Skip to main content

Compliance Enforcement Process

Purpose

On-chain compliance actions against a target address: freeze / unfreeze, and seize. Applies to both EVM (public) and ZK (encrypted) addresses.

The token contract enforces a freeze precondition on seize — seizePublic reverts with AddressNotFrozen(), seizeEncrypted with EpkNotFrozen(). There is no path to seize without a prior freeze.

The Chainalysis sanctions oracle provides a separate automatic OFAC layer at the contract level, independent of this process.

Enforcement Actions

Freeze (reversible)

Bidirectional immobilisation — blocks inbound and outbound on the public layer (freezeAddress) and the encrypted layer (freezeEpk). The whitepaper-disclosed "block" and "freeze" features are one mechanism. Reversed by unfreeze. Bidirectional blocking is intentional: it pins a stable balance so a downstream seize can rely on a settled snapshot.

Seize (one-way, freeze-gated)

Moves a specified amount from a frozen target to a destination set by the order:

  • Public seize (seizePublic) — forced ERC-20 transfer between public addresses.
  • Encrypted seize (seizeEncrypted) — drains encrypted balance from the target EPK and mints public tokens to the destination. The contract has no view into the encrypted balance, so the seizer must obtain the plaintext amount off-chain via the TRC committee before signing (see Step 2).

Partial freezes are operationalised as a seize to an EMI-controlled address. No in-process reversal — return is the destination party's responsibility.

Trigger

Action is mandatory once a trigger is established; see Constraints for legal basis.

  • EMI-initiated — freeze on AML suspicion (Art. 16(2)), sanctions hit, Travel Rule Art. 23.
  • Authority-compelled — FCIS order (Art. 16(6)), prosecutor restriction (Art. 16(7)), supervisory order (Art. 36(1)(5)), court / MiCA Art. 94(3)(f). Seize is authority-compelled only — EMI cannot self-initiate seize.

Information sources: internal compliance flags, external reports, monitoring tooling, sanctions-list updates, law-enforcement communications.

Overview

  1. Compliance Officer creates an enforcement request (target, action, legal ground, rationale; for seize: destination and amount).
  2. For ZK seize only — Compliance Officer requests decryption from the TRC committee; the response is logged on the request.
  3. Multisig signs on-chain:
    • Freeze / unfreeze → Compliance Multisig (2-of-3, Compliance Officer mandatory).
    • Seize → Seize Multisig (2-of-3).

To reverse a freeze, Compliance Officer creates a new unfreeze request through the same path. Seize has no in-process reversal.

Constraints

Whitepaper disclosure (holder-facing)

  • Whitepaper D.1 — smart contract controls: the token contract supports four compliance features disclosed to holders: (1) block an address from receiving tokens, (2) freeze tokens at an address (preventing outgoing transfers), (3) force transfer tokens from one address to another, (4) decode transaction histories and wallet addresses via the compliance quorum.
  • Whitepaper D.1 — grounds for action: the issuer may use these features when an address is associated with illegal activity or activity breaching holder obligations, or to comply with a lawful request from a competent authority.

Legal triggers — EMI-initiated (self-executing)

  • AML suspicionLT AML Act Art. 16(2): "nustatę, kad jų klientas atlieka įtartiną piniginę operaciją ar sandorį … privalo tą operaciją ar sandorį sustabdyti" (once suspicion is established, the EMI must suspend the operation).
  • EU sanctions listingLT Sanctions Act Art. 4(1): "All natural persons and legal persons must comply with and implement international sanctions implemented in the Republic of Lithuania"; Art. 6(1): "International sanctions imposed by directly applicable legal acts of the European Union shall be implemented in full."
  • Sanctions — prohibition on transactionsLT Sanctions Act Art. 7(1): "It shall be prohibited to conclude transactions … the performance whereof contradicts the international sanctions implemented in the Republic of Lithuania, with such transactions being null and void." Art. 7(2): "It shall be prohibited to perform, during the period of the implementation of international sanctions, the transactions and obligations the performance whereof contradicts the international sanctions." Art. 7(3): pre-existing obligations "must be terminated without delay."
  • Travel Rule sanctionsTravel Rule Art. 23: CASPs must have "internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures."

