Colorado Lawyer Magazine

Security “Tokens”

Blockchain Technology and Article 8 of the UCC

November 2023


This article explains the application of Article 8 to securities registered and transferred using distributed ledger (blockchain) technology and identifies issues attorneys should consider when representing issuers of such security “tokens.”

For some years now, there has been interest in using distributed ledger technology (DLT, also known as blockchain technology) to record and transfer securities. People sometimes talk of creating DLT “tokens” that represent securities in the same manner as a security certificate. This metaphorical “security token” can lead to confusion if taken literally, particularly if the token is regarded as something separate from the security. As this article will explain, DLT is just a new means of recording ownership of an uncertificated security or security entitlement in compliance with the Uniform Commercial Code (UCC).1 Properly understood, “token” signifies the technology employed for a security rather than a separate asset linked to a security.

DLT can be applied to various functions relating to securities, such as conducting shareholder meetings or distributing dividends. But the terms “security tokens” or “tokenizing securities” typically refer to using DLT to record the issuance and transfer of securities to their holders. This article considers this particular application of DLT. It does not address collateral legal concerns, such as compliance with anti-money-laundering and sanctions regulations, tax reporting, or registration as a clearing agency, transfer agent,2 or broker-dealer under the Securities Exchange Act of 1934 or similar state blue sky laws.3

Classifications of Securities

Our analysis begins with considering what forms of securities may be tokenized. All 50 states have adopted Article 8 of the UCC (Article 8),4 which governs the ownership and transfer of “securities.”5 Article 8 provides three ways of obtaining a property interest in a security:

  • if the security is represented by a certificate (a “certificated security”6), by a person acquiring possession of the certificate and, if the security is in registered form, having the issuer or its agent register the person as the owner;7
  • by having the issuer or its agent register the person as the owner of an uncertificated security;8 or
  • by having a securities intermediary (such as a clearing corporation, broker-dealer, or bank) credit the security to the person’s securities account, thereby creating a “security entitlement” to the security.9

Because ownership of a certificated security requires a transfer of possession, the certificate must be in a tangible form. DLT operates on data in electronic rather than paper form, so it cannot be used to transfer ownership of certificated securities. This means that only uncertificated securities and security entitlements can be tokenized.

Uncertificated Securities and Security Entitlements

Having established that tokenization must involve uncertificated securities or security entitlements, we next consider how ownership of these forms of securities is established and transferred in compliance with Article 8. This will define the minimum functions that DLT must perform to successfully tokenize these securities.

Uncertificated Securities

Ownership of an uncertificated security requires only that the issuer or the issuer’s agent register the owner (or another person who acknowledges holding the security on behalf of the owner, like a nominee).10 Article 8 does not specify how ownership should be “registered.” In the context of certificated securities, however, “registered form” means “a form in which . . . a transfer of the security may be registered upon books maintained for that purpose by or on behalf of the issuer.” This definition has been extended to uncertificated securities11 and implies that an issuer of uncertificated securities must maintain “books” for the purpose of registering ownership. Such books can be maintained using DLT.

Subject to several conditions discussed below, an issuer must comply with “a request to register [the] transfer of an uncertificated security” upon delivery of an “instruction” made by the currently registered owner or authorized agent.12 An “instruction” is “a notification communicated to the issuer of an uncertificated security that directs that the transfer of the security be registered or that the security be redeemed.”13

Security Entitlements

Security entitlements provide an indirect means of owning a security by giving the entitlement holder “a pro rata property interest in all interests in that [security] held by [a] securities intermediary.”14 Generally, “a person acquires a security entitlement if a securities intermediary . . . indicates by book entry that a [security] has been credited to the person’s securities account.”15 Article 8

does not attempt to specify exactly what accounting, record-keeping, or information transmission steps suffice to indicate that the intermediary has credited the account. That is left to agreement, trade practice, or rule in order to provide the flexibility necessary to accommodate varying or changing accounting and information processing systems.16

Article 8 therefore gives a securities intermediary and its entitlement holders latitude to agree on the method of crediting securities to their securities accounts, including a method using DLT.

A securities intermediary must comply with an entitlement order originated by the entitlement holder.17 An “entitlement order” is “a notification communicated to a securities intermediary directing transfer or redemption of a [security] to which the entitlement holder has a security entitlement.”18 An agreement between the securities intermediary and its entitlement holder may govern how the securities intermediary will comply with entitlement orders.19

Execution of an entitlement order results in a transfer of the property interest in the security rather than a transfer of the security entitlement. The securities intermediary may execute an entitlement order by delivering the security (in certificated or uncertificated form, as applicable) to the transferee or by causing the transferee to acquire a new security entitlement to the security. Coincident with this delivery, the securities intermediary will make book entries that terminate or reduce the transferor’s security entitlement to the security. Transfers of publicly traded securities are typically settled entirely through book entries by the transferor’s and transferee’s respective securities intermediaries operating through a clearing corporation, as illustrated in the accompanying chart.


A person acquires a property interest in an uncertificated security by being registered as the owner in the issuer’s “books” and can transfer the security by sending an instruction to the issuer. A person may also acquire an indirect property interest in a security (either uncertificated or certificated) through a security entitlement created by the person’s securities intermediary. Someone acquires the security entitlement when their securities intermediary credits the security to their securities account, and they can transfer the security by sending an entitlement order to the securities intermediary.

Distributed Ledger Technology

Fortunately, our analysis of security tokens requires only a basic understanding of DLT. “All blockchain technologies should allow connected computers to reach agreement over shared data.”20 In the case of a security token, the shared data are the amount of the security registered to each holder (a “register”). The connected computers (a “network”) processing this data may be limited (a “permissioned” network) or open to anyone who downloads and runs the required software (an “open-source” or “public” network). Using a public network to register security holders presents significant challenges that are beyond the scope of this article,21 which focuses on the legal effects of using either form of network to maintain a securities register.

A network uses a consensus mechanism to bring the data on the connected computers into agreement. There are various protocols for synchronizing the data maintained by a network, which may include blockchains.22 Regardless of the protocol employed, to register ownership of uncertificated securities or security entitlements, the consensus mechanism must:

  • logically and exclusively associate each holder with the amount of securities held;
  • provide a means for appropriate persons to input an instruction or entitlement order into the network and for the network to verify the authenticity of the instruction or entitlement order;
  • record a transaction as specified in any authentic instruction or entitlement order on every computer running the protocol;23
  • update the amount of securities logically associated with each holder as a result of the most recently recorded transactions; and
  • maintain records of transactions in the correct sequence, such that the transaction history for a particular security can be traced back to its original issuance.

Currently available DLT applications can satisfy all these requirements for registering uncertificated securities and security entitlements.

Using DLT to Register Ownership of Uncertificated Securities

An attorney must address several legal issues for an issuer that intends to use DLT to record and transfer uncertificated securities. First, the attorney must determine what constitutes the “book” in which the owners of an uncertificated security will be registered. Recall that Article 8 requires the issuer to register a purchaser as the owner of an uncertificated security. To satisfy this requirement, the issuer or at least one authorized agent of the issuer (such as a transfer agent) must run a copy of the DLT protocol and treat the resulting register as the “book.” Although a DLT consensus mechanism does not give priority to the records maintained by one computer on the network over those maintained by any other computers, under Article 8 the register maintained by the issuer is the only one that counts. This means the issuer must run the DLT protocol during any period in which the network is processing instructions. The terms of the uncertificated security should also provide that this version of the register is the exclusive means of registering ownership of the security.

Second, the attorney must determine how instructions will be “communicated” to the issuer. Under § 8‑102(a)(6), “communicate” means “to (i) send a signed writing or (ii) transmit information by any mechanism agreed upon by the persons transmitting and receiving the information.”

The terms of the uncertificated security or an agreement with the registered owners (e.g., an account agreement with a transfer agent) should provide that the DLT protocol is an agreed-upon mechanism for transmitting and receiving instructions as permitted in § 8-102(a)(6)(ii).

An attorney should also address § 8-102(a)(6)(i), which permits a “signed writing” as a means of communication. The UCC defines “writing” as a “tangible form,”24 so this would permit instructions in a form other than an encrypted electronic communication. Just designating the DLT protocol as a means of transmitting instructions will not override this provision and may leave the holder with the option of sending written instructions. The issuer may not be able to comply with a written instruction, however, if the DLT protocol requires the holder to enter a private key or password to update the applicable record. The UCC generally provides that “the effect of provisions of [the UCC] may be varied by agreement” and that the “presence in certain provisions of [the UCC] of the phrase ‘unless otherwise agreed’, or words of similar import, does not imply that the effect of other provisions may not be varied by agreement.”25 This should permit security holders to agree to use the DLT protocol exclusively to communicate any instructions. An alternative approach would be to add a “further assurances” clause requiring registered owners to take such actions as may be required to execute their written instructions, including authenticating the instructions through the DLT protocol.

Third, the attorney should consider § 8‑402(a), which authorizes an issuer to require “assurance that . . . each instruction is genuine and authorized.” This section lists various forms of assurance, such as signature guarantees26 and certificates of incumbency, which issuers are entitled to require. If the issuer and its security holders intend to rely exclusively on the DLT protocol to authenticate instructions, it would not be appropriate for the issuer to require these paper forms of assurances as well, so it should waive its rights under § 8-402(a).

Fourth, an attorney should consider the possibility that the issuer may need to prevent the DLT protocol from executing certain instructions. This may be necessary, for example, to comply with an injunction, restraining order, or other legal process enjoining the issuer from registering the transfer. In addition, § 8‑403(a) gives the registered owner of an uncertificated security the right to “demand that the issuer not register transfer of a security.”27 These eventualities make it advisable to use a DLT protocol that allows the issuer to “freeze” transfers of specific securities. This feature also could be used to help a registered owner who verifies that they have lost their private key28 or password reestablish control over their securities by freezing the current address and replicating their holdings at a new address. The terms of the security or another agreement with the registered owners should address the right to freeze transfers and any process for requesting a freeze.29 The terms should also specify whether these requests must be communicated through the DLT protocol or through other means.
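The five register functions listed under “Distributed Ledger Technology” and the freeze and lost-key features described above can be modeled in a few dozen lines. The following Python example is added here for illustration and is not code from the article or from any DLT product; the names `Register`, `authenticate`, and `audit`, the addresses, and the keys are hypothetical, and an HMAC with a key shared between holder and register stands in for the public-key signature a real protocol would verify.

```python
import hashlib
import hmac
import json

def canonical(obj):  # deterministic bytes, so every node hashes identical data
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def authenticate(key, instruction):  # HMAC: assumed stand-in for a signature
    return hmac.new(key, canonical(instruction), hashlib.sha256).hexdigest()

class Register:
    """Hypothetical model of the issuer's copy of the register (the "book")."""
    def __init__(self):
        self.keys = {}        # address -> key used to verify its instructions
        self.balances = {}    # address -> amount of the security held
        self.next_nonce = {}  # address -> next instruction number (anti-replay)
        self.frozen = set()   # addresses whose outgoing transfers are blocked
        self.log = []         # hash-chained, ordered transaction history

    def _record(self, kind, body):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"seq": len(self.log), "kind": kind, "body": dict(body), "prev": prev}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.log.append(entry)

    def enroll(self, address, key):
        self.keys[address] = key
        self.balances.setdefault(address, 0)
        self.next_nonce.setdefault(address, 0)

    def issue(self, address, amount):
        self.balances[address] += amount
        self._record("issue", {"to": address, "amount": amount})

    def transfer(self, instruction, tag):
        src, dst, amount = (instruction[k] for k in ("from", "to", "amount"))
        if src not in self.keys or dst not in self.keys:
            return "rejected: unknown address"
        if not hmac.compare_digest(authenticate(self.keys[src], instruction), tag):
            return "rejected: not authentic"
        if instruction["nonce"] != self.next_nonce[src]:
            return "rejected: replayed or out of order"
        if src in self.frozen:
            return "rejected: frozen"
        if not isinstance(amount, int) or not 0 < amount <= self.balances[src]:
            return "rejected: invalid amount"
        self.next_nonce[src] += 1
        self.balances[src] -= amount
        self.balances[dst] += amount
        self._record("transfer", instruction)
        return "registered"

    def freeze(self, address, reason):
        self.frozen.add(address)
        self._record("freeze", {"address": address, "reason": reason})

    def replace_address(self, old, new, new_key):  # lost key: freeze, then replicate
        self.freeze(old, "lost key")
        self.enroll(new, new_key)
        amount, self.balances[old] = self.balances[old], 0
        self.balances[new] += amount
        self._record("replace", {"from": old, "to": new, "amount": amount})

def audit(log):  # recheck the hash chain, then replay from original issuance
    balances, prev = {}, "0" * 64
    for seq, entry in enumerate(log):
        core = {k: entry[k] for k in ("seq", "kind", "body", "prev")}
        digest = hashlib.sha256(canonical(core)).hexdigest()
        if entry["seq"] != seq or entry["prev"] != prev or entry["hash"] != digest:
            raise ValueError(f"history broken at entry {seq}")
        prev, body = digest, entry["body"]
        for side, sign in (("from", -1), ("to", 1)):
            if side in body and "amount" in body:
                balances[body[side]] = balances.get(body[side], 0) + sign * body["amount"]
    return balances

def demo():
    reg = Register()
    alice_key, bob_key = b"constructed-key-alice", b"constructed-key-bob"  # sample keys
    reg.enroll("alice", alice_key)
    reg.enroll("bob", bob_key)
    reg.issue("alice", 100)
    sale = {"from": "alice", "to": "bob", "amount": 40, "nonce": 0}
    results = [reg.transfer(sale, authenticate(alice_key, sale)) for _ in range(2)]
    forged = {"from": "alice", "to": "bob", "amount": 60, "nonce": 1}
    results.append(reg.transfer(forged, authenticate(bob_key, forged)))  # wrong key
    reg.freeze("bob", "court order")
    out = {"from": "bob", "to": "alice", "amount": 10, "nonce": 0}
    results.append(reg.transfer(out, authenticate(bob_key, out)))
    reg.replace_address("alice", "alice-2", b"constructed-key-alice-2")
    return reg, results

if __name__ == "__main__":
    print(demo()[1])
```

Any holder with a copy of the log can run `audit` and compare the replayed balances with the issuer's register, which is the independent verification the article later lists as a benefit of tokenization.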

Using DLT to Record Security Entitlements

Regardless of whether DLT is used, any security entitlement will involve an agreement between the securities intermediary and the entitlement holder that establishes and regulates a securities account. This agreement should address the obligations of the securities intermediary under part 5 of Article 8, including the obligation to obtain and thereafter maintain a sufficient amount of the security to satisfy all of its outstanding security entitlements.30 It is common for a securities account agreement to disclose that the securities intermediary maintains its customers’ securities in book-entry form with clearing corporations and other securities intermediaries so that customers understand that the intermediary will not be registering securities in the customers’ names. If the securities intermediary intends to maintain uncertificated securities registered through a DLT network, an attorney should consider adding this to these disclosures.

An attorney for a securities intermediary that uses DLT to make book entries31 will also need to address the same issues as an issuer of uncertificated securities using DLT. First, § 8‑501(b)(1) requires the securities intermediary to be the one indicating by “book entry” that the security has been credited to the securities account. This requires the securities intermediary to run the DLT protocol during any period in which the network is processing entitlement orders. The securities account agreement should specify that only the securities intermediary’s copy of the register created by the network is binding.

Second, § 8‑507(a) requires a securities intermediary to “comply with an entitlement order if the entitlement order is originated by the appropriate person, the securities intermediary has had reasonable opportunity to assure itself that the entitlement order is genuine and authorized, and the securities intermediary has had reasonable opportunity to comply with the entitlement order.” Recall that an entitlement order is defined as a “notification communicated to the securities intermediary,” so the securities account agreement should provide that entitlement holders can transmit entitlement orders through the DLT protocol and that the securities intermediary can treat entitlement orders originated through the protocol as genuine and authorized. The agreement should also address whether written or telephonic entitlement orders are permitted.

Part 5 of Article 8 does not explicitly address the possibility that a securities intermediary may be subject to a court order or other process that prevents it from complying with an entitlement order. The security account agreement may nevertheless provide that the securities intermediary will not comply with an entitlement order in contravention of an applicable law, court order, or other legal process. This again makes the ability to “freeze” securities credited to a securities account an important feature of the security intermediary’s DLT protocol.

Impact of the 2022 Amendments to the UCC

Colorado has adopted the Uniform Law Commission’s 2022 Amendments to the UCC (the 2022 Amendments).32 Although the 2022 Amendments include a new Article 12 regarding “controllable electronic records” that use DLT (among other technologies) and changes to other provisions to accommodate use of these technologies, they should not affect the foregoing analysis and recommendations for the following reasons.

First, Article 12’s definition of a “controllable electronic record” specifically excludes “investment property,” which under § 9-102(a)(49) includes “a security, whether certificated or uncertificated, security entitlement, [or] securities account.”33 Thus, Article 12 does not apply to uncertificated securities and security entitlements.

Second, although the commentary to Article 12 suggests that an instruction or entitlement order might be a controllable electronic record,34 this should not affect our analysis. An instruction or entitlement order is just a request to transfer the specified amount of a security. Undisputed ownership of an instruction does not, by itself, convey any property interest in an uncertificated security. For example, a person may pay the owner of an uncertificated security for an instruction to transfer the security to the purchaser, but the person will not become the owner of the security until the issuer registers the transfer upon presentation of the instruction. The original owner retains all the rights incident to the security until the transfer is registered.35 This would also be the case for an instruction or entitlement order in the form of a controllable electronic record—property rights to the controllable electronic record protected by Article 12 will not affect the property rights to the security under Article 8.

Third, although the 2022 Amendments change the definition of “communicate” in § 8‑102(a)(6)(i) to “send a signed record” rather than “writing,” attorneys should still address whether instructions or entitlement orders may be communicated in writing or through electronic means other than the DLT protocol. The UCC defines “records” as “information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.”36 Therefore, the expanded definition of “communicate” still permits communications through “tangible mediums” (i.e., written communication) or other electronic means (e.g., e-signed documents). An issuer or securities intermediary that does not want to permit these forms of communication should still include provisions in the security or account agreement overriding § 8-102(a)(6)(i).

Security Tokens as Securities

Attentive readers will appreciate that this article has managed to explain how DLT may be used to record the issuance and transfer of uncertificated securities and security entitlements without once referring to a “token.” This is because ownership of these forms of securities depends on records maintained by an issuer or securities intermediary without regard for how the records are maintained or updated. The owner of the security can send an instruction or entitlement order requesting registration of a transfer in ownership but does not control something that represents the security itself.

People use the terms “coin” and “token” metaphorically to refer to assets recorded on a distributed ledger. The analogy to tangible objects that can be exchanged for something of value is helpful in understanding how these intangible assets can be used to the same effect. “Token” is particularly apt when recording a transaction on the network results in the owner receiving a good or service in the same manner as redeeming a tangible token.

As we have seen, however, Article 8 already has words for assets recorded by an issuer or securities intermediary in a register, namely an uncertificated security and a security entitlement. These legally defined terms apply regardless of how issuers or securities intermediaries make book entries in the register. Appending “token” to these terms does not name a different asset. Calling an asset an “uncertificated security token” is just a more verbose way of calling it an “uncertificated security.”

Therefore, it is best to understand “security token” as the intersection of (1) the set of assets that are “securities” for purposes of Article 8 and (2) the set of assets represented by records using DLT. In all events, “security tokens” are securities in and of themselves, not something that can be exchanged for a security.

Benefits of Tokenizing Securities

Using DLT to register ownership and transfers of uncertificated securities and security entitlements currently appears to have two principal benefits. First, it removes the element of trust from the process. Ownership depends on book entries made by the issuer or securities intermediary, but security holders typically cannot access these book entries. They may receive a confirmation that the security has been transferred to their accounts, but they cannot verify the confirmation’s accuracy.

DLT can allow security holders to independently verify that securities have been issued or transferred to them. If the terms of the security or an agreement with the issuer or securities intermediary provide that a DLT protocol will be the exclusive method used to register ownership of an uncertificated security or credit securities to a securities account, then the DLT protocol can provide security holders with either their own copy of the securities register or access to copies maintained by other computers on the network. The consensus mechanism of the DLT protocol should assure security holders that these copies are identical to the official register maintained by the issuer or securities intermediary.

Second, DLT may make it possible to trade securities on a 24/7 basis. While the issuer or securities intermediary will need to run a version of the DLT protocol on a continuous basis, it can rely on the network to authenticate and execute instructions. This effectively automates the process of transferring securities by having the network continuously update the official copy of the register maintained by the issuer or securities intermediary. In the case of uncertificated securities, this process might operate without the participation of the clearing agencies and securities intermediaries required by the current securities transfer system.


Attorneys may struggle with how to “link” or “tether” an asset to a token using DLT. This article explains why, in the case of security tokens, no link is required: The token and the security are the same asset. Article 8 presents other challenges, however, such as requiring an issuer or securities intermediary to join the network and continuously maintain a current copy of the register. Owners of security tokens must also understand the means by which instructions or entitlement orders can be communicated, particularly if owners must use the DLT protocol to authenticate their communications. Finally, it is advisable to use a DLT protocol that permits the issuer or securities intermediary to “freeze” security tokens if required to comply with court orders or to deal with lost private keys or passwords.

Stephen Keen recently retired from Perkins Coie LLP, where he was senior counsel and a member of the digital asset working group that assisted in drafting new Article 12 of the Uniform Commercial Code. He would like to thank D.J. Mills at Perkins Coie for his helpful comments on this article. Coordinating Editor: David P. Steigerwald.



1. CRS Title 4.

2. See Keen and Ahmadifar, “Can Mutual Fund Transfer Agents Be Automated Using Distributed Ledger Technology?,” 27 Inv. Law. 28 (2020), for a discussion of some of the challenges DLT poses for registered transfer agents.

3. For a list of some of the legal compliance issues associated with using DLT to offer and transfer security tokens, see Colorado Department of the Treasury, Security Token Offerings State Capital Financing Feasibility Study § C.1(a) (Mar. 1, 2023).

4. In Colorado, Article 8 is codified at CRS §§ 4-8-101 et seq. This article assumes the reader has some familiarity with Article 8. For an in-depth survey of Article 8, see Bjerre and Rocks, The ABCs of the UCC, Article 8: Investment Securities (2d ed. ABA 2004).

5. UCC §§ 8-102(a)(15) and -103 define the securities subject to Article 8. Article 8 also applies to certain “financial assets” as defined in UCC § 8-102(a)(9). The analysis in this article would also apply to security entitlements to any such financial asset recorded using DLT.

6. UCC § 8-102(a)(4).

7. UCC § 8-301(a).

8. UCC § 8-301(b). “[A] security that is not represented by a certificate” is an “uncertificated security.” UCC § 8-102(a)(18).

9. UCC § 8-501.

10. A person acting as agent for the issuer has the same obligations to the registered owner of uncertificated securities (e.g., to execute an instruction) as the issuer. UCC § 8-407. For brevity, “issuer” as used in this article also refers to a transfer agent or other agent of an issuer authorized to make book entries in its register.

11. Bains v. Piper, Jaffray & Hopwood, Inc., 497 N.W.2d 263, 267 (Minn.Ct.App. 1993) (“[A]n uncertificated security may only exist in registered form . . . .  Registration, therefore, is essential to establish ownership of the uncertificated security.”) (citations omitted).

12. UCC § 8-401(a)(2) (requiring an instruction to be “made by the appropriate person or by an agent who has actual authority to act on behalf of the appropriate person”) and § 8‑107(a)(2) (defining “the registered owner of an uncertificated security” as the appropriate person to make an instruction).

13. UCC § 8-102(a)(12).

14. UCC § 8-503(b).

15. UCC § 8-501(b). A person will also acquire a security entitlement if the person’s securities intermediary acquires a security for credit to the person’s securities account or becomes obligated under other law to credit a security to the person’s securities account.

16. UCC § 8-501 cmt. 2.

17. UCC §§ 8-507(a) and -107(a)(3) define the entitlement holder as the “appropriate person” to originate an entitlement order. Both instructions and entitlement orders may also be given by “a person who has power under the law of agency to transfer the security . . . on behalf of the appropriate person.” UCC § 8-107(b)(2).

18. UCC § 8-102(a)(8).

19. UCC § 8-507(a)(1).

20. Van Valkenburgh, “What’s a Blockchain, Anyway?,” Coin Center (Apr. 25, 2017).

21. For a discussion of a few challenges related to the use of DLT by transfer agents, see Keen and Ahmadifar, supra note 2.

22. A high-level explanation of how a blockchain protocol operates using cryptographic techniques may be found in Security Token Offerings State Capital Financing Feasibility Study, supra note 3 at § B.1.

23. It is not necessary for all of the networked computers to update their registers at the same time. A network may operate “asynchronously” as long as a computer automatically updates its records to the current state of the register whenever it connects to the network.

24. UCC § 1-201(a)(43).

25. UCC § 1-302(a) and (c). Paragraph (b) of this section, however, prohibits disclaimers of “obligations of good faith, diligence, reasonableness, and care.” An issuer may also rely on UCC § 8-402(b) to require registered owners to use the DLT protocol to authenticate their instructions. (“An issuer may elect to require reasonable assurance” that an instruction is genuine and authorized.)

26. See US Securities and Exchange Commission, Medallion Signature Guarantees: Preventing the Unauthorized Transfer of Securities.

27. UCC § 8-404(a) makes an issuer liable for wrongful registration for, among other things, transfers made in violation of an effective demand to stop transfers or “after the issuer had been served with an injunction, restraining order, or other legal process enjoining it from registering the transfer.”

28. A private key is a cryptographic means of authenticating instructions. A “key” is used for encoding and decoding messages. A private key is paired with a corresponding public key maintained by the network. Instructions encrypted with the private key can be decrypted only by the public key, and vice versa. This allows a network to confirm that an encrypted instruction was communicated by the holder of a private key by successfully decrypting the instruction using the corresponding public key. For a more complete description, see US Department of Homeland Security, “Tech Note on Encryption Software Tools,” TechNote (Sept. 2013).

29. Although UCC § 8-405 applies only to lost certificated securities, it may be helpful when drafting provisions regarding lost private keys, passwords, or other information necessary to authenticate instructions.

30. UCC § 8-504(a).

31. A securities intermediary that does not use DLT to credit securities to securities accounts will not need to address these issues, even if the securities are uncertificated securities registered using DLT. In this circumstance, the securities intermediary may need to become the registered owner of the uncertificated securities using a DLT protocol, but it can use an internal recordkeeping system to register shares of such securities credited to each securities account.

32. An Act Concerning the Enactment of the 2022 Amendments to the “Uniform Commercial Code,” SB 23-090, 2023 Reg. Sess. (Colo. 2023). The 2022 Amendments took effect on August 7, 2023.

33. CRS § 4-12-102.

34. CRS § 4-8-102 cmt. 18.

35. “Before due presentment . . . of an instruction requesting registration of transfer of an uncertificated security, the issuer or indenture trustee may treat the registered owner as the person exclusively entitled to vote, receive notifications, and otherwise exercise all the rights and powers of an owner.” CRS § 4-8-207(a).

36. UCC § 1-201(a)(31).