At a Glance

The SEC is generally restrictive but evolving. Crypto assets deemed securities must follow full registration and disclosure rules. Recent clarity has emerged:
  • Stablecoins now federally regulated under the GENIUS Act (Jul 2025).
  • Spot commodity-based ETPs (including crypto assets) can use generic listing standards (Sep 2025).
  • Protocol-level staking clarified as not always a securities transaction (May 2025, staff statement).
Key Regulatory Milestones:
  • GENIUS Act (federal stablecoin law): July 2025
  • Generic listing standards for commodity-based ETPs: September 2025
  • SEC Staff Statement on protocol staking: May 2025
These represent significant policy shifts. Verify current status before relying on these frameworks.
Region: United States
Scope:
  • Entities: Financial institutions, custodians, exchanges/ATS, asset managers, issuers
  • Activities: Issuance, custody, staking, stablecoins, exchange-traded products (ETPs)
Key Regulations:
  • SEC Framework for “Investment Contract” Analysis of Digital Assets (2019)
  • SEC approval of generic listing standards for commodity-based ETPs (2025-09)
  • SEC Staff Statement on Certain Protocol Staking Activities (2025-05)
  • GENIUS Act (2025) — US federal stablecoin law

Core Compliance Expectations

Registration / Licensing

Issuers, ATS/exchanges, broker-dealers, and investment advisers must register with the SEC or operate under exemption.

KYC/AML

Bank Secrecy Act (BSA) obligations via FinCEN; practically required for all institutional platforms.

Disclosure / Reporting

Prospectuses, periodic filings (10-K, 10-Q), public risk disclosures.

Custody Rules

Client assets must be segregated; use qualified custodians; SOC 2 / ISO 27001 audits expected.

Actionable Best Practices

Payments

Treat stablecoin issuers as regulated financial entities. Under the GENIUS Act, stablecoin issuers are subject to:
  • Federal prudential supervision
  • Capital and liquidity requirements
  • Reserve asset restrictions
  • Regular attestations and audits
GENIUS Act Compliance Requirements: Enterprises integrating stablecoins must:
  • Only support GENIUS-compliant issuers
  • Request proof of reserves and attestation reports
  • Verify capital and liquidity compliance
  • Monitor issuer regulatory status continuously
Using non-compliant stablecoins after the effective date may expose your organization to enforcement risk.
Build counterparty risk assessment processes. Before onboarding a new stablecoin:
  • Verify federal or state authorization
  • Review attestation reports (monthly or more frequent)
  • Assess reserve composition (cash, Treasury securities, etc.)
  • Monitor issuer credit ratings and prudential metrics
  • Establish ongoing monitoring cadence

Trading

Exchanges/ATS must register or operate under exemption. Key requirements:
  • Form ATS registration (if meeting volume thresholds)
  • Surveillance-sharing agreements for listed tokens
  • Market manipulation monitoring
  • Fair access policies
See Trading Patterns for:
  • Market surveillance architecture
  • Order book integrity controls
  • Manipulation detection algorithms
Run a Howey test for token listings. Before listing any token:
  1. Document Howey analysis (investment of money, common enterprise, expectation of profit, efforts of others)
  2. Consult qualified securities counsel
  3. Maintain written rationale for classification decision
  4. Implement delisting protocols for tokens that become securities
Listing Risk Management: Maintain delisting triggers for:
  • SEC enforcement action against token issuer
  • Adverse Howey determination
  • Material misrepresentation in disclosures
  • Insufficient liquidity or market manipulation evidence
  • Failure to meet ongoing disclosure obligations
Build internal market manipulation monitoring. SEC expects platforms to detect:
  • Wash trading
  • Spoofing and layering
  • Pump-and-dump schemes
  • Front-running
  • Coordinated trading
Maintain audit trails and reporting procedures for suspicious activity.

Funds & Assets

Use generic listing standards for ETPs where possible. The September 2025 approval enables:
  • Faster listing approval process
  • Commodity-based crypto asset ETPs (Bitcoin, Ethereum, etc.)
  • Standardized surveillance and liquidity criteria
Generic listing standards apply to commodity-based crypto assets. Securities tokens and other digital assets may require individual SEC approval. Consult the SEC’s current guidance before structuring products.
Prepare institution-grade disclosure packages. Investors expect:
  • Fee structures (management fees, transaction costs, custody fees)
  • Risk factors (volatility, custody, regulatory, technology)
  • Asset quality and sourcing
  • Custodian qualifications and insurance
  • Valuation methodology
Coordinate early with SEC staff. For novel products:
  • Engage in pre-filing consultations
  • Submit no-action letter requests where appropriate
  • Never launch products without proper registration or exemption

