SEC Clarifies Federal Securities Law Application to Crypto Assets

The SEC's Division of Corporation Finance issued Staff Bulletin No. 121 in March 2022, requiring custodians of crypto assets to record liabilities on their balance sheets — a move that rattled banks and crypto firms alike and was later overturned by Congress via the Congressional Review Act in May 2024. That episode crystallized a pattern: the SEC's approach to crypto has been iterative, contested, and consequential. With the agency's 2025 crypto task force actively publishing staff statements and the Ripple litigation producing a partial appellate ruling, the interpretive landscape has shifted enough that compliance teams need a fresh read.

TL;DR

• The Howey test remains the primary analytical framework for determining whether a crypto asset is a security, but the SEC's staff has issued new guidance narrowing how it applies to certain proof-of-work tokens and stablecoins.
• The SEC's Crypto Task Force, launched in January 2025 under Acting Chair Mark Uyeda, has published multiple staff statements signaling a less aggressive enforcement posture — but those statements are not binding law.
• Secondary market trading of tokens previously sold as securities does not automatically strip the security classification; the asset-level vs. transaction-level distinction matters enormously.
• Exchanges, broker-dealers, and custodians face distinct registration obligations depending on whether they handle "crypto asset securities" versus commodities or payment instruments.
• Enforcement risk hasn't disappeared — it's shifted toward unregistered offerings, fraud, and market manipulation rather than broad "everything is a security" theories.

What This Regulation Actually Requires

The Howey Test and Its Crypto Application

The foundational question — is this token a security? — still runs through SEC v. W.J. Howey Co., 328 U.S. 293 (1946). An investment contract exists when there is (1) an investment of money, (2) in a common enterprise, (3) with an expectation of profits, (4) derived from the efforts of others. The SEC has applied this four-part test to token sales since at least the 2017 DAO Report.

What's changed is the granularity of the analysis. The SEC's FinHub published a framework for analyzing digital assets in April 2019 that remains the most detailed staff-level guidance available. That framework introduced concepts like "active participant" reliance and "consumptive use" as factors that can push a token away from security status. The 2025 task force statements have built on this, explicitly acknowledging that a token can begin its life as a security and later cease to be one as a network decentralizes — a position the SEC resisted articulating clearly for years.

Proof-of-Work Tokens: Staff Statement on Bitcoin

In March 2025, the Division of Corporation Finance issued a staff statement concluding that mining and selling proof-of-work tokens like Bitcoin does not constitute an offer or sale of securities under the Securities Act of 1933. The statement is narrow: it applies to PoW tokens where no central issuer controls the protocol and miners receive tokens as compensation for computational work. It does not extend to PoS tokens, governance tokens, or tokens sold in pre-mine or ICO structures.

Practical implication: Bitcoin spot ETF issuers, miners, and OTC desks dealing exclusively in PoW tokens have clearer footing. Everyone else should not read this statement as a green light.

Stablecoins: The "Covered Stablecoin" Carve-Out

A separate staff statement from February 2025 addressed "covered stablecoins" — defined as fiat-backed, 1:1 redeemable instruments backed by low-risk liquid assets held in segregated reserves. The staff concluded these instruments, when structured correctly, are not securities. The key conditions: no yield, no governance rights, no profit-sharing, and full reserve backing with independent attestation.

Algorithmic stablecoins, yield-bearing stablecoins, and partially-backed instruments are explicitly excluded from this carve-out. The Terra/LUNA collapse in May 2022 and the subsequent SEC enforcement action against Terraform Labs (settled in June 2024 for $4.47 billion) remain the cautionary benchmark here.

The Ripple Ruling and Its Limits

SEC v. Ripple Labs, decided at the district court level in July 2023, produced a split outcome: XRP sold to institutional investors in direct contracts was a security; XRP sold on secondary markets to retail buyers was not. Judge Torres's reasoning — that retail buyers lacked the "reasonable expectation of profits from the efforts of others" because they didn't know they were buying from Ripple — was controversial and has not been universally adopted.

The Second Circuit's subsequent review has not fully resolved the circuit split. Compliance teams should treat Ripple as persuasive, not controlling, outside the Southern District of New York. The SEC's partial appeal and eventual settlement in 2024 means no binding appellate precedent emerged from that case.

Registration and Exemption Pathways

If a token is a security, the issuer must either register the offering under the Securities Act or qualify for an exemption. The most commonly used exemptions in crypto:

• Regulation D, Rule 506(b) or 506(c): Accredited investor sales, no general solicitation (506b) or general solicitation permitted with verification (506c). No dollar cap.
• Regulation A+: Up to $75 million in a 12-month period, available to non-reporting companies, requires SEC qualification of an offering circular.
• Regulation S: Offshore transactions to non-US persons, subject to specific conditions to prevent flowback.
• Regulation CF: Crowdfunding up to $5 million per year, requires use of a registered funding portal.

Secondary market trading of crypto asset securities requires the trading platform to register as a national securities exchange or operate as an ATS under Regulation ATS. The SEC's enforcement actions against Coinbase (filed June 2023) and Binance (filed June 2023) both centered on this requirement.

What This Means for Your Company

Token issuers need to run a fresh Howey analysis on every token in their ecosystem — not just at launch, but periodically as the network matures. A token that was a security at ICO may qualify for a different treatment once the network is sufficiently decentralized, but that determination requires documented legal analysis, not assumption.

Exchanges and trading platforms face the sharpest operational risk. Listing a crypto asset security without proper ATS or exchange registration exposes the platform to Section 5 liability under the Exchange Act. The SEC's 2023 enforcement wave demonstrated willingness to pursue platforms with millions of US users.

Custodians and prime brokers need to map their token inventory against the PoW statement and covered stablecoin guidance. Tokens that don't fit either carve-out require securities custody infrastructure — qualified custodian status, segregation requirements, and potentially special purpose broker-dealer registration.

