Digging into the Stablecoin Customer Identification Program Proposal

Payment stablecoins pose unique challenges to the nation’s anti-money laundering (AML) and sanctions compliance regime. By design, blockchains allow issuers to track which wallets hold their stablecoins with a level of anonymity so as not to reveal the identities of those wallets’ owners. This dynamic has raised questions about how Permitted Payment Stablecoin Issuers (PPSIs) would comply with Bank Secrecy Act (BSA) requirements. 

Regulators have now proposed an answer. On June 18th, the Financial Crimes Enforcement Network (FinCEN) and the primary Federal payment stablecoin regulators jointly issued a notice of proposed rulemaking (NPRM) to establish Customer Identification Program (CIP) rules for Permitted Payment Stablecoin Issuers (PPSIs)(1).

This blog post discusses the NPRM, evaluates its content, and identifies next steps.

Background: The GENIUS Act’s Foundations

When Congress enacted the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act (2) last year, one of its most significant decisions was to require PPSIs to comply with the BSA. Section 4(a)(5) of the Act explicitly subjects PPSIs to federal laws governing economic sanctions, money laundering prevention, and customer due diligence(3). Specifically, the Act mandates that PPSIs must: 

• Maintain effective AML and economic sanctions programs;

• Retain appropriate records;

• Monitor and report suspicious transactions relevant to possible violations of law;

• Maintain the ability to block, freeze, and reject specific or impermissible transactions; and

• Maintain effective CIPs.

To effectuate these requirements, the GENIUS Act required the Treasury Secretary and the primary Federal payment stablecoin regulators — the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, and National Credit Union Administration — to adopt tailored rules implementing them(4).

The Proposal: Defining “Accounts” and “Customers”

The NPRM would require each PPSI to establish a tailored, written CIP with risk-based procedures to verify customer identities. The NPRM’s text is comparable to the requirements applicable to different classes of financial institutions, albeit with PPSI-specific nuances.

The most critical aspect of the NPRM is its scope, which limits CIP obligations to “customers,” a term the NPRM generally defines as a person or corporation that opens a new account. Because stablecoins are token-based financial instruments rather than accounts, the NPRM defines the term “account” as a formal relationship between the PPSI and a customer in which the PPSI provides or engages in financial services or transactions without limitation. Crucially, this definition excludes situations in which “a formal relationship is not established with a person,” such as transactions via smart contracts(5). Accordingly, persons who buy or sell a PPSI’s payment stablecoins solely from or to third parties are not customers of the PPSI.

The Four Core Pillars of the CIP Rule

To align with broader financial institution standards, the NPRM retains the four key operational requirements of traditional CIPs. A PPSI’s program must require it to:

• Collect and Verify Identity Information: Issuers must obtain names, addresses, identification numbers, and dates of birth (or formation for entities). Identities must be verified within a reasonable timeframe using documentary evidence, non-documentary methods, or both. Any discrepancies must be formally resolved.

• Maintain Strict Recordkeeping: PPSIs must retain customer identifiers, descriptions of verification methods, and resolution logs for at least five years after an account is closed. 

• Government List Screening: Issuers must check customer names against federal lists of known or suspected terrorists or terrorist organizations and comply with subsequent federal directives.

• Provide Customer Notice: The issuer must clearly notify customers that their identity information is being collected for verification purposes.

Additionally, the NPRM would permit a PPSI to contract with another financial institution to execute its CIP so long as the other institution is subject to CIP rules and is regulated by a federal financial regulator. This partner institution could be an affiliate, and the institution must annually certify that it will perform the PPSI’s CIP responsibilities.

A Win for PPSIs, and Their Banking Competitors

There are two noteworthy observations from the regulators’ NPRM.

