Client Alerts
CIP or WIP: Proposed Stablecoin CIP Rule a Work in Progress
July 06, 2026
By Sam Kleiner, Braddock Stevenson and Abby Shamray
I. The Proposal
The Financial Crimes Enforcement Network (FinCEN), jointly with the Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA) and Office of the Comptroller of the Currency (OCC) (collectively, the Agencies), issued a proposed rule (the Proposal) that would set out requirements for permitted payment stablecoin issuers (PPSIs) in maintaining Customer Identification Programs (CIPs), as required under the GENIUS Act.[1] This follows the proposed rule released in April 2026 on AML/CFT and sanctions compliance program requirements for PPSIs,[2] which explicitly deferred CIP to a later rulemaking, and arrives one month before the GENIUS Act’s July 18 rulemaking deadline.
The Proposal would require PPSIs to maintain:
- A written, risk-based CIP that specifies collection of the name, date of birth or entity formation date, address and an identification number (Social Security Number for U.S. persons and EIN for entities) before an account is opened, and sets out record-keeping procedures.
- Identity verification policies that require verification within a reasonable time of account opening.
- Procedures for when verification fails, including when to decline to open an account, when to close an account and when to file a suspicious activity report (SAR).
- A process to ensure screening of customers against government terrorist lists.
The Proposal would also address customer notice and reliance on other regulated institutions. Comments on the Proposal are due on August 21.
II. Key Observations
Account-Based Anchor
Mirroring the language of the GENIUS Act (see 12 U.S.C. § 5903(a)(5)(A)(v)), the Proposal would anchor CIP obligations to customers of the PPSI with “formal” account-holding relationships.[3] The Proposal contemplates primary and secondary market activities and proposes “that a PPSI’s CIP obligation extends to direct relationships, i.e., primary market activity,” including direct issuance and redemption, “and does not extend to activity where the only interaction is with a PPSI’s smart contract.”[4] The Proposal further states that applying the obligation to the secondary market would amount to a “global obligation to collect and verify identifying information of individual users” that would be “nearly impossible to implement and could cripple the industry.”[5] To achieve this boundary, the Proposal explicitly defines a customer as a person opening a new account for their own benefit, clarifying that the term does not encompass downstream individuals transacting through an intermediary.[6]
As currently drafted, the Proposal would require PPSIs to establish a formal account relationship and complete all CIP procedures in order to process a redemption. This would mean establishing a formal account relationship with any and all stablecoin holders for PPSIs with policies allowing direct redemption for all holders. This stands in notable contrast to pre-existing regulation and guidance that exclude analogous scenarios — such as check-cashing or sale of a check or money order,[7] or other one-off transactional services[8] or products such as nonreloadable prepaid cards[9] — from establishing a formal account relationship and invoking CIP obligations. This approach for PPSI redemption could create challenges in implementation as PPSIs seek to meet CIP requirements while fulfilling redemption requirements (i.e., on demand, par redemption within a reasonable period, currently proposed as two business days)[10] for requests from parties with whom they have no prior relationship (e.g., holders of stablecoins obtained on secondary markets). Issuers should be cognizant of these challenges in designing their redemption procedures and CIP policies.
Crucially, neither the GENIUS Act nor implementing prudential frameworks mandate that an issuer provide direct redemption to every downstream retail holder.[11] Regulators have explicitly acknowledged that issuers may deploy an intermediated model, routing secondary market liquidity through a designated tier of institutional partners.[12] While the NPRM articulates an expectation that “hundreds of thousands” of customers are “likely to interact with PPSIs in the primary market,” including through “wider-facing mint/redeem models that seek to include smaller investors and businesses,” the NPRM also notes that “[b]esides digital asset exchanges, FinCEN expects most of a PPSI’s other customers are likely to be financial institutions.”[13] By utilizing an intermediated model and limited direct redemption policy, the Proposal’s definition of a customer may support PPSIs only having to execute their CIPs with respect to a small handful of institutional intermediaries.
While the Proposal’s approach in limiting CIP obligations to customers with formal account-holding status with PPSIs was not necessarily unanticipated, it has drawn some notable concern. Michael Barr, member of the Board of Governors of the Federal Reserve, issued a statement on the proposal, citing concern that the GENIUS Act’s regulatory framework “does not do enough so far to address the risks of illicit finance conducted through secondary market transactions in payments stablecoins,” and noted he would “carefully review comments” regarding whether the rule should be extended to secondary market activity.[14]
Conversely, extending PPSI CIP obligations to the secondary market may be unnecessary given the robust on-chain tracking capabilities of blockchain analytics, requirements that PPSIs maintain capabilities to block and freeze tokens and wallets to enforce legal or sanctions orders,[15] and the fact that downstream intermediaries, including exchanges and wallet providers, bear independent CIP obligations. Ultimately, the Proposal’s approach in not creating CIP obligations for PPSIs in relation to secondary market activity directly aligns with FinCEN’s long-standing treatment of intermediated financial relationships. For instance, FAQs and administrative rulings have established that clearing and deposit infrastructure providers are not required to “look through” independent intermediaries to perform CIP onboarding on downstream retail participants.[16]
Digital ID and Verifiable Credentials
While the Proposal itself does not incorporate reference to or otherwise advance utilization of digital ID or verifiable credentials, the Request for Comment does solicit input on whether and how the regulatory text should specify such use, as well as input on benefit and risks of such solutions.[17]
The solicitation is not entirely unprecedented. The Agencies have previously acknowledged advanced electronic onboarding, confirming that financial institutions may utilize an electronic credential, such as a digital certificate, as an acceptable nondocumentary method to verify customer identity over purely electronic channels.[18] Despite this baseline, there remains uncertainty regarding data collection standards, such as whether a PPSI must extract and decrypt the underlying raw attributes of a decentralized ID to satisfy baseline customer identification data fields, or if a cryptographic attestation alone is compliant. Furthermore, traditional record retention rules require firms to maintain the exact information used to verify an identity for five years post account closure; however, it remains unclear how issuers can legally satisfy this mandate when relying on ephemeral digital credentials, zero-knowledge proofs or privacy-preserving decentralized ledgers that do not permanently store customer data.
