Transparency & Compliance

The compliance pack, in public.

Security tokens governed by Swiss law, issued under a base prospectus approved by the Liechtenstein Financial Markets Authority (FMA), out of a bankruptcy-remote Cayman SPV with an independent director, each token backed 1:1 by the underlying security at SEC-registered broker-dealers. Forward this page to your compliance team. Most teams sign off after one read.

The one-paragraph version

If your compliance team only reads one page, this is it. The structure, the instrument, and the insolvency-remote design that protects holders.

Token governing law

Switzerland

Swiss-law structured notes

Prospectus

FMA-approved

Liechtenstein · EEA passportable

Issuer

Cayman SPV

Bankruptcy-remote · independent director

Backing

1:1 at SEC-registered BDs

IB + Alpaca · Rule 15c3-3 segregation

3

Independent audits

Sherlock · Halborn · Cantina

Daily 00:00 UTC

Merkle-root cadence

Per-block on-chain attestation

$0.01

Reconciliation tolerance

Zero on unit count

Up to $500K

Bug bounty (critical)

Coordinated disclosure

3 chains

Live deployment

Base · Arbitrum · Ethereum

Flo issues blockchain-based structured notes, on-chain certificates that track publicly traded equities one-to-one. The notes are governed by Swiss law and issued under a base prospectus filed in Liechtenstein and approved by the Liechtenstein Financial Markets Authority (FMA), which is passportable across the EEA under the EU Prospectus Regulation. Each note is backed 1:1 by the underlying security held in an institutional custody account at a SEC-registered broker-dealer under SEC Rule 15c3-3 segregation, on behalf of a bankruptcy-remote SPV incorporated in the Cayman Islands. The SPV has a trust-like shareholding arrangement and is governed by an independent director, keeping the issuance vehicle structurally separate from Flo's operating company. Distribution is B2B to integrators, fintechs, exchanges, neobanks, institutional clients, and startups, each of whom completes a one-time business KYC and handles jurisdictional compliance and user-level KYC for their own end users.

Go deeper

Three dedicated pages for the evidence behind the claims on this one.

Entity & Regulatory Structure

SPV design

Holder assets sit inside an SPV with a trust-like shareholding arrangement and an independent director on the board. The issuance vehicle is structurally separate from Flo's operating company, a common institutional pattern for bankruptcy remoteness.

Trust-like shareholding arrangement
    │   Holds 100% of the shares of the issuance SPV in a
    │   standard structure.
    │
    │   Holds ↓
    │
Flo Issuance SPV  (Cayman Islands)
    │   Bankruptcy-remote SPV. Independent director
    │   appointed to the board. Sole purpose: issuance and
    │   administration of blockchain-based structured notes
    │   backed 1:1 by the underlying security.
    │
    │   Beneficial owner of ↓
    │
Institutional custody accounts at SEC-registered broker-dealers
    ·   Interactive Brokers LLC  (primary)
    ·   Alpaca Securities LLC    (secondary, for business continuity)
    ·   SIPC-covered. Customer property segregated under Rule 15c3-3.

Flo Finance  (operating company)
    ·   Employees, IP, vendor contracts, technology platform.
    ·   Provides services to the SPV under an arm's-length agreement.
    ·   Has no ownership interest in the SPV.

Flo Issuance SPV (Cayman)

SPV with a trust-like shareholding arrangement, governed by an independent director. Dedicated to the single purpose of issuing blockchain-based structured notes and administering the institutional custody chain that backs them.

Flo Finance (operating co)

Builds and operates the Flo platform under a services agreement with the SPV. Structurally separate from the issuance vehicle, any operating-company outcome is contained to Flo Finance and leaves the SPV and its note holders unaffected.

Cayman Structured Notes

Blockchain-based certificates

Each Flo token is a blockchain-based structured note issued by the Cayman SPV. The note tracks the economic performance of the underlying equity one-to-one and is fully backed by that same security held in an institutional custody account at a SEC-registered broker-dealer.

