A five-agency US rule proposed on June 18, 2026 would treat payment stablecoin issuers as financial institutions under the Bank Secrecy Act and force them to run customer identity checks — but only at the point of issuance and redemption, leaving the secondary market where most stablecoins actually move outside the perimeter.
The Financial Crimes Enforcement Network (FinCEN), with the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA), issued a joint notice of proposed rulemaking that implements the customer-identification-program (CIP) mandate in the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act), enacted in July 2025. The rule, published in the Federal Register on June 22, 2026 with comments due August 21, 2026, classifies permitted payment stablecoin issuers (PPSIs) as financial institutions under the Bank Secrecy Act (BSA). This analysis walks through what the rule requires, how it compares with the EU, UK and Singapore, the enforcement history that explains its design, and the secondary-market gap that dominates the debate.
Key Facts:
• Five agencies (FinCEN, OCC, Federal Reserve, FDIC and NCUA) issued the joint CIP notice of proposed rulemaking on June 18, 2026 — FinCEN
• The rule classifies permitted payment stablecoin issuers as financial institutions under the Bank Secrecy Act — Federal Register
• CIP obligations apply only to primary-market activity (issuing, redeeming and custody), not secondary-market peer-to-peer transfers — Sullivan & Cromwell
• Issuers must collect name, date of birth, address and an identification number before opening an account — Federal Register
• The comment period closes August 21, 2026 — FinCEN
• A separate April 10, 2026 notice already proposed full AML/CFT and sanctions-compliance programmes for PPSIs — Federal Register
Methodology and sources
This analysis is built on primary documents: the June 22, 2026 CIP notice of proposed rulemaking in the Federal Register, FinCEN’s accompanying news release and fact sheet, the US Treasury announcement, and the April 10, 2026 AML/CFT and sanctions NPRM that precedes it. Secondary analysis draws on client alerts from Sullivan & Cromwell, Mayer Brown and Troutman Pepper Locke. The jurisdictional scope covers four regimes — the United States, the European Union, the United Kingdom and Singapore — chosen because each has a live payment-stablecoin framework in 2026. The time window is the GENIUS Act implementation cycle from the statute’s July 2025 enactment to the August 21, 2026 comment deadline. Where the rule is still a proposal, this is flagged; nothing here is final until the agencies issue a final rule.
What the rule actually requires
The GENIUS Act created a federal category — the permitted payment stablecoin issuer — and directed Treasury to apply anti-money-laundering obligations to it. The June rule delivers the customer-identification piece. A CIP is the same core obligation that banks have carried since the USA PATRIOT Act: a written, risk-based programme that collects identifying information and verifies who the customer is before, or within a reasonable time after, an account is opened. For PPSIs, that means capturing a name, date of birth, address and identification number, screening against government lists designated for CIP purposes, keeping records, and giving customers notice.
The defining design choice is the primary-market limitation. A CIP is required only when a customer deals directly with the issuer — minting new tokens against dollars, or redeeming tokens for dollars. Once a stablecoin is in circulation and changes hands wallet-to-wallet or on an exchange, the issuer owes no CIP duty on that transfer.
The US stablecoin CIP rule applies only to primary-market activity, defined as a customer’s direct dealing with the issuer to mint or redeem tokens. Under the June 22, 2026 notice of proposed rulemaking, “customers” for CIP purposes exclude secondary-market participants, even though most stablecoin volume occurs on the secondary market. FinCEN’s stated rationale is that issuers lack unique information about downstream transfers and that extending CIP there would generate defensive, low-value reporting. The rule also lets a PPSI rely on another federally regulated financial institution’s CIP where that institution has an AML/CFT programme and contractually certifies it annually. In practice, exchanges and wallet providers — not issuers — remain the chokepoint for identifying who actually holds and moves a dollar-pegged token in day-to-day use.
