SEC-CFTC MOU: Joint Framework for Crypto Market Oversight

The House-passed Financial Innovation and Technology for the 21st Century Act (FIT21) and the agencies' renewed interagency coordination posture have put the SEC-CFTC memorandum of understanding back at the center of every crypto compliance conversation. With the CFTC asserting spot-market jurisdiction over Bitcoin and Ether in multiple enforcement actions — and the SEC simultaneously pursuing exchange and token-issuer cases — the practical question isn't which agency matters. It's how they coordinate, what they share, and what that means for your exposure.

TL;DR

• The SEC and CFTC operate under a formal MOU that governs information sharing, referral protocols, and joint examination authority for entities touching both securities and commodity markets.
• Jurisdiction still turns on asset classification: securities (SEC) vs. commodities/derivatives (CFTC), but many tokens and platforms straddle both.
• Enforcement coordination is real — parallel investigations and simultaneous actions have occurred in multiple high-profile cases.
• FIT21 and pending Senate legislation would codify a clearer split, but until enacted, the MOU framework governs day-to-day coordination.
• Compliance teams need dual-agency readiness: policies, records, and personnel that can respond to either regulator without contradiction.

What This Regulation Actually Requires

The MOU Itself: Structure and Legal Basis

The SEC and CFTC have maintained a formal memorandum of understanding since 2008, updated periodically, that establishes protocols for sharing non-public information, coordinating examinations, and managing jurisdictional disputes. The agreement operates under authority granted by Section 8(e) of the Commodity Exchange Act and Section 17(d) of the Securities Exchange Act of 1934, both of which permit inter-agency cooperation arrangements.

The MOU is not a statute. It doesn't create new substantive obligations for registrants. What it does is structure how the two agencies talk to each other about you — and that has significant practical consequences.

Information Sharing Provisions

Under the MOU, either agency can request non-public examination findings, investigative materials, and registration data from the other. The requesting agency doesn't need a subpoena. Consent from the subject entity is not required. If the SEC opens an investigation into a crypto exchange and discovers conduct that looks like unregistered futures trading, it can — and routinely does — share that file with CFTC staff.

The reverse is equally true. CFTC enforcement staff investigating a derivatives platform for manipulation can refer securities-law concerns to the SEC Division of Enforcement. In the BitMEX matter, federal prosecutors, the CFTC, and FinCEN coordinated charges simultaneously. That's the operational reality the MOU enables.

Jurisdictional Allocation Framework

The agencies use a functional test to allocate jurisdiction:

Securities jurisdiction (SEC): Tokens that satisfy the Howey test — investment of money in a common enterprise with expectation of profits from others' efforts — are securities. The SEC has taken the position, articulated in the 2019 Framework for "Investment Contract" Analysis of Digital Assets, that most tokens issued through ICOs or ongoing development teams qualify.

Commodity jurisdiction (CFTC): Bitcoin and Ether have been treated as commodities in CFTC enforcement actions since at least 2015 (In re Coinflip, Inc., CFTC Docket No. 15-29). The CFTC has spot-market anti-fraud and anti-manipulation authority under CEA Section 6(c)(1) even without a derivatives nexus. Derivatives on any digital asset — futures, options, swaps — fall squarely within CFTC jurisdiction regardless of the underlying's classification.

The overlap zone: A token can be a security at issuance and transition to commodity status as the network decentralizes. Platforms that list both securities tokens and commodity tokens, or that offer both spot and derivatives trading, face concurrent jurisdiction. That's not a theoretical edge case — it describes most major exchanges operating today.

Joint Examination Authority

The MOU permits coordinated examinations where both agencies send staff simultaneously or sequentially to review the same entity. For a registered broker-dealer that also operates a commodity pool or swap desk, this is standard. For crypto firms that have obtained multiple registrations or are operating under no-action relief, a joint exam is a live possibility.

Referral and Escalation Protocols

When one agency's staff identifies conduct that appears to fall within the other's primary jurisdiction, the MOU establishes a referral process. This isn't automatic — staff exercise discretion — but the existence of the protocol means that a CFTC examination of a futures commission merchant can generate an SEC referral for the same firm's token-listing practices.

What This Means for Your Company

If your firm operates in any of the following categories, dual-agency exposure is not hypothetical:

• Crypto exchanges listing tokens that may be securities alongside BTC/ETH spot markets
• DeFi protocols offering leveraged or derivative-like products
• Token issuers whose networks haven't achieved sufficient decentralization to escape Howey
• Investment advisers or funds holding digital assets across both securities and commodity classifications
• Broker-dealers expanding into digital asset custody or trading

The MOU means that a document request, examination, or investigation from one agency can quickly become two. Inconsistent responses — different characterizations of the same token in an SEC filing versus a CFTC registration — create serious credibility problems. Compliance programs built to satisfy only one regulator are structurally incomplete.

The FIT21 framework, if enacted, would assign primary jurisdiction based on whether a digital asset's blockchain is "functional" and "decentralized" at the time of the transaction. Until that or comparable Senate legislation passes and implementing rules are finalized, the MOU-governed coordination regime is what you're operating under.

How to Operationalize

1. Map every asset on your platform or in your portfolio against both the Howey test and the CFTC commodity framework. Document the analysis. Date it. Have outside counsel review it annually or when material facts change (e.g., a development team disbands, a foundation dissolves, token utility launches).

2. Designate a dual-agency compliance lead. This person — or team — needs working familiarity with both the Securities Exchange Act and the Commodity Exchange Act. SEC and CFTC registration requirements, examination procedures, and enforcement postures differ in meaningful ways. Siloed compliance functions miss cross-agency risk.