DeFi protocols are not off the hook. The SEC's 2023 action against Uniswap Labs (Wells notice issued April 2024) signaled that front-end operators of decentralized protocols may face liability even when the underlying smart contracts are autonomous.

How to Operationalize

Step 1: Token Classification Audit Map every token your business touches. For each, document: issuance structure, whether a central issuer exists, degree of network decentralization, presence of profit expectations, and any yield or governance features. Use the FinHub 2019 framework as your checklist.

Step 2: Apply the Staff Statements Check each token against the PoW statement (March 2025) and covered stablecoin statement (February 2025). Document why a token does or doesn't qualify. These statements aren't binding, but they're the best available safe harbor signal.

Step 3: Assess Registration Status For tokens classified as securities, confirm whether the original offering was registered or exempt. Identify any ongoing reporting obligations. If the token was sold under Reg D, confirm that resale restrictions are being honored.

Step 4: Platform Registration Review If your platform facilitates trading of crypto asset securities, engage securities counsel on ATS registration or exchange registration requirements. Review the SEC's ATS-N filing requirements under Regulation ATS.

Step 5: Custody Infrastructure Confirm your custodial arrangements meet qualified custodian standards under the Investment Advisers Act if you're an RIA holding crypto asset securities for clients. The SEC's proposed custody rule amendments (2023) remain relevant even if not yet finalized.

Step 6: Ongoing Monitoring Assign someone to track SEC task force publications, no-action letters, and enforcement actions quarterly. The interpretive environment is moving fast enough that a classification made in 2023 may need revisiting in 2026.

Common Mistakes and How to Avoid Them

Treating staff statements as binding rules. Staff statements from the Division of Corporation Finance or FinHub are not rules, regulations, or formal guidance. They don't bind the Commission, courts, or other regulators. Build your compliance program on the actual statutory text and case law, using staff statements as supporting evidence.

Assuming decentralization is a binary switch. Many projects claim their token "became decentralized" at mainnet launch. The SEC looks at actual control: who controls protocol upgrades, who holds large token allocations, who funds development. Decentralization is a spectrum, and the burden of proof is on the issuer.

Ignoring state blue sky laws. Federal securities law preempts state registration for covered securities (Reg D, Reg A+, exchange-listed), but not for all offerings. Some token sales have triggered state enforcement actions independent of SEC activity. New York's BitLicense regime adds another layer entirely.

Conflating commodity and security classifications. The CFTC has concurrent jurisdiction over crypto commodities. Bitcoin and Ether have been treated as commodities in CFTC enforcement actions. But commodity status doesn't preclude security status in a specific transaction — the Howey analysis is transaction-specific, not asset-specific in all cases.

Failing to document the analysis. If the SEC comes knocking, your legal memo matters. Undocumented classification decisions look like willful blindness. Maintain written Howey analyses, update them when material facts change, and preserve them.

FAQ

Q: Does the SEC's 2025 task force guidance mean enforcement is over? A: No. The task force has signaled a preference for rulemaking over enforcement-by-litigation, but the SEC retains full enforcement authority. Fraud, unregistered securities offerings, and market manipulation remain active enforcement priorities. The shift is in tone and strategy, not in legal authority.

Q: Can a token that was sold as a security ever stop being a security? A: The SEC's current staff position acknowledges this is theoretically possible as a network decentralizes and the "efforts of others" prong of Howey weakens. But there's no formal safe harbor, no bright-line test, and no no-action letter process currently available for this determination. It requires a fact-intensive legal analysis and carries real risk.

Q: What's the difference between a crypto asset security and a crypto commodity? A: The distinction turns on the Howey test. If a token meets all four prongs, it's a security regulated by the SEC. If it doesn't — as the SEC staff has concluded for Bitcoin — it may be a commodity regulated by the CFTC under the Commodity Exchange Act. Some tokens may be neither (pure utility tokens, payment instruments). The classification isn't always clean, and both agencies have claimed jurisdiction over the same assets in different contexts.

Q: Do DeFi protocols need to register as exchanges? A: The SEC's position, reflected in the Uniswap Wells notice and the 2023 proposed amendments to the definition of "exchange," is that some DeFi protocols may meet the statutory definition of an exchange or broker-dealer. This remains contested legally. The practical answer: if your protocol facilitates trading of crypto asset securities and has identifiable operators, you face real registration risk.

Q: What should we do if we're unsure whether our token is a security? A: Get a written legal opinion from qualified securities counsel. Consider whether a no-action letter request to FinHub is feasible (the process is slow and not guaranteed, but it creates a record). Structure your token to minimize Howey risk where possible — avoid profit representations, minimize centralized control, and don't promise returns tied to your team's efforts.

---

Sources

• SEC Division of Corporation Finance, Framework for "Investment Contract" Analysis of Digital Assets, FinHub (April 2019)
• SEC Division of Corporation Finance, Staff Statement on Proof-of-Work Mining (March 2025)
• SEC Division of Corporation Finance, Staff Statement on Covered Stablecoins (February 2025)
• SEC v. W.J. Howey Co., 328 U.S. 293 (1946)
• SEC v. Ripple Labs, Inc., No. 20-cv-10832 (S.D.N.Y. July 2023)

---

Disclaimer

This article is produced by BizLegal-AI Intelligence Desk for informational purposes only. It does not constitute legal advice and does not create an attorney-client relationship. The regulatory environment described herein is subject to change; readers should verify current requirements with qualified legal counsel before taking action. BizLegal-AI makes no representations regarding the completeness or accuracy of information derived from third-party regulatory sources. Specific facts about your situation may materially affect the analysis. Always consult a licensed attorney for advice tailored to your circumstances.