US Regulators Bring Bank-Grade KYC to Stablecoin Issuers

Anyone who has shipped a KYC pipeline for a regulated fintech knows the real cost isn't the vendor invoice, it's the engineering quarters you lose to edge cases. On Thursday June 18, five US financial regulators dropped a 130-page proposed rule that drags stablecoin issuers into that exact world. The GENIUS Act is no longer a slogan on a press release. It's becoming code that USDT, USDC, and every aspiring "permitted payment stablecoin issuer" will have to write, test, and run in production.

What Happened

The Federal Reserve, Treasury, OCC, FDIC, and the NCUA jointly issued a notice of proposed rulemaking that applies Bank Secrecy Act style customer identification standards to stablecoin issuers. According to CoinDesk, the proposal landed Thursday alongside a 60-day public comment window. Treasury's FinCEN is running a parallel track for the AML provisions.

The substance is what every compliance officer expected. Issuers must run "reasonable procedures" to verify the identity of anyone opening an account, retain records of name, address, and other identifying information, and check users against government-supplied terrorist and sanctions lists. In plain terms: bank-grade CIP, applied to entities the law now formally calls "permitted payment stablecoin issuers," or PPSIs.

This isn't the first round. Back in September 2025, the same regulators put out a preliminary document asking the industry how they should approach implementation. Treasury received 450 comments on that one. The current draft is the answer, structured as a formal notice of proposed rulemaking, which means another comment cycle, then revisions, then final joint rules, then enforcement.

Not everyone on the Fed board is satisfied. Governor Michael Barr, who ran supervision under the previous administration, said he remains concerned the GENIUS framework "does not do enough so far to address the risks of illicit finance conducted through secondary market transactions in payment stablecoins." He flagged that bad actors can route around home-jurisdiction AML rules "and operate without detection when transacting in digital assets." The 130-page document itself asks the open question: should CIP requirements extend to secondary market activity, and under what conditions? That single question is the one engineering teams should be reading three times.

Technical Anatomy

Read the rule as a state machine, not a policy document. The primary account-opening event triggers verification: collect identifying data, run it through a list-screening function, persist the evidence, and gate minting against the result. That part maps cleanly to existing fintech KYC stacks. Any team that has integrated Onfido, Persona, or Jumio knows the pattern.

The hard part is the architecture mismatch. A bank account is a closed ledger. A stablecoin is a bearer token on a public chain. Once USDC leaves Circle's mint contract, it moves peer-to-peer across wallets the issuer never authenticated. Today, issuers handle this with the blunt instrument of a blocklist: addresses flagged by OFAC or fraud teams get frozen via a privileged contract function. That works for known-bad endpoints. It does nothing for the long tail of pseudonymous wallets in between mint and redemption.

Barr's question about secondary markets is the live wire. If regulators eventually require CIP at the wallet level, issuers face an architectural fork. Option one: maintain an allowlist of verified wallets and only permit transfers between them. That breaks composability with every DeFi protocol on Ethereum and Solana. Option two: lean on attestation systems where wallets carry verifiable credentials that DEXs and lenders must check before accepting the asset. The EVM tooling for that exists in fragments, but production-grade attestation infrastructure is years behind the regulatory ambition.

The 60-day comment period matters here. The proposal's question is open, which means the answer the industry writes back will shape the technical mandate. Silence will be read as consent for the strictest interpretation. My take: if you run a stablecoin issuer or a DEX that quotes USDT and USDC pairs, your protocol engineers should already be drafting comment language. The US rulemaking process rewards specific, technically literate objections, not generic complaints.

FinCEN's parallel AML rule adds another layer. Expect overlap, expect inconsistency, expect at least one round of agencies having to reconcile their drafts in production.

Who Gets Burned

Tether and Circle sit at opposite ends of the exposure curve. Circle has spent years building toward US regulated status and already runs bank-style compliance. USDC's mint and burn flows pass through Circle's gated onboarding. The new CIP rule formalizes what they largely do. Tether is the harder case. USDT's distribution model leans heavily on intermediaries and offshore counterparties. The PPSI designation, with CIP attached, raises the cost of doing business with US-facing partners and amplifies the gap between onshore and offshore liquidity.

Secondary-market actors are the ones who should be sweating, even though the current draft doesn't bind them yet. DEX aggregators, perpetual futures venues quoting stablecoin margin, and DeFi lending protocols all rely on the assumption that a stablecoin in a wallet is a stablecoin in a wallet, no questions asked. Barr's signal that he'll be "paying special attention" to extending ID provisions downstream is a written warning.

Centralized exchanges feel a related squeeze. Per CoinDesk Research published June 15, combined exchange volumes fell 3.45% in May 2026 to $4.41 trillion, the lowest level since September 2024. That's a real revenue compression hitting just as compliance overhead is about to climb. On a venue netting hundreds of millions in fees, a 3.45% volume drop is roughly the budget for a senior compliance engineering team. RWA perpetual futures volumes rose 10.4% to a new all-time high in the same period, which tells you where the desk-level migration is heading. Add the CME's stated intent to sue the CFTC over perpetual futures approval, and the regulatory weather across crypto is moving from cloudy to lightning.

The uncomfortable read: smaller US issuers that hoped to undercut Tether and Circle on UX now have a fixed compliance floor priced into their cost base. The GENIUS Act doesn't just regulate the incumbents, it locks in their scale advantage.

Playbook for Crypto and DeFi

Concrete actions for the next 60 days, while the comment window is open.

• File a comment. Read the 130-page proposal, specifically the secondary-market CIP question. Submit technically grounded language explaining what an allowlist regime would do to liquidity and composability. Regulators count well-argued submissions.
• Audit your CIP integration path. If you're a PPSI candidate or partner with one, map every account-opening flow to the three required procedures: verification, record retention, and list screening. Identify gaps now, not after the final rule lands.
• Inventory your blocklist tooling. Confirm your freeze and seize contract functions are tested under load and have a documented runbook. Production incidents I've seen at fintechs almost always trace back to compliance tooling that worked in staging and failed under a real sanctions event.
• Re-price your stablecoin exposure. If your business model depends on frictionless secondary-market transfer of USDC or USDT, model the scenario where attestation-gated transfer becomes mandatory in 18 months. What breaks? What costs more?
• Watch FinCEN. The parallel AML track will land separately and may contradict pieces of the joint banking-regulator rule. Assign one person to track both dockets.

Boring advice, but boring is what survives 2am. Teams that treat this as a paperwork problem will eat the rework cost twice.

Key Takeaways

• Five US agencies have proposed bank-style CIP rules for stablecoin issuers, with a 60-day comment window opened June 18, 2026.
• The mandate covers identity verification, record-keeping for name and address, and screening against terrorist lists for any account opening.
• Fed Governor Michael Barr is publicly pushing to extend ID requirements to secondary-market transfers, which would force an architectural rewrite of how stablecoins move on-chain.
• Treasury received 450 comments on last September's preliminary document. Engaging this round is the cheapest way to shape the final technical mandate.
• Compliance cost compression hits as May 2026 CEX volumes dropped 3.45% to $4.41 trillion. Smaller issuers absorb the floor, incumbents widen the moat.