The SEC brought 33 digital asset enforcement actions in FY2024 and just 13 in FY2025 (a 60% decline) according to Cornerstone Research, generating $6.05 billion in cumulative penalties across 125 actions from 2021 to 2024 — then saw FY2025 total remedies collapse to $808 million across all enforcement categories according to Harvard Law School analysis. This dramatic enforcement decline under Chairman Paul Atkins coincided with the most significant step toward resolving the jurisdictional question: the March 2026 SEC-CFTC joint token taxonomy guidance, in which the agencies jointly established a formal classification framework and Chairman Atkins stated that most crypto assets should not be considered securities outright. The FIT21 Act and the enacted GENIUS Act for stablecoins further advance the transition from regulation-by-enforcement to purpose-built legislative frameworks. The jurisdictional boundary between the SEC and the CFTC over digital assets remains the single most consequential regulatory question in U.S. digital asset law, directly impacting every security token issuer’s compliance strategy, offering structure, and market infrastructure selection.
Statutory Authority Comparison
| Dimension | SEC | CFTC |
|---|---|---|
| Primary Statute | Securities Act of 1933; Exchange Act of 1934 | Commodity Exchange Act (1936, amended) |
| Jurisdictional Trigger | Asset is a “security” (investment contract, note, etc.) | Asset is a “commodity” |
| Classification Test | Howey test (4-prong) | Broad statutory definition + case law |
| Spot Market Authority | Full registration, disclosure, and enforcement | Limited to fraud and manipulation enforcement |
| Derivatives Authority | Security-based swaps | Futures, options, swaps on commodities |
| Registration Regime | Exchanges, broker-dealers, transfer agents, investment advisers | Designated contract markets, futures commission merchants |
| Enforcement Budget (FY2024) | $2.1 billion | $400 million |
| Digital Asset Cases (FY2024) | 46 | 18 |
SEC Authority: The Securities Framework
The SEC derives its authority from the Securities Act of 1933 and the Securities Exchange Act of 1934. Its jurisdiction extends to “securities” as defined by Section 2(a)(1) of the Securities Act, which lists over 30 instrument types including “investment contracts” — the category into which most digital asset tokens fall under the Howey test.
The SEC’s jurisdictional claim is expansive. Former Chairman Gensler repeatedly stated that “the vast majority” of crypto tokens are securities. Under the current Commission, the Crypto Task Force has adopted a more nuanced approach, but the legal framework remains unchanged: any token that satisfies all four Howey prongs is a security subject to full SEC jurisdiction.
When the SEC asserts jurisdiction, the consequences are comprehensive:
- Primary offerings must be registered under Section 5 or conducted under an exemption (Reg D, Reg A+, Reg S, etc.)
- Secondary trading must occur on registered exchanges or ATS platforms
- Intermediaries must register as broker-dealers
- Issuers face ongoing disclosure obligations
- Transfer agents must register under Section 17A
- Custody must comply with the Customer Protection Rule
CFTC Authority: The Commodities Framework
The CFTC derives its authority from the Commodity Exchange Act (CEA). In 2015, in its order against Coinflip, Inc., the CFTC declared that Bitcoin and other virtual currencies are “commodities” under Section 1a(9) of the CEA — a determination upheld by the Eastern District of New York in CFTC v. McDonnell (2018) and subsequent decisions. The CEA’s commodity definition is intentionally broad, encompassing “all services, rights, and interests in which contracts for future delivery are presently or in the future dealt in.”
The critical distinction is the scope of the CFTC’s authority over commodity spot markets versus derivatives:
Spot Market Authority (Limited). The CFTC does not have comprehensive registration or disclosure authority over spot commodity transactions. It can bring enforcement actions against fraud and manipulation in spot commodity markets (under CEA Sections 6(c)(1) and 9(a)(2)), but it cannot require registration, mandate disclosures, or impose ongoing reporting obligations on spot market participants.
Derivatives Authority (Comprehensive). When commodities are traded as futures, options, or swaps, the CFTC has full regulatory authority — exchange registration, intermediary oversight (futures commission merchants, introducing brokers, commodity pool operators), customer protection requirements, position limits, and reporting.
