Briefings·Regulation
8 May 2026 6 min read GSIG-B-2026-004

Tokenised Real-World Assets: The Compliance Gap That Will Define the Next Cycle

A tokenised asset has two compliance surfaces: issuance and secondary market. The first is well-controlled. The second is structurally invisible to the institutions that intermediate it. The gap between them is where the next regulatory cycle of headline enforcement will come from.

The tokenisation of institutional finance is no longer a debate about whether it will happen. It is a deployment timeline. Tokenised money-market funds, Treasury exposures, private credit, equity strips, and fund interests are all in production today, with eleven-figure balances, settling on public infrastructure.

The deployment is real. The compliance framework around it is not — at least, not at the layer that matters operationally. This briefing is about that gap, why it exists, and why every institution that intermediates these assets in any capacity should expect to be tested on it within the next regulatory cycle.

Two compliance surfaces, one institutional gap

Every tokenised RWA has two distinct compliance surfaces.

The issuance surface is well-controlled. Issuers maintain robust KYC and AML at onboarding. They enforce permissioned transfer lists where regulation requires them. They run sanctions screening on their primary market. The compliance posture of a tokenised money-market fund at the issuer level frequently exceeds the equivalent traditional-finance fund.

The secondary-market surface is structurally invisible. Once a tokenised asset leaves the issuer's directly permissioned environment, the institutional supervisory posture collapses. Tokens that are restricted to permissioned holders at issuance can still:

  • Be bridged across chains into permissioned contracts with different transfer-restriction regimes
  • Be used as collateral in permissionless lending protocols, producing a derivative position that is unrestricted by construction
  • Be paired against other assets in liquidity pools whose counterparty disclosure is weaker than the issuer's standard
  • Be wrapped into synthetic instruments whose underlying composition is opaque to both the issuer and the holder of the wrapper

Each of these patterns is legitimate decentralised-finance activity. Each of them also represents a point at which an asset originally issued under strict compliance controls can end up exposed to counterparties whom no party in the chain — issuer, custodian, or bridge — can identify.

The compliance framework governing tokenised RWA issuance is strong. The framework governing its secondary-market circulation is embryonic. The gap between them is where the next cycle of headline enforcement will come from. — GSIG Intelligence

Why the gap exists

The gap is not a regulatory oversight. It is a property of how supervisory frameworks are constructed. Issuer-level rules are written for an instrument whose lifecycle stays within a defined regulatory perimeter — fund administration, custody chains, transfer agents. The secondary markets where tokenised assets actually circulate are public blockchains whose participants are pseudonymous and whose protocols are not regulatory subjects in the same way.

Two practical consequences follow.

First, the institutions intermediating tokenised RWA cannot rely on the issuer's compliance posture. A custodian holding tokenised Treasury exposure on behalf of a client cannot infer from the issuer's KYC that the client's broader transactional behaviour is clean. A prime broker financing a position in tokenised private credit cannot infer from the underlying credit's compliance that the borrower's wallet activity is unproblematic. Each layer down the chain requires its own attribution work — work that the issuer is structurally unable to perform.

Second, the regulatory instruments that govern this layer are partial. MiCA in the EU and the emerging US framework under the GENIUS Act each provide useful issuer-level controls, but neither solves the secondary-market supervision problem. The enforcement surface that matters — what tokens do once they leave the issuer's directly permissioned environment — is a harder problem for which the regulatory instruments do not yet exist at scale.

The four operational questions institutions actually need to answer

For institutions holding, custodying, or intermediating tokenised RWA — and for their counsel — four practical questions are becoming concrete:

  1. Transfer-restriction posture. Is the token you hold restricted to permissioned addresses, and if so, at what layer is the restriction enforced? On-chain whitelist, off-chain compliance check, or hybrid?
  2. Wrapped exposure. Have holders of the token produced wrapped or derivative positions that circulate in permissionless markets? If so, what is your indirect exposure to the unwrapped-equivalent pool?
  3. Bridge transit. Has the token been bridged to chains other than its issuance chain? If so, are the transfer restrictions preserved at the bridge endpoint, or has bridging effectively converted the position into an unrestricted instrument?
  4. Counterparty resolution. Can you resolve the beneficial owners of the positions that sit alongside yours in whatever pool, protocol, or wrapper you are using?
Operational implication If the answer to question 4 is "no, and our vendor cannot tell us either," the institution's compliance posture on the position is materially weaker than it would be for an equivalent traditional-finance exposure. This is the gap. Closing it requires blockchain intelligence, not fund administration.

What changes in the next cycle

Three predictions worth considering.

Issuer-level enforcement will tighten further. Both MiCA and GENIUS implementations will continue to clarify issuer obligations. The gap will not close from this direction alone — issuer-level rules cannot govern the secondary market — but the floor will rise.

Intermediary-level supervision will become explicit. Custodians, prime brokers, OTC desks, and fund-of-funds with tokenised RWA exposure will be expected to produce evidence of independent counterparty intelligence on the assets they hold. The current default — relying on the issuer's screening and the screening vendor's address labels — will not survive a serious examination cycle.

Headline enforcement will surface from the bridge and wrapper layer. The first significant regulatory action against an institution holding tokenised RWA will not come from a primary-market problem. It will come from a position that bridged out of the permissioned environment, was wrapped, and re-entered the institution's book through a synthetic exposure whose underlying composition was not screened. This is the most exposed surface in the current architecture and the most likely first failure.

Closing

Tokenised RWA is one of the most consequential structural shifts in institutional finance of the decade. It will also produce the compliance gap of the decade unless the institutions building exposure to it build the corresponding intelligence capability. That capability is not fund administration. It is on-chain forensic intelligence — topology-level, multi-chain, attribution-grade — applied to the secondary-market behaviour of the assets in question.

The institutions that build this capability ahead of the next examination cycle will be operating above the standard their supervisors will define. The institutions that wait will define it.

GSIG maintains coverage of tokenised RWA across issuance and secondary-market venues. Intelligence on RWA compliance posture is available to vetted institutional clients, custodians, prime brokers, and counsel under engagement.

Suggested citation
Global Sanctions Intelligence Group (2026). "Tokenised Real-World Assets: The Compliance Gap That Will Define the Next Cycle." GSIG Briefing GSIG-B-2026-004, 8 May 2026. Available at: https://gsig.uk/briefings/rwa-compliance-frontier
GSIG-B-2026-004 · Regulation · 8 May 2026 ← All briefings