Instrument

Structured note

A blockchain-based structured note, an on-chain certificate issued by the SPV, representing direct entitlement to the economic performance of one specified underlying security.

Backing

1:1 backed

Each note is backed 1:1 by the underlying security held in a dedicated institutional custody account at a SEC-registered broker-dealer, held for the benefit of the SPV and its note holders.

Ledger integrity

Audited · On-chain

Independently audited smart contracts record issuance, transfers, and redemptions. The blockchain ledger itself is the authoritative record of ownership; secondary transfers are permissionless on-chain.

Holder rights

Total-return

Note holders have direct contractual entitlement to the total-return performance of the underlying. Cash dividends, coupons, and similar distributions are reinvested into more of the underlying by the SPV; token supply stays the same and NAV per token rises. On-chain transfer effects transfer of the note.

Bankruptcy remoteness

SPV · Rule 15c3-3

The SPV is a structure with a trust-like shareholding arrangement and an independent director on the board. Underlying assets sit in segregated customer accounts at the BD under SEC Rule 15c3-3, keeping them separate from both Flo the operating company and the BD's own estate.

Pass-through economics

One-to-one

Each note tracks one underlying security, one-to-one. Dividends and corporate actions flow through to note holders directly. This is a straightforward entitlement structure, a clean, single-name certificate rather than a managed or pooled product.

Cayman is the standard jurisdiction for structured-note issuance vehicles across institutional finance. The SPV pattern, trust-like shareholding plus an independent director, gives holders a clean, bankruptcy-remote issuer while keeping operational risk at Flo Finance where it belongs.

Custody & Broker-Dealer Chain

Dual-broker redundancy

The underlying security is protected by SEC Rule 15c3-3 customer-asset segregation at the broker-dealer. Flo maintains two independent broker relationships, Interactive Brokers as primary and Alpaca as secondary, so the issuance chain remains operational if either relationship becomes unavailable. One broker is always sufficient; the second is there for business continuity.

Interactive Brokers LLC

Primary

SIPC Member

$500K protection

FINRA Member

Full compliance

Publicly Traded

IBKR (Nasdaq)

Client Accounts

2.6M+

FIX API · Real-time reconciliation

Alpaca Securities LLC

Secondary

SIPC Member

$500K protection

FINRA Member

Full compliance

Regulator

SEC-registered BD

Fractional Support

Native

REST API · Redundant execution path

Chain of legal title

1

Note holder → Flo Issuance SPV

Direct contractual entitlement to the economic performance of the underlying security, issued by a bankruptcy-remote SPV with a trust-like shareholding arrangement and an independent director on the board.

2

Flo Issuance SPV → underlying asset at the BD

SEC Rule 15c3-3 customer protection: customer securities and cash are segregated from the BD's own property, held for the benefit of the SPV and its note holders.

Security Agent

Ankura Trust

Role

Holds first-priority perfected security interest in all collateral backing Flo positions.

Enforcement

Authorized to initiate liquidation upon LTV breach, ensuring lender protection at all times.

Independence

Operates separately from Flo with independent governance and decision-making authority.

Reporting

Real-time collateral monitoring via API with continuous position and valuation feeds.

On-chain Custody

ForDefi MPC

MPC Custody Solution

Threshold signing with hardware-secured shards. No single private key ever exists in full form.

SOC 2 · ISO 27001

ForDefi is SOC 2 Type II and ISO 27001 certified. Independent attestation of custody controls.

Policy engine

Transaction policies with allowlists, co-signing thresholds, and time delays on high-value operations.

Attestation

Independent · Continuous

Monthly independent attestation of backing. On-chain proof of reserves verifiable against signed custodian records. The closest thing to continuous proof of reserves this asset class permits.

Reserve Attestation

Monthly

Independent verification that on-chain Flo token supply matches the custodied underlying at Interactive Brokers and Alpaca. Reports total tokens per series, total held per CUSIP, and any delta with explanation.

Proof of Reserves

Continuous

Merkle-tree proof published on-chain. Signed attestations from the custodian are cryptographically verifiable against the on-chain supply.

