Blockaid's comment to FinCEN and OFAC
Re: Comment on Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements; Docket No. FINCEN-2026-0100; RIN 1506-AB73
June 9, 2026
Via Electronic Submission
Regulatory and Strategic Affairs Division, Financial Crimes Enforcement Network, U.S. Department of the Treasury
Office of Foreign Assets Control, United States Department of the Treasury
Dear Sir or Madam:
Blockaid is pleased to respond to the joint notice of proposed rulemaking issued by the Financial Crimes Enforcement Network ("FinCEN") and the Office of Foreign Assets Control ("OFAC," and together with FinCEN, the "Agencies") titled Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements (the "Proposal").[1] Blockaid appreciates the opportunity to provide comments on the Agencies' proposed implementation of the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the "GENIUS Act") as it relates to anti-money laundering and countering the financing of terrorism ("AML/CFT"), sanctions compliance, and technical capability requirements for permitted payment stablecoin issuers ("PPSIs," and each a "PPSI").
As a provider of blockchain security and real-time transaction risk technology, Blockaid offers the following comments to assist FinCEN and OFAC in developing a final rule that is effective, risk-based, operationally workable, and appropriately tailored to the technical realities of blockchain-based payment stablecoin activity.
I. About Blockaid
Blockaid is a blockchain security company that provides real-time transaction monitoring, pre-transaction risk analysis, and onchain threat prevention services to stablecoin issuers, digital asset exchanges, payment processors, custodians, and other financial institutions operating in blockchain-based markets. Blockaid's platform analyzes billions of transactions and combines pre- and post-transaction visibility, onchain data analysis, and internet-wide scanning to help detect and respond to threats.[2] Blockaid's platform simulates transaction outcomes before execution, detects behavioral and exposure-based risk indicators, and enables financial institutions to identify and prevent illicit activity, sanctions exposures, and fraud before settlement occurs.[3]
Blockaid's technology is directly relevant to the obligations the Proposal would impose on PPSIs under the GENIUS Act. Blockaid has also previously urged federal regulators to recognize pre-execution, transaction-level safeguards in digital-asset markets.[4] We submit this comment to assist the agencies in designing a final rule that reflects the operational realities of blockchain-based financial systems and promotes compliance frameworks that are effective, risk-based, and technically achievable.
Blockaid supports the overall structure of the Proposal. We write to offer specific recommendations on the Proposal's AML/CFT program requirements, additional technical capabilities obligations, the secondary market approach, and the sanctions compliance program framework. These recommendations are targeted, risk-based, and directed at improving prevention without turning the rule into a high-volume reporting experience.
II. Summary of Positions
Blockaid's principal recommendations are:
- FinCEN should clarify that effective AML/CFT programs under proposed 31 CFR 1033.210 may incorporate pre-transaction monitoring, transaction simulation, and behavioral risk analysis as components of required risk assessment and internal controls, and should expressly recognize that static sanctions list screening alone is insufficient for the blockchain environment.
- The final rule governing additional technical capabilities under proposed 31 CFR 1033.240 should recognize that effective block, freeze, and reject capabilities require real-time or near real-time transaction-level visibility across the lifecycle of a payment stablecoin, including applicable secondary market activity onchain. Critically, FinCEN should clarify that a PPSI's ability to exercise control through its smart contract infrastructure may inform a corresponding compliance obligation to deploy that capability when legally required and that the design of smart contract controls is therefore itself a compliance question.
- The final rule should confirm that effective sanctions compliance programs under proposed 31 CFR Part 502 may incorporate exposure-based and behavioral risk methodologies, including indirect counterparty exposure analysis and cross-chain monitoring, as complements to direct OFAC list screening. The proposed "should have known" standard in OFAC's penalty framework reinforces why static, list-only screening may be difficult to defend where reasonable, risk-appropriate monitoring would have detected the risk.
- FinCEN's preliminary assessment that broad secondary market suspicious activity report ("SAR") obligations may not be warranted is correct, and the final rule should instead prioritize high-quality intelligence and preventative controls embedded into transaction flows where legally required and technically feasible.
- FinCEN should provide guidance on what constitutes adequate "technical capabilities" under proposed 31 CFR 1033.240 to promote supervisory consistency and give PPSIs clearer standards against which to design their compliance infrastructure.
- Blockaid encourages FinCEN to address, in its forthcoming Customer Identification Program ("CIP") rulemaking, how pre-transaction monitoring and behavioral analytics can complement and inform CIP obligations in blockchain environments where traditional identity verification alone cannot identify all illicit activity.
