Security Token Standards Series – Standards Are Mandatory For Institutional Adoption

There are differing views on how to approach standards in the security token industry and I’d like to give my view based on over a decade of experience in financial services as a network architect. I designed, delivered and directly managed networks for financial services organisations that handle trillions of dollars of transactions.

There are initiatives in the security token industry to create standards, such as The Verified Token Framework as well as The Security Token Standard.

There are counterarguments that it’s too early to define standards, that the industry should follow an iterative approach, and that standards should be defined by real-world lessons and requirements.

The Web (Startup) Approach

The Web Approach allows for organic development. Rapid iterations and the natural selection based on real world usage of standards make a lot of sense; see what works, see what doesn’t, and then an unbiased body (not a company with possible vested interests) ratifies a standard that everyone must adhere to. It’s similar to the approach that startups (should) take for product development.

This partially worked with web browsers, as we now have very well-defined and powerful standards. However, the cost of the browser wars to businesses was huge and refinement took a decade. Web apps had to be tested and tailored to work with dozens of web browsers. UIs were broken, resulting in services that test 1500 browsers.

Whilst it was bad for the internet community, it was painful for banks who developed apps using Microsoft Internet Explorer (IE6) and were locked into legacy standards and operating systems for years as a result. This slowed their (already slow) technical development, increased costs, and impacted their customers.

The Enterprise Standards Approach

Whilst the IBMs of the world did a pretty bad job with Service Oriented Architectures (SOAs) due to their vested interests to be thought leaders and thus drive deal-flow (as highlighted in Jesus Rodriguez’s article), other industries such as networking did well.

Companies like Nortel, Cisco, Google, HP, and community efforts like OpenFlow, created standards which the whole industry adopted and that glue together today’s global communication networks. Massive corporations and online communities worked together to develop and adhere to these standards. It was / is far from perfect, but it has worked.

If you look back to 1992, the IS-IS routing protocol (for large service provider network backbones) was developed to be scalable and flexible. A decade after development, upgrading the protocol to support IPv6 was possible without low-level changes.


Interoperability is key

The point here is that complex software standards, when architected correctly, do work and have been proven to work, and these frameworks allow for new features to be added as the industry develops. We should learn from what has worked in the past.

Seamless Communications

The great thing about the internet is that transport protocols (IP), transmission protocols (TCP), and application protocols (HTTP), are standardised. Whether you’re reading this on an airplane on your iPhone connected to the internet by satellite, or at home with your AT&T broadband connection, it works.


1981 standards, still going strong

Like IP packets bouncing around the internet, security tokens must support interoperability between many key players: wallets, custodians, exchanges, broker / dealers, and even different blockchains.

Standards in Financial Services

The Bank of New York Mellon Costly Network Standard

A decade ago I was working as a network architect designing and implementing metro-networks and data centres for large and heavily regulated financial services organisations. One standard (which initially seemed odd) was that every Layer 3 network switch in BNYM had to run the same Cisco Catalyst 6500 hardware and IOS software.

The result of this was that a small network deployment could cost $250k, when it should have cost $25k. At the time a lower end and perfectly suitable Cisco switch was $3k, whereas the Catalyst 6500 was $30k. Scale this up to a huge global network and the costs are very significant.

Crazy heh?
No, not really, because they knew the technology worked. That platform had been battle-tested in that network for years. The operational and regulatory risk to the bank, with “$1.9 trillion in assets under management and $33.3 trillion in assets under custody” (source Wikipedia), was so high that it was a price worth paying.

Having seen major IT outages in banks, and the aftermath, such as people being fired and six month regulatory investigations, I understood why.

FIX Protocol

FIX protocol is the WWW or HTTP of banking. It’s used by buyers, sellers, broker/dealers, mutual funds, exchanges, and investment banks for the real-time trading and sharing of information on securities.

The security token industry needs their FIX, which is heavily standardised.

The Lesson

Not only are there business and reputational costs when there is an infrastructure or application failure, there are oftentimes regulatory fines.


In order for global stock exchanges, investment banks, and the remainder of institutional finance to support and implement the underlying technology for security tokens, it will require extensive testing and validation that will take years.


The security token projects of 2019/2020 are pioneering the technology, and with that comes risk. Hopefully the rewards outweigh the risk; however, those companies will almost certainly have to undertake some future administrative work as standards are reworked and better defined.

For institutional acceptance by the financial services industry, we need to consider:


Stress tested on mission critical systems. The banks will do this, but they will need something stable to work with.


Must work between all stakeholders in the ecosystem.


The frameworks should be backwards compatible, so once committed, the code will work for a decade or more.

Today we have many standards, including: T-REX, ST20, R-Token, DS Protocol, SRC20, Neufund, ERC1404, TM-01, ERC1450, Atomic DSS, CAT Token, and SFT.

Many protocols and standards we see today won’t exist, yet we as an industry need to work towards a common goal of standardisation.