GENIUS Act AML Compliance Guide for Payment Stablecoin Issuers (2026)

The Guiding and Establishing National Innovation for U.S. Stablecoins Act — known as the GENIUS Act — represents the United States’ most consequential legislative step toward establishing a coherent federal framework for payment stablecoins. The Act creates a licensing and regulatory pathway for payment stablecoin issuers, defining their obligations toward consumers, financial regulators, and the broader financial system.

Critically for compliance professionals and fintech founders, the GENIUS Act does not treat stablecoin issuers as unregulated technology companies. Instead, it explicitly directs that permitted payment stablecoin issuers (PPSIs) be treated as financial institutions under the Bank Secrecy Act (BSA). This single legislative decision cascades into a comprehensive set of AML/CFT obligations that mirror — and in some respects extend — the compliance duties already familiar to banks, money services businesses, and payment institutions.

On April 8, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) issued a joint Notice of Proposed Rulemaking (NPRM) to implement the GENIUS Act’s anti-money laundering and sanctions compliance programme provisions. Treasury Secretary Scott Bessent framed the proposal as strengthening American leadership in digital financial technology while protecting the U.S. financial system from national security threats.

This article provides compliance officers, MLROs, fintech founders, and in-house legal teams with a detailed, practitioner-level breakdown of every requirement in the proposed rule — what it demands, why it matters, and what you should be doing before it takes effect.

For broader context on the global trajectory of crypto asset regulation, see our MiCA Regulation Guide 2026 and our analysis of UK Regulatory Changes 2026.

Who Is a Permitted Payment Stablecoin Issuer (PPSI)?

Not every stablecoin issuer automatically qualifies — or is burdened — as a PPSI under the GENIUS Act. The term “permitted payment stablecoin issuer” refers specifically to entities that have obtained the appropriate authorisation under the GENIUS Act’s federal or state regulatory framework to issue payment stablecoins.

The NPRM adds nine new definitions to 31 CFR part 1010 and amends four existing ones to integrate PPSIs into the BSA compliance architecture. The key takeaway for compliance teams is this: if your entity issues payment stablecoins and falls within the GENIUS Act’s permissioning framework, the full weight of the proposed AML/CFT and sanctions obligations applies to you.

This includes obligations on both primary market activity (issuance and redemption of stablecoins directly with customers) and, in certain respects, secondary market activity (trading of stablecoins on exchanges and through intermediaries). The distinction between primary and secondary market obligations is particularly important for the technical capabilities requirements and sanctions programme — discussed in detail below.

🔍

INDUSTRY INSIGHT

The GENIUS Act’s approach mirrors the regulatory architecture applied to Money Services Businesses under the BSA — a framework compliance professionals in the US already know well. If your team has MSB compliance experience, much of the conceptual groundwork translates directly. The critical difference is that PPSIs operate in a blockchain environment where technical compliance capabilities (blocking, freezing transactions on-chain) must be built into the product itself, not just the back-office.

The Joint FinCEN–OFAC Proposed Rule: Overview

The proposed rule is jointly issued by two distinct Treasury agencies, each with a distinct mandate:

FinCEN is responsible for implementing the BSA and the AML/CFT programme requirements.
OFAC is responsible for administering and enforcing U.S. economic and trade sanctions.

Their joint issuance signals that payment stablecoin compliance is a dual-track obligation — firms must simultaneously maintain a robust AML/CFT programme and an independent, effective sanctions compliance programme. These are not the same thing and must not be treated as overlapping documents with cosmetic differences.

The proposed rule is docket number FINCEN-2026-0100. It is open for public comment for 60 days following its publication in the Federal Register (not from the April 8 announcement date — the Federal Register publication date governs the comment deadline).

For those tracking the broader illicit finance risk landscape around virtual assets, our analysis of the Europol SOCTA 2025 Financial Crime Trends and the FATF 2026 OVASP Risk Report provide essential context on why regulators are moving with urgency.

AML/CFT Programme Requirements for PPSIs

The proposed AML/CFT programme obligation for PPSIs is modelled closely on FinCEN’s recently proposed programme requirements for the 11 existing categories of financial institutions. The core principle is risk-based effectiveness: PPSIs must direct more resources toward higher-risk customers and activities, and the regulator’s focus is on genuine programme effectiveness rather than procedural box-ticking.