III. The Treatment of Secondary Market Activity (Questions D, F in Section IX)
FinCEN has correctly identified that certain compliance obligations must address secondary market activity, specifically the block, freeze, and reject capabilities required under proposed 31 CFR 1033.240 and lawful order compliance under proposed 31 CFR 1033.240(b). We support this approach.
We also support FinCEN's preliminary judgment that mandatory SAR filing obligations for secondary market transactions may generate substantial burden without commensurate intelligence value. FinCEN correctly notes that secondary market transactions often occur without any direct relationship between the PPSI and the transacting parties. Imposing broad SAR reporting on activity the PPSI does not initiate, facilitate, or observe through a direct customer relationship risks generating defensive reporting volume that overwhelms FinCEN's analytical capacity without surfacing actionable intelligence.
However, due to the immutability and speed of the blockchain, the agencies should be explicit in the final rule about why secondary market compliance, where required, should be grounded in technical capabilities rather than retrospective review alone:
- On many public blockchains, settlement can be near-instant and once final, generally irreversible. Unlike traditional payment rails, there may be no practical settlement window in which a suspicious transaction can be recalled or intercepted after execution.
- Sophisticated illicit actors often avoid known sanctioned wallets. OFAC-listed addresses represent a floor, not a ceiling, of sanctions exposure. Illicit actors can route funds through intermediary wallets, use newly created addresses, and exploit cross-chain infrastructure to create distance from OFAC designations.[5]
- Post-transaction investigative tools are essential for forensics, but insufficient by themselves for prevention. Blockchain analytics tools that trace transactions after settlement play a critical role in law enforcement investigations. They are not, however, a substitute for controls that prevent impermissible transactions from occurring where the PPSI has the capability and legal obligation to act.
The final rule should therefore expressly state that effective compliance with secondary market obligations under 31 CFR 1033.240 should require real-time transaction monitoring capabilities that operate at the point of transaction rather than solely through retrospective review. This would provide supervisory clarity for both PPSIs and their examiners.
Without enforcing point-of-transaction capabilities, the rule risks preserving the appearance of control while missing the only practical moment when interdiction remains possible.
IV. Smart Contract Capability Should Inform Compliance Expectations: Design of Technical Controls Is a Compliance Question (Question D in Section IX)
The Proposal's discussion of smart contract functionality contains an important regulatory signal: the Agencies' position in the Proposal that a PPSI's ability to exercise control through its smart contract architecture may bear on how compliance obligations apply to secondary market activity. Put more practically, where a PPSI has built and maintains the capability to block, freeze, burn, or prevent further transfer of a payment stablecoin, that capability should be part of the compliance analysis when a lawful order or sanctions obligation requires action.
This framing has significant implications for how PPSIs should approach the design of their smart contract infrastructure. A PPSI that builds robust blocking and freezing functionality into its smart contracts may face greater supervisory scrutiny if it fails to deploy those capabilities in response to a lawful order or sanctions obligation than one with more limited technical architecture, subject to the facts and the terms of the applicable legal obligation. Conversely, a PPSI should not be able to rely on a self-imposed design limitation to avoid compliance with technical-capability obligations otherwise required by the GENIUS Act and implementing regulations.
The final rule should address this directly in two respects:
A. FinCEN Should Clarify the Relationship Between Technical Capability and Legal Obligation
The final rule or its accompanying preamble should state clearly that a PPSI's existing technical capabilities are a baseline against which its compliance obligations will be assessed, and that PPSIs are expected to maintain and deploy the capabilities their smart contract architecture affords when legally required. PPSIs should not be able to claim compliance failure was unavoidable where the PPSI itself designed away a technical capability that the GENIUS Act and implementing regulations require.
At the same time, the final rule should recognize that not all smart contract architectures are identical, and that compliance expectations should be calibrated to what a PPSI's technical design actually permits, consistent with the statutory technical capability requirement. FinCEN's stated approach of not prescribing a single technological architecture is correct; but this flexibility must be paired with clarity that whatever capability a PPSI has built, it is expected to use when required.
B. Smart Contract Design Reviews Should Be Part of AML/CFT and Sanctions Compliance Governance
FinCEN should recognize in the final rule that the design of a PPSI's smart contract infrastructure (specifically, the block, freeze, burn, and transfer-prevention capabilities it incorporates) is itself relevant to an effective AML/CFT program under proposed 31 CFR 1033.210 and to sanctions compliance governance under proposed 31 CFR Part 502. A PPSI's independent testing and program review obligations under proposed 31 CFR 1033.210(b)(2) should include review of whether the PPSI's smart contract architecture is consistent with its obligations under 31 CFR 1033.240, where applicable.
