The SEC Confirms: The Nature of the Activity Matters

A recent European Central Bank working paper looks to analyze decentralization in DeFi protocols from the standpoint of governance.  It finds concentration in governance and that this undermines decentralization.  This claim, however, rests on a conceptual error: it conflates system decentralization with governance concentration. And governance concentration that does not affect transaction finality or asset ownership is not relevant to whether a system is decentralized. The distinction matters and clarifies both the paper’s findings and their implications. At Avalanche Policy Coalition, we have consistently defined decentralization from a technical standpoint. A system or network is decentralized when there is no single source of truth, no single point of failure, and no authority with the ability or responsibility to change data, transactions or balances.  It is a definition focused on finality. It ensures that users can trust what they see regarding ownership of assets and the completion of transactions.  The working paper errs by reframing decentralization as a governance question rather than a matter of network finality.  It compounds this error by trying to answer the question of who to regulate in DeFi by looking at concentration of governance power and participation across major DeFi protocols.  What the paper actually demonstrates is not a failure of decentralization, but the presence of concentrated governance layered on top of decentralized infrastructure. Confusing governance concentration with decentralization risks pushing regulation toward infrastructure rather than actors—undermining the very properties that make these systems trustworthy. Here is a summary of the paper’s empirical findings:  Token ownership is heavily skewed, with the top 100 holders controlling more than 80% of supply across the studied protocols, and the top five holders often control a substantial fraction of that total. Governance systems also rely extensively on delegation, whereby token holders assign voting power to intermediaries. As a result, a relatively small number of delegates exercise a disproportionate share of voting power, in some cases controlling the majority of delegated votes. Delegation thus operates as a structural amplifier of concentration. The paper also notes that concentration of governance power is further compounded by opacity. A substantial share of the most influential participants cannot be linked to identifiable individuals or institutions, making it difficult to determine whether governance power is independent or coordinated, whether incentives are aligned or conflicted, and whether influence is exercised by insiders, intermediaries, or diffuse communities. At the same time, governance processes themselves do little to redistribute power. The paper shows that most proposals concern operational parameters—risk settings, asset listings, and similar adjustments—while very few address governance structure. As a result, the paper concludes, existing distributions of power tend to reproduce themselves over time. The paper then concludes that decentralization is a property of governance. Under this view, a system is decentralized to the extent that decision-making authority is widely distributed, no small group can dominate outcomes, and the relevant actors are identifiable and accountable. If governance power is concentrated, the paper concludes that decentralization is incomplete or illusory.  This definition is viscerally appealing, particularly from a regulatory perspective. Regulators require identifiable points of control, and the paper emphasizes the difficulty of relying on governance token holders, developers, or exchanges as regulatory “anchor points” precisely because of opacity and fragmentation in governance structures.  Yet this definition departs from the more established understanding of decentralization in distributed systems, where the concept refers not to governance dispersion but to system architecture: whether there is a single point of failure, a single source of truth, or a single authority capable of altering data or transactions. On the more technically precise definition of decentralization, the protocols studied in the paper—built on public blockchains—remain decentralized. Framed in these terms, the paper’s findings are best understood as documenting concentrations of governance power, not undercutting decentralization.  The paper does not show that any individual token holder, delegate, or developer can rewrite transaction history, override consensus, or unilaterally alter the state of the ledger. Nor does it show that the voting groups have this power.  It also implicitly recognizes that where governance does not affect asset ownership or transaction finality, regulatory hooks are difficult to establish.  Indeed, as noted above, the proposals on which votes are sought have nothing to do with transaction finality or asset ownership.   At best, the paper can conclude that the infrastructure remains decentralized even if governance becomes concentrated. This distinction suggests a more precise analytical framework. At the infrastructure layer, finality is distributed, consensus is collective, and no single point of failure exists. At the governance layer, ownership can become concentrated, voting power aggregated, and influence unevenly distributed. These are not contradictory observations but complementary ones. DeFi systems can be both decentralized and concentrated, depending on the layer of analysis. Recognizing this layered structure clarifies the nature of the challenges identified in the paper. The difficulty regulators face is not that decentralization has failed, but that concentration exists without clear attribution.  