Compliance Issues in Cryptocurrency

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

Nearly 15 years have passed since Satoshi Nakamoto introduced the first blockchain network and associated digital asset, Bitcoin. In that time, the blockchain industry has grown into a trillion-dollar ecosystem attracting the attention of consumers, investors, enterprises and governments around the world. Blockchain technology and the associated digital assets raise exciting prospects of new forms of economic development but also present a serious challenge to existing regulatory and compliance regimes. The high-profile collapses in 2022 of the stablecoin TerraUSD and the cryptocurrency exchange FTX, among others, have amplified calls to address these challenges. This chapter provides an overview of those challenges and the current regulatory landscape, primarily in the United States but also in a number of jurisdictions.[2]

Regulatory challenges of digital assets

Digital assets present unique regulatory challenges for a number of reasons. Many of those challenges stem from the core innovation of blockchain: to enable peer-to-peer transfer of value with less need for trusted intermediaries. First, unlike many other technological innovations, blockchain networks disrupt highly regulated financial markets. Second, the core disruption is to reduce the need for intermediaries, but many existing regulatory frameworks are built around regulating those intermediaries. Third, blockchain technology enables myriad new forms of assets that do not fit neatly within the categories of financial instruments addressed by existing regulations, even though they may trade in markets resembling conventional financial markets. Fourth, the technology and resulting markets are global, therefore requiring some measure of coordination and limiting the efficacy of efforts to regulate in any one jurisdiction.

As a result, the extensive global infrastructure of financial regulation is confronting fundamental questions of what existing regulations apply and to whom, and how to enforce them, in a rapidly evolving blockchain ecosystem that continues to adapt and raise new questions faster than the law can evolve to provide answers.

Broadly, there are two primary approaches taken by governments, in varying combinations: (1) seek to fit digital assets into existing regulatory and compliance regimes (the approach primarily relied on at the federal level in the United States to date); and (2) create new laws or amend existing laws specifically to address digital assets (as is evident in jurisdictions such as the European Union, Switzerland and Dubai, and certain states in the United States such as New York).

This chapter offers a high-level overview of the relevant laws in selected jurisdictions that will be relevant for compliance concerns. Although approaches differ, a few recurring themes emerge. First, most jurisdictions recognise that digital assets are, at times, used as an investment vehicle and, therefore, may implicate the laws and regulations governing securities markets, largely with an investor protection objective. Second, governments recognise that digital assets could be used as a tool for money laundering, sanctions avoidance or other illicit transactions and, therefore, seek to apply know-your-client or anti-money laundering (AML) regulations (or both), either by fitting certain digital asset transactions within existing laws or by crafting new laws to make these obligations explicit for digital assets.

Current regulatory landscape for digital assets

United States

There are a number of US regulators with overlapping authority over digital assets at both the federal and state levels. Unlike other jurisdictions, there is no overarching digital asset regulatory regime to which a participant can look for compliance obligations; instead, businesses must consider distinct areas of US federal law that may be relevant to any given digital asset activity. Businesses must also consider whether state law may be relevant, especially if they will offer services or conduct activity in New York, where the state’s Department of Financial Services requires a licence for ‘virtual currency business activity’.[3]

Although it is not an exhaustive list, prominent areas of regulatory and compliance obligations include federal and state securities and commodities laws, and federal and state banking laws governing money services businesses. Furthermore, a presidential Executive Order on digital assets issued by the Biden administration called on the Consumer Financial Protection Bureau, the Federal Trade Commission and other agencies to attend inter-agency meetings on digital asset regulatory questions, each of which has its own regulatory ambit that may be implicated by certain digital asset activities.[4]

US regulators also acknowledge international standards. For example, on 7 July 2022, the Secretary of the Treasury, in coordination with the heads of other relevant agencies, delivered to President Biden a framework for international engagement on digital assets, which emphasises active engagement with international partners through standard-setting bodies such as the Financial Stability Board and the Financial Action Task Force.[5]

Members of the US Congress have introduced proposals to address digital assets, with a primary focus to clarify the applicability of existing financial regulation frameworks to digital assets. In 2022, the failures of prominent digital asset companies provided a backdrop to increasing politicisation of digital asset regulation in the United States. For example, Republican members of Congress recently issued a letter to the Securities and Exchange Commission (SEC) chair Gary Gensler accusing the regulator of ‘forc[ing] digital asset market participants’ into an inapplicable securities framework and, therefore, ‘hamper[ing] the digital asset ecosystem’s ability to realize the unique benefits the new technology offers,’[6] whereas Democratic senator Elizabeth Warren proclaimed on social media that she is ‘[b]uilding an Anti-crypto Army.’[7]

SEC and the Securities Laws

The securities laws of the United States are enforced primarily by the SEC. Anyone engaged in digital asset transactions must be mindful of whether the digital asset activity in question amounts to an offer or sale of securities, or whether the digital asset itself is a ‘security’ under the securities laws. If so, then a host of registration and reporting requirements under the securities laws may come into play,[8] and an entity must further enquire whether it meets the definition of an ‘issuer’, an ‘exchange’, a ‘broker’ or a ‘dealer’.

