TL;DR
Most banks know they want to test tokenized receivables. Few know how to structure the test. This roadmap defines a controlled 90-day pilot: one borrower, one receivables pool, one lender, one eligibility policy, and one approved settlement path tested under normal, delayed, and failure conditions. It covers sandbox architecture, three phase gates, six success metrics, legal enforceability stress scenarios, governance controls, and exit criteria.
Why Pilot Design Determines Pilot Outcomes
HKMA Project Ensemble moved from experimentation into real-value pilot transactions in November 2025. The shift illustrates why banks need controlled pilot designs before moving tokenized assets into real-value workflows. Banks that define their sandbox scope precisely produce useful results. Banks that run open-ended proofs of concept produce inconclusive ones.
The difference is structure. A controlled pilot answers specific operational questions. An unstructured pilot answers none of them reliably.
This roadmap applies that discipline to tokenized receivables collateral.
Pilot Scope Definition
Before any technical work begins, the bank must define five boundaries.
Single borrower. Choose one borrower with a clean credit profile and an active receivables flow. The borrower needs to be linked to ERP or have structured invoice data. Multiple borrowers complicate and mask which variables drive results.
Single receivables pool. Define upfront the type of invoice that is eligible, the currency, the debtor jurisdiction and the maturity range. A pool of domestic trade invoices, in a single currency, is the lowest risk starting point. Cross-border or multi-currency pools introduce legal and FX variables that complicate interpretation.
Single lender. Run the pilot within one internal lending unit. Multi-lender structures introduce priority and registry complexity that belongs in a later phase.
Controlled eligibility policy. Write a one-page eligibility policy before the pilot starts. It should specify minimum invoice amount, maximum maturity, acceptable debtor credit ratings and advance rate. Every eligibility decision during the pilot is measured against this policy.
One approved settlement path. Select one approved settlement rail, such as the bank’s existing fiat account-to-account settlement process. Simulate that rail during Phases 1 and 2. Use restricted real settlement in Phase 3 only after approval. Test this path under normal, delayed, and failure conditions. Additional settlement rails (e.g., tokenized deposits) may be simulated optionally but should not become part of primary go/no-go criteria.
These five constraints are not permanent. They are the conditions that make pilot results interpretable.
Sandbox Architecture
The pilot runs in an isolated environment. It does not touch production systems, production data, or live customer accounts during Phases 1 and 2.
Isolated environment. The sandbox must be a separate instance of the tokenization platform. It must have its own registry, data store and API endpoints. No sandbox event should be visible in production dashboards. Use synthetic invoice data based on real borrower profiles for Phases 1-2. Phase 3 uses a restricted pre-production environment with specifically approved live data and integrations.
Test data. Data should be representative of the invoice volumes, amounts, currencies and types of debtors that the bank expects to encounter in production. Unrealistic test data leads to unrealistic results.
Mock settlement. Phases 1 and 2 use simulated fund movement. No real money is transferred. Phase 3 uses the approved settlement path with defined transaction limits, access controls, and rollback procedures. Real settlement requires explicit risk committee approval.
Audit logging. Enable audit logging in full from the outset. All sandbox events are logged. KPI measurement and governance review are largely based on evidence from audit logs.
Architecture Components
The pilot architecture includes:
Borrower ERP → ingestion API → validation and verification engine → collateral registry → settlement adapter → reconciliation engine → audit and reporting
Role-based access control (RBAC) with segregation of duties
Key and wallet management for cryptographic operations
Data minimization and retention policies
Encryption in transit (TLS 1.2+) and at rest (AES-256)
Security monitoring and incident response procedures
Backup and recovery mechanisms
Integration kill switch for emergency disconnection
Phase 1 (Days 1 to 30): Foundation
Phase one has four workstreams running in parallel.
Data mapping. Map the fields of the borrower’s ERP invoice to the data schema of the platform. Identify gaps between the available fields and needed fields. Define how missing fields will be sourced or substituted. Document every mapping decision. This documentation becomes the integration specification for phase two.
Verification workflow design. Design the eight-step verification sequence for the pilot pool. Define pass and fail criteria for each check. Assign ownership for each step to a specific team or system. Document the exception-handling procedure for each failure type.