This approach would create a coherent compliance loop: a PPSI's risk assessment identifies its secondary market exposure, its internal controls include appropriate smart contract capabilities to address that exposure, and its independent testing verifies those capabilities are functional, documented, and deployed appropriately when required. It would also give examiners a concrete basis to assess whether a PPSI's technical architecture actually supports the obligations the rule imposes.
V. AML/CFT Program Requirements Should Expressly Recognize Pre-Transaction and Behavioral Risk Controls (Questions C, D in Section IX)
Proposed 31 CFR 1033.210 imposes AML/CFT program requirements on PPSIs, including risk assessment processes under proposed 31 CFR 1033.210(b)(1)(i), internal controls to mitigate money laundering and terrorist financing ("ML/TF") risks under proposed 31 CFR 1033.210(b)(1)(ii), and ongoing customer due diligence under proposed 31 CFR 1033.210(b)(1)(iii). We support these requirements and offer specific recommendations to strengthen their application in blockchain environments.
A. Risk Assessment Processes Should Incorporate Behavioral and Exposure-Based Indicators
The Proposal would require PPSIs to develop risk assessment processes that identify and evaluate ML/TF risks. The final rule should clarify that an effective risk assessment process in a blockchain environment should be able to incorporate, and in some circumstances may need to incorporate, behavioral and exposure-based risk indicators beyond direct counterparty identification.
Specifically, FinCEN should recognize that effective risk assessment for PPSIs may include:
- Exposure-based risk scoring that evaluates a wallet's indirect counterparty exposure, i.e., the extent to which a wallet has transacted with addresses associated with illicit activity, even absent direct interaction with OFAC-designated wallets.
- Behavioral pattern analysis, including transaction frequency, volume patterns, wallet clustering, bridge usage, and cross-chain activity inconsistent with stated business purpose.
- Pre-transaction simulation that evaluates the expected outcome of a transaction before execution, identifying sanctions exposure, anomalous fund flows, or illicit finance indicators prior to settlement.
- Protocol-level and cross-chain monitoring that provides visibility into the onchain environment in which payment stablecoins operate, including decentralized exchanges, bridges, and liquidity pools.[6]
This approach reflects how illicit actors can operate in blockchain ecosystems. A transaction involving a newly created wallet, rapid bridge activity, available jurisdictional indicators inconsistent with stated customer location, and indirect exposure to high-risk infrastructure may present material sanctions or illicit finance risk even where no directly sanctioned wallet is identified. Effective risk assessment should be capable of detecting this type of risk. The relevant risk signal is the pattern of activity and the probability of illicit behavior, not simply whether a single address appears on a static list.
B. Internal Controls Should Prioritize Preventative Over Retrospective Approaches
Proposed 31 CFR 1033.210(b)(1)(ii) requires PPSIs to implement internal controls reasonably designed to mitigate identified ML/TF risks. We recommend that the final rule's preamble guidance clarify that, given the often irreversible nature of blockchain settlement, effective internal controls for PPSIs may include preventative controls embedded into transaction flows rather than relying solely on retrospective monitoring and review.
This does not diminish the value of post-transaction monitoring or blockchain analytics; both remain essential for SAR filing, law enforcement support, and ongoing risk assessment. However, for PPSIs, effective internal controls should also include the ability, where technically feasible and legally required, to identify and block impermissible transactions before they settle. Treasury has recognized the role of APIs, blockchain analytics, and real-time decisioning in improving digital asset illicit finance controls, including facilitating pre-transaction simulation and risk assessments, and supporting interdiction before settlement.[7] The final PPSI rule should be consistent with that guidance.
C. Beneficial Ownership Information ("BOI") and Customer Due Diligence ("CDD") Limitations Underscore the Need for Transaction-Level Monitoring
The Proposal's beneficial ownership and customer due diligence requirements are important compliance tools. However, FinCEN's own regulatory impact analysis recognizes that BOI collection and related CDD requirements will impose operational burdens, particularly for PPSIs whose current customer relationships are primarily institutional. More fundamentally, customer onboarding information alone is frequently insufficient to identify illicit activity in blockchain environments, where sophisticated actors can transact through newly created wallets, intermediary addresses, and decentralized protocols that have no onboarding history.
