Why legal infrastructure matters more in crypto than anywhere else

Crypto and blockchain startups operate in one of the most legally complex and rapidly evolving regulatory environments in technology. Token projects have faced SEC enforcement action, exchange platforms have been shut down for AML failures, DeFi protocols have lost user funds with no legal framework for liability, and founders have faced personal criminal exposure from inadequate compliance programmes. Getting legal infrastructure right before launch is not optional in this industry — it is existential.

Step 1: Token classification — understanding what you are building

The most consequential legal question for any crypto project is how your token will be classified by regulators. In the US, the SEC applies the Howey test — if a token is an investment of money in a common enterprise with an expectation of profit from the efforts of others, it is a security and must be registered or exempt. In the EU, MiCA classifies crypto-assets as: e-money tokens, asset-referenced tokens, or other crypto-assets — with different regulatory frameworks for each.

Misclassifying your token — treating a security as a utility token — is the most common legal mistake in crypto and has resulted in SEC enforcement actions against well-funded, well-intentioned projects. TECHLAWG can help you assess your token's likely regulatory classification before you commit to a launch structure.

The complete legal checklist

Pre-launch regulatory assessment

  • Token classification analysis under US, EU, and applicable local law
  • Exchange and custodian licensing requirements in target markets
  • Money Services Business / Money Transmitter License requirements
  • MiCA compliance assessment for EU market access
  • Sanctions compliance screening (OFAC, EU, UN)
  • Assessment of DeFi-specific regulatory obligations in target markets

Legal documents you need before launch

  1. Token Purchase Agreement / Terms of Token Sale — the primary contract governing your token sale or distribution event. Must include purchaser representations (accredited investor status where applicable), transfer restrictions, lock-up provisions, jurisdiction-specific securities law compliance, and explicit exclusion of EU, US, or other restricted jurisdiction purchasers if required.
  2. Risk Disclosure Statement — comprehensive, specific disclosure of every material risk: regulatory uncertainty, smart contract vulnerabilities, market volatility, liquidity risk, key person risk, and the risk of total loss. Courts and regulators expect risk disclosures to be specific and prominent.
  3. Platform Terms of Service — governing user relationships on your exchange, wallet, DeFi protocol, NFT marketplace, or blockchain application. Must address prohibited jurisdictions, KYC/AML compliance requirements, liability for smart contract errors, and governing law.
  4. Privacy Policy — GDPR and CCPA compliant; specifically addressing blockchain data (transaction data on public chains is not "personal data" in the traditional sense but wallet addresses may be personal data in some jurisdictions); KYC document handling; and blockchain analytics tool disclosures.
  5. AML/KYC Policy and Procedures — documented customer due diligence, enhanced due diligence for high-risk customers, transaction monitoring procedures, suspicious activity reporting, and record-keeping obligations. Required for any business that qualifies as a Virtual Asset Service Provider (VASP) under FATF standards.
  6. Smart Contract Disclaimer — limiting liability for smart contract bugs, vulnerabilities, and exploits. The disclaimer must be prominently disclosed and technically accurate about the risks of smart contract interaction.

If you are structuring a DAO

  • Legal wrapper selection — Wyoming DAO LLC, Marshall Islands DAO company, Cayman Islands foundation, or other jurisdiction
  • DAO governance documentation — voting procedures, proposal thresholds, treasury management rules
  • Contributor agreements for core team members
  • Treatment of governance token holders — rights, liability exposure, and tax implications

MiCA compliance for EU-facing projects

MiCA is fully in force for most crypto-asset service providers. If your project issues tokens, operates an exchange, provides custody services, or makes AI-powered trading tools available to EU users, you need to assess your MiCA obligations. Key requirements include: issuing a crypto-asset white paper meeting MiCA's disclosure requirements; notifying the relevant EU national competent authority; and — for CASP licences — applying for authorisation in at least one EU member state.

What happens if you skip this

The examples are not hypothetical. Terraform Labs and Do Kwon faced civil and criminal charges after the LUNA collapse. Ripple spent years in SEC litigation over whether XRP was a security. BitMEX founders were criminally charged for AML failures. Binance paid over $4 billion in settlements for regulatory violations. These are not enforcement outcomes that befell obviously bad actors — they reflect the regulatory reality of operating in crypto without adequate legal infrastructure. See our Crypto and Blockchain Legal Services for details on how TECHLAWG can help.

Frequently Asked Questions

Do I need a lawyer before launching a crypto project?

Yes — and the earlier the better. The most consequential legal decisions in crypto (token structure, launch jurisdiction, regulatory classification, sale structure) are made at the beginning and are very difficult to undo. Legal costs incurred pre-launch to get the structure right are dramatically lower than the legal costs of regulatory enforcement, investor litigation, or forced restructuring post-launch.

What is a VASP and do I need to register?

A Virtual Asset Service Provider is any business that provides exchange, transfer, safekeeping, administration, or offering and sale of virtual assets — as defined by the FATF standards adopted in most major jurisdictions. VASPs must register with their national financial regulator (FinCEN in the US, national competent authorities in the EU under MiCA), implement AML/KYC programmes, and comply with travel rule obligations for transfers above applicable thresholds.

What is the Howey test and how does it apply to tokens?

The Howey test is the US Supreme Court standard for determining whether an instrument is a security requiring SEC registration. An instrument is a security if it involves: an investment of money; in a common enterprise; with an expectation of profits; from the efforts of others. The SEC has applied this test aggressively to crypto tokens, finding that many tokens promoted as "utility tokens" are in fact securities. The analysis is fact-specific and depends on how the token is marketed, the state of development of the project at the time of sale, and the economic reality of the relationship between buyers and the project.

Can I exclude US and EU investors from my token sale?

Yes — many crypto projects structure their token sales to exclude US persons (to avoid SEC jurisdiction) and EU investors (to avoid MiCA or securities regulation). Exclusion requires more than simply stating in your terms that US persons may not participate — you must implement technical and procedural controls (IP blocking, KYC screening, geofencing) that make the exclusion effective. Courts and regulators have found that token sales with nominal exclusions that were not effectively implemented did not avoid US or EU securities law obligations.

What is the "travel rule" in crypto and does it apply to me?

The FATF Travel Rule requires VASPs to collect and transmit originator and beneficiary information for crypto transfers above a threshold (typically $1,000 or the local equivalent). In the US, FinCEN enforces the travel rule for covered transactions. In the EU, the Transfer of Funds Regulation applies travel rule requirements to all crypto transfers regardless of amount. If you operate any service that transfers crypto assets on behalf of users — exchanges, wallets, payment processors — the travel rule likely applies and requires technical solutions for information transmission between VASPs.

About the Author

Adam Jabbar is an Advocate of the High Courts, LLB University of London, and Managing Partner of TECHLAWG — a specialist tech law consultancy serving SaaS companies, app developers, crypto startups, and digital platforms across the US, EU, GCC, and Switzerland. He is the Amazon #1 bestselling author of Claude for Lawyers and ChatGPT for Lawyers.
