Crypto & Blockchain Regulation & Licensing in USA

The United States applies one of the most complex and fragmented regulatory frameworks to crypto and blockchain businesses in the world. No single federal licence covers all digital asset activities - instead, operators must navigate overlapping federal agency mandates, state-by-state licensing requirements, and evolving enforcement priorities. For any international business entering the US market, the cost of misreading this landscape is measured in enforcement actions, asset freezes, and reputational damage that can end a project before it scales. This article maps the full regulatory architecture, identifies the most consequential compliance obligations, and explains how to build a licensing strategy that survives regulatory scrutiny.

The United States does not have a single crypto regulator. Authority is distributed across several federal agencies, each asserting jurisdiction over a different slice of digital asset activity. Understanding which agency applies to which business model is the first and most critical step in any US market entry plan.

The Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury, treats most crypto businesses as money services businesses (MSBs) under the Bank Secrecy Act (BSA), 31 U.S.C. § 5311 et seq. Any entity that exchanges, transmits, or administers virtual currency for others must register with FinCEN as an MSB and implement a full anti-money laundering (AML) programme. Registration is mandatory before commencing operations, not after. A common mistake among international founders is treating FinCEN registration as a formality completed after launch - enforcement history shows this approach invites civil money penalties and, in serious cases, criminal referrals.

The Securities and Exchange Commission (SEC) asserts jurisdiction over digital assets that qualify as securities under the Howey test, a four-part analysis derived from SEC v. W.J. Howey Co. (1946). Under this test, an instrument is a security if it involves an investment of money in a common enterprise with an expectation of profit derived from the efforts of others. The SEC has applied this standard aggressively to token offerings, exchange-listed assets, and staking programmes. Issuers who sell unregistered securities face disgorgement, civil penalties, and injunctive relief under the Securities Act of 1933, 15 U.S.C. § 77a et seq., and the Securities Exchange Act of 1934, 15 U.S.C. § 78a et seq.

The Commodity Futures Trading Commission (CFTC) claims jurisdiction over digital assets that qualify as commodities under the Commodity Exchange Act (CEA), 7 U.S.C. § 1 et seq. Bitcoin and Ether have been treated as commodities in multiple enforcement actions and judicial decisions. The CFTC regulates derivatives markets, including crypto futures, options, and swaps, and has brought enforcement actions against unregistered crypto derivatives platforms operating from outside the US but accessible to US persons.

The Internal Revenue Service (IRS) treats virtual currency as property for federal tax purposes under Notice 2014-21 and Revenue Ruling 2023-14. Every taxable event - sale, exchange, or use of crypto to pay for goods - triggers capital gains or ordinary income recognition. Businesses that fail to implement transaction-level tax reporting face substantial back-tax liability and penalties under 26 U.S.C. § 6721 for information reporting failures.

The Office of the Comptroller of the Currency (OCC) regulates national banks and federal savings associations. Its interpretive letters have confirmed that national banks may custody crypto assets and use public blockchains for payment activities, creating a pathway for bank-integrated crypto services that bypasses some state licensing requirements.

Federal registration with FinCEN does not substitute for state-level money transmitter licences (MTLs). Each US state maintains its own licensing regime, and most require a separate licence for any business that transmits money - including virtual currency - on behalf of customers. Operating without the required state licence is a criminal offence in most jurisdictions, not merely a civil infraction.

The practical burden is significant. A crypto exchange or wallet provider seeking to serve customers across all 50 states must obtain up to 54 separate licences (50 states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands). Each application requires a surety bond, minimum net worth or capital reserves, background checks on principals, and detailed business plan disclosures. Processing times range from 60 days in cooperative states to over 18 months in states with high application backlogs. Fees and bond requirements vary widely, with some states requiring bonds of USD 500,000 or more.

New York';s BitLicense, established under 23 NYCRR Part 200, is the most demanding state-specific crypto licence in the country. It requires a comprehensive application covering cybersecurity policies, AML/KYC programmes, consumer protection measures, and capital adequacy. The New York Department of Financial Services (NYDFS) has broad supervisory authority over BitLicense holders, including the right to conduct examinations and impose conditions. Many international businesses choose to exclude New York residents from their services rather than bear the cost and complexity of BitLicense compliance - a decision that carries its own commercial cost given New York';s market size.

Wyoming has taken the opposite approach, enacting a Special Purpose Depository Institution (SPDI) charter under Wyo. Stat. § 13-12-101 et seq. An SPDI can hold digital assets in custody and provide related financial services without being subject to fractional reserve requirements. Wyoming also enacted the Digital Asset Property Law, clarifying property rights in digital assets under Wyo. Stat. § 34-29-101 et seq. These statutes have made Wyoming a preferred domicile for crypto-native financial institutions.

