SEC Crypto Regulation on Enforcement, Rules, and Compliance
SEC crypto regulation is entering a more defined stage as U.S. regulators introduce clearer standards for how digital assets are classified, traded, and supervised. Financial institutions are now expected to strengthen governance, monitoring, recordkeeping, and risk management practices to align with evolving regulatory expectations across the crypto sector.
Key takeaways
-
SEC crypto regulation shifted toward formal rulemaking in 2025 after years of enforcement-led oversight.
-
A March 2026 SEC-CFTC interpretation groups digital assets into five categories and classifies 16 major cryptocurrencies, including Bitcoin and Ethereum, as digital commodities.
-
SEC enforcement continues to focus on fraud, misleading disclosures, custody issues, recordkeeping failures, and supervision gaps.
-
The March 2026 SEC-CFTC Memorandum of Understanding expands coordination through joint examinations and aligned rulemaking efforts, without creating new legal obligations.
-
Financial firms are expected to capture, retain, and supervise crypto-related communications across all channels, regardless of whether assets are treated as securities or commodities.
How digital assets are regulated
Classifying whether a digital asset is a security or a commodity determines which federal agency has primary oversight. This is the basis of crypto regulation.
Securities fall under SEC jurisdiction, carrying registration, disclosure, and reporting requirements. The SEC oversees digital assets that qualify as investment contracts, including tokens bought with the expectation of a third-party organization will increase the value.
The primary legal test for this determination is the Howey Test, derived from the Supreme Court’s 1946 decision in SEC v. W.J. Howey Co. As of March 2026, the SEC’s joint interpretation with the CFTC now provides a clearer framework than earlier staff guidance.
Commodities fall under CFTC jurisdiction, which applies a principles-based oversight model that focuses on derivatives and spot markets.
Following the March 2026 interpretation, the CFTC holds primary jurisdiction over 16 major cryptocurrencies classified as digital commodities, including Bitcoin, Ethereum, Solana, XRP, Cardano, Chainlink, Polkadot, Avalanche, Stellar, Hedera, Litecoin, Dogecoin, Shiba Inu, Tezos, Bitcoin Cash, and Aptos.
For many tokens, classification remains unresolved. The Joint Harmonization Initiative established by the March 2026 SEC-CFTC MOU is designed to reduce this uncertainty, though as a non-binding agreement, its impact will depend on both agencies’ follow-through.
The practical implication is clear. A broker-dealer trading assets classified as securities faces a different set of custody, reporting, and supervision obligations than one trading digital commodities.
Getting the classification wrong creates significant regulatory risk.
Take action
See how a modern archiving platform helps you capture and retain every communication across channels before gaps turn into compliance risk.
The March 2026 five-part token taxonomy
The SEC’s March 2026 joint interpretation with the CFTC established a five-part classification framework:
- Digital commodities
- Digital collectibles
- Digital tools
- Stablecoins
- Digital securities
Only digital securities (tokenized versions of traditional securities) remain subject to SEC registration and oversight.
The interpretation also clarified that protocol staking on proof-of-stake blockchains like Ethereum is an administrative network activity, not a securities transaction, provided rewards flow from the protocol rather than from a third party making forward-looking promises about returns.
For tokens not named in the interpretation, the framework applies on a facts-and-circumstances basis. Any non-security crypto asset can become subject to securities law if an issuer makes predictive promises about returns tied to its own efforts, triggering registration and disclosure obligations.
The SEC Crypto Task Force and formal rulemaking
In January 2025, Acting Chairman Mark Uyeda launched the SEC Crypto Task Force under Commissioner Hester Peirce. The Task Force worked closely with industry participants through public meetings, roundtables, and written submissions, producing staff statements on staking, no-action letters enabling tokenization pilots, and updated broker-dealer custody guidance.
In January 2026, Chairman Paul Atkins and CFTC Chairman Michael Selig announced that the effort would become a joint SEC-CFTC initiative, which led to establishing the five-part token taxonomy in March 2026.
While the interpretation carries Commission-level policy weight and supersedes prior staff statements, it is not a formal rulemaking. Courts are not bound by it, and it could be modified without the notice-and-comment process required for rules. If enacted, the CLARITY Act would codify the taxonomy into permanent law.
The SEC-CFTC Memorandum of Understanding
On March 11, 2026, the SEC and CFTC released a Memorandum of Understanding committing to harmonize oversight across their respective jurisdictions. This non-binding agreement does not supersede any applicable laws or regulations, and it does not create or change any legal obligations. Either agency may modify or terminate the agreement without formal rulemaking without formal rulemaking.
