Regulatory Framework

FIT21 and the CLARITY Act

Two related bills carry the commodity-vs-security framework. The Financial Innovation and Technology for the 21st Century Act (FIT21) passed the House 279-136 in May 2024 and stalled in the Senate. The Digital Asset Market Clarity Act (CLARITY Act, H.R. 3633) is the 2025 successor: it passed the House 294-134 on July 17, 2025, with bipartisan support. As of April 2026, CLARITY is before the Senate; companion market-structure work is in progress, no Senate floor vote scheduled. CLARITY is the bill to track for the broader non-stablecoin framework.

The commodity vs. security question

The core regulatory ambiguity for crypto has been: is this asset a security (SEC jurisdiction) or a commodity (CFTC jurisdiction)? A security requires disclosure, registration, and compliance with securities laws. A commodity has lighter-touch regulation.

The CLARITY Act framework: a digital asset is a digital commodity if the underlying blockchain is "functional and decentralized" - meaning no single issuer or affiliated group controls a majority of the network or its governance. It is a security if an issuer retains control. Under this framework, Bitcoin and Ethereum are commodities; many ICO-era tokens with controlling founding teams would be securities. The bill also creates a registration path for digital commodity exchanges with the CFTC and clarifies broker-dealer custody for non-security digital assets.

Stablecoin-specific regulation is addressed separately by the GENIUS Act (signed July 18, 2025, covered below). Together, the GENIUS Act (now law) plus the CLARITY Act (House-passed, in Senate) plus SEC SAB 122 (issued January 23, 2025, also below) represent the most consequential federal crypto regulatory activity in US history.

SEC SAB 122: The Bank Custody Unlock

For three years, SEC Staff Accounting Bulletin 121 (April 2022) quietly blocked traditional banks from custodying crypto at scale. SAB 121 required any entity safeguarding customer crypto-assets to record those assets as a liability on its balance sheet at fair value, with a corresponding asset entry. Banks face capital requirements based on balance sheet liabilities; under SAB 121, custodying $1 billion in customer Bitcoin meant holding capital against a $1 billion liability with no offsetting economic exposure. The economics did not work. BNY Mellon, State Street, and JPMorgan stayed on the sidelines for three years.

SEC SAB 122, issued January 23, 2025, superseded SAB 121. It instructs reporting entities to apply existing accounting standards (ASC 450 for contingent loss recognition, with relevant disclosures) rather than the unique fair-value liability treatment. The capital obstacle is gone.

OCC Interpretive Letter 1183 (March 7, 2025) reinforced the shift: national banks may provide crypto custody and stablecoin services without prior OCC non-objection, subject to existing safety and soundness standards. Together, SAB 122 plus Letter 1183 unlocked traditional bank crypto custody for the first time since 2022.

Why this matters for blockchain payments: a merchant accepting USDC at $5 million per month no longer needs to keep that treasury on a crypto exchange or a non-bank custodian. Banks can now offer stablecoin custody, on-ramp/off-ramp services, and integrated treasury accounts. The merchant-payment ecosystem reshapes around bank-grade custody being available, not aspirational.

GENIUS Act: The Federal Stablecoin Framework

The Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act) was signed into law on July 18, 2025. It is the first explicit federal framework for payment stablecoin issuers in the United States, and it lands directly on the asset class most US merchants use for crypto payments.

Core requirements for permitted payment stablecoin issuers:

• 1:1 reserves in US dollars or short-term US Treasury securities. No fractional backing. No riskier reserve assets.
• Monthly public attestations of reserve composition by an independent CPA, with the issuer's CEO and CFO certifying.
• Annual independent audits for issuers above $50 billion in market capitalization.
• Dual federal/state regulatory regime: large issuers ($10B+) regulated federally by the OCC or Federal Reserve; smaller issuers may opt for approved state regimes.
• Anti-money-laundering, sanctions, and Bank Secrecy Act compliance treated as a primary obligation.
• Bankruptcy priority: stablecoin holders have a senior claim on issuer reserves in insolvency.

GENIUS applies to stablecoin issuers - Circle (USDC), PayPal (PYUSD), and any new entrant. It does not directly regulate exchanges, self-custody, or non-stablecoin tokens. The CLARITY Act handles non-stablecoin classification; the GENIUS Act handles stablecoin issuance.

For a business accepting stablecoins as payment, GENIUS is mostly good news: the stablecoins reaching your wallet now have stronger reserve guarantees and clearer legal protections in issuer bankruptcy. Practical effect on integration choices: prefer stablecoin issuers that publicly state GENIUS Act compliance or are pursuing the federal trust charter path. Older or unregulated stablecoins still exist but carry growing institutional pressure to migrate or exit.

FinCEN and Money Services Business Rules

The Financial Crimes Enforcement Network (FinCEN) is the federal regulator for anti-money laundering (AML) compliance in the US. Any entity meeting the definition of a Money Services Business (MSB) must register with FinCEN and implement an AML program.

When crypto triggers MSB status

FinCEN's 2013 guidance (FIN-2013-G001) and 2019 guidance (FIN-2019-G001) are the primary references. Key distinctions:

Travel Rule

31 CFR 1010.410 requires MSBs to collect and transmit sender and recipient identifying information for transfers of $3,000 or more. For crypto MSBs, this means: when sending $3,000+ in crypto to another MSB, you must include the sender's name, address, and account number, and the recipient's name and account information.

