Permuto
In standard software development, compliance is a layer you add. In regulated environments, compliance is the architecture.
Industry: Fintech, Compliance | Stack: Solidity, ERC-20, KYC/AML, Node.js | Status: Production, Active Use | Client: Confidential | Delivery: On time, audit-passed
what Permuto is
Permuto is a production asset tokenization platform built for a regulated fintech client on the Chia blockchain. It manages the full lifecycle of regulated digital assets: issuance, transfer, compliance verification, and audit-ready record keeping. KYC/AML checks are built into the transaction workflow itself. Users cannot complete regulated actions without verified identity status, and every action that matters produces an audit log entry suitable for regulatory review.
This is a live, deployed system in active use. Specific client details are confidential.
when the architecture is the compliance
Regulated fintech is a different engineering problem than standard software. The difference is not "add more security." Every architectural decision, from data models to access control to logging structure to failure modes, has to satisfy regulatory requirements. Retrofit does not work. A system designed for compliance from day one has fundamentally different internals than one with a compliance layer bolted on afterward.
Most teams learn this the hard way: they build the system, then try to make it compliant, and end up rebuilding significant parts of it.
Permuto was scoped with that principle from the first design session. The compliance requirements were not a checklist reviewed before launch. They were the architectural constraints that shaped every component. Identity verification, transaction record integrity, access controls, and audit logging were designed as core system features from the start.
The client also had executive stakeholders who were technically informed and operationally invested, which meant tradeoffs had to be explained honestly and positions had to hold up under real scrutiny. That is a different dynamic than typical agency work, and not every team handles it well.
what we built
The smart contracts implement ERC-20 and custom extension interfaces with added access control, transfer restrictions, and event logging sized for the regulatory requirements of the use case. Smart contract development in a regulated context carries higher scrutiny than standard Web3 builds. Exploits or edge cases carry legal consequences alongside financial ones. For context, smart contract audits for regulated token issuance platforms typically run $20,000 to $150,000 depending on complexity (Hacken/CertiK, 2025).
The architecture separates concerns between on-chain and off-chain layers. On-chain handles immutable records, enforced state transitions, and auditable history. The off-chain layer handles identity verification, regulatory documentation, PII storage, and flexible query interfaces: the things blockchains are genuinely bad at. The bridge between these layers, specifically how on-chain events trigger off-chain compliance checks and how off-chain state controls on-chain authorization, is the real engineering problem in any regulated tokenization system. It is where most implementations break down.
KYC/AML verification is a persistent state, not a one-time onboarding step. Verification status is stored, updated on re-verification cycles, and propagated to the transaction authorization layer. The system enforces compliance programmatically rather than relying on manual process adherence. It integrates with third-party identity verification providers (Persona, Onfido, Sumsub, or equivalent) through a state machine that tracks verification status across its full lifecycle.
Every action is scoped to a role. Administrative, compliance, and user functions have different access boundaries enforced at both the application layer and the smart contract layer. The audit log captures who acted, when, under what authorization, and what their verification status was at the time.
Architecture:
- Smart contracts: ERC-20 standard with custom extensions for regulated transfer restrictions and event logging
- On-chain layer: immutable transaction records, state enforcement, auditable history
- Off-chain layer: KYC/AML verification, regulatory documentation, PII storage (Node.js)
- Bridge layer: on-chain/off-chain state synchronization and authorization propagation
- Identity verification: API integration with third-party KYC/AML providers
- Role-based access control: application-level and contract-level enforcement
- Audit logging: complete, retrievable records of every significant action
key capabilities
- Regulated token issuance: smart contracts with transfer restrictions, access control, and event logging designed for regulatory compliance
- KYC/AML integration: identity verification built into the transaction workflow, not added as a separate onboarding step
- Dual-layer architecture: on-chain integrity for immutable records, off-chain compliance for identity and regulatory documentation
- Audit-ready logging: every action recorded with full context, including actor, timestamp, authorization level, and verification status
- Role-based access: application and contract-level access boundaries for administrative, compliance, and user functions
- Executive delivery: direct accountability to technically informed leadership with transparent reporting
results
- Production system in active use with a regulated fintech client
- Delivered on time against commitments made at the executive level
- Passed regulatory audit, which is the actual test for this kind of work
- Clean on-chain/off-chain separation enabling both immutable records and flexible compliance controls
- KYC/AML verification state machine enforcing compliance programmatically across all regulated actions
- Ongoing client relationship following successful delivery