That said, the MOU signals important priorities.
- Increased SEC-CFTC coordination is a central priority of the March 2026 MOU.
- Joint Harmonization Initiative leadership includes Robert Teply (SEC) and Meghan Tente (CFTC).
- Coordinated exam planning, reduced duplicative enforcement, joint product interpretations, and tailored crypto regulatory frameworks are key agency objectives.
- Parallel enforcement investigations involving overlapping jurisdiction are expected to include coordination from the outset.
Firms should treat the MOU as a directional signal. Reviewing supervisory frameworks across both regulatory regimes and identifying inconsistencies is essential for preventing roadblocks during joint examinations.
Enforcement trends
The SEC dropped or dismissed most enforcement actions from the prior administration that were based on unregistered broker-dealer or exchange theories without fraud allegations. What remained was a focus on traditional anti-fraud enforcement.
- Fraud and market manipulation, including misappropriated investor funds and Ponzi schemes
- Misleading disclosures about digital asset activities or risk management practices
- Custody and safeguarding violations involving private key management and asset segregation
- Recordkeeping failures, particularly off-channel communications on texts, WhatsApp, and similar platforms
- Supervision failures at broker-dealers and investment firms lacking written procedures for digital asset activity
What compliance requires now
Financial firms engaged in digital asset activity face operational obligations under both SEC and CFTC regimes, as well as FINRA and applicable state regulators. The key areas examiners evaluate:
Custody
Firms holding digital assets on behalf of clients must implement safeguards appropriate to their registration type. Broker-dealers custodying digital asset securities must demonstrate physical possession or control under SEC Rule 15c3-3, including maintaining written policies and procedures to protect private keys from theft, loss, or unauthorized access.
The Division of Trading and Markets issued a December 2025 statement clarifying how broker-dealers can satisfy these requirements for crypto assets specifically.
CFTC-registered intermediaries must comply with customer funds segregation requirements under the Commodity Exchange Act. The pending CLARITY Act is expected to establish additional custody standards for digital commodity intermediaries. Registered investment advisers must ensure client assets are held by a qualified custodian; the SEC has clarified that state-chartered trust companies may serve in this capacity for crypto assets.
Across all entity types, client assets must be segregated, access controls must be robust, and custodial practices must be documented and regularly tested.
Books and records
SEC Rule 17a-4 requires broker-dealers to preserve records of business activities including customer communications, order tickets, and trade confirmations.
The CFTC imposes parallel obligations under Regulations 1.31 and 1.35. Both sets of requirements apply fully to digital asset activity. Every crypto-related trade, client interaction, and advisory recommendation must be documented and retained in a manner that allows the firm to produce records promptly for examination by either agency.
Supervision of communications
Both SEC and CFTC examiners expect firms to prove that crypto-related communications are supervised across every channel where those conversations happen: email, messaging platforms like Teams, Slack, and Bloomberg Chat, mobile messaging apps, collaboration tools, and social media.
The obligation extends to trading, marketing, advisory activity, and internal decision-making about digital asset strategies.
One notable difference between the regimes: the CFTC imposes explicit oral communications recording requirements under Regulation 1.35 for futures commission merchants and certain other registrants.
As more digital assets fall under CFTC jurisdiction following the March 2026 interpretation, voice capture will likely be a more prominent examination focus. The off-channel enforcement sweep that generated over $3.5 billion in combined penalties demonstrated that regulators will not accept channel gaps as a defense.
Effective supervision requires technology capable of capturing and reviewing communications in real time or near-real time, qualified supervisory personnel, documented exceptions and escalations, and testable audit trails.
Marketing and advertising
The SEC’s marketing rule, Rule 206(4)-1, applies to any advertisement promoting crypto-related investment services, including performance claims, testimonials, and endorsements.
FINRA Rule 2210, governs broker-dealer communications with the public and imposes principal pre-approval requirements for advertisements and sales literature related to securities.
The CFTC enforces parallel requirements under Regulation 4.41 for commodity trading advisors and pool operators, prohibiting misleading claims about past performance and requiring balanced presentation of risks.
Firms must ensure that crypto investment promotions, including influencer marketing, social media posts, podcast appearances, and video content, comply with the appropriate regime based on registration type and asset classification. Performance claims must follow applicable rules on net-of-fee returns and consistent time periods.
