security token

Progmat-Led Consortium Unveils Framework to Unlock Security Token Data Utility

Norbert Gehrke

04 Nov 2025 — 8 min read

Progmat, the core developer behind Japan's leading security token (ST) platform, has released the findings of a critical industry study, culminating in a standardized legal and operational framework designed to streamline the utilization of rights holder data in the ST ecosystem.

The comprehensive "ST Data Linkage Streamlining Working Group (WG)" report, conducted under the auspices of the Digital Asset Co-Creation Consortium (DCC)—an organization boasting 315 member entities—is poised to dismantle significant regulatory and practical barriers that have hindered the full potential of digital securities in Japan.

The report sets forth standardized data utilization requirements, evaluates optimal data linkage patterns, and formalizes the necessary legal structures under Japanese Personal Information Protection (PII) laws, specifically for two major ST asset classes: Trust-type ST (often used for real estate) and Bond-type ST (corporate debt).

Progmat CEO Tatsuya Saito commented that the framework is intended to strengthen the connection between token issuers and investors, facilitating a smoother and more beneficial customer experience across the Japanese digital asset landscape.

I. The ST Data Dilemma: Why Standardization Was Imperative

The fundamental promise of Security Tokens over traditional transfer agency securities (振替証券) is the ability for all relevant parties—issuers, administrators, and investors—to access information in a paperless, real-time manner. However, translating this theoretical advantage into practical reality has been fraught with complexity, primarily due to the stringent requirements of Japan’s PII laws and the need for complex, bespoke contractual arrangements among multiple service providers.

The DCC WG was established in March 2025 with 24 participating organizations, including major securities firms, banks, trust banks, and legal advisors, to address these cross-industry practical hurdles.

The primary objective was two-fold:

Define data utilization purposes and linkage routes.
Establish a clear, legal framework for compliant data sharing that reduces operational burden and maximizes efficiency for all parties post-issuance.

The DCC’s investigation focused heavily on the dual benefits achievable through streamlined data sharing:

A. “Offensive” Data Utilization (Marketing and Investor Engagement)

This includes fan marketing initiatives, where ST issuers (or associated marketing partners) can leverage rights holder data—such as ownership balance and duration—to offer tailored benefits and incentives (e.g., loyalty programs, digital perks). This enhances investor appeal and potentially lowers capital procurement costs.

B. “Defensive” Data Utilization (Investor Protection)

This is vital for risk management, particularly in the event of default, especially for high-yield corporate bonds tokenized as STs. Real-time access to the rights holder ledger allows for rapid identification of bondholders, enabling swift coordination of bond manager duties, creditor protection, and convening of bondholder assemblies.

Progmat noted that achieving these benefits previously required burdensome processes, including obtaining granular consent from rights holders for PII sharing and negotiating complex delegation contracts between numerous parties involved in the ST lifecycle (issuer, securities firm, trust bank, bond manager, and ledger administrator).

II. Core Requirements: Distinguishing Marketing Needs from Statutory Duties

The WG identified that data requirements vary significantly based on the purpose of use. The study established two main axes of data utility:

1. Marketing and Enhanced Investor Experience (Discretionary Use)

For issuers to provide attractive investor experiences, they require attribute data (name, address, gender, date of birth) and transaction/holding data (ST issuance details, purchase date, holding period, investment experience).

A key challenge noted by the WG is that intermediaries (securities firms) often regard sensitive contact data (email addresses, phone numbers) as proprietary sales assets. They are generally reluctant to provide unrestricted sharing of this data to external parties, even the issuer, requiring case-by-case judgment and strict adherence to specific consent parameters.

2. Statutory and Administrative Duties (Mandatory Use)

This requirement centers on ensuring accurate identity verification for corporate actions, such as convening bondholder assemblies (社債権者集会) and executing tax compliance (源泉徴収) related to coupon payments or redemption.

For Bond STs, the Bond Manager (社債管理者) needs access to the rights holder’s legal identification data (name, address, date of birth) to fulfill mandatory obligations under the Companies Act, particularly during potential distress or default scenarios.

