I. Introduction
Many investors and other members of the public lost faith in large financial institutions following the 2007–08 financial crisis. Bitcoin, conceived in 2008, was designed to circumvent the traditional third-party financial institution trust-based system by offering a peer-to-peer electronic currency using blockchain technology.Footnote 1 “Cryptoassets”, an umbrella term encompassing a range of assets including Bitcoin and other cryptocurrencies,Footnote 2 stablecoinsFootnote 3 and utility tokens,Footnote 4 is defined broadly as representations or stores of value which can be transferred or exchanged digitally and which rely on cryptography and use distributed ledger technology, the blockchain being the most popular example of distributed ledger technology.Footnote 5 Since Bitcoin’s invention, the cryptoasset market has exploded. As of late 2025, the total market capitalisation of cryptoassets was $4.06 trillion.Footnote 6
Blockchain technology has been heralded as a means for greater innovation and efficiencies in many industries due to its decentralisation, security and transparency.Footnote 7 Claimed benefits of blockchain technology and cryptoassets include lower transaction costs, elimination of the need for settlement services and clearinghouses,Footnote 8 and faster cross-border transactions.Footnote 9 However, in many jurisdictions the touted benefits of blockchain technology and cryptoassets have not been fully realised,Footnote 10 nor has the growing popularity of this technology led to a significant transformation of financial services.Footnote 11 In addition, the development of cryptoassets has been accompanied by increased risk to investors, markets and possibly the financial system.
Further, effective regulation of cryptoassets has eluded rule makers around the world. Cryptoassets present a unique securities regulatory challenge particularly because of their novelty, complexity, volatility and fast-paced development. Or do they? This article argues that in applying a “same risk, same regulatory outcome” principle it should be reasonable to use a disclosure-based securities regulatory regime to address the risks posed by a popular kind of cryptoasset, namely utility tokens. Utility token features vary, but in general they are meant to be redeemable internallyFootnote 12 on the issuing platform for goods or services or to access features that exist already or will in the future. They run on smart contracts,Footnote 13 and may in some cases afford the holder voting rights over the platform’s governance.Footnote 14 Utility tokens are difficult to regulate. They are offered by many kinds of issuers, varying from centralised exchanges to decentralised platforms managed by dispersed holders of governance tokens. Utility tokens have proven particularly challenging for securities regulators because they can be designed to obscure their characteristics as securities. For example, they are often marketed and issued for their utility function, rather than as investments as traditional securities would be. Yet issuers sell these assets to raise capital and, in many cases, intend for their value to rise, and investors often purchase utility tokens as investments.
This article begins to point to an appropriate and consistentFootnote 15 global regulatory response in relation to utility tokens adoptable by rule makers in the EU, UK, US and other jurisdictions to ensure investor protection, proper functioning of markets and the reduction of systemic risk, without compromising innovation. Details of a consistent international approach to cryptoassets more generally are missing from the literature. Developing such an approach is important in light of the rising impact of cryptoassets as well as related technology and financial innovation. There has been some disagreement about the lasting power of cryptoassets. “Some say crypto will get wiped to zero, while others say it’s the entirety of our financial future.”Footnote 16 The technology underlying cryptoassets will probably endure, whether or not cryptoassets themselves do,Footnote 17 given its range of applications and how widely its use has already spread. It is valuable to begin with utility tokens, a species of cryptoassets, as a regulatory case study because such an analysis might inform future analysis as blockchain and other technology continues to develop.
Section II of this article will provide a description of utility tokens, recognising that there is a wide spectrum of utility token varieties ranging from tokens that closely resemble securities to those that resemble consumable goods. It will analyse the risks presented by this kind of cryptoasset and consider whether these risks exist in traditional financial markets or whether they are unique to the cryptoasset market. In many cases utility token risks are not unique to the cryptoasset market and can be found in traditional securities markets. Section III will scrutinise current regulatory regimes as they relate to utility tokens in each of the EU, UK and US, and will survey the remaining regulatory gaps and risks. Finally, Section IV will argue that while there are a range of different utility tokens, securities law is the most appropriate framework to address risks posed by this class of asset. Moving past the question of what framework may be appropriate to address the risks posed by utility tokens, this section will also examine how existing securities regulatory rules may require amendment and will suggest exemptions that should be made for utility tokens that do not present the same risks as traditional securities.
II. Utility Tokens and the Risks they Pose
The focus of this article is utility tokens issued on permissionless blockchains.Footnote 18 Utility tokens are typically offered and sold to raise funds for decentralised platform projects.Footnote 19 This practice began because decentralised platform developers found it challenging to raise money through venture capitalists given the risks and the open-ended nature of building these networks.Footnote 20 They therefore turned to the sale of tokens by way of initial coin offerings (“ICO”) as a fast way for developers to raise significant amounts of money.Footnote 21 Similar to an initial public offering (“IPO”), where a firm first offers its securities – particularly its equity shares – to the public to raise capital, an issuer uses an ICO to sell utility tokens to the public to fund the development of its network. However, in the case of a traditional IPO, securities laws in the EU, UK and US require the issuer to provide, among other things, a great deal of disclosure about its financial information and management.Footnote 22 Issuers completing ICOs for a time in each of these jurisdictions did not tend to furnish prospective token-buyers with detailed disclosure and provided instead only short and, at times, misleading, white papers about the offering.Footnote 23 ICOs have become much less popular since regulators have made it clear that this kind of offering in many cases will be subject to securities regulation, meaning a prospectus or registration statement will be necessary unless an exemption applies.Footnote 24 The recent EU Markets in Cryptoasset Regulation (“MiCA”),Footnote 25 discussed in more detail below, also sets out specific requirements about what disclosures must be made in white papers.Footnote 26
While ICOs may have decreased in popularity, utility tokens are a useful place to start when analysing the appropriate framework for regulating cryptoassets. While utility tokens are offered on many kinds of platforms, they are an important aspect of decentralised finance (“DeFi”), that is, the provision of financial services such as payments, lending, trading, investments, insurance and asset management without the use of a centralised intermediary on a blockchain settlement layer through decentralised applications (“Dapps”).Footnote 27 Utility tokens have been considered by securities regulators and rule makers in each of the EU, UK and US. They pose a regulatory challenge because the same kind of token may be purchased by some for its utility function and yet at the same time marketed as and purchased by others as an investment. Within this class of asset there are myriad kinds of utility tokens. They can be offered by identifiable issuers organised in a traditional business organisation, or by a platform run entirely on smart contracts called a Decentralised Autonomous Organisation (“DAO”).Footnote 28 They may be issued for goods and services on an established issuing platform or they may be offered by a nascent platform for future goods and services. They may be purchased solely in order to redeem goods and services on the issuing platform (such as a gift card or arcade token), or they may be purchased in the hope that their value will increase with the platform’s functionality and are often sold on the secondary market.Footnote 29 Unlike Bitcoin, which is arguably valuable in and of itself, a utility token’s value is derived from the issuing platform’s functionality and varies depending upon the extent of interest in the platform.Footnote 30 Specific examples of utility tokens include the Build and Build (“BNB”) token issued by Binance, the largest cryptoasset exchange, and the native utility token, MKR, on MakerDAO (one of the most popular applications on the Ethereum network), both of which are used to pay fees and both of which carry voting rights on their respective platforms.Footnote 31
There is a spectrum of utility token types. On one end of this spectrum are utility tokens offered by an identifiable issuer for a platform that does not yet exist and with the intention to list the utility tokens on a trading platform (call this the “traditional security” end of the spectrum). On the other end of the spectrum are utility tokens offered by a DAO that already exists, immediately redeemable for goods and services and sold without an intention to list these tokens for trading on an exchange (call this the “true utility” end of the spectrum). Then there are the various kinds of utility tokens lying between these two examples. Utility tokens of any sort along this spectrum present risks to investors and the market, as well as operational risks. They may also pose systemic risks concerns. Each of these risks might vary depending on the specific asset and where it sits on the spectrum.
Cryptoasset-related risks are categorised in several different ways by government bodies and scholars. For instance, the US Treasury presented the following cryptoasset risk categories: conduct risk (including risks stemming from fraud, theft and information asymmetries); operational risks (including risks stemming from decentralisation, software vulnerabilities and other security issues); risks from intermediation (including the risk of margin calls due to the volatile nature of the cryptoasset market and risks to investors in the case of bankruptcy of custodians); and risks that stem from regulatory non-compliance and developing market oversight.Footnote 32 Turilazzi et al. categorise risks presented by DeFi into practical risks (stemming from code vulnerabilities), operational risks (stemming from rushed development or lack of accountability for maintenance of a protocol), economic risks (which are essentially market and counterparty risks), legal risks (stemming from regulatory gaps) and emergent risks (stemming from cryptoasset complexity).Footnote 33 In discussing the risks presented by cryptoasset exchanges, Johnson refers to accelerating risks (stemming from the incorporation of high-frequency trading by cryptoasset exchanges, allowing for front-runningFootnote 34 and spoofingFootnote 35 ), cyber risks (stemming from vulnerabilities to hacks) and systemic risk (stemming from, Johnson says, enterprise-specific risks which can lead to economic shocks).Footnote 36
For simplicity, this article will use the above general categorisations of cryptoasset risks as a jumping-off point to divide risks posed by utility tokens into three main categories: investor protection-related risksFootnote 37 (similar to what the US Treasury calls “conduct risks”); operational risks (which also encompass what Johnson calls “accelerating risks”); and systemic risk. These kinds of risks may of course overlap. For example, a hack categorised as an operational risk could result in losses to investors. Legal risks and regulatory gaps will not be discussed as risk categories but will instead be analysed separately to illustrate how the above risk categories are or are not addressed by regulatory authorities. As will be demonstrated, while certain risks may be unique to utility tokens, or may present differently due to the unique features of the cryptoasset market, many of the risks posed by utility tokens are not unique. They exist in traditional financial markets and fit squarely within the existing mandates of securities regulators.
