( printed page 37234)

SUPPLEMENTARY INFORMATION:

I. Introduction

This proposal implements the GENIUS Act's directives to treat permitted payment stablecoin issuers (PPSIs) as financial institutions for purposes of the Bank Secrecy Act (BSA) and to require such issuers to maintain an “effective customer identification program, including identification and verification of account holders.” ^[1] This notice of proposed rulemaking (NPRM) is being issued jointly by FinCEN, along with the OCC, Board, FDIC, and NCUA (each an “Agency” and collectively “the Agencies”) as applied to the PPSIs that each Agency supervises.^[2] The proposal would also apply to PPSIs that opt for state supervision under the GENIUS Act.^[3]

Separately, FinCEN issued a rulemaking proposing changes to its existing regulations to effectuate the GENIUS Act's direction to apply BSA obligations to PPSIs. These changes include creation of a new part in chapter X applicable to PPSIs, proposed part 1033, into which this proposed rule would be incorporated.^[4]

II. Background and Authority

The GENIUS Act provides a comprehensive framework for the regulation of payment stablecoins.^[5] The GENIUS Act requires that a PPSI “be treated as a financial institution for purposes of the Bank Secrecy Act, and ( printed page 37236) as such, shall be subject to all Federal laws applicable to a financial institution located in the United States relating to economic sanctions, prevention of money laundering, customer identification, and due diligence.” ^[6] In addition to this clear, general directive, the GENIUS Act specifies that a PPSI's obligations include “maintenance of an effective customer identification program, including identification and verification of account holders with the permitted payment stablecoin issuer.” ^[7]

The Bank Secrecy Act, or “BSA,” is the common name for a collection of statutory authorities designed to, among other things, safeguard the national security of the United States by combating money laundering, the financing of terrorism, and other illicit finance activity.^[8] The Secretary of the Treasury has delegated the authority to implement, administer, and enforce the BSA and its associated regulations to the Director of FinCEN.^[9] The BSA requires the Secretary of the Treasury to prescribe “minimum standards” for financial institutions regarding “the identity of the customer that shall apply in connection with the opening of an account,” commonly referred to as customer identification programs (CIPs).^[10] Under the BSA, these minimum standards the Secretary of the Treasury prescribes must include reasonable procedures for: (1) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; (2) maintaining records of the information used to verify a person's identity, including name, address, and other identifying information; and (3) determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency.^[11] In prescribing regulations related to these minimum standards, the BSA directs the Secretary of the Treasury to “take into consideration the various types of accounts maintained by various types of financial institutions, the various methods of opening accounts, and the various types of identifying information available.” ^[12] For financial institutions engaging in financial activity described in section 4(k) of the Bank Holding Company Act of 1956, such regulations must be jointly prescribed by the Secretary of the Treasury and the appropriate Federal functional regulator.^[13]

FinCEN, jointly with the appropriate Federal functional regulators, has issued implementing regulations imposing CIP obligations on various types of financial institutions under the BSA, including banks,^[14] brokers or dealers in securities,^[15] mutual funds,^[16] and futures commission merchants and introducing brokers.^[17] In contrast, money transmitters do not have a CIP obligation, but they are required to, for certain activity, verify an individual's identity.^[18] Stablecoin issuers are presently subject to BSA obligations as financial institutions and, more specifically, as money transmitters under FinCEN's regulations, which are a type of money services business (MSB).^[19]

The GENIUS Act directs the Secretary of the Treasury to issue regulations, tailored to the size and complexity of the PPSI, to implement the GENIUS Act's treatment of PPSIs as financial institutions for purposes of the BSA, including the requirement that PPSIs maintain effective customer identification programs.^[20] The GENIUS Act also directs the Secretary of the Treasury and each primary Federal payment stablecoin regulator—the OCC, Board, FDIC, and NCUA—to issue regulations through appropriate notice and comment rulemaking and to coordinate, as appropriate, to carry out the Act.^[21] FinCEN and the Agencies are issuing a single, joint rule, ensuring consistent and uniform application of CIP requirements to all PPSIs subject to each Agency's jurisdiction.^[22]

III. GENIUS Act Implementation

Treasury issued an advance notice of proposed rulemaking (ANPRM) in September 2025 seeking public comment on potential Treasury regulations implementing the GENIUS Act, including those imposing BSA, anti-money laundering, and sanctions compliance program obligations.^[23] In ( printed page 37237) response to this ANPRM, Treasury received approximately 450 timely comments from a variety of stakeholders, including banks and credit unions, stablecoin issuers, digital asset exchanges, analytics companies, law firms, trade associations, non-governmental organizations, technology firms, academics, and members of the public. In crafting this proposal, Treasury reviewed and considered the pertinent comments, including those related to illicit finance topics.

This NPRM represents one piece of the comprehensive regulatory framework for PPSIs set out in the GENIUS Act.^[24] In a separate rulemaking, FinCEN has proposed a rule to implement the GENIUS Act's directive to apply anti-money laundering obligations to PPSIs (referred to as “PPSI AML/CFT NPRM”), including program, reporting, and recordkeeping obligations, among others.^[25] The PPSI AML/CFT NPRM proposes adding several new definitions arising from the GENIUS Act to chapter X, which are here used to describe this proposed rule. These definitions include “digital asset,” ^[26] “distributed ledger,” ^[27] “payment stablecoin,” ^[28] “permitted payment stablecoin issuer,” ^[29] “primary Federal payment stablecoin regulator,” ^[30] “Federal qualified payment stablecoin issuer,” ^[31] “State payment stablecoin regulator,” ^[32] and “State qualified payment stablecoin issuer.” ^[33] Generally speaking, the proposed definitions in the PPSI AML/CFT NPRM track the language the GENIUS Act uses to define those terms, with a few proposed technical modifications that are intended to be non-substantive.

IV. Overview of Stablecoins and Issuers

The GENIUS Act only governs a subcategory of stablecoins, namely “payment stablecoins” as defined by the GENIUS Act, and a subcategory of actors in the payment stablecoin ecosystem, most critically for this rulemaking, PPSIs.^[34] Thus, under the GENIUS Act, not all stablecoins are payment stablecoins and not all stablecoin issuers will be eligible to be PPSIs. Because the GENIUS Act framework is not yet in place, however, it is not determined which specific stablecoins will be payment stablecoins and which specific stablecoin issuers will be PPSIs. An understanding of the stablecoin ecosystem, uses of stablecoins, and risks associated with stablecoins generally informs the parameters of the proposed rule, including the rationale behind certain proposed obligations.

A. Stablecoins and Their Uses

Stablecoins are a blockchain-based ^[35] digital asset ^[36] designed to maintain a stable value relative to an underlying asset, most often—but not always—a fiat currency.^[37] Most stablecoin issuers use smart contracts ^[38] to issue stablecoins, enable or prohibit subsequent transactions in the stablecoin, and redeem stablecoins. The smart contracts underlying most stablecoins maintain a ledger of the number of stablecoins “owned by a set of accounts where each account is owned by a blockchain address” or wallet.^[39]

The liquidity and stability of stablecoins relative to other digital assets and rapid settlement of stablecoins make them appealing to illicit actors as well as legitimate users.^[40] Currently, most legitimate users primarily rely on stablecoins to store value or facilitate trades in other digital assets. Payment stablecoins have the potential, however, to become a more widely adopted form of payment.^[41] Illicit actors have increasingly used stablecoins to facilitate transactions and store proceeds.^[42] The U.S. government has linked stablecoins to a range of illicit activities, including money laundering, and bad actors, including scammers and fraudsters; ^[43] Democratic People's Republic of Korea information technology workers, cybercriminal groups, and related money laundering ( printed page 37238) networks; ^[44] drug traffickers; ^[45] terrorist groups; ^[46] and sanctions evasion and money laundering networks,^[47] among others.

B. Issuers and Interactions With Users

Most stablecoins backed by financial assets, including fiat currency, have centralized control, meaning that one company, or a group of companies, are responsible for governance functions, including defining and ensuring compliance with standards related to the issuance, purchase, redemption, custody, and transfer of the stablecoin.

Currently, many stablecoin issuers generally interact directly with a small number of larger companies—which are often institutional participants in the trading of digital assets ( i.e., digital asset exchanges).^[48] Those companies, in turn, interact with a larger and more diverse group of users. Many stablecoin issuers predominantly offer issue and redemption services to financial institutions, including digital asset exchanges that may be regulated under the BSA as MSBs.^[49] Generally, once an issuer issues stablecoins to such financial institutions, those financial institutions put the stablecoins into broader circulation to other users, such as individual retail users.^[50]

Due to the use of smart contracts underlying stablecoin transactions and how users interact with stablecoin issuers, the ecosystem can, broadly speaking, be divided into two components, the primary market and the secondary market. For purposes of this rulemaking, FinCEN and the Agencies will use the term “primary market” to generally describe a PPSI interacting directly with a user or holder of a payment stablecoin, such as when a PPSI engages in issuing, converting, redeeming, repurchasing, burning, and reissuing payment stablecoins, as well as providing associated services, such as providing custodial services.^[51] FinCEN and the Agencies will use the term “secondary market” to describe payment stablecoin activity that does not directly involve the PPSI as a party to the transaction other than via a smart contract. For example, secondary market activity could include an individual purchasing payment stablecoins from intermediaries, an individual sending a payment stablecoin from a self-hosted wallet to a vendor to purchase goods, an individual exchanging payment stablecoins for another digital asset via a digital asset exchange, or person-to-person transactions in payment stablecoins.

V. Section-by-Section Analysis

As required by the GENIUS Act, this rulemaking proposes a CIP obligation for accounts maintained by PPSIs.^[52] Obligations under this proposal are comparable to existing CIP requirements for other financial institutions, such as banks, brokers-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities. PPSIs likely will frequently interact with financial institutions that are already subject to CIP requirements, and in some cases, PPSIs will be subsidiaries of insured depository institutions with CIP requirements.^[53] Subjecting PPSIs to CIP requirements similar to such institutions is expected to increase the effectiveness and efficiency of CIP programs and facilitate the ability of PPSIs and other financial institutions with CIP requirements to rely on another institution's performance of any procedure related to a CIP, with the recommended safeguards contained in proposed 31 CFR 1033.220(a)(6).

In crafting this proposal, FinCEN and the Agencies have considered the statutory factors articulated in the BSA, specifically the various types of accounts PPSIs may maintain, the various methods of opening accounts, and the various types of identifying information available.^[54] Most notably, FinCEN and the Agencies recognize that these factors may vary significantly by the size and complexity of the PPSI, the activities in which it engages, and the types of customers it has. Accordingly, rather than prescribe a one-size-fits-all approach, FinCEN and the Agencies direct that a PPSI's CIP should address the types of accounts it intends to maintain, how it allows those accounts to be opened, and the types of identifying information available. In defining “account,” as noted below, the proposal takes into consideration the range of activities in which a PPSI can engage and the types of accounts that a PPSI may maintain.

Relatedly, as mentioned above, the GENIUS Act directs the Secretary to tailor BSA obligations to the size and complexity of an issuer.^[55] This proposal meets that requirement by proposing regulatory text that requires a PPSI to tailor its CIP to that PPSI's size and type of business, as well as take into consideration the PPSI's risk based on its unique business—including the types of accounts it has, how those accounts are opened, and the identifying information available. Other policy options to tailor for size and complexity were considered including, for example, a CIP obligation that would fluctuate solely based on the size of an issuer. FinCEN and the Agencies have preliminarily assessed, however, that such an approach, however, could harm national security by providing weaker points of entry to the financial system, but request comment on its approach. This CIP proposal necessarily results in tailored obligations, which comports with the GENIUS Act, mitigates the risk of weaker points of entry, and best ( printed page 37239) protects the U.S. financial system from illicit activity.

A. Proposed 31 CFR 1033.100—Definitions

FinCEN and the Agencies propose promulgating in § 1033.100 three new definitions with respect to the proposed CIP obligation—account, customer, and digital asset service provider.^[56] The definitions are proposed for purposes of this CIP rulemaking and would only apply to the CIP obligation unless otherwise expressly noted.^[57]

The definitions discussed in this proposal are designed to clarify that a PPSI's CIP obligation extends to direct relationships, i.e., primary market activity, and does not extend to activity where the only interaction is with a PPSI's smart contract. Consistent with the BSA, the CIP requirements for other types of financial institutions extend to where an institution has some sort of formal relationship with an individual or entity.^[58] Based on the language in section 4(a)(5) of the GENIUS Act, and the analysis undertaken by FinCEN and the Agencies of the stablecoin ecosystem, FinCEN and the Agencies assess that the term “customer” in section 4(a)(5) related to “customer identification program” pertains to circumstances where the “customer” and a PPSI have a direct interaction and relationship. Put differently, the term “customer” is not meant to apply where a transfer is the result of third parties and a payment stablecoin user's only interaction with the PPSI is through a smart contract.

Moreover, interaction with a smart contract does not currently result in a PPSI acquiring the kind of information needed to verify an identity. Imposing an obligation where any payment stablecoin transfer could, for purposes of a CIP obligation, result in a customer and account relationship with a PPSI would essentially impose on PPSIs a global obligation to collect and verify identifying information of individual users. FinCEN and the Agencies assess that such a CIP obligation would be nearly impossible for PPSIs to implement and could potentially cripple the industry. FinCEN and the Agencies, however, seek comment on this approach and their assessment of the difficulties of such a globally applicable CIP obligation.

1. Proposed 31 CFR 1033.100(a)—Account

FinCEN and the Agencies propose adding the definition of “account” at § 1033.100(a). The proposed definition resembles how “account” is defined in other CIP rules, but contains unique provisions that reflect the kinds of activities in which PPSIs can engage. It also considers, as the BSA requires, the types of accounts PPSIs may maintain.

The proposed text defines an “account” in paragraph (a)(1) as a formal relationship between a PPSI and a customer, established to provide or engage in services, dealings, or other financial transactions. The “formal relationship” language mimics most other CIP rules promulgated under the BSA.^[59] FinCEN and the Agencies are proposing carrying this language over to the PPSI CIP to promote consistency, efficiency, and the ability of institutions to rely on each other for CIP procedures (subject safeguards). FinCEN and the Agencies request comment, however, on whether the formal relationship language is sufficiently clear.

Similar to the definition of “account” for other financial institutions subject to CIP requirements, the proposed definition of account contains an illustrative list of activities that may fall within “services, dealings, or other financial transactions.” ^[60] The proposed examples are based on the GENIUS Act's provision limiting PPSI activities, including the GENIUS Act rule of construction that clarifies a PPSI can engage in digital asset service provider activities or activities incidental thereto to the extent where those activities are consistent with all other Federal and State laws and authorized by the appropriate primary Federal or State payment stablecoin regulator.^[61] As proposed, the illustrative list would include: (i) issuing or redeeming a payment stablecoin; (ii) managing related reserves, including purchasing, selling, and holding reserve assets or providing custodial services for reserve assets; (iii) providing custodial or safekeeping services for payment stablecoins, required reserves, or private keys of payment stablecoins; (iv) other activities that directly support activities in paragraphs (a)(1)(i), (ii), and (iii); or (v) providing services of a digital asset service provider that are authorized by the primary Federal payment stablecoin regulator or the State payment stablecoin regulator, as applicable, consistent with all other Federal and State laws, provided that the claims of payment stablecoin holders rank senior to any potential claims of non-stablecoin creditors with respect to the reserve assets, consistent with section 11 of the GENIUS Act. FinCEN and the Agencies assess that providing such examples promotes clarity while leaving room for innovations in the industry that could create new, but similar, relationships between a PPSI and a person that involves a formal relationship and could fall under the “account” definition.

Unlike with other types of financial institutions with CIP requirements, an individual with no established relationship with a PPSI could hold a PPSI's product, specifically a payment stablecoin, and then seek to engage directly with a PPSI for a financial service. For example, an individual who has no established relationship with the PPSI could acquire a payment stablecoin from, for example, an exchange, and seek to redeem it with the PPSI. That redemption could establish an account with the PPSI and make the individual a customer. FinCEN requests comment on whether the CIP proposal should be refined or clarified to account for such activity.

