A Practical Guide to Geofencing

Introduction

At Variant, we work with founders in the earliest days of building and bringing their products to market. Recently, we’ve gotten many questions from founders about when and how to use geofencing as part of their regulatory compliance strategy. Inspired by conversations with founders in our portfolio and the broader space, we decided to share our views on geofencing in the hopes of helping founders make better decisions when they launch new products.

Geofencing works by taking a company outside the territorial scope of U.S. law, thereby eliminating the need to satisfy the regulatory compliance obligations that would otherwise apply to products and services offered within U.S. borders. Geofencing is also an unavoidable fact of life for many crypto companies, which have no choice but to geofence jurisdictions like North Korea and Iran in order to comply with U.S. sanctions laws.

Yet, within crypto, geofencing is often poorly understood and improperly implemented. Some companies that should be geofencing the United States aren’t doing so well enough for the strategy to be effective, and some aren’t geofencing at all. Meanwhile, other companies that don’t need to geofence the United States are doing so anyway, suffering the unnecessary cost of passing up the U.S. market. The crypto industry can do better.

In this guide, we seek to arm crypto companies and their counsel with the information and analysis they need to determine when and how to establish a U.S. geofence for products and services regulated under federal law. Although this area of law is uncertain and still evolving, our review of the case law reveals three key factors that courts often consider when deciding if a given product or service falls within U.S. jurisdiction.

This guide includes three sections. First, we define geofencing and explain its role in a crypto company’s overall regulatory compliance strategy. Second, we explore the territorial scope of the federal securities laws covering offers and sales of digital assets as well as other relevant U.S. regulatory frameworks. Third, we outline best practices for crypto companies to consider in establishing an effective U.S. geofence.

What Is Geofencing and Why Do It?

Geofencing refers to the practice of preventing users in a certain jurisdiction from accessing an online product — that is, creating a virtual “fence” around a “geography” that prohibits people outside the fence from becoming customers or users. In crypto, geofencing comes in many forms, such as blocking access to a front-end interface or excluding wallet addresses from an airdrop or other token distribution.

Geofencing is common in crypto, but why?

In short, geofencing is a “when all else fails” regulatory compliance strategy for products that can neither (1) affirmatively satisfy the compliance obligations imposed by a particular jurisdiction’s laws, nor (2) change the product so that those obligations won’t apply at all. In nearly all cases, both of those options are preferable to geofencing, so let’s break them down.

Before launching any new product, a company should undertake a regulatory risk assessment to determine what compliance obligations apply in the jurisdictions where the product will be offered. Some regulations require companies to get approval from a government agency before launching a product. Others require giving notice and disclosures to the government, the public, or both. Many regulations impose rules and restrictions on how the product works, who can access it, and what the company must do to keep in compliance.

Determining what compliance obligations apply to a product requires engaging counsel to analyze the details and mechanics of the product and compare them to the multitude of regulatory frameworks that might apply. For example, U.S. lawyers might check to see if the product triggers anti-money laundering obligations under the Bank Secrecy Act (“BSA”), derivatives obligations under the Commodity Exchange Act (“CEA”), or securities obligations under the panoply of statutes that make up the federal securities laws.

The first option — affirmatively satisfying compliance obligations — makes sense when the product is covered by one of those regulatory frameworks and the company has both the capability and resources to achieve what the law requires. Often, crypto companies lack one or the other. For many products, a company literally can’t comply because the technical nature of the product is incompatible with the compliance obligations imposed by law. And even when a company technically can comply, the cost in time and money is frequently so high that it’s no longer worth offering the product at all.

The second option — changing the product so that regulations don’t apply — is useful when the original design makes it too difficult or too expensive to affirmatively satisfy regulatory requirements. With the help of good lawyers, products can often be redesigned or restructured so that they don’t trigger certain compliance obligations. For example, a company that plans to take custody of U.S. users’ funds would likely be subject to the anti-money laundering compliance obligations of the BSA, which requires (among many other things) collecting personal information from every user. Since that’s often impossible in crypto, the company could restructure its product to be non-custodial, which could mean the BSA no longer applies.

In crypto, the second option is often best because regulations are generally not tailored to accommodate the unique way that crypto products function. As with the BSA, most regulations were designed for a centralized world of web2 companies offering proprietary products, not a decentralized world of web3 software developers launching permissionless protocols. As a result, satisfying regulatory requirements is often technically impossible, or imposes extremely high compliance costs that work for large incumbent institutions like banks but not lean crypto startups.

Yet, the second option doesn’t always work either. Sometimes, taking a crypto product outside the scope of a particular regulation requires changing it so much that it’s no longer interesting to put into the market. Other times, there’s simply no way to change the product enough so that the law won’t apply. For example, the CEA gives the Commodity Futures Trading Commission (“CFTC”) jurisdiction over all derivatives trades in the United States and, with a few exceptions, requires all of those trades to take place on licensed venues. Given the broad sweep of the CEA, it’s difficult to imagine how a company seeking to offer access to DeFi derivatives could change its product enough so that the CEA wouldn’t apply.

This brings us back to geofencing — essentially a third option for companies that can’t affirmatively satisfy regulatory compliance obligations and also can’t change their product so that compliance isn’t necessary. In that case, the most viable way to avoid violating the laws of a given jurisdiction is simply to avoid that jurisdiction entirely.

Unfortunately, avoiding a jurisdiction entirely is more complicated than it sounds. Many U.S. regulatory frameworks may technically apply if a company has a single customer or user based in the country. Some may apply if the company itself is based in the United States, even if none of its customers or users are. Some regulatory frameworks give “extraterritorial” jurisdiction to federal agencies, allowing them to enforce U.S. law even if the company and all of its customers and users are abroad.

