CMB Clarifies Proof of Reserves Audit for Crypto Asset Service Providers
Contents
- Recent Developments
- Proof of Reserves Audit Requirement
- Audit Period
- Audit Agreement
- Scope of the Audit
- Reporting of Audit Results
- Submission of the Report of the CMB
- Disclosure of Report Content
Recent Developments
With the Capital Markets Board’s (the “CMB“) resolution numbered i-SPK.35/B.2 (dated 8 May 2025 and numbered 30/846) (the “Resolution“), the CMB determined the principles and procedures applicable to the proof of reserves audit for crypto asset service providers (“CASPs“).
Proof of Reserves Audit Requirement
Pursuant to the CMB’s Communiqué on the Principles Regarding the Establishment and Operating Conditions for Crypto Asset Service Providers numbered III-35/B.1 (the “Communiqué“), CASPs must undergo proof of reserves audits as of the end of the third, sixth, ninth and twelfth months of the year to confirm the existence of reserves for crypto assets held in dematerialized form within the CASP, and to confirm compliance of the custody service with the CMB’s regulations.
In addition platforms that will apply to the CMB for an operating license by 30 June 2025 must include a proof of reserves report for two randomly selected dates within the last two months prior to the application date.
Audit Period
According to the Resolution, the audit period refers to each quarterly period between the third, sixth, ninth and twelfth months of the year.
The information systems auditor will randomly select two different dates to be audited within the audit period. The selected dates will not be shared with the CASP until one day before the actual audit date.
Audit Agreement
The CASP and information systems auditor must sign an agreement for the performance of the proof of reserves audit no later than the first month of each quarter subject to audit. The agreement may be signed collectively to cover the following audit periods of the year.The CASP may appoint the same auditor to conduct a maximum of 12 proof of reserves audits in a period. In addition, a chief responsible information systems auditor can sign a maximum of four consecutive proof of reserves audit reports for the same CASP.
Scope of the Audit
The auditor must build the audit scope until it reaches at least 80% of the total crypto asset balance of the clients, with a minimum of 10 crypto assets with the largest balance among the crypto assets of the clients. In addition, all assets held in the platform’s liquid reserve must be included in the scope of the audit.As a rule, the auditor must confirm the existence of 100% of the crypto assets under the scope of the audit.
Reporting of Audit Results
The auditor must report the results of the audit by comparing them with the data in the CASP’s records. The report must include the minimum elements provided in the Resolution.The “Assessment and Conclusion” of the report must include the assessments regarding the confirmation of the assets included in the scope of the audit and, in this regard, the auditor’s opinion on whether the crypto asset balance and cash balance of the CASP’s clients are protected, limited to the scope of the audit.
Submission of the Report of the CMB
The audit report must be sent to the CMB within 15 business days following the end of the relevant audit period, together with the board of directors’ resolution to accept the report. In addition, if the auditor determines that the total reserve protection ratio is below 100% during the audit process, this must be immediately notified to the CMB.
Disclosure of Report Content
The audit report will not be disclosed to anyone other than the CASP’s board of directors and the CMB. However, the reserve amounts and ratios of the crypto assets belonging to the clients may be included on the website of the CASP, provided that they are consistent with the last audit report, without including any information about the institution that performed the audit.
Successful