I.  Introduction:

The Investments and Securities Act 2025 (the Act) resolves, at the level of primary legislation, a question that has occupied regulators across multiple jurisdictions: the legal status of digital assets. Under Nigerian law, virtual and digital assets are now brought within the statutory definition of securities. The Act marks the most consequential development in the regulation of digital assets in Nigeria since the Central Bank of Nigeria’s circular of February 2021. Where that circular sought, however imperfectly, to restrict the banking sector’s engagement with cryptocurrency, the ISA 2025 does the opposite: it places virtual and digital assets within the statutory definition of “securities” and charges the Securities and Exchange Commission with the registration and regulation of every category of entity that deals in them. The significance of this legislative act warrants careful and measured analysis. For the first time, digital assets no longer occupy a regulatory grey area under Nigerian law. The Act resolves the threshold question of jurisdiction by placing them within the statutory concept of securities. The consequences of that classification radiate through the entire architecture of the Act.

This article examines that classification and its implications across the principal dimensions of the Act: the definitional framework, the operational mandate of the Commission, the novel enforcement powers introduced specifically for the digital context, the investment contract doctrine as it applies to token arrangements, and the co-regulatory relationship between the SEC and the CBN that the Act expressly contemplates. The analysis proceeds from the statutory text itself, with reference to comparative experience from the European Union’s Markets in Crypto-Assets Regulation and the considerations of the Financial Action Task Force that bear directly on Nigeria’s compliance standing. This article proceeds on the basis that ISA 2025 resolves the question of regulatory jurisdiction, and focuses on the structure, scope, and limits of the regulatory framework that follows.

II.  The Securities Taxonomy: Where Digital Assets Now Stand

The interpretive provision of the ISA 2025, contained in Section 357, establishes the definition of “securities” in the following terms. The provision is reproduced in the relevant parts:

“securities” means – (a) debentures, stocks or bonds issued by a government; (b) debentures, stocks, shares, bonds, notes issued by a body corporate, any right or option in respect of any such debentures, stocks, shares, bonds or notes; (c) virtual and digital assets; (d) investment contracts; (e) commodities, futures, contracts, options and other derivatives; or (f) any other instrument deemed as securities which may be transferred by means of any electronic mode or which may be deposited, kept or stored with any depository or custodian.” – Section 357, Investments and Securities Act, 2025

The legislature’s decision to enumerate virtual and digital assets as a discrete category of securities at paragraph (c) of this definition, positioned between the traditional categories of corporate instruments and the investment contract doctrine, is a considered structural choice. It does not graft digital assets onto an existing category by analogy; it acknowledges them as a sui generis form of security that demands its own statutory recognition. This approach, which one may contrast with the earlier regulatory guidance issued by the SEC in 2022 under the ISA 2007, resolves at the level of primary legislation a characterization question that in other jurisdictions has consumed years of regulatory effort and judicial consideration.

The Second Schedule to the Act, which is made applicable by Section 355 and constitutes the definitive list of investment types for the purposes of the Act, reinforces this position. Paragraph 4 of Part I of the Second Schedule provides:

“Virtual Assets – 4. Virtual assets, digital assets and other distributed ledger technology (DLT) offers, tokens and products.” – Second Schedule, Part I, Paragraph 4, Investments and Securities Act, 2025

The extension of the category to “distributed ledger technology (DLT) offers, tokens and products” is of considerable practical importance. It reflects a legislative intention to bring tokenised instruments, including utility tokens, governance tokens, and non-fungible tokens with financial characteristics, within the securities regulatory perimeter, particularly where they are offered as investment products. The formulation is deliberately technology-neutral and sufficiently broad to accommodate the continuous evolution of digital asset structures.

The Securities Exchange Definition and Digital Market Venues

The Act’s definition of “securities exchange or registered exchange” extends the exchange infrastructure concept explicitly to the digital sphere. The definition provides that a securities exchange means “an organized facility” which maintains infrastructure “(a) for bringing together buyers and sellers of securities, virtual assets, commodities, or financial products or instruments; (b) for matching bids and offers for securities, virtual assets, commodities, or financial products or instruments of multiple buyers and sellers; and (c) whereby a matched bid and offer for securities, virtual assets, commodities, or financial products or instruments constitutes a transaction.”

