Crypto Regulation: Who Will Protect Consumers Against Fraud?

Skadden Publication / The Distributed Ledger

Alexander C. Drylewski, Margaret E. Krawiec, Darren M. Welch, Bryan A. Burcat, Todd D. Kelly

For years, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) have actively policed digital asset markets, bringing enforcement actions based on alleged failures to register products and services and, in some instances, on alleged fraudulent activities aimed at retail consumers.

These actions have led many in the industry — and from within the agencies themselves — to criticize the SEC and CFTC for engaging in “regulation by enforcement.” The Trump administration has signaled its support of the digital asset industry broadly, announcing key policy shifts in favor of fostering development of digital asset technology, revoking Biden-era regulatory policies, establishing a working group focused on digital assets and signaling that the SEC and CFTC will likely take a lighter touch to regulating the industry. (See our February 7, 2025, client alert “White House Announces First Steps Toward New Policies Supporting Cryptocurrencies and Digital Financial Technology.”) 

The president has nominated chairs who are widely viewed as crypto-friendly (Paul Atkins to the SEC and Brian Quintenz to the CFTC). This has led many to believe the SEC and CFTC will throttle back their enforcement efforts in the space over the coming years. 

Nevertheless, the vast majority of crypto stakeholders agree with the need to protect consumers from fraud, even as those stakeholders vigorously oppose onerous and illogical regulatory requirements that do not fit with many digital asset-related technologies. 

Just recently, the SEC announced the formation of a Cyber and Emerging Technologies Unit to “focus on combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space,” including, among other things, “[f]raud involving blockchain technology and crypto assets.” For its part, the CFTC recently reorganized its task forces to focus on issues of fraud (both with regard to retail and more sophisticated actors). 

While the precise details of these new initiatives are yet to be announced, the current regulatory environment raises an important question: Other than the SEC and CFTC, who might police fraud aimed at retail consumers of crypto products and services? Potential candidates could include state attorneys general, private plaintiffs and other federal regulatory agencies. 

Below, we highlight two federal agencies — the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) — that historically have acted to protect U.S. consumers from fraudulent practices. We discuss these agencies’ jurisdictional scope and authority, as well as the tools they have employed for policing fraudulent acts and practices. 

While it remains far from clear whether either agency will take a more active role in the digital asset space (and, as discussed below, recent events raise doubts that they will), industry participants should nevertheless bear them in mind when looking to navigate the rapidly evolving U.S. regulatory landscape. 

FTC

Though the FTC has not made crypto a particular focus of its enforcement in past years, it might move to rein in certain activities of crypto participants, particularly if there is an element of consumer fraud. 

The FTC can rely on Section 5 of the FTC Act for general authority to combat unfair or deceptive practices, as well as more specific regulations that can be, and have been, applied to cryptocurrencies. 

Some FTC actions in this area relate to classic fraud schemes that are facilitated by the use of cryptocurrency. For example, in 2018 the FTC shut down a scheme that promised participants large returns on small initial investments of crypto. However, the scheme was a basic Ponzi scheme that just so happened to use crypto rather than U.S. dollars. Another recent enforcement action dealt with a company that offered unfounded claims of big returns to consumers who used their “secret passive income crypto bot.” 

These actions fit neatly within the FTC’s authority under Section 5 to prevent unfair or deceptive practices and do not differ substantively from other FTC cases on fraudulent business opportunities. The FTC has also warned of bitcoin ATM scams. However, these largely are variations on common schemes to fraudulently induce individuals to send money to a scammer. The bitcoin ATMs simply provide a useful mechanism to facilitate the alleged fraud. 

Other actions are more specific to the crypto industry. The FTC has shown some interest in tamping down on false claims about the financial security of crypto holdings. In 2023, the FTC brought two actions against cryptocurrency companies for making false claims about the financial security of moving assets from a traditional financial institution. 

Among the false claims made in both enforcement matters were defendants’ statements that cryptocurrency deposits would be insured by the Federal Deposit Insurance Corporation (FDIC).1 The FTC alleged violations of Section 5 for purported misrepresentations made about the cryptocurrency services. 

The FTC also utilized a provision of the Gramm-Leach-Bliley Act (GLBA) that prohibits any person from “obtain[ing] or attempt[ing] to obtain … customer information of a financial institution relating to another person … by making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution.” The FTC claimed that the companies’ false statements about FDIC insurance, among other fraudulent claims, were an attempt to obtain a financial institution’s customer information. 

The companies agreed to judgments of over $1.6 billion and $4.7 billion, both of which were suspended to allow the companies to return their remaining assets to consumers in bankruptcy proceedings. 

The FTC could also potentially use the GLBA as a mechanism to enforce the privacy and security of customer information. Title V of the GLBA requires regulators to protect the privacy of a consumer’s personal financial information. The FTC has jurisdiction under Title V over financial institutions that are not otherwise subject to enforcement from another regulator under that provision. The FTC’s Safeguards Rule, promulgated pursuant to the GLBA, requires financial institutions to develop, implement and maintain an information security program with safeguards designed to protect customer information. 