The final rule should therefore recognize that transaction-level monitoring and behavioral analytics complement BOI and CDD programs. A PPSI that has collected robust customer identification information but lacks real-time transaction monitoring may have an incomplete picture of the risks its customer relationships pose, particularly as payment stablecoins move through the secondary market after issuance.
D. Guidance on "Reasonably Designed" Controls for Blockchain Environments
FinCEN should provide guidance, either in the final rule's preamble or in subsequent supervisory communications, clarifying what constitutes a "reasonably designed" AML/CFT program for PPSIs operating in blockchain environments. Without such guidance, supervisory inconsistency is a meaningful risk, and PPSIs, particularly smaller entrants, may face uncertainty about whether their compliance investments meet regulatory expectations.
Specifically, FinCEN should address whether and how examiners will evaluate the adequacy of pre-transaction monitoring tools, behavioral risk scoring, and real-time transaction controls as components of AML/CFT programs under 31 CFR 1033.210.
VI. The Additional Technical Capabilities Requirement Should Be Operationally Grounded (Question D in Section IX)
Proposed 31 CFR 1033.240 imposes requirements on PPSIs to maintain technical capabilities, policies, and procedures to block, freeze, and reject specific or impermissible transactions (31 CFR 1033.240(a)) and to comply with lawful orders (31 CFR 1033.240(b)). These requirements are among the most operationally significant provisions of the proposed rule.
A. The Final Rule Should Clarify That Block/Freeze/Reject Capabilities Require Real-Time Transaction-Level Visibility
A block, freeze, or reject capability is most effective if the PPSI has visibility into the transaction at a point in time when blocking, freezing, or rejecting can be used as a preventative tool and is still feasible in the transaction lifecycle. For onchain transactions, this generally means real-time or near-real-time monitoring that operates before or at the point of transaction execution.
The final rule should therefore state that compliance with 31 CFR 1033.240(a) ordinarily requires technical capabilities that provide PPSIs with transaction-level visibility in real time, not only through retrospective review or periodic batch analysis. Without this clarification, PPSIs may invest in compliance infrastructure that does not technically satisfy the obligation. A capability that identifies risk only after settlement is, for these purposes, primarily an investigative tool rather than a block, freeze, or reject control.
B. Pre-Transaction Analysis Is the Operationally Appropriate Control for Lawful Order Compliance
Proposed 31 CFR 1033.240(b) requires PPSIs to maintain technical capabilities to comply with lawful orders, including orders issued by Federal agencies or courts. Compliance with such orders may require acting within very short windows after an order is issued.
FinCEN should recognize in the final rule that effective lawful order compliance may require PPSIs to maintain continuously updated monitoring of payment stablecoin holders and active onchain positions, so that a PPSI can identify and act on assets subject to a lawful order without relying on manual investigation processes that may be too slow given the speed of onchain activity. The practical standard should be whether the PPSI can move from detection to action quickly enough to make legal process meaningful onchain.
VII. Know Your Customer ("KYC"), CDD, and Travel Rule Obligations Should Be Integrated Into Real-Time Risk Infrastructure (Questions C, G, H in Section IX)
We support FinCEN's proposed CDD requirements under proposed 31 CFR 1033.210(b)(1)(iii), the beneficial ownership collection obligations under proposed 31 CFR 1010.230, and the recordkeeping and Travel Rule obligations under proposed 31 CFR 1033.400 and 1033.410.
In blockchain-based financial systems, the characteristics of a transaction may often be more indicative of illicit activity than customer identity information standing alone. While customer identification, beneficial ownership and the Travel Rule remain important compliance tools, this information alone is frequently insufficient to identify illicit activity in blockchain environments. Sophisticated actors can transact through newly created wallets that have no onboarding history, route funds through intermediary addresses and decentralized protocols, and exploit cross-chain infrastructure in ways that cannot be effectively identified through customer onboarding information in isolation.
The final rule should therefore recognize the importance of integrating KYC information, Travel Rule data, and available jurisdictional indicators with transaction-level intelligence, such as behavioral analytics, wallet exposure analysis, and real-time transaction monitoring. A PPSI that has collected robust KYC information but operates without real-time transaction monitoring will have an incomplete picture of the risks its customer relationships pose.