The proposed definition also provides instances where activity does not form an account relationship. Two of these ( printed page 37240) subparagraphs are intended to make clear that purely secondary market payment stablecoin activity does not form a formal relationship between a PPSI and a payment stablecoin user or holder. That list provides that the term “account” does not include a product or service where a formal relationship is not established with a person, such as payment stablecoin activity that does not directly involve the PPSI as a party to the transaction other than via a smart contract. It also specifies that ownership or control of a PPSI's payment stablecoins alone, without other indicators of a formal relationship, does not constitute an account.

Consistent with other CIP rules, the proposed text further provides that the term “account” does not include an account that the PPSI acquires through an acquisition, merger, purchase of assets, or assumption of liabilities from a financial institution regulated by a Federal functional regulator or a bank regulated by a State bank regulator or an account opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.

2. Proposed 31 CFR 1033.100(b)—Customer

FinCEN and the Agencies propose adding the definition of “customer” at § 1033.100(b) for the purposes of a PPSI's CIP obligation. The proposal would define customer as (i) a person that opens a new account; and (ii) an individual who opens a new account for: (A) an individual who lacks legal capacity, such as a minor; or (B) an entity that is not a legal person, such as a civic club.

The proposed definition also provides that the term “customer” does not include: (i) a financial institution regulated by a Federal functional regulator or a bank regulated by a State bank regulator; (ii) a person described in § 1020.315(b)(2) through (4) of 31 CFR chapter X; (iii) a person that has an existing account with the PPSI, provided the PPSI has a reasonable belief that it knows the true identity of the person; or (iv) a person acquiring or redeeming a payment stablecoin from a means other than directly from or directly to the PPSI. The final provision promotes FinCEN and the Agencies' determination that transfers of payment stablecoins on the secondary market do not make a party to the transfer a customer of a PPSI.

3. Proposed 31 CFR 1033.100(c)—Digital Asset Service Provider

FinCEN and the Agencies propose adding a definition of “digital asset service provider” at § 1033.100(c) for the purposes of a PPSI's CIP obligations because the term is used in the proposed definition of “account.” As discussed, the GENIUS Act expressly reserves the ability of a PPSI to engage in the digital asset service provider activities, where such activities are authorized by the appropriate primary Federal payment stablecoin regulator or State payment stablecoin regulator.^[62] To help ensure such activities are appropriately included in activities that could create an account relationship with a PPSI, FinCEN and the Agencies propose defining “digital asset service provider” for CIP purposes.

The proposed definition of “digital asset service provider” is consistent with the definition provided in the GENIUS Act, with certain modifications in light of preexisting FinCEN regulatory definitions.^[63] Under the proposed rule, the term “digital asset service provider” would mean an individual, partnership, company, corporation, association, trust, estate, cooperative organization, or other business entity, incorporated or unincorporated that, for compensation or profit, engages in business in the United States (including on behalf of customers or users in the United States) of: (A) exchanging digital assets for monetary value, meaning a national currency or deposit denominated in a national currency; (B) exchanging digital assets for other digital assets; (C) transferring digital assets to a third party; (D) acting as a digital asset custodian; or (E) participating in financial services relating to digital asset issuance. The proposed definition also provides that the term “digital asset service provider” does not include: (i) a distributed ledger protocol; (ii) developing, operating, or engaging in the business of developing distributed ledger protocols or self-custodial software interfaces; (iii) an immutable and self-custodial software interface; (iv) developing, operating, or engaging in the business of validating transaction or operating a distributed ledger; or (v) participating in a liquidity pool or other similar mechanism for the provisioning of liquidity for peer-to-peer transactions. The proposed definition of digital asset service provider will also state the meaning of “distributed ledger protocol,” as defined by 12 U.S.C. 5901(9).

This proposed definition modifies the GENIUS Act language in three respects. None of the changes are intended to substantively change the meaning of the GENIUS Act definition of digital asset service provider.

First, the proposed definition modifies the GENIUS Act definition of digital asset service provider by replacing the statutory term “person” in that definition with the text the GENIUS Act uses to define “person” in 12 U.S.C. 5901(24).^[64] This change is proposed because the term “person” is already defined in FinCEN regulations at 31 CFR 1010.100(mm) ^[65] and differs from the GENIUS Act definition of “person.” ^[66] FinCEN's regulatory definition of person includes Indian Tribes as defined in the Indian Gaming Regulatory Act, which the GENIUS Act definition of person does not include. Further, FinCEN's regulatory definition also does not characterize the entities that comprise the category as “business” entities, as the GENIUS Act definition does. To ensure the definition of “digital asset service provider” for PPSIs accurately applies to the “persons” that Congress intended, as evidenced by the GENIUS Act definition of the term, FinCEN and the Agencies propose incorporating the GENIUS Act definition of person into the regulatory definition of “digital asset service provider.”

Second, the proposed definition of “digital asset service provider” incorporates the GENIUS Act definition of “monetary value” as provided in 12 U.S.C. 5901(17).^[67] FinCEN has two similar terms, “monetary instruments” and “currency,” that are already defined in its regulations at 31 CFR 1010.100(dd) ^[68] and 31 CFR ( printed page 37241) 1010.100(m).^[69] To avoid confusion between the existing definitions and the definition in the GENIUS Act, FinCEN and the Agencies propose including the GENIUS Act definition of “monetary value” within the definition of “digital asset service provider.”

Third, and finally, the proposed definition of “digital asset service provider” also incorporates the GENIUS Act definition “distributed ledger protocol” as provided in 12 U.S.C. 5901(9).^[70] The term “distributed ledger protocol” is not otherwise used in the proposed regulation, so FinCEN and the Agencies propose including the term and its definition within the definition of “digital asset service provider.”

B. Proposed 31 CFR 1033.220—Customer Identification Program

1. Proposed 31 CFR 1033.220(a) and (a)(1)—Minimum Requirements

Proposed § 1033.220(a) would establish the minimum standards for a CIP. Proposed § 1033.220(a)(1) would require a PPSI to establish and maintain a written CIP. The CIP would be required to be appropriate for a PPSI's size and business.

As with the CIP rule for banks and other financial institutions with CIP obligations, a PPSI's CIP would be required to be a part of the PPSI's anti-money laundering and countering the financing of terrorism (AML/CFT) program. As discussed in the PPSI AML/CFT NPRM, FinCEN and the Agencies recognize the value of enterprise-wide compliance efforts. Where a PPSI is a subsidiary of an insured depository institution, FinCEN and the Agencies anticipate that the enterprise may elect to extend a single AML/CFT program to both entities and that doing so would be permissible so long as a comprehensive AML/CFT program is reasonably designed to identify and mitigate the risks posed by the different aspects of each entity's business and activities and satisfies each of the risk-based AML/CFT program and other applicable BSA and GENIUS Act requirements to which the PPSI or parent is subject. Likewise, an enterprise may elect to implement an enterprise-wide CIP rather than maintain separate CIPs for a parent and subsidiary. In doing so, however, the enterprise-wide CIP would need to account for the legal and regulatory obligations of both the parent and subsidiary. Relatedly, where a PPSI is also a national trust bank, the entity could create a single CIP covering all the entity's regulatory obligations.

2. Proposed 31 CFR 1033.220(a)(2)—Identity Verification Procedures

Proposed § 1033.220(a)(2) would impose obligations related to identity verification procedures, effectuating 31 U.S.C. 5318( l)(2)(A). It would require that the CIP include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must enable the PPSI to form a reasonable belief that it knows the identity of each customer. The procedures must be based on the PPSI's assessment of the relevant risks, including those presented by the various types of accounts maintained by the PPSI, the various methods of opening accounts provided by the PPSI, the various types of identifying information available, and the PPSI's size, location, and customer base.

As with existing CIP rules, the rule proposes to include the term “risk-based” as a descriptor of these procedures.^[71] The identity verification procedures would need to be based on the PPSI's assessment of the relevant risks, and take into consideration the types of accounts the PPSI maintains, the different methods of opening accounts, and the types of identifying information available.^[72] Ultimately the procedures must enable the PPSI to form a reasonable belief that it knows the true identity of the customer.^[73] A risk-based framework reflects the fact that variations in customer relationships can present varying levels of risks.^[74]

i. Proposed 31 CFR 1033.220(a)(2)(i)—Customer Information Required

Proposed § 1033.220(a)(2)(i) would specify identifying information that a CIP must account for in procedures for opening an account. The proposed rule would require a PPSI to obtain from each customer the following information prior to opening an account: (1) name; (2) date of birth, for an individual; or date of formation, for a person that is not an individual; (3) address (a residential and mailing address for individuals, or the principal place of business, local office, or other physical address and mailing address for a person other than an individual); and (4) an identification number.

The proposed rule would require that a PPSI collect a residential or business street address for an individual. If the individual does not have a residential or business street address, the individual may provide an Army Post Office or a Fleet Post Office box number or the residential or business street address of a next of kin or another contact individual. If the customer is a corporation, partnership or trust, it must provide the address of its principal place of business, local office, or other physical location. A Post Office (PO) box is not an acceptable type of address for the purposes of the proposed rule. Similarly, although some virtual offices or commercial mail receiving agencies provide an address for an entity or individual to use, similar to a PO box, the address provided is not an actual place of business or residence for the entity or individual and does not evidence a physical location for the customer.^[75] Accordingly, such addresses are not acceptable physical locations for purposes of the proposed rule.

The proposed rule would also require collection of an identification number. For U.S. persons this would be a taxpayer identification number. For non-U.S. persons the identification number could be one or more of the following: a taxpayer identification number, passport number and country of issuance, alien identification card number, or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard. For a non-U.S. person that is not an individual and that does not have an identification number, the PPSI must request alternative ( printed page 37242) government-issued documentation certifying the existence of the person.

The proposed rule provides an exception for persons applying for a taxpayer identification number. However, the exception would require that the CIP include procedures for confirming that the application for a taxpayer identification number was filed, as well as obtaining the taxpayer identification number within a reasonable period of time after the account is opened.

ii. Proposed 31 CFR 1033.220(a)(2)(ii)—Customer Verification

Proposed § 1033.220(a)(2)(ii) relates to CIP procedures for verifying the identity of a customer using the information the PPSI has collected. The proposed rule would require that the CIP contains procedures for verifying the identity of each new customer within a reasonable period of time after the customer's account is opened. The procedures must describe when the PPSI will use documents, non-documentary methods, or a combination of both methods.

FinCEN and the Agencies recognize the interest in leveraging verifiable credentials and digital identity as part of account opening procedures.^[76] Over 20 years ago when the bank CIP final rule was promulgated, FinCEN and staff of the Board, FDIC, NCUA, OCC, and the Office of Thrift Supervision (OTS) recognized in guidance that an “electronic credential” was one method that an institution could use to form a reasonable belief that it knows the true identity of its customer.^[77] Since that time, digital identity tools have become more commonplace and more sophisticated. Notably, however, there are a variety of digital identity tools and applications currently in existence, as well as a significant number under development. These tools vary in how they operate and in their trustworthiness.^[78]

FinCEN and the Agencies propose that technological variation and innovation are best accounted for by maintaining the flexibility in the proposal relating to how a PPSI verifies a customer's identity. This flexibility will enable individual PPSIs to assess its comfort level with the trustworthiness of various tools and take into consideration variation in tools and differences in risk. FinCEN and the Agencies expect that PPSIs would treat different digital identity tools differently. For example, a mobile ID or driver's license issued by a state could constitute an “unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard” under proposed § 1033.220(a)(2)(ii)(A). A digital identity credential offered by a non-governmental entity that enables a person to prove that they are who they claim to be without revealing information other than that fact could, if appropriate as part of a risk-based procedure, be a non-documentary verification method. Accordingly, FinCEN and the Agencies are not proposing regulatory text related to verifiable credentials and digital identities, but request comment on this approach.

a. Proposed 31 CFR 1033.220(a)(2)(ii)(A)—Verification Through Documents

The proposed rule states that if the PPSI is relying on documents to verify a customer's identity, then the CIP must contain procedures that set forth the documents that the PPSI will use. For an individual, the PPSI could use an unexpired government-issued identification evidencing nationality or residence that contains a photograph or similar safeguard, such as a driver's license or passport. For a person other than an individual, such as a corporation, partnership, or trust, the document must show the existence of the entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or a trust instrument.

b. Proposed 31 CFR 1033.220(a)(2)(ii)(B)—Verification Through Non-Documentary Methods

For a PPSI relying on non-documentary methods to verify a customer's identity, the proposed rule would require the CIP to contain procedures that set forth the non-documentary methods the PPSI will use. These methods may include contacting a customer; independently verifying the customer's identity through the comparison of information provided with respect to the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; or obtaining a financial statement.

Under the proposed rule, the PPSI's non-documentary procedures would be required to address situations where an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard; the PPSI is not familiar with the documents presented; the account is opened without obtaining documents; the customer opens the account without meeting in person; or the PPSI is otherwise presented with circumstances that increase the risk that the PPSI will be unable to verify the true identity of a customer through documents.

c. Proposed 31 CFR 1033.220(a)(2)(ii)(C)—Additional Verification for Certain Customers

Proposed § 1033.220(a)(2)(ii)(C) would require that a PPSI's CIP address situations where, based on the PPSI's risk assessment of a new account opened by a customer that is not an individual, the PPSI will obtain information about individuals with authority or control over such account to verify the customer's identity. This verification method would apply only when the PPSI cannot verify the true identity of a customer that is not an individual through either documentary or non-documentary methods.

iii. Proposed 31 CFR 1033.220(a)(2)(iii)—Lack of Verification

FinCEN and the Agencies believe that, while the majority of customers may be verified through documentary and non-documentary methods, there may be instances where this is not possible. Proposed § 1033.220(a)(2)(iii) relates to CIP procedures in which the PPSI cannot form a reasonable belief that it knows the true identity of a customer. Under the proposed rule, these procedures would be required to describe: (1) when the PPSI should not open an account; (2) the terms under which a customer may use an account while the PPSI attempts to verify the customer's identity; (3) when the PPSI should close an account after attempts to verify a customer's identity fail; and (4) when the PPSI should file a Suspicious Activity Report in accordance with applicable law and regulation. ( printed page 37243)

3. Proposed 31 CFR 1033.220(a)(3)—Records

The proposed rule in § 1033.220(a)(3) states that the CIP must include procedures for making and maintaining a record of all information obtained by the PPSI through the CIP, effectuating 31 U.S.C. 5318( l)(2)(B). At a minimum, proposed § 1033.220(a)(3)(i) would require that the record include: (1) all identifying information about a customer obtained under the CIP; (2) a description of any document relied on to verify the identity of the customer under the CIP, noting the type of document, any identification number contained in the document, the place of issuance, and if any, the date of issuance and expiration date; (3) a description of the methods and results of any measures undertaken to verify the identity of a customer; and (4) a description of the resolution of each substantive discrepancy discovered when verifying the identifying information obtained.

Additionally, the proposed rule states that a PPSI must retain the identifying information about a customer obtained under § 1033.220(a)(3)(i)(A) for five years after the date the account is closed and the information regarding the verification of a customer's identity records collected under § 1033.220(a)(3)(i)(B), (C), and (D) for five years after the record is made.

4. Proposed 31 CFR 1033.220(a)(4)—Comparison With Government Lists

Proposed § 1033.220(a)(4) would require a PPSI's CIP to include reasonable procedures for determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by Treasury in consultation with the Federal functional regulators, effectuating 31 U.S.C. 5318( l)(2)(C). The procedures would have to require the PPSI to make such a determination within a reasonable period of time after the account is opened, or earlier if required by another Federal law or regulation or Federal directive issued in connection with the applicable list. The procedures also would have to require the PPSI to follow all Federal directives issued in connection with such lists.

Because Treasury and the Federal functional regulators have not yet designated any such lists, the proposed rule cannot be more specific with respect to the lists PPSIs must check in order to comply with this provision. Accordingly, PPSIs would not have an affirmative duty under this proposed regulation to seek out all lists of known or suspected terrorists or terrorist organizations compiled by the Federal government. Instead, PPSIs would receive separate notification regarding the lists that must be consulted for purposes of this provision.