Adding to that complexity is a high degree of uncertainty under the law. Reasonable minds can differ about how far a given regulatory framework extends beyond U.S. borders, and the courts have yet to establish clear rules on the issue. It won’t surprise anyone who follows U.S. crypto policy that the Securities and Exchange Commission (“SEC”), CFTC, and other agencies have not provided clear guidance on the geographic limits of their authority.1

Now that we’ve covered the basics on geofencing, let’s unpack the geographic boundaries of U.S. jurisdiction with a focus on the federal securities laws, since that regulatory framework is top of mind for many crypto companies. The next section dives deep into the case law on this issue, so non-lawyers should feel free to skip ahead to the final section of this guide, which provides best practices in establishing a U.S. geofence.

The Territorial Scope of the U.S. Securities Laws

Every U.S. regulatory framework starts with a federal statute enacted by Congress that sets out its fundamentals and selects an agency to implement and enforce it. The territorial scope of the framework — that is, the extent to which the framework covers activities conducted partially or wholly outside the United States — depends on what Congress put into the statute.

The Supreme Court’s Holding in Morrison

In 2010, the U.S. Supreme Court addressed when U.S. federal statutes apply extraterritorially in a landmark case called Morrison v. National Australia Bank.2 In that case, foreign investors brought a fraud claim under Section 10(b) of the Securities Exchange Act of 1934 (“Exchange Act”) against a foreign bank that issued shares trading on a foreign exchange. The investors argued that the Exchange Act covered the bank’s alleged fraud because one of the bank’s subsidiaries had supposedly participated in the fraud from its headquarters in Florida. The foreign bank argued that the claim lacked a sufficient nexus to the United States to fall under the scope of the Exchange Act.

The Supreme Court rejected the investors’ argument. The Court held that federal statutes do not apply extraterritorially unless Congress clearly expressed that that statute should have extraterritorial effect. In the Court’s words, “[w]hen a statute gives no clear indication of an extraterritorial application, it has none.” The Court described this “presumption against extraterritoriality” as a “principle of interpretation, long and often recited in our opinions[.]”3

The Court then established a two-step framework for analyzing the extraterritorial reach of any provision in a federal statute.

First, the Court said to look at the statutory provision at issue to see if it includes an explicit reference to extraterritoriality. If so, the provision has the extraterritorial effect set forth by Congress’s clear expression — but no further. As the Court explained, these provisions shouldn’t be interpreted broadly, because the presumption against extraterritoriality still applies and operates to limit the statute’s territorial scope to its explicit terms.4

Second, if the statutory provision doesn’t explicitly address extraterritoriality, the Court said that it only applies in cases involving “domestic activity.” The Court explained that determining if a case involves domestic activity requires defining the type of activity that the statute seeks to regulate, and then evaluating the geographic location where that activity allegedly occurred to determine if it was domestic or foreign.5 This analysis is commonly known as Morrison’s “transactional test.”

Offers and Sales of Digital Assets Under Morrison

Crypto companies often consider geofencing in the context of offers and sales of digital assets, which the SEC claims are regulated by the Securities Act of 1933 (the “Securities Act”) and the Exchange Act. Companies may seek to create or distribute a new token, such as through an airdrop or public sale. Companies also may seek to provide a platform where users can trade existing tokens, such as by offering a wallet or other front-end interface that enables access to an underlying DeFi protocol.

Since the securities laws generally don’t allow companies to affirmatively comply by registering a digital asset and treating it like a security, or by registering a wallet and treating it like a broker, many companies seek to comply by choosing the second option described above — designing the product so that it doesn’t trigger the securities laws at all. But given the SEC’s hostility toward crypto and ongoing uncertainty about whether and how the securities laws apply to digital assets, some companies choose the third option — geofencing the United States.

In this guide, we analyze only the provisions of the Securities Act and Exchange Act that deal with offers and sales of digital assets, whether through a primary distribution by the creator of the asset or through secondary market trading facilitated by third parties such as brokers, exchanges, and clearing agencies. For the purpose of our analysis, we make two assumptions worth flagging at the outset: first, that the relevant provisions do not contain an explicit reference to extraterritoriality, and second, that the relevant “activity” to assess is the offer or sale itself.6

Given we are focusing on provisions of the federal securities laws that do not have an explicit reference to extraterritorial effect, under step two of the Morrison test, the crux of the analysis for a company looking to geofence the United States is whether the sales and offers occur domestically. If the sales and offers do not occur domestically, they will not be governed by the federal securities laws.

Building on Morrison’s transactional test, the lower courts have generally coalesced around a separate two-step process for determining whether offers and sales are domestic: first, courts ask when the offer or sale occurred, and second, courts ask where the offer or sale occurred.7

As to when, courts have found that a sale occurs at the time when “irrevocable liability” attaches, which is when the parties become “bound to effectuate the transaction” such as by entering into a binding contract to purchase or sell.8 Some courts also consider the time when title to a security passes from the seller to the purchaser.9

Unlike sales, offers don’t necessarily result in a transaction, so there may be no time when irrevocable liability attaches or title transfers from the offeror to the offeree. Instead, courts generally analyze when offers occur by looking at the time when the offer was made. The concept of an “offer” under the securities laws is quite broad, including not only statements “couched in the terms of an express offer” but also those that “condition the public mind or arouse public interest” in buying a particular security.10

As to where, courts analyzing sales have considered factors such as the location of the seller, the location of the purchaser, the location where the purchase and sale was matched, the location where money was exchanged, and the location where title passed.11 Courts analyzing offers typically focus on the location of the offeror12 or, alternatively, the location of the offeree.13

Yet our review of the case law specific to crypto demonstrates that courts analyzing the location of an offer or sale have failed to reach a consensus on how to apply Morrison in the context of digital assets. To help shed light on the location of an offer or sale of digital assets under the relevant statutory provisions in the federal securities laws, we explore the case law and highlight three key factors that courts routinely address below.

