US regulators have started the compliance clock for stablecoin issuers, with a proposed customer-identification rule that would make direct minting, redemption, and account relationships look more like bank onboarding.
The bigger fight begins after that first customer check. Stablecoins can be bought, transferred, and used across exchanges, wallets, DeFi venues, and smart contracts long after a token leaves the issuer’s direct relationship.
A joint proposal from FinCEN, the Federal Reserve, the OCC, the FDIC, and the NCUA would require permitted payment stablecoin issuers to run a written Customer Identification Program, or CIP, as part of their anti-money-laundering controls.
The Federal Register notice, published June 22, sets up a comment period that runs through Aug. 21.
The agencies are treating the rule as more than a fringe compliance update. In the official notice text, they say roughly 99% of stablecoin transaction activity occurs in the secondary market and that nearly all users of payment stablecoin products are secondary-market users.
That single fact turns a technical CIP rule into a market-structure fight.
The proposed rule would formalize identity checks where an issuer has a direct account relationship with a customer. As drafted, it leaves exchange trades, wallet transfers, DeFi swaps, and smart-contract interactions outside a direct issuer KYC event when no formal issuer relationship exists.
That leaves stablecoins facing a two-layer future: a regulated gate where tokens are minted, redeemed, or held through issuer-facing relationships, and a transfer layer where most usage happens through exchanges, wallets, ledgers, and smart contracts that may sit outside the issuer’s direct control.
Issuer relationships are becoming bank-like
The proposed rule follows the GENIUS Act’s direction to treat permitted payment stablecoin issuers as financial institutions under the Bank Secrecy Act. The agencies want issuers to maintain a written CIP appropriate to their size and business, with risk-based procedures to verify customer identity.
In practical terms, issuers would need procedures designed to form a reasonable belief that they know the true identity of each customer. For individuals, that points toward familiar information such as legal name, date of birth, address, and an identification number.
For legal entities, it points toward comparable identifying information and verification procedures.
Those requirements are familiar in banking, broker-dealer, and money-transmission contexts. They are less straightforward with stablecoins because the token can continue to circulate after the initial customer relationship ends.
The proposal’s account definition does a lot of work. It focuses on a formal relationship with the issuer to obtain financial services or products, including minting, redeeming, custody, or other services offered directly by the issuer.
It also excludes activity in which no formal relationship is established with the issuer, including activity that does not directly involve the issuer as a transaction party, other than through a smart contract.
That distinction turns issuer compliance into a gatekeeping rule instead of a universal identity layer for every token movement. A user who mints directly with an issuer is in a different position from a user who buys the same stablecoin from another trader, an exchange balance, a wallet transfer, or a DeFi pool.
That gatekeeping model also explains why the proposal is more than a checklist for issuers. It determines where stablecoin compliance can be confidently attached: at the point where a company recognizes a customer, records a relationship, and can maintain procedures over time.
The harder question starts when that same dollar token is circulating among people and venues the issuer may never see.
The secondary market is where the pressure builds
The agencies acknowledge the secondary-market problem directly. Their notice discusses the potential benefits of collecting customer information beyond direct issuer relationships, but also says doing so would be practically challenging because issuers have limited ability to collect information once stablecoins move away from direct interactions.
That is the unresolved fight at the center of the proposal. If the compliance perimeter stops at issuance and redemption, issuers become more like regulated doors into and out of the stablecoin system.
If regulators later push identity expectations into secondary-market flows, the effect could land on exchanges, hosted wallets, DeFi front ends, payment processors, analytics vendors, or issuer-controlled smart-contract infrastructure.
The rule text keeps those venues distinct. It describes secondary-market activity as including on-chain blockchain transactions and off-chain ledger or book transactions at third-party exchanges, and notes that most retail trading occurs off-chain.
That distinction is important for readers who might assume the debate is only about DeFi.
DEXs and smart contracts are the most visible edge case because they test whether compliance can follow token movement without an intermediary account relationship. But the larger question also extends to centralized trading venues, app-based wallets, payment flows, custody products, and internal exchange ledgers, where users may never interact with the issuer.
A bank-style CIP requirement at the primary layer is administratively familiar. A secondary-market identity regime would be a different kind of project, because it would have to decide which actors are responsible for collecting information, which transfers are covered, and how far the obligation follows a token after issuance.
The safest reading of the proposal is that regulators are starting where the issuer relationship is clearest. Direct minting and redemption already create a customer-facing gate. The issuer can request identity information, verify it, maintain records and lists, and design procedures for the relationship.
Permissionless transfer flows work differently. A stablecoin may move through a smart contract, a liquidity pool, a self-custody wallet, a centralized exchange book, or a payment app without the issuer having to open a new account for each holder.
The proposal does not, on its face, make the issuer responsible for identifying every secondary-market user.
The agencies’ own discussion points to the next regulatory battleground. If almost all transaction activity occurs in the secondary market, then primary-market CIP rules can make issuer doors more bank-like while still leaving open how far identity checks should travel into the places where stablecoins are actually used.
For DeFi, the question is especially sensitive because a broader rule could pressure interfaces, wallet providers, or protocol-adjacent services even if the smart contract itself has no conventional customer file.
For centralized venues, the question is more likely to concern coordination among regulated intermediaries, issuer reliance, data sharing, and whether existing exchange or money-services compliance covers the policy gap regulators are worried about.
The proposal therefore creates a compliance split rather than closing the debate. Issuers get a clearer path for direct customers. Secondary-market platforms and users receive a signal that regulators see the activity, understand its scale, and are asking where to draw the line next.
The comment window is the next market signal
The live deadline gives the industry a short runway. Comments are due Aug. 21, 60 days after the Federal Register publication.
That creates a concrete window for issuers, exchanges, wallet companies, DeFi developers, banks, consumer groups, and compliance vendors to argue over where the stablecoin identity perimeter should stop.
The key question is where identity checks should end. The proposal strongly points toward direct customer identification at the issuer gate.
The open issue is whether the final rule, guidance, or future rulemaking maintains compliance there or begins building a bridge to secondary-market activity.
If the final rule keeps the current structure, stablecoins may evolve with a more bank-like primary layer and a still-contested transfer layer.
Issuers would face clearer obligations when customers come directly to mint, redeem, or maintain accounts, while most user activity would continue to be governed through exchanges, wallets, DeFi interfaces, and other intermediaries under their own legal frameworks.
If regulators move further, the stablecoin market could face a more consequential redesign. Identity checks could become less about who enters through the issuer and more about which venues, interfaces, and service providers must police token movement after issuance.
The proposal extends beyond the compliance department, as stablecoins are useful precisely because they can move across platforms.
Regulators are now formalizing customer checks at the issuer’s door, while the largest share of activity occurs outside that door. The next fight is whether that split remains a practical compromise or becomes the starting point for a broader stablecoin identity regime.
