22-2, SEC Issues Staff Accounting Bulletin on Accounting for Obligations to Safeguard Crypto-Assets (April 6, 2022; Updated July 28, 2022)

SEC Issues Staff Accounting Bulletin on Accounting for Obligations to Safeguard Crypto-Assets

by Amy Park, Macaela Karnick, Amy Steele, Yoland Sinclair, Tony Goncalves, and Doug Rand, Deloitte & Touche LLP

This publication was updated on July 28, 2022, to reflect recent discussions the AICPA Digital Assets Working Group has had with the SEC staff as well as updated Q&As in the AICPA Practice Aid Accounting for and Auditing of Digital Assets (the “AICPA Practice Aid”).

Overview

On March 31, 2022, the SEC issued Staff Accounting Bulletin (SAB) No. 121 (SAB 121), which:

Provides the SEC staff’s view that it would be appropriate for an entity that has an obligation to safeguard crypto-assets to record a liability and corresponding asset on its balance sheet at the fair value of the crypto-assets.
Adds Section FF to SAB Topic 5;1 this section includes “interpretive guidance for entities to consider when they have obligations to safeguard crypto-assets.”

Background

The SEC staff has recently observed an increase in the number of entities that give users the ability to transact crypto-assets and provide a service to safeguard these assets. Currently, there is diversity in practice related to how entities disclose their obligations to safeguard crypto-assets. In the SEC staff’s view, there are unique risks and uncertainties (e.g., technological, legal, regulatory2) associated with safeguarding crypto-assets. Accordingly, the SEC staff released SAB 121 because the staff believes that it will “enhance the information received by investors and other users of financial statements about these risks, thereby assisting them in making investment and other capital allocation decisions.”

The SAB includes an example (reproduced in the Accounting Considerations section below) illustrating an entity that “safeguard[s] crypto-assets held for platform users”; however, an entity does not need to operate a platform to have an obligation to safeguard crypto-assets.3

Scope Considerations

SAB 121 applies to entities that file with the SEC under either U.S. GAAP or IFRS® Accounting Standards, as applicable. Further, the SAB applies to a public business entity that safeguards crypto-assets, whether safeguarding is provided by the entity or by an agent acting on behalf of the entity.

SAB 121 describes the term “crypto-asset” as follows:

For purposes of this SAB, the term “crypto-asset” refers to a digital asset that is issued and/or transferred using distributed ledger or blockchain technology using cryptographic techniques.

Although the determination of whether an entity has an obligation to safeguard crypto-assets will depend on an entity’s specific facts and circumstances, the AICPA Practice Aid contains a nonexhaustive list of factors an entity may consider when determining whether it has a safeguarding obligation. Specifically, these factors may include:4

“The nature [and level] of the entity’s involvement (including that of its agents) with the safeguarded assets” (e.g., flow of transactions, recordkeeping, customer services).
“The contractual terms of the arrangement with the third party whose assets are being safeguarded [or] other parties involved in the safeguarding of the assets.”
“The perception of the third parties whose ‘crypto-assets’ are being safeguarded.”

All entities that have an obligation to safeguard crypto-assets should record a liability and corresponding asset on their balance sheet at the fair value of the crypto-assets. Accordingly, in certain situations, more than one entity may recognize a safeguarding liability for the same crypto-assets (i.e., custodian and sub-custodian).5

Further, SAB 121 applies when an entity’s financial statements are filed with the SEC in accordance with SEC Regulation S-X, Rules 3-05 and 3-09.6

Connecting the Dots

SAB 121 includes specific transition guidance for certain private companies whose financial statements are filed with the SEC. (See the Transition section below.) Furthermore, private companies that are considering an initial public offering should consider the potential impact of SAB 121 on their financial statements, footnotes, and disclosures as well as the related internal controls over financial reporting (ICFR).

Accounting Considerations

The interpretive guidance in SAB 121 dictates that if an entity is responsible for safeguarding crypto-assets, the entity should record a liability on its balance sheet for its obligation to do so (this liability is hereafter referred to as a “safeguarding liability”). The safeguarding liability should be “measured at initial recognition and each reporting date at the fair value of the crypto-assets.” In determining the fair value of the crypto-assets, the entity should apply ASC 8207 or IFRS 13,8 as applicable.

