Entering the Stablecoin Market: An AML Compliance Playbook
- FinScan

When a payments company announces its entry into blockchain payments, the first product type is usually stablecoin payments. With that announcement, the compliance function faces one of its most demanding challenges: building a robust anti-money laundering framework for an asset class that is simultaneously fast-growing, high-risk, and still evolving in regulatory terms.

FATF’s March 2026 Targeted Report on Stablecoins and Unhosted Wallets confirmed what compliance professionals had feared: stablecoins now account for 84% of all illicit virtual asset transaction volume. Chainalysis data cited in the report recorded over $154 billion in total illicit virtual asset activity in 2025, the vast majority conducted via stablecoin rails. TRM Labs put illicit stablecoin receipts in 2025 at $141 billion. These are not peripheral risks; they are systemic ones.
For financial crime leaders at payments companies entering this space, the compliance build is not an incremental adjustment to existing frameworks. It requires a fundamental expansion of risk infrastructure, regulatory mapping, and operational capability. This article sets out how to approach that task.
1. Update the Business-Wide Risk Assessment
The starting point is always the risk assessment. Before any product goes live, financial crime leaders must ensure the Business-Wide Risk Assessment (BWRA) is updated to reflect the new stablecoin product line. A generic virtual asset risk appendix is not sufficient. The assessment must address the specific features of the firm’s stablecoin proposition.
Key risk dimensions to evaluate include:
Fiat on/off ramp risk
The conversion points between fiat and stablecoins represent the highest-risk moments for placement-stage laundering. These interfaces demand the most intensive controls.
Chain and infrastructure risk
Public permissionless blockchains carry materially higher risk than permissioned infrastructure due to the pseudonymous nature of on-chain activity and the accessibility to all actors.
Unhosted wallet exposure
Transfers to and from wallets not held at a regulated intermediary are explicitly identified by FATF as a “key vulnerability.” The firm must define its appetite for such flows and build EDD processes accordingly.
Counterparty and ecosystem risk
DeFi protocols, cross-chain bridges, and mixer services all introduce layering risk. Each carries its own risk profile.
Transaction velocity
Stablecoins enable near-instant, high-volume transfers across jurisdictions. The detection window is compressed compared to traditional payments.
Jurisdictional risk
Customer geography matters enormously. Users in FATF grey-listed or sanctioned jurisdictions require heightened scrutiny or exclusion.
As the organization completes its analysis, it must ensure that these BWRA updates align with the risk methodologies the organization already uses. The risk factors in a virtual asset payments program may carry slightly different weightings, but there should not be material differences between the risk factors applied to virtual asset payments and those applied to fiat payments. For example, jurisdictional risk should be assessed nearly identically across the BWRA. If the assessments differ materially, a regulator may challenge the institution on why its jurisdictional analysis is inconsistent. What a regulator wants to see is a consistent approach to risk methodology across the organization.
The BWRA update should be formally approved by the Board and should feed directly into risk appetite statements for the product.
2. Map the Regulatory Landscape
Stablecoin regulation is developing rapidly and unevenly across jurisdictions. Financial crime leaders must ensure the firm’s compliance obligations are mapped accurately and comprehensively before launch.

United Kingdom
The UK regulatory framework for stablecoins is in active transition. The Financial Services and Markets Act 2023 (FSMA 2023) brought cryptoassets within the regulatory perimeter by defining them as a regulated class of investment. On 4 February 2026, Parliament passed The Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, which establishes the full FSMA-based cryptoasset regime. This regime is scheduled to come into force on 25 October 2027. The FCA announced in January 2026 that the application window for authorization will open in September 2026.
Under the new framework, “qualifying stablecoins” (defined as fiat-referenced stablecoins maintaining backing assets to preserve value) are explicitly designated as regulated activities. Payments firms currently registered under the Money Laundering Regulations 2017 (MLRs) for cryptoasset AML purposes will need to transition to full FCA authorization under FSMA before the October 2027 commencement date. Any firm already FCA-authorized under FSMA for another activity will require a Variation of Permission.
For systemic stablecoins (those widely used in payments), there is an additional layer of joint regulation by the FCA and the Bank of England. The Bank published a Consultation Paper in November 2025 on its proposed prudential regime for sterling-denominated systemic stablecoins, with draft Codes of Practice expected in 2026. Proposed reserve requirements include holding 40% of backing assets at the Bank of England and 60% in short-term UK government debt.
The MLRs 2017 continue to apply in the interim, meaning AML registration and full compliance with customer due diligence, record-keeping, and SAR filing obligations remain live requirements throughout the transition period.

European Union
The EU’s Markets in Crypto-Assets Regulation (MiCA) came into full application on 30 December 2024, creating the first unified EU-wide framework for cryptoassets including stablecoins. Under MiCA, stablecoin issuers, classified as issuers of Asset-Referenced Tokens (ARTs) or E-Money Tokens (EMTs) depending on their reference asset, must publish white papers, maintain high-quality reserve assets, and guarantee timely redemption for users. Larger stablecoins face additional supervisory requirements.
The EU Transfer of Funds Regulation (TFR) 2023/1113 extended the Travel Rule to VASPs, aligning EU law with FATF Recommendation 16. For payments firms operating across EU member states, licensing under MiCA grants EU-wide passporting. The Anti-Money Laundering Regulation (AMLR) further underpins AML/CFT obligations. Supervisors in the EU have begun targeted reviews of VASPs under MiCA with specific emphasis on DeFi exposure, cross-chain bridges, and unhosted wallet risks.

United States
In the US, payments firms engaging with stablecoins must navigate a multi-layered regulatory environment. FinCEN registration as a Money Services Business (MSB) under the Bank Secrecy Act remains foundational. State money transmitter licenses are required in most states. OFAC obligations are particularly critical given the dollar-denominated nature of most major stablecoins such as USDT and USDC. Congress has been moving toward comprehensive stablecoin legislation through vehicles such as the GENIUS Act, though as of March 2026 no single unified statute has been enacted.
3. Operationalize the Travel Rule
The Travel Rule is among the most operationally demanding compliance requirements for any payments firm entering the stablecoin space. FATF Recommendation 16, as revised in June 2025 to tighten payment transparency standards, requires that complete originator and beneficiary information travels with virtual asset transfers above applicable thresholds (typically the equivalent of €1,000 in most EU and UK-aligned jurisdictions).
As of 2025, around 85 of 117 jurisdictions have legislated for the Travel Rule for virtual assets, up from 65 in 2024. However, active enforcement remains uneven. The MLRs will need to be checked as they are being amended to reflect the shift from AML registration to FSMA authorization for cryptoasset activities in the UK.
Practical implementation steps include:
Select a Travel Rule solution: Several established providers offer compliant solutions. The choice must account for your counterparty network: a solution with limited VASP connectivity creates compliance gaps.
Address unhosted wallets: Transfers involving wallets not held at a regulated intermediary remain within the scope of the Travel Rule, which provides specific guidance for these scenarios. Rather than falling outside standard mechanics, the rule sets out clear verification steps: firms should conduct wallet risk analysis through a blockchain analytics report to address the potential absence of Know-Your-Wallet (KYW) information from the wallet's creator. Where that analysis indicates elevated risk, enhanced due diligence may be a natural and appropriate further step, and firms may also consider transaction limits pending completion of verification.
Manage the sunrise problem: Where counterparty VASPs are not yet Travel Rule-compliant, the firm must have documented policies on how to handle such transfers, including whether to permit, restrict, or block them.
Validate data quality: FATF's June 2025 revision establishes that partial or inconsistent originator/beneficiary data is unacceptable, but the validation obligations are institution-specific rather than universal. The originating institution is responsible for verifying the accuracy of originator information, but its obligation regarding beneficiary data is limited to confirming that all required fields are present. Conversely, the beneficiary institution must validate the beneficiary information on its side, but has no obligation to verify the accuracy of originator details, only that the required fields have been supplied. Systems must therefore be capable of actively validating incoming Travel Rule data according to each institution's specific role in the transaction, not merely receiving and storing it. Notably, these requirements apply across both digital asset transfers and traditional fiat payment rails.
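The role-specific validation described in the last step, as an added example (not FinScan's code): the originator institution verifies its own customer's data for accuracy and only checks that beneficiary fields are present, and the beneficiary institution does the mirror image. The field names, the threshold and the sample records are assumptions made for the example.

```python
# Added example (not FinScan's code): role-specific Travel Rule validation of one
# payload. Field names, the threshold and the sample records are assumptions.
THRESHOLD_EUR = 1000  # assumed: transfers above this must carry Travel Rule data

# Fields each party must supply; every institution checks presence of all of them.
REQUIRED_FIELDS = {
    "originator": ("name", "account", "address"),
    "beneficiary": ("name", "account"),
}


def missing_fields(payload):
    """Required originator/beneficiary fields that are absent or blank (both roles check this)."""
    out = []
    for party, fields in REQUIRED_FIELDS.items():
        for f in fields:
            key = f"{party}_{f}"
            if not str(payload.get(key, "")).strip():
                out.append(f"missing:{key}")
    return out


def accuracy_mismatches(payload, party, kyc_record):
    """Fields of `party` whose payload value disagrees with this institution's own KYC record."""
    out = []
    for f, expected in kyc_record.items():
        key = f"{party}_{f}"
        actual = str(payload.get(key, ""))
        if actual.strip().casefold() != expected.strip().casefold():
            out.append(f"mismatch:{key}")
    return out


def validate_travel_rule(payload, role, kyc_record):
    """Findings for the institution acting as `role` ('originator' or 'beneficiary').

    The originator institution verifies the accuracy of originator data against its
    own KYC record and only checks that beneficiary fields are present; the
    beneficiary institution does the mirror image. An empty list means acceptable.
    """
    if role not in REQUIRED_FIELDS:
        raise ValueError(f"unknown role {role!r}")
    if float(payload.get("amount_eur", 0)) <= THRESHOLD_EUR:
        return []  # below threshold: no Travel Rule data required on this corridor
    return missing_fields(payload) + accuracy_mismatches(payload, role, kyc_record)


# Constructed sample: the sender left the beneficiary account blank.
SAMPLE_PAYLOAD = {
    "amount_eur": 2500,
    "originator_name": "Ada Example",
    "originator_account": "ACC-001",
    "originator_address": "1 Sample Street, Exampletown",
    "beneficiary_name": "Bob Sample",
    "beneficiary_account": "",
}
ORIGINATOR_KYC = {"name": "ada example", "account": "ACC-001", "address": "1 Sample Street, Exampletown"}
BENEFICIARY_KYC = {"name": "Robert Sample", "account": "ACC-777"}

if __name__ == "__main__":
    print("as originator VASP :", validate_travel_rule(SAMPLE_PAYLOAD, "originator", ORIGINATOR_KYC))
    print("as beneficiary VASP:", validate_travel_rule(SAMPLE_PAYLOAD, "beneficiary", BENEFICIARY_KYC))
```

The same payload yields different findings depending on the role: the originating VASP reports only the missing beneficiary field, while the beneficiary VASP additionally flags the name and account it cannot reconcile with its own customer record.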
4. Build a Blockchain-Native Transaction Monitoring Framework
Existing transaction monitoring systems built for traditional payment flows will not detect on-chain illicit activity. Stablecoin monitoring requires a layered approach combining conventional TM tooling with blockchain analytics.
Blockchain Analytics
Leading blockchain analytics platforms provide transaction tracing, entity identification, and risk scoring for on-chain activity. These tools must be integrated into the firm’s TM infrastructure to enable real-time and retrospective analysis of wallet activity. Procurement should include evaluation of coverage across relevant chains, risk category granularity, and API integration capability.
Stablecoin-Specific Typologies
Standard TM rule sets are not calibrated for stablecoin laundering patterns. Financial crime leaders must work with the compliance and technology teams to build and test rules covering:
Structuring across multiple wallets to stay below reporting thresholds
Rapid cycling through decentralized exchange protocols
Use of mixing or tumbling services to obscure transaction trails
Chain-hopping: moving value across multiple blockchains via bridges to break traceability
Interaction with OFAC-designated smart contracts or wallet addresses
Sudden changes in transaction behavior inconsistent with stated customer profile
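Two of the typologies above (structuring across multiple wallets and chain-hopping via bridges) as detection rules over a constructed ledger, added here as an example rather than FinScan's own rules; the thresholds, windows and every ledger row are assumptions made for the example.

```python
# Added example (not FinScan's code): two stablecoin monitoring rules run over a
# constructed transfer ledger. Thresholds, windows and all rows are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

REPORTING_THRESHOLD = 1000.0          # assumed reporting threshold (stablecoin units)
STRUCTURING_WINDOW = timedelta(hours=24)
MIN_DESTINATION_WALLETS = 3           # assumed: fan-out over at least 3 wallets
HOP_WINDOW = timedelta(hours=6)
MIN_CHAINS = 3                        # assumed: bridge activity across at least 3 chains


class Transfer(NamedTuple):
    ts: datetime
    customer: str
    src: str
    dst: str
    chain: str
    amount: float
    via_bridge: bool


# Constructed ledger: C1 fans out sub-threshold amounts, C2 hops chains via bridges.
LEDGER = [
    Transfer(datetime(2026, 3, 1, 9, 0), "C1", "0xaaa1", "0xb001", "ethereum", 950.0, False),
    Transfer(datetime(2026, 3, 1, 9, 20), "C1", "0xaaa1", "0xb002", "ethereum", 980.0, False),
    Transfer(datetime(2026, 3, 1, 9, 45), "C1", "0xaaa1", "0xb003", "ethereum", 990.0, False),
    Transfer(datetime(2026, 3, 1, 10, 10), "C1", "0xaaa1", "0xb004", "ethereum", 900.0, False),
    Transfer(datetime(2026, 3, 1, 12, 0), "C2", "0xccc2", "0xbr1", "ethereum", 5000.0, True),
    Transfer(datetime(2026, 3, 1, 12, 30), "C2", "0xccc2", "0xbr2", "arbitrum", 5000.0, True),
    Transfer(datetime(2026, 3, 1, 13, 15), "C2", "TRccc2", "TRbr3", "tron", 5000.0, True),
    Transfer(datetime(2026, 3, 2, 8, 0), "C3", "0xddd3", "0xb009", "ethereum", 2500.0, False),
]


def _by_customer(transfers, keep):
    """Group the transfers that pass `keep` by customer, oldest first."""
    groups = defaultdict(list)
    for t in transfers:
        if keep(t):
            groups[t.customer].append(t)
    for rows in groups.values():
        rows.sort(key=lambda t: t.ts)
    return groups


def detect_structuring(transfers, threshold=REPORTING_THRESHOLD,
                       window=STRUCTURING_WINDOW, min_wallets=MIN_DESTINATION_WALLETS):
    """Flag a customer whose sub-threshold transfers to several distinct wallets
    within one window add up to more than the reporting threshold."""
    alerts = []
    for cust, rows in _by_customer(transfers, lambda t: t.amount < threshold).items():
        for i, start in enumerate(rows):
            in_window = [t for t in rows[i:] if t.ts - start.ts <= window]
            wallets = {t.dst for t in in_window}
            total = sum(t.amount for t in in_window)
            if len(wallets) >= min_wallets and total > threshold:
                alerts.append((cust, "structuring", len(wallets), total))
                break  # one alert per customer is enough for the analyst queue
    return alerts


def detect_chain_hopping(transfers, window=HOP_WINDOW, min_chains=MIN_CHAINS):
    """Flag a customer whose bridge transfers touch several chains within one window."""
    alerts = []
    for cust, rows in _by_customer(transfers, lambda t: t.via_bridge).items():
        for i, start in enumerate(rows):
            chains = {t.chain for t in rows[i:] if t.ts - start.ts <= window}
            if len(chains) >= min_chains:
                alerts.append((cust, "chain_hopping", sorted(chains)))
                break
    return alerts
```

Each rule is parameterised so the window and minimum counts can be tuned against the firm's own threshold and alert volume rather than hard-coded.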
FATF’s March 2026 report highlighted that DPRK-linked actors, Iranian proliferation financiers, and large-scale fraud networks have all adopted stablecoins as a preferred vehicle. These are not theoretical typologies; they are active threats documented across global case studies.
SAR Filing
Suspicious Activity Reports must be updated to capture on-chain identifiers. When filing SARs related to stablecoin activity, compliance teams should include transaction hashes, wallet addresses, blockchain network identifiers, and relevant timestamps. This is increasingly expected by financial intelligence units and law enforcement as standard practice.
5. Elevate Sanctions Controls
Of all the risk areas in stablecoin compliance, sanctions present the most acute threat. The FATF’s March 2026 report found that sanctions-related activity accounted for 86% of illicit crypto flows in 2025, with stablecoin platforms cited as the primary vehicle. Iranian actors have used stablecoins to finance proliferation and evade restrictions. DPRK cybercriminal groups laundered proceeds from the $1.46 billion Bybit hack, the largest single virtual asset theft in history, primarily through stablecoin conversions.

Required controls include:
Real-time wallet screening: Every sending and receiving wallet address must be screened against OFAC’s SDN list, UK Sanctions list, EU and UN lists before transactions are executed. Batch or retrospective screening is insufficient.
Smart contract-level controls: Major stablecoin issuers such as Circle (USDC) maintain blacklisting functions enabling them to freeze balances at OFAC’s request. Firms should understand and monitor these controls but must not treat issuer-level freezing as a substitute for their own screening obligations.
Secondary sanctions awareness: Dollar-denominated stablecoins carry US secondary sanctions exposure even for non-US firms. Legal advice should be obtained on the firm’s exposure profile.
24/7 freeze capability: FATF has recommended that stablecoin issuers and intermediaries establish 24/7 law enforcement contact points capable of executing expedient asset freezes. Firms should build this capability into their operational model.
FATF has gone further in its March 2026 report, urging countries to consider requiring stablecoin issuers to implement smart contract functionalities including freeze, burn, and deny-listing capabilities, as well as allow-listing of pre-approved addresses. Compliance teams should monitor whether these expectations translate into binding regulatory requirements in relevant jurisdictions.
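The real-time wallet screening control above (screen sender and receiver before execution, never only in batch), as an added example that is not FinScan's code. The list entries are constructed placeholders rather than real designations, and the chain-specific address normalisation rules are assumptions; the point they illustrate is that a naive string compare misses a checksummed (mixed-case) EVM address that appears in lowercase on a list.

```python
# Added example (not FinScan's code): pre-execution screening of both wallet
# addresses against several sanctions lists. List entries are constructed
# placeholders, not real designations; normalisation rules are assumptions.
from typing import Callable

# Constructed placeholder entries stored in normalised (chain-family, address) form.
SANCTIONS_LISTS = {
    "OFAC_SDN": {("evm", "0xabc123placeholder0001")},
    "UK_HMT": {("evm", "0xabc123placeholder0002")},
    "EU": {("tron", "TPlaceholderCaseSensitive0003")},
}


def normalize_address(chain, address):
    """Canonical form for comparison. EVM addresses are hex, so the mixed-case
    (checksummed) and lowercase spellings denote the same address; Tron base58
    addresses are case-sensitive and must be compared as-is."""
    if chain in ("ethereum", "arbitrum", "polygon", "bsc"):
        return ("evm", address.strip().lower())
    if chain == "tron":
        return ("tron", address.strip())
    return None  # unknown format: cannot be screened reliably


def screen_transfer(transfer):
    """Screen sender and receiver. Returns (action, hits) where action is
    'allow', 'block' or 'hold' (hold = an address could not be normalised)."""
    hits = []
    for party in ("src", "dst"):
        key = normalize_address(transfer["chain"], transfer[party])
        if key is None:
            return "hold", [(party, "unscreenable", transfer[party])]
        for list_name, entries in SANCTIONS_LISTS.items():
            if key in entries:
                hits.append((party, list_name, transfer[party]))
    return ("block" if hits else "allow"), hits


def execute_if_clear(transfer, executor: Callable[[dict], str]):
    """Call the rail executor only when screening returns 'allow'; the screening
    result is attached to the transfer either way so the decision is auditable."""
    action, hits = screen_transfer(transfer)
    transfer["screening"] = {"action": action, "hits": hits}
    if action == "allow":
        return executor(transfer)
    return None
```

Failing closed on an address format the screener does not recognise ("hold") is deliberate: an unscreened transfer that executes anyway is exactly the retrospective-screening gap the control is meant to remove.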
6. Strengthen CDD and Unhosted Wallet Procedures
Standard KYC onboarding procedures require extension and enhancement for stablecoin products. At a minimum:
Onboarding questionnaires should capture intended stablecoin use, expected transaction volumes and counterparties, and source of funds and wealth for significant exposures.
Institutional clients using stablecoins require thorough UBO verification, given the potential for pseudonymous on-chain activity to obscure beneficial ownership.
Customers identified as VASPs themselves should trigger VASP due diligence procedures before they are permitted to transact; nested VASP exposure is a documented typology for layering at volume. This risk mirrors a well-established pattern in traditional finance: when a FinTech company holds a single pooled account at a chartered bank, the chartered bank has no visibility into the individual end-user accounts sitting behind it. Illicit flows can move through that nested structure without ever surfacing to the correspondent institution. The dynamic in blockchain payments is analogous: a VASP operating as a customer of another VASP can obscure the ultimate originators and beneficiaries of transactions in the same way, and at comparable scale.
For unhosted wallets specifically, the firm should implement a documented policy covering: the level of risk categorization applied to such transfers; whether proof-of-wallet-ownership is required; transaction limits applicable pending verification; and EDD requirements triggered by unhosted wallet use. FATF has identified peer-to-peer transfers via unhosted wallets as a “key vulnerability” in the global stablecoin ecosystem, and regulators will scrutinize how firms have addressed this in their frameworks.
7. Conduct VASP Due Diligence on Counterparties
Any exchange, wallet provider, or other VASP with which the firm has a business relationship must be subject to a formal VASP due diligence assessment. The Wolfsberg Group VASP Due Diligence Questionnaire provides a useful baseline structure. Key dimensions include: licensing and registration status; AML/CFT program quality; Travel Rule capability; sanctions screening practices; and governance and ownership transparency.
The firm should establish minimum standards that counterparty VASPs must meet and a clear process for managing VASPs that do not meet those standards, including relationship termination where warranted. Where the stablecoin ecosystem connects the firm to VASPs in higher-risk jurisdictions, enhanced VASP DD and more frequent review cycles are appropriate.
8. Update Governance, Policies and Training

The compliance infrastructure must be underpinned by updated governance and documentation:
AML Policy and Procedures: Update to explicitly address virtual assets, stablecoin-specific risks, and the new regulatory perimeter under FSMA 2023 and the Cryptoassets Regulations 2026.
Risk Appetite Statement: A formal stablecoin risk appetite statement, covering customer types, transaction types, jurisdictions, and interaction with unhosted wallets and DeFi, should be reviewed and approved by the Board.
Financial Crime Mandate: Confirm that the financial crime leader’s terms of reference explicitly extend to the new product line and that appropriate resources are in place.
Training: First and second line staff require tailored training on stablecoin risk typologies, red flags specific to on-chain activity, and the regulatory framework. Generic crypto awareness training is insufficient.
Internal Audit: The audit plan should be updated to include a stablecoin-specific review. Where internal audit lacks blockchain forensics capability, external specialist resource should be engaged.
A Sequenced Approach
For a payments firm in the early stages of stablecoin launch, the build is significant but manageable if sequenced correctly. A practical order of priority:
Phase 1: Foundation
BWRA update; regulatory mapping and license review; preliminary risk appetite statement approved by the Board.
Phase 2: Core Controls
Travel Rule solution procurement and integration; blockchain analytics platform onboarding; sanctions screening integration for wallet addresses.
Phase 3: Detection
TM rule development for stablecoin typologies; SAR process update; unhosted wallet policy finalization.
Phase 4: Governance
Policy and procedure updates; staff training; VASP DD framework for counterparties; internal audit plan update.
Ongoing
SAR quality review for crypto typologies; regulatory horizon scanning; proactive engagement with the FCA and, where relevant, the Bank of England.
FinScan Payments: One Platform Across All Rails
As payments companies expand into stablecoins alongside existing fiat, real-time, and cross-border payment flows, one of the most significant operational challenges is managing AML compliance across multiple payment rails without fragmenting the screening infrastructure or creating separate, conflicting risk management approaches. Disparate systems create coverage gaps, inconsistent risk scoring, and significant operational overhead for compliance teams already under pressure.

FinScan Payments addresses this directly. Built for the complexity of modern payment ecosystems, FinScan Payments enables financial institutions, fintechs, bigtechs, MSBs, and payment service providers to screen transactions across all major rails from a single platform. This includes ISO 20022, SWIFT, IACH, Fedwire, other domestic and cross-border payment infrastructures, stablecoin, and crypto digital wallets, consolidating what would otherwise require multiple point solutions into a unified compliance layer.
For payments companies entering the stablecoin market, this architectural approach is particularly relevant. Rather than bolting on a separate screening tool for digital asset flows, FinScan Payments allows firms to extend their existing compliance infrastructure to cover new payment types as they are introduced, maintaining consistent screening logic, watchlist coverage, and audit trails across the full payments stack.
Key capabilities relevant to stablecoin compliance include:
ISO 20022 native architecture: Unlike legacy screening systems that were built for older payment rails and have had ISO 20022 support added as an afterthought, FinScan Payments is natively built for ISO 20022. This matters because ISO 20022 carries significantly richer, more structured data than its predecessors, and a system that cannot ingest and interrogate that data natively will not fully exploit it for compliance purposes. FinScan's native adapters for SWIFT and ISO 20022 environments reduce integration effort, eliminate data translation risk, and ensure that the full richness of the ISO 20022 message, including structured names, addresses, and remittance data, is available to the screening engine. For payments companies adding stablecoin rails to an existing ISO 20022 infrastructure, this means compliance screening can extend to new payment types without rebuilding the integration layer.
Real-time and batch screening: FinScan Payments screens transactions in real time and in batch, with sub-second response times and the capacity to process more than 100 million transactions per day, meeting the velocity demands of modern payment rails.
Broad watchlist coverage: The platform screens against more than 70 compliance lists, including OFAC, HMT, EU and UN sanctions lists, PEP databases, adverse media, and custom internal watchlists, with list management handled by FinScan. The watchlists also include those from providers whose data refresh cadence meets the strict timing requirements of real-time payments (SEPA Instant Payments, RTP, etc.) and blockchain payments.
Advanced conditional logic: Beyond static list-based screening, FinScan Payments supports dynamic, risk-based rules that assess payment corridors, counterparty risk, transaction thresholds, and custom blocklists, enabling more precise detection calibrated to the firm’s specific risk appetite.
Data quality as a foundation: Poor data quality is one of the leading causes of false positives and missed true hits in AML screening. FinScan's built-in data quality engine standardizes and cleanses customer and payment data before it reaches the matching layer, ensuring records are accurate, complete, and fit for compliance screening. This is particularly relevant for stablecoin and cross-border payment flows where data formats and completeness can vary significantly across rails and counterparties.
Culturally sensitive and multilingual matching: Cross-border payments involve counterparties from diverse jurisdictions where naming conventions, transliterations, and character sets differ widely. FinScan's proprietary matching algorithm is multilingual and multicultural, handling variations in Arabic transliteration, compound name structures, regional dialects, and native character screening across multiple alphabets. This reduces both false positives from legitimate name variations and false negatives from missed matches, which is critical for payments companies operating across global corridors.
For compliance teams building out a stablecoin framework, the ability to consolidate payment screening across all rails in a single platform reduces operational risk, simplifies audit and governance, and positions the firm to onboard new payment types, including digital assets, without rebuilding compliance infrastructure from the ground up.
Stablecoins represent a genuine strategic opportunity for payments firms. They also represent one of the most acute money laundering and sanctions evasion threats in the global financial system today. For financial crime leaders, the mandate is clear: build the controls to match the risk, and build them before the product goes live.