The WG confirmed that while the core ledger information (managed by the Trustee Bank or Ledger Administrator) is updated at minimum monthly, marketing activities focused on current holdings often necessitate information synced at least daily or, ideally, in real-time (最速日次, Fastest Daily).

III. Data Linkage Patterns and Evaluation

The WG systematically charted potential data linkage routes between the five key entities involved in an ST issuance:

Rights Holder (Investor)
Intermediary / Custodian (Securities Firm)
Ledger Administrator / Trustee Bank (Trust Bank)
Issuer (Issuance Company)
Bond Manager / Marketing Partner

The analysis evaluated linkage patterns based on four criteria: Contract clarity, Policy compatibility, Administrative efficiency (事務負荷), and Versatility (汎用性).

A. Marketing Data Linkage (Trust-type ST Focus)

For marketing purposes, maximizing flexibility for the issuer is paramount. The WG concluded that Pattern A, which utilizes the Ledger Administrator (Trust Bank) as the primary conduit, is the most favorable and viable route for Trust-type STs:

Pattern A (Preferred): Rights Holder (1) → Intermediary (2) → Ledger Admin (3) → Issuer (7) → Marketing Partner (9).

Evaluation of Pattern A:

Contract Clarity: Highly favorable. It leverages existing delegation contracts between the Issuer and the Trustee/Ledger Administrator, making the legal structure clear and easily replicable, relying on established precedents in past ST issuances.
Policy Compatibility: Favorable. Since data flows through the Trustee, policy alignment is smoother, and the responsibility of the data provider is clearly delineated.
Efficiency/Feasibility: Requires multiple steps (data normalization/name matching by the Trustee, transmission to the Issuer), incurring some administrative burden. However, if the route is standardized, this burden can be minimized through platform automation.
Versatility: High. This pattern represents the standard model for trust-based ST schemes and is widely applicable.

The WG ruled out patterns that involve direct transfers between the Intermediary/Custodian and the Issuer/Marketing Partner without the Ledger Administrator's involvement, citing significant hurdles in contract establishment, policy conflicts (especially the Custodian’s proprietary view of client data), and lack of established precedents.

B. Bond Management Data Linkage (Bond-type ST Focus)

For Bond STs, the focus shifts to statutory compliance and ensuring functionality even if the Issuer faces insolvency. The WG analyzed several patterns, recognizing that the role of the Bond Manager (BM) introduces new complexities.

The key operations analyzed were:

Issuer (E, F): The Issuer convenes the assembly.
Bond Manager (H, I): The BM convenes the assembly (critical if the Issuer is distressed).

Evaluation Summary (Bond Manager Perspective):

Pattern E (Issuer-led): Issuer (1) → Intermediary (2) → Ledger Admin (3). This is the simplest Issuer-led option but is not feasible for complex tasks like written/electronic voting, which requires delegation to an entity with a direct investor connection (the Intermediary/Custodian).
Pattern F (Issuer delegates to Intermediary): Issuer (1) → Intermediary (2) → Ledger Admin (3). Feasible, as the delegate (Intermediary) has a direct connection to the rights holder, reducing ID verification risk.
Pattern H (BM-led): BM (1) → Intermediary (2) → Ledger Admin (11). This is the Bond Manager-led equivalent of Pattern E. The WG cautioned that BM-led actions should ideally be operationally separated from the Issuer’s needs (e.g., in default scenarios).
Pattern I (BM delegates to Intermediary): BM (1) → Intermediary (2) → Ledger Admin (11). Highly feasible, as the BM delegates the crucial ID verification/assembly notice tasks to the Intermediary, mirroring the structure deemed effective for Issuer-led processes (Pattern F).

The WG ultimately concluded that Patterns E, F, H, and I are the most viable structures for statutory duties, with the delegation routes (F and I) favored for their administrative practicality and ability to mitigate risk regarding accurate rights holder identification.

IV. The Legal Breakthrough: PII Framework Standardization

The most critical contribution of the WG is the clarification of the legal basis for data sharing, relying on two key provisions of Japan’s PII law: Third-Party Provision (Daisansha Teikyo) and Outsourcing (Itaku).

