SEC-CFTC Crypto Guidance 2026: What Changed, What Remains at Risk, and What Builders Should Do

On 17 March 2026, the SEC and CFTC chose the same date to publish a coordinated piece of guidance. That coordination is the first signal worth noting. For years, the two agencies operated in a jurisdictional grey zone — each claiming territory over crypto, often colliding, leaving market participants to navigate the resulting uncertainty through expensive legal analysis and strategic silence. What landed last week is something different: a joint taxonomy, a shared division of regulatory responsibility, and explicit statements about specific activities.

SEC's Interpretive Release No. 33-11412 — a 68-page document titled “Application of the Federal Securities Laws to Certain Types of Crypto Assets and Certain Transactions Involving Crypto Assets” — establishes the categories, the tests, and the cleared activities. The CFTC joined the document to provide its guidance relating to that interpretation.

On the same day, but as a separate, distinct document, the CFTC published Staff Letter No. 26-09, granting no-action relief to Phantom Technologies — the provider of “Phantom”, one of the most popular self-custodial wallets on Solana.

As discussed earlier, the US crypto policy is expected to change, and these releases form one of the first major milestones in this direction. Taken together, these documents are intended to mark a deliberate reset in the US crypto policy and regulation, and will likely have real, immediate consequences for founders, DeFi protocol developers, infrastructure builders, and their lawyers.

From “Everything Is a Security” to Five Clear Categories: What Actually Changed in the SEC’s Approach

To understand what this guidance does, it helps to understand what the landscape looked like before it.

Before, under SEC Chair Gensler, the agency operated on the premise that nearly every crypto asset — other than Bitcoin — was a potential security subject to SEC registration requirements. The 2019 Framework for “Investment Contract” Analysis of Digital Assets provided theoretical guidance but in practice offered little certainty. The SEC’s primary tool was enforcement: it sued Ripple, Telegram, and dozens of token issuers, effectively using litigation as rulemaking.

In this new 2026 guidance, the SEC has, in practical terms, confirmed that it will treat a large proportion of crypto assets as non-securities. The Commission has established five explicit token categories, identified 18 specific tokens as digital commodities, cleared several key DeFi activities from securities treatment, addressed airdrops, and explained how a non-security token that was previously connected to an investment contract may, in certain circumstances, essentially cease to be subject to securities regulations. The 2019 Framework is superseded.

This is a genuine shift in the regulatory posture. But the real question is: what does it actually change in legal terms?

How the SEC Analyses Crypto Assets: the Howey Test

Before we move forward, let’s discuss the framework used by the SEC and US courts to determine whether a token or related arrangement falls within the ambit of US securities regulations.

By default, both the SEC and courts apply the so-called Howey test — a precedent from S.E.C. v. W.J. Howey Co., 328 U.S. 293, 298–99 (1946) — which was first applied by the Commission back in 2017 in the famous “the DAO” case. The Howey test establishes whether an investment contract exists. An investment contract, in turn, is a type of security subject to the federal securities laws and the SEC’s jurisdiction.

Under Howey, an investment contract exists if four prongs are met: there is an (1) investment of money (2) into a common enterprise (3) with expectation of profits (4) predominantly from the effort of others.

In its new 2026 guidance, the SEC has articulated how it interprets Howey as applicable to different types of tokens and crypto activities. However, it is critical that the SEC’s interpretation is not the final word. Courts apply the Howey test independently, and since the US Supreme Court’s 2024 Loper Bright decision, courts no longer defer to agency interpretations of ambiguous statutes, meaning that courts, not government agencies, must interpret ambiguous laws. That is a structurally important caveat, addressed in detail below.

The SEC’s Five-Category Framework: Where Your Token Fits

The guidance establishes five categories of crypto assets (tokens). Understanding where your token sits is the starting point for every legal decision that follows.

