This chapter introduces the regulatory bodies most relevant to crypto startups and provides a very high-level overview of the current legislative and regulatory landscape.
The Securities and Exchange Commission (SEC)
The SEC regulates the issuance and transfer of securities in both primary and secondary markets. Its broad statutory mandate puts the Commission at the center of digital asset regulation, particularly for startups that issue tokens, coins, or any other instrument that may qualify as an investment contract.
When Is a Crypto Asset a Security?
The foundational question for every crypto project is whether its tokens or digital assets constitute “investment contracts” under the framework established by SEC v. W.J. Howey Co. An investment contract exists where there is (1) an investment of money, (2) in a common enterprise, (3) with a reasonable expectation of profit, (4) derived from the efforts of others. If a token satisfies these elements, it is a security subject to the full panoply of federal securities laws—including registration requirements, disclosure obligations, and anti-fraud provisions.
The SEC’s 2019 Framework for “Investment Contract” Analysis of Digital Assets provided granular guidance on the third and fourth prongs, emphasizing that the more active a promoter is in the development and operation of the token network and its market, the more likely it is that the token will be treated as a security. The framework remains relevant, but the analytical landscape has continued to evolve through enforcement actions, court decisions, and, increasingly, affirmative guidance from the Commission.
The Shift Under Chairman Atkins
The SEC’s approach to digital assets underwent a fundamental transformation beginning in January 2025, when Acting Chairman Mark Uyeda established the Crypto Task Force under Commissioner Hester Peirce’s leadership. The task force was explicitly designed to move the Commission away from regulation-by-enforcement and toward a comprehensive, transparent regulatory framework.
When Chairman Paul Atkins took office in April 2025, he accelerated this shift. The Commission held a series of public roundtables on topics including the securities status of digital assets, public offerings, exemptions and safe harbors, and trading and custody requirements. In July 2025, Atkins unveiled “Project Crypto”—a Commission-wide initiative to modernize securities regulation for digital assets—and directed staff to develop a comprehensive framework to facilitate crypto asset distributions within the United States. Atkins stated publicly that, in his view, most crypto assets are not securities, and that classification as a security should not be a deterrent to development.
In November 2025, Atkins outlined the next phase: a token taxonomy anchored in the Howey investment contract analysis, designed to provide clearer guidance on which tokens fall within the SEC’s jurisdiction. In January 2026, the Division of Corporation Finance, Division of Investment Management, and Division of Trading and Markets jointly issued a statement elaborating this taxonomy for tokenized securities.
Formal rulemaking is expected in 2026, with proposals anticipated for a comprehensive crypto asset framework and amendments to the Securities Exchange Act of 1934 to accommodate crypto trading on exchanges and alternative trading systems. For founders, the practical takeaway is that the regulatory posture has changed—but the rules have not yet been rewritten. Operating as though compliance is optional because the political winds have shifted is a serious mistake.
Stablecoins
In April 2025, the Division of Corporation Finance issued a staff statement analyzing whether transactions in stablecoins are subject to federal securities laws. The statement concluded that certain “covered stablecoins”—those designed to maintain a 1:1 peg to the U.S. dollar, backed by reserves of cash and short-term U.S. Treasuries, and redeemable on demand—do not involve the offer and sale of securities. This guidance was subsequently reinforced by the GENIUS Act, signed into law in July 2025, which established a federal regulatory framework for payment stablecoins and expressly provides that qualifying payment stablecoins are neither securities nor commodities.
Bitcoin
The SEC has consistently maintained that Bitcoin is not a security, on the basis that its consensus mechanism is too decentralized to constitute an enterprise controlled by a promoter or third party. This position has been reaffirmed across multiple administrations and is unlikely to change.
The Commodity Futures Trading Commission (CFTC)
The CFTC regulates the sale and transfer of commodities, derivatives, and futures contracts. The Commission’s jurisdiction over digital assets arises from the Commodity Exchange Act’s broad definition of “commodity,” which encompasses “all services, rights, and interests…in which contracts for future delivery are presently or in the future dealt in.” The CFTC has interpreted this language to encompass virtual currencies and certain digital assets—most notably, Ethereum has been treated as a commodity under this standard.
