The SEC’s Division of Trading and Markets today issued a Staff statement laying out conditions under which providers of crypto wallet interfaces and DeFi frontends can operate without registering as broker-dealers. The statement covers not just crypto-native tokens but also tokenized versions of equities and debt securities, effective immediately. Commissioner Hester Peirce issued a separate statement arguing the law already makes this clear and calling for formal rulemaking to go further.
The scope is notable. Earlier discussions about the SEC’s planned innovation exemption suggested it would be limited to issuer sponsored tokenized securities traded on automated market makers (AMMs), with whitelisting requirements and volume limits. This statement addresses one piece of that puzzle, the interface layer, but its definition of covered securities is broad, encompassing any tokenized equity or debt security. Other requirements such as whitelisting, KYC, and potential volume limits may be imposed at the token issuer level through separate regulatory actions. The statement does not displace those obligations.
The safe harbor is limited to self custodial wallets, where neither the wallet provider nor the interface has custody of or access to the user’s private key. That restriction narrows the immediate reach to crypto-native users but also doesn’t specify that the user has to manage their own keys. It does not rule out use by institutional investors or the buy side, who could self custody with enterprise grade security and potentially bypass traditional broker-dealer intermediaries for their own trading activity.
Enjoying this article? It’s the kind of coverage we produce regularly for Ledger Insights Pro subscribers. This one is ungated. Subscribe to get more like it.
What it means for traditional market structure
The statement could eventually contribute to a two tier market structure. A tokenized equity could trade on a national securities exchange or ATS through a registered broker-dealer under full Regulation NMS obligations. But it could also trade on a permissionless AMM accessed through an unregistered frontend under disclosure only obligations. The regulatory asymmetry would be significant given registered broker-dealers carry best execution, capital, supervisory and investor protection obligations. Interface providers under this statement do not.
For the traditional financial services industry, this represents a significant shift. The broker-dealer community, led by SIFMA, has argued consistently that wallet providers performing broker-like functions should be subject to regulation based on the substance of their activities. As recently as February, SIFMA’s follow up letter to the Crypto Task Force emphasized the “significant functional similarities between traditional broker-dealer services and some wallet provider activities” and urged notice and comment rulemaking rather than exemptions or no-action relief. It followed that up with a comprehensive DeFi paper this month.
Instead, the Staff statement is broader than a no-action letter, was issued without a prior comment period, and is effective today, potentially making this blanket guidance harder to swallow for TradFi.
That said, the Staff faced a genuinely difficult task. Blockchain technology does not map neatly onto existing regulatory categories. An interface that converts a user’s trade parameters into blockchain commands and sends them to an AMM through a self custodial wallet does not look like a traditional broker. The twelve conditions the Staff imposed, covering conflicts of interest, fee neutrality, venue evaluation, and disclosures, represent a serious attempt to replicate key investor protections without forcing full registration. This statement will boost innovation and the use of blockchain in capital markets. It could also attract scammers.
What is excluded and why it matters
The statement explicitly excludes several activities from the safe harbor. Interface providers cannot negotiate transaction terms, make investment recommendations, hold or access user funds, execute or settle transactions, route orders, or arrange for financing.
The routing exclusion creates an immediate gray area. Interfaces that suggest optimal execution paths, as Uniswap’s auto router does, may fall on the safe harbor side if they present the route for user approval and allow alternatives. Aggregator protocols like CowSwap, whose solver network actively finds counterparties and determines execution paths, may fall outside it. The distinction between “preparing” a transaction and “routing” an order will be heavily debated in the comment period.
The financing exclusion is equally significant. Lending protocols such as Aave and Morpho, whose core function is arranging for borrowing and lending, appear to be outside the scope of this statement. Their frontends would need separate regulatory clarity. The Staff has carved out the simplest use case, user initiated spot swaps, and left more complex financial functions for another day.
Protocols are not addressed
A notable gap in the statement is what it does not cover. The safe harbor applies to the interface layer only. The underlying AMM protocols, the smart contracts that actually match liquidity and execute trades, are not addressed.
This means no entity is accountable at the protocol level for trade execution. The frontend provider has disclosure obligations but does not execute trades. The protocol executes trades but is not subject to this framework. The user is self custodial, so there is no intermediary bearing responsibility. For institutional readers accustomed to a market structure where someone is always accountable for execution quality, this is a significant departure.
Security is disclosure only
The statement requires interface providers to disclose their cybersecurity policies, procedures, and controls “if any.” That qualifier is significant. A provider is not required to have security controls, only to disclose whatever it does or does not have. We previously reported on a self custody wallet provider which suffered a breach resulting in the loss of client funds (which they covered). Beyond cybersecurity, software often includes basic sanity checks. Recently a thin set of liquidity pools resulted in a DeFi trader losing $50 million on a simple purchase. For an interface handling tokenized equities and bonds, this is a lower bar than what applies to registered broker-dealers.
The statement also requires disclosure of policies to protect user trading information from MEV strategies such as front running. The Staff explicitly acknowledges the MEV risk in a footnote, noting that blockchain validators have incentives to reorder transactions for profit. But the remedy is disclosure, not prohibition.
Self custodial limitation and its boundaries
The self custodial requirement is the statement’s most important limiting factor and potentially its most gameable. The definition specifies that neither the provider nor the interface can have “custody of, or access to, the user’s encrypted or decrypted private key.” And wallet technology is evolving rapidly. Multi party computation (MPC) wallets distribute key shards so that no single party holds the full key. Smart contract wallets with social recovery introduce yet another model. Some so-called self custodial wallets do not involve the user being responsible for their private keys. A case in point was the “self custodial” wallet security breach mentioned earlier. In that case the wallet provider outsourced the self custody technology to a third party, but wallet security issues exposed the user’s funds, despite the wallet not having custody. Which architectures qualify as “self custodial” under this definition will be tested.
Coinbase, which already operates a self custodial wallet separate from its exchange, founded the Base blockchain, and has ambitions across the digital asset value chain, will be closely watched. The affiliate disclosure condition in the statement requires transparency about such relationships, but the economic incentives remain.
Peirce calls for more
Commissioner Peirce praised the Staff’s work but argued the law already makes this position clear, citing the court’s ruling in SEC v. Coinbase that a wallet charging a 1% fee is not a broker. In that case, the court noted that the Coinbase self custodial wallet was not “providing trading instructions to third parties or directing how trades should be executed”. However, the court described a self custodial wallet more narrowly than the SEC’s definition, by saying the “private key” is stored locally on the user’s device. Peirce called for formal rulemaking to reassess the broker definition, but the direction she favors is less regulation rather than more. The twelve conditions in this Staff statement may represent the high water mark for investor protection in this space.
The Staff has invited public comment and the statement carries a five year sunset. This is an opening position, not a final framework. The comment period will be the real battleground.
