The SEC Finally Drew the Map: We've Been Waiting 20 Years for This

After a decade of “come in and register” with no address, the Commission just published directions. Here’s what matters in 68 pages, what the other summaries will get wrong, and what to do about it this week.

TLDR

• The Thesis: The SEC and CFTC just jointly issued the most consequential piece of U.S. crypto regulatory guidance ever produced. Not a rule. Not a statute. An interpretive release that rewrites the practical application of Howey, creates a five-category token taxonomy, and provides safe harbors for staking, mining, wrapping, and airdrops.
• The Framework: Three of the five categories are categorically not securities. And for the first time, the Commission explains in writing how a token that was sold as part of an investment contract can stop being subject to one.
• The Takeaway: The real value is not in the taxonomy chart. It is in the footnotes, the separation doctrine, and the narrowing of what counts as a “representation” under Howey. That is where the next five years of deal structuring, litigation outcomes, and regulatory strategy will be decided.

1. The Taxonomy That Ate Securities Law

The amount of Howey memos I have read, written, and lit on fire over the years is hard to keep track of. The SEC has now rendered most of them obsolete. Instead of evaluating tokens one-by-one through enforcement actions, the Commission has built a classification system. Five categories:

1. Digital commodities. Native, functional tokens on decentralized crypto systems. Value from programmatic operation and supply/demand, not anyone’s managerial efforts. The Commission names 16: BTC, ETH, SOL, XRP, ADA, AVAX, DOT, LINK, DOGE, SHIB, APT, HBAR, LTC, BCH, XLM, and XTZ. Footnote 51 adds ALGO and LBC as examples without futures contracts, clarifying that a futures listing is not a prerequisite.
2. Digital collectibles. NFTs, meme coins, art, in-game items. Value from artistic, entertainment, social, or cultural significance. The Commission elevates the February 2025 staff meme coin statement to Commission-level interpretation, which matters because staff statements carry no legal weight. This one now does.
3. Digital tools. ENS names, event tickets, soulbound credentials. Practical functionality, no economic rights.
4. Stablecoins. Payment stablecoins from permitted issuers are categorically not securities by statute once the GENIUS Act takes effect. Non-payment stablecoins may still be securities depending on the facts.
5. Digital securities. Tokenized traditional securities. A security is a security regardless of format. The first three are not securities. Period. Not a safe harbor or a no-action letter. A classification. And it covers, by my rough estimate, north of 85% of tokens currently trading on major U.S. exchanges by market cap.

Investor takeaway: The named digital commodity list now carries an SEC interpretation backing non-security status. This is the strongest regulatory foundation for secondary market trading of these assets the U.S. has ever produced. ETF filings, institutional allocation models, and exchange listing standards will all recalibrate around this document.

2. The Separation Doctrine: The Most Important Section Nobody Will Read

Section IV.B. Pages 28 through 33. This is the part that changes deal structures.

The release acknowledges that a non-security crypto asset sold as part of an investment contract does not remain subject to that investment contract forever. The Commission calls this “separation.”

The logic is clean: an investment contract under Howey requires a reasonable expectation of profits derived from the essential managerial efforts of others. Those expectations depend on the issuer’s representations. When the representations are fulfilled, the expectation evaporates. When the issuer fails or abandons the project, the expectation becomes unreasonable. Either way, the asset separates. After that, it is not subject to the federal securities laws.

Footnote 47 provides the doctrinal foundation: “the fact that a non-security crypto asset is subject to an investment contract does not transform the non-security crypto asset itself into a security.” The token is not the security. The transaction is. This was the core argument Coinbase and Ripple made in their respective cases. The Commission has now adopted it. If ETH was sold in a 2014 offering subject to an investment contract, the ETH itself was never a security. Only the transaction was. When the investment contract falls away through separation, there is nothing left to regulate.

The release identifies specific indicia of separation: the issuer has fulfilled the managerial efforts it promised; enough time has passed with no indication the issuer intends to fulfill; or the issuer publicly announces it will no longer perform. And footnote 96 makes clear that whether an issuer has achieved “decentralization” or “functionality” is judged by how the issuer itself defined those terms, not by any general market conception. The SEC is not building a technocratic test for decentralization. It is holding issuers to their own promises.

And the kicker: separation can occur “at any time after the offer of the associated investment contract, such as immediately upon delivery.”

