The 50-State Problem
Federal securities regulation under the SEC receives the preponderance of attention in discussions about tokenized asset compliance — and for good reason. The SEC’s enforcement actions, no-action letters, and rulemaking define the primary compliance framework for tokenized securities in the United States. But beneath the federal framework lies a second layer of regulatory complexity that practitioners and issuers encounter in every transaction: state securities laws, colloquially known as “Blue Sky laws,” that can impose independent registration, disclosure, and licensing requirements on token offerings and the platforms that support them.
Blue Sky laws exist because Congress, in passing the federal securities acts, explicitly preserved the states’ authority to regulate securities offerings within their borders. Every state has its own securities regulator — 50 separate agencies with varying approaches to digital assets, varying staff expertise, and varying degrees of enforcement aggressiveness. Navigating this landscape requires a 50-state analysis that institutional issuers find expensive, slow, and deeply inconsistent with the efficiency gains that tokenization promises.
The good news — and it is substantial good news for institutional tokenized securities issuers — is that the National Securities Markets Improvement Act of 1996 (NSMIA) preempts state Blue Sky review for a broad category of securities offerings. The bad news is that NSMIA’s preemption has limits, and the categories outside those limits are precisely the categories that some tokenization business models rely on.
NSMIA Preemption and Regulation D 506(c)
NSMIA fundamentally reorganized the federal-state division of securities regulation by creating a category of “covered securities” exempt from state registration requirements. The most practically significant category of covered securities for the tokenized asset market is offerings made under Regulation D, Rule 506 — the private placement exemption that permits unlimited capital raises from accredited investors without SEC registration.
Under NSMIA, Rule 506 offerings — including Rule 506(c) offerings that permit general solicitation to accredited investors — are “covered securities” preempted from state registration and qualification requirements. States retain the authority to require notice filings and collect fees, and they retain anti-fraud jurisdiction, but they cannot impose their own merit review, disclosure requirements, or suitability standards on 506 offerings. An issuer conducting a 506(c) token offering must file Form D with the SEC and comply with state notice filing requirements — typically a Form D plus a fee, ranging from a few hundred to a few thousand dollars per state — but is not subject to state-by-state substantive review.
For institutional tokenized securities issuers, 506(c) preemption is the primary reason that state Blue Sky laws are manageable rather than prohibitive. Virtually every institutional tokenized securities offering — tokenized fund shares for accredited investors, tokenized private credit instruments, tokenized PE interests — is conducted under Rule 506(c). The NSMIA preemption means that compliance with SEC requirements and the accredited investor verification requirement is sufficient for state compliance purposes across all 50 states.
The notice filing requirement is administrative, not substantive, but it requires systematic tracking across every state where investors reside. A tokenized fund with investors in 30 states requires 30 separate Form D filings with state securities commissions, 30 separate fee payments, and annual updates. For large platforms with hundreds of issuing clients, managing this notice filing obligation efficiently requires dedicated compliance infrastructure — but it is a solved problem, not a fundamental barrier.
Where NSMIA Does Not Preempt: Regulation A+ Tier 1
NSMIA’s preemption does not extend to all offering exemptions. Critically, Regulation A+ Tier 1 offerings — which permit companies to raise up to $20 million from both accredited and non-accredited investors — are not preempted from state Blue Sky review. Tier 1 offerings must be qualified not only by the SEC but by each state in which securities are offered to investors.
This state qualification requirement for Tier 1 is the primary reason that the tokenized securities market has focused almost entirely on Regulation D rather than Regulation A+ as its offering framework. Qualifying a Reg A+ Tier 1 offering in all 50 states is a process that can take 6-12 months and cost $200,000-$500,000 in legal and filing fees — a timeline and cost that is prohibitive for the smaller issuers that Reg A+ is designed to serve.
Regulation A+ Tier 2 offerings, which permit raises up to $75 million, are preempted from state qualification requirements for sales to “qualified purchasers” (not the same standard as the Investment Company Act qualified purchaser; for Reg A+ purposes, this is effectively any investor who purchases pursuant to the Tier 2 offering). For tokenized securities issuers seeking to reach non-accredited investors — a meaningful long-term market — Tier 2 is the viable pathway, not Tier 1.
