Rules Navigator

Register

NSCP Annual: Crypto grows up the hard way

Norm Ashkenas, Jason Holloway, Jason Foye.
Norm Ashkenas, Jason Holloway, and Jason Foye. Photo: Vlada Gurvich

Vlada Gurvich

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Regulators at the conference proved that digital-asset markets can be improved through steady coordination, clearer rules, and real-world lessons from the front lines of compliance.

A tidy theory about digital assets rarely survives contact with a gas-station kiosk in Tampa. In Florida, elderly victims are still marched by scammers to “secure facilities” that turn out to be smoke shops, where a neon-lit crypto ATM takes a 26% cut.

In Georgia and Tennessee, inmates once ran crypto extortion rings on contraband phones air-dropped by drones. Far away, human-trafficking syndicates in Cambodian compounds coerced coders into running pig-butchering scams.

That grim tableau, relayed by Jason Holloway, director of blockchain and crypto at the Florida Office of Financial Regulation, is how the crypto market actually meets the public. It is also where policy either works or fails.

Alongside Mr. Holloway sat Jason Foye, a vice-president at FINRA who oversees illicit finance and fraud. His message matched Florida’s: Forget ideology, do the work. The rules are already thick on the ground.

What is missing in many corners is straightforward compliance and faster coordination.

Not always in one place

In most states, crypto businesses are treated as money services firms. They must obtain money-transmitter licenses and carry the usual ballast that comes with them: BSA/AML programs, KYC, independent testing, recordkeeping, trained staff.

Florida’s Office of Financial Regulation has licensed the well-known brands and fields a steady stream of declaratory requests. The state also recognizes a narrow peer-to-peer carve-out that many crypto-ATM operators use. That legal detail explains why enforcement often begins at the ATM, not on an exchange’s web page.

On the securities side, FINRA regulates through its member firms and their people, not through asset labels. Many FINRA rules are tied to securities transactions, but some are not.

Rule 2210 on communications with the public applies regardless of whether the underlying product is a security. So do the AML rule and Rule 2010, FINRA’s catch-all standard of commercial honor.

Mr. Foye’s “Crypto Hub” convenes staff from supervision, exams, enforcement, market ops, and education to treat crypto as a cross-house risk, not a novelty.

Old disciplines still decide outcomes

Washington will keep arguing over market structure. A House-passed Clarity Act contemplates a regime in which a broker-dealer could handle crypto-asset securities, certain non-securities, and plain equities under one roof.

 A GENIUS act for payment stablecoins has moved into rulemaking, with questions about capital treatment, custodial standards, and whether tokens will be treated as funds for various purposes.

The private-law plumbing is evolving too.

UCC Article 12 on “controllable electronic records” is now live in Florida. It clarifies how a security interest is perfected when you truly control a wallet, and how a good-faith purchaser can take assets free of prior claims. That matters in margin lending, rehypothecation, and bankruptcies.

For firms, the practical spine will feel familiar. There will be disclosure, segregation, conflicts management, and a version of best execution that copes with transparent ledgers and fragmentary venues.

Clients already use on-chain price feeds to second-guess fills. Any broker that touches tokenized instruments will soon be explaining routing logic with more than marketing adjectives.

Where the harm happens

Mr. Holloway’s case studies land far from Capitol Hill. Florida’s crypto-ATM scene is a magnet for remittance users, coupon clippers, and fraudsters. The P2P structure means many operators fall outside state licensure. The result is a compliance Swiss cheese.

Scammers know exactly which kiosks cut corners. There are cases of victims on the phone with the fraudster, sending their life savings to a wallet controlled on the other side of the world. The state pushed a bill to give itself a hook over sloppy operators. Some are professional and cooperative. Others are mom-and-pop fleets that buy crypto in bulk, run three machines, and do almost no KYC.

The worst stories are offshore. Human-trafficking gangs assembled forced-labor call centers in Southeast Asia, recruiting software developers with bogus ads and turning them into fraud workers under threat of violence. Crypto is not the crime in itself, Mr. Foy notes drily, it is the rail.

Yet the rails now have speed bumps. Florida’s Bureau of Financial Investigations teams with the Secret Service and local police, uses blockchain analytics, and moves fast to freeze exchange accounts when patterns light up. Speed is the variable that saves victims’ money, not clever statutory prose.

Then there is the prison playbook. In Georgia and Tennessee, inmates obtained contraband phones delivered by drones, posed as law enforcement, and told targets they faced arrest unless they paid in crypto.

