Atomic DvP (On-Chain)

The seller's custodial account on Ethereum holds the tokenized security — typically an ERC-3643 permissioned token issued by an SEC-registered transfer-agent function. Securitize LLC is the dominant industry actor for tokenized private funds [VERIFY current market share]; Tokeny SA, Backed Finance, and other ERC-3643-pattern transfer-agent / issuer-platform vendors fit the same architectural role, and traditional fund administrators (SS&C, U.S. Bank Global Fund Services, Apex Group's tokenization arm) have entered the space [VERIFY current production deployments]. The transfer agent maintains an on-chain identity registry alongside its statutory off-chain register. L4 Account and L5 Application are lit, both above the enforcement line — the seller's identity, the custodian's internal controls, and the transfer agent's record of beneficial ownership are all policy-enforced bank-grade controls, not on-chain code. The position is reconciled to the transfer agent's authoritative book; tokenization does not eliminate the transfer agent's SEC-registered role under §17A(c) of the Exchange Act, it relocates the record from a legacy DTC subledger to a public chain while preserving the transfer agent as the legal owner-of-record. Builder: call `isVerified(walletAddress)` on the ERC-3643 identity registry before displaying the position in the seller's UI — a token held by an address that has fallen off the whitelist (expired attestation, revoked qualification) should not be tradable. Use Fireblocks, Anchorage, or Copper as the institutional-grade custodian pattern; for self-custody by the beneficial owner, layer a qualified-custodian wrapper (Anchorage Trust, Coinbase Custody Trust) to satisfy SEC Rule 17f-1. Compliance officer: the seller's identity posture satisfies C1 (verified institutional investor — QIB, accredited investor under 17 C.F.R. § 230.501(a), or equivalent), the custodian's license posture satisfies C5 (trust charter, SEC transfer-agent registration under §17A(c)), and recordkeeping obligations under C11 anchor to the custodian's books plus the on-chain position — the adviser-side parallel obligation is Investment Advisers Act of 1940 §204 (17 C.F.R. § 275.204-2) for the fund's investment adviser. GENIUS §9 (custody & recordkeeping) applies where the custodian is also a stablecoin custodian on the cash leg. Honesty marker: 'tokenized security' as of early 2026 is narrowly defined — private securities under Reg D / 144A and some registered funds have tokenized analogues, but publicly-traded equities on NYSE / NASDAQ remain DTC-settled; this path describes the private-market and alternative-asset end of the atomic DvP story, not the public-equity end.

Before the DvP can bind, both counterparties must clear the ERC-3643 identity-registry check: QIB status (for 144A offerings), accredited investor status (for Reg D under 17 C.F.R. § 230.501(a) and 17 C.F.R. § 230.506(c)(2)(ii) reasonable-steps verification), professional-client status (for EU MiFID II Article 24 private placements), or retail-suitable status for registered funds. The registry is queried per-transfer by the security token's `compliance` module — Securitize DS Protocol is the dominant ERC-3643-aligned implementation in the tokenized private-funds segment [VERIFY current deployment count], Tokeny T-REX is a parallel implementation of the same ERC-3643 standard, and some tokenized securities use ad-hoc allowlist contracts or ERC-1404 variants instead. The compliance module layers ISIN-specific rules (transfer windows, lock-up periods, jurisdiction restrictions — e.g., no US persons for Reg S tranches) on top of the identity check. Market-abuse surveillance (C13) runs in parallel: the venue's matching engine checks for wash trades, layering, and spoofing patterns against MiFID II Article 14 and SEC Rule 10b-5 typologies. L3 Execution lit and code-enforced: a failed eligibility check reverts the trade-match instruction. Builder: the ERC-3643 ONCHAINID resolver returns the buyer and seller's claim set; filter trades client-side to only counterparties who pass the registry before submitting to the venue's order book, and expect a second on-chain check at match time to close the front-run window. For FIX-integrated venues, the compliance module exposes a pre-trade `ComplianceCheck` message that mirrors the on-chain logic so that the trading system can decline ineligible orders upstream of the match. Compliance officer: satisfies C1 (identity claim validity — anchored in the transfer agent's Reg D 506(c)(2)(ii) reasonable-steps verification workflow), C5 (licensed-intermediary gate — only registered broker-dealers or ATSs can facilitate a match; SEC-registered ATS operations are governed by 17 C.F.R. § 242.301), C13 (market-integrity pre-trade), and C15 (consumer-protection where retail eligibility is involved). SEC Rule 15c2-12 (disclosure on municipal securities) and Rule 15c3-5 (market-access risk controls, commonly 'Reg SCI' environment) apply on the intermediary side. For EU-listed tokens, MiCA Article 88 (market-abuse obligations on CASPs) applies directly to the venue. Honesty marker: ERC-3643 is the industry-consensus permissioned-token standard, but adoption is uneven — the dominant ERC-3643-aligned implementation in the tokenized private-funds segment is Securitize DS Protocol, with Tokeny T-REX as a parallel implementation; many tokenized securities still use ad-hoc allowlist contracts or ERC-1404 variants without a shared identity registry, and cross-issuer interoperability of claims is a known open problem.

