Global Tokenization Enforcement Tracker: Regulatory Actions and Precedents

Regulatory frameworks are written in statutes and secondary rules. The law in practice is written in enforcement actions. No compliance manual is complete without understanding what regulators have actually decided to pursue, how their theories of liability have fared before courts and tribunals, and what the resulting precedents mean for the structure of tokenization programmes operating today.

This tracker catalogues material enforcement actions across the major jurisdictions, with analysis of what each case established, what it left open, and what it means for compliance programmes. Actions are presented chronologically within each jurisdiction. We do not reproduce factual allegations that are contested; analysis reflects the state of each matter as of Q1 2026.

United States: SEC Enforcement

SEC v. Ripple Labs Inc. — D.S.D.N.Y., Case No. 20-cv-10832

Status: Partial ruling July 2023; appeal and remedies proceedings ongoing.

Background: The SEC filed suit in December 2020 alleging that Ripple’s sale of XRP constituted an unregistered securities offering under Section 5 of the Securities Act of 1933. The case raised the fundamental question of how the Howey test — the US framework for determining whether a transaction constitutes an “investment contract” and therefore a security — applies to token sales in different market contexts.

The July 2023 ruling (Judge Torres): The ruling carved the XRP market into two distinct categories with materially different legal treatment.

Institutional sales of XRP to sophisticated buyers who knew they were purchasing from Ripple and reasonably expected profits from Ripple’s efforts: securities. These sales met all four Howey prongs — investment of money, common enterprise, expectation of profits, primarily from the efforts of others. The institutional buyers were purchasing on the expectation that Ripple would develop the XRP ecosystem, driving appreciation.

Programmatic sales through exchanges, where retail buyers did not know they were purchasing from Ripple and did not have the same profit expectation tethered to Ripple’s specific efforts: not securities. The court found that anonymous exchange purchasers could not have been making a Howey-qualifying investment contract because they did not know the counterparty and therefore could not have had the expectation of profits specifically from Ripple’s efforts.

Precedent value for compliance teams:

The ruling does not establish that tokens are categorically not securities. It establishes that the same token can be a security when sold in one context and not a security when sold in another. The compliance implication is significant: it means that issuers of tokens cannot simply label their offering as a programmatic secondary market sale and avoid securities regulation. The context of the sale — who the counterparty is, what disclosures are made, what the buyer’s reasonable profit expectation is, and whether those profits are tied to the issuer’s efforts — determines the regulatory treatment.

For tokenization programmes, the Ripple ruling validates a structure that many institutional issuers were already using: registered or exempt primary offerings to institutional investors, with secondary market trading on regulated venues where the issuer’s involvement in individual trades is absent. It does not provide cover for issuers who maintain ongoing control over secondary market pricing or liquidity.

What remains open: The appeal of the programmatic sales holding means this precedent is not final. The SEC has appealed the non-securities finding for programmatic sales, and the Second Circuit’s ruling will either strengthen or overturn the most commercially significant element of the July 2023 decision.

SEC v. Terraform Labs and Do Kwon — S.D.N.Y.

Status: Settlement announced June 2024. Terraform agreed to pay $4.47 billion in disgorgement and penalties — the largest crypto enforcement settlement in SEC history at the time.

Background: The SEC brought securities fraud claims following the May 2022 collapse of the TerraUSD (UST) algorithmic stablecoin and associated LUNA token, which destroyed approximately $40 billion in market value. The case combined securities offering claims with fraud allegations related to false statements about the stability of the UST peg mechanism.

Key findings (SEC complaint, affirmed through settlement): The court found that both LUNA and UST qualified as securities under the Howey test, and notably did not apply the Ripple programmatic sales distinction to reach a different result. The court distinguished Ripple on the basis that Terraform actively promoted both tokens across all sale contexts, meaning the investor’s profit expectation was always tied to Terraform’s efforts regardless of purchase venue.

Precedent value: The Terraform settlement confirms that algorithmic stablecoins are within SEC jurisdiction when structured as investment contracts — a significant holding for the stablecoin market. It also confirms that a founding team’s public marketing and ecosystem development efforts can create a Howey-qualifying expectation of profits even in anonymous secondary market purchases, distinguishing the case from Ripple’s programmatic sales holding.

