A CFO of a fintech in São Paulo asked me last quarter, two minutes into a diligence call, what happens if Flo goes bankrupt. He had not asked whether the tokens were backed. He had assumed they were. What he wanted to know, and what every other treasurer who has done real diligence on a tokenization platform wants to know, is what the chain of custody looks like when something goes wrong.
That question is the right one. The phrase "1:1 backed" is so worn out at this point that nobody who has been around the space for more than a year takes it at face value. There have been enough projects that called themselves 1:1 backed and turned out not to be that the phrase, on its own, reads more like a marketing flag than a guarantee. The thing that actually matters is what stands behind it.
I want to walk through the chain of custody one share at a time, in the way I find myself doing it on diligence calls anyway, because the parts the industry has glossed over are the parts that determine whether the asset is actually safe.
The share starts at a regulated prime broker
When a user mints a tokenized stock on GM Markets, the underlying share gets bought into a segregated brokerage account at a regulated prime broker. We use Interactive Brokers and Alpaca. The share lives on the broker's ledger, but it is held under the issuer's segregated client account, not on the broker's balance sheet.
This part matters more than people give it credit for. Segregated client accounts are a regulatory primitive. In every major jurisdiction we operate in, a regulated broker is required to keep client positions segregated from their own. If the broker fails, those positions don't become part of the bankruptcy estate. They remain client property. The same regulation that protects an Interactive Brokers retail customer from broker insolvency protects the underlying share in our segregated account.
I think this is the part most retail-oriented coverage gets wrong. The risk people imagine, the broker losing the share, is the most regulated part of the chain. The risks worth thinking about sit in the legal layer above the broker.
The issuer holds the share, and the issuer has to be bankruptcy-remote
The next layer up is the entity that holds the share. If that entity is the operating company that runs the platform, then the share is on the operating company's balance sheet, and if the operating company files for bankruptcy, the share becomes part of the estate. Token holders become unsecured creditors of the operator. That is the structure that has historically taken down tokenization projects.
The right structure, and the one we use, is a bankruptcy-remote issuer entity. That entity is a separate legal vehicle whose only purpose is to hold the underlying assets that back the tokens. It has its own director. It has no operational role in the platform. If the operator fails, the issuer entity is not part of the operator's estate. The share keeps backing the token.
I want to be honest about what this does and does not protect against. It does not protect against fraud at the issuer entity itself. It does not protect against a regulatory action that seizes the assets. It does not protect against a smart contract bug that breaks the token. What it protects against is the single largest historical source of loss in tokenization, which is the operator going under and dragging the underlying with it.
The collateral agent is the part nobody talks about
This is the part that surprised me most when I learned it. A bankruptcy-remote issuer is necessary but not sufficient. You also need a third party with the legal authority to enforce the token holders' claim against the issuer if the operator can't.
The reason is that a bankruptcy-remote SPV, on its own, has no native legal mechanism for paying out token holders. Someone has to administer the redemption. Someone has to receive the on-chain burn signal, instruct the broker to liquidate, and distribute the proceeds. If that someone is the operator, you have a circular problem in operator failure. The operator can't administer the redemption because it doesn't exist anymore.
The solution is a collateral agent. A regulated trust company, paid by the issuer, contractually obligated to act on behalf of token holders if the operator fails. They survive operator insolvency. Their fee comes from the issuer entity's assets, not from the operator's revenue. Their mandate is independent.
I get nervous when I read pitches that talk about 1:1 backing without mentioning who the collateral agent is, because that's the actual fail-safe. Without it, the bankruptcy-remote structure is a nice idea that has no enforcement layer.
The on-chain side is reconciled hourly, not daily
The last piece is the on-chain ledger versus the off-chain ledger. The token contract on Ethereum, Base, or Arbitrum tracks on-chain supply. The broker tracks the underlying position. These two numbers should be equal. If they drift, that drift is the most important signal in the system.
We reconcile hourly. The reconciliation is performed by an independent attestation provider, not by us, and the result is signed using a key the attestor controls and posted on-chain in a way anyone can verify. The user does not have to trust GM Markets that the numbers match. They can check the attestor's signature against the public key.
The thing this catches is operational drift. A failed mint that didn't reflect on-chain. A burn that didn't trigger the broker liquidation. A reconciliation lag from a settlement boundary. Hourly cadence is a tradeoff: tight enough to catch drift quickly, loose enough not to swamp the attestor with noise. I'd rather move it tighter. We probably will once the volume justifies the cost.
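As an added example (not GM Markets' or the attestor's code), here is what a holder-side check of one hourly attestation could look like. The record layout, the field names, the freshness window and the use of Ed25519 are assumptions made for illustration; the post does not specify the signature scheme or the published format.

```javascript
// Added example: verify a signed reconciliation attestation before trusting it.
// Record layout, field names and the Ed25519 scheme are assumptions, not the platform's format.
const crypto = require("node:crypto");

const MAX_AGE_SECONDS = 3600 + 600; // hourly cadence plus an assumed 10-minute grace

// Fixed field order so signer and verifier process identical bytes.
function canonicalBytes(a) {
  const fields = [a.symbol, a.chain, a.onChainSupply, a.brokerShares, a.issuedAt];
  return Buffer.from(fields.join("|"), "utf8");
}

// observedSupply is the total supply the verifier read from the token contract
// itself, so the attestor's on-chain figure is cross-checked rather than trusted.
// Quantities are decimal strings in the token's smallest unit (assumed).
function checkAttestation(att, signature, attestorKey, observedSupply, now) {
  if (!crypto.verify(null, canonicalBytes(att), attestorKey, signature)) {
    return { ok: false, reasons: ["bad-signature"] }; // fields are untrusted, stop here
  }
  const reasons = [];
  const age = now - att.issuedAt;
  if (age < 0 || age > MAX_AGE_SECONDS) reasons.push("stale-or-future");
  if (BigInt(att.onChainSupply) !== BigInt(att.brokerShares)) reasons.push("supply-holdings-drift");
  if (BigInt(att.onChainSupply) !== BigInt(observedSupply)) reasons.push("attested-supply-mismatch");
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample data: a throwaway key pair stands in for the attestor.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const sign = (a) => crypto.sign(null, canonicalBytes(a), privateKey);
  const now = 1700003000;
  const good = { symbol: "EXMPL", chain: "base", onChainSupply: "125000",
                 brokerShares: "125000", issuedAt: 1700000000 };
  const drift = { ...good, brokerShares: "124990" }; // holdings 10 short of supply
  return {
    good: checkAttestation(good, sign(good), publicKey, "125000", now),
    drift: checkAttestation(drift, sign(drift), publicKey, "125000", now),
    tampered: checkAttestation(drift, sign(good), publicKey, "125000", now),
    stale: checkAttestation(good, sign(good), publicKey, "125000", now + 7200),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The attestor's public key has to be pinned from a source other than the place the attestation is published, otherwise the signature check proves nothing. The freshness check is what stops an old, valid "all matched" attestation from being replayed after drift has started.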
What "1:1 backed" should actually unpack to
If you're a treasurer or an asset manager doing diligence on any tokenization platform and you want a quick test for whether the 1:1 backing claim is real, here are the four questions I'd want to be able to answer, in order.
One. Is the underlying held in a segregated account at a regulated broker, and can you name the broker?
Two. Is the issuer entity bankruptcy-remote from the operating company, with an independent director, and can you see the corporate structure?
Three. Who is the collateral agent, and does their fee come from the issuer entity rather than the operator?
Four. Who reconciles on-chain supply to underlying holdings, how often, and where is the attestation published?
If the platform can't answer all four, the 1:1 claim is a marketing claim, not an architectural one. I am not saying every platform that can't answer four is unsafe. I am saying every platform that can answer four has done the work, and that's the bar that should be standard rather than exceptional.
The CFO in São Paulo I started this with eventually got through the four questions and then asked me one more, one I didn't have a good answer for at the time: whether the segregated account would survive a regulator-ordered freeze on the broker. The honest answer is that I'm not sure. There is some jurisdictional precedent that suggests yes, and some that suggests it depends on the nature of the freeze. I told him that, he wrote it down, and we moved on. If there is one thing I've learned doing diligence calls with serious operators, it's that the answer they trust is the answer that names what isn't yet known.
I might be drawing some of these lines too tightly. There are platforms doing this differently and getting reasonable outcomes. The shape of the architecture is still moving. But the chain I just walked through is the one I would want if I were on the other side of the call, and that's the bar we're holding.