California, Texas, and Florida each have their own money transmission laws that apply to virtual currency. California';s Money Transmission Act (Cal. Fin. Code § 2000 et seq.) was amended to explicitly cover virtual currency. Texas treats virtual currency exchange as money transmission under Tex. Fin. Code § 151.301 et seq. Florida';s Money Transmitters'; Code (Fla. Stat. § 560.101 et seq.) has been applied to crypto businesses through enforcement actions and regulatory guidance.

A non-obvious risk for international businesses is the concept of "doing business" in a state. A company incorporated offshore with no physical presence in the US may still be required to obtain a state MTL if it serves residents of that state. Regulators have taken enforcement action against foreign entities on this basis, treating the location of the customer, not the company, as the trigger for licensing jurisdiction.

To receive a checklist of state money transmitter licensing requirements for crypto businesses in the USA, send a request to info@vlolawfirm.com

Whether a digital token is a security is the single most consequential legal question a crypto project faces in the United States. The answer determines whether the project must register with the SEC, whether its token sales are lawful, and whether its exchange listings expose the platform to liability as an unregistered securities exchange.

The Howey test remains the primary analytical tool. Courts and the SEC apply it to the economic reality of the instrument, not its label. A token marketed as a "utility token" is still a security if purchasers reasonably expect profits from the issuer';s managerial efforts. The SEC has consistently rejected the utility token defence when the token was sold before the underlying platform was functional, when marketing materials emphasised investment returns, or when the issuer retained a significant portion of the supply.

The Reves test, derived from Reves v. Ernst & Young (1990), applies to instruments structured as notes or debt. Under Reves, a note is presumed to be a security unless it falls within a recognised exception. Some crypto lending and yield products have been analysed under Reves rather than Howey, with significant consequences for the issuer';s registration obligations.

Regulation D (17 C.F.R. § 230.501 et seq.) provides the most commonly used exemption from SEC registration for token sales. Under Rule 506(b), an issuer may sell securities to up to 35 non-accredited investors and an unlimited number of accredited investors without SEC registration, provided no general solicitation occurs. Under Rule 506(c), general solicitation is permitted but all purchasers must be verified accredited investors. Both exemptions require filing a Form D with the SEC within 15 days of the first sale.

Regulation A+ (17 C.F.R. § 230.251 et seq.) allows issuers to raise up to USD 75 million in a 12-month period from both accredited and non-accredited investors, subject to SEC review of an offering circular. The process is more burdensome than Regulation D but opens the investment to retail participants. Several crypto projects have used Regulation A+ successfully, though the SEC';s review process can take six months or longer.

Regulation S (17 C.F.R. § 230.901 et seq.) exempts offers and sales made outside the United States to non-US persons. International projects often structure their token sales to rely on Regulation S for offshore sales and Regulation D for any US-person participation. A critical compliance requirement is ensuring that Regulation S tokens are not resold into the US market during the applicable restricted period, which ranges from six months to one year depending on the issuer';s reporting status.

In practice, it is important to consider that the SEC has brought enforcement actions against projects that believed their offshore structure insulated them from US jurisdiction. The agency has asserted jurisdiction wherever US persons purchased tokens, regardless of where the issuer was incorporated or where the sale nominally occurred.

Anti-money laundering compliance is not optional for any crypto business with US nexus. The Bank Secrecy Act imposes a mandatory AML programme requirement on all registered MSBs, including crypto exchanges, wallet providers, and peer-to-peer platforms that qualify as money transmitters.

A compliant AML programme under 31 C.F.R. § 1022.210 must include four core elements: written internal policies and procedures, designation of a compliance officer, ongoing employee training, and independent testing of the programme. FinCEN has made clear through enforcement actions that a nominal AML policy that is not actually implemented satisfies none of these requirements.

The Customer Identification Programme (CIP) requirement, derived from 31 U.S.C. § 5318(l), obligates MSBs to collect and verify the identity of customers before opening accounts or processing transactions above applicable thresholds. For crypto businesses, this means collecting legal name, date of birth, address, and an identification number, and verifying this information through documentary or non-documentary means. Beneficial ownership rules under 31 C.F.R. § 1010.230 extend CIP obligations to legal entity customers, requiring identification of natural persons who own 25% or more of the entity and a single control person.

Suspicious Activity Reports (SARs) must be filed with FinCEN within 30 days of detecting a suspicious transaction involving USD 2,000 or more. The 30-day period extends to 60 days if no suspect can be identified. SARs are confidential - the business is prohibited from disclosing to the subject of the report that a SAR has been filed. Currency Transaction Reports (CTRs) are required for cash transactions exceeding USD 10,000 in a single day.

