The build-out of a comprehensive regulatory framework for payment stablecoins is steadily moving toward completion, as the various agencies charged with implementing the GENIUS Act continue to fill in the remaining gaps. The latest piece of that framework is a joint notice of proposed rulemaking by the Financial Crimes Enforcement Network (FinCEN), Office of the Comptroller of the Currency (OCC), Federal Reserve Board (Fed), Federal Deposit Insurance Corporation (FDIC), and National Credit Union Administration (NCUA) governing how permitted payment stablecoin issuers (PPSIs) must collect and verify identifying information of their customers. The proposal implements the GENIUS Act's directive that PPSIs be treated as financial institutions under the Bank Secrecy Act (BSA) and maintain an effective customer identification program (CIP). Comments on the proposed rulemaking are due August 21, 2026.

The proposal slots into the broader architecture currently advanced through proposals and standards addressing stablecoin reserve, capital, liquidity, and risk management requirements, as well as a separate rulemaking applying anti-money laundering/countering the financing of terrorism (AML/CFT) and sanctions compliance program obligations to PPSIs. The degree of coordination among the federal agencies in building out the payment stablecoin regulatory framework is remarkable and a notable shift from a previous, often siloed approach. Joint rules applied uniformly across each agency's supervised institutions make rulemakings more understandable and, ultimately, compliance less difficult.

Key Takeaways

  • PPSIs to be treated as "financial institutions." The GENIUS Act and the proposed rulemaking treat PPSIs as financial institutions for BSA purposes, subjecting them to the same core AML/CFT program and customer identification mandates that apply to banks.
  • Mandatory written, risk-based CIP. Each PPSI will have to establish and maintain a written CIP, tailored to its size and business and embedded within its broader AML/CFT program, with risk-based procedures to form a reasonable belief that it knows the true identity of each customer.
  • Core identifying information mirrors bank model. Before opening an account, a PPSI will have to collect, at a minimum, a customer's name; date of birth (for individuals) or date of formation (for entities); a physical address; and an identification number.
  • Definition of "account" tailored to stablecoin activity. The proposed rules would expand the concept of an "account" to capture primary market activities unique to stablecoin issuers—issuing and redeeming stablecoins, reserve management, and custodial safekeeping of stablecoins, reserves, or private keys—while excluding activity where the only interaction is with a PPSI's smart contract.
  • Flexibility on verification methods and reliance. The proposed rules would permit documentary and non-documentary verification, leave room for emerging digital identity tools, and allow a PPSI to rely on another federally regulated financial institution's CIP performance under defined conditions—although the PPSI would remain responsible for compliance.

Scope and Framework

The proposal would add a new Part 1033 to FinCEN's regulations and, at proposed 31 C.F.R. 1033.220, require every PPSI to establish and maintain a written CIP appropriate for its size and business. As with the CIP rule applicable to banks, a PPSI's CIP would have to be a component of the issuer's AML/CFT program. The proposed rules would apply to PPSIs supervised by each of the primary federal payment stablecoin regulators (OCC, Fed, FDIC, and NCUA) and PPSIs that opt for state supervision under the GENIUS Act.

New Definitions

The proposal would add three new CIP-specific definitions—"account," "customer," and "digital asset service provider"—"designed to clarify that a PPSI's CIP obligation extends to direct relationships, i.e., primary market activity, and does not extend to activity where the only interaction is with a PPSI's smart contract."

"Account" would be defined as a formal relationship between a PPSI and a customer, established to provide or engage in services, dealings, or other financial transactions, and would include a non-exclusive list of illustrative stablecoin-specific activities that fall within "services, dealings, or other financial transactions": (i) issuing or redeeming a payment stablecoin; (ii) managing related reserves; (iii) providing custodial or safekeeping services for stablecoins, required reserves, or private keys; (iv) other directly supporting activities; and (v) providing services of a "digital asset service provider" that are authorized by the primary federal payment stablecoin regulator or state payment stablecoin regulator. The definition would expressly exclude purely secondary market activity, such as where interactions occur only through a smart contract and mere ownership of an issuer's stablecoins without other indicators of a formal relationship.

"Customer" would be defined as a person who opens a new account, including an individual who opens a new account for an individual lacking legal capacity or for an entity that is not a legal person. The definition would likewise exclude regulated financial institutions, certain exempt persons, persons that have existing accounts with the PPSI where the PPSI has a reasonable belief of the person's true identity, and persons who acquire or redeem stablecoins other than directly with the PPSI.