A. Investor Protection
The investor protection-related risks posed by utility tokens on each end of the utility token spectrum are not unique to the cryptoasset market and exist in traditional securities markets. However, there are certain aspects of the utility token and cryptoasset market that seem to heighten these kinds of risks. Investor losses are linked, among other things, to the opacity, complexity, volatility and outright criminal activity and market abuse in the cryptoasset market.
Cryptoassets generally are not well-understood by the public.Footnote 38 Their number and variety, as well as the complexity of the underlying technology, make it challenging for investors to fully comprehend what it is they are buying. The UK’s Financial Conduct Authority (“FCA”) recently found that public understanding of cryptoassets is declining.Footnote 39 Complexity, though, is not a unique feature of utility tokens, or even cryptoassets generally. Traditional financial instruments can also be quite complex and difficult to understand, even for sophisticated parties. Before utility tokens became popular, Hu argued that the conventional disclosure-based securities regulatory regime may be insufficient to depict the complex reality of financial instruments, particularly when it comes to complicated asset-backed security structures.Footnote 40 He points to the “slippage” between financial instruments’ underlying mathematical equations and contractual provisions in pooling and servicing agreements written in the English language which may not be able to accurately depict underlying complex math concepts.Footnote 41 There is then further slippage between agreement provisions and what Hu calls the “effective reality” of what will be implemented by a computer program calculating the flow of funds relevant to these kinds of instruments.Footnote 42 There is further slippage still between reality and what the issuer describes in its disclosure documents. Thus even when making “traditional” investments, investors may not understand the complex reality of what they are purchasing or receive disclosure from sellers that depicts the details of their investment accurately. While there are disclosure limitations in traditional financial markets, cryptoasset issuers, including utility token issuers, often furnish investors with especially limited information about the complex assets they are purchasing and the risks involved.Footnote 43 A lack of disclosure may exacerbate the problem of complexity in the cryptoasset market, particularly because of the high proportion of retail investors in this market.Footnote 44 Furthermore, while “transparency” is supposed to be at the heart of blockchain technology and DeFi because the underlying code is publicly viewable and all transactions are transparent, the average investor is not able to understand a DeFi application’s code and often lacks the resources to perform technical due diligence in order to understand whether the code will perform properly.Footnote 45 For example, if the value of a utility token issued by a DeFi platform relies on the platform’s functionality, a utility token purchaser with no technical expertise, despite having access to the code the platform runs on, would not be able to assess how the platform will function. No matter where a utility token falls on the above spectrum, most retail investors purchasing utility tokens would not have the code literacy to understand how well the underlying platform will run. Complexity, therefore, is a risk to an investor purchasing a utility token for intended use on the issuing platform or purely as an investment. If the platform’s code does not function properly, the utility token will not be useful. The project will either never go live, leaving the investor with a worthless asset, or it will eventually fail, causing the value of the token on the secondary market to plummet.
A lack of transparency has, in some cases, contributed to the collapse of cryptoasset service providers, including cryptoasset service providers that issued utility tokens to the public. Regulators have found that many cryptoasset service providers are subject to serious undisclosed conflicts of interest without mechanisms for managing these conflicts.Footnote 46 For instance, some service providers function as broker-dealers on behalf of clients, while also operating the exchange platform on which their clients’ cryptoassets are traded.Footnote 47 Failed cryptoasset service providers have been found not to have disclosed adequate information about their structure, their finances, the links between their affiliated entities, the vertical integration of their services, and the overall lack of governance and internal control mechanisms. For instance, a contributing factor to the failure of FTX,Footnote 48 which was at one time the world’s second largest crypto exchange, was the revelation that the exchange’s relationship with Alameda Research, the trading firm of FTX’s CEO and co-founder, Sam Bankman-Fried, was “unusually close”; Alameda’s largest asset was revealed to be FTX’s native utility token, FTT.Footnote 49 After this came to light, Binance announced that it would sell its entire stake in FTT. Binance’s announcement caused a liquidity crisis for FTX as users rushed to redeem their assets and the exchange was not able to meet the flood of withdrawal requests.Footnote 50 Former Chair of the US Securities and Exchange Commission (“SEC”), Gary Gensler, said before the US House of Representatives Committee on Financial Services: “The commingling of the various functions within crypto intermediaries creates inherent conflicts of interest and risks for investors—risks and conflicts the Commission does not allow in any other marketplace.”Footnote 51 Investors are often provided with inadequate information including, as in the case of FTT holders, inadequate information about cryptoasset service providers’ policies or procedures, whether they have the finances available to continue providing services, and whether they will provide services that put the investor or client’s interests first.Footnote 52
Also contributing to investor-related risks is the fact that cryptoassets, including utility tokens,Footnote 53 are famously volatile. Volatility risk most affects those purchasing utility tokens as an investment rather than for their instrumental value, but it is also relevant in the case of utility tokens that lie in the middle of the spectrum and which may be purchased for one or both of these ends. The value of utility tokens tends to fluctuate depending on the interest in and the utility of the platform they are to be used on. The trading price of MKR was over $6,200 at its peak in May 2021 but was down to just over $2,000 in June 2021. As of late 2025, its trading price was back up to over $3,700.Footnote 54 Volatility certainly exists in traditional markets as well, particularly in the price of shares in companies with smaller market capitalisations;Footnote 55 however, the utility token market is far more volatile than the traditional equity market. This extreme volatility has been linked to the factors that influence cryptoasset prices, which are often considered to include investor sentiment, technology, and supply and demand factors. By contrast, traditional asset prices are usually more significantly influenced by broader macroeconomic factors such as interest rates and inflation, as well as business performance.Footnote 56
Aside from risks posed by their complexity, volatility and opacity, fraud is also a risk in the cryptoasset market and, specifically, the utility token market. Fraud is, of course, a risk for the entire spectrum of utility tokens and is not unique to these markets. The US Federal Trade Commission’s data, for example, shows almost a doubling in all investment-related scam losses between 2021 and 2022.Footnote 57 Macey too observes a recent rise in fraud in the US and argues that trust, the key factor to a thriving economy, counterintuitively causes a rise in fraud.Footnote 58 While not unique to the utility token or cryptoasset market, fraud may be more prevalent in these markets than in traditional equities markets. It was estimated, for example, that in 2017 nearly 80 per cent of ICOs, which commonly offer utility tokens,Footnote 59 were investor scams.Footnote 60 Losses from cryptocurrencies reported to the US Federal Trade Commission in 2022 exceeded $1 billion out of a total of nearly $8.8 billion fraud-related losses reported that year; of these, $3.8 billion arose from investor scams.Footnote 61 Between 2022 and 2023, offers of cryptocurrency were the largest category of potential scams reported to the FCA.Footnote 62 As described above, the second largest cryptocurrency exchange in the world, FTX, collapsed in November of 2022, with $16 billion’s worth of customer claims in bankruptcy.Footnote 63 Sam Bankman-Fried was revealed to have been moving exchange funds, including customer funds, to Alameda to cover Alameda’s losses.Footnote 64
Another common investor protection issue for utility tokens and other cryptoassets is rooted in information asymmetry. Information asymmetries exist in traditional markets and traditional securities regulation is aimed at decreasing these asymmetries. Cryptoasset issuers, though, including those offering utility tokens, particularly those on the traditional security end of the utility token spectrum, may not provide investors with full, true and plain disclosure in their promotional materials. Investors may therefore lack the information needed to make informed decisions.Footnote 65 Authorities have found, for instance, that cryptoasset promotions often do not explain the risks of the investment and advertise high rates of return without supporting evidence.Footnote 66 Some cryptoasset platform promotions make inappropriate claims about being unregulated.Footnote 67 These information asymmetries benefit insiders while disadvantaging investors.Footnote 68
Beyond issues of complexity, opacity, fraud and misrepresentations are market abuses, including insider trading and market manipulation. Again, these issues are particularly acute for assets on the traditional security end of the utility token spectrum, but market abuses and insider trading once exposed may also impact pure utility token purchasers if the underlying platform collapses.Footnote 69 In 2022 Isan Wahi, the former product manager of Coinbase, a large US cryptoasset exchange, was indicted for insider trading, having made about $1.5 million by using nonpublic information about cryptoassets that were planned to be listed on the exchange.Footnote 70 A 2023 study examining the application of asset pricing models to cryptoassets also raised the possibility of a trend in insider trading in the cryptoasset market based on evidence that a small group of traders significantly outperformed the majority of the market.Footnote 71 Although some of these cases may have involved cryptoassets other than utility tokens, the risk for utility token-related abuse is the same, given that they are traded on cryptoasset exchanges, such as Coinbase. Other examples of market abuses prevalent in both traditional financial markets and cryptoasset markets include front-running and spoofing.
