Made by Bobr AI

Crypto Exchange Listing Risk & Compliance Framework

A comprehensive framework for crypto exchanges navigating SEC, CFTC, and MiCA regulations. Learn risk categories, liability theories, and listing best practices.

#crypto-compliance #regulatory-risk #digital-assets #mica-regulation #exchange-listing #sec-cftc #blockchain-law

INTERNAL RESEARCH PAPER · MARCH 2026 · VERSION 1.0

Exchange Listing Risk, Market Structure & Regulatory Liability

A Framework for Crypto Exchanges Operating Under Evolving Regulation

Part A: Full Research Paper | Part B: Condensed Cheat Sheet


PART A — SECTION 1

Executive Summary

Six principles for defensible exchange operations

01

Token Classification Is Dynamic

A token passing Howey at listing can fail it later. Exchanges bear ongoing liability from listing date forward, not just at point of listing.

02

Dual-Agency Risk

SEC/CFTC jurisdictional overlap is structurally unresolved. FIT21 would resolve this; until then, plan for dual exposure.

03

MiCA Is the Global Floor

EU Regulation 2023/1114 is in force. Exchanges serving EU customers must treat CASP obligations as a binding compliance baseline.

04

Market Structure = Legal Risk

Liquidity depth, insider concentration, wash-trading ratios, and fee incentive design are directly relevant to regulatory exposure.

05

Continuing Violation Doctrine

Each day of trading an unregistered security adds to disgorgement exposure. Delayed delisting is a quantifiable risk decision.

06

Documentation Is Defence

A consistent, contemporaneous analytical process materially lowers enforcement risk.

Kokesh v. SEC, 581 U.S. 455 (2017)


SECTION 2 — CONTEXT

Why This Matters to Exchanges Now

Four concurrent pressures have converged (2022–2025)

2.1

Enforcement Escalation

SEC filed parallel actions against Coinbase and Binance (June 2023). The exchange is the enforcement target — not just the issuer. Historical exposure is real.

2.2

The FTX Effect

November 2022 collapse proved custody risk and misrepresentation of reserves produce criminal prosecutions. Changed the political economy of crypto regulation.

2.3

New Regulatory Frameworks Online

MiCA in force Dec 2024. EU Transfer of Funds Regulation in force June 2023. Neither was in prior planning cycles.

2.4

Classification Risk Is Compounding

Each token added is a unit of potential retroactive liability. The five-year lookback window grows with every listing.


SECTION 3.1 — REGULATORY LANDSCAPE

The US Framework: Two Regulators, One Asset Class

The defining feature of US crypto regulation is the jurisdictional overlap between the SEC and the CFTC.

| | SEC | CFTC |
|---|---|---|
| Statutory Basis | Securities Act 1933; Exchange Act 1934 | Commodity Exchange Act 1936 |
| Core Claim | Tokens are securities if they satisfy Howey | Bitcoin and Ether are commodities; fraud/manipulation authority over spot |
| Registration Requirement | Broker-dealer, ATS, national exchange | DCM registration for derivatives; fraud/manipulation authority over spot |
| Recent Exchange Actions | Coinbase (2023), Binance (2023), Kraken (2023) | Binance (2023), FTX (2022–23), BitMEX (2020) |
| Resolution Pending | FIT21 would clarify SEC/CFTC line | FIT21 would grant CFTC spot market authority |

A token can simultaneously be a commodity (CFTC) and a security (SEC) under current law. There is no safe harbour that protects an exchange from both regulators simultaneously.


SECTION 3.3 — EU REGULATION

MiCA: The Global Regulatory Floor

EU Regulation 2023/1114 — in force December 2024 — is becoming the de facto global standard.

E-Money Token (EMT)

Definition

Pegged to a single official currency

Exchange Obligation

Only list from authorised e-money/credit institutions; reserve verification required

Asset-Referenced Token (ART)

Definition

References multiple currencies, commodities, or assets

Exchange Obligation

Issuer must be EU-authorised; highest reserve and marketing restrictions apply

Other Crypto-Asset (OCA)

Definition

All other tokens including utility, governance

Exchange Obligation

Issuer must publish MiCA-compliant whitepaper; conduct rules for CASPs apply

Excluded (DeFi/NFTs/MiFID II)

Definition

Truly decentralised DeFi, non-fungible NFTs, regulated financial instruments

Exchange Obligation

MiCA does not apply — but MiFID II may

MiCA's significance extends beyond Europe — it is becoming the reference framework for jurisdictions worldwide developing their own crypto regulatory frameworks.