Key Factors in Analyzing the Location of an Offer or Sale of Digital Assets

Our review of crypto-related cases in which courts analyze the territorial scope of the federal securities laws revealed three key factors that courts consider: (1) the location of the parties to the offer or sale; (2) the location of onchain infrastructure such as nodes; and (3) the location of offchain infrastructure such as servers.

1. The location of parties involved in the offer or sale

Every sale of a security involves a seller and a purchaser, and every offer of a security involves an offeror and an offeree. The locations of each individual or legal entity on both sides of an offer or sale, as well as other relevant intermediaries, is crucial to the analysis of when and where it took place and, thus, whether there was sufficient “domestic activity” to satisfy Morrison.

Courts often find jurisdiction when a purchaser or offeree is located in the United States at the time of an offer or sale. For example, in In re Tezos Securities Litigation, the court noted that the purchaser “participated in the transaction from [the United States.]”14 In SEC v. Balina, the court noted that “even if Balina and the relevant companies are technically located outside the United States, many of the ‘buyers’ in Balina’s pool were in the United States when they opted-in to the [offering].”15 In Williams v. Binance — a rare and significant opinion on a crypto-related issue from a federal appeals court — the Second Circuit noted that “irrevocable liability was incurred when Plaintiffs entered into the Terms of Use with Binance, placed their trade orders, and sent payments, all of which they claim occurred from their home states within the United States.”16 

Courts also often find jurisdiction when sellers or offerors are located in the United States at the time of an offer or sale. For example, in SEC v. Ripple Labs, the court noted that defendants “resided in California during the time period in question . . . and ‘directed [their] offers and sales of XRP from within the United States[.]’”17 In In re Tezos Securities Litigation, the court noted that the website used to purchase tokens was “run primarily” by a defendant in California.18 In Barron v. Helbiz, the court noted that “the virtual addresses that automatically created a HelbizCoin whenever a purchaser executed the smart contract, was . . . operated out of New York” and “many defendants . . . were ‘physically situated in the United States when they incurred irrevocable liability’ by selling their own HelbizCoin to the general public.”19

Courts also sometimes use the residency of parties to infer their location at the time of an offer or sale. For example, in Combs v. SafeMoon LLC, the court stated that “each of the named plaintiffs resides in the United States” and that an alleged seller defendant “resides in the United States and directed the sale of SafeMoon tokens[.]”20 In SEC v. MCC International, the court noted that “more than 900 MCC investors had United States addresses.”21 In Barron v. Helbiz, the court noted that the defendant was a “New York resident” when determining he was in New York at the time of the transaction.22 That said, the court also rejected the idea that residency or citizenship alone could satisfy Morrison’s domestic activity requirement.23

Further, courts sometimes look at marketing and other public communications to infer the location of a purchaser or offeree. For example, in In re Tezos Securities Litigation, the court noted that the plaintiff “presumably learned about the ICO and participated in response to marketing that almost exclusively targeted United States residents.”24 In SEC v. Balina, the court found that the SEC had jurisdiction in part based on the defendant’s “use of United States social media platforms[.]”25 On the other hand, in Barron v. Helbiz, the court found that “allegations that HelbizCoin was marketed in the United States do not satisfy Morrison.”26

Finally, courts sometimes use the place where relevant legal entities are incorporated or headquartered to determine the location of an offer or sale. For example, in SEC v. Ripple Labs, the court noted that “sales occurred on multiple digital asset trading platforms . . . which are incorporated in the United States[.]”27 In Combs v. SafeMoon LLC, the court noted “that many of the SafeMoon entities are headquartered in the United States[.]”28 In SEC v. MCC International, the court noted that “the corporate Defendants were registered as United States companies” and “MCC maintained an office in Port St. Lucie, Florida, and investors visited the office.”29

In all of these cases, the courts found sufficient domestic activity for the federal securities laws to apply under Morrison. The only court we saw reach a different conclusion in the crypto context was the Western District of Texas in Basic v. BProtocol Foundation. There, the plaintiffs asserted securities claims against defendants who had developed and launched a decentralized exchange protocol in which the plaintiffs had provided liquidity and lost money. Although the defendants were based offshore and did not have any direct contact with the United States, the plaintiffs argued that the federal securities laws still applied because “they invested in [the protocol] from the United States” and therefore “the transactions at issue were executed in the United States.” The court disagreed with the plaintiffs, explaining that “this rationale would turn any online transaction into a domestic transaction” and refusing to “extend American law to cover foreign defendants” any time “American investors . . . lose money[.]”30

2.The location of onchain infrastructure

Courts have taken a remarkably inconsistent approach to onchain infrastructure as part of a Morrison analysis. In 2018, the court in In re Tezos Securities Litigation first devised the “node theory” of U.S. jurisdiction. In that case, the plaintiffs alleged that the defendants violated the securities laws by unlawfully selling a digital asset to the public. The court found that the alleged transaction was covered by the securities laws in part because it “became irrevocable only after it was validated by a network of global ‘nodes’ clustered more densely in the United States than in any other country.”31 The court admitted that this fact alone was not dispositive of the Morrison analysis, but held that it supported an inference that the alleged sale occurred inside the United States.32

Yet roughly three years later, the court in Barron v. Helbiz rejected the node theory. In that case, the plaintiff alleged that “all transactions in HelbizCoin during the ICO and on the secondary market could only be completed via Ethereum” and thus “the sale of that virtual currency was executed on a network of digital nodes that have more nexus to the U.S. than to any other country.”33 But the court held that the “machinery for generating, administering, and delivering the bitcoin” didn’t “affect[] the location of the offer and acceptance of the purchase” because “Morrison dealt with the location of the change in the legal relationship between persons, not the electronic operations of creation, transport and delivery of the product.”34

