How DALP applies per-asset compliance rules

Understand how DALP combines identity records, compliance modules, lifecycle hooks, and governance controls to decide whether regulated token operations can execute.

An asset policy is the per-token rule set DALP checks before a regulated mint, transfer, or burn changes balances. Use it to answer one question: can this asset perform this operation for these wallets and this amount right now?

The policy combines the token's identity registry, token compliance engine, active token-scoped compliance modules, system-level compliance modules, and module parameters. If any required check rejects the operation, DALP reverts before accepting the balance change.

Asset policy is not the same as custody policy. Asset policy explains the token rule set. Compliance and custody split separates on-chain eligibility checks from signer, wallet, and custody-provider approvals.

Recovery uses a different path. DALP checks the identity registry's lost-wallet relationship before moving a lost wallet's full balance to the replacement wallet. You should review recovery permissions separately from transfer rules because recovery does not prove that every ordinary transfer module approved the balance move.

What belongs to an asset policy

An asset policy is asset-scoped. Two assets can use the same deployed compliance module contract while carrying different parameters, such as different allowed countries, holding limits, approval windows, or claim-expression requirements.

Policy part	Scope	What it controls
Identity registry	Per asset	Which wallet maps to which OnchainID for this token.
Token compliance	Per asset reference	The token-bound compliance engine that evaluates token-scoped modules and delegates to system-level modules.
Compliance modules	Per asset list	Rule contracts active for this token, such as country restrictions, identity verification, investor limits, or transfer approval.
Module parameters	Per asset and per module	Settings the module reads when evaluating this token.
Module scope	Per installed binding	Optional filters that decide when a module instance applies. Empty scope means the module applies to all transfers.
Lifecycle hooks	Per operation	Post-operation calls that let stateful modules update counters, approval usage, holding periods, or issuance trackers.
Governance roles	Per asset and system	Which operators can add, remove, disable, enable, or reconfigure modules.

The module implementation and the asset configuration are separate. A module contract defines reusable logic. The asset policy decides whether that module is active for a given token, which parameters it receives, and whether any scope filters narrow the operations it checks.

Smallest example

A simple asset policy for a Belgian-only bond can be described as three checks:

The recipient wallet must map to an identity in the asset's identity registry.
The identity verification module must confirm the recipient has the required claim expression.
The country allow-list module must confirm the recipient's registered country is Belgium.

If Alice transfers the bond to Bob, DALP evaluates the policy before moving tokens:

transfer(Alice, Bob, 100)
  -> check Bob's token identity record
  -> run identity-verification module with this asset's claim parameters
  -> run country-allow-list module with this asset's country parameters
  -> run any system-level compliance modules
  -> move the balance only if all checks pass
  -> run lifecycle hooks after the balance change succeeds

This is the smallest useful mental model for integrators: configure the module list and parameters for the asset, then test the exact paths the asset will allow.

How DALP evaluates policy

For an ordinary regulated operation, DALP follows this order:

Resolve the token's current compliance module list and parameters.
Verify the relevant wallet identity through the token's identity registry.
Call each active token-scoped module for the requested token, sender, recipient, and amount.
Evaluate system-level modules that apply across bound tokens.
Revert if any required module rejects the operation.
Execute the token state change only after the checks pass.
Run lifecycle hooks so stateful modules can update counters, approval usage, holding periods, or issuance trackers.

The same policy model applies to ordinary issuance and destruction paths. Modules that only care about minting can inspect from == address(0). Modules that maintain state can use creation, transfer, and destruction hooks to update their accounting after the token operation succeeds.

Recovery is different. A custodian recovery checks the lost-wallet relationship in the identity registry, then executes the balance move as a forced update. During that forced update, DALP verifies the replacement wallet's identity, but it does not run the ordinary compliance-module canTransfer path. Treat recovery permissions, lost-wallet records, and operator approval as separate controls from ordinary transfer rules.

Rendering diagram...

How policy is configured

Asset policy can be set at creation time and changed later by governed roles. The same concept appears in three operator surfaces: asset creation, token compliance management, and platform compliance-module management.

Moment	What changes	What to verify
Create an asset	Initial module and parameter pairs are passed into token setup.	The selected modules and encoded parameters match the instrument, jurisdiction, and holder rules for that asset.
Change a live token policy	Governed operators install, disable, enable, uninstall, or reconfigure token-scoped modules.	The change was approved for that asset and the compliance engine accepts the new parameter payload before it becomes active.
Manage reusable module types	Platform operators make compliance-module implementations available to assets.	Making a module available does not by itself attach it to every token or rewrite stored asset parameters.

The token exposes its active module list and parameters so the compliance engine can evaluate the current policy at execution time.

For scoped module bindings, the live policy also includes the module scope. Scope is part of the binding, not just a UI filter. An empty scope means every transfer goes through that module instance. A narrowed scope means the module applies only to the operations covered by that binding. When operators update a scoped module, DALP can update the module parameters and scope together so the policy does not pass through a half-updated state.

This keeps reusable compliance logic separate from live asset configuration. Updating a template or module implementation does not silently rewrite every asset's stored policy parameters. Treat live policy changes as governed operational changes that require review and verification for the specific asset.

How to read a policy decision

When a policy blocks an operation, read the failed check by enforcement question rather than by module name alone. The same asset can combine broad eligibility rules, stateful limits, approval workflows, and backing checks.

