TSM Compliance Roadmap

A six-step playbook for launching a tokenized physical-metal issuance under real-world rules. Pick jurisdiction, vault & custodian, licence, KYC/AML controls, token issuance, ongoing reporting. Every step links to the primary regulator page on the Hub Compliance Atlas. Informational only — never legal advice.

10 jurisdictions covered · 6 steps + checklists · Primary-source links only · No legal advice
Read this first. The TSM Compliance Roadmap is a reference index of public rules and regulator pages — not a legal opinion, not advice on whether a specific structure fits a specific project, and never a substitute for qualified counsel in the jurisdiction of issuance. Rules change. Always verify against the primary regulator page (linked in every step). If a step references a licence, treat the regulator's own published guidance as canonical, not anything written here.
Step 1: Pick your jurisdiction of issuance

Where will the issuer entity sit?
⏱ Decision: 2–4 weeks 💰 Legal scoping: $20–80k
Checklist — what to do in Step 1
  1. Map your token claim type — is the holder owed title, a delivery right, an investment contract, or a cash-settled exposure? Different claims → different licences.
  2. List the candidate jurisdictions by your investor base (retail vs accredited vs institutional only). Retail to EU → MiCA almost certainly applies.
  3. Pull primary regulator framework documents: SFC Licensing Handbook, MAS CMS, ESMA MiCA, VARA rulebooks, FINMA fintech licence.
  4. Check tax residency consequences for the issuer entity (corporate, withholding, VAT/GST on physical delivery, redemption events).
  5. Confirm marketing reach: can the chosen jurisdiction lawfully solicit your target investor segment, or do you need a separate distribution entity?
  6. Engage qualified local counsel in the top two candidate jurisdictions before incorporating anything. Save written memos — regulators will ask later.
Common pitfall: picking a "crypto-friendly" jurisdiction (BVI, Cayman) for the issuer, then realising your retail distribution actually triggers EU MiCA, MAS PSA or US securities laws anyway. Jurisdiction-shopping does not remove obligations toward the customer's home regulator.

Each jurisdiction has a different posture toward tokenized commodities — from explicit framework (Liechtenstein TVTG, EU MiCA, Dubai VARA) to enforcement-driven (US SEC/CFTC) to case-by-case (Singapore MAS, Hong Kong SFC). The choice cascades into licence type, KYC tier, marketing rules, vault location and tax treatment.

Use the Hub Compliance Atlas for the side-by-side view: 10 jurisdictions × 6 columns (regulator, framework, licence types, KYC tier, sanctions sources, primary pages).

Step 2: Choose your vault and custodian

Where does the physical metal live, audited by whom?
⏱ Vault onboarding: 4–12 weeks 💰 Storage + audit: ~50–150 bps p.a.
Checklist — what to do in Step 2
  1. Decide segregated vs allocated vs unallocated holding. Tokenized claims should normally be allocated & segregated — pooled/unallocated re-introduces counterparty risk.
  2. Pick at least one vault from the LBMA / COMEX / LME approved lists. For precious: Brink's, Loomis, Malca-Amit, JPMorgan, HSBC. For base: LME-listed warehouses.
  3. Negotiate the vault service agreement: third-party assayer access, monthly attestation, list of bars/serials on demand, insurance proof, force-majeure clauses.
  4. Verify the vault's own licensing — many jurisdictions license vault operators separately (UK FCA AMLR, Swiss Banking Act, HK Money Lenders).
  5. Pick an independent auditor for proof-of-reserve. LBMA Good Delivery verification + a Big-4 attestation is the market norm.
  6. For sourcing: align with LBMA Responsible Gold Guidance, RJC CoC, OECD DDG.
Common pitfall: contracting the vault and the issuer with the same parent group. Regulators dislike circular custody — independent vault operator + independent auditor = harder to game.

A tokenized metal claim is only as honest as the vault behind it. Independent audit reports must be public; the vault operator must be regulated and must accept third-party assayer access. For precious metals: LBMA Good Delivery vaults (Brink's, Loomis, Malca-Amit, JPMorgan, HSBC) or COMEX-eligible vaults. For base metals: LME-listed warehouses.

Step 3: Select the licence track

What does the regulator call your token?
⏱ Licence app → grant: 6–18 months 💰 Licence + capital reqs: $100k–$5M+
Checklist — what to do in Step 3
  1. Map claim type → licence bucket (security / asset-referenced / commodity / e-money / utility). When in doubt, regulator discretionary review letters (HK SFC, MAS) settle classification.
  2. Pre-file consultation: most regulators offer informal pre-filing meetings — SFC, MAS, FINMA, VARA, FCA Innovation Hub.
  3. Prepare the regulatory pack: business plan, governance org-chart, fit-&-proper for directors, AML programme, IT & cyber policy, ICAAP/capital plan, exit/wind-down plan.
  4. For MiCA ART: draft the crypto-asset white-paper per Article 19; reserve assets & redemption plan per Article 36; recovery plan per Article 46.
  5. Minimum own funds: VARA Cat 1 ≥ AED 500k, Cat 2 ≥ AED 1.5M; MiCA ART ≥ €350k or 2% of reserve average; SFC Type 7 ≥ HKD 5M; MAS DPT ≥ SGD 250k.
  6. Budget for ongoing supervision fees + annual fit-&-proper renewals + quarterly returns.
Common pitfall: assuming the white-paper / prospectus is a marketing brochure. It is a regulatory disclosure document — material omissions create personal liability for directors in most frameworks.

Most metal-backed tokens fall into one of three regulatory buckets: security token (claim on physical = investment contract), asset-referenced / commodity-backed token (MiCA ART, VARA category 2), or e-money / payment token (rare for metals — only if pegged to fiat). The licence required depends entirely on the bucket × jurisdiction.

Jurisdiction | Most common licence track | Primary regulator page
🇭🇰 Hong Kong | SFC Type 1 (dealing) + Type 7 (ATS) for STO | SFC Licensing Handbook
🇸🇬 Singapore | MAS CMS licence (SFA) + DPT exemption under PSA | MAS Capital Markets
🇦🇪 Dubai | VARA VASP — Category 2 (asset-referenced) | VARA
🇨🇭 Switzerland | FINMA fintech / banking licence — depends on claim structure | FINMA Fintech
🇪🇺 EU | MiCA ART (Asset-Referenced Token) issuer authorisation | ESMA MiCA
🇬🇧 UK | FCA cryptoasset registration + securities prospectus if applicable | FCA Cryptoassets
🇺🇸 US | SEC Reg D / Reg S / Reg A+ exemption + FinCEN MSB if transfer agent | SEC Corp Fin
🇯🇵 Japan | JFSA Type 1 Financial Instruments Business (Security Token) | JFSA
🇱🇮 Liechtenstein | TVTG Token Container Model — token-issuer registration | FMA Liechtenstein
🇰🇾 Cayman | CIMA VASP registration (issuance) | CIMA
Step 4: Implement KYC, AML and sanctions controls

FATF, OFAC, EU, UK OFSI, UN — all of them
⏱ KYC build: 8–16 weeks 💰 Vendors + ops: $50–500k p.a.
Checklist — what to do in Step 4
  1. Implement risk-based CDD tiers — at minimum: simplified (low risk), standard, enhanced (PEP / high-risk jurisdiction / over threshold).
  2. Integrate sanctions screening against OFAC SDN, EU consolidated, UK OFSI, UN SC consolidated, OFAC 50% Rule chains, local lists (HK Section 25A, JFSA SDN equivalent).
  3. Build the FATF Travel Rule pipe: IVMS-101 messaging + VASP-to-VASP discovery. Plug into a Travel Rule provider (Sumsub, Notabene, TRP, OpenVASP).
  4. Beneficial-ownership: collect UBO at 25% threshold (lower in some EU regimes), corroborate with public registries (UK Companies House, EU BORIS, FinCEN BOI).
  5. Transaction monitoring rules: structuring, round-tripping, sanctions-list address screening (on-chain via Chainalysis/TRM/Elliptic), velocity, geographic anomalies.
  6. Suspicious-activity reporting workflow: SAR to FinCEN, STR to JFIU/MAS STRO/FCA NCA/AUSTRAC. Filing deadline typically 30 days from suspicion crystallisation.
  7. Annual independent AML audit + board reporting cadence (quarterly minimum for licensed entities).
Common pitfall: outsourcing KYC to a vendor and assuming responsibility transfers. It does not. The licensed entity remains accountable for every false positive cleared and every alert dismissed.

Every regulated jurisdiction expects: customer due diligence (CDD / KYC), enhanced due diligence (EDD) for high-risk customers, ongoing transaction monitoring, suspicious-activity reporting (SAR / STR), FATF Travel Rule for VASP-to-VASP transfers above the threshold, and real-time sanctions screening against the consolidated lists.

  • Sanctions feeds (live): OFAC SDN, EU CFSP, UK OFSI, UN Security Council. TSM mirrors metals-relevant entries daily — see Hub /ecosystem/sanctions/.
  • AML & FATF directory: /ecosystem/aml-fatf/ — Travel Rule, beneficial-ownership registries, FATF mutual evaluations.
  • KYC tiers by jurisdiction: tier table on Hub Compliance Atlas.
  • NGO & civil-society watchdogs: /ecosystem/ngo-watchdogs/ — Global Witness, Swissaid, Transparency International for cross-checks on supply-chain provenance.
Step 5: Issue the token

Smart contract, allowlist, redemption mechanics
⏱ Smart-contract audit: 4–8 weeks 💰 Audit + ops: $50–300k
Checklist — what to do in Step 5
  1. Pick a permissioned token standard. For metals, ERC-3643 (on-chain whitelist + identity registry) or ERC-1400 (partition + transfer hooks) are the industry defaults. Plain ERC-20 is rarely compatible with KYC obligations.
  2. Required transfer controls: allowlist enforcement, freeze/seize for sanctions hits, jurisdictional restrictions, accredited-investor gating where required.
  3. Redemption mechanics: ratio (1:1 fine ounces / fine grams / metric tons), redemption fee, minimum redemption denomination, KYC re-verification, logistics partner.
  4. Smart-contract audit by ≥ 2 independent firms (e.g. Trail of Bits, OpenZeppelin, Halborn, Quantstamp). Publish reports.
  5. Proof-of-reserve binding: on-chain attestation contract that publishes vault statements (Chainlink PoR, custom oracle, signed PSE). The total token supply must always be ≤ on-chain attested reserves.
  6. Reference live patterns: PAXG (Paxos, NYDFS), XAUT (Tether Gold), KAU/KAG (Kinesis, IoM FSA), CACHE Gold (HK).
  7. Publish the issuance terms, white-paper / prospectus, audit reports and proof-of-reserve on a permanent, primary-source URL (own domain or IPFS).
Common pitfall: shipping the smart contract before counsel reviews the transfer-restriction logic. A single missing modifier (e.g. no onlyAllowlisted on transferFrom) can void the entire compliance posture.

Once licence and KYC infrastructure are in place, the token itself needs an issuance design that the regulator can map back to the underlying claim. Live precious-metal tokens worth studying as patterns: PAXG (Paxos, NYDFS), XAUT (Tether Gold, Cayman / Swiss), KAU/KAG (Kinesis, Isle of Man), CACHE Gold (HK). The smart contract must support allowlist enforcement, freeze / seize for sanctions hits, and a verifiable 1:1 link to vault inventory.
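
The transfer controls and the proof-of-reserve binding from the Step 5 checklist, as an added example (not code from TSM or from any token named on this page). It is an off-chain Python reference model of the kind used as a test oracle for the real contract; the class and method names, the rule that the transferFrom operator must also be allowlisted, and the 1 token = 1 fine gram ratio are assumptions, and role-based access control on mint and freeze is omitted.

```python
class ComplianceError(Exception):
    """A transfer, mint or approval violated a compliance control."""


class PermissionedMetalToken:
    """Off-chain model; 1 token unit = 1 fine gram (assumed ratio)."""

    def __init__(self):
        self.allowlist, self.frozen = set(), set()
        self.balances, self.allowances = {}, {}
        self.total_supply = 0
        self.attested_reserve = 0  # grams in the latest vault attestation

    def _require_clear(self, *addresses):
        for addr in addresses:
            if addr not in self.allowlist:
                raise ComplianceError(f"{addr} is not allowlisted")
            if addr in self.frozen:
                raise ComplianceError(f"{addr} is frozen")

    def _move(self, operator, src, dst, amount):
        # Single choke point: transfer and transfer_from both pass through
        # here, so neither path can skip the allowlist/freeze check.
        self._require_clear(operator, src, dst)
        if amount <= 0 or self.balances.get(src, 0) < amount:
            raise ComplianceError("invalid amount or insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer(self, sender, dst, amount):
        self._move(sender, sender, dst, amount)

    def transfer_from(self, spender, owner, dst, amount):
        if self.allowances.get((owner, spender), 0) < amount:
            raise ComplianceError("allowance exceeded")
        self._move(spender, owner, dst, amount)
        self.allowances[(owner, spender)] -= amount

    def approve(self, owner, spender, amount):
        self._require_clear(owner)
        self.allowances[(owner, spender)] = amount

    def mint(self, dst, amount):
        # Proof-of-reserve binding: supply may never exceed attested reserves.
        self._require_clear(dst)
        if amount <= 0 or self.total_supply + amount > self.attested_reserve:
            raise ComplianceError("mint would exceed attested reserves")
        self.total_supply += amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
```

Running the same scenarios against the deployed contract and against this model shows whether the delegated-transfer path enforces the same checks as the direct one.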

Step 6: Ongoing reporting and audit cadence

Vault attestations, regulator returns, sanctions re-screens
⏱ Ongoing — never ends 💰 ~150–400 bps p.a. total opex
Checklist — what to do in Step 6
  1. Vault attestations: monthly minimum, weekly preferred. Publish to permanent URL with sequential signed PDF + on-chain hash.
  2. Annual independent audit (Big-4 or equivalent) of: reserves, AML programme, IT/cyber controls, customer complaints, white-paper still-accurate test.
  3. Regulator returns: monthly transaction reports (MAS, FinCEN), quarterly own-funds + capital adequacy (MiCA, VARA), annual financial statements with auditor opinion.
  4. Sanctions re-screening: daily diff against updated lists. Maintain audit trail of every clear/escalate decision for ≥ 5 years (7+ in some regimes).
  5. White-paper / prospectus material-change updates: MiCA Art. 12 requires update within strict window for any material change; SEC requires Form 8-K-equivalent for material info.
  6. Customer-facing primary-source mirror: live dashboard of reserves, sanctions delta, vault attestations, audit history. Investors should never have to ask.
  7. Wind-down: keep the recovery / resolution plan refreshed. Test it. Regulators increasingly request live-fire drills.
  8. Watch the carbon & ESG layer — EU CSRD / ESRS, ISSB IFRS S1/S2, LBMA RGG all extending into 2026+.
Common pitfall: letting attestations lag during a market-stress week — exactly when investors check most. Treat reserve attestations as customer-facing infrastructure, not back-office paperwork.

Issuance is not a one-time event. Most frameworks require: monthly or weekly vault attestations (proof of reserves), annual independent audit, periodic regulator returns (suspicious-activity, beneficial-ownership refresh), and continuous sanctions re-screening of the customer base whenever a list updates. MiCA additionally requires white-paper updates within strict windows for material changes.
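
A check an investor or auditor could run over the published attestation series, as an added example (not TSM's or any issuer's code). It assumes each attestation is published as (sequence number, date, PDF bytes) and that the on-chain record maps sequence number to the PDF's SHA-256; the sample data is constructed, the 31-day default stands in for the "monthly minimum" cadence, and signature verification of the PDFs is out of scope.

```python
import hashlib
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_attestations(published, anchored, today, max_gap_days=31):
    """Return a list of (seq, finding); an empty list means the series is clean."""
    findings = []
    prev_seq = prev_day = None
    for seq, day, pdf in sorted(published, key=lambda rec: rec[0]):
        if seq not in anchored:
            findings.append((seq, "no on-chain hash"))
        elif anchored[seq] != sha256_hex(pdf):
            findings.append((seq, "hash mismatch"))
        if prev_seq is not None:
            if seq != prev_seq + 1:
                findings.append((seq, "sequence gap"))
            if (day - prev_day).days > max_gap_days:
                findings.append((seq, "cadence breach"))
        prev_seq, prev_day = seq, day
    # Lagging attestations are a finding in their own right.
    if prev_day is None or (today - prev_day).days > max_gap_days:
        findings.append((prev_seq, "latest attestation stale"))
    published_seqs = {seq for seq, _, _ in published}
    for seq in sorted(set(anchored) - published_seqs):
        findings.append((seq, "anchored but not published"))
    return findings


# Constructed sample data, not real attestations.
ORIGINALS = {
    1: b"attestation 1: 1000 g allocated",
    2: b"attestation 2: 1000 g allocated",
    4: b"attestation 4: 1200 g allocated",
}
ANCHORED = {seq: sha256_hex(pdf) for seq, pdf in ORIGINALS.items()}
PUBLISHED = [
    (1, date(2025, 1, 31), ORIGINALS[1]),
    (2, date(2025, 2, 28), b"attestation 2: 1500 g allocated"),  # altered later
    (4, date(2025, 4, 30), ORIGINALS[4]),  # report 3 was never published
]

if __name__ == "__main__":
    for finding in verify_attestations(PUBLISHED, ANCHORED, date(2025, 5, 15)):
        print(finding)
```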


Need the side-by-side regulator view?

The Roadmap walks you through six steps. The Hub Compliance Atlas shows all 10 jurisdictions in one table — regulator, framework, licence types, KYC tier, sanctions sources, primary pages.


Live sanctions screening?

The Sanctions dashboard mirrors OFAC, EU, UK OFSI and UN consolidated lists daily, filtered for metals relevance. Updated automatically — no judgment, just a primary-source mirror.

Partner intake

Building a tokenized metal? Tell us about the project.

If you are an issuer, vault, custodian, exchange, regulator-watcher, or legal team working on a tokenized physical-metal product and you want TSM to know about your roadmap, leave a signal here. We respond in plain language with primary-source pointers, never legal advice.

Not a formal KYC. This form is an informational signal of interest only. TSM is a public reference index. We do not provide legal advice, do not certify projects, do not act as gatekeeper to any regulator. Nothing submitted here creates an attorney-client relationship or a partnership.

Submissions are processed via Formspree (US, SOC 2 Type II, GDPR). Encrypted in transit, stored in the EU. We respond from info@truesourcemetals.com. See /privacy for details.

How the Roadmap stays honest

  1. Primary sources only. Every licence, framework and sanctions list links to the regulator's own page. TSM does not reinterpret, summarise authoritatively or compete with the primary source. If our page disagrees with the regulator, the regulator wins.
  2. Informational, never advisory. The Roadmap is a reference index. It is not legal advice, not regulatory advice, not investment advice. Treat every step as a starting point for conversation with qualified counsel in your jurisdiction of issuance.
  3. No regime promotion. TSM does not rank jurisdictions or call any one "best". Every regime listed here is presented neutrally with its own primary page. Forum-shopping decisions belong to issuers and their counsel — not to a public reference site.
  4. Plain language. Regulator pages are often dense. The Roadmap explains the structure in plain English. Where we paraphrase, the regulator's exact wording is one click away on every step.
  5. Drift watch. Rules change. TSM operates a quarterly regulator-watch process (see /sources). When a primary page changes meaningfully, the Roadmap step is updated and dated.
  6. No legal advice. Repeating the disclaimer at the top of this page because it is the single most important sentence here.

See also

Compliance never sits alone. The Roadmap above is the legal scaffolding; the links below are the asset, the math, and the directory it sits on.

Underlying tokenized metals (Hub)

Step 2 (Asset Structuring) requires knowing how the underlying is priced and warehoused. Each metal page links to primary exchange data.

Pricing & logistics math (Hub calculators)

Steps 5 and 6 (Pricing & Disclosure, Lifecycle) need transparent math. These calculators show every formula — auditable, no black box.

Reference layers

Roadmap steps cite glossary terms, sources, and primary registries. Hover any unfamiliar term elsewhere on the site — it likely has a definition.