Federal Agencies Propose More GENIUS AML/CFT Rules: Customer Identification Program and OCC Conforming Updates

Over the past week, federal agencies have proposed two additional rules to implement the anti-money laundering/countering the financing of terrorism (AML/CFT) program requirements for permitted payment stablecoin issuers (PPSIs) under the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act):

• On June 18, the Financial Crimes Enforcement Network (FinCEN) and federal banking agencies¹ jointly proposed a rule (the CIP NPRM)² outlining the scope and key components of the customer identification program (CIP) each PPSI must establish as part of its AML/CFT program. Comments are due by August 21, 2026.
• On June 22, the OCC proposed a rule³ to make conforming changes to a March AML/CFT program proposed rule for OCC-supervised PPSIs (the March OCC NPRM) to align with components of a later April proposed rule by the Office of Foreign Assets Control and FinCEN (the April OFAC/FinCEN NPRM).⁴ As the later April OFAC/FinCEN NPRM established general expectations for any PPSI’s AML/CFT and sanctions programs, including OCC-supervised PPSIs, the OCC is now proposing largely technical conforming changes to the earlier March OCC NPRM. For clarity, we refer to the OCC’s recent conforming proposal as the June OCC Conforming NPRM. Comments are due by July 24, 2026.

As is clear from this background, the CIP NPRM and June OCC Conforming NPRM are just two components of an increasingly complex series of AML/CFT-related proposals by federal agencies to establish fundamental components of the new GENIUS Act financial crimes regulatory regime for PPSIs. Key practical takeaways, however, from these proposals:

• CIP only for primary issuance and redemption, not secondary transfers: The CIP NPRM would only require a PPSI to collect and verify information under its CIP for customers with which it directly issues, redeems, and converts payment stablecoins. A PPSI would not need to collect or verify, or otherwise apply its CIP to, end users that send and receive the payment stablecoin but do not have any direct, formal relationship with the PPSI. Engaging with a PPSI’s smart contract in connection with sending and receiving the payment stablecoin would not establish a direct relationship with the PPSI.
• Bank-like CIP requirements: The substantive requirements for a PPSI’s CIP would mirror those applicable to banks and broker dealers today — for instance, requiring the collection of the same customer information, the same verification methods, and screening against the same government lists (e.g., of known or suspected terrorists).
• OCC enforcement or supervisory action only for “significant or systemic” AML/CFT program failures: The June OCC Conforming NPRM includes gloss on the OCC’s approach to enforcement actions and other supervisory actions with respect to a PPSI’s AML/CFT program — which might be of particular interest to a PPSI that has historically been operating as a money services business (MSB). Specifically, the OCC would adopt a formal rule shielding a PPSI from enforcement actions, consent orders, or supervisory actions for AML/CFT program issues unless the PPSI has demonstrated a “significant or systemic” program failure. While similar language was included in the April OFAC/FinCEN NPRM, FinCEN has never proposed or finalized a rule similarly limiting its enforcement authority over MSBs. A stablecoin issuer operating as an MSB today but considering conversion into a PPSI may take additional comfort under this proposal when identifying ad hoc, nonsystemic technical issues with AML/CFT systems and making risk-based program design and implementation decisions.
• New, unrelated requests for comment from the OCC: Unexpectedly, the OCC seems to have used the June OCC Conforming NPRM as an opportunity to request additional comments on GENIUS Act-related matters not otherwise covered in the proposal — including relating to a PPSI’s reserve assets and a potential requirement that PPSIs redeem payment stablecoins directly with noncustomer end users in certain scenarios.

The CIP NPRM

As part of establishing the first comprehensive federal regulatory framework for payment stablecoins, the 2025 GENIUS Act designated PPSIs as “financial institutions” under the Bank Secrecy Act (BSA), effectively requiring FinCEN to bring PPSIs into their longstanding regulatory framework for AML/CFT programs of other financial institutions, such as banks. Under the BSA and its implementing regulations, a financial institution’s AML/CFT programs generally must address customer identity verification and processes to monitor for and report suspicious activity — with some tailoring of these requirements by financial institution type (e.g., nonbank MSBs are not subject to the same CIP expectations as banks).

The CIP NPRM establishes the scope and key requirements for a PPSI’s CIP to identify stablecoin-user customers — and builds on the April OFAC/FinCEN NPRM, which proposed broader AML/CFT program, sanctions program, reporting, and recordkeeping obligations but did not specifically outline requirements for the CIP component of the AML/CFT program. The proposed compliance date is 12 months after the effective date of the final rule.

Scope: Primary Market Only

The CIP NPRM would limit CIP obligations to the primary market — that is, a PPSI interacting directly with a user or holder of a payment stablecoin, such as when a PPSI issues, converts, or redeems a stablecoin with or provides custodial services to a customer. As a technical matter, a PPSI’s CIP only needs to provide for the collection and verification of information about a PPSI’s “customer” (i.e., customer identification program), and a “customer” is generally defined as a person opening an “account.” The CIP NPRM’s principal structural decision is to define both “account” and “customer” in a way that excludes secondary market transactions — for example, users sending payment stablecoins directly to one another or via a third-party intermediary, not the PPSI. The following table generally summarizes these definitions:

Defined term	Includes	Excludes
Account: a formal relationship between a customer and a PPSI for services or transactions5	issuing or redeeming a payment stablecoin managing related reserves, including purchasing, selling, holding, or providing custody for reserve assets providing custodial or safekeeping services for payment stablecoins, required reserves, or private keys other activities that directly support the above providing services of a digital asset service provider6	a product or service where a formal relationship is not established — e.g., when the PPSI is not a party to the transaction other than via a smart contract (i.e., a secondary market transaction) mere ownership of a PPSI’s payment stablecoin by an end user, without other indicators of a formal relationship certain accounts acquired by a PPSI from a financial institution, subject to limits an account opened for the purpose of participating in an Employee Retirement Income Security Act employee benefit plan
Customer	a person who opens a new account an individual who opens a new account for an individual who lacks legal capacity or an entity that is not a legal person, such as a civic club	a person acquiring or redeeming a payment stablecoin other than directly with the PPSI (i.e., a person operating exclusively in the secondary market) a person whose identity the PPSI has already verified a financial institution regulated by a federal functional regulator or a bank regulated by a state bank regulator a governmental agency or entity that exercises governmental authority a company with U.S. publicly listed equity

 

CIP Requirements

The proposed substantive requirements for a PPSI’s CIP would mirror the existing CIP rules for banks. The CIP would need to be appropriate for the PPSI’s size and business and include the following:

• Customer information: A PPSI would be required to collect, at a minimum, the customer’s (i) legal name, (ii) date of birth (or legal formation, for entities), (iii) address, and (iv) identification number.
• Verification: The CIP would be required to contain procedures for verifying the identity of each customer through documentary or nondocumentary methods within a reasonable time before or after the customer’s account is opened. In practice, this allows the PPSI to open accounts while completing verification. While FinCEN and the U.S. banking agencies recognize the growing use of digital identity tools and verifiable credentials, the CIP NPRM would allow PPSIs to determine the reliability of different digital identity solutions without requiring their use.
• Reliance on another financial institution: Notably, a PPSI, like a bank, would be permitted to rely on certain other financial institutions to carry out elements of the PPSI’s CIP. Among other things, the reliance would have to be reasonable under the circumstances and under a written contract requiring a certification from the third-party financial institution that it will perform specified requirements of the PPSI’s own CIP. The third-party financial institution would also have to be subject to a CIP regulation and federally regulated, meaning a PPSI could not rely for CIP purposes on a state qualified PPSI (i.e., with total payment stablecoin issuance of $10 billion or less that opts for state regulation rather than federal regulation).

The NPRM would also require a PPSI to include in its CIP processes to maintain records, compare customer names to government lists, and provide certain customer notices, in a manner similar as applies to banks.

The June OCC Conforming NPRM

The core purpose of the June OCC Conforming NPRM was for the OCC to make technical changes to align its earlier March OCC NPRM with the subsequent April OFAC/FinCEN NPRM, both of which would establish general AML/CFT program requirements for OCC-supervised PPSIs. For example, the GENIUS Act technically requires the OCC (as one of the primary federal PPSI regulators) to issue tailored AML/CFT rules for the PPSIs it supervises, and the June OCC Conforming NPRM would formally do so by incorporating the proposed AML/CFT requirements from the April OFAC/FinCEN NPRM by reference — as well as establish formal processes for the OCC to consult with FinCEN on potential enforcement actions and for OCC-supervised PPSIs to share certain confidential supervisory information with FinCEN in the context of certain enforcement actions.

More notably:

• Limited enforcement: As discussed above, the June OCC Conforming NPRM would adopt a formal OCC rule shielding PPSIs from AML/CFT program enforcement actions absent a “significant or systemic” program failure — a significant protection for PPSIs compared with FinCEN’s more ambiguous existing rules for MSBs, including stablecoin issuers today.
• New, unrelated requests for comment: In the context of adjusting certain components of the earlier March OCC NPRM, the recent June OCC Conforming NPRM requests comment on a number of questions that relate to issues not otherwise raised by the proposed conforming edits. For example, the OCC requests comment on issues related to protecting a PPSI’s reserve assets from fraud and misuse, limits on fees a PPSI or third-party asset manager could charge to manage reserve assets, and a potential requirement that a PPSI redeem payment stablecoins directly with end users who are not the PPSI’s customer in certain scenarios where customers cannot otherwise liquidate their stablecoins.

---

1 The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the National Credit Union Administration.
2 91 Fed. Reg. 37,234 (June 22, 2026).
3 91 Fed. Reg. 37,840 (June 24, 2026).
4 Please refer to previous Sidley Updates on the March OCC NPRM and April OFAC/FinCEN NPRM.
5 Some of the examples of an account that are included are inconsistent with the concept of establishing a “formal” service relationship. For example, maintenance of reserves would not result in a PPSI establishing a formal relationship unless it is with another PPSI.
6 The CIP NPRM would adopt the GENIUS Act definition of a “digital asset service provider,” which generally includes a person or entity that (1) exchanges digital assets for traditional currency, deposits, or other digital assets; (2) transfers digital assets to a third party; (3) acts as a digital asset custodian; or (4) participates in financial services relating to digital asset issuance. It would similarly exclude distributed ledger protocols, developing distributed ledger protocols or self-custodial software, validating transactions or operating a distributed ledger, or participating in a liquidity pool to support P2P transactions. The GENIUS Act permits a PPSI to act as a digital asset service provider.