Regulating Crypto: How we move forward as an industry from here

Tl;dr: One of the most common questions I get asked by folks in the regulatory governance and policy communities is what exactly regulatory clarity looks like. In this blog, I outline a realistic blueprint to ensure we have regulatory clarity for centralized actors, and a level playing field across exchanges, while preserving the decentralized crypto innovations that will bring enormous benefits to the world.

By Brian Armstrong, December 19, 2022

Coinbase Blog

In the wake of FTX's collapse I thought it would be helpful to give a blueprint for where I think the industry can go, to restore trust and turn the page.

These are fairly simple steps, but they will require us all to move forward together, as companies, policymakers, regulators, and customers. We should pursue early, relatively easy wins in passing new legislation, instead of waiting to get something comprehensive and perfect.

I'll describe much of this from a U.S. lens, but similar steps will be needed from every major financial market around the world, and the rest of the G20.

1. Create regulatory clarity for centralized actors

I've been in hundreds of meetings with policymakers over the past 10 years discussing how we can get regulatory clarity in crypto. While there has been some meaningful progress, my hope is that the collapse of FTX will be the catalyst we need to finally get new legislation passed.

It's best to create regulatory clarity first around centralized actors in crypto (stablecoin issuers, exchanges, and custodians) because this is where we've seen the most risk of consumer harm, and pretty much everyone can agree it should be done. Regulation in traditional finance is organized around ensuring intermediaries operate fairly and properly, and that same principle makes sense for crypto when there are intermediaries. Decentralized arrangements (DAOs, DeFi, etc.), on the other hand, do not involve intermediaries, and have their own, in some ways superior, set of protections, which I'll come back to later in this post.


Regulating stablecoin issuers is a good place to start, because there is broad interest in DC, and we can get some momentum with a quick win. We don't need to do anything fancy or crypto specific here; stablecoins can be regulated under standard financial services laws by using, for instance, a state trust charter or an OCC national trust charter.

You shouldn't have to be a bank to issue stablecoins, unless you want to do fractional reserve lending. Bank regulation is the most stringent because it comes with permission to lend out customer funds. But many stablecoin issuers will be fine being required to hold assets 1-to-1 and only being allowed to invest in high quality assets like treasuries.

So what would a reasonable stablecoin law require of issuers?

  • Register as a state trust or OCC national trust charter

  • You can also be a bank if you want to do fractional reserve or invest in riskier assets. If not, you can only invest in high quality liquid assets, like US treasury bonds

  • Undergo rigorous annual audits, which provide transparency that customer funds are held in appropriate reserve assets and separate from corporate cash

  • Establish reasonable controls, and board governance

  • Meet basic cybersecurity standards such as SOC compliance

  • Establish a blacklist capability to meet sanctions requirements

Hopefully we can get something like this passed in the first half of next year.

Exchanges and custodians

Once we have stablecoin regulation clarified, a set of rules for centralized exchanges and custodians can help prevent bad activity while preserving innovation. Many of these ideas can, again, be borrowed from traditional financial services, so we don't need to reinvent the wheel.

Here are some potential regulations for centralized exchanges and custodians:

  • Implement robust know-your-customer (KYC) and anti-money laundering (AML) policies and procedures.

  • Establish a federal licensing and registration regime that allows you to get one license and serve an entire country (or passport that license to an entire region like the EU). In places like the U.S., it's fine to preserve the option for states to issue their own licenses as well, but there should be a federal option that allows the US to be a single market.

  • Require strong consumer protection rules, such as disclosure of risks, and transparency around fees and conflicts of interest

  • Create effective minimum standards for safeguarding clients’ assets

  • Prohibit market manipulation, wash trading, and other forms of market misconduct

Commodities and Securities

Perhaps the most complex point that needs clarity is around which crypto assets are commodities and which are securities. The CFTC and SEC have been debating this issue in the U.S. for several years now, but unfortunately they haven't provided any clarity to the market.

