A stablecoin issuer is not an exchange. The risk surface is different. Your token circulates on secondary markets, across bridges, and through wallets you never onboarded. You have freeze authority. You do not have recall authority. Once a token leaves your mint contract, you can stop it. But only if you can see it. And only on the chain where you execute the freeze.
Three regulatory frameworks now require you to act on that authority: the GENIUS Act in the United States, MiCA in the European Union, and the MAS Payment Services Act in Singapore. None of them tell you how to do it on a token deployed across eight chains simultaneously.
The GENIUS Act: what US issuers must demonstrate
The Guiding and Establishing National Innovation for US Stablecoins Act creates a federal licensing framework for payment stablecoin issuers. The Federal Reserve supervises bank holding company issuers. The OCC supervises non-bank issuers. State-chartered pathways remain for issuers below a $10 billion threshold.
The compliance obligations are specific. Issuers must maintain 1:1 reserve backing in high-quality liquid assets and publish monthly attestations of reserve composition. The Act classifies the issuer as a money transmitter under the Bank Secrecy Act. That means a full AML program: written policies, a designated compliance officer, customer identification procedures, transaction monitoring, suspicious activity reporting to FinCEN, and five-year recordkeeping.
The freeze obligation is the part most compliance programs underestimate. The Act requires issuers to implement technical controls to block transfers to or from OFAC-designated addresses and to freeze tokens at those addresses. "Technical controls" is not a policy checkbox. It means on-chain capability: a smart contract with admin-level freeze functions deployed and tested on every network where your token exists. If your token runs on Ethereum and Tron and Solana and your freeze contract is only deployed on Ethereum, you are not compliant on the other two chains.
Alert latency matters here. OFAC designations publish without advance notice. The SDN list update that hits at 2 p.m. on a Tuesday creates an immediate obligation. An issuer who runs daily batch screening will miss the window. The gap between designation and freeze is a compliance exposure.
MiCA: the EMT and ART frameworks
The EU's Markets in Crypto-Assets regulation divides stablecoins into two categories. E-Money Tokens reference a single fiat currency. Asset-Referenced Tokens reference a basket of assets, currencies, or commodities. USDC, USDT, and most retail dollar stablecoins are EMTs. The compliance obligations differ, but both require authorization before issuance.
For EMT issuers, MiCA requires authorization either as a credit institution or e-money institution under existing EU law, or under a specific MiCA authorization granted by a member state competent authority. The issuer must hold 1:1 reserves, segregated and protected. Reserves must be invested only in permissible assets: primarily central bank deposits and short-term government securities.
MiCA's AML obligations sit on top of the existing EU AML framework. The 6th Anti-Money Laundering Directive requirements apply in full: transaction monitoring, Suspicious Transaction Reports filed with national Financial Intelligence Units, enhanced due diligence for high-risk customers, and record retention. The EU FIU network (Egmont Group members) does not share a single reporting format. An issuer operating in France, Germany, and the Netherlands files STRs in three different systems.
MiCA imposes transaction limits on significant EMTs. An EMT that processes more than one million transactions per day or holds reserves exceeding €5 billion must notify the European Banking Authority and enters a supervisory escalation tier. That threshold requires real-time transaction aggregation, not end-of-day counts. An issuer who misses the crossing date will learn about it from the EBA, not their own dashboard.
Singapore: the MAS framework for major payment institutions
The Monetary Authority of Singapore licenses stablecoin issuers as Major Payment Institutions under the Payment Services Act. For single-currency stablecoins, MAS requires 1:1 reserve backing in Singapore dollars or the peg currency, monthly attestation by an independent auditor, and mandatory publication of redemption terms.
The Travel Rule requirement is explicit and specific. MAS requires single-currency stablecoin issuers to collect and transmit originator and beneficiary information on transfers above SGD 1,500 to other Virtual Asset Service Providers. The required fields follow FATF Recommendation 16: originator name, originator account number (the wallet address), originator physical address or national identity number or date of birth and place of birth, beneficiary name, and beneficiary account number. Singapore recognizes IVMS101 as the transmission standard. An issuer whose redemption flow does not collect this at the point of transfer cannot fill the required message payload after the fact.
Cross-border redemptions from Singapore-licensed issuers to US-based exchanges require Travel Rule compliance in both directions. The US counterpart must be a registered MSB. The issuer must verify that registration before transmitting. This is not a one-time check. MSB registrations expire and can be revoked.
What the frameworks share
Transaction monitoring is universal. All three frameworks require issuers to review transactions for patterns consistent with money laundering, sanctions evasion, and terrorist financing, and to file reports when those patterns meet the threshold. The thresholds differ: FinCEN SAR obligations in the US, STR obligations to national FIUs in the EU, and STR obligations to MAS in Singapore.
Sanctions screening is universal. Each framework requires checking addresses against its own list: the OFAC SDN list, the EU Consolidated Sanctions List, and the MAS Targeted Financial Sanctions List, respectively. An issuer operating in all three jurisdictions screens against all three lists simultaneously. A designation that appears only on the EU list still triggers action if the issuer holds a MiCA authorization.
Recordkeeping is universal. Five years under BSA. Five years under EU AML. Five years under MAS. The format requirements differ. The regulator review cadence differs. What does not differ: a regulator who asks for the compliance file on a specific address will expect to receive it within hours, not weeks.
The gap between monitoring and screening
Most compliance programs are built around screening: check an address at onboarding, check it again on each transaction. Screening is necessary. It is not sufficient for an issuer.
Your token is in circulation right now on chains and in wallets you have never seen. A wallet that held $2M of your token last Thursday was clean last Thursday. If that wallet's counterparty is designated today, your token's presence in that ecosystem is a fact the regulator may ask you to account for. A screening-only program cannot tell you about it. You learn about it when someone else tells you.
Monitoring is different. Monitoring is continuous observation of the token ecosystem: every address that has ever held your token, every address currently holding it, every bridge contract your token has passed through. When a new designation hits the SDN list, a monitoring system answers the question "how much of my token is now in sanctioned hands" before the regulator asks. That answer is the difference between proactive disclosure and reactive damage control.
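The monitoring question above, worked as an added example (not code from this article or from any vendor product). It replays transfer events into a holder index, then answers the exposure question for a sanctions-list delta, splitting results by whether a freeze function is deployed on that chain. All addresses, chain names, amounts, and the `FREEZE_DEPLOYED` set are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data: (chain, sender, receiver, amount) transfer events.
# "MINT" marks issuance; every address here is a placeholder.
TRANSFERS = [
    ("ethereum", "MINT",  "0xaaa", Decimal("2000000")),
    ("ethereum", "0xaaa", "0xbbb", Decimal("750000")),
    ("tron",     "MINT",  "Tccc",  Decimal("500000")),
    ("tron",     "Tccc",  "Tddd",  Decimal("120000")),
    ("solana",   "MINT",  "Seee",  Decimal("300000")),
    ("solana",   "Seee",  "Sfff",  Decimal("300000")),
]
# Assumption: chains where the issuer's freeze function is deployed and tested.
FREEZE_DEPLOYED = {"ethereum", "solana"}

def build_holdings(transfers):
    """Replay transfers into current balances plus an ever-held index."""
    balances = defaultdict(Decimal)
    ever_held = set()
    for chain, src, dst, amount in transfers:
        if src != "MINT":
            balances[(chain, src)] -= amount
        balances[(chain, dst)] += amount
        ever_held.add((chain, dst))
    return balances, ever_held

def exposure_on_update(balances, ever_held, old_list, new_list):
    """Report token exposure to addresses added by a sanctions-list update."""
    newly_designated = set(new_list) - set(old_list)
    report = {"freeze_targets": {}, "cannot_freeze": {}, "historical_only": []}
    for chain, addr in sorted(ever_held):
        if addr not in newly_designated:
            continue
        bal = balances[(chain, addr)]
        if bal == 0:
            # Held the token in the past, holds none now: nothing to freeze,
            # but the history belongs in the compliance file.
            report["historical_only"].append((chain, addr))
        elif chain in FREEZE_DEPLOYED:
            report["freeze_targets"][(chain, addr)] = bal
        else:
            # Exposure exists on a chain with no freeze capability.
            report["cannot_freeze"][(chain, addr)] = bal
    held = list(report["freeze_targets"].values()) + list(report["cannot_freeze"].values())
    report["total_exposure"] = sum(held, Decimal(0))
    return report
```

A screening-only program never produces the `historical_only` and `cannot_freeze` buckets, because it only looks at an address when a transaction touches it.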
Bridge attribution is the hard part. When your token crosses from Ethereum to Solana through a canonical bridge, the token burns on one side and mints on the other. The on-chain record of that hop is traceable: there is a lock event on the source chain and a mint event on the destination chain, with matching amounts and timestamps. That hop is attributable. What is not always attributable is the path the token takes after the destination mint: if it moves through a privacy protocol, or lands in a freshly created wallet, or gets mixed with tokens from multiple bridges, the attribution chain shortens. A compliance program that does not acknowledge this gap is promising more than it can deliver.
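The lock-and-mint matching described above, as an added example (not code from this article or from any vendor product). It pairs events using only the two signals the paragraph names, amount and timestamp, and flags pairings that are not unique. The event tuples, the transaction labels, and the 600-second window are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample events: (chain, tx_id, amount, unix_timestamp).
LOCKS = [
    ("ethereum", "lock-0", Decimal("12000"), 500),
    ("ethereum", "lock-1", Decimal("50000"), 1000),
    ("ethereum", "lock-2", Decimal("50000"), 1030),
    ("ethereum", "lock-3", Decimal("9000"),  2000),
]
MINTS = [
    ("solana", "mint-z", Decimal("12000"), 520),
    ("solana", "mint-a", Decimal("50000"), 1045),
    ("solana", "mint-b", Decimal("50000"), 1090),
    ("solana", "mint-c", Decimal("7777"),  2100),
]

def match_hops(locks, mints, max_delay=600):
    """Pair each source-chain lock with the earliest unused destination mint
    of the same amount that lands within max_delay seconds after the lock."""
    by_time = sorted(mints, key=lambda m: m[3])
    used = set()
    hops, unmatched_locks = [], []
    for _, lock_tx, amount, t_lock in sorted(locks, key=lambda l: l[3]):
        in_window = [m for m in by_time
                     if m[2] == amount and 0 <= m[3] - t_lock <= max_delay]
        free = [m for m in in_window if m[1] not in used]
        if not free:
            unmatched_locks.append(lock_tx)
            continue
        mint = free[0]
        used.add(mint[1])
        hops.append({
            "lock": lock_tx,
            "mint": mint[1],
            "delay": mint[3] - t_lock,
            # Several same-amount mints fit this lock: amount and time alone
            # cannot prove the pairing, so an analyst must confirm it.
            "ambiguous": len(in_window) > 1,
        })
    unmatched_mints = [m[1] for m in by_time if m[1] not in used]
    return hops, unmatched_locks, unmatched_mints
```

Unmatched locks and unmatched mints are the records to escalate: a lock with no mint or a mint with no lock means the hop is not attributable from these two signals.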
What regulators actually ask for
When a regulator calls about a specific address, they want a package. The package has a standard shape: the address, the current balance, the transaction history, the counterparty classification for the most significant flows, the OFAC/sanctions list check result with the list version and check timestamp, and the compliance action taken or recommended.
The SR³ Intelligence Layer produces that package. The Strix reasoning engine traces from a flagged address across chains, identifies the most significant counterparty clusters, and renders a classification with the evidence chain attached. The output is formatted to match what FinCEN, EBA member FIUs, and MAS expect on first review. The investigation that takes an analyst six hours to assemble manually runs in seconds. That gap, six hours versus seconds, is the difference between meeting an afternoon deadline and missing it.
What Strix cannot do is close every attribution gap. Fresh wallets with no history are genuinely ambiguous. Off-chain context (a name match, a leaked KYC document, a law enforcement referral) sits outside any on-chain system. Transactions through fully private protocols produce on-chain evidence of a transfer but not of a recipient. These cases require a human decision, with the on-chain evidence as input, not as conclusion. A system that claims otherwise is one hallucinated attribution away from a wrongful freeze.
The compliance obligation is to act on the best available evidence, document the reasoning, and be prepared to defend it. The tooling exists to make that evidence fast and traceable. The judgment call at the end of that process is still yours.