An SEC-registered alternative trading system matches the seller's offer with the buyer's bid and produces a signed trade affirmation. Securitize Markets, LLC is the dominant SEC-registered ATS for tokenized-securities secondary trading; Prometheum ATS, INX, OnChain Markets, and tZERO operate the same venue category under SEC ATS supervision [VERIFY each operator's current Form ATS / ATS-N filing and operational status]. The trade is represented in ISDA CDM (Common Domain Model) canonical form — the industry-standard machine-readable representation of the economic terms — and simultaneously encoded in the venue's FIX (Financial Information eXchange) execution report. For settlement instruction the match is serialized into ISO 20022 sese.023 (MT541/MT543 equivalent) and, for on-chain atomic settlement, hashed into the DvP settlement contract's `TradeTicket` struct. L3 Execution and L4 Account are lit — the match-and-commit logic runs at execution layer, and both sides' account contracts confirm the committed balances. The CDM representation is the canonical cross-reference that lets this trade be reported to regulators (SEC CAT, EU ARM) and reconciled by the buy-side's post-trade system (Traiana, Omgeo/CTM, on-chain equivalents) without the usual FpML-vs-FIX reconciliation headaches. Builder: emit the CDM-hashed trade to both the DvP contract and an off-chain CDM validator before firing atomic settlement; this guarantees the same trade exists in exactly one canonical form across the affirmation, the settlement, and the downstream regulatory report. For DLT-native venues (Marketnode, Taurus TXG, R3 Corda-based markets), the CDM representation often lives in the native DLT object model; the on-chain hash is the cryptographic anchor back to the canonical representation. Compliance officer: satisfies C10 (oracle / market-data integrity — the trade's economic terms are reported consistently across every downstream system), C11 (recordkeeping — the CDM-hashed trade is the authoritative record; ATS recordkeeping obligations attach under 17 C.F.R. § 242.302), and C13 (market-integrity reporting — regulators receive a single canonical trade representation). The ATS operates under Reg ATS Rule 301 (17 C.F.R. § 242.301), which establishes the conditional Exchange-Act-§3(a)(1) exemption for an ATS registered as a broker-dealer; SEC Consolidated Audit Trail (CAT) Rule 613 requires reporting within narrow windows; ISDA CDM is the emerging lingua franca for multi-jurisdiction CAT-equivalent reporting. Honesty marker: CDM adoption in cash-securities workflows is still early as of early 2026 — CDM ships production-stable for derivatives and repo under ISDA, but the equity and structured-product modules are works in progress; expect to encounter FIX/FpML/CDM reconciliation during the transition.

