Securitize Logo

#HyFi for Security Tokens — pooled assets and ownership tracking

Once Digital Securities from multiple users are mixed together inside a DeFi Smart Contract, it is important to establish rights and attributions that are consistent with the regulatory constraints of the security.

Dec 22, 2020

This post is part of a series that analyzes how Digital Securities can benefit from DeFi protocols bridging Decentralized and Centralized Finance in a Hybrid approach (#HyFi), and the different aspects that need to be taken into consideration to leverage this ecosystem while remaining compliant. You can read Securitize’s introduction to HyFi hereSecuritize’s introduction to HyFi hereSecuritize’s introduction to HyFi here, learn about the impact of KYC and transfer controls hereimpact of KYC and transfer controls hereimpact of KYC and transfer controls here, and understand the impact of assets being deposited into smart contracts here.


In my previous post, I discussed the impact on compliance controls for Digital Securities when they are deposited into a smart contract controlled by a single owner, like a Balancer private pool or a Maker Vault. But this is not the most frequent case for DeFi. Protocols like UniSwap, Aave, or Balancer with their public pools rely on multiple investors depositing their tokens as a shared pool inside a smart contract.

When this happens, the Digital Security controls cannot match the pool address to a single identity, so the attribution of ownership for those balances is not straightforward. As discussed in the previous post, the smart contract can still be “allowed” to hold the tokens, following the “compliance at the edge approach” but that is a bit like looking the other way when it refers to these tokens because this does not provide answers to many specific questions:

  • Who is the person (physical or legal) that should appear as holder for those assets in the issuer’s records? Since the issuer has reporting obligations for their holders, there must be an answer for that. In the “non-blockchain world” (some people say the “real world”, but at this point debating the reality of blockchain is pointless), when securities are deposited in an exchange there is a custodian or broker-dealer that is the Holder of Record for those assets in the issuer’s books. In a DeFi context, “decentralized” is the key concept, so there is no such holder.
  • Who should receive the economic rights derived from asset ownership? If the Digital Security is paying a dividend or performing a governance event like voting, is the smart contract holding the tokens expected to get those rights?
  • How does this impact investor counts for regulatory limits? Some securities have a limit in the number of worldwide holders or holders for a certain category — like non-accredited investors — that can be allowed to keep it within the present regulatory guidelines. If the compliance controls in the Digital Security keep track of those limits, how should it consider they are impacted when the tokens are deposited on a pooled smart contract?

The easiest solution to all these points is for some entity to take responsibility for all the above. For instance, a Broker-Dealer could create (or take responsibility for) the smart-contract pool, allow anyone holding the securities to provide liquidity (which by definition would be allowed holders, since otherwise, they could not hold the asset in the first place as enforced by the Digital Security smart contract), but then show up in the issuer’s records as the single Holder of Record and take the responsibility of distributing the corresponding rights to the beneficial owners. This, from the issuer’s (and issuer’s agents) perspective, reduces the issue to the one discussed in our previous post: a smart contract that can be associated with a single identity (the Broker Dealer’s in this case). But this is just a case of kicking the can down the road, because while tracking ownership and right distribution inside the pool is no longer a problem for the issuer or Transfer Agent, it becomes a problem for the Broker-Dealer itself. So we still need to find a solution for that.

Such a solution is not simple but can be addressed with the appropriate technological approach. For instance, we can consider two alternatives for handling it:

a) Have the Digital Security smart contract and the DeFi protocol have a deeper integration, so an accurate tracking of associated balances can be enforced on-chain. The DeFi protocol would communicate transactions and operations that usually are not relevant for a regular ERC20 token, but that become important for securities. While this approach is possible, it has some downsides like scalability issues for protocols in order to support a variety of specialized assets, and an increased cost of gas in all its operations. This approach may be explored in partnership with some DeFi protocol developers, and with a smart contract infrastructure that helps to address this (for instance, Securitize’s Omnibus Controller smart contract, which we will discuss in the future), but this may not be the right solution for the short term.

b) Track the pool activity off-chain via the events it produces, so that while the token smart contract will only record the total balance on the pool, the issuer’s records (Master Securityholder File, Transaction Log, snapshot infrastructure…) will have an accurate representation of the ownership structure inside. This is not a purely-decentralized approach, but a hybrid one (one more reason to consider that the intersection of DeFi and Digital Securities is a HyFi approximation), but one that is aligned with regulatory requirements and expectations.

If this approach is valid from a regulatory perspective, Securitize’s technology would be able to do this tracking and make it available via its Transfer Agent Services, which allow issuers to provide more flexible options to investors holding their assets. This tracking works by making some specific interpretation of what happens when investors interact with the corresponding DeFi protocol.

