Cryptocurrencies are attractive but harbour specific risks. To store them securely (crypto custody), careful thought needs to be given to how the private keys are managed, because the private keys are what safeguard ownership of and access to the digital assets. Investors must systematically identify and reduce crypto custody risks, whether they decide to hold their private keys in self-custody or use a professional third-party custodian.
Cryptocurrencies are based on decentralised blockchain technology (distributed ledger technology, DLT), so there is no central authority of the kind that banks provide in traditional financial markets. Users manage their digital assets themselves and therefore need the appropriate technical expertise. Private keys are used to execute transactions and therefore to control the digital assets. If a user loses the private key, there is no central authority that can reset or restore it. Users therefore need an appropriate custody solution that includes a suitable backup, i.e. a backup code and/or a backup of the private key itself. It is vital for cryptocurrency investors to understand the roles and responsibilities of all parties involved and to be aware of and mitigate crypto custody risks.
Exploiting the advantages and addressing the risks
In just a few years, a significant proportion of financial products will have no central supervisory authority. Cryptocurrencies are not only accelerating the roll-out of digital financial products due to (capital) cost considerations, but are also enabling real-time settlement and slashing transaction costs in the process.
Understandably, both institutional and private investors are keen to exploit these advantages. But they should be aware of the risks associated with crypto custody. If the private key and its backup are lost or altered, the investor loses access to their cryptocurrencies. Anyone who obtains the private key can execute unauthorised transactions. Likewise, there is a risk of fraud if the crypto custody solution has no clear segregation of duties or if the responsible parties ignore security standards. In traditional banking, assets can be recovered in the event of error or fraud. This is not the case with cryptocurrencies.
Optimising custody
Investors must store the private keys and their backups separately and protect both from attacks. This is where professional crypto custody services come in. They safeguard the availability, confidentiality and integrity of private keys and permit their recovery. Depending on their technical expertise, investors can operate a crypto custody solution themselves or externally with a third-party provider. Based on their security requirements and their requirements for transaction execution, they can keep their digital wallets offline, online or a combination of both.
Using an auditor
The financial auditor of a company holding cryptocurrencies checks whether the private keys and the associated backups are stored appropriately and whether the corresponding controls are effective. The auditor must be able to verify that the company can actually access its digital assets and that no unauthorised person has viewed or acquired sensitive information about the private key.
In doing so, the auditor must ensure that controls are in place for the entire lifecycle of the private keys, starting with the generation of the key in a key ceremony. Otherwise, there is a risk that the keys were compromised at some point in the past and that the cryptocurrencies could be lost at any time. We therefore recommend involving an auditor from the outset, i.e. already for the key ceremony.
An auditor will also create transparency and certainty regarding the approval of transactions. For example, they will check whether and how the company ensures that only employees with signing authority can initiate cryptocurrency transactions; as a minimum, the dual control (four-eyes) principle must be followed.
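The dual-control gate described above, written out as an added example (not code from the article or from PwC): a transaction proposal may only proceed to the private-key signing step once at least two distinct people with signing authority have approved exactly the content that will be signed. The signer names, asset, amount and address are constructed sample data; the code checks the approval policy and writes the audit trail an auditor would ask for, it does not itself verify cryptographic signatures.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample data (not from the article): employees holding signing authority.
AUTHORIZED_SIGNERS = {"alice", "bob", "carol"}
MIN_DISTINCT_APPROVERS = 2   # dual control: two different people, never one person twice


@dataclass
class TransactionProposal:
    """A withdrawal request awaiting approval before the private key may sign it."""
    asset: str
    amount: str            # decimal string, so no float rounding on amounts
    to_address: str
    proposer: str
    approvals: dict = field(default_factory=dict)   # signer -> digest they approved
    audit_log: list = field(default_factory=list)   # evidence trail for the auditor

    def digest(self) -> str:
        # Approvals are bound to the exact content: if the destination or amount is
        # changed after approval, the earlier approvals no longer match and lapse.
        payload = json.dumps({"asset": self.asset, "amount": self.amount,
                              "to": self.to_address}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


def approve(tx: TransactionProposal, signer: str) -> bool:
    """Record an approval; returns True only if it was accepted under the policy."""
    if signer not in AUTHORIZED_SIGNERS:
        tx.audit_log.append(f"REJECTED approval by {signer}: no signing authority")
        return False
    if signer in tx.approvals:
        tx.audit_log.append(f"IGNORED duplicate approval by {signer}")
        return False
    tx.approvals[signer] = tx.digest()
    tx.audit_log.append(f"ACCEPTED approval by {signer}")
    return True


def may_be_signed(tx: TransactionProposal) -> bool:
    """Release the signing step only when enough distinct authorised signers have
    approved the transaction content as it stands right now."""
    current = tx.digest()
    valid = {s for s, d in tx.approvals.items()
             if s in AUTHORIZED_SIGNERS and d == current}
    released = len(valid) >= MIN_DISTINCT_APPROVERS
    tx.audit_log.append(f"{'RELEASED' if released else 'HELD'}: {len(valid)} valid approvals")
    return released
```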
The auditor must also carefully assess the likelihood of a loss of digital assets and evaluate any impact on the audited entity's financial statements. The audit opinion indicates that the risk of loss has been addressed with appropriate controls.
Interplay between transparency and trust
Cryptocurrencies reshape the relationship between the company, the custodian and the (financial) auditor (see graphic). To make sure that an external storage solution is secure, the parties must live up to their responsibilities and work together in a spirit of trust.
- The company holding cryptocurrencies must select an appropriate crypto custody solution and ensure that a risk-based internal control system is in place. With an external solution, the custodian operates the control system; ultimate responsibility, however, remains with the company.
- The custodian takes on the custody risk. The custodian usually earns a small commission based on a percentage of the cryptocurrencies in custody. If part of the cryptocurrencies is lost and no insurance coverage exists, the custodian could become insolvent and the company would have to bear the loss. The custodian executing the controls appoints an auditor to assess those controls and report on them in an attestation report.
- In their audit procedures, the financial auditor must consider the risk of losing private keys. The auditor's duties include requesting evidence that adequate controls for crypto custody exist throughout the entire lifecycle. Where an external custody solution is used, the auditor must critically assess the attestation report and, in particular, ensure that the relevant risks are addressed by controls and that no significant findings were identified during the entire lifecycle.
Crypto custody: risks and controls from an auditor's perspective
Adrian Keller has led PwC Switzerland's Blockchain & Crypto Audit practice since 2016. Adrian and his team audit and advise blockchain and crypto clients as well as clients in the blockchain financial services industry. He collaborates closely with market participants and is engaged in various initiatives and associations. Adrian is a Swiss Certified Public Accountant and a lecturer in blockchain audit at EXPERTsuisse, the professional organisation for audit experts.
Ralf Hofstetter has headed Trust & Transparency Solutions at PwC Switzerland since 2019. He has extensive experience and knowledge in bringing transparency, and thus trust, to clients and their stakeholders using attestations such as ISAE 3000 or ISAE 3402. Ralf and his team are pioneers in providing assurance on crypto custody. He holds a Master's degree from the University of Zurich and is certified as CISA, CISSP and ISO 27001 Lead Auditor.