The programme must be written, board-approved, and made available to FinCEN upon request. These are not optional enhancements — they are baseline requirements.

Risk Assessment Processes

Every PPSI must establish a documented risk assessment process that achieves three distinct objectives:

Evaluate the risks of the PPSI’s business activities — This requires a granular analysis of the PPSI’s products, customer segments, geographies, transaction channels, and counterparties. A stablecoin issuer serving retail customers in high-risk jurisdictions faces a fundamentally different risk profile than one operating exclusively in institutional wholesale markets.
Review and incorporate the AML/CFT Priorities — FinCEN publishes National AML/CFT Priorities periodically. PPSIs must actively review these and embed them into their risk assessment methodology, not simply acknowledge their existence.
Update promptly upon material changes — If a PPSI launches a new product, enters a new market, onboards a new distribution channel, or becomes aware of a significant change in its risk exposure, the risk assessment must be updated promptly. This is an ongoing obligation, not an annual exercise.

For a practical framework on building and documenting risk assessments, see our AML Risk Assessment Calculator and our guide on Building a Complete AML Programme Blueprint.

Internal Policies, Procedures, and Controls

A PPSI’s internal controls framework must be “reasonably designed to ensure compliance” with the BSA and 31 CFR chapter X. This is a substantive standard — regulators will assess whether the design of controls was genuinely calibrated to the firm’s risk profile, not simply whether a document existed.

Key components include:

Customer risk profiling: Ongoing customer due diligence (CDD) must be conducted to understand the nature and purpose of customer relationships and develop customer risk profiles.
Beneficial ownership: For legal entity customers, PPSIs must collect and maintain beneficial ownership information on a risk basis.
Ongoing monitoring: Transaction monitoring systems must be calibrated to identify and report suspicious activity, not simply log transactions.
Higher-risk escalation: Enhanced due diligence (EDD) must be applied to customers and activities identified as higher risk through the risk assessment process.

These controls must function across both primary and secondary market activities where applicable.

Independent Testing

The proposed rule requires PPSIs to establish independent AML/CFT programme testing. This is the functional equivalent of an independent AML audit — a structured, objective assessment of whether the programme has been effectively established and implemented.

Key requirements for independent testing:

Must be based on objective criteria — the testing methodology must be defined, documented, and designed to produce replicable results.
Must assess both programme design (are the policies appropriate?) and programme implementation (are the policies actually being followed?).
Must assess whether resources have been allocated consistent with the risk assessment.
The testing function must be independent — it cannot be performed by the same team responsible for day-to-day compliance.

This mirrors the independent testing obligations already applicable to banks and MSBs under existing BSA regulations, and the methodology is consistent with what regulators look for in an effective AML audit programme.

For UK payment institutions navigating similar independent review requirements, see our guide on FCA AML Audit Preparation.

💡

PRO TIP

Do not wait for the final rule to begin structuring your independent testing programme. The NPRM’s testing requirements are closely aligned with existing BSA independent testing standards, meaning you can begin designing a compliant programme now. Firms that build testing infrastructure during the comment period will be significantly better positioned when the rule takes effect.

Designating Your AML/CFT Officer

Every PPSI must designate an individual responsible for:

Establishing and implementing the AML/CFT programme
Coordinating and monitoring day-to-day compliance

The proposed rule imposes two explicit constraints on this individual that compliance leaders must understand:

The officer must be located in the United States. This is a meaningful jurisdictional constraint for PPSIs with offshore management structures or globally distributed compliance teams. Remote-first organisations must ensure their designated AML/CFT Officer is physically based in the US, not simply reachable via video call.
The officer cannot have been convicted of certain felony offences — specifically involving insider trading, embezzlement, cybercrime, money laundering, financing of terrorism, or financial fraud.

This requirement closely parallels similar suitability standards applied to MLROs in the UK, EU, and UAE. For global firms already operating under multi-jurisdictional MLRO frameworks, integrating a US-based AML Officer into an existing governance structure requires careful structural planning.

Our Global MLRO Services page outlines how ComplyFactor supports firms in meeting MLRO and AML Officer requirements across multiple jurisdictions simultaneously.

