How Stablecoin Compliance Works: KYC, AML, and the Card Gate
An educational article drawn from multiple episodes of the Tokenized Podcast, co-hosted by Simon Taylor and Cuy Sheffield, featuring insights from Hammam Maloof (Lead Bank), Rags Pathi (KAST), Mike Hudack (Sling Money), Sam Broner (a16z), Elise Soucie Watts, and Rob Hadick (Dragonfly Capital).
The first question anyone asks about stablecoins in a compliance context is: if anyone can hold them without KYC, how do you prevent money laundering? It's a fair question. And the answer is more nuanced — and arguably more robust — than traditional banking compliance. Across dozens of conversations with bank executives, neobank founders, compliance officers, and regulators on the Tokenized podcast, a clear picture has emerged of how stablecoin compliance actually works in practice.
The Wallet-Card Distinction: Where Compliance Lives
The most important concept in stablecoin compliance is the distinction between holding stablecoins and spending them. Anyone can spin up a wallet and receive USDC or USDT — at the wallet level, stablecoins function like digital cash. No KYC is required to create a compatible wallet, just as no KYC is required to carry cash in your pocket.
But the moment a user wants to interact with the traditional financial system — get a card, use an on-ramp, send money through a payment network — compliance kicks in. Cuy Sheffield, Head of Crypto at Visa, articulated this clearly:
“Anyone can just set up a stablecoin wallet. But not anyone can just get a stablecoin-linked card. You have to go through full KYC. We have to ensure that whoever's operating that card has an AML program. One of the best outcomes for regulators is that a lot of the stablecoin ecosystem is actually stablecoin-linked cards, because then you have all the controls in place.”
— Cuy Sheffield, Head of Crypto at Visa (Episode 74)
This creates a natural compliance architecture. The permissionless layer (wallets) exists for holding and peer-to-peer transfers. The regulated layer (cards, on-ramps, payment networks) exists for interacting with the real economy. The card is the gate between the two worlds. And that gate requires full identity verification, AML screening, and ongoing transaction monitoring.
Sheffield argued this is actually a better outcome for regulators than the alternative — a world where stablecoins circulate entirely outside regulated channels. The more useful stablecoin-linked financial products become, the more users voluntarily pass through compliance checkpoints to access them.
Building Compliance from Day One
For the companies building stablecoin financial products, compliance isn't something you bolt on later. Mike Hudack, CEO of Sling Money — which built a global Venmo using stablecoins on Solana — described how the first major investment after their seed round wasn't product development. It was compliance infrastructure.
“The first major thing we spent money on was our financial crimes policy. We sought out the best people in the world who knew how to do this. The first thing they said to us was: you're kind of crazy. You're building a payments product with self-custodial wallets and stablecoins. This is terrifying. But we sat down and we spent a lot of time figuring out how to do sanctions enforcement properly, how to do transaction monitoring properly.”
— Mike Hudack, CEO of Sling Money (Episode 8)
Hudack's approach — hiring former government officials and regulatory experts before writing product code — reflects a pattern across the most credible stablecoin companies. Rags Pathi, CEO of KAST (which processes $5 billion in annual volume across 150 countries), was equally direct about compliance as a competitive weapon:
“We could grow even faster if we had no compliance. That is the speed at which we're growing by ensuring that we're super tight. We remove a lot of users who don't meet our bar, and we're not afraid to do that. I actually believe eventually most markets end up as duopolies, and we're racing to be one of those. Compliance infrastructure is how you become the lasting player.”
— Rags Pathi, CEO of KAST (Episode 74)
The logic is straightforward: in a new category with low barriers to entry, the companies that invest in compliance early will survive regulatory scrutiny when it comes. The ones that didn't will get shut down. Compliance is expensive today but becomes a moat tomorrow.
How Automated AML Replaces Batch Sampling
Traditional banking compliance works through sampling. A bank might process a million transactions, then compliance officers manually review a subset — perhaps 1,000 — looking for suspicious patterns. If they find something, they investigate further. This was adequate when banks processed thousands of transactions per day during business hours. It doesn't work when a stablecoin platform processes millions of transactions 24/7, including weekends and holidays.
Hammam Maloof, co-founder of Lead Bank — which powers the banking infrastructure behind stablecoin card programs including partnerships with Bridge, Visa, and Stripe — described how their approach differs fundamentally:
“The traditional bank will rely on testing and monitoring, sampling, some of the traditional ways of risk management. At the scale we're operating at, and at the speed — 24/7 — you cannot just rely on that. A lot of our systems have built-in checks and balances, anomaly detection. Not a cent moves that's unaccounted for. We leverage tools like Chainalysis and other blockchain forensics as part of our own internal AML process.”
— Hammam Maloof, Co-Founder & CPO at Lead Bank (Episode 74)
The key innovation is monitoring every single transaction in real time rather than sampling a fraction manually. Blockchain forensics tools like Chainalysis can trace the provenance of stablecoins — where they came from, which wallets they passed through, whether any addresses are flagged — automatically and at machine speed. Combined with anomaly detection on spending patterns, this creates a compliance system that is arguably more thorough than what any traditional bank operates.
Taylor made this point explicitly: “When there are millions and millions of transactions a day, and we have automation, we have AI, we have technology — you can start to catch even sophisticated stuff with relatively simple automations in a much more sophisticated way.” The irony is that the crypto industry, often criticized for enabling illicit finance, is building compliance infrastructure that sees more and catches more than the banking system it's compared to.
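The contrast drawn above between reviewing a sample and screening every transfer, with provenance traced back through intermediate wallets, shown as an added example that is not from the article or from any vendor's tooling. The addresses, amounts, flagged set and the `screen` / `hops_to_flagged` helpers are all constructed for illustration, and the ledger is arranged so that the tainted chain falls on the transfers a 1-in-2 sample skips.

```python
from collections import defaultdict, deque

# Constructed sample data: addresses, amounts and the flagged set are invented.
FLAGGED = {"wallet_flagged"}
TRANSFERS = [  # (tx_id, sender, receiver, amount in stablecoin units)
    ("t1", "wallet_a", "wallet_b", 120),
    ("t2", "wallet_flagged", "wallet_hop1", 9000),
    ("t3", "wallet_c", "wallet_d", 40),
    ("t4", "wallet_hop1", "wallet_hop2", 8900),
    ("t5", "wallet_b", "wallet_c", 75),
    ("t6", "wallet_hop2", "wallet_user", 8800),
    ("t7", "wallet_d", "wallet_a", 15),
    ("t8", "wallet_user", "card_program", 8700),
]

def hops_to_flagged(address, inbound, flagged, max_hops):
    """Walk backwards (breadth-first) over transfers seen so far and return
    the hop distance from `address` to the nearest flagged source, or None."""
    seen, queue = {address}, deque([(address, 0)])
    while queue:
        current, depth = queue.popleft()
        if current in flagged:
            return depth
        if depth == max_hops:
            continue  # do not look further back than the configured window
        for source in inbound[current]:
            if source not in seen:
                seen.add(source)
                queue.append((source, depth + 1))
    return None

def screen(transfers, flagged, max_hops=4, review_every=1):
    """Process transfers in arrival order. Every transfer updates the graph,
    but only each `review_every`-th one is reviewed (1 = review all)."""
    inbound = defaultdict(set)  # receiver -> senders observed so far
    alerts = []
    for index, (tx_id, sender, receiver, _amount) in enumerate(transfers):
        if index % review_every == 0:
            hops = hops_to_flagged(sender, inbound, flagged, max_hops)
            if hops is not None:
                alerts.append((tx_id, hops))
        inbound[receiver].add(sender)
    return alerts

if __name__ == "__main__":
    print("every transfer:", screen(TRANSFERS, FLAGGED))
    print("1-in-2 sample: ", screen(TRANSFERS, FLAGGED, review_every=2))
```

The `max_hops` window is the tuning point: a short window misses funds that were moved through more intermediaries before reaching the regulated edge.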
The Travel Rule and Cross-Border Compliance
For stablecoin payment networks that operate across borders, the FATF Travel Rule is the critical compliance framework. It requires that when value is transferred between financial institutions, identifying information about the sender and receiver must travel with the transaction — just as it does in the SWIFT messaging system for traditional bank wires.
Implementing the travel rule for stablecoins is a challenge that the Circle Payments Network (CPN) and similar coordination protocols are trying to solve. Elise Soucie Watts, a financial compliance expert who has appeared multiple times on Tokenized, described why the compliance layer is the real value proposition of these networks:
“The compliance layer is absolutely the value add. If you can crack that and actually crack it for firms, they will probably be lining up, because that is something that is very costly and very time consuming. However, for it to actually work, it has to work in all the jurisdictions within which the network operates. Not yet every single jurisdiction actually has their rules in place for stablecoins. So you have this chicken and egg problem.”
— Elise Soucie Watts, Compliance Expert (Episode 28)
The jurisdictional patchwork is real. The EU has MiCA. The US is implementing the GENIUS Act. The UK hasn't finalized its stablecoin framework yet. Hong Kong is issuing its first stablecoin licenses. Each jurisdiction has different requirements, different timelines, and different enforcement mechanisms. A stablecoin payment network that claims to solve compliance must solve it everywhere — not just in the markets where rules are already clear.
Rob Hadick, formerly at Dragonfly Capital, added that compliance standards in the stablecoin space haven't converged the way they have in traditional banking: “This isn't something large banks necessarily think about — they all have to meet a certain level. Because the stablecoin market isn't quite there yet, we don't have everyone up to that same standard. We don't even have the same disclosure templates for stablecoins.”
Self-Custodial and Compliant: Not a Contradiction
One of the most persistent misconceptions in the compliance debate is that self-custodial wallets are inherently non-compliant. If a user holds their own private keys, the thinking goes, there's no intermediary to enforce KYC or AML. Sling Money's approach proves this wrong.
Sheffield highlighted the significance: Sling is “one of the first examples I've seen that is self-custodial wallet but KYC.” Users go through full identity verification when they create an account, and their wallet address is associated with their verified identity. Transactions are monitored. Sanctions screening is performed. The wallet is self-custodial — the user controls their keys — but the identity layer is managed by the company.
Hudack explained that the infrastructure for this now exists:
“There's a lot of infrastructure now that's been created around the travel rule. There's a lot of standards for how you can associate identity with a wallet address. That allows you to build a compliant self-custodial product, which maybe people thought wasn't possible a few years ago. But I think it's the default state of this technology, or should be.”
— Mike Hudack, CEO of Sling Money (Episode 8)
This is an important evolution. Early crypto compliance assumed a binary: either the platform is custodial (and therefore can enforce compliance) or it's non-custodial (and therefore can't). The emerging model is identity-linked self-custody — where the user controls their assets but has voluntarily associated their identity with their wallet to access regulated financial services.
Why Banks Struggle with Stablecoin Compliance
If the compliance tools exist and the frameworks are maturing, why are traditional banks still hesitant? Sam Broner, who works with financial institutions on blockchain adoption, identified the core problem: it's not that the technology doesn't work. It's that banks don't know which solution to pick.
“I met with 30 to 40 people in the banking and fintech space. They're all asking: what do I do on privacy? How do I do KYC? And the answer I can give is, I've got 30 solutions for you. Pick one. And they're saying, which is the established one? Which is the right one? They're going to get pulled into stablecoin use, because users are going to demand better money. And when that force gets strong enough, they're going to have to suck it up and decide.”
— Sam Broner, a16z (Episode 45)
Sheffield added the institutional psychology behind the paralysis: “It's so hard for a large financial institution. You commit to a solution, spend a year of political capital pushing this through — and then it turns out that was the wrong one. The number of variables for a large institution to deal with is very difficult.”
Taylor offered the analogy that keeps coming up in these discussions: this is exactly how mobile banking played out 15 years ago. “The biggest players and the smallest ones will figure out how to use this. But from us as an industry, we've got to do the baby steps piece. It's going to be diagram by diagram.” KYC for stablecoins, he noted, is going to look very similar to KYC for the apps banks already run: “You KYC 200 million Americans. I'm sure we can do it again.”
The GENIUS Act and What Comes Next
The regulatory landscape is clarifying rapidly. The GENIUS Act in the US establishes a federal framework for stablecoin issuers, including reserve requirements, disclosure standards, and compliance obligations. Broner argued that GENIUS Act-compliant stablecoins will naturally win:
“As a consumer, as an enterprise, a merchant — you're going to want to pick a GENIUS Act-compliant stablecoin for exactly these reasons. It's the same technology product but with much better guarantees on the security side. It's going to outcompete over time.”
— Sam Broner, a16z (Episode 45)
The pattern is familiar from other financial services: compliance creates a two-tier market. GENIUS Act-compliant stablecoins (like USDC) will be preferred by institutions, payment networks, and regulated financial products. Non-compliant stablecoins will continue to exist but will be locked out of the parts of the financial system that matter most for mainstream adoption — card networks, bank settlement, cross-border payment rails.
What This Means for the Industry
- The card is the compliance gate. Wallets are permissionless. Cards are not. Stablecoin-linked cards require full KYC, AML programs, and card network oversight. This is why regulators should want more stablecoin activity flowing through card programs, not less.
- Automated monitoring beats batch sampling. Stablecoin platforms that monitor 100% of transactions in real time using blockchain forensics catch more than traditional banks that sample a fraction manually. The compliance infrastructure being built for stablecoins is arguably more robust than what it's replacing.
- Self-custody and compliance can coexist. Identity-linked self-custodial wallets — where users control their keys but have verified their identity to access regulated services — represent a new model that didn't exist five years ago.
- Compliance is a competitive moat. In a market heading toward consolidation, the stablecoin companies that invested in compliance from day one will be the survivors. The ones that grew fast by cutting corners will be the ones regulators shut down.
- Banks are paralyzed by choice, not by risk. There are 30 solutions for KYC, privacy, and compliance on-chain. The problem isn't that none work — it's that banks can't agree on which one to choose. User demand will eventually force the decision.
- The GENIUS Act creates a two-tier market. Compliant stablecoins will win institutional adoption. Non-compliant ones won't disappear, but they'll be excluded from the payment rails and banking services that matter most for mainstream use.
Stablecoin compliance isn't the obstacle the industry once feared. The tools exist. The frameworks are maturing. The companies building on stablecoin rails are investing in compliance from day one, not as an afterthought. The real question isn't whether stablecoins can be compliant. It's how long before traditional banks adopt the same real-time, automated approach that stablecoin-native companies have already built.
This article is for informational purposes only and is not financial, business, or legal advice. Views and opinions are those of the contributors and do not represent the opinions of any company they represent. When you buy cryptoassets your capital is at risk. Please do your own research.
This guide is part of the Tokenized learning series — educational content on stablecoins, tokenization, and real-world assets from the Tokenized podcast, hosted by Simon Taylor and Cuy Sheffield.