An entity should record a corresponding asset at the same time as it records the safeguarding liability. This asset is similar to an indemnification asset as described in ASC 805 and IFRS 39 (hereafter referred to as a “safeguarding asset”) and should be measured at the fair value of the crypto-assets held. Changes in the fair value of the safeguarding liability and safeguarding asset may be recognized within the same line item in the income statement. In a manner similar to that described in the guidance in ASC 805 and IFRS 3, the measurement of the safeguarding asset would also factor in any potential loss events, which would be reflected in the income statement. If no potential loss events occur in a given reporting period, there would be no net effect on the income statement (i.e., net zero impact).10

To illustrate how to apply the guidance, SAB 121 adds the following example to SAB Topic 5.FF:

Facts: Entity A’s business includes operating a platform that allows its users to transact in crypto-assets. Entity A also provides a service where it will safeguard the platform users’ crypto-assets, including maintaining the cryptographic key information necessary to access the crypto-assets. Entity A also maintains internal recordkeeping of the amount of crypto-assets held for the benefit of each platform user. Entity A secures these crypto-assets and protects them from loss or theft, and any failure to do so exposes Entity A to significant risks, including a risk of financial loss. The platform users have the right to request that Entity A transact in the crypto-asset on the user’s behalf (e.g., to sell the crypto-asset and provide the user with the fiat currency (cash) proceeds associated with the sale) or to transfer the crypto-asset to a digital wallet for which Entity A does not maintain the cryptographic key information. However, execution and settlement of transactions involving the platform users’ crypto-assets may depend on actions taken by Entity A.

Question 1: How should Entity A account for its obligations to safeguard crypto-assets held for platform users?

Interpretive Response: The ability of Entity A’s platform users to obtain future benefits from crypto-assets in digital wallets where Entity A holds the cryptographic key information is dependent on the actions of Entity A to safeguard the assets. Those actions include securing the crypto-assets and the associated cryptographic key information and protecting them from loss, theft, or other misuse. The technological mechanisms supporting how crypto-assets are issued, held, or transferred, as well as legal uncertainties regarding holding crypto-assets for others, create significant increased risks to Entity A, including an increased risk of financial loss. Accordingly, as long as Entity A is responsible for safeguarding the crypto-assets held for its platform users, including maintaining the cryptographic key information necessary to access the crypto-assets, the staff believes that Entity A should present a liability on its balance sheet to reflect its obligation to safeguard the crypto-assets held for its platform users.

As Entity A’s loss exposure is based on the significant risks associated with safeguarding the crypto-assets held for its platform users, the staff believes it would be appropriate to measure this safeguarding liability at initial recognition and each reporting date at the fair value of the crypto-assets that Entity A is responsible for holding for its platform users. The staff also believes it would be appropriate for Entity A to recognize an asset at the same time that it recognizes the safeguarding liability, measured at initial recognition and each reporting date at the fair value of the crypto-assets held for its platform users. [Footnotes omitted]

Connecting the Dots

Generally, an entity currently does not report the crypto-assets of its users on its balance sheet unless the entity has control over those assets.11 SAB 121 does not remove the requirement related to determining whether an entity has control over the crypto-assets.12 However, if an entity does not have control over the crypto-assets but has determined that it has a safeguarding obligation, the SAB’s interpretive guidance will result in a significant change to the accounting and financial reporting for these entities, since the fair value of the crypto-assets will now be recorded as a liability, along with a corresponding asset, when an entity does not control the crypto-assets.

The safeguarding asset is not the crypto-asset itself and therefore would not be recognized as an intangible asset as is the common practice when an entity accounts for certain crypto-assets13 like bitcoin that the entity controls. ASC 350 requires an entity to initially measure the intangible asset at cost; when controlled, the asset would also be subject to impairment. The accounting for these crypto-assets is not discussed in the SAB since the safeguarding asset in the SAB is not the crypto-asset. Rather, the safeguarding asset would be recorded at the fair value of the crypto-assets held. The entity would factor in potential loss events (e.g., theft, loss of the private key, loss of the crypto-asset, cybersecurity hacks) that could affect the measurement of the safeguarding asset. The occurrence of such a loss event would result in a difference between the safeguarding asset and the safeguarding liability.

Example

Entity A has an obligation to safeguard crypto assets. The fair value of the crypto-assets being safeguarded is $100,000. During the second quarter of 20X2, A loses some of the private keys for certain wallets. Entity A has determined that the lost private keys control 10 percent of the customers’ crypto-assets and therefore has resulted in a loss of 10 percent of the safeguarded crypto-assets. Under such circumstances, provided that the fair value of the crypto-assets being safeguarded is still $100,000, A would recognize, as of the second quarter of 20X2, a safeguarding liability of $100,000 and a safeguarding asset of $90,000, with the $10,000 loss recorded in the income statement.

