NEWS SPONSORED BY rAge EXPO:

By Nevellan Moodley, Head of Financial Services Technology, BDO South Africa

Cryptocurrency has been trending in the news cycle the past few weeks, but as is so often the case, for all the wrong reasons. This time around the spike in interest came courtesy of FTX, a crypto exchange that filed for bankruptcy alongside a resignation by its CEO Sam Bankman-Fried, following ‘a run on the bank’ that left customers out of pocket and investors short of their digital assets.

As an avid advocate of cryptocurrency, I was disappointed to see interest in the space prompted by a scandal. But, in the spirt of “never let a good tragedy go to waste”, I thought I’d use FTX as a good opportunity to better understand what could have prevented its collapse and fraud in the first place.

The limitations of a proof of reserves audit

So what could have been done to avoid FTX from scamming people out of millions? In many of my conversations with various clients around the world, a common suggestion has emerged: a ‘proof of reserves audit’.

A proof of reserves ‘audit’ helps to ascertain how many assets an exchange or fund physically has with wallets under its control. And while this would have been a great starting point in the case of FTX, it would not be without its limitations.

This type of audit only provides an assessment for a point in time, as required by the auditing standard. This means that as a measure, ‘proof of reserves’ would only be able to prove that FTX held assets on the specific day they received the audit, with everything withdrawn shortly after the auditor was done.

The findings of a proof of reserves audit take the form of a limited liability report. The implication here is that an audit firm can only be sued for the amount of the fee that it cost them to do the work due to the fact that it is not a piece of work done by the ‘assurance’ practice, where liability is unlimited.

A proof of reserve audit is also limited by the fact that it offers no insight over the state of controls at a company — an issue in the case of FTX, where there was a material break down in controls.

The final limitation here is the fact that in the case that a provider said their assets were stored at another CEX (such as Binance), the audit doesn’t take into account whether that CEX is good for withdrawals of their crypto unless Binance also has a proof of reserves report.

How to prevent another FTX scam?

So how can we avoid an FTX-like situation from occurring in the future? One solution can be found in an ISAE 3402 Type 2 report on the design, implementation and operating effectiveness of crypto controls. This sort of report would then need to be signed by an auditor covering every six month period.

Other measures could include conducting a proof of reserve agreed upon procedures report. Or, in cases where other CEX hold crypto on behalf of a fund or exchange, they too have and ISAE 3402 report and periodic proof of reserves audit.

Over and above these measures, one thing FTX makes clear is a greater need for regulation. That said, regulation is only as effective as the authority granted to a regulator to enforce any piece of regulation. Such an environment would need to see crypto’s receive published audited financials and regulatory returns similar to what currently exists among our country’s banking industry.