Legal development

FinCEN's proposed CIP rule for permitted payment stablecoin issuers: Familiar doctrine, new frontier

    Key takeaways

    • The proposed rule largely applies existing bank customer identification program (CIP) concepts, such as risk-based procedures, collection of identifying information, documentary and non-documentary verification, recordkeeping, and reliance, to permitted payment stablecoin issuers (PPSIs).
    • Formal “account” and “customer” relationships are dispositive. The most important question is whether the PPSI has established a formal relationship with a person to provide issuance, redemption, custody, or related services.
    • CIP is account-based, not token-based. The rule does not impose identity-verification obligations on every person who possesses or uses a stablecoin or engages in a stablecoin transaction. CIP attaches when a PPSI opens an account for a customer.
    • Intermediated models will drive the hardest interpretive questions. In platform, wallet, exchange, and embedded finance models, the central issue is whether the PPSI or only the intermediary has an account relationship with the end user.
    • Non-documentary verification will be central to compliance. Digital onboarding, API integrations, third-party identity data, blockchain analytics, and vendor tools may be appropriate, but PPSIs must demonstrate that their methods support a reasonable belief as to customer identity.

      Overview of the proposed rule

      On June 22, 2026, the Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking that would require PPSIs to establish and maintain a customer identification program. The proposal implements the GENIUS Act’s requirement that PPSIs be treated as financial institutions subject to the Bank Secrecy Act (BSA) and maintain “an effective customer identification program, including identification and verification of account holders.” 91 Fed. Reg. 37,234, 37,235 (June 22, 2026).

      The proposed rule applies familiar CIP doctrine to PPSIs. It is grounded in the statutory standards concerning “the identity of the customer” in connection with “the opening of an account.” 91 Fed. Reg. 37,236. The proposal closely tracks the bank CIP rule under 31 C.F.R. § 1020.220, adapting its requirements to the operational characteristics of stablecoin issuance.

      Critically, this is not a generalized identity-verification mandate for all stablecoin activity. The rule does not purport to identify every person who acquires, holds, or transfers stablecoins on the secondary market. Rather, it attaches at the point at which a PPSI opens an account for a customer—the same triggering event that governs bank CIP. The familiar mechanics of CIP apply: written procedures approved by the board or senior management, risk-based verification using documentary and non-documentary methods, recordkeeping, government list screening, customer notice, and procedures for handling situations in which identity cannot be reasonably verified.

      The bank CIP architecture

      The proposal deliberately preserves the architecture of the bank CIP rule that was issued more than 20 years ago in 2003. It retains the reasonable-belief standard—requiring the PPSI to form a reasonable belief that it knows the true identity of each customer—and the account-opening trigger. This is significant because stablecoins, unlike traditional deposit products, are transferable digital instruments that circulate freely across wallets, exchanges, and protocols.

      The question the rule asks, however, is not whether a stablecoin has changed hands but whether the PPSI has opened or maintains an account for a customer. The CIP obligation does not follow every token transfer and instead attaches to the relationship between the PPSI and the person for whom the PPSI provides issuance, redemption, custody, or related services. This design choice is consistent with the statutory framework and avoids imposing an impracticable identity-verification requirement on every secondary-market transaction.

      Account and customer definitions

      The definitions of “account” and “customer” are the rule’s most consequential scope provisions. Although the proposal borrows from the existing CIP architecture, it adapts the account concept to the PPSI context. An “account” is not limited to a traditional deposit or custodial account. Instead, the proposal frames the account relationship around the stablecoin services a PPSI provides, including issuance, redemption, custody, transfer, or other services connected to permitted payment stablecoins and related digital asset functionality.

      That stablecoin-specific tailoring matters. The proposal recognizes that PPSIs may not look like banks offering conventional deposit accounts. They may provide account-like services through digital wallets, platform integrations, redemption portals, application programming interfaces (APIs), custody arrangements, or other stablecoin infrastructure. The relevant question is therefore not whether the arrangement resembles a traditional bank account but whether the PPSI has established a formal relationship with a person to provide stablecoin-related services covered by the proposed definition.

      The definition of “customer” performs the corresponding limiting function. The customer is the person who opens the account with the PPSI. In a direct model, that will often be the end user seeking issuance, redemption, custody, wallet access, or related PPSI services. In an intermediated model, the customer may instead be the platform, wallet provider, exchange, or other intermediary if that entity—not the end user—opens the account with the PPSI and the PPSI does not establish a formal account relationship with the intermediary’s users.

