By accessing the FASB documents on this site, you accept and agree to these FASB terms and the website terms as applied to your use of this site or any FASB licensed documents.
SEC Staff Rescinds Guidance on Safeguarding Crypto Assets
On January 23, 2025, the SEC staff issued Staff Accounting Bulletin (SAB) No. 122 which rescinds the interpretive guidance in SAB No. 121 discussed in this article. Please see our Bulletin, SEC Staff Rescinds Guidance on Safeguarding Crypto Assets, for more guidance.
On March 31, 2022, the Securities and Exchange Commission (SEC) issued Staff Accounting Bulletin No. 121 (SAB 121), which expresses the SEC staff’s views on accounting for an entity’s obligations to safeguard crypto assets for another party.
Safeguarding crypto assets presents unique risks and uncertainties, including technological, legal, and regulatory risks. The objective of SAB 121 is to “enhance the information received by investors and other users of financial statements about these risks, thereby assisting them in making investment and other capital allocation decisions.”
This publication discusses scope, recognition, measurement, and disclosures as well as internal control over financial reporting considerations related to SAB 121.
The American Institute of Certified Public Accountants (AICPA) included Appendix B in its AICPA practice aid, Accounting for and Auditing of Digital Assets (AICPA Practice Aid), which discusses insights in a question and answer (Q&A) format on applying SAB 121 based on discussions with the SEC staff. We strongly recommend entities consider the information in Appendix B when applying SAB 121.
SAB 121 defines a crypto asset as “a digital asset that is issued and/or transferred using distributed ledger or blockchain technology using cryptographic techniques.” This definition of a crypto asset is broad and is not limited to cryptocurrencies (for example, bitcoin and ether) that are fungible and used as a medium of exchange. Rather, under this definition, crypto assets can also include stablecoins and nonfungible tokens that exist on the blockchain.
Definition of Crypto Asset Under SAB 121 Is Different From the One in ASC 350-60
The definition of crypto asset in SAB 121 differs from the definition in ASC 350-60, Intangibles—Goodwill and Other—Crypto Assets. The definition of crypto asset in ASC 350-60 includes assets that meet specified criteria. See Section 3.1 of BDO’s publication, Accounting for Cryptocurrencies for more information. For example, nonfungible tokens are not in the scope of ASC 350-60; however, they are considered a crypto asset in SAB 121. Reaching a conclusion about whether an asset meets the definition of a crypto asset under SAB 121 and ASC 350-60 requires the application of professional judgment based on the terms and conditions of the asset.
SAB 121 applies to all entities that file financial information with the SEC under U.S. GAAP or International Financial Reporting Standards and that have a safeguarding obligation for crypto assets. However, as discussed in Q&A 4 of the AIPCA Practice Aid, if an entity controls the crypto assets and, therefore, recognizes such assets on its balance sheet, the entity does not apply SAB 121 to those crypto assets.
Entities that file financial information with the SEC include the following:
- Entities that file reports under Section 13(a) or Section 15(d) of the Securities Exchange Act of 1934 (Exchange Act) and periodic and current reports under Rule 257(b) of Regulation A (SEC Filers)
- Entities that have submitted or filed a registration statement under the Securities Act of 1933 or the Exchange Act that is not yet effective
- Entities that are in the process of submitting or filing an offering statement or post-qualification amendment under Regulation A
- Entities whose financial statements are filed with the SEC in accordance with Rule 3-09 and 3-05 of Regulation S-X
- Private operating entities whose financial statements are included in filings with the SEC in connection with a business combination involving a shell company, including a special purpose acquisition company
SAB 121 does not include guidance on determining whether an entity has a safeguarding obligation for crypto assets. SAB 121 includes an example of an entity that safeguards crypto assets held for its platform users and concludes that the entity’s safeguarding activities are in the scope of SAB 121. However, an entity is not required to operate a platform to be in the scope of SAB 121, as discussed in Q&A 3 in Appendix B of the AICPA Practice Aid. Further, an entity that is acting as an agent on behalf of another entity may be required to apply SAB 121. In such cases, there may be multiple entities in the arrangement that each must apply SAB 121.
Implied promises and perceptions of responsibilities for safeguarding crypto assets may override explicit provisions in agreements intended to limit an entity’s safeguarding risks. For example, a custodial or wallet agreement may include explicit provisions that limit or disclaim the custodian’s liability if the user is a victim of fraud or theft resulting in the loss of crypto assets. However, even so, a custodian could still be exposed to safeguarding risks (and therefore could have a safeguarding obligation) despite the explicit provision in the agreement that is intended to alleviate or mitigate such risks because of the lack of legal precedent on the enforceability of such provisions as well as a perceived view by users that the custodian is the safeguarding obligor and thus responsible for losses.
