Crypto M&A: Unique Legal and Regulatory Considerations


Crypto M&A is slated to reach a record high in 2021. With a $2.4 trillion[1] aggregate market value—which is now larger than the GDP of Canada—the crypto[2] ecosystem has gained a permanent seat at the table.

Despite regulatory uncertainty, major governments banning crypto trading, and the perceived environmental impact, deal-makers from the finance, technology and other innovative business communities have continued to ride the wave of crypto M&A.[3] Available data indicates that deal value, deal activity and ensuing competitiveness have all surged in this space, with approximately 60 transactions in 2021, for a total estimated value of approximately $18 billion.[4] In the U.S. alone, there have been $4bn worth of deals in 2021, a year-over-year increase of nearly 600%.[5]

Blockchain targets present a host of complex legal and regulatory issues and, accordingly, due diligence has increased in importance. Blockchain companies often operate in international markets. Therefore, due diligence investigations should take into account the target’s potential plurality of legal regimes, local norms, and applicable practices. Among other things, prospective acquirers may wish to see evidence of compliance, such as copies of licenses, as well as policies and procedures to mitigate regulatory risks. Prospective acquirers may also wish to speak with key personnel at the target company regarding compliance. While no publication can provide an in-depth analysis of all the issues that might be relevant to crypto M&A transactions, the following are key legal and regulatory due diligence issues worth considering in the crypto M&A space.

A. U.S. Federal Securities Laws Considerations

As digital assets in circulation across the globe continue to increase, it is unsurprising that offerings of digital assets[6] continue to be a popular fundraising tool for blockchain companies.

However, in 2017, the U.S. Securities and Exchange Commission (“SEC”) clarified that U.S. securities laws apply when digital assets that qualify as securities are marketed or sold to U.S. persons, regardless of the issuer’s location.[7]

As a result, issuers are required to either: (i) register the sale of their tokens under Section 5 of the Securities Act of 1933 (the “Securities Act”) by filing a registration statement, such as on Form S-1 or F-1, with the SEC; or (ii) rely on an exemption from the registration requirements of the Securities Act, such as Regulation CF, Regulation A and Regulation D.

Additionally, some market participants may not have immediately realized that only digital assets not treated as securities—such as bitcoin and ether—can trade freely on cryptocurrency exchanges. However, to the extent it is treated as a security and is not registered under the Securities Act, a digital asset would be treated as a restricted security, and therefore any sale of such digital asset (i.e., any “secondary sale”) must also be in compliance with similar securities laws and regulations and be transferred from the holder to another person pursuant to an exception or exemption.

The lack of clear regulatory standards for determining whether a digital asset is a security limits the ability of crypto companies to ensure they are not transacting in securities, and exposes them to second-guessing by the SEC and private plaintiffs.

If a blockchain target has failed to comply with applicable securities rules and regulations, the SEC may investigate and prosecute alleged fraud in connection with such offerings, which may lead to civil penalties for defendants, including individuals. Unregistered offerings may also be subject to rescission rights and damages claims as well as enforcement actions by U.S. state and/or non-U.S. securities regulators, which may result, and in some cases have resulted, in fines, injunctions, and jail time in connection with potential related criminal proceedings.

Potential acquirers should review the legal advice a target has received and speak with its outside counsel on these issues. They should also consider whether there are any remedial actions that can be taken before closing, and otherwise conduct thorough due diligence investigations to avoid inheriting potential liabilities or having to address potential pitfalls post-closing.

B. Commodities Regulation Considerations

The U.S. Commodity Futures Trading Commission (“CFTC”) takes the position that all varieties of cryptocurrencies are commodities for purposes of the Commodity Exchange Act.[8] The CFTC has begun instituting enforcement actions against both fraudulent and manipulative actors in virtual currency spot markets and against persons operating as unregistered regulated entities and intermediaries.

Acquirers should be aware that the CFTC has issued guidance expansively defining the scope of derivatives it regulates, especially in the case of leveraged or margined transactions involving retail investors, and has pursued cases involving even seemingly minor instances of wash trades and undisclosed proprietary trading in the spot markets.

