The Compliance Foundation Nobody Talks About
The sophisticated debates about SEC jurisdiction, FIT21 market structure, and OCC interpretive letters tend to dominate the policy conversation about tokenized assets. But beneath all of those superstructure questions lies a foundational compliance obligation that applies to every tokenized asset platform regardless of how securities jurisdiction questions are resolved: anti-money laundering and Bank Secrecy Act compliance, including the Travel Rule obligations that govern the transmission of value between financial institutions.
The Bank Secrecy Act of 1970, FinCEN’s implementing regulations, and the FATF international standards collectively create an AML compliance architecture that crypto platforms have historically honored inconsistently and that tokenized securities platforms must take seriously from day one. The consequences of inadequate AML compliance are not regulatory uncertainty or competitive disadvantage — they are criminal prosecution, deferred prosecution agreements, and billion-dollar penalties. Binance’s November 2023 resolution — a $3.4 billion penalty and guilty plea by the company and its CEO Changpeng Zhao — is the definitive case study in what happens when a major crypto platform treats AML as an afterthought.
For institutional tokenized securities platforms, the relevant AML framework divides into two distinct requirements: the Customer Identification Program (CIP) and Customer Due Diligence (CDD) requirements that govern onboarding, and the Travel Rule requirements that govern the transmission of value between institutions. Both must be implemented, but the Travel Rule presents unique technical challenges in the blockchain context that have spawned an entire compliance technology ecosystem.
FinCEN’s $3,000 Threshold and the 2019 Guidance
FinCEN’s Travel Rule — derived from 31 CFR § 103.33, the BSA’s “funds transfer recordkeeping rule” — requires that financial institutions transmitting funds in amounts of $3,000 or more collect and transmit specific information about the sender and receiver to the next institution in the payment chain. The information required includes the name, account number, address, and taxpayer identification of the originator; the name and account number of the beneficiary; and the identity of the originating financial institution.
In May 2019, FinCEN issued interpretive guidance making explicit that the Travel Rule applies to virtual currency transmissions in the same manner it applies to traditional funds transfers. “Money services businesses” — a category that includes cryptocurrency exchanges, peer-to-peer exchangers, and crypto kiosks — are subject to Travel Rule obligations when transmitting $3,000 or more in virtual currency. This $3,000 threshold, unchanged since the 1990s in the traditional context, applies at the same level to crypto transmissions — a threshold that, given cryptocurrency’s price appreciation, captures a very large proportion of institutional-scale transactions.
The 2019 FinCEN guidance was not a surprise to the crypto industry — the BSA’s applicability to money services businesses was never in serious legal doubt — but it crystallized compliance obligations that many platforms had treated as ambiguous. For tokenized securities platforms, the 2019 guidance makes clear that the transfer of tokenized securities involving a change of beneficial ownership, accompanied by a payment flow, requires Travel Rule compliance if the platform is a money services business and the transaction exceeds $3,000.
The question of whether a tokenized securities platform is a “money services business” under FinCEN’s regulations is itself complex. Platforms that facilitate the transfer of securities tokens without also transmitting fiat currency or money equivalents may not be MSBs — they may instead be broker-dealers subject to FINRA’s AML rules, which have parallel requirements. But platforms that handle both token transfers and stablecoin payments — the typical architecture for a tokenized fund with automated distributions — will likely fall within the MSB definition for at least some of their activities.
IVMS101: The Messaging Standard
The most significant practical challenge in implementing the Travel Rule for crypto transactions is the absence, in most blockchain architectures, of the counterparty identification information that the Travel Rule requires. Traditional wire transfers carry sender and receiver information in standardized message formats (SWIFT MT103, Fedwire format). Blockchain transactions contain only the sender’s and receiver’s wallet addresses — cryptographic identifiers that are not inherently linked to legal identity information.
The solution the industry has developed is the InterVASP Messaging Standard (IVMS101), a technical standard developed by a consortium of virtual asset service providers (VASPs) for transmitting Travel Rule information alongside cryptocurrency transactions. IVMS101 defines a standardized data format for the beneficiary and originator information that Travel Rule compliance requires, and enables VASPs to transmit that information through secure messaging channels that run parallel to the blockchain transaction.
