GENIUS Act KYC: What Stablecoin Issuers Must Do Now

On June 18, 2026, five US federal agencies — FinCEN, the OCC, the Federal Reserve, the FDIC, and the NCUA — jointly published a notice of proposed rulemaking that rewrites the compliance rules for every stablecoin issuer operating in the United States. The proposal was entered into the Federal Register on June 22 under docket number 2026-12460. Comments are due August 21, 2026.

The rule is not a technical clarification. It is a structural shift: for the first time, Permitted Payment Stablecoin Issuers (PPSIs) would be classified as financial institutions under the Bank Secrecy Act and required to operate Customer Identification Programs (CIP) identical in substance to those maintained by commercial banks.

If you issue, redeem, convert, or custody a payment stablecoin in the United States, this proposal is about your onboarding stack — not your legal team's reading list.

What the GENIUS Act Actually Did

The Guiding and Establishing National Innovation for US Stablecoins Act, signed into law in 2026, established the first federal licensing framework for payment stablecoins. Among its provisions, the Act directed federal banking regulators and FinCEN to treat PPSIs as financial institutions under the BSA.

That designation carries weight. Financial institution status means AML program requirements, suspicious activity reporting obligations, and — through the proposed CIP NPR — mandatory customer identification before account opening. The proposed rulemaking implements the CIP component; a parallel rulemaking published in April 2026 addressed the AML/CFT program and sanctions compliance requirements.

Together, the two rules bring stablecoin issuers to the same compliance baseline as the banks whose rails they sit alongside.

The Four Pillars of the Proposed CIP Rule

The proposed Customer Identification Program requirements for PPSIs are built on four operational obligations. Every compliance team at a stablecoin issuer needs to map these against their current onboarding flow.

1. Written, Risk-Based CIP Policy

Issuers must maintain a written CIP that is integrated into their broader AML/CFT program. The policy must be risk-based: higher-risk customers require more intensive verification procedures, while standard-risk customers may be processed through lighter verification — but within defined limits. The written policy must be reviewed and updated as risk profiles change.

This is a significant operational requirement for issuers who currently rely on informal onboarding processes or third-party managed flows with no in-house policy documentation.

2. Mandatory Data Collection Before Account Opening

Before opening an account, issuers must collect:

Data Element	Required
Full legal name	Yes
Date of birth	Yes
Address (residential or business)	Yes
Government-issued identification number	Yes

For US persons, the government identification number is a taxpayer identification number (SSN, ITIN, or EIN). For non-US persons, the agencies propose accepting a passport number or equivalent foreign government-issued document number, combined with the country of issuance.

This collection requirement applies at account opening. The proposed rule does not allow collection to be deferred until after the customer has initiated transactions.

3. Identity Verification Within a Reasonable Time

Collecting data is not enough. Issuers must verify that the customer is who they claim to be. The proposed rule adopts the "reasonable time" standard used by bank CIP rules: verification must occur before or shortly after account opening.

Acceptable verification methods include documentary verification (checking identity documents), non-documentary verification (database checks, credit bureau queries, public records), or a combination of both. For digital-first issuers operating without physical branches, non-documentary verification — pulling from authoritative government data sources, verifying biometrics, or running liveness detection — is the practical standard.

The agencies explicitly acknowledged that stablecoin issuers operate differently from retail banks and that remote, automated verification methods are expected to be the norm.

4. Recordkeeping, Government List Screening, and Customer Notice

Beyond collection and verification, the proposed rule requires:

• Recordkeeping: CIP records must be retained for five years after account closure.
• Government list screening: Customers must be screened against lists designated for CIP purposes, which in practice means OFAC sanctions lists at minimum.
• Customer notice: Issuers must inform customers that their identity information will be collected and verified for CIP purposes.
• Reliance: Issuers may rely on other federally regulated financial institutions to perform CIP functions, provided a formal reliance agreement is in place.

The reliance provision is operationally important for issuers that distribute through regulated intermediaries or custody providers. Where the intermediary performs CIP, the issuer can rely on that work — but the reliance agreement must be documented and the issuer retains ultimate responsibility if the intermediary fails.

