Verified Platforms
Quick Links
Where to Stay Secure
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
The headline wrote itself on June 18: stablecoins now need KYC. It is true at one door and false everywhere else, and the distance between those two facts is the entire story.
Identity gets checked where you mint or redeem a stablecoin with the company that issues it. It does not get checked when the token moves from one wallet to another on-chain. A rule can sit on the issuer's front desk and never reach the hallway behind it. That is, almost exactly, what five federal agencies proposed this week.
This walkthrough follows Lilith through where the rule attaches. Twenty years in cybersecurity, much of it spent deciding who may touch a system and who may not, she reads a regulation the way she reads an access-control list: not by what it announces, but by where the permission actually lands. Lucia sits across from her, carrying the doubt that arrived with the headline.
"So they're banning anonymous stablecoins," Lucia says.
Lilith shakes her head. "They put a guard on one door. Watch which door, and you'll see what they did, and what they left alone."
On June 18, 2026, five regulators moved as one body: FinCEN, the Federal Reserve Board, the OCC, the FDIC, and the NCUA. Together they proposed putting a Customer Identification Program, the kind every bank already runs, onto permitted payment stablecoin issuers. CoinDesk described it as customer-ID rules "akin to banks."
The hinge is the GENIUS Act, which treats a permitted issuer as a financial institution under the Bank Secrecy Act. Become a financial institution and the identity duties come attached to you. FinCEN, which administers that act, would require risk-based identity verification, recordkeeping, screening against government watch lists, customer notification, and procedures to rely on another regulated institution that has already done the identity work. Before opening an account, the issuer collects four things from each new customer: legal name, date of birth, a physical address, and a government-issued ID number.
Four fields, one counter.
Lucia leans in. "That's my name. My ID. That's me."
"It's you if you walk up to the issuer," Lilith says. "Read the nouns. Customer. Account. Those two words carry the whole rule."
Lucia half-remembers something. "Didn't they already pass a rule like this in the spring?"
"Different one," Lilith says. "Back on April 10 the same kind of issuer drew an anti-money-laundering and sanctions-program proposal. That rule is about the machinery an issuer must run inside its walls. This one, June 18, is narrower and more personal. It is the identity check at the door. Two proposals, two jobs, and people keep stacking them into one frightening sentence."
They are not the same rule.
It helps to know how a stablecoin actually works before asking who has to identify you to hold one. The token is a claim on a dollar the issuer holds in reserve, and this proposal is the first hard demand the parent statute makes on the people running that claim. If you want the wider frame, it sits inside the GENIUS Act, the law that created the permitted-issuer category in the first place. The comment window opens with publication in the Federal Register on June 22 and runs sixty days.
None of it is final yet.
"Here is the word doing all the work," Lilith says. "Customer. The rule identifies the issuer's direct customer. Not every person who ever holds the token. The person standing on the other side of the counter."
A stablecoin lives in two markets. The primary market is where you deal with the issuer face to face: you send dollars, the issuer mints fresh tokens to you, or you hand tokens back and the issuer redeems them for dollars. That is the on-ramp and the off-ramp, the same counter run in two directions. The secondary market is everything after that first handshake. The token changes hands between wallets, exchanges, and contracts, and the issuer is nowhere in the transaction.
The Customer Identification Program lives in the primary market. It binds the mint-and-redeem boundary, because that is the only place the issuer has a customer to point at.
Identity needs a counterparty.
"So the ID check isn't really about the coin," Lucia says slowly. "It's about the counter."
"The counter," Lilith says. "Identity attaches to a relationship, not to a token. The token never carries your name. The account does."
"Like cash, then," Lucia says. "The bank knows me when I take it out. The twenty in my pocket doesn't."
"Close," Lilith says. "The issuer knows you at the window. After that the token spends like a bearer note, passing from hand to hand until it reaches another window."
It guards windows, not the walk between them.
This is the same discipline as reading what you're really trusting in a stablecoin: the risk lives in the structure behind the issuer, not in the symbol on the screen. TRM Labs, writing for compliance teams rather than holders, frames the duty around the issuer's direct customer base, the people minting and redeeming. That is the same primary-market counter Lilith keeps pointing at, seen from the issuer's side of the glass.
Lucia is not satisfied. "Fine. But once the token is mine, doesn't the rule follow it down to me?"
"No," Lilith says. "And the proposal says so out loud, which is the part worth reading twice."
The agencies looked at a wider version of this rule, one that would reach every holder of the token, and preliminarily rejected it as unworkable. Their own language draws the line cleanly. An issuer is not required to identify people who later transact in the tokens on the secondary market. A purely secondary transfer, where the issuer is not a direct counterparty, including a transfer carried out by a smart contract, does not create an account relationship.
