Technical Deep-Dive · Hyperledger Fabric · Cross-Border Settlement
A concrete reference architecture for cross-border, account-to-account payment tokenization between two European credit institutions and one Saudi commercial bank, executed on a permissioned Hyperledger Fabric network. Channel design, MSP configuration, Go chaincode, the Fabric Token SDK, Raft ordering, ISO 20022 message embedding, Travel Rule treatment via private data collections, and net settlement against TARGET2 and SARIE.
Scenario
A German exporter paying a Saudi beneficiary. Bayerische Handelsbank (Munich) originates. Banque Méridienne (Paris) provides SAR liquidity. Bank Al-Madinah (Riyadh) receives and credits in SAR.
Technology
Permissioned network with three organizations, a five-node Raft ordering service, and four channels. Go chaincode for EUR/SAR tokens, FX oracle, and atomic swap. Fabric Token SDK (fabtoken driver). CouchDB world state. FIPS 140-2 HSMs for all key material.
Settlement
EUR and SAR legs settle atomically on-ledger via MVCC-enforced read-write set. Net interbank positions settle via TARGET2 (EUR) and SARIE (SAR) end-of-day in central bank money. No nostro pre-funding required intraday.
Section 01
A German mid-market exporter of precision machine tools instructs its house bank in Munich to pay EUR 4,820,000 to a contracting authority in Riyadh in respect of a desalination project milestone. The originator's bank lacks a direct correspondent account in Saudi riyal; it relies on a Paris-based affiliate that runs a SAR nostro at the Riyadh receiver. All three banks are members of the same permissioned Fabric network.
The transfer is to be effected as an on-ledger token movement settled in commercial bank money, with the corresponding fiat positions flattened end-of-day through the existing real-time gross settlement (RTGS) systems on each side. The corridor is denominated in EUR and SAR. The Saudi riyal has been pegged to the U.S. dollar at SAR 3.75 = USD 1 since 1986, and the EUR/SAR cross is a function of the ECB euro reference rate against the dollar. For this paper we take an indicative EUR/SAR mid of 4.0825 and apply a 6 bp spread to the taker, yielding a SAR-side notional of approximately SAR 19,683,765.
Originator · Org1MSP · Munich
House bank of the corporate payer. Holds EUR commercial bank money on-ledger as EUR-CBM tokens; debits the corporate account in core banking; submits the proposal to the corridor channel.
Liquidity provider · Org2MSP · Paris
Pan-European correspondent. Operates the SAR nostro at the Riyadh receiver and quotes the EUR/SAR price into the on-ledger FX oracle. Endorses both legs of the atomic swap as the liquidity counter-party.
Beneficiary · Org3MSP · Riyadh
Receiving institution. Issues SAR-CBM tokens backed one-for-one by SAMA settlement balances; credits the beneficiary's current account on final commit and emits the MT/MX confirmation upstream.
Ordering Service · Five-Node Raft Cluster · Distributed across DE, FR, SA, and two independent technical operators
The five-node Raft orderer cluster is distributed to ensure no single jurisdiction can unilaterally censor the channel. Each bank contributes one orderer node (orderer0.de, orderer1.fr, orderer2.sa); two additional nodes are hosted by an independent technical operator in Frankfurt and Bahrain for Byzantine survivability. Orderer logs are mirrored to WORM storage at each site. Block-cutting parameters: BatchTimeout=200ms, BatchSize.MaxMessageCount=500, BatchSize.AbsoluteMaxBytes=10MB. SmartBFT migration is planned for Fabric 3.x once IBM enterprise support reaches GA.
Why this corridor
The EU–GCC payment relationship is structurally underbanked: very few EU institutions hold direct riyal accounts, and bilateral nostro maintenance is expensive. A permissioned Fabric corridor lets a small group of correspondents net flows continuously and settle once per day, without the operational drag of running shared infrastructure on a public network and without exposing counter-party identity outside the consortium.
Section 02
Each participating bank operates a single Fabric organization with two endorsing peers (active/standby) and one Fabric CA. The orderer set is operated jointly across all three banks plus two independent technical operators. Peers expose the Fabric Gateway service over mTLS to the bank's payment hub. The deployment runs on Hyperledger Fabric 2.5.x LTS — the long-term-support line maintained by IBM and the Linux Foundation.