The Secondary Market Carve-Out

One of the most significant scoping decisions in the proposed rule is what it does not cover: secondary market activity.

The proposal explicitly limits CIP obligations to primary market relationships — cases where the PPSI has a direct relationship with a customer through issuing, redeeming, converting, repurchasing, burning, reissuing, or providing custodial services. Owning or controlling a stablecoin in a secondary market transaction does not, by itself, create an account relationship that triggers CIP requirements.

Critically, the agencies also proposed that interactions with smart contracts on secondary markets — even when the issuer's stablecoin is the underlying asset — do not trigger CIP obligations.

This is a meaningful relief for decentralized exchange activity. An issuer does not need to KYC every wallet that holds or trades its stablecoin on a secondary platform. The obligation runs only where there is a direct, intentional customer relationship.

However, compliance teams should read this carefully. Where an issuer operates custodial services, mint/redeem portals, or direct-to-consumer distribution — even through a third party — those relationships are primary market activity and within scope.

Why the Timing Matters

The proposal published on June 22, 2026. Comments close August 21, 2026. The agencies have proposed that any final rule become effective twelve months after publication — meaning early-to-mid 2027 is the realistic compliance deadline.

That twelve-month runway is less generous than it appears. Building a compliant CIP from scratch — documented policy, integrated verification systems, OFAC screening, recordkeeping infrastructure — takes six to nine months minimum for a mid-sized issuer. Organizations that begin only after the final rule publishes will be scrambling.

The comment period is also not a delay. The proposed rule reflects months of inter-agency coordination following the GENIUS Act's passage. The comment period exists to refine technical parameters, not to reconsider the fundamental requirement. Issuers that treat the NPR stage as "just a proposal" and wait for finality are taking a material compliance risk.

What This Means for the Crypto KYC Landscape

The GENIUS Act CIP rule arrives at a moment when the broader crypto compliance landscape has already tightened significantly. The MiCA Travel Rule took full effect for EU-registered CASPs earlier this year, requiring verified identity data on every crypto transfer with no minimum threshold. The UK's MLR amendments extended correspondent relationship rules for crypto firms effective June 30. For a broader picture of how these obligations stack, see our State of KYC in Crypto 2026 report.

The US rule adds a new dimension: for the first time, the world's largest stablecoin market has a domestic KYC mandate at the issuer level. Previously, US stablecoin issuers operated under a patchwork of state money transmitter licenses with inconsistent identity verification requirements. The GENIUS Act and the proposed CIP rule create a federal floor that replaces that patchwork with a uniform standard.

For issuers operating in both the EU and the US, this means dual-jurisdiction CIP compliance is now necessary. The good news: the core data elements are similar. The EU's AMLR framework and the proposed US CIP rule both require name, date of birth, address, and government identification number. A well-designed verification infrastructure can satisfy both requirements with a single flow — but only if it is built to collect and retain the right data fields from the start.

Issuers that built lightweight onboarding in earlier years — minimal data collection, no formal verification policy — are now carrying a retroactive compliance gap. Unlike a new regulatory requirement that applies only to future customers, a CIP requirement typically mandates re-verification of existing account holders who do not meet the new standard. The operational cost of remediating an existing customer base that was never properly KYC'd is far higher than building it correctly the first time.

The Fraud Risk Driving the Regulation

The regulatory logic behind the CIP rule is not purely bureaucratic. Deloitte's Center for Financial Services projects that AI-enabled fraud losses in the United States will reach $40 billion annually by 2027, up from $12.3 billion in 2023. Banks are now flagging approximately 1 in 20 verification attempts as potentially fraudulent. The proportion of fraud attempts that involve AI-generated synthetic identities — including AI-generated documents, voice clones, and deepfake video — has crossed 50%.

Stablecoin issuers, historically operating with weaker identity controls than banks, have been a predictable target. Without mandatory CIP, a fraudster can acquire stablecoins from a primary issuer using a synthetic identity, convert them to other assets, and exit the regulated perimeter before detection. The proposed rule closes that gap.

The fraud environment also means that CIP compliance is not just about regulatory form — it is about detection efficacy. A rule-compliant process that collects a name and government ID but does not verify document authenticity, check biometric liveness, or screen against adverse media provides legal cover but minimal fraud protection. For a detailed view of what happens when verification systems fail, our article on synthetic identity fraud and the KYC response covers the mechanics in depth.