SECTION 4 — MARKET STRUCTURE

Market Structure: What Exchanges Must Monitor

Market structure parameters are legally consequential — not just commercially relevant.

LIQUIDITY PARAMETERS

Bid-Ask Spread — Tight spreads = healthy competition. Wide spreads = manipulation risk. Persistent wide spreads evidence unfair market operation.
Order Book Depth — A thin order book is easily manipulated by a single large actor. Deep books absorb large trades without price impact.
Market Depth Ratio — Ratio of liquidity within ±2% of mid-price to daily volume. Low ratios mean modest trading has outsized price impact.
Wash-Trading Ratio — Benford's Law + on-chain wallet cluster analysis. Illegal under Exchange Act s. 9(a)(1) and CEA s. 4c(a).

CONCENTRATION & MANIPULATION

Float / Circulating Supply — Low float (<10–15% of total supply) enables artificial scarcity and price manipulation.
Top-10 Wallet HHI — Above 40% in non-custodial wallets = manipulation red flag. Apply Herfindahl-Hirschman Index.
Insider Token Allocation — Allocations >25% of supply with vesting <12 months create both Howey risk and manipulation risk.
Order Cancellation Ratio — High large-order cancellation within milliseconds = spoofing signal. Criminal offence under CEA.

Key Insight: The commercial answer and the regulatory answer to market structure are increasingly the same answer.


SECTION 5.2 — CLASSIFICATION RISK

Token Risk Categories

Not all tokens carry equal classification risk. Current enforcement signals mapped.

| Token Category | Securities Risk | Key Indicators | Enforcement Signal |
|---|---|---|---|
| Established Commodities (BTC, ETH) | LOW | No identifiable issuer; CFTC claimed jurisdiction | CFTC jurisdiction widely accepted |
| Protocol Governance (UNI, AAVE) | MEDIUM-HIGH | Founder controls roadmap; concentrated voting | No definitive ruling; SEC named similar tokens |
| Fee-Sharing / Revenue Tokens | HIGH | Token holders receive protocol revenue share | Probable investment contract; SEC v. Terraform |
| Layer-1 / Layer-2 Native Tokens | MEDIUM | Foundation issuer; profit-expectation at launch | SOL, ADA named in Coinbase complaint |
| Liquid Staking Derivatives (stETH) | MEDIUM-HIGH | Yield-bearing; issued by identifiable entity | Kraken staking order creates analogy |
| Real-World Asset Tokens | VERY HIGH | Almost certainly a security under Howey/Reves | Do not list without confirmed registration |
| Algorithmic Stablecoins | HIGH | Complex mechanism; UST/LUNA held to be securities | SEC v. Terraform — avoid without legal analysis |
| AI / Agent Tokens | VERY HIGH | Anonymous issuer; concentrated; profit-expectation | Unregulated emerging category — max scrutiny |

Tokens named in the SEC's Coinbase complaint (SOL, ADA, MATIC, SAND, AXS, CHZ, FLOW, ICP, NEAR) were being traded by compliant retail exchanges at the time. This list is the floor — not the ceiling.


SECTION 6 — LIABILITY

Exchange Liability: The Core Theories

Understanding how enforcement actions are constructed against exchange operators.

01 — Unregistered Broker/ATS

The primary SEC enforcement theory.

Securities Classification

SEC establishes the token is a security using Howey analysis. Courts have broadly accepted this.

Broker/Dealer Activity

Satisfied simply by matching buyers and sellers of the token.

Absence of Registration

Exchange not registered as broker-dealer or operating under valid exemption.

SEC v. Coinbase (SDNY 2023)

02 — Continuing Violation Doctrine

Each day of trading a security on an unregistered exchange is a fresh violation.

Estimated Exposure = (Trading fees collected) × (Probability of adverse classification) × (5-year lookback window)

Warning: Holding a token 90 days after a Wells Notice to the issuer may accumulate $X in fees while accumulating $10X in additional disgorgement exposure.