The Travel Rule, codified at 31 C.F.R. § 1010.410(f), requires money transmitters to pass certain information about the originator and beneficiary of a funds transfer to the next financial institution in the chain when the transfer equals or exceeds USD 3,000. FinCEN has confirmed that the Travel Rule applies to virtual currency transfers. Compliance requires technical infrastructure to collect, transmit, and receive counterparty information - a requirement that many smaller crypto businesses have struggled to implement.

A common mistake is assuming that decentralised protocols are exempt from AML obligations. FinCEN';s guidance has indicated that developers who maintain control over a protocol or who profit from its operation may qualify as money transmitters regardless of the protocol';s technical architecture. This is an area of active regulatory development, and the risk of retroactive enforcement is real.

Many underappreciate the record-keeping obligations that accompany AML compliance. MSBs must retain transaction records for five years under 31 C.F.R. § 1010.430, including records of each transaction, customer identification documents, and SAR filings. FinCEN examinations routinely focus on record-keeping gaps as evidence of systemic compliance failures.

To receive a checklist of AML/KYC compliance requirements for crypto businesses operating in the USA, send a request to info@vlolawfirm.com

Understanding the regulatory framework in the abstract is necessary but not sufficient. The following scenarios illustrate how compliance obligations and enforcement risks materialise for different types of crypto businesses operating in or into the US market.

Scenario one: offshore exchange serving US retail customers

A crypto spot exchange incorporated in a non-US jurisdiction begins accepting US retail customers without obtaining state MTLs or registering with FinCEN. The exchange lists tokens that the SEC would classify as securities. Within 18 months, the exchange receives a FinCEN civil money penalty for operating as an unregistered MSB, a CFTC subpoena related to leveraged trading products offered to US persons, and an SEC Wells notice regarding unregistered securities offerings. The cost of resolving these three parallel enforcement actions - including legal fees, penalties, and remediation costs - substantially exceeds the revenue generated from US customers during the period of non-compliance. The lesson: US market entry requires a pre-launch regulatory analysis covering all applicable federal and state obligations, not a post-launch remediation plan.

Scenario two: DeFi protocol with US developer team

A decentralised finance protocol is developed by a team based in the United States. The protocol facilitates peer-to-peer lending and yield generation. The developers argue that the protocol is fully decentralised and therefore not subject to US regulation. FinCEN';s published guidance and subsequent enforcement actions suggest that developers who retain administrative keys, collect fees, or exercise ongoing control over a protocol may be treated as money transmitters. The SEC has separately indicated that governance tokens issued by such protocols may be securities. The risk of inaction here is not theoretical - enforcement actions in this space have resulted in disgorgement orders and injunctions that effectively shut down the protocol';s US operations. Developers in this position should obtain a legal opinion on their specific control structure before launch, not after.

Scenario three: institutional asset manager adding crypto to a fund

A registered investment adviser (RIA) managing a traditional securities fund seeks to add Bitcoin and Ether exposure for institutional clients. The RIA must analyse whether the addition of crypto assets changes its obligations under the Investment Advisers Act of 1940, 15 U.S.C. § 80b-1 et seq., and the Investment Company Act of 1940, 15 U.S.C. § 80a-1 et seq. Custody of crypto assets by the fund raises specific questions under SEC custody rules (17 C.F.R. § 275.206(4)-2), which require assets to be held by a "qualified custodian." The OCC';s interpretive letters confirming that national banks may custody crypto assets have created a pathway, but the practical implementation requires careful structuring of custodial arrangements. An RIA that fails to address custody compliance before adding crypto exposure faces examination findings and potential enforcement action by the SEC';s Division of Examinations.

US crypto enforcement has intensified across all major agencies. The DOJ, SEC, CFTC, and FinCEN have each expanded dedicated crypto enforcement units, and inter-agency coordination has become standard practice in major investigations. International operators who believe geographic distance provides protection are consistently proven wrong - US agencies have demonstrated willingness and ability to pursue enforcement against foreign entities through asset freezes, extradition requests, and cooperation with foreign regulators.

The loss caused by incorrect strategy in this environment is not limited to direct penalties. Secondary consequences include banking relationship termination, investor withdrawal, and reputational damage in other jurisdictions where US enforcement actions are treated as disqualifying events. A single enforcement action can trigger a cascade of consequences that takes years to resolve.