Smart Contract Audits

On-chain + half-yearly retest

Three independent audits of all smart contract logic and state transitions: Sherlock, Halborn, and Cantina. Audits run on every on-chain change and are supplemented by a scheduled half-yearly retest on the full contract surface.

SOC 2 Type II

In progress

Enterprise-grade security, availability, and confidentiality controls independently assessed. Year-1 observation window under way; bridge letter available on completion.

Smart Contract Security

Triple Audit

Independent audits from Sherlock, Halborn, and Cantina.

Bug Bounty

Up to $500K for critical vulnerabilities, operated directly by Flo.

Formal Verification

Mathematically proven correctness on core settlement and liquidation contracts.

Time-Locked Governance

All governance changes subject to a 72-hour delay before execution.

Emergency Pause

Any member of the independent security council can trigger an emergency pause. Unpause requires a higher threshold, 4/7 multisig, so recovery is deliberate and well-reviewed.

Sanctions Enforcement

OFAC-sanctioned addresses are hard-denied at the token contract level.

Security & Operations

SOC 2 in progress · ISO 27001 roadmap

Production access, change management, secrets, monitoring, incident response, business continuity. The operational controls behind the attestations.

Production access

SSO, hardware MFA (WebAuthn only), scoped IAM roles. No shared credentials. No long-lived keys in environments.

Change management

All production changes via PR with two-reviewer approval. CI/CD with signed releases; artifact provenance recorded.

Secrets management

AWS Secrets Manager and Vault. No secrets in code or env files. Rotation enforced on schedule and on departure.

Logging and monitoring

Centralised SIEM with 24/7 on-call rotation. Security alerting pipelines independent from application alerting.

Incident response

Documented runbook, tested quarterly. Material-incident disclosure to partners within 24 hours; full post-mortem within 5 business days.

Business continuity

Multi-region active-passive. RTO 4 hours, RPO 5 minutes for issuance and redemption. Failover tested quarterly.

Penetration testing

Annual third-party pen test on application and infrastructure. Executive summaries available on request; retest confirmation on all critical findings.

Vendor risk

Vendor diligence run on any counterparty with access to production data or systems. Annual re-review; SOC 2 / ISO certs required for critical vendors.

Bug bounty

Program operated directly by Flo, covering issuance contracts, the mint/redeem API, and the web surface. Up to $500K for critical.

Jurisdictions, KYC & AML

Cayman AML

KYC on end users is performed by the integrator, fintech, exchange, neobank, institutional client, or startup, to the standard of the user's jurisdiction. Flo Issuance SPV runs entity-level AML (business KYC) on its direct counterparties to Cayman AML Regulations standard, under CIMA oversight for the SPV's AML program.

End-user KYC

Performed by the integrator (fintech, exchange, neobank, institutional client, or startup) to the standard of the user's jurisdiction. Flo receives no end-user PII.

Entity-level AML

Counterparty diligence on BDs, partners, and banking relationships run to Cayman AML Regulations standard with CIMA-aligned AML officer appointments.

Sanctions screening

OFAC, EU, UK, UN, and Cayman FRA lists. Onboarding plus continuous daily re-screening.

Wallet screening

Chainalysis / address risk screening on every mint and redemption flow.

Contract-level denylist

OFAC-sanctioned addresses hard-blocked at the token contract level. Not just off-chain policy.

Travel rule

Integrators are responsible for travel-rule compliance at the user layer. Flo provides the attestation data they need to comply.

Compliance Architecture

The responsibility split between Flo and the integrator. Knowing which obligations you inherit, and which you don't, is usually the first thing your compliance team wants clarified.