Acquirers should make sure to confirm a target has developed and implemented appropriate policies addressing matters regulated by the CFTC.

C. Federal and State Money Transmission Considerations

In general, unless otherwise exempt, a license is required to engage in the “business of money transmission”—i.e., to receive and transmit money—under the money transmission laws of each U.S. state in which a person has customers. Separately, a person who is engaged in money transmission activity will generally also be deemed a money services business (“MSB”) under the federal Bank Secrecy Act (“BSA”), and as a result, is subject to a registration requirement and related anti-money laundering (AML) compliance program requirements that are further addressed below.

The Financial Crimes Enforcement Network (“FinCEN”), which implements the BSA, has affirmed through guidance that certain activities involving virtual currency—including receiving and transmitting the same—are subject to the BSA requirements (even in cases in which the activity may not be subject to money transmission licensing in a particular state or states). The BSA operates to reinforce compliance with state money transmission laws by making it a federal felony to engage in money transmission in a state without a required state money transmission license in that state.[9]

FinCEN has issued extensive guidance on virtual currency activities that constitute MSB activities subjecting a person to the BSA. FinCEN interprets its regulations as applying to persons that are administrators or exchangers of virtual currency as “money transmitters.” An administrator or exchanger that: (i) accepts and transmits a convertible virtual currency; or (ii) buys or sells convertible virtual currency for any reason would be a money transmitter under FinCEN’s regulations, unless a limitation to or exemption from the definition applies to the person.[10] The applicability of the BSA to a person’s activities involving virtual currency is a fact-specific inquiry that must be addressed on a case‑by‑case basis.

A number of state money transmission statutes and regulations have also been amended to address the regulation of virtual currency. Furthermore, even a state that has not established a formal, public position could conclude that these laws covered virtual currency activity. Market participants should analyze the potential applicability to any particular virtual currency activity of state money transmission licensing laws, as well as any guidance, interpretations, enforcement actions or other rulings pertaining to state regulatory approaches to virtual currency activity to assess whether current or contemplated activity of the target constitutes regulated money transmission activity, or requires licenses.[11]

It is worth noting that locating a business offshore in order to avoid U.S. federal registration and related requirements or U.S. state licensing requirements is not effective. FinCEN regulations related to registration and anti-money laundering (“AML”) compliance apply to a money service business “wherever located doing business, whether or not on a regular basis or as an organized or licensed business concern, wholly or in substantial part within the United States” and “includes but is not limited to maintenance of any agent, agency, branch, or office within the United States.”[12] For example, in August 2021, FinCEN and the CFTC reached a resolution with BitMEX, an offshore cryptocurrency exchange that exists mostly in countries other than the U.S., alleging that the company did not comply with AML obligations per the BSA, did not have any AML policies or procedures in place and did not conduct any customer due diligence.[13]

D. U.S. AML Considerations

Under the BSA and its FinCEN-issued implementing regulations, a money transmitter engaging in virtual currency activity (or any other activity) that is deemed an MSB is required to: (i) register as an MSB with FinCEN; (ii) establish and maintain an effective AML program that is “reasonably designed to prevent the [MSB] from being used to facilitate money laundering and the financing of terrorist activities”; and (iii) comply with certain recordkeeping and reporting requirements—including suspicious activity reports (“SARs”) and currency transaction reports (“CTRs”).

Generally, an MSB’s BSA/AML program must be in writing and commensurate with the company’s specific risk profile, i.e., the program must be risk-based and cannot be an off‑the‑shelf solution. At a minimum, an MSB’s BSA/AML program must: (i) include policies, procedures, and internal controls that are reasonably designed to ensure ongoing compliance with the BSA; (ii) designate an individual responsible for the MSB’s BSA/AML program (a “BSA Officer”); (iii) provide adequate BSA/AML-related training to all appropriate personnel; and (iv) conduct independent (internal or external) testing. Many MSBs also establish and implement policies and procedures specifically addressing the identification and verification of beneficial owners of legal entity customers.