Fabric network topology: three organizations · five-node Raft ordering service · one corridor channel · three bilateral channels
World state is kept in CouchDB on each peer to permit rich JSON queries against payment metadata. Container images are pinned by sha256 digest and signed with cosign; chaincode is packaged as the lifecycle v2 external builder artefact and approved per the channel's lifecycle endorsement policy.
Section 03
Every actor on a Fabric network — peer, orderer, client, or chaincode caller — authenticates with an X.509 certificate issued by an organization's Membership Service Provider. Each bank operates an isolated Fabric CA whose root certificate is configured in the channel's MSP stanza. There is no cross-signed root: the consortium trusts each bank's CA explicitly, and revocation is propagated through periodic CRL updates committed by the channel administrators via the UpdateConfig transaction path.
Within each bank, identities are partitioned by Organizational Unit: the peer OU for nodes, the client OU for the payment hub gateway, the admin OU for lifecycle operations, and a custom treasury OU that gates the Mint and Redeem functions of the token contract. Operators carry an additional role=approver attribute used by the dual-control logic in the chaincode.
| Identity class | OU / Attributes | Permitted actions |
|---|---|---|
| peer | OU=peer | Endorse, gossip, commit blocks |
| orderer | OU=orderer | Sequence and cut blocks (Raft) |
| treasury operator | OU=client, treasury=true, role=approver | Mint, Redeem; second signature on settlement window |
| payment gateway | OU=client, gateway=true | Submit Transfer, query world state |
| compliance officer | OU=client, compliance=true | Read private data collection (Travel Rule) |
| auditor (regulator) | OU=client, audit=true, jurisdiction=DE/FR/SA | Read-only on the bank's namespace |
Private keys are generated and held in FIPS 140-2 Level 3 HSMs and presented to Fabric via the PKCS#11 BCCSP. Treasury operators authenticate via smart-card-backed certificates with a 12-hour validity, regenerated by an online enrolment service that consults the bank's identity-and-access-management directory before signing.
Section 04
Channels in Fabric are independent ledgers — each is a separate sequence of blocks ordered by the same orderer set but isolated at the gossip layer. We provision four channels: one shared corridor channel for all three organizations and three bilateral channels for nostro reconciliation between each pair of banks.
The shared eursar-corridor channel carries the EUR/SAR token contract, the FX oracle contract, and the netting contract. The three bilateral channels — de-fr-bilateral, fr-sa-bilateral, and de-sa-bilateral — carry position reconciliation and bilateral repo traffic that should not be visible to the third party.
Even on the shared corridor channel, Travel Rule data and the underlying ISO 20022 message body never reach the third bank's ledger. We use a private data collection named PDC_TR whose policy restricts visibility to the originating and beneficiary organizations only. The hash of the private data is committed to the public channel ledger so the liquidity bank can verify integrity without seeing personal data.
# collections_config.json — registered at chaincode install [ { "name": "PDC_TR_DE_SA", "policy": "OR('Org1MSP.member','Org3MSP.member')", "requiredPeerCount": 1, "maxPeerCount": 2, "blockToLive": 1095, # ~3 years; AML retention minimum "memberOnlyRead": true, "memberOnlyWrite": true, "endorsementPolicy": { "signaturePolicy": "AND('Org1MSP.peer','Org3MSP.peer')" } } ]
The corridor channel's endorsement policy for the token contract is AND(OutOf(2,'Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')): any two of three banks must endorse a transfer. This is enforced by the Validation System Chaincode at commit time, after the orderer has cut the block but before the peers update world state.
Section 05
Three chaincodes are deployed on the corridor channel: cbm-token implements per-currency commercial bank money tokens; fx-oracle publishes EUR/SAR mid prices signed by the liquidity provider; and a2a-router orchestrates the atomic delivery-versus-payment construct that ties a debit on one currency to a credit on the other. All three are written in Go against the contract-api-go v1 framework.
