Alston & Bird Consumer Finance Blog

Archives for July 25, 2025

Privacy, Cyber & Data Strategy / White Collar, Government & Internal Investigations Advisory | GENIUS Act Establishes Federal Regulatory Oversight of Global Stablecoin Industry

Executive Summary

Our Privacy, Cyber & Data Strategy and White Collar, Government & Internal Investigations Teams examine how the GENIUS Act’s framework for stablecoin issuers will impact the cryptocurrency sector.

  • The Act restricts the issuance of payment stablecoins within the United States to “permitted payment stablecoin issuers” (PPSIs)
  • PPSIs must maintain reserves of high-quality, liquid assets that fully back their outstanding stablecoins on at least a one-to-one basis
  • Regulatory oversight is divided between federal and state authorities, with joint oversight applying when state issuers exceed certain thresholds or opt into federal frameworks

___________________________________________________

On July 17, 2025, during “Crypto Week,” the U.S. House of Representatives passed the landmark Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act). Signed into law by President Donald Trump the next day, the GENIUS Act establishes a comprehensive federal framework for the issuance of payment stablecoins, regulation of stablecoin issuers, and both federal and state oversight for stablecoin authorization, audits, and other obligations. Domestic and foreign issuers in the more than $250 billion stablecoin market now have a clear path to securing and maintaining regulatory compliance in the United States.

Demonstrating rare cross-aisle cooperation and a shared interest in modernizing financial regulations to match emerging blockchain and artificial intelligence (AI) technologies, the Act garnered 308 affirmative votes in the House and 68 in the Senate, surpassing the upper chamber’s filibuster threshold. The GENIUS Act addresses Trump’s key campaign and policy promise to bring clarity and control to the digital asset market.

Key Provisions of the GENIUS Act

Effective date

The GENIUS Act takes effect on the earlier of (1) January 18, 2027 (18 months after the date the Act is enacted into law); or (2) 120 days after the primary federal regulators responsible for stablecoins issue their final regulations to implement the Act.

Authorized issuance of stablecoins only

The Act restricts the issuance of payment stablecoins within the United States to only those entities that qualify as “permitted payment stablecoin issuers” (PPSIs). PPSIs must be either U.S.-based issuers authorized under the Act or foreign issuers that are registered and operate under a regulatory framework deemed comparable to the Act by U.S. authorities and are subject to supervision by the Office of the Comptroller of the Currency (OCC).

A domestic PPSI must meet the requirements of one of three main categories: (1) subsidiary of an insured depository institution that has received approval to issue payment stablecoins under Section 5 of the Act; (2) federal qualified payment stablecoin issuers, which encompass nonbank entities (excluding state-qualified issuers) approved by the OCC, uninsured national banks chartered and approved by the OCC, or a foreign bank that does business outside the United States and has opened one or more federally licensed branches or offices in a U.S. state (“federal branch”), approved by the OCC; or (3) state-qualified payment stablecoin issuers, which are entities legally established under state law and approved by a state payment stablecoin regulator, provided they are not an uninsured national bank, federal branch, insured depository institution, or subsidiary of any such entities.

Requirements for issuing stablecoins

PPSIs must maintain reserves that fully back their outstanding stablecoins on at least a one-to-one basis. These reserves must consist of high-quality, liquid assets such as U.S. coins and currency or credit with a Federal Reserve Bank, demand deposits at insured depository institutions, short-term U.S. Treasury securities, and other monetary securities described in Section 4(a)(1) of the GENIUS Act. Any PPSI must publicly disclose its redemption policies and publish monthly reports detailing the composition, average maturity, and custody location of its reserves. A PPSI’s CEO and CFO must certify the accuracy of those monthly reports, and the Act makes knowingly false certifications punishable by up to 10 or 20 years’ imprisonment under 18 U.S.C. § 1350. To ensure reserve quality and transparency, PPSIs are prohibited from pledging, rehypothecating, or reusing reserves except under limited conditions, such as meeting margin obligations for investments in permitted reserves or creating liquidity to redeem payment stablecoins.

Mitigating money laundering and illicit financing risk

The GENIUS Act designates permitted payment stablecoin issuers as “financial institutions” under the Bank Secrecy Act (BSA), requiring them to implement robust compliance programs to prevent money laundering, terrorist financing, sanctions evasion, and other illicit activity. PPSIs must annually certify that they have implemented an effective BSA/AML compliance program. False certifications are punishable by up to five years’ imprisonment. To ensure regulatory parity, the Act’s registration and inspection requirements for foreign issuers effectively subject them to similar compliance standards when accessing the U.S. market. Issuers must also be technologically capable of assisting with asset freezes, seizures, and turnovers pursuant to lawful orders. The Act further strengthens enforcement by requiring both U.S. and foreign issuers to (1) maintain the technical ability to comply with such orders; and (2) comply with them. Foreign issuers that fail to do so may be designated “noncompliant” by the Treasury, triggering a ban on secondary trading of their stablecoins after 30 days. Violations of that ban carry steep penalties—up to $100,000 per day for digital asset service providers and $1 million per day for foreign issuers.

