Trust & Compliance

Institutional-Grade Trust Stack

Blockchain-based structured notes, issued by a bankruptcy-remote SPV in the Cayman Islands with an independent director, each backed 1:1 by the underlying security held in institutional custody accounts at SEC-registered broker-dealers. Distributed B2B to fintechs, exchanges, neobanks, institutional clients, and startups. Designed to be forwarded to your compliance team.

The one-paragraph version

If your compliance team only reads one page, this is it. The structure, the instrument, and the insolvency-remote design that protects holders.

Issuance jurisdiction

Cayman Islands

SPV · independent director

Issuer

Bankruptcy-remote SPV

structure with trust-like shareholding

Backing

1:1 at SEC-registered BDs

IB + Alpaca

Distribution

B2B integrators

Fintechs, exchanges, neobanks, institutional clients, startups

Flo issues blockchain-based structured notes — on-chain certificates that track publicly traded equities one-to-one. Each note is backed 1:1 by the underlying security held in an institutional custody account at a SEC-registered broker-dealer, on behalf of a bankruptcy-remote SPV incorporated in the Cayman Islands. The SPV has a trust-like shareholding arrangement and is governed by an independent director, keeping the issuance vehicle structurally separate from Flo's operating company. Distribution is B2B to integrators — fintechs, exchanges, neobanks, institutional clients, and startups — each of whom completes a one-time business KYC and handles jurisdictional compliance and user-level KYC for their own end users.

Go deeper

Three dedicated pages for the evidence behind the claims on this one.

Entity & Regulatory Structure

SPV design

Holder assets sit inside an SPV with a trust-like shareholding arrangement and an independent director on the board. The issuance vehicle is structurally separate from Flo's operating company — a common institutional pattern for bankruptcy remoteness.

Trust-like shareholding arrangement
    │   Holds 100% of the shares of the issuance SPV in a
    │   standard structure.
    │
    │   Holds ↓
    │
Flo Issuance SPV  (Cayman Islands)
    │   Bankruptcy-remote SPV. Independent director
    │   appointed to the board. Sole purpose: issuance and
    │   administration of blockchain-based structured notes
    │   backed 1:1 by the underlying security.
    │
    │   Beneficial owner of ↓
    │
Institutional custody accounts at SEC-registered broker-dealers
    ·   Interactive Brokers LLC  (primary)
    ·   Alpaca Securities LLC    (secondary, for business continuity)
    ·   SIPC-covered. Customer property segregated under Rule 15c3-3.

Flo Holdings  (operating company)
    ·   Employees, IP, vendor contracts, technology platform.
    ·   Provides services to the SPV under an arm's-length agreement.
    ·   Has no ownership interest in the SPV.

Flo Issuance SPV (Cayman)

SPV with a trust-like shareholding arrangement, governed by an independent director. Dedicated to the single purpose of issuing blockchain-based structured notes and administering the institutional custody chain that backs them.

Flo Holdings (operating co)

Builds and operates the Flo platform under a services agreement with the SPV. Structurally separate from the issuance vehicle — any operating-company outcome is contained to Flo Holdings and leaves the SPV and its note holders unaffected.

Cayman Structured Notes

Blockchain-based certificates

Each Flo token is a blockchain-based structured note issued by the Cayman SPV. The note tracks the economic performance of the underlying equity one-to-one and is fully backed by that same security held in an institutional custody account at a SEC-registered broker-dealer.

Instrument

Structured note

A blockchain-based structured note — an on-chain certificate issued by the SPV, representing direct entitlement to the economic performance of one specified underlying security.

Backing

1:1 backed

Each note is backed 1:1 by the underlying security held in a dedicated institutional custody account at a SEC-registered broker-dealer, held for the benefit of the SPV and its note holders.

Ledger integrity

Audited · On-chain

Independently audited smart contracts record issuance, transfers, and redemptions. The on-chain ledger is the authoritative record of ownership, maintained alongside the off-chain note register kept by the transfer agent.

Holder rights

Pass-through

Note holders have direct contractual entitlement to the economic performance of the underlying — price exposure, dividends, and other corporate action proceeds. On-chain transfer effects transfer of the note.

Bankruptcy remoteness

SPV · Rule 15c3-3

The SPV is a structure with a trust-like shareholding arrangement and an independent director on the board. Underlying assets sit in segregated customer accounts at the BD under SEC Rule 15c3-3, keeping them separate from both Flo the operating company and the BD's own estate.

Pass-through economics

One-to-one

Each note tracks one underlying security, one-to-one. Dividends and corporate actions flow through to note holders directly. This is a straightforward entitlement structure — a clean, single-name certificate rather than a managed or pooled product.

