FinCEN Proposes First Stablecoin KYC Rules for Issuers – BitRss

Ledger
Bybit


Dokky® Suite - Professional way to Publish, Manage, and Share Documents


What to Know

  • FinCEN and four federal banking agencies published the first proposed stablecoin customer identification program rules on June 18, 2026, implementing a core GENIUS Act mandate
  • Nonbank stablecoin operators, currently regulated as money transmitters, face the steepest compliance shift, as they have no account-level identity verification requirement under existing rules
  • The proposed rules cover direct primary-market relationships only; secondary-market smart contract transactions are excluded, though direct redemptions from secondary-market buyers remain an open regulatory question
  • Public comments close August 21, 2026, and regulators propose a 12-month implementation window after the final rule is published

For stablecoin issuers, the regulatory honeymoon is ending. The Financial Crimes Enforcement Network, joined by the OCC, Federal Reserve, FDIC, and NCUA, released a joint Notice of Proposed Rulemaking that would extend Bank Secrecy Act customer identification obligations to permitted payment stablecoin issuers, the first formal rules of their kind. The rulemaking is a direct consequence of the GENIUS Act, which established America’s first comprehensive federal framework for digital payment currencies earlier this year and explicitly required issuers to maintain effective customer identification programs as a condition of legal operation. Consider this the KYC moment stablecoin has been building toward.

What Does the Proposed Rule Actually Require?

The CIP Framework, Explained

Under the proposal, any permitted payment stablecoin issuer (PPSI) must establish a written customer identification program before opening accounts, modeled closely on the programs banks and broker-dealers have maintained for years under federal law. The rulemaking was published in the Federal Register on June 22, with comments due August 21 and a proposed 12-month implementation window running from when a final rule is issued.

Each issuer would tailor its program to its own size, business model, and risk profile, but the baseline requirements apply uniformly across the board. At account opening, PPSIs would be required to collect:

bybit

The proposal also introduces stablecoin-specific definitions of ‘account’ and ‘customer’ that depart from traditional banking rules. Simply holding or controlling a stablecoin would not, by itself, establish a customer relationship with the issuer. A formal relationship must exist before customer identification obligations are triggered, which turns out to matter a great deal once secondary-market activity enters the picture.

  • Customer name and physical address
  • Date of birth (individuals) or date of formation (entities)
  • Taxpayer identification number or other government-issued identifier
  • Risk-based documentary or non-documentary identity verification procedures
  • Watch-list screening against government databases
  • Customer notification at account opening
  • Record retention policies for all verification materials

Nonbank Issuers Get the Sharpest End

Here’s the part that stings. Under current rules, money transmitters, the regulatory category covering most nonbank stablecoin operators, are only required to verify customer identities on higher-value transactions. No formal, account-level customer identification program requirement exists for them today. That changes under this proposal.

Banks and broker-dealers have operated under comprehensive CIP obligations since the Bank Secrecy Act rules were hardened in the early 2000s. Nonbank stablecoin issuers have largely avoided that compliance burden, until now. The GENIUS Act didn’t just define what a payment stablecoin is. It set the table for exactly this kind of rulemaking, mandating that issuers maintain effective customer identification programs as a condition of legal operation under the new framework.

For incumbents with existing compliance infrastructure, the transition is manageable. For newer nonbank entrants who built their businesses on lighter money transmission requirements, the operational costs are going to be real. New onboarding workflows, identity verification systems, watch-list screening integrations, this is bank-grade compliance arriving at companies that were never built for it.

A small stablecoin operator currently processing transactions under a money transmitter license has never had to design a formal CIP from scratch. Under this rule, they would need to build one, and have it operational within 12 months of the final rule being published.

Does the Smart Contract Exemption Actually Hold?

Where the Carve-Out Ends

Regulators drew a deliberate boundary: obligations under the proposed Bank Secrecy Act extension apply only to direct, primary-market relationships. That covers stablecoin issuance, redemption, conversion, and custodial services where the customer interacts with the issuer directly. Secondary-market transactions, where users interact only through smart contracts without any direct issuer contact, are explicitly excluded.

The logic is practical. Requiring identity verification on every on-chain secondary transfer would impose what the agencies themselves described as an impractical global compliance obligation. Nobody seriously disagrees with that reasoning.

But the edges get messy fast. What happens when someone buys a stablecoin on a secondary exchange, with no prior relationship with the issuer, and then shows up to redeem it directly? The agencies flagged this as a ‘consequential question’ and explicitly did not resolve it. That redemption scenario could trigger a full customer relationship requiring identity verification, even though the buyer never directly engaged with the issuer before attempting to redeem.

Issuers whose business models lean heavily on redemption flows need to watch this closely. The final rule’s answer here will determine how many walk-up redemptions require full CIP onboarding before a token can simply be exchanged for dollars, and that could reshape how some redemption-heavy business models are structured entirely.

What Stays Open Before the August 21 Deadline

The comment window closes August 21, 2026, and the agencies deliberately left several significant questions open for industry input.

Whether the ‘formal relationship’ trigger is the right legal standard, or whether a contractual or business-relationship framework would provide cleaner lines, remains unsettled. How digital identity technologies and verifiable credentials should be incorporated into verification workflows for a sector built on decentralized infrastructure is another unresolved question. Whether issuers running redemption-only business models warrant different treatment from full-service operators sits in the same unfinished pile. And how frequently PPSIs will rely on a partner financial institution’s existing customer identification program, rather than building their own, carries major cost implications that the proposal has not yet addressed.

This rulemaking pairs with companion proposals covering anti-money laundering obligations, countering the financing of terrorism, and sanctions compliance. Together, they are assembling the regulatory compliance foundation the GENIUS Act made inevitable. The question is no longer whether stablecoin issuers will face bank-grade KYC requirements, that was decided when the bill passed. The question is where exactly the final lines get drawn.

Frequently Asked Questions

What is a permitted payment stablecoin issuer?

A permitted payment stablecoin issuer (PPSI) is an entity authorized under the GENIUS Act to issue payment stablecoins in the United States. Under the proposed rule, PPSIs must establish written customer identification programs before onboarding customers, modeled on the standards banks and broker-dealers follow under the Bank Secrecy Act.

What does the proposed stablecoin customer identification rule require?

The proposed rule requires PPSIs to collect customer names, physical addresses, dates of birth or formation, and taxpayer identification numbers before opening accounts. Issuers must also implement risk-based identity verification, watch-list screening, customer notification, and record retention policies tailored to each issuer’s size, business model, and risk profile.

Are secondary market stablecoin transactions subject to the new KYC rules?

No. The proposed rules apply only to direct, primary-market relationships, stablecoin issuance, redemption, conversion, and custodial services. Pure secondary-market transactions through smart contracts are excluded. However, a secondary-market buyer who later seeks direct redemption with an issuer may trigger a new customer relationship requiring full identity verification.

When must stablecoin issuers comply with the new identification rules?

Comments on the proposal are due August 21, 2026. After a final rule is published, regulators propose a 12-month implementation period. Depending on when the final rule is issued, stablecoin issuers could face these compliance obligations as early as mid-to-late 2027.



Source link

fiverr

Be the first to comment

Leave a Reply

Your email address will not be published.


*