The deliberate insertion of “virtual assets” alongside securities and commodities within the Act’s definitional framework, and its repetition across sub-paragraphs (a), (b), and (c), is best understood as reflecting a legislative intention to bring virtual asset trading infrastructure within the same regulatory perimeter as traditional exchange systems, rather than to create an entirely separate and parallel category of regulated entity.

The definition of “market venue” in Section 357, which captures “any platform whether physical or virtual where securities and other financial instruments are traded,” is equally significant. On its natural reading, a decentralized exchange protocol operating through smart contracts on a public blockchain, accessible to Nigerian investors and facilitating the trading of instruments that fall within the Act’s definition of securities or other regulated financial instruments, is capable of falling within the concept of a market venue and, in principle, within the Act’s regulatory architecture.

That characterization is legally coherent and reflects a defensible reading of the statutory text. It does not, however, resolve the most consequential practical question arising from the application of Section 357 to the digital asset sector: the enforcement asymmetry between centralized exchange infrastructure and genuinely decentralized protocol architecture. That asymmetry, addressed only implicitly in the Act, constitutes, on the present analysis, the central implementation challenge of the digital asset regulatory framework.

The Centralized–Decentralized Divide: An Enforcement Analysis

A centralized virtual asset exchange of the kind that has been the primary subject of Nigerian regulatory attention since 2023 exhibits the structural features that make conventional securities regulation workable. It typically has an identifiable legal entity capable of being registered, supervised, fined, or prosecuted. It maintains a compliance function capable of receiving and responding to regulatory directives. It holds customer assets in custody and therefore exercises control over private keys of the kind contemplated under Section 3(4)(o) of the Act. It operates know-your-customer procedures that generate records of Nigerian customers accessible to the Commission under Section 3(4)(j). It maintains banking relationships whose disruption can serve as an effective regulatory lever. Regulatory experience since 2023 suggests that each of these leverage points has, in practice, proven effective.

By contrast, a genuinely decentralized exchange protocol lacks many of these features. Such a protocol operates through autonomous smart contracts deployed on a public blockchain and may lack any identifiable legal entity exercising operational control once deployed. It does not hold customer assets in custody: users transact directly from their own cryptographic wallets, retaining exclusive control of their private keys throughout the trading process. It does not operate know-your-customer procedures and does not maintain customer records. It typically has no bank accounts or conventional financial relationships that can be targeted through regulatory intervention. Its smart contracts execute transactions without reference to the identity or jurisdiction of participants.

The requirement for domestication of private keys presupposes the existence of a regulated intermediary exercising custody or control over digital assets. In a fully decentralized protocol, where no such custodial operator exists, the direct imposition of that obligation becomes structurally difficult. This does not, however, eliminate regulatory reach. Enforcement may instead attach to identifiable access points, service providers, or economic actors interfacing with the protocol within Nigerian jurisdiction.

The Semi-Decentralized Middle Ground

The analysis above applies most clearly to genuinely autonomous protocols in which no identifiable party retains operational control after deployment. In practice, however, the digital asset ecosystem presents a more varied regulatory landscape. Many protocols described as decentralized retain governance or control features that may provide the Commission with meaningful enforcement traction.

A protocol that maintains an administrative multisignature arrangement capable of pausing contract execution, upgrading protocol logic, or redirecting fee flows retains, in the hands of its multisig key-holders, a form of operational control. Such persons or entities may, on a proper construction of the Act, be characterized as “digital asset operators” within the meaning of Section 3(3)(i), and may therefore fall within the Commission’s registration and compliance framework, particularly where their activities affect Nigerian participants.

Similarly, a protocol that issues governance tokens through which holders exercise meaningful influence over protocol parameters such as fee structures, supported trading pairs, or treasury deployment, creates an identifiable governance structure. Where such tokens are distributed in circumstances involving an expectation of returns derived from the development, maintenance, or managerial efforts of others, they may be capable of classification as investment contracts and therefore as securities under the Act.

Further, where a protocol distributes fee income to liquidity providers or token holders through automated mechanisms, this may establish an economic relationship capable, depending on its structure, of constituting income derived from an investment arrangement within the securities taxonomy. The Commission’s realistic near-term enforcement horizon is therefore most likely to encompass this semi-decentralized category: protocols with identifiable development teams or foundations, governance arrangements, administrative key structures, and treasuries that receive and distribute economic value.