This produces a structural asymmetry.  Governance actors can shape protocol outcomes—adjusting parameters, allocating resources, and influencing development trajectories—but they do so within systems whose core integrity cannot be compromised by that concentration. The result is a hybrid condition in which decentralized infrastructure coexists with concentrated influence over things that do not undercut decentralization. Reframing the issue in terms of concentration rather than decentralization also shifts the focus of regulation. For regulators, the challenge is not identifying a centralized intermediary in the traditional sense (i.e., one that controls transactions or custodies assets), but understanding how concentrated influence operates within systems that lack formal control points on the areas of typical regulation. Addressing these issues will require regulatory approaches that focus on identifiable actors and activities, rather than attempting to impose control at the infrastructure layer where it does not exist. The ECB paper makes a significant contribution by documenting the realities of DeFi governance. But its conceptual framing requires greater precision. Decentralization and concentration are not opposing descriptions of the same phenomenon; they operate at different levels of analysis. The systems studied in the paper are not failed attempts at decentralization. They are decentralized systems with concentrated governance structures. And where those structures do not affect transaction finality or asset ownership, the system remains decentralized. Recognizing this distinction provides a clearer understanding of both the risks and the possibilities inherent in DeFi. To hear more on this and related topics, please listen to this webinar from Global Blockchain Business Council.

Financial regulation has always looked to capture intermediaries, the money transmitters, brokers, exchanges, custodians, and others that move, hold or control assets on behalf of end users. In traditional financial services, that boundary is relatively clear: regulation attaches to those who intermediate transactions, control client assets, or provide financial services. It does not attach to the wider infrastructure that supports those activities. As digital asset ecosystems become more complex, that same boundary is being tested in new ways, making it important to defend the underlying principle. This piece examines how the EU’s implementation of the Travel Rule (via the recast Funds Transfer Regulation or “TFR”) correctly draws that line using the concept of “ancillary infrastructure,” and how a similar distinction appears in the U.S. GENIUS Act. At its core, the analysis is simple but consequential: when does a participant in a crypto system become a regulated intermediary, and when are they merely part of the infrastructure that makes the system work? These two pieces of legislation on both sides of the Atlantic show how policy makers can ensure regulation remains in force for the activities they want to capture, without blurring the distinction between infrastructure providers and financial intermediaries. In the EU: Where the Concept Comes From The EU’s idea of ancillary infrastructure appears in the recitals of the TFR, which guide how the regulation should be interpreted. The regulation explains (emphasis added): Persons that provide only ancillary infrastructure, such as internet network and infrastructure service providers, cloud service providers or software developers, that enable another entity to provide transfer services for crypto-assets, should not fall within the scope of the Regulation unless they perform transfers of crypto-assets. That is the entirety of it. The term is not further defined. There is no formal category or test in the operative provisions of the TFR, just this functional description and a few examples. But that short passage does a lot of good work. A Working Definition Taking the recital’s examples and its express limit together, ancillary infrastructure can be more specifically understood as: Infrastructure that is used by others in connection with crypto-asset transfers, but does not itself effect, execute, or control the transfer of crypto-assets, or provide custody of such assets. This is not a technology-based definition. It is a role-based definition, grounded in the regulatory perimeter. (This is consistent with other EU Regulations in the crypto-space, such as the Markets in Crypto-Assets (MiCA) Regulation.) What matters is not what the system looks like, but what the activity actually is. Two elements define the boundary: 1. Used in Connection with Transfers The infrastructure is part of the ecosystem that enables crypto-asset transfers. It may be essential to the functioning of the system. It may sit directly in the transaction flow. But it operates in a supporting role to the financial transaction, and is used by other entities such as CASPs and end users. 