An AML framework built around a deliberate loophole
The NPRM jointly issued by FinCEN and OFAC on April 8, 2026, codifies into secondary law Section 9 of the GENIUS Act, which designates Permitted Payment Stablecoin Issuers (PPSIs) as financial institutions under the Bank Secrecy Act. The text opened a comment window that closes today, June 9, 2026, at midnight Eastern Time. The affected issuers (namely subsidiaries of insured depository institutions, federal qualified issuers, and approved state qualified issuers) must publish their compliance program before July 18, or cease operating in the United States before January 18, 2027.
Media attention has focused on the sanctions component, presented by Treasury as the first federal obligation placed on a specific category of US persons to maintain a dedicated sanctions compliance program. The trade press has treated this part with the seriousness it deserves. Almost no one flagged the sentence that follows, located in the section on reporting obligations.
The clause that exempts the secondary market
The NPRM specifies that PPSIs are not required to implement a Customer Identification Program or file Suspicious Activity Reports for secondary transactions. In other words, when an already-issued stablecoin moves between wallets, on DEXs, or through P2P swaps that do not involve the issuer, the active monitoring obligation does not apply. The issuer remains technically required to block prohibited flows, such as those tied to sanctioned addresses, but does not have to flag them in real time or report them to FinCEN.
On the surface, this looks like a technical concession. Read closely, it is a quiet acknowledgment of a fact the industry avoids naming. Once a stablecoin has left the issuer's wallet, tracking it falls under chain analysis, not KYC. FinCEN could have required PPSIs to monitor post-issuance flows using Chainalysis or TRM Labs tools and flag any suspicious matches. The regulator chose not to.
Why the regulator is taking this stance
The likely reason comes down to accountability mechanics. Extending SAR requirements to the secondary market would saddle issuers with an obligation that exchanges and intermediary services are already expected to carry. From Treasury's perspective, the risk is double reporting that would yield no new signal, merely duplicating what VASPs already submit.
There is almost certainly a political reading as well. The GENIUS Act was designed to anchor stablecoins within regulated American finance without breaking the economic model. Requiring issuers to continuously monitor every post-mint transaction would effectively reclassify stablecoins as traceable assets on par with bank payments. This is precisely what the pro-GENIUS coalition sought to avoid.
What this changes for the privacy-conscious user
The practical effect is more nuanced than it appears. A user holding PPSI stablecoins still exists within an ecosystem where every compliant exchange collects KYC at on-ramp and off-ramp. The exempted secondary market remains, in most cases, traversed by platforms themselves subject to the Travel Rule, whose obligations cover transfers above the $1,000 threshold.
The margin for maneuver is real only for fully decentralized flows, meaning those that include no identifiable intermediary. For everything else, the SAR exemption merely confirms a role distribution that already existed: issuers manage the primary perimeter, VASPs manage the secondary perimeter, and the end user is triangulated by both.
What to watch after July 18
The implementation timeline leaves five weeks for the regulator to incorporate comments, then five additional months for affected entities to come into compliance. Three signals to watch:
- Final list of approved PPSIs. The number of issuers that will obtain PPSI status will indicate whether the US stablecoin market consolidates, or whether several small players survive.
- Technical scope of blocking controls. The text requires issuers to have the technical capabilities to block, freeze, or reject illicit transactions. The definition of these capabilities, and their operational mode, will determine whether PPSIs can actually freeze a stablecoin already issued to a third-party wallet.
- SEC position. The GENIUS Act coexists with an SEC framework under construction. Any friction between the two regulators will create an operational gray zone that benefits uncovered foreign issuers.
Editorial verdict
The NPRM is a compromise text that succeeds in imposing a new AML regime without breaking the sector's economic architecture. The SAR exemption on the secondary market is consistent with this compromise, and probably necessary for its feasibility. It does not create a deliberate loophole for privacy. It creates a loophole that the regulator technically acknowledges, because the alternative would have been either unrealistic or redundant with what VASPs already report. For our directory, the direct impact on service selection remains marginal in the short term. To watch: if the SEC publishes a stricter parallel rule on platform scope, the US stablecoin ecosystem could split into two disjoint frameworks, which would have concrete consequences for the end user.