B. Operational Risks
Operational risk is defined by the Basel Committee on Banking Supervision as the “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”.Footnote 72 Operational risks plague the cryptoasset market generally, and holders of every kind of utility token are susceptible to these risks. First, because there is no central record of private keys;Footnote 73 if an investor loses the relevant private key, he or she will no longer have access to his or her cryptoassets, utility tokens included.Footnote 74 Second, hacks and cybersecurity risks have been major issues since the advent of cryptoassets,Footnote 75 with platforms facilitating utility token trades being targeted.Footnote 76 According to an FBI report, cryptocurrency to the value of $1.3 billion was stolen from investors between January and March of 2022, 97 per cent of which was taken from DeFi platforms.Footnote 77 In total, hackers have taken $5.4 billion from DeFi platforms.Footnote 78 Third, like any other software-based program, cryptoasset service providers generally are vulnerable to bugs and errors in codeFootnote 79 which are exploitable by hackers.Footnote 80 For instance, if a platform is truly decentralised,Footnote 81 as many utility token offerors claim to be, maintenance may not be any specific person’s responsibility, thus creating significant risk that the code will not be maintained properly without anyone to hold accountable.Footnote 82 Accountability can be especially problematic if governance decisions are automatically executed by a DAO.Footnote 83 Aside from platform-specific concerns, there may be interoperability issues across distributed ledger technology networks, meaning that assets on one network may become untransferable to other platforms. This in turn can lead to loss of assets during a network disruption if a cryptoasset service provider does not have a proper risk-management plan or fail-safe in place.Footnote 84 Tapioca, a DAO platform designed to combat interoperability issues by allowing users to lend and borrow cryptoassets across multiple blockchains, had 30 million of its native utility tokens (“TAP tokens”) stolen and converted to Ether, one of the most popular cryptocurrencies. The value of the TAP token dropped by 96 per cent following the hack.Footnote 85 The TAP example demonstrates that utility token holders may be impacted by operational failures even if their utility tokens themselves are not at risk.
While operational risks abound in the utility token and cryptoasset space, they are also prevalent in traditional finance. For years, incumbent financial service providers have been grappling with vulnerability to cyberattacks,Footnote 86 interoperability issuesFootnote 87 and risk-management issues.Footnote 88 Computer programming and technology in traditional markets have limitations as well. In 2022, McKinsey surveyed 50 chief information officers of large financial services and technology companies. Nearly one-third of responders estimated that 20 per cent of their respective firms’ tech budgets, while earmarked for new services, went to resolving technical debt issues.Footnote 89 This study also found that nearly 50 per cent of programs designed to modernise technology failed to reduce technical debt. Moreover, as mentioned earlier in this section, because of limitations in computer programming, slippage in the traditional securities world can occur between agreement provisions relating to asset-backed securities and the computer program used to distribute cash flow among tranches.Footnote 90 Significantly, however, large, incumbent financial service providers are highly focused on operational risks and have risk-management teams and large IT departments accountable for maintenance and operational issues, whereas cryptoasset service providers may not.
C. Systemic Risk
In addition to the established investor protection-related and operational risks, cryptoassets may also raise systemic risk concerns. Again, systemic risk is not a new problem and presents serious concerns for traditional markets.Footnote 91 Systemic risk is not consistently defined in the literature. Some sources refer to it as a “chain-like” risk of institutional and market participant failure which could be harmful to the entire economy.Footnote 92 Others define it as the risk of one market participant’s default on an obligation which causes other market participants to default.Footnote 93 These defaults cause a ripple effect leading to more and more financial difficulties.Footnote 94 Common to each of these definitions is a triggering event causing a domino effect of financial hardship.
While the focus in the literature has been on systemic risk concerns posed by cryptoassets generally, utility tokens, particularly those that are used in DeFi or traded on an exchange, have featured in cases of major collapse, such as the FTX failure. Large institutions, international organisations and regulatory authorities alike have raised the potentially significant risks that cryptoassets and particularly DeFi might pose to the financial system. In the DeFi space specifically, according to the Bank of England, platforms that provide interest to lenders in the form of native utility tokens for depositing their cryptoassets into the platform’s liquidity pool may create a dangerous feedback loop in times of market stress. Whereas in the traditional market a margin call is triggered if collateral value falls below a certain threshold, in a typical DeFi lending protocol this drop usually triggers liquidation of collateral. These drops in value are likely to happen when cryptoasset prices fall and so could amplify selling behaviour during times of market turmoil. It may not be possible to liquidate collateral if the event is sudden and the collateral’s value drops significantly.Footnote 95 The Financial Stability Board (“FSB”) recognised in early 2022 that the connections between the cryptoasset market and traditional markets were limited at the time, while also predicting that as DeFi continues to grow and becomes more connected with traditional finance, it could have a real effect on the financial system generally.Footnote 96 The Financial Policy Committee of the Bank of England similarly stated that “if the pace of growth seen in recent years continues, interlinkages with the traditional financial sector are likely to increase. Moreover, the new technology has the potential to reshape activity currently taking place in the traditional financial sector, through either the migration of that activity or the widespread adoption of the technology”.Footnote 97
A recent report by the European Securities and Markets Authority (“ESMA”) found that the cryptoasset market was highly concentrated, with most trades occurring in a few assets and exchanges.Footnote 98 This raises concerns that the failure or malfunction of a major cryptoasset or exchange could affect the wider crypto ecosystem. ESMA also found that there was co-movement between cryptoasset and equity prices.Footnote 99 The International Monetary Fund (“IMF”) found similarly that cryptoasset price movements have begun to correlate with major stock indices in recent years. Given indications of increasing interconnectedness between these markets, investment in cryptoassets might no longer be an effective way of diversifying in order to hedge against price falls in traditional markets.Footnote 100 The IMF also found evidence of increased spillovers both in volatility and returns during periods of market stress originating in the cryptoasset market, the traditional financial market or from exogenous shocks.Footnote 101 While interconnection between cryptoassets and other financial assets is lower than within respective asset classes,Footnote 102 there is evidence of interlinkages between asset classes increasing over time.Footnote 103
Scholars too have raised concerns that cryptoassets may give rise to systemic risk in the future. Twohig finds that there may be contagion risks associated with fintech firms that could contribute to worse outcomes than in the case of traditional institutions.Footnote 104 Magnuson argues that fintech firms present systemic risk in a distinct way from traditional large institutions. Systemic risk, he says, is often linked with the “too big to fail” phenomenon. However, small, decentralised financial markets may pose an even greater risk than large institutions because of their opacity, because the size and structure of smaller businesses allows for greater susceptibility to shocks and the spread of those shocks, and because of the riskier behaviour that small firms engage in.Footnote 105
Large institutional investors are beginning to dive further into the cryptoasset market as well. The SEC approved spot Bitcoin exchange-traded funds (“ETFs”) in 2024.Footnote 106 The day after this approval, $4.6 billion worth of shares were traded in over a dozen spot Bitcoin ETFs. While this example goes beyond utility tokens, it nevertheless illustrates the potential for increased interconnection between the traditional financial market and the cryptoasset market to lead to greater spillover between this market and the wider economy.
A systemic event resulting from a shock to the utility token market may not occur tomorrow, but the more this market grows, and the more the underlying technology is adopted and relied upon by incumbent firms and institutions, the more likely it is that a failure in the cryptoasset market could cause a ripple effect in traditional finance and affect the entire financial system. And while the utility token market may seem small and its connections with the traditional market unclear, the downfall of the US subprime mortgage market, a small, seemingly isolated market that did not appear to have a great connection with the wider financial system has, in recent memory, sparked a global financial crisis.
As demonstrated, cryptoassets generally and utility tokens specifically present an array of risks to investors, the market and possibly to the financial system. Many of these risks are not unique to utility tokens or even cryptoassets and are prevalent in traditional finance. Some of these risks may however be heightened in the cryptoasset market, particularly in the cases of operational risks and informational asymmetries. Armed with an understanding of the risks posed by utility tokens, let us now examine how securities regulators and authorities currently deal with, or propose to deal with, these various risks.
III. Securities Regulation of Utility Tokens
EU, UK and US securities regulatory authorities have very similar mandates, albeit within different legal and regulatory frameworks. ESMA’s objectives put simply are to protect investors, to “foster the integrity, transparency, efficiency, and functioning of financial markets and market infrastructure, and to strengthen the financial system to be capable of withstanding shocks and the unravelling of financial imbalances”.Footnote 107 The UK’s FCA’s strategic objective is to ensure that the markets under its purview function well.Footnote 108 Its operational objectives are to secure an appropriate degree of protection for consumers, to protect and enhance the integrity of the UK financial system and to promote effective competition in the interests of consumers.Footnote 109 The FCA is required to act consistently with its strategic objective and advance one or more of its operational objectives as well as its more recent secondary objective of facilitating the international competitiveness and growth of the UK economy.Footnote 110 The SEC’s mission is to protect investors, maintain fair, orderly and efficient markets and to facilitate capital formation.Footnote 111
Securities regulators and rule-making authorities in each of the EU, UK and US have made the claim that cryptoassets should be regulated using the principle that the same risks should lead to the same regulatory outcomes.Footnote 112 They have, however, taken different approaches to regulating cryptoassets generally and utility tokens specifically. In recent years there has been a flurry of new cryptoasset regulatory initiatives in each of these jurisdictions, including regulatory sandbox initiatives (regulatory sandboxes allow businesses an opportunity to test new products over a short period of time while working closely with regulators).Footnote 113 Despite these efforts, regulatory gaps abound in each jurisdiction.
