[Suit Up]

HOME / MECHANICS / Custody and access / CH. VI · PT 1
Custody and access

Whitelisted wallets

Chapter I established that ERC-3643 won the institutional standards race because it separated token logic from compliance logic. This chapter covers what that compliance layer actually does day to day inside a regulated tokenisation programme. The first thing it does, before transfer rules, before sanctions screening, before any of the more interesting machinery, is decide which wallet addresses are even allowed to hold the token. That is the whitelist, and it is the load-bearing primitive that makes BUIDL, MONY, and JPMD legally distinct from a payment stablecoin. Get the whitelist wrong and nothing else matters.

What "whitelisting" actually means at the contract level

A whitelist is a checked precondition on receipt, not just on transfer. The token contract refuses to credit a balance to any address that has not been pre-approved by the issuer. An attempt to call transfer(unknownAddress, amount) reverts before any state change. The same is true for mint calls from the issuer, transferFrom invocations from a delegated spender, and any internal hook a compliance module exposes. The address either appears in the approved set, or the operation cannot land. This is the inverse of the payment-stablecoin pattern, where every address is permitted to hold the token by default and a smaller blacklist is used to remove sanctioned or fraudulent counterparties.

The practical implication is that a wallet cannot become a holder by accident. A regulated tokenised MMF cannot be airdropped to a curious retail address, cannot be received by an exchange that has not been onboarded as an investor, and cannot end up in a smart-contract pool that the issuer has not explicitly approved. Every address in the holder register has been through a documented onboarding flow, which is the property the SEC, MAS, HKMA, and FSA all want to see when they look at a tokenised security on a public chain.

Three implementation patterns, ranked by frequency

Allow-list at the token contract. The simplest version, and the one used by the earliest production tokenised funds. The token contract holds a mapping(address => bool) of approved wallets, gated by an onlyOwner or onlyComplianceAdmin role. The transfer function checks require(allowList[to], "recipient not whitelisted") before executing. Easy to understand, easy to audit, easy to operate. The cost is that adding a new investor requires a transaction signed by the compliance admin, which couples investor onboarding to chain throughput and gas conditions. Acceptable when onboarding cadence is low (a few institutions per week) and the issuer wants to keep the contract surface minimal.

Identity Registry pattern (ERC-3643). The dominant pattern for new institutional issuance. The token contract delegates the eligibility check to a separate IdentityRegistry contract. Each approved investor has an OnchainID (an on-chain identity contract) holding signed claims from one or more trusted KYC providers. The registry maps wallet addresses to OnchainIDs, and the token's canTransfer hook calls identityRegistry.isVerified(to) rather than reading a local flag. The architectural advantage is that the same OnchainID can be reused across multiple tokenised products from the same issuer, the same OnchainID can be referenced by other issuers running on shared identity infrastructure (this is the Tokeny T-REX vision), and the verification logic can be upgraded independently of the token. Securitize runs an equivalent identity layer for BUIDL and the rest of its issuer book; Apollo's ACRED uses the same pattern through the same provider.

Role-based access control (RBAC) on top. Most production deployments combine the whitelist with role flags on each approved address: issuer, transfer agent, compliance admin, holder, frozen-holder, redemption-only. A frozen-holder address can keep its balance but cannot transfer outwards; a redemption-only address can return tokens to the issuer for cash but cannot move them peer to peer. OpenZeppelin's AccessControl is the reference implementation, with each role represented as a bytes32 hash. The benefit is that the protocol expresses operational states the issuer needs anyway. A wallet under sanctions investigation can be flipped to frozen-holder for the duration of the review without removing it from the registry, which preserves the audit trail.

The institutional wallet is not a single key

The wallet on the whitelist is almost always a custody construct, not a key pair held by a person. When MONY whitelists a Singapore family-office investor, the address being whitelisted is typically a Fireblocks vault, a BitGo MPC wallet, an Anchorage qualified-custody account, a Gnosis Safe controlled by a multi-signer policy, or a Copper account. Behind that single address sits a key-management arrangement that may involve three to seven signers, geographic key sharding, hardware security modules, and policy engines that gate every outbound transaction. The token contract sees one address; the institution sees a custody architecture.

This matters for two operational reasons that come up later in the chapter. First, the unit of compliance is the address, not the underlying signer set, which means changes to the signer policy do not require re-whitelisting the wallet. The institution can rotate a signer, change the threshold from 3-of-5 to 4-of-7, or migrate from one MPC provider to another, without touching the issuer's registry. Second, when a key is lost or compromised the address itself often has to change, because the underlying custody construct is gone. That is the recovery and rotation problem that Part 5 returns to, and the reason any serious whitelist design needs a documented procedure for replacing a wallet without a redemption-and-resubscription cycle.

What the whitelist does not do

The whitelist answers "is this address allowed to hold the token at all." It does not answer "is this specific transfer allowed right now." Jurisdictional rules, sophistication thresholds, lock-up periods, and per-investor caps all live in the compliance module above the registry. Part 3 walks through how those layer on top of canTransfer to produce the full eligibility decision. The whitelist is the floor; the rest of the compliance stack is what gets layered on top of it. Part 2 first covers how an address gets onto the whitelist in the first place, which is where the off-chain KYC pipeline meets the on-chain identity layer.