No account relationship, no customer. No customer, no duty to check.
Follow one token to feel it. You mint it at the issuer's counter, and your ID sits on file. You send it to a friend's wallet, and nobody runs a check. The friend swaps it on a decentralized exchange, and the contract asks for nothing. Weeks later the friend cashes out at an exchange, and that exchange takes the friend's ID, not because of where the token has been, but because cashing out is its own counter. One coin touched four hands and triggered identity exactly twice, at the two ends where a person met an institution.
Two ends, one rule each.
So when a stablecoin lands in a self-custodied wallet from a peer, or routes through a contract on its way somewhere else, the issuer never meets the person receiving it.
The permissionless property of the token survives the trip downstream.
None of this means an issuer is powerless over a token after it leaves the counter: the same company that learns your name at onboarding can also freeze a specific wallet under sanction, which is a different lever entirely. Identity at the door and control after the fact are not the same power, and this rule reaches only the first one.
Two separate things.
The honest answer is a question fired back: which door did you use?
If you mint or redeem directly with the issuer, yes. You are the customer the rule names, and you show ID. If you bought on a KYC'd exchange or hold through a custodial wallet, that intermediary already identified you, rule or no rule, and the issuer is allowed to lean on that work rather than repeat it. If you received a stablecoin into self-custody on-chain, no one verified you at all, right up until the day you carry it to a ramp to turn it back into bank money. The off-ramp is a counter too, and it knows your face.
Lilith sketches it as two columns on the desk.
| Primary market (mint or redeem with the issuer) | Secondary market (on-chain transfer, DEX, peer wallet) | |
|---|---|---|
| Who counts as the "customer" | You, directly | No one, as far as the issuer can see |
| Is ID required | Yes | No |
| Who verifies it | The issuer | No one, until a ramp |
| What the June 18 rule covers | This boundary | Explicitly carved out |
"One token," Lilith says. "Two columns. Your exposure depends on which column you're standing in the moment money changes form."
Same coin, two identities of risk.
The proposal went out with an asterisk. Federal Reserve Governor Michael Barr abstained, flagging the secondary-market risk the rule deliberately sets aside. His objection is not procedural noise.
It is the live edge of the entire question.
Barr's point is that the activity the rule leaves untouched, the on-chain hallway behind the counter, is exactly where downstream risk can collect. The sixty-day comment window, counting from June 22, exists in part to argue whether identity duties should ever reach that hallway. Today the answer is no. Whether it stays no is the thing still being contested. If that line moved, the pseudonymous secondary market Lilith just described would change shape, and self-custody would pick up a reporting tail it does not carry now.
Lilith is precise about why that is hard. An issuer cannot identify a wallet it has never met, so pushing the duty on-chain would mean handing it to someone else: the exchanges and bridges the token passes through, or the contracts themselves. That is a different rule, aimed at different parties, and writing it is the whole argument. Not a footnote to this one.
"So it could change," Lucia says.
"The boundary is drawn in pencil," Lilith says. "Drawn, and real, but in pencil. Read it as a live argument, not a closed case."
Lilith's reflex is a habit you can borrow. Before you decide whether a stablecoin's identity rules touch you, run four questions in order.
Answer those four and you can read your own exposure without waiting for a headline to misread it for you. That is the Survival Framework move applied to regulation: find where a rule binds before it binds you.
"The headline asked the wrong question," Lilith says. "Not whether stablecoins need KYC. Ask where your name is, and who is holding it."
The rule did not stamp a name onto the token. It put a guard on one door. The argument that starts on June 22 is about how many doors there are.
At the issuer's mint-and-redeem counter, yes. The June 18 proposal requires permitted payment stablecoin issuers to verify the identity of their direct customers before opening an account. For a purely on-chain transfer between wallets, no. That is not an account relationship, and the issuer does not identify you.
To create or cash out USDC directly with the issuer, or through a regulated exchange, you are identified by that party. To receive USDC into a self-custodied wallet from someone else, no one checks your ID, until you off-ramp it through a counter that does.
Receiving a stablecoin into self-custody on-chain does not trigger the issuer's identification duty. Converting it back into bank money at an exchange, or redeeming it with the issuer, does, because that is the primary-market boundary the rule covers.
No. It makes permitted issuers identify their direct customers at onboarding. It does not outlaw holding or receiving a stablecoin pseudonymously on-chain, and the agencies preliminarily rejected a wider version that would have reached every holder.
Not under this proposal, which carves out secondary transfers, including those routed through a smart contract. Whether identity duties should extend on-chain is the open question the sixty-day comment window, opening June 22, was written to test.
