Onchain Geofencing: A New Path for Tokenized Securities

Onchain securities are split into two extremes right now, neither of which is working. 

On one end, you have permissioned securities that are clearly compliant. These are mostly tokenized funds issued and managed by the most sophisticated firms in the world, like BlackRock’s BUIDL and Apollo’s ACRED. Because these institutions have full-blown compliance teams and massive businesses to protect, they adopt a compliance-first approach. That approach lands on a permissioned “whitelist” model: users must KYC (providing extensive documentation and personal information) and be approved by an intermediary (e.g., a broker or transfer agent) before transacting. They can then only transfer securities to others who have gone through this process. This is horrible UX, reintroducing significant friction that blockchain was meant to solve. This friction is a key reason these securities do not have product-market fit more broadly with crypto users.

On the other end, you have permissionless securities with questionable compliance. There are two flavors of this. 

First, you have unregistered fund interests that pass yield back and act as a type of “stablecoin.” They have significant product-market fit amongst crypto users because they’re fully permissionless — anyone can hold them without going through the whitelisting process. But the legal risks they introduce create an adverse selection problem. The best issuers and managers don’t need to take on significant legal risk to raise capital — they have plenty of demand under existing non-crypto means. This results in a market of less sophisticated managers and issuers who do need to take on that legal risk to raise capital and, consequently, much higher-risk securities. We’ve seen time and again in crypto how this can blow up, with users left holding the bag.

Second, you have wrapped securities where a third party (e.g., xStocks, Ondo) acquires the underlying security on the open market and issues a permissionless token that represents debt on the issuer (an offshore SPV) that’s collateralized by the underlying security held in custody. Like the first flavor, the permissionless nature is the appeal and can enable objectively great UX. But sophisticated traditional issuers won’t participate directly in this model because the liability exposure of a non-compliant securities offering is too high. This limits this model to securities with deep, liquid secondary markets that do not require issuer consent, like large-cap public equities. But because these securities already trade on liquid markets, the value prop of wrapping them to put them onchain for increased access is significantly diminished. On top of that, the user takes counterparty risk on the wrapper itself.

A massive opportunity is created by bridging these two extremes: devising a legal strategy that allows sophisticated issuers to remain compliant while offering something with great UX that looks much closer to permissionless securities. We believe the solution lies in an underexplored area: onchain geofencing. 

Onchain geofencing: two extremes

Why US Securities Laws (and Related Statutes) Require Permissioning

To understand why onchain geofencing can fix our dilemma, we must first determine what is motivating sophisticated issuers to whitelist. The short answer is that permissioning is largely demanded by US securities laws (and related statutes). Let’s unpack that.

1. Permissioning for registered securities

SEC-registered securities (those offered or sold pursuant to a registration statement made effective with the SEC, like securities that trade on a national securities exchange) require permissioning for a variety of reasons. One core reason is that registered securities require a registered transfer agent to maintain their shareholder register, and transfer agent rules require keeping a “master securityholder file” that includes the securityholder’s name and address. Permissioning is introduced to keep track of this master securityholder file. The user must provide KYC information during onboarding with the transfer agent; the transfer agent then adds the user to the whitelist. Users cannot transact until they have been added to the whitelist.

Every registered security onchain today (not represented as a derivative like xStocks) follows this structure. For example, Superstate Services LLC is a transfer agent that manages the whitelist for tokenized GLXY; Franklin Templeton Investor Services, LLC manages it for BENJI.

2. Permissioning to qualify for and maintain securities law exemptions/limits 

US securities laws offer issuers a menu of exemptions from registration, but many of the most useful options require the issuer’s holders to meet specific conditions and to keep meeting them on every secondary transfer. Enforcing those conditions requires permissioning. The conditions fall into two categories: wealth thresholds and holder counts. 

There are three wealth-threshold exemptions worth calling out. First, under the Securities Act, Rule 506(c) of Regulation D permits the unregistered offer or sale of securities to “accredited investors” (individuals and entities meeting defined income or net worth thresholds). So even if the issuer escapes the permissioning that registered securities require (discussed in the previous section), they still need to KYC to qualify for this exemption. Second, §3(c)(7) of the Investment Company Act (ICA) lets a fund avoid registration as an investment company if all investors are qualified purchasers (an even higher threshold). Third, under the Investment Advisers Act, Rule 205-3 permits a registered investment adviser to charge performance-based compensation (think: carry) on “qualified clients” (yet another wealth threshold). 

Holder-count limits work similarly. §3(c)(1) is an alternative ICA exclusion to §3(c)(7) above that caps a fund at 100 beneficial owners to avoid registration. §12(g) of the Exchange Act forces public-company reporting once an issuer with more than $10 million in total assets crosses 2,000 holders of record (or 500 non-accredited holders of record) of a class of equity security. 

These conditions are ongoing. The issuer must (generally, depending on the exemption) ensure the wealth threshold or holder count is met on a continuing basis, including on secondary transfers. To enforce that, issuers (or their transfer agents) whitelist. BUIDL, for example, whitelists only qualified purchasers to preserve its §3(c)(7) exemption; ACRED whitelists only accredited investors to meet Rule 506(c). 

3. Permissioning for anti-financial-crime / counter-terrorism financing 

Under the Bank Secrecy Act (BSA) and its implementing regulations, “financial institutions” must maintain a customer identification program (CIP) and an anti-money laundering (AML) program, which means KYCing all customers before they can transact. The BSA defines financial institutions to include brokers, which it in turn defines by reference to US securities laws. So while the BSA is not itself a securities law, its scope for securities transactions is pinned to the securities laws. 

Issuers themselves are usually not financial institutions, but distribution at scale historically runs through brokers that are. For example, BlackRock distributes BUIDL through Securitize’s brokerage arm, Securitize Markets LLC. This introduces a major bottleneck for KYC and permissioning because once a broker is in the chain, KYC is mandatory. In practice, this KYC includes uploading a government-issued photo ID and a recent proof of address and submitting to a liveness check matched against the ID. Each user must pass these KYC checks before touching the security through a broker, mandating the whitelist model.

A Word on Other Sources of Permissioning

The above is not an exhaustive list of areas where securities may require permissioning. For example, there are a series of practical reasons for an issuer of equity securities to KYC the holders of its securities (corporate governance, dividends, etc.). However, as we’ll discuss at the end of this piece, we set these aside because we believe an issuer can work around these constraints by selecting the correct security/corporate form. 

One area worth calling out is sanctions. Permissioning helps with sanctions compliance because it lets you screen holders against the SDN list at onboarding. But sanctions law is a strict-liability regime that does not, on its own, require KYC — it only bars you from interacting with sanctioned parties. Stablecoin issuers have shown that regulators can get comfortable with ongoing transaction screening (TRM, Chainalysis) plus an issuer-controlled freeze function at the secondary-market level, rather than whitelisting every holder. The GENIUS Act codified this non-whitelist/freeze-capability model: KYC at the issuer-customer interface and permissionless transfers subject to freezing at the secondary market. With sufficient controls, the same architecture should be available to onchain securities issuers.

The Law of Geofencing: Morrison v. National Australia Bank (and Its Progeny)

Geofencing is an established compliance strategy where a company puts itself outside the reach of a jurisdiction’s laws by erecting a virtual “fence” that blocks its online touchpoints to that jurisdiction. The logic is simple: it reinstates physical-world borders of sovereignty in the digital realm. Given that US securities laws (and related statutes) require permissioning (for the reasons above), onchain geofencing done correctly can take issuers outside the scope of those laws so they can compliantly offer securities without the whitelist.

As we’ve written about before, the law of geofencing in the US all stems from a Supreme Court case called Morrison. In that case, the Court held that a federal statute does not apply extraterritorially unless Congress clearly expressed that it does. If a statutory provision doesn’t explicitly address extraterritoriality, the Court said it applies only to cases involving “domestic activity.” According to the Court, that requires defining the regulated activity and evaluating where it allegedly occurred. If the location is domestic, the law applies; if foreign, it does not.

Most US securities laws don’t have such explicit extraterritoriality provisions. So we’re left with the hard question of what counts as “domestic” under US securities laws. That analysis starts by asking what activity the law seeks to regulate — a fact-specific exercise outside the scope of this piece (do it with your counsel). But for the purpose of this discussion, we can say that the US securities laws as a whole regulate the purchase and sale of securities with a US nexus. 

This leads to the question: Where does a purchase or sale of a security occur? If domestic, US securities laws apply; if not, they don’t. There is much case law on this point, and courts are not always consistent, but the factor that matters most is the location where the parties became irrevocably bound to the transaction.

To support this point, consider the Second Circuit’s decision in Absolute Activist. The plaintiffs alleged a domestic transaction on the theory that they had purchased shares of SEC-registered, US-incorporated penny stock companies through a California-based, SEC-registered broker-dealer whose principals included a California resident. The Second Circuit held those allegations insufficient under Morrison. The fact that the issuers were US companies and their securities were SEC-registered was irrelevant: Morrison dealt in “domestic transactions in other securities,” not “transactions in domestic securities.” The residency of the defendants was likewise irrelevant: “a party’s residency or citizenship is irrelevant to the location of a given transaction.” And the broker’s US location, standing alone, did not establish where the contract was executed. What the plaintiffs needed to plead — and had not — were “facts concerning the formation of the contracts, the placement of purchase orders, the passing of title, or the exchange of money” sufficient to show that the purchaser became irrevocably bound to take and pay, or the seller became irrevocably bound to deliver, within the United States.

When it comes to assessing the formation of the contracts, the placement of purchase orders, the passing of title, or the exchange of money, the most important factor for our purposes is the location of the purchaser at the time of the transaction. This is because the other factors are more generally in the issuer’s control. For example, the issuer can take steps (e.g., select an ex-US entity, place directors outside the US at the time of the transaction, put language in its terms of service on where the contract is formed, etc.) to reduce the likelihood that its side of the transaction was in the US. The purpose of geofencing is to exert some control over the side the issuer does not readily control, the purchasing side. So this is where we will focus our analysis.

A Word on Reg S

Before continuing, we should clarify how Reg S relates to Morrison.

Reg S is the rule issuers normally use to sell securities to buyers outside the US. It treats an offer or sale made offshore as falling outside Section 5, the Securities Act’s registration requirement, so the issuer can skip SEC registration. It has very specific requirements.

You might wonder, then, where Reg S fits into our analysis. The answer is that if US securities laws do not apply under Morrison, Reg S is moot — Reg S is an exemption within US securities laws, but Morrison is about taking us outside of US securities laws entirely. So we do not conduct further analysis of Reg S in this piece.

Onchain Geofencing and the Path for Sophisticated Issuers

Putting all this together:

  • If we had a way to guarantee the purchasers of securities were not in the US at the time of the transaction, we would have a strong argument that the transaction falls outside the territorial reach of US securities laws.
  • If US securities laws did not apply, issuers would have a strong legal basis to abandon the broken KYC/whitelist model. This would provide sophisticated issuers a way to compliantly offer their securities without terrible UX.

Geofencing is already a popular strategy in crypto — why can’t issuers just copy what major projects are already doing? The problem is that none of the existing approaches deliver on both fronts: a real guarantee about location, at the time of the transaction. We can review three popular methods to show why.

The first and most popular approach is to geofence based on IP addresses only on the frontend. This fails the “guarantee” point in two ways.

  • First, users can bypass the frontend and interact with the smart contract directly or through another frontend that doesn’t implement the geofence.
  • Second, IP addresses are unreliable. Users can spoof them with a VPN. And even if the frontend blocks VPN access (which boxes out 1 in 3 internet users), IP-based geolocation is highly inaccurate, particularly at borders.

The second approach is to geofence only at primary issuance, usually under Reg S (Ondo and xStocks rely on this model). This fails the “time of the transaction” point because it only applies to the first transaction. The result is a flowback problem: the primary issuance is compliant, but securities can move to US persons in subsequent secondary trades, likely triggering US securities laws.

The third approach is to rely on a KYC/whitelist model to obtain the residency of the parties and use that to enforce a geofence. This fails the “time of the transaction” point because it misunderstands the relevant question under Morrison, which asks not about the residency of the parties but where the transaction occurred. This is the worst of all worlds — permissioned and based on a misread of Morrison.

What’s missing is infrastructure that produces a verifiable guarantee about a user’s location at the moment of the transaction. The fix is a cryptographic proof of location that is embedded onchain.

Octet is building this infrastructure. Octet provides an SDK that any application/protocol can integrate to generate cryptographic proofs about a user’s location at the time of the transaction. The SDK runs on the user’s mobile device, which is what lets it establish the user’s location with a guarantee; it then wraps the result in cryptography to produce verifiable yes/no proofs about location that can be submitted onchain. 

Using Octet, the issuer selects which jurisdictions to geofence. The issuer can block the US for the Morrison argument. Issuers can also block comprehensively sanctioned jurisdictions like North Korea and Iran as one layer of sanctions compliance (separate from SDN address screening and freeze controls). When a user wants to interact with the security onchain, they must provide an Octet proof that they are not in these jurisdictions at the time of the transaction.

Onchain protocols can then implement the Octet standard and check for a valid proof on “before transfer” calls to ensure the initiator is not in the US at the time of the transaction. Because the geofence is enforced onchain, we solve the flowback problem of secondary transactions. 

One could argue that onchain geofencing is just permissioning by another name. Fair — it is a fence after all. But it is a significantly better permissioning mechanism than the whitelist model because it solves the broken flow of KYC friction. Instead of forcing the user to leave their application/wallet and KYC with a broker or transfer agent in a painful off-application experience, any application/wallet can drop in the SDK and the verification happens invisibly. Permissioning shifts from upfront user burden (bad UX 101) to invisible infrastructure. 

With an onchain geofence in place, sophisticated issuers could rely on the Morrison argument and actually issue securities onchain without the whitelist model. We think there’s a particular opportunity for sophisticated issuers to offer high-yield/exotic securities to ex-US retail. One could imagine an issuer like Apollo offering a tokenized credit fund akin to USDAI, which finances GPU hardware for AI startups and passes high yield back to global retail. Ex-US users would access these securities from the world’s best issuers right from their existing wallet, without even noticing the geofencing happening behind the scenes. These would be net-new securities that do not currently have good distribution channels for retail. 

Practically, the structure could look like this:

  1. Choose an ex-US corporate form to issue a security that minimizes post-issuance permissioning for reasons outside of securities laws. Using a Cayman Islands exempted company to issue debt is one plausible option because KYC is only required at issuance and redemption of the loan notes under Cayman Islands law, not secondary transactions. This removes the need to implement a whitelist model for reasons outside of US securities laws.
  2. Enforce the geofence on the token contract. Implement a pre-transfer hook that verifies an Octet proof showing that the parties to the transaction (the purchaser in particular, since that is the side Morrison turns on) are not in an excluded jurisdiction at the time of the transaction (e.g., the US, sanctioned countries, any other countries the issuer wants to block). For primary issuance, run the offering entirely offshore, where each purchaser must submit a valid Octet proof of extraterritoriality to mint. 
  3. Extend the geofence to DeFi venues via hooks. For secondary trading, create the canonical liquidity pools with a “geofence hook” on DeFi venues that support pool-level hooks (Uniswap v4 is the leading example). The hook reads the Octet proof passed in by the user and gates the swap accordingly, so trades through issuer-supported pools follow the same jurisdictional controls as direct token transfers. This won’t prevent every conceivable off-platform or synthetic arrangement. The practical goal is narrower: keep the canonical token and issuer-supported liquidity gated, so the issuer’s own distribution architecture does not facilitate US flowback.
  4. Layer in continuous sanctions screening for monitoring and maintain a freeze function on the token contract. This forms a meaningful centralization point, but is accepted as table stakes for compliant tokenized products (the same primitive Circle uses for USDC). 
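As an added example, not part of the original post and not Octet’s SDK or any real contract, the following Solidity sketch shows how steps 2 and 4 above (and the venue exemption from step 3) can be enforced in the token’s own “before transfer” hook, using OpenZeppelin’s ERC20, Ownable and ECDSA libraries. Everything specific to the proof is an assumption made here: the contract name GeofencedNote, the attester key, the 15-minute PROOF_TTL window and the attestation layout. The model is that an off-chain attester signs “this holder was outside every blocked jurisdiction at time T”; the holder submits that signature on-chain, and the hook lets mints and transfers touching that address through only while a fresh attestation is on file. The security points a practitioner cares about are in the digest: it binds the chain id, the token contract, the holder address, the issue time and a one-time nonce, so a proof cannot be replayed on another chain or contract, presented by a different wallet, reused, or kept alive beyond the window that makes “at the time of the transaction” meaningful.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// Illustrative geofenced loan-note token. NOT Octet's SDK or contract: the
/// attestation format, the `attester` key and PROOF_TTL are assumptions.
/// An off-chain attester signs "holder H was outside every blocked jurisdiction
/// at time T". H submits the signature; transfers touching H pass only while a
/// fresh attestation is on file. The blocked set itself is chosen by the issuer
/// off-chain and enforced by the attester; the token only sees yes/no.
contract GeofencedNote is ERC20, Ownable {
    using ECDSA for bytes32;

    address public attester;                        // assumed off-chain attester key
    uint256 public constant PROOF_TTL = 15 minutes; // short: "at the time of the transaction"

    mapping(address => uint256) public attestedUntil;              // holder -> proof expiry
    mapping(address => mapping(uint256 => bool)) public usedNonce; // replay protection
    mapping(address => bool) public frozen;                        // issuer freeze list (step 4)
    mapping(address => bool) public gatedVenue;                    // pools whose own hook gates swaps (step 3)

    event LocationAttested(address indexed holder, uint256 issuedAt, uint256 expiresAt);
    event Frozen(address indexed holder, bool status);

    constructor(address issuer, address attester_)
        ERC20("Geofenced Loan Note", "GLN") Ownable(issuer)
    {
        attester = attester_;
    }

    /// Submit a signed location attestation for msg.sender. The digest binds
    /// chain id, this contract, the holder, the issue time and a nonce, so a
    /// proof cannot be replayed elsewhere, by someone else, or twice.
    function submitLocationProof(uint256 issuedAt, uint256 nonce, bytes calldata signature) external {
        require(issuedAt <= block.timestamp, "proof dated in the future");
        require(block.timestamp - issuedAt <= PROOF_TTL, "proof too old");
        require(!usedNonce[msg.sender][nonce], "nonce already used");

        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encode(block.chainid, address(this), msg.sender, issuedAt, nonce))
        );
        require(digest.recover(signature) == attester, "bad attester signature");

        usedNonce[msg.sender][nonce] = true;
        attestedUntil[msg.sender] = issuedAt + PROOF_TTL;
        emit LocationAttested(msg.sender, issuedAt, attestedUntil[msg.sender]);
    }

    /// Primary issuance: `_update` below requires a fresh proof from the purchaser.
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    /// Issuer controls: freeze (sanctions) and registration of gated venues.
    function setFrozen(address holder, bool status) external onlyOwner {
        frozen[holder] = status;
        emit Frozen(holder, status);
    }

    function setGatedVenue(address venue, bool status) external onlyOwner {
        gatedVenue[venue] = status;
    }

    /// "Before transfer" hook. Both sides are checked: the purchaser (`to`) is
    /// the side Morrison turns on; the seller (`from`) is the initiator. Mints
    /// check only the purchaser, burns only the redeemer. Registered venues are
    /// exempt because their swap hook gates the trader.
    function _update(address from, address to, uint256 value) internal override {
        require(!frozen[from] && !frozen[to], "account frozen");
        if (from != address(0) && !gatedVenue[from]) _requireFreshProof(from);
        if (to != address(0) && !gatedVenue[to]) _requireFreshProof(to);
        super._update(from, to, value);
    }

    function _requireFreshProof(address holder) internal view {
        require(attestedUntil[holder] >= block.timestamp, "no fresh location proof");
    }
}
```

Two design notes. First, ERC-20 `transfer` carries no extra data, so the proof is registered in a separate call and consumed by the hook, rather than passed inline as the post describes for a pool-level hook; a venue hook can take the proof as call data instead. Second, the contract trusts the attester key completely: the location guarantee is only as strong as the device-side SDK and the key’s custody, so key rotation and the ability to invalidate outstanding attestations belong in any production version.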

The result is a security that lives entirely onchain, that ex-US retail can access from any wallet without the transfer-agent-style onboarding flow that breaks today’s tokenized securities UX, and that sophisticated issuers can confidently offer as legally compliant.

Conclusion

The permissioning conversation in crypto has spent years stuck between two bad answers: a whitelisting regime that impairs UX, or a permissionless model that is too risk-on for sophisticated issuers to get comfortable. Onchain geofencing is a third path that can actually bring sophisticated issuers onchain. By solving the technical challenge of verifiable location at the time of transaction, this approach offers a strong legal basis — rooted in the Morrison precedent — for compliant, high-yield securities to be distributed globally to retail investors, without the friction of the traditional KYC/whitelist model.

 

Thank you to Zack Shapiro (Rains), Melissa Lim (Walkers) and Jason Gottlieb (Morrison Cohen) for their thoughtful feedback on this article.

Disclaimer
All information contained herein is for general information purposes only. It does not constitute investment advice or a recommendation or solicitation to buy or sell any investment and should not be used in the evaluation of the merits of making any investment decision. It should not be relied upon for accounting, legal or tax advice or investment recommendations. You should consult your own advisers as to legal, business, tax, and other related matters concerning any investment. None of the opinions or positions provided herein are intended to be treated as legal advice or to create an attorney-client relationship. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by Variant. While taken from sources believed to be reliable, Variant has not independently verified such information. Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by Variant, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Variant (excluding investments for which the issuer has not provided permission for Variant to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://variant.fund/portfolio. Variant makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. This post reflects the current opinions of the authors and is not made on behalf of Variant or its Clients and does not necessarily reflect the opinions of Variant, its General Partners, its affiliates, advisors or individuals associated with Variant. The opinions reflected herein are subject to change without being updated. 
All liability with respect to actions taken or not taken based on the contents of the information contained herein are hereby expressly disclaimed. The content of this post is provided “as is;” no representations are made that the content is error-free.