Peer-to-Peer Lending Securities Compliance: Reves, Howey, and the Lessons of Prosper and BlockFi

The Securities Act of 1933 does not care whether the platform calls itself a marketplace, a crowdfunder, a yield account, or a DeFi protocol. It cares whether the instrument being offered fits inside the statutory definition of a security — and for peer-to-peer lending, the answer is almost always yes. From the SEC's 2008 cease-and-desist against Prosper to the $100 million BlockFi settlement in 2022, the regulator has repeatedly shown that P2P lending is a registration question, not an exemption question. The only move available to counsel is to get the compliance architecture right before the first lender funds the first loan.

Why every P2P lending platform is a securities offering until proven otherwise

Section 2(a)(1) of the Securities Act of 1933 defines a "security" by listing the instruments Congress meant to capture, and the list is long. In a single sentence, it sweeps in any "note," "evidence of indebtedness," and "investment contract" — among more than a dozen other categories. For a peer-to-peer lending platform, that statutory sentence is the entire game. The product almost always involves a note running to the lender, an investment-style return, or both. The default position is that the platform is offering securities; the burden is on counsel to demonstrate otherwise.

Two doctrinal lanes do that work, and a P2P platform typically has to clear both. The first is Reves v. Ernst & Young, where the Supreme Court held that any "note" is presumed to be a security unless it bears a "family resemblance" to a short list of commercial instruments the securities laws were never meant to reach — consumer financing, character loans, accounts receivable, and the like. Reves controls when the platform issues notes to its lenders. The second lane is SEC v. Howey, which asks whether an arrangement is an "investment contract": money invested in a common enterprise with profits expected from the efforts of others. Howey controls when the platform pools capital, manages deployment, or otherwise puts its own efforts between the lender and the return.

The two tests are not alternatives. In the 2022 BlockFi settlement, the SEC ran the Howey analysis on the yield product and the Reves analysis on the underlying notes in the same order, and BlockFi paid $100 million across federal and state regulators. The lesson for fintech counsel is operational. The first question to ask a P2P client is not "are we a security?" The honest first question is: which test are we losing under, and what registration path do we build around that loss?

The Reves four-factor test and how it caught Prosper in 2008

If the platform issues notes, the losing test is almost always Reves. Reves v. Ernst & Young, 494 U.S. 56 (1990), starts from the presumption that every note is a security and then asks four questions to see whether the instrument resembles one of the commercial exceptions closely enough to rebut that presumption: (1) the motivations of the buyer and seller, (2) the plan of distribution, (3) the reasonable expectations of the investing public, and (4) whether some other risk-reducing factor — typically an alternative regulatory regime — makes securities-law protection unnecessary. The factors are not weighed mechanically, but they are applied one at a time, and a platform that loses any of them in a serious way usually loses the case.

The SEC's November 24, 2008 cease-and-desist order against Prosper Marketplace ran exactly that walk and found all four factors pointing the same direction. On motivations, lenders were on the platform to earn a return on capital and Prosper was raising capital to fund borrower loans — a classic investment dynamic, not a consumer or commercial financing relationship. On plan of distribution, Prosper offered the notes to the general public over the internet, with no investor qualification gate; that is common trading, not the limited circulation that characterizes excluded commercial paper. On reasonable expectations, Prosper's own marketing presented the notes as investments, with advertised yields and risk-rated borrower listings; the investing public was being invited to treat them as securities, and the SEC took Prosper at its word. On the risk-reducing factor, there was no alternative regulatory scheme — no banking supervisor, no ERISA fiduciary regime, nothing — standing between the lender and total loss. The Commission concluded that Prosper had offered and sold unregistered securities in violation of Sections 5(a) and 5(c) of the Securities Act.

State regulators followed within weeks. A NASAA-led multistate settlement required Prosper to pay $1 million across the participating states for the same conduct, on the same theory. The federal and state actions together effectively shut the platform down for a quiet period of roughly seven months.

Prosper resumed operations in July 2009 — but only after registering its Borrower Payment Dependent Notes with the SEC on a Form S-1. That is full public registration, with audited financials, prospectus delivery, and ongoing Exchange Act reporting — not a Reg D private placement and not a Reg A exemption. The operational lesson is the one Reves itself teaches: novelty in the business model does not exempt the instrument. The test asks whether the substance fits the family, and a retail-marketed yield-bearing note almost always will.

The Howey overlay: BlockFi, crypto lending, and what changed

If Reves is the test for notes, Howey is the test for everything else the platform might be doing with the lender's money. The two doctrines are tools for the same job — sorting substance from packaging — and the SEC has shown, repeatedly, that it will run them in parallel against the same product. The most consequential demonstration came in February 2022, when the Commission and a coalition of state regulators reached a $100 million settlement with BlockFi over its retail crypto-lending program. The relevant move for fintech counsel is not that the product was crypto. The relevant move is that the agency reached for the same two tests it had used against Prosper fourteen years earlier and applied them to a new asset class without revising the framework.