In addition, the FTC has enforcement authority over the CFPB’s Privacy of Consumer Financial Information rule (Regulation P), which is similarly promulgated under Title V of the GLBA. In 2022, the FTC issued civil investigative demands (CIDs) to two crypto companies in connection with investigations to determine whether the companies failed to protect the security of customer data and engaged in unfair or deceptive practices related to consumer privacy and data security.2

Both companies sought to quash the CIDs on the basis that the FTC lacked jurisdiction. The FTC commissioners denied the motions to quash and affirmed that the FTC was “within permissible limits” to investigate crypto companies for potential violations of the GLBA or rules promulgated thereunder. While there do not appear to be any additional publicly known cases of the FTC enforcing consumer privacy rules against crypto companies, it appears to have precedent for doing so. 

Ultimately, it is not clear how the FTC will treat crypto companies under a more industry-friendly administration. But as noted above, there is a path for the FTC to pick up enforcement, particularly regarding deceptive statements about crypto products and services, and potentially as to protecting consumer financial information. 

CFPB

Like the FTC, the CFPB has undertaken efforts to protect consumers from crypto fraud and other violations, which may continue or intensify in light of a potential pullback by the SEC and CFTC. 

The CFPB was created in the aftermath of the 2008 financial crisis by the Dodd-Frank Act for the purpose of “regulat[ing] the offering and provision of consumer financial products or services under the Federal consumer financial laws.” 

It has broad authority to protect consumers “from unfair, deceptive, or abusive acts and practices and from discrimination,” ensure consumers “are provided with timely and understandable information to make responsible decisions about financial transactions” and enforce more than a dozen federal consumer financial laws. 

The CFPB has the authority to bring either enforcement actions in court or administrative proceedings and obtain injunctive relief, damages, civil penalties and other relief. In some respects, the CFPB’s authority overlaps with that of the FTC, including the authority to enforce prohibitions against unfair and deceptive acts with respect to nondepository companies in the consumer financial services sector. 

The CFPB’s authority is significantly broader than the FTC’s authority in other respects, as it has authority to regulate banks and has supervisory/examination authority with respect to various categories of nondepository institutions as well as larger banks. Moreover, the CFPB’s enforcement mechanisms under the Consumer Financial Protection Act in some respects provide for a more direct avenue to obtain monetary relief, and larger potential civil penalties, than FTC enforcement actions for violations of the Federal Trade Commission Act. 

On the other hand, the FTC has broader authority with respect to matters involving business-to-business transactions that do not involve services provided to “consumers” (individuals). 

Throughout its history, the CFPB has aggressively combated fraud, including bringing 280 enforcement actions alleging unfair, deceptive, or abusive acts and practices. Furthermore, recent CFPB actions illustrate an active approach with respect to regulating cryptocurrency and digital assets in particular, including:

  • Investigations. The CFPB has launched at least one publicly disclosed enforcement investigation related to crypto. In December 2021, the CFPB issued a CID to Nexo Financial LLC relating to the company’s “Earn Interest Product” offered to consumers holding digital assets in its portfolio.3
  • Crypto fraud advisories and guidance. In 2024, the CFPB issued a report warning of fraud risk related to cryptocurrency and digital assets in video games and virtual worlds. And a decade earlier, in August 2014, the CFPB issued a consumer advisory stating that consumers should be aware that virtual currencies “are targets for highly sophisticated hackers,” that there are fewer protections available to holders of virtual currencies, that currencies “can cost consumers much more to use than credit cards or even regular cash” and that “[f]raudsters are taking advantage of the hype surrounding virtual currencies.” 
  • Complaints. In 2022, the CFPB published a report analyzing consumer complaints related to cryptocurrency, concluding that these complaints “strongly suggest that consumers are at risk when seeking to acquire or transact with crypto-assets” and that there is a need for greater accountability from cryptoasset platforms in “identifying and stopping fraudulent transactions.” 

On February 12, 2025, President Donald Trump nominated former FDIC director Jonathan McKernan to be the bureau’s permanent director. McKernan brings some experience in this area: During his tenure at the FDIC, the agency warned of vulnerabilities in the crypto sector, including risk of misrepresentations regarding FDIC insurance.

See the Executive Briefing publication

1 FTC v. Voyager Digital, LLC, 1:23-cv-08960 (S.D.N.Y. Oct. 12, 2023); FTC v. Celsius Network, Inc., 1:23-cv-6009 (S.D.N.Y. July 13, 2023).

2 See In the Matter of Civ. Investigative Demand to Bachi.tech Corp., Dated May 11, 2022, No. 222-3050, 2022 WL 3500455, at 12 (F.T.C. Aug. 9, 2022); In the Matter of Civ. Investigative Demand to Spread Techs. LLC, Dated May 11, 2022, No. 222-3050, 2022 WL 2967367, at 7 (F.T.C. July 18, 2022).

3 Decision and Order on Petition by Nexo Financial LLC To Modify Civil Investigative Demand, 2022-MISC-Nexo Financial LLC-0001 (Nov. 22, 2022).

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
