Verticals / Crypto & DeFi
Crypto & DeFi
Certification-gated, not banned — growth infrastructure for licensed crypto operators, and a real plan for the protocols that can't advertise at all.
Crypto sits in an unusual position among high-risk verticals. The major ad platforms don't prohibit it outright the way they prohibit cannabis — they gate it behind certification regimes that most operators can't clear quickly, in every geography, for every product line. Google will certify exchanges and wallets country by country if you hold the right registrations. Meta requires prior written permission backed by a recognized regulatory license. X moved crypto off its prohibited list and into a certification path. The practical result: a licensed US exchange has a real, document-heavy road to paid acquisition, while a DeFi protocol with no licensed entity faces something functionally identical to a full ban — Google names 'DeFi trading protocols' as prohibited inventory regardless of who's asking.
The advertising gate is only half the operating problem. Mainstream processors treat exchanges and wallets as restricted categories. Banking access — the thing that nearly closed for the industry in 2023 — reopened meaningfully in 2025 when the OCC, FDIC, and Federal Reserve all rescinded their prior-approval and nonobjection regimes, but underwriting never got lighter; it just got possible. And the regulatory map keeps moving under your feet: the EU's MiCA transitional period ended July 1, 2026, meaning crypto-asset service providers without CASP authorization must stop serving EU customers, and the GENIUS Act put federal rails under payment stablecoins in the US.
This page maps the current, mid-2026 state of play: what each ad platform actually requires, what the payment and banking stack looks like, and why your website has to function as underwriting evidence and compliance artifact — not just a funnel. Operational and regulatory analysis only; none of this is legal advice — verify anything that touches licensing with counsel.
Where the ad platforms stand
Google permits ads for cryptocurrency exchanges, software wallets, hardware wallets, and (US-only) coin trusts — but only with certification, applied for separately per targeted country. In the US, exchange and software-wallet certification requires either FinCEN registration as a Money Services Business plus at least one state money transmitter license, or a federal/state bank charter. A July 2025 policy update added FINTRAC registration as the Canadian requirement, and in 2026 Google moved certification applications into the Google Ads account workflow. Critically, some inventory stays prohibited no matter what you hold: ICOs and token offerings, DeFi trading protocols, promotion of unhosted software wallets, and crypto investment advice or trading-signal services. Certification is a gate for regulated entities, not a workaround for unregulated products.
policy source →Meta prohibits ads promoting cryptocurrency trading platforms, lending/borrowing services, mining software, and wallets that enable buying, selling, swapping, or staking — without prior written permission. Permission is requested through the Authorizations and Verifications tab in Meta Business Suite and requires evidence of a recognized regulatory license or registration; Meta accepts credentials from roughly 30 jurisdictions, including FinCEN registration and the NYDFS BitLicense in the US, the FCA in the UK, and MAS in Singapore. Some categories run without permission: education and news about blockchain, storage-only wallets with no trading functions, tax services for crypto companies, NFTs, and physical mining hardware. ICOs remain banned outright.
policy source →X treats cryptocurrency products and services as restricted financial products: advertisers must obtain prior authorization from X through its certification process and must hold applicable licenses where the law requires them, with country-specific terms layered on top. This is a reversal worth noting — X had crypto on its prohibited-industries list as recently as 2024, then reopened it through the financial-services restricted path with mandatory disclosure requirements for paid crypto promotion. The audience skews crypto-native, which makes X one of the few paid channels where a certified operator reaches people who already understand the product.
policy source →TikTok's financial-services policy places virtual currencies and cryptocurrencies in the not-allowed category for most markets. Narrow carve-outs exist in specific regions — several Gulf states and Latin American markets permit licensed cryptocurrency exchanges and custodial wallets, but only with local licensing, 18+ targeting, and permission obtained through a TikTok sales representative via an application process. There is no self-serve path for crypto trading products in the US or EU. For most operators, TikTok is an organic-content channel, not a paid one, and sponsored crypto content by creators carries its own platform restrictions.
policy source →What closed paid channels do to the economics
The certification gate reshapes acquisition economics in two directions at once. For licensed operators, it thins the auction: only certified advertisers can bid on exchange and wallet inventory, so the license itself functions as a competitive moat — but the overhead is real. Certification is per-country on Google, per-license-jurisdiction on Meta, and every new market means a new application, new local registration requirements (a MiCA CASP authorization for the EU, FCA registration for the UK, FINTRAC for Canada), and new creative review. Paid budgets fragment across jurisdictions, campaigns die when a license lapses or a policy updates, and the compliance labor to keep certifications current is a genuine line item in CAC that most forecasting models omit.
For unlicensed operators — which includes essentially every DeFi protocol, since Google prohibits DeFi trading-protocol ads outright and Meta's written permission requires a license most protocols have no entity to hold — paid search and paid social are effectively closed. That pushes the entire acquisition burden onto channels that compound slowly: organic search, documentation and education content, community, integrations, and partnerships. The economics of those channels are the inverse of paid: high upfront cost, near-zero marginal cost, and — unlike a certification — an organic ranking doesn't get revoked when a policy team changes its mind. Operators who treat organic infrastructure as the foundation rather than the fallback end up with the only acquisition asset in this vertical that doesn't carry platform risk.