Many PPSIs already have procedures in place for determining whether customers' names appear on some Federal lists, including lists that identify known terrorists and terrorist organizations. For example, under current law, there are substantive legal requirements associated with lists circulated by Treasury's Office of Foreign Assets Control (OFAC). Failure to comply with these requirements may result in criminal or civil penalties.

5. Proposed 31 CFR 1033.220(a)(5)—Customer Notice

The proposed rule states in § 1033.220(a)(5) that the CIP must include procedures for providing customers with adequate notice that the PPSI is requesting information to verify their identities. Under the proposed rule, notice would be considered adequate if the PPSI generally described the identification requirements of this section and provided such notice in a manner reasonably designed to ensure that a prospective customer is able to view the notice, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a PPSI may post a notice on its website, include the notice in its account applications, or use any other form of oral or written notice. The proposed rule provides a sample notice.

6. Proposed 31 CFR 1033.220(a)(6)—Reliance on Another Financial Institution

Proposed § 1033.220(a)(6) would provide that a PPSI's CIP may include procedures specifying when a PPSI may rely on another Federally regulated financial institution's performance of a procedure with respect to any PPSI customer that is opening or has opened an account. Such reliance would have to be reasonable under the circumstances, and the other financial institution on which the PPSI seeks to rely would have to be subject to an AML/CFT program with CIP requirements, as well as regulated by a Federal functional regulator.^[79] Additionally, the institutions would have to have a contract requiring the institution on which the PPSI seeks to rely to certify annually to the PPSI that it has implemented an AML/CFT program and will perform (or its agent will perform) the specified requirements of the PPSI's CIP. Critically, this proposed provision would not change a PPSI's CIP obligation, and the PPSI would remain responsible for its compliance.

This proposal is consistent with other CIP requirements under the BSA, including the bank CIP regulation where, critically, some banks—but not all banks—are overseen by a Federal functional regulator.^[80] It does, however, create a disparity between PPSIs that fall under a primary Federal payment stablecoin regulator and a State payment stablecoin regulator.^[81] A State qualified payment stablecoin issuer would be able to rely on, for example, a procedure performed by a PPSI that is a subsidiary of an insured depository institution. But a PPSI that is a subsidiary of a Federally regulated depository institution, would not be able to rely on a procedure performed by a State qualified payment stablecoin issuer because such issuers are not overseen by a Federal functional regulator.

While the proposal would not permit a PPSI to rely on another entity to perform a CIP procedure unless such an entity is another Federally regulated financial institution, it should not be construed as restricting appropriate use of third parties to perform a service related to a PPSI's CIP on the PPSI's behalf.^[82] In such cases, however, the CIP obligation would remain with the PPSI.

C. Proposed 31 CFR 1033.220(b)—Exemptions

Proposed § 1033.220(b) would provide that the appropriate Federal functional regulator, with the concurrence of the Secretary, may by order or regulation, exempt any PPSI or any type of account from the ( printed page 37244) requirements of this section. It also provides that the Secretary, with the concurrence of the Federal functional regulator, may exempt any PPSI or any type of account from the requirements of this section.

In issuing such exemptions, the Federal functional regulator and the Secretary would consider whether the exemption is consistent with the purposes of the BSA and with safety and soundness, as well as in the public interest. It would also permit the Federal functional regulator and Secretary to consider other necessary and appropriate factors. Given that the GENIUS Act identifies the OCC, Board, FDIC, and NCUA as a primary Federal payment stablecoin regulator for PPSIs under their respective jurisdictions, in this proposed rule, FinCEN and the Agencies retain “Federal functional regulator” consistent with its use in the BSA CIP exemption provision, providing the Secretary of the Treasury and the Federal functional regulator joint authority to issue an exemption.^[83]

D. Proposed 31 CFR 1033.220(c)—Other Requirements Unaffected

Proposed § 1033.220(c) clarifies that nothing in § 1033.220 relieves a PPSI of its obligation to comply with any other provision of chapter X, including provisions concerning information that must be obtained, verified, or maintained in connection with any account or transaction, including requirements to have the technological capability to comply with and to comply with the terms of any lawful order.^[84]

E. Compliance Date

FinCEN and the Agencies propose that the rule would be effective 12 months after issuance of the final rule to allow sufficient time for PPSIs to review and implement the requirements of the proposed rule.

VI. Request for Comments

FinCEN and the Agencies seek comments on all aspects of the proposed rule and specifically seek comments on the following topics. For all responses, commenters are encouraged to provide the basis for any conclusions drawn in their comments.

1. Should any CIP requirement be extended to secondary market activity? If yes, in what circumstances? What would be the benefits and drawbacks of doing so?

2. Should FinCEN and the Agencies refine or clarify its definitions of account, customer, or digital asset service provider? Are additional definitions needed?

3. Should FinCEN and the Agencies retain “formal relationship” as part of the definition of account? What are the hallmarks of a “formal relationship” between a PPSI and a user? Should FinCEN and the Agencies provide examples or attributes of a formal relationship in guidance? Would other concepts be a better foundation for the account definition, such as a contractual or business relationship, and why?

4. Should the proposed rule be clarified or refined to account for situations where a customer's only desired relationship with a PPSI is to redeem a payment stablecoin?

5. Should the regulatory text explicitly discuss digital identity solutions or verifiable credentials? How could it best do so given the range of tools available on the market?

6. What are the benefits and risks of using digital identity solutions or verifiable credentials as part of verifying customers' identities?

7. What is the expected likelihood that a PPSI would rely on another PPSI's CIP or the CIP of another Federal functionally regulated financial institution's CIP?

8. What, if anything, could be changed to make the proposed rule more conducive to industry innovation? Explain how any changes would positively or negatively impact PPSIs expected operations and illicit finance risk to the U.S. financial system.

VII. Executive Order 14294

Section 5 of Executive Order 14294 directs that all future notices of proposed rulemaking (NPRMs) and final rules published in the Federal Register , the violation of which may constitute criminal regulatory offenses, should include a statement identifying that the rule or proposed rule is a criminal regulatory offense and the authorizing statute.^[85] Executive Order 14294 directs agencies to draft this statement in consultation with the Department of Justice.

Executive Order 14294 further directs that the regulatory text of all NPRMs and final rules with criminal consequences published in the Federal Register after May 9, 2025 should explicitly state a mens rea requirement for each element of a criminal regulatory offense, accompanied by citations to the relevant provisions of the authorizing statute.

Willful violations of the proposed regulations set forth in this proposed rule, if finalized, may be subject to criminal penalties pursuant to 31 U.S.C. 5322 and regulations promulgated in 31 CFR chapter X. The statutory authority for criminal liability requires a mens rea of willfulness as an element pursuant to 31 U.S.C. 5322(a) and 31 U.S.C. 5322(b). FinCEN's existing regulation, 31 CFR 1010.840, that sets out criminal penalties for violations of regulations promulgated in 31 CFR chapter X also includes a mens rea of willfulness. The Department of Justice was consulted in drafting this statement.

VIII. Regulatory Impact Analysis

FinCEN and the Agencies have analyzed the proposed rule as required under E.O. 12866,^[86] E.O. 13563,^[87] E.O. 14192,^[88] the Regulatory Flexibility Act (RFA),^[89] the Unfunded Mandates Reform Act of 1995 (UMRA),^[90] the Paperwork Reduction Act (PRA),^[91] the Riegle Community Development and Regulatory Improvement Act of 1994,^[92] the Gramm-Leach-Bliley Act,^[93] and the Providing Accountability Through Transparency Act of 2023.^[94]

The Office of Information and Regulatory Affairs in the Office of Management and Budget (OMB) has determined this proposed rule to be a “significant regulatory action” under section 3(f) of E.O. 12866. FinCEN and the Agencies have included an Initial Regulatory Flexibility Analysis (IRFA) pursuant to the RFA as the proposed rule may have a significant economic impact on a substantial number of certain types of potentially affected small entities.^[95] Pursuant to analysis ( printed page 37245) required by UMRA, FinCEN and the Agencies conclude it is unlikely that the proposed rule, if implemented, would result in a novel annual expenditure of more than $193 million by State, local, and Tribal governments or by the private sector.^[96]

As described above,^[97] the proposed rule would implement the GENIUS Act's directives to treat PPSIs as financial institutions for purposes of the BSA and to require such issuers to maintain an “effective customer identification program, including identification and verification of the identity of account holders.” ^[98] It includes proposed requirements for a PPSI to establish and maintain a written CIP; maintain risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable; maintain certain records; and compare the customers' identity with government lists. The proposal would also require a PPSI to include procedures for customer notice related to verifying identity, allows reliance on another financial institution's CIP under certain circumstances, and outlines the ability of FinCEN and the Agencies to issue exemptions related to the CIP requirement.

In issuing this proposal, FinCEN and the Agencies contemplate a number of benefits for PPSIs, regulators, other compliance examiners, law enforcement and national security agencies, and the general public. Such benefits include CIPs that effectively contribute to the detection and deterrence of money laundering and terrorist financing, support broader BSA policy goals, and help ensure that CIPs for PPSIs are consistent with those required for other financial institution types with CIP requirements, which should promote efficiencies and reduce opportunities for regulatory arbitrage.

This regulatory impact analysis (RIA) begins by describing the broad economic analysis FinCEN and the Agencies undertook to inform their expectations of the proposed rule's economic impact and burden.^[99] This is followed by pieces of additional and, in some cases, more specifically tailored analysis as required by E.O.s 12866, 13563, and 14192; ^[100] the RFA; ^[101] the UMRA; ^[102] and the PRA.^[103] Requests for comments related to the RIA—regarding specific findings, assumptions, or expectations, or with respect to the analysis in its entirety—can be found in the final subsection.^[104] These requests for comments have been previewed throughout the RIA.

A. Assessment of Impact

Consistent with best practices in regulatory economic analysis, FinCEN and the Agencies' assessment of impact begins with an overview of broad economic considerations, identifying, among other things, the need for the policy intervention.^[105] Next, FinCEN and the Agencies (1) establish baseline estimates of the number of covered PPSIs and other entities, including insured depository institutions, that could be affected by the proposed rule, and (2) describe the current regulatory requirements and background practices against which the proposed rule would introduce changes.^[106] The analysis then briefly reviews elements of the proposed rule that most directly inform how foreseeable economic impacts would flow from how PPSIs and their respective regulators would engage in activities not expected to otherwise be undertaken in order to comply.^[107] Next, the RIA presents the anticipated benefits and estimated costs to the respective affected parties that would be associated with the proposed CIP obligations.^[108] Finally, the assessment concludes with a brief discussion of alternative policies FinCEN and the Agencies considered and could have proposed, including an evaluation of the relative economic merits of each against the expected value of the rule as proposed.^[109]

1. Broad Economic Considerations

In performing its assessment of impact, FinCEN and the Agencies took into consideration certain fundamental economic problems that the proposed rule is expected to address as well as the general social and economic costs that may ensue from an AML/CFT and CIP regime for PPSIs that is ineffective. Because this NPRM is being issued pursuant to statutory obligations,^[110] the necessity for FinCEN and the Agencies to independently identify and articulate fundamental economic problems that the proposed rule is intended to address, as the basis for regulatory action,^[111] is attenuated because at best this activity would complement the problem identification already performed by Congress.^[112] Nevertheless, FinCEN and the Agencies have remained mindful of these animating considerations as well as the general social and economic costs that may ensue from an ineffective AML/CFT regime.^[113]

FinCEN and the Agencies expect that the proposed rulemaking would meaningfully alleviate certain underlying economic problems that could otherwise impair the effective administration of the BSA and potentially distort affected markets. These include potential problems that flow from the incidence of both positive and negative externalities in connection with customer identification activity and the potential for regulatory arbitrage in the absence of uniform minimum standards for financial institutions' CIPs.^[114]

The expected benefits of the proposed rule, as discussed below,^[115] are therefore linked by the extent to which the proposed requirements would address these fundamental economic problems.

2. Institutional Baseline and Affected Parties

In proposing this rule, FinCEN and the Agencies considered the ( printed page 37246) incremental impacts of the proposed CIP requirements relative to the current state of the affected markets and their participants.^[116] This baseline analysis of the parties that would be affected by the proposed rule, their current CIP-like obligations and activities, and the costs and/or benefits associated with those activities satisfies analytical best practices by describing the alternative of not pursuing the proposed, or any other, novel regulatory action.^[117] In each case, the RIA has attempted to identify the incremental expected economic effects of each component of the proposal as precisely as practicable against this baseline. Nevertheless, in certain cases, FinCEN and the Agencies can only make qualitative assessments.

As a first step in the process of isolating these anticipated marginal effects, FinCEN and the Agencies assessed the regulatory and market landscape facing the current stablecoin issuers, and potential future PPSIs, that would be affected by the proposed rule, including an estimate of the expected near-term number of potential PPSIs, their existing regulatory requirements, and the burden they either would or currently face in connection with the compliance activities the proposed rule would require. FinCEN and the Agencies also briefly discuss other categories of persons and entities ( i.e., regulators, compliance examiners, law enforcement and national security agencies, and certain members of the general public) that are expected to be directly affected by the proposed rule.

i. Regulatory Baseline

As discussed in section II, stablecoin issuers are already subject to BSA obligations as MSBs, specifically, money transmitters. As MSBs, stablecoin issuers are currently subject to a range of BSA obligations. MSBs are required to, for instance, (i) establish and maintain written AML programs ^[118] that include policies, procedures, and internal controls to verify customer identification; ^[119] (ii) file currency transaction reports; ^[120] (iii) file Suspicious Activity Reports (SARs); ^[121] and (iv) maintain certain records, including those relating to certain transmittals of funds.^[122] MSBs are required to register with FinCEN ^[123] and are subject to examination for BSA compliance by the Internal Revenue Service (IRS).^[124]

While MSBs are not subject to as many customer identification requirements as other types of financial institutions under the BSA, the BSA does require them to maintain policies, procedures, and internal controls to verify customer identification ^[125] and to collect identification information for transmittals of funds over $3,000—including the name, address, and identification document of an individual requesting transmission ^[126] —and for transactions in currency of more than $10,000.^[127]

ii. Baseline of Expected Affected Parties

FinCEN and the Agencies have identified four distinct populations expected to be directly affected, to varying degree, by the proposed rule, namely: (1) PPSIs, (2) customers of PPSIs, (3) certain other financial institutions, and (4) other less directly affected parties, including regulators (including examiners working for or under the authority of those regulators) and law enforcement and national security agencies. To the extent that economic impact on additional key, directly affected subpopulations of the general public should be considered, FinCEN and the Agencies invite comments, data, studies, or reports that would enhance its ability to identify and quantify such effects.

a. PPSIs

FinCEN and the Agencies have conducted independent research with a view to estimating the number of potential PPSIs that would exist in the near-term future.^[128] Taking each of those independent exercises into consideration, the proposed rule could be expected to apply to approximately 50 PPSIs in each of the first three years of the GENIUS Act being effective. Table 1 illustrates the anticipated distribution of these potential PPSIs as organized by types as categorized in the GENIUS Act's definition of “permitted payment stablecoin issuer” ^[129] and proposed definition § 1010.100(ttt). That proposed definition contains three subtypes of PPSIs, specifically those that are subsidiaries of insured depository institutions or credit unions that have been approved to issue payment stablecoins by a primary Federal payment stablecoin regulator (collectively “subsidiaries of insured depository institutions”); Federal qualified payment stablecoin issuers (FQPSIs); and State qualified payment stablecoin issuers (SQPSIs).^[130] As explained in proposed § 1010.100(vvv), a FQPSI is an entity approved by the OCC under 12 U.S.C. 5903 to issue payment stablecoins and is either—(1) a nonbank entity, (2) an uninsured national bank, or (3) a Federal branch.^[131]

FinCEN expects that of the 50 anticipated PPSIs, approximately 60 percent should be subsidiaries of insured depository institutions and 40 percent not.^[132 133] Because FinCEN has not identified, with more certainty than not, currently operating stablecoin issuers that it expects will become SQPSIs within the PPSI regulatory framework (as defined in proposed § 1010.100(ttt)(3) and § 1010.100(xxx)), the population used in this analysis does not further distinguish its estimate for these types of potential future PPSIs from other non-IDI subsidiary expected future PPSIs.^[134] Because these projections represent best-effort estimates based on limited information, ( printed page 37247) the public is strongly encouraged to provide additional comments, data, and other information that could enhance the accuracy and precision of these estimates.

