Learn more about the latest security and privacy threats
Back

Stablecoin KYC rule: five US agencies propose CIP duties under the GENIUS Act

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Published June 29, 2026 Reviewed by Charlene Wang
Editorial illustration for the article "Stablecoin KYC rule: five US agencies propose CIP duties under the GENIUS Act".

Five US agencies propose a stablecoin KYC rule forcing payment stablecoin issuers to verify every customer under the GENIUS Act. Comments close 21 August 2026.

Table of contents

Five US regulators have proposed a stablecoin KYC rule that would force permitted payment stablecoin issuers to identify and verify every customer before opening an account. Announced on 18 June 2026 and published in the Federal Register on 22 June 2026 under the GENIUS Act, the customer identification program proposal is open for comment until 21 August 2026.

  • FinCEN, the OCC, the Federal Reserve, the FDIC and the NCUA jointly issued the stablecoin KYC rule; comments close 21 August 2026.
  • It treats permitted payment stablecoin issuers as financial institutions under the Bank Secrecy Act and requires a written customer identification program.
  • Issuers must collect a name, date of birth, physical address and identification number, then verify identity on a risk basis before opening any account.
  • A final rule would take effect 12 months after issuance, giving issuers a defined runway to build onboarding controls.
  • The proposal completes a rulemaking sequence that already covers AML, sanctions and Bank Secrecy Act standards for the same issuers.

What does the stablecoin KYC rule require?

The stablecoin KYC rule requires every permitted payment stablecoin issuer to build a written customer identification program and verify each customer before opening an account. On 18 June 2026 the five agencies that oversee these issuers proposed the rule together, and it was published in the Federal Register on 22 June 2026 with a 60-day comment window.

At the point of onboarding, an issuer must collect four pieces of identifying information: the customer's name, a date of birth for individuals or formation date for entities, a physical address (post office boxes are excluded), and an identification number such as a US taxpayer ID or, for non-US persons, a passport number. The issuer must then verify identity using documentary methods, such as a government-issued ID, or non-documentary methods, such as an identity verification vendor. The agencies require each issuer to form, in the words of the proposal, "a reasonable belief that it knows the true identity" of every customer (Federal Register, NPRM), the same test that anchors bank onboarding.

FactDetail
Issuing agenciesFinCEN, OCC, Federal Reserve, FDIC, NCUA
Proposed18 June 2026
Federal Register22 June 2026 (doc 2026-12460)
Comment deadline21 August 2026 (60 days)
Effective12 months after a final rule
StatuteGENIUS Act; Bank Secrecy Act

How does the rule fit the GENIUS Act timeline?

The customer identification program proposal is the final piece of a four-part rulemaking that implements the GENIUS Act, signed into law in July 2025. The Act directs that permitted payment stablecoin issuers be treated as financial institutions under the Bank Secrecy Act, then leaves the agencies to write the operational standards. They have done so in stages through 2026.

Earlier proposals set application procedures, then AML and sanctions program duties, then broader Bank Secrecy Act standards. The June stablecoin KYC rule supplies the missing identity layer: who an issuer must know, and how. Read together, the four proposals give a stablecoin issuer the same compliance spine as a bank, built specifically for a market that did not exist when the core onboarding rules were written.

Stage in 2026What it covers
FebruaryApplication and licensing procedures for issuers
AprilAML/CFT program and sanctions compliance duties
MayBank Secrecy Act standards for supervised issuers
JuneCustomer identification program (this proposal)

What does the stablecoin KYC rule mean for your obligations?

The stablecoin KYC rule converts a general statutory duty into named, testable controls. If you issue a payment stablecoin, the change is concrete across four established obligation areas, not abstract.

For customer due diligence, you move from informal checks to a documented customer identification program with the four data points and a recorded verification decision per customer. For sanctions screening, the proposal requires checking customers against government lists of known or suspected terrorists, which sits alongside Office of Foreign Assets Control screening you already owe as a US person. For record-keeping, you must retain the identifying information and a description of the verification method, the evidence an examiner will request first. For reliance, you may lean on another federally regulated financial institution for the program if the arrangement is reasonable, set out in a contract and certified annually, though a State-qualified issuer cannot rely on another State-qualified issuer. The duty to file a Suspicious Activity Report does not change, but a stronger identity layer makes the underlying detection more reliable.

The scope of "customer" matters here. The proposal targets people opening a new account directly with an issuer. Someone who acquires a stablecoin on the secondary market, through an exchange rather than from the issuer, is generally outside the definition, so the rule does not reach every holder of a token.

