May 14, 2025
The Capital Markets Board has published the principles and procedures regarding the obligation for Crypto Asset Service Providers to conduct proof of reserves audits.
An obligation for Crypto Asset Service Provider (“CASP”) platforms to conduct proof of reserves audits was introduced by the Communiqué No. 35/B.1 on Principles of Establishment and Operation, although no regulation setting out the procedures had yet been issued. Accordingly, the Capital Markets Board (“CMB”), with its principle decision dated 08.05.2025 and numbered 30/846 (“Principle Decision”), has determined the principles and procedures to be applied in the mandatory proof of reserves audit processes.
The information systems auditor shall determine two different random dates within the audit period during which the audit will be conducted, and shall obtain the customer asset information tracked in the records held by the CASP on those selected dates, for the purpose of comparing such data with the assets on the distributed ledger network. The selected dates shall not be shared with the crypto asset service provider up until one day prior to the audit date.
A contract regarding the conduct of the proof of reserves audit shall be signed between CASPs and independent information systems audit firms, at the latest within the first month of each audited quarterly period. It is also possible for the contract to be signed collectively to cover the other audit periods of the relevant year. It has been stipulated that a CASP may have the proof of reserves audit conducted by the same firm for a maximum of 12 consecutive periods.
Within the period specified in the signed contract, CASPs shall provide the information systems auditor with the list of crypto assets listed/held as of the audit period, the current value of customer-owned crypto assets, information regarding the networks on which the crypto assets are located, the custody model and access control mechanisms, the list and addresses of wallets where crypto assets are stored, and other information and documents that may be requested by the information systems auditor.
In addition to these items, the platforms shall provide the amounts of customer-owned cash balances, the current value of platform-owned crypto assets and cash balances, the list of custodian institutions the platform works with, and bank and account information regarding cash balances.
All assets held in the platform’s liquid reserve shall be included within the scope of the audit. Additionally, during the audit, the existence of 100% of the crypto assets included in the scope of the audit must be confirmed/verified.
The audit report becomes final upon signature by the responsible chief information systems auditor and is submitted to the chairmanship of the CASP’s board of directors within the first 10 business days following the end of the audit period. The audit report is addressed to the board of directors of the audited CASP and shall not be shared with any party other than the board of directors and the CMB. The Principle Decision also stipulates the minimum elements and information that must be included in the audit report.