Compliance attestations on-ledger
A Musubi FXOrder doesn’t re-perform KYC or sanctions screening. Those run in the custodian’s existing stack — Persona, Chainalysis, CODE / Notabene — exactly as they always have. What Musubi captures on-ledger is an attestation that those checks ran, bound to the specific intent. Four concrete things fall out of that design:-
Atomic refusal-to-settle.
ExecuteSettlementvalidates every required attestation before firing the four-leg DvP. A missing or stale gate aborts the transaction atomically: no tokens move, no partial state, no post-facto cleanup. Pre-chain, a missed compliance check was a policy violation to chase down. On-chain, the DvP simply does not happen. -
Cryptographic dual-control. Regulators require separation of duties for clearance decisions (operations + compliance officer). Procedural dual-control can be bypassed — a rogue operator back-dates a sign-off, an audit trail gets reconstructed. Dual signature on a Canton contract cannot.
ComplianceClearancerequires both signatures on the same transaction; neither party can unilaterally ratify. -
Single canonical dossier.
/compliance/orders/{intent_id}returns the full cryptographically-linked record in one retrieval: FXOrder + IVMS 101 + every attestation + settlement hash. Traditional compliance reconstructs this from five disparate systems (KYC vendor, sanctions feed, Travel Rule log, STR portal, accounting), each with its own audit trail quality. Regulators asking “what happened on intent X?” get one answer, not five. - Counterparty visibility with privacy. Canton sub-transaction privacy lets the beneficiary VASP see the IVMS 101 payload the sender transmitted, while the market maker never sees identity data. This is a native Canton primitive — approximating it on a transparent ledger requires ZK proofs, off-chain coordination, and new trust assumptions.
Canton architectural fit
On-chain compliance for regulated financial infrastructure isn’t a novel pattern — it’s the established use case Canton was built for. Deployed Canton systems using the same model:- Digital Asset × DTCC Project Ion — US securities clearing + settlement
- Goldman Sachs DAP — tokenized bond issuance with regulatory compliance
- HSBC Orion — tokenized gold with UK FCA reporting
- Deutsche Börse Clearstream D7 — tokenized securities with CSDR compliance
- Progmat (Mitsubishi UFJ Trust / Datachain) — JP stablecoin platform with EPI provider integration
- Compliance attestations as separate on-ledger contracts, bound to a transaction intent
- Dual-signature for regulated actions (operator + officer, or equivalent)
- Observer visibility for regulators and counterparties via Canton sub-transaction privacy
- Multi-party DvP with atomic settlement
- Gate logic in the settlement choice validating attestations before tokens move
- Custodian co-signs the FXOrder itself rather than observing + off-chain sign-off. Cryptographically enforces custodian authorization of every intent.
- Full IVMS 101 inline on every intent. Daml Finance typically references PII off-ledger; Musubi inlines because the counterparty VASP needs to receive the payload via sub-transaction privacy, and the
payload_sha256chain in the compliance archive needs something canonical to hash. - Per-intent cross-border PII consent record. Less common in Canton financial contracts; captured per-transfer to satisfy a strict reading of JP APPI Art. 28 / KR PIPA Art. 28-8.
When this model isn’t right
Worth naming: the on-chain attestation pattern has costs. It works where:- Participants are licensed VASPs / EPI providers — attestations are the custodian’s own representation, not a generic claim
- Settlement is bilateral or small-set counterparty — Canton’s privacy model assumes known parties, not anonymous pool
- The regulatory regime expects bank-grade audit trails — FATF Rec 16 Travel Rule, FSC / JFSA supervisory reporting