BlockFi offered a product called the BlockFi Interest Account. Retail customers transferred crypto to BlockFi in exchange for a variable yield, and BlockFi pooled the assets and deployed them — institutional lending, market making, and proprietary trading — to generate the returns it then paid out. The Howey analysis the SEC ran on that structure was textbook. There was an investment of money (or its crypto equivalent) in a common enterprise (the pooled assets and BlockFi's lending book), with a reasonable expectation of profit (the advertised yield) derived from the efforts of others (BlockFi's deployment decisions). The SEC's order concluded that the BIAs were investment contracts and therefore securities, and that BlockFi had offered and sold them without registration since March 2019.

The Commission did not stop at Howey. In the same order, it ran the Reves four-factor analysis on the same product and reached the same conclusion — the BIAs were also notes that failed every prong of the family-resemblance test, for substantially the reasons Prosper had failed them in 2008. The parallel-track analysis matters because it forecloses the argument that crypto sits outside the Reves framework. It does not. The substance — a yield-bearing instrument marketed to retail and backed by the issuer's deployment efforts — fits both families at once.

The third leg of the BlockFi order is the one fintech counsel often forget to plan around. Because BlockFi held more than 40 percent of its non-cash assets in investment securities (the loans and tokens in its lending book), it also met the statutory definition of an "investment company" under Section 3(a)(1)(C) of the Investment Company Act of 1940 — and was operating without registering as one. That is a separate, parallel violation with its own remedial regime. A platform that solves its 1933 Act problem by registering the offering can still find itself on the wrong side of the 1940 Act if the underlying portfolio mix triggers the threshold.

The settlement split $50 million to the SEC and $50 million across 32 state regulators, mirroring the Prosper-NASAA structure on a much larger scale. And the playbook ran again almost immediately. In January 2023, the SEC charged Genesis and Gemini in connection with the Gemini Earn program — a retail crypto-yield product structurally identical to the BIA — under the same Howey theory. Genesis ultimately settled with the Commission for a $21 million penalty in March 2024, on top of its bankruptcy proceedings. The framework had not changed. Only the defendants had.

The compliance menu: Reg A+ Tier 2, Reg D 506(c), Reg CF

The framework had not changed. The registration paths into it have not changed much either. A P2P platform that has decided — or been told by the SEC — that it is offering securities has three realistic exemptions to choose from under the Securities Act: Regulation A Tier 2, Rule 506(c) of Regulation D, and Regulation Crowdfunding. Each one constrains what the platform can sell, to whom, in what amounts, and with what ongoing reporting burden. Counsel's job is to pick the path before the product architecture locks, because retrofitting a marketplace to fit a different exemption is almost always more expensive than building it correctly the first time.

Reg A+ Tier 2: the marketplace-lender path

Tier 2 of Regulation A permits an issuer to raise up to $75 million in any rolling twelve-month period through a qualified offering circular on Form 1-A, with two years of audited financial statements and continuing reporting on Forms 1-K (annual), 1-SA (semiannual), and 1-U (current). The offering is open to retail; there is no accredited-investor gate. For a platform that does not want to take Prosper and Lending Club's full S-1 path but still needs to reach retail lenders, this is the modern available exemption. The empirical profile bears that out: SEC Division of Economic and Risk Analysis data on exempt offerings shows that the financial sector accounts for roughly 64 percent of Tier 2 proceeds, and the typical Tier 2 raise lands near $12.5 million — meaningful capital, but with the audit and reporting burden of a quasi-public company.

Reg D 506(c): general solicitation, accredited only

Rule 506(c) removes the historical ban on general solicitation in private placements, which means a platform can market the offering publicly. The trade-off is that every purchaser must be an accredited investor and the issuer must take "reasonable steps" to verify that status — income or net-worth documentation, third-party letters, or one of the safe harbors in the rule. There is no offering cap. Verification has historically been the friction point, but in March 2025 the SEC staff issued a no-action letter confirming that high minimum investment amounts — at least $200,000 from a natural person or $1 million from an entity, paired with written purchaser representations and a no-financing covenant — can themselves constitute reasonable verification. That guidance materially lowers the operational cost of running a 506(c) offering, but it also tells you who the path is for: institutional and high-net-worth lenders, not retail.

Reg CF: small platforms only

Regulation Crowdfunding caps the offering at $5 million in any twelve-month period, requires the offering to be conducted through a registered intermediary (a funding portal or broker-dealer), and imposes tiered financial-statement disclosures plus a Form C filing and ongoing annual reports, per the SEC's issuer guidance. In practice the path is much smaller than the cap suggests. The same DERA market-statistics report puts the average Reg CF raise at roughly $346,000, with the median issuer holding about $80,000 in assets. Reg CF is a viable path for an early-stage micro-platform piloting a single lending product; it is not a path for a platform that intends to operate at marketplace scale.

