Tokenized Money Market Funds: Architecture and Risks

Definition and Scope

Tokenized money market funds are blockchain-based representations of MMF shares that enable digital movement and programmability while preserving the fund’s traditional legal and operational structure. In most institutional implementations, the official books and records remain with the transfer agent or custodian, and onchain tokens mirror the legally binding share register rather than replace it.

A live example is the BNY LiquidityDirect and Goldman Sachs platform using mirrored record tokenization, where BNY maintains the official shareholder records and mirrors positions as tokens on the GS DAP network. The arrangement is designed to add transferability and future collateral use without altering the fund’s legal ownership record. The outstanding US market for tokenized MMFs reached roughly 7 billion dollars by June 2025, according to the Banque de France’s analysis of financial stability implications.

What tokenization changes and what stays the same

• What changes: near-instantaneous transfer on permissioned or public ledgers, programmability for controls and reporting, and potential integration with digital collateral and settlement rails.
• What stays the same: the MMF’s investment mandate and risk profile, daily NAV calculation, custody and shareholder servicing roles, and the primacy of the official register for legal ownership.

Architecture and Workflows

Production deployments vary across permissioned and public networks, but most share a common pattern of offchain fund administration with onchain reflection.

Mirror tokens and official records

The BNY LiquidityDirect and GS DAP Phase One workflow runs as follows:

1. An investor subscribes or redeems through LiquidityDirect.
2. BNY, acting as shareholder servicer and custodian, updates the official register.
3. BNY, acting as tokenization manager, mints or burns mirrored tokens on the private, permissioned GS DAP ledger so that token balances reflect the official record.
4. Tokens can be transferred within the permissioned network according to allowlists and policy controls, but the token ledger does not replace the legal register.

Phase One focuses on mirrored tokens and controlled transferability rather than public distribution. The explicit aim is operational readiness for future settlement and collateral use while preserving the standard MMF operating model.

Permissioned versus public networks

Security-token standards inform how transfer restrictions and metadata are enforced. Frameworks such as ERC‑1400 shape permissioning models, and ERC‑3643 is emerging for permissioned tokens that require identity checks and granular compliance controls.

A public-chain contrast is the Franklin OnChain U.S. Government Money Fund. In that model, one BENJI token equals one share, transfers occur on public blockchains, and the transfer agent still maintains the official record. Franklin has expanded public-chain connectivity to multiple networks, illustrating how MMF shares can operate on public rails while retaining traditional shareholder servicing.

Settlement and Collateral Utility

Tokenized MMFs aim to reduce settlement frictions and broaden collateral mobility, but several prerequisites remain.

Atomic settlement prerequisites

The industry objective is atomic delivery-versus-payment, where tokenized fund shares and cash settle simultaneously. Achieving this consistently requires on-ledger cash instruments that can serve as the cash leg. Banks and market infrastructures are exploring tokenized deposits and CBDC for tokenized funds to enable true atomicity at scale. Without on-ledger cash, workflows revert to bridged settlement or delayed reconciliation, reducing the benefits of tokenization.

Collateral pathways

The BNY and Goldman Sachs initiative explicitly signals future transferability and collateral use of tokenized MMF positions. Launch participants span major managers, including BlackRock, Dreyfus, Federated Hermes, Fidelity, and GSAM, indicating broad industry engagement around operational utility rather than short-term trading.

Beyond a single platform, collateral networks show how tokenized positions can be mobilized across institutions. JPMorgan’s Tokenized Collateral Network demonstrates how tokenized assets, including MMF shares, can be pledged and rehypothecated with reduced settlement frictions. These models are conceptually aligned with the aim of moving high-quality liquid assets digitally across venues and time zones.

Regulation and Access

Tokenized MMFs remain subject to the same fund regulations as their traditional counterparts, with additional considerations for digital transfer and market access.

• United States: Money market funds are regulated under Rule 2a‑7. The SEC’s 2023 money market fund reforms increased required daily and weekly liquidity thresholds and introduced a mandatory liquidity-fee framework for certain funds during stress. Tokenized transfer rails must interoperate with these constraints, especially if tokens trade continuously outside traditional market hours.
• European Union: The DLT Pilot Regime provides a framework for supervised experimentation with DLT-based market infrastructures. In parallel, MiCA governs crypto-asset service providers and asset-referenced tokens, shaping the broader digital-asset rails that tokenized securities may interact with, even though MMFs themselves remain regulated as funds.
• Jurisdictional examples: France and Luxembourg have developed regimes that support digital securities issuance and tokenized shares. BNP Paribas Asset Management’s tokenised MMF shares launched on Allfunds Blockchain show how distribution can be integrated with regulated tokenization platforms.

Access remains permissioned in many deployments due to KYC, AML, and transfer restrictions. Public-chain offerings that retail investors can hold must rely on transfer-agent controls, allowlists, or other mechanisms to ensure compliance while preserving onchain transferability.

Risks and Controls

Tokenized MMFs combine the conservative risk profile of MMFs with the operational and market-structure risks of digital assets. A defensible approach starts with identifying how tokenization changes liquidity dynamics, cyber exposure, and operational dependencies.

Redemption dynamics in always-on markets

Continuous token markets can create new channels for rapid investor flows. The Banque de France highlights financial stability implications, including the possibility that 24/7 liquidity and connectivity to crypto markets may accelerate redemptions or contagion under stress, even if current tokenized amounts are modest. Controls should align onchain transfer windows, cutoff times, and NAV timestamping with the fund’s official operations. The SEC’s liquidity-fee framework and higher liquidity buffers provide structural mitigants that can be reflected in token policies and transfer rules.

