
KYC/AML for Tokenized Assets: Complete Setup Guide

A practical guide to designing and implementing investor onboarding for tokenized securities. Covers risk-based KYC, AML policy design, provider selection, Travel Rule compliance, and on-chain identity integration — for issuers across all major jurisdictions.

18 min read · 5 steps · Updated March 2026 · By GlobalTokenize

  • Applies to: All tokenized securities (real estate, bonds, funds, equity)
  • Frameworks: FATF, EU AMLD, MAS, FinCEN; Travel Rule (FATF R.16)
  • Key approach: Risk-based (SDD / CDD / EDD by investor risk)
  • On-chain link: ONCHAINID / ERC-3643 (KYC claim → allowlist → transfer)

What you’ll achieve

A complete KYC/AML infrastructure that satisfies regulators, satisfies platforms, and protects your project.

  • AML risk assessment: Documented risk-based approach accepted by regulators and platforms
  • KYC/AML policy: Written policies covering CDD, EDD, PEP, sanctions screening
  • Automated onboarding: KYC provider integrated with investor portal and smart contracts
  • Travel Rule compliance: Originator/beneficiary data sharing for cross-chain transfers
  • On-chain identity: KYC claims linked to ONCHAINID for ERC-3643 transfer control

Risk-based approach: three KYC levels

FATF requires a risk-based approach. Apply more scrutiny to higher-risk investors — and less friction to lower-risk ones.

Simplified Due Diligence (SDD): Low risk
  • Small retail investment (below threshold)
  • Regulated financial institution as investor
  • Listed company or government entity
  • Low-risk jurisdiction, no adverse media
Requirements: Basic identity verification only — name, DOB, address. No source of funds required. Faster onboarding acceptable.

Customer Due Diligence (CDD): Standard
  • Standard retail or accredited investor
  • Private company investor (KYB)
  • Investment above SDD threshold
  • No specific risk indicators present
Requirements: Government ID + liveness check. UBO for companies. Source of funds declaration. Sanctions + PEP screening. Ongoing monitoring.

Enhanced Due Diligence (EDD): High risk
  • Politically Exposed Person (PEP) or close associate
  • High-risk jurisdiction (FATF grey/black list)
  • Large investment (typically >€50k or $50k)
  • Adverse media hits or unusual transaction patterns
  • Complex ownership structure, offshore entities
Requirements: Full source of wealth documentation. Senior management approval. Enhanced ongoing monitoring. Detailed UBO verification. More frequent re-KYC.

KYC provider comparison

Leading providers that integrate with tokenization platforms and support ONCHAINID claim issuance.

| Provider | Best for | Travel Rule | ONCHAINID | Pricing model |
|---|---|---|---|---|
| Sumsub | Global onboarding, high volume | Yes | Yes | Per verification + monthly |
| Onfido | EU/UK compliance, biometrics | Via partner | Custom | Per verification |
| Jumio | Enterprise, US institutional | Yes | Custom | Enterprise contract |
| Fractal ID | Web3-native, crypto-focused | Yes | Native | Per verification |
| Notabene | Travel Rule specialist | Specialist | Via partner | Per transaction |
| Veriff | EU focus, fast onboarding | Via partner | Custom | Per session |

Building your KYC/AML infrastructure in 5 steps

From risk assessment to on-chain identity — the complete setup process.

Step 1 (Foundation): AML Risk Assessment
Goal: Document your risk-based approach before building any systems.

What to assess

  • Customer risk: Who are your investors? Retail, accredited, institutional, corporate?
  • Geographic risk: Which jurisdictions do investors come from? FATF grey/black list exposure?
  • Product risk: Is your token a security? Is there secondary trading? Higher risk = more scrutiny
  • Delivery channel risk: Direct onboarding vs. platform-intermediated vs. DeFi
  • Transaction risk: Stablecoin payments? Crypto on-ramps? These carry higher ML risk

Output: risk assessment document

  • Inherent risk score for each risk category (Low / Medium / High)
  • Mitigating controls for each risk (KYC level, monitoring frequency, etc.)
  • Residual risk after controls — acceptable level defined by compliance team
  • Updated at least annually or when business materially changes
  • Document reviewed and approved by senior management/MLRO

Step 2 (Policy): AML/KYC Policy Documentation
Goal: Write the policies that govern your entire compliance programme.

Policies you need

  • AML/CTF Policy: Overall framework — risk appetite, governance, roles, regulatory obligations
  • KYC/CDD Procedure: Step-by-step investor verification process including SDD/CDD/EDD thresholds
  • Sanctions Screening Policy: Which lists screened (EU, UN, OFAC), frequency, match handling
  • PEP Policy: Definition, identification process, approval requirements, ongoing monitoring
  • Transaction Monitoring Policy: Rules, thresholds, alert investigation, SAR filing process
  • Record Keeping Policy: 5-year minimum retention for all KYC records and transaction data

Operational requirements

  • MLRO designated with clear authority to file SARs independently
  • Escalation matrix: who approves EDD investors, PEP decisions, SAR filings
  • Staff training schedule — AML awareness annually, role-specific more frequent
  • Independent audit of AML programme — annually or per regulator requirement
  • Whistleblowing channel for internal AML concerns

Step 3 (Technology): KYC Provider Integration
Goal: Automate investor verification so onboarding is fast, compliant, and scalable.

Individual investor KYC flow

  • Investor submits government-issued ID (passport, national ID)
  • Liveness check — selfie or video to prevent document fraud
  • Address verification — utility bill, bank statement (not always required)
  • PEP and sanctions screening — automated against live lists
  • Accredited/qualified investor confirmation — self-declaration or document upload
  • Source of funds for investments above EDD threshold
  • Result: Approved / Pending manual review / Rejected

Corporate investor KYB flow

  • Company registry extract — confirms legal existence and status
  • UBO identification and verification — all owners above 25% threshold
  • Director verification — ID and liveness for all directors
  • Board resolution authorising investment
  • Source of funds — audited accounts or bank reference
  • Complex structures (trusts, holding companies) require additional layers

💡 Tip: Most tokenization platforms (ADDX, Securitize, Tokeny) have preferred KYC providers already integrated. Check platform requirements before choosing your provider — using their preferred partner often reduces integration time from weeks to days.

Step 4 (Transfers): Travel Rule Compliance
Goal: Share originator and beneficiary data on token transfers above threshold — as required by FATF Recommendation 16.

What is the Travel Rule?

  • FATF Recommendation 16 requires VASPs to share sender and receiver information on transfers ≥ threshold (€1,000 in EU, $3,000 in US)
  • For tokenized securities: applies to on-chain transfers between wallets at different VASPs/CASPs
  • Data required: originator name, wallet address, account number; beneficiary name and wallet address
  • Both sending and receiving VASP must be able to verify and store this data
  • EU Travel Rule (TFR) fully in force since December 2024 — applies to all crypto-asset transfers

Implementation options

  • Notabene: Leading Travel Rule network — connects VASPs globally for data exchange
  • Sygna Bridge: Asia-Pacific focused Travel Rule solution
  • Shyft TrustAnchor: Open protocol for Travel Rule compliance
  • Platform-provided: Most regulated platforms (ADDX, Securitize) handle Travel Rule within their ecosystem
  • Sunrise issue: counterparty VASP may not be Travel Rule compliant — document your policy for non-compliant counterparties

Step 5 (On-Chain): On-Chain Identity & Ongoing Monitoring
Goal: Connect off-chain KYC to on-chain transfer controls and maintain ongoing compliance.

KYC → on-chain flow

  • Investor passes KYC with your provider
  • Provider issues cryptographic claim to investor’s ONCHAINID contract
  • Claim contains: jurisdiction, investor type, verification date, expiry
  • ERC-3643 token contract checks ONCHAINID before every transfer
  • Expired claim → transfer automatically blocked until re-verified
  • Revoked claim (sanctions hit, fraud) → instant transfer restriction on-chain
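
The claim check in the flow above, as a simplified off-chain Python model added here (it is not ERC-3643 or ONCHAINID contract code and not from this guide's author). HMAC with a constructed key stands in for the issuer's signature; `issue_claim`, `check_claim`, `can_transfer`, the issuer name and the `holder` field are hypothetical, and checking both sender and receiver is a modelling choice.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed demo key. HMAC stands in for the claim issuer's real signature
# scheme so the example runs offline; all names below are illustrative only.
ISSUER_KEYS = {"kyc-provider-demo": b"constructed-demo-key"}
REVOKED = set()  # signatures of claims the issuer revoked (sanctions hit, fraud)

@dataclass(frozen=True)
class Claim:
    holder: str         # wallet the claim is bound to (constructed address)
    issuer: str
    jurisdiction: str
    investor_type: str
    verified_at: int    # Unix seconds
    expires_at: int
    signature: str = ""

def sign_claim(claim):
    """MAC over every field except the signature, in a canonical key order."""
    body = {k: v for k, v in asdict(claim).items() if k != "signature"}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEYS[claim.issuer], msg, hashlib.sha256).hexdigest()

def issue_claim(**fields):
    """Provider side: sign the claim fields once KYC has passed."""
    return Claim(**fields, signature=sign_claim(Claim(**fields)))

def check_claim(claim, now):
    """Return (ok, reason); every failure blocks the transfer (fail closed)."""
    if claim.issuer not in ISSUER_KEYS:
        return False, "untrusted issuer"
    if not hmac.compare_digest(sign_claim(claim), claim.signature):
        return False, "bad signature"
    if claim.signature in REVOKED:
        return False, "claim revoked"
    if now >= claim.expires_at:
        return False, "claim expired"
    return True, "ok"

def can_transfer(claims, sender, receiver, now):
    """Gate run before every transfer; this model checks both parties."""
    for wallet in (sender, receiver):
        claim = claims.get(wallet)
        if claim is None or claim.holder != wallet:
            return False, f"{wallet}: no claim"
        ok, reason = check_claim(claim, now)
        if not ok:
            return False, f"{wallet}: {reason}"
    return True, "ok"
```

Because the signature covers every claim field, editing the investor type or expiry after issuance fails the check, and a claim copied to a different wallet is rejected by the holder comparison.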

Ongoing monitoring

  • Transaction monitoring — flag unusual patterns (large/frequent transfers)
  • Periodic re-KYC — typically annually for standard risk, more frequent for high risk
  • Sanctions rescreening — continuous or daily against updated lists
  • Adverse media monitoring — automated screening for negative news on investors
  • SAR filing — report suspicious activity to FIU within required timeframe
  • Annual AML programme review and staff retraining
