On June 18, 2026, the Financial Crimes Enforcement Network (FinCEN), with the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA), issued a joint proposed rule that would implement the Guiding and Establishing National Innovation for U.S. Stablecoins Act’s (GENIUS Act’s) requirement that permitted payment stablecoin issuers (PPSIs) maintain an effective customer identification program (CIP). The proposed rule was published in the Federal Register on June 22, 2026, and public comments will be accepted for 60 days following publication.
Stablecoin Issuers Will Be Financial Institutions With Full BSA Obligations
The proposed rule’s core message is that PPSIs will be treated as financial institutions for purposes of the Bank Secrecy Act (BSA) and will be subject to all federal laws applicable to financial institutions relating to the prevention of money laundering, customer identification and due diligence. Stablecoin issuers, presently subject to BSA obligations as money services businesses (MSBs), will face the heightened CIP expectations applied to banks, broker-dealers, mutual funds and futures commission merchants. The proposed rule complements a separate FinCEN and Office of Foreign Assets Control proposed rulemaking issued the same day that would apply additional anti-money laundering and countering the financing of terrorism (AML/CFT) program obligations to PPSIs.
Key Elements of Proposed CIP Rule
Primary Market Activity, Not Secondary Transfers
The proposed rule draws a critical distinction between primary market activity, in which a PPSI interacts directly with a customer (e.g., issuing, redeeming or providing custodial services), and secondary market activity, in which a payment stablecoin user’s only interaction with the PPSI is through a smart contract. The agencies focused on primary markets and acknowledged that imposing a global CIP obligation on all stablecoin transfers that occur on-chain “would be nearly impossible for PPSIs to implement and could potentially cripple the industry.” Accordingly, CIP obligations would extend only to direct customer relationships, and this rule does not address purely secondary market transfers.
Customer Information Required
The proposed rule would require a PPSI to collect information from each customer prior to opening an account: (1) name; (2) date of birth for an individual or date of formation for an entity; (3) a residential or business street address; and (4) an identification number, such as a taxpayer identification number for U.S. persons or a passport number for non-U.S. persons. P.O. boxes and virtual office addresses are not acceptable as customers’ physical locations. The bill does not directly address AI agents, but these requirements may limit agents’ ability to be direct customers of PPSIs because they lack addresses and government identification numbers.
Recordkeeping
The CIP must include procedures for making and maintaining records of all customer identification information obtained. Customer identifying information must be retained for five years after account closure, and verification records must be retained for five years after the record is made.
Comparison With Government Lists
The CIP must include reasonable procedures for determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations designated by Treasury. Because no such lists have yet been designated specifically for PPSIs, issuers will receive separate notification when lists must be consulted.
Reliance on Another Financial Institution
A PPSI’s CIP may include procedures permitting reliance on another federally regulated financial institution’s performance of CIP procedures, provided that reliance is reasonable, the other institution is subject to AML/CFT program requirements and regulated by a federal functional regulator, and the institutions enter into an annual certification contract. Critically, reliance does not relieve the PPSI of its own CIP compliance obligations.
Practical Implications and Strategic Outlook
As with longstanding BSA/AML guidance, rather than a one-size-fits-all approach, the proposed CIP rule would allow the individual PPSI to tailor its CIP to the issuer’s size, services, risk profile, customer base and onboarding methods. The agencies considered — but ultimately rejected — a purely size-based threshold for lessened requirements, concluding it “would conceivably result in the targeting of these issuers by illicit actors seeking to circumvent regulatory scrutiny.”
When a PPSI is a subsidiary of an insured depository institution, the enterprise may implement a single, enterprise-wide AML/CFT program and CIP, provided it accounts for the distinct legal and regulatory obligations of each entity.
The agencies expressly acknowledged the role of verifiable credentials and digital identity solutions but declined to mandate specific technologies, inviting comment on how the rule could best accommodate innovation in this space.
The exclusion of purely secondary market activity from CIP obligations provides significant relief for the industry, but the agencies seek comment on whether any CIP requirement should be extended to secondary market activity and in what circumstances.
The agencies propose a 12-month compliance window following issuance of the final rule, providing PPSIs time to build or adapt their CIP infrastructure.
Next Steps
With additional regulations on the horizon, existing and prospective stablecoin issuers should evaluate their current customer onboarding and verification processes against the proposed CIP framework.
Institutions that interact directly with stablecoin issuers, including digital asset exchanges, custodians and depository institutions considering stablecoin subsidiaries, should assess how the reliance and enterprise-wide program provisions may impact their compliance architecture.
Given the agencies’ broad open questions, including key definitions, digital identity solutions, secondary market obligations and potential economic impact on small entities, there is a brief but valuable opportunity for industry stakeholders to shape the final rule. Accordingly, readers may want to consider submitting comments.
McGuireWoods’ Securities Enforcement & Regulatory Counseling Practice Group is a national leader in securities enforcement defense and broker-dealer and investment adviser regulatory counseling. Anchored by former SEC and Financial Industry Regulatory Authority attorneys from enforcement and trading and markets, as well as prominent federal prosecutors, the team manages complex securities investigations at every stage — from informal inquiries and routine exams through investigations, litigation and appeals — all while staying at the forefront of developing issues confronting the securities industry. For questions about this alert, contact the authors or your McGuireWoods contact.