The Perverse Incentive Problem

This analysis reveals a structural tension within the Act’s approach to digital asset regulation. The enforcement architecture, as presently constituted, creates a perverse incentive: the more operationally organized and institutionally structured a digital asset exchange or protocol is, the more susceptible it is to effective regulatory oversight. Conversely, protocols that maximize decentralization and eliminate identifiable control points are, in practical terms, more resistant to conventional enforcement mechanisms.

The consequence is that the actors most likely to be captured by the Act’s registration and compliance requirements are those already operating with some degree of transparency and structure. These include centralized exchanges and semi-decentralized protocols with identifiable governance. By contrast, actors engaged in unregistered offerings, fraudulent schemes, or manipulative practices through highly decentralized and anonymized structures are comparatively less susceptible to the Act’s traditional enforcement tools.

This dynamic is not unique to Nigeria. It reflects a broader structural feature of digital asset regulation observed across major jurisdictions, including the United States, the United Kingdom, and the European Union in the context of the Markets in Crypto-Assets (MiCA) regulation. The Commission’s regulatory response must therefore operate on multiple levels.

At the infrastructure level, the Commission may explore, in collaboration with relevant agencies such as the Nigerian Communications Commission, mechanisms for limiting access to protocol interfaces that actively target Nigerian users. At the accountability level, the Commission may, through subsidiary rules issued pursuant to Section 355(1), and in particular Section 355(1)(n), develop a framework for attributing regulatory responsibility to persons involved in the design, deployment, promotion, or economic exploitation of protocols that result in the unregistered offering of digital assets as securities to Nigerians. The investment contract framework provides the substantive legal basis; subsidiary legislation must supply the operational and procedural mechanisms for its enforcement. The effectiveness of these powers presupposes the existence of an identifiable control point within the digital asset architecture.

III.  The Investment Contract Doctrine and Its Digital Application

Section 357(d) of the Act, in the definition of “securities”, designates “investment contracts” as a separate and freestanding category of securities. The operative definition of investment contract activity is provided in Part II of the Second Schedule, at Paragraph 7, under the heading “Investment Business”:

“Investment Contracts – 7. Establishing a contract or scheme for the placing of capital or laying out of money in a way intended to secure income or profit from its employment by the promoter.” – Second Schedule, Part II, Paragraph 7, Investments and Securities Act, 2025 (Act No. 2 of 2025)

This formulation is Nigeria’s statutory analogue to the investment contract test developed in SEC v. W.J. Howey Co. (1946) 328 U.S. 293, where the Court defined an investment contract as any arrangement by which a person invests money in a common enterprise with an expectation of profits to be derived from the efforts of others. The Nigerian formulation does not replicate the Howey test in exact terms, but captures its functional core: the placing of capital, the intention to secure income or profit, and the deployment of that capital by a promoter, which functionally corresponds to reliance on the efforts of others.

The practical implications for the digital asset sector are substantial. A token sale in which investors commit capital in exchange for digital tokens, on the understanding that a development team will deploy the proceeds to build or maintain a platform from which holders may derive returns, is capable of satisfying the statutory definition of an investment contract under Second Schedule, Part II, Paragraph 7. The same analysis may apply, depending on their structure and the role of identifiable actors, to yield-bearing instruments offered by digital asset platforms, to staking arrangements in which returns are generated from the pooling and deployment of assets by a protocol operator, and to certain categories of decentralized finance products where investor returns are materially dependent on the promotional, managerial, or technical efforts of an identifiable team. It is submitted that the investment contract category, read together with the explicit recognition of virtual and digital assets at Section 357(c), substantially narrows the scope for structuring digital asset arrangements so as to fall outside the Act’s regulatory perimeter.

The investment contract doctrine also constitutes a principal avenue through which the Commission may engage the activities of developers and promoters of decentralized protocols that generate returns for Nigerian investors. Where a protocol’s returns are attributable not solely to the autonomous execution of smart contract logic but are materially dependent on the continued development, maintenance, or promotion by an identifiable team, the investment contract characterization under Second Schedule, Part II, Paragraph 7 may apply, and potential liability for the offering of unregistered securities to Nigerian investors may arise. It is acknowledged that the enforceability of any such liability against a developer seated outside Nigeria will depend on the extraterritorial reach of the Act, a question that the Commission’s rules and, in due course, the courts will need to address. The doctrine operates as a complement to the market venue analysis: instruments and platforms that might be argued to fall outside the exchange registration framework on decentralization grounds may nevertheless be captured by the investment contract analysis to the extent that an identifiable promoter’s effort is causally connected to investor returns.