About one year after that, the court in Williams v. Block one rejected the Tezos court’s node theory for a different reason. The court agreed with Barron v. Helbiz that the location of the majority of nodes on the network wasn’t relevant to the Morrison analysis, stating that “the locations of the other nodes on the blockchain that later may accept or reject the transaction does not properly bear on when and where ‘irrevocable liability’ as between the purchaser and the seller is incurred.”35 But the court didn’t agree that nodes were irrelevant entirely — instead, the court stated that “[i]n general, ‘irrevocable liability’ is incurred when the transaction has been verified by at least one individual node of the blockchain. Accordingly, the location of the node that verified the specific transaction at issue should control.”36

Most recently, the court in Basic v. BProtocol Foundation found a lack of sufficient domestic activity to satisfy Morrison. In that case, the plaintiffs invoked node theory as described by the court in In re Tezos, alleging that “the transactions relevant to this suit are recorded on the Ethereum blockchain, and the nodes that validate transactions are clustered more densely in the United States than any other country.” The court rejected the plaintiffs’ argument and refused to validate node theory in its entirety, holding that the density of nodes in the United States is alone inadequate to justify applying the securities laws. Nonetheless, the court implied that nodes are relevant to the analysis, and could satisfy Morrison under other circumstances.37

These four cases represent four different conclusions on node theory. In re Tezos originated the concept that nodes densely clustered in the United States support an inference of domestic activity under Morrison. Barron v. Helbiz found the opposite, that the location of nodes is irrelevant to the analysis. Williams v. Block one found that the location of the first node to validate a transaction is relevant, but that the density of clustered nodes is not. Basic v. BProtocol Foundation found that node density could be relevant, but unlike In re Tezos, refused to infer domestic activity despite the totality of the circumstances. Considering the wide range of perspectives that these four cases represent — and seeming confusion about the technology in more than one of them38 — it’s difficult to draw any meaningful insight regarding the importance of onchain infrastructure to Morrison’s transactional test.

3. The location of offchain infrastructure

Similar to node theory, courts have reached inconsistent conclusions about the importance of offchain infrastructure to the location of an offer or sale under Morrison.

The leading case on this issue is Williams v. Binance, in which the Second Circuit held that Binance was subject to the securities laws in part because of its use of offchain infrastructure based in the United States. In particular, the court noted that: “matching occurred on ‘the infrastructure Binance relies on to operate its exchange’” and “[a]ccording to Plaintiffs’ allegations, much of that infrastructure ‘is located in the United States’”; the infrastructure Binance used was provided by Amazon Web Services (“AWS”), “a cloud computing company that is located in the United States”; “a significant portion, if not all, of the AWS servers and [associated data centers and support services] that host Binance are located in California”; “most or all of Binance’s digital data is stored on servers located in Santa Clara County, California”; and the fact that plaintiffs submitted orders “from locations in the United States renders it more plausible that the trades at issue were matched over Binance’s servers located in the United States, as opposed to Binance’s servers located elsewhere.”39

The Second Circuit also acknowledged uncertainty as to the relevance of offchain infrastructure. The court explained that its conclusion “might be different were we faced with plaintiffs seeking to apply United States securities laws based on the happenstance that a transaction was initially processed through servers located in the United States” and that “it may not always be appropriate to determine where matching occurred solely based on the location of the servers the exchange runs on[.]” But, the court said that “it is appropriate to do so here given that Binance has not registered in any country, purports to have no physical or official location whatsoever, and the authorities in Malta, where its nominal headquarters are located, disclaim responsibility for regulating Binance.”40

But other courts have rejected the view that offchain infrastructure is relevant under Morrison. In Barron v. Helbiz, the plaintiffs argued that “the HelbizCoin interactive website . . . was housed on a server in Kansas” and “all HelbizCoins were issued from there” and that “the ICO sales took place ‘physically’ on those servers.” The court rejected that argument, however, holding that the plaintiffs “did not purchase . . . bitcoins in Kansas” just because the server was located there.41

Are Lower Courts Faithfully Applying Morrison?

As the above discussion shows, courts applying Morrison to offers and sales of digital assets have been readily inclined to extend the securities laws beyond U.S. borders. Yet, they have taken disparate paths to reach the same result, weighing a variety of different factors and assigning each one different degrees of importance.

That outcome seems to fly in the face of the presumption against extraterritoriality that the Supreme Court affirmed in Morrison. The Morrison court’s holding was motivated by a “disregard of the presumption against extraterritoriality” that had been “repeated over many decades by various courts of appeals” and had “produced a collection of tests for divining what Congress would have wanted” that was “complex in formulation and unpredictable in application.”42 The Morrison court sought to ensure that the lower courts didn’t exercise jurisdiction over every case with even a tenuous connection to the United States — as the court explained, “the presumption against extraterritorial application would be a craven watchdog indeed if it retreated to its kennel whenever some domestic activity is involved in the case.”43

Our review of the case law suggests that the lower courts have missed the message. The driving force behind the presumption against extraterritoriality was to create a single test that was “easy to administer” and would provide “a stable background against which Congress can legislate with predictable effects.” But as before Morrison, the case law shows “a proliferation of vaguely related variations” on the test for extraterritorial jurisdiction that is “unpredictable and inconsistent” and requires parties to “guess anew in each case” what the law may be.44