Practical controls include:

• Pre-trade checks to block transfers inconsistent with cutoff windows or investor eligibility
• Dynamic transfer throttles and circuit breakers that pause on abnormal flows
• Onchain publication of NAV and AUM data to anchor token pricing and mint/burn logic

Cyber risk and vendor concentration

Tokenized MMFs add new dependencies on ledgers, key custody, APIs, and integration gateways. Risks include smart contract vulnerabilities, key compromise, access-control misconfiguration, and concentration in a small number of service providers or permissioned networks. Mitigation should cover:

• Segregated signing keys with hardware-backed policies, quorum approvals, and recovery playbooks
• Independent code audits and continuous monitoring of smart contracts and middleware
• Vendor due diligence that assesses incident response, data segregation, and change management across the tokenization stack
• Formal reconciliation between token ledgers and the official transfer agent record, with escalation if drift is detected

Liquidity management and data integrity

Accurate, timely NAV and holdings data are essential for orderly token operations. Discrepancies between onchain mirrors and the official register can create settlement exceptions or mispriced transfers. Controls include:

• Scheduled NAV updates synchronized with fund accounting
• Mint and burn only on receipt of authenticated updates from the official record
• Circuit-breaker logic that halts transfers if NAV or AUM data fail validation or if reserve attestations drift

Platform Landscape

Production models are coalescing around two patterns.

• Permissioned platforms: GS DAP integrations with LiquidityDirect use mirrored tokens on a private ledger managed among regulated institutions. The official books and records remain offchain with BNY, while GS DAP provides tokenization, transfer controls, and interoperability hooks for future collateral use.
• Public-chain routes: Franklin’s BENJI model represents an MMF share as a transferable token on public networks, while the transfer agent remains the official recordkeeper. BlackRock’s BUIDL is a tokenized liquidity fund for qualified investors, not a 1940 Act US MMF, and it has grown across multiple chains. These paths illustrate how public networks can serve institutional liquidity while preserving regulatory guardrails through transfer-agent and smart contract controls.

​

Chainlink’s Role in Tokenized MMFs

Institutional tokenization depends on verifiable data, automated controls, and secure connectivity across heterogeneous chains and enterprise systems.

• NAV and AUM data assurances: Publishers can use NAVLink feeds delivered via NAVLink feeds to broadcast authenticated NAV and AUM onchain. Token controllers can enforce mint and burn only when feeds match the official transfer agent record, reducing drift between mirrors and legal ownership.
• Reserve and collateral verification: Proof of Reserve can attest to offchain holdings or cross-chain backing that support tokenized assets, enabling circuit breakers when attestations deviate from thresholds.
• Automation of corporate actions and controls: Chainlink Automation can schedule NAV updates, enforce subscription and redemption cutoff windows, and trigger incident-driven pausing based on pre-set rules. Chainlink Functions can fetch bespoke offchain data or run custom checks within token workflows.
• Interoperability patterns: The Cross-Chain Interoperability Protocol provides a standardized, risk-managed way to connect permissioned and public chains. CCIP enables consistent cross-chain token movement, auditability, and policy enforcement when MMF tokens need to traverse multiple networks or interact with collateral venues.

Frequently Asked Questions

Are tokenized money market funds the same as stablecoins?

No. Tokenized MMFs represent shares in regulated funds that hold short-term securities and operate under fund regulations. Stablecoins are digital representations of currency or cash-like reserves that are not fund shares and follow different regulatory frameworks.

Who holds the official record of ownership in a tokenized MMF?

The transfer agent or custodian maintains the official shareholder register. Tokens mirror those records for transfer and automation. In mirrored record tokenization, the token ledger does not replace the legal register.

Do tokenized MMFs enable instant settlement in all cases?

Not by default. Near-instant transfer is possible, but full atomic cash-versus-delivery typically requires on-ledger cash such as tokenized deposits or CBDC. Without that, settlement may involve offchain cash movements and reconciliation.

Can tokenized MMF shares be used as collateral?

That is the direction of travel. Platforms are designing for transferability and collateral eligibility, and collateral networks are demonstrating how tokenized assets can be pledged with lower friction. Eligibility depends on each venue’s rules and connectivity.

How do SEC liquidity rules interact with tokenized transfers?

Funds remain subject to Rule 2a‑7, including enhanced liquidity thresholds and potential liquidity fees during stress. Token transfer policies should honor cutoff times, NAV processes, and any fees or gates specified in the fund’s prospectus and regulations.

What are the main cyber and smart contract risks?

Key compromise, access-control errors, contract vulnerabilities, and dependency on a small number of infrastructure providers. Controls include hardware-backed keys and quorum policies, independent audits, continuous monitoring, vendor risk reviews, and strict reconciliation to the official record.

How is NAV data synchronized between the token ledger and the fund?

Fund accounting publishes NAV and AUM on a scheduled basis. Token controllers accept updates only from authenticated sources, update onchain data, and allow mint and burn when the onchain mirror matches the official register. Circuit breakers can pause transfers if data fail validation.

Are public chains or permissioned networks better for tokenized MMFs?

It depends on access requirements, compliance controls, and connectivity to collateral venues. Permissioned networks can embed strict allowlisting and privacy, while public chains offer broad interoperability and programmability. Many institutions pursue a hybrid approach with bridges to both.