What Flo Does

  • Cayman structured-note issuance and administration
  • On-chain audit trail and immutable settlement records
  • Custody chain into Interactive Brokers and Alpaca
  • Proof of reserves and monthly attestations
  • Collateral enforcement via independent security agent
  • Entity-level AML on direct counterparties (Cayman AML Regulations)
  • Contract-level OFAC sanctions enforcement
  • API rate limits and operational security

What You Control

  • KYC and AML of your end users
  • Geographic restrictions and allowlisting
  • User onboarding experience
  • Regulatory licensing in your jurisdiction
  • Tax reporting and statements to users
  • User-facing disclosures and suitability
  • Travel-rule reporting at the user layer
  • User-relationship-level data controllership

Frequently Asked

The questions compliance teams ask most often on first calls.

What if Flo the company fails?
The issuance vehicle is a separate, bankruptcy-remote Cayman SPV with an independent director and a trust-like shareholding arrangement. Flo Finance has no ownership interest in the SPV; it provides services under an arm's-length agreement. Any outcome at the operating company is contained there. Note holders retain their direct entitlement from the SPV, and the underlying remains segregated at the broker-dealer under SEC Rule 15c3-3.
Is this a stablecoin or an E-money token under MiCA?
No. Flo tokens are transferable securities under MiFID II, issued as Swiss-law structured notes and documented under the EU Prospectus Regulation via the FMA-approved Liechtenstein base prospectus. MiCA expressly excludes transferable securities (Article 2(4)(a)), so MiCA's stablecoin and E-Money Token classifications do not apply.
What happens on a corporate action: dividend, split, M&A?
Flo runs a total-return model. Token supply changes only on mint and redeem; every other economic event at the underlying flows through NAV per token. (a) Cash dividends: the SPV's broker receives the dividend net of any applicable issuer-country withholding tax, reinvests the net cash into more of the same underlying, and the resulting higher shares-per-token ratio is reflected in NAV per token. Token supply stays the same; NAV per token rises by the corresponding amount, captured in the next /v1/positions read and the next proof-of-reserves snapshot. Holders receive the dividend value as token-price appreciation, and can convert any portion to cash via the redeem endpoint at any time. (b) Stock splits: token supply stays the same. The SPV's share count adjusts by the split ratio (forward or reverse) and NAV per token reflects the new shares-per-token ratio. Dollar-value backing per token is preserved across the split. (c) Cash M&A: notes redeem at the deal price on closing; proceeds flow through the standard redeem rail. Stock-for-stock M&A: the SPV receives the new issuer's shares and the note continues to track the new entity. Special dividends, scrip dividends, and rights issues follow the same accumulating treatment: proceeds reinvest into the underlying and NAV per token captures the value. Bond coupons and money-market accruals follow the same rule: the SPV reinvests, token supply stays the same, and NAV per token accrues.
Is Flo regulated?
Yes. Security tokens governed by Swiss law, issued under a base prospectus approved by the Liechtenstein Financial Markets Authority (FMA) and passportable across the EEA, out of a bankruptcy-remote Cayman SPV. Underlying securities are held at SEC-registered broker-dealers under Rule 15c3-3 segregation. Full document pack available under NDA via compliance@flo.finance.
Can US persons hold the tokens?
No. Flo does not serve US persons. The token contracts allowlist non-US wallets only, and integrators are responsible for enforcing the same gating at their own user-onboarding layer. Distribution is to non-US users via integrators in their respective jurisdictions.
What's the recovery process if a wallet's keys are lost?
Token custody sits with the integrator and their end users; Flo does not custody token-holder wallets. EOA (single-key) wallets are not recoverable: if the private key is lost, the assets at that address are permanently inaccessible. Flo strongly recommends threshold-MPC wallets for any institutional integrator (typical configurations are 5-of-7 or 3-of-5), which let any quorum of remaining key-holders rotate a lost or compromised key without any loss of access. Compatible MPC platforms are widely available; integrators choose the one that fits their team and compliance posture.
Is there a separate transfer agent?
No. Tokens transfer permissionlessly on-chain, and the blockchain ledger itself acts as the authoritative record of ownership. There is no separate transfer-agent register parallel to the chain.

Compliance-ready from the first call.

Forward this page to your compliance team. Request the full document pack, legal opinion, SOC 2, pen tests, attestations, under NDA. One business day turnaround.