The SEC Confirms: The Nature of the Activity Matters

Over the past year, U.S. regulators have taken important steps toward clarifying how tokenized assets fit within existing legal and regulatory frameworks. While these efforts come from different agencies and address different use cases, a consistent theme has emerged: The nature of the asset, not the technology used to represent it, should determine its regulatory treatment. This principle sits at the core of the Avalanche Policy Coalition’s (APC) work on token classification. Encouragingly, recent guidance from the SEC, federal banking agencies, and the CFTC reflects a growing convergence toward this approach. The Guiding Principle for Token Classification At APC, we have consistently emphasized that effective policy and regulation begins with a simple but powerful idea: The nature of the asset matters.  The functions and features of the asset, regardless of how it is represented, are paramount for determining utilization, valuation, risk profile, and legal classification. This is not just a regulatory concept—it reflects how markets, businesses, and individuals already understand and interact with assets in every other context. When we think about how an asset is used, what its value is, or what risks it presents, we naturally focus on the bundle of rights that make up the asset. Tokenized assets should be no different. Our work has highlighted concrete examples that illustrate why classification must follow function and substance, not technology. For example: A tokenized share of stock, whether held through traditional infrastructure or represented on a blockchain, remains an equity security. It reflects ownership in a legal entity and should be regulated as such. A tokenized money market fund, such as those issued by major financial institutions and deployed on blockchain infrastructure, is still a fund product. Its risk profile, investor protections, and regulatory treatment should derive from that underlying reality, rather than from the fact that it settles on-chain. A concert or sporting event ticket represented as an NFT is fundamentally a consumer item, not a financial instrument. Treating it like a security simply because it exists on a blockchain is a category error. A loyalty reward or in-game asset, such as points or digital items used within a platform, functions as part of a closed ecosystem. These are not investments in a business enterprise or part of a company’s capital stack and should not be regulated as such. We discuss these concepts in more detail here, here, and here. This is exactly how markets already operate. The utilization of an asset depends on its nature—a stock conveys ownership rights, a ticket grants access, and a loyalty point provides benefits within a program. The same is true for valuation: investors value equities based on earnings and growth prospects, while collectibles or tickets derive value from scarcity, demand, or utility. When policymakers fail to make these distinctions, the result is overbroad definitions, regulatory confusion, and unintended consequences. When they get it right, the result is a framework that is easier to understand, easier to apply, and better aligned with actual risks. The common thread is simple: Tokenization does not change what an asset is. Recent regulatory developments suggest that U.S. agencies are increasingly adopting this same paradigm. Recent Regulatory Guidance Applies the Nature of the Asset Principle 1. CFTC Guidance on Tokenized Collateral In December 2025, the CFTC issued staff guidance on the use of tokenized assets as collateral in derivatives markets. The guidance addresses how futures commission merchants (FCMs), clearinghouses, and other market participants should evaluate tokenized collateral under existing margin and risk management rules. The CFTC emphasizes that tokenization is simply a technological wrapper: The use of distributed ledger technology does not, by itself, change the fundamental characteristics of an asset. As a result, the key considerations are familiar ones: Does the tokenized asset provide legal and economic rights equivalent to the underlying asset? Is the asset liquid and reliable enough to serve as collateral? Can the collateral be safely held, controlled, and transferred? The guidance encourages firms to focus on assets that are already eligible as collateral in traditional form, such as high-quality government securities, and to evaluate tokenized versions within existing risk frameworks. It also highlights several operational and legal issues that must be addressed, including: Custody and segregation of tokenized collateral Legal enforceability of claims Cybersecurity and access controls Settlement timing and operational resilience Finally, the CFTC notes that standard margin haircuts and risk assessments can be applied, with adjustments only where the tokenized format introduces new or different risks. 