The CLARITY Act makes crypto exchanges Bank Secrecy Act institutions. A 2026 guide to its KYC and AML requirements, the SEC and CFTC split, and Senate status.
- The CLARITY Act is a United States market structure bill that decides who regulates crypto, and it quietly drafts much of the industry into the Bank Secrecy Act.
- It gives the Commodity Futures Trading Commission the digital commodity spot market and leaves investment contract tokens with the Securities and Exchange Commission.
- The House passed it on 17 July 2025 by 294 to 134. The Senate Banking Committee advanced its version on 14 May 2026 by 15 to 9. It is not yet law.
- The compliance catch: the bill classifies digital commodity brokers, dealers and exchanges with direct customer access as Bank Secrecy Act financial institutions, with statutory KYC and anti-money laundering duties.
- Meeting those duties means deciding where KYC data lives. The December 2024 Coinbase breach, where data on roughly 70,000 customers leaked, shows the central store is the real liability.
The CLARITY Act is a United States market structure bill that defines who regulates crypto. It splits oversight between the CFTC, which gains the digital commodity spot market, and the SEC, which keeps investment contract tokens, and it classifies digital commodity exchanges, brokers and dealers as Bank Secrecy Act financial institutions with KYC and AML duties.
TL;DR
The CLARITY Act is the bill that would finally tell crypto firms which regulator they answer to. It hands the CFTC the digital commodity spot market, keeps genuine securities with the SEC, and uses how decentralised a blockchain is to sort one from the other. The House passed it in July 2025 and the Senate Banking Committee advanced its own text in May 2026, but it still needs a floor vote and reconciliation, so it is not law yet. The detail that decides your build is the compliance one: the bill makes digital commodity intermediaries Bank Secrecy Act financial institutions, so KYC, customer identification and anti-money laundering controls become statutory. That forces a second decision the headlines ignore: where all that verified identity data lives once you collect it.
What is the CLARITY Act?
It is the short name for the Digital Asset Market Clarity Act of 2025 (H.R. 3633), introduced in the 119th Congress. It is a market structure bill, which means it sets the ground rules for who regulates digital asset trading, custody and intermediaries in the United States, rather than creating a new tax or banning anything. For years the central question in US crypto policy has been simple to ask and hard to answer: when a token trades, is it a security under the Securities and Exchange Commission (SEC) or a commodity under the Commodity Futures Trading Commission (CFTC)? The bill answers that with a statutory test instead of leaving it to case-by-case enforcement.
The part that decides your compliance build sits in the definitions, where the law classifies digital commodity exchanges, brokers and dealers as financial institutions under the Bank Secrecy Act. That single move pulls a large slice of the crypto industry into the same anti-money laundering perimeter as banks and money services businesses. Plenty of explainers cover the headline securities-versus-commodities split; what this guide adds is the operational consequence, turned into a readiness checklist and a data-architecture decision. The short companion entry in our CLARITY Act glossary gives the bare definition for quick reference.
Has the CLARITY Act passed yet?
No. As of late June 2026 the bill has passed the House of Representatives but not the Senate, so it is not yet law. The House passed H.R. 3633 on 17 July 2025 by a vote of 294 to 134, a broadly bipartisan margin. The Senate then began work on its own version, and the Senate Banking Committee advanced that text on 14 May 2026 by 15 to 9, with Democrats Ruben Gallego of Arizona and Angela Alsobrooks of Maryland joining every Republican on the panel. In early June 2026 the committee reported the bill and it was placed on the Senate Legislative Calendar, making it eligible for floor consideration.
Several hurdles remain before it becomes law. The Senate Banking text still has to be reconciled with the Senate Agriculture Committee's version, because crypto market structure touches both committees. After that it needs 60 votes on the Senate floor, then reconciliation with the House-passed bill, and finally a Presidential signature. Open disputes over stablecoin rewards, the treatment of decentralised finance and ethics provisions for senior officials are slowing the floor schedule. In June 2026, Galaxy Research cut its odds of the CLARITY Act passing in 2026 from 75 percent to about 60 percent, citing the tightening Senate calendar and the August recess deadline. Treat any "it passed" headline with care and check the date.

What does the law do for crypto?
At a high level the bill does three things. First, it ends the regulation-by-enforcement era by giving digital assets a defined federal framework rather than a patchwork of lawsuits. Second, it moves spot market jurisdiction for digital commodities to the CFTC, which has historically overseen commodity markets, while leaving true investment contracts with the SEC. Third, it writes consumer protections into statute, including a requirement that intermediaries segregate customer funds from their own operating funds, a direct response to the collapses that wiped out customer balances.
For a crypto business, the practical effect is that your regulatory home stops being a matter of opinion, and a second decision lands on your desk at the same time. Once the bill makes you a Bank Secrecy Act institution, you must verify and retain customer identity at scale, which means choosing where that sensitive data lives and who is liable when it leaks. In our work with exchange compliance teams, that data-location question, not the identity checks themselves, is the one that stalls procurement, because the liability is asymmetric: the verification is routine, but the store you keep is what turns into a breach headline. Hold the thought; it is the part of the bill with the longest tail. If you run onboarding for an exchange today, our guide to KYC for crypto exchanges covers the controls this framework would make mandatory.
How does it split the SEC and CFTC?
The split turns on how decentralised the underlying blockchain is. Under the bill, a digital asset whose value is intrinsically linked to the use of a blockchain, and which runs on a sufficiently decentralised or mature network, is treated as a digital commodity and falls to the CFTC. A token that is still controlled by a company or development team, where buyers are effectively investing in that group's efforts, looks like an investment contract asset and stays with the SEC. The same token can change hands over its life: it may start as an SEC-supervised offering and migrate to CFTC oversight once its network is sufficiently decentralised.
To operationalise that, the bill creates three new CFTC-registered intermediary categories: the digital commodity exchange, the digital commodity broker and the digital commodity dealer. The first table summarises the division of labour; the second shows how it tends to land for well-known assets.
| Question | SEC | CFTC |
|---|---|---|
| Asset type | Investment contract assets (tokens tied to a controlling enterprise) | Digital commodities on decentralised or mature blockchains |
| Market overseen | Securities offerings and trading | Digital commodity spot market |
| New registrant categories | Existing securities registrants | Digital commodity exchanges, brokers and dealers |
| Compliance hook | Securities disclosure rules | Market conduct plus Bank Secrecy Act duties |

| Example asset | Likely treatment | Why |
|---|---|---|
| Bitcoin (BTC) | Digital commodity, CFTC | Decentralised network, no controlling issuer |
| Ether (ETH) | Digital commodity, CFTC | Widely treated as a commodity; no single controlling party |
| Payment stablecoins (such as USDC) | Governed by the GENIUS Act | Falls under the separate payment stablecoin regime |
| A new issuer-controlled fundraising token | Investment contract asset, SEC | Buyers rely on a central team's efforts until the network matures |
This is illustrative, not legal advice; final classification turns on the facts and on how decentralised a network actually is. The practical takeaway is that more crypto trading activity moves under the CFTC, but the anti-money laundering obligations attach regardless of which regulator holds the rest of the file.
CLARITY Act vs the GENIUS Act: what is the difference?
People mix these up constantly, so it is worth being precise. The GENIUS Act and the CLARITY Act are different bills with different jobs, summarised below.
| Aspect | GENIUS Act | CLARITY Act |
|---|---|---|
| Status | Signed into law 18 July 2025 | Passed the House; in the Senate, not yet law |
| Scope | Payment stablecoins | Digital asset market structure |
| Primary regulators | Treasury and stablecoin regulators | SEC and CFTC |
| Headline duty | One-to-one reserves and disclosures | Securities and commodity sorting, plus Bank Secrecy Act AML |
Think of it as a stack. The GENIUS Act handles the dollar-pegged payment layer, the market structure bill handles the wider question of securities versus commodities and the intermediaries in between, and both sit on top of long-standing Bank Secrecy Act duties. The two even overlap on a live fight: whether stablecoins can pay yield. A March 2026 bipartisan agreement between Senators Tillis and Alsobrooks, backed by the White House, would ban passive stablecoin yield while allowing activity-based rewards tied to payments, and that compromise is one of the threads still being stitched into the Senate text. For the operational background on monitoring, see our AML transaction monitoring guide.
Who has to comply?
If the bill becomes law, the clearest targets are the CFTC-registered intermediaries it creates: digital commodity exchanges, brokers and dealers. The House Financial Services Committee's section-by-section is explicit about the reach: it treats digital commodity brokers and dealers, and digital commodity exchanges that permit direct customer access, as financial institutions under the Bank Secrecy Act. So a centralised exchange or custodian that onboards and holds customer assets sits squarely inside the perimeter, as do many firms that compete with banks for the same activity.
The contested edges are decentralised finance and self-custody. The bill is drafted to protect genuine self-custody and non-controlling software developers, so a person holding their own keys or a team publishing open protocol code is not meant to be swept in as a money transmitter. The Bank Policy Institute argues the carve-out is too wide on a same-activity, same-risk principle, leaving some digital asset service providers outside the anti-money laundering net, which is one reason the Senate text keeps changing. If your model touches custody, order matching or fiat ramps, assume you are in scope and plan accordingly. Our KYB software and AML software pages walk through the business and transaction checks that follow.
What KYC and AML duties does the CLARITY Act create?
Because the bill makes digital commodity intermediaries Bank Secrecy Act financial institutions, the duties are the familiar anti-money laundering programme, applied to crypto. Treasury, acting through the Financial Crimes Enforcement Network and in consultation with the SEC and CFTC, would set requirements consistent with those for futures commission merchants. That means a written programme with a designated compliance officer, a Customer Identification Program that verifies identity at onboarding, screening against government sanctions and watchlists, ongoing transaction monitoring, suspicious activity reporting and multi-year recordkeeping. None of this is exotic; it is the backbone banks and money services businesses already run, now statutory for exchanges.
The operational weight lands on identity. A Customer Identification Program under the Bank Secrecy Act requires you to collect, verify and retain identifying information for every customer, then keep screening them over time. For a crypto exchange onboarding at scale, that is a large, sensitive data set: names, dates of birth, addresses, government identifiers and document images. Building the programme is well understood; the question this framework forces is where all that verified identity data goes once you have it, and who becomes liable for it. Our KYC software page and the decentralised KYC explainer show how the same checks can run without warehousing the data centrally.
The CLARITY Act compliance readiness checklist
Use this checklist to pressure-test your programme against the Bank Secrecy Act duties the bill would make mandatory. It is a starting point, not legal advice.
- [ ] Confirm scope: are you a digital commodity exchange with direct customer access, a broker or dealer, or a custodian or fiat ramp that competes with a bank?
- [ ] Appoint an accountable compliance officer and document a written anti-money laundering and CFT programme.
- [ ] Stand up a Customer Identification Program that collects and verifies identity at onboarding.
- [ ] Screen every customer against OFAC sanctions and watchlists at onboarding and on an ongoing basis.
- [ ] Implement transaction monitoring with documented red-flag rules and an alert triage process.
- [ ] Build a Suspicious Activity Report workflow that meets filing timelines.
- [ ] Set a records retention schedule that satisfies multi-year Bank Secrecy Act recordkeeping.
- [ ] Decide where verified identity data lives, and whether you are building a central honeypot.
- [ ] Produce an exportable, audit-ready trail an examiner can review on demand.
- [ ] Map data-protection duties, such as retention limits and the right to erasure, against your KYC store.
Can you comply without a PII honeypot?
The last checklist item is the one most firms underweight, so it is worth slowing down on. Standing up the KYC programme is well-trodden; the open decision is the data architecture, and there are several honest answers. You can hold KYC data in a SOC 2 environment encrypted at rest, minimise and tokenise what you keep, lean on a third-party vendor, or decentralise storage so no single system holds the whole record. Plenty of well-run exchanges operate a central store and pass their exams. The question is what that store costs you in risk.
The cost is not hypothetical. In December 2024 a group of overseas support agents was bribed to steal data on roughly 70,000 Coinbase customers, including, for some customers, images of government IDs submitted for KYC, an incident Coinbase disclosed in a May 2025 SEC filing and estimated could cost up to 400 million dollars. Encryption at rest did not stop a bribed insider, and the Customer Identification Program rules force you to retain that data for years while data-protection law layers on retention limits and erasure duties. A central database is a single, standing target no matter how well it is locked. We break that case down in our Coinbase data breach analysis.
Zyphe's answer is to verify identity without becoming the place it accumulates. Verified data is sharded across a decentralised network under a 29-of-100 threshold scheme, so no single node holds a complete record and there is no central honeypot to breach. The examiner's first question is usually whether you can still produce a complete record on demand, and you can: authorised parties reconstruct the full record through the threshold scheme when needed and export the audit trail, so sharding never means losing access, it means no single breach ever exposes the whole file. That is the same complete-record-on-demand standard Bank Secrecy Act recordkeeping already expects, met without keeping the single store that turned a bribed insider into a breach Coinbase estimated at up to 400 million dollars. The customer keeps a reusable KYC passport they can re-present elsewhere. If that architecture fits the build decision the bill forces, you can book a demo to map it to your onboarding.
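To make the 29-of-100 property concrete, the sketch below is an added example, not Zyphe's code or anything from the original page. It assumes Shamir secret sharing over a prime field (the page does not name the scheme) and shards a constructed 256-bit record-encryption key rather than a full KYC record; any 29 shares rebuild the key, while 28 yield an unrelated value.

```python
# Added illustration, not Zyphe's implementation. Assumption: Shamir secret
# sharing over a prime field; the page only says "29-of-100 threshold scheme".
import secrets

P = 2**521 - 1   # Mersenne prime; every secret must be smaller than P
K, N = 29, 100   # threshold and share count quoted in the text

def split(secret, k=K, n=N):
    """Split integer `secret` into n shares (x, y); any k recover it."""
    if not 0 <= secret < P:
        raise ValueError("secret must fit in the field")
    # Random degree k-1 polynomial whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def combine(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With fewer than k shares this still returns a number, but it is
    unrelated to the secret: the missing shares leave every value possible.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def demo():
    """Constructed sample: shard a 256-bit record-encryption key."""
    key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split(key)
    rng = secrets.SystemRandom()
    quorum = combine(rng.sample(shares, K)) == key         # any 29 shares
    insider = combine(rng.sample(shares, K - 1)) == key    # only 28 shares
    return quorum, insider

if __name__ == "__main__":
    print(demo())
```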
The bottom line
The CLARITY Act is less about price and more about plumbing: it decides who regulates what, and quietly drafts much of the crypto industry into the Bank Secrecy Act. Whether it passes this year or next, the direction is set, and the smart move is to treat statutory KYC and anti-money laundering as a given and design for it now. The teams that come out ahead will be the ones who satisfy the verification duty without inheriting the central data liability that sank others. Verify identity, keep the audit trail, and weigh the honeypot before you build one.
Cited sources
- H.R. 3633, Digital Asset Market Clarity Act of 2025, full text and actions (Congress.gov)
- Congressional Research Service, An Overview of H.R. 3633 (IN12583)
- House Financial Services Committee, CLARITY Act section-by-section (Bank Secrecy Act treatment)
- Senate Banking Committee, Committee advances the bill in a bipartisan vote
- S.1582, GENIUS Act of 2025, signed into law 18 July 2025 (Congress.gov)
- Galaxy Research lowers CLARITY Act 2026 passage odds to 60 percent (June 2026)
Michelangelo Frigo (Co-Founder at Zyphe). Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.