The DvP contract executes the atomic bind: the security token transfers from seller's custody to buyer's custody and the cash-leg stablecoin (Circle USDC is dominant; Circle EURC, Paxos USDP, and other regulated stablecoins fit the same role) transfers from buyer to seller in the same Ethereum block. Either both transfers succeed or neither does — the legs are bound by the EVM's atomicity guarantee, not by the good intentions of a CSD's timing window. Settlement risk is eliminated by code: the buyer can never be left holding cash with no security, and the seller can never be left holding a security with no cash. L4 Account (balance updates on both sides), L3 Execution (atomic swap logic + the transfer-restriction module re-firing at moment of transfer), and L2 Consensus (block-level atomic ordering) are all lit — every layer at or below the enforcement line participates. Finality on Ethereum is strong at one block (~12s) for institutional amounts under SEC Rule 15c6-1 T+1 thresholds; the transfer-restriction smart contract re-checks the buyer's whitelist status at the moment of transfer (closing the front-run window between match-time eligibility and settlement-time eligibility). Builder: the DvP contract should receive the ISDA CDM-hashed trade ticket from Step 3 and verify that the hash matches the buyer/seller/amount/security triple before executing the atomic bind — this prevents ticket-substitution attacks. Emit a `DvPSettled(cdmHash, securityId, buyer, seller, amount, blockNum)` event; downstream regulatory reporting and post-trade reconciliation pipelines index by cdmHash. Compliance officer: satisfies C6 (reserve-backing on the cash-leg stablecoin — Circle's 1:1 reserves under GENIUS §4(a) apply to the in-transit USDC amount; equivalent reserve-backing rules apply to other regulated stablecoins fitting the cash-leg role), C7 (Travel Rule on cross-border corridors if the transfer crosses $3,000 and either counterparty is in a non-US jurisdiction; packaged via IVMS101 alongside the CDM trade ticket), C13 (market-integrity recordkeeping of the atomic settlement event), and C16 (programmable-compliance enforcement — the transfer-restriction module re-fires at settlement). The Reg D 506(c) safe harbor (17 C.F.R. § 230.506(c)) governs the security leg's transfer; GENIUS §6 (AML/BSA) sanctions screening on the buyer's and seller's addresses is a pre-condition for the atomic call — wire Chainalysis OFAC oracle as a revert source. MiCA Article 68 (originator information) and EU T2S settlement-standard compatibility apply for EU-jurisdictional legs. Honesty marker: 'atomic DvP' in production as of early 2026 is real on permissioned rails (Fnality USC, JPMorgan Onyx / Kinexys, Project Meridian at the BIS, Clearstream D7) and on public chains for tokenized private securities (the EVM-pattern stack S2 models is the dominant public-chain implementation); atomic DvP for US public equities on the DTCC perimeter is still in pilot (Project Ion) and has not replaced the existing CNS/Fedwire settlement window.

Both custodians book the post-trade state: buyer's wallet now holds the tokenized security; seller's wallet holds the cash-leg stablecoin proceeds. The SEC-registered transfer agent's on-chain registry updates the beneficial-ownership record — the tokenized security's ownership ledger is the single authoritative record for corporate actions, voting, and tax reporting, replacing the old DTC/Cede & Co. nominee structure with direct named-beneficial-owner representation. L4 Account and L5 Application are lit on both sides, above the enforcement line — the post-trade obligations are policy-enforced by the custodians' internal controls and the transfer agent's registered role under SEC Rule 17Ad-1 et seq. Builder: the transfer agent's registry-update function should be callable only by the DvP contract via a permissioned role; this closes the attack where a compromised wallet tries to fake ownership without passing the atomic DvP. Cache the settled position in your custodian's internal books with the DvP block number as the reconciliation key for the overnight tie-out against the on-chain registry. Compliance officer: C11 (recordkeeping — the DvP tx hash + CDM hash + transfer-agent registry update together form the authoritative trade record with a retention floor of 6 years under SEC Rule 17a-4, paralleled by Investment Advisers Act of 1940 §204 (17 C.F.R. § 275.204-2) for the fund's investment adviser, and 7 years for registered reps, longer for specific jurisdictions) and C12 (audit-grade attestation — the on-chain settlement is independently verifiable by any third party without custodian cooperation). Tax reporting obligations attach: IRS §6045 cost-basis reporting for US persons, EU DAC7/DAC8 reporting for EU-based intermediaries. For private placements under Reg D / 144A, the resale restrictions of the Reg D 506(c) safe harbor (17 C.F.R. § 230.506(c)) and Rule 502(d) one-year holding (or the §4(a)(7) / Rule 144 holding period) must re-activate in the registry's transfer-restriction module at this step. Honesty marker: direct-beneficial-ownership representation is the long-term promise of tokenized securities but requires parallel upgrades to corporate-actions infrastructure (DTCC CA Web, proxy voting services) that are not yet fully in place — expect hybrid representation (on-chain beneficial owner + traditional voting agent) through 2026–2028.