The Supreme Court may have an opportunity to remind the lower courts of their obligation to more carefully scrutinize claims of extraterritorial jurisdiction in Williams v. Binance. In June 2024, the defendants indicated their intent to seek Supreme Court review of the Second Circuit’s opinion, explaining that the case “presents significant questions regarding the presumption against the extraterritorial application of the federal securities laws” and “involves the Second Circuit’s misapplication of this Court’s decision in [Morrison] and the extension of the domestic securities laws to offshore transactions.”45 In September 2024, the defendants filed a petition for a writ of certiorari, identifying the question presented as whether the Second Circuit’s holding “is consistent with Morrison or is instead an improper revival of the “conduct and effects” test that this Court rejected as inconsistent with the presumption against extraterritoriality.”46

Other U.S. Regulatory Frameworks

The discussion above focuses on the application of Morrison to the federal securities laws where we assume the provisions at issue involving the offer or sale of a security do not explicitly provide for extraterritorial jurisdiction. However, although the dispute in Morrison was specific to Section 10(b) of the Exchange Act, the Supreme Court made clear that its two-step framework is a “principle of interpretation” that applies to any federal statute.47 As a result, the same concepts can likely be generalized to many other provisions within the federal securities laws, as well as other federal regulatory frameworks entirely.

For example, the Second Circuit has held that the CEA “is silent as to extraterritorial reach” and therefore “[g]iven the absence of any ‘affirmative intention’ by Congress to give the CEA extraterritorial effect, we must ‘presume it is primarily concerned with domestic conditions.’”48 Some courts confronted with crypto-related claims under the CEA have accordingly applied Morrison’s transactional test, such as in Messieh v. HDR Glob. Trading Ltd., where the court held that BitMEX was subject to U.S. law despite ineffectual attempts at geofencing.

As in the securities cases discussed above, the court in Messieh considered the location of the parties to the relevant transactions. The court noted that “BitMEX’s workforce was located in the U.S., and it solicited purchases from U.S. customers;” “U.S. customers not only entered into Terms of Use Agreements from within the United States, but also purchased the tokens from the United States;” and “[a]lthough in 2017, BitMEX purported to prevent U.S. customers from accessing its service, BitMex knew that U.S. customers were using anonymous emails and passwords, and VPN networks to circumvent BitMEX’s system that prevented new accounts made using a U.S. IP address.” The court also considered the location of relevant infrastructure, noting that “the Insider Trading Desk, the desk that caused liquidations of Plaintiffs’ holdings, operated from Manhattan” and “although the [complaint] doesn’t specifically mention the location of servers, since BitMEX operates — at least in part — from the U.S. and many employees resided in the U.S., it is possible that the securities were matched on servers in the U.S.”49

Like the SEC, the CFTC has not explained its views on the territorial limit of its jurisdiction in the crypto context, although it has implicitly recognized geofencing as an appropriate strategy to avoid the application of the CEA. In its settlement with decentralized finance developer Opyn, Inc., the CFTC noted that although Opyn “took certain steps to exclude U.S. persons from accessing the Opyn Protocol, such as blocking users with U.S. internet protocol addresses, those steps were not sufficient to actually block U.S. users from accessing the Opyn Protocol.” The CFTC allowed Opyn to continue operating after the settlement due in part to it taking “additional steps to block U.S. users’ access to the Opyn Protocol[,]” but did not clarify what additional steps Opyn took in order to satisfy its expectations for an effective geofence.50

That said, we have not undertaken to analyze all of the many and varied regulatory frameworks that may apply to the crypto industry. Importantly, other statutes may differ significantly from the federal securities laws in key ways, such as the presence of explicit extraterritoriality provisions and the types of “activity” that they cover.51 Crypto companies should conduct their own analysis with the help of counsel to understand the geographic scope of each federal statute that could be relevant to their business.

 

Best Practices for Geofencing

Given the extraordinary complexity of the many U.S. regulatory frameworks that may apply to a given product or service and the differing territorial scope covered by each one, it’s crucial that crypto companies hire their own counsel to conduct a regulatory risk assessment and determine how geofencing might factor into their overall compliance strategy.

Based on our review, we have identified three best practices for establishing an effective U.S. geofence: (1) block all users located in the United States; (2) use infrastructure outside of the United States; and (3) set up offshore entities to offer non-U.S. products. We provide details for companies to consider regarding how to achieve these best practices below.52

Best practices for geofencing

Block All Users Located in the United States

In the cases we reviewed, the factor that courts most often considered in analyzing whether a product or service falls within the territorial scope of U.S. law was the location of the parties involved in transactions related to that product or service. The presence of U.S. users substantially increases the likelihood that a court will find domestic activity sufficient to satisfy Morrison because it tends to show that an offer, sale, or other relevant activity took place within the United States.

Who should be blocked?

An effective geofence requires blocking all persons located in the United States, whether they are individuals or legal entities.

The most conservative approach to geofencing is to create a permissioned system in which a company collects personal identifying information from each user and then grants them access only after confirming that they are not located in the United States. This practice is commonly known as “know-your-customer” (“KYC”) and — along with other measures — gives a company the best chance at ensuring that zero U.S. persons have access to a product or service.

Although KYC and permissioning are required in certain circumstances, such as for financial institutions regulated under the BSA, it does not represent the current industry standard for geofencing purposes. KYC and permissioning may be impossible to achieve in the context of a decentralized public blockchain, may undermine the goals of open access and financial inclusion that animate the technology, and may result in significant overcompliance by excluding many users who are not U.S. persons but nonetheless cannot or will not share sensitive personal information with the company.

Regardless of whether a company engages in KYC, it must use all accessible information regarding their users to exclude those who are located in the United States. For example, companies can use:

  • Physical address. This one is obvious — if the user provides an address located in the United States, they should be flagged as a potential U.S. person.
  • Email address. If the user provides an email address containing a top-level domain indicating U.S. touchpoints, such as email@companywebsite.us, they should be flagged as a potential U.S. person.
  • IP address. If the user has an IP address located in the United States, they should be flagged as a potential U.S. person.
  • GPS location. This is particularly relevant in the context of mobile applications — if the user’s GPS location is in the United States, they should be flagged as a potential U.S. person.

