SEC's taxonomy explained: What's a security in crypto and what's not

For years, crypto firms in the US operated under a cloud. Nobody knew which tokens would trigger an SEC lawsuit and which wouldn't. The agency's approach was simple: sue first, clarify later.

That era ended on March 17, 2026.

The SEC finally issued a clear interpretation of how federal securities laws apply to digital assets. The CFTC signed on too — a rare moment of harmony between the two agencies that recently formalized their coordination through a Memorandum of Understanding.

Most cryptocurrencies are not securities. But certain transactions involving them can still fall under securities laws when they function as "investment contracts."

This isn't the CLARITY Act — that would be a permanent, codified taxonomy that Congress can lock in. But it's the next best thing. And it gives financial institutions something they've been begging for: a reliable map.

TL;DR

• Most crypto assets aren't securities — Bitcoin, Ether, Solana, XRP, and others are now officially "digital commodities" under CFTC oversight.
• NFTs, meme coins, and utility tokens get a pass — Digital collectibles and functional tokens are off the SEC's securities radar, unless they offer fractional ownership or investment-like promises.
• Stablecoins are safe — but yield is the battleground — GENIUS Act stablecoins aren't securities, but issuers can't pay interest. The CLARITY Act fight is all about whether exchanges and DeFi can offer APY on deposits.
• Even non-securities can become investment contracts — The Howey Test still applies. If a token is sold with promises of future profits from others' efforts, it's a security — until those promises are fulfilled or fail.
• The map is finally drawn — SEC and CFTC are aligned. Institutions now have clear categories to build on. But Congress could still rewrite the rules with CLARITY — and the yield battle is far from over.

SEC's new token taxonomy

The SEC broke cryptoassets into clear categories. Here's how they land:

#1 Digital commodities — not securities

Assets whose value comes from supply and demand, not from someone else's effort to generate profits. The SEC explicitly listed Bitcoin (BTC), Ether (ETH), Solana (SOL), Cardano (ADA); Chainlink (LINK); Dogecoin (DOGE), XRP, and a few others as examples.

"A digital commodity does not have intrinsic economic properties or rights, such as generating a passive yield or conveying rights to future income, profits, or assets of a business enterprise or other entity, promisor, or obligor, but may have certain other rights."

XRP, in particular, was at the center of a years-long legal battle. The SEC finally accepted the court ruling that secondary market trading of these assets isn't an unauthorized securities sale.

What does this mean for firms? If you're offering trading, custody, or brokerage for digital commodities, you answer to the CFTC — not the SEC.

#2 Digital collectibles — not securities

NFTs designed to be collected or used — art, trading cards, in-game items, digital objects — are off the SEC's securities radar. The listed examples include CryptoPunks, Chromie Squiggles, Fan Tokens, WIF, and VCOIN.

Like digital commodities, collectibles do not generate a passive yield or convey rights to future income. They do not qualify as “securities” as they do not "represent a digitized form of any such instruments, including an investment contract."

Meme coins fall into the same category.

Like NFTs, meme coins are typically "acquired for artistic, entertainment, social, and cultural purposes, and their value is driven by supply and demand, rather than any essential managerial efforts of others." Most such assets have limited or no functionality — once they become functional, they transition into digital commodities.

The agency had previously hinted NFTs could be securities depending on their features. Now they're operating with a presumption that most aren't — unless they provide a fractional ownership interest.

#3 Digital tools — not securities

Utility tokens that actually do something — membership passes, tickets, credentials, identity badges — get a pass. If a token serves a practical function, it's not automatically a security just because it's on a blockchain.

This applies, among other things, to Ethereum Name Service domain names, and CoinDesk’s ‘Microcosms’ NFT Consensus Ticket. They do not give buyers any rights or interest with respect to any business entities, "just as persons acquiring a museum membership do not expect to realize a profit from the essential managerial efforts of the museum’s operators."

#4 Stablecoins — not securities

Stablecoins defined under the GENIUS Act as "payment stablecoins" are officially not securities. Their issuers are prohibited from paying holders any interest or yield solely for holding or using the assets.