Enforcement question	Typical policy mechanism	What the operator should inspect
Is this wallet eligible for this asset?	Identity verification, claim expressions, identity allow lists, identity block lists, or country restrictions.	The wallet's token identity record, current claims, issuer trust, and geography or list parameters for this asset.
Does this operation fit the asset's configured limits?	Supply limits, investor-count limits, issuance limits, or collateral checks.	The current counters, the requested mint or transfer amount, and the unit or threshold encoded for the active module.
Does this transfer need prior approval or a hold period?	Transfer approval and time-lock modules.	Approval authority records, expiry, consumed amount, approval mode, acquisition batches, and configured hold period.
Did the policy state update after a successful operation?	Lifecycle hooks after mint, transfer, or burn.	Counter updates, approval consumption, holding-period batches, and any hook failure that reverted the operation.

This makes the policy auditable without turning every module into a separate operating procedure. First identify the question the failed module answers, then verify the identity record, configured parameters, and lifecycle state for the affected asset.

Where custodian controls fit

Custodian controls protect balances through a separate role path from ordinary asset policy. The Custodian role can freeze a full address, freeze part of a wallet balance, unfreeze balances, force-transfer tokens, and recover a lost wallet to a replacement wallet. These controls handle exceptional cases. They do not replace the compliance modules that decide whether ordinary holder activity can proceed.

This split matters when you design an operating model:

Question	Use ordinary asset policy	Use custodian controls	Verify outside the token policy
Can this holder receive or transfer this asset?	Yes. Configure identity, country, holding-limit, transfer-approval, or other compliance modules.	No. A custody procedure should not be the normal eligibility test for holder transfers.	Check which wallet verification, signer selection, request approval, and provider custody rules must pass before signing.
Should a wallet be stopped during review?	Only if the compliance rule itself should reject the next ordinary operation.	Yes. Freeze the address or a partial amount while the operational review runs.	Check who can request the freeze, who signs it, which provider approval path applies, and how the operation is recorded.
Should an operator move assets without holder initiation?	No. Ordinary policy evaluates holder-initiated mint, transfer, and burn paths.	Yes, when the asset's governance and operating procedures permit a forced transfer or recovery.	Check the custody procedure for quorum, destination controls, exception approval, signer custody, and post-operation review evidence.

Ordinary transfers still check freeze state before they move balances. Forced updates deliberately use the custodian path instead of the normal transfer path, so the approval, evidence, and post-operation review for those controls belong in the operator's custody procedure.

Before publishing or approving an integration design, separate the controls by enforcement point:

Enforcement point	Verify
DALP asset policy	Active modules, module parameters, identity registry records, issuance limits, holding limits, approval windows, and lifecycle hooks for mint, transfer, and burn paths.
DALP custodian role	Which addresses can freeze, partially freeze, unfreeze, force-transfer, pause, unpause, or recover balances for the asset.
Application or custody provider	Wallet verification, signer custody, signing quorum, destination allowlists, amount limits, request approval, and custody-provider exception procedures.
Operating evidence	The approval record, actor identity, provider decision, transaction hash, and post-operation review evidence for each exceptional custody procedure.

DALP enforces the on-chain policy and custodian-role checks on the configured EVM token. Provider wallet, signing, approval, and custody policies sit outside the token compliance module. Treat them as required integration controls, not as implicit asset-policy behavior.

Where recovery fits

Lost-wallet recovery is related to asset policy because it changes balances, but it does not run as an ordinary transfer. The recovery path checks that the identity registry marks the source wallet as lost and maps it to the replacement wallet. The token then moves the full lost-wallet balance through a forced update and runs recovery hooks, including migration of full-freeze and partial-freeze state to the replacement wallet.

That distinction matters operationally:

Transfer approval modules are evaluated for ordinary transfers, not as the operator approval record for a wallet recovery.
Country, claim, and holding-limit modules should be tested against the mint, transfer, and burn paths they govern.
Recovery procedures need their own controls around identity recovery, custodian permissions, replacement-wallet verification, and post-recovery review.

Asset policy vs. token features

Asset policy and token features are different extension points.

Extension point	Purpose	Example
Asset policy	Decide whether ordinary regulated operations are allowed and update compliance state.	Country allow lists, identity verification, investor-count limits, transfer approvals, issuance caps.
Token features	Add ordered token behavior around configured feature contracts.	Feature hooks that affect token behavior beyond compliance-module checks.

Use compliance modules when the rule belongs to ordinary transfer, mint, or burn eligibility. Use recovery-specific procedures and roles for lost-wallet recovery controls. Use token features when the asset needs additional token behavior that is not simply a compliance rule.

What to check before production

Before using a policy on a live asset, verify:

The identity registry points to the intended identity records for the token.
Each active compliance module is required for the asset's jurisdiction, instrument, and operating model.
Every module parameter payload is encoded for that module's expected schema.
Stateful modules are tested across the full lifecycle they track, including mint, transfer, burn, and any recovery-side state migration that applies to the asset.
Recovery controls are reviewed separately from ordinary transfer policy. Confirm who can mark a wallet as lost, who can recover balances, and how the replacement wallet is verified.
Governance roles for adding, removing, disabling, enabling, or reconfiguring modules are restricted to the intended operators.
Asset policy changes have an operational approval path outside the smart contract transaction itself.

For auditors, this checklist defines the evidence to review. Check the configured modules, parameters, identity records, role assignments, and operational approvals for the specific asset. Derive each asset's eligibility model from that asset's own configuration, even when another asset uses the same module contract.

Create an asset for the operator path that sets the initial policy on a new asset.
Compliance modules for the available rule families and compliance-module controls.
Claims and identity for the identity records and trusted-issuer claims that policy checks can require.
Compliance and custody split for separating asset-policy checks from signing and custody-provider approvals.
Compliance transfer flow for the end-to-end transfer decision path.
SMART Protocol integration for the token standard layer underneath DALP assets.
Token features for token behaviour that is not simply a compliance rule.

Asset policy

On this page