Stablecoin KYC Compliance: What the GENIUS Act Does Not Bind
articleVerifyo Editorial TeamJuly 8, 2026

Stablecoin KYC Compliance: What the GENIUS Act Does Not Bind

Stablecoin KYC under multi-issuer settlement is treated as a single-issuer policy problem: read the GENIUS Act, satisfy the FATF Travel Rule, ship the integration. Mastercard's 4 June 2026 settlement-expansion names six regulated stablecoin payments — USDC, PYUSD, USDG, USDP, RLUSD, SoFiUSD — across eight blockchains (13). The binding compliance burden no longer sits at the stablecoin issuers. It is the duplicated counterparty-screening compliance every platform carries across each issuer-chain pair on payment stablecoin rails.

Flow diagram showing one cross-border stablecoin transfer triggering three regulatory regimes - US GENIUS Act, EU MiCA TFR AMLR, FATF Recommendation 16.

Cross-border stablecoin settlement: why a single transfer touches three regimes

The architecture Mastercard described is concrete. Cross-border stablecoin payments routed through the card network reach an issuer wallet, hop one blockchain to a regulated CASP, then bridge to a destination platform. At every step the same stablecoin payments transaction inherits a different rule book. Three regulatory compliance frameworks apply at once: the GENIUS Act, MiCA Title IV, and FATF Recommendation 16 (4)(6). Each jurisdiction's rules bind a slice of the compliance stack; every payment requires the financial institutions on each issuer's rail to meet parallel compliance rules across funds, payments and crypto-assets.

Six stablecoins, eight chains, three jurisdictions

Walk one path. A USDC payments transaction from a US-licensed bank routes onto Ethereum, bridges to Solana, and lands at a European Union-licensed CASP. The issuer side is governed by the GENIUS Act's permitted payment stablecoin issuers regime (1). The Union CASP side is governed by MiCA and Regulation (EU) 2023/1113 (7)(9). FATF Recommendation 16 sits beneath both as the global standard on virtual-asset transfers (4). Each issuer × chain × jurisdiction combination inherits its own compliance stack, and the issuers and CASPs the rail touches each face their own rules.

The BIS Committee on Payments and Market Infrastructures put it plainly in October 2023: cross border stablecoin arrangements must satisfy "same business, same risks or risk profile, same regulatory outcome" (16). Every issuer-chain pair must independently satisfy parallel compliance rules — a fact Mastercard's settlement-expansion made commercially urgent. A stablecoin payments transaction is not one transfer touching one rule book; it is one touching three frameworks at three financial institutions, and the BSA/AML rules each rail inherits multiply with each hop.

The GENIUS Act: a single-issuer policy lens that does not bind the rail

The GENIUS Act, signed 18 July 2025 as Public Law 119-27, establishes the first federal framework for payment stablecoin issuers in the United States (1). It defines a permitted payment stablecoin issuer (PPSI) and sets three pathways: subsidiary of an insured depository institution (the banks pathway, where the banks subsidiary inherits the depository institution's supervisory rules), federal-qualified nonbank issuer, or state-qualified stablecoin issuers with Treasury certification (2). Reserve requirements mandate 1:1 backing, with dual federal/state pathways routing each issuer to its supervisor (3). The institutions party to a permitted pathway carry pathway-specific obligations the GENIUS Act requires each issuer to satisfy.

The critical reframe sits in one sentence. The GENIUS Act is issuer-side law. It binds who can issue a payment stablecoin and what compliance obligations the issuer carries. It does not discharge the per-transfer AML and BSA obligations downstream financial institutions inherit when a PPSI-issued token routes through their rail. Section 4 of the GENIUS Act requires each PPSI to maintain an effective "BSA/AML compliance program" — an AML programme tailored to the issuer's risk profile (1). The surrounding BSA/AML rules on banks, CASPs and money service businesses do not collapse into that obligation. Each entity owes its own anti money laundering programme, and PPSI issuers carry their own.