Ongoing Employee Training

PPSIs must establish an ongoing employee training programme. The proposed rule does not prescribe specific training frequencies beyond “ongoing,” but this requirement must be read alongside the sanctions compliance programme’s training obligation (discussed below), which requires annual minimum frequency. Best practice for PPSIs will be to align AML and sanctions training into a coordinated annual programme with targeted role-based modules.

Training must be:

Substantive and role-specific — not generic online click-through modules
Updated to reflect changes in the regulatory environment, the firm’s risk profile, and findings from independent testing
Documented, with completion records retained

For guidance on building effective AML training programmes, see our AML Training Programs service page.

Written Programme and Board Approval

The proposed rule requires the AML/CFT programme to be written and approved by the PPSI’s board of directors (or equivalent governing body or appropriate senior management). This is a governance requirement, not merely a documentation requirement.

In practice, this means:

The board must actively review and formally approve the programme — not simply receive a summary from the compliance team.
Board minutes or equivalent governance records should evidence the approval.
The written programme must be made available to FinCEN or its designee upon request, which means it must exist in a form that can be produced promptly without material revision.

Suspicious Activity Reporting (SAR) Obligations

PPSIs must file Suspicious Activity Reports (SARs) for any suspicious transaction relevant to a possible violation of law or regulation. This integrates PPSIs fully into the existing BSA SAR framework applicable to banks and other financial institutions.

A critical scope clarification in the proposed rule: the SAR obligation applies to primary market activity but does not impose a secondary market SAR reporting obligation on PPSIs. This means PPSIs are not expected to monitor and report on suspicious activity occurring in secondary market trading of their stablecoins by third parties — though this boundary may evolve in the final rule based on public comment.

Compliance teams should ensure that:

SAR escalation thresholds and procedures are clearly documented
Suspicious activity indicators specific to stablecoin transactions are incorporated into the firm’s typologies library
The SAR filing process includes appropriate internal escalation, documentation, and tipping-off controls consistent with BSA requirements

For context on financial crime typologies relevant to virtual assets, see our Crypto Travel Rules Guide and our analysis of AML/CFT Best Practices for VASPs.

Recordkeeping and Travel Rule Requirements

The proposed rule requires PPSIs to comply with two overlapping but distinct recordkeeping obligations:

The Recordkeeping Rule

PPSIs must collect and retain records for funds transfers and transmittals of funds in amounts of $3,000 or more. This mirrors the Recordkeeping Rule (31 CFR 1020.410) already applicable to banks and MSBs.

The Travel Rule

PPSIs must comply with the Travel Rule (31 CFR 103.33), which requires them to transmit specific information about certain funds transfers and transmittals to other financial institutions participating in the transfer or transmittal. For a PPSI operating in a blockchain environment, Travel Rule compliance is not merely a policy obligation — it requires technical infrastructure capable of transmitting required data alongside or in connection with the stablecoin transfer itself.

The intersection of blockchain architecture and Travel Rule compliance is one of the most operationally complex aspects of PPSI compliance. The $3,000 threshold under the Recordkeeping Rule and the Travel Rule’s transmission obligations are related but operationally distinct: the Recordkeeping Rule governs what you retain, while the Travel Rule governs what you transmit to counterparties.

For a detailed breakdown of Travel Rule obligations across jurisdictions, see our Crypto Travel Rules Made Simple guide.

Information Sharing: Sections 314(a) and 314(b)

The proposed rule applies two specific information-sharing provisions to PPSIs:

Section 314(a) — Law Enforcement Requests

Upon receipt of a FinCEN request under section 314(a) of the USA PATRIOT Act, a PPSI must search its records to determine whether it maintains or has maintained any accounts for — or has engaged in transactions with — individuals or entities identified in the request. This is a mandatory, time-sensitive obligation. PPSIs must have systems and procedures capable of executing these searches promptly.

Section 314(b) — Voluntary Information Sharing

PPSIs will be permitted (but not required) to participate in FinCEN’s section 314(b) voluntary information sharing programme, which allows financial institutions to share information with one another for the purpose of identifying and reporting suspicious activity. For PPSIs operating in complex blockchain ecosystems involving multiple intermediaries and exchanges, participation in 314(b) can be a valuable tool for detecting coordinated illicit activity that might not be visible within a single institution’s transaction data.

