# Country Restrictions

Source: https://docs.settlemint.com/docs/architecture/security/compliance/country
CountryAllowList and CountryBlockList modules for geographic transfer restrictions. Covers sanctions/OFAC use cases, EU MiCA jurisdiction selection, and ISO 3166-1 country codes.



Country restrictions let an asset accept or reject token recipients based on the country code stored on the recipient's identity. DALP evaluates these controls before minting or transferring regulated tokens.

Use CountryAllowList when only selected jurisdictions may receive the asset. Use CountryBlockList when selected jurisdictions must be blocked while the rest remain eligible.

## Decide which country control to use [#decide-which-country-control-to-use]

| Policy goal                                     | Use this module       | Result                                                                      |
| ----------------------------------------------- | --------------------- | --------------------------------------------------------------------------- |
| Limit distribution to a defined market          | CountryAllowList      | Recipients must have one of the configured ISO 3166-1 numeric country codes |
| Exclude sanctioned or unsupported jurisdictions | CountryBlockList      | Recipients must not have one of the configured blocked country codes        |
| Combine permitted and prohibited jurisdictions  | Both modules together | The recipient must pass both checks before DALP allows the token operation  |

Country modules check the recipient's country code from identity registry storage. The recipient must already have a registered identity with a non-zero country code before DALP can evaluate the module.

## Where these modules apply [#where-these-modules-apply]

| Operation        | CountryAllowList         | CountryBlockList         |
| ---------------- | ------------------------ | ------------------------ |
| Minting          | Checks recipient country | Checks recipient country |
| Transfers        | Checks recipient country | Checks recipient country |
| Burns            | Not applicable           | Not applicable           |
| Forced transfers | Not applicable           | Not applicable           |

## Configure country restrictions [#configure-country-restrictions]

1. Choose the asset's policy requirement: allow only selected countries, block selected countries, or combine both.
2. Convert each jurisdiction to its ISO 3166-1 numeric country code.
3. Add the chosen country module when configuring the asset's compliance controls.
4. Enter the country-code list for that module.
5. Verify the recipient identity records have the expected country code before minting or transferring tokens.
6. Test with one eligible recipient and one ineligible recipient before opening the asset to wider operations.

### Interface (capabilities) [#interface-capabilities]

**CountryAllowList**

| Capability            | Who can call                 | Inputs                                    | On-chain effect                                      | Emits | Notes                                            |
| --------------------- | ---------------------------- | ----------------------------------------- | ---------------------------------------------------- | ----- | ------------------------------------------------ |
| `setModuleParameters` | Token admin (via compliance) | Array of ISO 3166-1 numeric country codes | Stores allowed country list                          | None  | Empty list blocks all transfers                  |
| `canTransfer`         | Compliance engine            | Sender, recipient, amount                 | Checks recipient's country code against allowed list | None  | Country code read from identity registry storage |

**CountryBlockList**

| Capability            | Who can call                 | Inputs                         | On-chain effect                                      | Emits | Notes                                       |
| --------------------- | ---------------------------- | ------------------------------ | ---------------------------------------------------- | ----- | ------------------------------------------- |
| `setModuleParameters` | Token admin (via compliance) | Array of blocked country codes | Stores blocked country list                          | None  | Empty list permits known-country recipients |
| `canTransfer`         | Compliance engine            | Sender, recipient, amount      | Checks recipient's country code against blocked list | None  | Unknown identity or country still fails     |

![Country allowlist configuration for geographic transfer restrictions](/docs/screenshots/asset-designer/asset-designer-compliance-country-allowlist.webp)

## Use cases [#use-cases]

| Use case                 | Module           | Example                       |
| ------------------------ | ---------------- | ----------------------------- |
| MiCA EU compliance       | CountryAllowList | 27 EU member state codes      |
| OFAC sanctions screening | CountryBlockList | Sanctioned jurisdiction codes |
| Reg D (US only)          | CountryAllowList | `[840]` (United States)       |
| Singapore MAS            | CountryAllowList | `[702]` (Singapore)           |
| Japan FSA                | CountryAllowList | `[392]` (Japan)               |
| UK FCA                   | CountryAllowList | `[826]` (United Kingdom)      |

## ISO 3166-1 numeric codes [#iso-3166-1-numeric-codes]

Selected common codes:

| Country        | Code |
| -------------- | ---- |
| United States  | 840  |
| United Kingdom | 826  |
| Japan          | 392  |
| Singapore      | 702  |
| Germany        | 276  |
| France         | 250  |

Full EU 27 member state codes are included in the MiCA EU Standard template. Use the full ISO 3166-1 numeric code list for other jurisdictions.

## Key invariants [#key-invariants]

* Country check applies to the recipient, not the sender
* The recipient must have a registered identity and a non-zero country code before the module can approve the operation
* Using CountryAllowList and CountryBlockList together creates a combination restriction, so both modules must pass
* An empty allow list blocks all recipients; an empty block list permits recipients with known countries

## Operational signals [#operational-signals]

No events emitted by these modules. Monitor for `ComplianceCheckFailed` revert errors in failed transactions when transfers violate country restrictions.

## Failure modes & edge cases [#failure-modes--edge-cases]

* Recipient identity not registered: the operation reverts with `ComplianceCheckFailed("Receiver identity unknown")`
* Recipient country code not set or stored as zero: the operation reverts with `ComplianceCheckFailed("Receiver identity unknown")`
* CountryAllowList does not include the recipient country: the operation reverts with `ComplianceCheckFailed("Receiver country not allowed")`
* CountryBlockList includes the recipient country: the operation reverts with `ComplianceCheckFailed("Receiver country blocked")`
* Sanctioned country added to block list after tokens already transferred: existing holders are not affected until they attempt a new transfer
* Using both CountryAllowList and CountryBlockList creates a combination restriction, so both must pass independently

## See also [#see-also]

* [Asset policy](/docs/architecture/concepts/asset-policy): how this module fits into per-asset compliance checks
* [Compliance overview](/docs/architecture/security/compliance): module architecture and regulatory templates
* [Identity verification](/docs/architecture/security/compliance/identity-verification): verifying that country claims are properly attested
* [Identity lists](/docs/architecture/security/compliance/identity-lists): granular identity and address-level access control
* [Supply & investor limits](/docs/architecture/security/compliance/supply-investor-limits): InvestorCount enforces per-country investor limits