Regulatory oversight

Regulatory oversight is divided between federal and state authorities, with federal regulators overseeing federally chartered or bank-affiliated issuers, state regulators supervising state-chartered issuers, and joint oversight applying when state issuers exceed certain thresholds or opt into federal frameworks. Regulators are responsible for licensing, examining, and supervising PPSIs to ensure compliance with the Act’s requirements, including reserve backing, redemption policies, and risk management standards.

PPSIs with more than $50 billion in consolidated total outstanding issuance that are not subject to the reporting requirements of the Securities Exchange Act of 1934 are required to prepare an annual financial statement in accordance with generally accepted accounting principles (GAAP) and must disclose any “related party transactions,” as defined under GAAP. A registered public accounting firm must audit the annual financial statement, and the audit must comply with all applicable standards set by the Public Company Accounting Oversight Board. These audited financial statements must also be made publicly available on the PPSI’s website and submitted annually to the PPSI’s primary federal payment stablecoin regulator.

Civil and criminal penalties

Additional civil and criminal penalties are set out throughout the Act. Notably, entities other than PPSIs that issue payment stablecoins in the United States without proper approval may face civil penalties of up to $100,000 per day for violations. Individuals who knowingly issue stablecoins in the United States without being a permitted payment stablecoin issuer face up to five years’ imprisonment and fines up to $1 million for each violation. Additionally, individuals with certain felony convictions are prohibited from serving as officers or directors of a PPSI, and violations of that prohibition can result in imprisonment for up to five years. The Act expressly gives regulators discretion to refer violations of the Act to the Attorney General.

Modernizing anti-money laundering and financial crimes compliance

The GENIUS Act places a strong emphasis on leveraging blockchain technology and AI to modernize the detection of illicit financial activity involving digital assets. The Act mandates that the Secretary of the Treasury initiate a public comment period to gather insights on how regulated financial institutions are using or could use innovative tools—particularly blockchain and AI—to detect money laundering and related crimes. Blockchain technology is highlighted for its potential in transaction monitoring and transparency, especially in tracking digital asset flows and identifying suspicious patterns.

Rulemaking timeline

The Act mandates that all primary federal payment stablecoin regulators, the Secretary of the Treasury, and state payment stablecoin regulators must promulgate regulations to implement the Act within one year of its enactment (July 18, 2026). These regulations must be issued through a notice-and-comment process. Additionally, within 180 days of the Act’s effective date, the OCC, Federal Deposit Insurance Corporation, and Board of Governors of the Federal Reserve System shall submit a report to the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services that confirms and describes the regulations necessary to carry out this Act.

Other Impending Crypto Legislation

The GENIUS Act is momentous for stablecoin issuers, but it does not resolve a number of crypto-native issues, which are the subject of a broader market structure bill known as the Digital Asset Market Clarity Act of 2025 (CLARITY Act). The CLARITY Act passed the House with broad bipartisan support, and a version is currently under Senate consideration. While the GENIUS Act focused narrowly on regulating stablecoin issuers, the CLARITY Act seeks to establish a robust regulatory framework for all digital assets and define the roles of the Securities and Exchange Commission and Commodity Futures Trading Commission in policing the digital asset markets. Most notably, for the first time, the CLARITY Act attempts to classify digital assets based on their characteristics, such as decentralization and blockchain maturity, with a goal of reducing regulatory uncertainty and fostering innovation in the cryptocurrency industry. Senator Tim Scott (R-SC), chair of the Senate Banking Committee, has made several public statements on the timeline for consideration of the CLARITY Act, with committee markup expected in September and full Senate action possible by late fall.

Conclusion

The GENIUS Act establishes a robust framework for the issuance and oversight of payment stablecoins in the United States. It sets clear standards to ensure transparency for the backing of permitted payment stablecoins, and it requires issuers, like traditional financial institutions, to quickly establish robust compliance programs to combat illicit uses of their stablecoins. With its strong bipartisan backing and goals of financial stability, consumer protection, and global competitiveness, the Act could lay the groundwork for a more transparent and trustworthy digital asset ecosystem.