Technical Capabilities: Blocking, Freezing, and Rejecting Transactions

One of the most architecturally significant requirements in the proposed rule is the obligation for PPSIs to maintain technical capabilities to block, freeze, and reject specific or impermissible transactions that violate Federal or State laws, rules, or regulations.

This obligation applies to both primary and secondary market activity. Additionally, PPSIs must have the technical capabilities to comply with — and must in fact comply with — the terms of any lawful order.

What does this mean in practice?

PPSIs must be able to halt or reverse transactions at the on-chain or protocol level when directed by law enforcement or upon identification of a sanctioned address or prohibited transaction type.
This is not simply a matter of updating a policy document — it requires the underlying stablecoin’s smart contract architecture or token management infrastructure to support real-time intervention capabilities.
PPSIs that issue stablecoins without built-in freeze/block/reject functionality will need to either redesign their token architecture or implement a compliant wrapper layer before the rule takes effect.

This requirement makes clear that compliance for PPSIs is as much an engineering challenge as a policy challenge. Compliance teams must work directly with product and technology teams to ensure the technical infrastructure supports regulatory obligations — not as an afterthought, but as a core product requirement.

⚠️

COMMON MISTAKE

Many stablecoin issuers assume their compliance obligations end at onboarding — conduct KYC, approve the customer, and move on. The GENIUS Act NPRM makes explicit that PPSIs must maintain intervention capabilities throughout the transaction lifecycle, including secondary market activity. Failing to build blocking and freezing capabilities into the token architecture before launch is not a correctable back-office gap — it is a fundamental product deficiency that will require a protocol-level redesign under regulatory pressure.

Sanctions Compliance Programme: The Five Required Elements

Separate from — but parallel to — the AML/CFT programme, the proposed rule requires PPSIs to maintain an effective sanctions compliance programme incorporating five mandatory elements. These are derived from OFAC’s well-established framework for sanctions compliance and must be implemented with genuine rigour.

1. Senior Management and Organisational Commitment

The sanctions compliance programme must be reviewed and approved by senior management, which must actively support its implementation. The programme must:

Apply to all payment stablecoin-related activity
Be resourced with sufficient human capital, expertise, and information technology
Be fully integrated into the PPSI’s ongoing stablecoin operations
Routinely provide risk updates and test results to senior management
Grant the compliance function sufficient authority and autonomy to manage U.S. sanctions risk across the entire PPSI

The authority and autonomy requirement is particularly significant. Regulators have consistently found that sanctions failures often stem not from inadequate policies but from compliance functions that lack the organisational independence to escalate concerns and override business decisions.

2. Risk Assessments

PPSIs must conduct holistic sanctions-related risk assessments at appropriate intervals, using the results to:

Inform the operation of the sanctions compliance programme
Revise internal controls and training as appropriate
Account for identified violations or deficiencies, new products, services, mergers, or acquisitions, and other material changes to the PPSI’s risk profile

Sanctions risk assessments for stablecoin issuers must account for the unique characteristics of blockchain-based payments: pseudonymous addresses, smart contract interactions, DeFi protocol exposure, and the global reach of stablecoin transactions — all of which create sanctions exposure pathways that do not exist in traditional payment systems.

3. Internal Controls

PPSIs must establish and maintain a system of risk-based internal controls — including both technical capabilities and written policies and procedures — applicable to all payment stablecoin activity (primary and secondary market). Controls must:

Identify, block, and/or reject transactions that may violate or would violate U.S. sanctions
Retain relevant records in accordance with OFAC regulations

Screening against OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) and other sanctions lists must be embedded into the transaction processing workflow — not applied retrospectively as a batch review.

4. Testing and Auditing

The sanctions compliance programme must include an independent testing or audit function that is:

Accountable to senior management
Staffed with sufficient resources, expertise, and authority
Designed to identify U.S. sanctions compliance weaknesses and deficiencies

This mirrors the independent testing requirement for the AML/CFT programme and similarly requires genuine independence from day-to-day compliance operations.

