
Crypto spent fifteen years arguing the ledger is the truth. Tokenized securities quietly reversed it. The token in your wallet is a receipt, and a company you have never heard of keeps the record that actually decides who owns what.
Summary
- A transfer agent maintains the official register of who owns a security, processes subscriptions and redemptions, issues and cancels shares, and pays out distributions. In the United States they must register with the SEC.
- In tokenized securities, the transfer agent’s off-chain register remains the authoritative legal record of ownership. The token is a digital representation that enables on-chain mobility, not the source of truth.
- If the blockchain and the register disagree, the register wins. Administrators including JPMorgan retain authority to correct the on-chain ledger against the legal record.
- Transfer agents run the allow-list. They screen identity, add approved wallets to an on-chain list, and the token contract blocks transfers to any address that is not on it.
- This inverts crypto’s founding assumption. Whether that is a betrayal or the precise reason institutions will tokenize anything at all is the argument worth having.
Every crypto explainer starts from the same premise: the blockchain is the record, possession of the key is ownership, and no intermediary can reverse it. That premise is true for Bitcoin. It is false for essentially every tokenized security in existence, including the ones BlackRock and JPMorgan are issuing right now. In those products, the authoritative record of who owns what is a database maintained by a company called a transfer agent, and the token in your wallet is a mirror of that database. If the two diverge, the database is right, and the chain gets corrected. Understanding this is not a technicality. It is the difference between understanding what tokenized securities are and repeating a marketing claim about them.
What a transfer agent does
The transfer agent is one of the least glamorous and most load-bearing roles in traditional finance. It exists because a company issuing shares needs someone to answer a deceptively hard question: who owns them right now?
The core functions are these. The transfer agent maintains the register of security holders, the official list of names and balances. It processes transfers when securities change hands, updating that register. It issues new shares when investors subscribe and cancels them when investors redeem. It distributes dividends, interest, and other payments to the holders on the register. And it handles corporate actions, communications, and the reconciliation that keeps everything consistent.
In the United States, transfer agents must register with the SEC under the Exchange Act and operate under its rules. This is not an informal bookkeeping role. It is a regulated function with legal consequences, because the register the agent maintains is what a court would consult to determine ownership.
Traditionally, shares in most listed securities are recorded through a central securities depository, with the Depository Trust and Clearing Corporation performing that function in the US. Each institution keeps its own books, and post-trade steps such as confirmation, clearing, and settlement require multiple intermediaries and repeated reconciliation between those books. The transfer agent sits inside that architecture as the issuer’s official record-keeper.
What changes when a security gets tokenized
The pitch for tokenization is that a shared, consensus-validated ledger replaces fragmented books and eliminates the reconciliation. Instead of every institution maintaining a separate record that must be checked against every other record, all participants read one ledger.
In practice, tokenized securities did not do that. They did something more modest and more interesting.
Tokenized funds use distributed ledger technology to issue and maintain their shares instead of recording them solely through a central depository. That is a real change: settlement collapses from a T+1 or T+2 cycle to minutes, and the share becomes programmable. But the transfer agent did not disappear. It moved.
The structure now looks like this. The transfer agent still maintains the official ownership record. A tokenization platform, most prominently Securitize and also Tokeny, runs the smart contracts that mint tokens on subscription and burn them on redemption. An oracle, typically Chainlink, publishes the fund’s net asset value on-chain. And the token contract enforces the transfer restrictions that the transfer agent’s compliance rules require.
Securitize Transfer Agent LLC is the reference example. It is an SEC-registered transfer agent and broker-dealer, and it maintains the official record for BlackRock’s BUIDL fund. BlackRock’s filing for its OnChain Shares describes Securitize Transfer Agent as maintaining the official record through a permissioned system connected to multiple public, permissionless blockchains, with wallets linked to off-chain identity records.
Franklin Templeton’s structure works the same way: one FOBXX share links to one BENJI token, while the transfer agent maintains the official ownership record through the Benji platform.
Read those descriptions carefully and the architecture becomes clear. A permissioned system, connected to public blockchains, with wallets linked to off-chain identity. The chain is a distribution and mobility layer bolted onto a conventional register. It is not the register.