A. The European Union
The EU’s approach to the regulation of cryptoassets is by far the most robust of the jurisdictions examined. MiCA, a regulation of the European Parliament, came into force in June 2023. Its recitals recognise the importance of innovative financial technology, but also emphasise the risks that cryptoassets present. MiCA is intended to cover cryptoassets that do not fit properly within other EU financial services legislationFootnote 114 and to complement disclosure requirements cryptoasset businesses may already be subject to so as not to increase the burdens on these firms.Footnote 115
The provisions of MiCA are broad, covering transparency and disclosure for cryptoasset issuers and platform operators, requirements for authorisation and supervision of cryptoasset service providers, requirements designed to protect holders and clients of service providers, and requirements to prevent insider dealing.Footnote 116 ESMA released consultation packages in order to provide stakeholders with an opportunity to comment on the proposed detailed, draft technical and regulatory standards which follow from MiCA and subsequently released final reports on these standards.Footnote 117
MiCA categorises cryptoassets into three groups and sets out different requirements depending on these categories: two categories of stablecoins, being e-money tokens (the value of which is stabilised by reference to an official currency)Footnote 118 and asset-referenced tokens (cryptoassets that are not e-money, the value of which is stabilised by reference to another value or right or combination thereof);Footnote 119 and all other cryptoassetsFootnote 120 that are not stablecoins, including utility tokens.Footnote 121 Utility tokens are very narrowly defined in MiCA as cryptoassets solely intended to provide access to goods or services supplied by the token’s issuer.Footnote 122 If a cryptoasset meets the definition of “financial instrument” in the Markets in Financial Instruments Directive II (“MiFID II”),Footnote 123 then it will be subject to existing financial regulation, not MiCA. ESMA has stated that utility tokens, consistent with their narrow definition under MiCA, are not usually considered securities or financial products.Footnote 124
1. Investor protection
The investor-related utility token risks noted above are mostly addressed by MiCA. In certain contexts, utility token issuances and trading will be subject to robust disclosure requirements and service providers that deal with utility tokens will be subject to robust requirements. There remain, however, regulatory gaps which could leave investors unprotected.
Typical of securities regulatory requirements in each of the EU, UK and US, MiCA includes a great deal of mandatory disclosure requirements that mirror the EU’s current financial services regulatory regime.Footnote 125 If an offeror wishes to make an offer of utility tokens or seeks admission to trade utility tokens, they must, among other things, be a legal person and meet the white paper and marketing communication requirements under MiCA.Footnote 126 A white paper is a disclosure document that provides general information about the issuer or person seeking admission to trading, information about the project for which capital is being raised, the rights and obligations provided to cryptoasset holders, the underlying cryptoasset technology and sets out the risks related to the relevant cryptoasset.Footnote 127 The white paper must be fair and not misleading and the offeror will be held liable if the white paper does not meet these requirements. The white paper requirements do not apply to utility tokens offered for goods and services that already exist.Footnote 128 MiCA also exempts issuers from these requirements if utility tokens are to be used to redeem goods and services in a limited network of merchants with contractual arrangements with the issuer, although tokens redeemable for the issuer’s own goods and services are not exempt.Footnote 129 MiCA sets out additional guidance on when utility tokens will not be exempt, including in cases where the token is purchased without the intention to redeem goods and services and where the token is designed to be used on a continuously growing network of merchants.Footnote 130 The regulation makes clear that when considering cryptoassets, authorities should employ a “substance over form” approach.Footnote 131 The limited network exemption for utility tokens will also not apply if the cryptoassets represent “stored goods” not immediately transferrable to the buyer after purchase. In addition, an offeror will not be exempt from white paper requirements if they communicate an intention to seek admission to trading or if the cryptoasset is admitted to trading.Footnote 132 If therefore, an issuer wishes to raise funds prior to a platform’s launch and offers utility tokens under an ICO without immediate delivery (and therefore on the traditional security end of the spectrum), then the issuer will need to publish a white paper that meets the mandatory requirements under MiCA. It will also not be possible for a non-identifiable issuer to offer utility tokens to the public unless an exemption applies, because MiCA requires that the offeror be a legal person.
Marketing communications relating to a public offer of utility tokens are also heavily regulated under MiCA. These communications must be fair, clear and not misleading, which is the same requirement that applies to marketing materials governed by MiFID II.Footnote 133 In addition, under MiCA, marketing communications may not be released before a white paper, must be consistent with information provided in the white paper, and must contain a statement that no competent authority has reviewed the materials and that the offeror is solely liable for the content thereof.Footnote 134
In addition to white paper and marketing requirements, MiCA includes robust requirements for cryptoasset service providers, many of which are similar to the requirements relevant to traditional financial service providers in the EU.Footnote 135 For instance, service providers are not to use customer cryptoassets for their own accountFootnote 136 and will be responsible for losses due to operational faults, including cyberattacks, theft and malfunctions. To ensure its application to cryptoasset service provider activity that provides economically equivalent services to traditional investment firms and that is not already caught by MiFID II, MiCA includes deeming provisions equating services provided by such cryptoasset service providers with traditional financial service providers subject to MiFID II. For instance, a cryptoasset exchange platform operator, including those that exchange utility tokens, will be deemed to be equivalent to an operator of a multilateral trading facility and an organised trading facility under MiFID II and will need to comply with the requirements imposed on such trading facilities under MiFID II.Footnote 137 Cryptoasset service providers, much like traditional financial service providers, must meet prudential requirementsFootnote 138 as well as certain governance arrangements,Footnote 139 safeguard customer assets and cashFootnote 140 and, in the case of trading platforms, maintain clear and transparent rules of operation.Footnote 141 In order to operate, a cryptoasset service provider must submit an application to its relevant competent authority with disclosure about its organisational structure, whistle-blowing arrangements, whether the service provider has or will appoint external auditors, its shareholders and its management of risks relating to conflicts, among other things.Footnote 142
MiCA requires that rules be put in place prohibiting insider dealing, unlawful disclosure of inside information, and market manipulation in the cryptoasset market.Footnote 143 Policies regarding conflicts of interest management must be maintained and conflicts must be disclosed, along with the details of conflicts that may arise and how these will be managed.Footnote 144 MiCA’s market abuse regime extends the responsibility of cryptoasset transaction executors or arrangers to report suspicious transactions, including instances of maximum extractable value (“MEV”), a technique used by participants on blockchains that resembles front-running. Miners of cryptoassets or block validators have discretion as to the order of transactions they prioritise and may select transactions that pay higher transaction fees.Footnote 145 Systems and procedures should be developed proportionally to the size and nature of the business activity and risk posed to the market.Footnote 146 The third consultation package recognises that most abusive behaviours in cryptoasset markets seem to follow patterns of traditional financeFootnote 147 and uses existing technical requirements for arrangements and systems with some updates to provide for crypto-specific features.
2. Operational risks
MiCA also robustly addresses operational risks relating to utility tokens. Cryptoasset service providers are required to have systems to ensure that their platforms are resilient and can deal with high volumes of orders and messages and maintain trading under market stress.Footnote 148 They will be required to maintain basic operational, administrative and ICT (information and communication technology) security risk-management systems.Footnote 149 They must also maintain and disclose a business continuity plan that meets the standards set out in ESMA’s second package of technical standards. They will be required to disclose their rules of operation in their application to the relevant authority.Footnote 150 However, many utility tokens are offered on decentralised networks and MiCA exempts decentralised platforms with no intermediaries. The features of these service providers should be considered on a case-by-case basis and ESMA has clarified that the decentralised platform exemption is quite narrow, but little guidance is given about what a completely decentralised network is.Footnote 151
3. Systemic risk
Finally, MiCA emphasises the necessity of cooperation between competent authorities across Member States and across agencies, specifically the European Banking Authority (“EBA”) and ESMA.Footnote 152 It requires cooperation by competent authorities and by the EBA and ESMA during investigatory, supervisory and enforcement activities. Competent authorities are permitted to ask for help from authorities of other Member States. If a competent authority has “demonstrable grounds” to believe that there is suspicious activity related to cryptoassets, which include utility tokens, in another Member State, it has a duty to inform the relevant authority, as well as ESMA.Footnote 153 MiCA allows for competent authorities to enter into cooperation agreements with the authorities of states outside the EU in order to provide for the exchange of information and to allow the Member States’ authorities to better fulfil their duties under MiCA.Footnote 154 In theory, such cooperation should decrease risks to investors and markets domestically and lower the risk of illegal activity leaking across borders.
