SOC Series: SOC in Crypto Ecosystem (part 3)
This is the third post in a 4-part series on SOC reporting basics within the cryptocurrency ecosystem. Part 1 provides basic introduction to SOC reporting. Part 2 breaks down the various types of SOC reports. Part 3 discusses SOC reporting in the cryptocurrency space. Part 4 is a simple guide for cryptocurrency firms interested in getting started.
To many, saying that SOC engagements can serve as a component to mass crypto adoption, is a paradox. However, the merit in this statement comes from what SOC audits and reports serve to foster: trust through transparency. While the future is still unwritten, existing SOC engagements with crypto companies may serve as an indicator of SOC’s role that is to come in the wider crypto ecosystem.
There’s an elephant in the room so let’s introduce it.
SOC reports (seemingly) represent the antithesis of a prevailing crypto ethos — one that is often characterized by less government, less regulation, less controls. With a SOC audit, organizations open up the proverbial kimono and invite an external accounting firm to comb through sensitive financial information, business systems, and organizational controls. By both subjective and objective measures, this process contradicts the very principles of privacy and decentralization upon which cryptocurrency was founded.
So, why would a cryptocurrency service organization opt in for a SOC audit and subsequent report that shares an organization’s most private information?
The answer fundamentally comes down to trust.
Customers, investors, and other stakeholders want assurance that the company has their best interests in mind. Not only that, stakeholders want assurance that their interests are being protected through the implementation of proven, effective controls and monitoring, as well as transparent financial reporting. A simple search for “list of cryptocurrency exchange hacks” serves as just one example as to why this is important.
Gemini: Example of SOC in the Crypto Ecosystem
We’re already seeing SOC engagements within the crypto ecosystem. An industry leading exchange and custodian, Gemini, provides perhaps the most notable example to date.
Since its beginnings, Gemini has been an advocate for a positive, symbiotic relationship between regulators and the crypto community. To Gemini leadership, such a relationship is a foundational part of the customer trust equation:
“We are committed to earning and maintaining your trust. We believe that in order to do so, we must invest in our four pillars for the long-term. Product, Security, Licensing, and Compliance are the inputs that generate a trust output.”
This commitment is not simply corporate lip service. Gemini’s proven record of making such investments is a testament to putting their money where their mouth is. One example of such an investment is that of SOC examinations.
In January 2019, Gemini announced a first in crypto. They successfully completed a SOC 2 Type 1 examination, which looks at an organization’s ability to meet specified Trust Services Criteria at a specific point in time. Completing this exam made Gemini, “the world’s first cryptocurrency exchange and custodian to demonstrate this level of security compliance in protecting customer data and funds.”
This announcement was followed by two separate announcements in early 2020 about two related firsts in crypto. In January and April, Gemini announced the successful completion of, respectively, both SOC 2 Type 2 and SOC 1 Type 1 examinations. The former is related to its Type 1 counterpart, with a key difference of looking at controls over a specified period of time. The latter looks more specially at financial controls.
[For more on the different types of SOC reports, check out part 2 of this series.]
The Gemini example is used not as the basis for any suggestions as to what other crypto organizations should or shouldn’t do. Rather, it’s evidence that proves SOC reporting has made its way into crypto in a high-profile style.
So, which types of organizations might consider following suit?
Organizations Well-Suited for SOC Reporting
The SOC framework is intended for service organizations. Generally, a service organization can be thought of as providing non-tangible products and solutions to their customers.
This can apply to any organization whose customers’ businesses rely on the organization’s transparent financial reporting and sufficient controls that minimize risk exposure. This same logic can be extended to the organization’s investors and shareholders, whose decisions are informed by reliable, accurate information.
In short, any service organization within the crypto ecosystem may want to consider SOC reporting as a way to communicate trust and transparency to its stakeholders.
A list of such organizations might include:
- Centralized exchanges
- Decentralized exchanges
- Blockchain consultants
- DeFi solution providers
- Mining pool operators
- Publicly traded firms
To be sure, this list is by no means exhaustive. But, hopefully, it does help to get the conversation started.
Despite contradicting opinions about regulation’s role within crypto and the degree to which crypto organizations should engage with institutional powerhouses like the Big 4, one thing is certain. In order for crypto to reach the mainstream and become embedded in the global economy, stakeholders need to trust the organizations with whom they are dealing.
From individual retail customers to large-scale institutional investors and everywhere in between, stakeholder-organization trust is a key mechanism for mass crypto adoption. SOC engagements can serve as a small component of this complex trust mechanism.
Head over to part 4 where we will review a simple guide for cryptocurrency firms interested in getting started.