Originally published July 24, 2025.


Financial Services / White Collar, Government & Internal Investigations Advisory | Financial Institutions Permitted to Use Third Parties to Collect Customers’ Taxpayer Identification Numbers for Identity Verification

Executive Summary

Our Financial Services and White Collar, Government & Internal Investigations Teams examine the Financial Crimes Enforcement Network’s new customer identification program (CIP) exemption that allows banks and credit unions to use third parties to collect customers’ taxpayer identification numbers (TINs).

  • Reflects the view that using third-party sources allows institutions to reasonably accommodate customers’ privacy and data security concerns about submitting TINs electronically
  • Mirrors the flexibility available under existing CIP rules for credit card account opening
  • Continues to require written, risk-based CIP procedures that enable institutions to form a reasonable belief that they know the true identity of each customer

___________________________________________

On June 27, 2025, U.S. federal bank and credit union regulators issued an order, with the concurrence of the Financial Crimes Enforcement Network (FinCEN), granting an exemption from customer identification program (CIP) rules. Under the order, U.S. banks and credit unions are relieved from the requirement to collect taxpayer identification numbers (TINs) (e.g., Social Security numbers (SSNs), employer identification numbers (EINs), and individual taxpayer identification numbers (ITINs)) directly from customers at account opening. News releases by the Office of the Comptroller of the Currency (OCC) and other agencies generally touted the order as a reasonable exercise of regulatory flexibility that addresses customer privacy concerns without increasing fraud, money laundering, or bank safety and soundness risk.

Under CIP rules applicable since 2001, banks have generally been required to collect TINs in addition to names and other identifying information about customers seeking to open accounts.

Significantly, except in the case of credit card accounts, the account-opening institution has been required to obtain this information from the customer. The institution must then apply CIP procedures intended to use this information to verify the customer’s identity, which can include both documentary methods (such as comparison against the customer’s driver’s license or similar government-issued identification) and nondocumentary methods (such as comparison against information obtained from a consumer reporting agency (CRA)).

When the agencies and FinCEN jointly issued final CIP rules in 2003, they acknowledged industry concerns that the requirement to obtain this information from customers directly imposed an undue hardship on institutions in opening credit card accounts. Credit card issuers indicated that new customers were reluctant to provide their TIN information over the telephone and were typically not asked to do so in person. The regulators determined then that allowing banks to continue to rely on third-party sources, such as CRAs, for some of this information would be consistent with existing practices, which had, according to the regulators, “produced an efficient and effective means of extending credit with little risk that the lender does not know the identity of the borrower.”

The USA PATRIOT Act provisions implemented by the CIP rules (statutory authority that is part of what is generally referred to as the Bank Secrecy Act (BSA)) do not prescribe either the minimum information that banks must collect for verifying customer identities or the source of that information. The AML Act of 2020 specifically requires the agencies and FinCEN to review BSA regulations such as the CIP rules for those that may be outdated or that do not otherwise promote risk-based anti-money laundering compliance programs.

In 2024, FinCEN issued a request for information (RFI) soliciting feedback on the potential risks and benefits of permitting banks to obtain TINs from third-party sources instead of from customers as part of their CIP. Within both the RFI and the order, the regulators noted that significant technological changes had occurred within financial services since the CIP rules’ adoption in 2003, both in the ways that customers access such services and in how institutions deliver them. These changes reflect, among other things, innovations in available identity verification methods and tools.

As part of the RFI, the regulators also noted the increasing prevalence of bank partnerships with nonbanks and that these nonbank partners may not be directly subject to CIP or similar compliance requirements. This difference has both compliance and competitive implications for banks. The regulators also acknowledged the need, within the constraints of the existing BSA provisions that the CIP rules implement and other applicable law, to balance CIP requirements intended to prevent and detect fraud, money laundering, and other illegal activity, on the one hand, with bank burdens and customer privacy concerns implicated by account opening processes on the other. At this time FinCEN specifically requested public comment on allowing a bank to obtain partial TIN information from its customer (such as the last four digits of their SSN) and the customer’s full TIN from a third-party service provider.

The Order

The order provides an exemption from the CIP rule requirement for banks subject to the jurisdiction of the agencies (and certain bank subsidiaries) to obtain full TINs directly from the customer prior to opening an account.

The order permits banks, for all account types, to instead use an alternative collection method to obtain TIN information from a third-party source (such as a CRA), provided that the bank otherwise complies with CIP rules, which require written procedures that (1) enable the bank to obtain TIN information before opening an account; (2) are based on the bank’s assessment of the relevant risks; and (3) permit the bank to form a reasonable belief that it knows the true identity of each customer. The agencies stress that reliance on the exemption is optional; banks are not required to begin using an alternative TIN collection method. The order was effective immediately upon its publication, making the exemption it describes available immediately as well.