// cbm-token/contract.go — relevant excerpts type TokenContract struct { contractapi.Contract } type Account struct { Owner string `json:"owner"` // MSP-id::CN Currency string `json:"ccy"` // "EUR" | "SAR" Balance uint64 `json:"bal"` // minor units Frozen bool `json:"frozen"` } func (t *TokenContract) Transfer( ctx contractapi.TransactionContextInterface, from, to, ccy string, amount uint64, ref string, ) error { // 1. caller must own the debit account caller, _ := cid.GetID(ctx.GetClientIdentity()) if caller != from && !hasAttr(ctx, "treasury") { return errors.New("unauthorized debit") } // 2. travel-rule witness must be present in transient map tMap, _ := ctx.GetStub().GetTransient() trHash, ok := tMap["travel_rule_hash"] if !ok { return errors.New("missing travel-rule witness") } // 3. atomic debit/credit against world state src, _ := getAccount(ctx, from, ccy) dst, _ := getAccount(ctx, to, ccy) if src.Frozen || dst.Frozen { return errors.New("frozen") } if src.Balance < amount { return errors.New("insufficient") } src.Balance -= amount; dst.Balance += amount putAccount(ctx, src); putAccount(ctx, dst) // 4. emit event for off-chain payment hub ev := TransferEvent{From: from, To: to, Ccy: ccy, Amt: amount, Ref: ref, TRHash: hex.EncodeToString(trHash)} payload, _ := json.Marshal(ev) return ctx.GetStub().SetEvent("Transfer", payload) }
The a2a-router chaincode composes a Transfer on the EUR token and a Transfer on the SAR token in a single proposal, both conditional on a fresh fx-oracle reading whose timestamp is within 90 seconds. Because Fabric processes each transaction atomically against the read-write set produced by endorsing peers, both legs either commit together or neither does — the multi-version concurrency control (MVCC) layer rejects the entire proposal if any read key has been written between simulation and commit.
Atomicity in Fabric is MVCC, not 2PC
Fabric does not run two-phase commit. Atomicity across both legs is achieved by collecting both writes into a single transaction's read-write set. If the orderer sequences a conflicting write before this transaction's block is committed, the validator marks the transaction as MVCC_READ_CONFLICT and discards both legs. The payment hub must resubmit. In practice, sub-second resubmission succeeds in >99.7% of cases at the target throughput of 40 TPS per channel.
Section 06
Fabric supports two practical token implementation patterns. The minimal account-based model keeps a single composite-key entry per (owner,ccy) pair in world state. It is simple and readable, but serializes all transfers from a given account, which becomes a contention bottleneck under load. For the corridor we use the Fabric Token SDK maintained by IBM Research, which implements a UTXO-style fungible token on top of Fabric.
Each EUR-CBM note is an unspent output bound to its owner's identity by a Pedersen commitment; transfers consume one or more notes and produce new ones. The SDK supports two drivers: fabtoken (plaintext, suitable for consortium settings where amounts may be visible inside the channel) and zkat (zero-knowledge based on Idemix and bulletproofs, hiding amounts and owner identities from non-participants). We deploy the fabtoken driver on the corridor channel because the consortium has agreed that bilateral amounts are visible to all three members in exchange for simpler audit. The zkat driver is reserved for future expansion where additional banks join and amount confidentiality becomes commercially necessary.
| Property | Account model | Token SDK (fabtoken) | Token SDK (zkat) |
|---|---|---|---|
| state shape | balance per (owner, ccy) | set of UTXO notes | set of Pedersen-committed notes |
| parallelism | serialized per account | parallel across notes | parallel across notes |
| amount privacy | visible in world state | visible to all channel members | hidden; ZK-proven balance |
| auditability | direct read | auditor view via Token SDK role | auditor view via selective disclosure |
| deployed here? | No | Yes (corridor channel) | No (future expansion) |
Section 07
A complete EUR→SAR cross-border payment from a Munich corporate client to a Riyadh beneficiary moves through 16 distinct steps across three Fabric organizations, the Raft ordering service, two RTGS systems, and two core banking integrations. The on-ledger portion completes in under one second under normal network conditions. Steps 15–16 involve off-ledger RTGS net settlement at end-of-day.