The SEC’s focus on digital assets continues to grow. On 3 May 2022, it announced that it was nearly doubling the size of its Crypto Assets and Cyber Unit,[9] with a continuing focus on investor protection as reflected in a statement from the SEC’s director of enforcement, who commented: ‘Crypto markets have exploded in recent years, with retail investors bearing the brunt of abuses in this space’.

‘Securities’ under US federal law

The Securities Act of 1933 and the Securities Exchange Act of 1934 list a number of enumerated categories of instruments that fall within the definition of a ‘security’, including stocks, bonds, debentures, notes, investment contracts and many others.[10] The category ‘investment contract’ functions as a catch-all for numerous investment transactions or schemes not otherwise captured in the statutory definitions, and it is the category into which the SEC places many digital asset transactions.

The seminal test for what constitutes an investment contract was set forth in the Supreme Court case, SEC v. Howey. As the Court stated and the SEC maintains today, the term ‘investment contract’, as used to define a security, ‘embodies a flexible rather than static principle, . . . capable of adaptation to . . . countless and variable schemes’.[11] Howey creates a four-part test that the SEC has used to determine whether a digital asset offering is a securities offering. Although there are slightly different articulations of the test, for a transaction or scheme to constitute a securities offering, it must generally involve (1) an investment of money (2) in a common enterprise (3) with a reasonable expectation of profits, (4) derived from the effort of others.

Although, to date, the SEC has not issued any rule-making or definitive guidance on the application of securities laws to digital assets, the Howey test has guided the SEC’s thinking as its position on digital assets has evolved across a series of reports, enforcement actions and public speeches.[12] In 2019, the SEC released a ‘Framework for “Investment Contract” Analysis of Digital Assets’,[13] which spelled out how the agency’s staff are likely to approach digital assets under Howey, though it is careful to state that it is not a binding standard.

An additional area in which the application of US securities laws to digital assets continues to evolve is in the distinction between a ‘securities offering’ and a ‘security’, which may have substantial impact on the SEC’s authority to regulate trading platforms and other participants in the secondary market for crypto assets. Although the SEC maintains the position that initial coin offerings (ICOs) are securities offerings, it is a separate question whether the digital assets themselves are securities and must be regulated as such. For example, selling a token (or any other asset) in a fundraising scheme may constitute a securities offering, but the token itself may not be a security and subsequent transactions may not constitute securities transactions if the token carries no rights or legal relationship to any ‘issuer’. This particular question is likely to be the focus of recent suits brought by the SEC against numerous trading platforms.

Where compliance currently stands under US securities laws

To date, SEC officials have stated that the agency does not consider Bitcoin to be a security, and ETH may not be a security.[14] However, the SEC has viewed most ICOs as securities offerings; therefore, any activity that involves issuance and distribution of a new digital asset may constitute a securities offering under US law and trigger a variety of compliance obligations.

Compliance obligations fall on multiple sets of constituents under US securities law. In an offering such as an ICO, the offeror will be an issuer. An issuer includes ‘every person who issues or proposes to issue any security’.[15] An entity engaging in issuing a new digital asset that has the essential characteristics of an investment will likely be considered by the SEC to be an issuer subject to the full registration requirements as applicable to any other issuer of securities.

Separate from issuance, any business that effects digital asset transactions on behalf of others, or that engages in a business of buying and selling digital assets, should consider whether the requirements for exchanges, brokers or dealers, and clearing agents may apply. ‘Brokers’ are those who effect securities transactions ‘for the account of others’. A ‘dealer’ is any person buying or selling securities for that person’s own account, but there is a ‘trader exception’ when the buying or selling is ‘not part of a regular business’. In the first half of 2023, the SEC brought suits against three prominent trading platforms alleging that each of them violated the securities laws by operating as unlicensed exchanges, brokerages, and clearing agents.[16]

Beyond token sales and exchanges, the SEC has taken a more aggressive approach towards companies engaged in cryptocurrency lending or that offer accounts earning interest or similar rewards on token balances. In February 2022, it announced a settled enforcement against BlockFi, in which it found that BlockFi’s cryptocurrency-based interest accounts were unregistered securities offerings and that BlockFi operated as an unregistered investment company. BlockFi paid a total US$100 million in penalties to the SEC and state-level securities enforcers and embarked on a process to register its interest accounts with the SEC as securities.[17] Since then, the SEC has charged other service providers for cryptocurrency lending, again under the theory that their activities amounted to an unregistered securities offering.[18]

In addition, each of the 50 states has its own securities laws. Compliance with state securities laws is often accomplished by registering with the SEC, but where a product or business is not registered with the SEC, it may be subject to registration requirements in one or more states.

