The proposal seeks to mitigate illicit finance risks while protecting the US financial system and national security interests.
By Arthur S. Long, Parag Patel, Hanyu (Iris) Xie, Pia Naib, and Deric Behar
Link to Key Points: Key Points:
- Permitted payment stablecoin issuers would be required to establish and maintain written, risk-based customer identification programs tailored to their size and business models.
- The proposed requirements would include reasonable procedures for verifying customer identity, maintaining verification records, checking customers against relevant government lists, and giving customers notice of identity checks.
- The CIP Proposal would apply across the GENIUS Act framework, including to PPSIs that opt for state supervision under the GENIUS Act.
On June 18, 2026, the Department of the Treasury’s (Treasury’s) Financial Crimes Enforcement Network (FinCEN), the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the Agencies) issued a joint proposal (the CIP Proposal) to implement customer identification program (CIP) requirements for permitted payment stablecoin issuers (PPSIs) under the Bank Secrecy Act (BSA) and the Guiding and Establishing National Innovation for US Stablecoins Act (GENIUS Act) (for more information on the GENIUS Act, see this Latham Client Alert).
The CIP Proposal is part of a broader interagency effort to implement the GENIUS Act’s illicit finance framework:
- On April 10, 2026, FinCEN and the Office of Foreign Assets Control (OFAC) issued a joint Notice of Proposed Rulemaking that would treat PPSIs as financial institutions subject to all federal laws applicable to financial institutions located in the US relating to the prevention of money laundering, economic sanctions, customer identification, and due diligence (see this Latham blog post).
- On June 5, 2026, the FDIC issued a third Notice of Proposed Rulemaking seeking to implement anti-money laundering/countering the financing of terrorism (AML/CFT) and economic sanctions compliance standards for FDIC-supervised PPSIs (including requirements promulgated by FinCEN and OFAC) that are principles-based, tailored to the business model and risk profile of PPSIs, and consistent with applicable law.
- On June 22, 2026, in coordination with FinCEN and OFAC, the OCC issued a notice of proposed rulemaking under the GENIUS Act, substantially similar to the FDIC’s, to implement BSA and sanctions compliance standards for permitted payment stablecoin issuers subject to the OCC’s jurisdiction (the BSA/Sanctions Proposal).
Link to Customer Identification Program Requirements Customer Identification Program Requirements
The BSA requires the Secretary of the Treasury (who delegates the authority to implement, administer, and enforce the BSA and its associated regulations to the Director of FinCEN) to prescribe “minimum standards” for financial institutions regarding CIPs. The GENIUS Act, in turn, directs that PPSIs be treated as financial institutions under the BSA, and that BSA obligations be tailored to the size and complexity of the issuers.
The CIP Proposal would therefore require that as part of their AML/CFT programs, PPSIs establish and maintain a written CIP that is risk-based and “appropriate for a PPSI’s size and business.” The CIP would need to “include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable,” and to do so “within a reasonable period of time after the customer’s account is opened.”
The procedures would need to be based on the PPSI’s assessment of the relevant risks and “enable the PPSI to form a reasonable belief that it knows the identity of each customer.” At a minimum, a PPSI would be required to collect identifying information from each customer, after providing appropriate notice, including name, date of birth (for an individual) or date of formation (for an entity), address, and an identification number.
In the case of a PPSI’s inability to “form a reasonable belief that it knows the true identity of a customer,” the CIP Proposal would require the PPSI to maintain procedures that describe:
- when the PPSI should not open an account;
- the terms under which a customer may use an account while the PPSI attempts to verify the customer’s identity;
- when the PPSI should close an account after attempts to verify a customer’s identity fail; and
- when the PPSI should file a Suspicious Activity Report under applicable law.
The CIP would also need to include procedures for maintaining records of the information used to verify customer identity and for determining whether a customer appears on any list1 of known or suspected terrorists or terrorist organizations issued by a federal government agency and designated as such by Treasury.
The CIP obligation would extend only to “direct relationships, i.e., primary market activity, and would not extend to activity where the only interaction is with a PPSI’s smart contract.” The Agencies considered broader coverage of secondary-market activity due to the associated risks, but they did not propose such broader coverage because “issuers have a limited ability to collect customer information on the secondary market.”
The federal functional regulator of a PPSI, with the concurrence of the Secretary of the Treasury (or vice versa), would be permitted to issue an exemption to a PPSI or for an account type as long as the exemption “is consistent with the purposes of the BSA and with safety and soundness, as well as in the public interest.”
The Agencies request feedback on all aspects of the proposal and include eight specific questions for consideration, including whether any CIP requirement should be extended to secondary market activity; whether the proposal should be refined to account for situations where a customer’s only relationship with a PPSI is to redeem a payment stablecoin; and whether any changes would make the proposal more conducive to responsible industry innovation.
Comments on the CIP Proposal are due by August 21, 2026, which is 60 days after publication in the Federal Register. If finalized, the CIP Proposal would be effective 12 months after issuance of the final rule to provide PPSIs sufficient time to review and implement the requirements.
Although FRB Governor Michael S. Barr issued a statement in support of the CIP Proposal, he expressed concern that “the GENIUS Act regulatory framework does not do enough so far to address the risks of illicit finance conducted through secondary market transactions in payment stablecoins.” He was particularly interested in feedback on whether “portions of the CIP rule should be extended to secondary market activity.”
Link to The BSA/Sanctions Proposal The BSA/Sanctions Proposal
On March 2, 2026, the OCC issued an initial proposal to implement requirements for supervised entities under the GENIUS Act, including regarding reserves, capital, redemption, and operational, compliance, and information technology risk management (see this Latham Client Alert).
The BSA/Sanctions Proposal would amend the OCC’s March 2 proposal to cross-reference the obligations in FinCEN and OFAC’s April 10, 2026, joint Notice of Proposed Rulemaking to implement the GENIUS Act’s requirement that the OCC issue regulations implementing appropriate and tailored BSA and sanctions compliance standards. It would add that PPSIs be required to comply with applicable regulations at 31 CFR Chapter X and OFAC regulations at 31 CFR Chapter V, including any AML/CFT program, sanctions program, and reporting requirements.
The BSA/Sanctions Proposal would define key terms, set out the OCC’s supervisory and enforcement policy for AML/CFT program failures, and establish a consultation process with FinCEN before the OCC initiates certain AML/CFT enforcement actions or significant AML/CFT supervisory actions.
The BSA/Sanctions Proposal substantially mirrors the FDIC’s third Notice of Proposed Rulemaking issued June 5, 2026, seeking to implement AML/CFT and economic sanctions compliance standards for FDIC-supervised PPSIs (see this Latham blog post).
Comments on the BSA/Sanctions Proposal are due by July 24, 2026, which is 30 days after publication in the Federal Register.
Link to Conclusion Conclusion
Together, the CIP Proposal, the OCC’s BSA/Sanctions Proposal, the FDIC’s similar June 5 proposal, and FinCEN and OFAC’s April 10 proposal reflect a coordinated effort by the various Agencies to implement the GENIUS Act’s illicit finance framework. If all are finalized as proposed, longstanding BSA, AML/CFT, sanctions, and CIP obligations would apply to PPSIs (treated as financial institutions under the GENIUS Act and BSA), and implementation would be tailored to the particular risks of stablecoin issuers.
Follow this and other critical developments on Latham’s US Crypto Policy Tracker.