3. Audit your existing registrations and exemptions for consistency. If you've represented a token as a commodity in a CFTC filing and as a non-security in an SEC no-action request, those positions need to be reconcilable. They don't have to be identical, but they can't be contradictory. Document the legal basis for any difference.

4. Build a coordinated document-hold and response protocol. When a subpoena or examination request arrives from either agency, your litigation hold should automatically flag whether the same materials are relevant to the other agency's potential interest. Your outside counsel team should include practitioners with both SEC and CFTC enforcement experience.

5. Conduct a tabletop exercise simulating a parallel investigation. Walk through the scenario: CFTC issues a civil investigative demand; two weeks later, SEC staff contacts your general counsel. Who responds? What gets produced? Who approves representations made to each agency? Gaps in that exercise are gaps in your program.

6. Monitor FIT21 and Senate companion legislation. The House passed FIT21 in May 2024. Senate action and any presidential signature will trigger a rulemaking period — likely 12-18 months — before new jurisdictional rules take effect. Start scenario-planning now for how your business model fits under the proposed framework.

7. Review your AML/BSA program for dual-agency touchpoints. Both the SEC (through FINRA for broker-dealers) and the CFTC (for FCMs and swap dealers) have AML examination authority. FinCEN coordinates with both. A gap in your AML program is visible to all three.

Common Mistakes and How to Avoid Them

Treating the MOU as theoretical. Some compliance teams know the MOU exists but don't factor it into their risk assessments. The BitMEX, FTX, and Binance enforcement actions all involved multi-agency coordination. The MOU is operational, not ceremonial.

Inconsistent asset classification across filings. A token described as a "utility token" with "no investment expectation" in marketing materials but structured with profit-sharing mechanics in its smart contract creates a paper trail that both agencies can use. Classification positions need to be legally defensible and internally consistent.

Assuming CFTC jurisdiction is narrower. The CFTC's anti-fraud authority under CEA Section 6(c)(1) reaches spot commodity markets without any derivatives nexus. Firms that think they're outside CFTC reach because they don't offer futures are often wrong.

Failing to coordinate outside counsel. Firms that retain separate SEC counsel and CFTC counsel without a coordinating lead attorney risk producing inconsistent representations to the two agencies. In a parallel investigation, that's a serious problem.

Waiting for FIT21 to clarify everything. Even if FIT21 passes in its current form, it won't eliminate dual-agency jurisdiction for all assets or all activities. Derivatives on digital assets remain CFTC territory. Securities tokens don't disappear. The MOU framework will continue to govern coordination for a significant slice of the market.

Underestimating examination risk for non-registered entities. The CFTC has brought enforcement actions against entities that were never registered with it, asserting jurisdiction based on the commodity nature of the assets involved. Not being registered doesn't mean not being subject to examination or enforcement.

FAQ

Q: Does the MOU require the SEC or CFTC to notify a firm before sharing its information with the other agency?

A: Generally, no. The MOU permits information sharing without prior notice to the subject entity. The agencies may notify firms as a matter of practice in some circumstances, but there's no blanket notification requirement. This is one reason why a parallel-investigation protocol should be part of your standard compliance program, not an afterthought.

Q: If my token was classified as a commodity by the CFTC in an enforcement action, does that bind the SEC?

A: No. Agency determinations in enforcement actions bind the parties to that action; they don't create binding precedent for the other agency. The SEC could independently analyze the same token and reach a different conclusion. Courts have the final word on classification disputes, and the case law remains unsettled for most token types outside of Bitcoin and Ether.

Q: How does FIT21 change the MOU framework if it passes?

A: FIT21 would establish statutory jurisdiction rules that supersede the agencies' informal coordination on classification questions. The CFTC would get primary jurisdiction over "digital commodities" (assets on functional, decentralized blockchains), while the SEC would retain jurisdiction over "restricted digital assets" (assets on blockchains that aren't yet sufficiently decentralized). The MOU would likely be updated to reflect the new statutory framework, but interagency coordination and information sharing would continue. The practical effect is more clarity on primary jurisdiction, not elimination of dual-agency risk.

Q: Can a firm be subject to enforcement by both agencies for the same conduct?

A: Yes. The Double Jeopardy Clause applies to criminal prosecutions, not civil regulatory actions by different agencies. The CFTC and SEC can both bring civil enforcement actions arising from the same underlying conduct if that conduct violates both the CEA and the securities laws. Parallel civil actions have occurred. Firms should assume that a serious enforcement matter will attract attention from both agencies.

Q: What's the practical difference between an MOU referral and a formal joint investigation?

A: An MOU referral is one agency flagging potential violations to the other and sharing relevant materials. The receiving agency then decides independently whether to open its own investigation. A joint investigation involves active coordination of investigative steps, shared resources, and potentially coordinated charging decisions. Joint investigations are less common but have occurred in major crypto enforcement matters. Either way, your firm is dealing with two regulators, not one.

---

Sources

• Commodity Exchange Act § 6(c)(1), 7 U.S.C. § 9 (CFTC anti-fraud and anti-manipulation authority)
• Securities Exchange Act of 1934 § 17(d), 15 U.S.C. § 78q(d) (inter-agency cooperation authority)
• CFTC, In re Coinflip, Inc., CFTC Docket No. 15-29 (Sept. 17, 2015) (Bitcoin as commodity)
• SEC, Framework for "Investment Contract" Analysis of Digital Assets, FinHub (Apr. 3, 2019)

---

Disclaimer

This article is provided for general informational and educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship. The regulatory landscape for digital assets changes rapidly; readers should consult qualified legal counsel before making compliance decisions. BizLegal-AI Intelligence Desk makes no representations regarding the completeness or accuracy of information as of any date after publication.