5. Training

PPSIs must maintain a risk-based sanctions compliance training programme that:

Is conducted at least annually and with frequency appropriate to the firm’s risk profile
Is provided to all relevant personnel and stakeholders
Is tailored to each trainee’s role and responsibilities — not one-size-fits-all
Is modified to reflect risk assessment findings and identified deficiencies, including testing and audit findings
Includes easily accessible resources and materials for all relevant personnel

Annual minimum frequency is the floor, not the ceiling. PPSIs operating in high-risk geographies or with complex product structures should anticipate that regulators will expect more frequent training and targeted interventions.

FinCEN Enforcement Policy and the Safe Harbour Provision

One of the most consequential — and underreported — elements of the proposed rule is FinCEN’s articulation of its intended enforcement posture. The NPRM includes a significant safe harbour provision: if a PPSI has established its AML/CFT programme in accordance with the proposed rule, FinCEN generally will not take an enforcement action unless the PPSI has a significant or systemic failure to maintain that programme.

Similarly, FinCEN or agencies acting on its behalf generally will not take major supervisory action absent such a significant or systemic failure.

This is an important signal for compliance professionals. It represents FinCEN’s attempt to provide regulatory certainty and encourage proactive programme-building, rather than creating a compliance environment where minor procedural gaps result in enforcement. The safe harbour is not a licence to build a paper programme — the threshold is “significant or systemic failure,” which regulators will interpret seriously — but it does reward firms that invest in genuine, substantive compliance infrastructure.

The rule also introduces a notice and consultation framework between primary Federal payment stablecoin regulators and FinCEN with respect to significant AML/CFT supervisory actions, ensuring FinCEN plays a central coordinating role across the oversight architecture.

For perspective on how regulators have historically approached enforcement in similar contexts, see our analysis of Canada’s historic $176M FINTRAC AML penalty and the lessons from Monzo’s AML failures.

How to Comment on the Proposed Rule

FinCEN and OFAC are actively soliciting public comment on all aspects of the proposed rule. The comment period runs for 60 days following the rule’s publication in the Federal Register.

Comments can be submitted:

Electronically: via regulations.gov — search for docket FINCEN-2026-0100 and follow the “Submit a comment” instructions
By mail: Regulatory and Strategic Affairs Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183

Do not include personally identifiable information or confidential business information in your submission, as all comments are public records.

Compliance leaders and industry associations should take the comment period seriously. The proposed rule is well-structured but leaves a number of implementation questions open — particularly around secondary market obligations, the cross-border application of the AML Officer location requirement, and the technical standards for blocking and freezing capabilities. Substantive, evidence-based comments from practitioners can meaningfully influence the final rule’s design.

For questions about the rule’s contents, contact FinCEN’s Regulatory Support Section via fincen.gov/contact.

What PPSIs Should Be Doing Right Now

The proposed rule is not yet final, but the direction of travel is clear and the structural requirements are well-established. PPSIs and aspiring PPSIs should begin acting immediately rather than waiting for the final rule. Here is a prioritised action plan:

Immediate (0–30 days)

Read the full NPRM and the FinCEN/OFAC Fact Sheet — not just summaries. The details matter.
Assess your current AML/CFT programme against the proposed requirements. If you have an existing programme built for MSB or VASP obligations, conduct a gap analysis.
Identify your AML/CFT Officer designate — confirm they are U.S.-based and meet the suitability requirements.
Assess your token architecture for blocking, freezing, and rejection capabilities. If these do not exist, escalate immediately to the product and technology team.

Short-term (30–90 days)

Conduct or update your risk assessment to reflect your stablecoin business model, customer segments, geographic reach, and DeFi exposure.
Begin designing your independent testing programme using objective criteria aligned with the proposed rule.
Assess your Travel Rule compliance infrastructure — can you transmit required data at the $3,000 threshold?
Engage counsel or a compliance adviser to assist with the comment period if your firm has views on specific rule provisions.

Medium-term (90 days to rule effective date)

Build or procure sanctions screening infrastructure capable of real-time SDN List screening against all payment stablecoin transactions.
Develop and deliver role-based AML and sanctions training that meets the proposed rule’s requirements.
Establish your board approval process for the written AML/CFT programme.
Prepare for independent testing — conduct a pre-examination readiness review before the rule takes effect.

Our AML Compliance Program service page outlines how ComplyFactor supports firms through each stage of this process, from initial gap analysis through full programme implementation and independent testing.