Compliance is site architecture
Map every page to a licensed entity
Certification reviewers at Google and Meta check that the landing page, the advertiser account, and the submitted license all name the same entity. Multi-entity structures — a US-licensed spot exchange beside an offshore derivatives arm — need clean architectural separation: distinct domains or clearly gated paths, so the certified entity's pages never advertise the uncertified entity's products. Entity bleed is one of the most common reasons certified accounts still get disapprovals.
Build jurisdiction gating into the architecture, not the fine print
With MiCA's transitional period ended as of July 1, 2026, a crypto-asset service provider without CASP authorization must stop providing regulated services in the EU — and a marketing site that solicits EU users undercuts any claim that you aren't serving them. Geo-aware gating, explicit 'not available in' disclosures, and country-scoped landing pages are regulatory posture, not UX polish. The same logic applies state-by-state in the US, where your money transmitter license map defines where the site can invite sign-ups.
Treat the licensing and disclosures page as first-class content
License numbers, FinCEN registration, state coverage, CASP status, and an AML program summary belong in primary navigation, not a footer link. Three different audiences read that page before they'll transact with you: ad-platform certification reviewers, bank and processor underwriters, and institutional counterparties running vendor due diligence. It is the highest-leverage page on a crypto site and most operators treat it as an afterthought.
Write function, not returns
Copy that reads as investment solicitation — yield promises, price predictions, 'guaranteed' anything — trips the misleading-claims policies on every platform and creates securities exposure besides. Google separately prohibits crypto investment-advice and trading-signal ads even for certified advertisers. Describe what the product does: custody model, settlement mechanics, fee structure, supported assets. Functional copy survives platform review, counsel review, and underwriter review; performance copy survives none of them.
Quarantine token documentation from the product site
ICOs and token offerings are prohibited ad inventory on Google and Meta without exception. Any page that reads as an offering pitch — tokenomics decks, sale terms, allocation schedules — contaminates the domain it lives on and complicates certification for everything else. If token documentation must exist publicly, isolate it from the commercial site whose pages you intend to run traffic to.
Payment infrastructure
Stripe: restricted as a business, easier as a payment method
Stripe's restricted-businesses list places 'cryptocurrency exchanges and wallets' in the limited-availability category — onboarding runs through sales and enhanced review, not self-serve — while cryptocurrency mining and staking services, ICOs, and secondary NFT sales are prohibited outright. The asymmetry worth knowing: Stripe will let eligible US businesses accept stablecoin payments that settle as fiat in their Stripe balance. Accepting crypto as payment is a far shorter path than being a crypto business on Stripe.
PayPal: pre-approval territory
PayPal's Acceptable Use Policy requires pre-approval for money-transmitter-type activity and restricts currency-exchange businesses; crypto platforms should not assume default onboarding survives first review. PayPal operates its own consumer crypto services under separate terms, which does not translate into permissive merchant onboarding for third-party crypto businesses.
Banking access: the 2025 thaw is real, but underwriting is not lighter
In a three-month span in 2025, the federal banking agencies dismantled the prior-approval architecture: OCC Interpretive Letter 1183 (March 2025) reaffirmed that national banks may provide crypto custody and certain stablecoin services and eliminated the supervisory-nonobjection step; the FDIC rescinded FIL-16-2022, ending advance-notification requirements for supervised institutions; and the Federal Reserve withdrew its 2022 and 2023 crypto guidance in April 2025. Doors that were shut are open — but the banks that walk through them underwrite hard. Expect to produce MSB registration, state licenses, AML program documentation, and a website whose claims match all three.
Stablecoins now have federal rails — and a due-diligence surface
The GENIUS Act, signed July 18, 2025, restricts payment-stablecoin issuance to permitted issuers — insured-depository subsidiaries, OCC-supervised nonbanks, or qualifying state-regulated entities — with 1:1 reserve requirements in cash and short-dated Treasuries. If stablecoins touch your flow of funds, the issuer's regulatory status becomes your problem: processors and banking partners will ask which stablecoins you support and whether their issuers qualify under the new framework.
State licensing drives the payment map
New York requires either a BitLicense under 23 NYCRR Part 200 or a limited-purpose trust charter before conducting any virtual currency business activity involving New York or its residents, and most states apply money transmission law to fiat-touching crypto flows. Your license map should drive everything downstream — which processors you can truthfully apply to, which states the site invites sign-ups from, and which geos your certified ad campaigns target. Misalignment between the license map and the marketing map is what underwriters and platform reviewers are trained to find.
The zsty approach
zsty builds growth systems for verticals where the default acquisition stack is unavailable. The method wasn't developed in a workshop — it's proven on zsty's own properties in the hardest ad-banned vertical there is: operating a DTC brand under total advertising prohibition, where there is no certification path, no written-permission process, no appeal. zsty.us itself ranks organically without a dollar of ad spend. That constraint set is more severe than crypto's, and the playbook transfers cleanly, because crypto's operating reality rhymes with it: gated or closed paid channels, infrastructure that can be revoked, and a website that has to do double duty as marketing surface and underwriting evidence.
