Risks of Real-World Asset Tokenization in China — 2026

Introduction
This article is a practical guide for investors, funds, and platform operators working with tokenized Real-World Assets (RWA). The goal is to analyze regulatory risks in Mainland China (PRC) and Hong Kong following the statement by Chinese financial associations on December 13, 2023, and to provide a detailed action plan to minimize them.
Glossary
- RWA (Real-World Assets): Tangible or intangible assets (real estate, debt obligations, shares) represented as tokens on a blockchain.
- VASP (Virtual Asset Service Provider): An entity that provides services related to virtual assets.
- PoR (Proof-of-Reserves): An audit confirming that an issuer holds sufficient underlying assets to back all issued tokens.
- SOF/SOW (Source of Funds / Source of Wealth): Documents confirming the legal origin of an investor's capital.
- KYC/AML (Know Your Customer / Anti-Money Laundering): Procedures for verifying a client's identity and preventing money laundering.
- PIPL (Personal Information Protection Law): The PRC's law regarding the protection of personal information.
- SPV (Special Purpose Vehicle): A legal entity created for a specific purpose (e.g., to hold an asset).
- SFC: Securities and Futures Commission of Hong Kong.
Summary (TL;DR)
On December 13, 2023, PRC financial associations issued a warning confirming that RWA activities fall under laws regarding the illegal issuance of securities and illegal fundraising. This serves as a call to action for law enforcement agencies. Any RWA project with operational, financial, or marketing ties to the PRC becomes high-risk. The key protection strategy is multi-level segregation from Mainland China, rigorous auditing, a well-thought-out custody structure, and cautious use of the Hong Kong jurisdiction.
1. The Substance of the December 13, 2023 Warning
On December 13, 2023, seven PRC industry organizations, including the National Internet Finance Association of China (NIFA), published a document titled "Warning on Risks Related to RWA." The key phrasing states that RWA projects are "suspected of illegal issuance of securities, illegal fundraising, and illegal operation of futures business" (wording in the original Chinese statement). This means that existing harsh regulatory measures, including criminal prosecution, will be applied to RWA.
2. Legal Framework and Enforcement Practice in the PRC
The classification of RWA as illegal activity is based on current PRC legislation, which provides for severe penalties.
| Law | Article | Nature of Violation | Enforcement Examples and Sources |
|---|---|---|---|
| Criminal Law of the PRC | Art. 176 | Illegal absorption of public deposits (fundraising). | PlusToken Case (2020): Organizers received up to 11 years in prison. Source: PlusToken Court Ruling (in Chinese). |
| Criminal Law of the PRC | Art. 225 | Illegal business operations (including unlicensed financial services). | Mass blocking of bank accounts of individuals participating in crypto OTC trading (2020–2021). Source: Joint Notice by PBOC and other agencies dated 09.24.2021. |
| Securities Law of the PRC | Art. 2, 122 | Public offering of securities without regulator (CSRC) approval. | Applied to tokens with characteristics of shares or bonds (rights to income, share in assets). |
2.1. Extraterritorial Risk
PRC regulators can impact foreign projects through:
- Technical Blocking: The "Great Firewall of China" blocks access to websites and IP addresses.
- Financial Pressure: Chinese banks may freeze accounts and transactions related to unlicensed platforms at the request of the People's Bank of China (PBOC).
- Pressure on Partners: Foreign counterparties (banks, hosting providers) with business in the PRC may be forced to terminate services to the project to avoid secondary sanctions.
3. Hong Kong: A Regulated Alternative, Not a Loophole
Hong Kong is developing its own regulation but requires strict isolation from Mainland China.
- SFC Licensing: Depending on the token structure, one or more licenses may be required:
  - Type 1: Dealing in securities.
  - Type 4: Advising on securities.
  - Type 7: Providing automated trading services (for platforms).
  - Type 9: Asset management.
- VASP License: For trading virtual assets that are not securities.
- Hong Kong Use Cases:
  - Useful: To attract international capital to a project with assets outside the PRC, using licensed partners in Hong Kong.
  - Useless: If the underlying asset or the core team is located in the PRC, the SFC is likely to deny a license due to the inability to ensure proper segregation and control.
- SFC Requirements: The SFC requires a clear separation of businesses targeting Hong Kong versus other markets, as well as strict control over retail investor access.
- Resources:
  - List of licensed VASPs in Hong Kong.
4. Segregation Strategies from Mainland China
The categorical requirement for "complete segregation" is the ideal, but in practice, there are different levels of protection.
| Level | Description | Advantages | Disadvantages / Estimated Costs |
|---|---|---|---|
| Complete Segregation (Gold Standard) | Separate legal entities, teams, and IT infrastructure. No PRC citizens in key positions. Strict geoblocking. | Maximum legal protection. | High operational costs, management complexity. |
| Controlled Segregation | Separate entities and servers, but shared back-office services (HR, accounting) may be used. | Cost reduction while maintaining legal isolation. | Risk of "piercing the corporate veil" if the separation is not clear enough. |
| Operational Containment Strategy | Single company, but strict internal policies, firewalls, geoblocking, and data access control. | Minimal startup costs. | Highest risk; not suitable for projects aiming for long-term operations. |
5. Audit and Risk Mitigation Guide (Due Diligence)
5.1. Legal Opinion: Expanded Template
Request a Legal Opinion from a reputable law firm (with experience in FinTech and the Asian region).
Key Questions and Expected Conclusions:
- Token Status:
  - Question: Is the token a security under the laws of issuer jurisdiction X, asset jurisdiction Y, and key markets Z?
  - Example Conclusion: "Based on the analysis conducted and subject to compliance with distribution restrictions (A), rights structure (B), and marketing policy (C), the [Name] token does not possess the characteristics of a security in jurisdiction X."
- Ownership Structure and Holder Rights:
  - Question: Is the token holder's right of claim against the issuer legally binding and enforceable in the courts of jurisdiction X?
  - Example Conclusion: "The token holders' rights established in [Contract Name] are legally valid and can be enforced in the court of [Jurisdiction] against the assets of the SPV."
- PRC Risk Analysis:
  - Question: What measures have been taken to minimize regulatory risks associated with the PRC?
  - Example Conclusion: "The project has implemented a multi-level geoblocking system, a KYC/AML policy excluding PRC residents, and a marketing strategy that does not utilize the Chinese language, which significantly reduces the risk of PRC law being applied to it."
Mandatory Appendices to Legal Opinion:
- Articles of incorporation of the issuer and SPV.
- Sales and purchase agreements or asset transfer agreements (SPA).
- Trust Deed.
- Shareholder/Beneficiary registers.
- Technical documentation (Whitepaper).
5.2. Asset Audit (Proof-of-Reserves, PoR): Technical Details
The PoR report from an independent auditor should include reconciliation of on-chain and off-chain data.
| Parameter | Requirements and Methods |
|---|---|
| On-chain Evidence | A snapshot of all addresses holding tokens at a specific block. Publication of the total token supply. |
| Off-chain Evidence (by asset type) | Real Estate: Extract from the state registry of property rights, independent appraisal report, insurance policy. Debt Instruments (Bonds): Depository account statement, bank guarantee, loan agreement. |
| Methodology and Report | The auditor's report must contain: valuation date, description of the reconciliation methodology, list of assets with supporting documents, their market value, and the collateralization ratio (asset value / value of tokens issued). |
| Frequency | Quarterly for stable assets (real estate), monthly for more volatile assets. |
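
The reconciliation the table describes, as an added Python example (not code from the original article or from any auditor): it checks that the holder snapshot sums to the published supply, that each asset has supporting documents, that the valuation is recent enough, and computes the collateralization ratio. The addresses, asset names, values, and the day limits used for "quarterly" and "monthly" are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal

# Assumption: the table's "quarterly" / "monthly" expressed as a maximum report age in days.
MAX_AGE_DAYS = {"real_estate": 92, "debt": 31}

@dataclass
class Asset:
    name: str
    kind: str                       # "real_estate" or "debt"
    market_value: Decimal           # from the appraisal or depository statement
    documents: list = field(default_factory=list)

def reconcile(snapshot, published_supply, token_value, assets, valuation_date, today):
    """Reconcile one PoR report; returns (collateralization_ratio, findings)."""
    findings = []
    held = sum(snapshot.values(), Decimal(0))
    if held != published_supply:
        findings.append(f"supply mismatch: holders sum to {held}, published {published_supply}")
    for a in assets:
        if not a.documents:
            findings.append(f"no supporting documents: {a.name}")
    age = (today - valuation_date).days
    limit = min((MAX_AGE_DAYS[a.kind] for a in assets), default=0)
    if age > limit:
        findings.append(f"valuation is {age} days old, limit {limit}")
    issued = max(held, published_supply)          # conservative denominator
    if issued <= 0 or token_value <= 0:
        raise ValueError("issued supply and token value must be positive")
    # Only documented assets count towards backing.
    backing = sum((a.market_value for a in assets if a.documents), Decimal(0))
    ratio = backing / (issued * token_value)
    if ratio < 1:
        findings.append(f"under-collateralized: ratio {ratio:.4f}")
    return ratio, findings

def constructed_report():
    """Constructed sample: snapshot addresses, values and documents are invented."""
    snapshot = {"0xholderA": Decimal(600000), "0xholderB": Decimal(350000),
                "0xholderC": Decimal(60000)}
    assets = [Asset("Villa 1", "real_estate", Decimal(900000), ["registry extract", "appraisal"]),
              Asset("Bond 1", "debt", Decimal(200000))]
    return reconcile(snapshot, Decimal(1000000), Decimal("1.00"), assets,
                     date(2024, 1, 15), date(2024, 3, 1))

if __name__ == "__main__":
    ratio, findings = constructed_report()
    print(f"ratio={ratio:.4f}", *findings, sep="\n")
```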
5.3. KYC/AML: Thresholds and Parameters Justification
| Procedure | Requirements and Tools |
|---|---|
| Verification (KYC) | Mandatory document check (ID, passport), liveness detection, address verification. Tools: Sumsub, Veriff. |
| PRC Connection Check | Automatic blocking of users with PRC documents, phone numbers (+86), or PRC IP addresses. |
| Source of Funds (SOF/SOW) | Mandatory request for cumulative deposit volumes > $10,000 USD. |
| Transaction Monitoring | Analysis of wallets for links to sanctions lists and risky counterparties. Tools: Chainalysis, Elliptic. |
Justification for the $10,000 SOF/SOW threshold: This threshold is an industry standard based on FATF recommendations and is similar to threshold values in traditional finance (e.g., EU AML directives). Projects should consider it a minimum. For high-risk products or jurisdictions, the threshold may be lowered to $3,000–$5,000.
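One way to encode the PRC connection check and the cumulative SOF/SOW threshold from this section, as an added Python example rather than code from the article or from the KYC vendors it names. The `Applicant` fields, the action names and the sample applicants are hypothetical, and the IP country is assumed to come from an upstream GeoIP lookup.

```python
import re
from dataclasses import dataclass, field
from decimal import Decimal

SOF_THRESHOLD_USD = Decimal("10000")    # the page's default threshold

@dataclass
class Applicant:
    document_country: str               # ISO 3166-1 alpha-2 of the verified ID
    phone: str
    ip_country: str                     # assumed to come from an upstream GeoIP lookup
    deposits_usd: list = field(default_factory=list)   # every deposit to date
    sof_on_file: bool = False

def normalize_phone(raw):
    """Strip formatting and turn the 00 international prefix into '+'."""
    digits = re.sub(r"[^\d+]", "", raw)
    return "+" + digits[2:] if digits.startswith("00") else digits

def prc_signals(a):
    signals = []
    if a.document_country.upper() == "CN":
        signals.append("document")
    if normalize_phone(a.phone).startswith("+86"):   # +852 and +886 do not match
        signals.append("phone")
    if a.ip_country.upper() == "CN":
        signals.append("ip")
    return signals

def screen(a, threshold=SOF_THRESHOLD_USD):
    """Return (action, reasons): 'refuse', 'request_sof' or 'allow'."""
    signals = prc_signals(a)
    if signals:
        return "refuse", signals
    total = sum((Decimal(str(d)) for d in a.deposits_usd), Decimal(0))
    if total > threshold and not a.sof_on_file:      # strictly greater, cumulative
        return "request_sof", [f"cumulative deposits {total} USD"]
    return "allow", []

# Constructed applicants; the phone numbers are invented.
SAMPLES = {
    "cn_phone": Applicant("HK", "0086 138-0000-0000", "SG"),
    "at_limit": Applicant("TW", "+886 900 000 000", "TW", [4000, 3000, 3000]),
    "over_limit": Applicant("DE", "+49 30 000000", "DE", [9000, 1000.01]),
}

if __name__ == "__main__":
    for name, applicant in SAMPLES.items():
        print(name, screen(applicant))
```

Passing a lower `threshold` (for example `Decimal("5000")`) applies the stricter limit the justification paragraph allows for high-risk products.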
6. Custody and Enforcement of Token Holder Rights
The key risk is the token holder's inability to claim the underlying asset in the event of the issuer's bankruptcy.
| Custody Model | Description | Risks |
|---|---|---|
| Independent Depository/Custodian | The asset is held by a licensed third party (bank, trust company) not affiliated with the issuer. | Risk of the custodian's own bankruptcy, high service costs. |
| Trust SPV | The asset is on the balance sheet of an SPV managed by an independent trustee. The trustee acts in the interest of the token holders. | Structural complexity, legal costs for setup and maintenance. |
Typical Contractual Clauses for Rights Protection:
- Pledge Agreement: An agreement under which the SPV asset serves as collateral for obligations to token holders.
- Step-in Rights: The right of token holders (or their representative) to take over asset management in the event of an issuer default.
7. Operational and Technical Protection Measures
7.1. Geoblocking Plan
- Tools:
  - Network Level: Blocking by IP addresses and Autonomous System Numbers (ASN) belonging to PRC providers (via Cloudflare/AWS WAF).
  - Application Level: Behavioral analysis to detect VPNs/proxies, browser language/time zone analysis, use of Google reCAPTCHA Enterprise.
- Testing: Integration of bypass tests into the CI/CD pipeline. Quarterly policy review involving external specialists to conduct penetration tests from within the PRC.
- Review Procedure: Regular updating of blocked IP/ASN lists and revision of behavioral analysis rules.
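The two tool layers and the CI test step above, as an added Python example (not code from the article, Cloudflare or AWS WAF): a request-level decision function plus a regression table that a pipeline can run on every policy change. The blocked ranges and ASN are placeholders from documentation and private-use space, and the language tags, time zones and the mapping of soft signals to a challenge are assumptions.

```python
import ipaddress

# Placeholders: RFC 5737 documentation ranges and a private-use ASN, not real provider lists.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
BLOCKED_ASNS = {64512}
SOFT_LANGS = ("zh-cn", "zh-hans")                    # assumption
SOFT_TIMEZONES = {"Asia/Shanghai", "Asia/Urumqi"}    # assumption

def ranked_languages(header):
    """Parse Accept-Language into lowercase tags, highest q-value first."""
    ranked = []
    for part in header.split(","):
        tag, _, param = part.strip().partition(";")
        try:
            q = float(param.strip()[2:]) if param.strip().startswith("q=") else 1.0
        except ValueError:
            q = 0.0                                  # malformed weight: ignore the tag
        if tag and q > 0:
            ranked.append((q, tag.strip().lower()))
    return [tag for _, tag in sorted(ranked, key=lambda item: -item[0])]

def decide(ip, asn, accept_language, timezone):
    """Return 'deny' (network level), 'challenge' (soft signal) or 'allow'."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:       # ::ffff:a.b.c.d must not slip past
        addr = addr.ipv4_mapped
    if asn in BLOCKED_ASNS or any(addr in net for net in BLOCKED_NETS):
        return "deny"
    langs = ranked_languages(accept_language)
    if (langs and langs[0].startswith(SOFT_LANGS)) or timezone in SOFT_TIMEZONES:
        return "challenge"
    return "allow"

# Constructed regression cases: (ip, asn, Accept-Language, time zone, expected)
CASES = [
    ("203.0.113.7", 64500, "en-US", "Europe/Berlin", "deny"),
    ("::ffff:203.0.113.7", 64500, "en", "UTC", "deny"),
    ("192.0.2.10", 64512, "en", "UTC", "deny"),
    ("198.51.100.200", 64500, "en-US", "Europe/Berlin", "allow"),
    ("192.0.2.10", 64500, "en-US;q=0.5, zh-CN", "Europe/Berlin", "challenge"),
    ("192.0.2.10", 64500, "en-US, zh-CN;q=0.3", "Asia/Shanghai", "challenge"),
]

def failing_cases():
    return [c for c in CASES if decide(*c[:4]) != c[4]]

if __name__ == "__main__":
    raise SystemExit(1 if failing_cases() else 0)    # non-zero exit fails the CI job
```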
7.2. Personal Data Protection (PIPL)
Even if a project does not target the PRC, data of PRC citizens may enter the system accidentally.
- Data Storage: KYC data of PRC citizens (if collected in error) should be stored on servers outside China only with their explicit consent.
- Cross-border Transfer: Transferring personal data from the PRC requires compliance with strict procedures under PIPL, which is practically impossible for an unlicensed project.
- Recommendation: Implement a policy for immediate data deletion and service refusal upon detecting a user from the PRC to avoid PIPL violations. Appoint a Data Protection Officer (DPO).
7.3. Insurance and Capital Reserving
- Insurance:
  - E&O (Errors & Omissions): For errors and omissions in management.
  - Cyber Liability: Against cyberattacks and data breaches.
  - Fidelity Bond: Against employee fraud.
- Reserving: Creating a reserve fund to cover unforeseen legal costs, fines, and operational failures. The fund's size should be proportional to the volume of assets under management.
8. Incident Response Plan and Examples
Scenario: A project with a Cayman Islands SPV and tokenized real estate in Thailand discovers that one of its large investors is a PRC citizen. Soon, a request arrives from the partner bank demanding the freezing of this investor's funds, citing a directive from the PBOC.
Action Plan:
| Timeframe | Actions |
|---|---|
| 0–24 hours | "Silent Mode": Immediate temporary suspension of the investor's account to prevent fund withdrawals. Notification of the legal department and CEO. Collection of all logs related to this user. |
| 24–72 hours | Analysis: Lawyers analyze the bank's request and applicable law (Cayman, Thailand). The project prepares an official response demonstrating that it does not operate in the PRC and complies with KYC/AML in its place of registration. |
| 72+ hours | Communication and Remediation: Sending the official response to the bank. Depending on legal advice—either cooperation with the bank within legal frameworks or contesting the request. Review of KYC procedures to identify such cases earlier. |
9. RWA Project Express Assessment Checklist
| Category | Question | Yes / No |
|---|---|---|
| Jurisdiction | Are the underlying asset and issuer located outside the PRC and Hong Kong? | |
| Team | Are founders, beneficiaries, and key managers not PRC citizens/residents? | |
| Segregation | Is there clear legal and operational isolation from Mainland China? | |
| Marketing | Do the website, documentation, and social media exclude the Chinese language and avoid targeting the PRC? | |
| KYC/AML | Is strict geoblocking and identity verification implemented to exclude PRC users? | |
| Legal Opinion | Is there a recent opinion from a reputable law firm confirming the legality of the structure? | |
| PoR | Are regular collateral audits conducted by an independent third party? | |
| Custody | Does the asset ownership structure (trust, custodian) protect token holder rights in the event of issuer bankruptcy? | |
Interpretation: If the answer to even two questions is "No," the project should be considered high-risk.
10. Forecast and Key Indicators for 2024–2025
- Most Likely Scenario: Tightening of enforcement in the PRC. Showcase cases against RWA projects with Chinese roots will appear. Pressure on Hong Kong to synchronize AML approaches and prevent capital outflow will increase.
- Unlikely Scenario: Launch of state-led RWA pilot projects in closed "sandboxes" using the digital yuan (e-CNY). This is only possible as a strategic state experiment, completely isolated from the public market.