Commodities Futures Trading Commission and the Commodity Exchange Act

Although the SEC may view some digital assets as securities, many are also likely be commodities according to the Commodities Futures Trading Commission (CFTC), the agency that enforces the Commodity Exchange Act (as passed in 1936 and subsequently amended (CEA)). Furthermore, just because one digital asset is part of a securities transaction does not necessarily mean that it cannot also be a commodity, thereby creating the potential for overlapping regulation.

The CFTC does not have general regulatory jurisdiction over the ‘spot’ market in digital assets; rather, it regulates futures and other derivatives of commodities and the marketplaces or exchanges on which commodities trade. It also asserts jurisdiction over fraud within the spot market for commodities in which futures are traded.

Those engaged in any type of activity concerning swaps, futures or other derivatives of digital assets are likely to fall under the regulatory authority of the CFTC, which pursues enforcement against organisations that fail to register as swap execution facilities or future commission merchants.[19] Likewise, if an organisation is a commodity trading adviser or commodity pool operator, the CFTC requires registration, record-keeping and disclosure.

Beyond the regulatory requirements of certain business models under the CEA, organisations and individuals must comply with the CEA’s anti-fraud and anti-manipulation mandates, which are wide in scope. For example, the CFTC pursues enforcement action against a variety of potentially deceptive trading practices, such as ‘spoofing’, in which market participants place orders they do not intend to complete, and manipulation of commodity or foreign-currency benchmark prices.[20]

In late 2022, a CFTC action against Ooki DAO, which the CFTC alleged operated as an unregistered exchange,[21] raised novel issues about regulators’ ability to pursue enforcement against decentralised actors in the digital assets space. The CFTC sued Ooki DAO as an entity, despite the fact that it is a decentralized autonomous organisation (DAO), and the court held that the case could proceed on the theory that the DAO was an unincorporated association comprising those who held governance tokens.[22] The case illustrates how US regulators implement novel approaches to existing frameworks to respond to the fluid circumstances of these still-emerging technologies.

US Treasury Department and money services businesses requirements under the Bank Secrecy Act

The Financial Crimes Enforcement Network (FinCEN), an enforcement body under the US Treasury Department (USDT), has established regulation and compliance requirements for companies that move money as a business, such as currency dealers or cheque cashers. Money services businesses and money transmitters must register with FinCEN, and those businesses must ensure compliance with the AML regulations under the Bank Secrecy Act of 1970 (BSA). The money laundering risks of cryptocurrency are a high priority for the USDT and is likely to be an area of increased scrutiny and growing regulation. In April 2023, the USDT issued a report concluding that decentralised finance (DeFi) is presently creating opportunities for illegal conduct and reminding DeFi service providers that BSA obligations apply equally to them.[23]

FinCEN has released specific guidance stating that the money transmitter regulations apply equally to the national currencies of sovereign states and to crypto­currencies.[24] Guidance issued in 2019[25] analysed various virtual currency business models and concluded that many of them would qualify as money transmitters and, therefore, fall under the registration and other requirements. Cryptocurrency businesses that transmit value between persons or entities are likely to be subject to FinCEN regulation. Additionally, most states have their own registration requirements for money transmitters, therefore requiring money services businesses to register in each state in which they do business (with some exceptions).

Digital asset business must additionally consider whether their operations may implicate sanctions. The Office of Foreign Assets Control (OFAC), another unit of the USDT, is responsible for enforcing trade and economic sanctions. In 2022, OFAC became active in digital asset regulation by sanctioning anonymity tools (known as virtual currency mixers) Tornado Cash and Blender as the means by which North Korean actors engaged in money laundering.[26] Court challenges to the Tornado Cash sanctions are ongoing, with plaintiffs arguing that Tornado Cash as a mere software tool is not the type of person or entity on which sanctions can be levied.[27]

In light of these recent OFAC actions, service providers should consider whether any anonymity features of their products implicate not only BSA regulation but also sanctions.

New York’s virtual currency business activity licence (BitLicense)

A handful of states have introduced cryptocurrency-specific legislation, including Wyoming, which has exempted cryptocurrency from money transmitter regulation and property tax. The most restrictive state in the digital asset regulator space is New York.

Organisations that operate in New York are required to maintain a licence, known colloquially as a ‘BitLicense’, if they engage in ‘virtual currency business activity’. This includes receiving or transmitting virtual currency, holding custody of virtual currency on behalf of others, buying and selling virtual currency as a customer business, performing exchange services as a customer business, or administering or issuing virtual currency.[28] In essence, New York creates an ex ante licensing requirement before cryptocurrency-based business activities can be undertaken.