The European Union mirror is the same shape. Title IV of MiCA, applying from 30 June 2024, consolidates EMT supervision at the EBA and sets reserve and attestation regulatory requirements on stablecoin issuers under MiCA's e money tokens regulations (7)(8). The Bank Secrecy Act and MiCA regulate issuance; neither binds the screening obligation when the token leaves the issuer's wallet (17). The GENIUS Act regulates who can issue; it does not regulate who must screen, or which compliance rules apply at each hop.

Where the compliance obligations sit: every CASP on every hop

FATF Recommendation 16 requires originator and beneficiary information at every VASP and CASP hop (4). The Union transposed the standards in Regulation (EU) 2023/1113 — the Transfer of Funds Regulation as applied to crypto-assets, the regulation on transfers of funds — from 30 December 2024 alongside MiCA's CASP rules (9). The EBA's Travel Rule Guidelines (EBA/GL/2024/11), published 4 July 2024, require banks acting as intermediary PSPs and CASPs to detect missing information on a transfer of funds, payments and crypto-assets (10). The June 2025 update confirms the Travel Rule as the binding compliance standard for cross border transfers, binding every CASP and the issuers on the rail (6).

The AMLR adds a Customer Due Diligence layer. AMLR regulations, in Regulation (EU) 2024/1624 from 10 July 2027, make CASPs obliged entities and set the CDD threshold at EUR 1,000 — lower than the EUR 15,000 floor for other financial institutions (11). Articles 19–28 of the AMLR require the businesses on every rail to meet the Know Your Customer (KYC) standard. These Know Your Customer KYC obligations duplicate at every CASP — wallets receiving qualifying transfers, wallet addresses screened, transaction activity flagged in real time, the wallet's owner identity each sit within scope.

The Travel Rule, applied at every transfer

Read the Travel Rule mechanically. Each qualifying stablecoin payments transaction carries originator name, originator wallet, beneficiary name, and beneficiary wallet; each receiving CASP runs real time compliance data exchange at each handshake and flags missing transaction activity (10). When the same payment routes from CASP-A on Ethereum, through a bridge, to CASP-B on Solana, the handshake repeats — and the Know Your Customer KYC checks against the wallets repeat per payments hop. The FATF 2025 Targeted Update reports 76 jurisdictions with at least one licensed VASP, up from 69 in 2024 (5) — each transposing the standards under its own KYC AML compliance rules. Funds-screening duties at every CASP and the duty to trace funds through SDN screening sit alongside the Travel Rule, which applies once per transaction, at every hop.

6-by-8 matrix showing 48 independent rail compliance stacks across six stablecoins and eight chains - stablecoin KYC compliance duplication tax.

AML compliance under a multi-issuer regime: the duplication tax

This is where the duplication tax materialises. Every CASP on the route screens every transaction against the Office of Foreign Assets Control SDN list, runs sanctions screening on the wallets, and submits suspicious activity reporting where red flags trigger. Banks and CASPs running OFAC SDN screening on stablecoin payments face the same five components, and OFAC requires every PPSI and the financial institutions on each rail to operate them as a stablecoin compliance baseline. OFAC's 15 October 2021 Sanctions Compliance Guidance describes "five essential components of an effective sanctions compliance program" — management commitment, risk assessment, internal compliance controls, testing, training (12). Suspicious activity flagged at every CASP, multiplied across each financial institutions hop, is the stablecoin compliance pattern across rails — and suspicious activity reporting under the BSA duplicates across every PPSI and every financial institutions hop on the same payments rail.

The FinCEN consent order against Binance Holdings, dated 21 November 2023, anchors the AML compliance burden. The exchange "willfully failed to develop, implement, and maintain an effective money laundering program reasonably designed to prevent it from being used to facilitate money laundering," and FinCEN found 1,667,153 apparent violations of multiple "sanctions programs" between August 2017 and October 2022 (19). The penalty exceeded $4 billion. The Binance case sets the compliance burden at single-VASP scale; multi-issuer settlement multiplies multi-VASP suspicious activity at the Binance scale across every rail and every CASP. A risk based approach per FATF (4) — banks and CASPs together face the AML enforcement under FinCEN — translates into AML compliance programmes per issuer. The rules duplicate per rail; activity duplicated per rail compounds across regulated businesses screening every transfer.

