Not Your Keys, Not Your Coins — Lessons Learned from the FTX Bankruptcy
As the use of digital assets, such as cryptocurrencies and digital securities, continues to grow, the role of accountants in managing and safeguarding these assets is becoming increasingly important. One of the key elements in managing digital assets is the use of private keys, which are critical for ensuring the security and integrity of these assets.
Private keys are generated using cryptographic algorithms that create a unique, random sequence of characters and are used to control access to digital assets. In the case of cryptocurrencies, the private key is generated when a user creates a new wallet on a blockchain or distributed ledger.
One of the key benefits of using private keys for digital assets is that they provide a high level of security. The use of cryptographic algorithms makes it extremely difficult to crack the private keys. In addition to providing security, private keys also play a critical role in ensuring the integrity of digital assets. Private keys are used to create digital signatures that verify the authenticity and integrity of digital assets, prevent fraud and ensure that transactions are not tampered with or altered in any way.
Lessons Learned from the FTX Bankruptcy
FTX was a cryptocurrency exchange and hedge fund run by the now-disgraced Sam Bankman-Fried (SBF) that collapsed in November 2022. In his declaration in support of the Chapter 11 bankruptcy petition, interim CEO John J. Ray III, who replaced SBF, claimed that in more than 40 years of legal and restructuring experience, he had never seen such a complete failure of corporate controls and absence of trustworthy financial information as occurred at FTX. He cited specifics, including compromised systems integrity and the concentration of control in the hands of a very small group of inexperienced, unsophisticated and potentially compromised individuals.
The party with possession of the private keys is the effective owner of the digital assets. When a crypto owner holds their digital asset on an exchange such as FTX, opportunity exists for the exchange to transfer or sell the digital assets without the permission or knowledge of the depositor. Of important note from his declaration is Mr. Ray’s reference to the unsecured account used to access private keys. According to Mr. Ray, “unacceptable management practices included the use of an unsecured group email account as the root user to access confidential private keys and critically sensitive data for the FTX Group companies around the world, the absence of daily reconciliation of positions on the blockchain, [and] the use of software to conceal the misuse of customer funds.”
Consideration for CPAs
The use of private keys for digital assets can also help to improve transparency and accountability. Digital assets that are protected by private keys are recorded on a public ledger that is accessible to anyone. This means that transactions can be easily tracked and audited, which can help to improve accountability and prevent fraud.
However, the use of private keys for digital assets also presents some unique challenges for accountants. One of the key considerations is ensuring that private keys are properly safeguarded and managed. Private keys are extremely valuable; if they fall into the wrong hands, they can be used to steal or manipulate digital assets, as seen in the case of FTX. Accountants should advise their clients of the risk associated with digital asset ownership rights and stress the importance of safeguarding the keys to the kingdom.
For businesses and individuals that do not hold their digital assets on an exchange and therefore have possession of their own private keys, another challenge is the need to ensure that private keys are properly managed over time. Private keys can be lost or forgotten, resulting in the permanent loss of digital assets. As a result, accountants must advise stakeholders to ensure private keys are properly backed up and that they are accessible when needed.
Digital assets are becoming increasingly relevant for many businesses, and their value can often be significant. Therefore, the security and integrity of these assets must be a top priority for owners and management. Auditors and advisors must consider private key security when conducting their risk management evaluation. Private keys must be kept secure and only shared with trusted parties when absolutely necessary. It is also important to have a backup of the private keys stored in a secure location to prevent loss due to technical failures or human error. By doing so, owners can maintain complete control and ownership over their digital assets and minimize the risk of loss or theft.