Using crypto and digital assets? 6 risks to consider when selecting a provider


Summary

  • Leaders need to consider the risks specific to digital assets when selecting a digital asset service provider and when monitoring their ongoing operations.
  • Key risks include operational, technology, custody and security, market access and data, confidentiality and privacy, and compliance and tax, among others.
  • System and organization controls (SOC) reporting can be a powerful tool to help with assessing risk at your selected digital service providers.
  • SOC 1 reports focus on internal controls over financial reporting.
  • SOC 2 reports focus on internal controls related to trust services including: security, availability, confidentiality, processing integrity and privacy.

Recent turmoil in the cryptocurrency market has underscored the critical risks involved with investing in or engaging with digital assets. 

If you invest in or engage with digital assets — such as cryptocurrencies and non-fungible tokens (NFTs) — it’s important that you understand the risks, including those associated with your digital asset service providers:

  • Custodians
  • Exchanges
  • Data sources
  • Infrastructure providers

And consider how that risk affects stakeholder trust in your business.

Here are six key risks that you may consider when selecting a digital asset service provider:

1. Operational. Do you understand the contractual services provided and whether your vendor has robust controls in place to mitigate the associated risks? The types of operational risks involved will vary based on your digital asset investment approach or business model — whether you’re investing directly, trading futures or staking assets for income generation, as a few examples. Examples of operational risks include unauthorized transactional activity, inaccurate or incomplete books and records, and digital asset holdings that do not reconcile to your custodian and/or the respective blockchain.

2. Technology. Can you rely on the technology your vendor uses to provide services such as custody, reporting, reconciliations and other digital asset activities? Technology risks may include inappropriate or unauthorized logical and physical access to critical systems, change management activities that introduce system and reporting errors, and ineffective resiliency in extreme market conditions.

3. Custody and security. What controls are in place to help secure your assets? Since blockchain-based transactions are irrevocable, your assets could be gone forever if your wallet is breached. Service providers should have robust controls over traditional custody functions such as onboarding, deposits/withdrawals and reconciliation — as well as every stage of the private key life cycle from generation, distribution, storage, security and usage through rotation and destruction.

4. Market access and data. Will you be able to execute your strategy, even during times of market turmoil? Will you connect to each decentralized exchange and blockchain separately, or leverage an infrastructure provider to aggregate them into a one-stop shop? You need to understand the controls your service providers have in place to maintain market data and liquidity.

5. Confidentiality and privacy. Will sensitive information, including business details and personal data, be protected? Maintaining confidentiality and privacy is fundamental in building trust in the services being provided and meeting stakeholder expectations. 

6. Compliance and tax. What services and reporting, if any, will be provided by your vendor to demonstrate compliance with financial industry standards and regulations — such as anti-money laundering (AML) and know your customer (KYC) — and/or help you meet your tax reporting obligations? 

Who’s responsible? Read the contract first

With any digital asset service provider, it’s important to read your contractual agreements to understand your obligations and who is responsible for what. This is especially true in the new and ever-changing realm of digital assets, where any ambiguity has the potential to leave gaps in risk management.

Bridging the knowledge gap

Fortunately, there’s a powerful tool that can help with your assessments: system and organization controls (SOC) reporting. SOC 1 reports are most relevant when assessing a user entity’s internal control over financial reporting or supporting financial statement audits; SOC 2 reports cover the trust services principles, including security, availability, confidentiality, processing integrity and privacy. Both can help you understand a vendor’s internal control environment.

SOC reporting offers the potential to provide transparency and mitigate the risk of miscommunication and misunderstanding of responsibilities. SOC reports include a list of complementary user entity controls that make responsibilities clear. This list can help complement — but will not take the place of — your understanding of your own obligations and your digital asset service providers’ responsibilities.

SOC 2 reporting — relative to service commitments — may provide insight into systems, processes and controls over confidentiality and privacy and other areas, such as availability, not traditionally covered within a SOC 1 report.

SOC reports can also assist in identifying any potential exposure to the use of and failures in counterparties and fourth parties through the disclosure of relevant subservice organizations and complementary subservice organization controls that should be in place.

How to assess SOC reports

The current lack of industry standards for digital assets applies to SOC reports too. Because this is an emerging area, the market is inconsistent about who issues these reports and what they contain. If you’re a customer, consider asking questions about the following SOC report dimensions to help assess the reports you receive. If you’re a service provider, addressing these dimensions and answering these questions can help you determine whether your reporting meets the needs of your customers.

  • Type: Which reports exist? Common practice may be for a provider to issue both a SOC 1, to be used for internal control over financial reporting, as well as a SOC 2, covering areas such as security, availability and confidentiality, among others. Make sure to understand a digital asset vendor candidate’s reporting capabilities and whether it will be able to provide sufficient detail to meet your needs.
  • Scope: Is the scope appropriate? Does the available reporting cover critical services, entities, jurisdictions, etc.? Many vendors operate in multiple jurisdictions, have multiple legal entities and offer multiple services (e.g., cold wallet services in addition to prime broker trading services). Make sure to understand what legal entities, services and assets are covered within the SOC reporting scope as the SOC report may not cover the specific offering you need.
  • Outsourcing: Do reports lay out your digital asset vendor’s controls over its own vendors? Most digital asset vendors use sub-service providers for areas such as hosting, SaaS platforms and physical security/storage. This makeup can lead to new operational, technology, security, privacy and compliance risks sitting with third or fourth parties. SOC reporting may help you understand these third or fourth parties and the associated risks, as well as whether separate reports for sub-service providers need to be obtained for full coverage of your outsourced services.
  • Completeness: Do the reports cover the activities that matter most to you? Given the lack of industry standards, SOC reporting tends to vary in terms of scope. So, when looking at a SOC report for a digital asset custodian, for instance, make sure to look for details on controls over the entire private key life cycle including key generation, which is fundamental and critical for security in this ecosystem. If key generation controls are flawed or not tested by an independent auditor, your digital assets may be more vulnerable.



Mark Cornish

Cybersecurity Attestation Services Leader, Philadelphia, PwC US


Vikram Panjwani

Digital Assurance and Transparency Partner, PwC US


Jenna Surface

Digital Assurance and Transparency Director, PwC US
