Introduction
On June 18, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), together with the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the National Credit Union Administration (collectively, the “Agencies”) issued a joint notice of proposed rulemaking (“NPRM”) to implement certain customer identification program (“CIP”) requirements under the Guiding and Establishing National Innovation for U.S. Stablecoins Act (“GENIUS Act”).[1]
The CIP NPRM supplements the broader anti-money laundering and countering the financing of terrorism (“AML/CFT”) program rule for stablecoin issuers published on April 10, 2026. Its primary function is to establish minimum CIP requirements for permitted payment stablecoin issuers (“PPSIs”) and to clarify when a PPSI has a customer and account relationship requiring identification and verification. That scope question matters because stablecoins can move through primary market relationships with an issuer, but also through secondary market activity that may involve exchanges, self-hosted wallets, peer-to-peer transfers, vendors, or smart contracts without any direct issuer relationship.
If finalized, the proposed rule would require PPSIs to maintain a written, risk-based CIP as part of their AML/CFT program, collect specified identifying information before opening an account, verify customer identity within a reasonable time before or after account opening, maintain related records, screen against any government lists designated for CIP purposes, provide customer notice, and permit limited reliance on other federally regulated financial institutions. The proposal also reflects the Agencies’ attempt to tailor bank-style CIP concepts to a stablecoin ecosystem without imposing a global identity-verification obligation on every holder or secondary market user of a payment stablecoin.
This client alert summarizes several important features of the CIP NPRM, but is not intended to cover every aspect of the proposal.
Key Takeaways:
PPSIs would be treated as BSA financial institutions, but this proposal focuses on CIP.
- The GENIUS Act requires PPSIs to be treated as financial institutions for purposes of the Bank Secrecy Act (“BSA”) and to maintain an effective CIP, including identification and verification of account holders. This NPRM implements that CIP directive. It should be read alongside FinCEN’s separate rulemaking proposing broader changes to apply BSA obligations to PPSIs.
The most important scoping issue is the line between primary and secondary market activity.
- The proposal would generally apply CIP obligations where the PPSI has a direct relationship with a customer, such as issuing, redeeming, converting, repurchasing, burning, reissuing, or providing custodial services. It would not treat mere ownership or control of a PPSI’s stablecoin, or secondary market activity that involves the PPSI only through a smart contract, as creating an account relationship that triggers CIP requirements.
The proposal avoids an issuer-level KYC obligation for every downstream holder.
- FinCEN and the Agencies expressly recognize that treating every payment stablecoin transfer as creating a customer relationship with the issuer would effectively impose a global obligation to collect and verify user information, which they describe as nearly impossible to implement and potentially crippling to the industry. That is a significant and practical scoping proposal, though the Agencies seek comment on whether the approach is correct.
The CIP itself is familiar, but the operating environment is not.
- The required elements generally track existing CIP rules for banks and other financial institutions (e.g., customer information, identity verification, records, list checking, customer notice, and reliance). However, applying those concepts to stablecoin issuance, redemption, wallet infrastructure, intermediated distribution, and digital identity tools will require more careful analysis than a simple “copy and paste” of bank CIP procedures.
Digital identity is acknowledged but not hard-coded.
- To comply with the proposed rule, the Agencies acknowledge that PPSI’s may need to use mobile IDs, verifiable credentials, and other digital identity tools, but they avoid writing specific digital identity requirements into the rule. This leaves room for rulemaking flexibility and innovation, but it also puts pressure on issuers to document why certain identification tools are reliable for particular customer types and risk profiles.
Reliance is available, but limited and not a liability transfer.
- A PPSI may be able to rely on another federally regulated financial institution to perform specified CIP procedures if (1) reliance is reasonable, (2) the institution is subject to AML/CFT and CIP requirements and regulatory oversight, and (3) the parties enter into the required contractual and annual certification arrangement. Regardless, the PPSI will remain responsible for its own CIP compliance.
Background
The GENIUS Act establishes a federal framework for payment stablecoins and requires PPSIs to be treated as financial institutions under the BSA, including for purposes of customer identification. The joint NPRM would apply familiar CIP requirements across different issuer structures, including those operating under the GENIUS Act’s state-supervision pathway.
Although the Agencies describe the proposal as comparable to existing CIP rules for other financial institutions, the stablecoin context presents a distinct scoping issue: payment stablecoins may circulate among persons who never onboard directly with the issuer. As a result, much of the proposal focuses on when a PPSI has an “account” and “customer” relationship, and when secondary-market activity falls outside that relationship.
