What Regulators Actually Ask For, and Why Most Platforms Cannot Answer

James Borzilleri, Founder | February 7, 2026 | 10 min read

SEC examination procedures, enforcement orders, and deficiency letters reveal a consistent pattern. Understanding what regulators actually request during an examination is the only way to build compliance infrastructure that holds up when they do.

Most platforms are not ready for that conversation. Not because they are non-compliant, but because the evidence they can produce does not meet the standard that examiners apply. The gap is not in the compliance process. It is in the compliance record.

The four questions every examiner asks

Across enforcement actions and examination reports, the same four questions appear with remarkable consistency. They are not complicated. They are not tricky. They are straightforward questions that any well-designed compliance system should be able to answer immediately.

First: what compliance process was required for this transaction or this investor? The examiner wants to know which regulatory framework applies. Reg D 506(c) accreditation verification. AML screening under BSA. KYC under applicable securities laws. The answer depends on the offering structure, the jurisdiction, and the investor type.

Second: was that process actually performed? Not 'do you have a policy that says it should be performed.' Was it actually performed for this specific investor, for this specific transaction, at the relevant time?

Third: who performed it? An internal team member? A third-party provider? Which provider? Under what standards?

Fourth: when did it happen? Before the transaction? After? Within the required timeframe? And can you prove the timing is accurate?

Why platform-generated exports fail

Ask a tokenized securities platform to answer those four questions today. Here is what typically happens.

The platform pulls up its internal dashboard. It shows a list of investors with status fields: 'verified,' 'pending,' 'failed.' It can export a CSV or PDF report. The report contains the investor's name, the verification status, maybe a date field.

An examiner looks at that report and asks: who generated this report? The platform. Who controls the database it was generated from? The platform. Can the platform modify records in that database? Yes. Is there any external party that can confirm the accuracy of these records? Silence.

The report answers question one (what was required) and question two (was it performed) only to the extent that the examiner trusts the platform's self-reporting. It answers question three (who performed it) partially, if the provider name is recorded. And it answers question four (when) with a timestamp from a mutable database controlled by the entity being examined.

None of these answers are independently verifiable. Every answer depends on trusting the platform's records. An examiner is trained to not extend that trust without corroboration. That is not cynicism. It is standard examination procedure.

How attestation records answer each question

Now consider the same four questions with an OMINEX attestation record in the evidence package.

Question one: what was required? The attestation record carries a structured event id from the OMINEX vocabulary (kyc.identity_verified, screening.ofac_cleared, accreditation.income_verified, suitability.assessment_completed, and so on across the twelve categories). Each id maps directly to the regulatory requirement for the specific offering and investor type.

Question two: was it performed? The attestation record exists. It was created by an independent party (OMINEX) based on a confirmation received from the platform after the verification provider returned a result. The existence of the record, signed by an entity with no commercial interest in the outcome, is evidence that the process was performed.

Question three: who performed it? The attestation record includes the provider field and a provider reference ID. The provider field identifies the KYC/AML provider. The reference ID allows the examiner to request the underlying verification details directly from the provider if needed.

Question four: when? The attestation record includes a cryptographic timestamp set at creation. It was not generated retroactively. It was not exported from a mutable database. It was signed and timestamped by OMINEX at the moment the attestation was created. The timestamp is part of the cryptographic signature, meaning any alteration to the timestamp would invalidate the signature.

Four questions. Four answers. All independently verifiable. None dependent on trusting the platform's internal records. That is the difference between compliance records and compliance evidence.
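The tamper-evidence property described for question four, as an added example that is not OMINEX code or part of the original article: a record is signed with the timestamp inside the signed bytes, then verified unchanged and with the timestamp backdated. The record layout, field names, provider name, reference ID and the choice of Ed25519 over JSON are assumptions; only the event id comes from the article.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Attestation is a hypothetical layout (assumed field names, not the OMINEX schema).
type Attestation struct {
	EventID     string `json:"event_id"`
	Provider    string `json:"provider"`
	ProviderRef string `json:"provider_ref"`
	Timestamp   string `json:"timestamp"` // RFC 3339, set by the attester
}

// signingBytes returns the bytes signed; struct fields marshal in declaration order.
func signingBytes(a Attestation) []byte {
	b, _ := json.Marshal(a) // cannot fail for a struct of strings
	return b
}

// Sign is run by the attester, the only holder of the private key.
func Sign(priv ed25519.PrivateKey, a Attestation) []byte {
	return ed25519.Sign(priv, signingBytes(a))
}

// Verify is run by the examiner and needs only the attester's public key.
func Verify(pub ed25519.PublicKey, a Attestation, sig []byte) bool {
	return ed25519.Verify(pub, signingBytes(a), sig)
}

// Demo signs a constructed record, then verifies it unchanged and backdated.
func Demo() (intact, backdated bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	rec := Attestation{EventID: "kyc.identity_verified", Provider: "example-kyc-provider",
		ProviderRef: "REF-0001", Timestamp: "2026-02-07T14:03:22Z"} // constructed values
	sig := Sign(priv, rec)
	intact = Verify(pub, rec, sig)
	rec.Timestamp = "2026-02-06T14:03:22Z"
	backdated = Verify(pub, rec, sig)
	return intact, backdated
}

func main() {
	fmt.Println(Demo()) // true false
}
```

The check proves the timestamp has not changed since signing; how accurate it was at signing still depends on the signer's clock.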

Why the four questions got more pointed in 2025

I have been describing the four-question pattern for three years. In 2025, the institutional posture behind it changed in a way that makes the questions more pointed than they used to be.

The SEC announced the Crypto Task Force in January 2025 under Commissioner Hester Peirce, then launched Project Crypto under Chair Paul Atkins later in the year. The official framing was that these initiatives would clarify how existing rules apply to digital assets. The operational consequence has been more direct: the Commission has made the application of long-standing rules to tokenized activities explicit, and examination programs across the SEC's divisions are running with that explicit application built into the procedures.

When the Crypto Task Force confirms that the Custody Rule applies to digital-asset custody arrangements, the surprise-exam question — who performed the verification, when, and can it be independently corroborated — becomes a question the examiner is specifically trained to ask of digital-asset operations. When Project Crypto coordinates examination programs across Investment Adviser, Broker-Dealer, and Investment Company exam streams, the four questions get asked in three parallel tracks, each calibrated to the registrant type, each generating its own deficiency findings if the records do not survive scrutiny.

The same dynamic plays out in the EU. MiCA became fully applicable on December 30, 2024. Article 67 recordkeeping is now an enforceable supervisory obligation, and EU national competent authorities have been issuing examination requests since the start of 2025. The four questions are the same four questions, asked in a different language and against a different statutory citation, but with the same standard for what counts as an acceptable answer.

The pattern is consistent across jurisdictions. Examiners in 2025 know what they are looking at when they request digital-asset records. The platforms that have built the records as an afterthought to the operational system are getting findings. The platforms that have built independent attestation as part of the operational system are getting routine sweeps.

The examination scenario, side by side

Without independent attestation: the examiner requests compliance records. The platform exports reports from its database. The examiner evaluates the reports knowing they were generated by the entity being examined. The examiner must assess the reliability of the platform's internal controls to determine whether the records are trustworthy. Deficiency findings are common when internal controls cannot be independently validated.

With independent attestation: the examiner requests compliance records. The platform provides its internal records plus independently signed attestation records from OMINEX. The examiner can verify the attestation signatures independently. The attestation records corroborate the platform's internal records with evidence from a third party that had no stake in the outcome. The evidentiary burden shifts from 'trust the platform' to 'verify the signature.'

That shift is significant. It reduces examination risk for the platform. It simplifies the examiner's work. And it creates the kind of reliable, verifiable compliance record that regulators are increasingly going to expect from digital asset platforms.

The evidence standard is rising

Every regulatory cycle follows the same pattern. Requirements increase. Evidence standards tighten. What was acceptable five years ago becomes insufficient. What is acceptable today will be insufficient in two years.

For tokenized capital markets, the evidence standard is still forming. But the direction is clear. Self-generated records will not be sufficient indefinitely. Independent verification, independent attestation, and independently verifiable compliance evidence are the direction that every signal from regulators points toward.

The platforms that build this infrastructure now will be ahead of the standard when it formalizes. The platforms that wait will be building remediation plans. Enforcement history across multiple regulated markets confirms this pattern consistently. The infrastructure investment is always cheaper than the enforcement response.
