What the GENIUS Act Rulemaking Is Actually Building

The GENIUS Act, the federal framework regulating payment stablecoin issuers, passed in July 2025, and for a few weeks afterward most of the conversation was about what made it into the final bill, which is normal whenever a piece of major financial legislation crosses the line. Eight months later, the conversation has shifted, because the work that actually shapes the regime is happening at the agency level, and it has been moving faster than anyone in the room would have predicted last summer.

A panel at Consensus Miami 2026 put the two halves of the picture side by side. The Blockchain Association walked through the requirements every payment stablecoin issuer will need to meet, then mapped out what federal agencies have already proposed to operationalize them, and putting those next to each other is more useful than it sounds, because the pace of agency activity has been genuinely hard to track in real time, even for people whose full-time job is to follow it.

The Six Requirements

Every payment stablecoin issuer in the U.S. now has to clear the same bar, and the GENIUS Act draws it in six pieces, none of which are particularly surprising on their own but which add up to a meaningful change in the operating environment for the entire stablecoin sector. Issuers have to maintain full, low-risk reserves for every dollar of stablecoins outstanding, which rules out the fractional models and the kind of opaque rehypothecation arrangements that have shown up in earlier stablecoin failures. They have to publish monthly disclosures and bring in independent auditors, which means the attestation cadence is now a regulatory floor rather than a marketing flourish. Misleading marketing is explicitly off the table, which closes a category of behavior that has caused real damage in past cycles, and in an insolvency holders come first, so the legal architecture is built around protecting end users when something breaks rather than just hoping it does not.

Two of the requirements are doing heavier lifting than the others and deserve a closer look. The first is the requirement that issuers must be able to freeze, block, or seize tokens on lawful order, which sounds straightforward until you start thinking through what it actually means at the protocol level. Issuers cannot rely on offchain workarounds or partial implementations; the capability has to live inside the system itself, designed in from the start rather than bolted on after the fact, and that has real consequences for token design, smart contract architecture, and operational readiness. The second is the treatment of foreign issuers, who face a higher threshold than their domestic counterparts: their home jurisdiction has to be certified as having equivalent safeguards, the issuer has to agree to oversight by U.S. regulators, and they have to comply with Treasury freeze orders. The U.S. is not pretending it can extend its regulatory regime extraterritorially, which would be a non-starter both politically and legally, but it is making access to U.S. markets conditional in a way that has real teeth, and foreign issuers who want to operate here at scale are now working backward from those conditions to figure out what their compliance architecture needs to look like.

The Rulemaking Pace

Statutes set the bar and agencies decide how to clear it, and since September 2025 that work has piled up quickly enough that even people paying close attention have struggled to keep track. Treasury opened things up with an advanced notice of proposed rulemaking on GENIUS implementation, which was expected, but the speed of what followed was less so. The FDIC came out in December with application procedures for the banks it supervises; the NCUA, the National Credit Union Administration, brought in credit unions in February; and the OCC, the Office of the Comptroller of the Currency, moved in March with rules for the institutions under its chartering authority. April was the busiest month by a wide margin: Treasury proposed the principles for determining when a state regulatory regime is “substantially similar” to the federal framework, the FDIC put out a prudential framework for the issuers under its supervision, and FinCEN and OFAC, the Financial Crimes Enforcement Network and the Office of Foreign Assets Control, issued a joint rulemaking covering anti-money-laundering, counter-financing of terrorism, and sanctions compliance.

That is seven notices across eight months, hitting every charter type and most of the major compliance functions, and it is not how federal rulemaking usually feels in financial services, where multi-year timelines are the norm and parallel agency action is rare. The agencies are clearly under pressure to build the regime in parallel rather than sequentially, which makes sense given that the alternative would be a multi-year drag during which the rest of the world keeps building, and the upside for the industry is that issuers and prospective issuers are getting a much clearer picture much sooner than they normally would, even if the picture is not fully resolved yet.

What The Pattern Tells Us

A few things jump out from the way this is unfolding, and they are worth flagging because they will shape strategic decisions across the industry over the next year. The framework is plural by design, which is a deliberate choice rather than an accident of jurisdictional politics. Banks, credit unions, OCC-chartered institutions, and qualifying state-licensed issuers all have a route in, and whoever drafted the statute clearly decided not to pick a winner among charter types, instead setting a common bar and leaving institutions to choose how to meet it. That decision is showing up in the rulemakings, each of which is tailored to its supervisory context, which means an issuer evaluating its options has to think carefully about which path actually fits its business model rather than defaulting to whatever charter type is most familiar.

The federal-state question is the one to watch, and Treasury’s “substantially similar” rulemaking is the linchpin of the whole thing. Get the substantially similar standard right and the state-level regimes that have been preparing for years can plug into the federal framework cleanly, which preserves the regulatory diversity that has historically been a feature of U.S. financial regulation rather than a bug. Get it wrong and the result is litigation, fragmentation, and capital sitting on the sidelines waiting for clarity, which is the worst of all worlds for an industry that needs predictability to attract serious institutional participation. A lot of what happens in the next twelve months of state-federal coordination turns on that one document, and the comment period is worth watching closely.