Defining the Scope: Primary vs. Secondary Market Activity
The most important practical contribution of the NPRM is its proposed scope. FinCEN and the Agencies distinguish between primary market activity, where a PPSI interacts directly with a user or holder, and secondary market activity, where payment stablecoin activity does not directly involve the PPSI as a party to the transaction other than through a smart contract.
Primary market activity would include issuing, converting, redeeming, repurchasing, burning, and reissuing payment stablecoins, as well as associated services such as custodial services. Secondary market activity could include purchasing stablecoins from intermediaries, sending stablecoins from a self-hosted wallet to a vendor, exchanging stablecoins for another digital asset on an exchange, or person-to-person transfers.
The proposed definitions of “account” and “customer” are built around this distinction. An “account” would generally mean a formal relationship between a PPSI and a customer established to provide or engage in services, dealings, or other financial transactions. By contrast, mere ownership or control of a PPSI’s stablecoin, without more, would not create an account.
This is a meaningful limitation. Without it, a PPSI could face CIP obligations for users that acquire or transfer the stablecoin entirely through third parties or self-hosted wallets. FinCEN and the Agencies appear to recognize that such a requirement would be difficult to implement operationally and could impair stablecoin use in secondary markets.
The Proposed CIP Requirements
The proposed rule would require each PPSI to maintain a written CIP as part of its broader AML/CFT program, with risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. In many respects, the technical requirements mirror the familiar CIP framework applicable to other types of financial institutions, including the collection of basic identifying information, use of documentary and non-documentary verification methods, and procedures for circumstances where the institution cannot form a reasonable belief that it knows the customer’s true identity. The significance of the proposal is, therefore, not that it creates a wholly new CIP model, but that it applies that familiar framework to PPSIs and requires them to adapt it to stablecoin-specific relationships.
Digital Identity and Verifiable Credentials
The NPRM acknowledges that identity verification has evolved since the original bank CIP rule, including through mobile IDs, digital identity credentials, and other account opening tools. Rather than propose specific regulatory text for these technologies, FinCEN and the Agencies preserve flexibility and seek comment on whether the rule should say more. That flexibility is sensible, but PPSIs that relying on digital identity tools will still need a defensible process for evaluating their reliability, appropriate use cases, residual risks, vendor controls, exception handling, and auditability.
Records, List Checking, Customer Notice, and Reliance
The proposed rule also includes familiar CIP-related requirements for recordkeeping, customer notice, list-checking, and reliance. PPSI’s would need to retain identifying and verification records, provide customers with notice that information is being requested to verify identity, and maintain procedures for checking customers against any government lists designated for CIP purposes, while continuing to comply separately with OFAC sanctions requirements. The proposal would also permit PPSIs to rely on another financial institution that is subject to BSA compliance program requirements and federal supervision to perform specified CIP procedures, but only where reliance is reasonable and supported by a contract requiring annual certification of the institution’s AML/CFT program and performance of the relevant CIP functions. Importantly, formal reliance would not transfer the PPSI’s liability for CIP compliance.
Looking Ahead
The proposal is scheduled for publication in the Federal Register on June 22, 2026, with comments due 60 days after publication. Given the speed of GENIUS Act implementation and the importance of the scoping questions embedded in the NPRM, affected institutions should consider whether to engage in the comment process.
In the meantime, PPSIs and prospective PPSIs can begin preparing for implementation of the final rule by identifying products, services, wallet flows, redemption channels, direct customer touchpoints, and third-party relationships; determining which activities may create an “account” under the proposal; comparing current onboarding and verification controls against the proposed CIP requirements; and assessing whether existing vendor and partner agreements sufficiently support CIP compliance.
For many issuers, the proposal will not require a wholesale reinvention of identity controls. Many already collect and verify customer information in some form. But the proposal would require those controls to be framed, documented, and governed as a BSA CIP program tailored to a stablecoin issuer’s actual business model. The key will be making sure that the issuer can explain not only what it collects, but why its scope decisions, verification methods, reliance arrangements, and exception processes are reasonable in light of its risks.
[1] Permitted Payment Stablecoin Issuer Customer Identification Program, scheduled for publication at 91 Fed. Reg. ___ (June 22, 2026).