The issuer side has its own precedent. The NYDFS / Paxos consent order of 13 February 2023 ordered Paxos to cease minting Binance USD after finding it "violated its obligation to conduct tailored, periodic risk assessments and due diligence refreshes" of BUSD customers (20). Regulators treat counterparty-refresh failure as a discrete aml programme defect on top of per-hop Travel Rule duties — issuer-side enforcement against issuers, and issuer businesses face the same counterparty-refresh duty. Stablecoin compliance across rails is the binding constraint for the issuer businesses and the CASPs alike, not the GENIUS Act's PPSI licensing.

Transaction monitoring and continuous sanctions screening against real time sanctions lists sit with the chain-analytics layer — vendors like Chainalysis, Elliptic and ComplyAdvantage build blockchain analytics catching transaction patterns. Verifyo handles the identity-attestation layer of the same rail.

Before-and-after diagram showing N onboarding events on the left and one reusable attestation queried N times on the right - stablecoin KYC compliance unit of reuse inversion.

What an architecturally honest answer looks like

Invert the unit of work. The duplication is not in the screening systems or controls. It is in the onboarding processes and the underlying identity infrastructure. Every CASP, every PPSI, every regulated financial institution must screen the wallet, satisfy customer due diligence, and document the compliance result. Each entity runs identity verification against the same customer, building compliance programmes per rail across regulated businesses every issuer integrates with.

The unit of reuse is the attestation, not the onboarding

A reusable verifier-private attestation moves the unit of reuse to the right place. The W3C Verifiable Credentials Data Model v2.0, a W3C Recommendation of 15 May 2025, defines an issuer-holder-verifier model: an issuer asserts claims, the holder carries the credential, any verifier confirms the claim cryptographically without seeing the documents (14). NIST Special Publication 800-63-4, finalised in 2025, frames the architecture across federated assurance levels (15).

This is the approach we take at Verifyo — a Zero-Knowledge KYC attestation issued once and reusable across integrating platforms, embedding identity into stablecoin rails as reusable infrastructure. Our Level 1 KYC verification covers identity document verification with document country captured, age attestation booleans, wallet ownership binding, and an AML screening set (sanctions, PEP, criminal, barred-persons, military and adverse-media). The integration is REST-API-based; no raw PII reaches the receiving platform.

Travel Rule data exchange and transaction monitoring sit outside our current scope. We handle the identity-attestation side of the rail; chain-analytics tools handle the transaction-monitoring side. What changes is who bears the marginal onboarding burden — each integrating platform queries the attestation, not the customer; the customer onboards once, not per rail. The duplicated counterparty-screening burden the FSB October 2025 implementation review describes as the structural gap in global stablecoin arrangements (18) is the binding constraint.

KYC under multi-issuer stablecoin settlement is a multi-issuer problem; the binding burden is the duplicated counterparty-screening compliance every issuer × chain pair requires. A reusable verifier-private attestation is the architecturally honest response. When businesses scope a stablecoin compliance programme, the operator question is which KYC AML compliance obligations duplicate per rail, and which can be discharged once and reused across the institutions scoping multi-issuer programmes.