( printed page 37248)

b. Customers of PPSIs

FinCEN and the Agencies expect the general public to be affected by the proposed rule, with certain subpopulations affected more directly than others. In particular, FinCEN and the Agencies considered customers of PPSIs, as the term “customer” is proposed to be defined in this rulemaking. Although estimated payment stablecoin users number in the hundreds of millions, a substantially smaller number (in the hundreds of thousands) are likely to interact with PPSIs in the primary market. Many of these customers are large financial institutions and most large stablecoin issuers set significant financial requirements for primary market participants that exclude retail-level participation. In terms of volume, most primary market activity can be attributed to these large entities. Most primary market activity, as measured in transaction volume, is attributable to these large entities. However, some issuers have increasingly adopted wider-facing mint/redeem models that seek to include smaller investors and businesses.

To estimate the number of expected primary market customers a future PPSI might interact with, FinCEN examined current on-chain minting and redemption activity as observable from publicly available data. Almost all the stablecoin products meeting the GENIUS Act's definitional criteria for future payment stablecoins that FinCEN reviewed had fewer than 1,000 primary market customers in a given year, which is consistent with prior expectations of high institutional barriers. However, a small number of the stablecoins reviewed had significantly more primary market contact (with over 250,000 customers) in a given year. In the sample of issuers FinCEN reviewed, the average number of an issuer's primary market customers was approximately 17,000, but this value appeared to be driven by extreme outliers. The truncated average was approximately 1,000, and the median value was 100.^[135]

Based on this analysis, FinCEN estimate that the “average” PPSI would have approximately 1,000 primary market customers that it interacts with directly, including issuing and redeeming payment stablecoins and engaging in digital asset service provider activities where those activities are authorized by the appropriate primary Federal or the State payment stablecoin regulator and consistent with all other Federal and State laws. However, some PPSIs are expected to have substantially more or substantially less customers than this estimate. In total, FinCEN does not expect the total number of unique primary market PPSI customers to exceed 300,000. However, FinCEN estimates that a substantial portion of these customers may be affiliates of a single counterparty or associated with non-U.S. entities.^[136] FinCEN estimates that the number of customers that are U.S. businesses is likely no more than 10,000. As described earlier, these businesses belong to several categories, including digital asset exchanges, specialized digital asset commodities traders, and other types of investment- and securities-related businesses. Besides digital asset exchanges, FinCEN expects most of a PPSI's other customers are likely to be financial institutions.^[137]

FinCEN also used publicly available data on on-chain minting and redemption activity to analyze annual rates of customer growth and turnover. Many of the stablecoin issuers reviewed retained the same group of large “core” primary market customers year over year but exhibited significant turnover among their smaller primary market customers. In addition, most stablecoin issuers saw significant growth in their primary market customer base during 2025. For purposes of modeling expected economic effects, FinCEN and the Agencies assume that this growth will continue, particularly among stablecoin issuers that are able to secure PPSI registration. Of the stablecoin issuers FinCEN reviewed, the average rate of new customer inflow, year over year, was approximately 65 percent of the number of existing, previous customers. Therefore, FinCEN and the Agencies apply this rate, where relevant, when estimating the costs in the remaining analysis.

c. Other Financial Institutions

Certain other financial institutions may be affected by the proposed rule. Although FinCEN and the Agencies cannot, at this time, provide the specific number of expected affected financial institutions in either category, there are two particular categories that could reasonably be expected to be affected by the proposed CIP requirements for PPSIs.

The first category includes insured depository institutions that have a PPSI as a subsidiary. Because this RIA projects that there may be up to 30 such PPSIs in the next three years, the corresponding number of expected affected insured depository institutions would also be up to 30. It is anticipated that an insured depository institution would arrange for its subsidiary PPSI's CIP to nest within the preexisting overall CIP structure of the parent organization. As such, parent organizations may be economically affected by the need to revise, expand, or otherwise tailor existing CIPs. FinCEN and the Agencies expect, however, that similarities between the existing CIP rule for banks and this proposal would minimize, though not eliminate, this cost.

The second category of financial institutions expected to be affected by the proposed CIP requirements includes those financial institutions already subject to their own CIP obligations on which one or more PPSIs would be able to rely for the performance of aspect of its CIP obligations, pursuant to proposed § 1033.220(a)(6), or which themselves could rely upon a PPSI for the performance of some aspect of their own CIP obligations, pursuant to the provision of the financial institution's CIP regulation analogous to proposed § 1033.220(a)(6).^[138] Table 2 presents the total number of financial institutions already subject to CIP obligations, which represents the maximum number of potentially affected parties in this category. FinCEN considers it unlikely that all, or even many, of these 14,575 financial institutions would either be relied upon by PPSIs for some aspect of the PPSI's CIP compliance or rely upon PPSIs for some aspect of the institution's CIP.^[139] FinCEN and the Agencies acknowledge, however, that this expectation is somewhat ( printed page 37249) speculative and are interested in receiving comments on the anticipated likelihood of this outcome.

d. Other Affected Parties

Regulators and Compliance Examiners: Examiners required to verify whether CIP obligations are being followed by PPSIs would be directly affected by the proposed rule.^[140] In a separate rulemaking, FinCEN is proposing changes to its existing regulations to effectuate the GENIUS Act's direction to apply BSA obligations to PPSIs.^[141] FinCEN's PPSI AML/CFT NPRM includes a proposal to (1) amend 31 CFR 1010.810(b) to delegate examination authority to the primary Federal payment stablecoin regulators (the Agencies) and (2) assert that its existing regulations delegates examination authority to the IRS for the SQPSIs.^[142] As a function of the proposal in that NPRM, this proposed rule is expected to directly affect FinCEN as well as the primary Federal payment stablecoin regulators, i.e., the Agencies, and their compliance examiners, who number approximately 7,500 from the Agencies, plus several hundred additional examiners from the IRS.^[143]

Law Enforcement and National Security Agencies: Law enforcement and national security agencies can directly access and use reports provided to FinCEN in compliance with the AML/CFT requirements after entering a memorandum of understanding with FinCEN. As of fiscal year 2024, 432 federal, state, and local law enforcement; regulatory; and national security agencies had access to BSA reports and BSA Search, and the BSA Portal had over 12,000 authorized personnel with access.^[144] While CIP obligations do not include express reporting requirements that would provide data directly to law enforcement or regulators, they support overall AML/CFT obligations and are complementary to the direct benefits of those programs for law enforcement. For instance, effective CIP practices include retaining standardized records that may support future law enforcement and national security needs and may improve the efficacy of certain types of BSA reporting, such as SARs, by providing PPSIs with additional data on existing or potential customers.

iii. Current Market Practices

In considering the impact of the proposed rule, FinCEN and the Agencies considered certain relevant features and CIP practices of current stablecoin issuers that could meet the proposed definitional criteria of PPSI.

In defining current practices, it is first important to distinguish stablecoins in general from the narrower concept of a payment stablecoin as defined by the GENIUS Act. As discussed earlier, stablecoins that carry indicators they could be payment stablecoins are only a subset of the overall market of stablecoins, although they represent ( printed page 37250) over 80 percent of the total market value.^[145] Payment stablecoins have several features that make CIP compliance more practical for their issuers. Most importantly, PPSIs are likely to have a centralized issuance structure in which the issuer is obliged to redeem upon demand the advertised fixed value for every coin issued. As opposed to decentralized issuance structures, where users can anonymously mint, trade, and redeem their own coins on a decentralized blockchain largely free of any third-party interface, centralized issuance structures allow a collection point for customer information and transaction records for primary-market transactions.

In order to collect, screen, and store customer information in the course of business, stablecoin issuers and other financial market participants often employ software technologies especially suited for this purpose. These third-party services provide customer identity information verification and screening to collect and verify personal information such as name or address, and to identify whether someone wishing to open an account is on a list of known or suspected terrorists or terrorist organizations, among other functions. These activities may be performed in the ordinary course of business but are also expected to occur because stablecoin issuers have AML/CFT program obligations as MSBs.^[146]

Many of the stablecoin issuers evaluated by FinCEN tended to retain the same group of large “core” primary market customers year over year, but exhibited significant turnover among smaller primary market customer institutions focused on market arbitrage or other short-term trading opportunities. Turnover rates were particularly high among issuers whose business models facilitated larger numbers of primary market customers. Stablecoin issuers such as this may see several thousand new primary market participants in a given year, indicating that such issuers are likely to have automated know your customer functions to facilitate large numbers of new customers. Smaller or more centralized issuers generally experienced far fewer numbers of new customers (although retention or growth may be similar from a percentage standpoint), indicating that processes may be more manual. Overall, most issuers saw significant growth in their primary market customer base during 2025, possibly a result of increased adoption rates and greater regulatory clarity following the passage of the GENIUS Act.

3. Description of Proposed Requirements

For purposes of the RIA, FinCEN and the Agencies considered the various components of the proposed rule with a view towards the specific features or elements that are expected to generate, either directly or indirectly, an economic benefit or cost or lead to changes in a market participant's incentives in a way that may generate economic benefits or costs.^[147] For completeness, this section presents a brief review of all of the components of the proposed rule and sorts those not anticipated to have a separable incremental effect from those foreseeably expected to impose direct economic effects. The latter are then further discussed in the following subsection (VIII.A.4). For components of the proposed rule that FinCEN and the Agencies' analysis has not assigned a quantified burden (in hours or dollars), the reason for doing so is briefly explained in the description of expected costs.^[148]

To balance the completeness of the RIA with the desire for expositional clarity and ease of tractability between the proposed regulatory text and sections V (Section-by-Section Analysis) and VIII (Regulatory Impact Analysis), FinCEN and the Agencies have included Table 3, to provide a mapping of the various components of the proposed rulemaking as presented in section V to their analogous categorization in the RIA.

i. New Definitions

As discussed in greater detail in section V.A, FinCEN and the Agencies propose adding three new terms “account,” “customer,” and “digital asset service provider” to the proposed new PPSI part of its regulations, 31 CFR 1033.100.^[149] The definitions are proposed for purposes of this CIP and would only apply to the CIP obligation unless otherwise expressly noted.^[150]

ii. New Requirements

As discussed in section V above, FinCEN and the Agencies are jointly proposing a rule to implement the GENIUS Act's directive that PPSIs maintain an effective CIP.

The proposed rule would require that a PPSI's CIP include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must enable the PPSI to form a reasonable belief that it knows the identity of each customer. The procedures must be based on the PPSI's assessment of the relevant risks, including those presented by the various types of accounts maintained by the PPSI, the various methods of opening accounts provided by the PPSI, the various types of identifying information available, and the PPSI's size, location, and customer base.

The proposed rule would require a PPSI to obtain the following information prior to opening an account: (1) name; (2) date of birth, for an individual; or ( printed page 37254) date of formation, for a person that is not an individual; (3) address (a residential and mailing address for individuals, or principal place of business, local office, or other physical address and mailing address for a person other than an individual); and (4) an identification number.

The proposed rule would require that the CIP contain procedures for verifying the identity of each new customer, using information obtained from the customer, within a reasonable period of time after the customer's account is opened. The procedures must describe when the PPSI would use documents, non-documentary methods, or a combination of both methods.

The proposed rule states that if the PPSI is relying on documents, then the CIP must contain procedures that set forth the documents that the PPSI would use. For an individual, the PPSI could use an unexpired government-issued identification evidencing nationality or residence that contains a photograph or similar safeguard, such as a driver's license or passport. For a person other than an individual, such as a corporation, partnership, or trust, the document must show the existence of the entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or a trust instrument.

For a PPSI relying on non-documentary methods, the CIP must contain procedures that set forth the non-documentary methods the PPSI would use. These methods may include, but are not limited to, contacting a customer; independently verifying the customer's identity through the comparison of information provided with respect to the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; or obtaining a financial statement.

FinCEN and the Agencies believe that while the majority of customers may be verified through documentary and non-documentary methods, there may be instances where this is not possible. The risk that the PPSI would not know the customer's true identity may be heightened for certain types of accounts, such as an account opened in the name of a corporation, partnership, or trust that is created or conducts substantial business in a jurisdiction that has been designated by the United States as a primary money laundering concern or has been designated as non-cooperative by an international body.

The proposed rule states that the PPSI's CIP would be required to include procedures for responding to circumstances in which the PPSI cannot form a reasonable belief that it knows the true identity of a customer. These procedures should describe: (1) when the PPSI should not open an account; (2) the terms under which a customer may use an account while the PPSI attempts to verify the customer's identity; (3) when the PPSI should close an account after attempts to verify a customer's identity fail; and (4) when the PPSI should file a SAR in accordance with applicable law and regulation.

The proposed rule states that the CIP must include procedures for making and maintaining a record of all information obtained under procedures implementing the CIP. This is consistent with the requirement of 31 U.S.C. 5318( l)(2)(B) that CIPs include procedures for maintaining records of the information used to verify a person's identity, including name, address, and other identifying information. At a minimum, proposed § 1033.220(a)(3)(i) requires that the record must include: (1) all identifying information about a customer obtained under the CIP; (2) a description of any document relied on to verify the identity of the customer under the CIP, noting the type of document, any identification number contained in the document, the place of issuance, and if any, the date of issuance and expiration date; (3) a description of the methods and results of any measures undertaken to verify the identity of a customer; and (4) a description of the resolution of each substantive discrepancy discovered when verifying the identifying information obtained.

Additionally, the proposed rule states that a PPSI must retain the identifying information about a customer obtained under § 1033.2210(a)(3)(i)(A) of the proposed rule for five years after the date the account is closed, and the information regarding the verification of a customer's identity records collected under paragraphs (a)(3)(i)(B), (C), and (D) of this section for five years after the record is made.

Consistent with 31 U.S.C. 5318( l)(2)(C), the proposed rule outlines that the CIP would be required to include reasonable procedures for determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by Treasury in consultation with the Federal functional regulators. The procedures must require the PPSI to make such a determination within a reasonable period of time after the account is opened, or earlier if required by another Federal law or regulation or Federal directive issued in connection with the applicable list. The procedures must also require the PPSI to follow all Federal directives issued in connection with such lists.

Lastly, the proposed rule states that the CIP would be required to include procedures for providing customers with adequate notice that the PPSI is requesting information to verify their identities. The proposed rule considers notice adequate if the PPSI generally describes the identification requirements of this section and provides such notice in a manner reasonably designed to ensure that a prospective customer is able to view the notice, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a PPSI may post a notice on its website, include the notice in its account applications, or use any other form of oral or written notice. The proposed rule provides a sample notice.

4. Anticipated Economic Effects

This section provides FinCEN's and the Agencies analysis of the expected costs and benefits of the proposed rule as attributed to the elements of the regulation with foreseeable incremental effects. While not all costs and benefits are readily quantifiable, in this analysis FinCEN and the Agencies have sought to include an evaluation of certain foreseeable non-quantified economic benefits in addition to quantified costs to more comprehensively assess the potential net benefit of the proposed rule and select alternatives.

i. Expected Benefits

The proposed rule aims to clarify and standardize CIP requirements across all issuers of payment stablecoin that apply and are granted registration as PPSIs. This standardized obligation across all types of PPSIs would also harmonize the CIP obligations for payment stablecoin issuers with those applicable to other types of covered financial institutions, including banks. By standardizing CIP requirements for PPSIs, the potential for PPSIs to exploit opportunities to engage in regulatory arbitrage may be reduced. As discussed in section VIII.A.1, the expected economic benefits of the proposed rulemaking hinge on its ability to reduce the potential exploitation of this arbitrage as well as reducing the inefficiencies that the positive externalities of effective customer identification practices and the negative externalities generated by insufficient customer identification and ( printed page 37255) recordkeeping engender. A more even regulatory playing field might also remove the risk of potential inefficient overinvestment or socially costly underinvestment in the level of customer identification that could otherwise be attributable to regulatory uncertainty. Moreover, such standardization avoids the creation of regulatory gaps that criminals can exploit.

