Federal Banking Regulators and FinCEN Propose New Customer Identification and BSA/Sanctions Compliance Standards for Payment Stablecoin Issuers
On June 22, 2026, federal regulators released two additional notices of proposed rulemaking that would further build out the Bank Secrecy Act (“BSA”) and sanctions compliance framework to be applied to permitted payment stablecoin issuers (“PPSIs”) under the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the “GENIUS Act”). Below, we summarize and highlight key takeaways from the following two proposed rulemakings (together, the “Proposals”):
CIP Proposal. The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), the Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“FRB”), the Federal Deposit Insurance Corporation (“FDIC”), and the National Credit Union Administration (“NCUA,” and together with the OCC, FRB, and FDIC, the “Banking Agencies”) jointly announced a notice of proposed rulemaking (the “CIP Proposal”) that would implement GENIUS Act provisions treating PPSIs as financial institutions under the BSA and requiring PPSIs to maintain an effective customer identification program (“CIP”).
OCC Compliance Standards Proposal. Separately, the OCC, in coordination with FinCEN and Treasury’s Office of Foreign Assets Control (“OFAC”), announced a proposed rulemaking (the “OCC Compliance Standards Proposal”) amending its March 2, 2026 proposed rule (the “PPSI Proposal,” covered in a previous blog post) to implement the GENIUS Act’s requirement that the OCC issue BSA and sanctions compliance standards for PPSIs under the OCC’s jurisdiction.
The Proposals come in the context of other recent proposed rules from FinCEN and the Banking Agencies.1 In addition to the PPSI Proposal, the FDIC and Treasury separately took initial steps to implement the GENIUS Act earlier this year. These steps included rules to determine whether a state-level regime is “substantially similar” to the GENIUS Act framework as well as how subsidiaries of FDIC-supervised banks and associations may qualify as PPSIs. Together, the Proposals reflect the agencies’ incremental, cross-referenced approach to building out the GENIUS Act’s illicit-finance architecture: FinCEN and OFAC supply the substantive AML/CFT and sanctions requirements, and the prudential regulators layer tailored supervisory and enforcement frameworks on top.
Below, we discuss key takeaways from the CIP and OCC Compliance Standards Proposals.
CIP Proposal
The CIP Proposal is a new rulemaking, separate from the joint FinCEN/OFAC proposal announced on April 8, which would establish a general AML/CFT and sanctions compliance framework for PPSIs (the “Stablecoin Proposal,” discussed in a previous post). The CIP Proposal would be incorporated into that broader framework (proposed new 31 C.F.R. Part 1033) and is focused specifically on customer identification requirements.
Under the GENIUS Act, PPSIs are “financial institutions” subject to the BSA as well as other federal laws relating to “economic sanctions, prevention of money laundering, customer identification, and due diligence,” and the CIP Proposal is designed to implement the customer identification component of that mandate.
Key takeaways from the CIP Proposal include the following:
- BSA Minimum Standards. Under the BSA, the minimum standards the Secretary of the Treasury prescribes must include reasonable procedures for “(1) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; (2) maintaining records of the information used to verify a person's identity, including name, address, and other identifying information; and (3) determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency.”
New Definitions. The CIP Proposal introduces new defined terms for “account,” “customer,” and “digital asset service provider.”
“Account” is defined broadly as a formal relationship between a PPSI and a person that is established to provide services, dealings, or other transactions, including issuing or redeeming a payment stablecoin, managing related reserves, and providing custodial or safekeeping services. Notably, the “account” relationship need not predate the interaction: a holder that acquires a PPSI’s stablecoin on the secondary market and later presents it directly to the PPSI for redemption would establish an account at that point. On the other hand, mere ownership or control of a PPSI’s stablecoin, without more, would not.
“Customer” is defined to cover persons opening a new account, but excludes federally regulated financial institutions, state-regulated banks, certain persons described in 31 C.F.R. § 1020.315(b)(2)–(4), existing accountholders whose true identity the PPSI already reasonably believes it knows, and persons acquiring or redeeming stablecoin through indirect means.
Finally, “digital asset service provider” standardizes GENIUS Act terminology to cover persons or entities that, for compensation or profit, engage in exchanging digital assets for national currency or other digital assets, transferring digital assets to third parties, acting as a digital asset custodian, or participating in financial services related to digital asset issuance.
CIP Requirements. The CIP would need to be integrated into a PPSI’s broader AML/CFT program and would require risk-based procedures designed to form a reasonable belief as to a customer’s true identity broadly consistent with CIP requirements currently imposed on other types of financial institutions. Before opening an account, a PPSI would need to obtain basic identification information from the customer, and would then need to verify that information within a reasonable period through documentary or non-documentary means. The CIP also would need to include procedures addressing when a PPSI should not open an account, when it should close an account after verification attempts fail, and when it should file a Suspicious Activity Report.
The CIP Proposal also would require procedures for checking customers against government lists of known or suspected terrorists and terrorist organizations, and for providing customers adequate notice that identity verification information is being requested. In addition, the CIP would need to include recordkeeping procedures — identifying information would be retained for five years after an account closes, and verification records for five years after the record is made — and could permit reliance, under specified conditions, on CIP procedures performed by another federally regulated financial institution.