Initiation · 10:14:02.118 CET · Munich
The corporate payer submits a SEPA-instant-style instruction through Bayerische Handelsbank's online banking portal. The portal validates IBAN mod-97, BIC ALMDSARI, sanctions screen, and submits to the bank's payment hub as internal reference PAY-IN-2026-04-21-887412.
Timing: <1 second · Automated validation · ISO 20022 pacs.008 standard
Compliance · 10:14:02.244 CET
The payment hub builds the ISO 20022 pacs.008.001.10 message including the originator's name, address, and BIC, and the beneficiary's name, address, IBAN/account, and BIC. It hashes the message body with SHA-256 to produce the travel-rule witness that will be placed in the transient map — never landing on the public ledger.
Timing: <1 second · Travel Rule witness computed
FX Quote · 10:14:02.281 CET
The hub sends an EvaluateTransaction to the fx-oracle chaincode requesting EUR/SAR. The oracle returns mid 4.0825 and ask 4.0833 (6 bp spread), signed by Org2's treasury identity and timestamped by the orderer's last block. The quote is valid for 90 seconds.
Timing: 0.5–2 seconds · Oracle rate validity window: 90 seconds
Proposal Construction · 10:14:02.310 CET
The hub uses Fabric Gateway to build a single proposal invoking a2a-router:AtomicSwap with both leg parameters and the FX quote. The Travel Rule hash is placed in the transient map so it is gossiped directly between Org1 and Org3 peers without entering the public block.
Timing: <1 second · AMQP point-to-point · travel-rule in transient map
Endorsement · 10:14:02.387 CET
Gateway forwards to peer0.de, then to peer0.sa. Each peer simulates the chaincode against its local world state, produces a signed read-write set, and returns it. Org2's endorsement is fetched in parallel for resilience, though only two endorsements are required to satisfy the corridor policy.
Timing: <1 second · Parallel endorsement · 2-of-3 required
Private Data · 10:14:02.388 CET (concurrent with 05)
During simulation, the chaincode writes the full pacs.008 body into PDC_TR_DE_SA. The private data is gossiped directly between Org1 and Org3 peers; only its SHA-256 hash enters the public block. Org2 sees only the hash, sufficient for nostro reconciliation without exposure to underlying party personal data.
Timing: Concurrent with endorsement · Bilateral gossip only
Submission · 10:14:02.401 CET
Gateway packages the proposal plus collected endorsements and submits to the Raft orderer cluster via gRPC. The leader (currently orderer1.fr) appends to its log and replicates to the four followers; on quorum acknowledgment it schedules the entry for the next block.
Timing: <1 second · Quorum of 3 required for block entry
Block Cut · 10:14:02.508 CET · Block 884,213
BatchTimeout=200ms or BatchSize=500 transactions — whichever is reached first. The block is signed by the Raft leader and gossiped to one peer per organization, which fan out to organizational peers via the Fabric gossip protocol.
Timing: ≤200ms batch window · Gossip dissemination
VSCC Validation · 10:14:02.531 CET
Each peer runs VSCC against the block: signature check, endorsement-policy check (≥2-of-3 valid), and MVCC check on read key versions. The transaction passes; both legs of the atomic swap are marked VALID.
Timing: <50ms per block · MVCC conflict check · 2-of-3 endorsement verified
World State Commit · 10:14:02.547 CET
CouchDB world state is updated atomically: Org1 EUR balance −4,820,000.00, Org2 EUR balance +4,820,000.00, Org2 SAR balance −19,683,765.00, Org3 SAR balance +19,683,765.00. The block hash is written to the channel's levelDB ledger store. This is the moment of on-ledger finality — irrevocable.
Timing: <20ms after VSCC · Atomic world-state update · IRREVOCABLE
Events · 10:14:02.549 CET
Each peer fires the Transfer events to its local payment hub via the block-listener API. Hubs match the event to the pending instruction by reference and update internal state from SUBMITTED to SETTLED-ON-LEDGER.
Timing: Automated · Block-listener API · Reference matching
Core Banking Debit · 10:14:02.612 CET · Munich
Core banking debits the corporate's EUR current account by 4,820,000.00 against an internal suspense account that mirrors the on-ledger token holdings. Booking carries reference PAY-IN-2026-04-21-887412 / FBR-884213.
