US Regulatory Framework for Cryptocurrency

U.S. cryptocurrency regulation remains fragmented across federal agencies and state jurisdictions, creating compliance complexity for digital asset businesses. The U.S. operates under a "regulatory patchwork" where the SEC, CFTC, FinCEN, state banking authorities, and money services regulators each exercise jurisdiction over different aspects of crypto activities.

This federalism stems from adapting pre-digital asset regulatory frameworks to new technologies. The SEC handles securities law, the CFTC oversees commodities and derivatives, FinCEN addresses AML/KYC, and states regulate money transmission. Understanding regulatory authority jurisdiction over specific activities is essential for compliance and avoiding violations.

The federal regulatory foundation for cryptocurrency consists of several key statutes and agencies. The Securities Act of 1933, Securities Exchange Act of 1934, and Investment Company Act of 1940 form the core securities regulatory framework. The Commodity Exchange Act (CEA) provides the CFTC with authority over commodity and derivatives trading. The Bank Secrecy Act (BSA), implemented through FinCEN, establishes AML/KYC requirements for financial institutions and money transmitters.

Additionally, the Dodd-Frank Act of 2010 expanded regulatory oversight of derivatives markets, including crypto derivatives. The Investment Advisers Act of 1940 regulates entities providing investment advice regarding cryptocurrencies and digital assets. Recent legislative efforts include the Digital Asset Broker-Dealer Act, the Framework for International Regulatory Standards in Crypto Assets Act, and the GENIUS Act, each addressing specific aspects of crypto regulation. Understanding the interaction between these statutes and agencies is critical for determining applicable compliance obligations.

Federal agencies have also issued substantial guidance documents and enforcement actions that establish regulatory positions. The FinCEN Notice from February 2019 clarified application of AML/KYC rules to crypto exchanges and custodians. The SEC's Framework for "Investment Contract" Analysis of Digital Assets (2019) provided guidance on determining whether tokens constitute securities under the Howey Test. The CFTC's jurisdictional determinations establish when crypto derivatives fall under its oversight.

The SEC's approach to cryptocurrency regulation centers on the question of whether particular crypto assets constitute "securities" under the federal securities laws. Using the Howey Test from SEC v. W.J. Howey Co., 328 U.S. 293 (1946), the SEC analyzes whether a crypto asset involves

• investment of money
• in a common enterprise
• with expectation of profits
• derived from efforts of others. If these elements are satisfied, the asset is a security requiring compliance with registration requirements or exemptions.

The SEC has taken enforcement actions against numerous cryptocurrency exchanges, platforms, and projects for offering unregistered securities. Notable cases include Securities and Exchange Commission v. Ripple Labs, Inc. (XRP class action litigation), enforcement actions against Coinbase regarding staking services, and investigations into Ethereum's classification. The SEC staff has provided guidance that certain tokens may constitute securities at issuance but cease to be securities after sufficient decentralization and secondary market development -a position disputed by crypto industry participants.

Implications for crypto businesses include registration requirements for exchanges trading in securities or security tokens, broker-dealer licensing, investment adviser registration for crypto fund managers, and compliance with Regulation D or other exemptions for token offerings. The SEC also exercises authority over crypto custody arrangements under the Custody Rule (17 CFR § 275.206(4)-2), requiring qualified custodians for crypto assets held by registered investment advisers.

The Commodity Futures Trading Commission regulates cryptocurrency when it qualifies as a "commodity" under the Commodity Exchange Act. The CFTC has regulatory authority over spot cryptocurrency markets through its fraud and manipulation authorities under the CEA Section 4c(b), and over derivatives markets including futures and options through its comprehensive derivatives regulatory framework. Bitcoin and Ethereum have been explicitly recognized as commodities by the CFTC.

CFTC jurisdiction extends to cryptocurrency derivatives trading platforms, requiring registration as either Designated Contract Markets (DCMs) for futures and options, or Swap Execution Facilities (SEFs) and Swap Data Repositories (SDRs) for swaps involving crypto assets. The CFTC Division of Market Oversight has issued guidance establishing enhanced compliance standards for crypto derivatives platforms, including position limit rules, circuit breakers, and comprehensive risk management requirements.

For regulated entities, compliance obligations include registration with the CFTC as appropriate, implementation of anti-fraud and anti-manipulation compliance programs, maintenance of audit trails, position reporting, and adherence to position limits for certain products. The CFTC has also asserted authority over spot cryptocurrency transactions that involve leverage, margin, or other financing, characterizing these as derivatives subject to CFTC regulation. Large traders and significant market participants must comply with large trader reporting requirements under CFTC Rule 15.03.

The Financial Crimes Enforcement Network, operating under the Treasury Department, exercises primary authority over anti-money laundering and sanctions compliance for cryptocurrency businesses. The FinCEN Notice "Application of FinCEN's Regulations to Certain Business Models Based on the Premises of Virtual Currency" establishes that cryptocurrency exchanges, wallet providers, and other entities engaging in money transmission activities must comply with the Bank Secrecy Act and register as Money Services Businesses.

MSB registration with FinCEN is mandatory for entities engaged in cryptocurrency exchange services, accepting deposits of virtual currency from customers, or providing custodial services. Registration is accomplished through the Regulatory Oversight System (ROS) and requires submission of Financial Institution Registration forms. State-level MSB registration is also required in jurisdictions maintaining separate registration requirements, and some states require federal MSB registration as a prerequisite for state licensure.

