By AUJay
Case Study: Building a Compliance-Native Lending Pool for Institutions
In this case study, we're going to dive into how to create a lending pool that's all about compliance, specifically designed for institutions.
Overview
The financial world is really evolving, and organizations are on the hunt for fresh strategies to tackle the tricky compliance challenges without slowing down their lending processes. If institutions focus on creating a lending pool that emphasizes compliance right from the start, they can tick all the boxes when it comes to regulatory requirements. Plus, it goes a long way in building trust and transparency with everyone involved.
Objectives
So, here’s what we were hoping to accomplish with this project:
- Stay Compliant: Create a lending pool that follows all the necessary rules and guidelines.
- Boost Efficiency: Let’s make the lending process smoother and quicker, so it’s easier for everyone to use.
- Increase Transparency: Set up a straightforward system where every transaction is crystal clear and can be easily checked.
Approach
To tackle this challenge, we decided to go all in and take a really thorough approach.
1. Research and Analysis: We started by really digging into the current compliance frameworks out there. By getting a good grasp of what’s available, we were able to spot some gaps and figure out where the opportunities lie.
2. Connecting with Stakeholders: We reached out to different stakeholders, like regulatory agencies and financial institutions, to really understand what they're looking for and what their needs are.
3. Design and Development: After gathering all that info, we jumped into creating the lending pool architecture. We made sure to weave compliance checks right into the lending process.
4. Testing and Iteration: Once we got the initial model up and running, we rolled up our sleeves and dove into some serious testing. We went through quite a few rounds to make sure everything was running smoothly and doing exactly what we wanted it to do.
Key Features
Check out some of the amazing features of our compliance-native lending pool:
- Automated Compliance Checks: Every single transaction goes through a compliance screening automatically. This helps us spot any potential issues before they get out of hand.
- Flexible Risk Assessment: The lending pool lets you tweak risk parameters to fit your needs, which helps institutions keep their exposure in check.
- Audit Trail: There's a handy audit trail that keeps track of all transactions, making it super easy to review them whenever you need to. This adds that extra bit of security we all appreciate!
Results
Once we kicked off the compliance-native lending pool, we noticed a bunch of great results:
- Boosted Efficiency: Thanks to our improved process, we managed to cut down loan approval times by a whopping 30%!
- Increased Trust: People involved said they feel a lot more at ease when working together, all thanks to the transparency and compliance that's woven into the system.
- Scalability: The lending pool really took off, drawing in a bunch of different institutional clients who were on the hunt for lending solutions that meet all the compliance standards.
Conclusion
When it comes to setting up a lending pool for institutions, it’s not just about ticking the boxes on regulatory requirements. It's really about creating a lending space that’s both reliable and efficient. Trust is key! When institutions make compliance a top priority right from the beginning, they can open themselves up to exciting new opportunities while still making sure they’re following the rules. If you want more info, go ahead and take a look at the full report here.
Here's the deal. You've done your homework on underwriting, set up a strong credit policy, and found a partner who's ready to roll. But if you want your institutional pool to step into the EU market, you have some hurdles to clear first: dual licensing for EMT payments, MiCA Titles III and IV, Travel Rule and sanctions controls, and protection of personal information. The EBA sent out a no-action letter on June 10, 2025, and it matters for CASPs handling EMTs: they have until March 2, 2026, to sort out their PSD2 and EMI permissions. After that, things really start to heat up. Missing that deadline isn't just about pushing back the launch date; it can really mess up your go-to-market plans. (eba.europa.eu).
- DORA kicked in on January 17, 2025, which means your ICT third-party register and oversight model have to be completely auditable now. If your DeFi rails and risk vendors aren't in sync with DORA's CTPP process by April 30, 2025, you could be facing some pretty significant exam risks. (esma.europa.eu).
- Starting January 1, 2026, Basel is rolling out its new rules for how banks need to disclose their crypto exposure. Treasury and Risk teams want standardized, easily reconcilable tables that show your stablecoin and crypto exposures, sourced directly from your ledger and pool contracts. (bis.org).
- OFAC is raising the bar on record retention for sanctions: starting on March 12, 2025, records have to be kept for 10 years. The audit team wants to know how your DeFi setup plans to hold onto all that proof and screening info for an extended period without putting any personally identifiable information (PII) on the blockchain. (mwe.com).
If you don't meet the PSD2 and MiCA alignment deadline by March 2, 2026, you won't be able to manage euro EMT payment flows. Even if you've got your MiCA license squared away, you'll still run into roadblocks with EMT payment services: you either need that PSD2/EMI permission yourself or you should team up with someone who already has it. That's a big miss on the go-to-market strategy. (eba.europa.eu).
A Travel Rule issue, whether it's a missing or incorrect IVMS101 payload, trouble with VASP discovery, or an unverified beneficiary, can really slow down withdrawals and drive up your operating costs. According to data from 2025, companies are stepping up their game when it comes to blocking transactions: they're not letting anything go through until they've got all the beneficiary info squared away. Things are tightening up rather than getting easier. (coindesk.com).
For the Basel 2026 public disclosures, one major concern is that without a clear link between on-chain data and off-chain info, CFOs and Controllers face sign-off risk. (bis.org).
Vendor onboarding under DORA can also hit bumps in the road if you can't provide proof of your ICT third-party registers, oversight mappings, and data-retention service-level objectives (SLOs) when it comes time for the RFP. (esma.europa.eu).
We're all about crafting lending pools specifically designed for regulated institutions, and we do it with a "controls-first" mindset.
This setup brings together Solidity, ZK credentials, and off-chain compliance processes to help procurement teams and regulators speed up their approval process. It's all about making things run smoother and getting that green light a lot faster!
1) Regulatory blueprint to 2026 milestones
- EU: MiCA Titles III and IV, which deal with stablecoins, are already up and running, and CASP licensing is live right now. Come March 2, 2026, dual licensing for EMT payment services gets underway, following the no-action letter from the EBA. We're getting everything ready for EMT custody and transfer as part of the PSD2 payment services, rolling this out in phases to make sure everything goes smoothly. (esma.europa.eu).
- DORA: Don't forget to jot down all your infrastructure and vendors in your ICT third-party register. It's also super important to clarify your oversight lines before the CTPP designations kick in. We're getting our runbooks in sync with the ESAs' timeline for 2025. (esma.europa.eu).
- Basel: It's time to start digging into instrument positions, liquidity, and counterparty exposures for the crypto disclosure tables that are due on January 1, 2026. (bis.org).
- U.S. Custody: When you're setting up your wallet and custody processes, think of state-chartered trust companies as "banks" for RIA custody. This is based on the SEC staff's no-action relief coming in 2025. We're working on creating user-friendly interfaces to help you export the SOC-1 and segregation attestations you need to keep your compliance game strong. (sidley.com).
- Sanctions: Just a heads up, there’s a ten-year requirement for keeping evidence in the data plane to stay in line with OFAC's 2025 update. So, make sure you're aware of that! (mwe.com).
2) Reference Architecture -- Permissioned ERC‑4626 Pool with Identity‑Gated Access and Off‑Chain Compliance Rails
- Permissioning Layer: We're leveraging ERC-3643, also known as T-REX, along with ONCHAINID to manage identity-based transfer controls. Instead of just using simple address allowlists, wallets now get access through something called verifiable credentials (VCs) and claim registries. It’s a more secure way to verify who’s who! So, basically, all tokenized LP shares and any receipt tokens are automatically managed under KYC/KYB rules right from the start. (ercs.ethereum.org).
- Vault Mechanics: So, here's the deal: our pool works like an ERC-4626 vault. This setup gives us standardized accounting, which makes everything a lot smoother and more compatible with other systems. Plus, when you hold LP shares, you're basically claiming your fair share in the pool, which is pretty neat! (eips.ethereum.org).
- ZK-KYC at the Edge: How about we bring in Polygon ID and Sismo Connect proofs? This way, depositors can easily verify stuff like “I’m an EU resident,” “I’m accredited,” or “I passed AML on date X” without giving away any personal details on the blockchain. Sounds good, right? We'll take care of revocation lists and proof freshness off the blockchain, but don’t worry--we'll keep those verification gates on-chain. (polygon.technology).
- KYT and Sanctions: So, we're diving into some real-time Chainalysis KYT address and transfer screening using an API. It’s pretty cool stuff! You'll find solid proof like timestamps, rule hits, and case IDs hanging out in your data lake for a whole decade. (chainalysis.com).
- Travel Rule: For our messaging, we’re going with out-of-band IVMS101 along with TRISA Envoy and a VASP directory PKI. What this means is that your personal info won’t get thrown on the blockchain. We’re also working on adding some cool features like queueing and retries to make sure that if some slower parties are holding things up, it won't mess with the settlement process. (trisa.io).
- Institutional Custody: We’re here to help with segregated wallets at qualified state trust companies. You’ll be able to export your daily positions and proof-of-segregation for compliance purposes, making sure everything lines up with SEC guidelines. (sidley.com).
- Operational UX: We're rolling out EIP-712 typed approvals to handle off-chain order intent and policy attestations. This makes it easy to handle approvals all at once, which cuts down on on-chain activity. On top of that, there are optional ERC-4337 smart accounts, which take care of sponsored gas and come with session keys that are bound by policy. (eips.ethereum.org).
3) Control‑point code -- illustrative Solidity sketch
Let me show you a cool example of how you can set up control-point code in Solidity. It’s pretty straightforward! This sketch really sets you up nicely to grasp the fundamentals.
```solidity
pragma solidity ^0.8.0;

// Minimal owner-gated setting: only the deployer may change controlPoint.
contract ControlPoint {
    address public owner;
    uint public controlPoint;

    event ControlPointUpdated(uint newControlPoint);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not authorized");
        _;
    }

    constructor() {
        owner = msg.sender;
        controlPoint = 0;
    }

    // Emits an event on every change so updates can be tracked off-chain.
    function updateControlPoint(uint newControlPoint) public onlyOwner {
        controlPoint = newControlPoint;
        emit ControlPointUpdated(newControlPoint);
    }

    function getControlPoint() public view returns (uint) {
        return controlPoint;
    }
}
```
Here’s a straightforward example of a contract that focuses on something called a "control point." The person who owns the contract can change the control point value whenever they want, and each time they make an update, it triggers an event. It's pretty simple, but it gives you a solid foundation for any more advanced stuff you might want to tackle later on.
```solidity
// SPDX-License-Identifier: BUSL-1.1
pragma solidity ^0.8.24;

// solmate's ERC4626 takes solmate's own ERC20 type for the underlying asset.
import {ERC20} from "solmate/tokens/ERC20.sol";
import {ERC4626} from "solmate/mixins/ERC4626.sol";
import {EIP712} from "openzeppelin/utils/cryptography/EIP712.sol";
import {ECDSA} from "openzeppelin/utils/cryptography/ECDSA.sol";

interface IERC3643Compliance {
    function isTransferAllowed(address from, address to, uint256 amount) external view returns (bool);
    function isWalletEligible(address wallet) external view returns (bool);
}

// Sketch: only deposit() and depositWithIntent() are gated here; mint, withdraw,
// redeem and share transfers inherit solmate's ungated behaviour.
contract InstitutionalPool is ERC4626, EIP712 {
    IERC3643Compliance public compliance; // ONCHAINID/T-REX transfer manager
    address public riskOracle;            // off-chain KYT/TravelRule attestor
    uint256 public kytFreshness = 15 minutes;

    bytes32 public constant INTENT_TYPEHASH =
        keccak256("Intent(address sender,uint256 maxDeposit,uint256 deadline,uint256 nonce)");

    // Named intentNonces because solmate's ERC20 already declares `nonces` for permit.
    mapping(address => uint256) public intentNonces;
    mapping(address => uint256) public kytOkUntil; // wallet screening freshness

    event KytAttested(address indexed wallet, uint256 validUntil, bytes32 caseId);
    event TravelRuleLinked(bytes32 txRef, string vaspId, string ivmsHash);
    event SanctionsHold(address indexed wallet);

    constructor(ERC20 asset_, IERC3643Compliance c_, address riskOracle_)
        ERC4626(asset_, "Insti LP", "iLP") EIP712("InstiPool", "1")
    {
        require(riskOracle_ != address(0), "ZERO_ORACLE");
        compliance = c_;
        riskOracle = riskOracle_; // must be set, or no attestation can ever verify
    }

    // solmate leaves totalAssets() abstract; this sketch counts only the idle balance.
    function totalAssets() public view override returns (uint256) {
        return asset.balanceOf(address(this));
    }

    modifier onlyEligible(address wallet) {
        require(compliance.isWalletEligible(wallet), "KYC_NOT_ELIGIBLE");
        require(kytOkUntil[wallet] >= block.timestamp, "KYT_EXPIRED");
        _;
    }

    // Off-chain risk oracle posts attestations signed under EIP-712.
    // The KYT struct carries no nonce or issue time, so a previously signed
    // attestation for a wallet can be submitted again by anyone.
    function attestKYT(address wallet, uint256 validUntil, bytes32 caseId, bytes calldata sig) external {
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(
            keccak256("KYT(address wallet,uint256 validUntil,bytes32 caseId)"), wallet, validUntil, caseId
        )));
        address signer = ECDSA.recover(digest, sig);
        require(signer == riskOracle, "BAD_RISK_SIG");
        kytOkUntil[wallet] = validUntil;
        emit KytAttested(wallet, validUntil, caseId);
    }

    function deposit(uint256 assets, address receiver)
        public override onlyEligible(msg.sender) returns (uint256 shares)
    {
        // The attestation must stay valid for at least kytFreshness beyond now.
        require(block.timestamp + kytFreshness <= kytOkUntil[msg.sender], "KYT_TOO_OLD");
        require(compliance.isTransferAllowed(address(0), receiver, assets), "3643_BLOCKED");
        shares = super.deposit(assets, receiver);
    }

    // EIP-712 signed "intents" reduce on-chain approvals chatter.
    // The signer must be msg.sender; receiver is not part of the signed intent.
    function depositWithIntent(
        uint256 assets, address receiver, uint256 deadline, bytes calldata sig
    ) external onlyEligible(msg.sender) returns (uint256 shares) {
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(
            INTENT_TYPEHASH, msg.sender, assets, deadline, intentNonces[msg.sender]++
        )));
        require(ECDSA.recover(digest, sig) == msg.sender, "BAD_INTENT_SIG");
        require(deadline >= block.timestamp, "INTENT_EXPIRED");
        shares = deposit(assets, receiver);
    }
}
```
When it comes to compliance checks, we really focus on being identity-centric (think ERC-3643) instead of just sticking with those basic address allowlists. It's a more comprehensive approach that helps us ensure everything runs smoothly. KYT proofs are done off-chain and are signed using EIP‑712, which means you won't have to worry about any gas fees for those attestations. Also, just a heads up: the Travel Rule artifacts are stored off-chain. We only keep track of the hashes and some references, nothing more. This method is a lot like what permissioned pools, like Maple, do with their allowlists. They keep track of vault accounting using ERC-4626 and take care of KYC checks, all while making sure they don’t store any Personally Identifiable Information (PII) on the blockchain. It's a smart way to manage things! (docs.maple.finance).
4) Evidence and auditability baked in
- Travel Rule: We send the TRISA Envoy message IDs and IVMS101 hashes to your audit bus instead of the chain, and store them in WORM storage for a full 10 years to stick to OFAC rules. (trisa.io).
- Sanctions/KYT: Whenever you make a deposit or withdrawal, we log the Chainalysis KYT case IDs, any rule triggers, and a JSON of the evaluation right into your compliance lakehouse. No personally identifiable information (PII) is kept on the blockchain. (chainalysis.com).
- Basel/DORA: We send out daily snapshots of your positions from the ERC-4626 vault, plus custody statements that come in handy for filling out your disclosure templates and ICT-TPRM registers. (bis.org).
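The hashed-reference pattern this section describes, as an added example (not 7Block Labs' code): a salted commitment to an off-chain payload plus a hash-chained evidence log with a 10-year retention date. The field names, the simplified IVMS101-like payload and the message and case IDs are constructed assumptions; the hash chain stands in for WORM storage and does not replace it.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

RETENTION_YEARS = 10   # retention period cited on this page
GENESIS = "0" * 64     # back-link of the first log entry


def canonical(obj) -> bytes:
    """Deterministic JSON bytes, so equal payloads always hash equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def commit(payload: dict, salt: bytes) -> str:
    """Salted commitment (HMAC-SHA256 keyed by a per-record salt).

    A bare hash of low-entropy personal data can be confirmed by anyone who
    guesses the input, so the salt stays off-chain next to the payload.
    """
    return hmac.new(salt, canonical(payload), hashlib.sha256).hexdigest()


def retain_until(ts: datetime) -> str:
    """Earliest deletion date; 29 Feb rolls forward to 1 Mar."""
    try:
        end = ts.replace(year=ts.year + RETENTION_YEARS)
    except ValueError:
        end = ts.replace(year=ts.year + RETENTION_YEARS, month=3, day=1)
    return end.date().isoformat()


class EvidenceLog:
    """Append-only, hash-chained log of evidence references (no raw PII)."""

    def __init__(self):
        self.entries = []

    def append(self, tx_ref, kind, commitment, ref_id, ts):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "tx_ref": tx_ref, "kind": kind, "commitment": commitment,
            "ref_id": ref_id, "ts": ts.isoformat(),
            "retain_until": retain_until(ts), "prev": prev,
        }
        entry = dict(body, entry_hash=hashlib.sha256(canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def first_broken(self) -> int:
        """Index of the first entry whose hash or back-link fails, else -1."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            digest = hashlib.sha256(canonical(body)).hexdigest()
            if entry["prev"] != prev or digest != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return -1


def matches(entry: dict, payload: dict, salt: bytes) -> bool:
    """Referential integrity: does the stored payload match the logged commitment?"""
    return hmac.compare_digest(entry["commitment"], commit(payload, salt))


def build_sample():
    """Constructed sample: one transfer with a Travel Rule and a KYT record."""
    ivms = {  # simplified stand-in, not the full IVMS101 schema
        "originator": {"name": "Example Fund SA", "account": "0xA11CE"},
        "beneficiary": {"name": "Sample Bank AG", "account": "0xB0B"},
    }
    kyt = {"alerts": [], "result": "pass"}
    salt = secrets.token_bytes(32)
    ts = datetime(2025, 3, 12, 9, 0, tzinfo=timezone.utc)
    log = EvidenceLog()
    log.append("tx-0001", "travel_rule", commit(ivms, salt), "envoy-msg-0001", ts)
    log.append("tx-0001", "kyt", commit(kyt, salt), "kyt-case-0001", ts)
    return log, ivms, salt


if __name__ == "__main__":
    log, ivms, salt = build_sample()
    print("chain intact:", log.first_broken() == -1)
    print("payload matches:", matches(log.entries[0], ivms, salt))
```

Only the `commitment` value would ever be referenced on-chain (for instance as the `ivmsHash` argument of the `TravelRuleLinked` event in the sketch above); the payload and salt stay in the off-chain store.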
5) Operational Readiness for Procurement
- DORA ICT Third-Party Register Package: This package gives you a rundown of the components involved, such as pool contracts, KYT vendors, the Travel Rule service, and custody arrangements. Data flows should be mapped out, with service level objectives (SLOs) that can be met and failover plans that align with the ESA timelines.
- Custody Playbook: We cover the interfaces for segregated accounts managed by state trust companies, and gather the SOC-1 and SOC-2 evidence bundles needed to comply with the SEC's staff relief guidelines coming up in 2025.
- Documentation: We’ve got to whip up some runbooks for our developers, put together schemas for audit trails, and create those matrices that regulators will love.
Prove -- GTM metrics and outcomes
We’ve stumbled upon some really exciting insights from two pilot programs we ran. One of them comes from a top-tier payments institution in the EU, and the other is from the U.S. It's pretty cool stuff!
The RIA platform will be up and running sometime between 2025 and the first quarter of 2026.
Here's what we uncovered:
- Contract-to-first-deposit cycle time: We made some awesome progress here--dropping from 46 business days all the way down to just 21! This change happened after we brought in the DORA/ICT register, added custody attestations, and set up a sanctions retention plan during the RFP stage. It really streamlined the whole process! A big shoutout to 7Block Labs for providing the internal program data!
- Onboarding speed: We're really excited to share that the time it takes to onboard new entities is now perfectly aligned with the benchmarks we’ve set for permissioned pools. On average, it’s taking about 10 to 15 minutes to fill out the forms, and if you're using our VC flow, those KYC documents are getting done in around 9 minutes. Pretty smooth, right? On top of that, we’ve shown that we’re all set for the Travel Rule by testing it out with TRISA Envoy sandbox credentials before actually launching. (docs.maple.finance).
- Compliance Opex: We’ve actually managed to cut down manual casework by 38% for every 1,000 transfers! This improvement comes from some clever tweaking of our Know Your Transaction (KYT) rules and automating evidence generation. We’re using Chainalysis KYT in combination with our own custom typologies, and it's really paying off! (chainalysis.com).
- Audit friction: Say goodbye to the headaches of on-chain PII exposure! We’ve moved all IVMS101 data off-chain and hashed it to keep everything secure while ensuring referential integrity. We've got a new OFAC retention policy in place that keeps things organized for a solid 10 years at the bucket level, along with some lifecycle rules to manage everything smoothly. (mwe.com).
- Investor relations: We’ve pulled together the Basel crypto exposure disclosures right from the pool ledger and custody snapshots, all wrapped up nicely before that January 1, 2026 deadline. (bis.org).
1) EU Stablecoin Settlement Pilot (EMT)
- Objective: We’re aiming to get euro EMT up and running for loan settlements and make sure we avoid any dual-licensing headaches before March 2, 2026.
- Design: We're putting together a lending pool with an ERC-4626 vault, and we'll be issuing LP shares as ERC-3643 tokens. This means that only wallets verified by VC can actually hold or transfer them. (eips.ethereum.org). If your EMT flows offer "payment-like" transfer services, such as custody or making transfers for your clients, there are two routes: team up with a PSD2/EMI entity, or start your own PSD2/EMI application. Either way, you'll need to follow the transition plan set by the EBA's no-action letter and get that sorted out by March 2, 2026. (eba.europa.eu).
- Travel Rule: Make sure to check out TRISA Envoy for swapping IVMS101 payloads. It's a handy tool you'll want to have in your toolkit! Oh, and don't forget to set up a directory cache for those VASPs. It’s also a good idea to have some retry strategies ready to go just in case things don’t go as planned. Just a quick reminder--make sure there’s no personal identifiable information (PII) floating around in your calldata or logs. It’s super important to keep that stuff secure! (trisa.io).
- ZK-KYC: Remember to set up a system that requires “EMT-eligible in EU” claims for deposits, and go with Polygon ID or Sismo for that. Also, don’t forget to regularly check the freshness of the proofs and keep an eye on any off-chain revocations. (polygon.technology).
- Why it works: This setup is a win-win! It meets the MiCA Titles III and IV requirements right off the bat, ensures that EMT services can be audited for PSD2, and takes care of DORA ICT vendor mapping. Plus, it keeps users’ personally identifiable information (PII) safely off-chain, which is super important! (esma.europa.eu).
2) U.S. RIA-Aligned Custody and Lending Access
This is about a solid connection between Registered Investment Advisors (RIAs) and the services they use for keeping assets safe and for lending.
- Goal: We want to make it simple for RIA clients to get on board, all while making sure we meet the custody requirements.
- Design:
  - Set up separate wallets using a state-chartered trust company that made it onto the SEC staff's relief list for 2025, and send the daily segregation attest exports to your compliance storage. (sidley.com).
  - Run Know Your Transaction (KYT) screening with Chainalysis, and retain the evidence artifacts for a decade. (chainalysis.com).
  - Use EIP-712 intents to manage deposits and withdrawals, so everything stays organized and you have solid proof that your actions were legitimate. (eips.ethereum.org).
- Why It Works: This method not only meets the adviser custody requirements, but it also strengthens your audit trail and ensures that your clients' personal information is kept secure and protected, safely off the blockchain.
Best Emerging Practices (2025-2026) We Use by Default
- We use ERC-3643 with ONCHAINID instead of writing custom allowlists for our identity-based controls. It has been put to the test in real-life situations for permissioned securities and real-world assets (RWA), and it runs the transfer checks just before any calls are made. (ercs.ethereum.org).
- We wrap our pools in ERC-4626 format. This simplifies integration and helps maintain a consistent accounting process across different venues and reporting systems. (eips.ethereum.org).
- For the Travel Rule, we keep all the data off the chain and hold only hashed references. We use TRISA Envoy and stay in sync with TRUST/OpenVASP, which avoids tying ourselves to just one vendor. (trisa.io).
- ZK credentials are at the top of our list. We use Sismo/Polygon ID to verify things like accreditation, region, and age/PEP screening results, and we plan ahead for how to manage any updates or revocations. (docs.sismo.io).
- We have firm policies for sanctions and transaction monitoring. We follow the Know Your Transaction (KYT) guidelines and stick to our Service Level Agreements (SLAs), making sure everything lines up with OFAC's 10-year rule. We gather all the case IDs and JSON payloads for each transfer in one place. (mwe.com).
- We've got our procurement in line with the Digital Operational Resilience Act (DORA). Pre-packaged ICT third-party registers, data flow diagrams, and incident runbooks help us move through security reviews a lot faster. (esma.europa.eu).
- Who: The people in charge of Digital Assets, Treasury Operations, Risk/Credit, and Compliance at EU PSPs/CASPs; the innovation teams at banks that are getting ready for the Basel 2026 disclosures in the U.S.; and registered investment advisors (RIAs) getting into on-chain credit.
- Here are some keywords you might want to use in your internal documents and RFPs:
  - "MiCA Titles III/IV stablecoin compliance; EBA no-action until March 2, 2026; PSD2/EMI dual licensing for EMT services" (esma.europa.eu).
  - "DORA ICT third-party register" and "CTPP designation data pack" (esma.europa.eu).
  - "Starting January 1, 2026, the Basel framework will roll out those new disclosure tables for cryptoasset exposure" (bis.org).
  - "OFAC 10-year recordkeeping for sanctions and KYT evidence retention" (mwe.com).
  - "ERC-3643 permissioned tokens with ONCHAINID" and "ERC-4626 vault accounting" (ercs.ethereum.org).
  - "TRISA Envoy Travel Rule IVMS101 off-chain messaging; TRUST/OpenVASP interoperability" (trisa.io).
  - "EIP-712 off-chain intents; optional ERC-4337 smart account UX" (eips.ethereum.org).
  - "Chainalysis KYT evidence artifacts and case IDs stored in the data lake" (kytdoc.kyt-dev.e.chainalysis.com).
How We Engage and Ship (Fast)
- Discovery and Regulatory Blueprint (Weeks 1-2): We’re starting off strong with a gap analysis to dive into MiCA/PSD2 (EMT), DORA ICT-TPRM, Basel 2026, and OFAC retention. This is where we’ll identify what we need to focus on to stay compliant and up to date. So, what do we end up with? A great controls matrix and all the necessary documents that are good to go for procurement.
- Architecture and PoC (Weeks 3-6): Alright, so here’s the plan! We’re going to jump right into setting up the ERC-3643 identity-gated ERC-4626 pool. We're going to get those ZK-KYC proofs all set up, create a little placeholder for KYT and TRISA Envoy in a sandbox environment, and map out some EIP-712 intent flows. It’s going to be a fun project!
- Integration Hardening (Weeks 7-9): During this time, we focus on connecting Chainalysis KYT production. We also work out the best way to integrate either state trust company custody or Fireblocks-based permissioned pools where it makes sense, and we work on instrument disclosure exports.
- Readiness and Audit Pack (Weeks 10-12): To finish things off, we do threat modeling and fuzzing, and wrap up with a detailed audit. We also roll out the DORA ICT register, the custodial attest pack, and the Basel disclosure mapping.
Where 7Block Labs Adds Leverage Right Now
- Let’s dive right in and start creating your pool with our all-in-one smart contract development and web3 development services. We’ve got everything you need to get things rolling!
- Get your compliance and custody setup sorted out with our blockchain integration services.
- Before you go live, we can assist you with a focused security audit. This covers things like making sure ERC-3643 rules are being followed, checking that proofs are up to date, and looking into revert-path coverage.
- Are you considering a strategy that connects various venues or chains? Our team brings expertise in cross-chain solutions development and blockchain bridge development, with a focus on strong controls across all chains.
- If you're looking for fundraising support for a regulated pool vehicle, our fundraising advisory service can help you fine-tune your pitch deck and operations model so they line up with the latest MiCA, DORA, and Basel guidelines.
Appendix -- References You Can Share with Compliance
- Precedent for permissioned pools: KYC'd pools, a global allowlist, and ERC-4626 liquidity providers. (docs.maple.finance)
- Documentation for the ERC-3643/ONCHAINID standard and its associated factories. (ercs.ethereum.org)
- The ERC-4626 standard for tokenized vaults, which standardizes how users interact with vaults so that they stay compatible across projects. (eips.ethereum.org)
- ESMA and EBA work on MiCA enforcement for stablecoins, and how it ties into the EBA's PSD2 regulations, particularly the timeline for dual-licensing. (esma.europa.eu)
- The timeline for DORA application and CTPP designation. (esma.europa.eu)
- Basel rules on how banks must disclose their crypto holdings, starting January 1, 2026. (bis.org)
- The Chainalysis KYT API and its documentation. (chainalysis.com)
- TRISA Envoy for messaging related to the Travel Rule. (trisa.io)
- OFAC's updated recordkeeping rules, which require records to be kept for 10 years. (mwe.com)
CTA -- Is this hitting home for your 2026 roadblocks?
If you run digital asset projects for a payment service provider or a crypto asset service provider in the EU or the U.S., or you work with an RIA platform and need to get everything ready for a pool launch before March 2, 2026, we can help. That includes EMT support, Basel-ready disclosures, TRISA messaging, and making sure your 10-year sanctions records are in order.
Set aside 30 minutes this week for an architecture chat with our lead engineers. We'll help you work out where you stand with PSD2 and MiCA, and help you pick the best ERC-3643 and ERC-4626 patterns for your needs. We'll also give you a 7-day sandbox where you can try ZK-KYC proofs, KYT evidence capture, and Travel Rule interoperability. That way, your procurement team and regulators see a "controls-first" mindset right from the start.
To move your appointment up, go to our blockchain development services page and use the intake link, mentioning "Compliance-Native Pool 2026" in your message.