Cayman is the standard jurisdiction for structured-note issuance vehicles across institutional finance. The SPV pattern — trust-like shareholding plus an independent director — gives holders a clean, bankruptcy-remote issuer while keeping operational risk at Flo Holdings where it belongs.

Custody & Broker-Dealer Chain

Dual-broker redundancy

The underlying security is protected by SEC Rule 15c3-3 customer-asset segregation at the broker-dealer. Flo maintains two independent broker relationships — Interactive Brokers as primary and Alpaca as secondary — so the issuance chain remains operational if either relationship becomes unavailable. One broker is always sufficient; the second is there for business continuity.

Interactive Brokers LLC

Primary

SIPC Member

$500K protection

FINRA Member

Full compliance

Publicly Traded

IBKR (Nasdaq)

Client Accounts

2.6M+

FIX API · Real-time reconciliation

Alpaca Securities LLC

Secondary

SIPC Member

$500K protection

FINRA Member

Full compliance

Regulator

SEC-registered BD

Fractional Support

Native

REST API · Redundant execution path

Chain of legal title

1. Note holder → Flo Issuance SPV

Direct contractual entitlement to the economic performance of the underlying security, issued by a bankruptcy-remote SPV with a trust-like shareholding arrangement and an independent director on the board.

2. Flo Issuance SPV → underlying asset at the BD

SEC Rule 15c3-3 customer protection — customer securities and cash are segregated from the BD's own property, held for the benefit of the SPV and its note holders.

Security Agent

Ankura Trust

Role

Holds first-priority perfected security interest in all collateral backing Flo positions.

Enforcement

Authorized to initiate liquidation upon LTV breach, ensuring lender protection at all times.

Independence

Operates separately from Flo with independent governance and decision-making authority.

Reporting

Real-time collateral monitoring via API with continuous position and valuation feeds.

On-chain Custody

ForDefi MPC

MPC Custody Solution

Threshold signing with hardware-secured shards. No single private key ever exists in full form.

SOC 2 · ISO 27001

ForDefi is SOC 2 Type II and ISO 27001 certified. Independent attestation of custody controls.

Policy engine

Transaction policies with allowlists, co-signing thresholds, and time delays on high-value operations.

Attestation

Independent · Continuous

Monthly independent attestation of backing. On-chain proof of reserves verifiable against signed custodian records. The closest thing to continuous proof of reserves this asset class permits.

Reserve Attestation

Monthly

Independent verification that on-chain Flo token supply matches the custodied underlying at Interactive Brokers and Alpaca. Reports total tokens per series, total held per CUSIP, and any delta with explanation.

Proof of Reserves

Continuous

Merkle-tree proof published on-chain. Signed attestations from the custodian are cryptographically verifiable against the on-chain supply.

Smart Contract Audits

On-chain + half-yearly retest

Three independent audits of all smart contract logic and state transitions — Sherlock, Hellborn, and Cantina. Audits run on every on-chain change and are supplemented by a scheduled half-yearly retest on the full contract surface.

SOC 2 Type II

In progress

Enterprise-grade security, availability, and confidentiality controls independently assessed. Year-1 observation window under way; bridge letter available on completion.

Smart Contract Security

Triple Audit

Independent audits from Sherlock, Hellborn, and Cantina.

Bug Bounty

Up to $500K for critical vulnerabilities, operated directly by Flo.

Formal Verification

Mathematically proven correctness on core settlement and liquidation contracts.

Time-Locked Governance

All governance changes subject to a 72-hour delay before execution.

Emergency Pause

Any member of the independent security council can trigger an emergency pause. Unpause requires a higher threshold — 4/7 multisig — so recovery is deliberate and well-reviewed.

Sanctions Enforcement

OFAC-sanctioned addresses are hard-denied at the token contract level.

Security & Operations

SOC 2 in progress · ISO 27001 roadmap

Production access, change management, secrets, monitoring, incident response, business continuity. The operational controls behind the attestations.

Production access

SSO, hardware MFA (WebAuthn only), scoped IAM roles. No shared credentials. No long-lived keys in environments.

Change management

All production changes via PR with two-reviewer approval. CI/CD with signed releases; artifact provenance recorded.

Secrets management

AWS Secrets Manager and Vault. No secrets in code or env files. Rotation enforced on schedule and on departure.

Logging and monitoring

Centralised SIEM with 24/7 on-call rotation. Security alerting pipelines independent from application alerting.

Incident response

Documented runbook, tested quarterly. Material-incident disclosure to partners within 24 hours; full post-mortem within 5 business days.

