#HyFi for Security Tokens — pooled assets and ownership tracking

Once Digital Securities from multiple users are mixed together inside a DeFi Smart Contract, it is important to establish rights and attributions that are consistent with the regulatory constraints of the security.

This post is part of a series that analyzes how Digital Securities can benefit from DeFi protocols bridging Decentralized and Centralized Finance in a Hybrid approach (#HyFi), and the different aspects that need to be taken into consideration to leverage this ecosystem while remaining compliant. You can read Securitize’s introduction to HyFi here, learn about the impact of KYC and transfer controls here, and understand the impact of assets being deposited into smart contracts here.

In my previous post, I discussed the impact on compliance controls for Digital Securities when they are deposited into a smart contract controlled by a single owner, like a Balancer private pool or a Maker Vault. But this is not the most frequent case for DeFi. Protocols like UniSwap, Aave, or Balancer with their public pools rely on multiple investors depositing their tokens as a shared pool inside a smart contract.

When this happens, the Digital Security controls cannot match the pool address to a single identity, so the attribution of ownership for those balances is not straightforward. As discussed in the previous post, the smart contract can still be “allowed” to hold the tokens, following the “compliance at the edge approach” but that is a bit like looking the other way when it refers to these tokens because this does not provide answers to many specific questions:

• Who is the person (physical or legal) that should appear as holder for those assets in the issuer’s records? Since the issuer has reporting obligations for their holders, there must be an answer for that. In the “non-blockchain world” (some people say the “real world”, but at this point debating the reality of blockchain is pointless), when securities are deposited in an exchange there is a custodian or broker-dealer that is the Holder of Record for those assets in the issuer’s books. In a DeFi context, “decentralized” is the key concept, so there is no such holder.
• Who should receive the economic rights derived from asset ownership? If the Digital Security is paying a dividend or performing a governance event like voting, is the smart contract holding the tokens expected to get those rights?
• How does this impact investor counts for regulatory limits? Some securities have a limit in the number of worldwide holders or holders for a certain category — like non-accredited investors — that can be allowed to keep it within the present regulatory guidelines. If the compliance controls in the Digital Security keep track of those limits, how should it consider they are impacted when the tokens are deposited on a pooled smart contract?

The easiest solution to all these points is for some entity to take responsibility for all the above. For instance, a Broker-Dealer could create (or take responsibility for) the smart-contract pool, allow anyone holding the securities to provide liquidity (which by definition would be allowed holders, since otherwise, they could not hold the asset in the first place as enforced by the Digital Security smart contract), but then show up in the issuer’s records as the single Holder of Record and take the responsibility of distributing the corresponding rights to the beneficial owners. This, from the issuer’s (and issuer’s agents) perspective, reduces the issue to the one discussed in our previous post: a smart contract that can be associated with a single identity (the Broker Dealer’s in this case). But this is just a case of kicking the can down the road, because while tracking ownership and right distribution inside the pool is no longer a problem for the issuer or Transfer Agent, it becomes a problem for the Broker-Dealer itself. So we still need to find a solution for that.

Such a solution is not simple but can be addressed with the appropriate technological approach. For instance, we can consider two alternatives for handling it:

a) Have the Digital Security smart contract and the DeFi protocol have a deeper integration, so an accurate tracking of associated balances can be enforced on-chain. The DeFi protocol would communicate transactions and operations that usually are not relevant for a regular ERC20 token, but that become important for securities. While this approach is possible, it has some downsides like scalability issues for protocols in order to support a variety of specialized assets, and an increased cost of gas in all its operations. This approach may be explored in partnership with some DeFi protocol developers, and with a smart contract infrastructure that helps to address this (for instance, Securitize’s Omnibus Controller smart contract, which we will discuss in the future), but this may not be the right solution for the short term.

b) Track the pool activity off-chain via the events it produces, so that while the token smart contract will only record the total balance on the pool, the issuer’s records (Master Securityholder File, Transaction Log, snapshot infrastructure…) will have an accurate representation of the ownership structure inside. This is not a purely-decentralized approach, but a hybrid one (one more reason to consider that the intersection of DeFi and Digital Securities is a HyFi approximation), but one that is aligned with regulatory requirements and expectations.

If this approach is valid from a regulatory perspective, Securitize’s technology would be able to do this tracking and make it available via its Transfer Agent Services, which allow issuers to provide more flexible options to investors holding their assets. This tracking works by making some specific interpretation of what happens when investors interact with the corresponding DeFi protocol.

For instance, let’s say we had a UniSwap pool allowing to exchange a tokenized security called DS1 (for “Digital Security 1”) for USDC, and this pool has 2 liquidity providers owing 40% and 60% of the assets respectively which currently include 10,000 DS1 tokens. If a third party investor uses the pool to buy 5,000 tokens, and the operation is approved — because the investor is authorized by the security compliance controls — the blockchain will reflect a single movement of 5,000 tokens from the pool to the new investor. But in practice, since the pool is actually co-owned by the 2 liquidity providers, for securities regulation purposes the issuer’s records will show a transaction for 2,000 tokens from one of the LPs and 3,000 from the second, and their corresponding positions will be updated in such a way.

The compliance and record-keeping capabilities required to ensure this process are far from trivial, but their diligent implementation ensures that investors can interact with each other through the DeFi ecosystem, preventing bad actors to be involved in the process and providing accurate and comprehensive records that can determine at each point the rights and responsibilities of all stakeholder.

The Securitize platform has the technology which can identify interactions with these kinds of pools, and expand them in the corresponding records to reflect the relevant impact. This way the behavior of a DeFi protocol could be translated into what it actually means from a proper record-keeping standpoint. And since for this to happen specific integrations with each protocol are required, the controls are in place to only support protocols that are vetted and reviewed to guarantee issuers and investors would not get exposed by their usage. As a Registered Transfer Agent, we take this responsibility for investor protection very seriously and we understand we must perform a gatekeeping role.

Throughout this post, I have discussed depositing Digital Securities in a shared pool and the correct tracking of the transactions that happen with it. A similar approach must be taken when assets are withdrawn from the pool by liquidity providers. But there is one aspect of this process I have not discussed yet, which is that LPs can usually withdraw those assets from the pool using additional DeFi protocol tokens that the investor receives at deposit time. I will discuss these receipt tokens in a forthcoming post.

Disclaimer: The scenarios discussed in this article serve to illustrate the application of certain technological solutions. Securitize is not provided advice about the regulatory compliance of any those scenarios, nor actively involved in pursuing any such scenarios at this time.

Securitize is reinventing private capital markets by delivering trusted end-to-end security token solutions that leverage our leading blockchain technology, which increases access to private markets for eligible investors while simultaneously making them more efficient, compliant, and liquid. Securitize is an SEC-registered transfer agent and its subsidiary, Securitize Markets, LLC, is an SEC and FINRA registered broker-dealer and alternative trading system (ATS).

You can learn more about Securitize at our website: www.securitize.io

And you can join the conversation about the Digital Securities revolution in our Telegram channel.