Under-reserved exchanges: What’s being done about it?

2022 Was Painful, but Preventable

If you were holding crypto in November of 2022, you likely have a vivid memory of November 2nd and the following days. Even casual observers were transfixed as they watched what would pan out to be a giant bankruptcy and the discovery of one of the largest financial frauds in history.

2022 was a rough year for crypto investors. FTX.com was the brick that broke the camel’s back; however, the cold liquidity breeze in the crypto markets started blowing in June 2022. This chill folded many exchanges, lenders, and crypto investment funds like the houses of cards they were.

Unfortunately, investors and consumers thought these companies were built on solid foundations.

Failures

👉 Voyager Digital was a publicly traded company. Didn’t that mean investors were protected by the expensive overhead of SEC reporting and PCAOB-level audit requirements?

👉 BlockFi, a crypto exchange and lender, was a darling of the industry, which raised a Series D financing round in March of 2021 valuing the company at $4.8 Billion. Surely professional investors must have seen a strong balance sheet and the operational maturity expected at the Series D age of a company, right?

👉 Celsius Network was a service provider with multiple products that had been in business since 2017 and raised $750 Million in late 2021, valuing the company at over $3 Billion. Surely, Celsius was doing it right? Like the leadership of the failed cohorts, their CEO was certainly visible and vocal with such assertions.

The infection of these and other business failures brought contagion that affected millions of investors in the US and abroad, to the tune of billions of dollars in value destruction.

💊 There was a medicine available to the industry, and it could have saved us a lot of pain. 💊

👎Unfortunately, this elective prophylactic, called Proof of Reserves, wasn’t taken widely.

Survivors

There are many global exchanges that survived the liquidity crisis of 2022. Looking at the crypto lending segment specifically provides the opportunity to consider the value of Proof of Reserves.

BlockFi, Celsius, and Voyager all offered retail and institutional lending (lending customer assets to institutional players and passing back a share of yield to customers). In hindsight, these companies presumably had one or more of the following issues behind the scenes:

💳 insufficient assessment of borrower creditworthiness,

🧺 concentration risks (specifically a concentration of loan receivables from Three Arrows Capital, another total embarrassment for the digital assets space),

☠️ cavalier risk tolerances that ignored known best practices, and

🔎 overall poor risk management and a lack of internal controls.

Notably, these three large lenders did not adopt a Proof of Reserves program or reporting (either by self-attestation or independent auditor’s attestation). It seems safe to conclude that they lacked customer trust when FOMAW (fear of missing asset withdrawal) spread like wildfire over Twitter and Reddit.

But consider BlockFi, Celsius and Voyager’s two largest competitors in the lending segment: both of those companies conducted regular Proof of Reserves reporting by an independent CPA firm. Both competitor firms survived the large wave of customer withdrawals in late 2022.

So, what defined success vs. failure? We may never know with certainty, but we can consider the potential factors. Perhaps their overall risk management practices and tolerances were simply more sound and/or conservative? Perhaps they had low or no exposure to Three Arrows Capital?

Perhaps these competitor firms held a higher baseline customer trust engendered by their regular practice of proving customer reserves, and thus experienced less FOMAW?

If those without, and those with Proof of Reserves experienced the same market conditions, and only one of the groups failed, it begs the question: was PoR the differentiator, or at least a contributing factor to their survival?

Again, we can’t say for sure; however, we do know from practice that engaging a third-party audit firm to perform a Proof of Reserve attestation necessitates preparation and operational hygiene that can benefit any exchange or lending platform operator.

Will History Repeat Itself?

From late 2021 through early 2022, investor sentiments were high, and BlockFi, Celsius, and Voyager flooded the market with “trust us” vibes, spending millions to market themselves as trustworthy brands.

🔊 With the benefit of hindsight, everyone can (should) now see that the balance sheet, regulatory status, audited financial statements, and proclaimed strength of these bankruptcies-in-waiting were just noise. Yes, all these companies were “audited!”

💡The signal was: whether any of these companies could demonstrate to customers, regulators, or investors that the customer assets held in reserve were sufficient to meet all existing customer liabilities.

However, the signal was lost in the noise.

For years leading up to 2022, proponents of reserves transparency attempted to shout over the noise, advocating that consumers and institutions both should advocate for self-regulation with Proof of Reserves reporting.  Rather, in a confounding and illogical move, industry participants organized themselves into a circular firing squad and started shooting. Advocates of these now-failed companies levied skepticism on their industry peers who had taken transparency efforts beyond financial statement audits. “That’s not an audit” was the common retort to third-party Proof of Reserves attestation reporting performed by US CPA Firms.

