Start with the audit scope checker to get an immediate control status, then use the report layer to verify dated evidence, boundary conditions, and risk tradeoffs before launch.
Tool-first layer
This checker returns an immediate status (actionable/monitor/boundary), lane-level reasons, and a direct next action.
15 days
US exempt offers under Rule 506(c) require filing Form D no later than 15 days after first sale.
S2
6 months / 1 year
Resale windows remain bounded by issuer reporting status; transfer logic should reflect this boundary.
S3
1% (2% hard cap)
Bank cryptoasset exposures above thresholds can trigger prudential friction before product growth.
S4
January 1, 2026
Supervisory assumptions should be re-checked against the 2026 implementation baseline.
S5
USD/EUR 1,000+
Cross-border transfer data requirements apply above this threshold and should be reflected in audit evidence.
S7
85 of 117 jurisdictions (73%)
As of April 2025, legal adoption progressed but remained incomplete across jurisdictions in FATF tracking.
S8
6
Authorized DLT market infrastructures are still limited, so venue assumptions should stay explicit.
S9
18 recommendations
Same-activity-same-risk framing supports controls-based audit scoping instead of token-label shortcuts.
S6
8 of 20 jurisdictions
Retail-appropriateness and disclosure implementation remains uneven in IOSCO thematic review coverage.
S14
Code exhibits may be required
When smart contracts govern rights and flows, filing packages may need source code exhibits for auditability.
S1
Set your control assumptions and this checker returns an audit-readiness status with lane-level blockers and a concrete next action.
Report summary
Use this section to understand decision-level takeaways before diving into method and source details.
Every row includes a source and date so assumptions can be revalidated.
| Metric | Value | Source | Date | Audit implication |
|---|---|---|---|---|
| Rule 506(c) filing requirement | Form D within 15 days after first sale | SEC Rule 506(c) guide | SEC page reviewed 2026-04-18 | Audit checklist should include filing timestamps and owner accountability. |
| Rule 506(c) investor qualification | All purchasers must be accredited; issuer must take reasonable verification steps | SEC Rule 506(c) guide | SEC page reviewed 2026-04-18 | Transfer-onboarding controls should evidence accreditation checks, not self-attestation alone. |
| Rule 144 restricted-security holding period | 6 months / 1 year | SEC Rule 144 overview | SEC page reviewed 2026-04-18 | Transfer smart-contract logic should not imply unrestricted resale before legal windows. |
| Rule 144 Form 144 trigger for affiliates | Notice filing if sale exceeds 5,000 shares or USD 50,000 in three months | SEC Rule 144 overview | SEC page reviewed 2026-04-18 | Audit evidence should include affiliate-sale monitoring and automated filing triggers. |
| BCBS Group 2 cryptoasset exposure limit | Generally 1% of Tier 1 capital (2% hard limit) | BCBS d545 | Published 2022-12-16 | Institutional rollout assumptions must model prudential ceiling effects. |
| BCBS technical amendment implementation | January 1, 2026 | BCBS d583 | Published 2024-07-17 | Audit controls should be mapped against post-2026 supervisory baseline. |
| FATF transfer-rule threshold for VAs | Transactions above USD/EUR 1,000 | FATF Updated Guidance for Recommendation 16 | Published 2025-06-18 | Evidence packs need traceability fields for originator/beneficiary data obligations. |
| FATF Travel Rule legal implementation | 85 of 117 jurisdictions (73%) had passed legislation | FATF Targeted Update on VA/VASP implementation | As of April 2025 | Cross-border rollout checklists must include jurisdiction-level legal coverage tests, not global assumptions. |
| FATF Recommendation 16 revised requirement horizon | Jurisdictions should implement revised requirements by end-2030 | FATF Updated Guidance for Recommendation 16 | Published 2025-06-18 | Audit roadmaps need a dated migration plan for transfer-rule control upgrades. |
| IOSCO policy baseline | 18 recommendations under same-activity/same-risk principle | IOSCO Final Report | Published 2023-11 | Control mapping should follow activity risk, not marketing labels. |
| IOSCO Recommendation 18 implementation depth | 8 of 20 jurisdictions fully implemented in thematic review scope | IOSCO Thematic Review (FR/13/2025) | Published 2025-10-16 | Retail-facing disclosures and appropriateness controls require jurisdiction-specific gap mapping. |
| FSB finalized stablecoin-framework coverage | 5 jurisdictions (21% of assessed FSB members) | FSB Thematic Review (P161025-1) | Published 2025-10-16 | Stablecoin-linked structures need explicit fallback planning for framework asymmetry. |
| ESMA DLT Pilot instrument eligibility thresholds | Shares < EUR 500m market cap; bonds < EUR 1bn issuance; UCITS < EUR 500m AUM | ESMA DLT Pilot Regime page | ESMA page reviewed 2026-04-18 | Venue choice and product sizing should be audited together before distribution claims. |
| ESMA DLT market infrastructures list | 6 authorized infrastructures listed | ESMA Authorized DLT Market Infrastructures list | File date 2026-01 | Distribution and settlement assumptions require explicit venue checks. |
| MiCA transitional boundary | Grandfathering may continue for pre-2024-12-30 services until July 1, 2026 | ESMA MiCA implementation page | ESMA page updated 2026-04-17 | Audit templates should distinguish full authorization from temporary national transition treatment. |
Tool and report share one method chain: scope, score, boundary-test, evidence-map, risk-convert, then route.