For instance, let’s say we had a UniSwap pool allowing to exchange a tokenized security called DS1 (for “Digital Security 1”) for USDC, and this pool has 2 liquidity providers owing 40% and 60% of the assets respectively which currently include 10,000 DS1 tokens. If a third party investor uses the pool to buy 5,000 tokens, and the operation is approved — because the investor is authorized by the security compliance controls — the blockchain will reflect a single movement of 5,000 tokens from the pool to the new investor. But in practice, since the pool is actually co-owned by the 2 liquidity providers, for securities regulation purposes the issuer’s records will show a transaction for 2,000 tokens from one of the LPs and 3,000 from the second, and their corresponding positions will be updated in such a way.

The compliance and record-keeping capabilities required to ensure this process are far from trivial, but their diligent implementation ensures that investors can interact with each other through the DeFi ecosystem, preventing bad actors to be involved in the process and providing accurate and comprehensive records that can determine at each point the rights and responsibilities of all stakeholder.

The Securitize platform has the technology which can identify interactions with these kinds of pools, and expand them in the corresponding records to reflect the relevant impact. This way the behavior of a DeFi protocol could be translated into what it actually means from a proper record-keeping standpoint. And since for this to happen specific integrations with each protocol are required, the controls are in place to only support protocols that are vetted and reviewed to guarantee issuers and investors would not get exposed by their usage. As a Registered Transfer Agent, we take this responsibility for investor protection very seriously and we understand we must perform a gatekeeping role.

Throughout this post, I have discussed depositing Digital Securities in a shared pool and the correct tracking of the transactions that happen with it. A similar approach must be taken when assets are withdrawn from the pool by liquidity providers. But there is one aspect of this process I have not discussed yet, which is that LPs can usually withdraw those assets from the pool using additional DeFi protocol tokens that the investor receives at deposit time. I will discuss these receipt tokens in a forthcoming post.

Disclaimer: The scenarios discussed in this article serve to illustrate the application of certain technological solutions. Securitize is not provided advice about the regulatory compliance of any those scenarios, nor actively involved in pursuing any such scenarios at this time.

Securitize Logo
© 2021 Securitize, LLC All rights reserved
Securities are offered through Securitize Markets, LLC, (“Securitize Markets”) a registered broker-dealer and member FINRA/SIPC. Neither Securitize Markets, nor any of its affiliates provide any investment advice or make any investment recommendations to any persons, ever, and no communication through herein or in any other medium should be construed as such. Securities offered on the Securitize Markets ATS have not been registered under the Securities Act of 1933 and may not be offered or sold in the United States absent registration or an applicable exemption from registration requirements. Assets listed herein are securities that are not publicly traded, may be subject to resale restrictions, and are intended for investors who do not need a liquid investment. These investments are not bank deposits (and thus not insured by the FDIC or by any other governmental agency), are not guaranteed by Securitize Markets or its affiliates, and may lose value. Investments in private placements, and start-up investments in particular, are speculative and involve a high degree of risk Investors must be able to afford the loss of their entire investment. Eligibility to buy and sell securities on the Securitize Markets ATS is determined by Securitize Markets in its sole discretion. Offers to sell, or the solicitations of offers to buy any security can only be made through official offering documents that contain important information about risks, fees and expenses associated with the applicable securities available for trading on the Securitize Markets ATS. Investors should conduct their own due diligence, not rely on the financial assumptions or estimates displayed herein, and are encouraged to consult with a financial advisor, attorney, accountant, tax advisors, and any other professional that can help you to understand and assess the risks associated with any investment opportunity. Past performance is not indicative of future results. Neither the Securities and Exchange Commission nor any federal or state securities commission or regulatory authority has recommended or approved any investment or the accuracy or completeness of any of the information or materials provided herein or through any references/links herein. Any financial projections or returns shown herein are provided by the issuer of the relevant security and Securitize Markets has not verified the accuracy. Further, there can be no assurance that any valuations provided by issuers are accurate or in agreement with market or industry valuations. Securitize Markets and its affiliates make no representations or warranties as to the accuracy of such information. Securitize Markets may collect certain information about you that helps us comply with various securities regulations and rules and the USA PATRIOT Act, a Federal law that requires all securities firms to obtain, verify, and record information that identifies each applicant. The information also helps us more fully understand your investment profile and identify what types of investments or strategies may be suitable for you. The term “Investors” used on this website, typically refers to accredited investors where applicable. Please note: if we cannot verify the information you provide, we may be required to restrict or deny your account. By accessing this site and any pages thereof, you agree to be bound by our Terms of Service and Privacy Policy.