From Pilot to Scale: Engineering Tokenization Platforms for Real Users

Decision-makers finally have a playbook: tokenization is out of the lab and in production. In 2025, tokenized Treasuries and money funds are used as collateral on tier‑1 venues, repo settles on DLT at hundreds of billions per day, and regulators are publishing detailed frameworks to industrialize the stack. This guide distills what to build, how to scale, and where the risks really are.

Summary: Tokenization moved from proofs‑of‑concept to production. This post lays out a reference architecture, concrete design patterns, and regulatory‑aware practices to take a tokenization platform from a controlled pilot to multi‑jurisdictional scale with real users, assets, and cash flows.

1) Why 2025 is different: proof that real users exist

• Tokenized “real‑world assets” on public and permissioned ledgers have grown ~5x in three years to roughly $24B, with credible projections for an order‑of‑magnitude expansion over the next decade. (coindesk.com)
• Tokenized U.S. Treasuries and money‑market funds crossed ~$7.4B by July 2025 and are increasingly used instead of stablecoins for yield‑bearing collateral. (ft.com)
• BlackRock’s BUIDL launched in March 2024, surpassed $1B AUM by March 2025, then expanded into multi‑chain share classes (Ethereum originally; Aptos, Arbitrum, Avalanche, Optimism, Polygon in Nov 2024; later Solana and BNB Chain) and is now accepted as collateral on major exchanges. (prnewswire.com)
• Franklin Templeton’s FOBXX enabled peer‑to‑peer token transfers in April 2024 and added new chains (Avalanche, Base/Aptos connectivity, and Solana in 2025), pushing on‑chain fund functionality into mainstream back‑office flows. (franklintempleton.com)
• In repo, Broadridge’s DLR processed ~$385B average daily volume in October 2025 (roughly 0.03–0.04 of U.S. tri‑party scale), up ~492% YoY—evidence that DLT settlement is handling real balance sheets. (prnewswire.com)
• Collateral tokenization is past the “demo” phase: JPMorgan’s Onyx TCN has moved MMF shares on‑chain for margin, with participants including BlackRock, Barclays and Fidelity International pilots. (coindesk.com)
• Governments are issuing at scale: Hong Kong priced HK$10B (multi‑currency) tokenized green bonds in Nov 2025, integrating tokenized central‑bank money (e‑HKD, e‑CNY) into the primary settlement workflow and publishing ISO‑24165 Digital Token Identifiers linked to ISIN/LEI. (hkma.gov.hk)
• Cost curves have shifted: Ethereum’s Dencun (EIP‑4844) pushed L2 fees down by ~95–99%, turning L2s into practical rails for tokenized funds and transfer activity—while reminding teams that blob‑fee supply/demand volatility is real. (cointelegraph.com)
• Regulators are publishing playbooks, not just speeches: MiCA’s stablecoin provisions have applied since June 30, 2024 (with full CASP rules from Dec 30, 2024) and EU supervisors pushed for stablecoin compliance by Q1 2025; the UK opened the Digital Securities Sandbox and is consulting on “Blueprint” tokenized funds; MAS’s Project Guardian published detailed Guardian Funds and Fixed‑Income frameworks. (finance.ec.europa.eu)

Takeaway: The blockers to scale are no longer “does it work?” but “how do we engineer it for custody, compliance, cash, and connectivity across multiple venues and chains?”

---

2) What “engineering for real users” actually means

Your first pilot probably proved issuance and basic transfers. Scaling means designing for:

• Hard SLOs: settlement finality targets (e.g., ≤ T+0 for primary, ≤ minutes for collateral substitutions); availability ≥ 99.9%; RTO/RPO ≤ 1h.
• Deterministic cash legs: multiple settlement assets (fiat rails, regulated stablecoins, tokenized MMFs, eventual tokenized deposits/CBDC) with failover.
• Investor UX: account abstraction, P2P transfers, recovery flows, and multi‑sig/MPC approvals that your operations and auditors buy.
• Compliance by construction: jurisdictional allow‑lists, transfer restrictions, sanction screening, and auditable forced‑action controls.
• Market connectivity: custodians, transfer agents/TA, pricing and NAV, order‑routing, broker/dealer and ATS links, and collateral utilities (tri‑party, exchange collateral).
• Multi‑chain governance: version‑controlled share classes and cross‑chain state consistency.

---

3) A reference architecture you can ship

Design the platform in layers; don’t hard‑code policy into business logic you can’t upgrade.

1. Legal and registry layer

• Choose a clean legal wrapper (fund/notes/SPV) and map beneficial ownership to a canonical register (TA of record, or DSD/CSD in sandboxes).
• Implement reconciliation between the canonical register and token balances; design key exception queues (lost keys, dead wallets, sanctions hits).