At this point, it seems clear that Congress needs to step in and pass legislation. This can be done with an updated version of the Howey test that applies to crypto tokens that may fall under the definition of an investment contract.

A modern day Howey Test for cryptocurrency might look something like this:

  1. Was there an investment of money?

    If the crypto asset issuer hasn't sold the asset for money for the purpose of building a project, it's not a security.

  2. Is the investment in a common enterprise?

    For a crypto asset to be a security, it must be controlled and operated by a centralized organization like a company. If a project has become sufficiently decentralized, it's not a security.

  3. Is there an expectation of profit?

    If the primary purpose of the crypto asset is some other form of utility (voting, governance, incentivizing actions of a community, etc) then it is very unlikely to be considered a security.

  4. Are the profits to be derived primarily from the efforts of others?

    If the expectation of profit primarily comes from participants who are unaffiliated with the issuance of the asset, then the project is sufficiently decentralized and would not be considered a security.

It's important to note that all four of these prongs need to be satisfied for the asset to be considered a security. If you just have a few of them, it's not enough. For example, people invest in gold or Picasso paintings with an expectation of profit, but these are not securities because the expectation of profit is not derived from a common enterprise (or the efforts of others).

We also need to establish a legal precedent for what constitutes "sufficiently decentralized". One lawyer (who doesn't represent me or Coinbase) told me they're seeing "5-15% of token supply distributed" emerge as a rough consensus, before asset issuers could begin engaging in secondary sales of their asset. But this is not tested in court yet, and we'll ultimately need to see case law develop.

In the absence of this clarity from the SEC and CFTC, Coinbase has developed its own detailed legal analysis for every asset we've considered whether to list, as we're only able to list commodities today. I'd like to open source this analysis (currently looking into this) to see if it can help a self-regulatory standard emerge, and save other crypto companies the enormous legal cost. We would prefer to have this clarity from the regulators themselves, and when clarity emerges we may need to update our analysis, but until then, we're happy to show our work and see if it helps.

The industry is primarily focused on trading crypto commodities today, but a robust market to register and issue crypto securities should also exist in the U.S., and could be a real improvement over how traditional securities are issued. Under current rules, this would require a Broker Dealer and a separate National Securities Exchange, both of which are authorized by the SEC to trade crypto securities. But the rules aren’t a great fit right now. While the SEC could modify their own rules to make sure customers are truly protected, Congress may need to take action to make it happen.

Congress should also require the CFTC and SEC to clearly publish their categorization of the top 100 crypto assets by market cap within 90 days of the above legislation being enacted, declaring whether each asset is a commodity, security, or "other" (such as a stablecoin). If asset issuers disagree with the analysis, the courts can settle the edge cases, but this would serve as an important labeled data set for the rest of the industry to follow, as, ultimately, millions of crypto assets will be created.

2. Enforce a level playing field

Getting regulatory clarity would be a good first step, but if we don't enforce these rules evenly, both domestically and abroad, we will not have a path forward.

One challenge is that regulators and law enforcement are focused on their domestic markets. Mostly, they don't have an international mandate, or capability to go regulate/investigate companies that are offshore. Where do they send the legal notice if the entity is not registered? What door do they go knock on?

This has created an adverse incentive for crypto companies to serve broad swaths of the world from favorable jurisdictions overseas, while companies who try to follow the rules on-shore are penalized. FTX was a good example of this, being based out of the Bahamas, while serving customers in many countries, including some U.S. citizens, due to weak KYC controls. In my opinion, the FTX.US entity was partially real, but also partially a facade to distract U.S. regulators from their primary business.

It's an open secret in the crypto industry that there are still a handful of questionable actors who are not following rules like those above. And we will continue to see issues in the crypto space until both regulatory clarity emerges and a level playing field is enforced.

What does it mean to enforce a level playing field? It means that if you are a country who is going to publish laws that all cryptocurrency companies need to follow, then you need to enforce them not just domestically but also with companies abroad who are serving your citizens. Don't take that company's word for it. Actually go check if they are targeting your citizens while claiming not to. If you don't have the authority to prevent that activity, then you'll need to work with international law enforcement. Otherwise, you will unintentionally be incentivizing companies to serve your country from offshore. Tens of billions of dollars of wealth have been lost by countries not realizing this over the past few years, and now millions of customers have been harmed with the collapse of FTX.