The practical result of the Tier 1 state qualification burden is that the sub-$20 million tokenized offering market — where community-scale real estate tokenization, small business equity tokenization, and local infrastructure tokenization might otherwise flourish — is significantly constrained by 50-state compliance costs. The platforms serving this market (including several real estate tokenization platforms that have used Reg CF crowdfunding as an alternative) have found that the regulatory friction of Tier 1 qualification is a more significant barrier to scale than technology or investor demand.
NASAA’s Operation Crypto-Sweep
The North American Securities Administrators Association — the coordinating body for state securities regulators — has run multiple rounds of its “Operation Crypto-Sweep” enforcement initiative, targeting fraudulent and unregistered cryptocurrency offerings. Operation Crypto-Sweep, launched in 2018 and continued through multiple cycles, has resulted in hundreds of enforcement actions and investigations across dozens of states.
NASAA’s enforcement focus has evolved from outright fraudulent crypto schemes — “exit scam” ICOs, pump-and-dump token promotions — toward more sophisticated violations involving unregistered broker-dealer activity by crypto platforms and the offer of unregistered securities to non-accredited investors under exemptions that don’t apply. For tokenized securities platforms, the NASAA sweep’s enforcement priorities are directly relevant: operating without broker-dealer registration in states that require it for digital asset transaction facilitation, and allowing non-accredited investors to purchase securities without proper qualification, are the most common violations that state regulators pursue.
State securities regulators also have anti-fraud jurisdiction over Rule 506 covered securities, notwithstanding NSMIA preemption from registration requirements. This means that while states cannot require a 506(c) tokenized offering to register, they can — and NASAA member states do — pursue enforcement actions for misrepresentations, omissions, and fraudulent conduct in connection with those offerings. The anti-fraud jurisdiction is particularly significant for tokenized offerings where marketing materials make performance claims that are not supported by the underlying asset’s financial data.
New York’s Martin Act: The Extraterritorial Threat
New York’s Martin Act — the New York securities anti-fraud statute enacted in 1921 — is the most powerful and feared state securities law in the United States. The Martin Act does not require proof of intent to defraud (unlike most state securities anti-fraud provisions), and it extends to any misrepresentation or omission in connection with the offer, purchase, or sale of securities or “commodity contracts” — a term that New York courts have interpreted broadly to include cryptocurrency and digital assets.
The Martin Act’s scope is effectively extraterritorial for institutional securities offerings. Any offering of digital asset securities that includes a New York investor, or any marketing of those securities through channels that reach New York (including websites and social media), is potentially subject to Martin Act jurisdiction. The New York Attorney General’s office — which enforces the Martin Act — has brought enforcement actions against crypto platforms including Tether, Bitfinex, and Coinseed that did not necessarily have significant New York-based operations but whose activities touched New York investors.
For tokenized securities issuers, Martin Act risk manifests in three primary ways: marketing materials that make misleading statements about returns or risk, failure to disclose material conflicts of interest in fund management, and the offer of securities that do not qualify for an applicable exemption to New York investors. The remedies available under the Martin Act — disgorgement, injunctions, criminal referral — make it one of the most significant state-level enforcement risks for digital asset platforms.
The BitLicense — New York’s regulatory framework for cryptocurrency businesses under 23 NYCRR Part 200 — operates independently from the Martin Act and imposes a separate set of requirements. BitLicense applicants must demonstrate adequate capital, cybersecurity infrastructure, AML compliance programs, and consumer protection measures. The license covers businesses that engage in “virtual currency business activity” involving New York residents, including exchange, transfer, control, and issuance of virtual currency.
The Wyoming-Texas-Colorado Regulatory Arbitrage
While New York’s Martin Act and BitLicense create one of the most demanding state regulatory environments in the country, Wyoming, Texas, and Colorado have deliberately created favorable regulatory climates for digital asset businesses that have attracted significant issuers and platforms.
Wyoming’s legislative program — including the Wyoming SPDI charter, the Wyoming DAO LLC statute, and a series of digital asset enabling laws — has created a comprehensive state framework for blockchain and digital asset businesses. Wyoming SPDIs (Special Purpose Depository Institutions) can provide custody, payments, and fiduciary services for digital assets under Wyoming state banking regulation, without requiring a national bank charter. Kraken’s parent company obtained a Wyoming SPDI charter in 2020 — the first crypto bank charter in the US — enabling it to offer banking services without the complexity of the federal charter process.
