The SEC Just Made It Easier for Crypto Wallet Apps to Operate Legally — With Conditions

The US SEC's Division of Trading and Markets issued a staff statement on April 13, 2026, confirming that providers of self-custody crypto wallet interfaces and DeFi frontends can operate without registering as broker-dealers, provided they meet 12 specific conditions. The guidance covers both native crypto tokens and tokenized equities and debt securities and took effect immediately.

The statement applies to what the SEC calls "Covered User Interface Providers." These are entities that build websites, browser extensions, mobile apps, or other software that helps users interact with blockchain protocols through their own self-custodial wallets. The guidance is part of a broader SEC push to clarify how existing securities law applies to crypto activities.

Commissioner Hester Peirce issued a separate statement alongside it, arguing that existing law already makes the SEC's position clear, and calling for formal rulemaking to go even further. The staff statement will automatically expire five years from April 13, 2026, unless superseded.

What Is A Covered User Interface Under This SEC Guidance?

The SEC defines a Covered User Interface as software that converts a user's trade instructions, such as buy or sell orders, volume, asset, and price range, into commands that a blockchain can read. Those commands are then signed and sent through the user's self-custodial wallet. The user, not the interface provider, holds the private key.

These interfaces often also display market data, including potential execution routes, asset prices, and estimated gas fees. Providers typically charge a fixed percentage per transaction. The key word in the SEC's definition is "self-custodial." Neither the wallet provider nor the interface can hold or access the user's private key, encrypted or decrypted.

This restriction limits the statement's immediate reach to users comfortable managing their own keys. However, institutional investors using enterprise-grade self-custody solutions could also use these interfaces, potentially bypassing traditional broker-dealer intermediaries for their own trading activity.

What Are The 12 Conditions For The Broker Exemption?

The SEC does not grant a blanket pass. Providers must meet all of the following conditions to avoid broker-dealer registration:

• Users must be able to customize any default transaction parameters, and the interface must offer educational material to help them do so.
• The provider cannot solicit users to engage in any specific crypto securities transactions.
• The provider must select trading venues or distributed ledger systems based on objective factors, such as liquidity, latency, transparency, and security.
• If the provider is affiliated with a connected trading venue, that affiliation must be clearly disclosed, and the venue must be treated on equal terms with unaffiliated venues.
• If only one execution route is shown, users must be able to see additional routes where they exist.
• If multiple routes are shown, sorting must be based on objective factors, such as price or speed. The interface cannot label any route as "best" or "most reliable."
• The interface cannot provide commentary or subjective recommendations on execution routes.
• All software used to prepare trading instructions and display market data must operate on pre-disclosed, independently verifiable parameters.
• The interface cannot exercise any discretion or decision-making over the market information it displays or the transactions it processes.
• Fees must be fixed, consistent, and neutral. They cannot vary based on the asset chosen, the route taken, or the counterparty involved.
• The provider must establish policies to evaluate, onboard, and audit connected trading venues and periodically reassess default transaction parameters.
• The provider must prominently disclose its non-registered status, fee structures, conflicts of interest, cybersecurity policies, MEV-related risks, and system parameters to users.

Does This Statement Cover Tokenized Stocks And Bonds?

Yes, and that is one of the more significant aspects of this guidance. Earlier discussions about the SEC's planned innovation exemption suggested it would be limited to issuer-sponsored tokenized securities traded on automated market makers (AMMs), with whitelisting requirements and volume limits.

This statement is broader. It covers any tokenized equity or debt security traded through a qualifying interface. That said, the statement does not remove other regulatory obligations that may sit at the issuer or token level, such as whitelisting, KYC, or volume limits, which could be imposed through separate regulatory actions.

The result is that a tokenized equity could potentially trade in two very different regulatory environments: on a national securities exchange through a registered broker-dealer under full Regulation NMS rules, or on a permissionless AMM through an unregistered interface under disclosure-only obligations. Registered broker-dealers carry best execution, capital, supervisory, and investor protection obligations. Interface providers under this statement do not.

What Activities Are Excluded From The Safe Harbor?

The statement is explicit about what interface providers cannot do without triggering broker-dealer registration requirements.

Excluded activities include:

• Negotiating transaction terms
• Soliciting specific crypto securities transactions
• Making investment recommendations or providing financial advice
• Arranging for financing
• Processing trade documentation
• Conducting independent asset valuations
• Holding, accessing, or managing user funds, securities, or stablecoins
• Executing or settling transactions
• Taking or routing orders

The routing exclusion creates an immediate gray area. Interfaces that suggest optimal execution paths may remain within the safe harbor if they present the route for user approval and allow alternatives. 