AML and sanctions compliance are not afterthoughts in this framework, which is itself a meaningful signal. The joint FinCEN and OFAC rulemaking pulls stablecoin issuance squarely inside the same financial crime compliance regime as the rest of the regulated financial system, with the same expectations around screening, reporting, recordkeeping, and sanctions enforcement that apply to traditional money transmitters and banks. For anyone treating compliance as a function to layer on after launch, that is going to be expensive, because compliance has to be designed into the issuance architecture from the beginning, and that is a fundamentally different kind of build than retrofitting controls onto a system that was originally designed without them.

What To Do Between Now And Final Rules

The window between proposed rulemaking and final rules is not passive time. It is the most useful window an issuer or aspiring issuer gets, and it is also the most underutilized, because most firms treat it as a waiting period rather than a working one. Comment periods are still open on several of these notices, and final rules have historically reflected substantive industry input, so the firms that engage with the actual substance of the rulemakings rather than just monitoring them from a distance tend to end up with rules that work better for their business models. Mapping internal capabilities against the six statutory requirements is the kind of work that benefits from being done now rather than later, particularly around reserves attestation, monthly disclosure cadence, and law enforcement response, all of which require technical and operational infrastructure that takes time to stand up. So is figuring out which charter path actually fits the business, because federal and state timelines will diverge the moment final rules drop, and an issuer who waits until then to make the choice has already lost months of preparation.

The other piece worth tracking is what is happening in adjacent jurisdictions, because the U.S. framework is not being built in a vacuum. MiCA, the European Union’s Markets in Crypto-Assets regulation, is fully live in Europe; other regimes are taking shape in Singapore, Hong Kong, the UAE, and elsewhere; and issuers serving global markets are already running into the harmonization problem of needing to satisfy multiple regulators simultaneously without building parallel infrastructure for each one. The GENIUS Act final rules will reshape how that work plays out, especially through the foreign issuer requirements and the substantially similar standard for state regimes, which together will determine how much of the global stablecoin market routes through U.S.-compliant rails over the next several years.

Where The Infrastructure Has To Do The Work

Most of these requirements are not policy questions for the compliance team to wrestle with in spreadsheets. They are engineering questions for whoever is building the issuance stack, and they translate fairly directly into technical problems with technical solutions. Full reserves behind every token is a real-time data problem, because attesting to reserves once a quarter is not enough when the regulatory expectation is continuous backing verified on a much tighter cadence. Monthly public disclosures and independent audits are an attestation problem, which means the underlying systems have to produce audit-ready data on a predictable schedule rather than requiring a fire drill every month to assemble the numbers. The law enforcement freeze-and-seize capability is a protocol design problem, because the capability has to be built into the token at the contract level rather than mediated through a custodian or a centralized intermediary that may not always be in the loop. AML and sanctions screening is a transaction-monitoring and reporting problem, which means the infrastructure has to be capable of both real-time screening at the point of transfer and structured reporting to the relevant authorities on whatever schedule the final rules set.

This is the layer we have been building for at Instruxi. TrustSync, our proof-of-reserves and data attestation product, handles the engineering side of full backing and transparency, and it is designed for the continuous-attestation model that the GENIUS Act regime points toward rather than the periodic-snapshot model that has been the industry norm. Enforcer, our data governance and compliance framework, is configurable to whatever supervision regime an issuer ends up operating under, whether that is a federal banking regulator, a state regime certified as substantially similar, or a foreign jurisdiction running through an equivalence determination, and the configurability is the point because we expect the regulatory landscape to keep evolving rather than settling into a single global standard over any predictable timeframe. Stablecoins are one of the cleanest use cases for both products, and the rulemaking cycle is sharpening that fit in real time.

The infrastructure question used to live on a roadmap, somewhere between “important” and “we will get to it after the next funding round.” It is now a precondition for being in the market at all, which is a meaningful shift in how stablecoin businesses need to allocate engineering and compliance resources, and the issuers that work this out early get an advantage that compounds over time, because once the infrastructure is in place it scales while competitors are still trying to build it from scratch under regulatory pressure.

The Bigger Picture

A year ago, “stablecoin compliance” in the U.S. was mostly a conversation about what the rules might look like, which is to say it was speculative work, the kind of thing serious firms did but did not bet the business on. That phase is over. The bar is set, the agencies are moving, the rulemakings are stacking up faster than most observers expected, and the businesses that engage with the substance of all of this now, rather than waiting for the final rules to drop before they start serious preparation, will be the ones operating cleanly when the regime locks in. The ones that wait are going to find themselves running compliance retrofits against a moving target, which is the worst position to be in when the regulators start examining for compliance in earnest.