A crypto exchange publishes a proof-of-reserves attestation showing $10 billion in wallet balances. The market reads safety. A risk committee should read something different: a single data point, frozen in time. PoR confirms asset control at a moment in time and says nothing about liabilities, legal claims, liquidity under stress, or survival probability.
What Proof of Reserves Actually Measures and What It Misses
Proof of reserves (PoR) is a verification procedure, usually performed by a third-party attestation firm, that confirms an entity controls certain assets at a specific point in time. It is a narrow transparency exercise. It is not a solvency assessment, a stress test, or a substitute for financial statement analysis.
Proof of Reserves Confirms Asset Control at One Moment in Time
A well-executed PoR engagement can demonstrate that a platform holds cryptographic control over specific wallet addresses and that those wallets contain a stated quantity of assets. That is a useful signal, particularly in a market where some operators have fabricated reserve figures outright. But wallet control is not financial health, and proving that assets exist does not answer the question institutions actually care about: can this counterparty meet all of its obligations?
Proof of Reserves Does Not Scope Liabilities or Off-Balance-Sheet Obligations
The most significant limitation of PoR is what it omits. A reserve attestation typically does not scope the entity's full liability structure, including off-balance-sheet obligations, contingent claims, intercompany loans, or subordination arrangements. The PCAOB warned directly that proof-of-reserve reports are "inherently limited" and that customers should "exercise extreme caution" when relying on them to conclude there are sufficient assets to meet customer liabilities.
A firm can appear fully reserved while carrying undisclosed debt, pending litigation, or senior creditor claims that would subordinate customer deposits in an insolvency. Without a complete view of liabilities, reserve figures lack the context needed for a credit judgment.
Reserve Attestations Cannot Predict Solvency Under Redemption Stress
Counterparty risk is fundamentally a question about survival under adverse conditions. PoR says nothing about what happens when a platform faces a surge in redemptions, a collapse in the value of illiquid collateral, or the loss of a banking partner. An entity can show 1:1 reserves on a Tuesday and face a funding crisis by Thursday if those reserves are concentrated in assets that cannot be liquidated quickly enough to meet withdrawal demand.
Four Risks That Proof of Reserves Does Not Address
Institutions setting counterparty exposure limits need four categories of information that PoR does not provide.
Undisclosed Debt and Contingent Claims Are Invisible to PoR
The SEC's Chief Accountant, Paul Munter, stated plainly that "non-audit arrangements are neither as rigorous nor as comprehensive as a financial statement audit and may not provide reasonable assurance to investors". PoR attestations fall squarely into the category of limited-scope assurance work. Decision-makers routinely treat narrow attestation work as comprehensive assurance. It isn't.
A risk committee reviewing a PoR report might reasonably ask: does this tell us the entity is solvent? The answer is no. It tells you certain assets were present at attestation time. Liabilities, encumbrances, and claim priority require a different scope of work entirely.
Quarterly Attestations Create 90-Day Windows of Undetected Deterioration
Crypto markets operate continuously. Liquidity conditions, reserve compositions, and withdrawal patterns can shift materially in hours. A PoR attestation captures a single moment, often with the attestation date known in advance by the entity being attested. The interval between snapshots creates a window where deterioration goes undetected.
For institutions managing real-time exposure, a monthly or quarterly attestation is structurally insufficient. Risk committees need to know whether reserves exist today, and whether they will hold under the specific stress scenarios their models contemplate.
Bankruptcy Remoteness and Creditor Priority Are Not Covered by PoR
Even where reserves demonstrably exist, the legal question of who owns them in a default scenario is often unresolved. Brookings has argued that reserve assets of a payment stablecoin should be segregated and prioritized in bankruptcy so holders can still access funds if the issuer fails. In practice, many crypto entities operate in jurisdictions where segregation requirements are ambiguous or unenforced.
Reserves held in commingled omnibus accounts at a bank, mixed with operating funds, may not be recoverable by the customers they supposedly protect. PoR does not answer questions about bankruptcy remoteness, asset segregation, or creditor priority.
