
JIL Regulatory Attestation Network (RAN)

Regulator-facing subscription API. Agencies (FinCEN, SEC, IRS-CI, FCA, MAS, FINMA, BaFin) get read-only cryptographically-verifiable access to JIL attestations. $2-4B market; Year-1 $3-8M target.

NDA Confidential Version 2026-04-21
How the 4 pillars relate

Four pillars, one shared substrate, plus Sovereign Stack as a productized deployment

Every pillar captures value from the attestation work the platform produces anyway. This pillar is highlighted in gold. Sovereign Stack is the productized deployment of the whole stack - see /sovereign.

Shared Substrate
fleet-signer attestation engine L1 anchor MPC asset-intelligence YubiKey trust

JIL Regulatory Attestation Network (RAN) - Pillar 1

Document ID: RAN-PILLAR-001
Version: 1.0
Status: Planning. Ready for executive review.
Owner: Jeff Mendonca (exec sponsor); Head of Government Affairs + Compliance (TBH); engineering lead TBD.
Shared substrate: see pillars README


1. The thesis

Regulators today verify compliance by receiving CSV files and PDF reports from the institutions they oversee. The reports are self-attested by the filer. There is no independent cryptographic verification. Every "we were compliant" claim sits on the honor system.

JIL has already solved this problem for our customers internally. Every settlement produces a sealed, quorum-signed, post-quantum-bound attestation. Productizing this for regulators flips compliance from filer-attested to system-attested. Regulators stop trusting what the bank tells them and start verifying what the platform produced.

The move: a regulator-facing subscription API where agencies (Treasury, SEC, FinCEN, IRS-CI, FCA, MAS, FINMA, BaFin) get read-only access to verify JIL attestations in real time. Zero integration cost for the regulator. JIL monetizes per-query + annual subscription.

Why this is a moat: once a regulator treats JIL-attested records as authoritative for their reporting regime (SAR, CTR, MiFID II, DORA, Travel Rule), every institution in that jurisdiction needs JIL to operate. This is the Plaid-for-regulators play - infrastructure positioning with regulatory gravity.


2. Market gap

The broken state

  • SAR filing (FinCEN): 4.5M SARs filed in 2024 via the BSA E-Filing System. Zero cryptographic verification. FinCEN analysts manually triage + escalate. False-positive rate estimated 95%+.
  • CTR filing: 20M+/year. Same problem.
  • MiFID II transaction reporting (EU): 3B+ records/year across ESMA-connected venues. Self-reported, no independent verification.
  • Travel Rule (FATF R.16): fragmented - Sumsub, Notabene, Shyft, TRP, IVMS101 all compete. None offer regulator-verifiable attestation.
  • Crypto 1099 reporting (IRS, 2025+): new Form 1099-DA. Every broker self-files. IRS has no mechanism to verify.

What regulators actually want (from public comment letters + conference speeches)

  1. Real-time visibility into covered institution compliance posture - not quarterly paper filings.
  2. Cryptographic assurance that the filed data matches what actually happened on the wire.
  3. Standardized format across institutions - not 50 different CSV schemas.
  4. Reduced false-positive triage burden - signal, not noise.
  5. Self-service verification - regulator staff shouldn't need to subpoena supporting evidence.

RAN delivers all five. We already produce the output; we just need to build the regulator-facing product layer.


3. Product structure

3.1 RAN Portal (regulator-facing subscription)

What it is: a hosted portal + API for regulator staff. Authenticated with government PIV/CAC/SSO. Regulators can:

  • Query any JIL-attested transaction by counterparty, date range, jurisdiction, verdict code, FWEA category
  • Receive sealed verdict records (same artifact as CourtChain) for any transaction
  • Subscribe to alerts (e.g. SAR-trigger events across all JIL customers in their jurisdiction)
  • Independently verify every query result against the public trust bundle

Customer: regulatory agencies (US federal + state, EU, UK, SG, CH, JP, UAE, others).

Sold as: annual agency subscription + per-query overage.

Pricing: $250K-$2M/year per agency depending on query volume + seat count.

3.2 RAN Institution Export (institution-facing compliance tooling)

What it is: a pull-based export that lets regulated institutions hand their regulator a cryptographically-sealed compliance package instead of a CSV. Regulator's system consumes it; no more back-and-forth on data integrity.

Customer: any regulated entity filing SARs, CTRs, 1099-DAs, MiFID II reports, DORA ICT risk reports, etc.

Sold as: annual subscription per institution.

Pricing: $50K-$500K/year per institution depending on filing volume.

3.3 RAN Certification (compliance-posture certificate)

What it is: a point-in-time sealed record certifying an institution's current compliance posture across the JIL FWEA check catalog. Like a SOC 2 report, but cryptographically verifiable in real time and updated continuously instead of annually.

Customer: institutions undergoing regulator exam, entering new jurisdictions, or responding to counterparty due-diligence requests.

Sold as: per-certification fee.

Pricing: $10K-$100K per certification depending on scope.

3.4 RAN Whistleblower Vault (bonus capability, high-strategic-value)

What it is: an MPC-held, time-locked vault where an institution's internal compliance officers can seal an attested report. If the institution later retaliates or falsifies records, the regulator (or a court) can unseal it. Combines JIL sealed verdict + MPC timed release + Claim 53 court-admissibility.

Customer: Dodd-Frank whistleblower programs (SEC + CFTC pay 10-30% of recovery); compliance officers protecting themselves.

Sold as: per-seal fee + contingent upside tied to whistleblower recoveries.

Pricing: $5K seal + 5% of successful whistleblower awards (capped).


4. Target customers

US federal

| Agency | Relevant regime | Sales motion |
|---|---|---|
| FinCEN | SAR + CTR + 314(b); BSA | direct BD + Treasury procurement |
| IRS-CI | 1099-DA + crypto income | GSA Schedule 70 |
| SEC Enforcement | Rule 10b-5 + crypto registration | per-matter contracts |
| CFTC | commodity manipulation + swap reporting | direct BD |
| OCC + FDIC | bank supervision | direct BD |
| Treasury OFAC | sanctions enforcement | direct BD |
| Fed (FRB) | bank supervision + FedNow oversight | direct BD |

US state (attorneys general, departments of financial services)

| State | Priority |
|---|---|
| NY DFS | highest - they set the US bar on BitLicense |
| CA DFPI, TX SSB, WY DoB, FL OFR | high |
| 46 other states | medium - NAAG summer/winter meetings |

International

| Jurisdiction | Regulator | Priority |
|---|---|---|
| EU | ESMA, EBA, ECB (MiCA + DORA) | very high |
| UK | FCA | high |
| Singapore | MAS | high |
| Switzerland | FINMA | high |
| Germany | BaFin | high |
| Japan | FSA | medium |
| UAE | VARA | medium |
| Hong Kong | SFC | medium |
| Brazil | CVM | medium |

5. Service architecture

services/ran/ - the regulator-facing product layer. Like other pillars, thin on top of the shared substrate.

services/ran/
├── src/
│   ├── index.ts
│   ├── types.ts
│   │
│   ├── api/
│   │   ├── query.ts                # POST /v1/ran/query - search attested records
│   │   ├── subscribe.ts            # POST /v1/ran/subscriptions - alert subscriptions
│   │   ├── certify.ts              # POST /v1/ran/certify - institution posture certificate
│   │   ├── export.ts               # POST /v1/ran/export - institution-side export
│   │   ├── verify.ts               # GET  /v1/ran/verify/:id - public verifier reuse
│   │   └── whistleblower.ts        # POST /v1/ran/wb/seal  (MPC seal)
│   │                                 POST /v1/ran/wb/unseal (regulator-triggered)
│   │
│   ├── auth/
│   │   ├── gov-sso.ts              # SAML + PIV/CAC for US federal
│   │   ├── eidas.ts                # eIDAS for EU regulators
│   │   └── tenant-isolation.ts     # per-agency data partition
│   │
│   ├── query-engine/
│   │   ├── attestation-index.ts    # inverted index over courtchain.records
│   │   ├── filters.ts              # by jurisdiction, FWEA code, date, counterparty
│   │   └── rate-limit.ts           # per-agency quota
│   │
│   ├── alerts/
│   │   ├── subscription-manager.ts
│   │   ├── trigger-engine.ts       # evaluates against fraud-attestation-engine verdicts
│   │   └── delivery.ts             # webhook + email + secure-message-bus
│   │
│   └── whistleblower/
│       ├── mpc-seal.ts             # 2-of-3 MPC time-lock (user shard + agency shard + JIL shard)
│       ├── policy.ts               # release conditions (date, court order, regulator subpoena)
│       └── evidence-chain.ts       # CourtChain-compatible sealed evidence
│
└── migrations/
    ├── 001_init.sql                # ran.agencies, ran.seats, ran.subscriptions
    ├── 002_quotas.sql              # per-agency rate limits + billing
    └── 003_whistleblower.sql       # ran.wb_seals with MPC shard refs

Endpoints

| Path | Purpose |
|---|---|
| POST /v1/ran/query | search attestations (agency auth) |
| POST /v1/ran/subscriptions | create alert subscription |
| POST /v1/ran/certify | issue posture certificate |
| POST /v1/ran/export | institution export bundle |
| GET /v1/ran/verify/:id | public verification (no auth) |
| POST /v1/ran/wb/seal | whistleblower seal (MPC) |
| POST /v1/ran/wb/unseal | MPC unseal (requires quorum) |
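
A regulator-side sketch of the independent check behind `GET /v1/ran/verify/:id` and the public trust bundle, added here as an example and not JIL's code. The record shape, the trust-bundle layout, the 2-of-3 threshold and the signer names are assumptions, and Ed25519 stands in for the signature scheme, which this document does not name.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Hypothetical shapes: the document does not specify the record or trust-bundle format.
interface Attestation { id: string; payload: string; signatures: { keyId: string; sig: string }[] }
interface TrustBundle { threshold: number; signers: Map<string, KeyObject> }

// Bytes every signer signs: a digest binding the record id to its payload.
// JSON array encoding keeps the id/payload boundary unambiguous.
function signingInput(id: string, payload: string): Buffer {
  return createHash("sha256").update(JSON.stringify([id, payload])).digest();
}

// Accept a record only if `threshold` distinct pinned signers produced valid signatures.
function verifyAttestation(a: Attestation, bundle: TrustBundle): { ok: boolean; validSigners: string[] } {
  const msg = signingInput(a.id, a.payload);
  const valid = new Set<string>();
  for (const { keyId, sig } of a.signatures) {
    const key = bundle.signers.get(keyId);
    if (!key || valid.has(keyId)) continue; // not in the bundle, or signer already counted
    if (verify(null, msg, key, Buffer.from(sig, "base64"))) valid.add(keyId);
  }
  return { ok: valid.size >= bundle.threshold, validSigners: Array.from(valid).sort() };
}

// Constructed sample data: three Ed25519 signers with a quorum of 2.
const keys = ["signer-a", "signer-b", "signer-c"].map((keyId) => ({ keyId, ...generateKeyPairSync("ed25519") }));
const bundle: TrustBundle = { threshold: 2, signers: new Map<string, KeyObject>() };
for (const k of keys) bundle.signers.set(k.keyId, k.publicKey);

// Helper standing in for the signing side: signs with the chosen sample signers.
function seal(id: string, payload: string, signerIdx: number[]): Attestation {
  const msg = signingInput(id, payload);
  const signatures = signerIdx.map((i) => ({
    keyId: keys[i].keyId,
    sig: sign(null, msg, keys[i].privateKey).toString("base64"),
  }));
  return { id, payload, signatures };
}

const good = seal("att-0001", '{"verdict":"PASS"}', [0, 2]);
const tampered = { ...good, payload: '{"verdict":"FAIL"}' }; // payload changed after sealing
const padded = { ...good, signatures: [good.signatures[0], good.signatures[0]] }; // one signer repeated
console.log(verifyAttestation(good, bundle).ok, verifyAttestation(tampered, bundle).ok, verifyAttestation(padded, bundle).ok);
```

The verifier counts signers, not signatures, so a record padded with repeats of one valid signature stays below quorum, and keys absent from the pinned bundle are ignored rather than trusted on first sight.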

Infra requirements

  • FedRAMP Moderate - minimum for US federal agencies. ~9 months, ~$500K.
  • FISMA Moderate for federal subcontracting
  • StateRAMP for state government
  • ISO 27001 + 27017 + 27018 for international
  • SOC 2 Type II baseline for all enterprise

6. Pricing

| SKU | Unit | Price |
|---|---|---|
| RAN Agency Subscription - Tier 1 (large federal: FinCEN, IRS, SEC) | annual | $1M-$2M |
| RAN Agency Subscription - Tier 2 (state AG, mid-size federal) | annual | $250K-$500K |
| RAN Agency Subscription - International (EU/UK/SG/CH) | annual | $500K-$1M |
| RAN Institution Export (small: <$1B assets) | annual | $50K |
| RAN Institution Export (mid: $1-10B) | annual | $150K |
| RAN Institution Export (large: >$10B) | annual | $500K |
| RAN Certification - standard | per-cert | $25K |
| RAN Certification - extended scope (multi-jurisdiction) | per-cert | $100K |
| Whistleblower Seal | per-seal | $5K + 5% contingent |

7. Phased build

Phase 1 - MVP Portal (Months 0-4)

Ship:

  • services/ran/ skeleton with query + certify endpoints
  • Government SSO (SAML + PIV/CAC for US federal)
  • Per-agency tenant isolation
  • Attestation index (Postgres + Elasticsearch)
  • First pilot customer - target: NY DFS (longest-running, most sophisticated state regulator; BitLicense gives them the mandate)

Team: 1 engineer + 0.5 compliance lead.
Cost: ~$100K loaded.
Milestone: NY DFS staff running weekly queries in production.

Phase 2 - FedRAMP + institution-side export (Months 4-12)

Ship:

  • FedRAMP Moderate ATO in flight
  • Institution export API
  • Posture certification product
  • First federal pre-sales (FinCEN)
  • 2nd-3rd state pilots (CA DFPI, TX SSB)

Team: +1 engineer, +1 FedRAMP consultant, +1 BD.
Cost: ~$700K loaded + $500K FedRAMP.
Milestone: FedRAMP ATO granted (~month 12).

Phase 3 - Federal expansion + international (Months 12-24)

Ship:

  • First federal contract (FinCEN or IRS-CI)
  • EU launch (MiCA/DORA compliance)
  • UK/SG/CH pilots
  • Whistleblower Vault launch

Team: +2 engineers, +1 GovTech BD, +1 EU representative.
Cost: ~$1.5M loaded.
Milestone: 3+ federal agencies, 5+ state, 3+ international.


8. Go-to-market

Year 1 targets

  • 2+ state regulator subscriptions live
  • 10+ institution export customers
  • FedRAMP ATO application filed
  • First Dodd-Frank whistleblower seal → successful award recovery

Sales channels

  • Direct BD to regulator general counsels + deputy directors
  • Conference presence: FinCEN Exchange, NACHA Payments, NAAG meetings, RSA (federal), Money 20/20, Singapore FinTech Festival
  • Partnerships:
      • ACI Worldwide - they have FinCEN + bank relationships
      • Jumio, Trulioo - KYC vendors that already sell to regulators
      • Everlaw - e-discovery for regulator investigations
  • Content: white paper "Cryptographic Compliance: Regulator-Verifiable Attestation Architectures" - presented at FinCEN Exchange.

Narrative

"Regulators today ask a bank 'are you compliant?' and get a 400-page PDF back. We let regulators ask the system - 'show me every settlement in your jurisdiction last quarter where the FWEA sanctions check triggered' - and get cryptographically verifiable answers in milliseconds."


9. Risks

| Risk | Mitigation |
|---|---|
| Agencies move slowly; sales cycles 18-36 months | Start with state regulators (NY DFS, CA DFPI - faster) to fund long federal cycles |
| Competitor (Chainalysis) tries to build this | Their compliance tool is investigator-facing, not regulator-facing. They'd need to rebuild quorum signing + PQ + civil-admissibility. Patent Claim 53 is our wedge here too |
| Regulators reluctant to trust cryptographic verification over their own analysts | Integration is additive - replaces no existing workflow in Phase 1. Analysts still review; we give them better signal |
| Institutions don't want regulators to see more than PDFs | Exact data feeds are opt-in per regulator regime; institution controls the scope |
| FedRAMP takes longer than budgeted | State + EU markets fund the business while FedRAMP is in flight |
| Whistleblower Vault creates legal/privilege risk | Clear terms: user shard held by the user's counsel, not JIL; JIL is an escrow agent only |

10. Success metrics (Year 2)

  • 3+ federal agencies on subscription
  • 10+ state regulators
  • 5+ international regulators (minimum EU/UK)
  • $10M+ ARR from agencies alone
  • 50+ institutions on the export product
  • FedRAMP Moderate granted
  • 1+ successful whistleblower recovery tied to a Vault seal

11. Strategic value

RAN is the most defensible pillar. A competitor that wants to displace us needs:

  • A federal ATO (9 months minimum)
  • Sign-on from multiple regulators (2+ years)
  • Patent-adjacent architecture (Claim 53 + likely 2-3 follow-on claims)
  • Post-quantum-anchored attestation (years of NIST cryptography adoption)

This is effectively un-catchable once we're in. The network effect is regulatory - the more regulators on JIL, the more institutions need JIL to operate in those jurisdictions.

Even if CourtChain or PoCS outsell RAN in Year 1, RAN is the pillar to prioritize for long-term moat construction.

Pricing estimates · Pillar 1 · Regulatory Attestation Network

Pricing & revenue profile

All figures below are illustrative estimates for VC/investor and enterprise-buyer reference. Final pricing is scoped per engagement; contact sales for a firm quote.

Operator SKU: $150-$500/attestation
12-month credential validity · volume tiers below $150 at scale
Per-entity signed attestation, cross-regime portable; satisfies 5+ compliance regimes from a single sealed credential.

Regulator license: $500K-$2.5M/yr
Scoped by supervised-population size
Full regulator console + supervisor API, sealed audit exports, dedicated compliance SLA.

Year-2 revenue target: $10M+ ARR
Agencies alone · Export product additive
3+ federal, 10+ state, 5+ international regulators subscribed; 50+ institutions on cross-border export product.