Read that again. A project that sells tokens via a token warrant, delivers them at network launch, and has, by that point, fulfilled every commitment it made in its marketing materials could see those tokens separate on Day 1 of trading.

This is the escape valve founders and crypto counsel have been asking for since the DAO Report in 2017. Not a blanket exemption. A facts-and-circumstances analysis, but in writing, for all to read and plan around.

Strategic takeaway: If you raised through a convertible instrument or token sale with roadmap promises, the separation doctrine creates a documented path to non-security status. Audit your prior representations. If you have fulfilled them, document and disclose that fulfillment publicly. Call your crypto lawyer. Today.

3. The Representations Trap

Here is where most analysis will miss the point.

The Commission draws a hard line around what creates an investment contract. Not the asset’s nature. Not its price. Not what CT accounts say. It is the issuer’s own representations or promises to engage in essential managerial efforts from which a purchaser would reasonably expect profits. Only the issuer’s commitments, from the issuer’s own channels, create the reliance that Howey requires.

The representations must be “explicit and unambiguous.” They must be conveyed “prior to or contemporaneously with the issuer’s offer or sale.” Post-sale promises do not retroactively convert a prior sale into an investment contract. Third-party hype does not count unless authorized by the issuer.

This is a dramatic narrowing of how the Gensler SEC operated, where enforcement routinely pointed to Discord speculation and vague “ecosystem development” language as evidence. The new rule: only the issuer’s own explicit commitments trigger Howey.

And the Commission goes further. Three times in the release (footnotes 52, 65, and 72), it states that facilitating network effects does not constitute essential managerial efforts. Growing a user base, incentivizing developers, building the ecosystem: these were precisely the activities the prior SEC pointed to as evidence of “efforts of others.” The new interpretation says building the network is not managing an enterprise for investors’ benefit. That carve-out alone changes the risk calculus for every token launch in the pipeline, because it protects the one thing every crypto project must do to survive.

But the narrowing cuts both ways. What you do say now clearly determines whether you’ve created an investment contract. A whitepaper with detailed milestones, timelines, and an explanation of how holders will profit from the issuer’s efforts? That is precisely what the release describes as “more likely to create reasonable expectations of profit.” Vague vibes are safer than specific roadmaps. Strange incentive structure, but footnote 96 offers a counterpoint: the more precisely you define your commitments, the more precisely you define the conditions for separation. Vagueness may keep you out of investment-contract territory on the way in, but it makes it harder to prove you’ve fulfilled your promises on the way out.

Strategic takeaway: The line between “non-security digital commodity” and “investment contract” now runs directly through your X (formerly Twitter) posts and blog entries. Audit your comms. Think before you tweet. Delete nothing (that creates its own problems). But understand what your words now mean.

4. The Safe Harbors We Always Wanted

The release provides interpretive guidance on four specific activities and concludes each is not a securities transaction: protocol mining (PoW), protocol staking (PoS, including liquid staking), wrapping, and airdrops. The headlines are good. The footnotes are where practitioners need to live.

Footnote 106: if miners passively rely on the pool operator to provide computational resources (buying hash power and collecting checks), the safe harbor doesn’t apply. Footnotes 123 through 126: if a custodian or liquid staking provider exercises discretion over which assets to stake, when, or how much, or guarantees reward amounts, they fall outside the release’s scope. Discretion kills the staking safe harbor. Footnote 148: if the issuer announced an airdrop during the testing phase to incentivize engagement and limited eligibility to testnet users, the airdrop interpretation doesn’t apply. The order of operations matters.

The big unlock: Staking Receipt Tokens for non-security digital commodities are not securities. Liquid staking protocols just got a regulatory framework. Institutional staking products are coming.

5. The Definitions Buried in the Footnotes

Two definitions are doing enormous work in this release and a third that explains why they work the way they do.

“Functional” (footnote 49): a crypto system is functional if its native token can be used on the system in accordance with the programmatic utility of the system. This is the gating criterion for digital commodity status. The distinction between a governance token with real protocol utility and one that is window dressing for a revenue share gets drawn here.

“Decentralized” (footnote 50): a crypto system is decentralized if it operates autonomously with no person, entity, or group having operational, economic, or voting control. Decentralization is not required for digital commodity status, but its absence makes the “efforts of others” prong harder to shake. But the real key is footnote 96, which says whether an issuer has achieved “decentralization” or “functionality” depends on how the issuer itself defined those terms, “not a general market conception.”

