For Institutions
Settlement infrastructure for the regulated end of agentic commerce.
Banks, asset managers, regulated fintechs, and corporate treasury teams use Rivier as the agentic-commerce layer they can pass an audit with. Chainlink CCIP for the wire, ERC-3643 for the gate, Proof-of-Reserve for the mint, AP2 for the audit trail, and Travel Rule for the regulator. Every claim on this page maps to running code.
$18B
CCIP March 2026 monthly volume
$27B
RWA sector AUM, April 2026
11k+
Swift members reachable via CCIP
15
Chains in the wallet provisioning matrix
Surface
Inside the institutional stack.
Three places Rivier transacts: Canton via Tenzro's validator, the permissionless public rails, and public tokenized assets. Plus a fourth surface — bank-issued deposit tokens, permissioned funds, and central-bank corridors — rendered for awareness so a multi-rail treasury sees everything in one view.
Canton
Rivier launches on Canton via Tenzro's validator on the Global Synchronizer. Same plumbing the largest tokenized-collateral and intraday-repo flows already settle on. Privacy-by-default: sub-transaction visibility is per-deal, not network-wide.
Permissionless public rails
Cross-chain settlement through the Rivier router. No partner approval required — these are public infrastructure. Output-ratio + per-provider risk bias picks the safest viable path per quote.
Public tokenized assets
Backed Finance xStocks (TSLAx, NVDAx, SPYx + 11 more) on Ethereum + Solana + BNB + TRON. Backed treasuries (bIB01, bIBTA, bC3M). LBMA gold (XAUm, PAXG). Ripple USD across XRPL + Ethereum + EVM Sidechain. Yield-bearing public stables (USDY, sUSDS).
Awareness — bank-rail tokens & permissioned funds
Bank-issued tokenized deposits and permissioned tokenized funds. Rivier never holds these — the issuing bank or fund manager is the gate. Surfaced so a treasury planning multi-rail posture sees the full surface; onboarding deeplinks straight to the issuer.
The Stack
Six pillars, all already wired.
Most agent-payment narratives in 2026 are slideware. Rivier’s institutional surface is in production code today — contract-enforced where the contract is the right place, policy-enforced where flexibility matters more.
Chainlink CCIP — primary settlement rail
RIVR registers via the self-serve Cross-Chain Token (CCT) standard on CCIP v1.5. Burn-and-mint pool, per-lane rate limits, and a CCIP_ADMIN role-split that's enforced at deploy time. Same rail as BUIDL, OUSG, syrupUSDC, Coinbase Wrapped Assets — institutional flow stays in one neighborhood.
ERC-3643 + ONCHAINID compliance
T-REX standard verification at the router layer for permissioned RWAs — the swap path runs an on-chain ONCHAINID identity check before quoting, so a non-eligible holder never sees a route they can't execute. KYCRegistry-gated and allowlist-gated tokens surface issuer onboarding deeplinks instead of failed transactions.
Chainlink Proof-of-Reserve gate
RIVR's mint() and mintReserve() functions consult a Chainlink PoR feed before issuing. Stale feed reverts. Non-positive answer reverts. Issuance above attested reserve reverts. Bypass-by-default while POR_FEED == address(0) is documented and intentional for testnet bootstrap; mainnet operators wire the feed via the CCIP admin multisig before going live.
Chainlink ACE — automated compliance engine
Policy-engine pre-flight runs ACE attestation lookups before any high-value movement. Sanctions screening, jurisdictional gating, and counterparty risk classification land as policy decisions before the router fans out to bridge adapters — not after the transaction has cleared.
AP2 mandates · x402 settlement
Every agent-driven action is wrapped in a Google AP2 IntentMandate carrying principal, agent identity, intent class, and spend constraints. Mandate constraints project directly into Coinbase x402 EIP-3009 settlement — the wallet enforces caps and asset allowlists before signing. Forward-compatible with Stripe Tempo and the Visa / Mastercard agent-payment standards as they finalise. Audit trail by construction.
CCTP V2 + Hooks for canonical USDC
Direct integration with Circle's CCTP V2 with Hooks for canonical USDC burn/mint — no LP risk, no wrapped-token surface, settlement finality determined by Circle attester quorum. Sits alongside CCIP and DLN in the bridge router with a +0.02 priority bias on USDC pairs.
Travel Rule
IVMS 101 by default.
FATF Recommendation 16 isn’t a future problem. Rivier emits IVMS 101-shaped originator and beneficiary payloads on every transfer that crosses the regulator’s de minimis line, and the outbound mailbox is compatible with Sumsub, Notabene, and TRP-compliant counterparties out of the box.
IVMS 101 originator + beneficiary payloads
FATF-aligned data shape on every transfer above the regulator's de minimis threshold.
Sumsub / Notabene-compatible signed messages
Outbound mailbox conforms to the major Travel Rule rails — drop-in for institutional counterparties already on either network.
Pre-flight VASP discovery
Counterparty VASP lookup runs before settlement — never broadcast a transfer to a destination we can't verify.
Per-jurisdiction de minimis honoured
FinCEN $1,000, EU TFR ~$1,100, MAS ~$1,100, HKMA $1,000 — thresholds enforced at the policy layer, not the application layer. FATF high-risk jurisdictions trigger reporting at any notional.
What you can show your auditor on day one.
- Per-transfer mandate trail. Every agent action carries an AP2 IntentMandate with principal, agent identity, intent, and spending constraints. Mandates are durable and replayable.
- On-chain reserve attestation. RIVR mint events carry the PoR feed timestamp and answer that authorised them. Issuance is mathematically bounded by attested reserves.
- Permissioned-token gating. The router refuses to quote BUIDL / OUSG / syrupUSDC for non-verified addresses; refusals are logged with the gating reason.
- Bridge selection rationale. Every bridge route the system picks is logged with the score breakdown — output ratio, speed, and per-provider bias. Reproducible after the fact.
- MPC custody.Server-side key shares never reconstruct the full key in memory. User shares stay client-side. Rivier cannot move funds without the user’s passkey ceremony.
- Travel-Rule mailbox. Outbound IVMS 101 messages, inbound counterparty receipts, and VASP discovery results all land in a queryable audit log.
Get In Touch
Underwriting agentic commerce
starts with the rail.
If your team is evaluating settlement infrastructure for tokenized securities, agent-driven treasury operations, or programmable B2B payments — we’d like to walk you through the stack live.