AML/KYC compliance obligations include Customer Identification Programs (CIP) requiring verification of customer identity, reporting of Suspicious Activity Reports (SARs) for transactions exceeding $5,000 with actual or suspected AML violations, Currency Transaction Reports (CTRs) for transactions exceeding $10,000 (though many crypto platforms choose to report all transactions), and maintenance of transaction records for at least five years. The OFAC sanctions compliance program requires screening against the Specially Designated Nationals (SDN) list and blocking of transactions involving designated persons or entities.

Individual state regulation of money transmission remains a critical compliance requirement for cryptocurrency businesses. Most states impose money transmitter licensing requirements on entities engaging in virtual currency exchange, custody, or transmission of value. The requirements, fees, application procedures, and ongoing compliance obligations vary substantially across states, creating significant complexity for national crypto platforms.

Key state regulatory considerations include: capital and net worth requirements (ranging from $100,000 to $2 million+ depending on jurisdiction), surety bonding requirements (typically 5-10% of required capital), application fees ($250 to $5,000+), annual renewal fees, background checks on applicants and beneficial owners, consumer protection and cybersecurity standards, and regular reporting requirements including transaction volume and customer data. States including New York (BitLicense framework), California, Texas, Florida, and others maintain particularly stringent requirements.

Failure to obtain required state licenses creates significant legal exposure including enforcement actions, cease-and-desist orders preventing business operations, civil penalties up to $1,000+ per violation per day, criminal penalties for certain violations, and restitution requirements. Many crypto platforms have chosen to restrict service to unlicensed states or exit certain state markets due to regulatory complexity. Compliance requires comprehensive state-by-state analysis and typically engagement of regulatory counsel in each jurisdiction where the business operates.

New York's BitLicense framework, established by the New York Department of Financial Services (NYDFS) under 23 NYCRR 200, represents the most comprehensive state-level cryptocurrency regulatory regime in the United States. The BitLicense applies to any entity engaging in virtual currency business activities in New York, including exchanges, custodians, wallet providers, payment processors, and merchants accepting virtual currency. NYDFS distinguishes between BitLicense requirements (full compliance) and Superintendent Regulatory Exemptions for limited activities.

BitLicense requirements include extensive capital and net worth standards ($5,000 minimum capital plus enhanced requirements based on business model), comprehensive cybersecurity standards (23 NYCRR 200.12) establishing security controls, encryption requirements, penetration testing, audit requirements, and incident reporting protocols. Additionally, applicants must maintain detailed policies addressing AML/KYC, sanctions compliance, consumer protection, and conflict of interest management. NYDFS exercises broad discretion to impose additional conditions based on risk assessment.

Other states have adopted varying approaches: Texas modified its money transmitter law to create "money services licenses" specifically applicable to crypto businesses with clarified requirements; California requires conditional money transmitter licenses for virtual currency exchanges; Florida created a specific virtual currency license under Florida's money services regulatory framework; Illinois allows virtual currency exchanges under traditional money transmitter licensing with clarified standards. The absence of federal preemption means crypto businesses must evaluate state-specific requirements to avoid unintentional violations in jurisdictions where they provide services.

Successful navigation of the US cryptocurrency regulatory landscape requires systematic analysis of applicable regulatory authorities based on specific business activities. The foundational analysis determines whether activities trigger securities laws (SEC jurisdiction), commodities laws (CFTC jurisdiction), money transmission requirements (FinCEN and state authorities), or other regulatory regimes including banking laws, insurance regulations, or commodities broker rules.

A practical compliance methodology includes:

• detailed mapping of all business activities and revenue-generating functions
• analysis of whether each activity triggers regulatory requirements from applicable agencies
• assessment of applicable rules and guidance from each regulator
• determination of required registrations and licenses
• implementation of compliance programs addressing specific regulatory requirements
• establishment of ongoing compliance monitoring and policy review procedures, and
• retention of qualified regulatory counsel for ongoing guidance as regulations evolve.

Particular attention should be paid to regulatory gray areas and novel business models not directly addressed in existing guidance. The SEC and CFTC have indicated willingness to provide no-action letters and regulatory relief in narrow circumstances, though obtaining such relief requires demonstrating compliance with fundamental protective objectives. Market participants should also monitor regulatory developments including congressional legislation, agency guidance updates, and enforcement trends that may shift compliance obligations or create new requirements.

The GENIUS Act (Global Economy and Unified Standards for Stablecoins Act), passed in 2024 and effective in 2025-2026, represents the first comprehensive federal framework directly addressing cryptocurrency stablecoin regulation. The Act establishes a federal stablecoin licensing regime administered by the Federal Reserve, Office of the Comptroller of the Currency, and FDIC, creating a new category of "stablecoin issuers" subject to specific authorization and operational requirements.

Key GENIUS Act provisions establish that stablecoin issuers must maintain 100% reserves of eligible assets (US dollars, US Treasury securities, or other highly liquid instruments), prohibit stablecoin use as leverage or collateral except for specifically authorized purposes, require compliance with the Act's disclosure and transparency requirements, and maintain comprehensive audit and attestation procedures confirming reserve adequacy. The Act also establishes a federal supremacy provision preempting most state regulations except for specific carve-outs preserving certain state authorities.

The Act's impact on existing crypto regulatory frameworks includes potential relief from SEC securities law requirements for certain stablecoins complying with GENIUS Act requirements, but maintained CFTC authority over stablecoin derivatives and spot trading platforms. FinCEN AML/KYC requirements remain applicable to stablecoin issuers and platforms facilitating stablecoin transactions. Crypto businesses involved in stablecoin activities must assess whether GENIUS Act compliance provides beneficial regulatory relief or creates additional compliance obligations relative to current regulatory status.