VIII. The Forthcoming Customer Identification Program Rulemaking Should Address Blockchain-Specific Implementation (Question C in Section IX)
The Proposal expressly declines to implement the GENIUS Act's customer identification program requirement, noting that CIP will be addressed in a separate forthcoming rulemaking. Blockaid respectfully requests that FinCEN use that rulemaking to address how CIP obligations apply in blockchain environments where traditional identity verification alone cannot adequately identify illicit activity.
Specifically, FinCEN's forthcoming CIP rulemaking should address:
- How pre-transaction monitoring and behavioral analytics may complement traditional identity verification as part of a risk-based CIP and CDD framework for PPSIs — particularly where a PPSI's direct customer base is primarily institutional but payment stablecoins circulate to a much wider population through secondary market activity.
- How PPSIs should treat wallets for which no KYC information is available — a common circumstance in secondary market activity — and whether real-time risk scoring based on wallet behavior and exposure can inform related CIP, CDD, and sanctions risk management obligations in that context.
- How CIP requirements will interact with the Travel Rule framework for payment stablecoin transfers, particularly given the practical challenges of identifying ultimate recipients in decentralized transfer environments.
The forthcoming CIP rulemaking is an important opportunity to establish that blockchain-native compliance tools are a recognized and expected component of PPSI compliance infrastructure, not a substitute for traditional identity-based obligations.
IX. The Reporting Framework Should Prioritize Intelligence Quality Over Defensive Volume (Questions E, F in Section IX)
FinCEN's preliminary assessment in the Proposal that broad secondary market SAR obligations may not be warranted correctly anticipates a key risk in AML regulatory design: that broad reporting mandates can generate defensive filing behavior that overwhelms the financial intelligence system with noise, reducing the actionable utility of BSA data for law enforcement.
We encourage FinCEN to maintain this orientation in the final rule and to actively discourage compliance models that prioritize high-volume SAR filing as a proxy for compliance effectiveness. The final rule's preamble should be explicit that the goal is accurate, timely, and useful intelligence, and that a lower SAR volume should not itself be treated as weak compliance where PPSIs can demonstrate strong preventative controls, real-time monitoring capabilities, and timely, well-supported filings when SAR obligations are triggered. FinCEN should make clear that examiners will evaluate the usefulness and timeliness of reporting, not the raw number of SARs filed.
This framing would align with Treasury's stated goal of designing obligations that are fit for purpose, assist law enforcement, and minimize unnecessary burden.[8]
X. Conclusion
Blockaid supports Treasury's effort to establish clear, effective AML/CFT and sanctions compliance obligations for permitted payment stablecoin issuers. The Proposal reflects a sophisticated understanding of the stablecoin ecosystem and correctly identifies key compliance challenges, including obligations that address secondary market activity and the need for specific technical capabilities.
We respectfully encourage FinCEN and OFAC to strengthen the final rule by:
- Expressly recognizing that effective AML/CFT programs for PPSIs may incorporate pre-transaction monitoring, transaction simulation, exposure-based risk scoring, behavioral analytics, and cross-chain monitoring as components of required risk assessment processes and internal controls under proposed 31 CFR 1033.210.
- Clarifying that a PPSI's smart contract architecture may inform compliance obligations commensurate with the technical capabilities that architecture affords, and that smart contract design reviews are a component of effective AML/CFT and sanctions compliance governance.
- Stating that block, freeze, and reject capabilities under proposed 31 CFR 1033.240 generally require real-time transaction-level visibility, and providing minimum standards or safe harbors to promote supervisory consistency.
- Confirming that effective sanctions compliance programs under proposed 31 CFR Part 502 should not rest on direct OFAC list screening alone where exposure analysis and behavioral risk detection would materially strengthen the program, and that the proposed "should have known" penalty standard reinforces this expectation.
- Addressing, in the forthcoming CIP rulemaking, how pre-transaction monitoring and behavioral analytics can complement CIP and CDD obligations in blockchain environments.
- Maintaining the preliminary determination that broad secondary market SAR mandates are not warranted, and framing the final rule to prioritize useful intelligence and preventative controls over defensive reporting volume.
- Providing a phased implementation timeline that gives PPSIs adequate time to build, test, and validate the smart contract and technical infrastructure the final rule will require.
Payment stablecoin markets move in real time, and settlement is irreversible. Controls that arrive only after settlement are too late to prevent the conduct the rule is designed to address. The compliance framework that governs them must reflect these realities. Blockaid appreciates the opportunity to comment on this important rulemaking and would welcome the opportunity to discuss these recommendations with FinCEN and OFAC staff.