Kokesh v. SEC, 581 U.S. 455 (2017)

03 — Aiding & Abetting

Exchange aided and abetted an issuer's unregistered securities offering by providing the marketplace for distribution.

Three triggers:

  • Undisclosed economic relationship with issuer

  • Exchange reproduced issuer's profit-expectation statements

  • Exchange provided structural support for token launch

Lorenzo v. SEC, 139 S. Ct. 1094 (2019)

Delisting is not a last resort. It is a financial tool. The decision to continue listing after adverse signals is a quantifiable risk-taking decision that should be escalated to the board.


SECTION 6.4–6.5 — CUSTODY & AML

Custody & AML: The Fastest Path to Criminal Prosecution

AML/KYC liability can result in both corporate and individual criminal exposure — unlike most securities liability.

CUSTODY RISK MATRIX

| Risk | Legal Basis | Severity |
|---|---|---|
| Commingling customer/exchange assets | Fraud; CEA s. 4d | CRITICAL |
| Misrepresentation of reserves | Exchange Act s. 10(b); CFTC fraud | CRITICAL |
| Hot wallet >30% of customer assets | Negligence; industry standard violation | HIGH |
| Staking customer assets without disclosure | Securities offering (Kraken) | HIGH |
| Inadequate insurance vs. held assets | Negligence; breach of duty of care | HIGH |

AML & SANCTIONS EXPOSURE

$4.3B
Largest AML penalty in crypto — Binance settlement with FinCEN, OFAC, and DOJ. November 2023.
OFAC sanctions now extend to smart contract addresses. Tornado Cash designation (August 2022) means accepting deposits from sanctioned addresses = automatic exposure.
Individual liability attaches. BSA criminal liability can attach to senior compliance officers who knew about deficiencies. CZ pleaded guilty to BSA violation (2023).

31 U.S.C. § 5322 · 50 U.S.C. §§ 1701–1707 · DOJ Press Release Nov 2023 · OFAC SDN Aug 2022


SECTION 7 — OPERATIONS

Operational Implications by Team

Five teams. Five distinct sets of obligations under the current regulatory environment.

LISTINGS TEAM
  • Standardise submissions: whitepaper, audit, beneficial ownership, vesting schedules. Return incomplete applications.
  • Build a quantitative risk scoring model calibrated to token categories. Listings committee receives scores, not just memos.
  • Maintain 90-day, 12-month, and annual re-assessment calendar. Treat as scheduled, not reactive.
COMPLIANCE TEAM
  • Own ongoing monitoring — automated feeds for issuer activity, on-chain events, regulatory announcements for every listed token.
  • Build SAR workflow calibrated to crypto-specific patterns: wash trading, cluster wallet coordination, large transfers before regulatory announcements.
  • Maintain regulatory change log. Every new guidance assessed for portfolio impact within 30 days.
CUSTODY TEAM
  • Proof-of-Reserves reporting must have legal review before publication. Inaccurate PoR data is fraud.
  • Segregation controls must be technically enforced — not just policy-based. Operational wallets must not touch customer asset wallets.
  • Pooled staking must not go live without documented legal clearance.
PRODUCT TEAM
  • Every feature touching asset economics requires legal/compliance pre-review before development begins.
  • Fee structure redesigns reviewed for wash-trading incentive risk. Compliance must sign off on any net-positive round-trip rebate.
  • Customer disclosure flows must surface elevated risk at point of purchase — not buried in ToS.
SURVEILLANCE TEAM
  • Coverage must include all listed tokens. A surveillance gap on a thin-liquidity token that has a manipulation event = exchange-level liability.
  • Implement cross-asset surveillance — sophisticated manipulation exploits correlated spot/derivatives positions.
  • Document ALL surveillance events regardless of action taken. Contemporaneous records are enforcement defence.

PART B — CHEAT SHEET

10 Questions to Ask Before Every Listing

Designed for listings committees and compliance teams. Answer all 10 before approval.

