Skip to main contentSkip to FAQSkip to contact
For OpssReference· 6 min

Compliance Architecture#

All participant verification is enforced on-chain via the ComplianceRegistry contract. Non-compliant addresses are rejected at the contract boundary - open(), fill(), and claim() all revert.

ComplianceRegistry - a UUPS-upgradeable per-chain contract that stores KYC attestations. Every settlement interaction checks compliance at the contract level - non-compliant addresses are rejected before any funds move.

Attestation Model#

Each participant needs a valid on-chain attestation:

Solidity
1struct Attestation {
2    bytes2 jurisdiction;  // ISO 3166-1 (e.g., "US", "CH")
3    uint8 tier;           // 0=NONE, 1=RETAIL, 2=PROFESSIONAL, 3=INSTITUTIONAL
4    uint48 expiresAt;     // Attestation expiry timestamp
5    bytes32 vendorHash;   // KYC vendor (e.g., keccak256("chainalysis"))
6}
6 linessolidity

isCompliant(address) checks: attestation exists → not expired → jurisdiction not blocked. Cost: < 0 gas.

Attestation Lifecycle

submit KYCapprovedrejectedexpire / revokere-submitUnregisteredPending KYCAttestedRevoked
initial
normal
success
error
Hover a state to explore

Settlement Path Routing#

EscrowResourceLock (Compact)
Compliant (no API key)ComplianceSettlerEscrowComplianceAllocator via Compact
Direct (API key present)InputSettlerEscrowIntegrator's allocator via Compact

API key present → Direct path (integrator handles KYC externally). No API key → Compliant path (on-chain enforcement, 403 COMPLIANCE_FAILED for non-compliant signers).

Pre-Trade Compliance Gate#

Every order passes 0 checks before reaching settlement contracts:

  1. Risk labels - wallet risk scoring via vendor adapter
  2. Originator sanctions - OFAC/EU/UN screening
  3. Beneficiary sanctions - same screening on recipient
  4. Jurisdiction corridor - origin→destination corridor permitted
  5. Corridor volume - per-corridor caps not exceeded
  6. Travel Rule data - FATF fields present above threshold
  7. Unhosted wallet EDD - enhanced due diligence for non-custodial wallets

Compliance Check Sequence

ParticipantKYC ProviderComplianceRegistryPre-Trade GateEvidence LedgerSubmit identity1Attestation tx2Trade request3checkCompliance()4Attestation valid ✓5Log decision6
0 / 6

KYC / KYB Onboarding#

Onboarding Flow#

  1. User initiates KYC/KYB - frontend calls POST /api/v1/kyc/initiate, which creates a Sumsub applicant and returns a verification URL / SDK token
  2. Vendor verification - Sumsub collects identity documents, runs liveness checks, verifies beneficial ownership (KYB). Result arrives via webhook (POST /api/v1/kyc/webhook)
  3. Off-chain registration - backend stores the verified counterparty with jurisdiction, tier (1/2/3), and vendor evidence hash. The ComplianceService DashMap is updated for O(1) pre-trade lookups
  4. On-chain attestation - backend calls ComplianceRegistry.setAttestation() on each chain where the counterparty needs to transact (per-chain replication, no cross-chain messaging)
  5. Counterparty can transact - isCompliant(wallet) returns true on both off-chain (DashMap) and on-chain (ComplianceRegistry) layers

Counterparty Types#

KYC Individual users on the Compliant settlement path.

  • Complete KYC via Sumsub WebSDK (identity verification, liveness)
  • Pre-trade gate checks KYC status, sanctions, and jurisdiction on every order
  • Attestation expires - renewal required before expiry
Entity TypeRequirements
Individual (KYC)Identity, address, wallet, sanctions, PEP screening
Company (KYB)Entity verification, UBO, director KYC, sanctions
BrokerCompany KYB + regulatory license + compliance program + insurance
LPCompany KYB + liquidity proof + settlement infrastructure + SLA docs

Attestations expire. Alerts fire at 90 days (info), 30 days (warning), and on expiry (critical - trading blocked).

Travel Rule (IVMS101)#

FATF Recommendation 16 compliance via IVMS101 data format. Originator and beneficiary identity data transmitted between VASPs via Notabene for transfers above jurisdiction-specific thresholds.

WORM Evidence Ledger#

Every compliance decision and trade generates an immutable audit record:

WORM Properties
  • Hash-chained: Each entry's SHA-256 hash includes the previous entry's hash - tampering breaks the chain
  • Append-only: Written by the EvidenceSubscriber on the EventBus, cannot be modified or deleted
  • Retention: Hot (in-memory DashMap) → Cold (PostgreSQL, append-only evidence_entries table)

Per-Chain Replication Architecture#

Compliance Pipeline

Mini Map
Actor
Engine
Contract
Network

The ComplianceRegistry is deployed independently on each chain - there is no cross-chain messaging for compliance state. This is a deliberate architectural choice.

Why per-chain, not cross-chain? Cross-chain compliance would create an oracle dependency for KYC state - if the oracle relay is down, no one could trade. Per-chain replication avoids this: each chain has a self-contained registry that the backend keeps in sync.

How replication works:

  1. Backend KYC service verifies a participant via vendor adapter (Chainalysis, Elliptic)
  2. Backend calls setAttestation() on each chain's ComplianceRegistry contract
  3. Each chain now has an independent, locally-verifiable attestation
  4. isCompliant() checks are pure on-chain reads - no external calls, no oracle dependency

Registry contracts are deployed via CREATE2 for deterministic addresses across chains. The address is the same on every chain, simplifying integrator configuration.

Circuit Breaker for Vendor Adapters#

Circuit Breaker States

Mini Map
Actor
Engine
Contract
Network

Vendor adapters use a circuit breaker on a 24-hour rolling fill rate window:

Fill RateStateEffect
≥ 90%ClosedNormal - all requests forwarded
80–89%WarningLogged to evidence ledger, no penalty
50–79%ProbationRanking weight −50%
under 50%OpenDisabled, admin reset required

After Open, a timeout triggers a Half-Open probe: success → Closed, failure → Open again.

Travel Rule & IVMS101#

Travel Rule (FATF Recommendation 16) requires transmitting originator and beneficiary information for transfers above the regulatory threshold.

  1. Pre-trade: Both counterparties provide identity information during KYC onboarding
  2. Post-fill: TetraFi constructs an IVMS101 message with originator/beneficiary data
  3. Transmission: Message sent to counterparty's VASP via Travel Rule network
  4. Evidence: Transmission receipt logged to WORM ledger as compliance evidence

Data fields are pseudonymized using HMAC before storage - the platform stores hashed references, not raw PII. Full data is transmitted only to the regulatory-required recipient.

See Also#

Settlement Flows

Compliant vs Direct path routing

Smart Contracts

ComplianceRegistry interface

Personas & Workspaces

Onboarding per counterparty type

I'm in OpsStep 3 of 7
OpsNext · Data Layer

Related topics

Settlement Flows

Architecture· Lock types, escrow models, settlement path routing, equivocation protection, and the fill/claim lifecycle.

Oracle Network

Architecture· 7 cross-chain oracle implementations, relay mechanisms, attestation verification, and oracle selection per corridor.

Smart Contracts

Architecture· On-chain contract reference: InputSettler, OutputSettler, ComplianceRegistry, oracle implementations, and deployment addresses.

Data Layer & Evidence

Architecture· WORM evidence ledger, hash-chained audit trail, credit system, workspace model, and data archival.