Texas Takes Proof of Reserves Bull by the Horns
Texas Passes Bill Requiring Proof of Reserves for Crypto Exchanges. What does this mean? What can companies do to plan for compliance in the ninth-largest economy in the world and a state with the second-largest GDP in the US?
On April 21, 2023, Governor Abbott signed into law a bill requiring cryptocurrency exchanges licensed to operate by the state’s Department of Banking to maintain sufficient reserves to fulfill their clients’ payment obligations. The bill has been coined “the Texas Proof of Reserves Bill” by the media.
Background
Proof of Reserves is a process by which a cryptocurrency exchange demonstrates that it holds sufficient digital assets to cover customer liabilities (digital asset deposits). Proof of Reserves is an evolving standard that can be complicated for a provider to produce, and potentially confusing for customers to interpret. While gray area remains across the market, the Texas bill seems to further define what Proof of Reserves is/is not, and why transparency reporting is meaningful to consumers and regulators.
The Bill, “HB 1666,” was filed and championed by State Rep. Giovanni Capriglione (R), supported by industry groups, and was passed with “yea” votes from 148 of the 150 legislators (see votes). It was subsequently passed in the Texas Senate, and signed by the Governor, and is set to become law by Sept. 1, 2023.
The law amends the Texas Finance Code, specifically Section 160. The most noteworthy amendments to Section 160 include:
Who the law applies to: “Digital asset providers,” as defined by the bill, serving more than 500 customers in the state and holding at least $10 million of customer funds would be restricted from: (1) comingling the customer funds with any other type of operational capital, and (2) using customer funds for any other transactions besides the transaction demanded by the customer.
Prohibition on Commingling of Customer and Corporate Funds: The bill specifically enumerates that service providers subject to the provisions of the bill shall not, “commingle customer funds in a digital account with funds belonging to the digital asset service provider, including the digital asset service provider's: operating capital; proprietary accounts; digital assets; fiat currency; or other property that is not customer funds.”
Customer Funds are Not Collateral for Company Borrowing Activities: Like the prohibition on commingling of funds, the bill is specific that service providers shall not “use customer funds in a digital account to secure or guarantee a transaction other than a transaction for the customer contributing the funds; or maintain customer funds in a digital account in such a manner that a digital asset customer may be unable to fully withdraw the customer's funds.”
Full Reserves Required: The service provider is required to hold reserves in an amount sufficient to immediately make good on all possible customer withdrawals.
Quarterly Transparency for Customers & Audit Firm Involvement: The law requires service providers to “create a plan” to allow: (1) each digital asset customer to view at least quarterly an accounting of (a) any outstanding liabilities owed to the digital asset customer; and (b) the digital asset customer's digital assets held in reserve custody by the digital asset service provider; and (2) allow auditors to review the information made available to the customer.
Annual Filing Requirement: By the 90th day after the end of each fiscal year, a digital asset provider (such as an exchange) needs to provide reporting about its outstanding customer liabilities, as well custodial asset reserves to meet those customer liabilities, to customers and to the state Department of Banking.
Management Must File Attestation Reports: Importantly, the annual report, also requires an attestation by the digital asset service provider of “outstanding liability to digital asset customers; evidence of customer assets held by the provider; a copy of the provider's plan under Subsection (c) and an attestation by an auditor that the information in the report is true and accurate.”
Attestation means Independent Accountant’s Reports under AICPA Standards: The law also defines sufficient attest requirements by specifying that, “An auditor fulfilling the requirements of this section must: be an independent certified public accountant licensed in the United States; and apply attestation standards adopted by the American Institute of Certified Public Accountants.”
Condition of Good Standing for MTL Licenses: Penalties for non-compliance empower the Department of Banking to revoke the license issued to the service provider to operate and serve customers in the state.
Analysis and Understanding
Applicability: Who is in? Who is out?
HB 1666 applies to “Digital Asset Service Providers.” As provided by the Bill, a “Digital Asset Service Provider” “means an electronic platform that facilitates the trading of digital assets on behalf of a digital asset customer and maintains custody of the customer's digital assets.” Therefore, Digital Asset Service Providers with 500 customers or more located in Texas and/or $10,000,000 in total customer funds under custody, and already be subject to the existing Money Transmission Licensing requirements within the state will fall within the purview of the law.
The Digital Asset Service Provider definition seems to align with the term Virtual Asset Service Provider (VASP) as used in the US and other jurisdictions. Examples of businesses that would seem to fall within the scope of this definition include:
Crypto Exchanges
Crypto Custodians
Crypto Lenders
Other platforms that provide some combination of these services to customers.