Although this is the same approach as taken in some other jurisdictions, such as Dubai and, more recently, the European Union, it is a notable departure from the prevailing regulatory norm in the United States, in which regulatory agencies exercise discretion to engage in ex post enforcement activities rather than creating up-front requirements to enter the market.

European Union

Although under debate since 2020, on 16 May 2023, the Council of the European Union formally adopted Markets in Crypto-assets Regulation (MiCA).[29] MiCA creates a distinct and wide-ranging regulatory regime for digital assets within the European Union. Previously, digital currencies were outside the scope of EU legislation.[30]

Unlike the British approach, MiCA creates a new set of regulatory categories specific to digital assets and digital asset service providers. Broadly speaking, it introduces disclosure requirements for new issuances of digital assets reminiscent of traditional securities regulation, and it creates a harmonised EU-wide licensing regime for service providers. It also introduces stringent requirements for stablecoins, which are digital assets structured to be pegged to national currencies.

Companies contemplating any digital asset activity in the European Union must now assess MiCA’s compliance obligations, which apply to any person or entity ‘engaged in the issuance, offer to the public and admission to trading of cryptoassets or that provide services related to cryptoassets in the [European] Union.’[31] MiCA defines ‘cryptoassets’ broadly as any ‘digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology.’[32] There are 10 enumerated categories of regulated ‘crypto-asset services’ under MiCA, including custody, exchange, trading, advisory and portfolio management services.[33] MiCA was published in the Official Journal of the European Union on 9 June 2023, which means that new rules on stablecoins will go into effect in June 2024, and the remainder of MiCA will go into effect in December 2024.

Cryptoassets are divided into three categories under MiCA: electronic money tokens (EMTs), asset-referenced tokens (ARTs) and a residual category of all other cryptoassets. EMTs are stablecoins, which MiCA defines as ‘a type of crypto-asset that purports to maintain a stable value by referencing the value of one official currency.’[34] ARTs are conceptually similar, but pegged to a basket of currencies or assets rather than one national currency.[35] Finally, all other cryptoassets – such as the familiar cryptocurrencies such as Bitcoin – fall into the third category.[36] Notably, MiCA explicitly excludes non-fungible tokens or any ‘crypto-assets that are unique and not fungible with other crypto-assets’ from its purview.[37]

MiCA introduces disclosure requirements through White Papers for issuers of cryptoassets, a disclosure regime reminiscent of prospectus requirements in securities regulation, but adapted to the distinct features of digital assets. For example, a MiCA White Paper must disclose not only material typical of securities, such as ‘information about the offeror’ and ‘information on the risks,’ but also ‘information on the underlying technology’ and ‘information on the rights and obligations attached to the crypto-asset’.[38] In its emphasis on stablecoins, MiCA also reflects the concerns of traditional banking regulation by, for example, requiring reserves of assets and addressing liquidity risks.[39] It likewise adds AML requirements typical of emerging digital asset regulation as well as traditional financial regulation.

Under MiCA, cryptoasset service providers (CASPs) must obtain ex ante authorisation before providing digital asset services;[40] however, MiCA streamlines compliance for service providers in the European Union because it assures EU-wide authorisation once the service provider registers in its home EU State.[41]

United Kingdom

The primary regulator of note in the United Kingdom is the Financial Conduct Authority (FCA), which regulates financial services firms and the British financial markets. The FCA divides digital assets into regulated tokens and unregulated tokens.[42] The two types of regulated tokens are security tokens, which provide the functional equivalent of equity or debt rights, and e-money tokens, which fall under the Electronic Money Regulations 2011 but do not include cryptocurrencies such as Bitcoin, which are sometimes referred to in UK guidance as ‘exchange tokens’.[43]

Exchange tokens are currently considered to be unregulated by the FCA. As of January 2020, however, they are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017;[44] therefore, despite the lack of specific regulatory classification for many of the most common digital assets, compliance with AML rules means that businesses providing exchange, transfer or custodian services must register with the FCA – a process that requires disclosure of business plans, internal systems and controls, AML risk assessment and other information.[45]

With MiCA as a comparative backdrop, British regulation of digital assets may expand in 2023 and 2024. On 1 February 2023, the government announced a consultation period to ‘set out ambitious plans to robustly regulate cryptoasset activities’.[46] On 5 June 2023, a group of UK lawmakers in the Crypto and Digital Assets All Party Parliamentary Group issued a report calling for development of clear regulatory frameworks within the next 12 to 18 months and for appointment of a ‘Crypto Tsar’ to coordinate efforts among government agencies.[47] The report emphasises, however, that digital asset regulation is best accomplished within existing frameworks as much as possible.[48] Businesses contemplating digital asset activity in the United Kingdom should stay attuned to these developments.