An MSB that violates the registration and BSA/AML program requirements can face enforcement actions from regulators or law enforcement agencies, including severe monetary penalties. In addition, engaging in or aiding and abetting money laundering is a criminal offense under the U.S. Money Laundering Control Act (“MLCA”), punishable by a maximum of 20 years in prison and fines up to the greater of $500,000 or twice the amount of the transaction involved. The MLCA applies to all persons and businesses in the U.S. as well as to persons and businesses in other countries if at least one part of a transaction is executed in the U.S.

It is therefore of utmost importance for an acquirer of a business with virtual currency activities to conduct a thorough AML due diligence to determine: (i) whether the target is an MSB that is required to register with FinCEN and have a BSA/AML program; and, if yes, (ii) whether such program is effective, adequate, and appropriate. There may also be additional state legal requirements regarding an MSB’s BSA/AML compliance program. For example, the New York State Department of Financial Services’ (“NYDFS”) so-called Part 504 requirements provide for minimum standards for transaction monitoring and filtering programs and an annual compliance certification requirement for money transmitters licensed by the NYDFS.

In addition to the above U.S. legal requirements, many other jurisdictions have similar statutory and regulatory frameworks in place. The following principles generally apply and should also be considered for transactions involving foreign virtual money transmitters.

The scope and thoroughness of an AML due diligence should be risk‑based, taking into account the target’s risk assessment, all AML-related policies and procedures (including “know your customer” (“KYC”) requirements, customer due diligence/enhanced due diligence, transaction monitoring and SAR filings, and other reporting and recordkeeping requirements), independent testing reports and management responses, training materials, and the structure of the target’s BSA/AML compliance department and the BSA Officer’s roles and responsibilities.

Further, an acquirer should be mindful to include strong AML-related representations and warranties in any agreement. For effectiveness and efficiency, an acquirer may want to consider combining its due diligence on AML and sanctions issues and closely coordinating these activities.

Considering the legal and reputational risks associated with money laundering and terrorist financing activities (such as if criminals were discovered to operate through a crypto exchange), an acquirer should also consider conducting at least a limited AML due diligence for any crypto M&A transaction, even if the target is not directly involved in virtual currency and/or money transmitter activities.

E. Sanctions Considerations

Sanctions refer to legal restrictions governments impose on transactions with specific persons or jurisdictions (i.e., embargoes). U.S. sanctions rules are generally applied on a strict liability basis and carry steep fines (for most violations, the greater of approximately $300,000 or twice the value of the transaction). Companies that operate in the blockchain space face risks since digital assets may facilitate anonymous or pseudonymous transactions that may lead to unknowing participation in prohibited transactions.

Many U.S. sanctions targets have attempted to use blockchain technology to either circumvent U.S. sanctions or engage in malign activity that U.S. sanctions target, and the Office of Foreign Assets Control (“OFAC”), the U.S. agency primarily responsible for implementing and enforcing U.S. sanctions, has taken an interest in cryptocurrency transactions. In September 2021, OFAC designated a Russian virtual currency exchange for facilitating financial transactions for ransomware actors.[14]

Targets that develop or use blockchain technology should be reviewed for sanctions controls and compliance, such as a process to collect identifying information on blockchain participants and screen that information against the SDN List, as well as IP blocking. Additional controls to look for include permissioned blockchains that condition participation on users providing information about their off-chain identities (that can then be screened against the SDN List), or smart contracts that halt transactions when users add keywords such as “Iran” or “Cuba” to transaction data.

F. CFIUS Considerations

The U.S. Committee on Foreign Investment in the United States (“CFIUS”) is one powerful force that non-U.S. acquirers and U.S. targets (including U.S. subsidiaries and branches of non-U.S. companies) should not ignore.

The recent regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 give CFIUS the authority to review transactions through which a non-U.S. person could gain “control” of a U.S. business, and certain non-controlling investments in U.S. businesses involving critical technologies, critical infrastructure, or sensitive personal data (“TID” businesses). “Critical technologies” includes the currently undefined category of “emerging technologies,” which likely will comprise certain blockchain technologies (along with artificial intelligence, quantum computing, robotics, and data analytics). Additionally, a U.S. blockchain performing critical infrastructure functions, including by providing Internet protocol networks and exchange points, data centers, and core processing services for financial institutions, telecom, energy, or utility companies, may also fall within CFIUS’s heightened scrutiny on non-controlling investments.