The legislature’s retention of “investment contracts” as a category distinct from “virtual and digital assets” within the definition of “securities” in Section 357 serves a discernible structural purpose. The virtual and digital asset category at paragraph (c) captures instruments by reference to their technological form; the investment contract category at paragraph (d) captures arrangements by reference to their economic substance. This dual structure can serve as a deliberate safeguard against the kind of definitional arbitrage that has characterized regulatory evasion in the global digital asset space. The express inclusion of digital assets in Section 357 does not displace the relevance of investment contract analysis; rather, it operates alongside it as a complementary basis for regulatory capture.

IV.  The Commission’s Statutory Mandate Over Digital Asset Entities

The Act confers on the Commission a specific and enumerated mandate over the categories of entity that operate in the digital asset space. Section 3(3) of the Act, which sets out the functions of the Commission, provides in the relevant parts:

“(b) register and regulate securities exchanges, commodities exchanges, virtual and digital asset exchanges and other market venues; … (i) register and regulate securities depository companies, clearing and settlement companies, custodians of assets and securities, collateral managers, credit rating agencies, virtual asset service providers, digital asset operators, credit enhancement facility providers, and such other agencies and intermediaries as may be approved by the Commission.” – Section 3(3)(b) and (i), Investments and Securities Act, 2025

Section 3(3)(b) establishes the Commission’s jurisdiction over virtual and digital asset exchanges as a matter of statutory mandate, not merely regulatory discretion. The exchange is expressly named alongside securities exchanges and commodities exchanges as a category of market venue that the Commission shall register and regulate. The word “shall” is operative; the function is not permissive.

Section 3(3)(i) is the more comprehensive provision for participants in the digital asset ecosystem. It enumerates “virtual asset service providers” and “digital asset operators” as two distinct categories of regulated entity within the Commission’s supervisory perimeter, alongside the traditional capital market intermediaries, namely depository companies, clearing and settlement companies, custodians, and credit rating agencies. The distinction drawn between virtual asset service providers and digital asset operators is significant and reflects the emerging international classification of digital asset market participants: a virtual asset service provider (in FATF terminology, an entity that conducts one or more activities involving virtual assets on behalf of customers) is treated as a species of the broader category of digital asset operator, which is a more general designation for entities whose principal business involves the management, issuance, or trading of digital assets.

Entities conducting virtual asset service activities in Nigeria from the commencement date of the Act fall within the Commission’s registration mandate under Section 3(3)(i). The Act does not provide for a grandfathering period of indefinite duration; the timeframe within which existing operators must regularize their position will be governed by such transitional provisions and subsidiary rules as the Commission may establish under its powers pursuant to Section 355. The Commission’s own Digital Asset Rules, initially issued under the ISA 2007 in 2022, remain a useful indication of the regulatory architecture that the Commission intends to develop further under the new legislation, though the rules will require revision to align with the enhanced statutory basis.

V.  Enforcement Innovations: The Confiscation Wallet and Private Key Domestication

Two of the most remarkable and technically sophisticated provisions in the entire ISA 2025, from the perspective of digital asset regulation, are contained in two sub-paragraphs of Section 3(4), which sets out the powers of the Commission. They deserve to be set out in full:

“(n) establish a National Confiscation Wallet and Multi-Party Combination Wallet; (o) ensure the domestication of private keys.” – Section 3(4)(n) and (o), Investments and Securities Act, 2025

These two provisions have no precedent in Nigerian securities legislation, and the author is not aware of any comparable provision in the primary securities legislation of any other common law jurisdiction at the time of writing. They represent a conscious decision by the legislature to confer on the Commission blockchain-native enforcement powers that seek to match the technologically sophisticated environment in which digital asset fraud and capital market misconduct increasingly occur.

The National Confiscation Wallet

Section 3(4)(n) empowers the Commission to establish a National Confiscation Wallet and, separately, a Multi-Party Combination Wallet. A confiscation wallet, in the context of blockchain technology, is a cryptographic wallet controlled by a regulatory or enforcement authority into which digital assets may be transferred following a confiscation order or administrative sanction. The provision is the legislative response to a well-documented enforcement problem: when regulators obtain court orders or administrative directions for the confiscation of digital assets held by offenders, the conventional mechanisms for enforcement, typically the freezing of bank accounts, the appointment of receivers, and the seizure of physical property, are inevitably ineffective against assets held in self-custodied wallets accessible only by cryptographic private keys.