To be clear, the current industry standard is not necessarily to collect and retain all of this information solely for geofencing purposes, which would be akin to KYC. Rather, the focus is to use all accessible information to make decisions about whom to block — if a company already has access to this information as part of its business, then the company will likely be held responsible for using that information to establish an effective geofence.

What should they be blocked from?

An effective geofence requires blocking U.S. persons from any regulated activity for which a company can block users.

Identifying regulated activity requires hiring counsel to conduct a regulatory risk assessment and determine what aspects of a product or service, if any, trigger compliance obligations under U.S. law. For example, if a company offers a product that enables both spot and derivatives trading, counsel may identify derivatives trading as regulated activity under the CEA. Counsel may then advise the company to establish a geofence blocking U.S. users from derivatives trading, even while still allowing U.S. users to access spot trading.

Identifying activities for which a company can block users requires analyzing a product or service for control points where the company has the technical ability to allow or deny access to users, such as a proprietary front-end interface. The company should block U.S. users consistently across all aspects of the technology stack that it controls. For example, if a company chooses to block U.S. users on a front-end interface based on their IP address, the company should also enforce the block through API access.53

Ideally, crypto companies will not have control points on a public blockchain itself, such as in smart contract protocols deployed on a blockchain, since these should be decentralized and immutable. If a company does have control over permissioning at that layer of the technology stack, it arguably must use that control to block U.S. users as well.

Some counsel may advise that a conservative approach to geofencing requires companies to build control points into a product or service before launching it, so that they have the technical ability to block U.S. users in the future. Some government agencies have suggested that U.S. law applies even where a company lacks control over software.54 Although this is an open question of law,55 the current industry standard is to build decentralized and immutable protocols where possible.

How should they be blocked?

The goal of an effective geofence should be to reduce the number of users located in the United States to zero. Without KYC/permissioning, companies must use a variety of methods to exclude U.S. users based on information suggesting that they are located in the United States. The measures that make sense for a particular product or service may vary, but at minimum, companies should consider the following issues:

  • IP addresses. It is particularly important to block U.S. IP addresses — this is one of the factors that regulators cite most often in enforcement actions related to geofencing.
  • Attestations. It is useful to require all users to attest that they are not located in the United States before allowing them to access a geofenced product or service. The best attestations require users to affirmatively review and click to accept a certification that they are not located in the United States. Less helpful attestations may be included in a product’s Terms of Service. For more guidance on attestations, see this post discussing the enforceability of Terms of Service related to front-end interfaces. That said, solely relying on attestations in any form will likely not be sufficient to establish an effective geofence, since regulators have repeatedly cited these measures as ineffectual.56
  • Blocking VPNs. It is an open question whether companies need to block all VPN use, although regulators have cited screening IP addresses against known VPNs as a positive factor for effective geofencing.57 Some companies block VPNs outright and others do not, citing privacy concerns. Regardless of the approach to VPN blocking, all companies should monitor for users who change their IP address in a way that suggests the use of a VPN to circumvent a geofence. For example, if a company observes a user attempting to access a geofenced product using a U.S. IP address and then immediately reconnect the same wallet address or account using a non-U.S. IP address, it may be appropriate for the company to conclude that the user is located in the United States. The company may then decide to permanently deny access to that wallet address or account regardless of the IP address associated with future attempts.
  • B2B considerations. If a company sells a product or service to another company that services end-users, the company should geofence not only their direct customers but also end-users who the company identifies as being located in the United States.58 The company should make clear in its contracts with direct customers that geofencing by the direct customer will be required by including terms to that effect and consider including an indemnification provision triggered by any breach of those provisions.
  • Monitoring. Since even one U.S. user could defeat a geofence for regulatory purposes, it is crucial that companies monitor for any signs that U.S. persons are gaining access to a geofenced product or service. For example, if a company observes activity on social media suggesting that U.S. persons have found a way to evade the company’s geofencing measures, the company should take immediate action to remediate the issue. Feigning ignorance is not an acceptable strategy and could lead to even worse penalties if regulators believe that the company didn’t take geofencing seriously.59

Use Infrastructure Outside the United States

Companies that provide or use infrastructure should minimize the amount of U.S.-based hardware and personnel necessary to run that infrastructure. This includes using servers or instances based outside of the United States (such as non-U.S. AWS instances), locating key persons who support the infrastructure outside of the United States, and using non-U.S. legal entities to engage with non-U.S. infrastructure whenever possible. While the same principles apply to both onchain and offchain infrastructure, our review of the case law suggests that companies should focus primarily on offchain infrastructure for geofencing purposes.

Set Up Offshore Entities to Offer Non-U.S. Products

Companies that wish to demonstrate a clear boundary between products available to U.S. users and geofenced products only available to non-U.S. users should consider segregating those products — and all of the personnel, infrastructure, and marketing related to those products — between separate legal entities. In this model, companies can use a U.S.-based entity to offer products and services solely to the U.S. market, and a non-U.S. entity to offer products and services to the rest of the world. This model is common among centralized exchanges, who often establish a different company in each jurisdiction where they service customers. Although complex legal structuring likely isn’t necessary for an effective geofence, using separate legal entities can help a company demonstrate a strong commitment to compliance.

Conclusion

Geofencing — that is, abandoning the U.S. market entirely — is an extreme and costly measure to ensure compliance with U.S. law. We decided to write this guide after observing confusion in the space over what effective geofencing means and how it fits into a crypto company’s regulatory strategy.

Some companies seem to under-comply by failing to geofence effectively, or not trying at all, despite the need to exclude a given crypto product or service from the territorial scope of U.S. law. Other companies seem to over-comply by geofencing products and services that they could have offered in the United States if they had used a different compliance strategy instead.