2. No Transfer or Custody Function The infrastructure provider does not: effect or execute transfers, control the movement of crypto-assets, or provide custody or control over those assets. That is the dividing line. Once a provider crosses into movement or control of value, it begins to look like an intermediary. If it does not, it remains infrastructure. What Counts as Ancillary Infrastructure The TFR itself provides only a handful of examples, but they point to a broader and consistent categorization. They are infrastructures that enable the system to function, without themselves engaging in the activities of financial intermediation. Internet Network Providers, such as internet service providers and network connectivity providers. These entities move data, not value. They carry transaction information across networks, but they have no relationship to the underlying assets being transferred or parties making the transfers. Cloud Service Providers, such as infrastructure-as-a-service providers and cloud hosting platforms. These providers supply computing power, storage, and hosting. They make it possible to run nodes, exchanges, and applications, but do not execute transfers, hold assets or interact directly with customers. Software Developers, such as developers of non-custodial wallets, developers of blockchain protocols, and providers of APIs and developer tools. These actors create the tools that others use to interact with crypto-assets. Once deployed, they do not control how those tools are used, nor do they execute or custody transactions. Technical Infrastructure Providers, such as node infrastructure providers, remote node access (RPC) providers, blockchain data indexing services, and validators and miners. These entities maintain and operate the underlying networks. They validate transactions, order and record them according to protocol rules, and ensure the system continues to function. They do not act on behalf of users, determine the purpose of transactions, or take custody of assets. Their role is protocol-level infrastructure and maintenance, not financial intermediation. Data and Analytics Providers, such as blockchain analytics firms, transaction monitoring tools, and risk scoring services. These providers analyze and interpret blockchain data. They support compliance, investigation, and risk management, but they do not initiate, execute, or control transfers. As we see, the concept of ancillary infrastructure covers a lot of different providers and activities, none of which intermediates or has direct responsibility for transfers or custody. This recognition provides a critical distinction between who is and who is not subject to regulation. A Parallel Approach: The GENIUS Act The same boundary appears explicitly in the U.S. GENIUS Act, which introduces the concept of a Digital Asset Service Provider (DASP) and provides exceptions for infrastructure providers. The Act defines DASPs by reference to familiar intermediary activities: exchanging digital assets, transferring them to third parties, acting as custodians, and providing financial services tied to issuance. In other words, DASPs are intermediaries. But the definition goes further by explicitly stating what is not an intermediary. The definition of DASP explicitly excludes: a distributed ledger protocol; developing, operating, or engaging in the business of developing distributed ledger protocols or self-custodial software interfaces; an immutable and self-custodial software interface; developing, operating, or engaging in the business of validating transactions or operating a distributed ledger; or participating in a liquidity pool or other similar mechanism for the provisioning of liquidity for peer-to-peer transactions. This is the same idea as ancillary infrastructure in the TFR, but stated directly in the text (rather than the recitals), and in greater detail. The Same Line, Two Drafting Styles The TFR and the GENIUS Act take different drafting approaches, but they arrive at the same place. The TFR uses a functional exclusion (“ancillary infrastructure”) The GENIUS Act uses explicit statutory carve-outs Both frameworks draw the same distinction: Intermediaries are regulated because they effect or execute transactions, or control or custody assets - activities that are traditionally within the regulatory perimeter. Infrastructure providers are not, because they enable systems rather than effect transactions or custody assets - activities that have never been captured within the regulatory perimeter, although firms using the infrastructure to undertake regulated activities may themselves require regulatory authorization. In both, that principle holds across network providers, software developers, validators and miners, and other technical actors. Conclusion: Why This Distinction Matters This boundary is not just a drafting detail, it continues to apply a foundational principle. Crypto systems are built in layers. Many actors contribute to how transactions are created, transmitted, and recorded. Without a clear distinction, regulation could easily expand to capture the entire stack. The concept of ancillary infrastructure prevents that outcome. It ensures that providing infrastructure, which is neutral and only indirectly involved, is not treated the same as acting as an intermediary in transactions. That principle is now reflected on both sides of the Atlantic. As digital asset markets evolve, it is likely to remain one of the most important lines in crypto regulation. And together these two pieces of legislation show how policy makers can update rulebooks for new technologies without unwittingly regulating the technology itself. We at Avalanche Policy Coalition have discussed this point multiple times over the last year, including in our April and May comment letters to the SEC Crypto Task Force, our response to the Australian Treasury consultation, and this blog post. Preserving the distinction between infrastructure and intermediary is one of our 2026 policy priorities.

