Tokenized Deposits

Regulated Liability Network (RLN)

Multi-bank tokenized deposit network with central-bank-money interoperability. Citigroup-led consortium exploring shared settlement of commercial bank money, central bank money, and regulated non-bank digital money on a common ledger.

Vendors

Citigroup · SETL · HSBC · Mastercard · NY Fed (observer)

Compliance Center

Bank-grade KYC at Identity + multi-party settlement compliance at Authorization. Central bank money leg adds sovereign oversight.

tokenized-deposits rln citigroup central-bank-money multi-party shared-ledger setl

Filter by shape:

C5 · UNKNOWNRegulated Liability Network (RLN)·6 stations(4 compliance, 2 infra)·citigroup · setl · hsbc · mastercard · bny-mellon · td-bank · us-bank · truist · wells-fargo

3+5 shape system

GatePre-condition — blocks if it failsMonitorConcurrent — observes without haltingObligationPost-settlement — reports after the factsolid = codedashed = policy

How to read this diagram

Each station on the rail represents a compliance or infrastructure event in the Regulated Liability Network (RLN) path. Hover any station to inspect it. The shape tells you what kind of event it is. The ring tells you how it's enforced.

Gate Monitor Obligation| Ingress Crossing Transform Settlement Venue

This path at a glance

6 stations across 5 of 8 segments. 4 are compliance checkpoints, 2 are infrastructure.

1 code-enforced5 policy-enforced

C5 · REGULATED LIABILITY NETWORK (RLN) · REGULATED LIABILITY NETWORK (CITI-LED, SETL-STACK)

L5 APPLICATIONRLN consortium onboarding (member entity) + per-bank CIP for member-customers

L4 ACCOUNTMember-customer wallet ↔ participating bank's existing customer file

Step 1 · Member Identity (Bank-Grade Onboarding)Policy-Enforced

"An institutional client onboarded to a major correspondent bank — bank-grade due diligence, beneficial-ownership disclosure, ongoing-monitoring program, attested before any RLN access."

Each RLN participating member (Citi · HSBC · Mastercard · BNY Mellon · TD · US Bank · Truist · Wells — VERIFY current roster) completes the consortium's institutional onboarding before joining the network. The onboarding satisfies bank-grade KYB on the member entity, beneficial-ownership disclosure (31 C.F.R. § 1010.230), and attestation of the member's own BSA/AML program.

Member-customers (corporate clients of the participating banks) inherit identity attestation from their respective banks' existing CIP files. RLN does not run customer-level CIP at the consortium layer; the participating bank does.

L4 ACCOUNT (member-customer wallet eligibility) and L5 APPLICATION (consortium onboarding + per-bank CIP) lit, policy-enforced.

Honesty marker: RLN is in pilot at the model's January 2026 cutoff. The 2022–2023 New York Innovation Center PoC established the architecture, but production-stage commercial rollout, public-facing member roster, exact participant entity names, and Fed participation status all carry VERIFY. Renderers should not assume current production deployment; treat path content as architecturally directional pending public disclosure.

Counterparty: RLN consortium onboarding · participating bank CIP
Latency: Member onboarding is multi-week · customer-level identity inherited
Finality: N/A — onboarding pre-date
Vendors: RLN consortium onboarding administration · Participating-bank CIP file (per-bank — VERIFY)
Chain: Regulated Liability Network (Citi-led, SETL-stack) (Citi-led consortium · SETL (Marqeta-owned · VERIFY) provides underlying ledger technology)

L5 APPLICATIONOriginating member treasury — liability-class selection per payment economics + receiving-member acceptance

Step 2 · Liability-Class Selection (Multi-Asset Negotiation)Policy-EnforcedINGESTDETECTALERT

"A correspondent banker selecting the cash leg currency for a cross-border settlement — except the choice is between commercial bank money, central bank money, or regulated non-bank digital money rather than between USD and EUR."

RLN's multi-liability architecture means the originating member must select which liability class denominates the settlement: commercial-bank money (member-bank deposit liability), central-bank money (Fed reserve-account leg — VERIFY production-stage availability), or regulated non-bank digital money (regulated stablecoin issuer liability).

The choice has settlement-finality, prudential, and tax implications: central-bank-money settlement carries sovereign-risk-free finality but requires Fed-leg eligibility; commercial-bank-money carries the issuing bank's credit exposure; regulated-non-bank settlement carries the stablecoin issuer's reserve-backing exposure.

L5 APPLICATION lit, policy-enforced. C13 (market integrity) attaches because the liability-class choice is disclosed to the receiving counterparty — a misstated liability class would create operational exposure for both members.

