
Tokenising Real Assets: The Compliance Layer Is the Hard Part

Minting a token that represents a regulated asset is easy. Making it transfer only between allow-listed wallets, support forced redemptions, and reconcile to the cent with an off-chain administrator is where the real engineering lives.

Adrian Vance

Founder & Managing Partner


Tokenisation of real-world assets (funds, treasuries, credit) is one of the more credible institutional uses of public blockchains. The pitch is straightforward: atomic settlement, programmable compliance, and one authoritative record of ownership. In practice the token is the easy 10%. The hard 90% is the compliance and operations layer that lets a regulated product live on a permissionless chain without breaking the rules that make it regulated.

Permissioned transfers, by construction

A regulated security cannot move to just any wallet. Every holder has to be identity-verified, transfers outside permitted jurisdictions must be blocked, and lock-ups and per-investor caps have to be enforced. The cleanest way we have found to do this is a permissioned-token standard where an on-chain identity registry maps wallets to attestations from the issuer's KYC provider, and a modular compliance contract gates every single transfer. The compliance rules are deliberately hot-swappable, because jurisdictions and policies change and you do not want to redeploy the asset every time they do.

The issuer needs power, and that power needs governance

Regulators frequently require that the issuer can freeze tokens or force a transfer — to satisfy a court order, recover from a lost key, or remove a sanctioned holder. That is a lot of power, and concentrating it in one key is both a regulatory and a security failure. We put these privileged actions behind a multisig with role separation between, say, the compliance officer and the treasury desk, and behind a timelock so that any change to the contract itself is visible to the administrator and auditors before it takes effect. Power, but observable and constrained.

Reconcile to the cent, on-chain and off

The administrator of a regulated fund must reconcile on-chain token supply against off-chain assets under management exactly. This is an invariant, and we treat it as one: invariant tests assert that total supply always equals the administrator's recorded units, and the operations console shows a live reconciliation so a break is visible immediately rather than at the next reporting cycle. Settlement is made atomic — cash-in and mint in a single transaction — so there is no window in which the books and the chain disagree.

Pricing comes from a guarded oracle

Subscriptions and redemptions execute at net asset value, which is computed off-chain. Feeding that price on-chain naively is an attack surface and an operational risk. We publish NAV through a signed oracle with multisig control and a staleness guard, so a subscription reverts rather than executing on an out-of-date price. The system fails closed: when in doubt, it does nothing, which on a regulated product is exactly the right default.
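A minimal sketch of the staleness guard described above, as an added example rather than the author's contracts. The contract name, the `publisher` address (assumed to be the multisig, with publication authenticated by caller rather than by verifying a signed off-chain payload), the `maxAge` window and the 18-decimal scaling are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only: every name here is hypothetical.
contract GuardedNavOracle {
    address public immutable publisher; // assumed: the multisig that controls NAV publication
    uint256 public immutable maxAge;    // staleness window in seconds

    uint256 public navPerUnit;          // NAV per fund unit, 18 decimals
    uint256 public updatedAt;           // timestamp of the last publication (0 = never set)

    error NotPublisher();
    error InvalidNav();
    error StaleNav(uint256 lastUpdate, uint256 currentTime);

    event NavPublished(uint256 nav, uint256 publishedAt);

    constructor(address publisher_, uint256 maxAge_) {
        require(publisher_ != address(0) && maxAge_ > 0, "bad config");
        publisher = publisher_;
        maxAge = maxAge_;
    }

    /// Only the controlling multisig may publish, and a zero NAV is rejected.
    function publish(uint256 nav) external {
        if (msg.sender != publisher) revert NotPublisher();
        if (nav == 0) revert InvalidNav();
        navPerUnit = nav;
        updatedAt = block.timestamp;
        emit NavPublished(nav, block.timestamp);
    }

    /// Fail closed: revert instead of returning a never-set or out-of-date price.
    function freshNav() public view returns (uint256) {
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) {
            revert StaleNav(updatedAt, block.timestamp);
        }
        return navPerUnit;
    }

    /// Units for a cash subscription (cash scaled to 18 decimals); rounds down.
    /// Any caller pricing a subscription through this path inherits the revert.
    function unitsFor(uint256 cashAmount) external view returns (uint256) {
        return (cashAmount * 1e18) / freshNav();
    }
}
```

Because `unitsFor` reads the price only through `freshNav`, a subscription that arrives after the window has lapsed reverts as a whole, and the never-published case (`updatedAt == 0`) is treated the same as stale.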

The audit is the floor, not the ceiling

An independent audit with no high or critical findings is the minimum bar for a product holding regulated capital, and we design toward it from day one with high branch coverage and invariant tests. But the audit reviews the contracts; the operations layer, the reconciliation, and the key management are equally capable of losing client funds and deserve the same rigour.

Get the compliance layer right and tokenisation delivers on its promise: same-day settlement of regulated assets with a clean, continuous reconciliation. Get it wrong and you have built a faster way to break the rules.


Founder of Web3Software. Twelve years building distributed systems and capital-markets infrastructure, the last six dedicated to blockchain, on-chain settlement, and quantitative trading platforms for institutional clients.
