Introduction

For the better part of a decade, the U.S. Securities and Exchange Commission (SEC) has been the most influential and unpredictable regulator in digital assets. Enforcement actions defined the agency’s posture: lawsuits against exchanges, penalties for token issuers, and cease-and-desist orders for projects that fell outside its interpretation of securities law. The absence of clear rulemaking created a climate of uncertainty, where firms navigated compliance by guessing what might trigger enforcement.

That posture is shifting. In late September 2025, the SEC issued a rare “no-action” letter for a crypto token (Axios), granting clarity that a specific asset would not be pursued as an unregistered security. More importantly, the agency launched a dedicated Crypto Task Force with a mandate to draft structured rulemaking. The move signals a pivot away from enforcement-by-litigation toward codified expectations.

For crypto firms, the implications are clear. Enforcement-only regulation created ambiguity, but ambiguity also bought time. Rulemaking removes that ambiguity. Practices that were optional or buried in legal gray zones will soon become enforceable obligations. Firms that preempt these changes will gain credibility with institutions and regulators alike. Those that wait will face costly remediation or exclusion from institutional markets.

Do not wait for rules to land. Preempt them.

1. Why the SEC’s Shift Matters Now

The SEC has historically relied on two tools: guidance and enforcement. Guidance was minimal, often informal, and subject to reinterpretation. Enforcement filled the gap, producing high-profile cases but little clarity. Exchanges and token issuers operated under constant risk of becoming the next test case.

The new Crypto Task Force represents a structural shift. Its purpose is not to litigate but to regulate: to define standardized obligations for custody, disclosures, investor protections, and market conduct.

This matters for three reasons. First, enforcement risk becomes predictable. Firms can now align controls to rules, not just enforcement patterns. Second, institutions gain confidence. Banks, asset managers, and fintechs need codified frameworks to justify partnerships. Third, innovation stabilizes. Projects no longer need to interpret enforcement trends to design compliance strategies.

The shift mirrors other regulatory milestones. Sarbanes-Oxley reshaped corporate controls after Enron. MiFID II standardized transparency across EU financial markets. In each case, initial resistance gave way to widespread adoption. Firms that prepared early gained strategic advantage.

2. Anticipated Regulatory Themes

The SEC has not yet published draft rules, but signals from recent speeches, settlements, and interagency collaboration suggest the contours of what is coming. Five themes stand out.

First, disclosure and transparency. Expect requirements for standardized reserve attestations, governance disclosures, and clear articulation of risks. Token issuers will likely be required to file structured statements analogous to prospectuses, while custodians and platforms may need to publish quarterly control attestations.

Second, custody and segregation. Segregated client funds will move from best practice to requirement. Custodians will need to demonstrate they meet qualified custodian status, with clear segregation of assets on-chain and in internal ledgers. This will likely mirror the SEC’s custody rule for investment advisers.

Third, market structure controls. Trading venues will face requirements for surveillance, liquidity risk management, and conflict-of-interest mitigation. This aligns with existing frameworks for equities and derivatives, where exchanges must demonstrate fair and orderly markets.

Fourth, AML and KYC integration. Coordination with the Treasury’s Financial Crimes Enforcement Network (FinCEN) will lead to harmonized AML obligations. Expect exchanges, wallet providers, and possibly stablecoin issuers to adopt full Bank Secrecy Act compliance, including suspicious activity reporting.

Fifth, auditability. SOC 2, ISO 27001, and internal control attestations will move from optional to mandatory for firms engaging with institutions. The SEC’s emphasis on audit trails suggests that projects must produce evidence that systems are not only compliant but continuously monitored.

Each of these themes reflects areas where enforcement has already taken place. Rulemaking will formalize them into structured obligations.

3. Implications for Crypto Firms

The move from enforcement to rulemaking has direct consequences.

Ambiguity is gone. Firms can no longer rely on legal uncertainty as a shield. What was previously a gray area will now be black-and-white.