Counterparty: Originating member treasury · receiving member acceptance
Latency: Per-payment selection
Finality: Selection binds settlement contract to liability class
Vendors: RLN liability-class selection surface (VERIFY UI vendor) · Originating + receiving member treasury systems
Chain: Regulated Liability Network (Citi-led, SETL-stack) (Citi-led consortium · SETL (Marqeta-owned · VERIFY) provides underlying ledger technology)

L5 APPLICATIONPer-member compliance pipelines (NICE Actimize · Verafin · SAS — VERIFY) — outbound sanctions + multi-party authorization workflow

L3 EXECUTIONRLN atomic-swap contract — multi-party signature gate (originating member · receiving member · Fed-leg if applicable)

◆ Enforcement Line — mixed code- and policy-enforced

Step 3 · Multi-Party Authorization (Atomic Swap Setup)Mixed EnforcementINGESTDETECTALERT

"A multi-party DvP settlement message that requires affirmative sign-off from each leg's holder — except the legs are different liability classes on a single ledger."

RLN's atomic-swap primitive requires authorization from each liability holder participating in the settlement. For a commercial-bank-money payment: originating bank, receiving bank, and (if the central-bank-money leg is involved) the Federal Reserve all sign affirmatively before the swap fires.

Sanctions screening runs at the originating-member layer (NICE Actimize · Verafin · SAS — VERIFY member-by-member); on-chain enforcement gates the settlement contract on the multi-party signature requirement.

L3 EXECUTION (multi-party signature gate) and L5 APPLICATION (per-member compliance pipelines) lit. Mixed enforcement: bank-side sanctions screening is policy-enforced, on-chain signature gate is code-enforced. C9 (prudential) attaches at every participating bank because the swap changes intraday-liquidity positions.

Honesty marker: GENIUS Act §13 explicitly excludes deposit tokens from the stablecoin definition. The commercial-bank-money leg of RLN carries this exclusion; the regulated-non-bank-digital-money leg does NOT — a regulated stablecoin issuer participating in RLN remains subject to the full GENIUS Act stablecoin perimeter (reserve backing under §4, audit attestation under §4(b), recordkeeping under §4(c)). Path resolutions that combine deposit-token + stablecoin legs in a single RLN swap need to surface both compliance perimeters; conflating them is the most common modelling error in this architecture.

Counterparty: All participating liability holders + Fed (if CBM leg)
Latency: Sub-second on-chain after signatures · variable signature-collection time
Finality: Pre-condition — halts on any withheld signature
Vendors: Per-member sanctions screening (NICE Actimize · Verafin · SAS — VERIFY) · RLN atomic-swap contract · Federal Reserve signature primitive (VERIFY production architecture)
Chain: Regulated Liability Network (Citi-led, SETL-stack) (Citi-led consortium · SETL (Marqeta-owned · VERIFY) provides underlying ledger technology)

L4 ACCOUNTMulti-class liability tokens — atomic debit/credit across all participating legs

L3 EXECUTIONRLN settlement contract — atomic multi-liability swap with cryptographic liability-class tagging

L2 CONSENSUSRLN consensus (BFT among member validators · VERIFY algorithm)

L1 NETWORKRLN private network (consortium-operated · VERIFY transport architecture)

◆ Enforcement Line — code-enforced at this layer

Step 4 · Atomic Multi-Liability Swap (RLN Ledger)Code-Enforced

"An RTGS settlement that simultaneously moves cash legs across multiple central-bank accounts — except on a shared ledger with multiple liability classes coexisting."

The RLN settlement contract executes the atomic multi-liability swap. All legs commit together: originating member's commercial-bank-money debit, receiving member's commercial-bank-money credit, and (if applicable) the central-bank-money or regulated-non-bank-digital-money legs.

Liability class is preserved cryptographically through the swap — a token tagged 'commercial-bank-money' cannot be silently converted to 'central-bank-money' without an explicit Fed-leg signature. This protocol-level liability-class integrity is the substrate's defining property.

L1 NETWORK · L2 CONSENSUS · L3 EXECUTION · L4 ACCOUNT all lit. Final on RLN consensus per the SETL ledger engine's BFT round [VERIFY exact algorithm and latency target]. C13 (market integrity) attaches because liability-class integrity is load-bearing for the settlement guarantee.

Counterparty: RLN settlement contract + all participating liability holders
Latency: Sub-second (VERIFY exact target)
Finality: Final on RLN consensus
Vendors: RLN settlement contract · SETL ledger engine (Marqeta-owned · VERIFY) · Per-member validator nodes
Chain: Regulated Liability Network (Citi-led, SETL-stack) (Citi-led consortium · SETL (Marqeta-owned · VERIFY) provides underlying ledger technology)

L5 APPLICATIONFederal Reserve Bank of New York (observer · production-stage participation VERIFY) + participating bank reserve accounts + OCC examination interface

Step 5 · Sovereign-Leg Oversight (Fed Touch Point)Policy-EnforcedINGESTDETECTALERT

"A Fedwire settlement passing through the Fed's central settlement infrastructure — except the Fed leg is one of three liability classes on a shared ledger rather than a distinct messaging rail."