Building for Compliance: The Technical Requirements

Meeting the proposed CIP rule requires identity infrastructure with several specific capabilities that many stablecoin issuers currently lack.

Document verification: The issuer must be able to authenticate government-issued identity documents. This requires access to document databases, forensic image analysis, and the ability to detect AI-generated or manipulated documents — a growing problem, given that AI-generated fake IDs are now commercially available.

Biometric liveness detection: For remote verification, biometric matching against a selfie or video, combined with liveness detection that rules out a replay attack or deepfake, is the practical way to link a document to the customer presenting it. Liveness detection must be robust against injection attacks that bypass the camera layer entirely.

OFAC screening: Real-time or near-real-time screening against OFAC's Specially Designated Nationals list, plus other government lists as designated, is required at onboarding and on an ongoing basis.

Automated case management: The volume of onboarding for a stablecoin issuer with mass adoption means that human review of every case is not operationally viable. Agentic KYC — AI systems that automate verification, risk scoring, and case routing — is increasingly how compliant issuers handle scale without proportionally scaling headcount.

Audit trails: Five-year record retention requires structured data management. Each CIP record must include the data collected, the method and result of verification, and the date.

The Comment Period and What to Watch

The comment period closes August 21, 2026. Several open questions in the proposed rule are likely to attract significant comment:

• Timing of verification: The "reasonable time" standard for post-opening verification has been a source of ambiguity in bank CIP rules for decades. Commenters are likely to push for clearer timelines for stablecoin-specific flows.
• Non-US persons: The proposed rule requires a passport number or equivalent for non-US natural persons. For institutional customers from jurisdictions with different documentation norms, the practical application is unclear.
• Beneficial ownership: The proposed rule does not impose beneficial ownership requirements for legal entity customers beyond what existing regulations require. Whether GENIUS Act regulations will eventually close this gap is an open question.
• Interoperability with state regimes: Issuers already subject to state money transmitter CIP requirements have asked for explicit clarity on when federal CIP compliance satisfies state requirements and vice versa.

For compliance teams building their response, the comment period is also an opportunity. Agencies take substantive technical comments seriously, and the specifics of how verification requirements are operationalized in the final rule will be shaped by what the industry submits.

FAQ

Does the GENIUS Act CIP rule apply to all stablecoin issuers?

No. It applies to Permitted Payment Stablecoin Issuers — entities that hold a federal license or approval under the GENIUS Act framework to issue payment stablecoins. Issuers operating under state regimes, or entities that have not sought GENIUS Act authorization, are not directly covered by this specific proposed rule, though they may face similar requirements under other regulatory frameworks.

When will the rule become final and effective?

Comments close August 21, 2026. After reviewing comments, agencies will publish a final rule. The proposal provides for a twelve-month implementation period after the final rule is published, so the effective date is likely to fall in mid-to-late 2027 at the earliest — though this depends on how quickly the agencies move to finalize.

Does the rule cover decentralized stablecoin protocols?

The rule is scoped to entities that act as PPSIs under the GENIUS Act. Purely decentralized protocols with no identifiable issuer entity are not straightforwardly covered. However, any entity that performs issuing, redeeming, or custodying functions — even through a DAO wrapper — may find that regulators treat them as a functional PPSI.

What happens to secondary market activity?

Secondary market trading — buying and selling stablecoins on exchanges or through smart contracts — is explicitly excluded from the proposed CIP scope. The rule applies where the issuer has a direct relationship with the account holder, not where the issuer's token changes hands in a secondary transaction.

Can an issuer rely on a third-party KYC provider for CIP compliance?

Yes. The proposed rule includes a reliance provision: issuers may rely on other federally regulated financial institutions to perform CIP functions, provided a written agreement is in place. The issuer retains ultimate responsibility for CIP compliance, even when relying on a third party.

What data does the rule require issuers to collect?

For natural person customers: full legal name, date of birth, residential address, and government-issued identification number. For legal entity customers: entity name, principal place of business address, and taxpayer identification number or equivalent.