Sources

(1) US Congress. Public Law 119-27 — Guiding and Establishing National Innovation for U.S. Stablecoins Act of 2025 (GENIUS Act). 18 July 2025. https://www.congress.gov/119/plaws/publ27/PLAW-119publ27.pdf

(2) US Congress. S.1582 — GENIUS Act of 2025 (119th Senate-introduced bill text). 2025. https://www.congress.gov/bill/119th-congress/senate-bill/1582/text

(3) US Federal Register. GENIUS Act Implementation — Treasury notice and request for comment. 19 September 2025. https://www.federalregister.gov/documents/2025/09/19/2025-18226/genius-act-implementation

(4) FATF. Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. October 2021. https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Guidance-rba-virtual-assets-2021.html

(5) FATF. Targeted Update on Implementation of the FATF Standards on Virtual Assets and VASPs. 2025. https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/2025-Targeted-Upate-VA-VASPs.pdf.coredownload.pdf

(6) FATF. Update to Recommendation 16 on Payment Transparency. June 2025. https://www.fatf-gafi.org/en/publications/Fatfrecommendations/update-Recommendation-16-payment-transparency-june-2025.html

(7) European Parliament and Council. Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA). 31 May 2023. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32023R1114

(8) European Banking Authority. Asset-referenced and e-money tokens (MiCA) — supervisory framework page. Updated 2025. https://www.eba.europa.eu/regulation-and-policy/asset-referenced-and-e-money-tokens-mica

(9) European Parliament and Council. Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets. 31 May 2023. https://eur-lex.europa.eu/eli/reg/2023/1113/oj/eng

(10) European Banking Authority. Travel Rule Guidelines (EBA/GL/2024/11) under Regulation (EU) 2023/1113. 4 July 2024. https://www.eba.europa.eu/sites/default/files/2024-07/6de6e9b9-0ed9-49cd-985d-c0834b5b4356/Travel%20Rule%20Guidelines.pdf

(11) European Parliament and Council. Regulation (EU) 2024/1624 (Anti-Money Laundering Regulation, AMLR). 19 June 2024. https://eur-lex.europa.eu/eli/reg/2024/1624/oj/eng

(12) US Treasury OFAC. Sanctions Compliance Guidance for the Virtual Currency Industry. 15 October 2021. https://ofac.treasury.gov/recent-actions/20211015

(13) Mastercard. Mastercard expands settlement capabilities to include stablecoin. 4 June 2026. https://www.mastercard.com/global/en/news-and-trends/press/2026/june/mastercard-expands-settlement-capabilities-to-include-stablecoin.html

(14) W3C. Verifiable Credentials Data Model v2.0 — W3C Recommendation. 15 May 2025. https://www.w3.org/TR/vc-data-model-2.0/

(15) NIST. Special Publication 800-63-4 — Digital Identity Guidelines (final). July 2025. https://pages.nist.gov/800-63-4/

(16) CPMI (Bank for International Settlements). Considerations for the use of stablecoin arrangements in cross-border payments. October 2023. https://www.bis.org/cpmi/publ/d220.htm

(17) Financial Stability Board. High-level Recommendations for the Regulation, Supervision and Oversight of Global Stablecoin Arrangements — Final Report. 17 July 2023. https://www.fsb.org/2023/07/high-level-recommendations-for-the-regulation-supervision-and-oversight-of-global-stablecoin-arrangements-final-report/

(18) Financial Stability Board. FSB finds significant gaps and inconsistencies in implementation of crypto and stablecoin recommendations. October 2025. https://www.fsb.org/2025/10/fsb-finds-significant-gaps-and-inconsistencies-in-implementation-of-crypto-and-stablecoin-recommendations/

(19) US Treasury / FinCEN. FinCEN Consent Order 2023-04 — In the Matter of Binance Holdings Ltd. 21 November 2023. https://www.fincen.gov/system/files/enforcement_action/2023-11-21/FinCEN_Consent_Order_2023-04_FINAL508.pdf

(20) New York Department of Financial Services. Consent Order with Paxos Trust Company — cease minting of Binance USD (BUSD). 13 February 2023. https://www.dfs.ny.gov/consumers/alerts/Paxos_and_Binance

Tags:stablecoin kyc compliancegenius actmicappsicasptravel rulemulti-issuer settlementverifier-private attestation

Want to learn more?

Explore our other articles and stay up to date with the latest in zero-knowledge KYC and identity verification.

Browse all articles