Proof of reserves: legal expectations of investors and partners


I’ve been running COREDO since 2016 and have seen investor and regulator expectations for corporate capital transparency, from cryptocurrency exchanges to payment providers, grow faster than the technology. Proof of Reserves (PoR) has become more than just a buzzword. It is an infrastructure of trust without which, in 2026, major deals, licensing and the listing of reputable products will be in doubt.

Over the past years the COREDO team has implemented PoR projects in the EU, the UK, Singapore and a number of Asian jurisdictions, often combining this work with licensing of VASPs, payment institutions and custodians, as well as AML consulting. In this article I will systematically lay out how proof of reserves works, how to link it with proof of liabilities, how to embed PoR into corporate governance and regulatory regimes (MiCA, FATF, MAS, AMLD5), and how to assess the ROI of public reserve verification. This is a practical piece aimed at entrepreneurs, CFOs and founders who want to avoid unnecessary iterations and build PoR correctly the first time.

Why Proof of Reserves Is Needed


Investors and clients expect not only public statements about liquidity, but also formal confirmations: attestation reports from independent attestors with a reproducible methodology. In my experience, investors’ legal expectations for proof of reserves already include the regularity of attestations, on-chain verifiability, and linkage to internal controls at the level of SOX-like practices.
Public PoR incidents of 2022–2024 taught the market that a “snapshot” without accounting for liabilities and internal controls is misleading.
That is why proof of liabilities and proof of reserves are inseparable: an investor cares not just about the amount of assets, but also their reconciliation with client liabilities and the company’s own positions.

COREDO’s practice confirms: when PoR is supplemented with verification of liabilities, asset segregation and liquidity stress-tests, market trust in the platform grows measurably: the discount on quotes of tokenized liabilities shrinks and the cost of capital decreases.

How proof of reserves works


PoR is not a single document or a single “script”. It is a set of procedures and cryptographic techniques that provide verifiability of asset ownership and their sufficiency relative to liabilities.

The solution developed at COREDO for clients in the EU usually includes on‑chain verification of addresses, off‑chain reconciliation of balances with custodians’ and banks’ statements, as well as cryptographic commitments to client balances.

Key methods include hash commitments and Merkle tree proofs for aggregating data without disclosing PII, as well as zero‑knowledge proofs (zk‑SNARKs/zk‑STARKs) and range proofs for private verification of balance ranges and concentration limits. We add procedures for confirming address ownership (message signatures), independent verification of reserves by a third‑party attestor and, when necessary, smart contracts for proof of reserves that automate the publication of commitments.

Merkle proof and commitments

A Merkle proof (Merkle tree proof) allows the attestor to verify the inclusion of a specific client balance in the overall commitment without revealing the entire registry.

This approach reduces the risk of data leakage but requires a strict audit trail and chain of custody for artifacts to confirm the integrity of evidence in case of a dispute. The COREDO team embeds formal procedures in the PoR policy for storing root hashes, timestamps and change logs, with notarization of hash commitments in public networks.

Cryptographic commitments are legally meaningful when you document the methodology of their formation and tie them to identifiable events. In reports for investors we describe the data format, the hash algorithm used, sorting and deduplication parameters, as well as the policy for handling “dormant” accounts. This reduces the risk of material misstatement and strengthens the company’s position during legal discovery and disclosure obligations.
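
The inclusion check and liabilities total described in this section, as an added example (not COREDO's code). It goes one step beyond a plain Merkle tree by using a Merkle-sum tree, so the root also commits to total liabilities; the per-client HMAC nonce, the field encoding and the sample ledger are assumptions constructed for illustration.

```python
import hashlib
import hmac

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def nonce_for(secret: bytes, client_id: str) -> bytes:
    """Per-client blinding value (assumed design); handed to that client only."""
    return hmac.new(secret, client_id.encode(), hashlib.sha256).digest()

def leaf(nonce: bytes, client_id: str, balance: int):
    if balance < 0:  # a negative leaf would silently shrink total liabilities
        raise ValueError(f"negative balance for {client_id}")
    return H(b"leaf", nonce, client_id.encode(), str(balance).encode()), balance

def parent(left, right):
    """Each node commits to both child hashes and both child sums."""
    return (H(b"node", left[0], str(left[1]).encode(),
              right[0], str(right[1]).encode()), left[1] + right[1])

def build(ledger: dict, secret: bytes):
    """ledger maps client_id -> balance in smallest units (dict keys are unique)."""
    if not ledger:
        raise ValueError("empty ledger")
    ids = sorted(ledger)  # a documented ordering makes the root reproducible
    level = [leaf(nonce_for(secret, c), c, ledger[c]) for c in ids]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:  # pad odd levels with a zero-sum node
            level = level + [(H(b"pad"), 0)]
            levels[-1] = level
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return ids, levels

def prove(ids, levels, client_id):
    """Sibling (hash, sum, we_are_right_child) at each level, bottom up."""
    idx, path = ids.index(client_id), []
    for level in levels[:-1]:
        sib = level[idx ^ 1]
        path.append((sib[0], sib[1], idx & 1))
        idx //= 2
    return path

def verify(root, nonce, client_id, balance, path) -> bool:
    """Client or attestor check against the published (hash, total) root."""
    if balance < 0 or any(s < 0 for _, s, _ in path):
        return False
    node = leaf(nonce, client_id, balance)
    for sib_hash, sib_sum, is_right in path:
        sib = (sib_hash, sib_sum)
        node = parent(sib, node) if is_right else parent(node, sib)
    return node == root

def covered(root, attested_reserves: int) -> bool:
    """Committed liabilities must not exceed the separately attested reserves."""
    return root[1] <= attested_reserves

# Constructed sample data, not real client balances.
SECRET = b"constructed-operator-secret"
LEDGER = {"client-001": 150_000, "client-002": 0, "client-003": 2_750_000,
          "client-004": 40_000, "client-005": 990_000}
IDS, LEVELS = build(LEDGER, SECRET)
ROOT = LEVELS[-1][0]
PROOF = prove(IDS, LEVELS, "client-003")
```

The sibling sums in a proof leak partial aggregates to the client who receives it; hiding them is what the range proofs discussed in the next section are for.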

Zero‑knowledge proofs: privacy
Zero‑knowledge proof for reserves solves the dilemma: how to show aggregated sufficiency of assets and the absence of adverse elements in the liability structure without disclosing sensitive details.

In COREDO projects we used zk‑SNARKs and zk‑STARKs, as well as range proofs to verify that no balance becomes negative and that the total volume of client liabilities does not exceed the confirmed reserves.

These are privacy‑preserving proofs, compatible with GDPR if the data model is designed properly.

It is important to provide measures for protecting confidentiality when disclosing reserves: pseudonymization, limiting the attestor’s visibility, and a policy for destroying unnecessary copies of data. We integrate these requirements into contracts with auditors and into the data protection impact assessment (DPIA) to minimize the risks of GDPR violations and leakage claims.

Liquidity and capital adequacy
Proof of reserves without proof of liabilities easily turns into marketing.

I insist that the methodology include a calculation of liabilities broken down into: client deposits, borrowed positions, off‑balance guarantees and operational liabilities.

Liquidity checks and stress testing identify the ability to cover outflows under “n‑day” scenarios and price‑correlation shocks.

Where appropriate, we add capital adequacy metrics, asset segregation and confirmation of insurance coverage (for crypto assets and custodial risks).

This approach is especially appreciated by institutional investors: they need to see not only “there are assets”, but also “how quickly you can monetize them to meet obligations”.

On-chain and off-chain: differences and their relationship

On-chain verification of reserves provides transparency: addresses, signatures, public balances. But in reality you have off-chain accounts with custodians, banks and trust structures. Therefore off-chain reconciliation of balances is mandatory: matching statements, confirming the existence of assets with custodians, and aligning dates and timestamps with on-chain snapshots.

In COREDO projects we introduce a «double ledger»: an on-chain sub-ledger with addresses and an off-chain sub-ledger by custody institutions, as well as reconciliation procedures that reflect discrepancies and their resolution.

This reduces oracle risk and oracle vulnerabilities, since there are fewer dependencies on a single source of truth.

When oracles are used, we document oracle attacks and mitigations: provider redundancy, threshold signatures and validation through independent channels.
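
One way to express the double-ledger reconciliation described above, as an added example rather than COREDO's implementation: external evidence (on-chain balances and custodian or bank statements) is matched against the internal book per venue and asset, and evidence dated too far from the snapshot is flagged, since assets can move between venues in the gap. All names, the 15-minute skew window and the sample figures are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal

@dataclass(frozen=True)
class Observation:
    venue: str        # on-chain address label, custodian or bank (hypothetical names)
    asset: str
    amount: Decimal
    as_of: datetime   # block timestamp or statement timestamp

def reconcile(book, observed, snapshot,
              max_skew=timedelta(minutes=15), tolerance=Decimal("0")):
    """book: {(venue, asset): Decimal} internal sub-ledger at snapshot time.
    Returns a list of (key, issue, detail); an empty list means reconciled."""
    breaks, seen = [], {}
    for o in observed:
        key = (o.venue, o.asset)
        if key in seen:  # the same holding must not be evidenced twice
            breaks.append((key, "duplicate_evidence", str(o.amount)))
            continue
        seen[key] = o
        skew = abs(o.as_of - snapshot)
        if skew > max_skew:  # evidence not aligned with the snapshot
            breaks.append((key, "timestamp_skew", str(skew)))
    for key in sorted(set(book) | set(seen)):
        if key not in seen:
            breaks.append((key, "no_external_evidence", str(book[key])))
        elif key not in book:
            breaks.append((key, "unbooked_asset", str(seen[key].amount)))
        elif abs(book[key] - seen[key].amount) > tolerance:
            breaks.append((key, "amount_mismatch",
                           str(seen[key].amount - book[key])))
    return breaks

# Constructed sample data for illustration only.
SNAPSHOT = datetime(2025, 1, 31, 0, 0, tzinfo=timezone.utc)
BOOK = {
    ("cold-wallet-1", "BTC"): Decimal("120.5"),
    ("custodian-A", "BTC"): Decimal("30"),
    ("bank-B", "EUR"): Decimal("1000000.00"),
}
OBSERVED = [
    Observation("cold-wallet-1", "BTC", Decimal("120.5"), SNAPSHOT),
    Observation("custodian-A", "BTC", Decimal("30"), SNAPSHOT + timedelta(hours=6)),
    Observation("bank-B", "EUR", Decimal("999500.00"), SNAPSHOT),
    Observation("hot-wallet-9", "ETH", Decimal("12"), SNAPSHOT),
]
BREAKS = reconcile(BOOK, OBSERVED, SNAPSHOT)
```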

Linking PoR with regulation and AML


As regulation tightens, organizations that link PoR with compliance and AML practices reduce operational risks and increase the likelihood of meeting international requirements.

Below we will examine how the requirements of FATF, AMLD5, MiCA and the MAS approach affect PoR and what changes will need to be made to KYC and monitoring processes.

PoR and AML/KYC: FATF, AMLD5, MiCA, MAS
FATF guidance on virtual assets and regulatory oversight of VASPs form the expectation that public statements about reserves must correlate with AML/KYC programs.

In the EU, AMLD5 applies, along with the MiCA framework, which is preparing to come into full effect; in Singapore, MAS has long expected providers to have strong risk‑based controls.
In COREDO's practice, PoR in the context of compliance means mapping to CDD/EDD policies, transaction monitoring and investigation of sources of funds.

MiCA and proof of reserves mean not just “show the assets”. The regulator expects management of conflicts of interest, disclosure of beneficial ownership, segregation of client funds and independent verification. For Singapore we take into account MAS expectations on management of custodial keys, hot wallet controls, cold storage and multi‑signature custody procedures.

Internal controls and standards
SOX-like internal controls and ISO 27001 information security strengthen the reliability of PoR processes.

SOC 1/SOC 2 reports and PoR attestations cover different dimensions: SOC covers operational and information security controls; PoR covers the existence and sufficiency of assets.

An investor expects both to be present: the SOC report gives confidence in processes, PoR in balances and liquidity.

The COREDO team designs corporate governance policies for transparency: roles and responsibilities of directors, an audit committee, a policy on auditor rotation and the independence of attestors.

Such a foundation helps not only with licensing, but also with M&A transactions and capital raising.

Legal aspects for investors

Legal risks of reserve disclosures are related to incorrect wording, implicit assumptions and a lack of methodological transparency.

The legal consequences of manipulations with PoR include claims for material misstatement, administrative and criminal risks in several jurisdictions.
Director’s liability in cases of errors in PoR underscores the importance of fiduciary duty and oversight by the board.

One must take into account GDPR and data protection: privacy‑preserving proofs, data minimization and the legal correctness of cross‑border transfer.

In cases of cross‑border enforcement, regulators and law enforcement use mutual legal assistance to obtain original data; therefore the audit trail and chain of custody must be impeccable.

In international audits COREDO employs on‑chain forensic accounting to document the sources of assets and the absence of commingling of client funds.

Storage and operational safety

Custody agreements and SLAs should record asset segregation, rights to give instructions, custodian liability and plans for force majeure.

Hot wallet controls and cold storage determine the operational model: limits, replenishment procedures, multi-factor authentication and threshold signatures.

Multi‑signature custody reduces single-point risk, but raises requirements for operational discipline.

Smart contracts for automating PoR require an independent smart contract audit.

We account for oracle risk: signed feeds, fault tolerance, monitoring of deviations and circuit breakers.

For some clients the COREDO team configured real-time monitoring solutions with alerts for anomalies and deviations from liquidity limits.

Attestation frequency and verification

The market is moving from a “quarterly snapshot” to continuous attestation and real‑time metrics.

Snapshot frequency and time‑based metrics should align with portfolio volatility, the type of business, and regulator expectations.

We usually recommend monthly public attestations and daily internal reconciliations, and for high‑risk profiles – semi‑continuous monitoring with on‑chain signals.

Public vs private proof of reserves: a strategic choice.

A public PoR increases market trust but brings legal obligations and disclosure risks; a private one is useful for investors’ and regulators’ due diligence.

The COREDO team helps choose a model taking into account jurisdictions and growth stages (startup vs scale‑up).

How to implement proof of reserves

I start with governance: we appoint a process owner at C‑suite level and approve the PoR policy and areas of responsibility. Next, we inventory on‑chain and off‑chain assets, segregate client and proprietary funds, and set up off‑chain reconciliation. The third block is the cryptographic stack (Merkle tree, commitments, zk proofs), smart contracts and monitoring.

The fourth step is selecting an independent attestor and quality criteria: third‑party attestor independence criteria, absence of conflicts of interest, experience in on‑chain auditing, and rotation procedures (audit firm rotation). The fifth is the legal documents: disclosure rules for investors, a GDPR policy, beneficial ownership disclosure, agreements with custodians, escrow agreements and trust arrangements. We finish with a pilot, make adjustments and move to regular attestations.

Technical and legal checkpoints and documents
Technical PoR checkpoints include: confirmation of address ownership, deduplication of balances, elimination of negative positions, liquidity stress tests, and monitoring of oracle orchestration.

Legal: verification of licensing status (VASP, payment services), corporate governance, allocation of directors’ duties and disclosures.

Documents to request from a PoR partner: the attestation methodology, sample Merkle proofs, the data processing policy, SOC 1/SOC 2 reports, ISO 27001 certificates, insurance policies and templates of the independent auditor's attestation report.

Together with the client, we agree on industry standards and recognition frameworks for PoR so that the reports are comparable internationally.

This matters for M&A, cross‑listings and banking relationships.

The key goal is resilience to legal discovery and cross‑border requests.

Technical debt and scaling
Implementing PoR creates an operational burden: it requires data engineers, cryptographers, compliance officers and internal audit.

Technical debt often accumulates due to storage fragmentation and the lack of a single data catalog.

The solution developed at COREDO uses a single data layer with versioning and quality‑control protocols.

We address scalability challenges in verifying large portfolios with stream processing and sharding of Merkle‑trees.

For multi‑chain architectures we build standardized connectors and a consolidation policy.

This reduces the cost of attestations as the business grows.

How to calculate ROI and benefits

The cost of a proof-of-reserves audit in the EU depends on the scope, cryptography, and the required frequency of checks.

How much implementing PoR costs for an exchange is an architecture question: on‑chain automation increases capital expenditures but reduces the operating costs of attestations. In COREDO projects we perform a cost‑benefit analysis of PoR implementation, taking into account the discount on the cost of capital and insurance terms.

ROI from public verification of reserves is measurable. Clients see increased conversion of institutional wallets, reduced reserve requirements from counterparties, and improved market confidence metrics. We offer ROI metrics for reserve verification: cost of funding, share of deposits from “long” clients, speed of due diligence completion, and coverage of new jurisdictions.

COREDO cases — how it works

In the EU the COREDO team supported a crypto exchange building a MiCA‑compatible architecture. We combined on‑chain commitments, proof of liabilities, ISO 27001 and SOC 2, and synchronized an independent auditor’s attestation report with monthly snapshots. The result – faster alignment with the regulator and fewer questions from the banking partner about correspondent relationships.

For a custodial service in the UK we implemented multi‑signature custody, an asset segregation policy and custody risk insurance. We added privacy‑preserving proofs and range proofs to pass due diligence by large family offices without disclosing the full client register. This allowed the service to obtain insurance coverage on acceptable terms and open accounts with two new custodians.

A payment provider in Cyprus requested proof of reserves for payment providers in conjunction with an electronic money license. Our experience at COREDO showed that regular PoR reduces questions about the liquidity of prepaid liabilities and simplifies limit discussions with partner banks. We integrated PoR with internal treasury limits and stress tests.

In an M&A deal in Singapore we prepared PoR for due diligence, combining forensic accounting on‑chain and off‑chain reconciliation with a trustee. The buyer gained confidence in asset quality, and the seller received a valuation premium for transparency and process manageability.

This case demonstrated how proof of reserves in M&A deals directly affects price.

PoR: investors, insurance, sandbox

Investors require PoR as part of reserve reporting requirements, and insurers require it for assessing risks and pricing policies.

In some EU countries and in Asia, regulatory sandboxes support PoR experiments, especially around zero‑knowledge proofs and smart‑contract automation. The COREDO team participated in such pilots and helped formalize the results in regulatory documentation.

Insurance coverage for crypto assets and escrow‑models benefit from PoR, because information asymmetry is reduced.

For fund managers and custodians this converts into better terms with reinsurers. Systemic PoR increases business predictability, and therefore accelerates capital‑raising transactions.

How to assess third-party attestations

I look at independence (ownership and fee model), competence in on-chain auditing and methodological transparency.

It is important to avoid conflicts of interest among independent attestors and to document rotation criteria.

We check whether the attestor has cross-border enforcement practice and experience with legal discovery.

Industry standards and recognition frameworks for PoR are still fragmented, but benchmarks are already emerging. We map reports to best practices: a clear definition of “reserve”, proof of ownership, inventory of liabilities, stress tests, data policies and reproducibility of computations. Trust benchmarks and market confidence metrics then help track the effect on the market.

Checklists for Entrepreneurs

  • Regulation and licensing: MiCA regulatory implications for exchanges, FATF recommendations on reserve verification, MAS expectations in Singapore, AMLD5 and requirements for exchange service providers.
  • Legal foundations: directors’ fiduciary duties and PoR, custodian liability and contractual obligations, beneficial ownership disclosure, GDPR and cross-border transfers.
  • Technology: Merkle proofs, zk‑SNARKs/zk‑STARKs, cryptographic commitments, oracle risk and mitigations, smart contract audits, real‑time monitoring.
  • Operations: hot wallet controls, cold storage, multi‑signature custody, off‑chain reconciliation, continuous attestation vs periodic checks.
  • Risks: reputational risk in case of PoR falsification, material misstatement and criminal liability, conflicts of interest, legal discovery and disclosure obligations.
  • Economics: cost‑benefit analysis, implementation and audit costs in the EU, ROI metrics for reserve verification, impact on insurance and banking terms.
  • Taxes and borders: cross‑border taxation implications and documentation of the chain of asset ownership.

We turn each item into an action plan and KPIs so that PoR doesn’t remain a “tick-box” report. This approach accelerates licensing and increases readiness for investor due diligence.

PoR: not a report but a system of trust

PoR changes the logic of the dialogue between businesses, investors and regulators.

This is not a one-off publication of a hash root, but an end-to-end process – from the architecture of custodial storage to corporate governance, AML controls and legal reporting.

When PoR is implemented correctly, it lowers the cost of capital, improves insurance terms and opens doors to new jurisdictions.

From years of practice at COREDO I am convinced that a sustainable PoR is built on four pillars: cryptography, compliance, legal certainty and operational discipline.

The COREDO team knows how to assemble these elements into a single system, taking into account the specifics of the EU, the United Kingdom, Singapore, Cyprus, Estonia, the Czech Republic, Slovakia and Dubai.

If you need a reliable and comprehensive approach to proof of reserves, from methodology to attestation report and integration with licensing, we are ready to become your long-term partner and carry the project through to a measurable result.

COREDO – EU Legal & Compliance Services. Expert legal consulting, financial licensing (EMI, PSP, CASP under MiCA), and AML/CFT compliance across the European Union. Headquartered in Prague, we provide seamless regulatory solutions in Germany, Poland, Lithuania, and all 27 EU member states.