Governance Failures and Key-Person Risk Have Driven Most Major Crypto Collapses
PoR also says nothing about the operational capacity of a counterparty to actually process redemptions, maintain custody controls, respond to incidents, or manage key-person dependencies. Governance failures, inadequate internal controls, and concentrated decision-making authority have been at the center of many crypto failures. None of these operational risks appear in a wallet balance verification.
Why Stablecoin Depegs Expose the Limits of Reserve Attestations
If PoR were sufficient anywhere in crypto, it would be in stablecoins, where the entire value proposition rests on the idea that every token is backed by high-quality reserves. Yet stablecoins are precisely where reserve visibility has proven most incomplete as a risk framework.
Reserve Quality, Duration, Liquidity, Concentration, Determines Real Redemption Capacity
A stablecoin issuer can hold $1 in reserves for every $1 in circulation and still pose material risk if those reserves are concentrated in illiquid assets, held at a single custodian, or subject to encumbrance. Reserve quality spans duration, credit quality, liquidity profile, and concentration. These characteristics determine whether backing assets can actually be converted to meet redemptions under stress, and quantity alone does not answer that question.
Stablecoin Holders Carry Issuer, Custodian, and Redemption Mechanic Risk Simultaneously
Stablecoin holders depend on a chain of counterparties: the issuer, the reserve manager, the custodian banks, and the audit or attestation firms. If any link in that chain fails, reserve existence becomes irrelevant. Agio Ratings frames stablecoin risk as a composite of issuer solvency, reserve quality and liquidity, redemption mechanics, and legal or regulatory enforceability, because no single factor captures the full exposure.
The Wolfsberg Group, an association of 12 member banks that develops frameworks and guidance for the management of financial crime risks, has recommended that banks apply a financial crime risk framework to operating accounts, reserve management, and client settlement for fiat-backed stablecoin issuers. That guidance reflects a recognition that reserve custody alone does not constitute adequate oversight.
A Better Framework for Institutional Crypto Counterparty Risk
The right approach keeps PoR as one input and builds a full counterparty framework around it. Institutions need a layered approach that starts with forward-looking credit analysis and incorporates ongoing surveillance.
Probability of Default Gives Institutions a Forward-Looking Credit Signal
Traditional credit analysis centers on estimating the probability that a counterparty will fail to meet its obligations over a defined time horizon. That framework translates directly to crypto counterparties, where the relevant question is not "do they have assets today" but "what is the likelihood they default in the next 30, 90, or 360 days." Probability of default integrates data on assets, market signals, behavioral indicators, and structural risk factors into a single forward-looking measure that maps to limit-setting and underwriting decisions.
PoR may help an institution reach a binary judgment (comfortable or uncomfortable with a counterparty), but it does not translate into a pricing input, an exposure haircut, or a capital allocation decision. Probability of default (PD) and loss given default (LGD) address that gap directly. When combined into an expected loss estimate, PD and LGD give risk teams a quantitative basis for haircutting exposures, comparing venues on a risk-adjusted basis, and determining how much capital to hold against a given counterparty position.
Agio Ratings provides real-time probability-of-default monitoring for crypto counterparties, combining on-chain data with traditional financial indicators to produce quantitative, forward-looking risk probabilities of defaults and loss given defaults. For risk committees accustomed to PD-based frameworks in traditional finance, Agio's approach translates directly into existing governance workflows.
Continuous Monitoring Closes the Gap Quarterly Attestations Leave Open
A quarterly PoR attestation creates a 90-day gap in visibility. In crypto markets, 90 days is a long time. Digital asset risk monitoring that tracks on-chain flows, reserve balances, withdrawal patterns, and market-implied risk signals provides the kind of ongoing surveillance that banks and insurers already expect for traditional counterparties. Agio's daily monitoring cadence reflects the reality that crypto counterparty risk does not pause between attestation dates.