Introduction On March 17, 2026, the U.S. Securities and Exchange Commission (SEC), together with the Commodity Futures Trading Commission (CFTC), issued its most comprehensive statement to date on how federal securities laws apply to crypto assets. The Interpretation represents a significant step in clarifying how regulators view token classification, interpret “investment contract”, and categorize core blockchain activities. Of course, we were very pleased that the agencies classify AVAX as a digital commodity and not a security in the Interpretation. But there is much more to dig into. Over the past year, Avalanche Policy Coalition (APC) has advanced a framework for crypto regulation centered on three principles: (1) the nature of the asset matters, (2) infrastructure and intermediaries must be treated differently, and (3) regulation should be workable and grounded in real market structure. Our April, May and September 2025 comment letters to the SEC Crypto Task Force articulated these ideas in detail. This post compares the SEC Interpretation with that framework, highlighting where they align, where they differ, and how the two approaches relate conceptually. Token Classification: Converging on Function One of the most important developments in the SEC Interpretation is the introduction of a five-part taxonomy for crypto assets: digital commodities, digital collectibles, digital tools, stablecoins, and digital securities. This approach aligns closely with APC’s long-standing emphasis on token classification based on function, which we call the nature of the asset test and is grounded in the functions and features of the token rather than how it is marketed or what it is called. APC has described “protocol tokens” as a distinct category of assets integral to the functioning of blockchain networks. The SEC’s category “digital commodities” captures much of this same concept. These assets derive value from the programmatic operation of a functional crypto system and supply-and-demand dynamics, rather than from the expectation of profits based on managerial efforts. The SEC definition of digital commodity as part of a crypto system emphasizes functionality at both the Layer 1 and application layer, much as APC’s protocol token is agnostic about the layer on which the protocol functions. This is an important recognition that digital commodities may exist at various levels of the tech stack. Also important, the SEC does not opt for a slavish application of a “decentralization” requirement as the deciding factor for the nature of the asset.  Rather, it remains focused on functionality and consumptive use.  This flows as well into its interpretation of “investment contract,” discussed below. The two approaches therefore converge in substance, reflecting a growing consensus around function-based token classification, which we have championed for many years. Both the SEC and APC recognize that tokens such as AVAX, BTC, and ETH do not have the features or functions of securities and should be analyzed accordingly. The difference lies primarily in structure: APC proposed a distinct legal category for protocol tokens, subject to distinct treatment, while the SEC states that digital commodities may fall into the broader world of commodities. Similarly, the SEC addresses stablecoins, particularly those covered by the GENIUS Act and prior staff guidance, finding them to not be securities while noting that other stablecoin arrangements may require further analysis. This reflects its alignment with the nature of the asset test APC articulated, which evaluates tokens based on their specific characteristics and functions. Assets vs. Transactions: A Shared Distinction A central theme of the SEC Interpretation is the explicit distinction between a crypto asset and the transaction in which it is offered or sold. For example, a digital commodity is not itself a security; however, it may be sold pursuant to an investment contract. This is a point of strong alignment with APC’s framework. APC has consistently emphasized that digital assets should not be classified as investment contracts or other types of securities simply because they are involved in activities that look like capital-raising. The SEC Interpretation adopts this principle directly, clarifying that the legal analysis should focus on the contract, transaction, or scheme, rather than the asset itself.  This phrase, taken directly from Howey, has often been overlooked.  The SEC correctly recognizes that it is the lynchpin of how Howey defines investment contract. Oranges simply are not and never will be securities. This brings crypto assets into alignment with other areas of law, where non-security assets (such as commodities or real estate) can be part of securities transactions without themselves becoming securities.  