| Jurisdiction / Regulator | Framework & date | Issuer scope | Key identity requirement | Secondary-market reach |
|---|---|---|---|---|
| US (FinCEN + OCC, Fed, FDIC, NCUA) | GENIUS Act CIP rule, proposed June 18, 2026 | Permitted payment stablecoin issuers | CIP under the Bank Secrecy Act at mint/redeem | Excluded — primary market only |
| EU (ESMA + national authorities, AMLA) | MiCA, Regulation (EU) 2023/1114; EU AML package | Issuers of EMTs and ARTs; all CASPs | KYC at issuance plus Travel Rule on transfers via CASPs | Covered — CASPs apply checks on transfers |
| UK (FCA, HM Treasury) | FCA stablecoin regime, phasing through 2026 | Authorised fiat-backed stablecoin issuers | Money Laundering Regulations 2017 KYC; promotions regime | Partial — via authorised intermediaries |
| Singapore (MAS) | Payment Services Act; stablecoin framework, 2023 | Single-currency stablecoin issuers (SCS) | KYC and Travel Rule under MAS notices | Covered — DPT service providers in scope |
Sources: Federal Register, MiCA Regulation (EU) 2023/1114, FCA and MAS published frameworks. Last updated June 27, 2026.
How four jurisdictions diverge
The contrast in the table is not about whether issuers must run KYC — they must in all four — but about how far the obligation travels. The EU’s Markets in Crypto-Assets Regulation (MiCA) pairs issuer-level checks with a transfer-of-funds Travel Rule applied by every Crypto-Asset Service Provider (CASP), so identity data follows the token across regulated venues. The US rule deliberately stops at the issuer. Singapore’s Monetary Authority of Singapore (MAS) regime sits closer to the EU, placing Digital Payment Token service providers in scope for both KYC and the Travel Rule. The UK’s Financial Conduct Authority (FCA) framework, still phasing in, leans on the Money Laundering Regulations 2017 and authorised intermediaries rather than a single issuer-to-transfer chain.
The practical consequence is regulatory-arbitrage risk. A token minted by a US PPSI carries verified identity only at its creation; the same token traded on an offshore venue sheds that linkage. The EU and Singapore approaches keep the identity layer attached for longer because they regulate the service providers handling transfers, not just the issuer.
The divergence between the US and EU stablecoin AML models comes down to the regulated chokepoint. The US GENIUS Act rule, proposed June 18, 2026, fixes the obligation on the issuer at mint and redeem. MiCA, by contrast, distributes the duty across CASPs and applies the Financial Action Task Force (FATF) Travel Rule to transfers, so a Euro-denominated EMT keeps its identity trail as it moves between regulated firms. For a global issuer, that means running two compliance architectures: a narrow primary-market CIP for the US market and a broader transfer-level programme for the EU. Industry Spread has tracked this widening split in its coverage of the EU’s AMLA single rulebook and the FATF Travel Rule sunrise gap.
“President Trump is strengthening American leadership in digital financial technology. This proposal will protect the U.S. financial system from national security threats without hindering American companies’ ability to forge ahead in the payment stablecoin ecosystem.”
— Scott Bessent, Secretary, US Department of the Treasury (U.S. Department of the Treasury)
Enforcement context: why BSA coverage matters
The rule’s design is best read against the largest crypto-AML case on record. In November 2023, Binance and its founder Changpeng Zhao settled with the US Department of Justice, FinCEN and the Office of Foreign Assets Control (OFAC) for a total of $4.3 billion, after the exchange was found to have violated the Bank Secrecy Act by operating without an effective AML programme and processing transactions tied to sanctioned jurisdictions. FinCEN’s own consent order accounted for $3.4 billion of that figure, the largest in the bureau’s history at the time.
The Binance settlement established the template the GENIUS Act rules now formalise: if an entity sits at a chokepoint for dollar-denominated value, US authorities will treat the absence of a functioning identity-and-screening programme as a BSA violation carrying multi-billion-dollar exposure. By naming PPSIs as financial institutions, the June rule removes any argument that a stablecoin issuer is outside the BSA perimeter. It also explains the primary-market focus: issuers are the one actor in the stablecoin stack that authorities can license, examine and penalise directly, the same logic that made centralised exchanges the target in 2023.
That precedent is why compliance teams treat the proposal as a floor, not a ceiling. The enforcement risk attaches the moment an issuer is named a BSA financial institution, regardless of how the secondary-market debate resolves.
What this means for issuers, exchanges and compliance teams
For stablecoin issuers, the immediate task is standing up a documented, risk-based CIP that captures the four core data points at mint and redemption, plus the records and government-list screening the rule specifies. Issuers planning to lean on the reliance provision must paper contractual annual certifications with each federally regulated counterparty whose CIP they intend to use — a procurement and legal exercise, not just a technology one.
