The Capital Markets Board Published the Decision Regarding the Proof of Reserves Audit Processes for Crypto Asset Service Providers

The Capital Markets Board (CMB) published the Decision numbered i-SPK.35/B.2 (Decision No. 30/846) (Decision) through the Capital Markets Board Bulletin dated 08.05.2025.

The Communiqué on the Principles Regarding the Establishment and Activities of Crypto Asset Service Providers (Communiqué No. III-35/B.1), published in the Official Gazette dated 13.03.2025 and numbered 32840, had imposed an obligation on crypto asset service providers to have a proof of reserves audit conducted. The Decision regulates the fundamental principles and rules to be followed in the above-mentioned audit processes.

Accordingly, the regulations addressed by the Decision are summarized below:

• The audit period within the scope of the proof of reserves audit refers to quarterly periods falling within the third, sixth, ninth, and twelfth months of a year.
• An agreement must be entered into between crypto asset service providers and independent information systems audit firms to ensure that the proof of reserves audit is carried out no later than the first month of each quarterly audit period. This agreement may also be structured to collectively cover the other audit periods within the same calendar year.
• Once the agreement is executed between the crypto asset service provider and the information systems auditor, the service provider must submit various information to the auditor. The submitted information must include: (i) the list of crypto assets, (ii) the current values of crypto assets belonging to clients, (iii) the networks on which the crypto assets are located, (iv) information on the custody model and access control mechanisms, and (v) the list and addresses of the wallets in which the crypto assets are held. These elements must be included at a minimum in the audit report.
• In addition to the above-mentioned information, platforms must also include the following in the report: (i) the total amount of client cash balances, (ii) the current value of the platform’s crypto assets and cash balances, (iii) the list of custody institutions the platform works with, and (iv) bank and account information related to the cash balances.
• All assets included in the liquid reserve of the crypto asset platform fall within the audit scope, and the results related to these assets must be presented in a separate section in the report.
• The full existence of all crypto assets included in the audit scope must be verified during the audit process.
• The information systems auditor shall report by comparing the client asset data recorded by the crypto asset service provider on two randomly selected dates with blockchain data. The report must include the minimum elements stipulated under the Decision. If, as a result of the review, the total reserve coverage ratio is found to be below 100%, this situation must be reported to the CMB immediately.
• The audit report becomes final once it is signed by the responsible information systems auditor and must be delivered to the chairperson of the board of directors of the crypto asset service provider within 10 business days. The received audit report must be submitted to the CMB within 15 business days along with the board resolution regarding its approval.
• The content of the audit report shall not be shared with any party other than the board of directors to which it was submitted and the CMB. However, it is permissible for the crypto asset service providers to publish content from the report on their websites, provided that the audit firm conducting the audit is not mentioned. In any case, the published content must be consistent with the audit report.