Reliance
Also noteworthy is the Proposal’s reliance framework, which would introduce a regulatory asymmetry with the GENIUS Act by limiting a PPSI’s ability to rely on third-party CIP procedures exclusively to financial institutions supervised by a federal functional regulator. This would effectively freeze out a PPSI’s ability to formally rely on state-regulated entities, including money service business digital asset exchanges and state-chartered PPSIs, even if such institutions are determined to be subject to a substantially similar regulatory regime under the GENIUS Act. Restricting federally supervised entities from reciprocating reliance on state-supervised partners would create a compliance wall, disincentivizing integration and impeding operational efficiency. Ultimately, this structural disconnect could force redundant customer screening, artificially fragmenting stablecoin ecosystems and driving up compliance overhead across the industry.
III. Next Steps
Financial institutions interested in issuing stablecoins should map their planned or existing customer onboarding processes to the proposed CIP standard and further reconcile it with the AML/CFT and sanctions framework released in April.
The 60-day comment window is open now through Aug. 21.
[1] Permitted Payment Stablecoin Issuer Customer Identification Program, 91 Fed. Reg. 37234 (June 22, 2026).
[2] Permitted Payment Stablecoin Issuer Anti-Money Laundering / Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements, 91 Fed. Reg. 18582 (Apr. 10, 2026); see also Office of the Comptroller of the Currency, OCC Bull. No. 2026-28, GENIUS Act: Anti-Money Laundering/Countering the Financing of Terrorism and Sanctions Compliance: Notice of Proposed Rulemaking (June 22, 2026), https://www.occ.gov/news-issuances/bulletins/2026/bulletin-2026-28.html.
[3] 12 U.S.C. § 5903(a)(5)(A)(v).
[4] Permitted Payment Stablecoin Issuer Customer Identification Program, supra note 1, at 37239.
[5] Id.
[6] Id., at 37240.
[7] 31 CFR § 1020.100(a)(2)(i).
[8] Bd. of Governors of the Fed. Reserve Sys., Fed. Deposit Ins. Corp., Fin. Crimes Enforcement Net., Nat’l Credit Union Admin., Off. of the Comptroller of the Currency, Off. of Thrift Supervision and the U.S. Dep’t of the Treasury, FAQs: Final CIP Rule (April 2005), https://www.fincen.gov/system/files/guidance/finalciprule.pdf.
[9] Bd. of Governors of the Fed. Reserve Sys., Fed. Deposit Ins. Corp., Fin. Crimes Enforcement Net., Nat’l Credit Union Admin. and Off. of the Comptroller of the Currency, Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Cards (March 21, 2016), https://www.fincen.gov/system/files/shared/InterAgencyGuidance20160318.pdf.
[10] See 12 U.S.C § 5903; Sec. 350.5 of the FDIC’s proposed rule (91 Fed. Reg. 18534 (April 10, 2026)); Sec. 15.12 of the OCC’s proposed rule (91 Fed. Reg. 10202 (Mar. 2, 2026)).
[11] See 12 U.S.C § 5903; Sec. 350.5 of the FDIC’s proposed rule (91 Fed. Reg. 18534 (April 10, 2026)); Sec. 15.12 of the OCC’s proposed rule (91 Fed. Reg. 10202 (Mar. 2, 2026)).
[12] U.S. Securities and Exchange Commission, Statement on Stablecoins (April 4, 2024), https://www.sec.gov/newsroom/speeches-statements/statement-stablecoins-040425 (“In some cases, any holder may be eligible to mint or redeem a Covered Stablecoin directly with the issuer on a one-for-one basis corresponding to the value of the USD. In other cases, only designated intermediaries may be eligible to mint or redeem a Covered Stablecoin directly…”).
[13] Permitted Payment Stablecoin Issuer Customer Identification Program, supra note 1, at 37248.
[14] Michael Barr, Board of Governors of the Federal Reserve System, Statement on the Proposal for Customer Identification Program Requirements for Payment Stablecoin Issuers (June 18, 2026), https://www.federalreserve.gov/newsevents/pressreleases/barr-statement-20260618.htm; see also Question 1 of Request for Comments in the Proposal (“Should any CIP requirement be extended to secondary market activity? If yes, in what circumstances? What would be the benefits and drawbacks of doing so?”).
[15] See Permitted Payment Stablecoin Issuer Anti-Money Laundering / Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements, 91 Fed. Reg. 18582, 18582-18583 (April 10, 2026).
[16] Bd. of Governors of the Fed. Reserve Sys. et al., supra note 5; FinCEN Administrative Ruling FIN-2008-R008 (June 3, 2008), https://www.fincen.gov/sites/default/files/administrative_ruling/fin-2008-r008.pdf.
[17] See Request for Comments in the Proposal, Question 5 of Request for Comments in the Proposal (“Should the regulatory text explicitly discuss digital identity solutions or verifiable credentials? How could it best do so given the range of tools available on the market?”); and Question 6 (“What are the benefits and risks of using digital identity solutions or verifiable credentials as part of verifying customers' identities?”).
[18] Bd. of Governors of the Fed. Reserve Sys. et al., supra note 5.
Contributors


Practice Areas
For More Information