Legal control review. Legal counsel must review three things before phase two begins. First, the assignment notice format for the pilot jurisdiction. Second, the perfection requirements for the receivable type in scope. Third, the governing law of the security agreement. This review must produce a written sign-off. Phase two does not start without it.
Settlement path mapping. Document the one approved settlement path, including the expected trigger, confirmation mechanism, reconciliation method, and finality criteria. Define how delayed settlement and settlement failures will be tested as failure scenarios around this primary path.
Phase 1 gate criteria.
Deliverable | Owner | Status Required |
ERP-to-platform field mapping document | Integration lead | Complete |
Verification workflow specification | Operations lead | Complete |
Legal control review sign-off | General counsel | Written approval |
Settlement path mapping document | Treasury and operations | Complete |
Sandbox environment deployed and tested | Technology lead | Confirmed live |
Platform capability confirmed (internal or vendor) | Technology lead | Decision documented |
Phase 2 (Days 31 to 60): Integration and Simulation
Phase two tests the workflow end to end with synthetic data.
Integration testing. Using the defined API, connect the borrower’s ERP to the sandbox. Run 50-100 synthetic invoices through the full ingestion, validation and verification process. Record the pass rate, the rejection rate and reasons for failure for each batch. Seek a pass rate above 90 percent before proceeding to the next step.
Debtor confirmation workflow. Test the confirmation channel using a simulated debtor. Run confirmation requests, approvals, rejections and timeout scenarios. Measure average time from request to confirmed acknowledgement. Identify any workflow steps that require manual intervention.
Pledge and funding simulation. Perform the pledge registration, advance calculation and sample funding disbursement cycle on 20 to 30 invoices. Ensure that status changes are recorded appropriately at each step. Validate the audit trail is correct for each test transaction.
Settlement path validation. Test the approved settlement path under three conditions:
Normal settlement: Verify reconciliation match and pledge release initiation
Delayed settlement: Simulate payment arriving 5 days post-due date. Confirm late payment alert triggers, pledge remains active during delay, and release initiates correctly upon receipt
Settlement failure: Simulate settlement instruction failure or reversal. Confirm that the platform blocks pledge release and further funding, alerts treasury, and activates the approved fallback procedure.
Failure scenario testing. Run all five operational failure scenarios:
Registry or platform outage during pledge registration
Debtor revocation after confirmation
Partial repayment combined with dispute
Duplicate invoice or conflicting pledge detected
Settlement or reconciliation failure
Failure Scenario | Trigger | Expected Response | Response or Recovery SLA | Evidence Required | Pass Criterion |
Registry outage | Platform unavailable during pledge | Queue request, retry, hold pending | 5 minutes alert | Timing logs | Alert within 5 min, no funding until confirmed |
Debtor revocation | Debtor rejects after confirmation | Halt funding, update status, notify parties | Immediate | Audit trail | Full event trail logged |
Partial repayment + dispute | Partial payment with dispute flag | Split status, maintain pledge on disputed balance | Immediate | Dashboard split | Correct balance split shown |
Duplicate detection | Conflicting pledge detected | Freeze position, notify compliance, trigger review | Immediate | Compliance notice | No release until review resolves |
Settlement failure | Settlement instruction fails | Block pledge release and further funding, alert treasury, activate fallback | Immediate | Treasury alert | Fallback activated without duplicate processing or unauthorized pledge release |
Phase 2 gate criteria.
Metric | Target | Actual |
Invoice ingestion pass rate | Above 90% | |
Debtor confirmation turnaround | Under 24 hours | |
Status transition log completeness | 100% of simulated transactions | |
Settlement path tested under all three conditions | All three conditions | |
All five failure scenarios tested | 5 of 5 | |
Open integration defects | Zero critical, under 3 minor |
Phase 3 (Days 61 to 90): Live Rehearsal and Go or No-Go
Live transaction rehearsal. Select five to ten real invoices from the pilot borrower's receivables pool. Select short-dated invoices scheduled to mature within the Phase 3 window. Where repayment cannot occur within the window, test release using an approved simulated maturity event. Run them through the entire collateral life cycle: intake, verification, debtor confirmation, pledge registration, funding, repayment and release. Use real data and real debtor confirmations. Use the approved settlement path with real settlement only if the risk committee has approved it and defined transaction limits.