Banks are Out
HB 1666 specifically carves out banks as defined under the Texas Finance Code as well as companies that are not otherwise required to be registered Money Services Businesses. Here, Texas appears to have narrowed the focus of the bill to target the sector of the market where they perceive the most risk to consumers.
Public Companies are Out
Like, banks, public reporting companies are also specifically carved out and do not need to comply with the quarterly and annual reporting requirements to the Texas Department of Banking. The rationale for this exclusion is that public companies already have quarterly (10-Q) and annual (10-K) filing requirements with the SEC. While public reporting companies do have quarterly and annual financial reporting requirements, some have noted that, even with the application of Staff Advisory Bulletin 121 (SAB 121) from the SEC (requiring public reporting companies to pull customer assets on to the company balance sheet), the independent auditor’s annual testing of those accounts would likely always be on a sampling basis and may not ever include the 100% custodial asset testing contemplated by the original intent of Proof of Reserves. Additionally, 10-Q reports are most often unaudited filings.
Other Non-Money Transmitters May be Out
Additionally, businesses that are not subject to the Money Transmission Licensing requirements under current Texas law (and don’t meet the customers or assets thresholds) are not required to prove reserves under the new law.
From Model to Mandate
The general concept of Proof of Reserves was theorized in 2014; over the years, service providers have applied this model in varying ways, but there has been significant inconsistency in those approaches and a low overall application of Proof of Reserves. The collapse of multiple large exchanges and crypto lending platforms starting in the Summer of 2022, and the ensuing market contagion, brought Proof of Reserves into the common lexicon of institutional and retail investors alike. Many professionals and thousands of individuals on social media opined that if Proof of Reserves had been a common regulatory minimum for licensing, the collapse of those service providers could have been prevented, or at least detected before consumers were so deeply impacted. This notion seems to have inspired Texas lawmakers to demand more from digital asset service providers serving Texas customers.
In a January 2023 press release, the bills lead sponsor Representative Giovanni Capriglione made clear his and his co-sponsor’s focus on consumer protection, saying, “Over 8.5 million Texans have invested in cryptocurrencies and other digital assets, the vast majority of which are held by third party custodial account holders which facilitate the trade. Recently, multiple companies have betrayed the trust of their consumers by commingling investor funds with corporate assets, leading consumers to lose billions in their investments. HB 1666 makes it clear that any company that wishes to hold digital assets of Texas residents must verify to the Texas Department of Banking that they do not, and will not, comingle consumer funds with corporate assets. Additionally, these companies must prove that they are maintaining adequate reserves so consumers can access their funds.”
Representative Capriglione continued, “This bill is a product of months of conversations with stakeholders, consumer advocates, and many of my colleagues. I am proud that we have the support of the Texas Blockchain Council and can work together to restore consumer confidence in the blockchain economy.”
Lee Bratcher, President of the Texas Blockchain Council, joined Representative Capriglione by saying “The poor risk management practices demonstrated by multiple digital asset exchanges have severely damaged our industry. We at the Texas Blockchain Council are committed to ensuring custodial account holders do not commingle consumer funds and maintain adequate Proof of Reserves. The Texas Blockchain Council will continue to advocate for safe and secure methods of custody, including our ongoing educational efforts to promote self-custody of digital assets. We thank Representative Capriglione for filing HB 1666 and look forward to continuing to work with him in the 88th Legislative Session.”
The roll call vote on HB 1666 was nearly unanimous, which would seem to support the view that lawmakers have a good faith belief that Proof of Reserves requirements for digital asset service providers will provide a meaningful compliance regime, increase transparency for their constituent consumers, and ultimately create a barrier to fraudulent practices by digital asset service providers.
When do companies need to comply?
It is commonplace that changes to financial regulations and licensing requirements for money transmission have long implementation periods. Sometimes new requirements can take years to kick in after being signed into law.
Interestingly, in this case there is no long grace period or delay of implementation provided for in HB 1666, indicating the Texas lawmakers’ interest in protecting consumers now. Under the current bill, Digital Asset Service Providers need to start compliance in September. At this juncture, it seems that Digital Asset Service Providers with a fiscal year end of September 30th would have to provide their first year-end attest reporting to regulators (and the same transparency to customers) within 90 calendar days of the fiscal year end. All that said, affected companies should begin preparations for compliance now.
How can Companies Comply?
Generally
Start with research and conversation. Companies that are within the scope of HB1666 should start conversations with trusted regulatory counsel, engage the Texas Department of Banking with any questions related to the form and substance of their compliance, and seek out expert help from an independent and qualified CPA firm.
