
For the better part of a decade, RIAs advising clients on crypto holdings operated in a jurisdiction built from inference. The SEC’s primary analytical tool was the Howey test, a 1946 framework designed around orange groves, applied case-by-case, enforcement action by enforcement action. Compliance programs had to be built around what the SEC might say rather than what it actually had said.
On March 17, 2026, that changed. The SEC issued a formal interpretation classifying crypto assets into five categories under federal securities law, with the CFTC co-signing to clarify its own jurisdictional reach. For the first time, RIAs have something they can build to: a defined taxonomy that maps specific asset types to specific regulatory obligations.
The practical question isn’t whether this changes things; it does. The question is where your compliance program is now exposed, and what needs updating before your next exam.
The Five Categories and What They Mean
The SEC classified crypto assets based on their characteristics, uses, and functions, producing five distinct categories: digital commodities, digital collectibles, digital tools, stablecoins, and digital securities. Four of the five are not securities under federal law. One is.
That’s the headline most people took from the release. But the compliance implications vary significantly across each category, and treating “not a security” as “not a compliance problem” is where programs are going to get firms into trouble.
Digital commodities are crypto assets whose value derives from the programmatic operation of a functional crypto system and supply-demand dynamics, not from the managerial efforts of a development team. Bitcoin is the clearest example. These are not securities. But they do fall under CFTC jurisdiction, which means the SEC-CFTC MOU signed earlier this month now applies directly. RIAs advising on digital commodities are operating under dual-agency visibility, even if only one agency shows up for the exam.
Digital collectibles (NFTs, tokenized artwork, trading cards, in-game items) are also not securities under the interpretation. They are designed to be collected and used, and may represent rights to artwork, music, videos, or digital representations of current events or trends. The compliance issue here isn’t securities law. It’s disclosure. If a client holds digital collectibles through an RIA-managed account, the firm’s portfolio reporting and valuation methodology need to address them explicitly. Most currently don’t.
Digital tools cover crypto assets that serve a practical function: memberships, credentials, access tokens, identity badges. Not securities. The disclosure gap here is similar to collectibles, but the conflict-of-interest dimension is sharper. If an advisor holds a token that provides access to a platform they’re recommending to clients, that’s a material conflict. Few compliance manuals currently have a framework for identifying or disclosing it.
Stablecoins meeting the GENIUS Act definition of payment stablecoins issued by a permitted issuer are not securities. Client holdings in qualifying stablecoins sit outside SEC securities law oversight. That’s a meaningful carve-out, but it doesn’t eliminate the custody question: where those stablecoins are held, and under what custodial framework, remains an open compliance question that the interpretation doesn’t fully resolve.
Digital securities (tokenized equities, tokenized bonds, any financial instrument formatted as a crypto asset) are securities, full stop. These are financial instruments enumerated in the definition of “security” where the record of ownership is maintained in whole or in part on or through a crypto network. Every existing securities obligation applies: disclosure, custody, marketing review, suitability. If a client holds a tokenized Treasury or a tokenized fund share, it carries the same compliance weight as the underlying instrument.
The Investment Contract Wrinkle
The taxonomy covers what a token is. The interpretation also addresses what a token becomes, and that’s the more complex compliance problem for RIAs advising on earlier-stage assets.
A non-security crypto asset becomes subject to an investment contract when an issuer offers it with representations or promises to undertake essential managerial efforts from which a purchaser would reasonably expect to derive profits. In plain terms: a token that’s currently a digital commodity can acquire securities-law obligations if the issuer makes the wrong kind of promises about future development.
The inverse is also true. A non-security crypto asset ceases to be subject to an investment contract when the investment contract terminates, either because the issuer has fulfilled its representations or promises, or because the issuer has failed to satisfy them. Securities obligations can end. That’s new ground. It means that assets sitting in client portfolios under a securities-law assumption may no longer require that treatment, but only if your compliance program has a mechanism to track and evaluate the change.
Most don’t. That’s the gap.
Four Compliance Areas That Need Updating Now
Custody
Custody obligations track the security classification. Digital securities require qualified custodians meeting SEC standards. Digital commodities, collectibles, and tools do not, at least not under the same framework. But the custody question hasn’t gone away: it’s shifted to “what does appropriate custody look like for non-security crypto assets, and how does your compliance manual document that decision?”