| Step | Action | Output |
|---|---|---|
| 1. Scope freeze | Define one jurisdiction, one rights model, one launch stage, and one evidence baseline before scoring. | Audit perimeter statement with explicit assumptions. |
| 2. Lane scoring | Score legal, contract, reporting, operations, and governance lanes using deterministic rules. | Status + lane-level blocker visibility. |
| 3. Boundary test | Stress-test jurisdiction, transfer policy, and open findings to identify invalidation triggers. | Boundary/monitor/actionable routing. |
| 4. Evidence mapping | Map every key conclusion to dated primary sources and mark unknown fields explicitly. | Known/unknown evidence table for audit reproducibility. |
| 5. Risk conversion | Convert narrative risks into trigger + mitigation pairs that can be assigned to owners. | Actionable risk matrix. |
| 6. Route selection | Link each result state to a direct next action and fallback path. | No-dead-end execution path. |
Known and unknown evidence are shown together to prevent false certainty.
| Claim | Known | Unknown / pending | Sources |
|---|---|---|---|
| Rule 506(c) and Rule 144 constraints can invalidate token-transfer assumptions if ignored. | Form D timing, accredited-buyer verification, and holding period windows are published and explicit. | How each issuance stack enforces these windows technically is not uniformly public. | S2 · S3 |
| Smart-contract assurance can become a disclosure requirement in securities offerings. | SEC staff statement notes cases where smart-contract code is required as exhibit material. | Issuer-specific review thresholds vary by offering facts and counsel interpretation. | S1 |
| Tokenized securities can carry different rights depending on whether issuance is issuer-tokenized or third-party-tokenized. | SEC states the format does not remove federal securities-law obligations and distinguishes tokenization models. | Product-level rights mappings are often incomplete in public marketing materials. | S10 |
| Bank prudential boundaries can cap growth before infra throughput does. | BCBS Group 2 limits and 2026 amendment timing are published in standard text. | Institution-specific supervisory interpretation and capital buffer treatment may differ. | S4 · S5 |
| Cross-border transfer-data obligations are material audit controls for many tokenization flows. | FATF transfer-rule guidance sets clear threshold language for required data fields. | Cross-jurisdiction implementation quality remains uneven and dynamic. | S7 · S8 |
| Global implementation progress is still uneven even where policy recommendations exist. | IOSCO and FSB implementation reviews report inconsistent jurisdictional adoption across recommendation sets. | Public, issuer-level mappings from recommendation gaps to specific tokenized product controls remain limited. | S14 · S15 |
| Venue assumptions should be explicit in DLT-market rollout plans. | ESMA published a dated list with six authorized DLT market infrastructures. | Live depth, settlement reliability, and participant concentration are not fully standardized across venues. | S9 |
| A global audit-pass benchmark for RWA tokenization programs is often cited but rarely evidenced. | Primary sources publish obligations and implementation snapshots, not a harmonized pass-rate dataset for issuance programs. | Pending verification: no reliable public dataset was found for cross-jurisdiction audit pass/fail rates as of 2026-04-18. | S8 · S14 · S15 |
Each boundary states when a control claim is valid, where it fails, and the minimum audit action.