Once the form and substance of the Proof of Reserves reporting is more clear to the business, management teams should devise an internal plan that cuts across the main functional areas of the business, from trade operations and database administration, to engineering teams, custody operations, and accounting. Management’s plan should include the implementation of policies and practices that will allow management to produce (1) snapshots of all customer accounts and relevant digital asset balances per customer at a point in time; (2) a plan for the custody operations team to produce a full accounting of deposit, hot and cold storage wallet addresses for all supported blockchains/assets on the platform; and (3) a means to make the information related to customer account liabilities and total like-kind assets available and verifiable by customers on a quarterly cadence.
For “(3)” noted above, the conservative assessment is that the Digital Asset Service Provider would need to produce something “more” than what they provide on a daily basis through the account holder’s profile (i.e. log in, view account balances for each digital asset deposited). If this is true and aligns with a future interpretation and implementation by the Texas Department of Banking, there likely be three different ways to comply with the quarterly customer transparency requirement:
“Do it Yourself” PoR – Where the Digital Asset Service Provider performs a “snapshot” of customer liabilities at quarter-end, creates a cryptographic proof of all customers and liabilities per in-scope asset on the platform, and then makes a tool available for customers to individually check that they were included in the liabilities snapshot
“Auditor Assisted” PoR – The same basic process as noted above, but where an independent accountant as defined in the bill performs procedures to validate the “raw” liabilities snapshot (and perhaps also crates the cryptographic proof of those liabilities for customers to verify independently).
Be a Public Company – Where US public filing companies would be excluded from the requirements of the bill (see below).
Attestation Plan
Management’s plan for compliance should also include (1) a path to engaging with a qualified independent CPA firm to produce year-end attest reporting; and (2) alignment of teams around a year-end snapshot date (say midnight on 12/31); and (3) implementation of any systems or tools (such as digital signature tools) that will aid management in demonstrating control of the customer’s digital assets at the year-end.
In-Scope Assets/Liabilities and Coverage Plan
While the bill is not explicit on the percent coverage of on-platform assets, a plain reading of the bill would seem to indicate that the platforms are responsible to report on all customer liabilities and assets on the platform. In the case of a platform that supports, say, bitcoin, ether and cash, the “lift” required to support 100% of in-scope assets and liabilities will be relatively low. However, the majority of customer-facing platforms support many more tokens, which run on multiple different public blockchain networks. This being the case, the “long tail” of smaller market cap assets on the platform will present more complexity for management to report on. For the lower market cap tokens that run on emerging or newer blockchain networks, the complexity for management lies largely in the wallet infrastructure and signature schemes of these blockchains. Specifically, management will need to source or develop tools that allow for management to securely sign a message or securely transmit assets to demonstrate control of those assets at a point in time.
Preparing to Test and Produce Evidence
Management’s plan should consider that proving control of assets in a Proof of Reserves context may be unlike the process they have undertaken with an auditor for their financial statement audits. In a financial statement audit, auditors typically employ the concept of materiality and a sampling methodology to test “rights and obligations” (read as “control of the selected account or assets”). In a Proof of Reserves context, and what HB 1666 seems to require, is a 100% testing approach (or at least the testing of control over as many wallets needed in order to reach a 1:1 reserve ratio).
That being said, the language of the bill specific to the quarterly requirement may not require management to produce total customer assets held on behalf of customers or proof of assets held on behalf of each customer. The annual reporting requirement does appear to be more clear, providing that management should produce, and a CPA should attest to, “evidence of customer assets held by the provider.” Here again, further detailing the quarterly reporting/production requirement may come from DoB interpretation, rulemaking, or guidance. In addition, it seems that auditor discretion could be applied to the quarterly reporting requirement, where the auditor would test a selected sample of custodial wallets to gain comfort over total custodial assets without performing a 100% test of all wallets needed to make up a 1:1 reserve of customer liabilities.
As the bill specifically exempts public companies that would otherwise fall within the purview of the law, the above-noted sampling approach and auditor discretion may in fact be applied in future engagements related to the quarterly and/or annual requirements for private companies.
Cryptographic Proof of Liabilities Planning
For a fulsome understanding of what is possible for the “liabilities side” of a Proof of Reserves, we will produce an additional analysis and insights article. For now, and as noted above, at least annually, the prospective Texas law would require management offer customers a means to cryptographically verify the inclusion of the customer’s account and related account liabilities in the year-end liabilities snapshot.
There are myriad potential approaches for management to take here, and some open-sourced, referenceable examples available of how such cryptographic proofs and verification can be made available to the individual customer. There are also service providers entering the space offering technical solutions to this aspect of a Proof of Reserves.