Q1
Does this token satisfy any prong of the Howey test? Can we document a specific analysis explaining our conclusion?
Q2
Has the issuer made any public statements implying financial return to token holders? Have we reviewed all of them?
Q3
What percentage of circulating supply is held by the top 10 wallets? Are those wallets subject to documented lock-ups?
Q4
Has a third-party smart contract audit been completed, published, and reviewed for admin key risk?
Q5
Has the issuer, any major holder, or affiliated entity received a Wells Notice, informal inquiry, or consent order?
Q6
Is the exchange registered (or under valid exemption) as broker-dealer/ATS in the relevant jurisdiction? Is geo-blocking verified?
Q7
Does the issuer comply with MiCA whitepaper requirements for EU customers? Is an EU geo-block technically in place?
Q8
Is our Travel Rule infrastructure compatible with this token's chain? Can we handle unhosted wallet transfers?
Q9
Are there active staking or yield features? Is the exchange pooling or pass-through? Has specific legal analysis been done?
Q10
Do we have adequate custody infrastructure for this token type? Can we suspend withdrawals within 15 minutes if needed?

Source: Part B — Exchange Listing & Liability Cheat Sheet · March 2026


PART B — RISK FLAGS

10 Liability Red Flags

Escalate immediately. Each flag represents a quantifiable risk-taking decision.

| Red Flag | Risk Type | Severity |
|---|---|---|
| Issuer received a Wells Notice | Securities — classification imminent | CRITICAL |
| Exchange has undisclosed token allocation from issuer | Conflict of interest; aiding/abetting | CRITICAL |
| Customer assets not fully segregated from exchange assets | Fraud; commingling; criminal exposure | CRITICAL |
| Proof-of-Reserves data is unverified or misleading | Securities fraud; CFTC fraud authority | CRITICAL |
| Exchange offers pooled staking without legal clearance | Unregistered securities offering (Kraken) | HIGH |
| Fee structure creates net-positive round-trip rebate | Market manipulation facilitation | HIGH |
| Insider concentration >40% with no documented lock-up | Manipulation risk; Howey Prong 4 factor | HIGH |
| Continued listing after comparable token enforcement action | Continuing violation; constructive knowledge | HIGH |
| No SAR filing workflow for automated surveillance alerts | BSA criminal liability | HIGH |
| Smart contract has unilateral admin key with no timelock | Howey factor; concentration risk | MEDIUM-HIGH |

CRITICAL = escalate to board immediately · HIGH = escalate to compliance/legal within 48 hours


PART B — KEY TAKEAWAYS

10 Things Every Exchange Operator Must Know

The essentials. Designed for scanning in under 5 minutes.

#01

Token classification evolves

Build monitoring infrastructure, not just a listing gate. Classification is continuous, not a one-time decision.

#02

Ongoing liability from day one

Every day of trading a security without registration is a fresh violation under the continuing violation doctrine. (Kokesh v. SEC, 2017)

#03

Dual-agency exposure

The SEC and CFTC both claim jurisdiction over different aspects of the same asset. Plan for both until FIT21 resolves the overlap.

#04

MiCA is binding for EU access

CASP authorisation and whitepaper requirements are binding law, not aspirational targets, for any exchange serving EU customers.

#05

Market structure = legal risk

Liquidity, concentration, and manipulation indicators are as legally significant as the Howey analysis.

#06

Review your fee schedule

Fee structures that create net-positive round-trip rebates are a direct market abuse exposure.

#07

Pooled staking requires clearance

Pooled staking products are probable unregistered securities offerings. Do not launch without independent legal clearance. (Kraken, 2023)

#08

PoR misrepresentation is fraud

Every Proof-of-Reserves attestation requires technical verification before publication. No exceptions.

#09

Documentation is your defence

A defensible process that reached a wrong conclusion is exponentially better than an undocumented correct conclusion.

#10

Model the delisting economics

Once adverse signals emerge, calculate expected trading revenue vs. incremental liability. Delisting has a computable positive return.


OUTLOOK — NEXT 12–18 MONTHS

5 Things That Will Define the Landscape

Monitor these developments. Each one materially shifts exchange strategy.

01 —
FIT21: Passage or Failure

If enacted: creates a defined CFTC/SEC line for digital commodities vs. digital securities — providing the clearest listing path in US history. If it fails: dual-agency enforcement remains the operating environment indefinitely. Status: Passed US House May 2024. Senate uncertain.