Suitability and best interest
Broker-dealers recommending crypto to retail customers must satisfy Regulation Best Interest and FINRA’s suitability rule, Rule 2111, evaluating risk, reward, and cost without placing the firm’s interests ahead of the customers.
Registered investment advisers must complete a thorough assessment of concentration, liquidity, and custody risk before recommending any crypto allocation to fulfill their fiduciary duty.
On the CFTC side, Commodity Trading Advisors face NFA suitability obligations when providing personalized trading recommendations.
Across all registration types, documentation of the analysis is essential for examination readiness, and written supervisory procedures should address the risk factors unique to digital assets, including rapid price declines, limited secondary market liquidity for certain tokens, and the operational risks associated with blockchain-based custody.
How obligations differ by firm type
Broker-dealers face the most immediate compliance demands: customer protection rules, net capital requirements, custody standards, and communications archiving obligations under both SEC and CFTC regimes.
Those trading both digital securities and digital commodities must maintain supervisory frameworks that address both. Registered investment advisers must document the rationale for crypto recommendations, capture and supervise client communications, and evaluate concentration and custody risks.
Banks offering digital asset exposure — whether through custody services, stablecoin issuance under the GENIUS Act, or partnerships with crypto exchanges — must navigate overlapping requirements from the SEC, CFTC, OCC, FDIC, and state banking regulators, with GENIUS Act implementation rules due by July 2026.
Crypto exchanges interacting with regulated entities must demonstrate that their operations meet the standards expected of regulated counterparties, including transaction reporting, trade surveillance, and the ability to produce records responsive to regulatory inquiries.
What to watch in 2026
The CLARITY Act passed the House in July 2025 with a 294-134 vote and is advancing through the Senate. If enacted, it would codify the SEC-CFTC token taxonomy into statute, grant the CFTC explicit authority over digital commodity spot markets, and establish registration standards for crypto brokerages and exchanges. Senate leadership has signaled a target of floor action before the August 2026 recess.
GENIUS Act implementation is underway. The first federal crypto legislation signed into law requires regulators to finalize implementation rules by July 2026. The OCC, FDIC, and Treasury Department have issued proposed rulemakings, and state regulators are assessing whether their frameworks meet the “substantially similar” standard for state-qualified stablecoin issuers.
SEC exemptive rulemaking may expand in the coming years. At the March 2026 DC Blockchain Summit, Chairman Atkins previewed possible startup and fundraising exemption proposals, though neither has been formally introduced or entered the notice-and-comment rulemaking process.
Global crypto regulation continues to evolve as the EU’s Markets in Crypto-Assets Regulation (MiCA) remains fully in effect. U.S. firms with international operations should monitor cross-border requirements and align compliance programs by jurisdiction.
SEC-CFTC coordination is expected to increase under the March 2026 MOU, with both agencies signaling interest in coordinated examinations, harmonized reporting standards, and joint approaches to cross-margining and event-based product classification. These remain policy goals and would still require formal rulemaking.
When your archiving strategy may fall short
Many agencies believe their current approach is sufficient, However, many archiving strategies are falling short when faced with requests to produce records quickly and discover gaps. These issues often remain hidden until pressure is highest.
There are clear signs that a current approach needs improvement.
- Reliance on email-only archiving
- Lack of mobile or social media capture
- Systems that cannot scale with demand
- Data silos across departments
The risk: Incomplete records can make retrieval difficult or impossible, especially under tight deadlines.
Frequently asked questions
SEC crypto regulation is the body of federal securities laws, interpretive guidance, and enforcement actions that govern how digital assets classified as securities are issued, traded, held, and supervised. Since March 2026, the SEC and CFTC have jointly defined a five-part classification framework that determines which agency oversees each type of digital asset.
No. As of March 2026, the SEC and CFTC jointly classified Ethereum as a digital commodity. Protocol staking on Ethereum is also classified as a non-securities activity under the interpretation.
The March 2026 MOU is a non-binding coordination agreement in which both agencies express their intent to pursue coordinated examinations, harmonized rulemaking, and reduced enforcement duplication. It does not create new legal obligations but signals examination priorities. Dually regulated firms should review supervisory frameworks across both regimes.
Share this post!
- SEC Crypto Regulation on Enforcement, Rules, and Compliance - May 27, 2026
- Cybersecurity vs. Cyber Compliance - May 19, 2026
- The Overlooked Risk of Voice in Financial Services - March 25, 2026
Smarsh Blog
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.
Subscribe to the Smarsh Blog Digest
Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.
Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing [email protected].
FOLLOW US