On Jan 29, 2019, Yusuf Hussain, the head of risk at Gemini, announced that the cryptocurrency exchange had become the first to successfully complete a SOC 2 Type 1 Review.
The review was performed by accounting firm Deloitte and Touche LLP. While this might seem like an important accomplishment, there are a series of other issues which seem to subtract from the overall ‘success’ of this event.
What is the SOC 2 Type 1 Review?
In June 2011, the American Institute of Certified Public Accountants (AICPA) released three different System and Organization Controls (SOC) reports for service organizations like Gemini:
- SOC 1 is used to evaluate how the controls of a service organization affect a user’s financial statements. It is completed for an organization’s management team, users, and auditors.
- SOC 2 reports evaluate a service organization based on five Trust Services defined and developed by the AICPA and Canadian Institute of Chartered Accountants:
  - Security of the system against unauthorized access,
  - Availability of the system for user operation based on prior commitments and agreements,
  - System Processing Integrity to ensure proper completeness, accuracy, timeliness, and authorization of tasks performed,
  - Online Privacy to ensure that all obtained personal information from e-commerce is collected, used, disclosed, and retained according to prior commitments or agreements, and
  - Confidentiality of information to ensure that user data is protected according to prior commitments or agreements.
- SOC 3 reports evaluate similar information as SOC 2 reports without the same level of detail. Instead, these are presented for general audiences, whereas usage of SOC 2 reports is restricted to the management team of a service organization, its users, regulators, and other defined entities. After a successful SOC 3 report, a seal is often issued to be displayed on an organization’s website. These reports and the issued seal are often used for marketing purposes.
SOC 1 and 2 reports come in two different types. Type 1 reports evaluate a service organization at a specific point in time whereas Type 2 reports evaluate the effectiveness of an organization’s controls over a period of at least six months.
Problems with Gemini
Gemini completed a SOC 2 Type 1 report. It is the first cryptocurrency exchange to do so; however, this accomplishment may not be as big of a deal as Hussain and Gemini are making it out to be. While the Type 1 report was successfully completed, no Type 2 report has been completed or announced.
This means that Gemini’s security, availability, processing integrity, online privacy, and confidentiality were examined at a given moment but not over a significant period of time. No short or long-term efficacy can be determined based on the completed report alone.
There are three other possible issues with Gemini beyond the limits of the Type 1 report:
Gemini is a Centralized Private Company
Cryptocurrencies were originally designed with the intention of decentralization. For example, Bitcoin (BTC) was developed to serve as an alternative to fiat currencies which required the mediation of peer-to-peer transactions by centralized third-party financial institutions.
As cryptos have evolved beyond currency alone, the focus on decentralization has increased to warrant the articulation of the Nakamoto Theory of Decentralization. This Theory holds that cryptocurrencies and other cryptoassets are to be developed and used in such a way as to remove centralized intermediaries, authorities, owners, and influences by making all forms of centralization a redundancy.
Gemini is founded and owned by brothers Cameron and Tyler Winklevoss. Their ownership and authority are centralized. As a result, Gemini violates the Nakamoto Theory of Decentralization.
This becomes especially apparent when the existence of decentralized exchanges (DEXs), which uphold the Nakamoto Theory, is accounted for. Instead of creating new forms of centralization like Gemini, DEXs encourage and support decentralization as fundamental to the proper functioning of true cryptocurrencies and other cryptoassets.
Currently, there are only a limited number of options available on Gemini: BTC, Bitcoin Cash (BCH), Ethereum (ETH), Litecoin (LTC), Zcash (ZEC), and the Gemini Dollar (GUSD), a stable-coin developed by Gemini for use on the Gemini platform.
All, except GUSD, are true cryptocurrencies. No other type of cryptoasset can be bought or sold on the exchange. Other centralized exchanges like Binance and Coinbase, however, offer a much wider selection.
Presentation of Cryptocurrency as Security
The five cryptocurrencies available on Gemini are being used outside of their intended and defined purpose. Cryptocurrencies are to be used as currencies. On Gemini, however, they are being traded as securities.
BTC, BCH, ETH, LTC, and ZEC were not created for the purpose of exchange. Their value was not supposed to be based on their exchange rate to the dollar or other fiats. They were developed to be used as currency in real-world settings with their use-value based on their actual use as currency. When Gemini and other exchanges present cryptocurrencies as little more than an exchangeable asset, they showcase an improper use.
At first glance, it may seem impressive that Gemini passed the SOC 2 Type 1 review. After all, as Hussain points out, they are the first to do so. When Gemini is investigated more thoroughly, however, various issues and problems seem to suggest that this ‘accomplishment’ is not as great an accomplishment as it may seem.
Do you think passing the SOC 2 Type 1 review is as big an accomplishment for Gemini as Hussain makes it out to be? Let us know your thoughts in the comments below!