IVMS101 has achieved broad adoption among institutional crypto exchanges and custody platforms. The major Travel Rule messaging networks — TRP (Travel Rule Protocol), Notabene, TRISA, and Sygna — all use IVMS101 as their underlying data format, enabling cross-platform compliance message exchange. For tokenized securities platforms, implementing IVMS101-compliant Travel Rule infrastructure means connecting to one or more of these messaging networks and ensuring that every qualifying transaction generates the required compliance messages.
The technical implementation is non-trivial but solved. The more difficult challenge for tokenized securities platforms is that Travel Rule compliance requires knowing the beneficiary VASP’s identity before transmitting the transaction — which requires that both counterparty VASPs be connected to a common messaging network. Transactions to counterparties who are not connected to any Travel Rule messaging network — the “sunrise problem” of uneven Travel Rule adoption globally — present compliance gaps that must be addressed through enhanced due diligence or transaction blocking.
FATF Recommendation 16: The Global Standard
The Financial Action Task Force’s Recommendation 16 — the “wire transfer rule” that applies to financial institutions globally — is the international analog of FinCEN’s Travel Rule. Updated in 2019 to explicitly include virtual asset service providers, FATF Recommendation 16 requires that VASPs collect and transmit originator and beneficiary information for virtual asset transfers above €1,000 (roughly equivalent to FinCEN’s $3,000 threshold in practical application).
FATF’s 2019 guidance — “Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers” — established the global framework that has been implemented (with variations) across more than 60 jurisdictions. The EU implemented FATF Recommendation 16 through the Transfer of Funds Regulation (TFR), effective December 2024, which applies to all crypto asset transfers regardless of amount and requires full IVMS101-compliant Travel Rule messaging for all EU-licensed VASPs.
For US tokenized securities platforms serving international investors — which includes virtually every institutional platform at scale — the EU TFR’s zero-threshold requirement creates compliance obligations that exceed FinCEN’s $3,000 threshold. A US platform that receives token transfers from EU-based investors must be prepared to receive and process Travel Rule messages under the EU’s stricter standard, even for transactions below $3,000.
The divergence between US and EU Travel Rule thresholds is one of several technical compliance mismatches that tokenized securities platforms operating cross-border must manage. FATF’s broader supervisory framework — the mutual evaluation process that assesses jurisdictions’ AML compliance — creates additional pressures: jurisdictions that fail FATF evaluations may be placed on the “grey list,” limiting their ability to access US dollar correspondent banking and creating practical barriers to cross-border tokenized asset transactions.
On-Chain KYC Solutions: Chainalysis, Elliptic, TRM Labs
The Travel Rule compliance infrastructure ecosystem has grown substantially in response to both regulatory requirements and institutional demand. Three categories of technology address different aspects of the AML compliance challenge for tokenized asset platforms.
Blockchain analytics. Chainalysis, Elliptic, and TRM Labs provide transaction monitoring tools that analyze blockchain transaction patterns to identify suspicious activity, sanctions violations, and connections to known illicit wallets. These tools are the crypto equivalent of traditional wire fraud monitoring systems — they do not collect identity information, but they flag transaction patterns that require enhanced due diligence or reporting. For tokenized securities platforms, transaction monitoring is a required element of a FinCEN-compliant AML program, and the major analytics providers have developed institutional-grade products specifically for permissioned token markets.
Identity verification and wallet screening. KYC platforms including Jumio, Onfido, and Socure provide identity verification for onboarding investors to tokenized securities platforms. Separately, wallet screening tools from Chainalysis and TRM Labs assess the history of wallet addresses before accepting transfers from them — identifying whether the sending wallet has prior connections to sanctions targets, darknet markets, or other high-risk sources.
Travel Rule messaging. The Travel Rule-specific platforms — Notabene, TRISA, Sygna, and TRP — handle the VASP-to-VASP information exchange that compliance requires. These platforms maintain directories of connected VASPs and their cryptographic credentials, enabling secure, authenticated message exchange of IVMS101-format compliance data.
For tokenized securities platforms, the practical compliance stack requires some combination of all three categories: blockchain analytics for transaction monitoring, identity verification for investor onboarding, and Travel Rule messaging for inter-VASP transfers. The cost of building and maintaining this infrastructure is significant — on the order of $500,000-$2,000,000 annually for platforms of meaningful scale — and represents a compliance overhead that smaller platforms struggle to bear.
ERC-3643 and ONCHAINID: Embedding Compliance in the Token
The most innovative approach to Travel Rule compliance for tokenized securities is embedding KYC and AML compliance directly into the token’s smart contract architecture. The ERC-3643 standard — also known as the T-REX (Token for Regulated EXchanges) standard — implements an on-chain identity framework called ONCHAINID that verifies and records investor compliance status at the token level.