- Impact. The CIP Proposal would directly affect customers of PPSIs as well as other financial institutions, including institutions with PPSI subsidiaries and institutions already subject to CIP obligations, along with regulators, compliance examiners, law enforcement, and national security agencies that access and use related FinCEN reports.
Comments on the CIP Proposal are due by August 21, 2026. Among other things, the Banking Agencies have specifically requested comment on whether CIP requirements should extend to secondary market activity, refinements to the “account,” “customer,” and “digital asset service provider” definitions (including whether to retain the “formal relationship” concept and how to treat redemption-only customers), the role of digital identity solutions and verifiable credentials in identity verification, and the likelihood that PPSIs will rely on other PPSIs’ or federally regulated institutions’ CIPs.
OCC Compliance Standards Proposal
The OCC Compliance Standards Proposal would amend the OCC’s March 2, 2026 proposed rule by adding a new paragraph to proposed Part 15 that cross-references the obligations set out in the Stablecoin Proposal announced on April 8 and would make corresponding changes to 12 C.F.R. Part 4 and Part 19.
Key takeaways from the OCC Compliance Standards Proposal include the following:
- Proposed § 15.13(c) Compliance Standard. New paragraph § 15.13(c) would provide that, to ensure compliance with BSA and sanctions requirements, each PPSI must comply with applicable regulations at 31 C.F.R. chapters V and X, including any AML/CFT program, sanctions program, and reporting requirements. Notably, the proposed rule would not impose requirements beyond those already contained in the FinCEN/OFAC framework proposed under the Stablecoin Proposal — rather, compliance with FinCEN’s and OFAC’s regulations would itself constitute compliance with § 15.13(c), reflecting an effort to reduce burden and promote consistency between the OCC’s rule and the broader Treasury framework.
- Statutory Basis. The proposal would require PPSIs to comply with the BSA, sections 4(a)(5) and 4(a)(6)(B) of the GENIUS Act, and applicable regulations at 31 C.F.R. chapters V and X.
- Supervision and Enforcement Framework. A new subpart R to 12 C.F.R. Part 19 would establish a supervision and enforcement framework for PPSI AML/CFT programs, including a FinCEN–OCC consultation process for AML/CFT enforcement or significant supervisory actions. Consistent with the enforcement threshold proposed under the FinCEN and Banking Agencies Proposals discussed in our prior post, an issuer with an effective AML/CFT program generally would not be subject to an enforcement or significant supervisory action except for a “significant or systemic failure to implement” that program; the threshold would not restrict OCC action for a PPSI’s failure to establish a program in the first instance, nor would it affect criminal liability.
- Notice and Information-Sharing. Before taking an AML/CFT enforcement or significant supervisory action, the OCC would need to provide the FinCEN Director with 30 days’ advance written notice, though that period could be shortened at the OCC’s discretion in cases involving unsafe or unsound conditions. The OCC has also proposed, under 12 C.F.R. Part 4, two alternative approaches for authorizing PPSIs to share the OCC’s non-public supervisory information with the FinCEN Director in connection with an existing or potential AML/CFT enforcement or significant supervisory action. Under Option 1, the OCC would authorize a PPSI to disclose such information to the FinCEN Director (and authorize the FinCEN Director to use it) without further conditions; under Option 2, that authorization would be conditioned on the PPSI’s contemporaneous disclosure of the same information to the OCC — an approach the OCC suggests may better preserve applicable privileges, though at the potential cost of chilling proactive reporting to FinCEN.
Comments on the OCC Compliance Standards Proposal are due by July 24, 2026. The OCC has specifically requested comment on how proposed Part 15 would interact with the OCC’s pre-existing BSA and sanctions regimes, additional reserve-asset safeguards against fraud, redemption protections for stablecoin holders, alignment with the FDIC’s parallel proposed rule, privilege implications of the Part 4 disclosure options, refinements to the Part 19 definitions (including whether revocation of approval to issue a payment stablecoin should count as an AML/CFT enforcement action), and whether an asset-size threshold (e.g., $10 billion) or an optional consultation process would help streamline the framework and avoid examination delays.
What Comes Next?
The CIP Proposal and the OCC Compliance Standards Proposal are subject to separate comment periods, closing on August 21, 2026 and July 24, 2026, respectively. Notably, the OCC has provided only a 30-day comment window — a short runway for issuers with views on the FinCEN consultation framework or the Part 4 privilege options. Both proposals build on, and in places cross-reference, the broader AML/CFT and sanctions compliance framework for PPSIs proposed under the Stablecoin Proposal announced on April 8. FinCEN and the Banking Agencies have proposed that a final CIP rule would take effect 12 months after issuance. In the meantime, PPSIs and other affected institutions may wish to begin considering how their customer identification, AML/CFT, and sanctions compliance frameworks would align with the standards proposed under these two rulemakings.
***
- On July 7, the FRB released an additional proposed rule on bank anti-money laundering programs. The FRB’s proposal generally tracks those of the other agencies, which we addressed in a prior post.
To receive the latest insights on US legal developments, subscribe to the Freshfields A Fresh Take Blog.