2. SEC Guidance on Tokenized Securities In January 2026, the SEC’s Division of Corporation Finance issued a statement addressing how federal securities laws apply to tokenized securities—that is, traditional securities represented using distributed ledger technology. The statement begins by clarifying that tokenization can take multiple forms. In some cases, an issuer may issue a security directly on a blockchain, recording ownership and transfers on-chain. In others, a third party may create a tokenized representation of an existing security, such as a token backed by shares held in custody or a synthetic instrument linked to the value of the underlying asset. Despite these structural differences, the SEC’s core message is clear: Tokenization does not alter the legal nature of the underlying instrument. Whether a security is recorded in a traditional book-entry system or on a blockchain, it remains subject to the same securities-law framework. The analysis turns on the rights conveyed, the structure of the product, and the obligations of the parties involved, not on the technology used to implement it. The statement also highlights important practical considerations, including: The need for clear disclosure around how tokenized products are structured The role of custodians and intermediaries in holding underlying assets The potential differences between issuer-sponsored tokenization and third-party tokenization models In short, the SEC is signaling that tokenization is permissible—but must fit within existing securities-law principles. 3. Federal Banking Agencies’ Capital Treatment of Tokenized Securities In March 2026, the Federal Reserve, OCC, and FDIC jointly issued guidance on how bank capital rules apply to tokenized securities. The guidance is framed as a set of FAQs. It addresses how banks should treat tokenized securities for purposes of: Risk-based capital requirements Market risk capital rules Collateral eligibility The agencies explicitly take a technology-neutral approach. They state that the use of distributed ledger technology to issue or represent a security does not, in itself, change how that asset should be treated under bank capital rules. Instead, the key question is whether the tokenized instrument: Confers legal rights identical (or substantively equivalent) to those of the traditional security, and Exposes the institution to the same underlying risks Where those conditions are met, the agencies conclude that: Tokenized securities should generally receive the same capital treatment as their non-tokenized equivalents They may qualify as financial collateral under existing rules Standard haircuts and risk weights can be applied The guidance also makes clear that banks must still consider: Operational risks, including settlement and custody mechanisms Legal enforceability of tokenized claims Liquidity characteristics of the tokenized asset Importantly, the agencies do not distinguish between permissioned and permissionless blockchains, reinforcing the principle that the focus should be on risk and rights—not infrastructure design. The banking agencies agree with the SEC: tokenization does not alter the legal nature of the underlying instrument. 4. SEC Broker-Dealer Capital Treatment of Stablecoins In February 2026, the SEC’s Division of Trading and Markets updated its FAQs addressing how broker-dealers may treat certain stablecoins under the net capital rule (Rule 15c3-1), specifically in FAQ 5. The guidance focuses on payment stablecoins—stablecoins designed for use as a medium of exchange and backed by high-quality reserves. Under the FAQ, the staff states that it will not object if a broker-dealer: Treats a proprietary position in a qualifying payment stablecoin as having a “ready market,” and Applies a 2% haircut, consistent with certain low-risk, liquid assets However, this treatment is not automatic. It is conditioned on the stablecoin meeting specific criteria, including: Backing by high-quality, liquid reserves Clear and enforceable redemption rights at par Regular public disclosures and independent attestations Alignment, where applicable, with the statutory framework under the GENIUS Act The guidance is intentionally narrow. It does not apply to all stablecoins, and it does not attempt to classify stablecoins more broadly under securities laws. Instead, it addresses a practical issue: how broker-dealers can incorporate certain stablecoins into their operations without facing disproportionate capital charges. At a broader level, the guidance reflects a willingness to integrate blockchain-based payment instruments into existing regulatory frameworks, provided their structure and risk profile support it.  Conclusion: Convergence Around a Workable Framework Taken together, these four regulatory interpretations reveal a clear and consistent direction in U.S. regulatory thinking. First, they reinforce technology neutrality. Blockchain is not the regulatory trigger. Second, they embrace a “same asset, same treatment” approach. Equivalent rights and risks should lead to equivalent regulatory outcomes, regardless of technology used. Third, because the nature of the asset is unchanged, they rely on existing regulatory frameworks rather than creating new regimes. Finally, they focus on real risks—legal, custody, liquidity, and operational—not labels or technological form. These themes closely align with an APC core principle: The nature of the asset matters. By focusing on what an asset is—rather than how it is represented—regulators can promote clarity, support innovation, and ensure that regulation remains targeted and effective. They also avoid reregulation and confusion around how to evaluate an asset. All of this supports robust, competitive markets. APC is pleased to see regulators aligning around this principle. Grounding regulation in the nature of the asset lays the foundation for frameworks that reflect existing law, avoid unnecessary complexity, and are ultimately workable and durable.

