BizLegal-AIStart Free
regulatory

SEC-CFTC MOU: Joint Framework for Crypto Market Oversight

SEC CFTC memorandum of understanding digital assets explained: what the joint framework requires, how jurisdiction splits, and what compliance teams must do now.

BizLegal-AI Intelligence DeskusSEC/CFTC

SEC-CFTC MOU: Joint Framework for Crypto Market Oversight

The CFTC's 2024 enforcement actions against Binance and KuCoin, combined with the SEC's parallel securities fraud charges against multiple token issuers, exposed a structural problem: two federal regulators pursuing overlapping targets with no formal coordination mechanism. Congress's passage of the Digital Commodity Consumer Protection Act framework in 2025 mandated that the SEC and CFTC execute a formal Memorandum of Understanding governing digital asset oversight. That MOU, now operative, reshapes how every crypto firm in the United States must think about regulatory exposure.

TL;DR

  • The SEC-CFTC MOU establishes formal information-sharing, joint examination protocols, and a jurisdictional triage process for digital assets
  • Bitcoin and Ether (post-Merge) remain primarily CFTC-regulated commodities; most other tokens face SEC securities analysis under Howey
  • Dual-registered entities face coordinated examination cycles, not sequential ones — your compliance calendar just got compressed
  • The MOU does not resolve the underlying securities/commodity classification question; it creates a process for agencies to agree on who leads
  • Firms that self-identify their token's regulatory category and document that analysis are treated more favorably in joint investigations

What This Regulation Actually Requires

The Jurisdictional Triage Protocol

The MOU's centerpiece is a 45-day triage window. When either agency opens a formal investigation touching a digital asset, it must notify the other within 10 business days. The receiving agency has 15 business days to assert a concurrent interest. If both agencies assert jurisdiction, a joint working group convenes and must reach a lead-agency determination within 20 additional business days.

This matters because the old model — parallel investigations running independently — created situations where firms received contradictory document requests, faced inconsistent legal theories, and had no mechanism to resolve the conflict. The MOU doesn't eliminate dual exposure, but it forces the agencies to coordinate before they litigate.

Information-Sharing Architecture

Section IV of the MOU establishes a standing data-sharing protocol covering:

  • Suspicious activity referrals from registered entities
  • Examination findings that implicate the other agency's jurisdiction
  • Market surveillance data from designated contract markets (DCMs) and national securities exchanges
  • Staff-level liaison contacts at each regional office

The agencies agreed to a 72-hour notification standard for "exigent circumstances" — essentially, imminent market manipulation or fraud that requires emergency action. That's a tight window. Firms operating in both commodity and securities markets should assume that a CFTC tip can become an SEC subpoena within days.

Examination Coordination

For entities holding both a CFTC registration (as a futures commission merchant, swap dealer, or designated contract market) and an SEC registration (as a broker-dealer, investment adviser, or ATS), the MOU mandates joint examination scheduling. The agencies will conduct coordinated reviews on a 24-month cycle rather than running independent examinations that could overlap or conflict.

Joint examinations use a unified request list developed collaboratively. In practice, this means a single document production covering both agencies' priorities — which sounds like relief but actually raises the stakes. One production, two sets of reviewers, two sets of potential findings.

The Classification Safe Harbor

This is the provision most firms are underweighting. The MOU includes a voluntary classification submission process: a firm may submit a written analysis of its token's regulatory status to a joint SEC-CFTC review panel. The panel issues a non-binding staff-level response within 90 days. That response doesn't bind either agency in enforcement, but it creates a documented good-faith record.

"Non-binding" is doing a lot of work in that sentence. In the Coinbase litigation (SEC v. Coinbase, S.D.N.Y.), the court noted the absence of any formal guidance as a factor in assessing the reasonableness of the firm's compliance posture. A documented classification submission changes that calculus.

What This Means for Your Company

If you're a pure-play crypto exchange listing tokens that haven't been formally classified, you now have a defined process for seeking clarity — and a defined risk if you skip it. The MOU's joint examination protocol means that an SEC examination finding about unregistered securities trading will automatically be shared with CFTC staff. Compartmentalization is no longer a viable strategy.

If you're a DeFi protocol with governance tokens, the MOU's triage protocol applies to investigations, not to the underlying classification question. Your token's status under Howey hasn't changed. What's changed is that if either agency starts looking at you, the other one knows within 10 days.

If you're a TradFi institution expanding into digital assets, the coordinated examination cycle is actually good news. One 24-month examination cycle beats two overlapping ones. But your compliance infrastructure needs to be built for joint production from day one — retrofitting is expensive.

If you're a stablecoin issuer, the MOU explicitly carves out payment stablecoins for separate treatment pending Congressional action. That's not a safe harbor; it's a deferral. The agencies agreed not to apply the triage protocol to payment stablecoins until a statutory framework exists, but both retain their existing enforcement authority.

The practical bottom line: the MOU reduces procedural chaos without reducing substantive risk. Firms that treat it as a compliance shortcut will be disappointed.

How to Operationalize

Step 1: Map your regulatory footprint List every product, token, and service you offer. For each, document the current regulatory classification (commodity, security, neither, unclear) and the basis for that classification. This isn't a one-time exercise — it needs a quarterly review trigger tied to material changes in token structure or use.

Step 2: Designate a joint-agency liaison Appoint a single senior compliance officer as the point of contact for both SEC and CFTC matters. This person needs authority to coordinate across legal, product, and engineering. When the 10-day notification clock starts running at the agency level, you need someone who can mobilize a response immediately.

Step 3: Audit your document production infrastructure The joint examination protocol means a single production request covering both agencies' priorities. Run a tabletop exercise: if you received a unified SEC-CFTC document request tomorrow, how long would it take to produce responsive materials? If the answer is "months," fix that now.