👊 And so, Proof of Reserves took nearly fatal blows from those it sought to protect. But why? Because Proof of Reserves is not a panacea, there should be no medicine at all?

Maybe there was still too much disagreement regarding the formulation of this specialized prophylactic? This is perhaps a factor, but not a root cause. Indeed, in one reasonably available formulation, Proof of Reserves was offered as an independent accountant’s attestation engagement, performed under private company attestation standards, covering the subject matter of like-kind reserve assets being sufficient to meet customer liabilities. If you think that isn’t perfect, pause here to ponder: why should perfection be the enemy of progress?

This formulation of Proof of Reserves was outlined by the Digital Chamber of Commerce in its 2021 “Practitioners’ Guide to Proof of Reserves,” and re-iterated in the May 2024 update to this unparalleled resource on the topic.  Such an approach, if adopted, can:

⏱be produced more frequently than audited financial statements,

👀 made available to retail customers (unlike private company audited financial statements),

💯can demonstrate testing over 100% of in-scope customer assets and liabilities (unlike audits based on sampling, which may not even cover customer assets and liabilities reported “off-balance sheet), and

✅ empower the customer to participate in validating their inclusion in the liability set produced by the service provider (a real innovation in attestation services that can be applied to crypto platforms and even non-crypto platforms).

Regarding that last bit about customer participation and verification… it is enabled by cryptography and offers a crowd-sourced check against the service provider’s stated customer liabilities (after the attestation report has been produced). Interestingly, the tech and process could be used beyond digital asset service providers and will, eventually, usher in a paradigm shift for the CPA and assurance industry.

Back to the failed platforms of 2022, the bankruptcy courts, lawyers, and consultants started the game of 52-card pickup in 2023. At that time it should have been abundantly clear: financial statement audit was alone insufficient to prevent, detect, or correct reserve shortfalls at service providers.

The logic is both plainly and painfully obvious. Proof of Reserves may not be a panacea, but it’s logical to conclude that taking the medicine could have reduced the spread of infection and/or the severity of the disease.

So, what will we do now to prevent widespread infections caused by fraudulent or poorly run service providers?

So, what is being done?

Proof of Reserves was a hot topic in the wake of FTX.com’s collapse. Policymakers in the U.S. and globally seemed to acknowledge the naked truth; it was their time and their duty to protect their constituents with reasonable Proof of Reserves or Proof-of-Reserves-like requirements.

🤠 The state of Texas was quick to act and effective in passing such legislation, unanimously.

🤠 The state of Wyoming passed a Proof of Reserves law ("Enhanced Digital Asset Custody Framework") in 2021, but the scheme is opt-in for now.

❓What about the other 48?

🗽Senators Tom Tillis and John Hickenlooper offered bipartisan legislation – the PROOF ACT – in late 2023. Other Congressional efforts have been focused on stablecoins, their reserve reporting, and a larger regulatory framework.

These are all positive developments, but trying to solve all problems at once means no simple, principles-based solution for reserve transparency can come to fruition with requisite speed.

The virus of poor reserve practices lies dormant today. However, as crypto markets pump, and the medicine is still not widely administered, it is almost certainly inevitable that unsuspecting consumers will suffer the results of another infectious wave. When exactly, we don’t know. But Proof of Reserves sits on the shelf while the thrust of policymaking focuses on a periphery of issues, some systemic, some less so. 

What Should Be Done

Is it time for digital asset service providers, crypto investors, blockchain and digital assets proponents to read the writing on the wall? How can we not conclude, 18 months after the wildfires of FTX.com and others, that: Proof of Reserves can be a meaningful and powerful supplement to financial statement audits, regulatory examinations, and other third-party assurance reporting such as SOC 1 and SOC 2? Shouldn’t we advocate for this simple medicine, especially given that it is relatively cheap and reasonably effective?

If the opportunity for self-regulation has passed, is it not time for our elected state and federal doers to take action to ensure those companies that commit to holding customers’ digital assets can show their customers proof of like-kind customer reserves adequate to meet customer liabilities with quarterly or better frequency?

It’s time for rational, principles-based Proof of Reserves adoption and requirements so that consumers can trust in quantitative measures, not hype and noise.