Federal regulators are moving to require certain payment stablecoin issuers to verify the identities of customers who open accounts directly with them, extending bank-style customer identification requirements into a digital asset sector that has been promoted as a faster, more flexible alternative to traditional payments.
The Federal Reserve Board on Thursday requested comment on a joint proposed rule that would require permitted payment stablecoin issuers to maintain written customer identification programs (CIPs), comparable to those already required of banks and credit unions.
The proposal is issued by the Financial Crimes Enforcement Network (FinCEN), the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the National Credit Union Administration.
Comments are due 60 days after the proposal is published in the Federal Register.
The rule would implement part of the GENIUS Act, the 2025 law that created a federal regulatory framework for payment stablecoins.
Under the proposal, permitted payment stablecoin issuers would be treated as financial institutions for purposes of the Bank Secrecy Act and would have to maintain an effective customer identification program, including procedures for identifying and verifying account holders.
The proposal marks another step in the federal government’s effort to bring payment stablecoins into the same anti-money laundering and counterterrorist financing framework that governs traditional financial institutions.
Stablecoins are digital assets designed to maintain a stable value relative to another asset, usually a fiat currency such as the U.S. dollar.
Regulators say their speed, liquidity, and potential use as payment instruments also make them attractive to illicit actors seeking to move or store value.
The proposed rule would require a permitted payment stablecoin issuer to establish and maintain a written CIP appropriate to its size and business. The program would have to be part of the issuer’s broader anti-money laundering and countering the financing of terrorism program.
At a minimum, the CIP would have to include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable.
The procedures would have to allow the issuer to form a reasonable belief that it knows the true identity of each customer, based on the issuer’s assessment of relevant risks, including the types of accounts it maintains, the ways accounts are opened, the identifying information available, and the issuer’s size, location, and customer base.
Before opening an account, an issuer would generally have to collect a customer’s name, date of birth for individuals or date of formation for legal entities, address, and identification number.
For U.S. persons, that would mean a taxpayer identification number.
For non-U.S. persons, it could include a taxpayer identification number, passport number and country of issuance, alien identification card number, or another government-issued document showing nationality or residence and bearing a photograph or similar safeguard.
The proposal would allow documentary and non-documentary methods of verification.
For individuals, documentary verification could include an unexpired government-issued identification document, such as a driver’s license or passport.
For corporations, partnerships, trusts, and other entities, documents could include certified articles of incorporation, a government-issued business license, a partnership agreement, or a trust instrument.
Non-documentary methods could include contacting the customer, comparing customer-provided information against consumer reporting agencies or public databases, checking references with other financial institutions, or obtaining a financial statement.
The agencies also recognize the growing use of digital identity tools, including mobile driver’s licenses and verifiable credentials, but they are not proposing a separate regulatory framework for those technologies.
Instead, the proposal would leave issuers flexibility to determine, under a risk-based approach, whether a particular digital identity tool is trustworthy enough to use for customer verification.
The proposal would also require issuers to maintain records of information obtained through the CIP. Identifying information would have to be retained for five years after an account is closed, while records related to verification methods and results would have to be retained for five years after the record is made.
Issuers would also have to include procedures for determining whether a customer appears on any federal government list of known or suspected terrorists or terrorist organizations designated by the Department of Treasury in consultation with federal functional regulators.
The proposed rule would require issuers to provide customers with notice that information is being requested to verify their identities.
Federal Reserve Governor Michael S. Barr supported issuing the proposal but warned that the broader GENIUS Act framework may not yet adequately address illicit finance risks in secondary market stablecoin transactions.
Barr said the proposed rule would impose CIP requirements on board-supervised payment stablecoin issuers similar to those imposed on board-supervised banks. He said he remains concerned that the GENIUS Act regulatory framework “does not do enough so far” to address illicit finance conducted through secondary market stablecoin transactions.
Barr also said some digital asset service providers are subject to anti-money laundering and anti-terrorist financing requirements in their home jurisdictions, but bad actors can still evade those restrictions and operate without detection when transacting in digital assets.
He said he will review comments on whether portions of the CIP rule should be extended to secondary market activity and will assess whether implementation of the broader GENIUS Act framework provides adequate protection against illicit finance involving stablecoins.
The proposed rule is part of a larger regulatory buildout under the GENIUS Act. FinCEN has separately proposed rules to apply anti-money laundering, reporting, recordkeeping, and sanctions compliance obligations to permitted payment stablecoin issuers.
If finalized, the CIP rule would become effective 12 months after issuance of the final rule, giving issuers time to build or revise customer identification systems before compliance is required.
Article Topics
AML | biometrics | cryptocurrency | digital identity | financial services | identity assurance | KYC | U.S. Government