No more enforcement actions against stablecoin issuers on securities grounds — the SEC even confirmed this aligns with a policy interpretation they published last year.

However, assets that do not qualify as "payment stablecoins issued by a permitted payment stablecoin issuer" could meet the definition of “security.”

#5 Digital securities (tokenized securities) — securities

This one's simple. If it's a security in traditional form, putting it on a blockchain doesn't change that. Stocks, bonds, or funds — whether tokenized by issuers or third parties — remain securities.

"A security is a security regardless of whether it is issued, or otherwise represented, offchain or onchain."

Any additional "non-financial benefits to holders" these assets may provide, similar to a digital commodity, digital collectible, or digital tool, do not change that. The SEC issued guidance on this in January, and the principle hasn't shifted.

Investment contract catch

Here's where it gets interesting — and where compliance teams need to pay attention.

Even a "non-security" crypto asset can become subject to securities laws for a defined period of time when it's offered in a way that involves:

• An investment of money
• In a common enterprise
• With promises that someone else will do the essential work
• And purchasers reasonably expect profits from that work

This is still Howey Test territory. But the SEC added practical clarity: the investment contract terminates when the issuer either fulfills or fails to fulfill their obligations. That means projects can plan around a clear endpoint.

What about airdrops, staking, and wrapping?

The SEC also addressed the operational questions that have kept developers up at night:

• Protocol mining — not an offer or sale of a security
• Protocol staking — not an offer or sale of a security
• Wrapping — not an offer or sale of a security
• Airdrops — generally don't involve an "investment of money"

This is massive for platforms and developers. For years, the uncertainty around routine protocol activities scared off innovation. Now there's a baseline: these mechanisms themselves don't trigger securities violations.

That said, facts and circumstances still matter. If an airdrop is tied to fundraising or marketing promotions, the analysis changes.

Implications for financial institutions

For banks, brokerages, and asset managers, this interpretation removes a major barrier.

• Product risk assessment just got easier. Firms evaluating crypto custody, trading, or brokerage can now map offerings to clear categories. Digital commodities go through the CFTC lens. Tokenized securities follow traditional securities rules. Stablecoins have a defined path under GENIUS.
• Governance requirements still apply. Clarity doesn't mean carte blanche. Institutions still need robust due diligence, disclosures, and compliance change management. But at least they know what they're due-diligencing against.
• The SEC-CFTC handshake matters. Both agencies signed off on this interpretation. That means firms can operate with confidence that they won't get whipsawed by conflicting agency views. Even without CLARITY Act passage, the regulatory map is coherent.

Not quite CLARITY, but close

This interpretation isn't a statute or a formal rule. It says it “does not supersede or replace the Howey test,” and the Commission may “refine, revise, or expand upon the interpretation.” So the taxonomy isn't permanent — but Congress could still pass the CLARITY Act and lock in these definitions for good.

CLARITY Act has its own landmines

While the SEC's interpretation brought welcome clarity, the latest draft of the CLARITY Act has raised fresh alarms — particularly around stablecoins and yield. The core fight is simple but massive: can crypto exchanges and DeFi protocols legally offer yield on stablecoin deposits, or does that revenue stream get walled off permanently?

Banks argue that offering APY on reserves is effectively taking deposits — without FDIC insurance or capital requirements. Crypto firms counter that they're simply passing through rewards on fully backed assets, not fractional reserve lending.

If the bill tilts toward the banking lobby, the potential consequences are stark: issuers get forced into zero-yield assets, liquidity incentives dry up for US users, and crypto-native platforms lose their main competitive advantage against bank-led initiatives already moving to capture market share.

Yet with the legislative timeline uncertain — slipping into 2027 or beyond — the SEC gave the industry something it desperately needed: clarity, now.

The enforcement-led approach of previous years is gone. In its place is a leadership team focused on providing guardrails that enable innovation rather than chasing it with lawsuits. For crypto firms and financial institutions alike, the cloud has lifted, and the map is drawn.