While these anticipated benefits are more difficult to quantify than the costs, the proposed rule is nonetheless expected to generate value insofar as risk-based, effective CIPs can contribute to the detection and deterrence of money laundering and terrorist financing and support broader BSA policy goals. A PPSI's efforts to obtain and verify the identity of account holders or respond to circumstances in which the PPSI cannot form a reasonable belief that it knows the true identity of a customer would help reduce the ability of money launderers, criminals, and other illicit finance actors to access U.S. financial markets through PPSIs. Maintaining records would enhance PPSI's internal compliance efforts and aid PPSI and enforcement personnel in detecting and taking measures to prevent potential illicit finance activity. Establishing a CIP with these elements would help PPSIs systematize, and in some cases automate, practices that facilitate the detection of attempted financial crimes and ensure that PPSIs have effective practices for identifying and verifying the identities of their customers and prospective customers. Insulating this financial market from abuse by bad actors of potentially significant social and monetary value is essential to its growth and longevity and protects the integrity of the broader U.S. financial system.

ii. Expected Costs

This section assesses the foreseeable costs to the respective parties expected to be incrementally economically impacted by the proposed rule.^[151] This section is organized as follows. First, it estimates select cost profiles likely to be incurred by PPSIs, including both start-up costs and recurring administrative and maintenance costs based on relevant cost information associated with each identified category of required compliance activity. The discussion of expected costs then describes potential costs to PPSI customers and concludes with an estimate of government implementation costs for oversight and enforcement.

The sum of the proposed rule's expected incremental quantified costs (unadjusted) over a multi-year time horizon are presented in Table 4.^[152] This includes expected costs to a static population of 50 PPSIs of approximately $284,000 in the first year, and an average of approximately $239,000 in each year thereafter; ^[153] expected costs to an anticipated PPSI customer base that increases by 65 percent year over year of approximately $1.0 million annually in the first year, and approximately the same amount each year thereafter; ^[154] and expected costs to the government of approximately $982,000 in the period leading up to the first effective year of the final rule, approximately $1.3 million in the first effective year, and approximately $913,000 per year thereafter. In total, the quantified economic costs of the proposed rule would amount to an average burden of approximately $2.3 million per year once a final rule became effective. FinCEN and the Agencies invite comment on whether the analysis of the average costs for each component of the CIP as outlined in section VIII.A.4.ii.a is an accurate reflection of the cost faced by issuers of products that may be considered payment stablecoins. In addition, FinCEN and the Agencies request comment on whether there are any additional cost categories that FinCEN and the Agencies have failed to consider.

a. PPSIs

1. Establishing and Maintaining a Written CIP

The proposed rule would require a PPSI to establish and maintain a CIP aligned with, and integrated into, its broader risk-based and reasonably designed AML/CFT program. As described in section VIII.3.ii, a PPSI must also use this approach to establish and maintain a well-designed, written CIP that establishes and maintains the operational framework for executing effective identity verification.

If an entity that becomes a PPSI does not already have a CIP that is consistent with the proposed rule's requirements, that prospective PPSI would have to newly establish or else modify its existing customer identification practices. Creating or modifying the policies and procedures detailed in the CIP would entail costs for these entities. Such entities may incur costs both while implementing new or modified policies and procedures, as well as when newly programming, or modifying existing programming of, their automated systems and testing those ( printed page 37256) systems. These costs are expected to be significantly lower for PPSIs that are subsidiaries of insured depository institutions, which are currently required to have established procedures in place for obtaining identifying information of customers in compliance with BSA requirements.^[155] By contrast, other PPSIs are less likely to have policies and procedures in place that meet the minimum requirements in the rule, and are therefore expected to face higher up-front CIP implementation costs.

These design, implementation, documentation, and maintenance costs are distinct from similar costs to establish and maintain the PPSI's overall AML/CFT program but would generally be expected to be guided by the same principles of risk-based, allocatively efficient construction. As such, CIP implementation costs are expected to vary not just by whether a PPSI is affiliated with or is an institution with a CIP obligation, but also by the nature of the types of accounts the PPSI maintains, the methods it provides to open an account, the types of identifying information available from customers, and the PPSI's own unique size, location, and customer base. However, to simplify the remainder of the analysis, FinCEN and the Agencies distinguish primarily between PPSIs affiliated with a insured depository institution or “IDI” (referred to for simplicity as “IDI-subsidiary PPSIs”) and PPSIs that are not affiliated with a subsidiary of an insured depository institution (referred to for simplicity as “non-IDI subsidiary PPSIs”) in developing compliance-related expected cost profiles. FinCEN and the Agencies request comment on the share of PPSIs that would likely already have CIPs established and would therefore not incur the full costs associated with establishing and maintaining a CIP.

The average burden, measured in time, for a non-IDI subsidiary PPSI to establish and maintain a written CIP that encompasses all the regulatory elements as grouped and described in section VIII.A.3 above is expected to range between approximately 20 to 30 hours per firm (an average of 25 hours per firm). For IDI-subsidiary PPSIs, these activities are expected to require about ten to 15 hours per firm (with an average of approximately 12 hours per firm) in the first year, depending on each institution's existing digital infrastructure. For both PPSI types, FinCEN estimates annually, on average, this activity would take approximately ten hours in subsequent years.

CIP establishment and maintenance activities would therefore be expected to result in an incremental cost of approximately $3,115 per non-IDI subsidiary PPSI, $1,495 per IDI-subsidiary PPSI,^[156] and a total collective cost of approximately $107,139 in the first year after the proposed rule is finalized.^[157] In each subsequent year, ongoing establishment and maintenance is expected to result in an average cost of approximately $1,246 per PPSI, and a total average annual cost of approximately $62,290 for 50 PPSIs.^[158]

2. Obtaining and Verifying Customer Identification Information

The proposed rule would require a PPSI's CIP to include the collection of certain information prior to opening a new account. This information would include, at a minimum, the name, date of birth, address, and identification number of each customer opening new accounts. Centralized stablecoin issuers already obtain identifying information from customers, such as their names and addresses, since most issuers need to uniquely identify each of their customers operationally and these particular forms of personally identifiable information are common ways of doing so. Therefore, the associated incremental cost of compliance with the requirement is expected to be relatively small for all PPSIs.

Despite this, some new costs for PPSIs can be anticipated because some may not be obtaining all the information required by the proposed rule or doing so consistently. These issuers would face additional costs in collecting this information and updating their account opening applications to insert procedures requesting that customers provide the required information.

The proposed rule would further require a PPSI's CIP to include procedures to verify the identity of each customer and would provide issuers with multiple possible methods to do so, which would mitigate the costs of such activities.^[159] For example, depending on the procedures implemented—including through documentary or non-documentary methods, as provided by the rule—and based on the issuer's assessment of the relevant risks, customers that open accounts with an issuer may simply provide a copy of documents showing its existence as a legal entity. Alternatively, issuers may, for example, obtain a financial statement from the customer or compare the information provided by the customer with information obtained from a consumer reporting agency or public database.

The documentary and non-documentary verification methods set forth in the proposed rule to verify the identities of customers are not meant to be an exclusive list of the appropriate means of verification. Other reasonable methods may be available now or in the future. The purpose of making the rule flexible in this regard is to allow payment stablecoin issuers to select verification methods that are reasonable and practicable. Methods that are appropriate for an issuer with a small, familiar customer base may not be sufficient for an issuer with more customers from many different geographic regions. The proposed rule recognizes this fact and, therefore, allows an issuer to employ such verification methods as would be suitable to form a reasonable belief that it knows the true identities of its customers.

FinCEN and the Agencies recognize that obtaining and verifying the identity of each customer would result in incremental costs for many PPSIs if these firms currently do not use verification methods or do not verify identities in a way that is consistent with the proposed rule's requirements. ( printed page 37257) FinCEN and the Agencies also note that this requirement for customer identification information collection and verification, which is applied to all customers equally, is distinct from the requirements to conduct customer due diligence as required in the accompanying proposed rule on AML/CFT program requirements for PPSIs. Unlike generalized CIP collection and verification, that due diligence requires prioritized, risk-based screening based on factors identified by the PPSI.

As discussed earlier, FinCEN estimates that the “average” PPSI would have approximately 1,000 legal entity clients that it interacts with directly.^[160] The proposed requirements do not require PPSIs to collect information on existing customers,^[161] and therefore FinCEN only estimate incremental costs for collecting information on new customers. As described earlier, FinCEN and the Agencies used public data on on-chain minting and redemption activity to examine annual rates of customer growth and turnover, and estimate that the average new customer rate is 65 percent of the number of existing customers. Therefore, FinCEN expects the average PPSI to collect information on approximately 650 new customers per year.

Due to the wide range of models employed by issuers, FinCEN and the Agencies acknowledge a range of costs for customer information collection and verification. However, nearly all stablecoin issuers already collect significant customer information on primary market customers in the ordinary course of business. Nevertheless, the customer information collection requirements in this proposal may still entail a relatively small incremental burden on a per-customer basis for non-IDI subsidiary PPSIs, which may be inherently less familiar with CIP information collection requirements than banks. Nearly all primary market customers interfacing with stablecoin issuers directly are legal entities, and FinCEN estimates that non-IDI subsidiary PPSIs would require an average of three minutes collect any additional required information from each customer. For IDI-subsidiary PPSIs, more streamlined incremental information collection processes associated with the existing CIP program of the parent company can be anticipated. For this reason, FinCEN estimates an average time to correspond with each customer and collect the required information of two minutes. For small PPSIs, FinCEN and the Agencies conservatively assume it would take three minutes per PPSI to collect information from each customer.

In summary, FinCEN expects that the collection of customer information to comply with the proposed rule would cost approximately $4,049 per non-IDI subsidiary PPSI, or a total of $80,977 annually. For IDI-subsidiary PPSIs, FinCEN and the Agencies expect a per-firm cost of approximately $2,699, which results in approximately $80,977 annually for all firms of this type.^[162] Table 5 below provides a comparative summary of these costs for each PPSI type.

3. Recordkeeping

The proposed rule requires certain records to be retained for a five-year period following the creation of the record ^[163] and others to be retained for five years following an account closure.^[164] While FinCEN and the Agencies generally expect PPSIs to utilize the same technological infrastructure to securely store CIP-specific records as they would all other business/operation-related data, it is nevertheless foreseeable that some incremental costs might accrue. To allow for this, FinCEN includes a PRA recordkeeping cost for non-labor, technology costs that include an annual $100 baseline storage cost for each PPSI and a per-record cost of $0.10 associated with storing customer records.^[165] Based on an estimate of 650 new customers per PPSI per year, the corresponding incremental storage cost would be $165 per PPSI per year, or an aggregate total of $8,250 annually for a population of 50 PPSIs.

4. Comparing Customers With Government Lists

The proposed rule would require a PPSI's CIP to include reasonable procedures for determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by Treasury in consultation with the Federal payment stablecoin regulators. Such a list has not yet been issued.

Nevertheless, similar list-checking activities should already be industry practice by stablecoin issuers and other financial institutions that are U.S. persons because an obligation already exists for such U.S. persons to check their customers against the Specially Designated Nationals (SDN) List administered by OFAC. While the burden associated with this evaluation of customers against the SDN List is also considered as part of the separate proposed rule to impose AML/CFT program and sanctions compliance program requirements on PPSIs,^[166] failure to comply with current obligations, such as by engaging in appropriate customer screening, could result in criminal or civil penalties for a stablecoin issuer.

Since a list as described in proposed § 1033.220(a)(4) has not yet been issued, and to a certain extent the prospective requirement to compare customers ( printed page 37258) against a future list reinforces existing market practices, the cost resulting from this requirement is currently expected to be de minimis.

5. Providing Notice to Customers

The proposed rule would require a PPSI's CIP to include procedures for providing its customers with adequate notice that the issuer is requesting information to verify their identities.^[167] Proposed § 1033.220(a)(5)(ii) sets forth general adequacy standards for the content of a notice and states that notice may be provided in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account. For example, if an account is opened electronically, such as through an internet website, the issuer may provide notice electronically. Because the notice is a standardized disclosure included with all applications, FinCEN does not anticipate a per-customer burden, but rather a one-time upfront cost to add the notice to application materials. FinCEN also allows for an average one-hour ongoing annual burden to review and update the notice if necessary. Because proposed § 1033.220(a)(5)(iii) provides sample notice text, the expected burden of preparing or revising the textual content of a PPSI's notice is expected to take proportionately less time and effort than a PPSI's other presentation-related business-specific decisions, such as location (as banner text online, inline on a form, etc.) and accessibility (including formatting, number of languages/translations to provide, number of distinct locations, methods of messaging, and platforms to place notice), among other attributes, which FinCEN and the Agencies expect to be informed by a PPSI's approach to risk-based and reasonably designed programs, generally.

FinCEN estimates that the average annual cost for this activity would be approximately $124.58 per PPSI, yielding an aggregate average annual cost of approximately $6,229 for 50 expected PPSIs.^[168]

b. PPSI Customers

As presented above in section VIII.A.2.ii.b, the typical stablecoin issuer that could be considered a payment stablecoin issuer would have approximately 100 legal entity clients that it interacts with directly and the population of unique prospective PPSI customers that could be affected parties as U.S. legal persons is no more than 10,000. As described in section VIII.A.2.ii.b, these non-individual persons, legal entities, or other businesses belong to several categories, including digital exchanges, specialized digital commodities traders, and other types of investment- and securities-related businesses that, aside from digital exchanges, would generally all be classified under NAICS code 523 (“Securities, Commodity Contracts, and Other Financial Investments and Related Activities”). Accordingly, $102.54 was used to estimate hourly costs to PPSI customers.^[169]

FinCEN estimates that PPSI customers, which are mostly financial institutions engaged in trading a broad range of stablecoin products as part of their investment portfolios, or exchanges seeking to provide off-chain liquidity to retail customers for a similarly broad range of stablecoin products, will likely initiate at least one new primary market relationship each year, although this frequency may fluctuate. In order to generate a conservative estimate, FinCEN and the Agencies assume for purposes of this analysis that all primary market participants would be required to provide this information at least once during the course of business in a given year when interacting with a new PPSI, while acknowledging significant uncertainty around this estimate. FinCEN and the Agencies request public comment on this assumption.

Assuming that 10,000 customers would spend, on average, approximately one hour to collect, review, and transmit the required customer identification information to its PPSI counterparties each year, this would imply that costs to PPSI customers could be as much as $1.03 million annually.

This estimate is highly conservative and likely to overestimate the true incremental costs of the proposed CIP requirements to PPSI customers for a number of reasons. For one, it assumes that all primary market participants will be required to provide this information once during the course of business in any given year as a function of opening or attempting to newly open an account with a PPSI, which may not be true for many customers. Additionally, these costs may be included, or otherwise indistinguishable from customer costs attributable to other business reasons to collect and provide identifying information to a PPSI, including as necessary to satisfy a PPSI's general AML/CFT program requirements. Some customers may be required to submit information to identify themselves and support a PPSI's required verification activities, and in some cases, submit additional information about select key individuals associated with the customer in order for a PPSI to satisfy its separate needs to meet certain general AML/CFT program requirements and requirements unique to its CIP. However, the collection and production of this information by the customer is generally the same, or a highly overlapping, set of activities. Therefore, the customer costs presented here should not be treated as strictly additive to the customer costs articulated in FinCEN's rulemaking that proposes general AML/CFT program requirements for PPSIs.

c. Government Costs

To implement the proposed rule, FinCEN anticipates incurring certain operating costs that would include approximately $0.98 million in the year prior to the final rule's effective date, $1.35 million in the first effective year the rule is in effect, and approximately $0.91 million per average subsequent year. These estimates include anticipated expenses related to rulemaking and maintenance, stakeholder outreach and informational support, compliance monitoring, and potential enforcement activities as well as certain incremental increases to pre-existing administrative and logistic expenses.