Picking the path

The selection is mechanical once the lender-investor profile is honest. Retail investors and a real capital plan point to Reg A+ Tier 2 and the audit infrastructure that comes with it (or, for issuers willing to absorb full reporting-issuer status, an S-1 like Prosper and Lending Club). Accredited-only with a tolerance for high investment minimums points to 506(c). A pilot with friends-and-family economics points to Reg CF. What does not work is choosing the exemption after the marketing site is live and the customer acquisition funnel is built, because each of these paths constrains the architecture of the product itself — who can buy, in what increments, with what disclosure delivered when. Pick the path first.

Where modern platforms land — and where they fail

Picking the path first is what separates the platforms that survive a regulatory cycle from the platforms that get named in the next enforcement order. The clearest illustration is still LendingClub. In October 2008 — the same week the SEC was finalizing its cease-and-desist against Prosper — LendingClub came out of its own quiet period by registering its Member Payment Dependent Notes on a Form S-1 for up to $600 million, and renewed the shelf in 2012 for $1 billion. Full reporting-issuer status, audited financials, prospectus delivery on every note sold. That is the marketplace-lending compliance template, and it is the reason LendingClub was still operating while a generation of unregistered yield platforms was being unwound in bankruptcy court.

The platforms that did not pick the path first ended up litigating Howey on someone else's timetable. In SEC v. Coinbase, Judge Failla denied Coinbase's motion to dismiss on March 27, 2024 and held that the agency had adequately pled that Coinbase's pooled staking program met every prong of Howey — investment of assets, common enterprise, expectation of profit, derived from Coinbase's validation and slashing-management efforts. Staking-as-a-service, in other words, is not categorically different from BlockFi's interest accounts. The packaging changed; the doctrine did not.

What changed in 2025 was discretion, not doctrine. Under Chairman Atkins, SEC crypto enforcement fell roughly 60 percent year over year, and the Commission voluntarily dismissed its pending actions against Coinbase, Binance, Robinhood, and Ondo. Project Crypto, announced in late 2025, articulated narrow exemptive relief for certain protocol staking and liquid-staking activities — but it did not create a safe harbor for DeFi pooled lending or for P2P platforms generally, and the staff was clear on that point. Howey itself remains untouched. Commissioner Peirce, quoted in Skadden's August 2025 client alert, put it plainly in July 2025: "tokenized securities are still securities."

The operational read for fintech counsel is uncomfortable but straightforward. An Atkins-era SEC may not bring the case against an unregistered P2P platform launching today. A successor SEC, three or five years from now, can — and the statutes of limitation are long enough to reach back. Build to the doctrine, not to the current enforcement appetite.

Practical framework for fintech counsel and founders

Building to the doctrine looks the same whether the platform is a consumer marketplace lender, a crypto-yield product, or a DeFi front end. The sequence below is the one that keeps a P2P platform out of the next BlockFi-style order. Run it before the first marketing email goes out, not after.

1. Map the product to the lane — or both lanes. If a lender holds a payment-dependent note issued by the platform, Reves governs and the presumption is that the note is a security. If the platform pools capital, manages deployment, or puts its own efforts between the lender and the return, Howey governs. Many platforms sit in both lanes at once; that is the rule, not the exception.
2. Run the relevant test factor-by-factor, in writing, time-stamped, and signed by counsel. For Reves, walk all four factors: motivations, plan of distribution, reasonable expectations, and risk-reducing factor. For Howey, walk all four prongs: investment of money, common enterprise, expectation of profit, efforts of others. The memorandum is the document an SEC subpoena will ask for, and its absence is itself evidence of scienter.
3. Pick the registration path before the product architecture locks. Reg A+ Tier 2, Rule 506(c), Reg CF, or full S-1 registration each constrain who can buy, in what increments, with what disclosures delivered when. Retrofitting a marketplace to a different exemption after the customer-acquisition funnel is built is more expensive than building to the path from day one.
4. If the platform involves pooled risk or platform-managed deployment, default to Howey plus a 1940 Act analysis. The Coinbase staking ruling treated pooled deployment as satisfying every Howey prong, and BlockFi's separate Investment Company Act violation is the reminder that registering the offering does not resolve the portfolio-composition problem. Run the 40 percent test on the lending book before registration, not after the first examination letter.
5. When in doubt, run both tests and assume the SEC will lead with whichever is stronger. The Commission ran Reves and Howey in parallel against BlockFi's interest accounts and reached the same conclusion on both. A platform that has cleared only one analysis has cleared half the exposure.

If the analysis above surfaces a question you cannot answer cleanly in writing, that is the signal to get a second set of eyes on the structure before launch rather than after. Book a 30-minute consult.