CertainKey

The Regulatory Case for Cryptographic Proof of Reserves

Why SMSF auditors, accountants, and trustees need better evidence for self-custodied Bitcoin — and why the window is closing.

The evidence gap

Exchange-held Bitcoin

  • Holding statement from exchange
  • Type 2 control report (ASAE 3402)
  • Clear ownership and valuation

Self-custodied Bitcoin

  • Signed declaration from trustee
  • Screenshots of wallet balances
  • No standard verification mechanism

Self-custody is permitted and encouraged. But there is no prescribed way for auditors to verify it.

ATO draws the line

Auditing SMSFs with crypto assets — 24 October 2025

"Holding statements or investment summaries alone are not sufficient to confirm market value. You must obtain additional objective, supportable evidence."
Source: ATO, "Auditing SMSFs with crypto assets", QC105714, 24 October 2025

"If you can't verify the crypto asset exists, belongs to the fund, or is reported at market value, you must qualify both Part A and Part B of the audit report if material."
Source: ATO, same guidance

For exchange-held crypto, the ATO prescribes Type 2 reports. For self-custody: silence.

The consequences are real

  • 28 SMSF auditors acted against by ASIC in just 6 months (H2 2025)
  • 12%+ of all SMSF breaches reported to ATO are now Reg 8.02B valuation failures
  • 200+ auditor quality reviews completed by the ATO in FY24-25
  • 41 auditors referred to ASIC from those reviews

Sources: ASIC 26-010MR (29 Jan 2026); ATO SMSF Auditor Compliance Focus 2025

Even exchange evidence is under fire

ATO Stakeholder Group Meeting — 8 July 2025

"[Group members] are starting to see reports for crypto platforms that are called type 2 control reports, but don't really meet the definition."
Source: ATO SMSF Auditors Professional Association Stakeholder Group, Key Messages, 8 July 2025

If exchange-provided evidence is unreliable, self-custody evidence based on screenshots and signed declarations has no chance under scrutiny.

What's coming

  • October 2025: ATO publishes crypto audit guidance — "additional objective, supportable evidence" required
  • January 2026: ASIC acts against 28 SMSF auditors — enforcement is accelerating
  • 31 March 2026: AUSTRAC regulates virtual asset custody services — wallets and key management in scope
  • 16 March 2026: Senate committee reports on Digital Assets Framework Bill — AFSL licensing for platforms
  • 30 June 2026: ASIC no-action letter expires — exchanges must hold AFSL. Evidence gap for self-custody widens
  • 1 July 2026: Tranche 2 AML/CTF — accountants become AUSTRAC reporting entities
  • FY25-26 audits: First full audit cycle under the October 2025 guidance — peak demand for crypto evidence

The gap is widening, not closing

Every regulatory change improves evidence standards for exchange-held crypto while leaving self-custody untouched.

Exchange-held: improving

  • Digital Assets Framework Bill mandates AFSL
  • ASIC sets minimum custody standards
  • AUSTRAC brings exchanges under AML/CTF
  • Type 2 reports (where genuine) provide assurance

Self-custodied: nothing

  • No legislation addresses self-custody evidence
  • No standard verification mechanism
  • AUASB GS 009 has no crypto guidance (last updated June 2020)
  • Auditors left to improvise

The scale of the problem

$3.02 billion in SMSF digital assets as at June 2025 (ATO data)

Even if only 10–20% is self-custodied, that's $300–600 million in assets with no standard audit verification mechanism.

Every one of those funds needs an audit. Every auditor needs evidence.

CertainKey fills the gap

What auditors need

  • Proof the Bitcoin exists (balance)
  • Proof the fund controls it (key ownership)
  • AUD valuation at a specific date
  • Independently verifiable evidence

What CertainKey delivers

  • On-chain balance at a specific block height
  • Cryptographic proof of key control (message signing)
  • AUD valuation sourced from Bitaroo
  • Tamper-proof PDF, verifiable with open-source tools

No funds move. No keys exposed. Data purged after report generation.

The window is closing

The ATO has drawn the line. ASIC is enforcing it. The first full audit cycle under the new guidance lands in FY25-26.

Auditors who can't verify self-custodied crypto must qualify the audit. Trustees who can't provide evidence face contravention reports.

CertainKey gives both sides what they need.

app.certainkey.dpinkerton.com
Example report: app.certainkey.dpinkerton.com/example-report.pdf