junho 30 2026

Know Your Stablecoin Customer: FinCEN and the Banking Agencies Propose Customer Identification Program Rules for Issuers

Share

On June 18, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), together with the Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), and the National Credit Union Administration (“NCUA”) (collectively, the “Agencies”), issued a joint Notice of Proposed Rulemaking (the “Proposed Rule”) to implement the customer identification program (“CIP”) requirements of the Guiding and Establishing National Innovation for US Stablecoins Act (the “GENIUS Act”) for permitted payment stablecoin issuers (“PPSIs”).

The Proposed Rule implements the GENIUS Act’s specific directive that PPSIs maintain an “effective customer identification program, including identification and verification of account holders.” The broader treatment of PPSIs as “financial institutions” under the Bank Secrecy Act (“BSA”)—and the AML/CFT program, reporting, and recordkeeping obligations that accompany it—is being effectuated principally through the companion AML/CFT and sanctions rulemaking covered in a prior Legal Update.

The Agencies propose a 12-month implementation period running from issuance of the final rule. Comments are due by August 21, 2026.

Background

The GENIUS Act establishes a federal framework for payment stablecoins and generally restricts their issuance in the United States to PPSIs, subject to limited exceptions, such as for certain foreign issuers. It directs that a PPSI be treated as a BSA financial institution subject to all federal laws applicable to US financial institutions relating to economic sanctions, money laundering prevention, customer identification, and due diligence. Many stablecoin issuers are currently regulated as money transmitters—a type of money services business (“MSB”)—and money transmitters, unlike banks and other CIP-covered institutions, have no general CIP obligation. Instead, money transmitters must verify customer identity only for certain activities, such as transmittals of funds over $3,000 and currency transactions exceeding $10,000. The Proposed Rule would therefore impose a formal CIP obligation on nonbank PPSIs for the first time, modeled on the long-standing CIP rules for banks, broker-dealers, mutual funds, and futures commission merchants. The Proposed Rule does not address customer identification standards that would apply to payment stablecoins issued by foreign payment stablecoin issuers.

Two aspects of the Proposed Rule provide useful context. First, it is a single, joint rule issued by FinCEN and the four federal banking regulators, intended to apply uniformly across all three PPSI pathways—subsidiaries of insured depository institutions (“IDIs”), federal qualified payment stablecoin issuers (“FQPSIs”) approved by the OCC, and state qualified payment stablecoin issuers (“SQPSIs”)—including issuers that opt for state supervision. Second, the Proposed Rule follows Treasury’s September 2025 advance notice of proposed rulemaking, in response to which Treasury received approximately 450 comments that informed this proposal.

Key Takeaways

CIP obligations track the bank model, tailored to size and business. A PPSI would be required to establish and maintain a written CIP, appropriate to its size and business and integrated into its AML/CFT program, that includes risk-based procedures to verify the identity of each customer sufficient to form a “reasonable belief” that the PPSI knows the customer’s true identity. Rather than impose a one-size-fits-all standard, the Agencies direct each PPSI to tailor its CIP to the types of accounts it maintains, how those accounts are opened, and the identifying information available—an approach the Agencies view as compelled by the GENIUS Act’s tailoring mandate.

The CIP reaches only primary market activity, reinforcing the primary/secondary market line drawn in the AML/sanctions rulemaking. Consistent with the companion AML/CFT proposal, the CIP obligation extends to direct, primary market relationships, including issuance, redemption, conversion, custodial services, and similar dealings, and does not extend to secondary market activity where a user’s only interaction with the PPSI is through a smart contract. The Agencies reasoned that a smart contract interaction does not yield the information needed to verify identity, and that a CIP obligation triggered by any transfer would impose a near-impossible “global obligation” on PPSIs that could “cripple the industry.” This mirrors the secondary market scoping in the AML/sanctions proposal, where SAR monitoring obligations were likewise confined to primary market activity, even as technical blocking/freezing capabilities and requirements to comply with lawful orders reached secondary market transactions.

The “account” definition contains stablecoin-specific carve-outs not found in other CIP rules. The Proposed Rule defines an “account” as a “formal relationship between a customer and a permitted payment stablecoin issuer established to provide or engage in services, dealings, or other financial transactions,” with five illustrative examples. Critically, it expressly excludes purely secondary market activity, as well as “[o]wnership or control of a [PPSI’s] payment stablecoins alone, without other indicators of a formal relationship”—a carve-out with no analog in the bank CIP rules and one that reflects the fact that a person can hold the issuer’s product without ever forming a relationship with the issuer.

Whether redemptions can create a customer relationship is an open and consequential question. Unlike a bank deposit relationship, a person with no prior relationship to a PPSI could acquire a stablecoin on an exchange and then seek to redeem it directly with the issuer; the Agencies note that this redemption “could establish an account” and make that person a “customer,” and they request comment on how to address such activity. How this line is ultimately drawn could materially affect onboarding obligations for redemption-driven business models.

Overview of the Proposed CIP Requirements

Three New Definitions

The Proposed Rule adds three defined terms to 31 CFR § 1033.100 that apply only to the CIP obligation: “account,” “customer,” and “digital asset service provider.” They largely track the corresponding concepts in the existing bank CIP rule, with modifications designed to confine the CIP obligation to direct, primary market relationships and to keep secondary market activity outside its scope.

