GENIUS Act 2025: Stablecoin Compliance Checklist

The GENIUS Act finally answers three questions for stablecoin builders: who can issue, how reserves must be safeguarded, and what transparency looks like. It defines payment stablecoins (digital assets issued for payment or settlement that the issuer must redeem at a fixed monetary value) and limits issuance to licensed Permitted Payment Stablecoin Issuers (PPSIs).

This checklist provides an actionable compliance roadmap covering the main areas of regulated activity for stablecoin issuers under the 2025 GENIUS Act.

TL;DR
Issuers must operate under BSA/AML and sanctions rules, follow strict reserve and custody safeguards, and provide CEO/CFO-certified monthly reserve reports that are independently examined by a registered public accounting firm. Regulators will also set principles-based IT/operational risk standards.

For cross-border context, see our guide to global stablecoin regulation.

Reserve Management & Financial Controls

Issuers must ensure stablecoin reserves are fully backed, secure, and transparent.

  • Maintain 1:1 reserves in high-quality liquid assets: Reserves must always equal or exceed outstanding stablecoins and may consist only of the asset classes the Act enumerates: U.S. coins and currency, demand deposits at insured depository institutions, central bank reserve balances, Treasury securities with 93 days or less remaining to maturity, short-dated repos and reverse repos backed by those Treasuries, and government money market funds that hold only those assets. Corporate debt, equities, and other risky assets are prohibited, so the reserve cannot lose value against the peg and every token can be redeemed in full.
  • No rehypothecation: Reserve assets cannot be pledged, lent, or reused, other than for the narrow purposes the Act itself spells out (such as meeting redemption liquidity needs). This keeps the reserve unleveraged and available for immediate redemption.
  • Qualified custody and asset segregation: Reserves and any custodied stablecoins must be held by financial institutions supervised by a federal banking agency, the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), or a state banking supervisor. Reserves and custodied assets must be fully segregated from corporate assets.
  • Audited reserve reports: Issuers must publish monthly reserve reports examined by an independent registered public accounting firm to ensure accuracy.
  • Executive certification of disclosures: The CEO and CFO must personally certify the accuracy of each monthly report. False certifications carry criminal liability.
  • Priority for holders in insolvency: In the event of a bankruptcy, stablecoin holders have first claim on reserve assets, ahead of all other creditors.
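The reserve rules above are concrete enough to check mechanically. The Python script below is added here as an illustration; it is not code from this page, from Hacken, or from any regulator. It walks a constructed monthly reserve report and reports every asset that fails a rule: a prohibited asset class, an encumbered (pledged) asset, a Treasury with more than 93 days remaining at the report date, and an overall coverage shortfall. The report fields, asset-type labels, custodian names and figures are all assumptions made for the example.

```python
"""Monthly reserve-report checker for the reserve rules summarised above.
Added example: the report fields, asset labels and figures are constructed
assumptions, not an issuer's real filing or any regulator's schema."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Asset classes the Act permits as reserve backing (labels are this example's own).
PERMITTED_TYPES = {
    "cash", "insured_demand_deposit", "central_bank_reserve",
    "treasury", "treasury_repo", "government_mmf",
}
MAX_TREASURY_DAYS = 93   # remaining maturity, measured from the report date


@dataclass(frozen=True)
class ReserveAsset:
    asset_id: str
    asset_type: str
    value_usd: float
    custodian: str
    maturity: Optional[date] = None   # Treasury securities only
    pledged: bool = False             # True if posted as collateral or lent out


def check_reserves(assets: List[ReserveAsset], outstanding_usd: float,
                   report_date: date) -> Tuple[float, List[str]]:
    """Return (eligible_value_usd, violations).

    Only permitted, unencumbered assets count toward coverage; a Treasury is
    judged on the days *remaining* at the report date, not its original tenor.
    """
    eligible = 0.0
    violations: List[str] = []
    for a in assets:
        if a.asset_type not in PERMITTED_TYPES:
            violations.append(f"{a.asset_id}: prohibited asset type '{a.asset_type}'")
            continue
        if a.pledged:
            violations.append(f"{a.asset_id}: reserve asset is pledged or lent (rehypothecation)")
            continue
        if a.asset_type == "treasury":
            if a.maturity is None:
                violations.append(f"{a.asset_id}: Treasury security without a maturity date")
                continue
            remaining = (a.maturity - report_date).days
            if remaining > MAX_TREASURY_DAYS:
                violations.append(
                    f"{a.asset_id}: {remaining} days to maturity exceeds {MAX_TREASURY_DAYS}")
                continue
        eligible += a.value_usd
    if eligible < outstanding_usd:
        violations.append(
            f"coverage shortfall: eligible ${eligible:,.0f} < outstanding ${outstanding_usd:,.0f}")
    return eligible, violations


# Constructed sample report: one clean bill, one over-tenor note, one corporate
# bond, one bill pledged as repo collateral, plus an insured bank deposit.
SAMPLE_REPORT_DATE = date(2025, 9, 30)
SAMPLE_OUTSTANDING_USD = 1_000_000_000.0
SAMPLE_ASSETS = [
    ReserveAsset("TBILL-A", "treasury", 600_000_000.0, "Custodian Bank A", date(2025, 11, 29)),
    ReserveAsset("TNOTE-B", "treasury", 100_000_000.0, "Custodian Bank A", date(2026, 1, 28)),
    ReserveAsset("CORP-C", "corporate_bond", 50_000_000.0, "Custodian Bank B"),
    ReserveAsset("TBILL-D", "treasury", 50_000_000.0, "Custodian Bank B", date(2025, 10, 15),
                 pledged=True),
    ReserveAsset("DEP-E", "insured_demand_deposit", 250_000_000.0, "Custodian Bank A"),
]

if __name__ == "__main__":
    value, problems = check_reserves(SAMPLE_ASSETS, SAMPLE_OUTSTANDING_USD, SAMPLE_REPORT_DATE)
    print(f"eligible reserves: ${value:,.0f}")
    for p in problems:
        print("VIOLATION:", p)
```

Two details are worth noting. Remaining maturity is measured from the report date, not from issuance, so a note that was eligible in one month's report can silently fall out of eligibility in the next. And pledged assets are excluded before the coverage ratio is computed rather than counted and flagged separately; otherwise a report can show 100% backing while part of that backing is not actually available for redemption.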

Legal Obligation → Proof of Compliance

  • 1:1 reserves in high-quality liquid assets: Reserve composition reports showing a portfolio of only permitted assets and the explicit exclusion of prohibited assets.
  • No rehypothecation: Written policies, procedures, and custodian agreements that explicitly forbid the pledging, lending, or reuse of any reserve assets.
  • Qualified custody and asset segregation: Custody agreements with regulated financial institutions; audit trails and financial statements demonstrating that reserve assets are held separately from the issuer's corporate funds.
  • Audited reserve reports: Publicly available monthly reserve reports accompanied by an examination letter from a registered public accounting firm.
  • Executive certification of disclosures: Copies of monthly reports, personally signed and certified by the CEO and CFO.
  • Priority for holders in insolvency: Corporate governance documents and insolvency plans that explicitly establish the priority of stablecoin holders over all other creditors with respect to reserve assets.

AML/CFT & Sanctions Compliance

The GENIUS Act classifies stablecoin issuers as financial institutions, subjecting them to the full scope of AML/CFT rules under the Bank Secrecy Act (BSA).

  • Establish a BSA-compliant AML program: Implement a written, risk-based AML program built on the core pillars identified by regulators:
    • A designated compliance officer
    • Explicit internal controls
    • Continuous employee training
    • Independent testing
    • Customer due diligence
  • Customer Identification Program (CIP): Collect and verify customer identity (name, date of birth, physical address, and government-issued ID number) using documentary or non-documentary methods before account activation.
  • Suspicious activity and transaction reporting: Monitor transactions and file required reports with the Financial Crimes Enforcement Network (FinCEN).
    • Suspicious Activity Reports (SARs) for suspicious transactions ≥ $25,000, or transactions ≥ $5,000 where a suspect is identified.
    • Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000 in a single day, aggregated per customer.
  • Office of Foreign Assets Control (OFAC) sanctions compliance: Screen all customers and wallet addresses against OFAC’s sanctions lists, including the Specially Designated Nationals and Blocked Persons (SDN) list, and block any prohibited parties or jurisdictions.
  • Geolocation and IP blocking: Use geolocation tools to identify and block users from sanctioned regions.
  • Blockchain analytics & Travel Rule compliance: Use blockchain analytics to detect illicit transaction patterns and comply with the Financial Action Task Force (FATF) Travel Rule by collecting, holding, and transmitting the required originator and beneficiary data for transfers at or above the regulatory threshold. Under the U.S. rule (31 CFR 1010.410(f)), transmittals of $3,000 or more must carry the required sender and recipient information. Transfers below $3,000 are still subject to AML monitoring and suspicious activity reporting; they are only exempt from Travel Rule recordkeeping.
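Screening wallet addresses against the SDN list has a practical pitfall that a plain string lookup hides: address casing. The Python below is an added example, not code from this page or from Hacken. It parses SDN-style "Digital Currency Address" remarks, normalizes each address according to its chain before matching, screens both ends of a transfer, and flags whether the $3,000 Travel Rule threshold applies. Every list entry and address is constructed for the example; the set of tickers treated as EVM chains is this example's assumption, and a real deployment would load the current OFAC list rather than inline text.

```python
"""Sanctions screening of a stablecoin transfer against OFAC-style digital
currency address entries, plus the Travel Rule threshold check.
Added example: the SDN remarks lines and every address below are constructed
for illustration and are not real list entries or real wallets."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed remarks fields in the style OFAC uses in sdn.csv for crypto addresses.
SDN_REMARKS = [
    "(Linked To: EXAMPLE MIXER LTD); Digital Currency Address - ETH 0xAbCdEf"
    + "0" * 30 + "1234; alt. Digital Currency Address - ETH 0x" + "0" * 32 + "DeadBeef",
    "Digital Currency Address - XBT bc1qexampleaddressxyzxyz; "
    "Digital Currency Address - XBT 1ExampleConstructedBase58Addr",
]
ADDRESS_RE = re.compile(r"Digital Currency Address - ([A-Z0-9]+) ([A-Za-z0-9]+)")
EVM_CHAINS = {"ETH", "ARB", "BSC"}   # assumption: tickers whose addresses are EVM hex
TRAVEL_RULE_USD = 3000.0             # 31 CFR 1010.410(f): $3,000 and above


def normalize(chain: str, address: str) -> str:
    """Canonical form so case games cannot dodge a match.

    EIP-55 only changes hex casing, so EVM addresses compare case-folded;
    bech32/bech32m (bc1...) is case-insensitive by design; base58 is not,
    so changing its case yields a genuinely different address.
    """
    address = address.strip()
    if chain in EVM_CHAINS:
        return address.lower()
    if chain == "XBT" and address.lower().startswith("bc1"):
        return address.lower()
    return address


def load_blocklist(remarks_lines: List[str]) -> Set[Tuple[str, str]]:
    """Extract (chain, normalized_address) pairs from SDN-style remarks text."""
    blocked: Set[Tuple[str, str]] = set()
    for line in remarks_lines:
        for chain, addr in ADDRESS_RE.findall(line):
            blocked.add((chain, normalize(chain, addr)))
    return blocked


@dataclass(frozen=True)
class Transfer:
    chain: str
    originator: str
    beneficiary: str
    amount_usd: float


def screen(transfer: Transfer, blocked: Set[Tuple[str, str]]) -> Dict[str, object]:
    """Screen both ends of a transfer; flag Travel Rule duties by amount."""
    hits = [
        role for role, addr in (("originator", transfer.originator),
                                ("beneficiary", transfer.beneficiary))
        if (transfer.chain, normalize(transfer.chain, addr)) in blocked
    ]
    return {
        "action": "block" if hits else "allow",
        "sanctions_hits": hits,
        "travel_rule": transfer.amount_usd >= TRAVEL_RULE_USD,
    }


BLOCKED = load_blocklist(SDN_REMARKS)

if __name__ == "__main__":
    # Lowercased form of the listed ETH address: must still be caught.
    t = Transfer("ETH", "0xabcdef" + "0" * 30 + "1234", "0x" + "1" * 40, 4500.0)
    print(screen(t, BLOCKED))
```

Normalizing per chain is the point: an EVM address in lowercase and in EIP-55 mixed case is the same account, so a case-sensitive compare produces false negatives, while base58 addresses must not be case-folded because different casing is a different address. Keep the screening decision log for every transfer, since that log is the evidence listed under OFAC sanctions compliance.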

Legal Obligation → Proof of Compliance

  • Establish a BSA-compliant AML program: A board-approved, written AML program document satisfying the BSA requirements.
  • Customer Identification Program (CIP): Documented CIP procedures and audit logs showing the collection and verification of required customer information at account opening.
  • Suspicious activity and transaction reporting: Copies of filed SARs and CTRs, along with supporting investigation documentation.
  • OFAC sanctions compliance: Sanctions screening policies and procedures; logs from screening software demonstrating the verification of customers and onchain wallet addresses against the SDN list.
  • Geolocation and IP blocking: System configurations, vendor contracts, and access logs from geolocation tools that demonstrate the active blocking of users from sanctioned jurisdictions.
  • Blockchain analytics & Travel Rule compliance: Documented transaction monitoring logs and rules designed to detect crypto-specific red flags; records of originator and beneficiary information transmitted for transfers at or above the regulatory threshold.

Technology, Cybersecurity & Operational Resilience

Issuers must maintain secure, resilient systems that protect critical infrastructure and assets.

  • Adopt an organizational IT risk framework: Implement a formal cybersecurity and operational risk program based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF 2.0), covering governance, identification, protection, detection, response, and recovery.
  • Independent smart contract and dApp audits: Adopt risk-based, independent third-party security assessments (e.g., code review, formal verification, audit) for smart contracts and related dApps that support issuance, redemption, and reserve operations.
  • Regular penetration testing: Conduct periodic, risk-based independent testing (vulnerability scanning and penetration testing) across web applications, APIs, and internal networks with documented remediation and oversight.
  • Secure cryptographic key management: Manage private keys across their whole lifecycle (generation, storage, use, rotation, and destruction) under a recognized standard. NIST SP 800-57 addresses key management specifically; ISO/IEC 27001 supplies the surrounding information security management system; and the Cryptocurrency Security Standard (CCSS) adds crypto-specific controls, such as multi-party signing and key-holder separation, that issuers should follow.

Legal Obligation → Proof of Compliance

  • Implement an organizational IT & operational risk program: Board-approved cybersecurity/operational risk program aligned to NIST CSF 2.0 (six functions: Govern, Identify, Protect, Detect, Respond, Recover) and/or FFIEC/NIST SP 800-53; documented enterprise risk assessment; policies, standards, and procedures; control testing and continuous monitoring plan; third-party risk and secure SDLC/change-management evidence.
  • Risk-based independent assessments of smart contracts & dApps supporting issuance, redemption, reserves, and other critical functions: Third-party assessment reports (e.g., code review, formal methods, audit) showing scope, methodology, and severity ratings; evidence of remediation before deployment; re-assessment after material code changes; linkage to change-management tickets and risk acceptance (if any).
  • Risk-based vulnerability management & penetration testing across external and internal attack surfaces: Periodic independent testing reports covering web apps, APIs, infrastructure/cloud, blockchain nodes, and internal networks; documented remediation plans, evidence of fix verification/re-test, and management/board reporting.
  • Secure cryptographic key management: Key management policies and procedures aligned with a recognized standard (e.g., NIST SP 800-57, ISO/IEC 27001, CCSS); audit logs from hardware security modules (HSMs) or multi-party computation (MPC) systems used for key storage and transaction signing.

Conclusion

The GENIUS Act introduces structure to the operational and legal aspects of stablecoin issuance. Meeting these requirements means operating at an institutional scale with fully backed reserves, auditable controls, bank-level cybersecurity, and airtight AML compliance.

Each rule is designed to protect users, prevent systemic risk, and strengthen the dollar’s position in the digital economy. For issuers, compliance is not a box-checking exercise, but an ongoing demonstration of transparency, accountability, and resilience.

Those who meet this standard will gain institutional confidence and long-term legitimacy in a regulated market.

Hacken’s stablecoin security stack enables issuers to launch and grow with confidence in a regulated environment. With auditable controls, real-time risk monitoring, and provable reserves, Hacken supports compliance with GENIUS Act standards — helping issuers gain trust, listings, and long-term legitimacy.