3. Let innovation happen in decentralized crypto

The above lays out a good set of steps to regulate centralized actors in crypto. But with the decentralized aspects of crypto, we have an opportunity to create even stronger consumer protections.

First, self-custodial wallets allow customers to store their own crypto in a way where they don't have to trust anyone else. Technology improvements, like multi-party computation and social recovery, will make it easy for anyone to safely store their own crypto without needing to trust third parties.

Second, smart contracts, which power DeFi and Web3 apps, are public and open source by default. This means anyone can go audit the code to see if it really does what it claims to do. This is the ultimate form of disclosure. Instead of "don't be evil" (Google's famous company value) we can have "can't be evil", where you can trust the laws of math instead of human beings.

Third, as we get more organizations to be built "on-chain" using DAOs and smart contracts, we'll see the emergence of on-chain accounting. You should be able to see the solvency, financial statements, tax payments, etc for any organization built entirely on-chain, in a totally transparent manner.

This is the future that self-custody, DeFi, and Web3 can offer, but to get here we need to preserve the innovation potential of this technology. Self-custodial wallets should be treated as software companies, not regulated as financial service businesses, because they never take possession of customer funds. Similarly, creating decentralized protocols or hosting a website on IPFS should be equivalent to publishing open source code, which is protected by freedom of speech in the U.S. People may send money through a web browser or over internet protocols, but we don't regulate these as financial service businesses, and the same concept applies here.

The role of financial regulators should be limited to centralized actors in cryptocurrency, where additional transparency and disclosure is needed. In an on-chain world, this transparency is built in by default, and we have an opportunity to create even stronger protections. With the internet, we got better regulation through Uber's star ratings system than we had with taxi medallions. Crypto has the potential to take this idea even further, by encoding trust on-chain in a cryptographically provable way.


With regulatory clarity for centralized actors, a level playing field, and decentralized crypto innovation preserved, crypto can bring enormous benefits to the world. Right now there is too much distraction from bad actors causing harm, and we all need to take responsibility for improving this. I'm optimistic that we can make significant progress on the above in 2023 and get crypto legislation passed. Coinbase will be working hard to help make this happen. Our door remains open, so please get in touch if you're a policymaker who would like to work to make the above happen.

*1 Objectively, KYC and AML programs have largely failed at stopping criminal activity. The United Nations estimates that just 0.2% of illicit funds are seized, and this study estimates that "compliance costs exceed recovered criminal funds more than a hundred times over". These programs also harm customer privacy, result in higher fees for customers, are barriers to startups/innovation, and hurt financial inclusion. Despite these issues, wiping the slate clean on KYC and AML rules doesn't seem to be inside the Overton window of debate, so the most likely path is that KYC and AML rules get applied to centralized crypto exchanges and custodians, while decentralized crypto wallets and protocols represent a frontier for innovation that brings enormous value and protections to consumers.

*2 If we're being honest, the biggest barrier to getting the commodity vs security issue resolved is politics. Some regulators don't want regulatory clarity for crypto, because they are actually trying to curtail the industry. Harsh rhetoric, and regulation by enforcement, without creating clear rules for everyone to follow, has pushed much of the industry outside the U.S., which has resulted in American investors and businesses being harmed.

About Brian Armstrong

Brian Armstrong is the Chief Executive Officer and Co-founder of Coinbase. As CEO, Brian is responsible for Coinbase’s consumer and institutional arms, which offer an entire suite of products that make accessing cryptocurrencies easy and secure, in addition to new products that operate at the frontiers of crypto and blockchain. Before co-founding Coinbase, Brian worked as a Software Engineer at Airbnb. He holds three degrees from Rice University: Bachelor’s of Computer Science, Bachelor’s of Economics, and a Master’s of Computer Science.