This asymmetry means the CFTC can pursue enforcement against crypto fraud in spot markets but cannot create a comprehensive regulatory framework for spot trading — a gap that the FIT21 Act seeks to address.
The Jurisdictional Overlap
The Classification Problem
The fundamental conflict arises because the SEC’s Howey-based classification and the CFTC’s commodity-based classification are not mutually exclusive. A digital asset can potentially be both a security and a commodity depending on the analytical framework applied, the context of the transaction, and the stage of the asset’s lifecycle.
Three scenarios illustrate the overlap:
Scenario 1: Clear SEC jurisdiction. A startup issues tokens to fund development. Investors pay capital (prong 1), funds are pooled (prong 2), investors expect price appreciation (prong 3), and the development team drives value (prong 4). All four Howey prongs are satisfied. The token is a security. SEC jurisdiction applies. This is the fact pattern in most ICO enforcement cases.
Scenario 2: Clear CFTC jurisdiction. Bitcoin is traded on spot exchanges. No issuer exists, no common enterprise is identifiable in the traditional sense, and no “efforts of others” drive value expectations (the network is sufficiently decentralized). Bitcoin is a commodity, not a security. CFTC anti-fraud authority applies, but no comprehensive spot market regulation exists.
Scenario 3: The overlap zone. A token launched through a securities offering (satisfying Howey at issuance) subsequently achieves sufficient decentralization such that secondary market transactions no longer satisfy the “efforts of others” prong. Is it a security, a commodity, or both? The Ripple ruling suggested this transition is possible; the Terraform Labs jury rejected the bifurcated analysis. This unresolved question affects the vast majority of digital assets.
The Ripple Precedent
Judge Torres’s 2023 ruling in SEC v. Ripple Labs created a framework that implicitly addresses the SEC-CFTC boundary. By finding that programmatic XRP sales on exchanges did not satisfy the Howey test (because purchasers did not know they were buying from Ripple), the ruling suggests that tokens can transition from SEC jurisdiction to a non-security classification — potentially falling into the CFTC’s commodity jurisdiction — based on the manner and context of sale.
The SEC appealed key aspects of this ruling to the Second Circuit, and the outcome will significantly impact the jurisdictional boundary. If the programmatic sales holding is reversed, the SEC’s jurisdictional claim expands dramatically. If affirmed, it creates a judicial pathway for tokens to “graduate” from SEC oversight.
The FIT21 Legislative Framework
The Financial Innovation and Technology for the 21st Century Act (FIT21), passed by the House of Representatives in May 2024 with bipartisan support (279-136), proposes the most comprehensive legislative solution to the jurisdictional divide:
Key Provisions
Dual Classification System. FIT21 creates two categories of digital assets:
- Restricted Digital Assets — tokens that satisfy the investment contract test, subject to SEC jurisdiction and registration requirements.
- Digital Commodities — tokens associated with blockchain systems that have achieved “decentralization,” subject to CFTC jurisdiction.
Decentralization Certification. A token issuer can apply for “decentralization certification” from the CFTC, demonstrating that no person or group of affiliated persons controls 20% or more of the tokens or voting power, and that the blockchain system is “functional.” Upon certification, the asset transitions from SEC to CFTC jurisdiction.
Transition Period. During the 12-month transition from restricted digital asset to digital commodity, the token is subject to SEC requirements but can be traded on CFTC-registered platforms.
SEC Registration Exemption. While classified as a restricted digital asset, the token can be offered under a new FIT21-specific exemption with disclosure requirements tailored to digital assets, supplementing existing Reg D and Reg A+ frameworks.
Senate Status and Prospects
The Senate companion bill faces significant negotiation. Key areas of contention include the definition of “decentralization” (critics argue the 20% threshold is too easily gamed), the scope of CFTC spot market authority, and the treatment of DeFi protocols that may not have identifiable issuers. The SEC’s Crypto Task Force has engaged with Congressional staff on technical aspects of the legislation.
Practical Impact on Security Token Issuers
Compliance Strategy Under Dual Jurisdiction
For security token issuers operating today, the practical approach is to assume SEC jurisdiction for primary offerings. The reasoning is straightforward: if a token is designed as a security (equity, debt, fund interest), Howey analysis will almost certainly confirm securities status, and the offering exemption framework provides well-established compliance pathways.
