The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and four federal banking regulators proposed a rule on Wednesday that would require permitted payment stablecoin issuers to maintain customer identification programs under the GENIUS Act’s anti-money-laundering (AML) framework.

The joint proposal issued by FinCEN, the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corp. and the National Credit Union Administration would treat permitted payment stablecoin issuers as financial institutions under the Bank Secrecy Act (BSA) for purposes of customer identification requirements.

The rule would require each permitted payment stablecoin issuer to establish and maintain a written customer identification program, or CIP, tailored to the issuer’s size and business. In some cases, stablecoin issuers would be allowed to rely on the CIP procedures of a national bank or another financial institution under federal oversight, although issuers would ultimately be responsible for ensuring the proper steps had been taken to mitigate their AML risks, the agencies said. 

Such steps include implementing risk-based procedures to verify the identity of each customer to the extent reasonable and practicable. The procedures would have to allow the issuer to form a reasonable belief that it knows the customer’s true identity, taking into account the issuer’s account types, account-opening methods, available identifying information, size, location, and customer base.

Before opening an account, issuers would have to obtain a customer’s name, date of birth for an individual or date of formation for an entity, address, and identification number. Verification could be conducted through documents, non-documentary methods, or both, within a reasonable period before or after an account is opened.

For non-documentary verification, the proposed rule cites methods such as contacting the customer, comparing customer-provided information with information from a consumer reporting agency, public database or other source, checking references with other financial institutions, or obtaining a financial statement.

For legal-entity customers and other non-individual customers, the agencies would require procedures to obtain information about individuals with authority or control over the account when the issuer cannot otherwise verify the customer’s identity through standard methods.

The proposed rule would also require issuers to have procedures for situations in which they cannot form a reasonable belief that they know a customer’s true identity, including a plan to address when an account should not be opened, when a customer may use an account while verification is pending, when an account should be closed after failed verification efforts, and when the issuer should file a suspicious activity report.

The agencies also proposed recordkeeping, government-list screening, and customer-notice requirements. Issuers would have to retain identifying information for five years after an account is closed and retain records related to verification methods and discrepancy resolution for five years after the record is made. They also would have to determine whether customers appear on federal lists of known or suspected terrorists or terrorist organizations designated by Treasury in consultation with federal regulators.

FinCEN and the agencies estimated that about 50 permitted payment stablecoin issuers would be affected by the proposed rule, with roughly 60 percent expected to be subsidiaries of insured depository institutions and 40 percent expected to be other issuers. 

The CIP proposal follows an April FinCEN-OFAC proposal that would impose broader AML/CFT and sanctions compliance obligations on permitted payment stablecoin issuers.

The agencies are seeking comment on all aspects of the proposal, including whether any customer identification requirements should extend to secondary-market activity, whether the definitions of account, customer or digital asset service provider should be refined, and whether the rule should explicitly address digital identity solutions or verifiable credentials.

Comments are due by August 21. The agencies proposed that the rule become effective 12 months after a final rule is issued.