Legal triggers — authority-compelled

  • FCIS-ordered suspensionLT AML Act Art. 16(6): on receipt of an FCIS written instruction, the EMI "privalo nuo jame nurodyto laiko … iki 10 darbo dienų sustabdyti šias operacijas ar sandorius" (must suspend up to 10 working days).
  • Criminal-procedure restrictionLT AML Act Art. 16(7): temporary restriction of ownership rights under the Lithuanian Code of Criminal Procedure (Baudžiamojo proceso kodeksas), imposed by a prosecutor or pre-trial investigating body.
  • Supervisory-ordered freezeLT AML Act Art. 36(1)(5): "laikinas teisės finansų įstaigoms … disponuoti lėšomis … apribojimas"; operationalised by Art. 45(1)-(2).
  • Court / market-abuse freezeMiCA Art. 94(3)(f): BoL / national court may "request the freezing or sequestration of assets, or both."

Auto-resumption and lifting

  • Automatic 10-working-day resumptionLT AML Act Art. 16(7): freeze under Art. 16(2) or Art. 16(6) lifts automatically after 10 working days unless a criminal-procedure restriction is imposed.
  • FCIS written liftLT AML Act Art. 16(5): FCIS may lift before the 10-working-day expiry once legality of the operation is substantiated.
  • Sanctions freeze lifting — only on EU delisting or derogation under LT Sanctions Act Art. 11(1)(2).

Steps

The list of currently frozen addresses lives on-chain and is the source of truth. The backoffice maintains the request history.

Step 1 — Create Enforcement Request

Owner: Compliance Officer · Status: newawaiting_decryption (ZK seize) / awaiting_execution (other) / closed_dismissed

  • Compliance Officer creates a record with: target address, action type (freeze, unfreeze, seize), legal-ground tag (one of aml_art_16_2, fcis_art_16_6, criminal_procedure_art_16_7, sanctions_art_7, supervisory_art_36_1_5, court_mica_94_3_f, other), input source, rationale, evidence references.
  • For seize: also destination_address and destination_kind (emi_segregated / case_designated). seize_amount is set now for public seize; left blank for ZK seize and filled in Step 2.
  • Compliance Officer may instead dismiss; dismissal rationale is recorded.
  • Validations: target valid, action set, rationale present, legal ground present, input source recorded; for seize — destination set and target already frozen on-chain (mirrors the contract precondition).
  • Inline Known Addresses check surfaces partner / prior request / existing enforcement state.

Step 2 — Decryption Request (ZK seize only)

Owner: Compliance Officer · Status: awaiting_decryptionawaiting_execution

For ZK seize, the encrypted-layer balance is not visible on-chain. The seize amount must be obtained off-chain from the TRC committee before signing.

Compliance Officer sends the request to the TRC committee out-of-band (see TRC Committee) and, on response, records on the enforcement record:

  • seize_amount — plaintext balance returned by the committee (or a smaller amount per the order)
  • decryption_responded_at — timestamp
  • decryption_response_reference — pointer to the off-chain artefact (ceremony ID, signed receipt, ticket reference)

Step is skipped for public seize and for freeze / unfreeze.

Step 3 — Execute Action

Status: awaiting_executionclosed_executed

The backoffice prepares the on-chain transaction matching the request and routes it to the correct multisig:

  • Freeze / unfreezeOwner: Compliance Multisig (2-of-3, Compliance Officer mandatory). Co-signers independently review the case file before signing.
  • SeizeOwner: Seize Multisig (2-of-3). Co-signers independently review the case file and, for ZK seize, the recorded decryption response (amount, reference, timestamp).