Disclosure

As discussed in the sections below, SAB 121 requires an entity to provide a significant number of additional disclosures related to safeguarding obligations for crypto-assets held.

Financial Statement Footnote Disclosures

The SAB indicates that an entity should disclose the following in the footnotes to its financial statements:

The “nature and amount of crypto-assets that [the entity] is responsible for holding . . . , with separate disclosure for each significant crypto-asset.”
Vulnerabilities “due to any concentration in such activities” (see ASC 275-10-50 and IAS 114).
Fair value disclosures related to the “crypto-asset safeguarding liabilities and the corresponding assets” (see ASC 820 and IFRS 13).
Description of the “accounting for the liabilities and corresponding assets” (see ASC 235-10-50 and IAS 1).

In connection with the above disclosures, entities should also consider disclosing the following:

Who holds the cryptographic key information.
Who maintains the internal recordkeeping of those assets.
Who is obligated to secure the assets and protect them from loss or theft.

Connecting the Dots

Determining the fair value of crypto-assets may be complex. In making this determination, an entity may need to carefully consider how to apply ASC 820 or IFRS 13, as applicable, to these types of assets. For example, the entity may find it challenging to determine its principal market given that crypto-assets generally trade in multiple markets. In addition, these markets trade 24 hours a day, 365 days a year, and do not have a traditional market close. Entities will want to establish a policy related to the critical judgments used in making this determination as well as appropriate controls for maintaining this policy. Further, the determination of whether a loss event has occurred and the value of the loss may be complex; an entity may need to use specialists in making this determination. The AICPA Practice Aid contains additional nonauthoritative guidance related to fair value measurements for crypto-assets that an entity may want to consider.15

Disclosures Outside the Financial Statements

An entity may be required to provide the following disclosures outside its financial statements (i.e., description of the business [see Regulation S-K, Item 10116]; risk factors [see Regulation S-K, Item 10517]; or MD&A [see Regulation S-K, Item 30318]):

“[S]ignificant risks and uncertainties associated with the entity holding crypto-assets.”
If material, “the types of loss or additional obligations that could occur, including customer or user discontinuation or reduction of use of services, litigation, reputational harm, and regulatory enforcement actions.”
“[D]iscussion of the analysis of the legal ownership of the crypto-assets held,” including consideration of what would happen in the event of the entity’s bankruptcy.
“[P]otential impact that the destruction, loss, theft, or compromise or unavailability of the cryptographic key information would have to the ongoing business, financial condition, operating results, and cash flows of the entity.”
If material, “information about risk-mitigation steps the entity has put in place,” such as insurance coverage.

ICFR Considerations

As entities consider SAB 121’s guidance in preparing their financial statements and related disclosures, they should be cognizant of the ICFR implications. Entities that safeguard crypto-assets may have to (1) document new or different judgments (e.g., determinations of fair value) and (2) gather and track information that they may not have previously monitored. As a result, entities may need to create or modify processes, controls, and information systems; assess the reliability of new information; and test the controls. Furthermore, because the safeguarding liability is established on the basis of the risk associated with safeguarding assets held, management’s assessment and the auditor’s attestation, as applicable, may also take into account controls over the safeguarding of assets and the cryptographic key information necessary to access those assets. If a service organization is used to custody the crypto-assets, an entity may need to consider controls at the service organization.

Transition

The SAB 121 transition guidance applicable to an entity will depend on whether it is defined as a public entity or an “other entity” as follows:

Entities that are current SEC filers (hereafter referred to as “public entities”):
1. Entities that file reports in accordance with Section 13(a) or Section 15(d) of the Securities Exchange Act of 1934.
2. Entities that must file periodic and current reports in accordance with SEC Regulation A, Rule 257(b).19
All other entities, including but not limited to (hereafter referred to as “other entities”):
1. Entities that have submitted or filed an initial registration statement under the Securities Act of 1933 or Securities Exchange Act of 1934 that is not yet effective.
2. Entities submitting or filing an offering statement or post-qualification amendment under Regulation A.
3. Private operating companies whose financial statements are included in filings with the SEC in connection with a business combination involving a shell company, including a special-purpose acquisition company.

The table below summarizes the transition requirements for these two types of entities.

