On May 4, 2022, California Governor Gavin Newsom signed an executive order calling for comprehensive crypto asset regulation in California. The order, which seeks to harmonize a California regulatory scheme with an as-yet-undeveloped federal framework for digital assets, aptly recognizes that in the crypto sphere “responsible innovation has been encumbered by regulatory uncertainty, especially with regard to federal law.” The best way to resolve the uncertainty identified in the California order is for regulators to clarify whether and when existing laws apply to the crypto ecosystem, and not use enforcement actions as a substitute for formal rulemaking, as has too often been the case.

Similar to the Biden Administration’s March 2022 Executive Order on Ensuring Responsible Development of Digital Assets, which largely instructed federal regulators to identify policy gaps and report back with recommendations, the California order calls on state agencies to collect stakeholder input, produce reports, and begin crafting a crypto regulatory approach. While state and federal laws prohibiting fraudulent and deceptive business practices are longstanding, policymakers have yet to hammer out key details about whether more technical requirements apply to crypto projects, such as registration, disclosure, and reporting obligations across domains including securities, tax, and anti-money laundering laws.

Not rushing to judge novel and complex issues can be prudent, but delaying or avoiding formal rulemaking while simultaneously subjecting market participants to unpredictable enforcement makes compliance a fraught guessing game and can push entrepreneurs out of the United States. Pursuing enforcement actions without first issuing formal rules has been a longstanding shortcoming of the Securities and Exchange Commission’s (SEC) approach to crypto regulation. The day before Governor Newsom signed his order, the SEC had suggested it was doubling down on enforcement, announcing increased staffing for the Crypto Assets and Cyber Unit in the Division of Enforcement. SEC Commissioner Hester Peirce’s response to this news put it best: “The SEC is a regulatory agency with an enforcement division, not an enforcement agency. Why are we leading with enforcement in crypto?”

The SEC has been leading with enforcement for some time. In 2017, the SEC instituted a watershed cease-and-desist order against Munchee (the developer of a restaurant review app) for selling crypto tokens that the Commission considered to be unregistered securities; Munchee’s app sought to pay restaurant reviewers in these tokens, which were to be redeemable for in-app and in-restaurant purchases. The SEC has launched numerous other enforcement actions against so-called “initial coin offerings” (ICOs), including where, as with Munchee, the tokens were developed to provide access to certain goods and services within a network. Yet not all crypto projects necessarily have involved the offer of securities in the eyes of the SEC. In 2019, by contrast, the Commission provided a no action letter in the case of a token sale where, among other things, the offeror would not use the proceeds to develop its platform, which would be fully operational by the time any tokens were sold.

In an apparent effort to reveal some of the thinking behind this enforcement approach, on the same day that the Commission issued the 2019 no action letter, the SEC’s Strategic Hub for Innovation and Financial Technology issued a “Framework for ‘Investment Contract’ Analysis of Digital Assets.” The Framework outlined some factors to consider when assessing whether the sale of a digital asset is an offer of a security, which often comes down to the question of whether a token’s purchaser is “relying on the efforts of others,” or, put differently, whether the project is too “centralized” to avoid a collision with securities law.

While this informal guidance is not nothing, the Framework is far from definitive as guidance, let alone as a set of clear, final rules. By the Framework’s own terms, the factors provided “are not intended to be exhaustive in evaluating whether a digital asset is an investment contract or any other type of security, and no single factor is determinative.” Also, the document notes, “[T]he Commission has neither approved nor disapproved [the Framework’s] content.”

Compounding the ambiguity, a notable 2018 speech by the SEC’s then-Director of the Division of Corporate Finance, William Hinman, implied that the Commission might have let one slide where a prominent crypto token network—Ethereum—that may once have involved sales of securities in the SEC’s eyes became sufficiently decentralized such that the token (Ether) was no longer a security. According to Hinman, “applying the disclosure regime of the federal securities laws to current transactions in Ether would seem to add little value.” Nonetheless, while Ethereum may have been the beneficiary of decentralizing at the right time, in 2020, the SEC again provided a cautionary tale, alleging that from 2013 to 2020, Ripple engaged in an offer of unregistered securities when selling XRP tokens (the native coins of a blockchain designed to facilitate payments, remittances, and real-time settlements).

With respect to Ripple, it is fair to ask whether XRP was as decentralized in 2020 as Ethereum was in 2018. Nonetheless, it also is fair to ask the SEC how market participants are to evaluate their compliance positions in light of the Commission’s checkered pattern of crypto enforcement actions (and apparent inaction) and lack of formal rules interpreting how securities laws apply to crypto projects. Judging by the absence of such rulemaking from the SEC’s most recently published regulatory agenda, and SEC Chair Gary Gensler’s perspective that the Commission already has set forth its views on the subject, the regulatory clarity sought by Governor Newsom’s order may remain elusive.