We hope this guide helps crypto companies and their counsel determine when and how to establish a U.S. geofence for regulated products and services.

 

Footnotes

1. The SEC did adopt Regulation S in 1990, which provides an exclusion under the securities laws for certain offerings made outside the United States. See 17 C.F.R. § 230.901, et seq. While this safe harbor may be applicable to transactions in digital assets, this guide focuses on the territorial limits of U.S. law under federal statute and does not address whether and how a company might invoke Regulation S.

2. 561 U.S. 247 (2010).

3. Id. at 255.

4. Id. at 265 (citing Microsoft Corp. v. AT&T Corp., 550 U.S. 437, 455-56 (2007)).

5. Id. at 266–67.

6. While generally true, we recognize that our assumptions oversimplify the securities laws. For example, only one month after the Morrison decision, Congress amended the Exchange Act to include an explicit extraterritoriality provision related to fraud suits brought by the SEC. See 15 U.S.C. § 78aa(b). As another example, Section 30(a) of the Exchange Act “explicitly permits extraterritorial application against brokers or dealers for transactions on foreign exchanges when the issuer is a U.S. company.” Nathan Lee, The Extraterritorial Reach of United States Securities Actions After Morrison v. National Australian Bank, 13 Rich. J. Global L. & Bus. 623, 626 (2015). Since we expect that these statutes are less likely relevant to crypto companies, we do not analyze them in this guide — but they serve as a helpful illustration of why it’s so important for companies to engage their own counsel.

7. Williams v. Binance, 96 F.4th 129, 136 (2d Cir. 2024).

8. Absolute Activist Value Master Fund Ltd. v. Ficeto, 677 F.3d 60, 67 (2d Cir. 2012).

9. See William S. Dodge, Extraterritorial Application of Federal Securities Law: What Hath Morrison Wrought?, 56 N.Y.U. J. Int’l L. & Pol. 199, 205–06 (2023).

10. See Richard Grossmann, The Trouble with Dicta: Morrison v. National Australian Bank and the Securities Act, 41 Sec. Reg. L.J. 1, 7 (2013).

11. See, e.g., Absolute Activist, 677 F.3d at 70.

12. See SEC v. Ripple Labs, Inc., 2022 WL 762966, at *13 (S.D.N.Y. Mar. 11, 2022).

13. See SEC v. Balina, 2024 WL 2332965, at *6 (W.D. Tex. May 22, 2024).

14. In re Tezos Sec. Litig., 2018 WL 4293341, at *8 (N.D. Cal. Aug. 7, 2018).

15. Balina, 2024 WL 2332965 at *7.

16. Williams, 96 F.4th at 140.

17. Ripple Labs, Inc., 2022 WL 762966 at *13.

18. In re Tezos Sec. Litig., 2018 WL 4293341 at *8.

19. Barron v. Helbiz Inc., 2023 WL 5672640, at *6 (S.D.N.Y. Sept. 1, 2023).

20. Combs v. SafeMoon LLC, 2024 WL 1347409, at *7 (D. Utah Mar. 29, 2024).

21. SEC v. MCC Int’l Corp., 2023 WL 2891235, at *5 (S.D. Fla. Mar. 8, 2023).

22. Barron, 2023 WL 5672640 at *6.

23. Id. at *7; see also Absolute Activist Value, 677 F.3d at 70 (“a party’s residency or citizenship is irrelevant to the location of a given transaction.”).

24. In re Tezos Sec. Litig., 2018 WL 4293341 at *8.

25. Balina, 2024 WL 2332965 at *7.

26. Barron, 2023 WL 5672640 at *7.

27. Ripple Labs, Inc., 2022 WL 762966 at *13.

28. Combs, 2024 WL 1347409 at *7.

29. MCC Int’l Corp., 2023 WL 2891235 at *5.

30. Basic v. BProtocol Foundation, 2024 WL 4113751, at *4, 8–9 (W.D. Tex. July 31, 2024), report and recommendation adopted, 2024 WL 4113024 (Sept. 6, 2024); see also Holsworth v. BProtocol Foundation, 2021 WL 706549, at *3 (S.D.N.Y. Feb. 22, 2021) (dismissing putative class action for lack of personal jurisdiction and noting in dicta that “[t]he federal securities laws do not reach a purchase and sale outside the United States.”).

31. In re Tezos Sec. Litig., 2018 WL 4293341 at *8.

32. See id.

33. Barron v. Helbiz Inc., 2021 WL 229609, at *5–6 (S.D.N.Y. Jan. 22, 2021), vacated on other grounds, 2021 WL 4519887 (2d Cir. Oct. 4, 2021).

34. Id. at *6.

35. Williams v. Block one, 2022 WL 5294189, at *7 (S.D.N.Y. Aug. 15, 2022).

36. Id.

37. Basic, 2024 WL 4113751 at *9.

38. The Williams v. Block one court appears to misunderstand how transactions are validated on public blockchains, focusing on “the first node to identify the cryptographic hash corresponding with a proposed transaction” as the location where the transaction occurs, even if that node’s function is merely to gossip the transaction throughout the network. 2022 WL 5294189, at *1. The Basic v. BProtocol Foundation court appears to address onchain and offchain infrastructure as a single issue, citing the discussion in Williams v. Binance regarding offchain infrastructure to support its holding that the location of Ethereum nodes was not dispositive of Morrison’s transactional test. 2024 WL 4113751, at *9.

39. Williams, 96 F.4th at 136–41; see also In re Tezos Sec. Litig., 2018 WL 4293341 at *8 (finding domestic activity in part because the website where digital assets were sold was “hosted on a server in Arizona”).