FinCEN acknowledges that this treatment of cost estimates implicitly assumes that increased resources commensurate with any novel operating costs would exist. If this assumption does not hold, then operating costs associated with a rule may impose certain economic costs on the public in the form of opportunity costs from the agency's forgone alternative activities and those activities' attendant benefits. Putting that into the context of this proposed rule, and benchmarking against FinCEN's actual appropriated budget for fiscal year 2025 ($190,193,000),^[170] the corresponding opportunity cost could resemble forgoing up to 0.7 percent (0.5 percent) of current activities in the first year (each subsequent year) in which a final rule was effective. However, to the ( printed page 37259) extent that activities FinCEN would undertake as a function of the proposed rule would functionally substitute for or otherwise replace forgone activities, such an estimate likely overstates the potential economic costs to FinCEN and, consequently, the public.

These estimates do not include the potential costs borne by other regulators or entities engaged in informational outreach, examinations, or related supervisory actions of enforcement activities as a consequence of the proposal. Consequently, the cost estimates here may understate the burden of activities required to promote compliance with the rules as proposed and the full scope of government costs.

5. Consideration of Policy Alternatives

FinCEN and the Agencies considered several alternatives to the currently proposed version of the rule, but is limiting the presentation here to considerations where public response may be most useful. Some of the alternatives described below are scenarios that may have resulted in reduced burdens for PPSIs but would do so at the expense of forgone benefits or efficiency gains. Other alternatives would have resulted in more significant burdens. For the reasons described below, FinCEN and the Agencies decided not to propose any of these alternatives. FinCEN and the Agencies invite comment on these alternatives, and on any other alternatives that were not considered here.

i. Alternative Definitions of “Customer”

FinCEN and the Agencies considered adopting wider definitions of “customer” to encompass additional market activity, namely on the secondary market. While the PPSI AML/CFT NPRM does propose some requirements for PPSIs with regard to secondary market activity,^[171] this proposed rule limits customer information collection with regard to the CIP to primary market customers ( i.e., such as when a PPSI engages in issuing, converting, redeeming, repurchasing, burning, and reissuing payment stablecoins, as well as providing associated services, such as providing custodial services).^[172]

Collecting information on secondary market customers would have significant benefits, but is also practically challenging. Almost all (approximately 99 percent) of stablecoin transaction activity takes place on the secondary market. In addition to most transaction volume occurring in the secondary market, nearly all users of payment stablecoin products are secondary market users, as most large payment stablecoin issuers set significant financial requirements for primary market participants that exclude retail traders.

Despite this being the location of significant activity, and potentially significant risk, issuers have a limited ability to collect customer information on the secondary market. The secondary market includes both “on-chain” transactions (actual blockchain exchanges of digital assets) and “off-chain” transactions (ledger/book transactions made by third-party exchanges for which no evidence appears on the blockchain). Market participants tend to use the two types of secondary trading for different purposes. On-chain transactions typically include digital asset transactions (such as arbitrage trading or institutional flows) and a small portion of direct payments for purposes like remittances across international borders. Off-chain transactions are where most retail trading takes place. The ratio of on-chain to off-chain transaction activity varies significantly by product, but in the aggregate, a majority of transaction volume for likely payment stablecoin products occurs off-chain.^[173] Even for products where most transaction volume occurs on-chain, a majority of the actual economic value for these products is typically held in the wallets of exchange providers for off-chain trading. For either type of activity, it is most often the case that no customer information is collected in secondary market transactions by the stablecoin issuer itself.

Many exchange operators facilitating off-chain activity collect customer information in a manner similar to the information collected by issuers for their primary market customers. However, exchanges rarely share this information with issuers. For secondary market customers trading stablecoins on the blockchain itself, identities are often anonymous or pseudonymous. Blockchains are by nature decentralized algorithms, so there is often no central collection point at which identifying information is collected.

This being the case, FinCEN and the Agencies opted to confine the definition of customer for the purpose of customer information collection under the proposed rule to those undertaking primary market transactions directly with the issuer.

ii. Alternative Information Requirements

Another alternative that FinCEN and the Agencies considered was requiring customers to provide additional information beyond what is required by the proposed rule. The proposed rule would require issuers to collect, at a minimum, the name, address, and government-issued identification number or incorporation document for legal entity customers. For instance, FinCEN and the Agencies might have required customers to provide any blockchain wallet addresses associated with a legal entity, incorporation or tax documents, or certain identifying financial information such as account numbers. However, FinCEN and the Agencies opted not to require these items for several reasons. First, many issuers already collect this additional information in the ordinary course of business, and are best situated to determine what, if any, additional information is necessary to make risk-based decisions about a customer. Second, the absence of this information does not exempt an issuer from the responsibility to assess the money laundering and terrorist financing risks associated with a customer or their transactions. Given this broader programmatic obligation, little may be lost in letting it remain the issuer's prerogative to determine when or whether such additional information is necessary.

iii. Size-Related Alternatives

FinCEN and the Agencies considered modifying the proposed rule's requirements for small payment stablecoin issuers or establishing an asset threshold for certain compliance obligations of payment stablecoin issuers that are not bank subsidiaries. As discussed in more detail in the IRFA (section VIII.C.1.ii.b), FinCEN utilizes a threshold of $200 million in total reserve assets to identify small payment stablecoin issuers that are not subsidiaries of insured depository institutions. FinCEN and the Agencies considered using this threshold as a tailoring benchmark, whereby issuers under the threshold would be allowed ( printed page 37260) to apply for PPSI status under lessened CIP standards designed to reduce compliance cost. However, FinCEN and the Agencies opted against this alternative. Creating some category of PPSI subject to lessened CIP requirements would conceivably result in the targeting of these issuers by illicit actors seeking to circumvent regulatory scrutiny. Further, FinCEN's analysis indicates that most technology services that enable customer information collection as described here are highly scalable, allowing small issuers to readily identify and employ more cost-effective options.

B. Executive Orders 12866, 13563, and 14192

E.O. 12866 directs agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, and public health and safety effects; distributive impacts; and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, reducing costs, harmonizing rules, and promoting flexibility. E.O. 13563 also recognizes that some benefits are difficult to quantify and provides that, where appropriate and permitted by law, agencies may consider and discuss qualitatively values that are difficult or impossible to quantify.

This proposed rule has been designated a “significant regulatory action” under E.O. 12866; accordingly, it has been reviewed by OMB.

This action, if finalized, is expected to be considered an E.O. 14192 regulatory action.

C. Regulatory Flexibility Analysis

When an agency issues a proposed rulemaking, the RFA requires the agency either to provide an IRFA with a proposed rule or certify that the proposed rule would not have a significant economic impact on a substantial number of small entities.

1. FinCEN IRFA

Because the proposed rule may have a significant economic impact on a substantial number of certain types of PPSIs that may qualify as small entities, FinCEN undertook the following analysis. In the event that FinCEN has potentially overestimated the anticipated scope and significance of the economic burden of the proposed rule on small entities, and certification would instead be more appropriate, comments to this effect—including studies, data, or other evidence—are invited.

i. The Proposed Rule: Objectives, Description, and Legal Basis

The proposed rule would implement FinCEN's regulations that prescribe the minimum requirements for CIPs for PPSIs as described earlier in section V.

The legal basis for the proposed rule is the GENIUS Act.^[174] The GENIUS Act creates a regulatory framework for payment stablecoins in the United States.^[175] Under the GENIUS Act, it generally will be unlawful for any person other than a PPSI to issue a payment stablecoin in the United States.^[176] The GENIUS Act outlines certain reserve, capital, liquidity, and risk management requirements for PPSIs and tasks implementing those requirements to the Agencies, and, as applicable, State payment stablecoin regulators.^[177]

The GENIUS Act requires that a PPSI “be treated as a financial institution for purposes of the Bank Secrecy Act, and as such, shall be subject to all Federal laws applicable to financial institutions located in the United States relating to economic sanctions, preventing money laundering, customer identification, and due diligence.” ^[178] In addition to its general directive, the GENIUS Act specifies that a PPSI's obligations must include maintenance of an effective CIP, including identifying and verifying the PPSI's account holders.^[179]

The proposed rule would implement the GENIUS Act by proposing a requirement for PPSIs to maintain an effective CIP, including identification and verification of account holders. It includes requirements related to documenting customer verification procedures, requisite customer information, required recordkeeping, comparison with government lists, and customer notification.

ii. The Expected Impact on Small Entities

The expected impact of the rule on small entities varies across three distinct types of PPSIs: those that are subsidiaries of insured depository institutions; FQPSIs; ^[180] and SQPSIs.^[181] FinCEN has incorporated the Agencies' RFA analyses with respect to their nexuses with these respective types and limited its own further analysis below to the remaining potential future PPSIs that it anticipates. As the proposed rulemaking may also affect the small entities that are customers of PPSIs, this population was also subject to IRFA requirements and is included in section VIII.C.1.ii.c below.

a. Small PPSIs Considered by the Agencies

Analyses of the expected impact on PPSIs that would be subject to their jurisdiction were conducted by each of the Agencies and are appended with their respective certifications in sections VIII.C.2, 3, 4, and 5 below.

b. Other Potential Small PPSIs

The U.S. Small Business Administration (SBA) definition of “small entity” as defined in 13 CFR 121.201 includes businesses, nonprofits, and small government entities with fewer than 50,000 residents.^[182]

Based on analysis of the distributional data separately analyzed by FinCEN in the IRFA accompanying the PPSI AML/CFT NPRM, FinCEN considered applying a functional definition of “small entity” for purposes of this IRFA that would correspond closely to the 80th percentile threshold, which was rounded to $200 million for convenience in that proposed rule and is requesting comment on the appropriateness of the $200 million threshold in both that NPRM and this proposed rule.

The proposed $200 million threshold would capture approximately 76 percent of current stablecoin issuers that meet the GENIUS Act definitional criteria to be eligible for potential future PPSI status. That is, of the pre-GENIUS Act population of 25 stablecoin issuers that may be eligible to meet the GENIUS Act's definitional criteria for future PPSIs (see Table 1), 19 had fewer than $200 million in total circulating payment stablecoin product values. Together, these 76 percent of current ( printed page 37261) stablecoin issuers hold less than one percent of aggregate market average total assets.

To examine the expected impact of the proposed rule on small entities, FinCEN used two steps: the first step was to estimate the total number of potential future small entities that would be affected by the proposed rule, and the second step was to estimate the significance of this impact on those entities.

In order to contextualize the relative significance of costs associated with the proposed rule for small PPSIs, FinCEN used estimates of total assets to estimate likely revenues for such issuers. Stablecoin issuers generally derive revenue from investment returns on their reserve holdings. As described in the GENIUS Act, PPSIs would be permitted to invest reserve funds in several different types of asset classes, including government-backed securities. Based on prevailing interest rates, FinCEN assumed issuers would likely receive returns of about five percent on invested funds. While actual returns may fluctuate and fall below or above this estimate, this value represents an benchmark for estimation purposes. To validate this assumption, FinCEN examined actual revenue values as reported by current stablecoin issuers and compiled in quarterly MSB Call Report data. While five percent of total assets was generally within the same order of magnitude to actual reported revenue, actual revenues often exceeded five percent.

Returns in excess of prevailing rates for government-issued fixed income securities can be due to several factors. First, stablecoin issuers often “over collateralize” their products, meaning that they hold larger reserve portfolios than are required to redeem every coin at par value. This practice helps protect from market fluctuations and affords issuers greater flexibility during times of financial stress. In such cases, stablecoin issuers have reserve portfolios that are larger than the circulating value of their products, leading to returns in excess of those implied by multiplying their circulating value by prevailing rates of return for common reserve investments. Stablecoin issuers may also invest excess reserves in higher-yielding products or loans whose rates of return exceed those of government-backed securities. In addition to this, several other factors might lead to larger returns. For example, stablecoin issuers may offer certain fee-based services to customers, and may account for certain unrealized gains as revenue, increasing reported revenue levels.

Bearing these factors in mind, FinCEN retained five percent of total assets as a reasonable benchmark for revenue. This parameter was chosen in order to retain an estimate of revenue that does not minimize costs or possible fluctuations in returns. In other words, by using a conservative but realistic estimate, FinCEN avoids underestimating the relative impact of compliance costs associated with the proposed rule. FinCEN requests comment on the appropriateness of using five percent of total reserve assets as an estimate of these firms' revenue.

In section VIII.A.4.ii, FinCEN discussed the expected incremental costs of compliance with the proposed rule for PPSIs. As that section detailed, the incremental first-year costs of the proposed CIP requirements for PPSIs not covered by the Agencies' analyses are expected to be approximately $7,500 per PPSI in the first year, and approximately $5,600 in the average subsequent year.

At this time, FinCEN assesses that there is insufficient data to forecast with meaningful precision the proportion of the total population of potential future PPSIs that would resemble current stablecoin issuers that would qualify as small entities or to consider the potential economic significance of the proposed CIP requirements differentially by type. FinCEN has therefore provided the analysis in Table 5 for illustrative purposes only to facilitate an assessment of how economically significant the proposed CIP requirements might be if future small PPSIs were comparable to current stablecoin issuers whose products meet the GENIUS Act's definitional criteria for a future payment stablecoin. Comments and data are invited to assist analyzing the potential effects of the proposed CIP requirements on small PPSIs, particularly those that would not be the subsidiaries of insured depository institutions.

c. Small Business Customers of PPSIs

In addition to these entities, FinCEN expect that the proposed rule, if adopted, to have impacts on the primary market customers of PPSIs. Many of these entities, which include digital asset exchanges, specialized commodities traders, and other investment firms, are small businesses. Using the data described earlier,^[183] FinCEN estimates that there are approximately 300,000 primary market customers that interact directly with stablecoin issuers. However, FinCEN estimates that a substantial portion of these may be affiliates of a single counterparty or associated with non-U.S. entities. FinCEN estimates that the number of affected U.S. businesses is no more than 10,000. These businesses belong to several categories, including digital asset exchanges, specialized digital commodities traders, and other types of investment- and securities-related businesses. Aside from digital asset exchanges, FinCEN expects that nearly all of these firms would be part of the NAICS classifications under industry code 523 (“Securities, Commodity Contracts, and Other Financial Investments and Related Activities”).

( printed page 37262)

While a substantial number of these firms would be required to provide customer information to the PPSIs they wish to engage in direct transactions with, the cost of providing this information is expected to be de minimis relative to the average revenue of these firms.^[184] Therefore, while a substantial number of businesses may be providing information to PPSIs, FinCEN does not contemplate that this requirement would constitute a significant effect when considered in relation to their overall revenue.

iii. Other Matters: Duplicate, Overlapping, Conflicting, and Alternative Requirements

FinCEN is unaware of any existing Federal regulations that would overlap or conflict with the proposed rule. As discussed in section III, in a related, complementary rulemaking FinCEN is proposing to apply additional GENIUS Act and BSA obligations on PPSIs, including, for example, AML/CFT program requirements and suspicious activity reporting requirements. This rulemaking deals exclusively with a CIP requirement, which is not contained within the related, complementary rulemaking.

Additionally, FinCEN has considered certain alternatives to the proposed rule that take into consideration the expected costs and potential benefits to small entities. As discussed in greater detail in section VIII.A.5.iii, FinCEN considered modifying the requirements for small entities. As discussed in that section, FinCEN opted against this exclusion for several reasons. By creating some category of PPSI for small issuers that would be subject to lessened CIP requirements could conceivably lead to illicit actors who seek to circumvent regulatory scrutiny targeting these small issuers. Additionally, FinCEN analysis indicates that most technology services that enable customer information collection as described here are highly scalable, allowing small issuers to readily identify and employ more cost-effective options.

In addition, as discussed in greater detail in section VIII.A.5.ii, FinCEN also considered adopting additional information reporting requirements for new customers. Because some primary market customers of potential PPSIs may themselves be small businesses, such a requirement that expanded reporting requirements beyond what information is already provided in the ordinary course of business may have presented an incremental cost for some number of these small entities. However, as discussed in section VIII.A.5.ii, FinCEN opted not to augment these requirements. Many issuers already collect this additional information in the course of business, and are best situated to determine what, if any, additional information is necessary to support overall AML/CFT goals. As a result, FinCEN expect no incremental cost burden to small entity customers of potential PPSIs as a result of the requirements in the proposed rule.