The Multi-Party Combination Wallet provision, read in conjunction with the confiscation wallet, indicates a further sophistication: the legislature has anticipated the technical architecture for the secure custodianship of confiscated digital assets. A multi-party combination wallet (or multi-signature wallet, in prevailing technical terminology) requires the co-operation of multiple authorized parties to authorize a transaction, thereby preventing unilateral misappropriation of confiscated assets by any single regulatory officer. This is a governance mechanism embedded at the level of the wallet’s cryptographic architecture, and its inclusion in primary legislation signals an understanding of blockchain technology that is rarely found in the text of a national securities statute.

The Domestication of Private Keys

Section 3(4)(o) goes further. It empowers the Commission to “ensure the domestication of private keys.” In the architecture of public-key cryptography, a private key is the cryptographic secret that authorises transactions from a given wallet address. Control over the private key ordinarily constitutes primary control over the digital assets associated with that wallet, subject to variations in implementation such as multi-signature or distributed key arrangements.

The provision is best understood as the legislature’s response to the operational model of digital asset operators who hold assets on behalf of Nigerian customers while maintaining effective control of the associated private keys from infrastructure located outside Nigerian jurisdiction, thereby placing those assets beyond the immediate reach of Nigerian regulatory and enforcement mechanisms.

“Domestication” of private keys is not expressly defined in the Act. It may, however, be understood as requiring that the cryptographic control of wallets in which Nigerian investors’ assets are held be maintained within Nigerian jurisdiction, or otherwise structured in a manner that places effective control within the supervisory reach of Nigerian law through custodial or technical arrangements capable of regulatory oversight and compulsion.

Read together with Section 3(4)(n), the provision creates the legal foundation for a potentially robust blockchain-focused enforcement framework. The Commission is thereby empowered not merely to regulate digital asset entities at the level of corporate form, but to regulate the points at which cryptographic control over digital assets is exercised, particularly where such control is held on behalf of Nigerian investors.

The practical implications are significant for digital asset exchanges, custodians, and other virtual asset service providers serving Nigerian customers. An exchange that maintains its key management or cold storage infrastructure entirely outside Nigerian jurisdiction, without any domesticated or otherwise locally accountable control structure accessible to the Commission, may be exposed to regulatory non-compliance risk under Section 3(4)(o).

The Jurisdictional and Structural Limits of Cryptographic Enforcement

The regulatory significance of Section 3(4)(o) lies in its attempt to align legal control with cryptographic control. Its practical effectiveness, however, is conditioned by a set of jurisdictional, technical, and structural limitations that constrain the enforcement of obligations relating to private keys held outside Nigerian territory.

First, enforcement remains fundamentally territorial. The Securities and Exchange Commission Nigeria does not possess direct coercive authority over foreign custodians, exchanges, or other digital asset operators that maintain exclusive control of private keys entirely outside Nigerian jurisdiction and lack any operational presence within it. In such circumstances, compliance with Section 3(4)(o) depends less on regulatory compulsion and more on the existence of jurisdictional anchors (local incorporation, licensing, assets, personnel, or business activities) through which the Commission can exert effective pressure.

Secondly, cross-border enforcement is mediated through mechanisms of international cooperation, including mutual legal assistance frameworks and inter-regulatory coordination. These processes are often slow, procedurally complex, and dependent on the willingness of foreign authorities to recognize and support the underlying regulatory objective. In the absence of harmonized approaches to digital asset custody and control, such cooperation cannot be assumed.

Thirdly, the architecture of digital asset systems introduces structural barriers to enforcement. Cryptographic control may be distributed across multiple jurisdictions through multi-signature or multi-party computation arrangements, such that no single actor exercises unilateral control over the relevant assets. In other cases, assets may be held directly by users through self-custody wallets (cold or hardware wallets), eliminating the existence of any intermediary capable of complying with a domestication requirement. Even where a legally identifiable operator exists, the opacity of key management structures may give rise to evidentiary challenges in establishing who exercises effective control over the assets and where that control is located.