Switzerland has taken specific steps to hold itself out as a hospitable regulatory environment for cryptocurrency and digital assets. Unlike the United States and the United Kingdom, the Swiss approach foreshadowed MiCA by delineating specific new regulatory categories for digital assets. Switzerland has presented itself as a hub for crypto innovation, and it has succeeded in making itself an important centre for ICOs.

Although the Swiss Financial Market Supervisory Authority (FINMA) takes the general approach that the same financial markets laws apply regardless of whether new technology underlies transactions, FINMA also issued its 2018 ‘ICO Guidelines’, which create specific regulatory categories into which traditional cryptocurrencies, such as Bitcoin and other digital tokens, will fall.

The ICO guidelines recognise three types of tokens, though it emphasises that hybrids are possible, and, in the case of an ICO, a fact-specific, case-by-case inquiry may still be required to determine where a given token falls. The three enumerated categories are:

  • payment tokens, which are synonymous with cryptocurrencies;
  • utility tokens, which provide access to a digital application or service; and
  • asset tokens, which represent rights in traditional assets and are analogous to equities, debt instruments, or derivatives.[49]

FINMA has indicated that participants in the Swiss digital asset space should prioritise their attention on Switzerland’s securities regulations and AML laws. Payment tokens require compliance with the Swiss AML Act but not Swiss securities laws. Conversely, asset tokens are regulated as full securities under Swiss law, including with a full prospectus requirement. Utility tokens are a more complex category. If a utility token at the time of its issuance solely confers digital access to some application or service, then it is not regulated as a security. But if a utility token has even a partial function as an investment, then FINMA treats it just like an asset token (i.e., as a security).

Recent action by FINMA indicates a growing concern with the money-laundering risks of payment tokens. As of 1 January 2023, an updated version of the AML Act and corresponding ordinance requires financial intermediaries to identify within 30 days the beneficial owners in transactions involving the transfer of cryptocurrency valued at over 1,000 Swiss francs. Public comments had pushed to raise the threshold, but FINMA stated it ‘stands by’ its decision to keep the threshold at 1,000 francs.[50]

Separately, in August 2021, Switzerland implemented its Distributed Ledger Technology Act (the DLT Act), which formally recognises and creates a framework for rights to securities to be recorded on a blockchain ledger rather than traditional registration and certification processes. The DLT Act recognises blockchain-based digital assets as their own category and regulatory target with their own compliance needs that may overlap with, but also be distinct from, traditional financial regulations, such as those covering securities.


Like Switzerland, Singapore has promoted itself as a crypto-friendly environment. It has been a successful hub of digital asset activity, unlike many of its Asian neighbours (such as China, Indonesia and Thailand), which have at times restricted cryptocurrency trading or banned it outright.

Singapore has taken the general approach that cryptocurrency businesses want to be regulated because they prefer to know what the rules are rather than to face uncertainties. To that end, cryptocurrency businesses operating in Singapore have long been regulated by the Monetary Authority of Singapore (MAS), and the Payment Services Act created a licensing regime for crypto activity.[51]

Until recently, Singapore’s approach was to regulate more lightly cryptocurrency operators based in Singapore but who direct their services solely outside Singapore. In this way, Singaporean authorities aimed to adopt a ‘consumer protection’ approach for their own citizens, while offering their city state as a hub for innovations aimed at the citizens of other countries. However, this has changed. On 5 April 2022, Singapore passed the Financial Services and Markets Bill,[52] under which digital asset providers based in Singapore but conducting business in other countries must now abide by Singaporean AML and anti-terrorism financing laws.[53] It also introduces a licensing regime for Singaporean digital asset service providers in compliance with Financial Action Task Force standards adopted in 2019 requiring licensing or registration in the jurisdiction where digital assets are created.[54]

In an August 2022 speech, the managing director of MAS summarised Singapore’s current stance as ‘yes to digital asset innovation, no to cryptocurrency speculation’.[55] MAS continues to weigh whether new regulation may be proper, reiterating the point that digital assets are a powerful technology, but cryptocurrency speculation threatens consumer harm.[56] Meanwhile, MAS continues to reiterate its position that cryptocurrency services should not be targeted at the general public of Singapore itself.[57]

The current status of Singapore’s digital asset regulatory approach has established an extraterritorial reach outside Singapore at the same time that activity within Singapore is being curtailed. The effect of Singapore’s increasing regulation remains to be seen.