BDO Insights - Determining whether SAB 121 applies requires judgement
The determination of whether an entity has a safeguarding obligation under SAB 121 depends on facts and circumstances and may require significant judgment. Q&A 7 in Appendix B of the AICPA Practice Aid includes a list (although not exhaustive) of factors to consider in this determination. Entities should consider consulting with advisors if, after reviewing the entity’s facts and circumstances and the factors in Q&A 7, there is still uncertainty about whether SAB 121 applies.
When an entity has an obligation to safeguard crypto assets on behalf of others, it recognizes a liability on its balance sheet for its safeguarding obligation in accordance with SAB 121. The entity also recognizes a corresponding asset similar to an indemnification asset under ASC 805, Business Combinations. The safeguarding asset and liability are initially measured at the fair value of the safeguarded crypto assets. Changes in the fair value of the safeguarding asset and liability may be recorded within the same line item in the income statement. If such changes in the fair value of the safeguarding asset and liability are recognized for the same amount in the same reporting period, there is no effect on the income statement, which will always be the case absent a safeguarding loss. However, upon a safeguarding loss, an entity recognizes a loss on the safeguarding asset without recognizing a corresponding change in the liability, which results in a net loss in income from operations for the difference.
Example 4-1 Safeguarding Loss
Facts
- Entity A has determined it is in the scope of SAB 121 and records the fair value of a user’s crypto assets of $300,000 as a safeguarding asset and liability.
- In December 20X3 a user’s wallet was hacked and 1% (or $3,000) of the user’s safeguarded crypto assets were stolen.
- The crypto assets’ fair value was $300,000 on the date the crypto assets were stolen.
Conclusion & Analysis
- Entity A records a safeguarding loss of $3,000 in its income from operations and reduces the value of the safeguarded asset to $297,000 (fair value of $300,000 on the date the wallet was hacked less the $3,000 of crypto assets stolen).
- Entity A’s safeguarding liability remains at $300,000, the amount initially recorded.
SAB 121 provides the SEC staff’s views on disclosures to include in the notes to the financial statements due to the risks and uncertainties associated with safeguarding crypto assets, including risk of loss. At a minimum, the disclosures should include:
- The nature and amount of crypto assets that the entity is safeguarding, with separate disclosures for each significant crypto asset
- An explanation of vulnerabilities due to any concentrations in such safeguarding activities
- ASC 820, Fair Value Measurement, disclosures for the safeguarding asset and liability
- Description of the accounting for the safeguarding asset and liability
- Information about who is responsible for the recordkeeping of the crypto assets, holding of the cryptographic keys to access the crypto assets, and safeguarding the crypto assets from loss or theft
In addition, the SEC staff indicated that entities may need to consider including disclosures outside the financial statements (for example, in Management’s Discussion and Analysis). Refer to the interpretive response to Question 2 of SAB 121 for examples of these disclosures.
While entities applying SAB 121 must focus on the accuracy of their financial statements, they should not overlook the internal controls necessary to comply with its requirements. Maintaining appropriate controls over the information used to recognize and measure the safeguarding asset and liability and make the required disclosures is critical. This is important even for private companies that do not obtain an audit of internal controls over financial reporting given complexities that may be present regarding the nature of, and the methods used to store, crypto assets. Regardless of the accounting system or underlying processes used by management, without effective internal controls over the completeness and existence of safeguarding assets and obligations, accuracy of the underlying data, and valuation of crypto assets, risks to the financial statements (and to the business) could be left unmitigated.
Each entity should evaluate its unique inherent risks and design and implement effective internal controls to address those risks. This evaluation may include assessing the design and operating effectiveness of controls of service providers and sub-service providers (for example, sub-custodians). In addition, management should consider whether it stores assets safeguarded on behalf of others in commingled public addresses, including whether the assets are commingled with the entity’s own assets, and if so, design controls to address the increased risk associated with that practice.
Examples of relevant controls include:
- Entity-level controls for conducting risk assessments to identify and respond to new risks (Committee of Sponsoring Organizations Principle 9)
- Review of accounting policies to ensure proper recognition, measurement, and presentation, and that proper disclosure guidance is applied
- IT and business process controls over:
- Securing and controlling an entity’s private keys (see our publication Accounting for Cryptocurrencies for more guidance)
- Tracking and reconciling crypto assets held on behalf of others (in segregated or commingled public addresses) between the blockchain and internal books and records
- Tracking customer fund flows, including the timeliness of crypto asset purchases and sales
- Measuring safeguarding assets and obligations (determining the fair value of the underlying crypto assets)
- Identifying and measuring safeguarding losses on a timely basis
- Providing appropriate disclosures
- Service organization controls, including relevant sub-service providers, and relevant complimentary user entity controls - Refer to AU-C Section 402, Audit Consideration of an Entity’s Use of a Service Organization, for more information.
Executive oversight of an entity’s internal controls, stakeholder training, and communication are critical to successfully applying the guidance in SAB 121. As part of those responsibilities, management and those charged with governance (for example, audit committees) should understand the plan for compliance with SAB 121 and confirm that the entity’s controls adequately address these unique risks.