When Are Digital Assets Commodities?
The line between a security and a commodity remains one of the most contested questions in digital asset regulation. The CLARITY Act, which passed the House in July 2025, proposes to resolve this by creating a taxonomy that divides crypto assets into digital commodities, investment contract assets, and permitted payment stablecoins—with the CFTC exercising primary jurisdiction over digital commodities and the SEC over investment contract assets. If enacted in its current form, the CLARITY Act would provide the clearest jurisdictional framework the industry has seen. Until then, the analysis remains fact-specific and the outcome can depend on which regulator reaches a given asset first.
SEC-CFTC Coordination
In September 2025, Chairman Atkins and Acting CFTC Chairman Caroline Pham issued a joint statement formalizing their commitment to harmonize digital asset regulation. The statement previewed potential joint actions including expanded trading hours, coordinated margin requirements, and safe harbors for peer-to-peer spot crypto trading. With Michael Selig—former chief counsel of the SEC’s Crypto Task Force—confirmed as CFTC chairman, the two agencies are better positioned for coordination than at any point in the history of digital asset regulation.
Futures and Swaps
If your company allows users to exchange futures contracts or hedge the value of a digital asset, it is likely subject to CFTC registration requirements. The CFTC has brought numerous enforcement actions against crypto platforms operating unregistered futures exchanges, and this area of enforcement has continued regardless of the broader shift in regulatory posture.
The United States Treasury
FinCEN
The Financial Crimes Enforcement Network (FinCEN) is a bureau of the Treasury Department responsible for policing financial crime and regulating money services businesses (MSBs). Companies engaged in the exchange of virtual currency for fiat currency, or that issue or administer virtual currencies, may qualify as MSBs and must comply with the Bank Secrecy Act, including know-your-customer (KYC) requirements, anti-money laundering (AML) obligations, and suspicious activity reporting.
Determining whether your company qualifies as an MSB is one of the most important regulatory questions a crypto startup can ask—particularly if your business processes payments, facilitates exchanges, or provides custodial services involving digital assets. State-level money transmitter licensing adds an additional layer of complexity, as requirements vary significantly across jurisdictions.
The IRS
The IRS treats crypto as property—analogous to stock, bonds, and other capital assets. Accordingly, U.S. taxpayers must report a range of crypto transactions, including sales, exchanges, and conversions. If your startup involves a crypto exchange, staking rewards, mining, yield farming, or other income-producing activities, you must ensure compliance with federal tax obligations. The IRS has also intensified its enforcement focus on crypto tax reporting in recent years, and the information reporting requirements imposed on centralized exchanges and brokers continue to expand.
The Legislative Landscape
The regulatory framework for digital assets in the United States is being reshaped by legislation, not just agency action. Two statutes enacted in 2025 are particularly consequential.
The GENIUS Act
The Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act), signed into law on July 18, 2025, is the first federal legislation specifically addressing digital assets. The Act establishes a comprehensive regulatory framework for payment stablecoins, requiring issuers to maintain reserves backing outstanding stablecoins on at least a 1:1 basis with U.S. dollar-denominated assets (primarily cash and short-term U.S. Treasuries). Issuers are prohibited from paying interest or yield on payment stablecoins, and qualifying stablecoins are expressly excluded from the definitions of “security” and “commodity” under federal law.
For crypto startups, the GENIUS Act provides critical clarity: if your product involves a payment stablecoin, the regulatory pathway is now defined by statute rather than by enforcement discretion.
The CLARITY Act
The Digital Asset Market Clarity Act of 2025 (the CLARITY Act) passed the House on July 17, 2025, and is pending in the Senate as of this writing. The Act’s core innovation is a three-part taxonomy that divides crypto assets into digital commodities, investment contract assets, and permitted payment stablecoins, with regulatory jurisdiction allocated between the CFTC and SEC based on classification. The Act would also establish registration pathways for digital asset trading platforms, custodians, and dealers.