A further limitation arises from the absence of conventional enforcement levers. Digital asset operators may structure their affairs to avoid maintaining bank accounts, physical offices, or personnel within Nigerian jurisdiction, thereby reducing the Commission’s ability to deploy traditional coercive measures. The inherent mobility of digital infrastructure also enables operators to relocate or reconfigure their systems in response to regulatory pressure, giving rise to a persistent risk of jurisdictional arbitrage.

In addition, attempts to regulate access to offshore-controlled infrastructure are constrained by the distinction between protocol and interface. While front-end applications and access points serving Nigerian users may be subject to regulatory intervention, the underlying smart contract protocols typically remain globally accessible and resistant to jurisdiction-specific restrictions.

Taken together, these limitations indicate that the domestication of private keys, while legally significant, is not self-executing. Its effectiveness depends on the presence of identifiable actors, enforceable points of control, and sufficient jurisdictional nexus. Where these are absent, the Commission’s regulatory strategy necessarily shifts from direct compulsion at the level of cryptographic control to indirect regulation through intermediaries, access points, and economic interfaces within Nigerian jurisdiction.

The enforcement posture of the ISA 2025 is not merely a matter of technical regulatory design, but a central feature of the statutory framework through which the Commission’s capacity to supervise, investigate, and enforce within the digital asset ecosystem is materially expanded.

VI. The Prohibition of Fraudulent Schemes and the Digital Asset Connection

Section 357 of the Act defines a “prohibited scheme” in terms that extend with particular force into the digital asset sector. The definition provides that a prohibited scheme, including those “commonly known as a Ponzi or Pyramid Scheme”, means:

“(a) any investment scheme that pays existing contributors with funds collected from new contributors to the scheme promising high returns with little or no risk whether or not the scheme – (i) limits the number of persons who may participate … (ii) is operated at a physical address or through the internet or other electronic means, or (b) any scheme where participants attempt to make money by recruiting new participants usually where – (i) the promoter promises a high return with little or no risk, (ii) no genuine product or service is actually sold, (iii) the primary emphasis is on recruiting new participants, (iv) the product or service is not registered, or (v) the promoters or marketers are not licensed or registered.” – Section 357, Investments and Securities Act, 2025

The legislature’s express inclusion of schemes “operated at a physical address or through the internet or other electronic means” in the definition of a prohibited scheme is most naturally read as a deliberate legislative response to the proliferation of crypto-based Ponzi and pyramid schemes that have defrauded Nigerian investors in the period since 2018. The definitional criteria correspond closely to the operational model of the fraudulent digital asset platforms that have become a recurring feature of Nigerian financial crime litigation: the promise of high returns, the absence of a genuine product, the primary emphasis on recruitment, and the operation through electronic means.

Read together with the Commission’s powers under Section 3(4) to freeze assets (Section 3(4)(k)), enter and seal premises (Section 3(4)(m)), establish a National Confiscation Wallet (Section 3(4)(n)), and obtain subscriber records from internet service providers (Section 3(4)(j)), the prohibited scheme provisions create a comprehensive legal toolkit for the prosecution and suppression of digital asset fraud. The significance of Section 3(4)(j) in this context bears particular emphasis: the power to obtain subscriber records and communication content from internet service providers in connection with a suspected violation of the Act provides an investigative predicate for digital asset enforcement actions that previous regulatory instruments did not provide.

VII.  The CBN-SEC Interface:

The relationship between the Central Bank of Nigeria and the Securities and Exchange Commission in the regulation of digital assets has been a source of jurisdictional uncertainty since at least 2017, when the CBN first issued guidance cautioning against dealings in cryptocurrencies. The ISA 2025 does not resolve that uncertainty by eliminating it; it resolves it by institutionalizing a structured co-regulatory relationship between the two bodies.

The mechanism operates at two levels. The first is at the level of the Commission’s Board composition. Section 4(2)(d) of the Act provides that the Board of the Commission shall include “a representative of the Central Bank of Nigeria not below the rank of a Director.” The CBN therefore has a permanent seat on the governing board of the capital markets regulator, which means that the development of digital asset regulatory policy within the SEC framework will, by design, incorporate CBN perspectives on monetary policy, financial stability, and payment system integrity.