Firms that have been applying qualified-custodian standards to all crypto holdings uniformly will need to revisit that approach. Firms that have been applying no custodial standards to non-security assets will need to build a documented framework, even if it doesn’t require a qualified custodian.
Marketing and Testimonials
The Marketing Rule applies to digital securities, and the interpretive question of whether a given token was a security previously made many RIAs either over-apply or under-apply it. The taxonomy gives clearer ground. For digital securities, marketing materials require the same review and documentation as any other securities-related content: written supervisory procedures, documented review, timestamped approval.
For non-security crypto assets, the Marketing Rule’s securities-specific provisions don’t apply in the same way, but the general obligation to avoid misleading client communications does. If a firm’s marketing describes the risk profile of digital commodities or collectibles held in client accounts, that content still needs review. The standard is different, but the need for a documented process isn’t.
Conflict Disclosures
This is the area most compliance programs are least prepared for. The taxonomy creates new conflict-identification obligations that most ADV Part 2 disclosures haven’t contemplated.
An advisor who personally holds a digital commodity recommended to clients now has a clearer obligation to disclose it, and the nature of that holding (commodity vs. security) affects how the disclosure is framed. An advisor who holds a digital tool granting access to a platform or service also has a potential material conflict, one that almost no current disclosure template addresses.
Form ADV Part 2A, Item 10 needs review. If the firm’s advisors hold digital assets of any category, and those assets have any relationship to client recommendations or firm services, that relationship needs to be named.
Portfolio Reporting and Valuation
Four of the five categories are not securities, which means the standard reporting frameworks most RIAs use weren’t designed with them in mind. Digital collectibles in particular raise a valuation problem: there’s no standardized methodology for marking an NFT or a tokenized piece of artwork to market in a client statement.
Compliance manuals need to address how each category is reported, how it’s valued, how frequently valuations are updated, and what the disclosure to clients looks like when the methodology has meaningful uncertainty baked in. The interpretation created the taxonomy. It didn’t create the reporting infrastructure. That’s the firm’s job.
The Protocol Activity Question
The interpretation also resolved, at least for now, three specific activities that have been compliance gray areas.
Protocol mining, protocol staking, and the wrapping of a non-security crypto asset do not involve the offer and sale of a security. If clients are earning staking rewards on digital commodity holdings, those rewards are not securities transactions. Certain airdrops also do not involve an “investment of money” under the Howey test, meaning airdrop receipts don’t automatically trigger securities-law treatment.
The compliance implication: if your current policies treat staking rewards or airdrops as securities transactions requiring the same review and documentation as a securities sale, those policies may need recalibration. The inverse risk, treating them as entirely outside the compliance program, is also wrong. They’re still income events that need to appear somewhere in portfolio reporting and client disclosures.
What This Quarter Requires
The interpretation is dated March 17, 2026. It’s live. Examiners won’t wait for annual review cycles.
Three things need to happen before Q2 closes. First, a classification audit: for every crypto asset held in client accounts, document which of the five categories it falls into, and what compliance obligations follow from that classification. Second, a policy gap review: custody, marketing, conflict disclosures, and portfolio reporting each need to be checked against the taxonomy and updated where the current policy was built on jurisdictional ambiguity that no longer exists. Third, a training touchpoint for any advisor or operations staff who works with client crypto holdings. The taxonomy is new. The team needs to know it.
The interpretation was framed by the SEC as a bridge, something to build on while Congress works toward a broader statutory framework. That framing is accurate. What’s here now is clearer than anything that existed before. But it’s not the last word, and compliance programs built to this interpretation will need to track what comes next.
That’s the work. The firms that do it now will have cleaner exams and more credible disclosures. The ones that treat this as a monitoring item for the annual review are making a bet that no examiner asks the question before they’re ready.
Smartria’s compliance calendar and policy management tools are built to absorb regulatory change without requiring a manual rebuild from scratch. If you’re mapping your crypto holdings to the new taxonomy and need a platform that keeps the audit trail as you work, talk to us about how Smartria handles it.





