The Howey Test for Founders: When Your Token Is a Security

Most founders launching tokens don't have a clear framework for whether they're issuing a security. The Howey test has four prongs, and the SEC has applied each of them to token issuers in ways that would surprise most founders who think 'utility' is the safe word.

The Howey Test for Founders: When Your Token Is a Security
Loading AudioNative Player...

Why the SEC's Token Enforcement Wave Matters for Founders

The Securities and Exchange Commission has spent several years making an example of token issuers. Ripple, Terraform Labs, and Kik all faced enforcement actions on the same core theory: that they sold tokens to the public without registering those tokens as securities. The legal standard the SEC applied in each case traces back to a 1946 Supreme Court ruling, SEC v. W.J. Howey Co., 328 U.S. 293 (1946). That decision defines what counts as an "investment contract" — and therefore a security — under federal law. If your token meets the Howey definition, your launch was, in the SEC's view, an unregistered public securities offering.

The penalties are not abstract. After a jury found Terraform Labs and its co-founder Do Kwon liable, a federal court ordered the company to pay $3.586 billion in disgorgement plus $466 million in prejudgment interest and a $420 million civil penalty. Kwon personally owed an additional $110 million in disgorgement, $14.3 million in prejudgment interest, and an $80 million civil penalty — a combined exposure of roughly $4.47 billion. Kik, which raised $100 million in its Kin ICO, received a permanent injunction and a $5 million civil penalty after summary judgment. These outcomes illustrate the full range of consequences: disgorgement of all proceeds, civil penalties, permanent injunctions, and individual founder liability. Any one of those can end a project.

The enforcement climate has shifted. Under Chair Paul Atkins, the SEC initiated only 13 crypto enforcement actions in FY2025, down from 33 in FY2024, and crypto-related penalties fell to $142 million — less than 3% of 2024 levels. Atkins described the wave of dismissals as a "necessary course correction." But the Howey test has not changed, and neither has the underlying statutory framework. A political shift in enforcement priorities does not rewrite the law — it changes only the likelihood that the SEC will act first. State regulators, private plaintiffs, and a future administration retain the same legal tools. Understanding whether your token is a security is not optional; it is the baseline.

⚠️
Reduced SEC enforcement under the current administration does not eliminate legal exposure. The Howey test governs whether your token is a security regardless of how many cases the SEC chooses to bring in any given year.

The Four Prongs — How Howey Actually Applies to Token Structures

The test comes from a 1946 Supreme Court case involving Florida citrus groves. In SEC v. W.J. Howey Co., the Court held that an investment contract exists when a person invests money in a common enterprise and expects profits from the efforts of a promoter or third party. That four-part structure — (1) investment of money, (2) in a common enterprise, (3) with an expectation of profits, (4) derived from the efforts of others — has governed securities analysis ever since, and it maps directly onto how the SEC evaluates token transactions today.

In its 2019 Framework for Investment Contract Analysis of Digital Assets, the SEC staff stated that prongs one and two are typically satisfied in digital asset transactions. Buyers pay real value for tokens, and their returns generally move together based on the same underlying project. If you are still in the planning stage wondering whether your token sale starts the Howey clock, assume it does on both counts. The substantive legal fight almost always comes down to prongs three and four.

Prong four — profits derived from the efforts of others — is where most token projects are most exposed. The 2019 Framework asks whether an "Active Participant" (your development team, your foundation, your core contributors) still drives the network's value. The less control those participants retain, the less likely this prong is satisfied. But that threshold is high: if the protocol would stall, depreciate, or lose its core functionality without your team's continued work, a court or regulator will find that purchasers are relying on your efforts. That description fits the vast majority of early-stage projects.

The concept of "sufficient decentralization" entered the conversation through a June 2018 speech by then-SEC Director William Hinman, who suggested that a token operating on a sufficiently decentralized network — where no person or group is still carrying out essential managerial work — might shed its investment-contract status over time. That framing has been influential, but Hinman was explicit that he was expressing his personal views, not Commission policy. It has never been codified in a rule or formally adopted by the SEC, and courts have not treated it as authoritative.

What courts do treat as authoritative is economic reality. In SEC v. Terraform Labs, the Southern District of New York put it plainly: "the economic realities of a product — not the labels, the spin, or the hype — determine whether it is a security under the securities laws." Calling your token a utility token, a governance token, or a payments token does not change the analysis. SEC v. Kik Interactive makes that point concrete: Kik designed its Kin token as a payments and ecosystem currency, explicitly avoiding investment language in its marketing. At summary judgment, the court found Kin to be an investment contract. Kik paid a $5 million civil penalty and received a permanent injunction.

The Ripple Ruling: What It Actually Decided (and What It Left Open)

In July 2023, Judge Analisa Torres issued a split decision in SEC v. Ripple Labs, Inc. that every token founder has since cited — often incorrectly. The court held that Ripple's institutional sales of XRP were investment contracts under Howey: sophisticated investors bought directly from Ripple with full knowledge that the company would deploy the proceeds to develop the XRP ecosystem, and they reasonably expected profits from those efforts. But programmatic sales — XRP sold on secondary trading platforms through blind order-book matching — were held not to be investment contracts on those specific facts. The same token, two different legal outcomes, depending entirely on how it was sold and to whom.

The programmatic-sales holding rested on a narrow factual premise: because exchange-based trading matches buyers and sellers anonymously, retail purchasers on the secondary market could not have known their money was going to Ripple. Without that knowledge, they could not form a reasonable expectation of profits derived from Ripple's managerial efforts — so the third Howey prong failed. That logic is fact-specific to the point of being fragile. If your project markets heavily to secondary buyers, publicizes your roadmap, or otherwise makes it obvious that purchase proceeds flow back to the team, the anonymous-buyer rationale evaporates.