Timing: Automated via event · Straight-through processing
Core Banking Credit · 10:14:02.681 CET · Riyadh
Bank Al-Madinah's core banking credits the beneficiary's SAR account by 19,683,765.00. The intra-day position against Banque Méridienne is reduced by the same amount in the nostro reconciliation tab. A SARIE-formatted credit advice is pushed to the beneficiary's online banking and SMS channels.
Timing: Automated via event · Beneficiary notified in real time
Audit Trail · Both Orgs
Both Org1 and Org3 now have an immutable, timestamped, cryptographically signed record in their ledger stores. The Travel Rule pacs.008 is preserved in PDC_TR_DE_SA with a 3-year retention policy. Compliance modules generate BaFin/ACPR and SAMA reporting records automatically.
Timing: Automated · Immutable from block 884,213 forward
End-of-Window Netting · 17:00:00 CET
The netting chaincode aggregates all corridor flows since the last cycle and produces a triangular net position per pair. For 21 April 2026: Org1 owes Org2 EUR 12,440,118 net; Org2 owes Org3 SAR 8,206,040 net. Net amounts are submitted to TARGET2 and SARIE respectively.
Timing: 17:00 CET daily · Multilateral netting
RTGS Settlement · 17:14 CET / 18:14 AST
Net positions are paid through TARGET2 (EUR leg) and SARIE (SAR leg) in central bank money. Once SAMA and Bundesbank confirmations are received, each hub submits a coordinated Burn transaction on-chain, removing the EUR-CBM and SAR-CBM tokens from world state and restoring the per-bank token issuance to its net opening position.
Timing: Post-RTGS confirmation · Tokens burned · Cycle complete
Section 08
The corridor uses the standard etcd/Raft ordering service that ships with Fabric 2.5. Raft is a crash-fault-tolerant protocol: with five orderer nodes, the cluster tolerates two simultaneous node failures and continues to make progress as long as three nodes remain reachable. It does not tolerate Byzantine behaviour — a malicious orderer could in principle withhold or reorder transactions within the batch timeout window, though it cannot forge endorsements or alter committed state.
To mitigate this, orderers are physically distributed across three bank-operated sites (Munich, Paris, Riyadh) and two technically independent operators (a Frankfurt colocation facility and a Bahrain regional data centre). No single jurisdiction or operator can unilaterally censor the channel. Orderer logs are mirrored to immutable WORM storage at each site for after-the-fact audit.
Fabric 3.x introduces a SmartBFT consensus plug-in (SBFT-CHS), which provides full Byzantine fault tolerance at the orderer layer. The consortium has agreed an upgrade path: once Fabric 3.x reaches IBM enterprise support GA and a six-month parallel-run window has been completed on a staging channel, the corridor will migrate to SmartBFT. In the interim, Raft is acceptable because the threat model assumes Byzantine endorsing peers, not Byzantine orderers — endorsement by the 2-of-3 bank policy is the cryptographic anchor.
Caveat: Raft assumes honest orderers
A coordinated take-over of Raft leadership could in principle censor transactions or reorder them within the BatchTimeout window. The bank consortium mitigates this through (a) jurisdictional diversity of orderer operators, (b) cryptographic chain-of-custody on orderer logs, and (c) a hot-swap procedure documented in the operations runbook that allows a degraded cluster to be reconstituted from any majority subset within 30 minutes.
Section 09
The corridor speaks ISO 20022 internally — both sides are migrating their cross-border traffic to the MX standard ahead of SWIFT's MT discontinuation milestones. The full pacs.008.001.10 message is written into the private data collection so that compliance and auditors at the originating and beneficiary banks can reconstruct the regulated payment context, while the public corridor ledger stores only the SHA-256 hash for integrity-witnessing.