Internationally, FATF's Recommendation 16 sets the Travel Rule at $1,000 for crypto transfers. Some jurisdictions (Singapore, Switzerland, EU under MiCA) have implemented the $1,000 threshold. A US business sending crypto internationally should assume the lower threshold applies in the destination jurisdiction.

State Money Transmitter Licenses

Forty-nine US states and the District of Columbia have money transmitter laws. Most cover crypto transmission. A business that meets the MSB definition and serves customers in multiple states needs a license in each of those states.

The alternative to licensing is to use a licensed payment processor (BitPay, Coinbase Commerce) that operates under its own MTLs. In this model, you are a merchant, not a money transmitter. You accept crypto and the processor handles compliance. This is the correct starting point for most businesses - only pursue your own MTLs when volume justifies the cost and you want to run your own payment infrastructure.

California DFAL (Effective July 1, 2026)

California's Digital Financial Assets Law (AB 39, signed September 2023) creates the most detailed state-level crypto licensing framework in the US, effective July 1, 2026.

Covered "digital financial asset business activity" includes: exchanging digital financial assets, transferring digital financial assets, storing or safeguarding digital financial assets, administering or maintaining digital financial assets. Exceptions exist for banks, broker-dealers, and entities conducting limited activity below threshold volumes.

The DFCA (Department of Financial Protection and Innovation) is accepting license applications. Given California's processing timelines, businesses that may need a license should be filing now - waiting until mid-2025 risks not having a license by the July 2026 deadline.

New York BitLicense

New York's virtual currency business activity regulation (23 NYCRR 200, the "BitLicense") has been in effect since 2015. It is administered by the New York Department of Financial Services (NYDFS).

The BitLicense covers any business engaged in "virtual currency business activity" involving New York or New York residents. This includes: receiving/transmitting virtual currency, buying/selling virtual currency as a customer business, controlling/administering virtual currency, and exchanging virtual currency.

Compliance requirements are extensive: detailed application with business plan, org charts, key personnel background checks (FBI fingerprinting included), minimum capital requirements, cybersecurity program meeting 23 NYCRR 500 standards, quarterly financial reports, and annual audits.

In practice, many crypto businesses have exited the New York market rather than obtain a BitLicense. Those that have obtained it (Coinbase, Circle, PayPal, Robinhood, Paxos) often cite it as a competitive barrier that legitimizes their operations and differentiates them from non-compliant competitors. For most small-to-mid businesses, the correct path is using a BitLicense holder as an intermediary rather than obtaining the license directly.

MiCA: Markets in Crypto-Assets (EU)

MiCA Title III (stablecoin issuers, asset-referenced tokens and e-money tokens) took effect June 30, 2024. Title V (Crypto-Asset Service Providers, CASPs) took full effect December 30, 2024. MiCA creates a single EU-wide licensing regime with passporting: an authorization in any one of the 27 member states covers the whole bloc.

Stablecoin provisions

Under MiCA, stablecoins fall into two categories: "asset-referenced tokens" (pegged to a basket of assets) and "e-money tokens" (pegged to a single fiat currency). USDC, as a USD-pegged e-money token, received its EMI license from France's ACPR (Autorité de Contrôle Prudentiel et de Résolution) on July 1, 2024, making Circle the first major stablecoin issuer to operate as a regulated electronic money token across the EU under MiCA.

USDT (Tether) has not received MiCA authorization. EU exchanges are required to delist non-authorized stablecoins. The result is a bifurcated stablecoin market: USDC for EU-regulatory-compliant use cases, USDT for non-EU markets. For businesses with EU customers, USDC is the compliant stablecoin choice.

Note the GENIUS-Act-meets-MiCA dynamic: stablecoins authorized under both regimes (Circle-issued USDC is the live example) carry dual reserve, attestation, and audit obligations and become the default choice for any business operating across both jurisdictions. The Tether market-share question at MiCA-regulated EU venues is, in practice, already settled.

CASP licensing for US businesses

A US business that "provides crypto-asset services" to EU residents in the context of a business activity may need to register as a CASP. Covered services include custody, exchange, transfer, order placement, portfolio management, and advice on crypto assets. A merchant accepting USDC for products is generally not a CASP; a business that exchanges crypto for customers or operates a crypto platform likely is. Legal analysis of specific activity against MiCA's CASP definition is necessary for any US business with meaningful EU revenue.

International Frameworks Beyond MiCA

For US businesses whose customer base extends beyond the EU, other major regulatory regimes are worth knowing. None of them exempt you from US obligations; they layer additional rules on top when you serve customers in those jurisdictions.

Practical rule for international payments: identify the customer jurisdiction first, then ask whether your processor of choice already holds the relevant license there. BitPay, Coinbase Commerce, Stripe (via Bridge for stablecoins), and Circle each hold different licensing footprints. Routing payments through a processor licensed in the destination jurisdiction is almost always cheaper than building licensing yourself.

Practical Compliance Pre-Check

Before accepting crypto payments at any meaningful scale, work through this framework. It is not a substitute for legal counsel, but it identifies the questions your attorney will ask.