President Donald Trump’s statements that he wants to make the US the “crypto capital” of the world means companies will want to be aware of the emerging regulatory environment that could vary between the US government and the states.
A federal de-prioritization of enforcement doesn’t change the timeline on statutes of limitations that can span beyond a single administration. Given the specter of selective enforcement, crypto companies should be wary of an overly headlong approach.
State regulators are expected to ramp up enforcement to fill perceived gaps in US enforcement, especially on consumer protection grounds. Private litigants can ensnare crypto companies in lengthy and expensive litigation, especially after downturns in the crypto markets that cause individuals to lose money.
Assessing and Acting
The Securities and Exchange Commission’s position for years has been that digital assets issued on a blockchain may be securities under US securities laws and, if they are securities, issuers who offer or sell them in the US must register the offering and sale or qualify for a registration exemption.
As recently as July 2024, the SEC cautioned crypto companies that just because the Howey test (which determines whether an offering is a security) existed before blockchain, it still can apply. A security, the agency says, is “principles-based to allow for the flexibility that comes with innovative investment products, technology-driven or otherwise.”
Under Trump, the SEC has demonstrated that it doesn’t intend to come after crypto companies with the same zeal it had under prior administrations.
Renaming the SEC’s crypto unit to the more general Cyber and Emerging Technology unit likely reflects this federal de-prioritization, and the agency’s new Crypto Task Force signals a more permissive federal regulatory environment.
This shift is also reflected in the Department of Justice’s decision to scale back the scope of its cryptocurrency cases, moving from the “regulation by prosecution” approach to a limited focus on cases involving terrorism, drug cartels, and investor fraud. As part of this change in focus, the DOJ is disbanding its National Cryptocurrency Enforcement Team.
But administrations come and go—and the Howey test has been in force for more than 80 years. Crypto companies should be wary of assuming an endless crypto summer. And de-prioritization doesn’t mean there can’t be selective enforcement, especially for foreign crypto companies operating in the US.
Individual US states can use their securities and consumer protection laws to bring actions against crypto companies. New York and California have active attorney general offices that rigorously enforce consumer protection and securities laws related to cryptocurrency.
While federal securities laws preempt state securities laws to a degree, it isn’t a complete preemption, and it’s not difficult to imagine that states will argue against preemption when faced with a lax federal regulatory environment.
Companies should consider where their customers are located. While it may be impractical or impossible to prevent customers in specific states from buying digital assets or using a company’s services, being mindful of customers’ locations is important to understanding the activities most likely to generate regulatory risk.
It’s also important to track how states address regulations themselves. Many states have or are considering crypto-specific laws, including licensing requirements. The shift in federal regulatory focus is likely to intensify the state legislative and administrative activity aimed at the cryptocurrency industry.
Monitoring these developments is key to ensuring a clear understanding of the state regulatory risk companies are likely to face.
Strengthening Legal Protections
A well-drafted and consistently applied set of terms and conditions can be a company’s first line of defense to consumer disputes or litigation. It also can greatly aid in a defense of state regulatory scrutiny.
Reviewing the terms and conditions to ensure they’re up to date is an important initial step. Those that reflect inaccurate information may be difficult to enforce and can lead to regulatory action or litigation for fraud, deceptive trade practices, and other consumer protection violations.
For companies with multiple product lines, platforms, or subdivisions, ensuring consistency across terms and conditions is critical, as disputes may arise under multiple product offerings, and inconsistencies can create roadblocks to enforcing them.
Terms and conditions that require affirmative user consent generally are easier to enforce than those simply posted online. Companies should ensure user consent of terms and conditions is logged, as proof of consent can be crucial for enforceability.
Companies also should consider whether to include forum selection clauses that designate a specific jurisdiction where disputes should be brought. A forum selection clause can be a useful tool to ensure disputes are heard in jurisdictions that aren’t antagonistic to the cryptocurrency industry.
Including arbitration clauses or alternative dispute resolution mechanisms is another prudent step that can shield companies from expensive litigation.
Robust record-keeping and compliance procedures are essential to avoiding regulatory and litigation pitfalls. The worst time to discover gaps in policies and that records are unavailable is when facing a regulatory inquiry or litigation.
To avoid missteps, companies should review record generation and retention policies to ensure they’re up to date, adhere to all applicable state and federal requirements, and see that employees are aware of the policies.
Maintaining clear processes for issuing and enforcing legal hold notices in the event of litigation or regulatory inquiries is important to safeguard relevant records.
Preventing Theft, Fraud
Crypto companies handling personal information, including employee data, must navigate and comply with the complex patchwork of federal and state data privacy laws. In some instances, companies may have to comply with state laws, such as the California Consumer Privacy Act, even if they aren’t incorporated there.
The decentralized nature of cryptocurrency makes it a prime target for fraud and cybercrime, and all 50 US states have data breach notification laws. Regulators have strict and detailed cybersecurity requirements that can be a burden but that also protect companies.
The risks from private litigation, state-level enforcement, and cybersecurity threats persist, and may even be on an upward trajectory.
Proactive legal strategies can help crypto businesses thrive while protecting against persistent legal and regulatory challenges.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Michael Bahar is partner at Eversheds Sutherland and co-lead of the firm’s global cybersecurity and data privacy and congressional investigations practices.
Mary Jane Wilson-Bilik is a technology, privacy, and insurance regulatory law partner at Eversheds Sutherland.
Alexander Fuchs is counsel at Eversheds Sutherland, focusing on class action and commercial litigation.
Eversheds Sutherland partner Alexander F.L. Sand contributed to this article.
Write for Us: Author Guidelines
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.