Investment Contract Analysis: Different Approaches One of the main areas of divergence is how to define and apply the concept of an “investment contract.” APC has proposed a framework with clearer boundaries for when securities laws apply. In particular, we encouraged the following definition: “an express agreement between a seller and buyer that provides for the investment of money in a common enterprise with a reasonable expectation of profits solely from the undeniably significant managerial or entrepreneurial efforts of the seller.” This definition starts with the basic articulation from Howey and adds modifications based on prevailing Supreme Court case law and other precedent. By reviving the word “solely” from the original Howey test and requiring an express agreement, this definition provides greater certainty about the “who” and the “what” of the investment contract. The SEC, by contrast, provides guidance on how it will apply the originally articulated version of the Howey test to crypto assets, resulting in less definitive regulatory boundaries. The SEC Interpretation places significant emphasis on issuer representations and promises, including their source, timing, and specificity, in determining whether purchasers have a reasonable expectation of profits from the efforts of others. These concepts reflect a close reading and application of Howey and its progeny, which we agree with. We just wish for something that is easier to apply. Both approaches aim to clarify the same issue, but they differ in methodology. APC emphasizes clearer rules and definitions, while the SEC relies on interpretive guidance within an existing legal framework. Lifecycle and “Separation”: Different Structures, Similar Outcomes APC has proposed a lifecycle-based framework distinguishing between pre-functionality and functional protocol tokens for purposes of determining SEC jurisdiction. Under that approach, protocol tokens sold prior to protocol functionality would be presumed to be the subject of an investment contract, resulting in a securities law framework for their offer and sale.  In contrast, tokens used in a functioning protocol would fall outside the federal securities laws. The SEC does not adopt this structure in full but incorporates elements of it in the Interpretation. Instead, it introduces the concept of “separation” under which a non-security crypto asset can cease to be subject to an investment contract once purchasers no longer reasonably expect the issuer’s essential managerial efforts to remain connected to the asset. This test does not rely solely on “sufficient decentralization” or related concepts, but looks at the overall facts and circumstances to determine whether separation has occurred. While the mechanisms differ, the underlying idea is similar: the regulatory treatment of a token as part of an investment contract or not can change over time as the network evolves and other events occur. APC’s approach uses a more structured lifecycle model, while the SEC relies on a fact-specific analysis tied to issuer activities and market expectations. Infrastructure vs. Intermediaries: Alignment in Core Activities APC has consistently argued that regulation should focus on intermediaries, not infrastructure providers. Validators, node operators, and protocol participants perform technical functions and should not be treated as financial intermediaries. The SEC’s Interpretation reflects this principle in its treatment of specific activities. It concludes that, when conducted as described, the following do not involve securities transactions: Protocol mining Protocol staking Certain wrapping arrangements Certain no-consideration airdrops In each case, the SEC characterizes these activities as administrative or ministerial, rather than managerial or intermediary in nature. Rewards created through staking and delegation are treated as compensation by the network for services performed, not profits derived from the efforts of others. This represents a clear point of convergence. The SEC recognizes that core protocol activities operate at the infrastructure layer and should be treated differently from traditional intermediary services. Token Issuance and Market Structure: Different Levels of Detail APC’s framework includes proposals for a more comprehensive regulatory structure, including tailored approaches to token issuance, disclosures, and the role of intermediaries. The SEC’s Interpretation does not address these areas in detail. It focuses primarily on classification and the application of existing law, rather than introducing new exemptions, disclosure regimes, or intermediary frameworks. Conclusion The SEC’s Interpretation and APC’s framework share a common foundation. Both approaches recognize the importance of functional token classification, the distinction between assets and transactions, and the need to treat infrastructure differently from intermediaries. They also reflect a broader convergence around core securities law principles; particularly, the focus on economic reality, consumptive use, and the distinction between managerial and non-managerial activity. At the same time, they differ in how those principles are implemented. The SEC relies on interpretive guidance within existing legal frameworks, while APC has proposed more structured approaches to classification, lifecycle analysis, and market design. Taken together, the two perspectives reflect an evolving consensus around the core concepts that should guide crypto policy. As regulatory discussions continue, these shared principles provide a foundation for further development of a coherent and workable framework. Avalanche Policy Coalition will continue to engage with policymakers and stakeholders to support thoughtful, functional approaches to crypto regulation.