Stablecoin KYC Rule: What the 'Global' CDD Rejection Means

The Stablecoin KYC Rule Just Drew a Line at the Wallet's Edge

On June 18, 2026, five federal agencies — FinCEN, the OCC, the Federal Reserve Board, the FDIC, and NCUA — jointly proposed a Customer Identification Program rule for payment stablecoin issuers. The proposal was published in the Federal Register on June 22, 2026, with comments due August 21, 2026. It is the second major rulemaking implementing the GENIUS Act.

The headline most outlets ran is that issuers must now identify their customers. That is true but unremarkable. Here is the part the coverage is missing.

The agencies preliminarily rejected a "global" customer due diligence requirement they say is unfeasible, limiting KYC obligations to direct-to-consumer services. In plain terms, an issuer must identify the customer who buys or redeems a stablecoin directly. It is not required to identify every wallet that holds the token after it enters circulation. That single design choice defines the risk surface of the entire payments rail.

Why the GENIUS Act Made This Rule Inevitable

The GENIUS Act (S. 1582, Pub. L. No. 119-27) was signed into law on July 18, 2025, creating the first federal regulatory framework for payment stablecoins. The statute does not take effect immediately. It becomes effective on the earlier of January 18, 2027 or 120 days after the primary regulators issue final implementing rules, per the OCC's implementation bulletin.

That timeline is the reason this rulemaking is moving fast. The CIP proposal does not stand alone.

• April 10, 2026: FinCEN and OFAC published a separate NPRM requiring issuers to build AML/CFT programs, file suspicious activity reports, and maintain sanctions compliance.
• June 18, 2026: The CIP NPRM added customer identification obligations on top of that framework.
• Earlier: Treasury's September 2025 advance notice drew roughly 450 timely comments on GENIUS Act implementation.

The two NPRMs are distinct rulemakings. The CIP rule supplements the earlier AML/CFT rule; it does not replace it. Issuers must comply with both.

The 'Global CDD' Rejection Is the Real Story for Payments Rail Risk

A stablecoin is a bearer instrument that moves peer-to-peer. Once an issuer mints a token and a customer takes possession, the token can travel through dozens of wallets — exchanges, custodians, smart contracts, anonymous addresses — without the issuer ever seeing the parties.

A "global" customer due diligence regime would have required issuers to identify everyone in that chain. The agencies concluded that is unfeasible. They are correct as a technical matter. No issuer can KYC a wallet it never transacts with.

What the perimeter actually covers

• In scope: customers who buy, mint, or redeem directly with the issuer or its direct-to-consumer interface.
• Out of scope: secondary holders who acquire the token on the open market or through a third-party wallet.

Where the risk migrates

This is a deliberate allocation of payments rail risk, and it carries real consequences. The screening burden does not disappear. It shifts downstream to exchanges, custodians, and other regulated intermediaries that interact with the customer at the point of cash-out.

The distinction that matters is between issuer-level KYC and rail-level AML. The CIP rule controls who can enter and exit the rail through the front door. It does nothing to monitor what happens inside the rail. Compliance teams that treat issuer registration as the end of their obligation will misread the structure entirely.

What Issuers and Their Partners Should Do Before August 21

The comment period closes August 21, 2026, and the rule would take effect 12 months after the final rule issues. That is not a long runway for building an identity infrastructure. Start now.

First, map your direct-to-consumer touchpoints precisely. The rule attaches to direct customer relationships. If you operate a mint-and-redeem portal, an app, or an API that onboards end users, those are your CIP obligations. Document where the direct relationship begins and ends.

Second, reconcile the CIP rule with the April AML/CFT NPRM. These are two separate proposals with overlapping but distinct requirements. Your program must satisfy both customer identification and the broader AML/CFT, SAR, and sanctions obligations from the earlier rulemaking.

Third, allocate secondary-market screening by contract. Because the issuer is not required to KYC downstream wallets, exchanges and custodians carry that load. Partner agreements should state clearly who screens at cash-out and who bears the liability if screening fails.

Fourth, file a comment if the perimeter does not fit your model. Issuers with hybrid distribution models have a narrow window to shape the final definition of a direct-to-consumer relationship. A well-supported comment now is cheaper than a remediation later.

Key Takeaways

• The KYC perimeter stops at the direct customer. The agencies rejected a global CDD requirement as unfeasible, so issuers must identify direct buyers and redeemers, not every downstream wallet holder.
• Two rulemakings, not one. The June 18, 2026 CIP NPRM supplements the April 10, 2026 AML/CFT NPRM; issuers must comply with both, and conflating them is a compliance error.
• The GENIUS Act clock is running. The statute takes effect on the earlier of January 18, 2027 or 120 days after final rules, which is why these proposals are moving on a compressed schedule.
• Secondary-market risk shifts downstream. Exchanges, custodians, and partner intermediaries absorb the screening burden the issuer is not required to perform, and partner contracts should allocate that liability explicitly.
• The comment window is short. Comments are due August 21, 2026, and the final rule carries only a 12-month implementation period.