But aggregator protocols like CowSwap, whose solver network actively finds counterparties and determines execution paths, may fall outside it. The distinction between "preparing" a transaction and "routing" an order will be tested in the comment period.

The financing exclusion is equally notable. Lending protocols such as Aave and Morpho, whose core function is arranging for borrowing and lending, appear to fall outside the scope of this statement entirely. Their frontends would need separate regulatory clarity.

How Does The Self-Custody Requirement Work In Practice?

The self-custody condition is the statement's most important limiting factor. The SEC's definition requires that neither the provider nor the interface have custody of or access to the user's private key.

Wallet technology is evolving, however. Multi-party computation (MPC) wallets distribute key shards so that no single party holds the complete key. Smart contract wallets with social recovery introduce yet another model. Whether these architectures qualify as "self-custodial" under the SEC's definition will likely be tested.

Coinbase is one firm that will be closely watched. It already operates a self-custodial wallet separate from its main exchange, founded the Base blockchain, and has broad ambitions across the digital asset value chain. The affiliate disclosure condition in the statement requires transparency about such relationships, but economic incentives remain.

What Does This Mean For The Traditional Financial Services Industry?

The broker-dealer community, led by SIFMA, has consistently argued that wallet providers performing broker-like functions should be regulated based on the substance of their activities, not their technical form.

As recently as February 2026, SIFMA's follow-up letter to the Crypto Task Force emphasized "significant functional similarities between traditional broker-dealer services and some wallet provider activities" and urged notice-and-comment rulemaking rather than blanket exemptions or no-action relief.

The staff statement is technically broader than a no-action letter and was issued without a prior comment period. It is effective immediately. That combination may make this guidance harder to accept for traditional financial services firms accustomed to formal rulemaking processes.

That said, the SEC staff faced a genuinely difficult task. Blockchain technology does not map neatly onto existing regulatory categories. An interface that converts a user's trade parameters into blockchain commands and routes them through a self-custodial wallet does not function like a traditional broker. The 12 conditions the staff imposed represent a serious attempt to replicate key investor protections without requiring full broker-dealer registration.

Security And MEV: What Disclosures Are Required?

The statement requires interface providers to disclose their cybersecurity policies, procedures, and controls, if any. The phrase "if any" is significant. A provider is not required to have security controls in place, only to disclose whatever it does or does not have. For an interface handling tokenized equities and bonds, this is a lower standard than what applies to registered broker-dealers.

On MEV (maximal extractable value), the statement requires disclosure of policies to protect user trading information from front-running strategies. MEV refers to the practice by which blockchain validators or other actors reorder, insert, or censor transactions to extract additional profit, often at the expense of ordinary users. The SEC explicitly acknowledges the MEV risk in a footnote but frames the remedy as disclosure rather than prohibition.

Who Is Accountable At The Protocol Level?

A notable gap in the statement is what it does not cover. The safe harbor applies only to the interface layer. The underlying AMM protocols, the smart contracts that actually match liquidity and execute trades, are not addressed and are therefore presumed to sit outside the regulatory framework entirely.

This means no entity is directly accountable at the protocol level for trade execution. The frontend provider has disclosure obligations but does not execute trades. The protocol executes trades but is not subject to this framework. The user is self-custodial, so there is no intermediary bearing responsibility for execution quality. For institutional participants accustomed to a market structure where someone is always accountable for execution, this is a meaningful departure.

Conclusion

The SEC's staff statement creates a conditional, time-limited framework that allows self-custody crypto interface providers to operate outside broker-dealer registration for five years. It covers native crypto tokens and tokenized equities and bonds, imposes 12 specific conditions around fee neutrality, disclosure, venue evaluation, and conflict management, and explicitly excludes activities such as order routing, lending facilitation, fund custody, and investment advice. 

The guidance addresses the interface layer only and leaves protocol-level accountability unresolved. Security standards are disclosure-based rather than prescriptive. Commissioner Peirce has called for formal rulemaking to go further, while industry groups like SIFMA have pushed back on the absence of a prior comment period. The SEC staff welcomes public comment on the statement through File Number 4-894.

Resources 

1. Press release by US SEC: Staff Statement Regarding Broker-Dealer Registration of Certain User Interfaces Utilized to Prepare Transactions in Crypto Asset Securities

2. Report by Crypto Briefing: SEC sets conditions for crypto trading apps to stay outside broker rules

3. Report by The Block: SEC carves out path for some crypto interfaces to bypass broker registration