
Service: Regulatory Compliance Engine

The Regulatory Compliance Engine serves as the full-stack, regulated infrastructure layer for the RWA platform, turning the complexity of financial compliance into a seamless, automated, and invisible process. It addresses the fundamental challenges of tokenizing securities (licensing hurdles, stringent investor verification, fragmented data, asset-level legal wrappers, and enforcing on-chain rules) by providing end-to-end "Compliance-as-a-Service." It ensures that every asset and investor interaction adheres to relevant securities laws (SEC, FINRA, MiCA, etc.), mitigating risk and building institutional-grade trust.

This engine delivers value through key pillars:

  • Automated Verification: Streamlines and automates KYC/AML, Accreditation (including rigorous 506(c) checks), and suitability assessments, creating reusable "compliance passports" for investors.

  • Embedded Rule Enforcement: Translates complex regulations (investment limits, transfer restrictions, lock-ups, geographic constraints) into actionable rules applied consistently at onboarding, pre-investment, and pre-transfer stages.

  • On-Chain Compliance Enablement: Manages the off-chain data (like allow-lists) necessary for permissioned tokens (e.g., EIP-3643) to enforce rules directly on the blockchain.

  • Auditability & Reporting: Creates immutable, verifiable records of all compliance actions, statuses, and attestations, ready for regulatory scrutiny.

  • Adaptability: Designed to accommodate evolving regulations across different jurisdictions.

Core Technical Components & APIs

This engine integrates deeply across the platform to enforce rules at critical points.

Primary Models:

  • Profile Model: The central record where compliance statuses (KYC, Accreditation, MiFID II category, Sophistication) are stored and managed by this engine.

  • Offer Model: The source of truth for the regulation_type and specific compliance requirements of an offering.

  • Investment Model: The engine acts as a gatekeeper before an Investment can be created or legally confirmed.

  • EVM Contract Model: Used to manage the allow-list of verified evm-wallets for permissioned tokens.

Governing Logic:

Primary APIs:

  • profile-api: Exposed by this engine to allow other services (like Investment Process Management) to request eligibility checks or trigger verification workflows for the profile.

  • offer-api: Called by the engine to retrieve the specific compliance requirements (like regulation_type or required accreditation level) defined for a particular Offer.

  • evm-api: Called by the engine to add or remove investor evm-wallet addresses from the on-chain allow-list managed by the relevant EVM Contract.

  • Consumed APIs: KYC Provider API (Plaid), Accreditation Provider API (North Capital)

The Process Lifecycle & Key Capabilities

The engine enforces compliance throughout the user and asset journey.

Phase 1: Comprehensive Investor Onboarding & Verification

Establishes and maintains the compliance status of each investor Profile.

  • Automated KYC/AML Workflow: Orchestrates instant identity verification using integrated providers, including document checks, liveness detection, and AML/sanctions screening. Manages status updates, retries, and document requests.

  • Multi-Method Accreditation Verification:

    • Manages rigorous verification for Reg D 506(c), including secure document collection (tax returns, CPA letters) and integration with verification providers.

    • Facilitates self-certification via questionnaires for Reg D 506(b) accredited investors.

    • Handles status expirations and triggers renewal workflows.

  • Suitability & Sophistication Assessment: Presents and processes questionnaires to:

    • Determine MiFID II categorization (Retail/Professional) for EU investors.

    • Assess sophistication for non-accredited investors accessing certain offerings (e.g., Reg D 506(b)).

    • Collect necessary data for Reg CF/A+ investment limit calculations (income, net worth).

  • Investment Limit Calculation & Tracking: Automatically calculates and stores applicable investment limits (e.g., per-offering for Reg A T2, rolling 12-month for Reg CF) on the Profile.

  • "Compliance Passport" Management: Stores verified statuses to enable seamless investment in future offerings without redundant checks (where regulations permit).

  • Consent Management: Manages and logs investor consent for data processing (e.g., GDPR) and risk acknowledgments.


Phase 2: Offering Compliance Configuration & Issuer Checks

Ensures the offering itself is set up compliantly.

  • Rule Association: Allows administrators (via the Issuer Portal) to associate specific compliance requirements (regulation type, accreditation needs, geographic restrictions) with each Offer.

  • Issuer "Bad Actor" Checks: Integrates checks (potentially manual or via API) to ensure issuers and their principals are not disqualified under securities regulations before an Offer can be published.


Phase 3: Pre-Investment Eligibility Checks

This phase occurs every time an investor attempts to view or invest in a specific offer.

  • Offer Access Control: Checks if the investor's status permits viewing the specific Offer (e.g., restricting Reg D 506(b) visibility).

  • Investment Limit Enforcement: Blocks Investment creation if the amount exceeds the investor's calculated limit for Reg A T2 or Reg CF.

  • Investment Eligibility Validation: Before an Investment record is created, it performs real-time checks:

    • Confirms kyc_status is approved.

    • Confirms accreditation_status meets the Offer's requirement (Verified, Self-Certified, or not required).

    • Confirms the proposed investment amount is within calculated limits (for Reg A T2, Reg CF).

    • Confirms MiFID II appropriateness checks/warnings are completed if required.

  • Result: Provides a clear "Go / No-Go" decision to the Investment Process Management engine.
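
A sketch of the Phase 3 gate as a fail-closed function, added here as an illustration and not taken from the platform's code. The kyc_status, accreditation_status and regulation_type names come from the text above; the status spellings, the remaining_limit and mifid_check_done fields, and the reason strings are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# All status and regulation_type spellings below are assumptions for this example.
ACCREDITATION_RANK = {"not_required": 0, "self_certified": 1, "verified": 2}
LIMITED = {"reg_a_t2", "reg_cf"}                  # page: limits apply to Reg A T2 and Reg CF
NO_LIMIT_CHECK = {"reg_d_506b", "reg_d_506c"}     # assumed: no limit check in this example


@dataclass(frozen=True)
class Profile:
    kyc_status: str
    accreditation_status: str             # e.g. "verified", "self_certified", "expired"
    remaining_limit: Optional[Decimal]    # hypothetical field; None = never calculated
    mifid_check_done: bool = False


@dataclass(frozen=True)
class Offer:
    regulation_type: str
    required_accreditation: str           # a key of ACCREDITATION_RANK
    requires_mifid_check: bool = False


def check_eligibility(profile: Profile, offer: Offer, amount: Decimal):
    """Return (go, reasons); all checks run so the caller sees every failure."""
    reasons = []
    if profile.kyc_status != "approved":
        reasons.append("kyc_not_approved")
    required = ACCREDITATION_RANK.get(offer.required_accreditation)
    held = ACCREDITATION_RANK.get(profile.accreditation_status, 0)  # expired/unknown rank 0
    if required is None:
        reasons.append("unknown_offer_requirement")   # bad config is a No-Go
    elif held < required:
        reasons.append("accreditation_insufficient")
    if amount <= 0:
        reasons.append("invalid_amount")
    if offer.regulation_type in LIMITED:
        if profile.remaining_limit is None:
            reasons.append("limit_not_calculated")    # missing data is a No-Go
        elif amount > profile.remaining_limit:
            reasons.append("limit_exceeded")
    elif offer.regulation_type not in NO_LIMIT_CHECK:
        reasons.append("unknown_regulation_type")
    if offer.requires_mifid_check and not profile.mifid_check_done:
        reasons.append("mifid_check_incomplete")
    return (not reasons, reasons)
```

Amounts use Decimal so a limit comparison is never decided by float rounding, and an expired or unrecognised accreditation status ranks the same as having none.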


Phase 4: On-Chain Compliance Support

While the smart contract enforces on-chain rules, this engine manages the off-chain data that enables it.

  • Allow-List Management: Maintains the registry of verified EVM wallet addresses that are permitted to hold specific permissioned tokens (like EIP-3643). Updates are pushed via the evm-api.

  • Transfer Restriction Enforcement (Off-Chain Check): Before initiating an on-chain transfer (via the evm-api), verifies:

    • The token is outside its mandatory lock-up period (the smart contract reads or enforces this).

    • Both sender and receiver EVM Wallets are allow-listed for the specific EVM Contract.
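
The off-chain transfer check above, sketched as an added example that is not the platform's own code. The AllowList class, the reason strings and the sample addresses are constructed for illustration; addresses are normalized before comparison so that a mixed-case spelling of an allow-listed wallet is not rejected, and removing a wallet takes effect on the next check.

```python
import re
from datetime import datetime

_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")
ALICE = "0x" + "ab" * 20   # constructed sample addresses, not real wallets
BOB = "0x" + "cd" * 20


def normalize(address: str) -> str:
    """Lower-case canonical form. EIP-55 checksum validation is not done here."""
    address = address.strip()
    if not _ADDR.fullmatch(address):
        raise ValueError("malformed EVM address")
    return address.lower()


class AllowList:
    """Off-chain mirror of one EVM Contract's allow-list (hypothetical class)."""

    def __init__(self, lockup_ends: datetime):
        self.lockup_ends = lockup_ends
        self._wallets = set()

    def add(self, address: str) -> None:
        self._wallets.add(normalize(address))

    def remove(self, address: str) -> None:
        self._wallets.discard(normalize(address))

    def __contains__(self, address: str) -> bool:
        return normalize(address) in self._wallets


def precheck_transfer(allow_list, sender, receiver, now):
    """Return (ok, reasons) for the check made before calling the evm-api."""
    reasons = []
    if now < allow_list.lockup_ends:
        reasons.append("lockup_active")
    for role, addr in (("sender", sender), ("receiver", receiver)):
        try:
            if addr not in allow_list:
                reasons.append(f"{role}_not_allow_listed")
        except ValueError:
            reasons.append(f"{role}_malformed")   # never forward a bad address
    return (not reasons, reasons)
```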


Phase 5: On-Chain Compliance Enablement

Manages the off-chain data that allows smart contracts to enforce rules.

  • Allow-List Synchronization: Securely calls the evm-api to add verified EVM wallet addresses to the appropriate on-chain allow-lists maintained by permissioned token contracts (e.g., EIP-3643). Manages removal if compliance status changes.

Phase 6: Audit & Reporting Support

Maintains records for regulatory purposes.

  • Immutable Logging: Ensures all verification attempts, status changes, attestations, limit calculations, and enforcement decisions are logged securely and immutably.

  • Data Provision for Reporting: Provides access to compliance data needed for generating regulatory filings (e.g., Form C/D reports, investor lists).

Advanced Scenarios & Platform Resilience

  • Status Expiration Handling: The engine includes logic to automatically transition Accreditation Status to EXPIRED and trigger notifications for renewal.

  • Webhook Processing & Error Handling: Reliably processes asynchronous updates from third-party verification providers, with mechanisms to handle failures or delays.

  • Manual Overrides & Auditing: Provides secure mechanisms (likely via the Issuer Portal) for authorized personnel to review and potentially override compliance statuses, with all such actions meticulously logged.

  • Handling Evolving Regulations: The rules engine is designed modularly to allow for updates and additions as securities laws change across jurisdictions.

  • Cross-Border Complexity: Includes logic to apply the correct set of compliance checks based on investor residency and offering jurisdiction.

  • Provider Integration Robustness: Manages API interactions with multiple third-party verification providers, including handling errors, retries, and asynchronous webhook responses.

Associated End-to-End Workflows