Rain
FinCEN Advisory Change Map — May 9, 2026
What this is. A regulator-shaped change map for the April 7–10, 2026 FinCEN NPRM trio (PPSI rule + Program Reform rule + the coordinated bank-regulator companion NPRMs), specifically as the rules land on a stablecoin-infrastructure card issuer. Built entirely from the Federal Register, the four major law-firm NPRM summaries (Covington, DLA Piper, Sullivan & Cromwell, Mayer Brown), and Rain’s own published product surface.
What it is not. A pitch. Blanc is named zero times in the body. Recommendations are vendor-agnostic and executable inside the 30-day comment window. Every claim ties back to a primary source listed at the bottom.
The April 7–10 FinCEN NPRM trio creates two operationally distinct exposure surfaces for a stablecoin-infrastructure card issuer, neither of which collapses to “we already comply with BSA.” The first is downstream: permitted payment stablecoin issuers (PPSIs) the platform settles against will be required to maintain “effective sanctions compliance programs” with technical capabilities to block, freeze, or reject impermissible secondary-market transactions — the first-ever federal-statute-level sanctions program requirement for U.S. persons. Those obligations push out to integrators through commercial agreements. The second is direct: the parallel Program Reform NPRM rewrites the AML/CFT program standard for every BSA-covered financial institution — including a card-issuance and stablecoin-settlement MSB — codifying risk-assessment, the “in all material respects” implementation standard, and risk-based resource allocation as supervisable line items.
The 30-second read
Two rules, the same week, neither resolvable on first read in May 2026. The PPSI NPRM (Fed Reg 2026-04-10, 91 FR 06963) implements the GENIUS Act’s BSA provisions for stablecoin issuers and introduces the novel federal-statute-level sanctions program requirement. The Program Reform NPRM (issued April 7, 2026) modernizes the AML/CFT program standard for every BSA-covered institution. The coordinated companion NPRMs from OCC, the Federal Reserve, the FDIC, and NCUA mirror the FinCEN proposal for supervised banks — meaning a card-issuing partner bank’s BSA program reshapes on the same timeline.
Both NPRMs close their comment windows on 2026-06-09 (30 days from this writing). Implementation runs 12 months post-final for the Program Reform rule; the PPSI rule attaches to the GENIUS Act’s three-year timeline. The gap between a current Reg E / Reg Z / UDAAP / sanctions program and the proposed standard is concrete, mappable, and at most companies sits in three or four control sections that don’t reconstruct from spreadsheets.
section 2What the rules actually say
Two separate NPRMs, issued the same week, that operate on different parts of the BSA framework. The PPSI rule is targeted at stablecoin issuers; the Program Reform rule applies broadly across BSA-covered institutions. Both have downstream effects on stablecoin-infrastructure platforms even when the platform itself is not the primary regulated entity.
Implements the GENIUS Act’s BSA provisions. A “permitted payment stablecoin issuer” is a U.S.-formed entity that is either a subsidiary of an insured depository institution approved for stablecoin issuance, a federal qualified PPSI, or a state qualified PPSI. The rule moves these entities from MSB classification into a dedicated BSA framework under proposed Part 1033. Mandatory program elements: an “effective” AML/CFT program with risk-based internal policies, procedures, and controls; independent testing with explicit recordkeeping of results and program enhancements; a designated AML/CFT officer; ongoing employee training; customer due diligence; an “effective sanctions compliance program” (the novel piece — the first-ever federal-statute requirement for U.S. persons to maintain such a program, per the joint FinCEN/OFAC framing); technical capability to block, freeze, or reject impermissible secondary-market transactions; sanctions-compliance recordkeeping that extends beyond current U.S. person obligations. Comment period closes 2026-06-09. Implementation attaches to the GENIUS Act’s three-year timeline.
A separate but parallel rule, issued the same week, modernizing the AML/CFT program standard for all BSA-covered institutions under the Anti-Money Laundering Act of 2020. Key shifts: risk assessment becomes a formal, codified program component (currently a supervisory expectation but not explicitly required by rule); risk assessments must review and, where appropriate, incorporate Treasury’s AML/CFT Priorities; for the first time, financial institutions are expressly permitted — and effectively required — to direct resources toward higher-risk activity and away from lower-risk areas, grounded in the documented risk assessment; a new “in all material respects” implementation standard, intended to separate criticism of program design from criticism of day-to-day execution. Comment period closes 2026-06-09. Implementation runs 12 months after the final rule publishes. The coordinated bank-regulator companion NPRMs from OCC, the Federal Reserve, the FDIC, and NCUA mirror the FinCEN proposal for their respective supervised institutions, meaning a card-issuing partner bank’s BSA program will be reshaped on the same timeline.