There are certain requirements in MiCA specifically designed to address systemic risk concerns. These include prudential requirements and internal control mechanisms for service providers and enhanced requirements applying to offerings of “significant asset-referenced tokens”Footnote 155 and “significant” e-money tokensFootnote 156 as well as “significant” cryptoasset service providers (those with 15 million users or more). However, DeFi was intentionally left out of this regulation and the consultation process. Thus, it remains unclear how DeFi platforms issuing or facilitating transactions of utility tokens will be regulated. As required by article 142 of MiCA, in early 2025 ESMA and the EBA released a joint report on recent developments in cryptoassets, including DeFi developments. The report found that DeFi represented a “niche phenomenon”, particularly in the EU, and so it did not propose policy recommendations related to DeFi.Footnote 157
B. The United Kingdom
Until recently, in sharp contrast to the current approach in the EU, the UK employed a light-touch approach to utility token regulation. However, the UK Government is in the midst of implementing a robust regime which would bring cryptoassets, including in some cases utility tokens, under existing securities legislation.
1. Investor protection
While anti-money launderingFootnote 158 and financial promotions regulationsFootnote 159 apply to all cryptoasset-related activity in the UK, most cryptoassets remain largely unregulated by the FCA, including exchange tokens (used as a means of exchange but not backed by a central authority) and utility tokens (unless they meet the definition of e-money as defined below). Security tokens (tokens with attributes that provide rights and obligations similar to traditional securities, such as an ownership stake in the issuer) and e-money (electronically stored monetary value representing a claim on the issuer issued on the receipt of funds, to be used in payment transactions and accepted by a party other than the issuer)Footnote 160 were until recently the only cryptoassets captured by UK regulatory initiatives.Footnote 161
Cryptoasset exchanges and ICOs (including those trading or offering utility tokens) are sometimes regulated and sometimes unregulated.Footnote 162 However, an exchange that facilitates the buying, selling and transferring of security tokens in the UK must meet the requirements for these activities. The FCA encourages those offering cryptoassets through ICOs to determine whether securities and therefore securities legislation are involved. ICOs in the UK may or may not, depending on the asset involved, require a prospectus.Footnote 163 If a token is a transferable security that will either be offered to the public in the UK or traded on a regulated market, a prospectus is required unless an exemption can be relied upon.Footnote 164 An ICO offering utility tokens to the public will likely require a prospectus in the UK unless a platform issues utility tokens privately and trades them on an unregulated cryptoasset exchange. Unless a prospectus is required, investors are typically only provided with a white paper related to the cryptoasset they might purchase. White papers have been found to be “unbalanced or misleading” as their content is not regulated as it is in the EU.Footnote 165
In 2023, HM Treasury concluded a consultation process for much more robust cryptoasset regulationFootnote 166 with the intention of regulating existing and future cryptoassets using the regulatory framework covered by the Financial Services and Markets Act 2000, rather than creating a separate regime.Footnote 167 Consistent with the FCA’s emphasis on encouraging growth of the UK’s economy and its competitiveness internationally, the following statement is included in the consultation response report: “The government considers that having robust and effective regulation will boost innovation, by giving people and businesses the confidence they need to use new technologies safely.”Footnote 168 Unlike the EU’s bespoke cryptoasset regime, the UK’s existing framework will include cryptoasset activity. A draft statutory instrument aimed at bringing certain activities under the FCA’s remit was published in April 2025.Footnote 169 A firm must be authorised by the FCA in order to participate in “regulated activities” under the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001Footnote 170 (the “RAO”) unless there is an appropriate exclusion or exemption. Cryptoassets will still not be considered “financial instruments” for the most part, and only certain activities will be regulated. Amendments to the RAO will apply in large part to activities involving “qualifying cryptoassets”Footnote 171 and “qualifying stablecoins”.Footnote 172
This regime, like MiCA, is intended to catch certain crypto-related activities not otherwise regulated in order to encourage innovation and competition, allowing consumers to make well-informed decisions, and protect financial stability and market integrity.Footnote 173 Firms participating in regulated activities, including offering qualifying cryptoassets to the public, operating a qualifying cryptoasset trading platforms, dealing in qualifying cryptoassets, and providing custodial servicesFootnote 174 will be subject to the same standards as equivalent or similar activities in traditional financial services.Footnote 175 Offers of cryptoassets that are “securities” will have to meet the requirements of the new UK prospectus regime,Footnote 176 but for other public offers of cryptoassets, prospectus level disclosure will not be required.Footnote 177 The Draft Order’s definition of “qualifying cryptoassets” seems to exclude utility tokens on the true utility end of the spectrum. A cryptoasset is not a qualifying cryptoasset if it:
(i) cannot be transferred or sold in exchange for money or other cryptoassets, except by way of redemption with the issuer; and
(ii) can only be used in the following ways—
(aa) it allows the holder to acquire goods or services from the issuer; or
(ab) it allows the holder to acquire goods or services within a limited network of service providers which have direct commercial agreements with the issuer.Footnote 178
Activities including lending and borrowing, custodial and dealing activities involving true utility tokens thus will remain unregulated in the UK. A firm will need to be authorised to carry on activities relating to a utility token that is considered a qualifying cryptoasset or that falls under another category of “specified investment” under the RAO. The Government acknowledges that utility tokens, while they may be intended to have functional features, can also be traded on cryptoasset platforms.Footnote 179 The token’s use, not just the possibility of what it may be used for, will be emphasised. The updates will also include a cryptoasset market abuse regime based on current market abuse regulation of traditional financial instruments.Footnote 180 While certain DeFi arrangements and activities appear to be captured by the above amendments, truly decentralised platforms were explicitly excluded from this regime. “Where there is no person that could be seen to be undertaking the activity by way of business”,Footnote 181 then authorisation for the activity is not required. The FCA will be responsible for determining whether a person has sufficient control over a platform. Certain decentralised finance protocol activities will thus be regulated, while other activities will not be.
Following HM Treasury’s consultation, but before the publication of the Draft Order, the FCA published a discussion paper outlining its proposals on regulating admissions and disclosures as well as its objective for the market abuse regime relating to cryptoassets including utility tokens. According to this discussion paper, for instance, if a utility token which is not a specified investment (and therefore not already covered under current securities regulation) is to be admitted to trading on a cryptoasset trading platform, then the person applying for this admission will be responsible for making disclosures and will be liable for the content of these disclosures.Footnote 182 Types of disclosures which may be required include the features, prospects and risks of the utility token; the rights and obligations attached thereto; and details of the person seeking admission to trading.Footnote 183 The FCA is also considering introducing more detailed and prescriptive rules but has recognised that in the dynamic cryptoasset market this may be impractical and could hinder innovation.Footnote 184 A cryptoasset trading platform will be expected to conduct a sufficient level of due diligence to conclude whether the utility token should be admitted to trading and whether the provided disclosures about the token and the person making the admissions are accurate and complete.Footnote 185 The FCA’s proposed market abuse regime for cryptoassets is meant to be partly based on the UK’s Market Abuse RegulationFootnote 186 but subject to the recognition that certain features of the cryptoasset market might make achieving the same outcomes as the traditional market abuse regime challenging. For instance, inside information disclosures may be difficult to regulate because issuers might be difficult to pinpoint, particularly when a cryptoasset (such as a utility token) is issued by a DAO.Footnote 187 However, this view does not seem to be consistent with the position of the International Organization of Securities Commissions (IOSCO) that even so-called “decentralised” platforms would be maintained and run by core developers and other responsible individuals.Footnote 188
While this promises to be a more robust approach than the current approach to cryptoassets in the UK, and may reduce market abuse, many important requirements will be left in the hands of cryptoasset trading venues. Utility tokens are still not clearly subject to regulation in every case and their issuance may or may not require disclosure, particularly if they are issued by a decentralised platform. Without disclosure, investors will be subject to the risks described above, especially those that stem from informational asymmetries. Respondents to HM Treasury’s request for consultation noted that leaving disclosure standards up to trading venues may mean a race to the bottom or inconsistent or additional burdens for market participants.Footnote 189 HM Treasury intentionally did not include frameworks for DeFi,Footnote 190 but the FCA’s latest discussion paper did set out its intended approach to lending, borrowing, trading platforms, staking and decentralised finance.Footnote 191 There are some who remain sceptical as to whether this regulatory update will sufficiently protect investors and speculate that it may make matters worse. The former chair of the FCA, Charles Randell, for example, stated that the Government had not attempted to “quantify the consumer harms that could result from holding crypto out as a regulated investment”.Footnote 192
2. Operational and systemic risks
Utility token operational risks, including technical vulnerabilities and cybersecurity risks, were not thoroughly addressed in the Government’s consultation or response paper. Details of disclosure and admission documents, including information about the code, cybersecurity and other technical details are to be left up to cryptoasset trading venues.Footnote 193 The FCA is still consulting on operational risks and the details of how cryptoasset firms might mitigate these.Footnote 194 Cryptoasset firms will need to disclose material sources of operational and technical risks and must have risk mitigation strategies, consistent with IOSCO recommendations.Footnote 195 In one of the FCA’s recent discussion papers, an outline of the underlying technology was included in a list of possible disclosures to be made by persons seeking admission to trading of cryptoassets. That would mean that those seeking admission to trading for utility tokens that are not on the true utility end of the spectrum and that are not otherwise covered under the RAO will likely be expected to include these details in the disclosure documents they provide to the cryptoasset trading platform and will be liable if these statements are misleading.Footnote 196
Detailed requirements relating to systemic risk will also be left up to the trading venues, with no specific standards offered by HM Treasury. The FCA did, in one of its discussion papers, touch on the possibility of safe harbours from the market abuse regime if there were financial stability concerns which result from the release of inside information.Footnote 197 How these safe harbours might relate to the utility token market remains unclear.
