Josh Garcia is a fintech and blockchain Lawyer at Cooley LLP, where he helps clients with compliance advice, government enforcement actions and inquiry letters.

The following article is an exclusive contribution to CoinDesk’s 2017 in Review.

The regulators are coming.

They have formed committees, subpoenaed documents, studied white papers, and will march into 2018 armed with enforcement actions. These actions will be more in the vein of re-actions, as regulators will attempt to stem the darker tides of cryptocurrency: promises of ludicrous returns, Ponzi schemes, and other obvious violations of securities laws.

When the gavel lands, even the best-meaning and most honest developers may have to cope with a rulebook built for criminals.

That’s one scenario.

Here’s another: Industry leaders take action tailored for a specific business purpose, time and market sentiment. The rest of the industry follows without fully considering the fit for their businesses. This occurred spectacularly as the “ICO” or “token sale” frenzy took off over the summer.

Businesses traditionally averse to crypto created and sold blockchain tokens without asking why their business needed access to a distributed network of computers.

Regulation through penalties and accidental leadership have both set the industry’s standards to date. This coming year presents an opportunity for a third way forward, where key contributors develop principled standards and encourage their use through a self-regulatory organization (SRO), a certification entity, via new law drafted with regulators and lawmakers or through new frameworks that creatively navigate old law.

Regulation through penalties

Regulators turn to regulation by enforcement because the law moves achingly slow.

The Administrative Procedure Act requires a notice and comment period between the proposal of a rule and its final publication in the Federal Register (where it carries the force of law). A notice and comment period tends to stretch rulemaking out at least a year.

This timeline means every government agency that could potentially issue comprehensive regulation over token sales and the secondary markets, including the Securities Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC) and the Financial Crimes Enforcement Network (FinCEN), must, by law, move at the speed of glue.

The only way for a guard dog to stay relevant is to bark or to bite. Put more elegantly, a regulator can make its presence known by either pronouncing a new interpretation of old law or putting someone in prison and assessing a hefty penalty.

FinCEN barked in 2013 guidance and drew the acceptance and transmission of convertible virtual currencies close enough to take bites at the industry. The SEC barked in its DAO report and warned cryptocurrency exchanges not to list security tokens without the proper registration, and recently warned issuers to avoid promises of exchange listing.

The CFTC bit, in a few different places, and now takes the position that margin trading of cryptocurrencies and fraud in the bitcoin spot markets can both fall under its jurisdiction.

Regulation by enforcement is not the same as true rulemaking. It is standard setting by fiat. True rulemaking usually involves careful study of a range of issues, serious inquiry into the most pressing and harmful ones, and a principled approach that responsibly resolves the issues or minimizes their occurrence without chilling innovation.

Regulators can take a careful, studied approach prior to issuing new proposed rules. Proposals of one regulator often contain upwards of 800 pages of research, summaries of comments and exacting policy positions for each subsection of a new rule.

But that process can’t happen through the federal government any time soon.

The necessarily slow pace of rulemaking is inadequate to govern rapid advancements in applied cryptography. The industry should view 2018 as a golden moment to set its own standards. The time may pass for the industry to pen a comprehensive set of guidelines with fresh ink. Let that moment slip and regulators will draft rules within the charred outlines of criminal enterprises.

Accidental leadership

To be clear, standard setting through leadership has occurred already. But it has been either reactive or accidental.

The reactive standard arrives piecemeal, in response to crisis after crisis. The white hat response to the Parity hack was a prime example of specialists spearheading efforts in a reactive fashion to stop the theft of funds where the government could not.

Cryptocurrency exchanges have reacted swiftly and intelligently to customer complaints and flash crashes in the market, offering examples of how to set new standards on the fly.

Other standards arise simply because companies desperately want to replicate success. This has resulted in standard-following without introspection. Token sales, mentioned above, have become a fundraising option set to outpace traditional financing in fintech.

But many companies selling tokens do not have a good reason for developing on a blockchain. Other companies opt for a Swiss foundation without fully thinking through the operational implications of running a business out of several countries.

These practices became the market standard by accident.

A principled approach

A mature industry will need a principled set of rules in order to thrive.

The best way to develop those rules is to reach out to smart, engaged community members and to seek their input. The Uniform Law Commission did exactly this as it worked with Coin Center to develop a new uniform virtual currency licensing law that could be adopted by all 50 states. We believe Cooley did this as well with the SAFT Project, an open-source effort inviting community input to develop a token sale framework that navigates existing law. The Brooklyn Project is another example inviting public comment.

New technology on the horizon will need new standards. Otherwise, newbies will be harmed.

For instance, decentralized exchanges have no standards for protecting against spoofing, wash trading or other market manipulation. Open-source software will one day allow anyone to create and trade regulated financial instruments from their smartphone with a few simple taps. New entrants will thus risk exposure to derivatives touted by anonymous sellers as lucrative investments on unregulated markets.

The industry can wait for regulators. But even when regulators take the time to think about their rules, they can come up short.

Take New York’s BitLicense and compare it against the Uniform Regulation of Virtual Currency Businesses Act. One took industry input that regulators decided in their discretion was either valid or not, while the other had regulators and industry experts working in concert to draft law.

Place these two work products side-by-side and see how stark the differences are. Many companies that did found the poorly-tailored BitLicense’s requirements too onerous and decided not to operate in New York. This drove innovation and opportunity out of a key state and into other markets.

The industry has a few paths toward principled standard-setting:

Form an independent, profit-agnostic SRO that proposes standards to govern token sales, secondary market activity, or the creation new financial instruments. FINRA and NFA offer excellent examples of how SROs serve, respectively, the securities and commodities industries. Create a certification entity that certifies compliance with any new standards, whether set by an SRO or otherwise. Work with regulators and lawmakers to identify salient risks and codify rules that deter bad actors from engaging in activity harmful to investors or consumers. Propose regulatory frameworks, much like the SAFT proposal, so the industry can comply in innovative ways without halting deal flow.

The market follows leaders. Which means the market can follow itself off a cliff if it isn’t careful.

The time is ripe to set principled standards, or the industry risks having regulators and accidents of history set unhelpful standards for all.

Have a different idea for the path forward? CoinDesk is looking for submissions to its 2017 in Review series. Email news@coindesk.com to pitch your idea and make your views heard.

Assorted pens image via Shutterstock