The most consequential departures from the bank rules appear in the “account” and “customer” definitions. As in other CIP rules, an “account” turns on a “formal relationship” between the issuer and a customer, but the proposal adds stablecoin-specific carve-outs—most notably excluding purely secondary market activity and “ownership or control of a [PPSI’s] payment stablecoins alone, without other indicators of a formal relationship.” The “customer” definition reinforces this line by excluding any person who acquires or redeems a stablecoin other than directly from or to the issuer, confirming that secondary market transferees are not customers. The third term, “digital asset service provider,” is included only because it appears in the “account” definition, and it excludes activities such as operating distributed ledger protocols, providing self-custodial software, and participating in liquidity pools.

Minimum CIP Requirements

A PPSI’s CIP would, at a minimum, need to address the following elements, each closely modeled on the bank CIP rule:

  • Customer information: Before opening an account, a PPSI must obtain the customer’s name; date of birth (for individuals) or date of formation; a physical address (not a PO box); and an identification number, such as a TIN for US persons.
  • Identity verification: The CIP must include risk-based documentary and/or non-documentary verification procedures, with added steps for certain entity customers and for cases where the issuer cannot form a reasonable belief that it knows a customer’s true identity (including when to decline to open an account, when to close an account, and when to file a SAR). The Agencies acknowledge interest in leveraging verifiable credentials and digital identity solutions as part of account opening procedures; while the Proposed Rule does not include regulatory text on this topic, the Agencies request comment on how the rule could best address digital identity tools or verifiable credentials given the range available on the market.
  • Government list comparison: The CIP must screen customers against any list of known or suspected terrorists designated by Treasury. No such list has yet been designated, and PPSIs would be separately notified rather than having to seek lists out. The Proposed Rule notes that many PPSIs already maintain procedures in place for screening customers against certain sanctions lists circulated by Treasury’s Office of Foreign Assets Control, given the substantive legal requirements that apply to transactions involving persons on such lists.
  • Customer notice and recordkeeping: The CIP must give customers adequate notice that identifying information is being collected (the rule provides sample language) and retain identifying records for five years after account closure and verification records for five years after creation.
Reliance on Other Institutions

A PPSI’s CIP may permit reliance on another financial institution (including an affiliate) to perform CIP procedures, but only where that institution is regulated by a federal functional regulator, is subject to an AML/CFT program rule, and contractually certifies its AML/CFT program annually. This tracks the existing bank CIP rule, which likewise permits reliance only on institutions overseen by a federal functional regulator. For PPSIs that may wish to rely on another PPSI’s CIP, the practical effect is a one-directional gap for state-supervised issuers: because SQPSIs have no federal functional regulator, a federally regulated PPSI—whether an IDI subsidiary or an OCC-regulated FQPSI—generally could not rely on an SQPSI’s CIP, even though an SQPSI could rely on the CIP of a federally regulated PPSI. The Agencies acknowledge this disparity. Separately, the Agencies clarify that the CIP “account” definition does not narrow the GENIUS Act’s distinct lawful order compliance and “technological capability” obligations, which apply regardless of whether an “account” exists.

Open Questions

The Agencies seek comment on all aspects of the Proposed Rule and pose several questions that could materially reshape the final rule:

  • “Formal relationship”: The “account” definition hinges on a “formal relationship” between the issuer and a user, a concept carried over from the existing CIP rules. The Agencies ask whether to retain that standard, what its “hallmarks” are, whether to illustrate it with examples or attributes in guidance, and whether a “contractual or business relationship” would be a better anchor. Because this concept sets the outer boundary of the entire CIP obligation, any change could meaningfully expand or contract who counts as a customer.
  • Redemption-only relationships: Under the proposal, a person can become a “customer” by redeeming a stablecoin directly with the issuer, even with no prior relationship. The Agencies ask whether the rule should be clarified for situations where a holder’s only desired relationship is to redeem. How this is resolved will determine whether redemption-driven models must onboard and verify otherwise secondary market holders at the point of redemption.
  • Secondary market: As proposed, the CIP obligation reaches only primary market activity and excludes secondary market transfers where the user’s only interaction is with a smart contract. The Agencies ask whether any CIP requirement should be extended to secondary market activity, and if so, in what circumstances. Extending CIP into the secondary market would significantly broaden its scope and parallels the analogous question raised in the AML/CFT and sanctions proposal.
  • Digital identity and verifiable credentials: The Agencies ask whether the regulatory text should explicitly discuss digital identity solutions or verifiable credentials, and how it could best do so given the variety of tools available. They also seek comment on the benefits and risks of using such tools as part of customer identity verification.
  • CIP reliance: The Agencies ask about the expected likelihood that a PPSI would rely on another PPSI’s CIP or the CIP of another federally regulated financial institution.

Next Steps

Read together with the companion AML/CFT and sanctions proposal, the Proposed Rule gives prospective PPSIs a clearer picture of the BSA obligations that accompany PPSI status. Issuers, particularly nonbank issuers currently operating as money transmitters, should assess whether their current onboarding processes would satisfy the more formal CIP requirements. Issuers and other market participants with views on the questions raised by the Proposed Rule, particularly the “formal relationship” standard, redemption-only relationships and secondary market scope should weigh submitting comments, which are due by August 21, 2026.

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe