The Crypto Exchange Compliance Playbook: SEC, CFTC, and MiCA in One Stack
A unified compliance framework for crypto exchanges navigating SEC, CFTC, and EU MiCA requirements simultaneously — token classification, KYC, AML, and Travel Rule.

March 2026 was the most consequential month for crypto regulation in history. The SEC and CFTC signed a historic MOU ending their jurisdiction war. Sixteen major cryptocurrencies were officially classified as digital commodities. The SEC submitted its Regulation Crypto proposal to the White House. And all of this happened while the EU's MiCA framework was already in force with a hard deadline of July 1, 2026.
For any crypto exchange serving users in both the US and the EU — which is most exchanges of any meaningful scale — the compliance challenge is no longer "which framework applies." It is "how do I satisfy all three simultaneously without tripling my compliance costs."
This playbook provides the unified framework.
The Three-Framework Matrix
Understanding the Overlap
The SEC, CFTC, and MiCA each regulate different aspects of the same activity. A crypto exchange that lists both securities-classified tokens and commodity-classified tokens while serving EU residents must comply with all three frameworks simultaneously.
SEC jurisdiction covers tokens classified as securities (investment contract tokens, security tokens, and any token that meets the Howey test). Requirements include registration as a broker-dealer or alternative trading system, securities-grade KYC and AML, and ongoing reporting.
CFTC jurisdiction covers tokens classified as digital commodities (BTC, ETH, SOL, XRP, and 12 others as of the March 17 interpretive release). Requirements include registration for derivatives trading, commodity-grade onboarding, and position reporting.
MiCA jurisdiction covers all crypto-asset services provided to EU residents, regardless of token classification. Requirements include CASP authorization, EU-grade KYC/AML, Travel Rule compliance, and stablecoin-specific provisions.
The Token Classification Decision Tree
Every token on your exchange must be classified. The March 2026 SEC/CFTC interpretive release provides the taxonomy:
Digital commodities — Tokens whose value derives from the operation of a functional blockchain system and supply-and-demand dynamics, not from expectations of profit. The 16 named tokens (BTC, ETH, SOL, XRP, ADA, LINK, AVAX, DOT, MATIC, ATOM, UNI, AAVE, LTC, BCH, XLM, ALGO) are explicitly classified. Others meeting the criteria are presumed commodities.
Securities — Tokens that meet the Howey test: an investment of money in a common enterprise with an expectation of profit from the efforts of others. ICO tokens, governance tokens with profit-sharing mechanisms, and tokens tied to investment returns remain securities.
Payment stablecoins — Tokens designed as payment instruments, pegged to fiat currency, backed by reserves. Under the GENIUS Act, these are neither securities nor commodities — they are regulated under a dedicated stablecoin framework.
For each token you list, document the classification, the regulatory framework that applies, and the specific KYC/AML obligations triggered by that classification.
KYC Requirements by Framework
SEC Requirements (Securities Tokens)
For tokens classified as securities, KYC obligations align with existing securities law requirements. Customer identification must verify full legal name, date of birth, address, and a government-issued identification number (SSN for US persons). Document verification must use reliable, independent sources. Enhanced due diligence applies to accounts over specified thresholds and to customers in higher-risk categories.
The SEC's Regulation S-P (Privacy of Consumer Financial Information) additionally requires safeguarding customer information, with compliance deadlines in June 2026 for smaller entities.
CFTC Requirements (Commodity Tokens)
For digital commodity trading, KYC requirements are less prescriptive than securities-grade but still mandatory. Customer identification at account opening, risk disclosure, and ongoing suitability assessment apply. The CFTC's approach is evolving rapidly — the "Future-Proof" initiative is reviewing and modernizing existing rules to accommodate digital asset markets.
MiCA Requirements (All EU Activity)
MiCA's KYC requirements are the most comprehensive. All CASPs must verify customer identity using reliable, independent sources before providing any service. Risk-based CDD applies to all customers, with enhanced measures for higher-risk categories. Records must be maintained for at least five years. The upcoming AMLR (July 2027) adds a €1,000 threshold for identity verification of hosted wallet transactions.
“The exchange that builds verification infrastructure capable of satisfying all three frameworks through a single integration has a structural cost advantage over every competitor maintaining parallel compliance stacks.”
The Unified Compliance Stack
Architecture Principles
Building three separate compliance systems — one for SEC, one for CFTC, one for MiCA — is the most expensive possible approach. The unified approach identifies the highest common denominator across all three frameworks and implements to that standard.
In practice, MiCA's KYC requirements are the most stringent. A system that satisfies MiCA also satisfies SEC and CFTC requirements (with minor additions). Build to MiCA standard, add the SEC-specific and CFTC-specific requirements as configuration layers, and operate a single compliance infrastructure.
The Integration Checklist
- Identity verification supporting documents from all EU member states + US + target markets
- Biometric matching with deepfake detection (MiCA requires "reliable and independent" verification)
- Sanctions screening against OFAC SDN, EU sanctions, UN sanctions, and country-specific lists
- PEP screening with ongoing monitoring
- Travel Rule data collection and transmission for transfers above €1,000 (MiCA) and applicable US thresholds
- Transaction monitoring with real-time alerting
- SAR/STR filing capability for both FinCEN (US) and EU member state FIUs
- Record retention for minimum 5 years across all jurisdictions
- Audit logging with tamper-proof storage
Travel Rule Implementation
The FATF Travel Rule requires VASPs to collect and transmit originator and beneficiary information for qualifying transfers. Implementation varies by jurisdiction.
EU (MiCA/TFR): All crypto transfers above €1,000 from hosted wallets require originator name, account number, and address or national ID number. Below €1,000, basic information must still be collected (though verification thresholds are higher). Unhosted wallet transfers require additional risk-based measures.
US: FinCEN's rules apply the $3,000 BSA threshold to certain crypto transfers. The CLARITY Act and GENIUS Act implementing rules (due July 2026) may modify these thresholds.
Interoperability: Your Travel Rule solution must be compatible with counterparty VASPs' systems. Multiple interoperability protocols exist — evaluate based on the counterparties you transact with most frequently.
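The classification tree, the "build to MiCA, add SEC and CFTC as configuration layers" architecture, and the Travel Rule thresholds above can be expressed as one small resolver. The following is an added example written for this playbook, not deepidv's code or any regulator's reference implementation. The token list and the €1,000 and $3,000 thresholds are the figures quoted on this page; the obligation tag names, the `Transfer` record (which assumes the caller has already converted the transfer value to EUR and USD), the two boolean flags that stand in for a documented Howey and stablecoin analysis, and the assumption that the US field set is the same as MiCA's are all constructed for illustration.

```python
"""Layered compliance resolver (added example, not deepidv's code).

Each framework contributes a layer of obligations; the obligations for a
listing or transfer are the union of the layers that apply. Thresholds and
the commodity token list come from the playbook; tag names are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class TokenClass(Enum):
    COMMODITY = "digital_commodity"
    SECURITY = "security"
    PAYMENT_STABLECOIN = "payment_stablecoin"


# The 16 tokens named in the March 17, 2026 interpretive release (from the page).
NAMED_COMMODITIES = frozenset({
    "BTC", "ETH", "SOL", "XRP", "ADA", "LINK", "AVAX", "DOT",
    "MATIC", "ATOM", "UNI", "AAVE", "LTC", "BCH", "XLM", "ALGO",
})


def classify_token(symbol, *, howey_profit_expectation=False,
                   fiat_pegged_reserve_backed=False):
    """Decision tree from the playbook: stablecoin test, explicit commodity
    list, Howey test, then the commodity presumption for everything else.
    The two flags are placeholders for the per-token legal analysis an
    exchange documents (assumption: that analysis is done elsewhere)."""
    if fiat_pegged_reserve_backed:
        return TokenClass.PAYMENT_STABLECOIN
    if symbol.upper() in NAMED_COMMODITIES:
        return TokenClass.COMMODITY
    if howey_profit_expectation:
        return TokenClass.SECURITY
    return TokenClass.COMMODITY  # presumed commodity if the criteria are met


# Base layer: MiCA-grade obligations, the highest common denominator.
MICA_LAYER = frozenset({
    "id_verification_reliable_source", "risk_based_cdd", "pep_screening",
    "sanctions_eu_un", "record_retention_5y", "travel_rule_eur1000",
})
# US configuration layers added on top (constructed tag names).
SEC_LAYER = frozenset({
    "gov_id_number_ssn", "broker_dealer_or_ats_registration",
    "regulation_sp_safeguards", "sanctions_ofac",
})
CFTC_LAYER = frozenset({
    "risk_disclosure", "ongoing_suitability", "position_reporting",
    "sanctions_ofac",
})


def obligations(token_class, *, serves_eu, serves_us):
    """Union of the layers triggered by a token's class and the markets served."""
    layers = set()
    if serves_eu:
        layers |= MICA_LAYER  # MiCA applies regardless of classification
    if serves_us and token_class is TokenClass.SECURITY:
        layers |= SEC_LAYER
    if serves_us and token_class is TokenClass.COMMODITY:
        layers |= CFTC_LAYER
    if serves_us and token_class is TokenClass.PAYMENT_STABLECOIN:
        # The page names the GENIUS Act framework but lists no obligations,
        # so only a marker tag is added here.
        layers.add("genius_act_stablecoin_framework")
    return frozenset(layers)


@dataclass
class Transfer:
    amount_eur: float          # assumption: value pre-converted to EUR by the caller
    amount_usd: float          # assumption: value pre-converted to USD by the caller
    originator_hosted: bool    # True when the sender uses a hosted (custodial) wallet
    originator: dict = field(default_factory=dict)  # collected originator data


def travel_rule_check(t, *, counterparty_in_eu, counterparty_in_us):
    """Return (transmission_required, missing_fields, notes) for one transfer.

    EU: above EUR 1,000 from a hosted wallet -> name, account number, and
    address or national ID (page). Below that, basic data is still collected;
    unhosted senders get risk-based measures. US: the USD 3,000 BSA threshold
    (applied as 'USD 3,000 or more'); field set assumed identical to MiCA's."""
    required, notes = False, []
    if counterparty_in_eu:
        if t.originator_hosted and t.amount_eur > 1000:
            required = True
        elif t.originator_hosted:
            notes.append("below EUR 1,000: collect basic originator information (MiCA/TFR)")
        else:
            notes.append("unhosted wallet: apply additional risk-based measures (MiCA/TFR)")
    if counterparty_in_us and t.amount_usd >= 3000:
        required = True
    missing = []
    if required:
        missing = [f for f in ("name", "account_number") if not t.originator.get(f)]
        if not (t.originator.get("address") or t.originator.get("national_id")):
            missing.append("address_or_national_id")
    return required, missing, notes


if __name__ == "__main__":
    cls = classify_token("SOL")
    print(cls, sorted(obligations(cls, serves_eu=True, serves_us=True)))
    # Constructed sample transfer: hosted sender, EUR 1,500, address not yet collected.
    sample = Transfer(1500.0, 1620.0, True, {"name": "A. Example", "account_number": "ACC-1"})
    print(travel_rule_check(sample, counterparty_in_eu=True, counterparty_in_us=False))
```

The useful property for an operations team is that every decision is a pure function of documented inputs: the classification flags, the markets served, and the transfer record. Logging those inputs alongside the returned obligation set gives the per-token classification record the playbook asks for, and the `missing` list from `travel_rule_check` is what a pre-transmission gate should block on before the transfer is released.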
The July 2026 Deadline Map
| Deadline | What | Who |
|---|---|---|
| Jul 1, 2026 | MiCA CASP authorization required | EU exchanges |
| Jul 1, 2026 | California Digital Financial Assets Law effective | CA-serving exchanges |
| Jul 18, 2026 | GENIUS Act implementing rules due | Stablecoin issuers |
| FY 2027 | Japan FIEA crypto framework implementation | Japan-serving exchanges |
| Jul 2027 | EU AMLR application date | All EU financial entities |
Crypto Exchange Compliance FAQ
- Can a single compliance system satisfy SEC, CFTC, and MiCA?
- Yes. MiCA's requirements are the most comprehensive. Building to MiCA standard and adding SEC/CFTC-specific requirements as configuration layers creates a unified system that satisfies all three frameworks.
- Which tokens are now classified as digital commodities?
- As of March 17, 2026: BTC, ETH, SOL, XRP, ADA, LINK, AVAX, DOT, MATIC, ATOM, UNI, AAVE, LTC, BCH, XLM, and ALGO. This is an interpretive classification, not permanent law — the CLARITY Act must pass to codify it.
- What is the Travel Rule threshold?
- €1,000 under MiCA/TFR for EU transfers. $3,000 under BSA for certain US transfers. Thresholds may change with CLARITY Act and GENIUS Act implementing rules.
- What happens to non-compliant exchanges after July 1, 2026?
- Exchanges without CASP authorization must cease providing services to EU residents. ESMA has been explicit that non-compliant firms will be excluded from EU markets.
- How should exchanges handle tokens that could be reclassified?
- Document every classification decision with supporting analysis. Monitor the CLARITY Act markup — passage would codify the commodity classifications. Maintain the ability to reclassify tokens and adjust compliance requirements if the regulatory framework changes.
What is deepidv?
Not everyone loves compliance — but we do. deepidv is the AI-native verification engine and agentic compliance suite built from scratch. No third-party APIs, no legacy stack. We verify users across 211+ countries in under 150 milliseconds, catch deepfakes that liveness checks miss, and let honest users through while keeping bad actors out.