C. The United States
Unlike the UK’s plan to regulate cryptoassets with an updated securities law regime and the EU’s approach which explicitly encompasses cryptoassets not otherwise regulated by MiFID II, the SEC’s cryptoasset approach has until very recently relied entirely on securities regulation and analyses that have been applied to traditional financial instruments for decades. Both the EU and the UK intend to embrace innovation either by updating securities laws or implementing robust new regulations to cover cryptoasset-related risks, including some risks presented by utility tokens. In the US, on the other hand, the SEC’s position until 2025 was that existing securities laws were, without any revision, up to the task of mitigating utility token-related risks. This approach may have reflected either a concern for legislative inertia or a view that cryptoassets offer more risk than benefit. Prior to the recent administration change, President BidenFootnote 198 and the US TreasuryFootnote 199 recognised cryptoasset-specific risks that would require greater regulatory focus and possible updates. On the date of President Trump’s inauguration, Gary Gensler stepped down as Chair of the SEC, and Mark Uyeda was appointed interim chair. Uyeda is known for his pro-crypto stance and has criticised what he sees as the SEC’s overly broad interpretation of the Howey test,Footnote 200 used by courts in the US to determine if an investment contract (and therefore a security) exists.Footnote 201 In January 2025, Uyeda established a task force led by conservative Republican commissioner, Hester Peirce, dedicated to establishing “a comprehensive and clear regulatory framework for crypto assets”.Footnote 202 Following an Executive Order signed by President Trump, a White House report on digital assets was released with a heavy emphasis on ensuring US dominance in the cryptoasset market.Footnote 203 Current SEC Chair, Paul Atkins, also announced the launch of “Project Crypto” in August 2025. This initiative will review and update SEC rules in order to make the US “the crypto capital of the world”.Footnote 204
1. Investor protection
Notwithstanding federal legislative initiativesFootnote 205 and the launch of Project Crypto in 2025, US securities laws still will only apply to utility tokens if they are securities. The SEC had provided some guidance on how cryptoassets might be considered investment contracts and hence securities and how the traditional Howey test applies for purposes of federal securities laws.Footnote 206 Again, the Howey test is used by courts in the US to determine if an investment contract (and therefore a security) exists. Under this test, something is an investment contract if there is investment of money in a common enterprise with a reasonable expectation of profits to be derived from the efforts of others. While crypto-specific SEC guidelines list certain factors the presence of which makes the finding of a security more likely, in a rapidly developing sector this was not intended to be an exhaustive list and offerings or sales of securities must be registered with authorities unless an exemption is available.Footnote 207 The SEC’s strategy was reactive for the most part, with the doubling of crypto-related enforcement efforts in 2022.Footnote 208 Following its change of leadership, in 2025 the SEC established the Cyber and Emerging Technologies Unit,Footnote 209 which replaced the Crypto Assets and Cyber Unit with about half of the staff of the previous unit.Footnote 210
Gary Gensler likened cryptoasset trading platforms to traditional exchanges, stating that they “play roles similar to those of traditional regulated exchanges. Thus, investors should be protected in the same way”.Footnote 211 Gensler also made clear during his tenure that ICOs involve securities in the vast majority of cases.Footnote 212 ICOs should thus be subject to the same robust registration and disclosure requirements as any other securities offering. This included offerings of utility tokens, in some cases, even when the tokens clearly had a utility function. The SEC, for example, launched a suit against LBRY, Inc.,Footnote 213 alleging that LBRY was issuing securities without registration in contravention of securities laws. LBRY, a network allowing for video and image sharing, had been selling “LBC”, its native utility token, to the public. Users of the LBRY network were required to pay a fee in LBC to access its features.Footnote 214 LBRY argued that LBC were not securities and were purchased by some to be used and not as an investment. The court agreed with the SEC that LBCs were securities, concluding that a token might both have a utility function and constitute a security under the Howey test. The court emphasised various claims made by LBRY to prospective investors that would have caused investors to have a reasonable expectation that LBC’s value would increase over time due to the managerial efforts of LBRY. Even without these direct statements, the court noted that by retaining large amounts of LBC, LBRY “signaled that it was motivated to work tirelessly to improve the value of its blockchain for itself and any LBC purchasers”.Footnote 215
Though utility tokens offered under an ICO or to raise capital for a network were commonly treated as securities in the US, this treatment may in some instances have been issuer-dependent rather than asset-dependent. Former SEC commissioner, William Hinman, while agreeing that calling something a “utility token” does not disqualify it from meeting the definition of security, has said that sufficiently decentralised platforms offering utility tokens may not be subject to securities regulation. As he explained:
If the network on which the token or coin is to function is sufficiently decentralized – where purchasers would no longer reasonably expect a person or group to carry out essential managerial or entrepreneurial efforts – the assets may not represent an investment contract. Moreover, when the efforts of the third party are no longer a key factor for determining the enterprise’s success, material information asymmetries recede.Footnote 216
What it means to be “sufficiently decentralized” was not clarified by Hinman or the SEC. The recent White House report on digital assets does provide certain factors it recommends Congress consider in determining the regulatory treatment of DeFi, including whether an application takes control over user assets (although DeFi platforms typically do not take control over user assets), whether the software is capable of being modified once deployed, the extent to which there is centralised management of a platform, and the extent to which an application is capable of complying with current regulations.Footnote 217 What qualifies as centralised management of a platform and the extent to which an application is capable of complying with current regulations remain difficult challenges.
The view of the SEC used to be that utility tokens fit squarely within existing laws and its regulatory approach was vigorous enforcement of these laws. If one accepts that utility tokens fit neatly within existing regulation, then theoretically investor protection concerns arising from a lack of information and transparency, fraud and market abuse should all be appropriately addressed through enforcement. Securities fraud is already illegal, robust disclosure is required if a firm is issuing a security, and abusive market practices are also outlawed under securities laws in the US.
However, if utility tokens and service providers facilitating trades and holding custody of these assets do not fit appropriately within the existing rules, this may lead, as has been observed in the US, to uncertainty about the application of current laws or to investors being subjected to the above-noted risks or provided with unhelpful information. Drexler argues that the SEC’s approach to ICOs is inappropriate. Utility token purchasers are provided with information about the issuer’s financials and management, about the sources of competition of the issuer, and about the risks surrounding its operations and projections. He claims that this kind of information is not useful for utility token-buyers because they are not acquiring equity interests in the issuer. These investors, instead, want to know the impact value of the token, its functionality, its secondary market volatility and potential cybersecurity risks.Footnote 218 It seems likely, however, that an issuer’s financials and management would have an impact on its ability to improve the platform’s functionality and consequently would be relevant to the token’s volatility in the secondary market.
It remains to be seen just how utility tokens will be treated by the SEC going forward. The SEC, for the first time since 2019, issued a no-action letter concerning a crypto project.Footnote 219 The project, called DoubleZero, launched “2Z” utility tokens on 2 October 2025. DoubleZero’s request to the SEC for a no-action letter claimed that the tokens were to be issued as compensation to those supporting a decentralised physical infrastructure network but this filing also contemplated a secondary market for 2Z tokens which could involve speculative purchases.Footnote 220 In a statement accompanying the SEC’s no-action letter, Commissioner Peirce distinguished between uncommon instruments, which nevertheless have security attributes, and those that “facilitate the programmatic functioning of a decentralised physical infrastructure network”, which are not sold to “finance additional development from investors attracted solely by the prospect of investment returns”.Footnote 221 The SEC therefore left the door open for action in the future if facts or circumstances change. Shortly after the 2Z tokens were launched and began trading on a number of large exchanges, including Coinbase and Binance, their value plummeted by 65 per cent. This drop in value was due to confusion about the token’s supply as well as some technical issues encountered by traders. DoubleZero had issued a white paper in accordance with MiCA which disclosed that there would be approximately 700 million tokens circulated at launch,Footnote 222 but at the token’s launch there were in fact 3.4 billion 2Z tokens in circulation. The project’s team has not provided any additional information about the discrepancy.Footnote 223
Commissioner Peirce has confirmed that federal securities laws still apply to tokenised securities, although her statement was focused largely on tokenised versions of traditional securities.Footnote 224 Thus, utility tokens on the traditional end of the securities spectrum may still be subject to federal securities laws, while pure utility tokens will likely sit outside of these regulations. The court in LBRY confirmed that a utility token could be a security even if it had a utility function. In its attempt to encourage growth and innovation, the SEC’s narrower interpretation of the Howey test may leave investors unprotected and with inadequate information about the risks of their investment.
