An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock
()
or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Please find written input submissions to the Crypto Task Force below. The written input is posted without modification. We hope sharing the submissions will help encourage productive dialogue and continued engagement. Please note that the “Key Points” and “Topics” are AI generated. AI can make mistakes, and the Key Points and Topics are not a replacement for you reading the submissions. The Crypto Task Force has not reviewed these AI-generated summaries for accuracy or completeness. If you believe a Key Point or Topic is inaccurate, please email the Crypto Task Force at crypto@sec.gov. The written input provided to the SEC and posted on this page does not necessarily reflect the views of the Crypto Task Force or others in the U.S. Securities and Exchange Commission.
The kit establishes technical controls and standardized evidence artifacts to demonstrate continuous compliance with SEC Customer Protection Rule 15c3-3 and the Custody Rule, enabling verifiable segregation and control of digital assets without reliance on trust.
It provides examiner query packs and failure scenario playbooks, allowing independent regulatory verification of asset segregation, key management, and recovery procedures, including protocols for insolvency, key compromise, and asset return.
The kit translates existing custody requirements into auditable operational procedures but does not create new regulatory obligations, assert legal conclusions, or seek SEC endorsement of specific custody models or technology implementations.
The Pack provides legally substantive templates for technical standard changes, conformance updates, and pilot expansion requests, ensuring that filings address all required regulatory elements, evidence, and governance approvals before submission to the SEC.
It operationalizes a detailed crosswalk mapping pilot evidence artifacts to regulatory recordkeeping and surveillance objectives (e.g., SEC Rule 17a-4, CAT), demonstrating how tokenized securities pilots can meet or exceed existing audit trail, retention, and integrity requirements.
The Pack establishes a legally relevant, tiered model for regulatory access to participant data (aggregate, routine, emergency), with purpose limitation, dual-control approval for sensitive access, and mandatory post-event review, supporting privacy, due process, and proportionality in regulatory oversight.
Implements SEC recordkeeping principles (Rules 17a-3, 17a-4) with mandatory retention periods (7 years for transaction/authentication logs; indefinite for key ceremonies, holds, and incidents) and legal hold overrides to ensure compliance during litigation or investigation.
Aligns with SEC Customer Protection Rule (Rule 15c3-3) and Custody Rule (Rule 206(4)-2) by requiring qualified custodians, segregation of participant assets, and documented beneficial ownership to prevent commingling and ensure fiduciary safeguards.
Establishes tiered supervisory access with dual-control approvals, purpose limitation, immutable logging, and mandatory post-event review to meet due process and oversight requirements under securities laws and privacy frameworks.
Miller Whitehouse-Levine and Patrick Wilson, Solana Policy Institute
The SEC should adopt a technology-neutral framework that distinguishes true intermediaries (those holding funds or controlling execution) from developers of non-custodial, non-discretionary software tools.
Interpretive guidance should confirm that publishing or maintaining non-custodial software (wallets, smart contracts, passive interfaces) does not constitute operating an exchange, clearing agency, or effecting transactions for others.
The definition of “exchange” should exclude non-custodial, non-discretionary software that does not perform marketplace functions, ensuring communication layers and read-only tools remain outside regulatory scope.
SEC should confirm that SEC-registered transfer agents may serve as qualified custodians for tokenized securities, ensuring regulatory oversight and compliance.
Establish guidance allowing tokenization of securities in markets abandoned by traditional infrastructure under existing exemptions when using SEC-registered transfer agent custody with verifiable 1:1 backing.
Clarify that public, permissionless blockchains (e.g., Solana) may be used for tokenized securities when paired with appropriate custody arrangements, without requiring permissioned alternatives.
The SEC should apply existing statutory definitions of “exchange,” “broker,” and “dealer” to DeFi participants and assess compliance under the Securities Exchange Act of 1934.
The SEC lacks authority and policy basis to grant broad exemptive relief from these definitions, as doing so would undermine investor protections and market resiliency measures.
Instead of disapplying the regulatory framework, the SEC should conduct rule-by-rule analysis and address impediments through notice-and-comment rulemaking to preserve investor protections.
Securities Industry and Financial Markets Association (SIFMA)
Activities involving native, wrapped, or entitlement tokens qualify as securities transactions, triggering broker-dealer, exchange, and registration requirements under the Securities Act and Exchange Act.
Issuers of tokenized securities must comply with Securities Act §§ 5, 6, 7, 10, including filing registration statements and delivering prospectuses. Additional disclosures may be needed to address unique tokenization risks.
Sections 12, 13, 15, 17, and 23 of the Securities Act and §§ 9, 10, and 20 of the Exchange Act prohibit manipulative practices and impose liability for material misstatements or omissions, regardless of whether securities are tokenized.
The proposed modernization advocates amending the Custody Rule to allow registered investment advisers (RIAs) to safeguard client crypto assets using non-qualified custodian (non-QC) solutions under a reasonableness standard, ensuring assets remain secure and fiduciary duties are met.
Introducing flexibility to permit both QC and non-QC safeguarding solutions mitigates operational frictions, reduces concentration risk, and aligns custody practices with the unique properties of crypto assets, while maintaining compliance with the Custody Rule’s core tenets.
The model framework leverages multi-signature/multi-party computation (MS/MPC) technology, contractual agreements (MPA), and operational security standards to satisfy policy objectives of segregation, safeguarding, and independent verification without mandatory third-party custody.
SIFMA refuted claims by DeFi Education Fund that it previously supported broad exemptive relief for emerging technologies, clarifying that its advocacy focused on structured regulatory reform through formal rulemaking and statutory authority.
SIFMA opposed the SEC’s 2022 Proposal to redefine “exchange” under Rule 3b-16, citing concerns that the inclusion of undefined terms like “communication protocol systems” would improperly expand regulatory scope to systems operated by broker-dealers and investment advisers.
SIFMA recommended a limited volume exemptive framework under the Exchange Act, tailored to address specific market challenges, rather than blanket exemptions for DeFi platforms.
Zack Tickman, Claude & Friends: Risk Analytics Research Group
Custody, RFI Responses, Safe Harbor, Security Status
Zcash and Aleo rely on zkSNARKs requiring a “trusted setup,” which introduces a permanent trust assumption. If the setup’s entropy (“toxic waste”) is not securely destroyed, it could allow undetectable token counterfeiting, undermining supply integrity.
Zcash’s opt-in privacy model results in most transactions being transparent, enabling deanonymization through statistical analysis. This undermines its claim to privacy-preserving status and exposes users to surveillance risks.
Aleo’s programmable privacy increases protocol complexity, which has led to real-world data leaks (e.g., unencrypted KYC data). This complexity heightens the likelihood of implementation flaws, expanding the attack surface and compromising user privacy.
