Articles + Publications June 29, 2026
From Crypto to Compliance: How the GENIUS Act Is Reshaping Stablecoin KYC Obligations
Key Points
- On June 22, FinCEN and four co-regulators published a joint proposed rule under Section 4(a)(5)(A) of the GENIUS Act that would treat all PPSIs as BSA financial institutions and require them to maintain written CIP programs.
- The proposed rule applies to every category of PPSI — including subsidiaries of insured depository institutions, OCC-chartered federal qualified issuers, and state qualified issuers — with no blanket exemption for state-supervised entities.
- At minimum, each PPSI’s CIP must collect name, date of birth, address, and a taxpayer identification number for each account holder, with CIP and account-closure records retained for five years.
- FinCEN estimates the rule would initially apply to roughly 50 PPSIs, with the proposed $200 million threshold capturing approximately 76% of current issuers meeting the GENIUS Act’s criteria.
- Comments on the proposed rule are due August 21, with a final rule anticipated in 2027 and compliance required 12 months after issuance.
Executive Summary
On June 22, 2026, the Financial Crimes Enforcement Network (FinCEN) — jointly with the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) — published a joint proposed rule to establish certain Customer Identification Program (CIP) requirements for permitted payment stablecoin issuers (PPSIs) as financial institutions for purposes of the Bank Secrecy Act (BSA). The proposed rule seeks to implement a core mandate (Section 4(a)(5)(A)) of the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act), which we analyzed in a prior client alert, and directs Treasury to tailor these regulations to each issuer’s size and complexity and to coordinate with the primary federal payment stablecoin regulators. The proposed rule signifies a joint, five-agency posture that represents a unified approach and reduces the risk of conflicting requirements.
If finalized, every PPSI — whether federally or state-supervised — would be required to maintain a written CIP that identifies and verifies account holders, integrates with its anti-money laundering (AML)/combating the financing of terrorism (CFT) program, and preserves specified records for five years.
Key Dates and Comment Period
- Publication: June 22, 2026, in the Federal Register (Dockets FINCEN-2026-0101 and OCC-2026-0331).
- Comment deadline: August 21, 2026 — 60 days after publication. Comments may be filed electronically at https://www.regulations.gov or by mail.
- Final rule and compliance: a final rule is anticipated in 2027, with compliance required 12 months after the final rule is issued.
What Is the Proposed Rule?
The proposed rule establishes minimum CIP standards tailored to PPSIs and applies to every category of PPSI — subsidiaries of insured depository institutions, federal qualified issuers (OCC-chartered), and state qualified issuers. State-supervised entities are not exempt.
What Does It Stem From?
As we explained in our earlier alert, the GENIUS Act created the first comprehensive federal framework for payment stablecoins and flagged the implementing CIP, AML/CFT, and sanctions rulemakings as critical next steps. This proposed rule is the latest in that coordinated effort, which also includes:
Key Requirements of the Proposed CIP Rule
- Written CIP. Each PPSI must maintain a written CIP — tailored to the issuer’s size, complexity, and customer base — that is part of its AML/CFT program.
- Identity verification. The CIP must use risk-based procedures to verify each person who opens an “account,” collecting at minimum name, date of birth (for individuals), address, and an identification number (e.g., a taxpayer identification number). Verification may be documentary, nondocumentary, or a combination, depending on risk.
- Risk-based approach. PPSIs may calibrate verification to risk — accounting for account types, transaction volumes, geographic exposure, and customer profiles — reflecting stablecoin uses ranging from retail payments to institutional settlement.
- AML/CFT integration. The CIP must be embedded in the PPSI’s broader BSA/AML/CFT program, including suspicious activity monitoring and reporting and sanctions compliance, dovetailing with the companion April 2026 AML/CFT NPRM.
- Recordkeeping. CIP records must be retained for five years after creation, and account-closure records for five years after closure — consistent with traditional BSA standards.
- Definition of “account.” Proposed § 1033.100 introduces three new defined terms — “account,” “customer,” and “digital asset service provider” — that together limit the CIP obligation to a PPSI’s direct, primary-market relationships and exclude activity in which a user’s only interaction is with the PPSI’s smart contract. “Account” is defined as a “formal relationship” between a PPSI and a customer established to provide or engage in services, dealings, or other financial transactions. The definition includes an illustrative list of covered activities — issuing or redeeming payment stablecoins, managing related reserves, and providing custodial or safekeeping services for stablecoins, reserves, or private keys, as well as authorized digital asset service provider activities. It expressly excludes stablecoin activity that does not directly involve the PPSI as a party other than through a smart contract, as well as mere ownership or control of a PPSI’s stablecoins absent other indicators of a formal relationship. The agencies reasoned that treating every transfer as a CIP relationship would impose a “global obligation to collect and verify identifying information of individual users” that would be “nearly impossible to implement and could cripple the industry”. These definitions apply only to the Part 1033 CIP obligation unless otherwise expressly note.
How to Prepare
Entities expecting to operate as PPSIs should act now:
- Gap analysis. Benchmark current KYC/CIP procedures against the proposed minimums and identify deficiencies in verification, data collection, and recordkeeping.
- Technology and integration. Confirm onboarding systems can support documentary and nondocumentary verification, ongoing risk assessment, five-year retention, and integration with AML/CFT, suspicious activity reporting, and sanctions screening.
- Governance. Prepare for board-level approval of the CIP by briefing directors and developing governance documentation.
- Comment and monitor. Consider filing a comment letter by August 21, 2026, and track the related FinCEN, OCC, OFAC, FDIC, and NCUA rulemakings.
Practical and Business Impact
FinCEN estimates it would initially apply to roughly 50 PPSIs, and the proposed $200 million threshold would capture about 76% of current issuers meeting the GENIUS Act’s criteria. Key impacts include:
- Compliance costs and consolidation. PPSIs must invest in verification technology, compliance personnel, and recordkeeping; smaller and early-stage issuers may bear disproportionate costs.
- Level playing field. Uniform CIP obligations apply across charter types, subjecting state-supervised issuers to the same federal floor as OCC-chartered entities.
- Cross-border considerations. Verifying non-U.S. persons raises equivalency questions for foreign identification documents and other cross-border compliance issues.
Exceptions and Exemptions
Proposed § 1033.220(b) contemplates exemptions, the scope of which will develop through the comment process. The framework recognizes that certain low-risk accounts or transactions may warrant simplified procedures, that the Secretary of the Treasury may grant tailored exemptions or modifications, and that the GENIUS Act’s tailoring principle supports differentiated treatment by issuer size and complexity.
No blanket exemption exists for state-qualified PPSIs. Even issuers supervised exclusively at the state level are subject to these federal CIP requirements by operation of the GENIUS Act’s treatment of all PPSIs as BSA financial institutions.
Insight Industries + Practices