7.1 Compliance Infrastructure and Issuance Pathways

What you'll learn

What four US exemption pathways allow security token offerings without full SEC registration, why compliance costs of $100,000 to $2 million are cheaper than Telegram's $1.22 billion lesson, and how ERC-3643 enforces investor eligibility inside the token itself.

In 2018, tZERO raised $134 million through a security token offering filed with the SEC under Regulation D and Regulation S 1. The sale was restricted to accredited investors in the US and qualified international buyers. Every participant passed KYC verification. The token included a mandatory lock-up period before secondary trading could begin. The process took months. tZERO is still operating today, with an SEC-registered Alternative Trading System, a broker-dealer license, and a special purpose broker-dealer designation allowing custody of digital securities 2.

Around the same time, dozens of ICOs raised similar amounts with no registration, no investor verification, and no compliance infrastructure. Most no longer exist. Several triggered SEC enforcement actions. Telegram returned $1.22 billion to investors after the SEC blocked its GRAM token sale 3. Kik paid $5 million in penalties for its unregistered KIN offering 4.

The difference between these outcomes wasn't the technology or the vision. It was the legal infrastructure underneath. This section covers what that infrastructure looks like, what it costs, and what trade-offs it creates for projects that choose to operate inside the regulatory framework.

Building on the Classification Question

Section 6.4 covered how regulators determine whether a token is a security: the Howey Test, enforcement case studies (Telegram, Kik, Ripple, Ethereum, BNB), and the practical checklist for classification. That section answered the threshold question: is your token a security?

This section starts where that analysis ends. The classification question is settled: your token is a security. Now what?

The answer involves choosing an exemption pathway, building compliance infrastructure, and accepting the costs that come with operating inside the regulatory framework. These costs are real. But as the contrast between tZERO and the ICO graveyard shows, they're often cheaper than the alternative.

US Exemption Pathways

Once a token qualifies as a security, issuers face a choice: full SEC registration (expensive, slow, and rarely used for tokens) or an exemption. Four exemptions matter for security token offerings 5.

Regulation D (Rule 506b and Rule 506c)

Regulation D is the most common path for security token offerings. It comes in two flavors.

Rule 506(b) allows issuers to raise unlimited amounts from accredited investors without registering with the SEC 6. The catch: no general solicitation. You cannot publicly advertise the offering. You can't post about it on Twitter or run a marketing campaign. You can only reach investors through pre-existing relationships or private networks. Issuers can include up to 35 non-accredited investors, but doing so triggers additional disclosure requirements that most projects prefer to avoid.

Rule 506(c) also allows unlimited fundraising from accredited investors, but with one key difference: general solicitation is allowed 7. You can advertise openly. The trade-off is stricter verification. Every investor must provide third-party proof of accredited status, not just self-certification. This means documented evidence of $200,000+ annual income (or $300,000 joint), or $1 million+ net worth excluding primary residence.

Both 506(b) and 506(c) require a Form D filing with the SEC within 15 days of the first sale. Neither requires SEC review or qualification before selling. This makes Reg D the fastest and cheapest path for most security token offerings.

tZERO used Reg D for its $134 million raise in 2018 1. The offering combined Reg D for US accredited investors with Reg S for international buyers, a common pairing that maximizes the investor pool while staying within compliance boundaries.

Regulation A+ (Tier 1 and Tier 2)

Regulation A+ is sometimes called the "mini-IPO" because it allows non-accredited investors to participate 8. This is the broadest access path, but it's also the slowest and most expensive.

Tier 1 permits raises up to $20 million over 12 months. Offerings require state-level review and qualification in each state where securities are sold. This adds complexity and cost.

Tier 2 permits raises up to $75 million over 12 months. No state-level review is required, but issuers must provide audited financial statements and file ongoing semi-annual and annual reports with the SEC. Non-accredited investors face limits: they cannot invest more than 10% of the greater of their annual income or net worth.

The SEC qualification process for Reg A+ typically takes 6 to 12 months and costs $500,000 to $2 million in legal and accounting fees. INX Limited used Reg A+ for what became the first SEC-registered security token IPO, raising approximately $84 million from over 7,200 institutional and retail investors 9. The process took over two years from INX's initial confidential filing in July 2018 to its launch in August 2020.

Regulation S (Offshore Offerings)

Regulation S provides an exemption for offers and sales made entirely outside the United States 10. No SEC registration or qualification is needed. The two core requirements are simple: the transaction must occur offshore, and the issuer cannot make directed selling efforts within the US.

Most security token offerings combine Reg S with Reg D. US accredited investors buy under Reg D. Non-US investors buy under Reg S. This dual structure maximizes reach while keeping each group within its proper regulatory lane.

The risk with Reg S is jurisdictional creep. If US investors participate despite Reg S restrictions, the SEC can still claim jurisdiction. Moving an offering offshore doesn't eliminate US regulatory risk if American buyers find their way in.

Regulation Crowdfunding (Reg CF)

Regulation CF allows raises up to $5 million per year from both accredited and non-accredited investors 11. All transactions must go through an SEC-registered funding portal or broker-dealer. Individual investment limits apply based on income and net worth.

Reg CF has the lowest barrier to entry but the smallest cap. The average successful Reg CF offering raises approximately $346,000, well below the $5 million limit 11. Securities purchased through Reg CF generally cannot be resold for one year.

For smaller token projects testing market demand before scaling, Reg CF offers a compliant entry point. For larger raises, it's too restrictive.

Comparing the Pathways

| Feature | Reg D (506b/506c) | Reg A+ (Tier 2) | Reg S | Reg CF |
|---|---|---|---|---|
| Max Raise | No cap | $75M | No cap | $5M |
| Investor Type | Accredited only | All investors | Non-US only | All investors |
| SEC Filing | Form D (15 days) | SEC qualification | None | Form C |
| Timeline | 2-4 weeks | 6-12 months | 2-4 weeks | 4-8 weeks |
| Estimated Cost | $100K-500K | $500K-2M | $100K-300K | $50K-150K |
| Ongoing Obligations | Minimal | Semi-annual/annual reporting | Minimal | Annual reporting |
| General Solicitation | 506c only | Yes | N/A | Yes (via portal) |

Most security token offerings use Reg D because it's fast, has no cap, and doesn't require SEC pre-approval. Projects that want retail participation pay the Reg A+ premium in time and cost. Reg S expands reach internationally. Reg CF serves smaller projects.

Compliance Infrastructure

Choosing an exemption pathway is just the first step. Security tokens require compliance infrastructure that utility tokens and standard ERC-20 tokens don't need. This infrastructure operates at three levels: investor verification, transfer restrictions, and regulated intermediaries.

KYC/AML Requirements

Every security token buyer must pass Know Your Customer (KYC) and Anti-Money Laundering (AML) checks. This means identity verification, source-of-funds documentation, and sanctions screening against OFAC and other watchlists.

For utility tokens, anyone with a wallet can buy. For security tokens, only verified individuals in approved jurisdictions can hold them. This applies at issuance and at every secondary market transfer. If Alice sells her security tokens to Bob, Bob needs to be verified before he can receive them. The smart contract enforces this at the protocol level.

Compliance platforms like Securitize 12, Tokeny 13, and Polymath 14 automate this process. They integrate identity verification services, maintain investor registries, and update whitelist databases that smart contracts reference during transfers.

Transfer Restrictions

Security tokens cannot trade freely like ERC-20 tokens on Uniswap. Several restrictions apply:

Smart contract whitelisting. Only wallets that have passed KYC/AML verification can receive security tokens. The token's smart contract checks a whitelist before executing any transfer. If the receiving wallet isn't approved, the transaction fails.

Lock-up periods. Reg D tokens typically face a holding period before resale under SEC Rule 144 15. For securities of reporting companies, the minimum holding period is six months. For non-reporting issuers, it's twelve months. tZERO's tokens had a 90-day lock-up after distribution, with broader trading beginning in January 2019, months after the October 2018 issuance 1.

Accreditation re-verification. Secondary buyers under Reg D must also be accredited investors. The compliance system must verify new buyers at each transfer, not just at initial issuance.

Jurisdictional restrictions. Tokens sold under Reg S to non-US investors cannot flow back to US wallets without proper exemptions. Smart contracts can encode geographic restrictions based on the investor's verified jurisdiction.

These restrictions are built into the token's smart contract, not just written in legal documents. Two token standards have emerged specifically for this purpose: ERC-1400 16 and ERC-3643 17.

ERC-1400, proposed by Polymath in 2018, bundles four sub-standards (ERC-1410, ERC-1594, ERC-1643, and ERC-1644) into a framework for compliant security tokens on Ethereum. It handles partition-based token transfers, document management, and controller operations for forced transfers when legally required 16.

ERC-3643, also known as the T-REX (Token for Regulated Exchanges) standard, achieved Final status as an Ethereum Improvement Proposal in December 2023, the first compliance-focused token standard to reach this milestone 17. Developed by Tokeny Solutions, ERC-3643 has been used to tokenize over $28 billion in assets across hundreds of projects 18. It integrates on-chain identity verification directly into the transfer process, checking an identity registry before every transaction.

When any of these checks fails, the transfer reverts automatically and atomically. There's no manual override step. The issuer configures the rules; the contract enforces them on every single transfer.
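The transfer restrictions described in this section (whitelist, jurisdiction, accreditation, lock-up) can be modelled off-chain to show how they gate a transfer and why a failed check leaves balances unchanged. This is an added Python sketch, not code from this page or from the ERC-3643 reference contracts; the class names, the rule set (US receivers must be accredited, country "XX" is blocked), the wallet labels and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass, field


class TransferReverted(Exception):
    """A compliance check failed; no balance was changed."""


@dataclass
class Identity:
    kyc_passed: bool
    accredited: bool
    country: str  # jurisdiction from the verified identity, e.g. "US"


@dataclass
class Token:
    lockup_ends: int  # time after which holders may resell
    blocked_countries: set = field(default_factory=set)
    accredited_only: set = field(default_factory=lambda: {"US"})
    registry: dict = field(default_factory=dict)  # wallet -> Identity
    balances: dict = field(default_factory=dict)  # wallet -> amount

    def check_transfer(self, sender, receiver, amount, now):
        """Return None if allowed, otherwise the rule that failed."""
        ident = self.registry.get(receiver)
        if ident is None or not ident.kyc_passed:
            return "receiver not verified"
        if ident.country in self.blocked_countries:
            return "receiver jurisdiction blocked"
        if ident.country in self.accredited_only and not ident.accredited:
            return "receiver not accredited"
        if now < self.lockup_ends:
            return "lock-up period active"
        if self.balances.get(sender, 0) < amount:
            return "insufficient balance"
        return None

    def transfer(self, sender, receiver, amount, now):
        # Checks run before any state change, so a failure changes nothing.
        reason = self.check_transfer(sender, receiver, amount, now)
        if reason is not None:
            raise TransferReverted(reason)
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount


def demo():
    """Run constructed transfers; return (outcomes, final balances)."""
    token = Token(lockup_ends=1_000, blocked_countries={"XX"})
    token.registry = {  # constructed wallets, not real investors
        "alice": Identity(True, True, "US"),
        "bob": Identity(True, False, "US"),    # verified, not accredited
        "carol": Identity(True, False, "DE"),  # non-US buyer
        "dave": Identity(True, True, "XX"),    # blocked jurisdiction
    }
    token.balances = {"alice": 100}
    attempts = [("mallory", 2_000), ("bob", 2_000), ("dave", 2_000),
                ("carol", 500), ("carol", 2_000)]
    outcomes = []
    for receiver, now in attempts:
        try:
            token.transfer("alice", receiver, 10, now)
            outcomes.append("ok")
        except TransferReverted as exc:
            outcomes.append(str(exc))
    return outcomes, token.balances


if __name__ == "__main__":
    print(demo())
```

Only the last attempt succeeds: the receiver is in the registry, is in a permitted jurisdiction, needs no accreditation under the constructed rules, and the lock-up has ended.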

Transfer Agents and Broker-Dealers

US securities law requires specific licensed intermediaries to facilitate security token operations.

Transfer agents maintain the official record of who owns a security. The SEC requires registration under Section 17A of the Securities Exchange Act 19. For traditional stocks, companies like Computershare and EQ handle this. For security tokens, the transfer agent must reconcile blockchain records with regulatory requirements.

Securitize became one of the first SEC-registered transfer agents to operate on blockchain infrastructure 20. Its protocol maintains the official shareholder registry on-chain while meeting the SEC's recordkeeping and reporting requirements.

Broker-dealers are required for any platform facilitating the buying and selling of securities. Both the SEC and FINRA regulate broker-dealers 21. Operating a security token marketplace without broker-dealer registration is illegal, regardless of whether the marketplace runs on blockchain.

Alternative Trading Systems (ATS) are a specific category of broker-dealer that operates a marketplace but doesn't self-regulate like a traditional exchange. tZERO operates an SEC-registered ATS for digital securities 2. In 2024, tZERO also obtained a special purpose broker-dealer designation, making it one of only two US firms licensed to custody tokenized securities directly 22.

Compliance Platforms

Four platforms handle different parts of the security token compliance stack:

| Capability | Securitize | tZERO | Polymath | Tokeny |
|---|---|---|---|---|
| Issuance | Yes | No | Yes | Yes |
| KYC / AML | Yes | Yes (trading) | Yes (chain-level) | Yes |
| SEC Transfer Agent | Yes (registered) | No | No | No |
| Broker-Dealer / ATS | Yes (ATS) | Yes (ATS + special purpose BD) | No | No |
| Token Standard | ERC-3643 compatible | Proprietary | ERC-1400 / Polymesh native | ERC-3643 (T-REX architect) |
| Blockchain | Ethereum + 9 networks | Ethereum | Ethereum + Polymesh | Ethereum + EVM chains |
| Jurisdiction Focus | US | US | Global | Europe (MiCA) |
| Notable | BlackRock BUIDL ($2.4B AUM) | First SEC-registered digital securities ATS | Purpose-built permissioned chain | $28B+ in assets tokenized |

Securitize offers the most comprehensive end-to-end solution: issuance, KYC/AML, transfer agent services, broker-dealer operations, and secondary market trading through its ATS 12. Securitize powers BlackRock's BUIDL fund, a tokenized US Treasury money market fund that launched in March 2024 on Ethereum and surpassed $1 billion in assets under management by early 2025 23 24. The fund has since expanded to nine blockchain networks and held over $2.4 billion in AUM by early 2026. Securitize filed to go public in late 2025 through a SPAC deal valuing the business at $1.25 billion 25.

tZERO focuses on the exchange side, operating an SEC-registered ATS for secondary trading of digital securities 26. It holds broker-dealer, ATS, and special purpose broker-dealer registrations. Section 7.3 covers tZERO's full history and current operations.

Polymath took a protocol-first approach. After developing ERC-1400 on Ethereum, Polymath built Polymesh, a purpose-built permissioned blockchain designed specifically for regulated securities 14. Polymesh handles identity, compliance, confidentiality, and settlement at the chain level, rather than relying on smart contract layers built on top of general-purpose blockchains.

Tokeny focuses on European regulatory compliance through the ERC-3643 standard and its T-REX protocol 13. As the architects of the first compliance-focused token standard to achieve Final EIP status, Tokeny provides tools for creating and managing permissioned tokens that meet EU requirements, including MiCA compliance 18.

Each platform addresses different parts of the stack. Some issuers use multiple platforms, combining Securitize for issuance and transfer agent services with tZERO for secondary trading, for example.

The Compliance Tax

Security token compliance costs real money. Anyone considering this path should understand the full price tag.

The Costs

Issuance costs range from $100,000 to $2 million depending on the exemption path. A Reg D offering with straightforward terms might cost $100,000 to $500,000 in legal, technical, and filing expenses. A Reg A+ qualification with SEC review, audited financials, and state-level compliance can reach $2 million. Compare this to launching a utility token on Ethereum, which costs little more than gas fees and a developer's time.

Legal counsel runs $50,000 to $200,000 per jurisdiction. Securities law is specialized. Firms experienced in both blockchain technology and securities regulation charge accordingly. Projects operating across multiple jurisdictions multiply this cost.

Ongoing compliance costs $20,000 to $100,000 annually. Transfer agent fees, KYC maintenance for the investor registry, regulatory filings, and annual audit requirements add up. These costs recur every year the token exists.

Smaller investor pools limit fundraising reach. Accredited-only restrictions under Reg D exclude over 90% of potential US investors. Only households meeting the income or net worth thresholds qualify. This narrows the buyer base compared to unrestricted utility token sales.

Reduced liquidity constrains secondary markets. Fewer exchanges list security tokens. Daily trading volumes on security token platforms remain a fraction of what major crypto exchanges process. This makes it harder for holders to exit positions.

The Benefits

Legal certainty removes existential risk. No SEC enforcement action hanging over the project. No surprise lawsuits years after launch. Telegram's $1.22 billion return and $18.5 million penalty 3 would have funded decades of compliance costs.

Institutional access opens larger capital pools. Regulated security tokens can attract banks, asset managers, pension funds, and endowments. These institutions manage trillions of dollars but cannot touch unregistered tokens. BlackRock chose to tokenize its BUIDL fund through Securitize's compliant infrastructure specifically because institutional investors require this regulatory framework 23.

Investor protection builds trust. Compliance infrastructure, KYC verification, transfer restrictions, and regulated intermediaries signal seriousness. Institutional allocators give larger commitments to compliant structures because they face their own regulatory obligations.

Longevity favors compliant projects. Compliant projects survive regulatory crackdowns. Non-compliant ones don't. tZERO raised $134 million in 2018 and is still operating, expanding, and adding new capabilities in 2025 2. Most unregistered token sales from the same era are gone.

The growing institutional market rewards early infrastructure. As firms like BlackRock, JPMorgan, and Goldman Sachs enter tokenization, the compliance infrastructure that early platforms built becomes the foundation. Securitize's path from startup to a $1.25 billion valuation shows how compliance infrastructure can become a competitive moat 25.

The Honest Summary

Compliance is expensive and limiting in the short term. A Reg D security token offering costs 100x or more than launching a utility token. It restricts who can buy. It slows down issuance. It limits where tokens can trade.

But it's the only path to institutional adoption and long-term viability. Projects that skip compliance to move fast often pay far more in enforcement penalties and legal fees than compliance would have cost. Telegram spent over $1.2 billion learning this lesson. tZERO spent a fraction of that building compliant infrastructure and is still in business.

The security token market is small today compared to the broader crypto market. But as real-world asset tokenization grows, driven by institutions that require compliance infrastructure, the projects and platforms that built this plumbing early will be the ones processing the next wave of tokenized assets.

Looking Ahead

Compliance infrastructure defines how security tokens can be issued and traded. The next section covers what they actually represent: real-world assets tokenized on-chain. Real estate, equity, debt, commodities, and fund shares each bring different legal structures, different risk profiles, and different value propositions for investors. The compliance framework described here is the foundation. What gets built on top of it determines whether security tokens deliver on the promise of bringing traditional finance onto blockchain rails.

Key Takeaways
  • Compliance costs run $100K to $2M at issuance and $20K-$100K annually; Telegram's enforcement lesson was $1.22 billion for avoiding those same costs.
  • ERC-3643 enforces KYC directly inside the token's transfer function; if the receiving wallet hasn't passed identity verification, the transaction fails at the protocol level.
  • Reg D permits unlimited raises with no SEC pre-approval, restricting buyers to accredited investors and excluding over 90% of US households from any compliant STO.
  • BlackRock's BUIDL needed a licensed transfer agent, broker-dealer, and ATS to reach $2.4 billion; institutional tokenization doesn't displace compliance infrastructure, it validates it.

Footnotes

  1. Overstock Blockchain Spin-Off Raises $134 Million – With Millions More Committed - https://www.coindesk.com/markets/2018/08/09/overstock-blockchain-spin-off-raises-134-million-with-millions-more-committed

  2. tZERO Launches 24/7 Order Entry, Extended ATS Trading Hours - https://www.tzero.com/news/tzero-to-launch-24-7-order-entry-and-extended-ats-trading-hours-enhancing-interoperability-with

  3. Telegram to Return $1.2 Billion to Investors and Pay $18.5 Million Penalty to Settle SEC Charges - https://www.sec.gov/newsroom/press-releases/2020-146

  4. SEC Obtains Final Judgment Against Kik Interactive For Unregistered Offering - https://www.sec.gov/newsroom/press-releases/2020-262

  5. SEC Exempt Offerings Overview - https://www.sec.gov/resources-small-businesses/exempt-offerings

  6. Private Placements, Rule 506(b) - https://www.sec.gov/resources-small-businesses/exempt-offerings/private-placements-rule-506b

  7. General Solicitation, Rule 506(c) - https://www.sec.gov/resources-small-businesses/exempt-offerings/general-solicitation-rule-506c

  8. SEC Regulation A - https://www.sec.gov/resources-small-businesses/exempt-offerings/regulation

  9. INX Closes First Ever SEC-Registered Token IPO - https://blockchain.bakermckenzie.com/2021/05/05/inx-closes-first-ever-sec-registered-token-ipo/

  10. Offshore Offers and Sales (Regulation S) - https://www.sec.gov/rules-regulations/1998/02/offshore-offers-sales-regulation-s-effective-date-60-days-after-publication-federal-register

  11. SEC Regulation Crowdfunding - https://www.sec.gov/resources-small-businesses/exempt-offerings/regulation-crowdfunding

  12. Securitize Platform - https://securitize.io/

  13. Tokeny Solutions - https://tokeny.com/

  14. Polymath, ERC-1400: The Security Token Standard - https://www.polymath.network/erc-1400

  15. SEC Rule 144: Selling Restricted and Control Securities - https://www.sec.gov/reports/rule-144-selling-restricted-control-securities

  16. ERC-1400: A Library of Interoperable Security Token Standards - https://info.polymath.network/blog/erc-1400-a-library-of-interoperable-security-token-standards

  17. ERC-3643: T-REX, Token for Regulated Exchanges - https://eips.ethereum.org/EIPS/eip-3643

  18. ERC-3643 Validated As The De Facto Standard For Enterprise-Ready Tokenization - https://tokeny.com/erc-3643-validated-as-the-de-facto-standard-for-enterprise-ready-tokenization/

  19. SEC Transfer Agents - https://www.sec.gov/about/divisions-offices/division-trading-markets/transfer-agents

  20. Securitize Goes License Shopping With Acquisition of SEC-Registered Broker-Dealer - https://www.coindesk.com/business/2020/10/15/securitize-goes-license-shopping-with-acquisition-of-sec-registered-broker-dealer

  21. SEC Guide to Broker-Dealer Registration - https://www.sec.gov/about/divisions-offices/division-trading-markets/division-trading-markets-compliance-guides/guide-broker-dealer-registration

  22. tZERO Becomes Crypto Broker Dealer Under SEC Oversight - https://www.coindesk.com/policy/2024/09/10/second-us-firm-tzero-said-to-become-crypto-broker-dealer-under-sec-oversight

  23. BlackRock Launches Its First Tokenized Fund, BUIDL, on the Ethereum Network - https://securitize.io/learn/press/blackrock-launches-first-tokenized-fund-buidl-on-the-ethereum-network

  24. BlackRock BUIDL Surpasses $1B in AUM - https://www.prnewswire.com/news-releases/blackrock-usd-institutional-digital-liquidity-fund-buidl-tokenized-by-securitize-surpasses-1b-in-aum-302401480.html

  25. BlackRock-Linked Tokenization Firm Securitize to Go Public via SPAC Deal - https://www.cnbc.com/2025/10/28/-blackrock-linked-tokenization-firm-securitize-to-go-public-via-spac-deal.html

  26. tZERO, Redefining How Capital Is Raised, Traded, and Owned - https://www.tzero.com/