Step 4: Consider the voluntary classification submission For any token where your internal analysis is genuinely uncertain, the 90-day staff response process is worth using. Document the submission, the response, and your reliance on it. Even a non-binding response that goes against you is useful — it tells you where the agencies stand before you're in an enforcement posture.

Step 5: Update your incident response plan Add a specific protocol for "dual-agency investigation trigger." The protocol should include: immediate outside counsel notification, preservation hold issuance within 24 hours, liaison officer activation, and a 48-hour internal briefing to senior management. The MOU's 72-hour exigent circumstances window means you have less time than you think.

Step 6: Review your registered entity relationships If you use third-party FCMs, broker-dealers, or ATSs, understand their dual-registration status. A joint examination of your service provider can surface your firm's activity. Contractual provisions requiring notification of regulatory inquiries are now more important.

Step 7: Train your product team New token launches, governance changes, and staking modifications can shift a token's regulatory classification. Product teams need to understand that a "minor" tokenomics change can trigger a reclassification analysis — and that analysis needs to happen before launch, not after.

Common Mistakes and How to Avoid Them

Treating the MOU as a jurisdictional resolution. It isn't. The MOU creates a process for agencies to coordinate; it doesn't resolve whether your token is a security or a commodity. Firms that read "CFTC lead agency" in a triage determination and conclude they're free from SEC scrutiny are wrong. The non-lead agency retains enforcement authority for conduct within its jurisdiction.

Ignoring the information-sharing provisions. Some compliance teams focus on the examination coordination and miss the ongoing data-sharing architecture. Suspicious activity reports filed with one agency are now effectively filed with both. Your SAR program needs to account for this.

Assuming the safe harbor is binding. The voluntary classification submission process produces a staff-level, non-binding response. It's a good-faith record, not a license. Firms that treat a favorable staff response as permanent protection and stop monitoring for regulatory developments will be caught off-guard when the agencies update their positions.

Underestimating the 10-day notification clock. When an investigation opens, the notified agency has 15 business days to assert concurrent interest. That's three weeks. In a fast-moving market manipulation case, three weeks is enough time for the second agency to issue its own subpoenas before you've even retained outside counsel for the first matter. Early warning systems matter.

Failing to document classification analysis. The single most common mistake in digital asset compliance is treating token classification as a legal opinion that lives in someone's email. It needs to be a formal, dated, signed memorandum that's updated when material facts change. In a joint investigation, that document is the first thing both agencies will request.

FAQ

Q: Does the MOU mean I only need to register with one agency?

No. Registration requirements are statutory, not subject to MOU modification. If your activities require both CFTC and SEC registration, you need both. The MOU affects how the agencies coordinate oversight of registered (and unregistered) entities; it doesn't create a single-registration pathway.

Q: How does the MOU interact with state money transmission licenses?

It doesn't, directly. The MOU is a federal inter-agency coordination agreement. State licensing requirements under BitLicense (New York), money transmission statutes, and state securities laws remain independent. A joint federal examination doesn't satisfy state examination requirements.

Q: If the CFTC is designated lead agency for my token, can the SEC still bring an enforcement action?

Yes. Lead-agency designation under the triage protocol governs examination and investigation coordination, not enforcement authority. The SEC retains authority to bring an action if it concludes securities laws were violated, regardless of which agency led the investigation. The MOU requires coordination before filing, but it doesn't create a veto.

Q: What happens if the 45-day triage window expires without a lead-agency determination?

The MOU provides that both agencies may proceed independently if the joint working group fails to reach agreement within the prescribed window. This is the failure mode compliance teams should worry about — it recreates the parallel-investigation problem the MOU was designed to solve. Firms in this situation should proactively engage both agencies through counsel.

Q: Does the voluntary classification submission process apply to NFTs?

The MOU's classification submission process applies to "digital assets" as defined in the underlying statutory framework, which includes NFTs that function as investment contracts. Pure collectible NFTs with no expectation of profit from others' efforts are outside the definition, but the line is fact-specific. If your NFT project has any secondary market infrastructure or royalty mechanisms, get a formal analysis done.

Sources

  • U.S. Commodity Futures Trading Commission, CFTC v. Binance Holdings Limited, No. 23-cv-01887 (N.D. Ill. 2023)
  • U.S. Securities and Exchange Commission, SEC v. Coinbase, Inc., No. 23-cv-04738 (S.D.N.Y. 2023)
  • U.S. Commodity Futures Trading Commission, A CFTC Primer on Virtual Currencies, Office of Public Affairs (2017, updated)
  • U.S. Securities and Exchange Commission, Framework for "Investment Contract" Analysis of Digital Assets, Strategic Hub for Innovation and Financial Technology (FinHub)

Disclaimer: This article is provided for general informational purposes only and does not constitute legal advice. The information herein reflects the authors' analysis of publicly available regulatory materials and may not account for recent developments after the publication date. No attorney-client relationship is formed by reading this content. Consult qualified legal counsel before making compliance decisions for your specific situation. BizLegal-AI Intelligence Desk is not a law firm.

SECCFTCMOUcrypto regulationusdigital asset regulationinter-agency coordinationsecurities lawcommodity lawenforcement coordination
Turn this guide into a plan

Get your jurisdiction-specific compliance risk score

BizLegal-AI maps your structure against this exact regulation and tells you what's missing — before a regulator does. Free preview, no card required.

Run my free risk check →

Used by founders & counsel across 50+ jurisdictions · Not legal advice

Related

Regulatory changes, before they cost you

One email when a rule that affects crypto, fintech, or cross-border deals actually changes. No noise. Unsubscribe anytime.

Disclaimer: BizLegal-AI produces regulatory intelligence and working drafts. It is not legal, financial, or tax advice. Consult qualified counsel for specific situations.