The token is not the record
This is the single most important idea here, and it is stated backwards in most coverage.
The beneficial ownership of tokenized fund shares remains recorded in the transfer agent’s official register. The token acts as a digital receipt that enables on-chain movement. When a token transfers between two authorized wallets, the system updates the off-chain ownership record to reflect the change. The chain does not replace the register; it triggers an update to it.
And when they disagree? The register wins. JPMorgan, among others, retains the authority to correct discrepancies between the on-chain ledger and the legal record, so that the technological holding never diverges from the legal reality. There is a company with a button that can change what your wallet says, because your wallet was never the authority.
Holding the token does not, by itself, prove ownership. The exact rights depend on the fund’s legal documents, the official ownership record maintained by the transfer agent, and the product’s wallet and transfer rules. The official record is generally the authoritative source.
Consider what that means for a scenario crypto users take for granted. You send tokens to a friend’s wallet. In Bitcoin, that is final and your friend owns them. In a tokenized security, either the transfer fails because the wallet is not allow-listed, or it succeeds and the transfer agent updates the register to reflect the new holder, which happens only because the wallet was pre-approved and identity-linked. There is no version of that transaction where a stranger acquires the security by receiving the token.
Who controls the allow-list
The transfer agent’s most consequential power in tokenized securities is not record-keeping. It is the gate.
Before any subscription, the transfer agent runs know-your-customer and sanctions screening on the wallet owner. The wallet address is then added to an on-chain allow list maintained by the token contract. Smart contracts enforce restrictions from that list: any transfer to an address that is not allow-listed reverts. The BIS has noted that these products rely on the allow-listing of blockchain wallets to constrain peer-to-peer trading and meet regulatory compliance requirements.
The enforcement lives in the token standards. Where stablecoins typically use plain fungible standards such as ERC-20 with unrestricted transfers, tokenized securities often employ security token standards such as ERC-1400 or ERC-3643. Under ERC-3643, a function called isVerified confirms that a recipient appears in the register of allow-listed investors, and canTransfer enforces any additional conditions required before a transfer proceeds. As compliance needs evolve, programmable checks let more complex rules be applied in code.
That is the whole architecture in one sentence: compliance rules, written by a regulated intermediary, enforced automatically by a smart contract, on a public blockchain that anyone can read and almost nobody can transact on.
The practical consequences are worth spelling out. Moving a token to a wallet not on the allow list may be blocked at the protocol or transfer agent level, which is why verifying transfer eligibility before attempting to move a position is not optional. Access through secondary markets or unapproved wallets may not carry the same rights as subscribing directly through the fund or its authorized platform. And restrictions vary sharply by product: some funds are limited to qualified purchasers, some exclude US persons entirely, some impose institutional minimums.
Why this exists
It would be easy to read all of this as institutions gutting the point of a blockchain. The steelman is stronger than that, and it deserves stating properly.
Securities law does not care what technology you use. If an instrument is a security, then rules about who may hold it, how ownership is evidenced, what disclosures are owed, and how sanctions screening works all apply regardless of whether the record sits in Oracle or Ethereum. A tokenized fund that let anonymous wallets hold shares would not be an innovation. It would be an unregistered securities offering with an anti-money-laundering failure attached.
The allow-list model is what makes tokenized funds work inside existing securities and AML frameworks. Without it, none of these products would exist, because no regulated manager would issue them and no regulator would permit it. The choice was never between a permissioned tokenized fund and a permissionless one. It was between a permissioned tokenized fund and no tokenized fund.
And the benefits are real even with the gate in place. Settlement in minutes instead of days. Around-the-clock operation. Shares usable as collateral without leaving the fund, which is why crypto prime brokers accept BUIDL as margin. Real-time auditable records for regulators. Programmability that lets a share do things a book entry cannot. None of that requires the ledger to be the final authority. It only requires the ledger to be fast, shared, and honest about what it is.