Texas has positioned itself as a crypto-friendly state through favorable money transmitter law interpretations, clear guidance on digital asset mining as a permissible business activity, and a regulatory posture from the Texas State Securities Board that has emphasized education and compliance assistance over aggressive enforcement. Several tokenized real estate platforms have chosen Texas as their primary jurisdiction of organization precisely because of the more constructive regulatory environment.
Colorado’s Digital Token Act, enacted in 2019, created an exemption from Colorado securities registration requirements for utility tokens — digital tokens that provide access to a good or service rather than representing an investment interest. While most institutional tokenized securities do not qualify as utility tokens, Colorado’s proactive legislative approach signals a regulatory philosophy more focused on enabling innovation than restricting it.
The regulatory arbitrage created by these divergent state approaches is real but limited for institutional issuers. Major asset managers conducting tokenized fund offerings under Rule 506(c) do not choose their organizational state based on securities law considerations — NSMIA preemption makes state securities registration requirements essentially irrelevant for their core business. Where state choice matters is for the platform infrastructure — the broker-dealer or ATS operator — and for the custody and banking services supporting the platform.
Multi-State Compliance Checklist for Tokenized Securities Issuers
For institutional tokenized securities issuers conducting Rule 506(c) offerings, the following state-level compliance framework applies:
Notice Filings. File Form D Part II in each state where securities are sold to investors, within 15 days of first sale in that state. Most states accept the SEC’s Form D. File annual amendments. Budget $50-200 per state filing plus legal fees for coordination.
Broker-Dealer Registration. If operating a broker-dealer in connection with the offering, confirm that the broker-dealer is registered in each state where transactions are effected. FINRA member broker-dealers registered with the SEC have a streamlined state registration process through FINRA’s CRD system, but state-specific requirements (state exams, net capital rules, bonding requirements) vary.
Martin Act Diligence. For any offering that may include New York investors, conduct a Martin Act review of all marketing materials, offering documents, and disclosure for misleading statements or omissions. Obtain legal opinion from New York securities counsel.
BitLicense Assessment. If the platform provides custody, exchange, or transfer services for virtual currency to New York residents, assess BitLicense requirements. The application process takes 12-18 months and requires substantial compliance infrastructure documentation.
State Anti-Fraud Compliance. Even for preempted 506(c) offerings, maintain compliance with state anti-fraud provisions by ensuring all offering materials are accurate and not misleading in all material respects.
Exhibit: State Regulatory Climate for Tokenized Securities Platforms
| State | Key Framework | Regulatory Posture | Notable Features |
|---|---|---|---|
| New York | Martin Act + BitLicense | Aggressive enforcement | Extraterritorial reach; heaviest compliance burden |
| Wyoming | SPDI + DAO LLC + FinTech sandbox | Industry-friendly | Best state-level custody framework |
| Texas | MTL + Digital Asset guidance | Cooperative | Favorable mining and digital asset business treatment |
| Colorado | Digital Token Act | Progressive | Utility token exemption; innovation-focused |
| California | CalFIN + DBO supervision | Moderate enforcement | High investor count makes state unavoidable |
| Florida | MTL + Securities Act | Moderate | Money transmitter framework applies to crypto |
| Delaware | Corporate law dominant | Minimal digital asset specific | Formation jurisdiction; not custody/trading focused |
The Long-Term Harmonization Question
The 50-state compliance burden is a structural inefficiency that the tokenized securities market will eventually need to address through federal preemption legislation or uniform state law adoption. The Uniform Law Commission has studied the issue but has not yet produced a Uniform Digital Asset Securities Act equivalent to the Uniform Electronic Transactions Act that harmonized e-signature law across states in the early 2000s.
Until federal preemption legislation or a uniform state act reduces the compliance friction, institutional tokenized securities issuers will continue to manage 50-state compliance as a cost of business — manageable under NSMIA for Rule 506(c) offerings, more challenging for smaller issuers pursuing broader investor access through Regulation A+ or other frameworks. The Regulation D framework remains the dominant offering structure for institutional tokenized securities precisely because NSMIA preemption makes the 50-state problem tractable. Platforms and issuers considering alternative offering structures should model the state compliance costs carefully before making structural choices that add multi-state review requirements to an already complex regulatory stack.