End-to-end compliance pipeline for the JIL Sovereign settlement network. Four interconnected services enforce KYC, AML, sanctions screening, anti-dump rules, and zone-based policy across 13 jurisdictions with a fail-closed design.
Every transaction in the JIL Sovereign settlement pipeline passes through the compliance layer before finalization. The compliance architecture is composed of four tightly integrated services that collectively enforce KYC verification, AML screening, sanctions checks, anti-dump rules, and jurisdiction-specific policy across all 20 mainnet validator zones.
The system follows a fail-closed design - if any compliance service is unavailable or returns an indeterminate result, transactions queue in Kafka rather than bypassing compliance. No transaction can reach settlement finalization without an explicit compliance approval.
The compliance pipeline processes every transaction through three stages:
Only transactions with a final APPROVED decision proceed to settlement finalization. Transactions marked BLOCKED are rejected with a compliance reason code. Transactions flagged for REVIEW are held in a pending queue until a compliance officer resolves them manually.
The compliance layer consists of four microservices, each with a distinct responsibility within the pipeline. All services communicate over Kafka for asynchronous event processing and expose HTTP endpoints for synchronous lookups.
| Service | Port | Role | Technology | Kafka Topics |
|---|---|---|---|---|
compliance-api |
8100 |
Core compliance decision engine | Express/TypeScript, PostgreSQL, Redis | jil.compliance.decisions |
compliance-checker |
8055 |
Settlement pipeline compliance consumer | Express/TypeScript, Kafka consumer | jil.settlements (consume), jil.compliance.results (produce) |
analytics-integrations |
8770 |
Multi-provider blockchain analytics | Express/TypeScript, PostgreSQL | jil.analytics.screening |
bid-service |
8750 |
Beneficiary identity verification | Express/TypeScript, PostgreSQL | jil.bid.events |
The core decision engine. It receives compliance check requests from the settlement pipeline, aggregates risk signals from analytics-integrations and bid-service, applies zone-specific policy rules, evaluates ATCE constraints, and produces a final APPROVED, BLOCKED, or REVIEW decision. All decisions are persisted to PostgreSQL and emitted to Kafka for downstream consumers.
A dedicated Kafka consumer that sits in the settlement pipeline. It consumes raw settlement intents from the jil.settlements topic, forwards them to compliance-api for evaluation, and produces compliance results to jil.compliance.results. This service acts as the bridge between the high-throughput settlement consumer and the compliance decision engine.
Aggregates blockchain analytics from three external providers - Chainalysis KYT, TRM Labs, and Elliptic. It normalizes risk scores from each provider into a composite weighted score, caches results to reduce API costs, and provides graceful degradation when a provider is unavailable. The composite score feeds directly into compliance-api risk assessment.
Handles beneficiary identity verification - confirming that the receiving party of a transaction is a known, verified entity. It performs phone, email, address, person, and company identity checks and provides a trust score that factors into the overall compliance decision. BID verification is required for institutional transactions above configurable thresholds.
The analytics-integrations service aggregates blockchain risk intelligence from three industry-leading providers to deliver a composite risk assessment that is more reliable than any single-vendor score.
| Provider | Weight | Capability | Coverage |
|---|---|---|---|
| Chainalysis KYT | 40% |
Real-time transaction monitoring, risk scoring, sanctions screening | BTC, ETH, ERC-20, 30+ chains |
| TRM Labs | 35% |
Wallet screening, transaction risk, entity attribution | BTC, ETH, ERC-20, 25+ chains |
| Elliptic | 25% |
Holistic screening, source-of-funds analysis, exposure mapping | BTC, ETH, ERC-20, 20+ chains |
Each provider returns a normalized risk score between 0 (no risk) and 100 (maximum risk). The composite score is calculated as a weighted average:
// Composite risk score calculation
compositeScore = (chainalysis.score * 0.40)
+ (trmLabs.score * 0.35)
+ (elliptic.score * 0.25)If one provider is unavailable, the remaining providers auto-reweight proportionally to maintain full coverage:
All provider responses are cached in Redis with a 5-minute TTL. This reduces external API costs, lowers response latency for repeated address lookups, and provides a buffer during brief provider outages. Cache keys are scoped by provider, address, and chain ID.