KPI measurement
KPI | Definition | Target (Illustrative) | Current-State Baseline |
Verification cycle time | Time from invoice submission to verified status | Under 4 hours | [Baseline] |
Funding cycle time | Time from verified status to advance disbursement | Under 24 hours | [Baseline] |
Reconciliation breaks | Count of payments requiring manual reconciliation | Zero unresolved | [Baseline] |
Exception triggers | Count of invoices triggering exception workflow | All resolved within approved time | [Baseline] |
Audit effort | Hours to produce a complete event log for one transaction | Under 30 minutes | [Baseline] |
Debtor confirmation turnaround | Time from request to confirmed acknowledgment | Under 24 hours | [Baseline] |
KPI | Data Source | Measurement Owner | Measurement Period |
Verification cycle time | Audit logs | Operations lead | Phase 3 |
Funding cycle time | Audit logs | Operations lead | Phase 3 |
Reconciliation breaks | Reconciliation logs | Treasury lead | Phase 3 |
Exception triggers | Exception logs | Risk lead | Phase 3 |
Audit effort | PMO tracking | PMO lead | Phase 3 |
Debtor confirmation turnaround | Audit logs | Operations lead | Phase 3 |
Note: All numeric targets are illustrative and subject to bank risk appetite and current-process baselines. With 5-10 invoice samples, rate-based metrics (e.g., <2%) are not statistically meaningful. Use count-based criteria: zero unresolved breaks, all exceptions resolved within approved time, complete evidence for every transaction.
Legal enforceability stress scenarios. Phase three must include four legal stress tests. These are distinct from operational failure scenarios. They test whether the legal framework holds under adversarial or ambiguous conditions.
Scenario A: The debtor claims that the invoice was assigned to another creditor before the bank registered the pledge. The bank must retrieve the records relevant to priority under applicable law. These may include the assignment agreement, notice-delivery record, pledge registration, and other perfection evidence. Priority evidence depends on applicable assignment, perfection, and registration rules in the pilot jurisdiction.
Scenario B: Disputed notice of assignment. The debtor contends that the notice of assignment was not served as required by the applicable law. Legal counsel must review the format of the notice and the method of delivery against the requirements of the jurisdiction. The test confirms that the format of notice used in the pilot meets the legal standard or draws attention to the particular gap to be remediated before production.
Scenario C: A search of the public filing system reveals a prior security interest filing (e.g., UCC-1 financing statement in US jurisdictions) against the borrower's receivables. The platform must flag the conflict. The bank must show it can identify and stop funding on the affected invoices within a defined response window. The test proves the duplicate financing check covers public filing systems, not just the platform registry. Filing requirements are jurisdiction-specific.
Scenario D: Cross-border legal eligibility review. The pilot pool is domestic and single-jurisdiction. However, design a synthetic cross-border scenario to test: (a) recognition of electronic records and signatures, (b) assignment and notice requirements, (c) perfection and priority rules, (d) public registration requirements if applicable, (e) conflict-of-laws analysis. This scenario is tabletop-tested in Phase 2 and evidence retrieval is verified in Phase 3. Do not include actual cross-border receivables in the Phase 3 live rehearsal.
Legal Stress Scenario | Evidence Required | Pass Criteria |
Debtor disputes invoice ownership | Assignment notice and audit timestamp | Records retrievable within 2 hours |
Assignment notice challenged | Legal review of notice format | Satisfies governing law standard |
Competing security interest | Public filing system search result | Platform flags conflict, funding halted |
Cross-border legal eligibility | Tabletop analysis and documentation | All five legal dimensions documented and reviewed |
Risk control validation. The risk team needs to review duplicate financing detection log, assignment notice records and pledge registry entries for each live rehearsal transaction. Blocker findings must be resolved before expansion.
Go or No-Go decision framework.
Function | Sign-Off Requirement |
Technology lead | Zero critical defects, all integration tests passed |
Legal counsel | Assignment, perfection, and governing law confirmed |
Risk and compliance | Mandatory KPI thresholds met, with any approved deviations documented and accepted. |
Transformation PMO | Phase gate documentation complete, pilot report drafted |
Head of Trade Finance / Business Owner | Business objectives achieved, use case validated |
A go decision requires all five sign-offs.