Custody

Maintain segregated client accounts. SEC custody rule proposals (and existing rules for RIAs) require:
  • Separate client accounts (on-chain addresses + books & records)
  • Independent audit trails
  • Qualified custodian standards
See Custody Patterns for:
  • On-chain segregation models
  • Reconciliation automation
  • Qualified custodian controls
Implement compensating transaction protocols. For error or fraud remediation:
  • Never rewrite blockchain history
  • Create compensating transactions with clear audit trail
  • Require dual approval for remediation transactions
  • Document root cause and remediation steps
Qualified Custodian Requirements: SEC expects custodians to demonstrate:
  • Professional indemnity insurance or bonding
  • Cold storage for majority of assets
  • Disaster recovery and business continuity plans
  • SOC 2 Type II or equivalent audit
  • Regular third-party security assessments
  • Incident response and notification procedures

Identity & Compliance

Onboard users with BSA/AML-compliant KYC. Requirements include:
  • Customer Identification Program (CIP)
  • Beneficial ownership verification (for entities)
  • Source of funds documentation (for high-risk customers)
  • Ongoing monitoring and suspicious activity reporting (SARs)
See Identity & Compliance Patterns for:
  • KYC lifecycle automation
  • SAR generation workflows
  • Risk-based CDD/EDD triggers
Maintain record-keeping systems aligned with Exchange Act. Retain:
  • Customer account records (6 years)
  • Transaction records (6 years)
  • Communications (3 years, searchable)
  • Compliance policies and procedures
Build compliance dashboards for regulators. Enable efficient audits by providing:
  • Real-time transaction monitoring views
  • Customer risk segmentation
  • SAR filing history
  • Training and certification records

Data & Oracles

Use regulated benchmarks where available. For price feeds influencing:
  • ETP NAV calculations
  • Customer account valuations
  • Collateral margining
Prefer regulated benchmark administrators or supervised entities.
See Data & Oracles Patterns for:
  • Oracle selection frameworks
  • Fallback mechanism design
  • Data quality monitoring
Document oracle governance. Key elements:
  • Who controls the oracle (centralized vs. decentralized)
  • Fallback mechanisms if primary source fails
  • Dispute resolution procedures
  • Data source diversity and correlation analysis
Be ready to provide transparency reports. If your data influences regulated products:
  • Maintain data lineage documentation
  • Log all oracle updates with timestamps
  • Prepare to explain methodology to SEC staff

Key Risks to Watch

Evolving Enforcement Priorities:
  1. Liquid staking - Still under scrutiny. SEC commissioners remain split on whether liquid staking tokens represent securities. Avoid launching liquid staking products without legal clarity.
  2. NFTs & DeFi - Not formally addressed by comprehensive rulemaking. Expect enforcement-driven policy development. NFT projects with royalties or profit-sharing may trigger securities analysis.
  3. Dual oversight - SEC vs. CFTC jurisdiction overlaps remain unresolved. Bitcoin and Ethereum are generally treated as commodities; most other tokens risk securities classification.

Enterprise Opportunities

Stablecoins: Federal law opens mainstream integration. The GENIUS Act provides:
  • Regulatory clarity for enterprise treasury operations
  • Predictable compliance framework for payment integrations
  • Bank-grade counterparties with prudential supervision
ETPs/ETFs: Generic listing standards accelerate approvals. Benefits:
  • Shorter time-to-market for commodity-based crypto products
  • Standardized surveillance requirements
  • Broader asset class coverage beyond Bitcoin
Staking: Clarity reduces validator risk. May 2025 staff statement suggests:
  • Protocol-level staking (running validators) generally not a securities offering
  • Staking-as-a-service and liquid staking remain grey areas
  • Direct institutional staking operations have a clearer path

Implementation Checklist

When implementing SEC-compliant operations:
  • Conduct Howey analysis for all listed tokens
  • Verify stablecoin issuers comply with GENIUS Act
  • Register as ATS/exchange or confirm exemption applicability
  • Implement BSA/AML program (CIP, CDD, EDD, SARs)
  • Establish qualified custodian controls
  • Deploy market manipulation surveillance
  • Build segregated client account architecture
  • Maintain record-keeping per Exchange Act requirements
  • Prepare ETP disclosure packages if launching products
  • Document oracle governance for price feeds
  • Establish SEC staff consultation procedures for novel products
  • Train compliance team on current SEC guidance