JIL Sovereign operates across 13 compliance zones, each mapping to a mainnet validator jurisdiction. The zone policy engine within compliance-api applies jurisdiction-specific rules, risk thresholds, and reporting requirements on top of the base compliance checks.
| Zone | Jurisdiction | Regulator | Key Rules | Review / Block |
|---|---|---|---|---|
US |
United States | FinCEN / OFAC | OFAC SDN list, BSA reporting, $10K CTR | 70 / 90 |
DE |
Germany | BaFin | EU AML 6D, travel rule | 65 / 85 |
EU |
European Union | EBA | MiCA, AMLD6, travel rule | 65 / 85 |
SG |
Singapore | MAS | Payment Services Act, travel rule | 70 / 90 |
CH |
Switzerland | FINMA | AMLA, qualified financial intermediary | 70 / 90 |
JP |
Japan | JFSA | PSA, travel rule, registered VASP | 60 / 80 |
GB |
United Kingdom | FCA | MLR 2017, travel rule, FCA registration | 65 / 85 |
AE |
UAE | VARA | VARA framework, FATF compliance | 70 / 90 |
BR |
Brazil | CVM | CVM Resolution 175, crypto asset rules | 70 / 90 |
GENESIS |
Global | Base layer | Default compliance layer, conservative thresholds | 70 / 90 |
Each zone has the following configurable parameters that compliance operators can adjust without code changes:
ATCE is a patented compliance mechanism designed to prevent post-vesting dump attacks that could crash the JIL token price. It enforces graduated sell limits on addresses that receive tokens through vesting unlocks, ensuring that large token holders cannot liquidate their entire position in a single burst.
When a vesting unlock occurs, ATCE activates a 30-day enforcement window for the receiving address. During this window, the address is limited to selling no more than 10% of their unlocked balance per calendar day. This prevents coordinated sell pressure while still allowing holders to realize value at a measured pace.
| Tier | Unlock Percentage | Enforcement Window | Daily Sell Limit |
|---|---|---|---|
| Tier 1 | 33% of vested allocation | 30 days after unlock | 10% of unlocked amount per day |
| Tier 2 | 33% of vested allocation | 30 days after unlock | 10% of unlocked amount per day |
| Tier 3 | 34% of vested allocation (remainder) | 30 days after unlock | 10% of unlocked amount per day |
Each tier triggers its own independent 30-day enforcement window. If Tier 1 and Tier 2 unlock on the same day, both enforcement windows run in parallel and daily limits are calculated independently for each tier's unlocked amount.
ATCE state is tracked across three tables in PostgreSQL:
atce_unlock_events - Records each vesting unlock: address, tier, amount, unlock timestamp, enforcement window end timestamp.atce_daily_sales - Tracks cumulative sell volume per address per day per enforcement window. Reset at midnight UTC.atce_decisions - Audit log of every ATCE evaluation: address, requested amount, allowed amount, decision, reasons.JIL Sovereign maintains a comprehensive sanctions screening capability that checks addresses and entities against multiple international sanctions lists at every compliance checkpoint.
Sanctions screening occurs at three points in the transaction lifecycle:
External sanctions lists are automatically refreshed on a daily schedule at 02:00 UTC. The refresh process downloads updated lists from official sources, computes a diff against the current list, and triggers re-screening of any active addresses that match newly added entries. The internal watchlist can be updated in real-time by authorized compliance operators.
