Recent turmoil in the cryptocurrency market has underscored the critical risks involved with investing in or engaging with digital assets.
If you invest in or engage with digital assets — such as cryptocurrencies and non-fungible tokens (NFTs) — it’s important that you understand the risks, including those associated with your digital asset service providers.
And consider how that risk affects stakeholder trust in your business.
1. Operational. Do you understand the contractual services provided and whether your vendor has robust controls in place to mitigate the associated risks? The types of operational risks involved will vary based on your digital asset investment approach or business model — whether you’re investing directly, trading futures or staking assets for income generation, as a few examples. Examples of operational risks include unauthorized transactional activity, inaccurate or incomplete books and records, digital asset holdings that do not reconcile to your custodian and/or the respective blockchain.
2. Technology. Can you rely on the technology your vendor uses to provide services such as custody, reporting, reconciliations and other digital asset activities? Technology risks may include inappropriate or unauthorized logical and physical access to critical systems, change management activities resulting in system errors and reporting, and ineffective resiliency in extreme market conditions.
3. Custody and security. What controls are in place to help secure your assets? Since blockchain-based transactions are irrevocable, your assets could be gone forever if your wallet is breached. Service providers should have robust controls over traditional custody functions such as onboarding, deposits/withdrawals and reconciliation — as well as every stage of the private key life cycle from generation, distribution, storage, security and usage through rotation and destruction.
4. Market access and data. Will you be able to execute your strategy, even during times of market turmoil? Will you connect to each decentralized exchange and blockchain separately or leverage an infrastructure provider to aggregate and provide a one-stop-shop? You need to gain an understanding of controls in place at service providers to help maintain market data and liquidity.
5. Confidentiality and privacy. Will sensitive information, including business details and personal data, be protected? Maintaining confidentiality and privacy is fundamental in building trust in the services being provided and meeting stakeholder expectations.
6. Compliance and tax. What services and reporting, if any, will be provided by your vendor to demonstrate compliance with financial industry standards and regulations — such as anti-money laundering (AML) and know your customer (KYC) — and/or help you meet your tax reporting obligations?
With any digital asset service provider, it’s important to read your contractual agreements to understand your obligations and who is responsible for what. This is especially true in the new and ever changing realm of digital assets where any ambiguity has the potential to leave gaps in risk management.
Fortunately, there’s a powerful tool that can help with your assessments: system and organization controls (SOC) reporting. SOC 1 reports, most relevant when assessing a user’s internal control over financial reporting or financial statement audits, and SOC 2 reports covering the trust services principles, including security, availability, confidentiality, processing integrity and privacy, can help you understand a vendor’s internal control environment.
SOC reporting offers the potential to provide transparency and mitigate the risk of miscommunication and misunderstanding of responsibilities. SOC reports include a list of complementary user entity controls that make responsibilities clear. This list can help complement — but will not take the place of — your understanding of your obligations and your digital asset service providers responsibilities.
SOC 2 reporting — relative to service commitments — may provide insight into systems, processes and controls over confidentiality and privacy and other areas, such as availability, not traditionally covered within a SOC 1 report.
SOC reports can also assist in identifying any potential exposure to the use of and failures in counterparties and fourth parties through the disclosure of relevant subservice organizations and complementary subservice organization controls that should be in place.
The current lack of industry standards for digital assets applies to SOC reports too. As this is an emerging area, consistency is lacking regarding who issues them and what they contain within the current market. If you’re a customer, consider asking questions about these SOC report dimensions to help assess the reports you receive. If you’re a service provider, addressing these dimensions and answering these questions can help you determine if your reporting meets the needs of your customers.
Digital assets like crypto, NFTS and metaverse are game changers. Now is the time to understand the space and find your opportunities.
More than just providing assurance, PwC’s attest reporting services can help build trust with your customers, regulators and stakeholders