2. Operational and systemic risks
In May 2022, President Biden signed an Executive Order relating to the responsible development of digital assets which contained several policy objectives including the protection of consumers, investors and businesses, protection of financial stability and the reduction of systemic risk, keeping the US financial system and technological innovations competitive, and supporting innovation.Footnote 225 Following this order, the US Treasury Department published a report with recommendations for reducing risks posed by cryptoassets. The Treasury recognised operational and possible systemic risks presented by cryptoassets and the Treasury recommended that government agencies continue to monitor the cryptoasset sector for illegal activity, that enforcement be expanded and that agencies work together to bring enforcement actions.Footnote 226 Agencies should also, according to the Treasury, continue to review their cryptoasset policies and provide additional rules and guidance, address education about cryptoasset services and operational and technical mandates that relate to intermediaries, and ensure that the public has access to accurate information about cryptoassets that highlights their risks.Footnote 227 The most recent report from the White House also recognises similar operational risks, although it encourages rules that provide clarity to market participants and emphasises growth and innovation to ensure US dominance in the cryptoasset market. If utility tokens and DeFi remain unregulated, this could increase the potential for systemic risk.
D. Comparing Approaches
In each of the EU, the UK and the US, rule makers and regulators are relying on securities regulation to attempt to manage the risks presented by utility tokens in different ways. The SEC’s previous enforcement-heavy approach was certainly not perfect. However, the new crypto taskforce and “Project Crypto” in the US, while providing crypto-specific rules, may open up investors, the market and the financial system to even more utility token-specific risks. The risks posed by utility tokens might be more clearly managed by the EU and UK approaches. The variance in approaches to cryptoasset and utility token regulation may be explained by differing views of cryptoassets or may arise from structural or political differences in securities regulatory systems in the EU, UK and US. For instance, the EU is comprised of many different jurisdictions. One objective of MiCA was to eliminate disjointed approaches to cryptoasset regulation across the EU and to support the functioning of the EU Single Market.Footnote 228 MiCA requires ESMA, a European Supervisory Authority, to put forward guidelines to be implemented at the Member State level. The EU’s approach to financial regulation has been for some time robust and directive heavy. For example, its approach to post-financial crisis regulatory updates has been referred to as “death by a thousand directives”.Footnote 229 The FCA in the UK is instead known for its light-touch approach to securities regulation, which has, until recently, been consistent with its approach to cryptoassets, leaving most of the above-noted utility token risks unchecked. The UK, however, like the EU, recognising the traditional as well as heightened risks posed by cryptoassets and utility tokens, intends to update financial regulation in the UK to address cryptoassets, including utility tokens in some cases, directly. The SEC, on the other hand, usually focusses heavily on enforcement and has in the past not wished to “risk undermining 90 years of securities laws and create some regulatory arbitrage or loopholes”Footnote 230 but will likely now introduce crypto-specific policies and has narrowed its interpretation of the Howey test. What is common to each jurisdiction is that utility tokens are still sometimes covered by securities regulation and are at other times excluded. Furthermore, in each jurisdiction, clarity has not been offered regarding possible securities regulation of DeFi platforms which often offer or facilitate transactions involving utility tokens.
IV. Way Forward
Stepping back from these varying approaches, and in light of the above in-depth analysis of utility token risks, the question remains: is securities regulation, in fact, the appropriate tool to address these risks? The answer to this question is yes. While utility token characteristics vary, securities regulation is the appropriate tool to regulate this kind of asset. Securities regulation is designed to encompass an enormous spectrum of complex assets and activities. A survey of the risks presented by utility tokens reveals that those closer to the traditional security end of the spectrum are more likely to be susceptible to risks stemming from information asymmetries and other kinds of market abuse. Utility tokens of every type, however, present operational risks stemming from code vulnerabilities, investor protection concerns stemming from fraud, complexity and opacity, and may present systemic risk concerns if they are used on DeFi platforms in particular. Therefore, applying a “same risk, same regulatory outcome” principle (as authorities say they are applying in each of the EU, the US and the UK), it should be reasonable to use a disclosure-based securities regulatory regime to address many of these risks. Securities regulation is designed to be used flexibly to cast a very wide net (which could include all types of utility tokens) and release, through exemptions, the kind of assets or activities that might not need to be subject to robust disclosures because they do not present serious risks to investors or the market.
For instance, if an identifiable issuer issues a utility token on a platform that is still being developed, which is redeemable for services that do not yet exist, then this offering will pose investor protection risks. Those risks stem from information asymmetries and market abuse risks as well as the operational risks noted above. Securities regulation should be effective at addressing these risks through mandatory disclosure. If, however, a truly decentralised platform issues a utility token to be used on a platform that is already live; if that token provides access to goods and services already offered by the issuing platform; and if the issuer has no plans to list the token on an exchange, then this offering presents risks that more closely resemble those involved in the sale of a gift card than a traditional security. This offering, though, will still present all of the operational risks noted above. Additionally, it will pose certain of the investor protection risks relating to fraud, complexity and the risk that the offering issuer might fail, resulting in the utility token being rendered unredeemable (just as would be the case if a business selling gift cards were to go bankrupt). In the case of DeFi, utility token use could also lead to systemic risk concerns. Securities regulation as a framework in the EU, the UK and the US is still well equipped to handle this kind of offering through the use of carefully calibrated exemptions, applicable where there is less information asymmetry or through a more relaxed disclosure regime for cryptoassets while still requiring appropriate disclosures about the issuers’ operations and platform functionality. This kind of regulation would not be an unreasonable extension of the boundaries of securities regulatory regimes in any of the EU, US or UK. It would support the mandates of investor protection, strengthening of the financial system, and fostering capital formation.
Merton compares market innovation surpassing infrastructure to the introduction of a new high-speed train that cannot run safely on existing railroad tracks. Failing to upgrade the infrastructure, he notes, means that the promised benefits of the high-speed train are outweighed by the danger to passengers if the train is run on outdated tracks. Passengers could be protected simply by imposing a permanent speed limit for the train, but this would mean the benefits of the innovative technology would be lost. Alternatively, he suggests that a speed limit could be introduced as a temporary measure only to be imposed until the tracks are upgraded.Footnote 231 In the case of cryptoassets, the relevant out-of-date infrastructure not designed to handle this innovation might be today’s securities regulation. Critics have suggested that because there seems to be no social benefit to be gained from cryptoassets, and by extension utility tokens, they should, like a permanent speed limit on the high-speed train, be banned entirely.Footnote 232 But such a drastic measure could mean that their benefits may never be properly realised simply because policies to support their proper use are not yet in place. In any case, as HM Treasury stated in its consultation response paper, outlawing cryptoassets would not address the risks they poseFootnote 233 and, as Johnson points out, “the horse is out of the gate”.Footnote 234 Utility tokens and cryptoassets, more broadly, are too widespread to ban effectively. Macey, another cryptoasset critic, instead suggests a lighter approach to regulation. More regulation of crypto, he argues, might legitimise it and, in his view, the social value of crypto does not justify such legitimisation. He asserts that more regulation will tend to lead investors to believe that the market is safe, and so will encourage more investment in the space and that, in turn, could lead to more fraud.Footnote 235 However, he provides no empirical evidence in support of this assertion. ESMA, in a recent report, predicts that regulatory certainty brought by MiCA may increase trading volumes in the EU,Footnote 236 but even if trading volumes increase, this would still not provide evidence of a causal link between greater regulation and fraud.
Ultimately, it may not be necessary to determine whether utility tokens represent a socially positive, negative or neutral financial innovation in order to ensure that they are properly regulated. What is clear is that securities regulators are responsible for protecting the investing public and the stability of the financial system. In most cases, regulators agree that they are “technology neutral”.Footnote 237 The more important question is what is to be done with the risks presented by utility tokens. While some argue that fintech generally and cryptoassets specifically present something entirely new,Footnote 238 a deep analysis reveals that risks posed by utility tokens, in most cases, do not appear to present a wholly new challenge for securities regulators. Indeed, in many cases they appear to present the same risks as many previous financial innovations. There may be certain instances in which the unique underlying technology exacerbates these risks. For example, code vulnerabilities open up utility token holders to risks of hacks, especially on DeFi platforms that run entirely on smart contracts without a traditional financial intermediary. Still, an entirely new regime does not seem to be called for. A 2019 study surveying global crypto regulation recommended examining current regulations before creating bespoke cryptoasset regulations.Footnote 239 If the goal of cryptoasset regulation is to promote a “same risk, same regulatory outcome” as authorities in each jurisdiction examined have said it is, then an entirely new framework does not seem necessary to appropriately regulate utility tokens. Current regulation may need some further updates however. In other words, an entirely new track does not seem called for, but maintenance of the old track might be required.
While securities regulation itself might be the appropriate tool to regulate utility tokens, there remains an open question as to how it should and could best be applied consistently in each of the EU, the US and the UK to address the above-noted risks while allowing society to reap the benefits of utility tokens.
To promote consistency in approach, international bodies, including the FSB and IOSCO, have provided cryptoasset policy recommendations.Footnote 240 While providing a helpful starting point, these recommendations are, by design, high-level. Granular details of what updates or legislation may be required are appropriately left up to domestic rule makers.