PII Provision	Scope of Use	Consent Required?	Record Keeping Duty?
Third-Party Provision	Provided party uses data under its own management for its own purposes.	Generally Required	Required (detailed record of transfer source, recipient, and purpose).
Outsourcing	Provided party handles data on behalf of the delegating party, under their instruction/supervision.	Not Required	Not Required

A. Marketing Data: Embracing "Third-Party Provision on Behalf of the Individual"

For flexible marketing utilization, the "Third-Party Provision" framework is legally appropriate, but it carries a heavy burden: mandatory consent and record-keeping duties.

The WG found that standardizing marketing data sharing requires leveraging the exemption for Third-Party Provision made on behalf of the individual (本人に代わる第三者提供). When acting on behalf of the rights holder, the onerous record-keeping requirements are waived.

Key conclusions for Marketing:

Consent Necessity: Since marketing objectives are dynamic and specific (e.g., offering perks based on a specific investment trait), relying solely on boilerplate language in the ST agreement (約款, yakkan) is insufficient. Individualized consent forms (個別同意書) are the only realistic method to secure the necessary level of specificity required by PII guidelines regarding purpose, data items, and recipient identification.
The Ideal Structure: Intermediaries (Custodians) must secure comprehensive consent from the rights holder to cover all subsequent transfers (to the Ledger Admin, Issuer, and Marketing Partner).
Secondary Delegation (Issuer to Marketing Partner): While the transfer from the Intermediary to the Issuer must be structured as Third-Party Provision, the subsequent transfer from the Issuer to an associated marketing company can, if narrowly defined, be structured as Outsourcing, provided the Issuer maintains strict supervision and control over the marketing company’s handling of the data. However, the WG suggests a flexible approach, allowing for either Outsourcing or Third-Party Provision depending on the specific arrangement.

B. Statutory Data: Delegation for Efficiency

For duties related to Bond Management (e.g., assembly notice and ID verification), the WG favored the Outsourcing (Delegation) model for efficiency, provided the task is a mandatory statutory duty.

The transfer of personal data related to ledger management (Ledger Admin/Trustee Bank to Issuer/Bond Manager) is typically considered "Provision based on Law" (法令に基づく提供) under Trust Law (信託法), rendering consent and record-keeping irrelevant.

Key conclusions for Bond Management:

Issuer/BM to Intermediary: If the Issuer or Bond Manager delegates the operational task of sending assembly notices or confirming ID to the Intermediary (Patterns F and I), this data transfer is best categorized as Outsourcing. This allows the Intermediary, which has the direct customer relationship, to perform the work without triggering the PII record-keeping obligation for Third-Party Provision.
Maintaining Robustness: Critically, data linkage for mandatory duties (assembly, verification) must be structured such that the Bond Manager’s operation is decoupled from the Issuer’s state of health, ensuring that investor protection functions remain robust even if the Issuer defaults.

V. Practical Implementation and Next Steps

To realize these legal frameworks, the WG developed draft model consent forms for both Trust-type ST and Bond-type ST transactions. These models clearly articulate the three necessary components for PII consent:

Third-party recipients (Who gets the data?)
Data items to be shared (What data is shared?)
Purpose of use (Why is the data shared?)

For the Bond ST model, the consent form explicitly includes the Bond Manager as a data recipient and lists statutory duties (assembly notice, ID verification) as core utilization purposes, alongside marketing activities.

While the WG's collaborative study is now formally complete, its "Report" is designed to be the definitive reference document for all future Progmat-based ST issuances.

The focus shifts to Step 5 of the original plan: the application of these legal principles to actual ST issuance documentation and contracts, which will be executed within individual projects by participating DCC members.

By establishing a clear, standardized approach to PII consent and data delegation, the Progmat-led DCC has cleared a major regulatory hurdle, paving the way for the ST ecosystem to fully realize the digital advantages of real-time data utilization, thereby strengthening issuer-investor ties and enhancing overall market efficiency. The report marks a significant step toward the maturation and mass adoption of tokenized assets in Japan.