Kai Firschau

CTO

ONINO provides infrastructure for regulated tokenized financing across the EU and Switzerland.

Quick Takeaway

KYC/AML in tokenization is a three-layer architecture problem, not a single integration. Off-chain verification handles identity checks and sanctions screening, encrypted data storage protects PII under GDPR, and on-chain identity contracts (ERC-3643) enforce compliance automatically at every token transfer. Institutional KYB adds further complexity with per-UBO verification. The gap between "we have a KYC provider" and "compliance is enforced at the protocol level" is where most implementations stall.

How to handle KYC/AML when launching a tokenized product in the EU

KYC (Know Your Customer) verifies identity at onboarding. AML (Anti-Money Laundering) monitors behaviour over the entire investor lifecycle. In a tokenized securities platform, both are enforced through a connected stack: an off-chain identity layer that handles document, biometric, and sanctions screening; an encrypted data layer that stores personally identifiable information under GDPR-grade controls; and an on-chain identity layer that maps a verified investor to a permissioned token contract, so that compliance is checked at every transfer before the transaction settles.

What does the investor actually experience during KYC for a tokenized security?

A modern flow has six steps: sign-up with name, email, and country; ID upload (passport, national ID, driving licence); a selfie or liveness check; an AML and sanctions sweep; an accreditation or qualified-investor check where the offering requires one; and the on-chain step, where the verified wallet is registered to the token's compliance contract so it can receive units.

Best-in-class flows compress steps one through four to under five minutes on mobile. Complex investors (SPVs, trusts, family offices) extend to several business days, because every Ultimate Beneficial Owner (UBO) has to complete their own KYC. The architectural choice is whether to send each UBO an individually scoped, time-limited verification link, or to ask the company representative to courier documents back. One scales; the other does not.

Which three architectural layers carry the compliance burden?

We refer to this internally as the ONINO Three-Layer KYC Stack. None of the three layers is sufficient on its own.

Off-chain verification. A regulated KYC provider performs document checks, biometric matching, and sanctions/PEP screening. Results return through signed webhooks; HMAC signature verification on every callback is non-negotiable. Polling-based integrations are a liability: they create stale states and race conditions during high-volume primary issuances.

Encrypted PII vault. Investor records sit behind envelope encryption: a key management service generates a data key, the platform encrypts the PII payload before it touches the database, and decryption happens server-side only when explicitly required. A database breach exposes ciphertext, not usable identity data. Under GDPR this is not merely a best practice; it is a lawful-basis requirement. The architecture must also support deletion: the encrypted blob can be wiped while the on-chain identity contract, which carries no personal data, remains intact.

On-chain identity. Verified investors are bound to a deployed identity contract that holds signed compliance claims. The token contract checks these claims at every transfer attempt. Off-chain verification without on-chain enforcement makes compliance advisory. On-chain enforcement without proper off-chain checks is signature theatre.

How does ERC-3643 bridge off-chain verification to on-chain enforcement?

ERC-3643, also known as the T-REX standard and developed by Luxembourg-based Tokeny Solutions, is the most widely adopted permissioned token standard for regulated securities. More than $28 billion of assets have been issued under it.

The bridge has three components. Each verified investor receives an ONCHAINID, a smart contract that stores cryptographic claims about verification status but no personal data. The platform's trusted issuer signs a KYC claim, attaches it to the investor's ONCHAINID, and registers the wallet in the token's Identity Registry along with a country code. From that point, the token's transfer function calls two checks: the Identity Registry confirms both sender and receiver have valid claims, and the modular Compliance Contract evaluates rules such as country restrictions, holder caps, and transfer cooldowns. If either check fails, the transfer reverts.

The practical consequence: a stolen private key cannot move security tokens to an unverified wallet. The asset is bound to the regulatory whitelist, not just to the cryptographic key. Forced transfers, freezing, and recovery functions exist because securities regulation requires them. Purely permissionless designs cannot accommodate them.

Where do most platforms lose investors during onboarding?

Drop-off in tokenized offerings clusters around four points: a desktop-first flow that forces mobile users to upload PDFs; over-asking on the first screen; KYC fatigue from investors who already verified on a sibling platform; and a black-box waiting screen with no status visibility.


Intervention                                           | Where it helps most
Mobile-first capture, camera-native, no PDF            | First-time retail investors
Minimum-viable form fields per stage                   | All investor types
Reusable KYC profiles across offerings                 | Returning investors
Real-time progress and verification status             | All investor types
Progressive verification, basic now and EDD at funding | High-ticket and institutional investors

The architectural unlock behind reusable KYC is the on-chain identity contract itself. Once an ONCHAINID exists, a second issuer can recognise existing verification claims rather than starting the flow from scratch. This is why platforms that share an identity layer outperform platforms that re-verify every investor at every offering.

Which EU and US rules govern KYC for tokenized securities in 2026?

For platforms touching EU investors, MiCAR applies to crypto-asset service providers and is in full application from 1 July 2026, with no grace period beyond national transitional deadlines. CASPs require formal authorisation with tiered minimum capital: €50,000 for execution and advice, €125,000 for exchange and custody, €150,000 for operating a trading platform. MiFID II applies where the token is a financial instrument and introduces investor classification (retail versus professional) that must propagate into the compliance module. AMLD6 sets the AML floor, with enhanced beneficial-ownership checks and stricter PEP rules. The European Crowdfunding Service Providers Regulation (ECSPR) covers crowdfunding offerings up to €5 million and adds an investor knowledge test for non-sophisticated investors.

In the US, the Bank Secrecy Act and FinCEN rules govern AML; SEC and FINRA rules govern investor verification. Regulation D 506(c) offerings require accredited-investor verification before sale. Institutional adoption is no longer theoretical: BlackRock's BUIDL tokenized money market fund surpassed $1 billion in assets in early 2025 and peaked near $2.9 billion by mid-2025, all of it gated by on-chain identity controls.

"Authorised crypto-asset service providers should actively manage the migration of existing clients, with wind-down plans that are operational, credible, and immediately executable in accordance with all relevant EU conduct, prudential, and AML/CFT obligations."

- European Securities and Markets Authority, Statement on the end of transitional periods under MiCA, 17 April 2026

How does ONINO implement the full pipeline?

Off-chain, the platform runs individual KYC and a custom KYB flow for institutional investors with per-UBO verification through time-limited links. Webhook synchronisation is signed, envelope-encrypted PII sits behind a managed key service, and verification levels are configurable for jurisdictions that require video identification.

On-chain, the ONINO platform deploys the full ERC-3643 (T-REX) stack per asset: ONCHAINID contracts, signed KYC claims from a trusted issuer identity, and Identity Registry registration with country codes for jurisdictional enforcement. The issuance pipeline checks eligibility, deploys or retrieves identity contracts, signs claims, and constructs the batch mint transaction before the issuer signs anything. White-label deployment lets multiple issuers run independent compliance configurations on shared infrastructure, which matters for banks and asset managers running parallel offerings.

What this means for issuers

Treat the KYC architecture like a checkout flow that also has to pass a regulatory audit. Measure drop-off at every step. Build a reusable identity layer, not a per-offering checklist. And accept that compliance enforcement at the protocol level is no longer optional for regulated tokens — it is the asset's most valuable property.

Ready to map this to your offering? Book a demo or read our companion piece on tokenized infrastructure for private markets.