• Digital commodity — a crypto asset intrinsically linked to the operation of a decentralised network, where no person’s essential managerial efforts sustain its value. These tokens do not qualify as securities. Explicitly named: Bitcoin, Ether, Solana, XRP, Cardano, Avalanche, Polkadot, Chainlink, Dogecoin, Shiba Inu, Stellar, Tezos, Aptos, Hedera, Litecoin, Bitcoin Cash, Algorand, and LBRY Credits.
• Digital collectible — a crypto asset designed to be collected, such as an NFT or token referencing internet memes, characters, current events, or trends. The guidance treats these like digital sports memorabilia, not securities.
• Digital tool — utility tokens with a specific, bounded function, such as ENS domain names, protocol credentials, or access keys. Not securities where the utility, not profit expectation, drives the acquisition.
• Stablecoin — payment-focused tokens. Those structured under the proposed GENIUS Act framework receive statutory protection (once the act takes effect). Others face case-by-case analysis, so stablecoin issuers are not fully in the clear.
• Digital security — tokenised stocks, bonds, fund interests, and instruments representing a direct financial stake in an enterprise. Fully within the SEC’s perimeter. Nothing changes here.

These five categories were established as a result of the SEC’s interpretation of the last prong under Howey — expectation of profits predominantly from the efforts of others — which is not met in the first four categories (except for the fifth, the digital securities).

For DeFi Protocol Developers: What’s Cleared, What Isn’t, and What to Do Now

Obviously, the SEC’s guidance cannot address every type of DeFi project. Nonetheless, several key DeFi activities were addressed, and the analytical approach used can be applied to other types of protocols and activities.

Staking Protocols

Until today, whether staking rewards constituted an investment contract was a live, unsettled question. The SEC had previously signalled that staking-as-a-service products could trigger securities requirements, and it pursued Kraken in 2023 over its staking programme.

Now, the SEC confirmed that the protocol staking is treated as an administrative or ministerial function — not an investment activity generating returns from the efforts of others. The analysis turns on who is doing the work:

• Self-staking (validators performing the work themselves): cleared, no SEC jurisdiction;
• Custodial staking: cleared, provided the custodian does not select whether, when, or how much to stake on the client’s behalf;
• Liquid staking receipt tokens (LSDs like stETH): treated as non-securities, provided the underlying token is not itself a security and the provider does not exercise discretionary control.

Wrapped Token, Cross-Chain & Bridge Protocols

In the first place, this section relates to the issuers of wrapped tokens (e.g., wETH, wBTC), providers of cross-chain solutions and various bridge operators.

The “wrapping” of crypto assets, as used by the SEC, refers to the process through which a person deposits a crypto asset with a custodian or cross-chain bridge and in return receives an equivalent amount of redeemable wrapped tokens on a one-for-one basis without directly or indirectly offering any return, yield, profit opportunity, or additional good or service.

In the 2026 guidance, the SEC confirmed that issuing and offering redeemable wrapped tokens in exchange for non-security crypto assets does not involve the offer and sale of a securities under the securities laws, i.e., falls outside the scope of the federal securities laws. However, the following requirements must be met:

• The token being wrapped or bridged (wrapped token) is a non-security crypto asset.
• Wrapped token is not otherwise subject to investment contract.
• Wrapped token is “locked up” and cannot be transferred, lent, pledged, rehypothecated, or otherwise used for any reason.
• Wrapped token is redeemable 1:1 for its receipt token, which is issued without return, yield, or profit opportunity.

The SEC concludes that, in such case, the redeemable wrapped tokens would be considered 'receipts' for non-security crypto assets that are wrapped (or bridged), and their offer or sale would not involve the offer and sale of a security within the meaning of the Securities Act or the Exchange Act.

Restaking and Liquid Restaking

Both restaking and liquid restaking protocols are outside the scope of the SEC’s guidance. And that is a deliberate deferral, not an oversight.

As discussed above, in its analysis, the SEC applies the Howey test to determine whether an investment contract exists. In the case of staking, the Commission believes that the last prong of Howey — expectation of profits predominantly from the efforts of others — is not met. This is because users do not expect that their staking profits will be primarily driven by “the efforts of others”, which in our context includes the efforts of staking protocols or their operators. The profits are composed of staking rewards automatically distributed by the underlying protocol.

Unlike staking, restaking and liquid restaking imply that the operator or provider engages in active risk management, allocation, and oversight of user funds, which in turn directly affects users’ profits or APYs. Many restaking and LRT protocols frame their professional discretion and risk management as a competitive advantage to users, which implies that their profits will increase owing to the operator’s managerial efforts.