1. Token and control layer

• Use a permissioned token standard with native compliance hooks. ERC‑3643 (formerly T‑REX) is now a finalized EIP for permissioned tokens with identity gating, pre‑transfer checks, freezing/forced‑transfer, and recovery—ideal for securities and funds. (erc3643.org)
• For vaults/fee accounting, keep ERC‑20/4626 compatibility where possible to integrate with DeFi/staking wrappers while preserving policy checks via 3643 extensions.

1. Identity and compliance layer

• Adopt W3C Verifiable Credentials (v2.0) for KYC/KYB, with selective disclosure (BBS+ / SD‑JWT) and optional ZK proofs (Polygon ID/zk‑KYC) so investors can satisfy eligibility predicates without exposing raw PII. (w3.org)
• Bind credentials to an on‑chain identity (e.g., ONCHAINID with ERC‑3643). This lets you enforce complex, jurisdiction‑specific rules at transfer time rather than at venue‑level only. (erc3643.org)

1. Money and settlement layer

• Implement a strategy matrix: fiat DvP (Fedwire/ACH/SWIFT), regulated stablecoins (MiCA‑compliant in the EU), tokenized MMFs (e.g., BUIDL/FOBXX), and (forward‑compatible) tokenized deposits/CBDC per BIS Project Agorá. (finance.ec.europa.eu)
• Wire DvP flows with canonical sequencing and cancellation windows; log settlement asset identifiers (DTI ISO‑24165) and link to ISIN/LEI where available (Hong Kong’s 2025 digital green bonds are a live blueprint). (hkma.gov.hk)

1. Orchestration and operations

• Use an event‑sourced ledger off‑chain (Kafka/CDC into a data lake) mirrored to chain state and your TA/CSD records.
• Build idempotent “sagas” for multi‑step operations (subscribe, mint, NAV strike, distribute, redeem, cross‑chain swap, corporate actions).

1. Observability and risk

• Real‑time transfer policy metrics, blob‑fee budget alarms on L2s, chain reorg monitors, proof‑of‑reserves (for stablecoins) and daily exposure reports by settlement asset.

---

4) Chain selection and share‑class strategy

• Multi‑chain is now practical—and expected. BUIDL demonstrates per‑chain share classes to “meet users where they are” across EVM L2s and newer L1s. You gain distribution and composability, but you must version control prospectus language, fee accrual logic, and transfer restrictions across each chain. (prnewswire.com)
• Post‑Dencun economics: median L2 transfers often price in cents, but blob fees are variable with demand. Engineer a “fee guardrail”: batch operations, pre‑fund relays, and pause non‑critical jobs when blobspace spikes. (coindesk.com)
• Permissioned/consortium chains remain optimal for some venues (repo/TCN, regulated venues) and can interoperate at the edge via messaging/oracles (e.g., SWIFT/Chainlink pilots under MAS Project Guardian). (coindesk.com)

Practical tip: treat each chain as its own product line with chain‑specific SLAs, incident runbooks, and a strict change‑control calendar aligned to protocol upgrades.

---

5) Identity, compliance, and privacy that actually scales

• Don’t rely on exchange‑level KYC alone: put the policy with the asset. ERC‑3643 lets you encode “who may hold/transfer” into the token itself (jurisdiction, investor category, sanctions list, holding periods), with agent‑level controls for pause, freeze, and forced transfer. (eips-wg.github.io)
• Move from PDFs to portable credentials. W3C VC 2.0 plus OpenID4VC flows allow investors to reuse attested KYC/KYB across products while keeping data minimization. ZK‑KYC providers (e.g., Polygon ID ecosystem) let you validate predicates like “accredited in X” without exposing the document. (w3.org)
• Europe specifics: under MiCA, stablecoin (EMT/ART) rules applied from June 30, 2024 with full scope from Dec 30, 2024; ESMA urged member states to ensure platforms restrict non‑compliant ARTs/EMTs by end‑Q1 2025—this shapes what you can list and how you distribute in the EU. (finance.ec.europa.eu)
• UK specifics: the FCA’s Digital Securities Sandbox (DSS) is live through 2028/29, and the FCA’s CP25/28 consults on tokenized funds and direct‑to‑fund dealing—the cleanest path to fully on‑chain registers under supervision. Align your operating model and documentation to the “Blueprint” language. (fca.org.uk)
• APAC specifics: MAS’s Guardian Funds Framework and Fixed‑Income deliverables (with ICMA/ISDA/GFMA) set practical standards for tokenized funds and bonds—use their DvP and custody patterns. (fca.org.uk)

---

6) Settlement assets: stablecoins, tokenized MMFs, tokenized deposits

You need redundancy across cash rails:

• Regulated stablecoins: In the EU, only MiCA‑authorized EMT/ART issuers can scale; platforms are expected to restrict non‑authorized tokens. Keep an EU/EAA distribution toggle and plan for issuer fungibility nuances (same ticker across EU/US entities). (coindesk.com)
• Tokenized MMFs: BUIDL and FOBXX now support P2P transfers and exchange collateralization. Engineer “NAV‑time” handling, dividend accrual, and cutoff coordination with TA. Expect address allow‑listing and custody whitelists (e.g., Fireblocks/Anchorage/Coinbase Custody). (theblock.co)
• Tokenized deposits and wholesale CBDC: Project Agorá (BIS + 7 central banks, >40 private firms) is building the public‑private model. Make your settlement layer pluggable for unified‑ledger style assets (tokenized deposits + wCBDC). (coindesk.com)

Pattern: maintain a “cash policy registry” mapping instrument → jurisdiction → limits (issuer caps, transferability, haircuts) and automatic fallbacks (e.g., convert non‑compliant EU stablecoin balances to EMT/EURC or cash‑settle at redemption).

---

7) Custody, keys, and controls that pass audit

• Use MPC wallets with HSM options to remove single points of failure and to meet bank security postures. Fireblocks’ MPC‑CMP plus HSM/TEE deployments are now a standard institutional pattern. (fireblocks.com)
• Enforce policy at the signing layer: quorum thresholds, segregation by business line, velocity limits, and code‑based verifiers for large flows. Externalize policy to avoid “policy drift” across apps. (fireblocks.com)
• Institutional attestations matter (SOC 1/2 Type II, insurance, segregated accounts). Don’t assume exchange custody is acceptable to your auditors—treat exchange connectivity as settlement plumbing, not safekeeping. (crypto.com)

Emerging practice: tokenized MMF shares (e.g., BUIDL) recognized as off‑exchange collateral on tier‑1 venues demands precise tri‑party controls (eligibility lists, margin haircuts, recall SLAs). Bake those into your orchestration. (prnewswire.com)

---

8) Pricing, NAV, and distribution details that trip teams up

• On‑chain funds require precise daily NAV strike, accrual, and distribution logic. Cache NAV as signed oracle values with timestamp/epoch and freeze mint/redemptions during strike to avoid stale price issuance.
• Support P2P transfers only between eligible holders and cut off transfers during corporate actions. FOBXX’s P2P launch is a precedent for TA‑synced transfers. (franklintempleton.com)
• Publish machine‑readable terms: decimals, cutoffs, holidays, subscription windows, and dividend calendars on‑chain and via API so integrators don’t guess.

---

9) Interoperability and market connectivity

• Messaging and interop: SWIFT + Chainlink + UBS/others showed fiat redemption/settlement flows for tokenized funds—integrate off‑chain banking rails with on‑chain state via standard messages and attestation proofs. (coindesk.com)
• Standards to adopt:
  • Token: ERC‑3643 for permissioned securities. (erc3643.org)
  • Identity: W3C VC 2.0 + OpenID4VC; consider Polygon ID/zk‑KYC for privacy. (w3.org)
  • Identifiers: ISO‑24165 DTI; link to ISIN/LEI (as in HKMA’s 2025 digital bonds). (hkma.gov.hk)
  • Data: Align fixed‑income fields with ICMA’s Bond Data Taxonomy per MAS Guardian Fixed‑Income Framework. (icmagroup.org)
• Venues/sandboxes: UK DSS enables live trading/settlement by Digital Securities Depositories under caps—use it to run production‑grade operations while regulation is finalized. (fca.org.uk)

---

10) Delivery plan: from 90‑day pilot to scaled production

Phase 0 (0–30 days)

• Legal/operating model sprint: decide registry of record (TA vs. DSD/CSD), draft terms supporting forced actions, lost‑key recoveries, and share‑class per chain.
• Chain and custody baseline: pick 1–2 chains (one EVM L2 plus optional permissioned) and a custody model (MPC with HSM option); define address whitelisting and policy quorums.
• Identity design: select VC schema, issuers, and verification predicates; integrate ONCHAINID/allowlist for ERC‑3643. (erc3643.org)

Phase 1 (30–90 days)

• MVP flows: primary issuance, subscription/mint, accrual, distribution, redemption/burn, and P2P transfers between verified holders. Validate NAV strike process and cutoff handling with the TA. (franklintempleton.com)
• Cash rails: one regulated stablecoin plus bank DvP; simulate failover to tokenized MMF for intraday collateral needs.
• Controls: deploy policy verifiers and operator runbooks (pause/freeze, forced transfer) and complete a tabletop exercise with auditors.