      These definitions establish the outer boundary of the proposed CIP obligation. A PPSI is not required to identify every person who later receives, holds, or transfers its stablecoin. A person who purchases stablecoins on a secondary market, holds them in a self-custodied wallet, receives them as payment, or transfers them without opening an account with the PPSI should not become a PPSI customer solely by virtue of possessing or using the tokens. What matters is the account relationship: whether the person has opened, or is otherwise the customer of, a formal relationship with the PPSI for stablecoin-related services.

      At the same time, the stablecoin-specific definition of “account” means PPSIs should not assume that CIP applies only to arrangements labeled as “accounts.” If the PPSI provides issuance, redemption, custody, wallet, transfer, or similar services through a formal relationship, the relationship may fall within the proposed account definition even if the product is described using stablecoin or platform terminology rather than traditional banking terminology. The practical analysis should therefore focus on the substance of the relationship, the services provided, and the person for whom the account is opened.

      Intermediated distribution models

      The hardest interpretive questions under the proposed rule will arise in intermediated models—scenarios in which stablecoins reach end users through wallets, exchanges, embedded finance platforms, or other distribution partners rather than directly from the PPSI. In these arrangements, the central question is not whether identity verification occurs somewhere in the chain but whether the PPSI has opened or maintains the relevant account for the end user.

      If the PPSI maintains an account relationship with the end user—even where a third-party interface facilitates onboarding or access—CIP obligations may attach to the PPSI with respect to that end user. Conversely, if the PPSI’s account relationship is solely with the intermediary (and the intermediary separately onboards its own customers), the intermediary may be the PPSI’s customer for CIP purposes, and the end user may not be.

      Several factors inform this determination: Who opens the account? Whose terms of service govern the relationship? Who is identified to the end user as the service provider? Who provides issuance, redemption, custody, or account services? Who maintains records of account activity? Who can approve, restrict, freeze, close, or redeem? Who controls the flow of funds or stablecoins? Who collects and verifies identifying information? These questions do not yield mechanical answers, but they define the analytical framework.

      Analogies: Prepaid access and OCC Interpretive Letter 1174

      Two existing regulatory frameworks provide useful—though imperfect—analogies for applying the proposed PPSI CIP rule to intermediated stablecoin models.

      First, the federal banking agencies and FinCEN’s 2016 prepaid access guidance on CIP requirements suggests that a covered bank may maintain an account relationship even where a program manager or other intermediary manages the customer-facing aspects of the product. The presence of an intermediary does not necessarily determine who has the relevant account relationship for CIP purposes.

      Second, Office of the Comptroller of the Currency (OCC) Interpretive Letter 1174 is instructive in the API-based banking context. There, the fact that a technology provider delivered the customer-facing interface did not eliminate the bank-customer relationship where the bank remained the legal provider of the banking services and maintained the underlying contractual relationship with the end user.

      For PPSIs, these analogies suggest that direct legal and contractual relationships should carry significant weight. Terms of service, account agreements, redemption rights, custody agreements, or other direct obligations between the PPSI and the end user are strong indicators that the PPSI maintains the relevant account relationship. Customer-facing materials identifying the PPSI as the issuer, account provider, custodian, or redemption obligor would point in the same direction.

      The analogy is weaker where the PPSI provides services only to an intermediary, has no contractual relationship with the intermediary’s users, gives those users no direct rights against the PPSI, and does not provide account-level services to them. In that structure, the intermediary is more likely to be the PPSI’s customer.

      Structure, relationship, and control

      We expect PPSI customer determinations to turn on three related considerations: structure, relationship, and control.

      Structure asks how the account is formally arranged. Relevant evidence includes the account documentation, platform agreements, customer disclosures, and internal records identifying who opens the account and who is treated as the account holder.

      Relationship asks whether the PPSI has a direct or mediated relationship with the end user. This is where contractual privity is especially important. If the end user agrees to PPSI terms, receives redemption or custody rights from the PPSI, or is otherwise granted direct rights against the PPSI, the end user is more likely to be viewed as the PPSI’s customer. If the PPSI’s only relationship is with the intermediary, the intermediary is more likely to be the customer.

      Control asks whether the operational reality supports the formal designation. Relevant considerations include who controls account access, redemption, restrictions, freezes, records, and transaction activity.