Specifically, issuers should:
- Conduct thorough Howey analysis using the SEC’s 2019 Framework to confirm securities classification and identify the appropriate exemption.
- Structure the offering under Reg D 506(c), Reg A+, or Reg S based on investor access and liquidity preferences.
- Use registered market infrastructure — ATS platforms, broker-dealers, and transfer agents — for secondary trading.
- Monitor legislative developments that could shift jurisdiction to the CFTC for sufficiently decentralized tokens.
- Consider CFTC implications if the token could be traded as a commodity derivative on designated contract markets.
Enforcement Risk From Both Agencies
Both the SEC and CFTC maintain active digital asset enforcement programs. The SEC has initiated over 200 enforcement actions since 2017, while the CFTC has brought approximately 80 actions in the same period. In several cases — including actions against BitMEX and FTX — both agencies brought parallel proceedings against the same defendants.
For security token issuers, the dual-enforcement risk means that compliance with SEC requirements does not necessarily immunize against CFTC claims, particularly if the token or related activities involve commodity elements. The SEC enforcement tracker and enforcement statistics provide ongoing monitoring of enforcement trends.
International Dimension
The SEC-CFTC jurisdictional contest has no parallel in most international markets, where single regulators oversee digital assets. The EU’s MiCA framework, Switzerland’s FINMA classification system, and Singapore’s Payment Services Act each provide unified regulatory frameworks. This regulatory clarity advantage has led some token issuers to choose offshore jurisdictions for initial offerings while maintaining U.S. compliance through Reg S safe harbors. For detailed analysis of the U.S.-EU regulatory comparison, see our US vs. EU comparison.
Case Study: Parallel Enforcement Against FTX and Alameda Research
The FTX collapse in November 2022 provides the most instructive example of dual-agency enforcement in the digital asset space. Both the SEC and CFTC filed civil complaints against FTX, Alameda Research, and their principals — but the agencies targeted different conduct based on their respective jurisdictional mandates.
The SEC’s complaint focused on the offer and sale of securities (specifically, FTT tokens and yield-bearing accounts) to investors without registration or exemption. The SEC alleged that FTT satisfied the Howey test because investors purchased FTT with the expectation that FTX would use its profits to buy back and “burn” tokens, thereby increasing the value of remaining tokens through the efforts of the FTX management team.
The CFTC’s complaint targeted the trading of commodity derivatives and the operation of an unregistered designated contract market. The CFTC asserted jurisdiction over Bitcoin and Ether as commodities and alleged that FTX operated as an unregistered futures commission merchant and designated contract market for commodity derivatives.
The DOJ brought parallel criminal charges, further demonstrating the multi-agency enforcement model that applies to digital asset misconduct. This three-agency approach — SEC civil, CFTC civil, DOJ criminal — has become the standard playbook for major digital asset enforcement matters.
Historical Context: The Turf War Timeline
The SEC-CFTC jurisdictional contest did not emerge overnight. Key milestones include:
- 2015: CFTC declares Bitcoin a commodity in In re Coinflip order.
- 2017: SEC issues the DAO Report, asserting securities jurisdiction over digital assets sold as investment contracts.
- 2018: CFTC launches Bitcoin futures on CME and CBOE; SEC blocks Bitcoin spot ETFs for years.
- 2019: SEC publishes the Framework for Investment Contract Analysis; both agencies claim jurisdiction over Ether’s classification.
- 2020-2023: SEC brings hundreds of enforcement actions; CFTC brings dozens; both target overlapping defendants.
- 2024: House passes FIT21, proposing legislative resolution; Senate negotiation continues.
- 2025: SEC Crypto Task Force signals openness to CFTC role for sufficiently decentralized assets.
The resolution of this jurisdictional contest — whether through legislation, judicial precedent, or inter-agency agreement — will determine the regulatory architecture for the entire U.S. digital asset market. Security token issuers who build compliance infrastructure aligned with SEC requirements today are positioned for any outcome, because even under FIT21, tokens that begin as securities must go through SEC-regulated channels before any potential transition to CFTC oversight.
For authoritative primary sources, see the SEC’s Digital Assets Overview and the CFTC’s Digital Assets Advisory.