A recent European Central Bank working paper looks to analyze decentralization in DeFi protocols from the standpoint of governance.  It finds concentration in governance and that this undermines decentralization.  This claim, however, rests on a conceptual error: it conflates system decentralization with governance concentration. And governance concentration that does not affect transaction finality or asset ownership is not relevant to whether a system is decentralized. The distinction matters and clarifies both the paper’s findings and their implications. At Avalanche Policy Coalition, we have consistently defined decentralization from a technical standpoint. A system or network is decentralized when there is no single source of truth, no single point of failure, and no authority with the ability or responsibility to change data, transactions or balances.  It is a definition focused on finality. It ensures that users can trust what they see regarding ownership of assets and the completion of transactions.  The working paper errs by reframing decentralization as a governance question rather than a matter of network finality.  It compounds this error by trying to answer the question of who to regulate in DeFi by looking at concentration of governance power and participation across major DeFi protocols.  What the paper actually demonstrates is not a failure of decentralization, but the presence of concentrated governance layered on top of decentralized infrastructure. Confusing governance concentration with decentralization risks pushing regulation toward infrastructure rather than actors—undermining the very properties that make these systems trustworthy. Here is a summary of the paper’s empirical findings:  Token ownership is heavily skewed, with the top 100 holders controlling more than 80% of supply across the studied protocols, and the top five holders often control a substantial fraction of that total. Governance systems also rely extensively on delegation, whereby token holders assign voting power to intermediaries. As a result, a relatively small number of delegates exercise a disproportionate share of voting power, in some cases controlling the majority of delegated votes. Delegation thus operates as a structural amplifier of concentration. The paper also notes that concentration of governance power is further compounded by opacity. A substantial share of the most influential participants cannot be linked to identifiable individuals or institutions, making it difficult to determine whether governance power is independent or coordinated, whether incentives are aligned or conflicted, and whether influence is exercised by insiders, intermediaries, or diffuse communities. At the same time, governance processes themselves do little to redistribute power. The paper shows that most proposals concern operational parameters—risk settings, asset listings, and similar adjustments—while very few address governance structure. As a result, the paper concludes, existing distributions of power tend to reproduce themselves over time. The paper then concludes that decentralization is a property of governance. Under this view, a system is decentralized to the extent that decision-making authority is widely distributed, no small group can dominate outcomes, and the relevant actors are identifiable and accountable. If governance power is concentrated, the paper concludes that decentralization is incomplete or illusory.  This definition is viscerally appealing, particularly from a regulatory perspective. Regulators require identifiable points of control, and the paper emphasizes the difficulty of relying on governance token holders, developers, or exchanges as regulatory “anchor points” precisely because of opacity and fragmentation in governance structures.  Yet this definition departs from the more established understanding of decentralization in distributed systems, where the concept refers not to governance dispersion but to system architecture: whether there is a single point of failure, a single source of truth, or a single authority capable of altering data or transactions. On the more technically precise definition of decentralization, the protocols studied in the paper—built on public blockchains—remain decentralized. Framed in these terms, the paper’s findings are best understood as documenting concentrations of governance power, not undercutting decentralization.  The paper does not show that any individual token holder, delegate, or developer can rewrite transaction history, override consensus, or unilaterally alter the state of the ledger. Nor does it show that the voting groups have this power.  It also implicitly recognizes that where governance does not affect asset ownership or transaction finality, regulatory hooks are difficult to establish.  Indeed, as noted above, the proposals on which votes are sought have nothing to do with transaction finality or asset ownership.   At best, the paper can conclude that the infrastructure remains decentralized even if governance becomes concentrated. This distinction suggests a more precise analytical framework. At the infrastructure layer, finality is distributed, consensus is collective, and no single point of failure exists. At the governance layer, ownership can become concentrated, voting power aggregated, and influence unevenly distributed. These are not contradictory observations but complementary ones. DeFi systems can be both decentralized and concentrated, depending on the layer of analysis. Recognizing this layered structure clarifies the nature of the challenges identified in the paper. The difficulty regulators face is not that decentralization has failed, but that concentration exists without clear attribution.  