Good faith is not enough. Self-declared compliance will carry little weight. Documentation, third-party audits, and regulator-ready evidence will become the standard.

Costs shift to the front. Instead of retrofitting compliance under enforcement pressure, firms must build controls into their systems from inception. While this raises upfront costs, it reduces the risk of catastrophic penalties later.

Institutional adoption accelerates. Clarity benefits firms that align early. Institutions need compliant partners. Projects that can demonstrate readiness will capture institutional flows ahead of competitors.

For example, custodians that preempt custody segregation rules will be first in line for partnerships with banks. Stablecoin issuers that adopt standardized reserve attestations before they are mandated will become the default choice for regulated institutions.

4. What Cantina Sees in Practice

Cantina’s high-signal audits and operational assessments consistently identify gaps that map directly to the SEC’s emerging priorities. These include: incomplete reserve attestations, where projects disclose holdings but lack cryptographic proofs or third-party validation; weak fund segregation, where client assets are pooled without sufficient accounting separation, raising insolvency risks; opaque governance, where administrative key management and upgrade processes are poorly documented or concentrated in too few hands; fragmented AML enforcement, where sanctions and AML checks are applied inconsistently across transfer, redemption, and bridging functions; and documentation deficits, where technical and operational controls are rarely documented at the standard regulators expect.

Each of these gaps represents not only a technical weakness but also a compliance exposure. Under enforcement-only regimes, projects could obscure or negotiate these weaknesses. Under rulemaking, they will be disqualifying.

5. Preemptive Compliance: A Practical Blueprint

Crypto firms that want to be ready for the SEC’s next phase should begin aligning now. Five preemptive actions stand out.

First, map controls to existing frameworks. Conduct a gap analysis against the NIST Cybersecurity Framework, SOC 2, and ISO 27001. These are the benchmarks regulators and institutions already use.

Second, produce audit-grade documentation. Create clear, regulator-ready evidence of reserves, governance, redemption mechanics, and control processes. Documentation should be structured for both technical and non-technical stakeholders.

Third, implement segregation and custody best practices. Adopt qualified custodian models where possible. Segregate client funds on-chain and in accounting systems, and commission independent attestations of segregation integrity.

Fourth, stress test critical processes. Simulate redemption surges, liquidity crunches, and circuit overloads. Document the results and remediations. This not only proves operational resilience but also demonstrates regulatory alignment.

Fifth, commission independent audits. Smart contract audits, operational security audits, and compliance-aligned reviews provide third-party validation. Independent evidence is essential for institutional trust.

By following this blueprint, firms move from defensive compliance to proactive credibility.

6. Lessons from Other Regulatory Shifts

History shows that regulatory pivots reshape industries. Sarbanes-Oxley forced public companies to implement internal control reporting after the collapse of Enron. Firms that prepared early gained investor trust while laggards suffered market penalties. MiFID II mandated transparency and reporting in EU financial markets. Brokerages that adopted early controls captured institutional clients migrating from less-prepared competitors. Basel III raised capital requirements for banks. Early adopters secured counterparties who needed capital certainty.

The crypto industry is entering its equivalent moment. Rulemaking will not stifle innovation. It will create the environment where only resilient, transparent, and well-governed projects survive.

Conclusion

The SEC’s pivot from unpredictable enforcement to structured rulemaking is more than a procedural change. It is a defining moment for digital assets in the United States. Rulemaking provides clarity, but clarity comes with obligations. Practices that were once optional will soon be required, and institutions will not engage with partners who fail to meet those standards.

Crypto firms have a choice. They can wait for rules to land and scramble to comply, or they can preempt the shift and establish themselves as credible, institution-ready partners. The former approach risks exclusion. The latter positions firms as leaders in a maturing market.

Cantina helps organizations make that choice now. Through high-signal audits, operational assessments, and compliance-aligned documentation, we bridge the gap between crypto-native innovation and institutional expectations. Our work ensures that when the SEC’s rules arrive, our clients are already there.

Contact Cantina to prepare your infrastructure for the SEC’s next phase of rulemaking.
