What Accounting Professionals Should Know about Crypto Key Management
Blockchain and cryptocurrencies are certainly not new terms or ideas. Since 2016, crypto valuation, crypto taxation, crypto reporting and blockchain for accounting and audit practices have all sprung up in conversation in articles, journals and podcasts, on YouTube channels and at every accounting-related conference. Even with all of this chatter, however, two critical aspects of how blockchain, cryptocurrency and accounting overlap remain on the back burner: key management and custody practices.
Familiarity with keys and key management may not have been something that CPAs thought would be a prerequisite to offering advisory services at the very beginning of the blockchain and cryptoasset movement, but now it is more than a requirement. Key management and compliance are possibly the most important areas in which CPAs can add value to any clients involved in the cryptocurrency space.
First Things First: What are Keys?
The first thing to understand about private key management is how it connects to bitcoin and other cryptocurrencies. Generally speaking, and even including stablecoins (cryptocurrencies supported by other real-world assets, such as gold, oil or US dollars), the only way to definitively prove ownership of the crypto is via private keys.
While this might sound abstract, this is not different from how cash functions; cash is a fungible asset whose ownership is driven by who is in physical possession of the asset. In other words, if your client does not have custody of their private keys and robust controls in place to safeguard these assets, they are putting themselves at risk. And, it may ultimately come back in the shape of blame landing on your desk. This should be the first thing that you speak about with any client, current or prospective, that is interested in owning, transacting in or otherwise dealing with cryptocurrencies.
After understanding what keys are and where they fit in the broader cryptoasset space, the next step is to understand where and how these keys can be stored.
It may seem relatively straightforward, given what was just stated, to understand what keys are, but storing these keys can be a tricky business. Many individual clients who have invested in bitcoin or other cryptocurrencies – in most cases – may not have personal ownership or custody of the private keys due to the fact that they have done so via exchanges such as Coinbase. In these situations, the crypto exchange actually holds the private keys of investors, much like how traditional brokerages have custody over investor funds and accounts.
If that is the case for your crypto client, that makes the conversation simpler, and you can focus on reporting, tax implications and making sure that records are appropriately kept. That scenario aside, and assuming you have a client that holds keys off an exchange – which is not as unusual if your client is being paid in cryptocurrencies for goods or services – the conversation is a bit more complicated. Let’s take a look at some of the options that are out there.
Prior to discussing what types of wallets there are, it is important to realize that there are no cryptocurrencies actually stored in a cryptocurrency wallet. These wallets, however, point to where the cryptocurrencies are stored on the underlying blockchain itself.
There are several different wallets that clients could be using, and it’s important for every practitioner to at least have a working knowledge of these options:
- Hot Wallets: A hot wallet is more like an online access portal or website than a physical or virtual security tool. These are accessible online and can be configured to be used on a desktop, laptop or even mobile devices, but with these levels of convenience also come increased risks. As highlighted, perhaps in the highest-profile way, by the hack at Binance during May of 2019, these types of wallets are not protected by blockchain encryption, just by passwords.
- Practitioner Takeaway: Advise your clients to either never keep cryptocurrency in a hot wallet or to only keep amounts they are planning to use or could tolerate losing.
- Cold Wallet: A cold wallet is named such due to its lack of connection to the internet or other online portals; think of it like a specialized USB drive. The key upside and benefit is that since it is not connected to the internet, there is much lower risk of it being remotely hacked. This is not a 0 percent risk, however: if a cold wallet is plugged into a computer infected with a virus or other malware, it could be infected that way. Given that risk, it is always recommended to ensure the cold wallet has an embedded component that can help it resist or even prevent this type of hacking.
- Practitioner Takeaway: What cold wallets lose in convenience they are able to make up for in data security, but that does not reduce the risk to 0%; practitioners still need to be active participants in this conversation.
- Paper Wallets: Naming convention aside, there is no need for keys that are stored on a paper wallet to actually be written down on sheets of paper. On top of the risk of degrading over time, there are better options out there for storing information securely. Paper wallets can have private information engraved on pieces of wood or even stamped into sheets of metal, but there is a twist of irony that should be recognized. Many of these, due to the fact that the keys are actually attached to a physical product, need to be stored and secured, and they are usually stored in a safety deposit box. In other words, the cryptocurrency is required to be stored at the very institution it was meant to disrupt.
- Practitioner Takeaway: Paper wallets are the most secure form of storage when compared to hot or cold wallets, but they do limit the accessibility of funds. They also require physical storage security protocols to be implemented.
Cryptocurrency storage and key management are fast-growing areas, yet they can often fly under the radar. In order for practitioners to offer a comprehensive suite of crypto or blockchain services, they need to understand these areas, and being able to understand and give advice related to private key management is also necessary.
Sean Stein Smith is a professor at the City University of New York – Lehman College. He also is the chairperson of the NJCPA's Emerging Technologies Interest Group (#NJCPATech). He serves on the Advisory Board of the Wall Street Blockchain Alliance, where he co-chairs the Accounting Work Group. Sean is on the Advisory Board of Gilded, a...