Where this hits a stablecoin-infrastructure card issuer
A platform that turns stablecoins into card-network-acceptable settlement — cards issued by a partner bank under a Visa or Mastercard license, customer funds held as stablecoins, daily settlement to the network — sits at a regulatory junction the NPRMs explicitly reorganize.
Stablecoins held by customers and routed through the platform’s settlement flow are issued by entities that will be reclassified under Part 1033. Those issuers will be required to extend “effective sanctions compliance programs” downstream, and the technical block/freeze/reject obligation only works if the platform can honor freeze requests in near-real-time. Expect counterparty agreements to be reopened, sanctions-screening attestations to become formal, and the platform’s transaction-monitoring stack to need to produce an audit trail acceptable not just to internal counsel but to a PPSI’s independent testing engagement.
A money services business operating as a card-issuance and stablecoin-settlement infrastructure layer is a BSA-covered financial institution. The risk-assessment codification, the AML/CFT Priorities incorporation, and the risk-based resource allocation provisions apply directly. The “in all material respects” implementation standard means a program that looks complete on paper but isn’t running on a cadence the regulator can re-test will fail the standard on examination, regardless of design quality.
The card-issuing bank’s own BSA program will be reshaped by the parallel banking-regulator NPRM. The TPRM cycle the partner bank runs against fintech partners — quarterly evidence reviews, control-testing log requests, sanctions-screening attestations — will tighten the moment the bank’s own examiner expectations recalibrate. The platform receives the cascade through the partner-bank relationship before the regulatory floor finalizes.
The 30, 90, and 365-day clocks
Three operational windows, each gating a distinct set of work. The downstream-counterparty obligation from PPSI partners will arrive commercially before the regulatory floor finalizes — an inversion of the typical “rule finalizes, then implementation” sequence that forces an earlier internal decision than the headline comment-period deadline suggests.
Three actions worth running inside the comment window
Vendor-agnostic and executable inside 30 days, regardless of which compliance platform a stablecoin-infrastructure card issuer is running today.
Every claim in this change map links to a primary source.
- FinCEN + OFAC. “Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements.” Federal Register, April 10, 2026 · 91 FR 06963. federalregister.gov
- FinCEN. AML/CFT Program Reform NPRM. April 7, 2026. fincen.gov
- OCC, Federal Reserve, FDIC, NCUA. Coordinated companion NPRMs mirroring the FinCEN Program Reform proposal for supervised institutions. April 2026.
- Anti-Money Laundering Act of 2020. Statutory authority for the AML/CFT program standard reform.
- GENIUS Act. Statutory authority for the PPSI BSA framework and three-year implementation clock.
- Covington & Burling. PPSI NPRM client alert. April 2026. Source for PPSI definition (U.S.-formed IDI subsidiary, federal qualified PPSI, or state qualified PPSI), “first-ever federal-statute sanctions program requirement” framing, and technical block/freeze/reject capability scope.
- DLA Piper. AML/CFT Program Reform NPRM alert. April 2026. Source for the April 7 publication date, 2026-06-09 comment close, and 12-month post-final implementation.
- Sullivan & Cromwell. Program Reform NPRM client memo. April 2026. Source for the risk-assessment codification, the “in all material respects” implementation standard, and the coordinated bank-regulator companion NPRM framing.
- Mayer Brown. Program Reform NPRM client alert. April 2026. Source for risk-based resource allocation as a new express obligation.
- Morrison Foerster. AML/CFT Program Reform NPRM alert. April 2026. Companion law-firm summary on implementation timeline.
- Rain. About / product surface (wallets, virtual accounts, card issuing, rewards, onramps, offramps, payments, corporate cards; cards issued by Third National pursuant to Visa license; banking via SSB, Member FDIC; PCI DSS compliance achieved 2025). rain.xyz/about-us
- Christopher Grieco public bio — General Counsel & Chief Compliance Officer at Rain since February 2023; previously Associate Deputy Attorney General (U.S. Department of Justice), Associate Counsel to the President (The White House), Majority Counsel (House Judiciary Committee, white-collar subcommittee). Stanford JD. The Org + Federalist Society + Rain PCI DSS press release.