The second mechanism is at the level of supervisory action. Section 3(5) provides:

“Where the Commission is empowered to take any action against an entity or its officers that is also regulated by another regulator, the Commission shall collaborate with the regulator of such entity in taking any regulatory action in accordance with the framework agreed between the Commission and such regulator.” – Section 3(5), Investments and Securities Act, 2025

This provision applies directly to digital asset entities that operate at the intersection of securities law and payment systems law. A virtual asset service provider that maintains a payment channel for fiat-to-digital asset conversion is, by the nature of its operations, subject to the oversight of both the SEC (as a virtual asset service provider registered under Section 3(3)(i)) and the CBN (as a payment service provider subject to the Payment Service Providers Regulatory Framework). When the Commission proposes to take enforcement action against such an entity, it is required to collaborate with the CBN before doing so, within the terms of the agreed framework between the two regulators.

The provision is designed to prevent jurisdictional conflict and duplicated enforcement actions against the same entity by two regulators applying different standards. Whether it achieves that purpose in practice will depend on the quality of the agreed collaborative framework and the institutions’ willingness to give effect to it. It also, it is submitted, places a positive obligation on both the SEC and the CBN to develop and publish the agreed collaborative framework, so that regulated entities can conduct their compliance planning on the basis of a clear understanding of which regulator takes the lead role for which category of regulatory concern. That framework remains, at the time of writing, unpublished; its development is, in the analysis presented here, among the most urgent regulatory priorities arising from the commencement of the ISA 2025.

VIII.  The Global Regulatory Context: FATF, MiCA and the Question of Alignment

Nigeria’s engagement with the international digital asset regulatory architecture has been shaped by its inclusion on the Financial Action Task Force’s list of jurisdictions under increased monitoring, commonly known as the grey list, in February 2023, following identified deficiencies in its anti-money laundering and counter-terrorist financing framework. The ISA 2025, enacted in March 2025 during the terminal phase of the observation period, is in part a legislative response to the FATF’s concerns about the adequacy of Nigeria’s anti-money laundering and counter-terrorist financing framework as it applies to virtual assets.

FATF Recommendation 15, which addresses the regulation of virtual asset service providers, requires member jurisdictions to apply anti-money laundering and counter-terrorist financing requirements to VASPs, and in particular to implement the “Travel Rule” requiring the transmission of originator and beneficiary information in virtual asset transactions above a threshold value. Nigeria’s compliance with Recommendation 15 under the ISA 2007 was assessed as partially compliant; the ISA 2025’s explicit recognition of virtual asset service providers as regulated entities under Section 3(3)(i), and the domestication of private keys requirement under Section 3(4)(o), represent structural advances in the compliance framework that directly address the FATF deficiencies identified in earlier assessments.

The European Union’s Markets in Crypto-Assets Regulation (MiCA), which became fully applicable in December 2024, provides the most comprehensive reference framework against which the ISA 2025’s digital asset provisions may be evaluated. MiCA establishes a tiered classification of crypto-asset types, namely asset-referenced tokens, electronic money tokens, and utility tokens, and prescribes registration, disclosure, custody, and operational requirements for issuers and crypto-asset service providers.

The ISA 2025 does not replicate MiCA’s classification architecture. However, the broad definitional categories of virtual and digital assets, read together with the investment contract provision, achieve a similar regulatory coverage across the spectrum of instruments addressed within MiCA’s taxonomy.

The most notable gap identified in this comparative analysis, and one that the Commission’s subsidiary rules should address as a matter of priority, is the absence in the ISA 2025 of a disclosure regime comparable to MiCA’s white paper requirements for crypto-asset issuers. These requirements mandate the publication of standardized information documents prior to the public offering of crypto-assets.

IX.  What Remains for Subsidiary Legislation: The Regulatory Agenda

The ISA 2025 establishes the statutory foundation for digital asset regulation in Nigeria. It does not, and by the nature of primary legislation cannot, supply the operational detail that market participants require to conduct their compliance planning. The following matters, in the assessment presented here, constitute the most urgent items on the Commission’s subsidiary legislative agenda.

The Virtual Asset Service Provider Registration Framework

The Act confers the function of registering virtual asset service providers and digital asset operators on the Commission, but does not prescribe the conditions, capital requirements, governance standards, or technical specifications for registration. The Commission’s existing Digital Asset Rules of 2022 provide a starting framework, but they were developed under the ISA 2007 and in some respects reflect the more limited statutory basis of that legislation. A comprehensive VASP registration framework, aligned with the expanded mandate of Section 3(3)(i) and incorporating the FATF Travel Rule requirements, is required as a matter of priority.

