Rule 504 of Regulation D is designed to provide a streamlined exemption for small-scale capital raising by early-stage or non-reporting companies. Unlike Rule 506, which allows unlimited capital raises, Rule 504 is capped at $10 million in aggregate offerings over any rolling 12-month period. This limitation makes Rule 504 especially useful for startups or closely held businesses that are in the initial phases of fundraising and do not require substantial capital injections from institutional investors.

To be eligible for Rule 504, the issuer must satisfy a narrow set of qualifications. First and foremost, it must be a non-reporting company. This means the issuer cannot be subject to the ongoing reporting requirements of the Securities Exchange Act of 1934—such as the obligation to file annual or quarterly reports with the SEC. In addition, the issuer must not be an investment company as defined under the Investment Company Act of 1940. Investment companies, such as mutual funds or hedge funds, are categorically excluded from Rule 504 due to the heightened risk and regulatory concerns they pose. Furthermore, blank check companies are also barred from using this exemption. These are entities that have no concrete business operations and are formed primarily to merge with or acquire an unidentified business in the future—raising unique investor protection issues that render them ineligible for a lightly regulated offering route.

One of the most significant constraints under Rule 504 concerns general solicitation and advertising. As a baseline, the rule prohibits the use of general solicitation in connection with the offering. That means the issuer cannot broadly advertise the offering to the public through newspapers, internet postings, social media campaigns, or public events. However, there are defined and narrow exceptions under Rule 504(b)(1) that permit solicitation in limited circumstances. These include situations where the offering is either registered in at least one U.S. state that mandates public filing and substantive disclosure to investors, or conducted exclusively in jurisdictions that allow general solicitation under a regulatory exemption that also imposes disclosure requirements. In such cases, although federal law permits solicitation, the issuer must still comply with all applicable state-level filing and investor protection obligations. Even where permitted, any general solicitation must be conducted in strict compliance with both federal and state laws to avoid losing the exemption entirely.

This leads directly to another key feature of Rule 504: it does not benefit from federal preemption of state securities regulation. Unlike Rule 506 offerings, which are deemed “covered securities” under the National Securities Markets Improvement Act of 1996 (NSMIA) and therefore exempt from state registration requirements, Rule 504 offerings remain fully subject to state “blue sky” laws. This means the issuer must register the offering in each state where the securities are offered, or qualify for and comply with a state-specific exemption. In practice, this often requires submitting a Form D, paying filing fees, and providing offering materials such as private placement memoranda to state regulators for review. The result is that while Rule 504 may seem simpler at the federal level, it can become complex and fragmented when multiple states are involved.

Despite its streamlined nature, Rule 504 does not impose specific disclosure requirements. The rule does not differentiate between accredited and non-accredited investors in this regard. However, the absence of formal disclosure obligations does not relieve issuers from liability under the federal securities anti-fraud provisions. Any material misrepresentation or omission may still trigger civil or even criminal liability under Rule 10b-5. Consequently, prudent issuers typically prepare a written disclosure document—often modeled after a simplified private placement memorandum—to describe the terms of the offering, the issuer’s business, risk factors, and financial condition. While not legally mandated under Rule 504, such documentation serves as a critical tool in managing legal exposure and demonstrating good faith compliance.

Finally, Rule 504 incorporates the “bad actor” disqualification provisions that are set forth in Rule 506(d). This means that if the issuer, or any of its directors, executive officers, general partners, managing members, or 20% beneficial owners, has been subject to certain disqualifying events—such as securities-related convictions, injunctions, or regulatory orders—the issuer may be barred from relying on Rule 504. The disqualification provisions are triggered by both recent and historical misconduct, with look-back periods ranging from five to ten years, depending on the nature of the event. Notably, even third-party solicitors or placement agents involved in the offering are covered persons under this rule. However, if the issuer can demonstrate that it exercised reasonable care and was unaware of the disqualifying event, a limited exception may apply. The burden of this proof, though, rests squarely on the issuer.

To bring this into focus, consider how our SaaS startup might use Rule 504. Suppose the startup is aiming to raise only $2 million from a mix of angel investors across multiple U.S. states and does not want the compliance burden of verifying accredited investor status. It could structure the offering under Rule 504, assuming it qualifies as a non-reporting company and is not disqualified under the bad actor rules. However, because general solicitation would not be permitted by default, the company would either need to register the offering in each state where it intends to solicit investors or structure the offering in compliance with state exemptions that permit solicitation and require disclosure. Even though no disclosure is required federally, the startup would still likely prepare a simplified investor package to avoid any claim of fraud or omission. In this case, Rule 504 offers an efficient path to early capital but demands meticulous state-level coordination and internal discipline in how the offering is communicated and documented.

GENIUS Act goes even further in shaping what issuers are allowed to do—and just as importantly, what they must not do. The statute imposes tight operational boundaries to ensure that stablecoin issuance remains a narrow and predictable activity, rather than a gateway to shadow banking or hidden financial risk.

Permitted stablecoin issuers are strictly limited in their functions. They are allowed to issue and redeem stablecoins, manage the underlying reserves, and provide custodial services for the coins and related reserve assets. That’s it. They cannot engage in lending, investments, or any unrelated financial services unless explicitly authorized by their regulator. It’s a formal line meant to keep stablecoin issuers out of business models that could distort their risk profile or distract from their singular job: maintaining a stable, redeemable token.

To reinforce that narrow scope, the Act includes a flat prohibition on paying interest or yield on stablecoins. Whether in cash, tokens, or rewards, issuers may not offer users any return simply for holding the coin. This is a deliberate firewall to avoid triggering securities laws. If stablecoins began offering yield—even if modest—they could be reclassified as investment contracts under U.S. securities law, triggering oversight by the SEC. By banning interest outright, Congress makes clear that these instruments are to function like cash, not like savings products or investment vehicles.

Compliance expectations are equally stringent. The Act applies the full weight of anti-money laundering (AML) and sanctions laws to permitted issuers. This includes the Bank Secrecy Act, know-your-customer (KYC) requirements, suspicious activity reporting, and strict internal controls. But it also goes beyond traditional compliance by demanding technological capability: issuers must be able to block, freeze, or reject transactions involving their stablecoins when subject to a lawful order. In practice, this means an issuer cannot simply say, “We don’t control the protocol.” If you want to issue a compliant stablecoin, you must build it in a way that allows intervention when legally required. That has significant implications for token design, wallet access, and smart contract architecture.

A particularly novel restriction appears in how the law treats public companies—especially those not engaged in traditional financial services. If a company is publicly traded but not predominantly involved in financial activities, it must receive unanimous approval from a federal Stablecoin Certification Review Committee before it can issue stablecoins. This structural filter meant to prevent Big Tech or large data-driven platforms from turning stablecoins into engagement tools, advertising instruments, or closed-loop payment systems.

Even if such a company were to get approval, it would still face strict data privacy limitations. Unless a consumer gives explicit consent, the issuer may not use transactional data to personalize ads, target content, or share that information with affiliates or third parties. This provision is unusually privacy-forward for a financial law. It reflects a growing concern that payment data could be exploited in ways that compromise user autonomy or market competition.