The SEC has deliberately omitted restaking and LRT from its guidance. The general logic applied by the Commission implies how the Howey analysis is to be undertaken, and together these demonstrate that restaking and liquid restaking arrangements are likely to constitute investment contracts under Howey, leading to the application of US securities regulations. Therefore, restaking protocols, AVS providers, and liquid restaking token (LRT) issuers should treat this as an unresolved risk.

Note that this reflects an opinion, not the SEC’s official position.

Action Steps for DeFi Protocol Teams

1. If conducting or planning an airdrop: Map your existing token distributions against the gratuitous/task-based airdrop distinction and seek specific advice on any that involved participation conditions.
2. If a staking provider: Review your staking architecture: confirm who exercises discretion over staking decisions and whether your technical architecture aligns with the guidance’s conditions.
3. If a restaking/LRT provider: If you are building on restaking or liquid restaking infrastructure, consider the SEC's guidance as a rather negative signal and approach the U.S. market with caution.
4. If launching a token: Assess token design and economics: fee-sharing, revenue entitlement, and buyback rights keep governance tokens inside the Howey analysis regardless of the label used.

Airdrops – When They Are Legal in the US

The SEC defines an “airdrop” as a means for crypto asset issuers to disseminate their crypto assets in exchange for no or nominal consideration. The issuer, usually in the early stages of development, transfers its crypto asset to specific cryptographic wallets or other addresses.

Until this guidance, the legal status of airdrops was genuinely unclear, particularly for retroactive distributions that rewarded prior protocol usage.

The SEC has now confirmed that an airdrop of non-security crypto assets to recipients without any bargained-for consideration — i.e. those who do not provide the issuer with money, goods, services, or other consideration in exchange for the airdropped asset — is cleared from Howey analysis since the first element of the Howey test — investment of money — is not satisfied. For future distributions and community incentive programmes, the structure now matters enormously.

Commission further notes that that the airdrop would not trigger the application of securities laws even if the recipients did provide the issuer with money, goods, services, or other consideration, but only if such consideration was not provided in exchange for the airdrop. In other words, the recipient must not bargain for or choose to provide such consideration in exchange for the airdropped tokens for the interpretation to apply.

The SEC expressly identified cases where an airdrop could trigger securities regulations:

“… an issuer may airdrop its crypto asset in exchange for the recipient providing a service. That service could include, for example, a task aimed at raising awareness of the issuer’s crypto asset and associated crypto system through various channels, such as following the issuer on social media, “retweeting” (or reposting) a post sent by the issuer, writing an article about the associated crypto system, referring another person to the associated crypto system, or fixing bugs in the associated crypto system’s software.”

In 2017, in the so-called "Munchee case" the SEC established that even where airdrop recipients did not pay or make an actual investment, their participation in marketing, PR or promotional activities may be viewed as “investment” and thus establish the first prong of Howey.

Structuring an Airdrop in Line With the SEC’s Guidance

Based on the SEC’s release, the following three steps would substantially reduce, or potentially even mitigate, the regulatory risks under U.S. securities laws in relation to a token airdrop:

1. The token distributed is a non-security crypto asset.
2. The airdrop is not offered in exchange for goods or services.
3. The airdrop terms and distribution criteria are not announced until after the snapshot or qualification period has ended, in order to avoid suggesting that recipients could engage in airdrop-related activities for the purpose of qualifying for the distribution.

The SEC further offered three examples of airdrops that would not trigger securities regulations:

• An issuer airdrops its non-security crypto asset to persons who hold another specified crypto asset in their digital wallets, and the issuer does not announce the airdrop before the non-security crypto asset is disseminated.
• An issuer creates a new crypto system and runs a testing environment before launch. After the system is fully functional, the issuer announces that persons who used the testing environment during a specific prior period will receive an airdrop — but does not announce this before they transact.
• An issuer airdrops its non-security crypto asset free of charge to users of a related software application who satisfy eligibility criteria based solely on their prior use of the application, with the airdrop not announced before the non-security crypto asset is disseminated.