CFIUS may also review certain transactions involving a U.S. blockchain target to the extent it maintains or collects sensitive personal data of U.S. citizens, including financial, geolocation, and health data. Contrary to CFIUS’s long-standing history as a purely voluntary process, certain transactions by non-U.S. persons involving a U.S. TID business are subject to a mandatory CFIUS review. Failure to notify CFIUS of a transaction subject to mandatory filing can result in civil penalties up to the value of the transaction.

In recent years, CFIUS has focused on a number of deals involving non-U.S. acquirers, including British, Canadian, Chinese, and Japanese acquirers. It is critical for deal‑makers to closely assess the CFIUS risk profile of a blockchain target and consider whether to voluntarily notify CFIUS to seek pre-closing “clearance.”

CFIUS-related risk is generally addressed via representations, covenants and closing conditions tied to a successful outcome of the CFIUS review process, and sometimes by including a reverse break fee in the event that the outcome of the CFIUS review process prevents completion of the transaction. Moreover, where the CFIUS risk is high, U.S. targets may consider requesting that the non-U.S. acquirer deposit the amount of the reverse break fee into a U.S. escrow account in U.S. dollars. Non-U.S. acquirers may also consider purchasing CFIUS-risk insurance to cover payment of the reverse break fee, plus other broken deal costs, such as attorneys’ fees, investment banking fees, financing costs, and other due diligence expenses.

G. Privacy and Cybersecurity Considerations

The use of blockchain in a business model presents unique privacy issues. This includes scenarios where personal information about natural persons is processed on the blockchain, as well as those in which personal information is stored off‑chain but associated with, or linked to or from, the chain (and even when the information on the chain is about both consumers and individual business users using the blockchain application for business use). Even a user’s public-private encryption key associated with its identity is covered by many data protection laws.

Crypto companies should be aware that privacy laws may impose broad requirements, and may apply outside the borders of the country that promulgated the law (e.g., the European Union’s General Data Protection Regulation 2016/679 applies to non-European Union establishments if they are doing business with people located in the European Union).

Data protection laws globally impose requirements and restrictions on processing personal information about individuals, whether they are acting as retail consumers or representatives of businesses. Under some laws, called data export restrictions, personal information may only be exported from one country to another if certain conditions are met. This is a challenge for a global blockchain application in which the data is housed and duplicated around the world. If the blockchain application is private, the data export requirement can be met by including certain terms in the contract between the participants. Similar laws, called data location laws, require that the “master” copy of data be housed in a particular country, even if it may also be stored elsewhere. This poses another challenge for a decentralized blockchain application where there is no one true “master” copy.

Data protection laws often also give individuals various rights with regard to companies’ use of their data, such as individual consent to data use. In a blockchain model, this would require the individual to agree, electronically, to a data agreement before their personal information can be processed on the chain. In some cases, there is no opportunity to obtain this consent directly from the individual, so the participants in the blockchain have to rely on a contractual representation from other participants that they obtained the required consents.

Many of these challenges might be avoided with encryption, storing personal information off‑chain, or implementing a private blockchain instead of a public blockchain, so that all participants can agree contractually to the rules for the use of personal information; however, these topics are important to discuss with local counsel so that, if needed, a business model can be adjusted to avoid legal foot faults.

Last, but not least, crypto companies are also at risk of cybersecurity hacks, breaches or other incidents. Cybersecurity is a key area of disclosure focus not only for investors, but also for the SEC. Targets should ensure that cybersecurity risks, including any past incidents, are properly disclosed and presented in the offering document in order to protect against disclosure liability.

H. Other Issues

There are many other legal and regulatory issues that may become a focus of due diligence. These include, among others: (i) “investment companies” that are required to register under the Investment Company Act of 1940; (ii) IP rights considerations; (iii) commercial and insolvency laws; (iv) custodial methods and related risks; (v) competition and antitrust; (vi) consumer protection; and (vii) changes in the local political and legislative landscapes.


