Recognition and Measurement
Under SAB 121, if an entity is responsible for safeguarding crypto assets, it recognizes a liability on its balance sheet for its safeguarding obligation. The entity also recognizes a corresponding asset similar to an indemnification asset under ASC 805, Business Combinations. The safeguarding asset and liability are initially measured at the fair value of the crypto assets. Changes in the fair value of the safeguarding asset and liability may be recorded within the same line item in the income statement. If such changes in the fair value of the safeguarding asset and liability are recognized for the same amount in the same reporting period, there is no effect on the income statement, which will always be the case absent a safeguarding loss.
However, upon a safeguarding loss, an entity recognizes a loss on the safeguarding asset without recognizing a corresponding change in the liability, which results in a net loss in income from operations for the difference. For example, assume the fair value of safeguarded crypto assets is initially $300,000. Subsequently, a user’s wallet was ‘hacked’ and its crypto assets were stolen, which was 1% (or $3,000) of all safeguarded crypto assets. The safeguarding asset is reduced by $3,000 and recognized as a loss in income from operations. Assuming the fair value of the crypto assets being safeguarded is still $300,000, the balance of the safeguarding asset is $297,000, and the balance of the safeguarding liability remains $300,000.
Disclosure
SAB 121 provides the SEC staff’s views on disclosures to include in the notes to the financial statements due to the significant risks and uncertainties associated with safeguarding crypto assets, including risk of loss. At a minimum, the disclosures should include:
- Nature and amount of crypto assets that the entity is safeguarding, with separate disclosure for each significant crypto asset
- Vulnerabilities due to any concentrations in such safeguarding activities
- Fair value disclosures required under ASC 820, Fair Value Measurement, for the safeguarding asset and liability
- Accounting for the safeguarding asset and liability
- Information about who is responsible for the recordkeeping of the crypto assets, holding of the cryptographic keys to access the crypto assets and safeguarding the crypto assets from loss or theft
In addition, the SEC staff indicated that entities may need to consider including disclosures outside the financial statements (e.g., MD&A). Refer to interpretive response to Question 2 of SAB 121 for examples of these disclosures.
Adoption
SAB 121 applies to SEC Filers no later than the first interim or annual period ending after June 15, 2022, with retrospective application as of the beginning of the fiscal year to which the interim and annual period is related. For calendar year-end companies, this date was no later than the interim financial statements for the period ended June 30, 2022, with retrospective application as of January 1, 2022.
For all other entities2, SAB 121 is applicable to an entity’s financial statements beginning with the next submission or filing with the SEC, with retrospective application as follows:
Effective Date | Example |
As of the beginning of the most recent annual period ending before June 15, 2022, if the filing also includes a subsequent interim period reflecting application of SAB 121. | Calendar year-end entity A submits a registration statement in January 2023. Such filing includes interim financial statements for the period ended September 30, 2022, in which SAB 121 was applied. SAB 121 also applies to the annual financial statements ended December 31, 2021. |
As of the beginning of the two most recent annual periods ending before June 15, 2022, if the filing does not include a subsequent interim period reflecting application of SAB 121. | Calendar year-end entity B submitted a registration statement in April 2022. That filing did not include any interim financial statements reflecting application of SAB 121. SAB 121 applied to the annual financial statements ended December 31, 2021, and 2020. |
Internal Control Over Financial Reporting
While entities adopting SAB 121 must focus on getting the numbers right in their financial statements, they should not overlook the internal controls necessary to comply with its requirements. Maintaining appropriate controls over the information used to recognize and measure the safeguarding asset and liability and make the required disclosures is critical, even for private companies that do not obtain an audit of internal controls over financial reporting, given complexities that may be present regarding the nature of, and the methods used to store, crypto assets. Regardless of the accounting system or underlying spreadsheets used by management, if there are not effective internal controls over the completeness and existence of safeguarding assets and obligations, accuracy of the underlying data, and valuation of crypto assets, risks to the financial statements (and to the business) could be unmitigated.
Each entity should evaluate its unique inherent risks and design and implement effective internal controls to address those risks. This evaluation may include assessing the design and operating effectiveness of controls of service providers and sub-service providers (e.g., sub-custodians). In addition, management should consider whether it stores assets safeguarded on behalf of others in commingled public addresses, including whether the assets are commingled with the entity’s own assets, and if so, design controls to address the increased risk associated with that practice.
Examples of relevant controls include:
- Entity-level controls over risk assessments to identify and respond to new risks (Committee of Sponsoring Organizations Principle 9)
- Review of accounting policies over the appropriate recognition, measurement, presentation, and disclosure guidance to apply
- IT and business process controls over:
- Securing and controlling an entity’s private keys (see our publication Accounting for the Purchase, Sale and Receipt of Cryptocurrencies for more guidance)
- Tracking and reconciling crypto assets held on behalf of others (in segregated or commingled public addresses) between the blockchain and internal books and records
- Tracking customer fund flows, including the timeliness of crypto asset purchases and sales
- Measuring safeguarding assets and obligations (determining the fair value of the underlying crypto assets)
- Identifying and measuring safeguarding losses on a timely basis
- Providing appropriate disclosures
- Service organization controls, including relevant sub-service providers, and relevant complimentary user entity controls - Refer to AU-C Section 402 – Audit Consideration of an Entity’s Use of a Service Organization for more information.
Executive oversight of an entity’s internal controls, stakeholder training and communication are critical to successfully applying the guidance in SAB 121. As part of those responsibilities, management and those charged with governance (e.g., audit committees) should understand the plan for compliance with SAB 121 and confirm that the entity’s controls adequately address these unique risks.