      FinCEN’s enforcement order in In re Pinnacle Capital Markets, LLC is useful by analogy on this last point, but it should not be overstated. Pinnacle does not interpret the proposed PPSI CIP rule or establish a stablecoin-specific customer standard. Its relevance is methodological: To determine whether a customer relationship had been created, FinCEN looked beyond formal labels and examined how the account relationship operated in practice, including access, control, and the institution’s anti-money laundering (AML) oversight of activity conducted through the accounts. See FinCEN, FIN-2010-4, Assessment of Civil Money Penalty, In the Matter of Pinnacle Capital Markets, LLC (Aug. 26, 2010).

      The practical point is straightforward: PPSIs should make sure the formal account structure, contractual relationship, and operational control framework tell the same story. Contractual designations will matter, but they should be consistent with how the product actually operates.

      Non-documentary verification and third-party data

      Given the digital-native character of stablecoin issuance, non-documentary verification methods will be central to PPSI compliance. PPSIs will likely employ digital onboarding workflows, third-party identity databases, device intelligence, vendor-provided identity verification services, blockchain analytics, sanctions screening tools, fraud signals, IP and geolocation data, and API-based data flows.

      The proposal does not prescribe specific verification technologies, but PPSIs will need robust controls over their non-documentary processes. These include controls addressing data provenance and reliability, identity-matching logic, handling of incomplete or stale data, exception processing, false positives and false negatives, vendor oversight and due diligence, audit trails, sanctions and watchlist screening, escalation protocols, manual review procedures, and periodic testing of verification effectiveness.

      Recent developments regarding third-party taxpayer identification number (TIN) collection for banks are directionally relevant—they reflect regulatory comfort with certain intermediated data-collection models—but those provisions have not been expressly extended to PPSIs. Industry participants may wish to address this gap in comments.

      Reliance and outsourcing

      The proposed rule permits a PPSI to rely on another regulated financial institution to perform CIP functions, subject to specified conditions. However, the provisions related to reliance address who performs CIP verification, not whether the PPSI has opened an account or who the PPSI’s customer is. A PPSI cannot avoid a customer determination by pointing to an intermediary’s CIP program; it must first determine whether it has an account relationship with the person and, if so, either perform CIP itself or establish a valid reliance arrangement.

      Similarly, vendor outsourcing of CIP functions does not shift the PPSI’s regulatory responsibility. The PPSI remains accountable for the adequacy of its CIP regardless of whether verification is performed in-house or by a third-party service provider. True regulatory reliance—as distinguished from commercial outsourcing—requires that the relied-upon institution be an eligible financial institution and that appropriate contractual and certification arrangements be in place.

      Next steps for industry participants

      PPSIs and their platform partners should take the following steps in anticipation of a final rule:

    • Map account architecture across all distribution channels, identifying each point at which the PPSI may be deemed to open or maintain an account.
    • Identify the customer for each account type, distinguishing between relationships with intermediaries and relationships with end users.
    • Test contractual labels against operational reality, evaluating whether formal account designations are consistent with how services are actually provided and controlled.
    • Define control rights with precision, documenting who can approve, restrict, freeze, close, or redeem with respect to each account type.
    • Allocate CIP responsibilities between the PPSI and its distribution partners, specifying which entity performs each CIP function and on what legal basis.
    • Assess whether reliance arrangements are available and appropriate for each distribution model.
    • Build non-documentary verification controls that are auditable, testable, and defensible.
    • Align CIP with AML transaction monitoring to ensure that customer determinations are consistent across compliance functions.

    The comment period

    The proposal provides a 60-day comment period. Comments must be received by August 21, 2026. PPSIs, wallet providers, exchanges, and platform partners should consider submitting comments addressing several issues of particular importance: the scope and application of the “account” and “customer” definitions; the treatment of intermediated distribution models; the significance of terms of service and contractual privity in determining whether a PPSI has an account relationship with an end user; the distinction between reliance and outsourcing; the standards for non-documentary verification and use of third-party data; and the treatment of secondary-market participants. Thoughtful industry engagement during this period can meaningfully shape the final rule’s contours.

    Conclusion

    FinCEN’s proposed CIP rule for PPSIs is doctrinally conservative but operationally significant. It imports the familiar bank CIP framework from 2003 into an industry characterized by novel distribution models, digital-native verification, and complex intermediary relationships. The central question under the rule is not whether a person uses or holds a stablecoin but whether that person has an account relationship with the PPSI.

    For PPSIs operating through intermediated models, the practical framework is: Start with structure, identify the relationship, assess control, and align verification. Those that invest in rigorous account-architecture analysis, defensible customer determinations, and robust non-documentary verification will be best positioned to demonstrate compliance as the regulatory framework matures.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.