This produces a structural asymmetry.  Governance actors can shape protocol outcomes—adjusting parameters, allocating resources, and influencing development trajectories—but they do so within systems whose core integrity cannot be compromised by that concentration. The result is a hybrid condition in which decentralized infrastructure coexists with concentrated influence over things that do not undercut decentralization. Reframing the issue in terms of concentration rather than decentralization also shifts the focus of regulation. For regulators, the challenge is not identifying a centralized intermediary in the traditional sense (i.e., one that controls transactions or custodies assets), but understanding how concentrated influence operates within systems that lack formal control points on the areas of typical regulation. Addressing these issues will require regulatory approaches that focus on identifiable actors and activities, rather than attempting to impose control at the infrastructure layer where it does not exist. The ECB paper makes a significant contribution by documenting the realities of DeFi governance. But its conceptual framing requires greater precision. Decentralization and concentration are not opposing descriptions of the same phenomenon; they operate at different levels of analysis. The systems studied in the paper are not failed attempts at decentralization. They are decentralized systems with concentrated governance structures. And where those structures do not affect transaction finality or asset ownership, the system remains decentralized. Recognizing this distinction provides a clearer understanding of both the risks and the possibilities inherent in DeFi. To hear more on this and related topics, please listen to this webinar from Global Blockchain Business Council.

Financial regulation has always looked to capture intermediaries, the money transmitters, brokers, exchanges, custodians, and others that move, hold or control assets on behalf of end users. In traditional financial services, that boundary is relatively clear: regulation attaches to those who intermediate transactions, control client assets, or provide financial services. It does not attach to the wider infrastructure that supports those activities. As digital asset ecosystems become more complex, that same boundary is being tested in new ways, making it important to defend the underlying principle. This piece examines how the EU’s implementation of the Travel Rule (via the recast Funds Transfer Regulation or “TFR”) correctly draws that line using the concept of “ancillary infrastructure,” and how a similar distinction appears in the U.S. GENIUS Act. At its core, the analysis is simple but consequential: when does a participant in a crypto system become a regulated intermediary, and when are they merely part of the infrastructure that makes the system work? These two pieces of legislation on both sides of the Atlantic show how policy makers can ensure regulation remains in force for the activities they want to capture, without blurring the distinction between infrastructure providers and financial intermediaries. In the EU: Where the Concept Comes From The EU’s idea of ancillary infrastructure appears in the recitals of the TFR, which guide how the regulation should be interpreted. The regulation explains (emphasis added): Persons that provide only ancillary infrastructure, such as internet network and infrastructure service providers, cloud service providers or software developers, that enable another entity to provide transfer services for crypto-assets, should not fall within the scope of the Regulation unless they perform transfers of crypto-assets. That is the entirety of it. The term is not further defined. There is no formal category or test in the operative provisions of the TFR, just this functional description and a few examples. But that short passage does a lot of good work. A Working Definition Taking the recital’s examples and its express limit together, ancillary infrastructure can be more specifically understood as: Infrastructure that is used by others in connection with crypto-asset transfers, but does not itself effect, execute, or control the transfer of crypto-assets, or provide custody of such assets. This is not a technology-based definition. It is a role-based definition, grounded in the regulatory perimeter. (This is consistent with other EU Regulations in the crypto-space, such as the Markets in Crypto-Assets (MiCA) Regulation.) What matters is not what the system looks like, but what the activity actually is. Two elements define the boundary: 1. Used in Connection with Transfers The infrastructure is part of the ecosystem that enables crypto-asset transfers. It may be essential to the functioning of the system. It may sit directly in the transaction flow. But it operates in a supporting role to the financial transaction, and is used by other entities such as CASPs and end users. 