CMB's "Proof of Reserves" Regulation for Crypto Asset Platforms

The CMB announced that it has determined certain principles and guidelines for the implementation of the proof of reserve audit processes that platforms are required to have done prior to their operating permit applications by crypto asset service providers.

According to the announcement in the weekly bulletin, a contract will be signed between crypto asset service providers and information systems independent auditing organizations regarding the conduct of proof of reserve audits within the first month of each 3-month period subject to audit. The contract can also be signed collectively to cover other audit periods of the year.

A crypto asset service provider may have a maximum of 12 consecutive periods of reserve proof audits carried out by the same company. A responsible information systems chief auditor may sign a maximum of 4 consecutive periods of reserve proof audit reports for the same crypto asset service provider.

Within the scope of the signed contract, crypto asset service providers will be obliged to prepare all kinds of records, information and documents subject to audit and the systems in which the audit will be carried out.

After the contract is signed, crypto asset service providers will be required to submit certain information to the information systems auditor within the specified period and to be included in the audit report.

This information will include "list of crypto assets", "current value of crypto assets belonging to customers", "networks in which crypto assets are located", "information on the storage model and access control mechanisms" and "list and addresses of wallets where crypto assets are stored".

Platforms will also submit "customers' cash balance sizes", "current value of crypto assets belonging to the platform and cash balance sizes", "list of depository institutions with which the platform works" and "bank and account information regarding cash balances" to the information systems auditor and include this information in the audit report.

All assets held in the liquid reserves of the crypto asset platform will be included in the scope of the audit, and the audit results for the assets in question will be included under a separate heading in the report.

The audit will require confirmation of the existence of 100 percent of the crypto assets included in the audit.

The information systems auditor will randomly determine two different dates to be audited during the audit period and will be able to obtain customer asset information tracked in the records of the crypto asset service provider during the day on the selected dates to compare it with the assets in the distributed ledger network.

The selected dates will not be shared with the crypto asset platform until one day before the audit date.

The auditor will verify that the wallet addresses transmitted by the crypto asset service provider belong to the crypto asset service provider and will include the verification method in the audit report.

It will report the audit results by comparing them with the data in the records of the crypto asset service provider.

The report will include tools to be used in wallet balance inquiries and wallet verification processes.

The audit report will become final when signed by the responsible information systems chief auditor and will be delivered to the chairman of the board of directors of the crypto asset service provider within the first 10 business days following the end of the audit period.

The report will be sent to the CMB, together with the board of directors' decision to accept it, within 15 working days following the end of the audit period.

The audit report will be prepared for the board of directors of the crypto asset platform and will not be shared with any party other than the board of directors and the CMB.

The introductory section of the report will include the purpose and scope of the audit, the tools and techniques used during the audit, the dates the audit was conducted, the names, surnames, titles and contact information of the assigned information systems auditors, and the number of times the audit was conducted consecutively by the relevant independent audit company and the responsible information systems chief auditor.

The announcement, in which the principles and fundamentals were explained, also included the information, opinions, statements and tables that should be included at a minimum in the introduction, evaluation and conclusion sections of the audit report.