In March 2022, the emirate approved the Dubai Virtual Asset Regulation Law, which establishes the Dubai Virtual Assets Regulatory Authority (VARA), a first-of-its-kind regulator dedicated to digital assets. The Law requires an ex ante licence from VARA before a person may engage in any business activity relating to digital assets, including exchanging digital assets for national currency, exchanging digital assets for other digital assets, operating a digital asset platform, or otherwise offering exchange, transfer, custody or portfolio services for digital assets.[58]

VARA released the implementing regulation for the Law on 7 February 2023: the Virtual Assets and Related Activities Regulations 2023 (the VARA Regulations). The VARA Regulations are notable in that they focus more on delineating categories of activities rather than categories of assets. They reiterate that Dubai requires ex ante a licence to engage in seven types of virtual-asset activity: advisory services, broker-dealer services, custody services, exchange services, lending and borrowing services, payments and remittances services, and management and investment services. They offer examples of different types of activities that may fall in each category.[59]

The VARA Regulations promulgate four Compulsory Rulebooks that are mandatory on all registrants covering company practices (the Company Rulebook), internal compliance controls (the Compliance and Risk Management Rulebook), technology infrastructure (the Technology and Information Rulebook), and market conduct (the Market Conduct Rulebook). Additionally, each of the seven enumerated types of virtual-asset activities have their own rule books, and there is a special rule book for new token issuances.

The VARA Regulations and the corresponding rule books cover the same substantive areas of compliance concern as other regulatory regimes, but they also outline how registrants must meet their obligations. For example, the VARA Regulations emphasise AML, but the Compliance and Risk Management Rulebook further specifies that registrants must appoint a specific ‘money laundering reporting officer’ to oversee compliance in this area.[60] The rule books delve into the details of registrants’ operations. For example, a registrant must ‘maintain a company structure with a clear chain of ownership’ such that the VARA can determine its beneficial owners, and if a company elects ‘organisational forms with decentralised governance’, then it must state its reason for doing so and provide the VARA with information about the structure and any related entities.[61] The VARA Regulations also include specific definitions of and prohibitions against insider trading and market manipulation.[62]


Digital asset businesses operate in a regulatory environment that is uncertain and constantly evolving. In most jurisdictions, compliance will focus on securities, commodities and banking laws. Given the rapid evolution of technology and the law, and the likelihood of multiple overlapping compliance regimes, it is crucial to stay abreast of the regulatory developments and frequently re-evaluate compliance policies and procedures.


[1] Kayvan B Sadeghi is a partner and Lawrence W McMahon is an associate at Jenner & Block LLP.

[2] The European Union, the United Kingdom, Switzerland, Singapore and Dubai.

[3] 23 NYCRR § 200.

[4] Executive Order No. 14067 on Ensuring Responsible Development of Digital Assets, 9 March 2022.

[5] US Department of the Treasury (USDT), Press Release, ‘Fact Sheet: Framework for International Engagement on Digital Assets’, (accessed 14 August 2023).

[6] Letter, Rep. Patrick McHenry et al. to Gary Gensler, 18 April 2023, (accessed 14 August 2023).

[7] Elizabeth Warren (@ewarren), ‘I’m in this fight to put our government on the side of working families. . .’, Twitter, 29 March 2023, 1:02 PM, (accessed 14 August 2023).

[8] For example, an issuer of securities to the public generally must register those securities with the US Securities and Exchange Commission (SEC) and disclose detailed information about the financials, structure and management of their underlying business (15 U.S.C. § 78l). After registration, issuers are also subject to ongoing annual, quarterly and other reporting requirements (15 U.S.C. § 78m).

[9] SEC, Press Release, ‘SEC Nearly Doubles Size of Enforcement’s Crypto Assets and Cyber Unit’, (accessed 14 August 2023).

[10] 15 U.S.C. § 77b(a)(1).

[11] SEC v. Howey, 328 U.S. 293, 299 (1946).

[12] The SEC’s first substantial action relating to cryptocurrencies was its July 2017 ‘Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO’ (SEC, Release No. 81207, 25 July 2017,, in which the SEC staff made clear that they viewed the sale of decentralized autonomous organisation (DAO) tokens as a securities offering. In June 2018, the director of the SEC’s Division of Corporations gave prepared remarks at a cryptocurrency summit, which was interpreted as conveying the SEC’s staff’s position at the time (SEC, Speech by William Hinman, ‘Digital Asset Transactions: When Howey Met Gary (Plastic)’, 14 June 2018, (Hinman Speech)). The SEC also has brought dozens of enforcement actions, a list of which is maintained at (web pages accessed 14 August 2023).

[13] SEC, ‘Framework for “Investment Contract” Analysis of Digital Assets’, updated 8 March 2023, (accessed 14 August 2023).