Entity Type	Transition	Application for Calendar-Year-End Entities
Public entities	No later than the first interim or annual period ending after June 15, 2022, with retrospective application as of the beginning of the fiscal year to which the interim and annual period is related.	These entities will need to adopt the guidance in SAB 121 no later than their Form 10-Q for the second quarter of 2022, with retrospective application as of January 1, 2022. For the 2022 Form 10-K, the comparative period as of December 31, 2021, will not be required to reflect the recognition of the safeguarding asset and safeguarding liability.
Other entities	In the entity’s next submission or filing with the SEC, if the subsequent interim period includes the application of SAB 121, the SAB applies to the interim period and applies retrospectively to the beginning of the most recent annual period ending before June 15, 2022.	For a registration statement submitted in January 2023, SAB 121 would apply to the 2021 annual financial statements as well as the financial statements for the nine months ended September 30, 2022.
	In the entity’s next submission or filing with the SEC, if the filing does not include a subsequent interim period that reflects the application of SAB 121, the SAB would apply retrospectively to the beginning of the two most recent annual periods ending before June 15, 2022.	For a registration statement submitted in April 2022, SAB 121 would apply to the 2020 and 2021 annual financial statements.

Connecting the Dots

Because of the transition guidance provided, the accounting treatment reflected in the historical financial statements of public entities for the periods before those described in the transition guidance is not considered an error.

Transition Disclosures

An entity will need to consider the following additional disclosures in implementing SAB 121’s transition guidance, since such implementation represents a change in accounting principle:

SAB Topic 11.M (SAB 74)20 disclosures — SAB 74 indicates that a registrant should disclose the effects of recently issued accounting standards that are not yet effective “unless the impact on [the registrant’s] financial position and results of operations is not expected to be material” (footnote omitted). SAB 74 disclosures have been a focus for the SEC staff, and the staff continues to emphasize the importance of providing these transition disclosures. Public entities should evaluate the appropriateness of the SAB 74 disclosures in their Form 10-Q for the first quarter of 2022, in advance of adoption in their Form 10-Q for the second quarter of 2022. In addition, an entity should ensure its ICFR appropriately addresses the transition disclosures.
Disclosures in the financial statements — ASC 250 and IAS 821 require disclosure, in the period in which an accounting change is made, of the nature and reason for the change in accounting principle, the impacts on the financial statements, amounts recognized at transition, a description of prior-period amounts that have been adjusted (if applicable), and any indirect effects of the change in accounting principle.

In applying SAB 121, entities may need to use judgment and consider their specific facts and circumstances in addition to consulting with their accounting advisers, SEC advisers, and legal counsel. Entities should also continue to monitor the evolving legal and regulatory landscape.

Footnotes

SEC Staff Accounting Bulletin Topic 5.FF, “Miscellaneous Accounting; Accounting for Obligations to Safeguard Crypto-Assets an Entity Holds for Its Platform Users.”

This list is not all-inclusive; not all of these risks need to be present for a safeguarding obligation to exist. For more information, see Question 2 in Appendix B of the AICPA Practice Aid.

See Question 3 in Appendix B of the AICPA Practice Aid.

See Question 7 in Appendix B of the AICPA Practice Aid.

See Question 6 in Appendix B of the AICPA Practice Aid.

See Question 9 in Appendix B of the AICPA Practice Aid.

For titles of FASB Accounting Standards Codification (ASC) references, see Deloitte’s “Titles of Topics and Subtopics in the FASB Accounting Standards Codification.”

IFRS 13, Fair Value Measurement.

IFRS 3, Business Combinations.

See Question 8 in Appendix B of the AICPA Practice Aid.

See Question 10 in the AICPA Practice Aid.

An entity should first determine whether it has control over the crypto-assets. If so, SAB 121 does not apply. See Question 4 in Appendix B of the AICPA Practice Aid.

Crypto-assets, as defined in Question 1 of AICPA Practice Aid Accounting for and Auditing of Digital Assets, are accounted for as intangible assets. Note that SAB 121 refers to crypto-assets more broadly than the definition used in Question 1 of the AICPA Practice Aid. See the Scope Considerations section for additional discussion.

IAS 1, Presentation of Financial Statements.

See Questions 16–21 in the AICPA Practice Aid.

SEC Regulation S-K, Item 101, “Description of Business.”

SEC Regulation S-K, Item 105, “Risk Factors.”

SEC Regulation S-K, Item 303, “Management’s Discussion and Analysis of Financial Condition and Results of Operations.”

SEC Regulation A, Rule 257(b), “Tier 2: Periodic and Current Reporting.”

SEC Staff Accounting Bulletin Topic 11.M (SAB 74), “Miscellaneous Disclosure; Disclosure of the Impact That Recently Issued Accounting Standards Will Have on the Financial Statements of the Registrant When Adopted in a Future Period.”

IAS 8, Accounting Policies, Changes in Accounting Estimates and Errors.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.