A Token Can Exit “Securities” Status

Something fundamentally new in this guidance is the SEC’s position that a non-security crypto asset that was subject to an investment contract does not necessarily remain subject to that investment contract in perpetuity.

In essence: (a) where a token that is not inherently a security (b) was subject to an investment contract (i.e. security treatment) pursuant to Howey, such token will not be subject to security treatment after (c) the issuer (project team) is no longer expected to engage in essential managerial efforts with respect to the project or the token.

In this scenario, the non-security crypto asset separates from the representations and promises of the project team to engage in essential managerial efforts, and thereafter is not subject to the federal securities laws. This is because the last prong of Howey — expectation of profits predominantly from the efforts of others — would no longer be satisfied.

The two scenarios for this are:

• Fulfilment of promises or representations: where the main promises made by the team were actually completed and no further substantial engagement is expected.
• Failure to deliver on promises or representations: where the project team fails to satisfy their representations, in which case purchasers would not reasonably expect the issuer’s past representations regarding essential managerial efforts to remain connected to the non-security crypto asset.

For Token Founders: Key Considerations & Action Steps

From a token project founder's perspective, it is important to understand that, in the SEC's view, the token may now exit securities classification entirely once a project has completed — or permanently ceased — all essential managerial efforts (meaning the network operates without the core team’s ongoing involvement), as explained above.

Another point worth noting is that, in Chair Atkins’ speech — importantly, this was not included in the SEC’s guidance itself, but only in the speech — he indicated that a rule proposal would follow within weeks to introduce a startup exemption. Under this proposed exemption, projects raising up to $5 million over a four-year development period may be able to rely on an exemption while building toward decentralisation. This would operate alongside existing securities exemptions, rather than replace them, thereby giving founders additional optionality during the development period.

What the Guidance Does Not Change

Antifraud rules apply to all five categories. AML/KYC obligations under FinCEN are unaffected. State securities laws (Blue Sky laws) vary and are not pre-empted. Crucially: if your historical communications — white papers, investor decks, social media posts, pitch materials — suggest ongoing team control or future value creation from the core team’s efforts, those communications can reopen a Howey analysis even under the new framework.

Action Steps for Founders

1. Run a fresh analysis of your token against the five-category taxonomy — specifically the Howey prong on essential managerial efforts.
2. Conduct a communications audit: review all public statements about your project from inception. Flag anything that suggests investor return expectations tied to your team’s ongoing efforts.
3. Build a decentralisation roadmap with legal milestones: at what point will your network qualify for the safe harbour trigger?
4. Track the formal rule proposal from the SEC (expected within weeks of this guidance). The rule will set specific conditions — plan to the current guidance but be ready to adapt.
5. Assess whether the proposed $5M startup exemption fits your raise profile and whether it can be stacked with existing Reg D or Reg CF exemptions — these details will be critical once the formal rule is published.

For Wallet and Infrastructure Builders: The Phantom Template — What It Is and What It Isn’t

It is important to be clear about what the Phantom no-action letter is, and equally clear about what it is not.

This is a separate document from the SEC’s interpretive release. It was published by the CFTC — not the SEC — and addresses a specific question under CFTC jurisdiction: whether a self-custodial wallet provider integrating access to regulated derivatives markets must register as an introducing broker.

What Phantom asked: Whether providing users with in-app access to CFTC-regulated event contracts and futures — through registered futures commission merchants (FCMs) and designated contract markets (DCMs) — required Phantom to register as an introducing broker or associated person.

What the CFTC said: No, but only subject to a number of conditions, including the following core structural points:

1. Users’ orders route directly to registered FCMs and DCMs — Phantom does not sit in the order flow;
2. Phantom does not custody user funds at any point;
3. Phantom does not exercise discretion over any trading decision;
4. Phantom does not pre-select or recommend specific counterparties;
5. Phantom operates as a software interface only — not as a financial intermediary.

What this establishes: A meaningful regulatory distinction between software that facilitates access to a market and a market participant that introduces clients. Where software operates neutrally — routing access without managing relationships, touching assets, or exercising discretion — the introducing broker registration requirement does not automatically apply.

