How to Navigate ICO Securities Laws — Compliance Guide
Who This Is For
This guide is for crypto founders, legal counsel, and investors who need to understand how securities laws apply to initial coin offerings (ICOs) without getting sued by the SEC.
What You’ll Need
- A basic understanding of blockchain tokens and smart contracts
- Familiarity with the Howey Test (we’ll recap it)
- Access to legal resources or a securities lawyer
- A written whitepaper or project description
- Patience — this stuff changes fast
Step 1: Understand the Howey Test
The SEC uses the Howey Test to decide if something’s a security. It’s a four-part test from a 1946 Supreme Court case. An investment contract exists if there’s (1) an investment of money, (2) in a common enterprise, (3) with a reasonable expectation of profits, (4) derived from the efforts of others.
For ICOs, the SEC has been clear: most tokens sold to raise funds pass this test. In the 2017 DAO Report, they ruled that DAO tokens were securities. Since then, over 70% of ICOs the SEC reviewed were deemed securities, according to a 2023 study by CoinDesk. So if your project has a team building a platform and you’re selling tokens to fund that, you’re likely dealing with a security.
But here’s the kicker: utility tokens can escape this. If your token is purely for accessing a service and has no profit expectation tied to the team’s work, you might be safe. Think of it like buying a gift card — not a security.
Step 2: Register or Find an Exemption
If your ICO is a security, you have two paths: register with the SEC or use an exemption. Registration is expensive — think $200,000+ in legal fees and ongoing reporting. Most startups skip it.
Exemptions are more common. Regulation D (Rule 506(c)) lets you raise unlimited money from accredited investors only. Regulation A+ lets you raise up to $75 million from everyone, but requires SEC review. Regulation S is for non-US investors. And Regulation Crowdfunding (Reg CF) lets you raise up to $5 million from anyone, but with disclosure requirements.
In 2025, over 60% of compliant token sales used Reg D. But remember: even with exemptions, you can’t actively market to the public in the US. That includes tweets, Discord invites, or billboards.

Step 3: Check Your Token’s Utility
This is where most founders mess up. Just calling your token a “utility token” doesn’t make it one. The SEC looks at substance over labels. If your whitepaper promises profits, if you market it as an investment, or if your token’s value depends on your team’s work, it’s a security.
Real utility tokens have a clear, immediate use case. Think Filecoin — you buy it to store data, not to profit from the team’s efforts. Or Basic Attention Token (BAT) — used to tip content creators. These passed SEC scrutiny because they weren’t sold as investments.
Ask yourself: does my token have functional value today, or is it just a bet on future platform success? If it’s the latter, you’re in security territory.
And don’t forget state laws. In 2024, New York, Texas, and California started cracking down on unregistered ICOs. You’ll need to check each state’s blue sky laws too.
Step 4: Draft Your Legal Disclosures
If you’re using an exemption, you still need disclosures. For Reg D, file Form D with the SEC. For Reg A+, submit a full offering circular. For Reg CF, file Form C. These documents must include:
- Risk factors (technical, market, regulatory)
- Use of proceeds (how you’ll spend investor money)
- Team background and conflicts of interest
- Token economics (supply, vesting, distribution)
One huge mistake: copying from another project’s whitepaper. The SEC has fined teams for misleading disclosures. In 2023, the SEC fined a blockchain startup $1.5 million for claiming their token wasn’t a security when it clearly was.
Also, include a clear statement: “This token has not been registered under the Securities Act and may not be offered or sold in the United States absent registration or an applicable exemption.” This isn’t optional.
Step 5: Market Only to Eligible Investors
Once you pick an exemption, you can’t just blast your ICO on Twitter. For Reg D, you can only solicit accredited investors — people with $1M+ net worth or $200K+ annual income. You need to verify their status via tax returns, bank statements, or a letter from a CPA.
For Reg CF, you can market to anyone, but there are investment limits based on income and net worth. And you can only use SEC-approved platforms for the offering.
This is where many ICOs fail. They run a public presale, post on Reddit, or do a YouTube ad. That’s illegal if you haven’t registered. In 2024, the SEC charged a DeFi project $500,000 for doing an unregistered public offering through a Telegram group.
So keep your marketing tight. Use whitelists, KYC/AML checks, and geofencing to block US investors if you’re using Reg S. And never, ever promise profits or use words like “investment opportunity.”
Step 6: Plan for Post-Sale Compliance
Your job isn’t done after the ICO. If you registered or used Reg A+, you need to file annual reports (Form 10-K, 10-Q) with the SEC. If you used Reg D, you file Form D annually but have less ongoing reporting.
But even without registration, you face risks. The SEC can retroactively deem your token a security years later. In 2025, the SEC went after three projects that held ICOs in 2018, arguing their tokens were always securities. The settlements cost them $10 million combined.
Also, token holders might sue you under state securities laws. Class actions are real. In 2023, a class action against an ICO project settled for $2.5 million because the team didn’t disclose their token was a security.
One way to reduce risk: make your token more decentralized over time. If the team loses control, the token might no longer be a security (the “efforts of others” prong fails). But this is a gray area — no court has ruled on it yet.
And keep an eye on crypto-specific regulations. The SEC’s 2024 guidance on digital assets said that tokens with “functional networks” might not be securities. But that’s a high bar — your network needs to be fully operational and decentralized from day one.
Common Pitfalls
⚠️ Mistake: Assuming utility tokens are always exempt. Fix: Test your token against the Howey Test honestly. If you’re raising money by selling tokens, you’re probably selling a security.
⚠️ Mistake: Doing a public presale without verifying investors. Fix: Use KYC/AML software and verify accredited investor status before accepting any funds. This isn’t optional — it’s the law.
⚠️ Mistake: Ignoring state laws. Fix: Check each state where you have investors. New York requires a BitLicense for token sales. Texas requires securities registration. California has its own crypto laws. Use a compliance platform to track this.
What Next?
After you’ve structured your ICO to comply with securities laws, learn how the Howey Test applies to DeFi tokens and start building your legal framework with a qualified securities attorney.