Phase 2 (90–180 days)

• Multi‑chain rollout: add a second share class on an L2 or alternate L1 (replicate compliance, accrual, and distribution). Confirm disclosure updates per chain. (prnewswire.com)
• Connectivity: integrate at least one collateral venue or tri‑party, plus an ATS or MTF if in the EU pilot regime or UK DSS.
• Observability: fee guardrails for blobs, policy drift alarms, and daily exposure limits by settlement asset. (thedefiant.io)

Phase 3 (180–360 days)

• Scale limits: move from thousands to tens of thousands of holders; automate credential refresh and sanctions updates without mass key resets.
• Expand cash: add tokenized deposits proof‑of‑concept to your settlement adaptor to prepare for Agorá‑style rails. (coindesk.com)

Success metrics

• Time‑to‑settle (PvP/DvP), rejection causes (policy vs. technical), blob‑fee per transfer, credential refresh failure rates, NAV vs. price deviations, and corporate action SLA adherence.

---

11) Common failure modes (and how to avoid them)

• “Venue‑gated compliance” only: if your token freely moves once it leaves your venue, you’ve lost control. Encode policy in the token standard (ERC‑3643) with identity‑bound eligibility. (eips-wg.github.io)
• Ignoring the cash leg: pilots mint tokens and assume fiat settles. In production, DvP, cutoff coordination, and fallback settlement assets are everything. Use a cash policy registry and dual rails. (hkma.gov.hk)
• Underestimating TA/registrar complexity: P2P transfers require TA‑synced state and lost‑key procedures. FOBXX’s 2024 P2P upgrade is your model—copy the ops, not just the code. (franklintempleton.com)
• Treating L2 fees as “always negligible”: blob spikes happen; batch, pre‑fund, and rate‑limit non‑critical flows. (coindesk.com)
• One‑size‑fits‑all custody: auditors expect segregated keys, MPC/HSM controls, and attestation. Don’t mix client assets, and don’t rely on exchange custody as safekeeping. (fireblocks.com)
• Skipping identifiers: if you don’t issue DTIs and link to ISIN/LEI, your data governance and reconciliation will hurt as you scale. (hkma.gov.hk)

---

12) What’s next (and how to future‑proof now)

• EU: MiCA is live; ESMA is pushing DLT Pilot improvements toward permanence. Expect more DLT MTF/DSD authorizations and clarity on stablecoin fungibility across issuers. Build for authorization events, not just sandboxes. (esma.europa.eu)
• UK: DSS gate‑progression will graduate the first Digital Securities Depositories; tokenized fund “Blueprint” guidance will harden. Use DSS to run supervised production, then port to a permanent regime by 2028–2029. (fca.org.uk)
• APAC: Project Guardian’s frameworks and pilots continue, with banks launching tokenized notes and funds on public chains. Design your stack to drop into Guardian‑aligned workflows (DvP, custody, data taxonomies). (icmagroup.org)
• Payments: Project Agorá will standardize tokenized deposits + wholesale CBDC on a unified ledger. Keep your settlement adaptor modular so you can add deposit‑tokens alongside stablecoins/MMFs without a re‑platform. (coindesk.com)

---

Appendix: concrete build choices we recommend in 2025

• Token standard: ERC‑3643 with ONCHAINID; expose a “pre‑transfer check” endpoint for wallets and brokers so they can fail fast without gas. (eips-wg.github.io)
• Identity: W3C VC 2.0, OpenID4VC issuance/verification, and a zk‑predicate option for sensitive attributes (accredited, country, age). Roll keys for issuers and create a credential‑refresh schedule (e.g., 365‑day KYC validity). (w3.org)
• Chains: start with one EVM L2 optimized post‑Dencun plus one permissioned network if needed for bilateral repo/collateral or regulated trading. Track blob‑fee metrics and set per‑flow fee caps. (coindesk.com)
• Custody: MPC with quorum and HSM wrapping; policy‑as‑code for spending limits and multisig roles; SOC 2/SOC 1 attestations for institutional integrations. (fireblocks.com)
• Cash: prioritize one MiCA‑compliant EMT in EU, one USD stablecoin in US, plus a tokenized MMF rail with clear NAV cutoffs. Prepare a pluggable Agorá adaptor. (coindesk.com)
• Market data: adhere to ICMA Bond Data Taxonomy fields for any fixed‑income tokenization and publish DTIs linked to ISIN/LEI for secondary data consumers. (icmagroup.org)

If you start here, you won’t just have a demo—you’ll have a regulated, interoperable, upgradable platform that real investors, counterparties, and supervisors can rely on.

---

7Block Labs builds tokenization platforms for institutions. If you want a 6‑week blueprint tailored to your regulatory footprint, asset classes, and custody stack, we’re ready to help.