For compliance teams structuring stablecoin programmes, the Terraform case establishes that algorithmic stablecoin mechanisms — where the peg is maintained by token issuance and burning rather than fiat reserves — attract heightened SEC scrutiny and likely constitute securities if marketed with profit expectations.

SEC v. Coinbase Global Inc. — S.D.N.Y., Case No. 23-cv-4738

Status: Ongoing as of Q1 2026. Motion to dismiss largely denied; proceeding to discovery.

Background: The SEC filed suit in June 2023 alleging that Coinbase operated an unregistered securities exchange, broker-dealer, and clearing agency by listing and trading tokens that the SEC characterised as securities. The case is the most consequential pending crypto enforcement action because it will determine whether major crypto exchanges — operating as they currently do, without securities exchange registration — are in violation of US securities law.

Current posture: Judge Failla denied Coinbase’s motion to dismiss in March 2024, finding that the SEC’s theory that crypto tokens listed on Coinbase constitute securities is legally cognizable — that is, the theory is plausible enough to proceed to discovery. The denial of the motion to dismiss does not decide the merits; it means the case will proceed to a fuller evidentiary examination.

Precedent significance: The Coinbase case will produce the most important US legal determination on crypto exchange regulation since the SEC’s enforcement programme began. A ruling against Coinbase would require crypto exchanges to either register as securities exchanges — with the attendant requirements around capital, custody, AML, and market manipulation — or cease listing tokens that qualify as securities. This would force a restructuring of the US crypto market architecture.

Compliance implication: Do not structure tokenized asset distribution programmes around the assumption that the current US market structure — unregistered crypto exchanges listing tokens without broker-dealer or exchange registration — will persist. The Coinbase case outcome may require programme redesign.

SEC v. Binance and Changpeng Zhao — D.D.C., Case No. 23-cv-1599

Status: Ongoing civil SEC case; parallel DOJ criminal case against CZ resolved (guilty plea, November 2023, $4.3B settlement with DOJ/CFTC/FinCEN).

Background: The SEC complaint alleges that Binance operated unregistered exchange, broker-dealer, and clearing agency functions; commingled customer assets; and made false representations about AML controls. The case is distinguished from Coinbase by the addition of fraud allegations and the parallel criminal resolution.

Compliance significance: The Binance matter establishes that commingling customer assets and operating unregistered securities market infrastructure are active SEC enforcement priorities, not theoretical risks. Programmes using Binance or similar unregistered venues for primary distribution or secondary market support should treat this case as a direct compliance signal.

UAE: VARA Enforcement Actions

VARA — the Virtual Assets Regulatory Authority established in Dubai in 2022 — is the world’s first standalone virtual assets regulator. Its enforcement programme has been substantive relative to the youth of the framework.

VARA 2023-2024 Enforcement Pattern

VARA enforcement in 2023-2024 focused on three categories:

Unlicensed operation: VARA issued enforcement notices against entities operating virtual asset activities in Dubai without the required VARA licence. Several foreign-operated crypto platforms that had Dubai commercial presences but did not hold VARA licences received cease-and-desist orders. The precedent is clear: commercial presence in Dubai without a VARA licence is not a regulatory grey zone — it is an enforceable violation.

Marketing violations: VARA’s marketing rules prohibit unlicensed entities from advertising virtual asset products to UAE residents. Several enforcement actions targeted social media marketing by unlicensed foreign platforms to UAE audiences. The implication for global platforms: geofencing UAE users is not optional if the platform is not VARA-licensed. VARA has demonstrated willingness to pursue cross-border marketing violations.

AML framework deficiencies: Several licensed entities received remediation orders for deficiencies in their AML frameworks, particularly around Travel Rule implementation and sanctions screening. VARA’s AML enforcement has been technical and detailed, consistent with a regulator that has invested significantly in its AML supervisory capacity.

Compliance significance: VARA enforcement establishes that Dubai’s 80+ licensed platform count reflects a real regulatory boundary, not a permissive environment. Entities operating in or marketing to Dubai without a VARA licence face a functioning enforcement programme. For programmes considering UAE as a primary jurisdiction, VARA compliance should be treated with the same rigour as FCA or BaFin compliance.

United Kingdom: FCA Enforcement

FCA Registration Refusals — AML Enforcement by Proxy

The FCA’s most significant enforcement mechanism in the crypto space has not been prosecution but registration refusal. The FCA has refused approximately 80% of applications to the Temporary Registration Regime (TRR) operated under the Money Laundering Regulations (MLRs) since 2020. This refusal rate is unprecedented in FCA registration history.