2. OCC Certification

The proposal will apply to entities overseen by the OCC. The OCC currently supervises 997 institutions (national banks, Federal savings associations, and branches or agencies of foreign banks),^[185] of which approximately 609 are small entities under the RFA.^[186] In general, the OCC classifies the economic impact on an individual small entity as significant if the total estimated impact in one year is greater than five percent of the small entity's total annual salaries and benefits or greater than 2.5 percent of the small entity's total non-interest expense. Furthermore, the OCC considers five percent or more of OCC-supervised small entities to be a substantial number, and at present, 30 OCC-supervised small entities would constitute a substantial number.

In the OCC's NPRM published March 2, 2026, the OCC stated, “Given that all current OCC banks that issue stablecoins generally have issuance of over $1 billion and are not considered small entities and the lack of small entity stablecoin issuers, the OCC will need to wait for more information to determine whether it is likely that there will be a significant number of small entities affected by the proposed rule. At this time, the OCC does not expect that the proposed rule would have a significant impact on a substantial number of small entities under the RFA.” ^[187]

The OCC continues to expect that small entities will not be the initial adopters of this technology because of the compliance infrastructure and capital necessary to support stablecoin issuance. As such, the OCC anticipates that future FQPSIs would not be small entities as defined by the SBA (currently $850 million in assets for financial entities). Hence, the proposed rule would not have a significant impact on a substantial number of small entities ( printed page 37263) under the OCC's purview for purposes of the RFA.

3. Board IRFA

The Board is providing an initial regulatory flexibility analysis with respect to this proposal. The RFA requires an agency to consider whether the rules it proposes will have a significant economic impact on a substantial number of small entities. Under regulations issued by the SBA, a “small” entity includes a depository institution, bank holding company, or savings and loan holding company with total assets of $850 million or less.^[188] For purposes of this section, any reference to “small” entities is a reference to this definition.

In connection with a proposed rule, the RFA requires an agency to prepare an IRFA describing the impact of the rule on small entities, unless the head of the agency certifies that the proposed rule, if promulgated, will not have a significant economic impact on a substantial number of small entities and publishes such certification along with a statement providing the factual basis for such certification in the Federal Register . An IRFA must contain (1) a description of the reasons why action by the agency is being considered; (2) a succinct statement of the objectives of, and legal basis for, the proposed rule; (3) a description of, and, where feasible, an estimate of the number of small entities to which the proposed rule will apply; (4) a description of the projected reporting, recordkeeping, and other compliance requirements of the proposed rule, including an estimate of the classes of small entities that will be subject to the requirement and the type of professional skills necessary for preparation of the report or record; (5) an identification, to the extent practicable, of all relevant Federal rules which may duplicate, overlap with, or conflict with the proposed rule; and (6) a description of any significant alternatives to the proposed rule which accomplish its stated objectives and minimize any significant economic impact of the proposed rule on small entities.^[189]

The Board has considered the potential impact of the proposed rule on small entities in accordance with the RFA. Based on its analysis and for the reasons stated below, the Board believes that this proposed rule will not have a significant economic impact on a substantial number of small entities. Nevertheless, the Board is publishing and inviting comment on this initial regulatory flexibility analysis.

i. Reasons Why Action Is Being Considered by the Board

As explained above, this proposal implements the GENIUS Act's directives to treat PPSIs as financial institutions for purposes of the BSA and to require such issuers to maintain an “effective customer identification program, including identification and verification of account holders.” ^[190] The proposed rule would subject PPSIs to CIP requirements that are comparable to existing CIP requirements for other financial institutions, such as banks, broker-dealers, mutual funds, and FCMs and IBCs. It also would require a PPSI to tailor its CIP to that PPSI's size and type of business, as well as take into consideration the PPSI's risk based on its unique business—including the types of accounts it has, how those accounts are opened, and the identifying information available.

ii. The Objectives of, and Legal Basis for, the Proposal

The proposed rule would prescribe the minimum requirements for CIPs for PPSIs as described earlier in section V.

Section 4(a)(5)(A) of the GENIUS Act (12 U.S.C. 5903(a)(5)(A)) requires that a PPSI “be treated as a financial institution for purposes of the Bank Secrecy Act, and as such, shall be subject to all Federal laws applicable to financial institutions located in the United States relating to economic sanctions, preventing money laundering, customer identification, and due diligence.” ^[191] Additionally, section 4(a)(5)(A) specifies that a PPSI must maintain an effective CIP, and must identify and verify the PPSI's account holders.^[192]

The proposed rule would implement the GENIUS Act by proposing a requirement for PPSIs to maintain an effective CIP, including identification and verification of account holders. The proposed rule includes requirements related to documenting customer verification procedures, requisite customer information, required recordkeeping, comparison with government lists, and customer notification.

iii. Description of the Compliance Requirements of the Proposal and Estimate of the Number of Small Entities

The proposed rule would implement the GENIUS Act by proposing a requirement for PPSIs to maintain an effective CIP, including identification and verification of account holders. The proposed rule includes requirements for Board-supervised PPSIs of all sizes related to documenting customer verification procedures, requisite customer information, required recordkeeping, comparison with government lists, and customer notification. The compliance burdens are described in more detail in section VIII.A.4.ii above.

This NPRM is being issued jointly by FinCEN, along with the Board and other Agencies as applied to the PPSIs that each Agency supervises. The expected impact on PPSIs that are subject to the Board's jurisdiction is analyzed below.

The proposed rule would apply to (i) subsidiaries of insured State member banks that have been approved by the Board to issue payment stablecoins and (ii) State-qualified PPSIs that are uninsured State-chartered depository institutions that have transitioned to the Board's regulatory framework under section 4(d) of the GENIUS Act (12 U.S.C. 5903(d)). By definition, the proposed rule would only apply to a State-qualified PPSIs that have an outstanding issuance value of more than $10 billion, and accordingly, would not be considered small for the purposes of this IRFA. This analysis therefore focuses only on Board-supervised PPSIs that are subsidiaries of State member banks. The Board is not aware of any method of determining the identity, industry, or size of Board-supervised PPSIs that are subsidiaries of State member banks, given that there are no such entities at this time and it is difficult to predict how this market will develop. Further, SBA regulations do not provide small entity thresholds specific to PPSIs. As a result, this section of the IRFA discusses the size of the parent State member banks of such PPSIs. The Board believes this approach is appropriate because, under the GENIUS Act, an insured State member bank must have “control” of a Board-supervised PPSI.^[193]

( printed page 37264)

As of December 31, 2025, there were 703 insured State member banks.^[194] Of those institutions, 439 are considered small for the purposes of RFA.^[195] For this analysis, the Board estimates that between five and ten insured State member banks may, with the Board's permission, form a Board-supervised PPSI subsidiary in the first few years after the finalization of the proposed rule. Given the early stages of the payment stablecoin market, this range accounts for significant uncertainty regarding the volume of future participants. The population of Board-supervised PPSIs that are subsidiaries of State member banks could be higher or lower depending on market demand, strategic operational choices of insured State member banks and other institutions eligible to become PPSIs, and future developments in the digital landscape. By utilizing this range, the Board aims to establish an estimate that serves as the basis for evaluating the economic effects of the proposed rule, while acknowledging the inherent uncertainty resulting from a lack of historical precedent. The Board expects that the insured State member banks that are most likely to seek to form a Board-supervised PPSI subsidiary initially will be larger institutions with the compliance infrastructure and capital necessary to support a new business line to issue payment stablecoins. As such, the Board anticipates that most, if not all, insured State member banks with Board-supervised PPSIs would not be small entities as defined by the SBA. Even assuming the unlikely scenario that all, i.e., the upper-bound number of ten insured State member banks, would be small and that all ten insured State member banks would be significantly impacted by the proposed rule, these impacted entities would comprise a very small percentage of small insured State member banks.

iv. Consideration of Duplicative, Overlapping, or Conflicting Rules and Significant Alternatives to the Proposal

The Board has not identified any Federal statutes or regulations that would duplicate, overlap, or conflict with the proposal. The Board is seeking comment on certain potential alternative approaches to discrete aspects of the final rule, as discussed elsewhere in this proposal, most of which would not significantly change the estimated economic impact of the proposed rule.

vi. Conclusion

Based on its analysis and for the reasons stated above, the Board believes that the proposed rule is unlikely to have a significant economic impact on a substantial number of small entities. The Board welcomes comment on all aspects of its analysis. In particular, the Board requests that commenters describe the nature of any impact on small entities and provide empirical data to illustrate and support the extent of the impact. Additionally, the Board requests that commenters describe the number of small entities under the RFA and the impact on small entities.

4. FDIC Certification

The RFA generally requires an agency, in connection with a proposed rule, to prepare and make available for public comment an initial regulatory flexibility analysis that describes the impact of the proposed rule on small entities.^[196] However, an initial regulatory flexibility analysis is not required if the agency certifies that the proposed rule would not, if promulgated, have a significant economic impact on a substantial number of small entities. The SBA has defined “small entities” to include banking organizations with total assets of less than or equal to $850 million.^[197]

Generally, the FDIC considers a significant economic impact to be a quantified effect in excess of five percent of total annual salaries and benefits or 2.5 percent of total non-interest expenses. The FDIC believes that effects in excess of one or more of these thresholds typically represent significant economic impacts for FDIC-insured institutions.

The FDIC estimates the effects of the required mandates of the proposed rule on small FDIC-supervised entities. For the purposes of this analysis, the FDIC utilizes a pre-statutory baseline under which the GENIUS Act is considered unenacted. Under this baseline, no formal federal framework exists to coordinate and homogenize the issuance of payment stablecoins, leaving the market to operate under a fragmented regulatory framework and limited federal guidance.

As previously discussed, the proposed rule would apply to all PPSIs, including FDIC-supervised PPSIs, which would be subsidiaries of FDIC-supervised institutions.^[198] As of the quarter ending September 30, 2025, there were 2,772 insured State nonmember banks and State savings associations. Of those institutions, 2,064 are considered “small” for the purposes of RFA.^[199]

The FDIC recognizes considerable uncertainty regarding the number of FDIC-supervised PPSIs that would emerge under the proposed framework. For the purposes of this analysis, the FDIC estimates that the number of FDIC-supervised PPSIs would likely range between five and 30 in the first few years after the enactment of the proposed rule. Given the early stages of the payment stablecoin market, this range accounts for significant uncertainty regarding the volume of future participants. The population of FDIC-supervised PPSIs under the proposed rule could be higher or lower depending on market demand, strategic operational choices of eligible institutions, and future developments in the digital landscape. By utilizing this range, the FDIC aims to establish an estimate that serves as the basis for evaluating the economic effects of the proposed rule, while acknowledging the inherent uncertainty resulting from a lack of historical precedent.

Because an FDIC-supervised PPSI must be a subsidiary of an IDI, the FDIC expects that the initial adopters of this technology would likely be larger institutions with the compliance infrastructure and capital necessary to support stablecoin issuance. As such, the FDIC anticipates that most, if not all, future PPSIs would not be small entities as defined by the SBA. Therefore, the FDIC believes the proposed rule is unlikely to have a significant economic impact on a substantial number of small entities.

However, given the lack of historical precedent and the evolving nature of the payment stablecoin market, the FDIC conservatively assumes that, for the purpose of this analysis, all the entities falling within the previously discussed ( printed page 37265) scope of five to 30 potential FDIC-supervised PPSIs could be small entities. By adopting this conservative assumption, the FDIC aims to provide a comprehensive estimate of the potential economic impact on small entities.

In the unlikely scenario that all, i.e., the upper-bound number of 30 entities, would be small, the estimated impact on each small entity would be a de minimis amount. Even if all 30 entities would instead be significantly impacted by the proposed rule, the FDIC does not consider 30 entities to be a substantial number of small entities.

In light of the foregoing, the FDIC certifies that the proposed rule would not have a significant economic impact on a substantial number of small entities. Accordingly, an initial regulatory flexibility analysis is not required.

The FDIC invites comments on all aspects of the supporting information provided in this RFA section. The FDIC is particularly interested in comments on any significant effects on small entities that the agency has not identified.

5. NCUA Certification

As noted in the FDIC certification, under the RFA an initial regulatory analysis is not required if the promulgating agency certifies the proposed rule (if enacted) would not have a “significant economic impact” on a substantial number of “small entities.” The NCUA certifies the economic burden of the CIP rule—both in terms of likely expenses borne by individual small credit unions and the number of small credit unions facing significant expenses—falls short of the RFA materiality threshold.

Under the GENIUS Act, federally insured credit unions (FICUs) cannot become PPSIs. The credit-union analogue for a bank subsidiary—at least for purposes of this act—is the credit union service organization (CUSO).^[200] Currently, the NCUA does not charter, insure, or collect call-report type data from CUSOs, so there is no formal definition of small for RFA purposes. Following the FDIC, the NCUA relies on its traditional approach to RFA analysis by examining the impact of the CIP rule on FICUs with fewer than $100 million in assets.^[201] As of September 30, 2025, the NCUA supervised 4,331 FICUs; of these, 2,553 (or 58.9 percent) qualified as small entities. Compared with commercial banks, credit unions are quite small. Indeed, the industry median asset size (again 2025:Q3) was $63.63 million—roughly one-sixth of the median asset size in the banking industry. Put another way, 3,813 FICUs (88.0 percent of all FICUs) would qualify as small under the FDIC RFA threshold (fewer than $850 million).

Predicting the number of PPSIs in the credit-union sector is difficult because: (i) CUSOs or credit unions have never offered a product quite like stablecoin; and (ii) as noted, the NCUA—with extremely limited authority over CUSOs (as third-party vendors)—has little-to-no anecdotal or formal data to make a forecast. That said, the National Association of Credit Union Service Organizations (NACUSO) reported in its 2020 CUSO Market Report that credit unions holding between $100 and $500 million in assets are by far the largest block of CUSO customers. Moreover, the credit-union sector has historically been conservative in its approach to offering products/services with novel risk dimensions. When such products/services are offered, large credit unions have been in the forefront. In short, qualitative and quantitative data suggest the number of PPSIs in the credit-union sector should be well below that in the banking industry. Specifically, the NCUA expects the actual number to fall between zero and 10, with five being a reasonable point estimate. Five represents 0.2 percent of the total number of small FICUs.

As for the number of small FICUs potentially facing a “significant” burden, applying the FBA materiality threshold of either 5 percent of annual compensation expense or 2.5 percent of total non-interest expense is problematic because small credit unions: (1) tend to rely heavily on volunteers; ^[202] and (2) often enjoy free office space provide provided by a sponsor. Under the FBA compensation threshold (5 percent), for example, 1,274 small FICUs—49.9 percent of those holding fewer than $100 million—would face a significant burden. Similarly, under the FBA non-interest expense threshold (2.5 percent), 1,226 would face an undue burden. At first, both numbers appear to qualify as “substantial.” But, again, it is important to remember small credit unions typically have relatively simple operations with plain vanilla product/service offerings. The CUSOs serving these credit unions would be extremely unlikely to become PPSIs even if the CIP regulatory burden were zero dollars. So, to arrive at an estimate of small FICUs potentially facing an undue burden, recall the estimate for PPSIs industrywide offered above—zero to 10. Now, assume (unrealistically) the actual number is 10, that all held fewer than $100 million in assets, and all faced marginal compliance expenses exceeding 5 percent of compensation expense or 2.5 percent of non-interest expense. Under these conservative assumptions, only 0.4 percent of small FICUs would face an undue burden. In short, the relatively modest size and simple operations of “small” FICUs—both absolutely and compared with commercial banks—suggest few would be interested in stablecoins even if there were no regulatory burden. Accordingly, it is reasonable to conclude the CIP rule will not have a significant economic impact on a substantial number of small FICUs.