The Disclosure Regime for Digital Asset Issuances

The Act’s classification of virtual and digital assets as securities brings token issuances within the scope of the Commission’s general prospectus and public offer regime under Part IX of the Act. Whether existing prospectus requirements, which are calibrated for traditional corporate securities, are appropriate for the distinct characteristics of token issuances remains an open question. This includes, in particular, the frequent absence of an identifiable issuer in decentralized protocol structures, the technical complexity of smart contract documentation, and the inherently global reach of online token distributions. These are matters that the Commission must address through tailored subsidiary regulation.

The MiCA white paper regime provides a useful reference model in this regard. Its structured disclosure framework, covering project description, rights attaching to tokens, technology architecture, and risk factors, offers a coherent template for adapting disclosure obligations to the realities of digital asset issuance.

The Private Key Domestication Framework

Section 3(4)(o)’s requirement for the domestication of private keys requires operational content from the Commission. What form of domestication satisfies the statutory requirement? A licensed custodian holding keys within Nigerian jurisdiction; a multi-signature arrangement requiring at least one Nigerian-resident key holder to authorize transactions; or some other technical arrangement? The absence of implementing rules on this point creates compliance uncertainty for every digital asset custodian operating in Nigeria and should be resolved by the Commission through consultation with industry participants and the relevant technical community.

The CBN-SEC Collaborative Framework

As noted in Section VII of this article, Section 3(5) of the Act requires the Commission to collaborate with co-regulators, including the CBN, before taking regulatory action against jointly regulated entities. The publication of the agreed collaborative framework between the SEC and the CBN, covering the allocation of primary regulatory responsibility for different categories of digital asset activity and the procedures for joint enforcement action, is a prerequisite for the orderly development of the digital asset market in Nigeria. Its absence leaves regulated entities unable to determine with confidence which regulator’s requirements take precedence in cases of potential overlap.

X.  Concluding Analysis

The Investments and Securities Act, 2025 represents a significant and considered advance in Nigeria’s statutory approach to digital assets. The legislature has moved from the posture of institutional caution that characterized earlier regulatory interventions to a framework of comprehensive statutory recognition, in which virtual and digital assets are treated as securities by primary legislation, the entire infrastructure of the capital markets regulatory regime is extended to the digital asset ecosystem, and the Commission is equipped with enforcement powers that are technically calibrated to the blockchain environment in which digital asset misconduct predominantly occurs.

Three features of the Act merit particular recognition as contributions to the global conversation on digital asset regulation. First, the co-equal enumeration of virtual and digital assets alongside government bonds and corporate instruments in the definition of “securities” resolves the characterization question at the highest level of legislative authority and substantially forecloses the definitional uncertainty that has been exploited in other jurisdictions to delay or evade regulatory compliance. Second, the investment contract category, read together with the express category of virtual and digital assets, creates a regulatory perimeter with deliberate structural depth. Instruments that might be argued to fall outside the virtual and digital asset category on definitional grounds may nevertheless be captured by the investment contract doctrine. Conversely, instruments that do not fall neatly within either category may still come within the Commission’s residual authority under Section 357(f) to designate instruments as securities, including, where applicable, by reference to their electronic transferability. This layered structure substantially narrows, though does not eliminate, the scope for definitional arbitrage.

Third, the National Confiscation Wallet and the domestication of private keys provisions represent, in the assessment presented here, the most technically sophisticated enforcement provisions in any Nigerian financial legislation, and among the most technically coherent in any common law jurisdiction.

What remains is the work of implementation, and that work is quite substantial. The subsidiary legislative agenda identified in Section IX of this article is not merely administrative detail; it is the condition of the Act’s practical effectiveness. Without a VASP registration framework that operationalizes the mandate of Section 3(3)(i), a disclosure regime calibrated to the particular characteristics of token issuances, operational content for the private key domestication requirement of Section 3(4)(o), and a published CBN-SEC collaborative framework under Section 3(5), the statutory architecture of the ISA 2025 will produce compliance uncertainty as much as regulatory clarity. The Commission now possesses the statutory tools. The obligation is to deploy them through subsidiary legislation of corresponding quality, developed through genuine consultation with technically informed industry professionals and the investment community, and implemented with the proportionality and precision that the scale of Nigeria’s digital asset economy demands.