Compliance and KYC/AML Integration
Learning Objectives
Structure compliant offerings under Reg D 506(c), Reg A+, or international equivalents
Design KYC/AML workflows that integrate with XRPL trust line authorization
Implement transfer restrictions that maintain compliance across secondary trading
Manage ongoing compliance obligations including reporting, record-keeping, and investor communications
Identify compliance risks and develop monitoring procedures to detect and address issues
Many tokenization projects treat compliance as an afterthought—a box to check after building the technology. This approach fails. Securities violations can result in rescission rights (investors can demand their money back), fines, injunctions, and criminal liability. Projects that launch without proper compliance often face forced shutdowns, investor lawsuits, and reputational destruction.
The right approach: Design compliance into the structure from the beginning. Choose your exemption, understand its requirements, and build everything around maintaining those requirements throughout the token lifecycle. Compliance should be automatic, not an ongoing struggle.
This lesson provides the framework for compliance-first tokenization.
Most US tokenizations use Reg D 506(c). Understanding its requirements in detail is essential:
Core Requirements:
Rule 506(c) Elements:
───────────────────────────────────────────────────────────────
1. Accredited Investors Only
2. Verification Required
3. General Solicitation Permitted
4. Securities Restricted
Accreditation Verification Methods:
Income Verification (Safe Harbor):
───────────────────────────────────────────────────────────────
Acceptable documentation:
• IRS forms (W-2, 1099, K-1) for past 2 years
• Tax returns
• Written confirmation from licensed CPA, attorney, or
registered investment advisor
1. Investor provides documentation
2. Platform/issuer reviews
3. Calculate if $200K individual or $300K joint threshold met
4. Document review and conclusion
5. Valid for subsequent investments within reasonable period
Net Worth Verification (Safe Harbor):
───────────────────────────────────────────────────────────────
Acceptable documentation:
• Recent bank statements, brokerage statements
• Tax assessment for real property
• Appraisals for other assets
• Credit report for liabilities
• Mortgage statements
1. Investor provides asset documentation
2. Investor provides liability disclosure
3. Platform calculates: Assets - Liabilities - Primary Residence = Net Worth
4. Determine if >$1M
5. Document conclusion
Third-Party Verification:
───────────────────────────────────────────────────────────────
Written confirmation from:
• Registered broker-dealer
• SEC-registered investment adviser
• Licensed CPA
• Licensed attorney
That the professional has verified accreditation within past 3 months.
Most practical for repeat investors on established platforms.
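The income and net worth tests above, as an added example (not code from the lesson) that computes each conclusion and returns the record the lesson says to keep: documents reviewed, method, conclusion and date. Thresholds are the lesson's; the sample application, its address and the field names are constructed. It goes one step past the lesson's formula on the primary residence: mortgage debt on the home is excluded only up to the home's value, and any excess counts as a liability (Rule 501(a)(5)).

```javascript
// Added example, not code from the lesson. Encodes the income and net-worth tests
// and returns the accreditation record to file with the investor (documents
// reviewed, method, conclusion, date). Thresholds are the lesson's. Residence rule:
// mortgage debt is excluded only up to the home's value; the excess is a liability.
const INCOME_INDIVIDUAL = 200000;
const INCOME_JOINT = 300000;
const NET_WORTH_MIN = 1000000;

// incomes: one entry per year, e.g. { year: 2023, individual: 210000, joint: 260000, doc: "W-2" }.
// The same basis (individual or joint) must clear its threshold in both recent years.
function passesIncomeTest(incomes) {
  const recent = [...incomes].sort((a, b) => b.year - a.year).slice(0, 2);
  if (recent.length < 2) return false;
  const individual = recent.every((y) => (y.individual || 0) >= INCOME_INDIVIDUAL);
  const joint = recent.every((y) => (y.joint || 0) >= INCOME_JOINT);
  return individual || joint;
}

// assets/liabilities: [{ label, amount, doc }] excluding the home and its mortgage,
// which are passed separately so the residence rule can be applied.
function computeNetWorth({ assets, liabilities, residenceValue = 0, residenceDebt = 0 }) {
  const total = (items) => items.reduce((sum, item) => sum + item.amount, 0);
  const excessResidenceDebt = Math.max(0, residenceDebt - residenceValue);
  return total(assets) - total(liabilities) - excessResidenceDebt;
}

// Runs the income test first, then net worth; returns the accreditation record.
function evaluateAccreditation(app, reviewedOn = new Date()) {
  const record = { investor: app.xrplAddress, accredited: false, basis: null,
                   netWorth: null, documentsReviewed: [], reviewedOn: reviewedOn.toISOString() };
  if (app.incomes && passesIncomeTest(app.incomes)) {
    record.basis = "income";
    record.documentsReviewed = app.incomes.map((y) => `${y.doc} ${y.year}`);
  } else if (app.netWorth) {
    record.netWorth = computeNetWorth(app.netWorth);
    if (record.netWorth > NET_WORTH_MIN) {
      record.basis = "net_worth";
      record.documentsReviewed = [...app.netWorth.assets, ...app.netWorth.liabilities].map((i) => i.doc);
    }
  }
  record.accredited = record.basis !== null;
  return record;
}

// Constructed sample: income misses the threshold in one year; net worth carries the case.
const sampleApplication = {
  xrplAddress: "rEXAMPLEinvestor",
  incomes: [
    { year: 2023, individual: 210000, joint: 260000, doc: "W-2" },
    { year: 2022, individual: 185000, joint: 240000, doc: "W-2" },
  ],
  netWorth: {
    assets: [
      { label: "brokerage", amount: 900000, doc: "brokerage statement" },
      { label: "savings", amount: 350000, doc: "bank statement" },
    ],
    liabilities: [{ label: "auto loan", amount: 30000, doc: "credit report" }],
    residenceValue: 600000,
    residenceDebt: 650000, // $50K above the home's value reduces net worth
  },
};
```

Calling `evaluateAccreditation(sampleApplication)` fails the income test (2022 is below $200K individual and both years are below $300K joint) and qualifies on net worth of $1,170,000.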
Reg A+ (Regulation A, Tier 2), for projects seeking retail access:
Tier 2 Requirements:
Key Parameters:
───────────────────────────────────────────────────────────────
• Maximum raise: $75M in 12-month period
• Non-accredited investors: Allowed
• Investment limits: 10% of income or net worth (non-accredited)
• SEC qualification: Required (not just filing)
• State registration: Preempted (can sell in all states)
• Ongoing reporting: Annual, semi-annual, and current reports
Timeline and Costs:
• Preparation: 2-4 months
• SEC review: 2-6 months
• Legal/accounting: $100,000-$500,000+
• Ongoing compliance: $50,000+/year
When Reg A+ Makes Sense:
• Raising $20M+ (justify costs)
• Retail access is strategic (not just nice-to-have)
• Professional sponsor with resources
• Long-term platform (not single property)
Practical Reality:
Few single-property tokenizations use Reg A+:
• Costs exceed benefits for <$20M raises
• Timeline doesn't fit typical deal cycles
• Ongoing reporting burden significant
More common for:
• Real estate funds (pooled investments)
• Platforms raising operating capital
• Large, signature properties with marketing value
Reg S (Non-US Investors):
Parameters:
───────────────────────────────────────────────────────────────
• No SEC registration required for offshore sales
• Must not be directed at US persons
• Distribution compliance period (restricted trading)
• Can run alongside Reg D for dual offering
Requirements:
• Offer made outside US
• No directed selling efforts in US
• Buyer certifies non-US person status
• Transfer restrictions during distribution period
Limitations:
• Tokens may flow back to US (leakage)
• Must actively prevent US participation
• Compliance monitoring required
Jurisdiction-Specific Compliance:
Each target jurisdiction has requirements:
───────────────────────────────────────────────────────────────
European Union (MiCA + MiFID II):
• Security tokens: Full prospectus or exemption
• Passporting for multi-country distribution
• Investment limits may apply
United Kingdom:
• FCA authorization or exemption
• Prospectus for public offers >€1M
• High-net-worth/sophisticated investor exemptions
Singapore:
• MAS licensing requirements
• Small offer exemption (SG$5M, 50 investors)
• Accredited investor exemption
Multi-Jurisdiction Approach:
• Separate offering documents per jurisdiction
• Jurisdiction-specific verification
• Prevent cross-border leakage
• Significant legal cost
Know Your Customer Components:
Identity Verification:
───────────────────────────────────────────────────────────────
Required documentation:
• Government-issued photo ID (passport, driver's license)
• Proof of address (utility bill, bank statement)
• Selfie/liveness check (prevent document fraud)
Verification methods:
• Manual review by compliance staff
• Automated document verification (Jumio, Onfido, etc.)
• Database checks (identity databases)
Enhanced due diligence for:
• High-risk jurisdictions
• Politically exposed persons (PEPs)
• Large investments
• Unusual patterns
Beneficial Ownership:
For Entity Investors:
───────────────────────────────────────────────────────────────
Must identify:
• Entity legal name and registration
• Principal place of business
• Formation documents
• Beneficial owners (>25% ownership)
• Control persons
• Tax identification numbers
1. Collect entity formation documents
2. Request ownership chart
3. Verify each beneficial owner individually
4. Check control persons
5. Document entire chain
Anti-Money Laundering Requirements:
Sanctions Screening:
───────────────────────────────────────────────────────────────
Check against:
• OFAC SDN List (US)
• UN Sanctions List
• EU Sanctions Lists
• Country-specific lists
Timing:
• At onboarding
• Before each transaction (best practice)
• Periodic rescreening (quarterly minimum)
Hit handling:
• Potential match → enhanced review
• Confirmed match → reject/freeze/report
• Documentation required for all decisions
PEP Screening:
───────────────────────────────────────────────────────────────
Politically Exposed Persons require:
• Enhanced due diligence
• Source of funds verification
• Senior management approval
• Ongoing monitoring
Adverse Media:
───────────────────────────────────────────────────────────────
Screen for:
• Fraud allegations
• Criminal proceedings
• Regulatory actions
• Reputational red flags
Integration Architecture:
```
┌─────────────────────┐
│ Investor Portal │
│ (Platform Website) │
└──────────┬──────────┘
│
│ 1. Submit KYC documents
▼
┌─────────────────────┐
│ Verification Layer │
│ (Jumio/Onfido/etc) │
└──────────┬──────────┘
│
│ 2. Document verification results
▼
┌─────────────────────┐
│ Compliance Review │
│ (Manual/Auto) │
└──────────┬──────────┘
│
│ 3. Approve/Reject decision
▼
┌─────────────────────┐
│ Trust Line System │
│ (XRPL Interface) │
└──────────┬──────────┘
│
│ 4. Authorize trust line (if approved)
▼
┌─────────────────────┐
│ XRPL Ledger │
│ (Trust line auth) │
└─────────────────────┘
```
Workflow Implementation:
```javascript
// Example integration flow. kycProvider, accreditationVerified, sanctionsHit,
// submitTransaction, complianceDB and ISSUER_ADDRESS stand for the platform's own
// services and configuration; they are placeholders, not calls into a specific SDK.

// Step 1: Investor submits application
const investorApplication = {
  personalInfo: { /* name, address, etc. */ },
  documents: { /* ID images, proof of address */ },
  accreditationDocs: { /* income verification, etc. */ },
  xrplAddress: "rInvestorXRPLAddress..."
};

async function onboardInvestor(application) {
  // Step 2: Process through verification service
  const verificationResult = await kycProvider.verify(application);

  // Step 3: Compliance review. Identity, accreditation and sanctions must all clear.
  const approved =
    verificationResult.status === "PASS" &&
    accreditationVerified(application) &&
    !sanctionsHit(application);

  if (!approved) {
    // Rejections are documented too; no trust line is authorized for this address.
    await complianceDB.record({
      investor: application.xrplAddress,
      verificationDate: new Date(),
      verificationResult,
      trustLineAuthorized: false
    });
    return false;
  }

  // Step 4: Authorize trust line on XRPL. The issuer's TrustSet names the investor
  // as LimitAmount.issuer with value "0" and sets the tfSetfAuth flag.
  const authorizeTx = {
    TransactionType: "TrustSet",
    Account: ISSUER_ADDRESS,
    LimitAmount: {
      currency: "MSP",
      issuer: application.xrplAddress,
      value: "0"
    },
    Flags: 0x00010000 // tfSetfAuth
  };
  await submitTransaction(authorizeTx);

  // Step 5: Record in compliance database
  await complianceDB.record({
    investor: application.xrplAddress,
    verificationDate: new Date(),
    verificationResult,
    accreditationVerified: true,
    sanctionsCleared: true,
    trustLineAuthorized: true
  });
  return true;
}

// Usage: await onboardInvestor(investorApplication);
```
Documentation Requirements:
For Each Investor, Maintain:
───────────────────────────────────────────────────────────────
Identity Records:
• Copy of government ID
• Proof of address
• Verification service results
• Any manual review notes
Accreditation Records:
• Documents reviewed
• Calculation methodology
• Conclusion and date
• Verification expiration
AML Records:
• Screening results
• Hit review documentation (if any)
• Source of funds (if EDD required)
• Ongoing monitoring results
Investment Records:
• Subscription agreement
• Token purchases/sales
• Distribution history
• Communications
Retention Period:
• Minimum 5 years after account closure
• May be longer per jurisdiction requirements
• Maintain accessibility for regulatory examination
Secondary trading creates compliance challenges:
Without Controls:
- Investor A (verified accredited) holds tokens
- Investor A sells to Investor B on DEX
- Investor B is NOT accredited (or not KYC'd)
- Transfer completes on blockchain
- Non-accredited person now holds security
Result:
• Securities violation (sold to non-qualified investor)
• Issuer potentially liable
• Exemption potentially blown
• Investor B may have rescission rights
RequireAuth as Gatekeeper:
- Issuer enables RequireAuth on account
- All trust lines require explicit authorization
- Unauthorized addresses CANNOT hold tokens
- Even if transfer attempted on DEX, it fails
Workflow:
• Buyer must have authorized trust line BEFORE purchase
• Authorization requires completed KYC/AML
• DEX trades fail if buyer unauthorized
• Compliance maintained by technical control
Transfer Attempt Resolution:
```
// What happens when unauthorized buyer tries to purchase
// Scenario: Bob (unauthorized) tries to buy from Alice (authorized)
// Bob's account has either:
// A) No trust line to issuer → Payment fails (no trust line)
// B) Trust line but not authorized → Payment fails (not authorized)
// Either way:
// • Transaction rejected by ledger validation
// • No tokens transfer
// • Compliance maintained automatically
// Error message (simplified):
// "tecNO_AUTH: The trust line is not authorized"
```
For secondary trading, most structures use a transfer agent:
Transfer Agent Functions:
Role in Tokenized Securities:
───────────────────────────────────────────────────────────────
1. Maintain shareholder/member records
2. Verify transfer eligibility
3. Execute/authorize transfers
4. Regulatory reporting
XRPL Integration:
• Transfer agent controls trust line authorization
• All secondary transfers require TA approval
• TA maintains binding legal records
• Blockchain provides transparent audit trail
Model 1: Platform-Only Trading
Structure:
───────────────────────────────────────────────────────────────
• All trading through platform marketplace
• Platform verifies buyer before matching
• Trust line authorization via platform
• Settlement on XRPL
1. Seller lists tokens on platform
2. Buyer (verified on platform) places order
3. Platform confirms buyer has authorized trust line
4. Trade executes on XRPL DEX or direct transfer
5. Records updated
Advantages:
• Full compliance control
• Integrated verification
• Clean audit trail
Disadvantages:
• Limited liquidity (only platform users)
• Platform dependency
Model 2: ATS Trading
Structure:
───────────────────────────────────────────────────────────────
• Alternative Trading System (SEC-registered)
• Broker-dealer intermediation
• Wider liquidity pool
1. Holder deposits tokens to ATS custody
2. ATS matches buy/sell orders
3. All participants pre-verified
4. Settlement via ATS processes
Advantages:
• Regulatory clarity
• Potentially more liquidity
• Professional market structure
Disadvantages:
• Limited ATS options for security tokens
• Additional costs and complexity
• May require custody transfer
Model 3: Open DEX with Gated Access
Structure:
───────────────────────────────────────────────────────────────
• Trading on XRPL native DEX
• Trust line authorization gates participation
• Anyone with authorized trust line can trade
1. All participants must be pre-verified
2. Authorized trust lines enable DEX participation
3. Orders placed directly on XRPL DEX
4. Settlement atomic on ledger
Advantages:
• Most decentralized option
• 24/7 trading
• Lower platform dependency
Disadvantages:
• Thin liquidity typical
• Less oversight of trading activity
• May not satisfy all regulatory preferences
Reg D Ongoing Obligations:
Form D Filing:
───────────────────────────────────────────────────────────────
• Initial filing within 15 days of first sale
• Amendment for material changes
• Annual amendment (some states)
Content includes:
• Issuer information
• Offering amount
• Type of securities
• Exemption claimed
• Sales to date
State Blue Sky:
• Notice filings in states where investors reside
• Forms and fees vary by state
• Track investor locations
Investor Reporting:
Tax Reporting:
───────────────────────────────────────────────────────────────
Schedule K-1 (for LLC):
• Issued annually by March 15 (or extension)
• Reports each investor's share of income, deductions
• Required for investor tax filings
1099 Reporting:
• If distributions made (1099-DIV or other)
• Track amounts distributed to each investor
Investor Communications:
• Quarterly updates (operational, financial)
• Annual meeting/report
• Material events disclosure
Continuous Obligations:
Periodic Rescreening:
───────────────────────────────────────────────────────────────
Frequency: Quarterly minimum, more frequent for higher risk
Actions:
• Rescreen all investors against updated sanctions lists
• Check for status changes (bankruptcy, criminal proceedings)
• Review transaction patterns for unusual activity
Documentation:
• Log all rescreening activities
• Document any hits and resolution
• Maintain audit trail
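The periodic rescreen above, together with the hit handling under Sanctions Screening (potential match to enhanced review, confirmed match to freeze and report, every decision documented), as an added example that is not code from the lesson. Investors, list entries, identifiers and the list version are constructed; a real run uses a vendor-maintained list and fuzzier matching than this normalized name and date-of-birth comparison.

```javascript
// Added example, not code from the lesson: quarterly rescreen of the investor file
// against a refreshed sanctions list, writing one audit entry per investor per run.
const RESCREEN_INTERVAL_DAYS = 90; // quarterly minimum, per the lesson

// Case-, accent- and word-order-insensitive name key ("Pérez, José" == "Jose Perez").
function normalizeName(name) {
  return name.normalize("NFD").replace(/[\u0300-\u036f]/g, "").toLowerCase()
    .replace(/[^a-z ]/g, " ").split(/\s+/).filter(Boolean).sort().join(" ");
}

// "confirmed" when name and date of birth both match, "potential" on name alone.
function matchEntry(investor, entry) {
  const names = [entry.name, ...(entry.aliases || [])].map(normalizeName);
  if (!names.includes(normalizeName(investor.name))) return null;
  return entry.dob && entry.dob === investor.dob ? "confirmed" : "potential";
}

function rescreen(investors, list, runDate) {
  const nextDue = new Date(runDate.getTime() + RESCREEN_INTERVAL_DAYS * 86400000);
  const entries = [];
  for (const inv of investors) {
    let strength = null, matched = null;
    for (const entry of list.entries) {
      const m = matchEntry(inv, entry);
      if (m === "confirmed" || (m === "potential" && strength === null)) {
        strength = m; matched = entry.id; // keep the strongest match for the file
      }
    }
    const action = strength === "confirmed" ? "freeze_and_report"
                 : strength === "potential" ? "enhanced_review" : "cleared";
    // Logged whether or not there was a hit: the audit trail an examiner asks for.
    entries.push({ investor: inv.xrplAddress, listVersion: list.version,
                   screenedOn: runDate.toISOString(), match: strength,
                   matchedEntry: matched, action, nextDue: nextDue.toISOString() });
  }
  return entries;
}

// Items a compliance officer must work before the run is closed.
function openItems(entries) {
  return entries.filter((e) => e.action !== "cleared");
}

// Constructed data: one clean investor, one name-only hit, one name-and-DOB hit.
const sampleInvestors = [
  { xrplAddress: "rINV1", name: "Alice Sample", dob: "1980-02-03" },
  { xrplAddress: "rINV2", name: "Pérez, José", dob: "1975-06-07" },
  { xrplAddress: "rINV3", name: "Dan Example", dob: "1969-09-09" },
];
const sampleList = { version: "constructed-2024-Q2", entries: [
  { id: "X-001", name: "Jose Perez", dob: "1990-01-01" },
  { id: "X-002", name: "EXAMPLE, DANIEL", aliases: ["Dan Example"], dob: "1969-09-09" },
]};
```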
Suspicious Activity Monitoring:
Watch for:
───────────────────────────────────────────────────────────────
• Unusual transaction patterns
• Attempts to circumvent controls
• Significant unexplained changes in activity
• Structuring behaviors
Response:
• Investigate internally
• File SAR if warranted (FinCEN)
• Freeze account if necessary
• Document all actions
Handling Status Changes:
Accreditation Lapses:
───────────────────────────────────────────────────────────────
Scenario: Investor was accredited, now is not
Considerations:
• Reg D doesn't require ongoing accreditation
• Initial qualification is sufficient
• BUT: Subsequent purchases may be problematic
• Restrict additional investment if status changes
Process:
• Verify at each new investment
• Document status at time of each purchase
• Consider transfer restrictions for non-accredited
Death/Inheritance:
───────────────────────────────────────────────────────────────
• Estate must complete verification
• Beneficiaries subject to KYC
• May require new trust line authorization
• Consider transfer restrictions during probate
Address/Contact Changes:
───────────────────────────────────────────────────────────────
• Update records promptly
• Reverify if significant change (country change)
• Maintain communication capability
Principles:
Build compliance in, not on
Defense in depth
Assume examination
Plan for problems
Recommended Components:
Identity Verification:
───────────────────────────────────────────────────────────────
Options: Jumio, Onfido, Trulioo, Persona
Functions: Document verification, liveness check, database check
Integration: API-based, real-time results
Accreditation Verification:
───────────────────────────────────────────────────────────────
Options: VerifyInvestor, Parallel Markets, manual review
Functions: Document collection, verification, certification
Integration: Platform integration or standalone
AML Screening:
───────────────────────────────────────────────────────────────
Options: ComplyAdvantage, Refinitiv, Dow Jones, LexisNexis
Functions: Sanctions screening, PEP check, adverse media
Integration: Real-time screening, batch rescreening
Compliance Management:
───────────────────────────────────────────────────────────────
Options: Custom database, compliance platforms
Functions: Record keeping, workflow management, reporting
Integration: Central repository for all compliance data
Transfer Agent:
───────────────────────────────────────────────────────────────
Options: Securitize, tZERO, traditional TAs with digital capability
Functions: Legal record keeping, transfer processing, reporting
Integration: XRPL connectivity for on-chain operations
Budget Considerations:
Initial Setup:
───────────────────────────────────────────────────────────────
Legal (securities, operating agreement): $30,000 - $100,000
KYC/AML platform setup: $5,000 - $20,000
Accreditation verification setup: $2,000 - $10,000
Transfer agent setup: $5,000 - $25,000
Form D and state filings: $2,000 - $10,000
────────────────────────────────────────────────────────────
Initial Total: $44,000 - $165,000
Ongoing Annual:
───────────────────────────────────────────────────────────────
KYC/AML screening (per investor): $5 - $20/investor
Transfer agent annual: $5,000 - $25,000
Legal (maintenance, questions): $5,000 - $20,000
Tax preparation (K-1s): $50 - $100/investor
State renewals: $1,000 - $5,000
Audit (if required): $10,000 - $50,000
────────────────────────────────────────────────────────────
Ongoing Total (100 investors): $25,000 - $120,000/year
Per-Investor Economics:
$2M raise with 100 investors = $20,000 average investment
Compliance cost ~$250-1,200/investor/year
= 1.25% - 6% of investment annually
Implication: Minimum investments below $5,000 become economically irrational given compliance costs.
✅ Reg D 506(c) is workable for tokenization with proper verification procedures
✅ XRPL's RequireAuth provides effective technical transfer restriction
✅ KYC/AML can be integrated with trust line authorization workflows
✅ Transfer agents provide necessary legal record-keeping layer
✅ Compliance costs are significant but manageable for appropriately-sized offerings
⚠️ Long-term SEC treatment of tokenized securities (evolving views)
⚠️ Whether ATS trading will develop sufficient liquidity for real estate tokens
⚠️ International regulatory harmonization (or continued fragmentation)
⚠️ Optimal balance between automation and human oversight
⚠️ How compliance technology costs will evolve with scale
📌 Launching without proper exemption—"move fast and break things" doesn't work for securities
📌 Relying solely on technical controls without legal documentation
📌 Underestimating ongoing compliance costs and operational burden
📌 Assuming KYC once is sufficient—ongoing monitoring is required
📌 Ignoring state blue sky requirements (SEC compliance alone isn't enough)
Compliance isn't an obstacle to work around—it's the framework that makes tokenization legally viable. Projects that take compliance seriously from day one build sustainable structures. Projects that cut corners face existential risks. The costs are real and significant, which is why very small offerings and very low minimums are economically irrational. Design for compliance first; everything else follows.
Design a complete compliance architecture for a Reg D 506(c) real estate tokenization on XRPL, including all workflows, technology integrations, and operational procedures.
Part 1: Verification Architecture (30%)
- KYC process (identity verification steps and providers)
- Accreditation verification (methods, documentation, timing)
- AML screening (providers, frequency, hit handling)
- Integration with XRPL trust line authorization
Include workflow diagrams showing decision points and data flows.
Part 2: Transfer Restriction Implementation (25%)
- Initial trust line authorization process
- Secondary trading controls
- Transfer agent integration (if applicable)
- Handling unauthorized transfer attempts
Specify the technical and operational controls for each scenario.
Part 3: Ongoing Compliance Procedures (25%)
- Periodic rescreening (frequency, process, documentation)
- Suspicious activity monitoring
- Investor status changes
- Regulatory reporting (Form D, K-1s, etc.)
- Record retention
Include timelines and responsible parties.
Part 4: Cost Analysis and Budgeting (20%)
- Initial setup costs (itemized)
- Ongoing annual costs (itemized)
- Per-investor marginal costs
- Break-even analysis (minimum offering size)
- Sensitivity analysis for different investor counts
Evaluation Criteria:
- Completeness of workflow coverage (25%)
- Technical accuracy of XRPL integration (25%)
- Practical operability of procedures (25%)
- Accuracy of cost analysis (15%)
- Clarity of documentation (10%)
Estimated Time: 4-5 hours
This plan serves as an operational blueprint for compliant tokenization. The discipline of specifying every workflow reveals gaps before they become compliance failures.
Document with workflow diagrams, 3,000-4,000 words.
Lesson 9 examines secondary markets and liquidity in depth. Before proceeding, review the DEX mechanics from Lesson 3—we'll analyze why real estate token liquidity remains poor and what might change this.
End of Lesson 8
Estimated completion time: 55 minutes reading + 4-5 hours for deliverable
Key Takeaways
Reg D 506(c) dominates for good reasons: Allows general solicitation while providing a clear exemption path. Verification requirements are manageable with proper systems.
XRPL RequireAuth enables technical compliance: Trust line authorization gates participation, preventing unauthorized holders even in DEX trading. Technical and legal controls work together.
Transfer restrictions must persist: Secondary trading doesn't remove securities law obligations. All buyers must be verified before they can hold tokens.
Ongoing compliance is substantial: It's not "set and forget." Regular rescreening, reporting, and monitoring are required throughout the token lifecycle.
Compliance costs set minimum viable offering size: $44K-165K setup plus ongoing costs mean offerings below ~$1-2M don't economically justify the compliance burden.