Once an institution decides to tokenise something, the next question is which kind of chain. The Web3-native instinct reads this as a binary, with permissionless as the real thing and permissioned as a corporate compromise. The TradFi instinct is the inverse. Both framings are wrong. The choice is a function of the target investor base, the regulator's posture, and the custody and settlement topology. Most serious institutional programmes today run on at least one chain of each kind.

What permissioned actually buys

A permissioned chain is a ledger where the validator set, and usually the read set, is gated by credential: a contract with the operator, a regulatory licence, a notary registration with a CSD (central securities depository). Chapter V on permissioned blockchains takes the architecture in detail. The short version is that the credential is what lets the chain inherit the supervisor's existing oversight machinery. A bank running a Canton sub-network or the Quorum-derived rail under Kinexys operates inside the same prudential perimeter that already governs the rest of the bank.

Permissioning buys confidentiality and operator control. Confidentiality at the protocol level (Canton's encrypted peer-to-peer messaging, with a Global Synchronizer that orders transactions without seeing their contents) lets a regulated counterparty hold a position without revealing it to the network. Operator control (pause the chain, freeze a wallet, reverse an erroneous transfer in coordination with a regulator) is what makes the chain compatible with sanctions screening, anti-money-laundering (AML) obligations, and the bank's internal controls. None of this is available, by design, on a fully permissionless chain.

The trade-off is reach. A permissioned chain is a closed network. The set of counterparties who can hold and transfer the instrument is the set the operator has onboarded. For a tokenised deposit issued to existing clients, that constraint is mostly costless. For a tokenised fund interest the issuer wants to distribute widely, it binds.

What permissionless actually buys

A permissionless chain is a ledger where any party with a valid wallet can hold and transact, subject only to the chain's consensus rules. Ethereum, Solana, Stellar, and the major L2s (Layer 2 networks) like Base and Arbitrum are the relevant institutional targets. BUIDL sits on Ethereum, Solana, Aptos, Arbitrum, Avalanche, BNB Chain, Optimism, and Polygon. FOBXX primarily lives on Stellar with replicas across nine other chains. The reason these issuers go to public chains is the distribution surface, which is too large to ignore.

Permissionless buys composability and reach. A BUIDL share on Ethereum can in principle be referenced by any smart contract on Ethereum. A FOBXX share on Stellar can settle against a counterparty's USDC balance without intermediaries. The same instrument can be held by a US qualified purchaser, an Asian family office, and a European institutional allocator without the issuer building three separate onboarding rails.

The cost is the supervisory and operational bar. The issuer has to enforce KYC and eligibility logic at the smart-contract level (the Securitize whitelist controlling who can hold BUIDL is the canonical example), because the chain does not. The issuer monitors for sanctioned wallets, flags suspicious activity, and responds to law-enforcement requests with the same diligence as off-chain holdings. Basel SCO60 prudential treatment for tokenised assets on permissionless chains is more demanding precisely because the operational risk surface is larger (Basel SCO60).

Why most programmes run both

The two stacks are converging, not competing. The BIS Annual Economic Report 2024 chapter on tokenisation describes the direction of travel as "unified ledger" rather than a fork between two camps (BIS AER 2024 Ch III). Most major institutional programmes run on at least one permissioned chain (regulated cash leg, bank-to-bank settlement, supervisor comfort) and at least one permissionless chain (distribution surface, composability, meeting allocators on the rails they already use).

The Kinexys roadmap is a worked example. The core Digital Payments product runs on the permissioned Quorum-derived rail under JPMorgan's bank charter. JPMD, the same bank's USD deposit token, launched natively on Base for retail-adjacent distribution and is moving onto Canton for institutional collateral integration in 2026 (Digital Asset / Kinexys announcement). One issuer, three chains, each picked for the audience and the use case. The same pattern shows up at Franklin Templeton and BlackRock.

How an asset manager actually picks

An asset manager picking chains for a tokenised product is solving three constraints at once. First, the target investor base. Qualified purchasers already trading on public DeFi (decentralised finance) venues require permissionless. Bank treasuries posting collateral inside a designated venue require permissioned. Most institutional products want both.

Second, the regulator's comfort. The MAS-led Project Guardian workstream has put pilots on both permissioned and permissionless chains, with the supervisory tone being that chain choice is downstream of the instrument's legal characterisation, not the other way round. The HKMA's Project Ensemble pilot phase, by contrast, runs on a permissioned consortium ledger because the wholesale-CBDC leg requires it.

Third, the custody-pairing topology. A tokenised asset has to be custodied somewhere. If the custodian only supports a particular set of chains, the asset lives on one of them. If the cash leg is a tokenised deposit, the deposit's chain is a hard constraint. If the cash leg is a stablecoin, the stablecoin's chain set is. Most architectural decisions are downstream of these custody-and-cash-leg constraints.

Part 4 takes the capability layer that the architectural choice unlocks: fractionalisation, collateral mobility, programmability, and cross-border settlement compression, with the production examples for each.