How ComplyFactor Can Help

ComplyFactor works with fintech companies, VASPs, CASPs, MSBs, and payment institutions across the US, Canada, UK, UAE, and EU to build, implement, and independently test AML/CFT programmes that meet current and emerging regulatory standards.

For PPSIs and aspiring PPSIs navigating the GENIUS Act’s compliance requirements, we offer:

Fractional AML Officer / MLRO Services — providing qualified, experienced AML leadership for firms not yet ready to hire a full-time AML Officer. Particularly relevant for PPSIs that need a U.S.-based AML Officer to satisfy the proposed rule’s location requirement. See our Global MLRO Services.
AML/CFT Programme Design and Implementation — building written programmes, risk assessment frameworks, CDD/EDD policies, and transaction monitoring procedures calibrated to the stablecoin business model. See our AML Compliance Program service.
Independent AML Testing and Audits — providing objective, independent testing of AML/CFT programmes consistent with BSA requirements and the proposed PPSI independent testing standards. See our AML Audit Services.
Sanctions Compliance Programme Development — designing and documenting the five-element sanctions compliance programme required by the proposed rule, including risk assessments, internal controls, and training programmes. See our AML Advisory Services.
AML Training — developing and delivering role-based AML and sanctions training programmes for PPSI teams, boards, and key personnel. See our AML Training Programs.

Contact ComplyFactor to discuss your GENIUS Act compliance readiness.

Frequently Asked Questions

Does the proposed rule apply to all stablecoin issuers? No. The proposed rule applies specifically to Permitted Payment Stablecoin Issuers (PPSIs) — entities that have been authorised under the GENIUS Act’s federal or state framework. Not every stablecoin issuer is a PPSI. However, firms currently operating as VASPs, MSBs, or money transmitters that intend to become PPSIs should treat the proposed rule as directly relevant to their compliance planning.

When will the rule take effect? The proposed rule was announced on April 8, 2026, with a 60-day public comment period following its Federal Register publication. The final rule’s effective date will be set after FinCEN and OFAC review public comments — no final effective date has been announced. However, given the GENIUS Act’s mandate, the rulemaking timeline is expected to move quickly relative to typical BSA rulemakings.

Does the AML/CFT Officer have to be a US citizen? The proposed rule requires the AML/CFT Officer to be located in the United States — not to be a U.S. citizen. Qualified international professionals physically based in the US can satisfy the requirement.

Does the Travel Rule apply to all stablecoin transactions? The Travel Rule applies to funds transfers and transmittals of funds meeting the $3,000 threshold. For blockchain-based transactions, PPSIs must develop technical infrastructure capable of transmitting required information alongside or in connection with qualifying stablecoin transfers.

What is the difference between the AML/CFT programme and the sanctions compliance programme? These are two separate, parallel obligations. The AML/CFT programme (designed under FinCEN oversight) focuses on money laundering and terrorist financing risk management, CDD, SAR filing, and independent testing. The sanctions compliance programme (designed under OFAC oversight) focuses on U.S. economic sanctions risk — screening, blocking, and internal controls to prevent transactions with sanctioned parties or jurisdictions. Both are mandatory for PPSIs under the proposed rule.

Can the AML/CFT Officer and the Sanctions Compliance Officer be the same person? The proposed rule does not prohibit a single individual from holding both roles, but PPSIs should carefully assess whether one person can genuinely fulfil both sets of responsibilities, given the distinct expertise, systems access, and day-to-day obligations involved. For larger PPSIs, separate officers are strongly advisable.

How does the proposed rule interact with state money transmission laws? The GENIUS Act creates a federal framework for PPSIs that coexists with — and in some respects displaces — state money transmission licensing regimes for certain activities. The interaction between the federal PPSI framework and state-level obligations is a complex area that requires jurisdiction-specific legal analysis.

Where can I read the full proposed rule? The full NPRM is available on regulations.gov under docket FINCEN-2026-0100. FinCEN’s Fact Sheet summarising the key elements is available via fincen.gov.

This article was prepared by the ComplyFactor regulatory compliance team and reflects the content of the FinCEN/OFAC joint NPRM published in connection with the GENIUS Act as of April 2026. It does not constitute legal advice. Regulatory requirements are subject to change as the proposed rule progresses through the rulemaking process. Consult qualified legal and compliance counsel for advice specific to your organisation’s circumstances.