Breaking News: FinCEN and Banking Agencies Propose New Customer Identification Program Rules for Stablecoin Issuers

Introduction

On June 22, the Financial Crimes Enforcement Network (FinCEN), the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) jointly published a Notice of Proposed Rulemaking (the Proposed Rule) that establishes customer identification program (CIP) requirements for Permitted Payment Stablecoin Issuers (PPSIs).¹

This Proposed Rule implements the GENIUS Act,² which designated PPSIs as financial institutions under the Bank Secrecy Act and its amendments (BSA), and mandates that they maintain effective CIPs. The Proposed Rule would impose CIP obligations consistent with other financial institutions and would include both federal- and state-regulated PPSIs. Comments are due 60 days after Federal Register publication.

How We Got Here

PPSIs have already been subject to BSA obligations since at least 2019, when FinCEN explicitly named stablecoin issuers as money services businesses (MSBs) in regulatory guidance, and more recently in 2021 when the AML Act of 2020 was enacted.³ However, including PPSIs as MSBs under the BSA did not impose a CIP requirement on the PPSIs because MSBs are exempt from complying with the portion of the BSA that mandates CIP and customer due diligence (CDD) framework in a financial institution’s anti-money laundering (AML) program, unless those MSBs separately trigger state money transmission licensing requirements and those state-specific requirements include the inclusion of CIP. Consequently, while most MSBs have a de facto CIP in place to comply with other BSA obligations, there is often no affirmative requirement to do so.

The GENIUS Act disallows PPSIs from utilizing this MSB gap and requires “maintenance of an effective customer identification program, including identification and verification of account holders with the PPSI.”⁴ Any PPSI that does not already address CIP and CDD in its current AML compliance program will now have to update its program.

To ensure consistent treatment, this joint Proposed Rule establishes one uniform CIP framework for all three categories of PPSIs: (1) subsidiaries of insured depository institutions, (2) federally qualified PPSIs, and (3) state-qualified PPSIs. The CIP must be maintained in writing, tailored to the issuer’s size and business, and incorporated into the PPSI’s broader AML program. As with other types of financial institutions, where the PPSI is a subsidiary of another financial institution such as a bank, the parent can elect to extend the enterprise-wide AML program to the PPSI.

Additionally, the Proposed Rule suggests defining “account” as a formal relationship between a customer and a PPSI established to provide or engage in services, dealings, or other transactions, including the issuance or redemption of a payment stablecoin. This is significant because meeting the definition of “account” is what triggers a PPSI’s CIP obligation. The Proposed Rule would add key exclusions from the definition of “account,” most notably including any products or services where no formal relationship is established, where activity involving the PPSI occurs only through a smart contract, or where ownership or control of a PPSI’s payment stablecoins occur absent other indicators of a formal relationship.

Proposed CIP Requirements and Timing

The ultimate goal of any CIP program is for the covered institution to “form a reasonable belief that [the PPSI] knows the true identity of the customer.”⁵ This involves a two-pronged process: identifying the customer through the collection of pedigree information and reasonably verifying that information. To that end, the Proposed Rule specifies the minimum customer information PPSIs would be required to collect, which would be in line with other covered institutions subject to the BSA, as follows:

1. Full legal name
2. Date of birth for individuals or date of formation for entities
3. Physical address, meaning a residential or mailing address for individuals or a principal place of business for entities (P.O. boxes and virtual mail receiving services are not acceptable)
4. Identification number (e.g., a Social Security number for U.S. persons, a tax ID number for entities, or a foreign tax ID number, passport number, or alien ID for non-U.S. persons and entities)
   
   

Once the foregoing information is collected, the Proposed Rule offers both documentary and non-documentary ways to verify that the information is correct and the customer is who they say they are. As an example of acceptable documentary methods, the PPSI can collect a copy of an individual’s photo identification, such as a passport or driver’s license, to verify that the information on that document matches the information provided. For an entity, a copy of the certificate of incorporation can serve the same purpose. As examples of acceptable non-documentary methods, the PPSI can use public databases such as a state corporate registry or check references with other financial institutions, or it could contact the customer directly and obtain a financial statement to demonstrate resources. The Proposed Rule requires non-documentary procedures to address situations where (i) a customer cannot present an unexpired photo identification, (ii) the PPSI is unfamiliar with the documents presented, (iii) the account is opened without documents, (iv) the customer does not meet in person, or (v) other circumstances increase the risk that documents will not verify true identity. For a non-U.S. person who is not an individual and does not have an identification number, the PPSI must request alternative government-issued documentation certifying the person’s existence.

Additional considerations the Proposed Rule addresses include:

• The inclusion of policies and procedures for when the PPSI cannot verify its customer’s identity,
• The use of federal lists such as the Office of Foreign Assets Control’s economic and terrorist sanctions lists, and
• Notice to the customer of the CIP requirements that generally describes the identification requirements and is provided in a manner that is reasonably designed to ensure that the prospective customer can view it before opening an account.
  
  

Notably, the Proposed Rule advises that “customers” for the purposes of CIP requirements do not include customers from secondary markets despite most stablecoin activity occurring on the secondary market, as CIP collection at that level is impractical. Existing primary market customers will also be excluded, provided the PPSI has a reasonable belief that it knows the customer’s true identity, although the Proposed Rule indicates that ongoing CDD should be conducted. The agencies also declined to include wallet identification numbers as a part of CIP collection in the Proposed Rule.

Identifying information must then be retained for five years after the account is closed, while records concerning verification documents, verification methods and results, and discrepancy resolution must be retained for five years after the record is made.

Comments on the Proposed Rule are due 60 days after its publication in the Federal Register, on August 21. The agencies have proposed that any final rule would take effect 12 months after issuance, giving PPSIs time to design and implement compliant programs.

Our Thoughts

For most established PPSIs, the Proposed Rule should feel familiar and not change much for their existing AML programs. PPSIs that already conduct CDD and have a CIP program in place for their primary-market customers will likely find any potential compliance burden from the final rule to be manageable, particularly given the exclusion of existing customers. Even so, PPSIs should not wait for a final rule to begin measuring their onboarding, verification, recordkeeping, and notice practices against the proposed requirements. PPSIs and other interested parties should also consider submitting comments. The agencies specifically request comment on digital identity and verifiable credentials. Digital identity tools remain flexible under the Proposed Rule rather than prescribed in regulatory text; for instance, the Proposed Rule states that mobile IDs or digital driver’s licenses may be treated as government-issued identification where appropriate, and nongovernmental digital identity credentials may be usable as non-documentary methods if appropriate under risk-based procedures.

If you have questions about the Proposed Rule or its implications for your business, or wish to discuss submitting a comment during the comment period, please contact one of the listed authors of this client alert or your relationship attorney at Lowenstein Sandler.

¹ Note that the GENIUS Act and this accompanying Proposed Rule apply only to “permitted payment stablecoins” and “permitted payment stablecoin issuers” as those terms are defined in the GENIUS Act. The Proposed Rule emphasizes that not all stablecoins are payment stablecoins and not all stablecoin issuers will be eligible to be PPSIs.
² See “Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act of 2025,” 12 U.S.C. §§ 5901-5916.
³ See 31 U.S.C. § 5312(a)(2). For FinCEN’s previous implementing guidance, see “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” FIN-2019-G001, available at https://www.fincen.gov/resources/statutes-regulations/guidance/application-fincens-regulations-certain-business-models.
⁴ 12 U.S.C. § 5903(a)(5)(A)(v).
⁵ Proposed Rule, 31 C.F.R. § 1033.220(a).