The backoffice records: tx hash, block number, timestamp.

If the action is freeze and the legal-ground tag is aml_art_16_2 or fcis_art_16_6, the backoffice creates an auto-resumption record linked to the enforcement record.

End States

  • closed_executed — action executed on-chain.
  • closed_dismissed — Compliance Officer evaluated and decided not to act. Dismissal rationale recorded.

TRC Committee

External dependency outside backoffice scope. The TRC committee holds the threshold key required to decrypt encrypted-layer balances. Membership, threshold, key-rotation protocol, and committee operating procedure are managed separately and not modelled here.

The backoffice's only role is to log the committee's response on the enforcement request. Trust assumption: the response amount is correct — the contract cannot verify it, so the seizer signs against the recorded value.

Chainalysis Sanctions Oracle (Automatic Layer)

Independent of the manual freeze process above, the token contract integrates the Chainalysis sanctions oracle for automatic OFAC compliance:

  • On every transfer(from, to, amount), the contract queries the oracle: isSanctioned(from)? isSanctioned(to)?
  • If either is sanctioned → the transfer reverts automatically.
  • OFAC-sanctioned addresses are blocked at the contract level before any transfer executes. Compliance Officer doesn't need to manually freeze these.
  • Everything else (law enforcement, stolen funds, mixer exposure, internal flags) goes through the manual process above.
  • If an address is both oracle-sanctioned and manually frozen, both mechanisms apply independently. Removing one doesn't bypass the other.

Notes:

  • The oracle is maintained by Chainalysis and updated when the OFAC SDN list changes. We do not control its contents.
  • Oracle supports only public EVM addresses; ZK addresses are managed only via this process.

Relationship to Other Processes

  • Issuance / Redemption: mint/redemption apply the same on-chain gates. Issuance to or redemption from a frozen address fails on both sides. Oracle applies on every transfer.
  • Reserve Validation: frozen balances stay in supply. Encrypted seize drains the encrypted side and mints public tokens at the destination — total supply is preserved across the action. No impact on validation.

SLAs

External (regulatory)

ParameterValueSource
Sanctions freeze / non-provision executionWithout delayLT Sanctions Act Art. 7(3)
FCIS-ordered suspension — maximum durationUp to 10 working daysLT AML Act Art. 16(6)
Automatic resumption absent Code-of-Criminal-Procedure restriction10 working days from suspension / FCIS orderLT AML Act Art. 16(7)

Internal

ParameterValue
Freeze execution (EMI-initiated AML suspicion)TBD — must be fast enough to satisfy Art. 16(2) 3-WH post-suspension reporting window
Freeze execution (sanctions hit)TBD — "without delay" (Art. 7(3)); internal target: within 1 hour of decision
Freeze execution (authority-compelled)Immediate on receipt of order
Unfreeze executionTBD — sources silent on numeric SLA; policy decision
Decryption request turnaround (TRC committee)TBD — depends on committee operating procedure
Seize execution after decryption / for publicTBD — policy decision

Reporting Duties

Enforcement actions trigger external reporting obligations that are Compliance Officer responsibilities outside the backoffice process and are not implemented as backoffice system flows:

  • SAR to FCIS — LT AML Act Art. 16(1): "nedelsdami, ne vėliau kaip per vieną darbo dieną" (no later than 1 working day).
  • Post-suspension FCIS report — LT AML Act Art. 16(2): "ne vėliau kaip per 3 darbo valandas nuo piniginės operacijos ar sandorio sustabdymo" (no later than 3 WH from suspension).
  • Travel Rule failure report — Travel Rule Art. 17(2): "report that failure, and the steps taken, to the competent authority."
  • Sanctions data to competent authority — LT Sanctions Act Art. 12(1): data "in accordance with the procedure and within the time limits laid down by the Government."