The counterargument is equally real. If an intermediary maintains the authoritative record, screens participants, and can reverse the chain, then the blockchain is performing the role of a message bus, and a permissioned database could deliver most of the benefits with less complexity. The transparency argument weakens too, since the interesting record is off-chain. What you are left with is faster settlement and composability with other on-chain assets, which is genuinely valuable but a long way from disintermediation.
Where the two worlds are colliding
The most interesting developments sit exactly at this seam.
The DTCC, the central node in US securities infrastructure, ran its Smart NAV pilot with Chainlink, showing how mutual fund net asset value data can be published on-chain using cross-chain interoperability infrastructure, with multiple global asset managers participating. It has also unveiled a platform for real-time tokenized collateral management. The depository is not being disintermediated. It is tokenizing.
Meanwhile some tokenized funds are pushing the other way. Products including Superstate’s short-duration government securities fund and Franklin’s OnChain US Government Money Fund enable peer-to-peer transactions among approved holders, and BUIDL has been listed on Uniswap’s decentralized exchange for eligible traders. Each step widens the set of things an allow-listed holder can do without going through the issuer, which is a slow migration of function toward the chain without ever surrendering the register.
The tension shows up plainly in retail products. Robinhood’s Stock Tokens are structured as tokenized debt securities that track a stock’s economic performance but confer no voting rights, no shareholder rights, and no direct legal ownership claim on the shares, and they are unavailable to US persons. That is a different structure from a tokenized fund share, and it exists because building a token that conveys actual equity ownership across borders runs straight into the transfer agent and registrar architecture that governs real shares. It is easier to issue a derivative of a stock than to tokenize the stock.
What a failure would look like
A useful way to test whether you understand an architecture is to ask how it breaks, and the transfer agent model has failure modes that differ sharply from the ones crypto users are trained to watch for.
The register and the chain diverge. This is the mundane one and it will happen. A subscription is recorded off-chain but the mint fails. A transfer succeeds on-chain but the register update does not process. For a period, the two records disagree about who owns what. In a permissionless system this would be a crisis with no resolution path. Here it is a reconciliation task, because the hierarchy is defined in advance: the register is authoritative, the chain gets corrected, and administrators such as JPMorgan hold explicit authority to do exactly that. The failure is contained precisely because the system is not decentralized. That is the trade in one sentence.
The transfer agent itself fails. This is the interesting one, and it has no on-chain answer.
If the entity maintaining the register suffers an outage, an insolvency, or a compromise, the authoritative record of ownership is impaired. The tokens still sit in wallets, still display balances, still move between allow-listed addresses. And none of that settles what anyone owns, because the record that decides ownership is the impaired register. Traditional finance has procedures for transfer agent succession, because this risk predates blockchains by a century. But the crypto instinct, which is to point at the chain and say the record is right there, is precisely wrong here. The chain is a mirror. A mirror does not help when the original is gone.
The allow-list becomes the attack surface. Whoever controls which addresses may hold the token controls the asset in a way no key holder does. A compromised allow-list could add unauthorized addresses or, more disruptively, remove legitimate ones, freezing holders out of transfers they are entitled to make. The smart contract will faithfully enforce whatever the list says, because faithful enforcement is its only job. Decentralization does not protect you here; it is what is being enforced against.
Composability breaks at the edge. Tokenized fund shares are increasingly used as collateral across DeFi. But a permissioned token cannot be liquidated to an arbitrary buyer, because arbitrary buyers are not allow-listed. A lending protocol that accepts BUIDL as collateral must have a liquidation path that terminates in an approved wallet, which means its liquidation mechanism depends on a whitelist maintained by a company that has no obligation to that protocol. The composability that makes these tokens attractive is conditional on a permission layer sitting outside the protocol using them, and that dependency has not been tested during a genuine stress event.
None of these are arguments against the model. They are the actual risk register, and it is a different register from the one crypto is used to reading. Nobody is going to lose a tokenized fund position because they mismanaged a seed phrase. They would lose it because an intermediary’s database, an approval list, or a reconciliation process failed, which are exactly the risks tokenization was supposed to have removed and instead relocated.
The question underneath
Strip away the mechanics and one question remains, and it is the one that decides whether tokenization matters.