If the CLARITY Act becomes law in substantially its current form, it will represent the most significant structural reform of U.S. securities and commodities regulation in decades. Founders should monitor its progress closely and plan for the possibility that the rules governing their tokens, platforms, and business models may change materially within the next legislative cycle.
Enforcement Actions and Investigations
Even in a more favorable regulatory environment, enforcement actions and investigations remain a reality for crypto companies. Knowing what to expect from the process, understanding how to comply, and knowing what regulators look for are key to mitigating liability. Regulators across administrations have consistently rewarded cooperation and good-faith compliance from companies that demonstrate a genuine effort to operate within the rules.
How Investigations Begin
Investigations can originate from several sources: market surveillance, referrals from other agencies, whistleblower tips, or self-reporting by the company. Understanding how an investigation originated can inform your response strategy and help you anticipate the scope of the inquiry.
Agency Coordination
Agencies routinely coordinate on digital asset enforcement. The SEC and FINRA frequently bring parallel actions, as do the SEC and DOJ (where the conduct implicates criminal law). The CFTC and DOJ similarly coordinate where commodities fraud is alleged. State regulators and international authorities may also be involved, particularly where the company operates across borders.
If a peer company becomes the subject of an investigation, take it seriously: conduct an internal review to determine whether your operations share any of the characteristics that attracted regulatory attention. Proactive self-assessment is far less expensive than reactive defense.
Subpoenas and Formal Requests
Formal investigations typically involve written demands to produce records and information. The DOJ issues grand jury subpoenas; executive agencies issue administrative subpoenas or formal orders of investigation. A critical point: corporations do not enjoy Fifth Amendment protection against self-incrimination, so a corporate subpoena recipient cannot refuse to produce records on that basis.
If you receive an administrative subpoena, engaging in dialogue with the issuing agency can be productive. Depending on the circumstances, negotiation may lead to a narrower scope, an opportunity to present your perspective on the facts, or—in the best case—a decision not to proceed. Retain experienced counsel immediately upon receiving any formal request.
Whistleblowing
Federal whistleblower programs continue to grow in scope and activity. The Dodd-Frank Act’s SEC whistleblower program, Sarbanes-Oxley’s protections for corporate insiders, and the Anti-Money Laundering Act’s expanded Treasury whistleblower program all incentivize individuals to report potential misconduct. The AMLA has particular relevance for crypto companies: it bolstered the whistleblower program within the Treasury Department, with direct implications for companies subject to the Bank Secrecy Act—including money services businesses that deal in virtual currencies.
Your compliance program should include easily accessible whistleblower information and robust anti-retaliation policies. Creating a culture that takes compliance seriously and respects the importance of internal reporting mechanisms is both a legal obligation and a practical necessity.
Self-Reporting
Self-reporting—voluntarily disclosing potential violations to regulators—can provide tangible benefits. Leadership from both the SEC and DOJ has emphasized that self-reporting often leads to reduced penalties or declinations. A secondary benefit is control: by acting first, your company can shape the narrative and direction of any resulting inquiry, rather than being in a purely reactive posture.
Self-reporting should not be undertaken without a careful cost-benefit analysis. Factors to consider include the magnitude of the suspect activity, the likelihood it will be detected through other means, the legal risk involved, the costs of cooperation, the potential reputational impact, and the effect on shareholders and investors. Not every compliance gap warrants voluntary disclosure to federal regulators.
Preserving Data
The moment you become aware of a potential investigation, you must take immediate steps to preserve all relevant information. Document destruction—even of seemingly inconsequential data—can lead to obstruction charges, adverse inferences, and separate penalties that may exceed the liability for the underlying conduct. Legal holds should be implemented promptly, automated deletion processes should be suspended, and employees should be notified of their preservation obligations.
Crypto companies should be particularly diligent about communications hygiene. The SEC, CFTC, and FINRA have made recordkeeping a priority enforcement area, levying substantial fines against financial institutions whose employees conducted business on unapproved messaging platforms. If your team works remotely—as most crypto companies’ teams do—ensure that business communications occur on approved, monitored, and retained platforms.