The ruling never received appellate review. The SEC appealed the programmatic-sales holding in October 2024, but both parties dropped their cross-appeals as part of a 2025 settlement, leaving Judge Torres's opinion as district court precedent only — persuasive, not binding, outside the Southern District of New York. Courts elsewhere have already diverged: a March 2024 federal ruling in an SEC insider-trading case against a former Coinbase employee found that secondary token sales on exchanges could qualify as securities, a conclusion directly in tension with the Ripple programmatic-sales logic. Founders who treat the Ripple ruling as a blanket secondary-market exemption are reading a case that may not survive the next circuit-level test.

⚠️
The Ripple decision is useful context, not a compliance strategy. Before relying on any secondary-sales argument, map your specific facts — buyer awareness, marketing reach, team communications — against the anonymous-buyer reasoning that drove the programmatic-sales holding.

Safe Harbor Arguments That Have and Haven't Worked

The most common defense founders raise is that their token has real utility — it pays for storage, governance rights, access to a platform — and therefore is not a security. Courts have consistently rejected that framing when the economic reality points the other way. In SEC v. Kik Interactive Inc., the Southern District of New York granted summary judgment against Kik, holding that Kin tokens were investment contracts regardless of the utility Kik had built around them. Kik paid a $5 million penalty and accepted a permanent injunction. Terraform Labs fared worse: after a jury trial, a court entered a $4.47 billion judgment applying the same economic-reality analysis. The label on the token does not control; the substance of what investors reasonably expected does.

The SAFT (Simple Agreement for Future Tokens) model, popularized by the Filecoin raise in 2017, tried to thread this needle structurally: sell a Reg D security to accredited investors now, deliver a presumably-functional utility token later, and argue the delivered token is no longer a security. The Telegram case dismantled that logic. Judge Castel held that "the security was neither the Gram Purchase Agreement nor the Gram but the entire scheme" — the SAFT-equivalent purchase agreements and the intended token distribution were a single unregistered public offering, making the initial purchasers statutory underwriters who could not lawfully resell into the public. The SEC obtained an emergency TRO in October 2019, a preliminary injunction in March 2020, and Telegram ultimately abandoned a $1.7 billion raise from 171 purchasers entirely. Case No. 1:19-cv-09439 (S.D.N.Y.).

Commissioner Hester Peirce's Token Safe Harbor Proposal 2.0, published in April 2021, offered a thoughtful path forward: a three-year grace period for network developers to achieve decentralization before securities registration obligations attached, subject to mandatory disclosures and an outside-counsel assessment of decentralization. If you were hoping to rely on it, you cannot. The proposal was published in Peirce's individual capacity only — it was never adopted by the Commission and creates no legal protection whatsoever.

The one mechanism that reliably works for pre-launch fundraising is Regulation D under Rules 506(b) or 506(c). Both exemptions allow unlimited offering sizes from accredited investors and require only a Form D filing with the SEC. Rule 506(b) permits up to 35 sophisticated non-accredited investors but bars general solicitation; Rule 506(c) allows general solicitation if every purchaser is a verified accredited investor. Neither exemption resolves your token's status at the point of secondary trading, but they provide a defensible structure for the initial raise — which is where founders most commonly create unregistered-offering exposure.

⚠️
A Reg D raise covers the sale of the instrument, not the token's permanent securities status. If you later distribute tokens to those investors or sell them on a public exchange, that distribution is a separate transaction that may itself require registration or a separate exemption.

What Founders Should Actually Do Before Launching a Token

The Howey analysis tells you whether you have a problem. Exemptions tell you what to do about it.

For pre-launch fundraising from accredited investors, Regulation D is the standard path. Rule 506(b) permits sales to up to 35 sophisticated non-accredited investors alongside unlimited accredited investors, but bars any public advertising. Rule 506(c) flips that trade-off: general solicitation is allowed, but every purchaser must be independently verified as accredited. Both exemptions require filing a Form D with the SEC. Neither requires registration — and neither changes the fact that you are issuing a security.

If you need to reach the general public, Regulation A+ (Tier 2) allows raises of up to $75 million after SEC qualification. Blockstack's 2019 offering — the first SEC-qualified token sale under Reg A+ — took roughly 10 months and cost $2.8 million to complete. That timeline and budget are realistic benchmarks; Reg A+ is viable for well-capitalized projects, not seed-stage teams.

Offshore structuring under Regulation S is frequently floated as a workaround. It isn't. Reg S provides a safe harbor for sales to non-U.S. persons, but secondary trading erases that protection quickly — U.S. buyers purchase tokens on secondary markets regardless of where the initial sale occurred, and crypto exchanges do not qualify as foreign securities exchanges. In the Terraform Labs litigation, the court rejected the Reg S defense outright, finding that the defendants showed neither an absence of substantial U.S. market interest nor any preventative measures against U.S. resale.

On the regulatory horizon: SEC Chair Atkins has acknowledged that current registration forms are inadequate for crypto assets and has pledged clearer guidelines. No new rules are in force yet. That acknowledgment matters for tone, not for your compliance obligations today.

The operative diagnostic before any token launch is simple: would a reasonable purchaser buy your token expecting to profit from your team's continued work? If the honest answer is yes, you are almost certainly issuing a security. The first practical step is a securities law opinion from counsel who can apply that analysis to your specific token structure before launch — not after an enforcement action forces the question.

Launching a token and want to understand your securities law exposure before it becomes enforcement exposure? Promise Legal advises web3 founders on Howey analysis, Reg D structuring, and pre-launch compliance.

Get in touch