The money flowed through predictable kiosks to wallets controlled by outside accomplices. The fix was tedious and local: Teach precinct detectives how to read a blockchain tracer, prewire contacts with exchanges, and insist that big firms name a law-enforcement liaison who can act in hours rather than days.

How enforcement is actually evolving

The fashion for regulation by enforcement is fading, though not gone. The center of gravity has shifted to fraud and retail protection. State actions are no sideshow. Reciprocity clauses mean a loss of one license can trigger automatic suspensions in dozens of states – an existential threat for a payments business.

Florida’s participation in the Binance and CZ matter illustrated how state actions can cascade into federal consequences and back again into disclosure obligations for a group’s non-crypto subsidiaries.

At FINRA, recent crypto cases fall into two bins. The first is communications: A 2210 sweep caught firms whose marketing made it look as if the broker-dealer itself offered crypto access with SIPC-like comfort, when the service actually sat at an unregulated affiliate. That is not a gray area. It is precisely what the rule forbids.

The second is outside business activities and private securities transactions. Registered reps have pooled investor money for token ventures or mining schemes away from the broker-dealer, without notice or supervision. In some cases, the money was misused.

FINRA issued Rule 8210 letters. Those who did not respond were barred. The trail did not end there. FINRA shipped referrals to state and federal law enforcement. The point of self-regulation is a hand-off, not a cul-de-sac.

Criminal enforcement is changing too. The Department of Justice and partners have become adept at on-chain recovery. Large seizures from pig-butchering rings make crypto feel less like a one-way hole.

Bad actors follow fashion. When a rail is no longer easy, they take their pump-and-dump scripts to whatever new buzzword is raising money that week.

Fragmentation is real, innovation is local

Fragmentation in America is not a bug, it is a constitutional setting, though it irritates operators. A single crypto product can receive contradictory readings from two state exam teams.

Banks, broker-dealers and MSBs still face different AML expectations, a legacy that the AML Act and interagency guidance are trying to harmonize. Mr. Foye’s team has a broader “modernize and align” track under FINRA’s Forward initiative, which has attracted a thicket of comment letters.

Florida is not waiting for Washington to finish. The state revamped its fintech sandbox to admit DeFi experiments under light supervision with consumer safeguards.

Applicants include synthetic-dollar and protocol-market projects that live entirely on code. The intent is simple. Give responsible builders a front door, watch them closely, and learn enough to inform federal rules when they finally arrive.

What a competent program looks like

The counsel from the panel is not glamorous. It is a checklist and a rolodex.

First, talk early. Map the activity to the rules that actually apply. If you are a broker-dealer that offers crypto via an affiliate or a third party, treat the investor-facing communications as if they were your own, because in the eyes of Rule 2210, they are.

Document the legal analysis that decides whether a token is a security for the purpose at hand. If you are wrong, be wrong for sensible reasons and with a change-management plan.

Second, build capability. The gap is not conceptual, it is practical. You need people who can read on-chain analytics, cross-check prices against block explorers, and interrogate wallets without mysticism.

FINRA is rolling out multi-level crypto and blockchain e-learning, plus an in-person course with Georgetown. Use it to get compliance, legal, and comms to the same baseline.

Third, pre-wire law enforcement. Name a dedicated liaison who can freeze accounts quickly. Post an internal runbook with exchange escalation contacts, subpoena templates, and decision trees for SAR timing.

Practice it. In retail fraud, hours matter. Days are the difference between restitution and regret.

Fourth, fix the obvious frictions. Crypto-ATM exposure needs a policy of its own: site-selection due diligence, enhanced monitoring, mystery-shop checks, signage that warns about government-payment scams, and low friction reporting to local police.

Affiliate arrangements demand prominent, plain disclosures about who does what, who holds what, and what protections do or do not apply. If you are inching toward custody, spell out access controls, key management, segregation, and reconciliation on a schedule that auditors can test.

Fifth, benchmark. The best compliance officers call peers every week. They trade notes on what examiners are asking, how disclosures read after a regulator’s red pen, and which blockchain tools are actually useful. This is not illicit behavior. It is how a young control function becomes a profession.

Growing up is mostly paperwork

America’s crypto future will not be decided by a single grand statute. It will be built in exam rooms, police precincts and court affidavits, one SAR and one corrected web page at a time.

Florida’s gruesome examples are not outliers. They are where policy lands. FINRA’s cases on communications and off-book ventures are not crypto-specific curiosities. They are the same investor-protection rules applied to a new wrapper.

This is how the Wild West becomes a town with a clerk’s office and a streetlight. It is unromantic. It is also how people keep their savings.

, , , , , , , , , , , , , ,
You may also like