The foundational principle of the JIL compliance architecture is that no transaction may bypass compliance checks under any circumstances. Every failure mode in the system defaults to holding the transaction rather than allowing it to proceed.
| Failure | Behavior | Recovery |
|---|---|---|
compliance-api down |
Settlements queue in Kafka (jil.settlements topic). Never bypass. |
Queued transactions process automatically when service recovers. |
analytics-integrations down |
compliance-api falls back to internal screening only (sanctions lists, velocity checks, ATCE). | Composite scoring resumes automatically when analytics service recovers. |
| Single analytics provider down | Remaining providers auto-reweight proportionally. Caution flag set on decisions. | Normal weighting restores automatically when provider recovers. |
| Redis velocity cache down | Velocity checks fail-closed. All velocity-dependent transactions blocked. | Velocity checks resume when Redis recovers. Blocked transactions can be retried. |
| PostgreSQL down | All compliance decisions blocked. Cannot persist audit trail. | Full service recovery required. Kafka retains queued transactions. |
| Kafka down | Settlement consumer cannot submit transactions. Pipeline halts at ingestion. | Transactions retry from client side when Kafka recovers. |
All external provider calls (Chainalysis, TRM Labs, Elliptic) are wrapped in a circuit breaker with the following configuration:
The compliance-api health endpoint (/health) performs a cascading dependency check:
// Health check cascade order
1. PostgreSQL connection // Primary data store
2. Redis connection // Velocity cache + provider cache
3. analytics-integrations // External provider aggregator
4. bid-service // Beneficiary identity
5. Kafka producer // Decision event publishingIf any dependency is unhealthy, the compliance-api reports itself as unhealthy, which causes the settlement consumer to stop pulling new transactions from Kafka until compliance capacity is restored.
Every compliance decision is permanently recorded in an immutable audit trail. This trail serves dual purposes - internal operational visibility and regulatory reporting to supervisory authorities across all 13 jurisdictions.
Each compliance decision is persisted to the compliance_decisions table in PostgreSQL:
| Field | Type | Description |
|---|---|---|
id |
UUID |
Unique decision identifier |
check_type |
VARCHAR |
Type of check (AML, SANCTIONS, ATCE, VELOCITY, BID) |
address |
VARCHAR |
Wallet address being evaluated |
tx_id |
VARCHAR |
Transaction ID (null for address-only checks) |
risk_score |
DECIMAL |
Composite risk score (0-100) |
decision |
VARCHAR |
Final decision (APPROVED, BLOCKED, REVIEW) |
reasons |
JSONB |
Structured array of compliance reasons and contributing factors |
zone_id |
VARCHAR |
Jurisdiction zone (US, DE, EU, SG, CH, JP, GB, AE, BR, GENESIS) |
created_at |
TIMESTAMPTZ |
Decision timestamp (UTC) |
In addition to PostgreSQL persistence, every compliance decision is emitted to the jil.compliance.decisions Kafka topic. This enables real-time streaming to downstream consumers such as the ops-dashboard, SentinelAI fleet inspector, and external SIEM integrations.
compliance_decisions table in production environments.JIL Sovereign's compliance architecture provides capabilities that are not available from any single analytics vendor or standalone compliance platform. The combination of multi-provider aggregation, native settlement integration, and patented enforcement mechanisms creates a compliance moat that is difficult to replicate.
| Capability | JIL Sovereign | Chainalysis Standalone | Elliptic Standalone |
|---|---|---|---|
| Multi-provider aggregation | Yes (3 providers) | Single provider | Single provider |
| Composite risk scoring | Weighted average | Provider score only | Provider score only |
| Zone-based policy | 13 jurisdictions | Manual configuration | Manual configuration |
| Fail-closed settlement | Built-in | Not applicable | Not applicable |
| ATCE anti-dump | Patented | Not available | Not available |
| Beneficiary identity (BID) | Integrated | Not available | Not available |
| Settlement pipeline integration | Native | API-only | API-only |
| On-chain audit anchoring | Yes | No | No |