40. Id. at 139; see also SEC v. Binance, 2024 WL 3225974, at *36 (D.D.C. June 28, 2024) (“Given that Binance disavows being located anywhere, this Court agrees with the Second Circuit’s analysis in Williams and concludes that the factual allegations here plausibly allege that irrevocable liability was incurred in the United States when customers in the United States placed trade orders and sent payments on the Binance.com platform.”).

41. Barron, 2021 WL 229609 at *6; cf. Basic, 2024 WL 4113751 at *9 (“Similar arguments were enough for the Binance court to find those transactions were domestic transactions, but . . . [u]nlike Binance, Defendants have not run away from the authority of all jurisdictions.”).

42. Morrison, 561 U.S at 255–56.

43. Id. at 266 (emphasis in original).

44. Id. at 259–61.

45. Application for Extension of Time, Binance v. Anderson, No. 23A1155, at *2 (June 25, 2024), available at https://tinyurl.com/3mefa8vx.

46. Petition for Writ of Certiorari, Binance v. Anderson, No. 23A1155, at *i (Sept. 23, 2024), available at https://tinyurl.com/95r7jc9f.

47. Morrison, 561 U.S. at 255 (citing EEOC v. Arabian American Oil Co., 499 U.S. 244, 248 (1991).

48. See Loginovskaya v. Batratchenko, 764 F.3d 266, 271 (2d Cir. 2014); see also CFTC v. Garofalo, 2010 WL 11245430, at *6 (N.D. Ill. Dec. 21, 2010) (“[N]either the CEA nor its legislative history specifically authorizes extraterritorial application of the statute.”); but see CFTC v. Vision Fin. Partners, LLC, 190 F. Supp. 3d 1126, 1131 (S.D. Fla. 2016) (“The Commodity Exchange Act, though, does contain an affirmative indication that it applies to extraterritorial transactions, at least concerning suits brought by the Commission itself.”) (emphasis in original).

49. Messieh v. HDR Glob. Trading Ltd., 2024 WL 1436755, at *2–3 & n. 1, 2 (S.D.N.Y. Apr. 3, 2024).

50. See In the Matter of Opyn, Inc., CFTC Dkt. No. 23-40, at 4 (Sept. 7, 2023).

51. See, e.g., 7 U.S.C. §§ 2(c)(2)(D)(ii) & 6(a) (CEA provisions regulating not only persons who offer or sell futures contracts in the United States, but also those who “conduct an office or business in the United States” for the purpose of offering or selling such contracts anywhere in the world).

52. We note that these best practices are imperfect at best. Since case law addressing Morrison provides little guidance as to the characteristics of an effective U.S. geofence, we drew additional insight from enforcement actions brought by regulators such as the SEC, CFTC, Financial Crimes Enforcement Network (“FinCEN”), and Office of Foreign Assets Control (“OFAC”), which go deeper into the details of what makes an effective geofence. Yet, we do not know and cannot predict whether regulators or courts will find these best practices sufficient to take a product or service outside the territorial scope of U.S. law. No matter how hard a company tries to establish an effective geofence, it is possible that even a single touchpoint with the United States could subject the company to U.S. jurisdiction.

53. See Dkt. 62, Consent Order ¶ 27, CFTC v. HDR Global Trading Ltd., No. 1:20-cv-08132-MKV (S.D.N.Y. Oct. 1, 2020).

54. See Dkt. 1, Indictment ¶ 34, United States v. Storm, No. 1:23-cr-0430 (S.D.N.Y. Aug. 21, 2023); U.S. Dep’t of the Treasury, OFAC Enters Into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions (Feb. 28, 2021), https://tinyurl.com/yc7ksb29 (“BitPay OFAC Settlement”).

55. On September 26, 2024, U.S. District Judge Katherine Polk Failla issued an oral decision in United States v. Storm that appears to support a view that control is not a prerequisite for liability; but see Dkt. 39, Brief of the DeFi Education Fund at 2, United States v. Storm, No. 1:23-cr-0430 (S.D.N.Y. Apr. 5, 2024) (“Put simply, validating the Indictment’s theories of liability would mean rejecting core principles of due process and the rule of law.”).

56. See, e.g., Dkt. 80, Consent Order ¶ 135, CFTC v. Zhao, No. 1:23-civ-01887 (N.D. Ill. Dec. 14, 2023).

57. See U.S. Dep’t of the Treasury, OFAC Settles with CoinList Markets LLC for $1,207,830 Related to Apparent Violations of the Ukraine-/Russia-Related Sanctions Regulations (Dec. 13, 2023), https://tinyurl.com/yc4ha3b5.

58. BitPay OFAC Settlement (noting that “[w]hile BitPay screened its direct customers,” called “merchants,” “BitPay failed to screen location data that it obtained about its merchants’ buyers,” including the buyer’s name, address, email address, and phone number, and eventually, IP addresses).

59. See U.S. Dep’t of the Treasury, FinCEN, Assessment of BitMEX (Aug. 10, 2021), https://tinyurl.com/mupax9dd (“BitMEX actively ignored signs that U.S. Customers traded on the platform and chose to overlook or alter data indicating that customers were located in the U.S.”).

* * *

 

This writing is provided for informational purposes only and should not be considered as legal, investment, tax, or business advice. None of the information, analysis, or opinions provided here are intended as legal advice for any particular facts or circumstances and are not meant to create an attorney-client relationship or replace competent counsel. It is strongly advised that you contact and retain your own counsel in your jurisdiction for legal advice specific to you. You should not act or refrain from acting in any way on the basis of any content provided here. This writing may not reflect all current updates to applicable laws or interpretive guidance, and the authors disclaim any obligation to update this writing after publication. All liability with respect to actions taken or not taken based on the content of this writing are hereby expressly disclaimed. The content here is provided “as is;” no representations are made that the content is error-free.