For exchanges, custodians and wallet providers, the message is that the identity burden for secondary-market activity stays with them under existing money-services-business and exchange rules; the issuer rule does not lift it. Firms operating across the US and EU face the heavier lift: a US programme scoped to primary-market dealings and an EU programme that applies the Travel Rule to every transfer. Fund managers and tokenisation platforms entering the reserve business — a trend visible in this week’s filings for tokenised stablecoin-reserve funds — should expect their issuer partners to demand CIP attestations before onboarding. Legal and compliance teams should file comments before August 21, 2026, particularly on the reliance conditions and the secondary-market boundary, both of which will shape the final rule. The cross-border reserve dimension also intersects with the Bank of England’s stablecoin cap.
“Bear no responsibility once a coin has been issued, their incentive to invest in blocking technology weakens.”
— Siwon Huh, Analyst, Four Pillars (Yahoo Finance)
What’s next — the forward view
Three threads will decide the final shape of the regime. First, the comment file: banking groups including the Bank Policy Institute and The Clearing House are pressing for stricter secondary-market obligations, while DeFi-aligned voices such as Paradigm and the Hyperliquid policy centre argue the perimeter is already too wide for permissionless software. Their submissions are due by August 21, 2026, and the agencies must reconcile them before a final rule. Second, the interaction with the April 10, 2026 AML/CFT and sanctions NPRM: the CIP rule is one of several GENIUS Act pieces, and issuers will not have a complete compliance picture until the full programme requirements are finalised. Third, jurisdictional alignment: as the EU beds in MiCA and reopens parts of its rulebook — covered in our report on Hong Kong’s competing stablecoin licences — global issuers will lobby for mutual recognition to avoid running parallel identity systems. Expect a final US rule no earlier than late 2026, with the secondary-market question the most contested item in the file.
TL;DR
On June 18, 2026, five US agencies led by FinCEN proposed a rule classifying permitted payment stablecoin issuers as financial institutions under the Bank Secrecy Act and requiring a customer identification programme at issuance and redemption. Crucially, the obligation stops at the primary market: secondary-market peer-to-peer transfers, where most of the roughly $300 billion stablecoin market actually circulates, fall outside the issuer’s CIP duty. Comments close August 21, 2026. The design mirrors the logic of the $4.3 billion Binance settlement — regulate the licensable chokepoint — and leaves a wider AML gap than the EU’s MiCA and Singapore’s MAS regimes, which apply Travel Rule checks across service providers.
FAQ
What does the new US stablecoin CIP rule require?
It requires permitted payment stablecoin issuers to run a written, risk-based customer identification programme — collecting name, date of birth, address and an identification number, and verifying identity — when customers mint or redeem tokens directly with the issuer. It was proposed on June 18, 2026, with comments due August 21, 2026.
Does the rule cover secondary-market stablecoin transfers?
No. The customer identification obligation applies only to primary-market activity — direct dealings with the issuer. Peer-to-peer and exchange transfers, where most stablecoin volume occurs, are excluded; identity duties there fall on exchanges and wallet providers under separate rules.
Are stablecoin issuers now financial institutions under US law?
Under the proposal, yes. Permitted payment stablecoin issuers would be classified as financial institutions for Bank Secrecy Act purposes, bringing them squarely within FinCEN’s anti-money-laundering jurisdiction.
How does the US approach differ from the EU’s MiCA?
MiCA pairs issuer KYC with a Travel Rule applied by every Crypto-Asset Service Provider, so identity data follows the token across regulated venues. The US rule stops at the issuer, creating a narrower perimeter and a wider secondary-market gap.
What is the enforcement precedent behind the rule?
The November 2023 Binance settlement of $4.3 billion with the DOJ, FinCEN and OFAC for Bank Secrecy Act and sanctions violations established that chokepoint entities handling dollar value must run effective AML programmes — the logic the GENIUS Act rules now codify for issuers.
When could the rule become final?
Not before the comment period closes on August 21, 2026, and likely no earlier than late 2026, given the volume of contested submissions on the secondary-market boundary and the reliance conditions.
This article is informational analysis only and does not constitute legal, regulatory, tax, or investment advice. Regulatory frameworks change frequently and interpretation depends on facts and circumstances; primary documents and official regulator guidance always supersede summaries. Firms should consult qualified legal counsel and their relevant supervisory authority before taking any action based on the analysis above.