If the risks presented by utility tokens are similar to traditional securities (even taking into account the spectrum of utility token types), then, drawing from the “same risk, same regulatory outcome” principle, a possible consistent approach would be to simply extend the definition of securities to include utility tokens in relevant regulation and incorporate them into the regulatory perimeter, like any other security. However, rule makers in the EU, UK or US have not done this, though they have acknowledged that cryptoassets are securities in certain cases and treated them as such. If utility tokens do present risks that are very similar to those of traditional financial instruments that fall within the current perimeter of securities law in each of the EU, UK and US, why not, then, simply add another prong to the definition of “security” itself? The SEC’s initial position during Gary Gensler’s tenure was that this was unnecessary because the law already appropriately covers cryptoassets as is. The recent White House report, though, recommends the SEC updates its rules and establish an exemption from registration requirements for securities that involve digital assets (which would include utility tokens).Footnote 241 The EU and the UK have come out with robust policies (or in the UK’s case, plans for policies) addressing utility tokens, but without updating any definition of “security” or “financial instrument”, thus creating variant forms of securities regulation when it comes to cryptoassets. But as already mentioned, securities laws are intentionally broad and flexible. They are meant to cast a very wide net initially and release things from this net where appropriate.Footnote 242
For instance, in the case of the US, the definition of “securities” in the Securities Act of 1933Footnote 243 could be amended to include specific reference to cryptoassets, a term which could in turn be defined to include utility tokens. The peculiarities of these asset classes could be addressed with exemptions or slightly different standards in order to account for any heightened risks. This would be consistent with the “same risk, same regulatory outcome” principle. Drexler argues that the information provided in a traditional registration statement in the US is not useful for utility token purchasers not usually gaining or looking for a financial stake in the relevant platform.Footnote 244 He argues for a prospectus exemption from the registration requirements for ICOs where the issuer is sufficiently decentralised. If the platform is not sufficiently decentralised, then it should be allowed to rely on an updated accredited investor prospectus exemption which includes technology experts in the definition of accredited investors.Footnote 245 These updates, along with the addition of cryptoassets to the definition of security, may be a helpful way of including cryptoassets within the US’s regulatory perimeter to address utility token-specific risks while still providing clarity to market participants about the specific contexts in which disclosure and other requirements would apply to their activities.
Updates to the definition of “security” or “financial instrument” in the case of the UK and the EU may be more about form over substance. The clear intention of both EU and UK rule makers was to use existing securities regulatory regimes for cryptoassets and related activities which fit neatly within these policies and to introduce new, robust policies for cryptoassets and related activities which do not. In the UK and the EU, the robust policies currently being developed sufficiently address many of the risks posed by utility tokens outlined above, with certain exceptions, particularly in the case of DeFi. Instead of such a robust regulation, like MiCA, other relevant directives, including, inter alia, MiFID II, the Prospectus Regulation and Transparency Directive, might instead be updated to account for utility tokens and achieve the same outcomes. If a utility token does not present the same risks as traditional securities, then instead of issuing a prospectus, an issuer could be allowed under an exemption to issue a white paper, thereby meeting the requirements in MiCA. At this time, it may seem more pragmatic to have one, long regulation rather than updating so many others. However, this approach may prove more confusing and complex in the future as the cryptoasset market becomes larger and more interconnected with traditional finance. In a European Banking Institute report, Lehman criticises the EU’s approach to regulating cryptoassets, in part because it is not technologically neutral and is designed to cover only assets that use distributed ledger technology.Footnote 246 While it is true that the cryptoasset regime targets only assets that use a specific technology, the point of MiCA was to catch assets that present the same or similar risks as traditional financial assets but that were not being caught by so-called “technologically neutral” incumbent financial regulation. In other words, it is designed to fill the cryptoasset-shaped hole in previously existing financial regulations, which provided an advantage for those using distributed ledger technology. In any case, including cryptoassets in the already robust financial regulatory regime would eliminate claims of technological bias. Thus the flexible securities regulation currently in place in the EU, as it has been in the UK, could be built upon to fashion different requirements for different types of utility tokens. In the UK, while certain utility token activities will require authorisation by the FCA under the amended RAO, pure utility tokens are explicitly excluded from many of these amended provisions. HM Treasury specifically declined to make updates to the definition of “financial instrument”, stating that this would lead to unsuitable or onerous rules.Footnote 247 Exemptions or different standards would be a simple way to account for this quandary. Even accepting that utility tokens are securities and should be treated as such, updates to the current regulatory regime seem necessary in each jurisdiction if the “same risk, same regulatory” principle is to be adhered to.
Regardless of how regulators deal with the definition of “security”, further investigation in each jurisdiction is required to address the various risks posed by DeFi, particularly in light of the systemic risk concerns it raises. Despite the above regulatory efforts in the EU, UK and US, regulatory gaps relating to utility tokens remain. It is so far unclear how DeFi platforms issuing or facilitating transactions involving utility tokens will be regulated. Regulation of DeFi was explicitly excluded from MiCA for the time being. In the US, if a platform is truly decentralised, securities regulation may not apply, but what decentralisation means has not been clarified. It is also not evident how a DeFi platform issuing or facilitating the trade of utility tokens will be treated in the UK because truly decentralised platforms, as determined by the FCA, will not require authorisation. It is conceivable that a decentralised platform may not currently be subject to securities regulation in any of these jurisdictions. This means that investor protection risks (with perhaps the exception of certain risks stemming from informational asymmetries, such as insider trading), operational risks and possible systemic risk concerns remain.
The FSB supports the expansion of financial regulatory perimeters if financial stability risk is not adequately addressed by current regimes.Footnote 248 There has been a suggestion that it is DeFi’s underlying technology that should be regulated, rather than the issuers of utility tokens themselves.Footnote 249 IOSCO, though, in detailing its DeFi policy recommendations and concerns, notes that while the technology underlying DeFi protocols is new, DeFi business operations, from a functional and economic perspective, are similar to traditional financial service providers.Footnote 250 Rule makers seem reluctant to make the first move in some cases, citing concerns about being onside international developments.Footnote 251 Utility tokens issued by clearly identifiable parties may fit squarely within current and developing securities law regimes. Truly decentralised platforms will certainly be more difficult to hold responsible for regulatory breaches but can and should be regulated using securities regulation. And while IOSCO’s position is that regardless of the level of decentralisation, there will always be “Responsible Persons” involved in controlling or influencing the offer of products, services or engagement in activities, the list of potentially “Responsible Persons” IOSCO provides in its DeFi recommendations is incredibly broad.Footnote 252 To be sure, as long as utility tokens are issued and used on these protocols without sufficient regulatory protections in place, investors and markets more generally will be open to the risks noted above.
V. Conclusion
Utility tokens present investor protection and operational risks and may also pose systemic risk. Many of these risks are not unique to the cryptoasset market and can be found in traditional markets. Unsurprisingly, given political and structural differences across the EU, UK and US, the cryptoasset regulatory approach and, more specifically, the approach towards utility tokens has developed in different ways. In each case there remain domestic regulatory gaps, leaving certain risks unmanaged.
The above analysis reveals that it is reasonable to use securities regulation to regulate the spectrum of utility tokens, given the similarities between utility token risks and those found in the traditional securities market. Updating current regimes so that utility tokens are treated like every other security, with necessary amendments to properly mitigate the above-noted risks, exempting activities where appropriate and allowing for retail investor participation, seems the simplest way to ensure that the same risks yield the same regulatory outcomes and that any new or heightened risks are appropriately and consistently managed in each of the EU, UK and US. None of these jurisdictions have presented robust solutions for regulating DeFi. This is certainly a topic for further research and one that will require greater regulatory effort.
While utility tokens have been the focus here, the applications of this analysis are much broader. It will be useful to analyse other kinds of cryptoassets through this lens and examine historical examples of financial innovation in order to understand how similar risks posed by novel financial instruments or processes have been managed by regulation in the past. This framing could be applied to further developments in cryptoassets and to future financial innovation, which is likely to continue at a rapid pace and should help to provide an answer as to whether cryptoassets more generally truly represent something new from a securities regulatory perspective.
Rule makers seem to agree that the time to act is now, whether through enforcement or with robust cryptoasset-specific regimes. Coffee argues that, without crisis, regulatory inertia inhibits reform. Following crisis, regulation is implemented and then clawed back in a “sine curve”.Footnote 253 Romano and Bainbridge have criticised reform regulations following crises for being hastily implemented and poorly justified.Footnote 254 Securities regulators and rule makers are paying attention to cryptoassets now (perhaps because of fairly recent disasters in the cryptoasset market) and there may be enough momentum to proactively avoid a systemic crisis if appropriate regulation is implemented in time. HM Treasury has said that if cryptoassets become systemic then requirements beyond those in the UK Government’s most recent consultation may need to be considered.Footnote 255 Gorton’s words about stablecoins ring true for utility tokens and DeFi: “Some policymakers may view stablecoins as an up-and-coming financial innovation that does not currently pose any systemic risk and therefore believe that the best strategy is to wait to see how things play out. That would be a terrible mistake.”Footnote 256
Open access