| Boundary | Applies when | Fails when | Minimum audit action | Sources |
|---|---|---|---|---|
| Rule 506(c) fundraising eligibility | All purchasers are accredited and the issuer can evidence reasonable verification steps. | Teams treat broad marketing access as equivalent to unrestricted investor eligibility. | Bind onboarding workflows to accreditation evidence retention and Form D timing logs. | S2 |
| Rule 144 resale readiness | Holding period, current-information, volume, and Form 144 thresholds are operationally monitored. | Transfer UX implies unrestricted resale without affiliate/non-affiliate distinctions. | Map transfer controls to Rule 144 conditions and affiliate filing triggers. | S3 |
| Tokenized security rights perimeter | Issuer-tokenized vs third-party-tokenized model and holder rights chain are explicitly documented. | Token label is used as shorthand for legal rights without rights-to-obligation mapping. | Freeze a rights matrix and legal-entity dependency map before launch sign-off. | S10 |
| EU venue and product-size scope | Instrument sizing and venue selection stay inside DLT Pilot thresholds and authorized infrastructure scope. | Distribution plans assume pilot eligibility without checking instrument caps and venue authorization. | Review instrument thresholds and authorized venue list in the same audit packet. | S9 · S13 |
| MiCA transition treatment | Pre-2024-12-30 providers rely on transitional treatment only within national conditions until 2026-07-01. | Temporary grandfathering is treated as equivalent to full pan-EU authorization. | Separate transitional controls from full-authorization controls with dated end-state milestones. | S12 |
Use this table to avoid route confusion across audit, compliance, finance, and scale pages.
| Route | Best for | Main question | Next action |
|---|---|---|---|
| /learn/rwa-tokenization-audit | Audit scope and control-readiness diagnosis | Are your legal, technical, and governance controls audit-ready? | Run this checker first when launch risk is uncertain. |
| /learn/rwa-compliance | Broader issuance/distribution compliance map | Which compliance lane owner is missing before launch? | Use after this audit route to deepen owner-level controls. |
| /learn/rwa-finance | Rights and market-structure decision context | How do rights, custody, and market mechanics change route choice? | Use when audit design is stable but strategic route is still open. |
| /learn/rwa-scale | Scale-readiness and denominator boundaries | Can your model scale safely across evidence and perimeter constraints? | Use when launch controls are in place and expansion planning starts. |
This table adds negative cases and minimum controls so teams can avoid narrative-only decisions.
| Choice | Upside | Limit | Counterexample | Minimum control | Sources |
|---|---|---|---|---|---|
| Multi-region launch vs single-jurisdiction rollout | Faster geographic coverage and distribution narrative. | Regulatory implementation is uneven across jurisdictions and recommendation sets. | FATF reported 85/117 jurisdictions with Travel Rule legislation (73%) in April 2025, not universal legal coverage. | Start with one jurisdiction and require dated legal-coverage checks before each expansion. | S8 |
| Label-driven token marketing vs rights-driven disclosure | Simpler messaging and faster go-to-market copy. | Tokenized format can mask materially different holder rights and obligations. | SEC distinguishes issuer-tokenized and third-party-tokenized securities; rights can differ across models. | Publish a rights matrix that links token holder claims to legal instruments and counterparties. | S10 |
| Policy adoption signal vs implementation confidence | Using high-level policy adoption as readiness proxy is quick. | Policy alignment does not guarantee full implementation quality at control level. | IOSCO thematic review found only 8/20 jurisdictions fully implemented Recommendation 18 in assessed scope. | Add jurisdiction-by-jurisdiction control testing for disclosure and retail-appropriateness lanes. | S14 |
| Scale narrative vs prudential envelope | Aggressive growth targets can improve fundraising optics. | Prudential and framework asymmetries can halt bank-led or stablecoin-linked scaling paths. | FSB review reports only 5 jurisdictions had finalised stablecoin frameworks among assessed members. | Set exposure and framework gates before committing scale milestones in external communications. | S15 · S4 |
Every risk row includes trigger and mitigation so teams can assign owners immediately.
| Risk | Impact | Trigger | Mitigation |
|---|---|---|---|
| Rights-mismatch risk | High | Token marketing implies ownership rights not supported by legal wrapper. | Publish rights matrix and legal-entity mapping with counsel sign-off before distribution. |
| Transfer-policy drift | High | Whitelists and transfer restrictions are updated manually without synchronized legal controls. | Version-control transfer policies, require dual approval, and maintain audit logs. |
| Evidence-staleness risk | Medium-High | Key evidence artifacts are older than one quarter or missing timestamps. | Set refresh SLA and reject go-live sign-off when freshness threshold fails. |
| Jurisdiction-overreach risk | High | Multi-region launch announced before local perimeter controls are tested. | Constrain launch to one jurisdiction until testable controls pass repeated cycles. |
| Contract-assurance gap risk | High | No external audit/formal verification on privileged contract paths. | Require independent review and severity closure evidence before launch approvals. |
| Governance handoff failure | Medium | Ownership between legal, engineering, and operations is unclear. | Assign named control owners and escalation deadlines in one shared runbook. |
| False confidence from aggregate metrics | Medium | Market-level growth stats are treated as proof of product-level readiness. | Use product-specific evidence and venue checks before any external claim. |
| Cross-jurisdiction implementation-divergence risk | High | Launch plans assume consistent Travel Rule, disclosure, and stablecoin-framework implementation across target markets. | Gate each jurisdiction with dated implementation evidence and downgrade launch scope when controls are partial. |
Examples show how the checker output translates into operational decisions.