Settlements involving the central-bank-money leg touch Federal Reserve infrastructure. The Fed's role at the model's January 2026 cutoff is observer (per the 2022–2023 NY Innovation Center PoC); production-stage Fed participation as a liability holder carries VERIFY.

When the CBM leg is live, the Fed's leg-signature primitive participates in the multi-party authorization (cf. step 3) and the Fed's reserve-account books reflect the settlement. Sovereign oversight attaches: every CBM-leg settlement is observable to the Fed and the OCC for participating national banks.

L5 APPLICATION lit, policy-enforced. C10 (operational resilience) attaches because the Fed leg introduces dependence on Fed operational uptime — RLN settlements involving the CBM leg cannot complete during Fed-side outages.

Honesty marker: Sovereign oversight is the architectural feature that distinguishes RLN from every other tokenized-deposit pattern in the registry. The central-bank-money leg means every CBM-touching settlement is potentially observable to the Federal Reserve and to the OCC for participating national banks. This is operationally similar to Fedwire today, but the on-shared-ledger architecture concentrates supervisory visibility in a way that no other consortium-bank pattern (Cari · Kinexys · Canton) does. Compliance programs at participating banks should assume Fed and OCC examination scope on every CBM-leg settlement.

Counterparty: Federal Reserve · participating bank reserve accounts · OCC
Latency: Per CBM-leg settlement · Fed-side participation cadence VERIFY
Finality: Final on RLN · Fed books reflect leg post-settlement
Vendors: Federal Reserve Bank of New York settlement infrastructure (VERIFY production architecture) · Participating bank reserve-account interfaces · OCC examination interface
Chain: Regulated Liability Network (Citi-led, SETL-stack) (Citi-led consortium · SETL (Marqeta-owned · VERIFY) provides underlying ledger technology)

L5 APPLICATIONRLN reporting infrastructure + participating banks' books + Fed books (CBM-leg) — single canonical record across all parties

Step 6 · Settlement Reporting & Multi-Class RecordkeepingPolicy-EnforcedINGESTDETECTALERT

"Settlement-record archives at a multi-currency clearing house — each currency leg's record is preserved alongside the integrated settlement record."

Each settlement's record preserves the liability-class composition: the on-chain transaction hash anchors the multi-class swap, and each participating liability holder's books reflect their leg of the settlement.

Recordkeeping satisfies C11 obligations at every participating bank under existing 12 C.F.R. §§ 12.1, 12.3 (records of account); the cryptographic on-chain record satisfies C12 (independent audit trail). Cross-class reconciliation (e.g., commercial-bank-money debit at originating bank reconciles to central-bank-money credit at Fed leg) is the canonical end-of-day reconciliation primitive.

L5 APPLICATION lit, policy-enforced. The single canonical record across all participating books is the operational simplification — multi-leg reconciliation that traditionally requires per-bank-per-currency book matching collapses to one ledger query.

Counterparty: RLN reporting · all participating books · Fed books (CBM-leg)
Latency: Real-time queryable · daily reconciliation
Finality: Final · on-chain hash + per-member books canonical
Vendors: RLN reporting infrastructure · Participating-bank books · Federal Reserve books (CBM-leg · VERIFY production access model)
Chain: Regulated Liability Network (Citi-led, SETL-stack) (Citi-led consortium · SETL (Marqeta-owned · VERIFY) provides underlying ledger technology)

Resolved 6 steps across 1 chain(s). 0 threshold(s) triggered. Frameworks: Common Reporting Standard / FATCA.

Coverage notes: 5 disclosed gap(s).

Other Tokenized Deposits Paths

C1 Cari DDA Tokenization (Mint/Burn) Cari Network · Prividium (ZKsync)

C2 Cari Interbank Deposit Transfer Cari Network · Huntington

C3 Cari Commercial Payment Cari Network · Corporate Treasury

C4 Cari Intraday Liquidity Sweep Cari Network · Member Banks

C6 Cari–Stablecoin Bridge Cari Network · Circle

C7 JPMorgan Deposit Token JPMorgan · Onyx

← All Tokenized Deposits Paths

Resolve Your Own Path →

Regulated Liability Network (RLN)

Step 1 · Member Identity (Bank-Grade Onboarding)Policy-Enforced

Step 2 · Liability-Class Selection (Multi-Asset Negotiation)Policy-EnforcedINGESTIDETECTDALERTA

Step 3 · Multi-Party Authorization (Atomic Swap Setup)Mixed EnforcementINGESTIDETECTDALERTA