What this does not establish: A blanket protection for all wallet providers. This is staff-level guidance from the CFTC’s Market Participants Division. It binds staff only with respect to Phantom’s specific described facts. A wallet provider with a different architecture — one that pre-selects counterparties, exercises discretion, or maintains custody — cannot rely on this letter. However, it remains a very useful north star for legal and regulatory structuring.

Action Steps for Wallet and Infrastructure Builders

1. Audit your wallet architecture against the five Phantom conditions: order routing (direct to FCM/DCM), no custody, no trading discretion, no counterparty selection, software-only interface. Read the original no-action letter as it contains a list of conditions that must be met.
2. If your architecture diverges from any of the Phantom's conditions, you cannot rely on this letter. Seek your own no-action request or legal opinion before integrating regulated derivatives access.
3. Document your “software-only” status actively — terms of service, technical architecture, and user-facing language should all reinforce that you are not managing user assets or trading decisions.

The Critical Caveat: Enforcement Risk ≠ Litigation Risk

Here is the most important thing this guidance does not do, and the point that many in the industry are glossing over.

The Securities Act of 1933 and the Exchange Act of 1934 are statutes. They remain unchanged. The Howey test is a judicial precedent established by the US Supreme Court in 1946. It also remains unchanged. What the SEC has done is express its current interpretation of how those existing laws apply to crypto assets. That interpretation is persuasive — but it is not binding on anyone other than the SEC itself.

Courts Are Not Bound by This Guidance

Since the Supreme Court’s June 2024 decision in Loper Bright Enterprises v. Raimondo, courts no longer defer to agency interpretations of ambiguous statutes. The SEC’s new guidance can be cited as persuasive authority in litigation — courts may find it helpful and may be inclined to follow it — but a court applying the Howey test independently could reach a different conclusion.

Private Plaintiffs Can Still Sue (Class Action Risk Remains)

This is the gap that matters most for founders and protocol teams.

Securities Act creates a private right of action — not an SEC enforcement action, but a right for purchasers to bring their own lawsuits — against sellers of unregistered securities. This is a strict liability claim: the plaintiff does not need to prove fraud, misrepresentation, or even harm. They need only prove that the instrument was a security and was sold without registration.

In 2025, crypto class action litigation was active and growing, with dozens of cases filed against token issuers, promoters, and sellers — the majority relying on exactly this theory. Even in a world where the SEC will not initiate an enforcement action against you, the private litigation risk and class action risk remains.

To reduce that risk materially, you need one of two things:

1. Favourable court precedents — actual judicial decisions holding that tokens structured like yours are not securities under Howey. These are the precedents the industry needs to accumulate, and they take time.
2. Legislation — statutory amendments to the Securities Act or Commodity Exchange Act that create explicit exclusions for specific token types. This is what the CLARITY Act would do.

What a Formal SEC Rule Would and Would Not Change

Chair Atkins stated he intends to propose a formal rule within weeks. A formal rule — unlike this interpretive guidance — goes through the official rulemaking process: public notice, comment period, and final publication. This is meaningful because formal rules carry more legal weight than interpretive guidance and can establish firm safe harbours from SEC enforcement.

However, even a formal SEC rule does not change the Securities Act itself. Private plaintiffs bringing their own claims do not need to show that the SEC would have brought an enforcement action — they are suing under the statute directly. The SEC’s rule creates a defence against agency enforcement, but it does not eliminate the private right of action.

What the SEC’s Guidance Still Does Not Resolve

1. Restaking and LRTs — EigenLayer-style restaking and various liquid restaking activities, including LRTs, are explicitly deferred. However, the relevant risks should be considered as high (see above).
2. Governance tokens with economic rights — if your governance token confers fee-sharing, revenue entitlement, or buyback participation, the Howey analysis runs regardless of the governance label. The guidance does not provide a safe harbour for governance tokens as a class.
3. Cross-border exposure — the guidance is US-centric. It operates alongside MiCA in Europe (which has its own classification framework), see details, the FCA’s developing crypto regime in the UK, and various other national frameworks. The SEC clearing does not determine how other jurisdictions treat specific tokens or crypto activities.

Frequently Asked Questions

Does the SEC’s new 2026 guidance mean my token is no longer a security?

