The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and four federal banking regulators proposed rules on Thursday to implement customer identification program (CIP) and anti-money-laundering (AML) requirements for payment stablecoin issuers under the GENIUS Act.
Consistent with CIP obligations for other types of financial institutions, these new rules would establish the minimum standards for permitted payment stablecoin issuers’ (PPSIs) CIPs, including developing a written program tailored to the issuer’s size and business, risk-based procedures for verifying the identity of each customer, and procedures to address when a potential or existing customer’s identity cannot be verified.
As FinCEN’s press release about it notes, “[t]he proposal seeks to provide an appropriately tailored regime that mitigates potential illicit finance risks while protecting the US financial system and national security interests.”
The GENIUS Act
The Guiding and Establishing National Innovation for US Stablecoins Act, or GENIUS Act, was passed by Congress in late July 2025, and is the primary US law regulating payment stablecoins. Signed into law, it establishes a comprehensive regulatory framework to lock in the dollar’s dominance with such stablecoins, and it provides consumer protections in the digital asset market.
It also designates PPSIs to serve as a financial institutions and be subject to the Bank Secrecy Act (BSA), which means such issuers have to develop comprehensive AML and Countering the Financing of Terrorism (CFT) frameworks, including those CIPs, which includes significant due diligence obligations, plus suspicious activity reporting and economic sanctions law requirements.
Overview of proposed rule
The proposed rule would require a “written CIP that is appropriate for a PPSI’s size and business,” FinCEN notes in its fact sheet about the proposal. “The CIP would be part of the PPSI’s anti-money laundering and countering the financing of terrorism program.”
The required components of the CIP are:
- Customer information required and verified: The proposed rule would require a PPSI to obtain from each customer the following information prior to opening an account: (1) name; (2) date of birth, for an individual, or date of formation, for an entity; (3) address; and (4) an identification number. “The CIP contains procedures for verifying the identity of each new customer within a reasonable period of time after the customer’s account is opened. The proposed rule would enable verification procedures to include verification through documents and non-documentary methods,” the fact sheet notes.
- Records: The proposed rule would include procedures for making and maintaining a record of all information obtained by the PPSI by way of its CIP.
- Comparison with government lists: The proposed rule would require the CIP “to include reasonable procedures for determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal Government agency and designated as such by Treasury in consultation with the Federal functional regulators.”
- Customer notice: The proposed rule would require procedures for providing customers with adequate notice that the PPSI is requesting information to verify their identities.
- Reliance on another financial institution: The proposed rule states that “a PPSI’s CIP may include procedures specifying when a PPSI may rely on another federally regulated financial institution’s performance of a procedure with respect to any PPSI customer that is opening or has opened an account.”
Back in April
Just recently, in April, FinCEN and the Treasury’s Office of Foreign Assets Control issued a separate but related proposed rule to establish AML/CFT and sanctions obligations on issuers, requiring them to maintain such programs and the infrastructure to block or freeze transactions that violate US sanctions.
It outlines risk assessment and mitigation processes that devote more resources to higher-risk customers and activities, but it sticks with its traditional expectation of ongoing customer due diligence.
Quotable
The regulatory agencies joining FinCEN in the proposed rulemaking include the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the National Credit Union Administration (NCUA).
Comments on the notice of proposed rulemaking will be accepted for 60 days after publication in the Federal Register.
In the NCUA’s press release about it, Chair Kyle Hauptman said the joint rule “mirrors” current CIP requirements for credit unions. “It sets clear standards for identifying and verifying account holders and safeguards the interests of credit unions and their members. By establishing robust customer identification requirements, we are reinforcing our commitment to preventing money laundering and terrorist financing in our financial system,” he said.
Federal Reserve Governor Michael Barr had a more nuanced statement on the proposed CIP requirements for payment stablecoin issuers. He thinks the GENIUS Act’s regulatory framework does not do enough in overseeing the peer-to-peer exchange of the digital asset, trading on exchanges, or DeFi protocol transfers of already issued stablecoins where the primary issuer is not directly involved.
Here is his statement about those secondary marketplaces:
“I support the issuance of this proposal, which would impose customer identification program (CIP) requirements on Board-supervised payment stablecoin issuers that are similar to CIP requirements imposed on Board-supervised banks. I remain concerned, however, that the GENIUS Act regulatory framework does not do enough so far to address the risks of illicit finance conducted through secondary market transactions in payment stablecoins. While some digital asset service providers are subject to anti-money laundering and anti-terrorist financing requirements in their home jurisdiction, it is far too easy for bad actors to evade these restrictions and operate without detection when transacting in digital assets. I will carefully review comments in response to the proposal’s questions regarding whether any portions of the CIP rule should be extended to secondary market activity. I will also be assessing whether overall implementation of the GENIUS Act regulatory framework beyond just the CIP rule would result in adequate protection against the use of stablecoins in illicit finance.”
His worries reflect ones he has expressed previously. In a speech delivered in March, Barr observed how bad actors can purchase stablecoins in markets that may not have CIP requirements, saying “both regulatory and technological solutions will need to be deployed to limit these risks.”