Washington Finally Wrote Down What Counts as a Security. Most Tokens Aren't One.
For seven years the entire crypto industry argued about a single question, and the answer was always a shrug dressed up as enforcement. Is this token a security? In 2026 the U.S. government finally wrote the answer down. On March 17, the SEC and the CFTC issued a joint interpretation that sorts crypto assets into named categories and says, in plain regulatory English, which ones fall outside the securities laws entirely. That is a bigger deal than any price candle this year.
The short version: four kinds of token are not securities. Digital commodities, digital collectibles, digital tools, and payment stablecoins issued under the GENIUS Act all sit outside the SEC's reach as a default matter. What remains a security is narrow — digital securities, meaning traditional instruments that someone has simply tokenized. A share of stock wrapped on-chain is still a share of stock. A governance token for a live network, by this reading, usually is not.
A definition is a weapon, and both sides know it
To understand why this matters, remember what the absence of a definition did. For most of the last decade, builders operated under a doctrine of "we'll tell you it was illegal afterward." Projects launched, grew, and then discovered through a Wells notice whether their token had been a security all along. The vagueness was the enforcement strategy. It let regulators reach almost anything without committing to a rule anyone could plan around.
The CFTC's companion release and the SEC interpretation kill that ambiguity in a specific way. They give the categories names, and names have edges. A digital tool — a token that pays for compute, storage, or access to a protocol — is described as functional, not investment. A digital collectible is treated like the thing it resembles rather than a financial contract. The interpretation even reaches into the parts that used to trigger panic: airdrops, protocol staking, protocol mining, and the wrapping of a non-security asset each get direct treatment.
This is the difference between a speed limit and a cop who pulls you over when he feels like it. You can disagree with 65 miles per hour. You can at least drive.
The catch hiding inside the clarity
Here is the part the celebratory threads skip. The same interpretation that frees four categories also describes how a non-security crypto asset can become subject to an investment contract — and how it can shed that status later. In other words, the token itself is rarely the security. The deal around it might be.
Sell a "digital tool" through a fundraising arrangement that promises returns from your efforts, and you have reassembled an investment contract on top of a non-security asset. The token is innocent; the offering is not. That distinction is subtle, and it is exactly where the next five years of enforcement will live. Clarity did not abolish the Howey test. It relocated it from the asset to the arrangement.
So the practical question for a founder shifts. It is no longer "will my token be deemed a security?" It is "is the way I am distributing it an investment contract?" Those are different problems with different fixes, and most teams are not yet built to tell them apart.
What this does to token launches
Launch mechanics are about to get re-examined under a microscope that finally has a focus. If the dangerous thing is the offering structure rather than the token, then how a project handles vesting, lockups, insider allocations, and the promises it makes to early buyers becomes the legal core of the whole exercise.
That favors discipline over theater. A launch that locks team and liquidity tokens transparently, vests on a public schedule, and avoids return-promising language is a far cleaner artifact under the new reading than a "fair launch" that quietly routes most supply to insiders. Tools that enforce these constraints on-chain — time-locked liquidity through services like Team Finance, structured sales through a launchpad that standardizes vesting — stop being nice-to-haves. They become the paper trail that says the offering was not a disguised security.
The "sufficient decentralization" ghost is still in the room
The interpretation leans on the idea that a token tied to a functioning, sufficiently decentralized network behaves differently from one tied to a small team's promises. That concept has haunted crypto since 2018, when an SEC official first floated it about Ethereum. It was never written into law. Now it has been given more shape, but it remains a spectrum, not a switch.
Founders will be tempted to treat "decentralized enough" as a box to check at launch. It is not. A network can look centralized on day one and earn its way out, or look decentralized and quietly re-concentrate as a foundation accumulates influence. Regulators reserved the right to look at substance over labels, which means the decentralization story has to stay true after the press release, not just during it.
The states and the rest of the world did not wait
Federal clarity does not mean a single rulebook. New York's DFS proposed its own stablecoin framework on June 9, designed to sit alongside the GENIUS Act rather than defer to it entirely. Europe's MiCA regime is fully live, with payment caps on non-euro stablecoins that have nothing to do with how Washington classifies a governance token. A project that is "not a security" in the U.S. can still be a regulated payment instrument in Paris and an unlicensed offering in Singapore.
The interpretation is a floor, not a ceiling. It tells you what the federal securities laws do and do not cover. It says nothing about money transmission, commodities fraud, sanctions, or the patchwork of state rules that still apply on top. The Treasury's recent move to sanction the Iranian exchange Nobitex is a reminder that classification clarity and enforcement appetite are separate things. You can know exactly what your token is and still be on the wrong side of a sanctions case.
Why the boring outcome is the bullish one
Crypto spent years wanting to be treated as something genuinely new, exempt from old categories. It got the opposite. It got categorized. And categorization, however unromantic, is what lets serious capital show up. Funds that could not touch an asset of unknown legal status can hold a "digital commodity" with a defined regulatory home. Builders who could not get a bank account can point to a rulebook.
The romance of the lawless frontier is what attracted the first wave and burned a good share of it. The second wave wants to know the rules before it commits a balance sheet. This interpretation, with all its hedges and ghosts, is the closest thing to a map the United States has produced. The teams that read it as permission to stop worrying will get the next enforcement surprise. The teams that read it as a precise description of where the lines now run will build the projects that are still standing when the rules harden into statute.
The question was never really whether a token is a security. It was whether anyone in power would say so out loud, on the record, in a way you could plan around. Now someone has. What gets built on top of that sentence is the only part still undecided.