Business continuity

Multi-region active-passive. RTO 4 hours, RPO 5 minutes for issuance and redemption. Failover tested quarterly.

Penetration testing

Annual third-party pen test on application and infrastructure. Executive summaries available on request; retest confirmation on all critical findings.

Vendor risk

Vendor diligence run on any counterparty with access to production data or systems. Annual re-review; SOC 2 / ISO certs required for critical vendors.

Bug bounty

Program operated directly by Flo, covering issuance contracts, the mint/redeem API, and the web surface. Up to $500K for critical.

Jurisdictions, KYC & AML

Cayman AML

KYC on end users is performed by the integrator — fintech, exchange, neobank, institutional client, or startup — to the standard of the user's jurisdiction. Flo Issuance SPV runs entity-level AML (business KYC) on its direct counterparties to Cayman AML Regulations standard, under CIMA oversight for the SPV's AML program.

End-user KYC

Performed by the integrator (fintech, exchange, neobank, institutional client, or startup) to the standard of the user's jurisdiction. Flo receives no end-user PII.

Entity-level AML

Counterparty diligence on BDs, partners, and banking relationships run to Cayman AML Regulations standard with CIMA-aligned AML officer appointments.

Sanctions screening

OFAC, EU, UK, UN, and Cayman FRA lists. Onboarding plus continuous daily re-screening.

Wallet screening

Chainalysis / address risk screening on every mint and redemption flow.

Contract-level denylist

OFAC-sanctioned addresses hard-blocked at the token contract level. Not just off-chain policy.

Travel rule

Integrators are responsible for travel-rule compliance at the user layer. Flo provides the attestation data they need to comply.

Compliance Architecture

The responsibility split between Flo and the integrator. Knowing which obligations you inherit — and which you don't — is usually the first thing your compliance team wants clarified.

What Flo Does

  • Cayman structured-note issuance and administration
  • On-chain audit trail and immutable settlement records
  • Custody chain into Interactive Brokers and Alpaca
  • Proof of reserves and monthly attestations
  • Collateral enforcement via independent security agent
  • Entity-level AML on direct counterparties (Cayman AML Regulations)
  • Contract-level OFAC sanctions enforcement
  • API rate limits and operational security

What You Control

  • KYC and AML of your end users
  • Geographic restrictions and allowlisting
  • User onboarding experience
  • Regulatory licensing in your jurisdiction
  • Tax reporting and statements to users
  • User-facing disclosures and suitability
  • Travel-rule reporting at the user layer
  • User-relationship-level data controllership

Frequently Asked

The questions compliance teams ask most often on first calls.

What if Flo the company fails?
The issuance vehicle is a separate, bankruptcy-remote Cayman SPV with an independent director and a trust-like shareholding arrangement. Flo Holdings has no ownership interest in the SPV — it provides services under an arm's-length agreement. Any outcome at the operating company is contained there. Note holders retain their direct entitlement from the SPV, and the underlying remains segregated at the broker-dealer under SEC Rule 15c3-3.
Is this a stablecoin or an e-money token under MiCA?
No. The tokens are structured notes referencing specific underlying securities — they don't reference the value of a fiat currency or basket. They sit outside MiCA scope, as MiCA expressly excludes transferable securities and similar financial instruments already covered under MiFID II.
What happens on a corporate action — dividend, split, M&A?
Economic entitlements pass through to note holders. Dividends are distributed per the note terms. Splits adjust note supply by a 1:n reissuance. Cash M&A redeems notes at the deal price.
Is Flo regulated?
Flo Issuance SPV operates under Cayman Islands law and Cayman AML Regulations, with CIMA oversight of the SPV's AML program. Distribution is B2B — integrators handle their own local compliance and user-level KYC in their jurisdictions. Flo operates the Cayman structured-note issuance framework that institutional arrangers have used for decades, extended to on-chain distribution.
Can US persons hold the tokens?
Not through Flo directly. US end-user distribution runs via a Reg D / Reg S-compliant pathway, accredited-only. The integrator handles that compliance; the token contract enforces allowlisting at the integration layer.
What's the recovery process if a user loses their wallet?
Recovery is the integrator's responsibility under its agreement with the end user. Flo maintains an off-chain note register, kept by the transfer agent, that supports authorised re-issuance after appropriate KYC re-verification and cooling periods.
Who is the transfer agent?
An independent transfer agent maintains the off-chain note register in parallel with the on-chain ledger. Name disclosed under NDA as part of the document pack.

Compliance-ready from the first call.

Forward this page to your compliance team. Request the full document pack — legal opinion, SOC 2, pen tests, attestations — under NDA. One business day turnaround.