This post offers an overview of the CMTAT, a security token standard designed to comply with Switzerland’s law, and widely adopted by Swiss banks and financial institutions.
The Capital Market and Technology Association (CMTA) gathers leading Swiss banks, law firms, and technology providers, with the common goal of setting industry standards to promote the adoption of digital assets in Switzerland. CMTA was instrumental in the implementation of the so-called Lex DLT, the series of amendments to Swiss law that enables the tokenization of financial instruments on distributed ledgers such as blockchains.
One of the main projects of CMTA is the CMTA Token (CMTAT), an open standard suitable to the tokenization of various financial instruments and adopted by multiple actors within the Swiss banking and finance sector. Let’s see what CMTAT is about and how to use it in your tokenization projects.
Origins of the CMTA token
The CMTAT was initially developed by a working group of CMTA's Technical Committee that included members from Atpar, Bitcoin Suisse, Blockchain Innovation Group, Hypothekarbank Lenzburg, Lenz & Staehelin, Metaco, Mt Pelerin, SEBA, Swissquote, Sygnum, Taurus, and the Tezos Foundation, with the support of ABDK, a leading team in smart contract security.
Let's define CMTAT by highlighting what it is not:
CMTAT is not a token that you can buy and sell, like an ERC-20 token or a security token; instead, it’s more like a recipe to create such tokens.
CMTAT is not tied to a blockchain platform: the CMTAT framework is a definition of a set of functionalities that a token can implement to be compliant with Swiss law, as outlined in the CMTAT’s main document.
The initial use case of CMTAT was the tokenization of equity, in particular shares of Swiss companies (see CMTA’s FAQ). But as we’ll see, it’s suitable for much more than that.
Tokenization use cases
AI-generated with DALL·E 3
The first use case of CMTAT was the tokenization of Swiss SMEs' shares. Tokenization allowed these companies to raise capital among new investor classes (such as their clients) by leveraging existing blockchain technology. Buyers could then hold the tokens on the same wallet applications they use for other cryptocurrency and Web3 ecosystems. Another key benefit is that tokens could now be easily traded on marketplaces among other tokenized assets, as well as stablecoins and cryptocurrencies.
Taurus was one of the pioneers in offering the technology solutions to support tokenization, from the custody of assets to their issuance and marketplace. Swiss companies that tokenized their shares in partnership with Taurus include:
The multi-brand Audacia Group holding company
Cité Gestion, the world’s first private bank to tokenize its share capital
E-commerce retailer QoQa Brew
Watch manufacturer CODE41
Apart from Taurus, a number of technology companies assisted SMEs in tokenizing their shares, often by leveraging the CMTAT framework.
However, CMTAT extends beyond equity. From the beginning, it was designed to also support the tokenization of:
Debt products, from simple bonds to more complex instruments. The initial CMTAT documentation describes how the token can support a bond’s attributes such as the maturity date and interest rate.
Structured products, as showcased by the proof-of-concept tokenization of an actively managed certificate (AMC) implemented using CMTAT and subject to a trade against Swiss francs, guaranteeing delivery-versus-payment (DVP), via a dedicated on-chain program.
The CMTAT reference code
The reference implementation of CMTAT is available as open-source code on GitHub. The code is free (both as in “free beer” and as in “freedom”), meaning it can be used in its original or modified form by anyone, without requiring permission from CMTA, being distributed under a permissive license.
The code in this repository is written in the Solidity language and is suitable for Ethereum, the main blockchain platform and the most common among tokenization projects, as well as for any compatible blockchain. The CMTAT token is implemented as an extension of the ERC-20 token standard, building upon battle-tested code from the OpenZeppelin project, the gold standard among open-source smart contracts.
CMTAT’s reference implementation consists of a number of modules, where users may modify the token code by adding, removing, or modifying these modules. However, the core modules must remain in place to ensure compliance with Swiss law. For example, the support of debt instruments is implemented via a dedicated module.
Following state-of-the-art development practices, the CMTAT’s code features:
The integration of a customizable rule engine (also developed by CMTA), which allows users to define their own transfer restriction logic, such as address whitelisting and amount limits.
Deployment either directly or via a proxy contract, thus making the token’s contract upgradeable. Again, CMTAT leverages established standards from OpenZeppelin.
So-called gasless deployment, where the payment of transfer fees is delegated to a separate entity (address) rather than paid by the transfer issuer. This addresses cases where an institution cannot hold cryptocurrency, yet desires to work with tokenized assets.
The main toolchains, including the Truffle Suite, Hardhat, as well as Foundry (partially).
Various gas optimization tricks.
Simplicity is one of the guiding principles behind CMTAT: it does not attempt to support all possible features imaginable for a security token, but only includes what is necessary and what is required by its users—in our case, the Swiss finance community, as an initial user basis.
To give you a concrete idea of what a CMTAT token looks like, this is the interface of the initializer, which includes the attributes passed as arguments:
string memory nameIrrevocable,
string memory symbolIrrevocable,
string memory tokenId_,
string memory terms_,
string memory information_,
This code, in its original form or a variant thereof, has been used in dozens of tokenization projects, from simple company shares to the most complex ones.
It’s worth noting that a reference implementation is also available for the Tezos platform, as a token of the FA-2 type, Tezos' latest token standard.
Last but not least, what about the security risks?
First, note that CMTAT’s use cases minimize and mitigate the risk of “hack”, by:
Using a relatively simple token format and code, as opposed to complex smart contracts commonly found in “decentralized finance” applications.
Organizing security audits by third-party expert companies, where the audit report is published in CMTAT’s public repository.
Offering simple solutions in case one’s private key is lost or compromised, or if the contract itself is exploited by an attacker. The assets tokenized being fully regulated, token holders are registered off-chain and do not lose their assets if they lose their keys. For more details, see CMTA’s FAQ answers to “What happens if I lose my private key?” and “Should I worry about being hacked?”.
What if you implemented your own version of the CMTAT standard, be it for Ethereum or another platform, and wish to be recognized as compliant with the standard?
To reassure your users and investors that a project and token are CMTAT-compliant, CMTA created a certification program. This program involves CMTA experts reviewing your tokenization project and formally confirming its alignment with the CMTAT standard, even if you haven't used the original CMTAT reference code. If you’d like to apply, or just learn more about the certification process, please visit CMTA. Tokenized Shares Certification.
The CMTAT token and its code are under continuous development, with regular releases that include changes such as:
Addition of new features
Improvement of the code quality and security
Updates with respect to new standards and best practices
CMTA’s members, from lawyers to blockchain engineers, are currently working on new features and mechanisms to include to the CMTAT reference code. To be informed of updates, don’t hesitate to “star” the project and follow the next commits pushed to modify its code.
Although initially designed for the Swiss legal framework, CMTAT has proven to be suitable for tokenization in other jurisdictions. We are looking forward to its further adoption and diverse use cases both in Switzerland and internationally.