Not automatically. The guidance establishes categories and tests, but whether your specific token falls within a category depends on the facts of how it was issued, what rights it confers, and what your communications led purchasers to expect. It provides a framework for the analysis and shows how the Commission would apply the law, but is not law itself — courts could apply a different approach. Conduct a fresh analysis and assess your full communications history before drawing conclusions.

Is staking now legally safe from a US securities law perspective?

Protocol staking — where validators perform the work themselves — is cleared. Custodial staking is cleared where the custodian exercises no discretion over staking decisions. Liquid staking receipt tokens are treated as non-securities under the same conditions. Note: this clearing applies prospectively to SEC enforcement; historical claims by private plaintiffs are a separate analysis.

Is restaking and liquid restaking (LRT) now legally safe from a US securities law perspective?

Restaking and liquid restaking, including LRTs, are deferred and not covered in the new guidance. Applying the SEC’s own logic, restaking and liquid restaking arrangements (including issuance of LRTs) where operators or providers exercise discretion or managerial control represent a high risk from a US securities law perspective.

What’s the difference between the SEC’s interpretive release and the CFTC’s Phantom no-action letter?

They are separate documents with different authors, different scope, and different legal effect. The SEC’s release addresses the classification of crypto assets under securities law and applies broadly. The CFTC’s letter to Phantom addresses a specific wallet provider’s specific facts under CFTC jurisdiction and binds only CFTC’s Market Participants Division staff with respect to those facts. The Phantom letter cannot be relied upon by other wallet providers directly, though it is a useful model for how to structure wallet software to avoid introducing broker status.

If the SEC guidance says my token isn’t a security, can I still be sued by token purchasers?

Yes. The SEC’s guidance shapes agency enforcement — it does not eliminate private rights of action under the Securities Act. Under Section 12(a)(1), purchasers have a private right to bring suit for rescission if they believe they were sold an unregistered security. Courts apply the Howey test independently and are not bound by the SEC’s interpretation. The guidance substantially reduces enforcement risk, but it does not eliminate litigation risk or class action risk.

What does the CLARITY Act actually change, and when will it pass?

The CLARITY Act would amend the Securities Act to create statutory exclusions for digital commodities, granting CFTC exclusive jurisdiction over spot markets for those assets. This is the legislative piece that would close the private action gap — because it changes the statute, not just how the SEC interprets it. As of March 2026, the bill has passed the House.

What should I do right now as a result of this guidance?

If your project has US nexus, targets or operates within the US – a number of things: (1) Conduct a fresh Howey analysis of your token or protocol against the five-category taxonomy. (2) Audit all public communications for language suggesting ongoing team control or investor return expectations. (3) If you conduct or plan an aidrop, align with the recommendations set out above. (4) If you are building wallet software that routes to regulated markets and want to remain outside the scope of regulations, model your structure against the conditions described in the CFTC's no-action letter for Phantom. (5) If you develop or operate a type of DeFi protocol addressed in the SEC’s guidance, ensure that you satisfy the relevant conditions so that your activities fall outside the scope of the securities laws. (6) Monitor the forthcoming SEC rule proposal and the CLARITY Act’s progress.

In Conclusion

The real significance of the SEC and CFTC’s 17 March 2026 crypto guidance is not only in the specific positions taken on token categories, staking, or airdrops. It is in what the guidance signals: a meaningful shift from regulation by enforcement toward more structured, coordinated regulatory oversight. For crypto builders, founders, and token issuers, that change matters. It provides a clearer basis for making decisions on token design, staking models, distribution strategies, and broader compliance planning.

But this is not a full resolution of regulatory risk. The enforcement landscape may be evolving, yet private litigation risk, structuring risk, and legislative uncertainty remain very real. In practice, that means projects should treat this guidance as a stronger framework for planning, not as a blanket safe harbour. Builders who move now with a clear understanding of the five token categories, the updated approach to staking and airdrops, and the limits of the current guidance will be in a far better position to build credibly and scale with fewer regulatory surprises.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Some concepts have been simplified for readability and ease of understanding. Readers should refer to the underlying sources and obtain legal advice before acting on any specific situation.