Please ensure Javascript is enabled for purposes of website accessibility

Cryptobros Celebrate the GAO Shooting Down a Sneaky SEC Staff Accounting Bulletin

woman with bitcoins inexplicably over her eyes

Call them worthless bureaucrats if you must but the US Government Accountability Office (GAO) just made a bunch of friends in the crypto space this week with its decision on Staff Accounting Bulletin No. 121 issued by the SEC in March of last year.

Without getting too deep into it, said bulletin provided interpretive guidance on how covered entities should account for and disclose their custodial obligations to safeguard cryptoassets held for their platform users. Resident SEC contrarian Hester Peirce naturally objected to the whole thing calling it ” yet another manifestation of the Securities and Exchange Commission’s scattershot and inefficient approach to crypto.” In her criticism she also noted that a bulletin was probably not the correct vehicle through which to issue this guidance and communicate it to the public.

She said:

SAB 121 is unusual among SABs in that it provides definitive interpretive guidance for a very specific, very limited number of public companies. SAB 121 is also unusual among SABs in the detailed description of disclosure the staff expects to see, including a full paragraph describing relevant disclosures that “may also be required outside the financial statements under existing Commission rules.” While past SABs have included statements suggesting companies should consider the applicability of other disclosure requirements outside of the financial statements, SAB 121’s granular guidance is unique. The SAB, as a staff statement, is not enforceable, but much of the language in the document reads as if it is. For example, SAB 121 tells affected companies they do not have to issue a restatement and gives them a transition period so that they do not have to apply the guidance immediately.

In other words, and this is what the GAO found, the bulletin had all the appearance of being a legitimate rule and if they’re going to issue a rule or rule-like guidance the SEC is required to run it through Congress pursuant to the Congressional Review Act (CRA) or the Comptroller General. They did not. To be fair, the SEC did say “the statements in staff accounting bulletins are not rules or interpretations of the Commission, nor are they published as bearing the Commission’s official approval” in the bulletin.

The bulletin says:

The interpretations in this SAB express views of the staff regarding the accounting for entities that have obligations to safeguard crypto-assets held for their platform users.[1] In recent years, the staff has observed an increase in the number of entities that provide platform users with the ability to transact in crypto-assets. In connection with these services, these entities and/or their agents may safeguard the platform user’s crypto-asset(s) and also maintain the cryptographic key information necessary to access the crypto-asset. The obligations associated with these arrangements involve unique risks and uncertainties not present in arrangements to safeguard assets that are not crypto-assets, including technological, legal, and regulatory risks and uncertainties. Specifically:

  • Technological risks – there are risks with respect to both safeguarding of assets and rapidly-changing crypto-assets in the market that are not present with other arrangements to safeguard assets for third parties;
  • Legal risks – due to the unique characteristics of the assets and the lack of legal precedent, there are significant legal questions surrounding how such arrangements would be treated in a court proceeding arising from an adverse event (e.g., fraud, loss, theft, or bankruptcy); and
  • Regulatory risks – as compared to many common arrangements to safeguard assets for third parties, there are significantly fewer regulatory requirements for holding crypto-assets for platform users or entities may not be complying with regulatory requirements that do apply, which results in increased risks to investors in these entities.

These risks can have a significant impact on the entity’s operations and financial condition. The staff believes that the recognition, measurement, and disclosure guidance in this SAB will enhance the information received by investors and other users of financial statements about these risks, thereby assisting them in making investment and other capital allocation decisions.

Footnote [1] reads: This SAB expresses no view with respect to any other questions that these activities may raise for any of the entities involved, including the applicability of the registration or other provisions of the federal securities laws or any other federal, state, or foreign laws.

TLDR SAB 121 requires a reporting entity that performs crypto asset custodial activities, whether directly or through an agent acting on its behalf, to record a liability with a corresponding asset.

In its decision, the GAO concluded the bulletin is a rule for purposes of CRA. To come to that conclusion the GAO considered whether it meets the definition of a rule under Administrative Procedure Act (APA), which states that a rule is “the whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy or describing the organization, procedure, or practice requirements of an agency.”CRA excludes three categories of rules from coverage: (1) rules of particular applicability; (2) rules relating to agency management or personnel; and (3) rules of agency organization, procedure, or practice that do not substantially affect the rights or obligations of non-agency parties. In its response to the GAO, SEC maintained that the bulletin is not subject to CRA because it does not meet the APA definition of a rule as it is not an “agency statement” of “future effect.”

Said GAO:

The Bulletin meets the APA definition of a rule. First, the Bulletin is an agency statement because it was published on SEC’s official, public-facing website as a representation of the views held by its own employees. Second, the Bulletin is of future effect because it explicitly states that it applies to certain entities and contains “guidance for [these] entities to consider when they have obligations to safeguard crypto-assets held for their platform users.” Bulletin. From this, we ascertain that SEC intended the Bulletin’s guidance to apply prospectively to covered entities’ future accounting and disclosure practices. Lastly, the Bulletin interprets and prescribes policy because it announces a preference for how covered entities should account for and disclose crypto-asset-related custodial obligations.


Having concluded that the Bulletin meets the APA definition of a rule, we next consider whether any of the three CRA exceptions apply. We conclude that none apply. First, the Bulletin is a rule of general applicability because it neither identifies specific entities by name nor does it address specific actions for a named entity to take.[9] Second, the Bulletin concerns actions that covered entities should take, rather than actions that SEC management or personnel should take, and is, therefore, not a rule of agency management or personnel.[10] This leaves the third exception, the exception for rules of “agency organization, procedure, or practice that do[] not substantially affect the rights or obligations of non-agency parties.” 5 U.S.C. § 804(3)(C). The Bulletin does not qualify for this last exception because it has a substantial impact on its regulated community.

Reaction to the GAO decision in the crypto space has been strong. The decision does not rescind the bulletin but it does open up the SEC for scathing criticism and probably lawsuits.