Strategic risk management for international crypto businesses with US exposure requires several concurrent actions. First, a jurisdictional analysis must determine whether the business has US nexus based on customer location, developer location, server location, and marketing activities. Second, a product-by-product regulatory classification must be completed for each token, product, and service offered. Third, a licensing roadmap must identify which federal registrations and state licences are required before US operations commence. Fourth, an AML compliance programme must be designed, documented, and tested before the first US customer transaction is processed.

The cost of building this compliance infrastructure is real but manageable. Legal fees for a comprehensive US regulatory analysis typically start from the low tens of thousands of USD. State licensing costs, including application fees, surety bonds, and legal support, can reach the mid-hundreds of thousands of USD for a full 50-state programme. These costs must be weighed against the revenue opportunity and the enforcement risk of proceeding without compliance - a risk that has materialised in penalties measured in the hundreds of millions of USD for major operators.

A non-obvious risk is the personal liability exposure of founders, directors, and compliance officers. US regulators have pursued individual liability in crypto enforcement actions, including against individuals who were not US residents or citizens. The BSA imposes civil money penalties on individuals who wilfully violate its requirements, and the SEC and CFTC have sought disgorgement and bars from the industry against individual respondents. Founders who structure their businesses to distance themselves from day-to-day operations as a liability shield have found that regulators look through corporate structures to identify the individuals who exercised actual control.

We can help build a strategy for US market entry that addresses federal and state licensing requirements, AML compliance, and securities law obligations. Contact info@vlolawfirm.com to discuss your specific situation.

What is the most immediate legal risk for a crypto business that starts serving US customers without a compliance review?

The most immediate risk is operating as an unregistered money services business under the Bank Secrecy Act, which exposes the business to FinCEN civil money penalties and potential criminal referral to the Department of Justice. Simultaneously, if any tokens offered qualify as securities, the business faces SEC enforcement for unregistered securities offerings. These two risks can materialise concurrently and are handled by different agencies with different enforcement timelines, meaning a business can face parallel proceedings with no coordinated resolution pathway. The practical consequence is that legal costs and management distraction compound rapidly, often before the business has generated sufficient US revenue to justify the exposure. Acting before US customers are onboarded - not after - is the only reliable risk mitigation.

How long does it take and what does it cost to obtain the necessary licences to operate a crypto exchange legally across the United States?

A realistic timeline for obtaining a full multi-state money transmitter licence programme ranges from 18 to 36 months, depending on the states targeted and the completeness of the initial applications. New York';s BitLicense alone can take 12 to 24 months from application to approval. Legal fees for the licensing process typically start from the low tens of thousands of USD per state for straightforward applications, with more complex states requiring significantly higher investment. Surety bond requirements add to the capital burden, with some states requiring bonds of USD 500,000 or more. Many businesses adopt a phased approach, launching in states with faster processing times and lower requirements first, then expanding as additional licences are obtained. This phased strategy requires careful geofencing to ensure customers in unlicensed states cannot access the service.

When should a crypto project choose Regulation D over Regulation A+ for a token sale, and what are the practical trade-offs?

Regulation D is appropriate when the project';s investor base consists entirely or primarily of accredited investors and the project does not need to market broadly to retail participants. It is faster to implement - no SEC review is required, only a Form D filing within 15 days of the first sale - and the ongoing disclosure burden is lower. Regulation A+ is appropriate when the project needs retail investor participation and is willing to invest in the SEC review process, which involves preparing and submitting an offering circular and responding to SEC comments over a period that typically ranges from four to eight months. The trade-off is straightforward: Regulation D offers speed and lower compliance cost but limits the investor pool; Regulation A+ opens the investment to retail participants but requires substantially more time and legal investment upfront. Projects that launch under Regulation D and later seek retail participation must either conduct a separate Regulation A+ offering or pursue a full SEC registration, both of which involve additional cost and delay.

Crypto and blockchain regulation in the United States is a multi-agency, multi-jurisdictional compliance challenge that rewards careful pre-launch planning and penalises reactive remediation. The regulatory architecture spans FinCEN, the SEC, the CFTC, the IRS, the OCC, and 50-plus state regulators, each with distinct authority and enforcement priorities. Businesses that treat US compliance as a secondary concern consistently face enforcement outcomes that dwarf the cost of proactive legal structuring.

To receive a checklist of the key federal and state compliance steps for crypto and blockchain businesses entering the US market, send a request to info@vlolawfirm.com

Our law firm VLO Law Firms has experience supporting clients in the USA on crypto and blockchain regulatory and licensing matters. We can assist with FinCEN registration, state money transmitter licence applications, token classification analysis, securities law exemption structuring, and AML programme design. To receive a consultation, contact: info@vlolawfirm.com