For deal-makers seeking to create synergies, drive growth, or enter new markets, crypto M&A may be the answer. With expert deal analysis, proper planning and due diligence, any acquirer has the opportunity to employ M&A to become the next link in the evolution of crypto.


[1] See CoinMarketCap (last visited December 7, 2021).

[2] In this article, we generally refer to “crypto” to include cryptocurrencies, security tokens, decentralized application tokens, protocol tokens, non-fungible tokens (NFTs), and other similar blockchain-enabled instruments, the ownership and/or transmission of which is recorded or verified by a distributed ledger (including a “blockchain” or directed acyclic graph) or other similar technology. However, market participants generally refer to: (i) “cryptocurrencies” to mean a blockchain-enabled digital representation of value that functions as a medium of exchange, a unit of account, or a store of value, which is generally used as a substitute for fiat currencies as a means of paying for goods or services or transferring value, and is not meant to be a “security,” as such term is defined under U.S. federal securities laws (bitcoin and ether are examples of such cryptocurrencies); (ii) “security tokens” to mean broadly blockchain-enabled assets that fall within the definition of a security under U.S. federal securities laws; and (iii) non-fungible tokens (NFTs) to mean blockchain-enabled unique digital files that typically contain data that point to an online version of digital art, collectibles (such as digital trading cards), and other content (which visually appear in gif, jpeg, or other common media formats) or a physical asset, and usually records ownership, evidences authenticity or provides certain rights of use, which may or may not constitute a “security,” as such term is defined under U.S. federal securities laws.

[3] We generally refer to “M&A” to include partnerships, joint ventures, mergers and acquisitions, and other strategic and private equity transactions.

[4] See Research, TokenData (last updated May 26, 2021), and Deallogic (last updated November 16, 2021).

[5] One of this year’s crypto M&A deals, Galaxy Digital’s $1.2bn acquisition of BitGo, is the largest crypto M&A transaction to date. See press release

[6] Also known as “token offerings,” “initial token offerings,” “token launches,” “token sales,” “initial coin offerings,” or “ICOs.”

[7] In addition, in April 2019, the SEC’s Strategic Hub for Innovation and Financial Technology (“FinHub”) published additional informal guidance, titled “Framework for ‘Investment Contract’ Analysis of Digital Assets” (Framework), which provides analytical tools for determining if a digital asset is a security based on an analysis of whether the asset is an “investment contract,” as that term was first used by the Supreme Court of the United States in SEC v. Howey, 328 U.S. 293 (1946). The Court in Howey articulated a four-part test, stating that an instrument is an “investment contract” when there exists: (i) an investment of money; (ii) in a common enterprise; (iii) with an expectation of profits; and (iv) to be derived solely from the efforts of others (e.g., a promoter, sponsor or third party). The Framework elaborates on the Howey test via examples and instances when the test would be satisfied.

[8] The term “commodity,” defined in Section 1a(9) of the Commodity Exchange Act, is extremely broad, covering everything from physical commodities to “services, rights, and interests,” which the CFTC believes includes cryptocurrencies, and are therefore subject to the CFTC’s jurisdiction.

[9] See 18 U.S.C. § 1960(b)(1)(B).

[10] See FIN-2013-G001, Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies (Mar. 18, 2013).

[11] State money transmission licensing laws generally define regulated activity broadly to include “receiving money for transmission,” and many state statutes define “money” to include “monetary value.” Any state that has to date not established a formal position with respect to the regulation of virtual currency activity could: (i) deem the receipt, holding, or transfer of fiat currency in connection with virtual currency activity (such as facilitating a virtual currency exchange platform) to constitute money transmission subject to regulation in its own right; and (ii) deem virtual currency activity itself to be subject to regulation in a manner similar to activity involving fiat currency, such as receiving and transmitting virtual currency.

[12] See 31 CFR § 1010.100(ff)(5).

[13] See CFTC v. HDR Global Trading Ltd. et al., Case 1:20-cv-08132 (S.D.N.Y. Aug. 10, 2021).

[14] United States Office of Foreign Assets Control. Sanctions Compliance Guidance for the Virtual Currency. Available at