Internal Investigations
Internal investigations are a powerful tool when facing regulatory scrutiny. By independently gathering facts and assessing the situation, you position the company to respond more effectively, cooperate more credibly, and control the narrative. Without an internal investigation, cooperation with regulators is harder to calibrate, and the process is more likely to produce unfavorable outcomes.
The downside is cost. Before launching an internal investigation, assess whether the expense is justified by the magnitude of the risk. And if you proceed, ensure the investigation is conducted by qualified outside counsel with experience in the relevant regulatory area. A poorly executed internal investigation—one that appears biased, incomplete, or sloppy—can do more harm than no investigation at all.
Attorney-Client Privilege
The attorney-client privilege protects communications made for the purpose of obtaining legal advice. Upon learning of a potential investigation, take immediate steps to ensure that privileged communications are preserved and not inadvertently disclosed. Retaining outside counsel is advisable for several reasons: it creates a clearer privilege boundary than in-house communications (which may be characterized as business rather than legal advice), it adds credibility with regulators, and it provides access to specialized expertise.
Be cautious about disclosing privileged information in exchange for leniency. Once the privilege is waived, it is waived permanently—and the disclosed information may be used by third parties in ways you did not anticipate. The preferred approach is to compile a factual presentation based on the results of your internal investigation without revealing work product or internal legal analysis.
Cooperation Frameworks
Every major federal agency has its own framework for crediting cooperation. Understanding what each agency expects is essential for any company navigating an enforcement inquiry.
DOJ
Federal prosecutors evaluate cooperation under the Filip Factors—eleven considerations that guide charging decisions for corporate criminal violations. The cooperation standard requires disclosure of complete factual information about the individuals substantially involved in or responsible for the misconduct. This is a high bar, but the Department recognizes that access to information may be limited in some circumstances.
SEC
The SEC’s Seaboard Report (2001) establishes the framework for crediting cooperation. Key factors include the extent to which the company was self-policing before the violation was discovered, whether the company self-reported the violation, the extent of remedial efforts taken after discovery, and the degree to which the company worked with law enforcement. Companies that score well across these factors may receive reduced sanctions or even a recommendation of no action.
CFTC
The CFTC has made clear that ordinary cooperation is insufficient for credit. Cooperation must be “sincere, robustly cooperative and indicative of a willingness to accept responsibility.” The agency evaluates the value of the cooperation to the investigation, its value to the CFTC’s broader enforcement interests, and the culpability of the company.
OFAC
The Office of Foreign Assets Control evaluates cooperation based on whether the organization self-disclosed voluntarily, provided all relevant information, investigated and disclosed all potential violations, and responded to the agency’s requests in a timely manner. OFAC sanctions can carry severe penalties, and proactive cooperation is one of the most effective mitigants available.
Looking Ahead
The regulatory environment for crypto and digital assets is in a period of rapid, structural change. The enforcement-heavy posture of the prior administration has given way to an affirmative effort to build fit-for-purpose regulatory frameworks through legislation, rulemaking, and interagency coordination. The GENIUS Act and CLARITY Act represent the first wave of statutory reform. Project Crypto and the SEC’s forthcoming token taxonomy represent the agency-level counterpart. And the coordination between the SEC and CFTC under their current leadership suggests that the jurisdictional turf wars that plagued the industry for years may finally be giving way to a more coherent regime.
None of this means that compliance is less important. If anything, the transition from enforcement-first to framework-first regulation raises the stakes for companies that fail to engage with the emerging regime. The companies that will benefit most from the new regulatory landscape are those that have been building compliance infrastructure all along—maintaining clear records, making good-faith classification decisions, engaging with counsel, and positioning themselves to take advantage of safe harbors and exemptions as they become available.
For crypto founders, the message is clear: the regulatory environment is more favorable than it has ever been, but it is still just as complex.
Written by David Lopez Kurtz