the current model’s shortcomings. Most issuers today restrict only the static list of addresses OFAC has publicly tied to sanctioned actors, even though those actors can easily create new addresses. However, issuers can readily identify the other addresses the OFAC-designated ones transact with. An address that receives a large transfer directly from a sanctioned address is almost certainly controlled by the same actor or a close associate, and likely warrants restriction – but most issuers leave those addresses untouched. Similarly, blockchain analytics firms routinely identify addresses associated with terrorism financing and other forms of ultra high-risk illicit activity, but these typically go unfrozen as well.
DeFi exploits are another example with even higher stakes given the importance of speed. The Drift Protocol hack earlier this year provides a stark illustration – North Korean hackers stole $285 million, which was then converted into stablecoins and bridged to new blockchains within hours. Blockchain sleuths and threat detection firms identified and publicized the hackers’ addresses in near-real time, but issuers did not freeze them. If those issuers had explicit encouragement from regulators to proactively freeze in that situation, they could have halted the funds mid-exploit, accelerating recovery for users and denying the North Korean government hundreds of millions of dollars.
We believe that regulation should give stablecoin issuers discretion to proactively restrict malicious actors from using their assets. Whether that comes in the form of a safe harbor law protecting good-faith efforts to freeze high-risk addresses or through another mechanism, such a policy would give issuers stronger compliance enforcement capabilities and make blockchains safer for all users.
Encourage automated enforcement alongside manual workflows
A stronger enforcement mandate is only half the battle. Issuers also need better systems to exercise that mandate effectively, starting with automated enforcement. Today, most issuers execute address restrictions – crucial for maintaining compliance in secondary markets – through manual freezes. Under this model, many issuers take days to act on OFAC designations, as the update must work its way through compliance, engineering, and other teams to take effect onchain. Onchain compliance enforcement infrastructure, like Predicate, cuts the process to minutes by detecting new additions to the OFAC list and executing the restrictions automatically.
Beyond OFAC list updates, issuers can take the same approach to other high-confidence risk signals. For instance, real-time threat detection feeds can quickly identify addresses tied to active exploits. By connecting those feeds to onchain policy enforcement infrastructure, issuers can block those addresses as soon as they’re identified, preventing hackers from acquiring the stablecoin. Issuers can also automatically screen holders of their stablecoin against data from Information Sharing and Analysis Centers (ISAC) and blockchain analytics providers, and restrict addresses flagged for other forms of illicit activity like terrorism financing or drug sales.
However, automation has limits in a sound compliance program. Issuers must weigh the confidence of each risk signal alongside findings from manual investigations. Compliance teams need to account for a myriad of data inputs, forensics analyses, and how potential malicious actors are interfacing with the issuer’s platform. Nor does every freeze need to be permanent. In many cases, stablecoin issuers can pause the address, temporarily restricting it from using the stablecoin while compliance investigates. Every issuer will need to enact the best policy for their business model and risk framework. The framework below illustrates an approach that would work for many issuers:

Automated compliance enforcement gives stablecoin issuers better consistency, accuracy, and speed when restricting high-risk addresses, while also reducing the workload for compliance teams. When implemented alongside manual compliance workflows for more complex risk assessments, this tooling enables issuers to run a robust, comprehensive AML/CFT and sanctions program in secondary markets. Furthermore, the automated mechanisms we outline do not require issuers to adopt additional measures on secondary markets, such as KYC & KYB or SARs requirements.
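The automated path described in this section (detect new additions to the OFAC list, weigh other risk signals by confidence, and pause rather than freeze when compliance still needs to investigate) is shown here as an added example. It is not Predicate's code and not the framework from the comment letter; the source labels, the three actions, the 0.9 threshold and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Action(IntEnum):           # ordered so max() keeps the strictest action
    MANUAL_REVIEW = 1
    PAUSE = 2                    # temporary restriction while compliance investigates
    FREEZE = 3

@dataclass(frozen=True)
class Signal:
    source: str                  # hypothetical labels: "ofac", "threat_feed", "analytics"
    address: str
    confidence: float            # 0.0-1.0 as reported by the source

PAUSE_THRESHOLD = 0.9            # assumed policy value; each issuer sets its own

def normalize(address: str) -> str:
    return address.strip().lower()    # EVM hex addresses compare case-insensitively

def new_designations(previous: set, current: set) -> set:
    """Addresses in the current sanctions snapshot that were not in the previous one."""
    return {normalize(a) for a in current} - {normalize(a) for a in previous}

def decide(signal: Signal) -> Action:
    if signal.source == "ofac":
        return Action.FREEZE              # explicit designation: restrict automatically
    if signal.confidence >= PAUSE_THRESHOLD:
        return Action.PAUSE               # high-confidence feed: pause, then investigate
    return Action.MANUAL_REVIEW           # weaker signal: route to the compliance team

def plan(previous: set, current: set, feed_signals: list) -> dict:
    """Map each newly flagged address to the strictest action any signal justifies."""
    signals = [Signal("ofac", a, 1.0) for a in new_designations(previous, current)]
    signals += [Signal(s.source, normalize(s.address), s.confidence) for s in feed_signals]
    actions = {}
    for s in signals:
        actions[s.address] = max(actions.get(s.address, Action.MANUAL_REVIEW), decide(s))
    return actions

# Constructed sample data (not real addresses or real feed output).
OLD_LIST = {"0x" + "a1" * 20}
NEW_LIST = {"0x" + "A1" * 20, "0x" + "b2" * 20}      # one new designation, one re-cased
FEED = [Signal("threat_feed", "0x" + "c3" * 20, 0.97),
        Signal("analytics", "0x" + "d4" * 20, 0.55),
        Signal("threat_feed", "0x" + "B2" * 20, 0.95)]  # also newly designated

if __name__ == "__main__":
    for addr, action in sorted(plan(OLD_LIST, NEW_LIST, FEED).items()):
        print(addr, action.name)
```

Diffing snapshots means an address already on the list is not acted on a second time, and an address flagged by several sources receives the strictest applicable action.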
Real-time stablecoin compliance enforcement is already live today. MetaMask USD, Startale USD, M0, and others currently rely on Predicate Asset Compliance for automated stablecoin compliance.
Advancing the digital dollar
Stablecoin issuers are a natural point of compliance enforcement in blockchain ecosystems. They are centralized and control the asset, which means they are best positioned to take action against malicious actors that permissionless protocols by design cannot, with the precision and auditability that regulators and institutions need.
The GENIUS Act positions U.S. dollar stablecoins to serve as settlement infrastructure for global finance, and that role demands markets with credible, consistently enforced rules. Issuers equipped with real discretion and automated enforcement are the key to realizing that vision and expanding the dollar’s reach.
Read our full comment letter here.