Under ERC-3643, token transfers can only occur between wallet addresses that have verified ONCHAINID credentials — cryptographic proofs that the wallet holder has completed KYC verification with an authorized identity provider. The smart contract checks ONCHAINID credentials before executing any transfer and rejects transfers to uncredentialed wallets. This architecture means that AML compliance is enforced at the protocol layer rather than relying on platform-level controls that can be bypassed.
For Travel Rule compliance specifically, ONCHAINID enables tokenized securities platforms to verify that the receiving wallet is controlled by an identified, KYC-verified investor before completing a transfer — addressing the beneficiary identification requirement of the Travel Rule without requiring separate messaging infrastructure for every transaction. The on-chain identity verification serves as a pre-cleared Travel Rule record, with the ONCHAINID credentials providing the originator and beneficiary identification that FinCEN requires.
ERC-3643 is used by Securitize and several European tokenized securities platforms as their primary compliance architecture. Its adoption by major institutional platforms validates the concept of protocol-level compliance enforcement as a technically viable and regulatorily defensible approach.
The Unhosted Wallet Rule Proposal and Its Status
FinCEN’s October 2020 proposed rule — the “Unhosted Wallet Rule” — would have required money services businesses to collect identifying information on counterparties when conducting transactions above $3,000 with “unhosted wallets” (wallets not associated with a regulated financial institution) and to file Currency Transaction Report equivalents for transactions above $10,000 with unhosted wallets. The proposed rule generated over 65,000 public comments, the most in FinCEN’s history, and was not finalized by the Biden administration.
The unhosted wallet proposal remains in regulatory limbo under the current administration. The Crypto Task Force has not indicated whether it will revive, modify, or permanently withdraw the proposal. For tokenized securities platforms that serve institutional investors who maintain custody of their own digital wallets, the unhosted wallet rule’s potential revival is a material compliance risk: it would require collection and reporting of counterparty identity information for wallet-to-wallet transfers in a manner that current technical infrastructure does not fully support.
Exhibit: AML Compliance Requirements for Tokenized Securities Platforms
| Requirement | Regulatory Source | Threshold | Implementation |
|---|---|---|---|
| Customer Identification Program | BSA / FinCEN 31 CFR 1022.220 | All customers | Identity verification at onboarding |
| Suspicious Activity Reporting | BSA / FinCEN 31 CFR 1022.320 | Suspicious transactions | Transaction monitoring + SAR filing |
| Travel Rule (US) | FinCEN 31 CFR 1010.410 | $3,000+ transmissions | IVMS101 messaging (Notabene/TRISA) |
| Travel Rule (EU) | EU Transfer of Funds Reg. | €0 (all amounts) | Full IVMS101 for EU-licensed platforms |
| Sanctions Screening | OFAC 31 CFR Part 500 | All transactions | Chainalysis/TRM wallet screening |
| FATF Rec. 16 | FATF / implemented by jurisdiction | Varies by country | Cross-border VASP messaging |
| Bank Secrecy Act baseline | BSA 31 USC 5311 et seq. | All transactions | AML program, recordkeeping |
Strategic Compliance Architecture
For tokenized RWA platform operators, the Binance resolution provides the clearest possible guidance on what inadequate AML compliance costs: criminal liability, business disruption, and existential regulatory risk. The resolution established that crypto platforms are not insulated from BSA obligations by their technical architecture — running a blockchain-based platform does not create a regulatory safe harbor from the same AML requirements that apply to traditional financial institutions.
The institutional tokenized securities market is distinguished from the retail crypto market precisely by its commitment to full regulatory compliance — including AML compliance that meets or exceeds traditional securities market standards. Platforms that build comprehensive AML infrastructure from day one are not merely avoiding regulatory risk; they are differentiating themselves in a market where institutional investors and their compliance officers have zero tolerance for AML ambiguity.
The cost of compliance is real, but the alternative — the Binance outcome — defines the floor. Platforms investing in robust blockchain analytics, IVMS101-compliant Travel Rule messaging, and ONCHAINID-embedded token compliance are building the infrastructure that institutional adoption requires. The broker-dealer registration and ATS registration frameworks that govern tokenized securities trading incorporate AML compliance as a baseline requirement — not an optional add-on.