The previous four parts described the steady-state machine: addresses get whitelisted, KYC produces on-chain claims, transfers are gated by a compliance module, custody sits in MPC or qualified-custody arrangements. Sophisticated counterparties care about the cases where steady state breaks: a custody key is lost, a regulator demands a freeze, an institutional holder is acquired. This part walks through the three edge cases that distinguish a serious implementation from a brittle one, the contract-level primitives that handle them, and the procedural wrappers institutional issuers run on top.
Recovery and rotation when keys are lost or compromised
The wallet is the unit of compliance, and the wallet sometimes has to change. A key compromise (leaked seed, phished signer, defective hardware module, MPC shard loss beyond the recovery threshold) can render the original wallet unusable. The institution's holdings are still its property; the holder register still recognises the wallet. But the institution can no longer sign. Without a recovery procedure, the only option is forced redemption to fiat and fresh subscription, which fragments holding history, generates a tax event, and pushes capital around a regulated MMF for an avoidable reason.
The contract-level primitive is wallet rotation, not key rotation. ERC-3643-style compliance modules expose an issuer-controlled function that takes an old whitelisted address and a new one, and atomically migrates the balance, OnchainID linkage, lock-up state, and compliance state. The old wallet is removed; the new wallet is added; the holder's economic position is unchanged. Gated on the compliance admin role and typically requires multi-sig approval.
The procedural wrapper is what matters in practice. A serious issuer will require: a notarised attestation from the custody provider that the original key is unusable, a confirmation from the institution's authorised signatories that the new wallet is under the same beneficial control, a re-verification against the OnchainID claims, and a recorded approval from compliance and ops. The flow takes hours to days; the on-chain transaction is the last step. Fireblocks and Anchorage have specific recovery runbooks aligned to issuer-side requirements.
Emergency freeze and forced transfer for regulatory enforcement
The issuer needs the ability to freeze a holder's tokens or move them against the holder's will, and the architecture has to support it. Most controversial element from a DeFi-native perspective; most non-negotiable from a regulator's. A US-regulated tokenised security has to handle: a court order freezing a specific holder's position pending litigation; an overnight sanctions designation requiring immediate freeze; a confirmed fraud or theft where the asset has to be moved back to the legitimate owner; and a transfer-agent correction reversing a settlement error.
ERC-3643 includes both freeze and forceTransfer in the standard. A freeze(address) call sets a flag causing canTransfer to reject outbound transfers from the wallet, leaving the balance visible. A forceTransfer(from, to, amount) moves the tokens regardless of holder consent, with the compliance admin as the authorised caller. Both emit clear on-chain events, so every freeze and forced transfer is publicly auditable. Transparency is the design feature: a regulator can verify a freeze was applied and lifted on schedule; a holder can verify nothing happened against them silently.
Governance around these functions is where institutional credibility is made or lost. A compliance module letting a single insider arbitrarily freeze or move balances is unacceptable; one requiring multi-sig approval from compliance, legal, and risk, with documented escalation and post-action audit, is acceptable. JPM's internal compliance framework runs the freeze and forced-transfer roles for JPMD and MONY through the bank's standard sanctions and operational-loss governance. Securitize runs the equivalent for BUIDL and ACRED through its transfer-agent compliance perimeter. Same contract function, different procedural wrapper.
The DeFi-native objection is that an issuer-controlled forced-transfer makes the asset less than fully bearer. The objection is correct and is precisely the point. A regulated security has never been bearer in the legal sense; pretending otherwise on-chain would force a choice between operating outside regulatory perimeters and not operating at all.
Beneficial ownership change tracking through M&A and restructuring
Institutional holders are not static legal entities. A whitelisted holder may go through a merger, acquisition, parent-company change of control, fund liquidation, manager substitution, or beneficial-ownership change at the underlying investor level. Each can change the KYC status that justified whitelisting. A wallet whitelisted under entity A is not automatically valid once entity A becomes a wholly owned subsidiary of entity B with a different sanctions profile; a fund-of-funds with a new manager may move outside or inside the issuer's accepted manager set.
The contractual mechanism is a notification obligation. Subscription documents oblige the holder to notify the issuer of any material change in beneficial ownership, control, regulatory status, or sanctions exposure. The notification triggers a re-verification at the KYC provider, which produces updated OnchainID claims that the compliance module reads on the next transfer attempt. Failed re-verification freezes the wallet pending resolution. A different rule-set determination (the new parent is a US person where the old was non-US) is applied automatically because the modules read the live OnchainID, not a cached snapshot.
Detection is the harder problem than enforcement. The contract layer handles the change once it knows. Major issuers run periodic refresh cycles (annual minimum, more often for higher-risk classifications) re-pulling beneficial-ownership records from regulatory filings, sanctions databases, and the client-relationship system. Continuous sanctions screening catches newly designated parents or affiliates. M&A activity is harder to detect automatically; the contractual notification obligation is the primary defence, supplemented by relationship management and KYC refresh cycles.
What ties the chapter together
Regulated tokenised assets work because the access-control layer is a coherent stack. The whitelist is the floor; KYC produces the claims that justify it; the compliance module enforces transfer rules above; the custody provider handles key management below; operational procedures handle the cases where steady state breaks. The architecture is what regulated issuers deploy, what allocators pay for, and what the regulator checks. Chapter VII turns to oracles and price feeds.