Tipping-Off Ban

LT AML Act Art. 23(3): "draudžiama pranešti klientui ar kitiems asmenims, kad informacija … pateikta Finansinių nusikaltimų tyrimo tarnybai." (The holder and any third party must not be told that the information was provided to FCIS.)

This governs Compliance Officer's external communication and is not enforced by the backoffice system — the on-chain action and backoffice records are internal; any customer-facing messaging is handled separately by Compliance Officer.

Auto-Resumption

Freezes entered under LT AML Act Art. 16(2) (EMI-initiated) or Art. 16(6) (FCIS-ordered) must automatically lift after 10 working days unless a criminal-procedure restriction is imposed within that window. Art. 16(5) allows FCIS to issue a written lift before expiry. Partial freezes operationalised as seize follow the auto-resumption rules of the underlying freeze.

Auto-resumption record

Every freeze executed under aml_art_16_2 or fcis_art_16_6 automatically creates a child auto-resumption record at Step 3 with:

  • enforcement_id — reference to the originating freeze
  • freeze_execution_timestamp — block timestamp at which the freeze executed
  • statusopenresolved
  • resolution — set on close (see resolutions below)
  • resolution_notes — free-text reference

Compliance Officer review

Compliance Officer reviews the list of open auto-resumption records (dashboard) and resolves each with one of:

  • criminal_procedure_restriction_received — prosecutor restriction imposed under the Code of Criminal Procedure. Freeze continues under the new ground; Compliance Officer records the case reference. No new on-chain action required.
  • fcis_written_lift — FCIS Art. 16(5) written lift received. Compliance Officer files a new unfreeze enforcement request.
  • 10wd_expiry_unfreeze — 10 working days elapsed without a restriction. Per Art. 16(7), Compliance Officer files a new unfreeze request.
  • other — e.g. freeze already lifted for an unrelated reason; Compliance Officer records the reason.

Closing the auto-resumption record is bookkeeping — the auto-resumption record does not itself trigger an on-chain action. The actual unfreeze (if needed) must be triggered manually by Compliance Officer through the normal enforcement process (a new unfreeze request, signed by the Compliance Multisig).

Out of scope for auto-resumption

Sanctions freezes (LT Sanctions Act Art. 7), supervisory freezes (Art. 36(1)(5)), and court freezes (MiCA Art. 94(3)(f)) do not create an auto-resumption record. Lifting is event-driven by the authority that imposed the freeze.

Appeals

A holder subject to a block / freeze may appeal. The EMI must examine the complaint per LT EMI Law Art. 29(1): "An electronic money institution must examine a written complaint of an electronic money holder and, not later than within 15 working days from the receipt of the complaint, provide on paper or … on another durable medium a detailed, reasoned and documented response to the complaint."

Complaints handling is out of scope of this process — tracked by the Complaints-Handling Function (LT EMI Law Art. 29). Where a complaint materially contests the factual basis of an enforcement action, Compliance Officer reviews the case file and decides whether to uphold, modify, or lift the action.

The appeal procedure must be disclosed to holders in the whitepaper. MiCA Annex III Part D §2: "A description of the conditions under which the rights and obligations may be modified"; §6: "The contact details for submitting complaints and description of the complaints-handling procedures and any dispute resolution mechanism or redress procedure established by the issuer of the e-money token."

Open Decisions

DecisionSuggestedNotes
Periodic review of active freezesTBDNo specific regulatory requirement found. Possibly good governance practice.
Freeze impact on partner statusTBDIf a partner's whitelisted wallet is frozen, should the partner be auto-suspended?
Backend-bug credit correctionTBDNot an enforcement action — no regulatory ground. Current thinking: treat as a DORA ICT-related incident (Art. 17) with a documented reversal, separate from this process.
Seize Multisig staffingTBDComposition of the Seize Multisig — see Roles & Segregation.
TRC response verificationTBDShould the backoffice require a co-sign or signed receipt from the TRC committee, or rely on the off-chain response reference alone? Currently no on-chain verification path.