Full Balance Sheet Analysis: Reserve Quality Plus Liability Structure
Where reserve data is available, it should be used, but alongside a corresponding view of liabilities. A useful framework evaluates asset quality, concentration, and liquidity on one side of the balance sheet. On the other side, it evaluates liability structure, maturity profile, contingent claims, and subordination. PoR captures a partial view of one side of the balance sheet. A useful risk framework requires the other side too.
Jurisdiction, Licensing Status, and Governance Are Material Counterparty Risk Inputs
Jurisdiction, licensing status, bankruptcy treatment of customer assets, board composition, key-person risk, and regulatory compliance history are all material inputs to a counterparty risk assessment, none of which appear in a PoR attestation. A defensible due diligence framework incorporates these factors alongside quantitative analysis.
How Banks, Insurers, and Trading Firms Should Apply This Framework
Translating the argument into operational terms requires different emphasis depending on the institution type.
For banks
Banks extending services to crypto entities, whether as custodians, correspondents, or lending counterparties, should document their counterparty risk framework at the policy level and ensure it is approved by the relevant risk committee. Qualified custody assessments, PD-based exposure limits, and defined escalation triggers (such as a material change in a counterparty's PD score or a regulatory action) provide a governance structure that PoR alone cannot support. PoR can be one input into that framework, but it should not be the primary or sole basis for an exposure decision.
For insurers
Underwriting crypto-related risks, whether for custody insurance, directors and officers coverage, or crime policies, requires a default probability estimate that reflects the forward-looking risk profile of the insured entity. Reserve attestations do not provide that estimate. Insurers should evaluate reserve access assumptions under claims scenarios, including whether reserves would actually be available to policyholders in an insolvency, and incorporate PD-based monitoring into their portfolio surveillance.
For trading firms and allocators
Firms routing order flow through crypto venues or allocating to crypto strategies face venue and counterparty exposure concentration risk. Practical controls include venue-level exposure limits tied to quantitative risk scores, diversification across counterparties, monitoring cadence that matches the speed of the underlying markets, and pre-defined contingency plans for counterparty deterioration. A PoR report from a venue is worth reviewing, but it should not substitute for independent, continuous risk assessment.
Expected loss estimates (PD multiplied by LGD multiplied by exposure at default) give trading desks and allocators a concrete basis for haircutting balances held at each venue, comparing the risk-adjusted cost of routing through one counterparty versus another, and sizing positions relative to counterparty quality. PoR alone offers no framework for that arithmetic. Firms should also consider how crypto compliance obligations intersect with their counterparty selection and monitoring processes.
How Agio Ratings Delivers Real-Time Probability of Default for Crypto Counterparties
Agio Ratings calculates daily probability-of-default estimates for crypto counterparties, including exchanges, custodians, lenders, and stablecoin issuers. These forward-looking, quantitative risk signals map directly to existing bank, insurer, and trading firm governance frameworks.
By combining on-chain indicators with traditional financial metrics, Agio produces ratings that reflect real-time conditions rather than quarterly snapshots. For risk committees evaluating whether to onboard, maintain, or reduce exposure to a crypto counterparty, Agio provides a defensible, auditable basis for that decision.
Proof of Reserves Is One Input. Counterparty Risk Management Requires More.
Agio Ratings provides the quantitative, real-time PD layer that institutional crypto risk management has been missing. The PCAOB, the SEC, and major risk analytics providers have all reached the same conclusion: narrow attestation work should not be conflated with comprehensive financial assurance.
Institutions that treat PoR as sufficient are effectively running a counterparty risk program with a single, static, backward-looking input that cannot be translated into a haircut, an expected loss adjustment, or a risk-adjusted valuation of their exposed balances. A stronger framework combines probability of default, continuous monitoring, full balance sheet analysis, and legal and governance review into a layered assessment that reflects how credit risk actually works.
For banks, insurers, and trading firms building defensible crypto counterparty programs, the question is no longer whether reserves exist. The question is whether the counterparty will still be standing when it matters.
