Welcome to the first instalment of our seven-part series on institutional-grade Solana. In the introduction, we established that institutions are no longer asking if they’ll adopt crypto, but how. This shift demands a deep understanding of the tools and frameworks available to ensure security, compliance, and scalability.

This post focuses on the foundational layer of institutional adoption: Compliance and Regulatory Controls.

For any institution handling significant assets, navigating the complex web of financial regulations is a non-negotiable requirement. Know Your Customer (KYC) and Anti-Money Laundering (AML) are not just best practices; they are legal requirements in most jurisdictions. Fortunately, the Solana ecosystem has matured to a point where it offers a robust suite of tools to meet these needs.

In traditional finance, regulatory controls are mechanisms that enforce compliance—such as audit trails, transaction limits, and verified counterparties. On Solana, these controls take a programmable form: on-chain attestations, transfer restrictions, and permissioned-token standards that codify compliance directly into smart-contract logic.

For institutions navigating emerging digital-asset frameworks such as MiCA, the FATF Travel Rule, or SEC custody guidelines, Solana’s compliance stack now provides the primitives to align digital-asset operations with modern regulatory expectations.

The Solana Attestation Service: A Foundation for Trust

A key development in this area is the Solana Attestation Service. This service allows for the creation of on-chain credentials that verify information about a user or entity. Think of it as a digital passport that can be stamped to prove specific attributes, for example, that a user has completed a KYC check.

The service is designed to be flexible, enabling a wide range of use cases beyond KYC, including reputation systems, access controls, and compliance-based automation. These attestations can be read and verified directly on-chain, allowing downstream protocols to build trustless compliance layers that still preserve user privacy.

Token2022 and Transfer Hooks: Granular Control Over Assets

The Token2022 standard introduces powerful features, including transfer hooks. These hooks allow developers to embed custom logic directly into the token — for example, verifying a user’s KYC credentials before a transfer.

However, adoption across the ecosystem has been limited because transfer hooks can be complex and difficult to integrate into downstream protocols.

“We can build Token2022 transfer hooks for KYC — we’ve done this before. It’s even possible for a TransferHook to read attestations from the Solana Attestation Service. But we’ve seen most real-world asset (RWA) issuers prefer to use an allowlist within their own program for KYC instead.”

Taylor, Cofounder Exo Tech

Recognising these challenges, engineers at the Solana Foundation have proposed sRFC37: Efficient Block/Allow List Token Standard, which provides a more streamlined and standardised mechanism for KYC/AML compliance. Rather than relying on transfer hooks that reject non-KYC’d wallets, sRFC37 uses the Default Account State extension, ensuring that all TokenAccounts begin in a frozen state.

A permissionless instruction can then thaw a TokenAccount if the wallet is listed on the issuer’s allowlist. This approach allows issuers to manage compliance efficiently while ensuring downstream protocols don’t need extra integration work — the allow/block logic is enforced at the account-state level rather than at each transfer event.

“The benefit of sRFC37 is that downstream protocols don’t need to do extra work for integration. Allowing or blocking tokens happens prior to the transfer, via freezing and unfreezing the TokenAccount. It’s cleaner, faster, and aligns with how institutions think about pre-trade compliance.”

Taylor, Cofounder Exo Tech
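The sRFC37 flow described above, modelled as a small in-memory state machine. This is an added example, not code from sRFC37, the Solana Foundation, or Exo; every type and function name is hypothetical, and the issuer-side `freeze` and the starting balances are assumptions of the model.

```rust
use std::collections::{HashMap, HashSet};
// In-memory model only, not Solana program code. All names are hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum State { Frozen, Thawed }
#[derive(Debug, PartialEq)]
pub enum Error { NotOnAllowlist, AccountFrozen, NoSuchAccount, InsufficientFunds }
#[derive(Default)]
pub struct Mint {
    pub allowlist: HashSet<String>,          // issuer-managed list of KYC'd wallets
    accounts: HashMap<String, (State, u64)>, // wallet -> (account state, balance)
}
impl Mint {
    // Default Account State: every new token account starts frozen.
    pub fn create_account(&mut self, wallet: &str, balance: u64) {
        self.accounts.insert(wallet.to_string(), (State::Frozen, balance));
    }
    fn set_state(&mut self, wallet: &str, s: State) -> Result<(), Error> {
        self.accounts.get_mut(wallet).map(|a| a.0 = s).ok_or(Error::NoSuchAccount)
    }
    // Permissionless thaw: any caller may invoke it; the allowlist decides.
    pub fn thaw_permissionless(&mut self, wallet: &str) -> Result<(), Error> {
        if !self.allowlist.contains(wallet) { return Err(Error::NotOnAllowlist); }
        self.set_state(wallet, State::Thawed)
    }
    // Assumption of this model: the issuer freezes an account again after delisting.
    pub fn freeze(&mut self, wallet: &str) -> Result<(), Error> {
        self.set_state(wallet, State::Frozen)
    }
    // Transfer looks at account state only; it never reads the allowlist.
    pub fn transfer(&mut self, from: &str, to: &str, amount: u64) -> Result<(), Error> {
        for w in [from, to] {
            if self.accounts.get(w).ok_or(Error::NoSuchAccount)?.0 == State::Frozen {
                return Err(Error::AccountFrozen);
            }
        }
        let src = self.accounts.get_mut(from).unwrap();
        if src.1 < amount { return Err(Error::InsufficientFunds); }
        src.1 -= amount;
        self.accounts.get_mut(to).unwrap().1 += amount;
        Ok(())
    }
    pub fn balance(&self, w: &str) -> Option<u64> { self.accounts.get(w).map(|a| a.1) }
}

fn main() {
    let mut m = Mint::default();
    m.create_account("alice", 100); // constructed sample wallet and balance
    println!("{:?}", m.thaw_permissionless("alice"));
}
```

In this model, removing a wallet from the allowlist does not stop an already-thawed account from transferring, because `transfer` checks only the account state; an explicit freeze is needed to revoke access.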

Looking to take your compliance documentation even further?

Check out our latest post — Making an Auditor-Friendly Architecture Doc — where we outline how to structure technical documentation that satisfies security reviews and speeds up audits for institutional partners.

Exo: Your Partner for Compliant Token Solutions

At Exo Technologies, we specialize in custom Token2022 transfer hook development and sRFC37 integration for institutional-grade tokenization. Our engineering team has been at the forefront of this evolution, contributing to early implementations and helping RWA issuers deploy permissioned token standards safely on Solana.

We are among the first teams to integrate sRFC37 (thanks to our in-house engineers like Patricio Rodriguez), and we currently have an RWA client using this framework in production.

Our direct experience building both custom TransferHook logic and allowlist-based permission systems allows us to design solutions that meet your project’s exact compliance needs — without sacrificing composability or user experience.

If your institution is exploring compliant tokenization or regulated DeFi, Exo can guide you through the architecture, design, and deployment of secure Token2022 programs that satisfy both on-chain and off-chain compliance requirements.

Highlighting Key Projects in the Solana Ecosystem

Several projects on Solana are building innovative solutions for identity and compliance. Here are a few that institutions should be aware of:

  • Civic: A pioneer in decentralized identity, Civic provides a suite of tools for verification on Solana. Their Civic Pass allows users to prove liveness and verify identity while maintaining privacy. This verified information can then be used to control access to dApps and services.

  • Reclaim Protocol: Enables users to generate verifiable credentials from any website. These can prove attributes such as employment history, age, or reputation — without revealing underlying data.

  • Solana ID: A comprehensive identity protocol that enables users to create a single, unified identity usable across the Solana ecosystem. This simplifies verification for institutions and improves user experience for individuals interacting with permissioned systems.

“After building in the identity sector for almost three years, I can’t emphasize enough how much opportunity we see in this sector on Solana.

We are firm believers that global value — not just money — transfer will happen mainly on Solana eventually: a trillion-dollar market.

This requires solutions that help users, both humans and agents alike, to identify and authenticate in order to access certain services or receive special treatment in this new internet economy.”

Simon, Founder of Solana ID

While these tools provide the technical foundation for compliance, it is crucial to remember that the regulatory landscape for digital assets is still evolving. The legal and regulatory requirements for your institution will depend on various factors, including your jurisdiction, the nature of your business, and the specific assets you are handling.

At Exo Technologies, we have extensive experience helping institutions navigate these complex issues. We can connect you with legal experts who specialise in digital assets and help you design a compliance program that is tailored to your specific needs. The cost of getting it wrong can be high, both in terms of financial penalties and reputational damage. That's why it's crucial to collaborate with a partner who understands both the technology and the regulatory landscape.

Conclusion

The Solana ecosystem offers a powerful and flexible framework for institutional-grade compliance. From attestation services and transfer-hook extensions to emerging standards like sRFC37, the groundwork for regulated finance on Solana is rapidly maturing.

However, success depends on understanding both the technology and the regulatory landscape.

That’s where partners like Exo Technologies add value — helping institutions implement compliant token architectures that withstand real-world scrutiny.

In the next part of this series, we’ll explore another critical component of the institutional Solana stack: Custody, Key Management & Policy Enforcement.

Stay tuned.