Stop and think about what the Commission is doing here. The trillion-dollar question has always been: “who decides when a network is ‘functional enough’ or ‘decentralized enough’”? The SEC’s answer: the issuer does, at the time it makes its representations. The Commission holds the issuer to its own standard. This is a deep, free-markets move. Rather than constructing a top-down regulatory definition of “sufficient decentralization” (inevitably too rigid or too vague), the SEC outsourced the definition to the people who actually build these systems. The question is not “is this network decentralized by some objective standard?” The question is “did this issuer do what it said it would do?” The standard is contractual, not technocratic. This may be the most important philosophical point of view in the 68 pages, but it also opens the question of how to avoid bad actors from gaming this self-deterministic system.

And the counterintuitive consequence the skeptics will miss: this approach is tougher on bad actors than a technocratic standard would be. A top-down definition can be gamed by checking boxes. But an issuer who promised the moon and delivered a crater cannot claim separation, because the yardstick is the issuer’s own words. The vaguer and grander the promises, the longer the investment contract persists, the longer the anti-fraud exposure runs. This framework rewards specificity and honesty and punishes hype. That is not deregulation. That is smart regulation.

One more buried bombshell: footnote 7. The Commission quietly reverses a 22-year-old position on the “common enterprise” element of Howey. Since In re Barkate (2004), the SEC’s view was that commonality was not strictly required. The new position: it is. The Commission “concludes and clarifies” that common enterprise “must be satisfied,” citing SEC v. Barry (9th Cir. 2025) and SEC v. Scoville (10th Cir. 2019). This narrows Howey‘s reach most for secondary market transactions, where a buyer purchases from an anonymous seller on an exchange and the “common enterprise” with the original issuer is, at best, attenuated. Defense counsel in every pending crypto case should be filing supplemental authority letters this week.

6. What This Does Not Do

Restaking. Explicitly excluded (footnote 107). EigenLayer and the restaking ecosystem remain in limbo.

DeFi lending and yield farming. Not covered. Protocol-level activities only.

Exchange registration. Coming under separate Project Crypto workstreams.

Revenue-sharing governance tokens. The taxonomy blesses governance tokens that allow voting on “technical or governance matters.” But a token that routes protocol revenue to holders looks more like a security. And here is the hardest question: what happens when a token legitimately separates from its investment contract, and then a DAO governance vote turns on a fee switch routing revenue to holders? The issuer fulfilled its promises. Separation occurred. But the economics changed through decentralized governance. Is there a new investment contract? Who is the “issuer” when a DAO made the decision? This is likely the most litigated question in the next cycle.

Retroactivity. Anti-fraud liability survives separation. The fact that an investment contract ceases to exist does not excuse the failure to register the original offering. The enforcement docket just got more complicated for both sides.

What to Do This Week

Founders: Map your token against the five categories. Audit your prior representations against the separation framework. If you’ve fulfilled your roadmap, document and disclose it. Talk to counsel.

Investors and fund managers: Reassess portfolio regulatory exposure against the taxonomy. Update risk models. Look hard at the liquid staking ecosystem.

Exchanges and intermediaries: The taxonomy draws clearer listing and delisting lines than anything before. The staking safe harbors open new product lines. Move fast.

Banks and traditional financial institutions: This is the document your compliance team has been waiting for. A classification framework you can underwrite against. Digital commodities with named examples, stablecoins with a statutory carve-out, digital securities that slot into existing infrastructure. The staking safe harbors open the door to yield-bearing crypto products without the securities registration question that has kept you on the sideline. If your institution has been running a “wait for clarity” playbook for the last three/five/twenty years, clarity just arrived. The competitive window for first movers will not stay open forever.

Lawyers: Read the footnotes. All 148 of them. The body text gives you the framework. The footnotes give you the traps.

The SEC has been telling the crypto industry to “come in and register” since 2017 without ever handing out the address. Today, they drew the map. It is 68 pages long. It has 148 footnotes. It is an interpretive release, not a statute, which means it can be revised, challenged, or superseded. And it wisely does not try to answer every question, because its deepest insight is that some questions are better answered by the people building rather than by the people regulating.

The map is here. Read it.