
Assurance in a blockchain world

How can you prepare to address the risks?

As blockchain, distributed ledgers, and cryptocurrencies enter the mainstream, stakeholders should consider their ability to mitigate the new risks these technologies introduce. This page explores the risks unique to the technology and business models of the players in this space, particularly the financial, technology, operational, and regulatory risks. If not properly planned for, these risks can cause significant loss.

Prepare to address the distributed ledger risks

Blockchain technology is changing rapidly. In addition to standard financial, technology, operational, and regulatory risks, blockchain, distributed ledgers, and cryptocurrencies come with their unique set of risks and challenges. It's time for stakeholders to take note of the risks, look closer at the players, and determine how much risk-mitigation assurance they need. Let's start off by diving into the blockchain-based companies that are already well established within the industry.

The interactive table below is not an all-inclusive set of risks. It is an illustrative set of topics entities can use to generate a dialogue. The table includes where the risks reside and which risks apply to the service providers listed.

Digital asset exchanges (E) and digital asset wallet providers (W):

It is common for entities to purchase or acquire publicly available digital assets using digital asset exchanges. The exchange typically provides the customer with a wallet to store their newly acquired assets. With so many wallet providers, it is important for entities to consider risks associated with the security of the platform and the availability of the assets, which we cover in this report.

There are a number of ways to help customers secure their assets, ranging from a simple username and password to multifactor authentication combined with multi-signature wallets. Entities that store digital assets on exchanges should put a series of questions to a prospective service provider before engaging in business.

  • What percentage of the digital assets is stored in hot wallets versus cold wallets?
  • How are digital assets going to be secured?
  • What is the service provider’s process to prevent misappropriation of assets?
  • Are funds commingled with other customers?
  • What happens if the service provider is hacked and loses a significant amount of digital assets?
  • What controls does the service provider have in place to reconcile customer balances in its internal ledger to the balances actually held on the blockchain?
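As an added illustration of the first and last questions above (the hot/cold split and the reconciliation of customer balances to the chain), the following Python is an example control check written for this page; it is not code from the original page or from any exchange or wallet provider. The customer ledger, wallet addresses and on-chain balances are constructed sample data, and the 10% ceiling on the share of assets kept in hot wallets is an assumed policy threshold rather than a figure from the page.

```python
from decimal import Decimal

# Constructed sample data: the exchange's internal ledger of customer balances.
# These are liabilities to customers and must be covered by on-chain assets.
CUSTOMER_LEDGER = {
    "cust-001": Decimal("12.50000000"),
    "cust-002": Decimal("0.75000000"),
    "cust-003": Decimal("102.00000000"),
}

# Constructed wallet inventory: address -> (storage tier, on-chain balance as
# read from a node at the snapshot block height). Addresses are placeholders.
WALLETS = {
    "bc1q-hot-aaa": ("hot", Decimal("9.25000000")),
    "bc1q-hot-bbb": ("hot", Decimal("2.00000000")),
    "bc1q-cold-ccc": ("cold", Decimal("105.00000000")),
}

# Assumed policy: no more than 10% of total assets may sit in hot wallets.
MAX_HOT_SHARE = Decimal("0.10")


def total_liabilities(ledger):
    """Sum of all customer balances the provider owes."""
    return sum(ledger.values(), Decimal(0))


def balances_by_tier(wallets):
    """Aggregate on-chain balances by storage tier (hot/cold)."""
    tiers = {}
    for _addr, (tier, balance) in wallets.items():
        tiers[tier] = tiers.get(tier, Decimal(0)) + balance
    return tiers


def hot_wallet_share(wallets):
    """Fraction of total on-chain assets held in hot wallets (0 if no assets)."""
    tiers = balances_by_tier(wallets)
    total = sum(tiers.values(), Decimal(0))
    return tiers.get("hot", Decimal(0)) / total if total else Decimal(0)


def reconcile(ledger, wallets, max_hot_share=MAX_HOT_SHARE):
    """Run the reconciliation control.

    Returns a dict with the totals and a list of exceptions; an empty
    'exceptions' list means the control passed at this snapshot.
    """
    liabilities = total_liabilities(ledger)
    assets = sum(balances_by_tier(wallets).values(), Decimal(0))
    share = hot_wallet_share(wallets)
    exceptions = []

    # Control 1: on-chain assets must fully cover customer liabilities.
    if assets < liabilities:
        exceptions.append(
            f"shortfall: on-chain assets {assets} < customer liabilities {liabilities}"
        )
    # Control 2: hot-wallet exposure must stay within the policy ceiling.
    if share > max_hot_share:
        exceptions.append(f"hot wallet share {share:.4f} exceeds limit {max_hot_share}")
    # Control 3: a negative customer balance indicates a ledger integrity problem.
    negative = sorted(c for c, b in ledger.items() if b < 0)
    if negative:
        exceptions.append(f"negative customer balances: {negative}")

    return {
        "assets": assets,
        "liabilities": liabilities,
        "hot_share": share,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    # Healthy snapshot: assets cover liabilities, hot share just under 10%.
    print(reconcile(CUSTOMER_LEDGER, WALLETS))
    # Constructed failure case: the cold wallet is missing from the inventory,
    # so assets no longer cover liabilities and everything left is hot.
    drained = {k: v for k, v in WALLETS.items() if v[0] == "hot"}
    print(reconcile(CUSTOMER_LEDGER, drained))
```

A real implementation would read the wallet balances from the provider's own node rather than a third-party explorer, and would pin both the ledger extract and the chain read to the same block height so that in-flight deposits and withdrawals do not show up as false shortfalls.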

Digital asset custodians (C):

Digital asset custodians build an additional layer of services on top of what standard wallet providers offer. Custodians have built out the control environments that financial services institutions require before they will place trust and confidence in the solution. While the primary purpose of a wallet is to support transactions and hold assets temporarily, custody services are designed to store digital assets for longer periods of time.

For this reason, security is the critical property for a custodian, whereas availability of service carries relatively more weight for a digital asset exchange. Examples of questions to consider include:

  • What monitoring controls should the user entity implement related to usage of the custody service?
  • How does the ledger work to ensure that the customer receives all transactional details associated with an account?
  • If there is a theft by an internal or external actor, what assurances does the service organization provide?
  • Which third-party certifications does the service provider have and what is the reputation of the organization providing the certification?

Cryptocurrency payment companies (P):

Cryptocurrency payment companies allow merchants to accept cryptocurrency as payment for the goods and services they sell. The merchant typically receives fiat currency (e.g., USD) in exchange for a digital asset such as bitcoin. Because the digital assets are converted to USD so quickly, risks related to processing integrity matter far more here than the ongoing security and availability of the digital assets themselves. Examples of questions to consider include:

  • What fees are charged by the service provider to process transactions?
  • Who pays the blockchain miner fees associated with a transaction?
  • Does the service provider have a dispute resolution process?
  • When the blockchain network is congested, how quickly does the customer get access to USD funds?

Utility tokens (U):

Several other start-up entities issue ERC-20 utility tokens (U) on the Ethereum blockchain, typically sold through initial coin offerings (ICOs). These tokens are commonly represented as units of a service and can be purchased on a variety of digital asset exchanges. Historically, products have been developed before being sold in the marketplace.

With the advent of crowdsourced funding, ICOs have become one mechanism for selling tokens to sponsor the development of a technology product. The tokens are not intended to be used as currency, but they do have a derived value based on the ability to trade them on exchanges. Entities planning to use such services, and companies that are issuing tokens, should address the key risks related to such tokens. Some questions to ask include:

  • Has the issuer of the ICO documented all of the regulatory considerations with respect to issuing these tokens?
  • Are these securities or not?
  • How is the customer going to account for these tokens?
  • What are the tax implications?
  • What could go wrong related to the technology and ICO issuance?
  • What are we doing to mitigate the risks related to theft during the issuance?

Evaluating risks and controls

Given the volatility of the markets and the increasing use of digital assets, many customers are concerned about the availability of the services and about access to their funds. Rightfully so. While a majority of these risks reside at the service providers, customers need to be aware of them and plan to address them by identifying ways of evaluating controls at the service providers.

There are a few different ways of evaluating risks and controls at the service provider level. One is for the service provider to obtain a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy (the Trust Services Criteria), commonly referred to as a SOC 2 report. Given the nature of the technology and the lack of publicly available mature frameworks, it is incumbent upon the service provider to select a qualified service auditor.

A control environment that effectively addresses the risks would consist of a combination of traditional controls and controls addressing blockchain-specific risks.

Rapidly changing technology will continue to introduce new and unique risks in the environment and, therefore, customers and service providers alike will need to adapt and continue addressing such risks.

To learn more, download Assurance in a blockchain world: How you can prepare to address the risks