If the transfer agent’s register is the truth, and the token is a receipt, what exactly has been tokenized? The optimistic answer: the settlement layer, and that alone is worth billions in operational savings and unlocks collateral mobility that did not previously exist. The skeptical answer: nothing important, because the trust assumptions are identical to the ones we had, and we added a blockchain to a system that already worked.
The honest answer is probably that this is a transitional architecture. Right now the register is authoritative and the chain is a mirror, because the law requires a registered intermediary to keep the record and the law has not changed. If it ever does, if a properly regulated on-chain register were permitted to be the record itself, the transfer agent function would not vanish. It would become code plus a compliance oracle, and something would be genuinely different.
Until then, the useful discipline for anyone touching tokenized securities is to hold the correct mental model. The wallet shows you a balance. The register decides whether that balance is yours. Those are two different claims, and only one of them is enforceable in a courtroom.
Disclaimer: This article is for information and educational purposes only and does not constitute financial, investment, or legal advice. Tokenized securities are subject to access restrictions and securities regulation, and eligibility, rights, and terms vary by product and jurisdiction. Nothing here is a recommendation to buy any product. Always do your own.
Frequently Asked Questions
What is a transfer agent?
A transfer agent maintains the official register of who owns a security, processes transfers between holders, issues shares on subscription and cancels them on redemption, distributes dividends and interest to registered holders, and handles corporate actions and reconciliation. In the United States, transfer agents must register with the SEC and operate under its rules, making it a regulated function rather than informal bookkeeping.
What does a transfer agent do in tokenized securities?
The same things, plus two more. It maintains the authoritative off-chain ownership register that the tokens mirror, and it controls the allow-list: screening investor identity, adding approved wallets to an on-chain list, and thereby determining which addresses can legally hold the token. The smart contract enforces those decisions automatically, blocking transfers to addresses that have not been approved.
If I hold the token, do I own the security?
Not by itself. The authoritative record is the register maintained by the transfer agent. The token functions as a digital receipt enabling on-chain mobility, and when it moves between approved wallets the off-chain record updates to match. Your actual rights flow from the fund’s legal documents, the register, and the product’s transfer and redemption rules.
What happens if the blockchain and the official record disagree?
The official record wins. Administrators including JPMorgan retain authority to correct discrepancies between the on-chain ledger and the legal record, so the technological holding never diverges from the legal reality. This inverts the usual crypto assumption that the ledger is the final source of truth, and it is the defining characteristic of tokenized securities as currently structured.
Why can I not send tokenized fund shares to any wallet?
Because the token contract enforces an allow-list maintained by the transfer agent. Security token standards such as ERC-1400 and ERC-3643 build the restrictions into the token itself. Under ERC-3643, isVerified checks whether a recipient appears in the register of allow-listed investors and canTransfer enforces additional conditions. A transfer to an unapproved address reverts at the contract level.
Who are the major transfer agents in tokenization?
Securitize is the most prominent. Securitize Transfer Agent LLC is an SEC-registered transfer agent and broker-dealer and maintains the official record for BlackRock’s BUIDL and its OnChain Shares filing. Tokeny is another tokenization platform operating in this space. Franklin Templeton maintains the official record for BENJI through its own Benji platform.
Does this defeat the purpose of using a blockchain?
That is the genuine argument. Critics note that if an intermediary keeps the authoritative record, screens participants, and can reverse the chain, a permissioned database could deliver similar benefits more simply. Supporters note that securities law requires a registered record-keeper regardless of technology, that the allow-list is what makes these products legal at all, and that faster settlement, continuous operation, and collateral mobility are real gains that do not require the ledger to be authoritative.
How does this differ from Robinhood’s Stock Tokens?
Considerably. Robinhood’s Stock Tokens are structured as tokenized debt securities that track a stock’s economic performance but confer no voting rights, no shareholder rights, and no direct ownership claim on the underlying shares, and they are unavailable to US persons. A tokenized fund share represents an actual registered fund position recorded by a transfer agent. It is easier to issue a derivative referencing a stock than to tokenize the stock itself, precisely because of registrar architecture.




Be the first to comment