TL;DR: US crypto regulation now spans FinCEN registration, SEC and CFTC oversight, OFAC screening, and state licensing, while the GENIUS Act adds stablecoin-specific rules and the CLARITY Act could further reshape digital asset oversight, according to Sumsub. The core issue is fragmented compliance architecture, where federal and state obligations can diverge even when a business appears compliant on one side.
At a glance
What this is: This is a practical guide to the current US crypto regulatory stack, showing how federal agencies, state licensing, and new legislation now shape digital asset compliance.
Why it matters: It matters because identity, customer due diligence, transaction monitoring, and access governance all sit inside the compliance boundary for crypto firms, exchanges, custody providers, and platforms handling digital assets.
By the numbers:
- Stablecoin usage has surged, with total supply reaching USD 208 billion in 2025, a 28% increase on the previous year.
- DeFi total value locked stood at roughly $72 billion in mid-June 2026, down from about $114 billion at the start of the year.
- The GENIUS Act takes effect 18 months after enactment, or 120 days after final regulations are issued, whichever comes first.
👉 Read Sumsub's guide to US crypto regulation, stablecoins, and state licensing
Context
US crypto regulation is no longer a single federal question. It is a layered compliance problem spanning money transmission, securities, commodities, sanctions, tax, and state licensing, with different obligations triggered by different business models and asset types.
For identity and access teams, that matters because crypto compliance depends on who can access wallets, approve transfers, verify customers, screen counterparties, and operate regulated workflows. The governance challenge is not just legal classification, but proving that the right identities are controlled at the right point in the transaction chain.
The article also shows how regulatory fragmentation creates operational risk: a business can satisfy one regime and still fail another, especially when state rules, stablecoin issuance, and cross-border transfer obligations overlap. That makes identity governance part of compliance execution, not a separate technical layer.
Key questions
Q: How should crypto teams align identity controls with federal and state regulation?
A: They should map every regulated workflow to the identities that can approve, execute, or override it, then tie those identities to the relevant federal and state obligations. That includes customer onboarding, sanctions screening, custody actions, transfer approval, and exception handling. The goal is to prove that legal authority, operational authority, and system access are aligned.
Q: When does crypto compliance become an access governance problem?
A: It becomes an access governance problem when regulated activity depends on who can operate wallets, verify customers, screen counterparties, or approve transactions. At that point, licensing and AML compliance are no longer just legal functions. They depend on whether the right identities have the right privileges in the right jurisdiction.
Q: What breaks when state licensing is treated separately from IAM?
A: What breaks is the connection between legal scope and operational scope. A team may believe it is licensed, while the systems still allow identities to perform activities in states where the business is not authorised. That creates audit exposure, enforcement risk, and avoidable control drift across product and compliance teams.
Q: Who should own compliance controls in a crypto business?
A: Ownership should be shared across legal, compliance, security, and platform teams, but the control evidence should sit in the identity layer. Each regulated process needs a named owner, an approval path, and a review cycle. If no identity can be held accountable for the action, the control is not operationally complete.
Technical breakdown
How federal crypto oversight is split across agencies
US crypto regulation is distributed across several agencies because digital assets can be treated as money transmission, securities, commodities, sanctions exposure, or taxable property depending on the activity. FinCEN focuses on AML and BSA obligations for money transmitters and virtual currency businesses. The SEC applies securities law where the asset fits that category, the CFTC covers commodities and derivatives, OFAC enforces sanctions controls, and the IRS governs tax reporting. For practitioners, the main technical problem is entitlement design across multiple control planes, because the same product workflow may trigger different regulatory duties depending on who touches funds, keys, or transaction data.
Practical implication: Map regulated workflows to the identities that approve, move, and review transactions before assigning access.
Why state licensing changes the compliance model
State law adds a second compliance layer that can require licensing even when a business already meets federal AML expectations. New York's BitLicense, California's Digital Financial Assets Law, and other money transmitter regimes show that jurisdictional scope matters as much as activity type. In practice, state licensing affects who is allowed to operate, which processes must be documented, and how customer-facing controls are audited. This is especially important for crypto firms with distributed teams or platform access spread across states, because operational authority and legal authority are not always aligned.
Practical implication: Tie jurisdictional licensing obligations to role-based approval workflows and operating-state access restrictions.
Why stablecoins and DeFi create distinct governance pressure
Stablecoins and DeFi expose different compliance patterns. Stablecoin issuers face reserve, disclosure, AML, and sanctions obligations under the GENIUS Act, while DeFi sits in a harder category because the regulatory system expects an identifiable intermediary, which may not exist in a truly decentralized protocol. That creates a governance gap between protocol design and legal accountability. Hosted front-ends, custodial touchpoints, and on-ramps are often where identity controls become enforceable, while the protocol itself may remain outside conventional entity-based supervision.
Practical implication: Separate protocol risk from intermediary risk and govern the identities that actually control access, custody, and routing.
Threat narrative
Attacker objective: The practical objective is to exploit compliance ambiguity or weak identity controls to move value, evade screening, or operate without the required authorisation.
- Entry begins when crypto businesses operate across multiple federal and state regimes with different definitions of who is regulated and what activity is covered.
- Escalation occurs when identity, custody, transfer, and customer-verification workflows are misaligned across agencies, states, and business lines, creating compliance drift.
- Impact appears as licensing failures, sanctions exposure, AML gaps, or enforcement actions that can halt operations or trigger penalties.
Breaches seen in the wild
- Emerald Whale breach — exposed Git config files led to 15K secrets stolen and 10K repo compromises.
- CI/CD pipeline exploitation case study — full server takeover via exposed .git directory and mismanaged CI/CD pipeline secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Fragmented crypto regulation is also an identity governance problem. The article treats compliance as a legal mapping exercise, but the operating reality is that regulated actions are performed by specific human and machine identities. If access to customer verification, transfer approval, sanctions screening, and wallet custody is not aligned to the applicable regime, compliance becomes a role design issue rather than a policy issue. Practitioners should treat regulatory scope as an access model.
Crypto compliance creates a dual-control challenge between legal authority and technical authority. A team may have the right license posture while still allowing the wrong identities to execute regulated actions. That gap is especially visible in state licensing, where an entity can be authorised in principle but operationally misconfigured in the systems that move funds or record approvals. The implication is that governance must bind entitlement, geography, and duty separation together.
Stablecoins and DeFi introduce a jurisdictional identity split that many programmes still miss. The compliance burden often sits on issuers, custodians, front-ends, and intermediaries, while the protocol layer itself may not map cleanly to a legal person. The core failure mode at this regulated-access boundary is assuming the control point and the regulated point are the same thing. They are not, and practitioners must govern the identities that can actually trigger the regulated transaction.
State-by-state licensing turns access reviews into operational evidence checks. It is no longer enough to know who can log in. Teams need to know who can operate in a state, who can approve an activity there, and whether those privileges match the licence footprint. That makes recertification a control over legal scope, not just user access.
Crypto programmes now need compliance traceability across human and non-human identities. The article's regulatory stack depends on customer identification, transfer data, sanctions screening, and operating authority. Those functions are executed by people, service accounts, APIs, and workflow systems, so the next maturity step is unified identity governance across all of them. Practitioners should stop separating regulatory controls from identity controls.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For identity teams: Review the NHI Lifecycle Management Guide to connect offboarding, rotation, and entitlement removal to your regulated workflow evidence.
What this signals
Regulatory fragmentation will push more crypto firms toward identity-led compliance evidence. As federal and state obligations diverge, the useful control question becomes whether the identities that can move money, verify users, or screen counterparties are bounded by the correct jurisdictional rules. That is a governance design problem, not just a legal review.
Access control in crypto is becoming a licensing control surface. Teams that still treat approvals, wallet permissions, and sanctions exceptions as purely operational will struggle to prove compliance when state rules differ from federal registration. The practical response is to make access reviews, entitlement ownership, and operating-state restrictions part of the compliance record.
92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to our Ultimate Guide to NHIs. That matters here because crypto businesses rely heavily on vendors, custodians, and infrastructure partners, which means delegated access is often part of the regulated path. The next control question is not whether access exists, but whether it is bounded, reviewable, and revoked when the regulatory scope changes.
For practitioners
- Map regulated actions to identity owners: Create a control inventory that links customer onboarding, transfer approval, sanctions screening, and custody operations to named human and non-human identities. Use that map to show which workflow sits under FinCEN, SEC, CFTC, OFAC, or state licensing obligations.
- Separate federal and state operating scopes: Build a jurisdiction matrix that ties each state licence requirement to the product functions, approval roles, and technical systems allowed to operate there. Recheck that matrix whenever you expand to a new state or asset class.
- Bind approval rights to geographic authority: Restrict production access, transfer limits, and admin privileges so only identities authorised for a given state or asset workflow can execute it. This is especially important where one entity is compliant federally but not yet licensed locally.
- Treat sanctions and KYC workflows as governance controls: Ensure screening, escalation, and exception handling are recorded as access-controlled processes with evidence trails. That gives auditors a clear view of who approved exceptions and whether those approvals fit the regulatory model.
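As an added illustration (not code from Sumsub's article or the NHIMG team), the steps above combined into one entitlement check: a workflow-to-regime map, a state licence footprint, per-identity operating states, a dual-control rule, and a recertification query that lists privileges exceeding the licence footprint. All workflows, regime labels, states and identities are constructed sample values, and the regime names are assumptions for the illustration only.

```python
from dataclasses import dataclass

# Regulated workflow -> (governing regime, role allowed to execute it).
# Constructed sample mapping; regime labels are assumptions, not a legal map.
WORKFLOW_REGIME = {
    "customer_onboarding": ("FinCEN/BSA", "kyc_analyst"),
    "sanctions_screening": ("OFAC", "sanctions_analyst"),
    "transfer_approval": ("state_mtl", "transfer_approver"),
    "custody_operation": ("state_mtl", "custody_operator"),
}
# Licence footprint: state -> state-licensed services the entity may deliver
# there (constructed: transfers licensed in NY and CA, custody in NY only).
LICENCE_FOOTPRINT = {"NY": {"transfer_approval", "custody_operation"},
                     "CA": {"transfer_approval"}}

@dataclass
class Identity:
    name: str
    kind: str        # "human" or "service" (a non-human identity)
    roles: set
    states: set      # states this identity is authorised to operate in

def check(identity, workflow, state, initiator=None):
    """Return (allowed, reason): role, then state authority, then licence
    footprint, then dual control (initiator may not approve own request)."""
    regime, role = WORKFLOW_REGIME[workflow]
    if role not in identity.roles:
        return False, f"{identity.name} lacks role {role} for {workflow}"
    if state not in identity.states:
        return False, f"{identity.name} not authorised to operate in {state}"
    if regime == "state_mtl" and workflow not in LICENCE_FOOTPRINT.get(state, ()):
        return False, f"entity not licensed for {workflow} in {state}"
    if initiator == identity.name:
        return False, "dual control: initiator cannot approve own request"
    return True, f"{workflow} in {state} permitted under {regime}"

def control_drift(identities):
    """Recertification view: (identity, workflow, state) triples where a held
    privilege exceeds the licence footprint (technical > legal authority)."""
    return [(i.name, wf, st)
            for i in identities
            for wf, (regime, role) in WORKFLOW_REGIME.items()
            if regime == "state_mtl" and role in i.roles
            for st in sorted(i.states)
            if wf not in LICENCE_FOOTPRINT.get(st, ())]

# Constructed sample identities, including one service account.
IDENTITIES = [
    Identity("alice", "human", {"transfer_approver"}, {"NY", "CA"}),
    Identity("bob", "human", {"custody_operator"}, {"NY", "TX"}),
    Identity("svc-ops", "service", {"transfer_approver", "custody_operator"}, {"NY", "CA"}),
]
```

Running `control_drift(IDENTITIES)` flags bob's custody privilege in TX and the service account's custody privilege in CA, neither of which the footprint covers, which is the kind of evidence an access review needs to produce.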
Key takeaways
- Crypto regulation in the US now depends on both legal classification and identity control, because the same workflow can trigger federal, state, sanctions, and tax obligations.
- State licensing creates operational risk even when federal compliance looks sound, so jurisdiction-specific access and approval boundaries matter.
- The most effective response is to align regulated workflows, access reviews, and entitlement ownership so auditors can see who was allowed to do what, where, and under which rule set.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access rights must match regulated duties across crypto workflows. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Crypto operations need continuous verification across users, systems, and jurisdictions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | API keys and service identities used in crypto custody need lifecycle governance. |
Align approvals and privilege boundaries to regulated duties and review them with compliance evidence.
Key terms
- Money Services Business: A money services business is a company that moves, exchanges, or transmits value in ways regulated under US financial law. In crypto, this classification often triggers FinCEN registration, AML obligations, and customer due diligence requirements tied to the identities operating the service.
- State money transmitter licence: A state money transmitter licence authorises a firm to move value within a specific jurisdiction under state law. For crypto businesses, the licence footprint may differ from federal registration, so operating authority must be matched to both geography and the exact service being delivered.
- Stablecoin issuer: A stablecoin issuer is the entity responsible for creating and maintaining a fiat-linked digital asset. Under the GENIUS Act, that role carries reserve, disclosure, AML, and sanctions obligations, making issuer identity and control ownership central to compliance governance.
- Regulated workflow: A regulated workflow is any business process that performs an activity covered by law or licensing, such as customer onboarding, wallet custody, transfer approval, or sanctions screening. In crypto, the workflow itself must be mapped to the identities that can execute it and the rules that govern it.
What's in the full article
Sumsub's full article covers the operational detail this post intentionally leaves for the source:
- Federal agency-by-agency breakdown of which activities trigger FinCEN, SEC, CFTC, OFAC, and IRS obligations
- State licensing examples that matter for implementation teams, including New York, California, Connecticut, and Colorado
- Stablecoin issuance requirements and the compliance implications of monthly reserve disclosure
- DeFi-specific treatment of intermediary responsibility, front-end exposure, and reporting obligations
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org