Governance and Risk Controls
Change management. Any changes to the sandbox architecture, eligibility policy, or verification workflow must be made through a documented change request. Any changes that are made outside this process invalidate phase gate evidence. The Transformation PMO maintains the change log.
Rollback procedures. Each phase must have a defined rollback procedure. Phase one rollback suspends the sandbox. Phase two rollback stops integration testing and reverts to phase one configuration. Phase three rollback stops the live rehearsal and rolls back to mock settlement. Rollback triggers should be defined before each phase begins.
Compliance sign-off. Before phase three, the compliance team must vet the pilot for AML, KYC and data privacy requirements. This is different from the legal control review in phase one. This is operational compliance, not legal enforceability.
Exit Criteria: Expansion, Extension, or Termination
Outcome | Trigger Conditions | Next Step |
Expand | All targets met, all sign-offs received | Define scale-up or production-readiness scope within 30 days |
Extend | Minor gaps only, no blockers | Set 30-day remediation plan |
Terminate | Blocker findings or material KPI misses | Root cause review before redesign |
Expansion checklist. Before the bank can expand to a second borrower or pool, five conditions must be confirmed. First, mandatory KPI thresholds were met, with any approved deviations documented and accepted. Second, all five go/no-go sign-offs were received. Third, all legal stress scenarios passed or have documented remediation plans. Fourth, the settlement path validation covered all three conditions (normal, delayed, failure). Fifth, the eligibility policy has been updated to reflect pilot findings.
Read Tokenized Receivables Collateral Guide 2026: How Banks Can Finance Verified Invoices for the full collateral lifecycle framework the pilot is designed to test.
Read Operational KPIs for Tokenized Receivables and Inventory Collateral Pilots for a deeper treatment of how to design and measure the six KPIs above.
Design a Controlled 90-Day Tokenized Receivables Pilot With TokenMinds
Banks moving from tokenization experiments to production often struggle with unstructured proofs of concept that yield inconclusive results. A successful pilot requires precise sandbox boundaries, defined phase gates, and measurable success metrics to ensure outcomes are actionable.
TokenMinds helps transformation PMOs and trade finance teams structure controlled sandbox environments, map settlement paths, and define the exact KPIs needed to make a confident go or no-go decision.
Request a 90-day sandbox roadmap tailored to your bank's trade finance workflow. https://tokenminds.co/become-our-client/
Frequently Asked Questions
Q: Can a bank run this pilot without a dedicated tokenization platform vendor?
A: Phase 2 and Phase 3 require a functioning tokenization platform capability, whether internally operated, provided by an existing enterprise platform, or supplied by an external vendor. The platform decision (build, buy, or partner) should be completed before the Phase 1 gate. Banks that do not confirm platform capability by day 20 of phase one may not meet the phase two start date. This timeline is indicative and should be adapted to the bank's procurement processes.
Q: What is the minimum team size for a 90 day pilot?
A: The pilot requires at least six working functions plus an accountable business owner. Technology may be combined with integration, while treasury may be combined with operations. Legal, risk, compliance, PMO, and business ownership must remain explicitly assigned. Without explicit PMO assignment, phase gate documentation does not get produced and the go/no-go decision lacks an evidence base.
Q: Why are legal enforceability stress scenarios included in phase three rather than phase one?
A: Legal scenarios can be designed during Phase 1 and tabletop-tested during Phase 2. Phase 1 legal review confirms that the framework is correctly designed. Phase 2 tabletop exercises validate scenario logic with synthetic data. Phase 3 stress scenarios confirm that the framework holds under adversarial conditions with real transaction data and verify evidence retrieval times. The sequencing is deliberate: design in Phase 1, simulate in Phase 2, execute and verify in Phase 3.
References
HKMA. Project Ensemble press release. November 2025. HKMA’s tokenization program has moved from experimentation to real-value pilot transactions, reinforcing demand for controlled pilot designs around tokenized assets. https://www.hkma.gov.hk/eng/news-and-media/press-releases/2025/11/20251113-3/
