The customer identification program rule that banks and other regulated financial institutions follow when they open accounts has not been substantively rewritten since 2003. That matters for stablecoins and other crypto-related services, both the ones operating today and the ones being built. Every stablecoin issuer, every regulated onramp, every crypto asset broker-dealer, and every bank that holds operating accounts for crypto firms operates under that rule. When the rule is rigid and badly matched to modern fraud, the friction lands on crypto users and the institutions that serve them. When the rule modernizes, it modernizes for them too.Consensys filed a comment letter with the Financial Crimes Enforcement Network on May 28, 2026, responding to the proposed AML/CFT Program Reform NPRM. Six things are worth flagging.First, the rule is overdue for an update. Static personal identifying information, including Social Security numbers, dates of birth, and addresses, is no longer secret. Repeated breaches have made those attributes available to anyone willing to pay for them. Asking a customer to recite them no longer proves anything. Generative AI now produces convincing identity documents and biometrics at near-zero marginal cost. The dominant US remote-onboarding architecture is verifying against data that attackers also have, using document scans that AI can defeat.Second, the technology to do this better exists. Cryptographically verifiable digital credentials, including mobile driver licenses under ISO/IEC 18013-5, credentials built on the W3C Verifiable Credentials standard, and zero-knowledge proofs, let the customer hold and present their own credentials, prove only the attributes the institution needs, and do so without surrendering raw personal data to another database that will eventually be breached. The standards are mature. NIST has reference implementations underway. The blocker is regulatory recognition.
Third, Treasury already has the tools. The Secretary's exemptive authority under 31 U.S.C. § 5318(a)(7), FinCEN's interpretive guidance powers, and the coordinated supervisory machinery operated with the federal banking agencies are enough to modernize meaningfully without a full rewrite. FinCEN showed it could move when it issued the June 2025 CIP TIN Exemption Order.
Fourth, the proposal is not novel. FDIC Acting Chairman Travis Hill, the American Fintech Council, The Clearing House Association, the Bank Secrecy Act Advisory Group, Treasury's own 2023 De-Risking Strategy, and FATF have reached substantially the same conclusion. The banking industry, the fintech industry, the federal banking regulators, and the international standard-setters all agree that the current framework is misaligned with both the modern risk environment and the available technology.
Fifth, the framework has to be designed against surveillance. The same posture that animated the rejection of a US central bank digital currency should apply to digital identity infrastructure. Selective disclosure, no-phone-home verification, user-controlled credentials, no centralized identity ledger, and no use of public-information monitoring to debank lawful but politically disfavored activity. These are the price of public legitimacy for any modernized identity system.
Sixth, the United States is the outlier. The UK, EU, Singapore, Canada, and Australia all operate modernized third-party reliance frameworks. US consumers, and the US crypto users among them, pay the cost in friction, duplicated data collection, and weaker competition.The conversation is starting in the right place. We hope FinCEN takes the staged path the existing authorities make available. Read our comment letter to FinCEN in full.