The broker-dealer and both custodians reconcile the settled trade against their internal books, the CDM-hashed trade ticket from Step 3, and the on-chain DvP event from Step 4. Regulatory reporting fires: SEC CAT Rule 613 (within narrow windows for the execution-report event), FINRA TRACE / ORF for the post-trade public tape (for registered securities), EU ESMA ARM reporting under MiFIR Article 26 for EU-jurisdictional legs. The SEC-registered ATS that matched the trade in Step 3 carries Reg ATS reporting obligations on the venue side: Form ATS (17 C.F.R. § 242.304) for tokenized-securities ATSs under current Rule 304 scoping (which reaches NMS stocks with Form ATS-N — the SEC's pending exchange-definition rulemaking would extend Form ATS-N to non-NMS-stock ATSs if adopted), Rule 302 recordkeeping (17 C.F.R. § 242.302), and Rule 303 record-preservation (17 C.F.R. § 242.303; Exchange Act Rule 17a-4, 17 C.F.R. § 240.17a-4) for ATS-side records. For tokenized securities traded on a DLT market, CPMI-IOSCO Principles for Financial Market Infrastructures §§17–19 (recordkeeping, operational-risk, CSD-specific obligations) apply to the operator. The audit bundle — DvP tx hash + CDM hash + FIX execution report + ISO 20022 sese.023 + transfer-agent registry update — is archived to durable WORM-compliant storage with retention of 6 years (SEC 17a-4), 7 years (FINRA), 10 years (EU MiFID II); the adviser-side parallel obligation is Investment Advisers Act of 1940 §204 (17 C.F.R. § 275.204-2). L5 Application is lit — finality lives entirely in the policy layer because the regulatory record of settlement is the broker-dealer's books plus the on-chain evidence, with the broker-dealer's SEC/FINRA registration as the accountable party. Builder: for the CAT report, use the CDM hash from Step 3 as the stable cross-reference key; for EMIR/ARM reports on OTC derivatives legs (where S2 overlaps with derivatives settlement), the ISDA CDM representation is reportable directly under ESMA's Technical Standards RTS 22. Store the full audit bundle in R2 or S3-Glacier under a retention policy that outlives the record-date of the underlying security. Compliance officer: C11 (recordkeeping with multi-jurisdictional retention floors — SEC 17a-4, Reg ATS Rule 303 / 17 C.F.R. § 242.303, Investment Advisers Act §204 / 17 C.F.R. § 275.204-2), C12 (audit/attestation — the DvP event is independently verifiable by a third party without custodian cooperation, which strengthens the audit posture vs. traditional trade confirmations), and C13 (market-integrity regulatory reporting via CAT, TRACE, ARM, Form ATS, and equivalent). SEC Rule 17Ad-22 (Covered Clearing Agency standards) applies to any DLT-native CSD operating this path. Honesty marker: regulator tolerance for DLT-native recordkeeping as the primary audit source is still jurisdiction-dependent as of early 2026 — the SEC has accepted DLT records for specific pilots [VERIFY current pilot roster — Prometheum ATS, INX, and Figure's ATS were among the early DLT-record acceptors] but has not issued a general determination that an on-chain record satisfies Rule 17a-4 standalone; most broker-dealers still maintain parallel traditional records, so C11 compliance is effectively belt-and-suspenders.