The SEC and CFTC have issued the most significant regulatory guidance in U.S. crypto history. Five categories. Sixteen named digital commodities. The Gensler presumption inverted — three of five categories are non-securities by default. The jurisdictional boundary between the two agencies is drawn for the first time.
The market read the classifications correctly. What it hasn't fully processed is what the guidance leaves open.
The taxonomy's most consequential provision isn't the five categories. It's "separation" — the framework under which a token exits investment contract status as its issuer's operational role diminishes and the network decentralizes.
The logic is sound. A token whose value no longer depends on a centralized team's efforts is a different instrument than it was at launch. What the guidance doesn't provide is a mechanism. There is no formal process for issuers to confirm separation has occurred. No registry. No safe harbor. No verification pathway.
That matters beyond securities law. AML requirements and Travel Rule data exchange don't pause during classification transitions. A VASP handling a token mid-separation has no authoritative basis for determining what obligations apply. The guidance resolves the destination. It says nothing about the journey.
Stablecoins receive their own category. The market read this as deregulatory. That reading is technically correct and practically incomplete.
"Not a security" doesn't reduce the compliance burden — it clarifies which regime applies. That regime is FATF-aligned, increasingly focused on unhosted wallet transaction reporting, and carries banking-grade data obligations under the GENIUS Act. The applicable rules are now unambiguous. They are also demanding.
The guidance is designed to unlock institutional adoption. The consequence: more institutions means more VASPs, more counterparty relationships, and a larger Travel Rule surface area across more jurisdictions.
The institutions entering with greater confidence also carry the most demanding internal compliance requirements — audit trails, counterparty verification, controls that exceed what most of the existing VASP ecosystem was built to accommodate. The guidance lowers the barrier to entry. It raises the operational bar.
The SEC answered: what category does this asset belong to? It's the right question to answer first.
But classification is not compliance. Knowing what an asset is doesn't tell you who transacted with it, under what obligations, through which counterparties, with what verifiable record.
Those questions are still open. They're also where the operational weight of this guidance will be felt.