What is still uncertain about the stablecoin KYC rule?

Plenty is unresolved, because this is a proposal, not a final rule. The agencies have asked for comment, and the text can shift before it binds anyone. The first open question is the secondary-market gap: if direct customers are screened but tokens then circulate freely between unscreened wallets, critics will argue the rule verifies the front door while the building has many others.

Cost and engineering burden are the second risk. Building a customer identification program, wiring verification vendors and retaining records is routine for a bank and heavy for a young issuer, and the 12-month runway may feel short once a final rule lands. Third, the four proposals must interlock cleanly; gaps or contradictions between the AML, sanctions, Bank Secrecy Act and identity layers would create compliance ambiguity that examiners and issuers both dislike. Finally, retaining detailed identity records for a fast-growing customer base concentrates sensitive data, and every new honeypot is a future breach headline. The rule is necessary, but it does not, on its own, solve where that data should live.

Who is in scope and who is exempt?

The rule reaches permitted payment stablecoin issuers, the entities the GENIUS Act licenses to issue payment stablecoins, whether they sit under a bank, a credit union or a State regime. The "account" that triggers the duty is a formal relationship to issue or redeem stablecoins, manage reserves or provide custody, not a casual transfer between users.

Several categories fall outside. Existing customers an issuer already knows do not need re-verification, other regulated financial institutions are excluded as customers, and people who obtain a stablecoin through an intermediary rather than directly from the issuer are not "customers" for this purpose. That last carve-out is the most consequential, because most stablecoin units change hands on the secondary market, far from the issuer's onboarding screen.

How should compliance teams respond?

Start by confirming whether you are, or will become, a permitted payment stablecoin issuer, because the answer decides whether any of this binds you. If it does, map your current onboarding against the four data points and the risk-based verification standard, and document the gaps now rather than after a final rule starts the 12-month clock. Decide early whether you will verify in-house or rely on a federally regulated partner, since the reliance route needs a contract and an annual certification you cannot assemble overnight. File a comment before 21 August 2026 if the secondary-market scope or the effective date would hurt your model, because the text is still movable. For background, our explainer on how KYC and AML obligations differ and our note on the EU MiCA deadline show how the same identity duties are landing on both sides of the Atlantic, while the Prince Group sanctions action shows what weak onboarding eventually invites.

A stablecoin KYC rule that mandates collecting and retaining identity records raises one quiet question: where does that data sit. Zyphe verifies a customer through an NFC chip read to ICAO 9303 and eIDAS standards with two-step liveness and no image upload, then shards the personal data across a decentralised network so no single node holds a complete record and there is no central honeypot to breach. The reusable credential lets a verified customer re-present elsewhere, and the single API integrates in about 15 minutes on usage-based pricing. See how it works and pricing, or book a demo to map it to a stablecoin onboarding flow.

The bottom line

The proposal closes the last obvious gap in stablecoin oversight: identity at onboarding. For teams running KYC and AML, the message is that a stablecoin issuer is now expected to know its customers the way a bank does, with documented collection, risk-based verification and retained records. The open scope question for the stablecoin KYC rule, what to do about tokens that circulate on the secondary market, will dominate the comment period, and the honeypot risk that comes with retaining identity data is a reason to think hard about architecture, not just process, before the clock starts.

Cited sources

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.

Frequently Asked Questions

It is a June 2026 proposal requiring permitted payment stablecoin issuers to run a customer identification program. FinCEN, the OCC, the Federal Reserve, the FDIC and the NCUA issued it jointly under the GENIUS Act, which treats these issuers as financial institutions under the Bank Secrecy Act.

Comments are due by 21 August 2026, 60 days after the proposal appeared in the Federal Register on 22 June 2026. The agencies propose that a final rule take effect 12 months after it is issued, giving issuers time to build onboarding and verification controls.

Before opening an account, an issuer must obtain the customer's name, a date of birth or formation date, a physical address that is not a post office box, and an identification number such as a taxpayer ID or passport number. It must then verify identity using documentary or non-documentary methods.

No. It covers customers opening an account directly with the issuer. Someone who buys a stablecoin on the secondary market, through an exchange rather than from the issuer, is generally outside the definition of "customer", which is the main scope question commenters are likely to raise.

Yes, within limits. An issuer may rely on another federally regulated financial institution for its customer identification program if the arrangement is reasonable, set out in a contract and certified annually. A State-qualified issuer, however, cannot rely on another State-qualified issuer for the program.

See privacy-first KYC in action

Verify identity without storing a single document. Reusable credentials, an exportable audit trail, and a 15-minute integration.

Book a demo