Setup: US pilot, accredited perimeter, external contract audit completed, weekly reconciliations, 1-3 minor open findings.
Result: Monitor -> close findings and run full evidence rehearsal.
Why: Foundation is sound, but closure discipline determines production readiness.
Setup: EU + Asia rollout, custodial-wrapper model, partial evidence pack, manual transfer controls.
Result: Boundary -> narrow scope and re-sequence by jurisdiction.
Why: Jurisdiction complexity and control maturity are misaligned.
Setup: Synthetic rights model, no external contract assurance, monthly reconciliations, multiple open findings.
Result: Boundary -> stop launch claims and restructure control design.
Why: Model risk and assurance gaps create immediate audit failure conditions.
Setup: Issuer-sponsored model, auditable pack, daily reconciliation, legal-tech-ops assurance, no open critical findings.
Result: Actionable -> proceed with controlled expansion checks.
Why: Control operating model is testable and owner-accountable.
Setup: Two-jurisdiction rollout approved from policy memos, but local implementation evidence is partial and rights mapping differs by venue.
Result: Monitor -> downgrade expansion and run jurisdiction-by-jurisdiction evidence closure.
Why: Policy convergence alone does not prove operationally equivalent controls.
Questions are grouped by decision intent, not glossary padding.
Snapshot date: 2026-04-18. Re-check time-sensitive regulatory items before execution.
States that smart-contract code may need to be filed as exhibit material in certain offerings.
https://www.sec.gov/newsroom/speeches-statements/statement-crypto-asset-securities-offerings-registrations-041025Accredited-investor requirement and Form D filing timing reference.
https://www.sec.gov/smallbusiness/exemptofferings/rule506cHolding period, volume condition, and Form 144 threshold references.
https://www.sec.gov/reports/rule-144-selling-restricted-control-securitiesDefines Group 2 exposure limits and prudential treatment baseline.
https://www.bis.org/bcbs/publ/d545.pdfIncludes January 1, 2026 implementation timing references.
https://www.bis.org/bcbs/publ/d583.pdfSets 18 recommendations under same-activity-same-risk principle.
https://www.iosco.org/library/pubdocs/pdf/IOSCOPD734.pdfClarifies transfer-rule expectations and threshold references.
https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Updated-guidance-r16-VA-VASP-transfer-rule-compliance-tools.htmlProvides jurisdiction-level implementation statistics and supervisory coverage gaps.
https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/2025-Targeted-Upate-VA-VASPs.pdf.coredownload.pdfReference list of authorized DLT market infrastructures.
https://www.esma.europa.eu/sites/default/files/2026-01/Authorised_DLT_Market_Infrastructures.pdfClarifies rights and risk differences across tokenized-security structures.
https://www.sec.gov/newsroom/speeches-statements/corp-fin-statement-tokenized-securities-012826MiCA application timing and EU digital-finance status context.
https://finance.ec.europa.eu/news/digital-finance-2024-12-19_enTransitional treatment timelines and implementation updates (including 2026-07-01 transition boundary).
https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-micaDLT Pilot start date and instrument eligibility thresholds (shares, bonds, UCITS).
https://www.esma.europa.eu/mt/node/207362Implementation findings across 20 jurisdictions, including recommendation-level depth.
https://www.iosco.org/library/pubdocs/pdf/IOSCOPD801.pdfCross-jurisdiction framework implementation progress and persistent divergence evidence.
https://www.fsb.org/uploads/P161025-1.pdfUse one of these direct paths after running the checker and reading the evidence layer.
Compare adjacent projects and market surfaces.
Open scannerMove into owner-level compliance controls.
Open RWA complianceReview rights and market-structure boundaries.
Open RWA financeRequest a structured project review with your current evidence stack.
Submit project