The Principle Decision No. i-SPK.35/B.2 (dated 08/05/2025 and numbered 30/846) (“Principle Decision”), published on 8 May 2025, has entered into force and is to be applied during periodic audits and prior to license applications in accordance with the Communiqué No. III-35/B.1 on the Establishment and Operational Principles of Crypto Asset Service Providers (“Communiqué”).

1. Key Principles of the Proof of Reserves Audit Process

Audits shall be carried out by information systems auditors (assistant auditor, auditor, senior auditor, lead auditor, and responsible lead auditor) as defined under the Communiqué No. III-62.2 on Information Systems Independent Audit.

The audit period refers to three-month intervals as defined under Article 48 of the Communiqué. For each audit period, a contract must be signed between the CASP and the information systems audit firm. This contract may cover multiple periods. A maximum of 12 periods may be audited by the same firm, and a maximum of 4 consecutive audit reports may be signed by the same responsible lead auditor.

Following the execution of the contract, CASPs are required to submit the following information to the auditor within the prescribed time:
In addition, the following data must be provided for platforms:
2. Scope and Methodology of the Audit

At least 10 crypto assets representing a minimum of 80% of customer-held crypto balances must be included in the audit scope. The entirety of the platform’s liquid reserves shall also be included and evaluated separately in the audit report. The audit shall aim for 100% verification. Debt/credit records related to liquidity provisioning activities may be confirmed through institutional records but must be disclosed in the report accordingly.

CASPs must provide the auditor with wallet addresses, wallet type (cold/hot), distributed ledger network, and infrastructure details—without granting any direct access or control over customer assets.

The auditor will compare the crypto assets on the distributed ledger with system records on two randomly selected dates. If the reserve ratio is found to be below 100%, this must be immediately reported to the CMB.

The auditor is also required to verify wallet ownership. The tools and methods used for this purpose must be explicitly stated in the audit report. Standards BDS 500, BDS 520, and BDS 530 shall be applied by analogy during the audit process.

3. Reporting and Submission Process

The audit report shall be finalized upon signature by the responsible lead auditor. The report must be delivered to the chair of the board of directors of the CASP within 10 business days following the end of the audit period and submitted to the CMB within 15 business days under all circumstances.

The report shall be shared only with the board of directors and the CMB. However, summary information on reserve ratios and values may be disclosed to the public, without naming the audit firm.

The “Introduction” section of the report shall include: the audit objective, scope, tools, date, information on the assigned auditors, and whether this is a repeat audit.
The “Assessment and Conclusion” section shall include: charts on custodian institutions and platforms, infrastructure adequacy, confirmed assets, and the auditor’s opinion.

You may access the full text of the Principle Decision here.