[14] On 19 April 2023, Chair Gensler expressly refused to state whether ETH was a security when pressed to answer by Representative Patrick McHenry in the course of his testimony before the House Financial Services Committee (FSC). See FSC, Press Release, ‘Committee Republicans Grill SEC Chair Gensler Regarding His Disastrous Agenda’, Chair Gensler’s refusal to answer was a stark contrast to the position previously taken by SEC staff, opining that offers and sales of Ether were not securities transactions. See William Hinman, Director, SEC Division of Corporate Finance, ‘Digital Asset Transactions: When Howey Met Gary (Plastic)’, Remarks at the Yahoo Finance All Markets Summit: Crypto, 14 June 2018, (explaining that, in Hinman’s view, ‘current offers and sales of Ether are not securities transactions’ as is also the case with Bitcoin). See, however, André Beganski, ‘SEC Chair Gensler Again Says Bitcoin Is Not a Security. What About Ethereum?’, Decrypt, 27 June 2022, (quoting and linking to a video of an interview on 27 June 2022 with SEC Chair Gary Gensler, in which he identifies Bitcoin as a commodity but makes clear that Bitcoin is the ‘only one’ for which he is willing to make that statement) (web pages accessed 14 August 2023).

[15] 15 U.S.C. § 77b(a)(4).

[16] Complaint, SEC v. Bittrex, Inc., No. 23 Civ. 580 (W.D. Wash. Apr. 17, 2023); Complaint, SEC v. Binance Holdings Ltd., No. 1:23-cv-01599 (D.D.C. June 5, 2023); Complaint, SEC v. Coinbase, Inc., No. 23 Civ. 4738 (S.D.N.Y. June 6, 2023); see also SEC, Press Release, ‘SEC Charges Crypto Asset Trading Platform Bittrex and its Former CEO for Operating an Unregistered Exchange, Broker, and Clearing Agency’, 17 April 2023, (Bittrex action press release); SEC, Press Release, ‘SEC Files 13 Charges Against Binance Entities and Founder Changpeng Zhao’, 5 June 2023, (Binance action press release); SEC, Press Release, ‘SEC Charges Coinbase for Operating as an Unregistered Securities Exchange, Broker, and Clearing Agency’, 6 June 2023, (Coinbase action press release) (web pages accessed 14 August 2023).

[17] SEC, Press Release, ‘BlockFi Agrees to Pay $100 Million in Penalties and Pursue Registration of its Crypto Lending Product’, 14 February 2022, (accessed 14 August 2023).

[18] SEC, Press Release, ‘SEC Charges Genesis and Gemini for the Unregistered Offer and Sale of Crypto Asset Securities through the Gemini Earn Lending Program’, 12 January 2023, (accessed 14 August 2023).

[19] See, e.g., Commodities Futures Trading Commission (CFTC), Press Release, ‘CFTC Imposes A $1.25 Million Penalty against Kraken for Offering Illegal Off-Exchange Digital Asset Trading and Failing to Register as Required’, 28 September 2021, (accessed 14 August 2023).

[20] See, e.g., CFTC, Press Release, ‘CFTC Orders Glencore to Pay $1.186 Billion for Manipulation and Corruption’, 24 May 2022,; CFTC, ‘Barclays to Pay $400 Million Penalty to Settle CFTC Charges of Attempted Manipulation and False Reporting of Foreign Exchange Benchmark Rates’, 20 May 2015, (web pages accessed 14 August 2023).

[21] CFTC, Press Release, ‘CFTC Imposes $250,000 Penalty Against bZeroX, LLC and Its Founders and Charges Successor Ooki DAO for Offering Illegal, Off-Exchange Digital-Asset Trading, Registration Violations, and Failing to Comply with Bank Secrecy Act’, 22 September 2022, (accessed 14 August 2023).

[22] CFTC v. Ooki DAO, No. 3:22-cv-05416-WHO, 2022 WL 17822445 (N.D. Cal. Dec. 20, 2022).

[23] USDT, Press Release, ‘Treasury Releases 2023 DeFi Illicit Finance Risk Assessment’, 6 April 2023, (accessed 14 August 2023).

[24] Financial Crimes Enforcement Network (FinCEN), Guidance, ‘Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies’, 18 March 2013, (accessed 14 August 2023).

[25] FinCEN, Guidance, ‘Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies’, 9 May 2019, (accessed 14 August 2023).

[26] USDT, Press Release, ‘U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats’, 6 May 2022,; USDT, Press Release, ‘U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash’, (web pages accessed 14 August 2023)

[27] Plaintiffs’ Memorandum in Support of Motion for Summary Judgement at 12-22, Coin Center v. Yellen, No. 3:22-cv-20375-TKW-ZCB (N.D. Fla. May 26, 2023), ECF No. 36-1; Plaintiffs’ Reply in Support of Motion for Partial Summary Judgment and Response to Defendants’ Cross-Motion for Summary Judgment at 3-12, Van Loon v. Dep’t of the Treasury, No. 1:23-cv-312-RP (W.D. Tex. May 24, 2023), ECF No. 87.