2. No Transfer or Custody Function The infrastructure provider does not: effect or execute transfers, control the movement of crypto-assets, or provide custody or control over those assets. That is the dividing line. Once a provider crosses into movement or control of value, it begins to look like an intermediary. If it does not, it remains infrastructure. What Counts as Ancillary Infrastructure The TFR itself provides only a handful of examples, but they point to a broader and consistent categorization. They are infrastructures that enable the system to function, without themselves engaging in the activities of financial intermediation. Internet Network Providers, such as internet service providers and network connectivity providers. These entities move data, not value. They carry transaction information across networks, but they have no relationship to the underlying assets being transferred or parties making the transfers. Cloud Service Providers, such as infrastructure-as-a-service providers and cloud hosting platforms. These providers supply computing power, storage, and hosting. They make it possible to run nodes, exchanges, and applications, but do not execute transfers, hold assets or interact directly with customers. Software Developers, such as developers of non-custodial wallets, developers of blockchain protocols, and providers of APIs and developer tools. These actors create the tools that others use to interact with crypto-assets. Once deployed, they do not control how those tools are used, nor do they execute or custody transactions. Technical Infrastructure Providers, such as node infrastructure providers, remote node access (RPC) providers, blockchain data indexing services, and validators and miners. These entities maintain and operate the underlying networks. They validate transactions, order and record them according to protocol rules, and ensure the system continues to function. They do not act on behalf of users, determine the purpose of transactions, or take custody of assets. Their role is protocol-level infrastructure and maintenance, not financial intermediation. Data and Analytics Providers, such as blockchain analytics firms, transaction monitoring tools, and risk scoring services. These providers analyze and interpret blockchain data. They support compliance, investigation, and risk management, but they do not initiate, execute, or control transfers. As we see, the concept of ancillary infrastructure covers a lot of different providers and activities, none of which intermediates or has direct responsibility for transfers or custody. This recognition provides a critical distinction between who is and who is not subject to regulation. A Parallel Approach: The GENIUS Act The same boundary appears explicitly in the U.S. GENIUS Act, which introduces the concept of a Digital Asset Service Provider (DASP) and provides exceptions for infrastructure providers. The Act defines DASPs by reference to familiar intermediary activities: exchanging digital assets, transferring them to third parties, acting as custodians, and providing financial services tied to issuance. In other words, DASPs are intermediaries. But the definition goes further by explicitly stating what is not an intermediary. The definition of DASP explicitly excludes: a distributed ledger protocol; developing, operating, or engaging in the business of developing distributed ledger protocols or self-custodial software interfaces; an immutable and self-custodial software interface; developing, operating, or engaging in the business of validating transactions or operating a distributed ledger; or participating in a liquidity pool or other similar mechanism for the provisioning of liquidity for peer-to-peer transactions. This is the same idea as ancillary infrastructure in the TFR, but stated directly in the text (rather than the recitals), and in greater detail. The Same Line, Two Drafting Styles The TFR and the GENIUS Act take different drafting approaches, but they arrive at the same place. The TFR uses a functional exclusion (“ancillary infrastructure”) The GENIUS Act uses explicit statutory carve-outs Both frameworks draw the same distinction: Intermediaries are regulated because they effect or execute transactions, or control or custody assets - activities that are traditionally within the regulatory perimeter. Infrastructure providers are not, because they enable systems rather than effect transactions or custody assets - activities that have never been captured within the regulatory perimeter, although firms using the infrastructure to undertake regulated activities may themselves require regulatory authorization. In both, that principle holds across network providers, software developers, validators and miners, and other technical actors. Conclusion: Why This Distinction Matters This boundary is not just a drafting detail, it continues to apply a foundational principle. Crypto systems are built in layers. Many actors contribute to how transactions are created, transmitted, and recorded. Without a clear distinction, regulation could easily expand to capture the entire stack. The concept of ancillary infrastructure prevents that outcome. It ensures that providing infrastructure, which is neutral and only indirectly involved, is not treated the same as acting as an intermediary in transactions. That principle is now reflected on both sides of the Atlantic. As digital asset markets evolve, it is likely to remain one of the most important lines in crypto regulation. And together these two pieces of legislation show how policy makers can update rulebooks for new technologies without unwittingly regulating the technology itself. We at Avalanche Policy Coalition have discussed this point multiple times over the last year, including in our April and May comment letters to the SEC Crypto Task Force, our response to the Australian Treasury consultation, and this blog post. Preserving the distinction between infrastructure and intermediary is one of our 2026 policy priorities.