Segregation Planning
There are two more important provisions of HB 1666 which will require management to plan for compliance: (1) the prohibition on commingling; and (2) the prohibition of using customer funds as collateral for other financing.
First, to commingling. While many service providers have wallet operations that allow for segregation of customer and company funds by design, it is not uncommon that a service provider’s trading fees accrue to the same omnibus wallet where customer funds are held. This can happen naturally when a user trades one asset for another on the platform, their account balance (database entry) is debited by the amount of the trade + the fees paid for that trade execution… and the service provider’s “account” is credited with the trading fees earned for trade execution services (another database entry); however, in this example, the on-chain assets remain in the wallet. While it is possible to automate the withdraw of trading fees earned from an omnibus wallet into a company-owned wallet, trading fees are typically very small and the cost of such withdrawals (on-chain transaction fees) would extinguish much or all of the service provider’s profits.
It seems reasonable that management could set up a periodic process to withdraw accrued trading fees from the omnibus wallet to segregate them from customer funds. However, as with all manual processes, policy, internal controls and monitoring are very important and will need to be implemented by the service provider, documented and producible as evidence in an attest engagement.
In the simpler case, where a company has set up their wallet operations to keep company capital, company profits, and other assets in the same wallets as customer funds, the law is clear that these accounts need to be teased apart. Here management needs to make a “one-time” change to their wallet operations and custody setup such that customer and company funds are no longer commingled.
Planning to Demonstrate that Customer Funds are not Treated as Collateral
How companies can comply with the prohibition on using customer funds as collateral for the company’s own borrowing or financing is admittedly less clear than some other portions of the bill. While a company can enact such a policy with the “stroke of the pen,” evidencing that this policy is in fact complied with to a regulator or independent attest provider may be more difficult.
One step in the right direction would be ensuring that management has a full and detailed accounting of any borrowing, lending and other finance relationships, including evidence of any contractual commitment, loan agreements, or the like. Management should also expect that an attest provider will likely choose to apply some independent judgement on how to test this requirement of the bill. Alternatively, or in addition, management that chooses to report under the AICPA’s Agreed Upon Procedures attest standards can expect that an attest provider would likely require some test procedures and findings to be included in the attest report relevant to this requirement. With the rationale being that, in an AUP, the procedures and their sufficiency are determined by management, the attest provider must also assess whether the procedures as written (without additional procedures) could lead to a misleading presentation in an attest report.
Understanding AICPA Standards
Management should seek to understand the attest standards promulgated by the American Institute of Public Accountants so that they can knowledgeably select the attest standard and reporting vehicle that best fits their needs for compliance. The Network Firm will produce additional information in the coming weeks and months to further explain the relevant standards, resulting reporting as well as the usefulness of each for reporting on such subject matter.
For now, there are two main standards that are most applicable in the Proof of Reserves context. Examination standards (AT-C Section 205 Assertion-Based Examination Engagements) and Agreed Upon Procedures standards (AT-C Section 215 Agreed-Upon Procedures Engagements). The requirements and guidance in these two standards supplement the requirements and guidance of the AICPA’s Concepts Common to All Attestation Engagements (AT-C Section 105 Concepts Common to All Attestation Engagements)
Under the examination standards, the practitioner should form an opinion about whether the subject matter is in accordance with (or based on) the selected criteria, in all material respects, or the assertion is fairly stated, in all material respects. As successful examination engagements result in the opinion of an independent accountant, they are generally described to provide a higher level of assurance to the intended user of the report as compared with AUP reporting, where the independent accountant does not reach a conclusion or opinion, but rather performs specific enumerated procedures and presents the findings of those procedures. There are myriad other important differences between the standards in both the form of reporting, the type of testing undertaken to support each (substantive and control testing), all of which require more than a cursory analysis by management when planning for an engagement.
Conclusion
With HB 1666 being signed into law by the Governor, the Texas Department of Banking will inevitably take up consideration of how to bring the compliance requirements of the law into practice. That process could also result in additional regulator guidance to aid management in understanding compliance requirements.
As noted, there are areas in the bill that remain broad or subject to some interpretation. In these areas, direct and early communication with the Department of Banking about how your company will plan to comply is likely to be time well spent.
Additionally, market participants and service providers will continue to develop approaches and best practices for management’s quarterly self-attest, outside management consulting to support the compliance process, and for CPAs providing attestations under AICPA standards. Active industry groups also have a key role to play in educating affected companies, sharing “how to comply” information with members, and providing feedback on the law’s practical effects to law makers.