To clarify the exclusion in the "account" definition, the proposal would define "digital asset service provider" consistent with the GENIUS Act as persons that, for compensation or profit, engage in the business in the United States (including for customers or users in the United States) of exchanging digital assets for monetary value, exchanging digital assets for other assets, transferring digital assets to a third party, acting as a digital asset custodian, or participating in financial services relating to digital asset issuance. The definition would exclude certain activities, such as distributed ledger protocols, developing distributed ledger protocols or self-custodial software interfaces, immutable and self-custodial software interfaces, validating transactions or operating a distributed ledger, and participating in liquidity pools or similar mechanisms for peer-to-peer transactions.

Identity Verification Procedures

The proposal would require a PPSI to have risk-based procedures enabling the PPSI to form a reasonable belief that it knows each customer's true identity, calibrated to the PPSI's accounts and account-opening methods, available identifying information, and the PPSI's size, location, and customer base. Before opening an account, the PPSI would have to obtain at a minimum from each customer:

  • the customer's name;
  • the date of birth for an individual, or date of formation for an entity;
  • the customer's address (a residential and mailing address for an individual, or the principal place of business, local office, or other physical address and mailing address for an entity); and
  • an identification number like a taxpayer identification number or passport number.

The proposal contemplates documentary verification (such as a driver's license or passport for individuals, or articles of incorporation for entities) and non-documentary methods (such as comparing customer information against information from a consumer reporting agency or public database), and would preserve flexibility for use of emerging digital identity solutions and verifiable credential tools.

Where the PPSI cannot verify a customer's true identity, the proposal would require the CIP to address when the PPSI should not open an account, the terms of any interim account usage while attempting to verify the customer's identity, when to close the account after attempts to verify a customer's identity have failed, and when to file a Suspicious Activity Report.

Recordkeeping

The proposal would require a PPSI to have procedures for making and maintaining a record of all information obtained, including the identifying information collected, a description of any verification documents, the methods and results of verification, and the resolution of any discrepancies discovered when verifying the identifying information obtained. The PPSI would need to retain identifying information for five years after the account is closed, and verification records for five years after the record is made.

Comparison with Government Lists

The proposal would require a PPSI's CIP to include reasonable procedures for determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations created by any federal agency and designated by Treasury in consultation with the federal functional regulators. Because no such list has yet been designated, PPSIs would have no affirmative duty to seek out all lists of known or suspected terrorists or terrorist organizations compiled by the federal government and will instead receive separate notification regarding the lists that must be consulted for purposes of this provision—although an obligation already exists for U.S. persons to check their customers against the Specially Designated Nationals List administered by OFAC, which is considered as part of a separate proposed rule to impose AML/CFT program and sanctions compliance program requirements on PPSIs. Failure to comply with current obligations, such as the obligation to engage in appropriate customer screening, could result in criminal or civil penalties for a PPSI.

Customer Notice

The proposal would require PPSIs to give customers adequate notice that the PPSI is requesting information to verify their identity, such as a notice posted on a website or included in account applications. The proposal provides sample notice language.

Reliance on Another Financial Institution

The proposal would permit a PPSI to rely on another federally regulated financial institution's performance of CIP procedures where reliance is reasonable, the other institution is subject to an AML/CFT program with CIP requirements and is regulated by a federal functional regulator, and the parties enter into a contract requiring annual certification that the institution has implemented an AML/CFT program and will perform the specified requirements of the PPSI's CIP. The PPSI nevertheless would remain liable for CIP compliance.

Exemptions

The proposal would allow the appropriate federal functional regulator, with concurrence of the Treasury Secretary (and vice versa), to exempt any PPSI or type of account from the requirements, as consistent with BSA purposes, safety and soundness, and the public interest.

Our Take

By formally classifying PPSIs as "financial institutions" and mapping familiar bank-like CIP requirements onto the unique mechanics of stablecoin issuance, redemption, reserve management, and custody, regulators are signaling that the guardrails for this market should approximate the safety and soundness expectations long applied to banks and credit unions. It also should answer many of the objections asserted by banks who have long argued that crypto entities should be subject to bank-like risk management. The proposed requirements will make the market more stable, more predictable, and better positioned for future growth. For most established issuers—many of which already collect substantial customer information in the ordinary course—the incremental compliance burden may be manageable, but the importance of formalizing written programs, recordkeeping, and verification standards should not be underestimated.

+++

Steve Gannon and Michael Treves have extensive experience spanning financial compliance, regulatory counsel, and enforcement matters, providing insights to help clients navigate complex challenges in the financial services sector. For questions or more insights, please contact Steve, Michael, or another member of Davis Wright Tremaine's financial services team and sign up for our alerts.