D. Unfunded Mandates Reform Act

The UMRA requires that an agency prepare a statement before promulgating a rule that may result in expenditure by the state, local, and Tribal governments, in the aggregate, or by the private sector, of $193 million or more in any one year ($100 million in 1995, adjusted for inflation).^[203] Section 202 of UMRA also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule.

As discussed above,^[204] FinCEN and the Agencies have not estimated the number of potential future SQPSIs given the inherently speculative nature of such an exercise at this time. Consequently, FinCEN and the Agencies ( printed page 37266) are unable to assess the potential burden to state, local, and Tribal governments of the proposed CIP rule and are, at this time, not expecting any additional expenditures to these parties as an incremental cost of the proposed rule. However, FinCEN and the Agencies' expectation that this rulemaking will not cause material changes in State expenditures, in particular, should be understood as relating only to the impact of this rulemaking and not to the impact of the GENIUS Act writ large. The GENIUS Act envisions an active role for the states in the regulation of PPSIs as a complement to Federal regulation.

While the analyses above ^[205] and below,^[206] indicate that the proposed rule is not expected to impose incremental novel expenditures on the private sector of $193 million or more, and hence that additional economic analysis pursuant to UMRA requirements is not strictly necessary, FinCEN and the Agencies believe that the preceding assessment of impact, generally, and consideration of policy alternatives, specifically, would satisfy the UMRA's analytical requirements. FinCEN and the Agencies invite public comment on any additional factors that, if considered, would materially alter the conclusions of this assessment.

E. Paperwork Reduction Act

The recordkeeping requirements in the proposed rule, which qualify as “collections of information” under the PRA, will be submitted to OMB for review in accordance with the PRA.^[207] Under the PRA, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid control number assigned by OMB.^[208] Written comments and recommendations for the proposed information collection can be submitted by visiting https://www.reginfo.gov/​public/​do/​PRAMain. Find this particular document by selecting “Currently Under Review—Open for Public Comments” or by using the search function. Comments are welcome and must be received by August 21, 2026.

In accordance with requirements of the PRA, 44 U.S.C. 3506(c)(2)(A), and its implementing regulations, 5 CFR part 1320, the following information concerning the collection of information as it relates to the new CIP requirements for covered PPSIs is presented to assist those persons wishing to comment on the information collections.

1. Description of Affected Financial Institutions and OMB Control Numbers

OMB Control Number(s): [1506-XXXX].

Description of Affected Entities: Only those covered financial institutions defined in section 31 CFR 1010.100(t)(11) ( i.e., PPSIs) would be affected.

Estimated Number of Respondents: 50 PPSIs.

FinCEN estimates an average annual population of approximately 50 PPSIs in the first three years, comprised of approximately 20 non-IDI subsidiary PPSIs and 30 IDI-subsidiary PPSIs.^[209] FinCEN expects these entities to each have an average of 1,000 customers, with an average of 650 new customers annually.^[210]

As this is a developing market, FinCEN and the Agencies acknowledge significant uncertainty regarding the number of potential PPSIs. However, as discussed earlier, FinCEN and the Agencies estimate that IDI-subsidiary PPSIs would have reduced CIP-related expenses due to their position within a parent's existing CIP program.

2. Estimated Annual Burden Hours

As described in section VIII.A.4.ii.a, each PPSI is expected to incur recordkeeping burdens associated with the proposed CIP obligations. FinCEN and the Agencies have identified five main cost categories associated with the various incremental recurring costs expected to be incurred by PPSIs to comply with CIP requirements. These cost categories are: (1) establishing and maintaining a written CIP; (2) obtaining and verifying customer identification information, (3) recordkeeping; (4) consulting government lists, and (5) customer notification.

i. Establishing and Maintaining a Written CIP

PPSIs subject to this rule would have to establish a CIP in accordance with the proposed rule. FinCEN estimates the average cost for a PPSI to establish and maintain a written CIP as described in section VIII.A.4.ii.a.1 to be between approximately 20 to 30 hours per firm (with an average of 25 hours per firm) in the first year for non-IDI subsidiary PPSIs, and about ten to 15 hours per firm (with an average of approximately 12 hours per firm) in the first year for IDI-subsidiary PPSIs. For both PPSI types, the average burden of these activities is expected to decrease to approximately ten hours per PPSI, irrespective of type, in each subsequent year. This activity would involve tasks such as reviewing the requirements of the rule, establishing and documenting the program, and updating the CIP when necessary.

ii. Obtaining and Verifying Customer Identification Information

The proposed rule would require PPSIs to collect and verify certain information from each customer.^[211] Because the proposal exempts existing primary market customers from information collection requirements, the agencies estimate information collection costs for primary market customers opening new accounts. FinCEN and the Agencies estimate this cost on a per-customer basis.

FinCEN estimates a range of costs for customer identification information collection and verification—most of which would be from legal entities.^[212] FinCEN estimates that small issuers would require an average of one hour to correspond with each new customer and collect the required information, while larger issuers would require only ten minutes (0.17 hours) per new customer, owing to more volume and onboarding automation. Thus, FinCEN uses an average of 35 minutes (0.58 hours) per new customer for non-IDI subsidiary PPSIs. For PPSI entities affiliated with insured depository institutions, FinCEN and the Agencies estimate more streamlined information collection processes associated with the existing CIP program of the parent. For this reason, FinCEN estimates an average time to correspond with each new customer and collect the required information ranging from ten minutes for most banks to 20 minutes for some smaller banks. FinCEN uses an average of 15 minutes (0.25 hours) per new customer.

iii. Recordkeeping

The proposed rule would require certain records to be retained for a five-year period following the creation of the record ^[213] and others to be retained for five years following an account closure.^[214] To allocate burden to these obligations, FinCEN PRA estimates allow for non-labor, technology costs that include an annual $100 baseline cost for each PPSI and a per-record cost of $0.10 associated with storing new customer records in accordance with ( printed page 37267) similar estimates in prior rulemakings.^[215]

iv. Comparison With Government Lists

The proposed rule would require a PPSI's CIP to include reasonable procedures for determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by Treasury in consultation with the Federal payment stablecoin regulators. While such a list has not yet been issued, a nominal one-hour burden in the PRA section is assigned to this requirement to account for the possible future issuance of such lists.

v. Customer Notification

The proposed rule would require a PPSI's CIP to include procedures for providing its customers with adequate notice that the issuer is requesting information to verify their identities. Because the notice is a standardized disclosure included with all applications, FinCEN does not anticipate a per-customer burden, but rather a one-time upfront cost to add the notice to application materials. FinCEN also assigns a nominal average one-hour ongoing annual burden to review and update the notice if necessary.^[216]

vi. Summary of Annual Burden Hours

Tables 7 and 8 present the estimated average annual burden hours per respondent and the aggregate average annual burden hours for all affected PPSIs in year one and in subsequent years, respectively.^[217] FinCEN estimates a three-year average annual burden of 264 hours per PPSI and a three-year average annual burden of 13,178 hours for all 50 PPSIs.^[218]

3. Estimated Annual Total Costs

Tables 9 and 10 present the average annual cost per respondent and total annual cost for all affected PPSIs for year one and years two and three, respectively. FinCEN estimates an average annual labor cost of $32,835 per PPSI and an aggregate annual labor cost of $1.64 million. FinCEN additionally estimates an average annual non-labor cost of $165 per PPSI and an aggregate annual non-labor cost of $8,250 to account for storage and technology costs. In total, FinCEN and the Agencies estimate an average annual of $33,000 per PPSI ^[219] and an aggregate annual cost of $1.65 million.

( printed page 37268)

4. Aggregate Burden and Cost Estimates

Estimated Number of Respondents: 50 PPSIs.

Estimated Aggregate Three-Year Average Annual Recordkeeping Burden: Approximately 13,178 hours.

Estimated Aggregate Three-Year Average Annual Recordkeeping Cost: Approximately $1,650,007.

5. General Request for Comments Under the Paperwork Reduction Act

FinCEN and the Agencies invite comments on: (1) whether the collection of information is necessary for the proper performance of the mission of FinCEN, including whether the information would have practical utility; (2) the accuracy of FinCEN's estimate of the burden of the proposed collection of information; (3) ways to enhance the quality, utility, and clarity of the information required to be maintained; (4) ways to minimize the burden of the collection of information, including through the use of automated collection techniques or other forms of information technology; and (5) estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services required to report the information.

F. Riegle Community Development and Regulatory Improvement Act

Pursuant to section 302(a) of the Riegle Community Development and Regulatory Improvement Act of 1994 (RCDRIA), in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on IDIs, each Federal banking agency must consider, consistent with principles of safety and soundness and the public interest, any administrative burdens that such regulations would place on affected depository institutions, including small depository institutions, and customers of depository institutions, as well as the benefits of such regulations.^[220] In addition, section 302(b) of the RCDRIA requires new regulations and amendments to regulations that impose additional reporting, disclosures, or other new requirements on insured depository institutions generally to take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in final form.^[221] The Agencies invite comments to further inform their consideration of the RCDRIA.

G. Plain Language

Section 722 of the Gramm-Leach-Bliley Act ^[222] requires the Federal banking agencies to use plain language in all proposed and final rulemakings published in the Federal Register after January 1, 2000. The agencies invite your comments on how to make this proposed rule easier to understand. For example:

• Have the agencies organized the material to suit your needs? If not, how could the proposed rule be more clearly stated?
• Are the requirements in the proposed rule clearly stated? If not, how could the proposed rule be more clearly stated?
• Does the proposed rule contain language or jargon that is not clear? If so, which language requires clarification?
• Would a different format (grouping and order of sections, use of headings, paragraphing) make the proposed rule easier to understand? If so, what changes to the format would make the proposed rule easier to understand?
• What else could the agencies do to make the proposed rule easier to understand?

H. Providing Accountability Through Transparency Act of 2023

The Providing Accountability Through Transparency Act of 2023 requires that a notice of proposed rulemaking include the internet address of a summary of not more than 100 words in length of a proposed rule, in plain language, that shall be posted on the internet website under section 206(d) of the E-Government Act of 2002.^[223]

( printed page 37269)

The proposal and the required summary can be found at www.regulations.gov by searching for Docket IDs FINCEN-2026-0101, OCC-2026-0331 or NCUA-2026-0793 or https://www.fdic.gov/​federal-register-publications.

I. Additional Requests for Comment

1. Are FinCEN and the Agencies' baseline estimates of the number of market participants accurate? Are there specific sources of data that would suggest any of these population estimates should be revised? Please provide data, studies, or anecdotal evidence that would support any suggested alternatives.

2. Are there other distinct, identifiable subpopulations of the general public that could reasonably be directly affected by the proposed rule and should have been considered in the RIA? Please provide data, studies, or reports that would enhance FinCEN and the Agencies' ability to identify and quantify such effects.

3. FinCEN and the Agencies assume that a number of depository institutions would have affiliates or subsidiaries that seek PPSI status and that other PPSIs would not be subsidiaries of insured depository institutions. How likely are issuers or potential issuers to seek PPSI status as a subsidiary of an insured depository institution versus seeking PPSI status not as a subsidiary of an insured depository institution?

4. FinCEN and the Agencies made certain assumptions, based on data, about the number of primary customers that a typical PPSI would have. How many primary market customers does a typical issuer of payment stablecoin-type products interact with? What costs do issuers face in collecting customer information from these entities? How many are these customers are new to the issuer on an annual basis?

5. Is it likely that any of the 14,575 financial institutions listed in Table 2 would be relied upon by PPSIs for some aspect of their CIP compliance? Please provide data, studies, reports, or anecdotal evidence that would enhance FinCEN and the Agencies' ability to identify and quantify the effects of such reliance.

6. To what extent should the economic impact on state regulatory agencies be considered in the RIA? Please provide data, studies, or reports that would support the identification enhance FinCEN's ability to identify and quantify such effects.

7. Is FinCEN and the Agencies' analysis of the average costs for each component of the CIP as outlined in section VIII.A.4.ii.a reasonable reflection of the cost faced by issuers of products that may be considered payment stablecoins? If not, are there specific sources of empirical evidence or data that would suggest these burden estimates should be revised? Are there any additional cost categories related to establishing and maintaining a CIP that FinCEN and the Agencies have failed to consider? Please provide data, studies, or anecdotal evidence that would support any suggested revisions.

8. What types and share of PPSIs would likely already have CIPs established and would therefore not incur the full costs associated with establishing and maintaining a CIP? Are there certain CIPs or customer identification practices implemented by stablecoin issuers that this analysis should take into account? Please provide data, studies, or reports that would enhance FinCEN and the Agencies' ability to identify this population.

9. Is it reasonable to assume that PPSIs would already have measures in place to form a reasonable belief that they know the true identities of their existing customers and therefore would not need to obtain and verify customer identification information for any of their existing primary market customers in the first year once the rule would become effective? If not, what share of PPSIs would need to obtain and verify customer identification for all or a portion of their existing customers? Are there specific sources of empirical evidence or data that would suggest this assumption should be revised? Please provide data, studies, or anecdotal evidence that would support the suggested alternative assumption.

10. FinCEN and the Agencies request comment on the alternative policy options presented in section VIII.A.5 and their economic effect.

11. FinCEN utilized a threshold of less than $200 million in total reserve assets to define a small payment stablecoin issuer. How appropriate is this threshold? Similarly, is five percent of total reserve assets a good estimation of these firms' revenue?

12. The RIA in this NPRM does not include a forecasted population of potential future SQPSIs due to limitations in data availability. Please provide data, studies, or anecdotal evidence that would enable analysis of the potential effects of the proposed requirements on SQPSIs, generally, and small SQPSIs in particular.

13. The FDIC, Board, NCUA, and OCC invite comments on all aspects of the supporting information provided in sections VIII.C.2-5, particularly related to any significant effects on small entities that the agency has not identified.

14. The economic expectation that the proposed rule may have a significant economic impact on a substantial number of certain types of potentially affected small entities is sensitive to key assumptions about how potentially affected financial institutions would respond to the proposed requirements. FinCEN and the Agencies request comment on whether it would instead be more reasonable to certify that the proposed rule would not have a significant economic impact on a substantial number of small entities.

15. FinCEN and the Agencies do not anticipate that the proposed rule would result in novel incremental aggregate expenditures by State, local, or Tribal governments, or by the private sector of $193 million or more in any one year. Is this assumption reasonable? If not, what studies, data, or anecdotal evidence should be taken into consideration that would update this expectation?

16. Would PPSIs incur ongoing recordkeeping burdens associated with the proposed customer notification requirement? Or is the recordkeeping burden largely incurred when the notification is initially drafted? If it is an ongoing burden, what is the average amount of time spent on the recordkeeping activity per year?

J. NCUA Analysis on Executive Order 13132 on Federalism

Executive Order 13132 encourages certain regulatory agencies to consider the impact of their actions on state and local interests. The NCUA, an agency as defined in 44 U.S.C. 3502(5), complies with the executive order to adhere to fundamental federalism principles. This proposed rule would apply to PPSIs. This scope is set by statute. The NCUA works cooperatively with state regulatory agencies on all supervisory matters, including AML/CFT matters, and will continue to do so. The NCUA expects that any effect on states or on the distribution of power and responsibilities among the various levels of government will be minor. The NCUA welcomes comments on ways to eliminate, or at least minimize, any potential impact in this area.

K. NCUA Assessment of Federal Regulations and Policies on Families

The NCUA has determined that this proposed rule would not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, ( printed page 37270) 1999.^[224] The proposed rule relates to PPSIs, and any effect on family well-being is expected to be indirect.

For the reason set forth in the preamble, FinCEN and the OCC, Board, FDIC, and NCUA propose that FinCEN amend 31 CFR part 1033, as proposed to be added at 91 FR 18582 (April 10, 2026), as follows:

1. The authority citation for part 1033 continues to read as follows:

Authority: 12 U.S.C. 1829b, 1951-1959, and 5901-5916; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

2. In § 1033.100, add paragraphs (a) through (c) to read as follows:

3. Add § 1033.220 to read as follows:

[FR Doc. 2026-12460 Filed 6-18-26; 8:45 am]

BILLING CODE 4810-02-P