02 —
SEC's Position on Secondary Market Trading

The Ripple district court's programmatic sales distinction has not been affirmed by any circuit court. The Second Circuit appeal resolution will define whether exchange trading of a token constitutes a securities offering.

03 —
MiCA Full Implementation

Transition periods expiring. ESMA finalising technical standards for DeFi, NFTs, and cross-border services. Exchanges must be in full CASP compliance or risk losing EU market access.

04 —
AI / Agent Token Regulatory Clarity

The 2024–25 wave of AI-linked tokens created a new category: highly concentrated, anonymously issued, profit-expectation-marketed. Regulators will provide guidance — or enforcement will provide it by example.

05 —
Travel Rule Enforcement Gap Closure

FATF member jurisdictions under increasing pressure to enforce Travel Rule for unhosted wallet transfers. Exchanges with gaps face heightened AML enforcement risk in 2025–26.

Source: Section 3.5 Direction of Travel · March 2026 · CONFIDENTIAL


CONCLUSION

The Listing Decision Is Not an Event — It Is a Continuous Obligation.

Classify Conservatively. Monitor Continuously.

Apply maximum scrutiny at listing and build automated monitoring that treats classification as an ongoing analysis, not a one-time gate.

Price the Liability, Not Just the Revenue.

Every token listing generates trading fee revenue and creates ongoing liability exposure. Both sides of the equation must be explicitly weighed.

Documentation Is Defence.

In any enforcement proceeding, contemporaneous good-faith analysis is the primary factor distinguishing a civil penalty from a criminal referral. Document everything.

"The exchanges best positioned to navigate this are those that have built the process infrastructure to adapt quickly — not those waiting for regulatory certainty that may not arrive."

Exchange Listing Risk, Market Structure & Regulatory Liability · March 2026 · Version 1.0 · CONFIDENTIAL — INTERNAL USE ONLY


OUTLOOK — NEXT 12–18 MONTHS

5 Things That Will Define the Landscape

Monitor these developments. Each one materially shifts exchange strategy.

FIT21: Passage or Failure

If enacted: creates a defined CFTC/SEC line for digital commodities vs. digital securities — providing the clearest listing path in US history. If it fails: dual-agency enforcement remains the operating environment indefinitely. Status: Passed US House May 2024. Senate uncertain.

SEC's Position on Secondary Market Trading

The Ripple district court's programmatic sales distinction has not been affirmed by any circuit court. The Second Circuit appeal resolution will define whether exchange trading of a token constitutes a securities offering.

MiCA Full Implementation

Transition periods expiring. ESMA finalising technical standards for DeFi, NFTs, and cross-border services. Exchanges must be in full CASP compliance or risk losing EU market access.

AI / Agent Token Regulatory Clarity

The 2024–25 wave of AI-linked tokens created a new category: highly concentrated, anonymously issued, profit-expectation-marketed. Regulators will provide guidance — or enforcement will provide it by example.

Travel Rule Enforcement Gap Closure

FATF member jurisdictions under increasing pressure to enforce Travel Rule for unhosted wallet transfers. Exchanges with gaps face heightened AML enforcement risk in 2025–26.

Source: Section 3.5 Direction of Travel · March 2026 · CONFIDENTIAL

CONCLUSION

The Listing Decision Is Not an Event — It Is a Continuous Obligation.

Classify Conservatively. Monitor Continuously.

Apply maximum scrutiny at listing and build automated monitoring that treats classification as an ongoing analysis, not a one-time gate.

Price the Liability, Not Just the Revenue.

Every token listing generates trading fee revenue and creates ongoing liability exposure. Both sides of the equation must be explicitly weighed.

Documentation Is Defence.

In any enforcement proceeding, contemporaneous good-faith analysis is the primary factor distinguishing a civil penalty from a criminal referral. Document everything.

The exchanges best positioned to navigate this are those that have built the process infrastructure to adapt quickly — not those waiting for regulatory certainty that may not arrive.

Exchange Listing Risk, Market Structure & Regulatory Liability · March 2026 · Version 1.0 · CONFIDENTIAL — INTERNAL USE ONLY
