On June 22, the Financial Crimes Enforcement Network (FinCEN), together with the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Federal Reserve), Federal Deposit Insurance Corporation (FDIC) and National Credit Union Administration (NCUA), published a joint notice of proposed rulemaking (NPRM) to implement customer identification program (CIP) requirements for permitted payment stablecoin issuers (PPSIs) under the Guiding and Establishing National Innovation for US Stablecoins Act (GENIUS Act).
Comments on the proposed rule are due by August 21, 2026.
Background
Enacted in July 2025, the GENIUS Act established the first federal regulatory framework for payment stablecoins and their issuers. Among other things, the GENIUS Act directs that PPSIs be treated as financial institutions under the Bank Secrecy Act (BSA) and required to maintain an “effective customer identification program, including identification and verification of account holders.” This NPRM implements that CIP directive and should be read alongside the separate April 2026 FinCEN/Office of Foreign Assets Control NPRM addressing broader anti-money laundering and counter-terrorism financing (AML/CFT) and sanctions compliance program requirements for PPSIs, which addressed AML program obligations but expressly left CIP requirements to a stand-alone rulemaking.
The NPRM imposes a CIP obligation for all accounts maintained by PPSIs, whether the PPSI is supervised by a federal banking agency or operating under a state supervision pathway. In many respects, the proposed requirements mirror the familiar CIP framework applicable to banks, broker-dealers and other financial institutions, but adapted for the stablecoin context.
What the proposed rule would require
Under the proposal, each PPSI would be required to maintain a written, risk-based CIP appropriate for the PPSI’s size and business as part of its broader AML/CFT program.
Scope of obligation
The NPRM proposes three new definitions – “account,” “customer” and “digital asset service provider” – which are intended to clarify that the CIP obligation extends only to direct relationships and not to activity where a user’s only interaction with the PPSI is through a smart contract. CIP obligations would therefore attach only in the “primary” market, such as when a customer opens an account directly with the PPSI to issue, redeem or custody stablecoins. “Secondary” market participants (i.e., those who later transact in tokens without a direct relationship with the issuer) would not be considered the PPSI’s “customer” for CIP purposes, a scoping decision on which the agencies are seeking comment.
Customer information and identify verification
Before opening an account, a PPSI would be required to collect standard identifying information (name, date of birth or formation, address and government identification number) and verify customer identity through risk-based procedures that “enable the PPSI to form a reasonable belief that it knows the identity of each customer.” PPSIs must verify identity “to the extent reasonable and practicable,” and, where a PPSI cannot form a reasonable belief that it knows the true identity of a customer, the CIP must describe: when not to open an account; the conditions under which a customer may use an account while verification is pending; when to close an account after failed verification attempts; and when to file a Suspicious Activity Report.
Notice and comparison with government lists
PPSIs also would be required to screen customers against government lists of known or suspected terrorists or terrorist organizations and provide customers with adequate notice that the PPSI is requesting information to verify their identities.
Reliance on another institution
A PPSI’s CIP may include procedures for relying on another federally regulated financial institution to perform CIP procedures on its behalf, provided the reliance is reasonable, the other institution is subject to its own AML/CFT and CIP requirements and is regulated by a Federal functional regulator,[1] and there is a contract in place requiring that institution to certify annually that it has implemented its program and will perform the specified CIP procedures. The PPSI would remain responsible for its own compliance regardless of any such reliance arrangement.
Records
The proposed rule creates two distinct records retention periods: (1) Identifying information collected prior to account opening must be retained for five years after account closure; but (2) verification records (descriptions of documents reviewed, nondocumentary methods used and resolution of discrepancies) must be retained for five years after the record is made.
Comments sought
The agencies are soliciting comment on a range of issues. On the substantive rule design, the agencies ask whether CIP requirements should extend to secondary market activity and, if so, under what circumstances. They seek feedback on whether the proposed definitions of “account,” “customer” and “digital asset service provider” are sufficiently clear and whether “formal relationship” is the right conceptual anchor for the definition of “account“, or whether alternative concepts – such as a “contractual” or “business” relationship” – would be more appropriate. The agencies also ask whether the rule should be clarified for the specific scenario where a customer’s only desired interaction with a PPSI is to redeem a payment stablecoin.
On verification and technology, the agencies invite comment on whether the regulatory text should explicitly address digital identity solutions and verifiable credentials, and what the benefits and risks of those tools are for customer identity verification.
On reliance, the agencies ask how likely it is that PPSIs would rely on another PPSI’s CIP or the CIP of another Federal functionally regulated financial institution. Finally, the agencies broadly invite input on what changes would make the rule more conducive to industry innovation.
Looking ahead
The CIP rulemaking is one of several GENIUS Act rulemakings underway, with additional rules still to come. For example, the Federal Reserve and the US Department of the Treasury are expected to propose new rules covering licensing, substantive GENIUS Act obligations and foreign issuers, among other matters. We will continue to monitor developments as the GENIUS Act regulatory framework takes shape.
[1] Under section 509 of the Gramm-Leach-Bliley Act, the term “Federal functional regulator” means (A) the Board of Governors of the Federal Reserve System; (B) the Office of the Comptroller of the Currency; (C) the Board of Directors of the Federal Deposit Insurance Corporation; (D) the Director of the Office of Thrift Supervision; (E) the National Credit Union Administration Board; and (F) the Securities and Exchange Commission. 15 U.S.C. 6809(2)