Applied to crypto, the work is architecture-first. Licensing and disclosure pages built as primary content, because three sets of reviewers read them before any customer does. Jurisdiction gating and entity separation designed into the information architecture rather than bolted on after a disapproval. Organic search infrastructure aimed at the long-tail operational queries — custody mechanics, settlement, licensing status, integration documentation — that competitors' compliance-averse marketing teams won't touch, and that convert the highest-intent visitors in the vertical. Copy engineered to read as operational analysis rather than investment solicitation, so the same page survives Google's certification review, a bank underwriter's file, and counsel's redline.
For licensed operators pursuing certification, that means landing paths built to pass Google and Meta review on the first submission: matching entity names, visible registrations, geo-scoped claims, no returns language. For protocols and unlicensed operators, it means an honest accounting — paid is closed, and pretending otherwise burns accounts and domains — followed by building the compounding organic machine that is the only durable acquisition asset available. Either way, the deliverable is the same: a web presence that no reviewer, underwriter, or regulator can use against you.
Questions operators ask
- Can a US crypto exchange actually run Google Ads in 2026?
- Yes, if it clears certification. The US path requires FinCEN registration as a Money Services Business plus at least one state money transmitter license (a federal or state bank charter also qualifies), then a certification application for each country you intend to target — and in 2026 that application process moved into the Google Ads account itself. Two caveats: certification covers exchanges, software wallets, hardware wallets, and coin trusts, but prohibited formats stay prohibited even for certified advertisers — no ICO promotion, no DeFi trading protocols, no trading signals or investment-advice angles. And Google issues at least a 7-day warning before suspending accounts for violations under this policy, which is survivable if someone is actually watching the account.
- We're a DeFi protocol with no licensed entity. What are our real options?
- Paid acquisition on the major platforms is closed to you, and it's worth being unsentimental about that: Google prohibits DeFi trading-protocol ads outright regardless of licensing, and Meta's written-permission process requires a regulatory license you have no entity to hold. The channels that remain are organic search, technical documentation and education content, community, integrations, and partnerships — and platform policies treat education about a protocol differently from solicitation to trade on it, which makes the line your site's copy walks genuinely consequential. The compensation is durability: rankings and documentation compound and can't be revoked by a policy update. Most protocols underinvest here because it's slow, which is precisely why it works for the ones that don't.
- What does a bank or payment processor actually look at on our website?
- The same things a certification reviewer does, with money on the line. Entity identity that matches the application, licensing and registration disclosures they can verify, an AML/KYC posture stated plainly, jurisdiction limits that match your license map, and flow-of-funds clarity — what the customer pays, who custodies what, how settlement works. Mismatches between the marketing site and the underwriting file are among the most common decline reasons in this vertical. The 2025 federal rescissions (OCC Interpretive Letter 1183, the FDIC's withdrawal of FIL-16-2022, the Fed's April 2025 withdrawals) mean banks can now serve crypto businesses without prior regulatory sign-off, but that expanded permission made underwriting more common, not more casual.
- We're US-based. Does MiCA actually affect us?
- If EU residents can sign up, yes. MiCA's transitional period ended July 1, 2026 — past that date, providing crypto-asset services in the EU requires CASP authorization, with no further grace period, and ESMA has publicly called on unauthorized providers to stop. The reverse-solicitation exemption (the customer found you, unprompted) is construed narrowly, and a marketing site that targets EU keywords or fails to gate EU sign-ups undermines the claim. Practically: your site's geo-gating, disclosures, and targeting choices are part of the evidence of whether you're soliciting EU customers. This is exactly the kind of question to put to counsel with your specific facts — not legal advice.
zsty buys no ads. It ranks organically — and did so for itself first.
If paid acquisition is closed in your vertical, the owned layer is the whole game. That's the layer we build.
Sources
- Cryptocurrencies and related products — Advertising Policies Help — Google
- Updates to Cryptocurrencies and related products policy (July 2025) — Google
- Cryptocurrency Products and Services — Ad Standards — Meta Transparency Center
- Financial services — Ads content policies — X Business
- Financial Services — TikTok Ads Policy — TikTok for Business
- Prohibited and Restricted Businesses — Stripe
- Accept stablecoin payments — Stripe Documentation
- Acceptable Use Policy — PayPal
- Interpretive Letter 1183 (March 2025) — Office of the Comptroller of the Currency
- FDIC Clarifies Process for Banks to Engage in Crypto-Related Activities (FIL-7-2025) — FDIC
- Federal Reserve Board announces withdrawal of guidance for banks related to crypto-asset and dollar token activities (April 24, 2025) — Federal Reserve
- S.1582 — GENIUS Act of 2025 (Public Law, signed July 18, 2025) — Congress.gov
- Markets in Crypto-Assets Regulation (MiCA) — ESMA
- Public Statement: MiCA transitional period ends (June 2026) — ESMA
- Virtual Currency Businesses — New York Department of Financial Services
Regulatory and platform policies change frequently. This page is operational analysis, not legal advice — verify current rules with counsel before acting.