Basis for the Exemption

In issuing the order, the agencies relied on existing CIP rule authority allowing the bank regulators—with FinCEN’s concurrence—to exempt any entity subject to their supervision or type of account they may open from the rules’ requirements.

Ultimately, the agencies concluded that the risks associated with relaxing the CIP rules to permit banks to obtain TINs from third parties as described in the order did not outweigh the associated benefits. In particular, the agencies relied on (1) evidence of wide availability of alternative TIN collection methods; (2) an increase in electronic and other non-face-to-face account opening; and (3) the success of the existing credit card exemption. They also cited BSA legislative history for the proposition that these rules should not impose requirements that are burdensome, prohibitively expensive, or impractical.

While the agencies acknowledged fraud and identity theft risks associated with non-face-to-face account opening, they concluded that unauthorized TIN information exposure—from data breaches not specifically attributable to account opening or even to banks—has diminished the importance of the specific method of TIN collection used by banks for identity verification purposes. According to the agencies, this exposure has also contributed to consumer hesitancy to provide TINs at account opening. In light of this hesitancy and the increasing availability of alternative identity verification resources (including those using email address, geolocation, and internet protocol (IP) address location information), the agencies determined that the order provided meaningful regulatory relief consistent with safe and sound banking practices.

Risks Related to the Exemption and Other Considerations

The primary risk the agencies focused on within the order is that this exemption may result in weaker account opening processes and therefore increases in identity theft, fraud, and other illegal activity that the CIP rules are intended to prevent. In this regard, the agencies took care to reinforce not only that reliance on the exemption is optional but also that, to take advantage of it, institutions must still support their practices as part of a CIP program that reflects the bank’s assessment of the relevant risks and includes procedures enabling the bank to form a reasonable belief that it knows the true identity of each customer. The agencies asserted that the resulting banking practices will not be contrary to generally accepted standards of prudent banking operation or give rise to abnormal risk of loss or damage to an institution or its shareholders.

Public comments cited by the agencies also raised a concern that smaller institutions may not have the resources to implement third-party TIN collection methods or may be forced to increase fees or take other steps that negatively impact their customers or prospective customers (including the “unbanked”) to do so. The agencies did not specifically address this concern other than by reinforcing that implementation of these alternative methods is optional. Because the order was issued pursuant to existing rules, the agencies did not have to consider these concerns in the same way that they would have had to as part of regulation changes.

The agencies also did not address concerns raised by commenters about the intersection of CIP rule requirements and Internal Revenue Service (IRS) backup withholding requirements. Banks relying on the order to collect TINs from third-party sources may need to align these procedures with procedures used to satisfy these withholding rules. Under these requirements, banks are generally required to implement backup withholding on customer accounts for which the bank is a payer of income (such as interest) for IRS purposes if the customer either fails to furnish accurate TIN information to the bank or fails to certify, under penalties of perjury, that the TIN information furnished to the bank is correct.

Banks frequently satisfy these requirements by collecting a Form W-9 (or substitute W-9 in accordance with IRS rules) from their customers. While backup withholding requirements are distinct considerations and are not implicated by all account types, many banks have streamlined their account opening requirements to satisfy both sets of requirements concurrently (and to streamline future account opening processes, such as a customer’s opening of a non-interest-bearing account and subsequent addition of an interest-bearing account). Similarly, broker-dealers and certain other entities subject to CIP rule requirements are not subject to the order, and institutions deploying joint account opening processes (such as within an affiliate or referral program structure) will need to ensure that reliance on the order does not result in compliance gaps or poor customer experience outcomes.

Banks will also need to consider how reliance on the order could impact sanctions compliance (for example, to the extent that sanctions screening is conducted based on customer-provided information before the completion of CIP identity verification); compliance with other BSA rules (such as legal entity customer beneficial ownership rules or the so-called Travel Rule, under which separate TIN collection requirements apply that are arguably not impacted by the order); and compliance with the federal Fair Credit Reporting Act and similar state laws that may apply to various third-party identity verification services used to do so.

Finally, the order also may compel banks and their program managers or other fintech partners to put a finer point on who is considered the bank’s CIP “customer” for BSA purposes for a particular program or product and what information is required about them under their anti-money laundering programs and partnership terms. As noted in the RFI, CIP standards among these entities may vary, and the order may allow them to better align onboarding practices and deliver a better overall customer experience.


Originally published July 24, 2025.