[28] 23 NYCRR § 200.3(c).

[29] Council of the European Union, Press Release, ‘Digital finance: Council adopts new rules on markets in crypto-assets (MiCA)’, 16 May 2023,; European Parliament, Press Release, ‘Crypto-assets: green light to new rules for tracing transfers in the EU’, 20 April 2023, (formal approval by the European Parliament) (web pages accessed 14 August 2023).

[30] European Parliament, Press Release, ‘Cryptocurrencies in the EU: new rules to boost benefits and curb threats’, 14 March 2023, (accessed 14 August 2023).

[31] Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, OJ L 150, 9.6.2023, p. 40-205, Article 2(1).

[32] ibid., Article 3(1)(5).

[33] ibid., Article 3(1)(16).

[34] ibid., Article 3(1)(7).

[35] ibid., Article 3(1)(6).

[36] ibid., Title II.

[37] ibid., Article 2(3).

[38] ibid., Article 6(1).

[39] ibid., Article 58.

[40] ibid., Article 59(1).

[41] ibid., Articles 59(7) and 62(1).

[42] Financial Conduct Authority (FCA), ‘Cryptoassets: our work’, updated 23 February 2023, (accessed 14 August 2023).

[43] FCA, PS19/22, ‘Guidance on Cryptoassets: Feedback and Final Guidance to CP 19/3’, July 2019 at 9.

[44] FCA, ‘Cryptoassets: AML / CTF regime’, updated 22 March 2023, (accessed 14 August 2023).

[45] FCA, ‘Cryptoassets: AML / CTF regime - Registering with the FCA’, updated 31 July 2023, (accessed 14 August 2023).

[46] His Majesty’s Treasury, Press Release, ‘UK sets out plans to regulate crypto and protect consumers’, 1 February 2023, (accessed 14 August 2023).

[47] Crypto and Digital Assets All Party Parliamentary Group, Report, ‘Realising Government’s vision for the UK to become a global hub for cryptocurrency & fintech innovation: Inquiry of the All Party Parliamentary Group for Crypto & Digital Assets’, June 2023, p. 6.

[48] id.

[49] Swiss Financial Market Supervisory Authority (FINMA), ‘FINMA publishes ICO guidelines’, 16 February 2018, (accessed 14 August 2023).

[50] FINMA, ‘FINMA publishes partially revised FINMA Anti-Money Laundering Ordinance’, 2 November 2022,; Jack Schickler, ‘Switzerland Sticks to Tougher ID Checks for Crypto to Cash Transactions’, CoinDesk, 2 November 2022, (web pages accessed 14 August 2023).

[51] Monetary Authority of Singapore (MAS), Press Release, ‘New regulatory framework to enhance payment services in Singapore’, 19 November 2018, (accessed 14 August 2023).

[52] MAS, ‘“Financial Services and Markets Bill” – Second Reading Speech by Mr Alvin Tan, Minister of State, Ministry of Culture, Community and Youth & Ministry of Trade and Industry, and Board Member of MAS, on behalf of Mr Tharman Shanmugaratnam, Senior Minister and Minister-in-charge of the Monetary Authority of Singapore, on 4 April 2022’, 4 April 2022, (accessed 14 August 2023).

[53] See also MAS, ‘Explanatory Brief for Financial Services and Markets Bill 2022’, 14 February 2022, (accessed 14 August 2023).

[54] id.

[55] MAS, ‘“Yes to Digital Asset Innovation, No to Cryptocurrency Speculation” - Opening Address by Mr Ravi Menon, Managing Director, Monetary Authority of Singapore, at Green Shoots Seminar on 29 August 2022’, 29 August 2023, (accessed 14 August 2023).

[56] MAS, Consultation Paper P008 – 2022, ‘Proposed Regulatory Measures for Digital Payment Token Services’, October 2022.

[57] MAS, Press Release, ‘MAS Issues Guidelines to Discourage Cryptocurrency Trading by General Public’, 17 January 2022, (accessed 14 August 2023).

[58] Virtual Assets Regulatory Authority (VARA), ‘Empowering innovation through responsible regulation of the virtual assets industry’,; Government of Dubai, ‘Mohammed bin Rashid approves law to regulate virtual assets in Dubai’, 9 March 2022, (web pages accessed 14 August 2023).

[59] Virtual Assets and Related Activities Regulations 2023 (the VARA Regulations), Schedule 1.

[60] VARA Regulations, Compliance and Risk Management Rulebook, Part III, Section A.

[61] VARA Regulation, Company Rulebook, Part I, Section A.

[62] VARA Regulations, Part VIII.

Unlock unlimited access to all Global Investigations Review content