1. Secondary Market Immunity 

In combination with the AML and sanctions compliance rules for PPSIs proposed by FinCEN and the Office of Foreign Assets Control (OFAC) in April(6), the NPRM makes clear that regulators will impose AML and sanctions compliance obligations only on PPSIs’ primary-market activities. PPSIs will not be liable for secondary-market uses of their payment stablecoins, which greatly lightens PPSIs’ regulatory obligations vis-à-vis more onerous possible alternatives.

If the NPRM is finalized as proposed, a PPSI’s CIP obligations would extend only to instances in which an institution has a formal relationship with an individual or entity. Such a relationship would include those who purchase or redeem payment stablecoins directly from the PPSI but not those who purchase the PPSI’s payment stablecoins in the secondary market. A PPSI’s policies would require it to learn the identities of those who receive its payment stablecoins through commercial activities. This is consistent with FinCEN’s and OFAC’s April proposal, which would require PPSIs to file suspicious activity reports only with regard to primary-market activity.

Regulators’ focus on primary-market obligations in the proposals significantly lowers PPSIs’ potential compliance costs compared to possible alternatives. A PPSI can limit its customers to a small number of institutions that purchase payment stablecoins in volume to sell into the broader market, restricting its CIP obligations to only those institutional purchasers. Although the GENIUS Act requires PPSIs to maintain “technical capabilities, policies, and procedures to block, freeze, and reject specific or impermissible transactions,” the proposals would not require PPSIs to actively monitor who obtains their payment stablecoins or how their payment stablecoins are used in the secondary market.

2. Approval for Tokenized Deposits?

Though not a substantial part of the NPRM, it implies that banks’ BSA obligations apply only to primary markets. In justifying their decision to limit PPSIs’ CIP obligations to primary-market transactions, regulators noted that “the CIP requirements for other types of financial institutions extend to where an institution has some sort of formal relationship with an individual or entity.” This interpretation of banks’ obligations bolsters the viability of tokenized deposits.

Tokenized deposits are blockchain-based representations of traditional bank deposits, and hold the potential to compete with payment stablecoins. With the exception of projects that run on banks’ proprietary blockchains and give issuing institutions complete control over tokenholders’ activities, bankers have been hesitant to offer tokenized deposits, in part due to questions about the extent of their BSA obligations(7).

If regulators view banks’ BSA obligations as extending only to primary markets, it would allow banks to issue bearer tokenized deposits that compete against payment stablecoins as transferable monetary instruments. In addition, this interpretation removes one barrier to banks paying yield to holders of tokenized deposits, which PPSIs are by law prohibited from doing. Although sanctions compliance obligations remain, regulators’ proposed interpretation that interactions via smart contracts are not primary-market transactions would permit banks to airdrop interest payments to wallets via smart contracts without CIP obligations.

Next Steps

The public has until August 21 to submit comments to FinCEN and the primary Federal payment stablecoin regulators. The agencies will consider that feedback and promulgate a final rule thereafter. The final rule is expected sometime in the fourth quarter of 2026 or first quarter of 2027.

1.  Permitted Payment Stablecoin Issuer Customer Identification Program, 91 FR 37234 (June 22, 2026), https://www.federalregister.gov/documents/2026/06/22/2026-12460/permitted-payment-stablecoin-issuer-customer-identification-program.

2.  Pub. L. 119-27, 139 Stat. 419 (2025) (codified at 12 U.S.C. 5901-5916).

3.  12 U.S.C. § 5903(a)(5)(A).

4.  Id. §§ 5903(a)(5)(B), 5913(a).

5. Payment stablecoins are issued by PPSIs using smart contracts.

6. Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements, 91 FR 18582 (Apr. 10, 2026), https://www.federalregister.gov/documents/2026/04/10/2026-06963/permitted-payment-stablecoin-issuer-anti-money-launderingcountering-the-financing-of-terrorism.

7.  See, e.g., Brooke Ybarra & Yikai Wang, Decoding Digital Money, ABA Banking Journal (Sept. 22, 2025), https://bankingjournal.aba.com/2025/09/decoding-digital-money/.