Precedent significance: The high refusal rate establishes that the FCA’s AML standards for crypto firms are substantive and difficult to meet. Firms that received FCA refusals include some with well-resourced compliance teams. The FCA has been explicit that the standard is not checklist compliance but genuine AML system effectiveness, including the ability to demonstrate real-time transaction monitoring and Travel Rule compliance. This is the standard that MiCA-authorised firms passporting into the UK will need to satisfy to demonstrate equivalence.

Ongoing enforcement: The FCA has brought criminal prosecutions in crypto fraud cases (not regulatory violations) and has issued multiple s.165 information requests to crypto firms as part of supervisory engagement. The FCA’s crypto enforcement is calibrated: heavy on AML registration standards, developing on market abuse (under MiCA-equivalent UK rules enacted in 2024).

Germany: BaFin Enforcement

BaFin Custody Licensing Actions

BaFin introduced mandatory crypto custody licensing under the KWG in 2020 — one of the first EU member states to impose binding crypto-specific regulatory requirements. BaFin’s enforcement in 2021-2024 focused on entities providing crypto custody without the required KWG licence.

Several enforcement actions resulted in ordered wind-down of unlicensed custody operations and referral to criminal prosecutors for violation of the KWG prohibition on unlicensed banking activities. The criminal law dimension of German banking regulation — unlike most other jurisdictions where regulatory violations are administrative — creates a qualitatively different compliance incentive.

MiCA transition enforcement posture: BaFin has published guidance indicating that entities that are genuinely in the process of converting their KWG licence to a MiCA CASP authorisation will not face enforcement action during the transitional period, provided they meet BaFin’s documented requirements for transitional cover. Entities that are not making credible progress toward CASP authorisation will face enforcement.

MAS (Singapore): Enforcement Pattern

MAS enforcement on digital payment tokens (DPTs) has focused on two areas: unlicensed provision of DPT services (Payment Services Act violations) and retail marketing violations.

Retail marketing: MAS prohibited the marketing of DPT services to the general public in January 2022, including restrictions on ATMs, physical advertising, and social media promotion to retail audiences. Enforcement actions against violations of these restrictions have been consistent and published. The compliance implication: Singapore-licensed platforms must rigorously segment their marketing activities by investor type.

Unlicensed DPT services: MAS has pursued enforcement against platforms operating with an Exemption (the transitional mechanism used during the PSA licensing regime’s early phase) that exceeded the scope of their exempted activities.

Cross-Jurisdictional Enforcement: What It Means Collectively

The aggregate picture from global enforcement activity points to five durable compliance conclusions:

1. The Howey test is being applied, not abandoned. The SEC has consistently applied the Howey framework to crypto tokens. Courts have upheld the SEC’s jurisdiction in every case that reached a dispositive ruling on this point (Ripple carved some space at the margins; it did not reject the Howey framework). Compliance programmes that treat Howey as inapplicable to their token structure are not well-advised.

2. Context determines classification. Ripple establishes that the same token can be a security in one transaction and not in another. The compliance implication is programme design: institutional exempt offering + regulated secondary market = defensible structure. Retail primary offering without exemption + unregistered exchange secondary market = high enforcement risk.

3. AML is the universal enforcement mechanism. Even in jurisdictions where securities classification is disputed, AML enforcement is not. FATF Travel Rule violations, inadequate KYC, and sanctions screening failures are pursued consistently across SEC, FCA, BaFin, and VARA. AML compliance is not optional because securities law is contested.

4. Marketing is a primary enforcement vector. VARA, MAS, and FCA have all taken action specifically on marketing violations — reaching audiences without proper licensing. Geofencing, investor eligibility verification, and marketing pre-clearance are not administrative overhead; they are the activities that prevent the most commonly pursued category of enforcement.

5. Criminal exposure exists in multiple jurisdictions. The Binance/CZ resolution and BaFin’s KWG referrals to criminal prosecutors are reminders that regulatory violations in the tokenization space are not always administrative matters. Programmes operating in jurisdictions with criminal law dimensions to regulatory violations — including Germany, the US, and the UK — should ensure their board-level risk assessments reflect this.

For related analysis, see /analysis/death-of-regulatory-arbitrage/ and /regulations/mica/.