<!-- pacs.008.001.10 — abbreviated --> <FIToFICstmrCdtTrf> <GrpHdr> <MsgId>BHDLDE2M-20260421-887412</MsgId> <CreDtTm>2026-04-21T10:14:02.244+02:00</CreDtTm> <NbOfTxs>1</NbOfTxs> <SttlmInf><SttlmMtd>CLRG</SttlmMtd> <ClrSys><Prtry>FABRIC-EURSAR-CORRIDOR</Prtry></ClrSys> </SttlmInf> </GrpHdr> <CdtTrfTxInf> <PmtId><EndToEndId>PAY-IN-2026-04-21-887412</EndToEndId> <UETR>5e9c4e8a-2f1b-4b3a-9d0e-1c8f4a7b6d52</UETR></PmtId> <IntrBkSttlmAmt Ccy="EUR">4820000.00</IntrBkSttlmAmt> <ChrgBr>SHAR</ChrgBr> <Dbtr><Nm>Präzision Werkzeug GmbH</Nm> <PstlAdr><Ctry>DE</Ctry></PstlAdr></Dbtr> <DbtrAcct><Id><IBAN>DE89370400440532013000</IBAN></Id></DbtrAcct> <DbtrAgt><FinInstnId><BICFI>BHDLDE2M</BICFI></FinInstnId></DbtrAgt> <CdtrAgt><FinInstnId><BICFI>ALMDSARI</BICFI></FinInstnId></CdtrAgt> <Cdtr><Nm>Saudi Water Authority</Nm> <PstlAdr><Ctry>SA</Ctry></PstlAdr></Cdtr> <CdtrAcct><Id><Othr><Id>SA0380000000608010167519</Id></Othr></Id></CdtrAcct> <RmtInf><Ustrd>Desalination plant — milestone 3 of 7</Ustrd></RmtInf> </CdtTrfTxInf> </FIToFICstmrCdtTrf>
The hub canonicalises the XML per W3C Canonical XML 1.1, hashes it with SHA-256, and that 32-byte hash is what the chaincode persists on the public ledger as the trHash field of the transfer event. Any subsequent dispute can be resolved by replaying the private data from either bank's PDC and re-canonicalising — a hash mismatch flags tampering.
Section 10
Each bank performs KYC and CDD on its own customer at onboarding under its home regime: BaFin GwG for Germany, ACPR/AMF for France, and SAMA AML/CFT Rules for Saudi Arabia. The corridor ledger does not store customer identity directly — identity remains in each bank's internal KYC vault. What the ledger guarantees is that an authenticated bank gateway, holding a valid MSP identity, has attested at the moment of submission that the underlying customer has been screened.
The FATF Travel Rule (Recommendation 16, transposed into the EU's Transfer of Funds Regulation 2023/1113 and the SAMA AML/CFT Rules Article 17) requires the originator's name, account, address, and identifier, plus the beneficiary's name and account, to travel with the payment. We satisfy this by storing the full pacs.008 in the bilateral private data collection between originator and beneficiary banks. The liquidity provider (Org2) sees only the public block and the hash — sufficient for nostro reconciliation without unnecessary exposure to the underlying parties' personal data.
Sanctions screening is performed by each bank's gateway against its own list (EU Consolidated List, OFAC SDN where applicable, UN Security Council list, SAMA's domestic list). The screening result is asserted in the transient map as a signed JSON Web Token whose subject is the customer's hashed identifier. The chaincode does not validate the JWT contents — that would require sharing keys across the consortium — but it rejects any transfer whose transient map lacks the witness, and the witness is preserved in the PDC for audit.
AML false-positive reduction with ISO 20022
The structured LEI + structured name in pacs.008 allows sanctions screening against legal entity registries rather than free-text name fields. Industry studies document 30–50% false-positive reduction in structured-data environments versus legacy MT formats — a direct operational cost saving for each bank's compliance function, and a significant reduction in payment delays caused by manual review queues.
Section 11
The corridor operates across two distinct regulatory jurisdictions. The EU side is governed by the consolidated CRR/CRD framework plus the MiCA, DORA, and TFR regulations. The Saudi side is governed by SAMA's licensing and AML/CFT framework. Neither side currently mandates daily on-ledger reporting, but each bank's auditor identity has read-only access to the corridor channel and to the bank's bilateral PDC.
European Union
Kingdom of Saudi Arabia
Section 12
On-ledger transfers move commercial bank money tokens: a liability of the issuing bank denominated in fiat. They are not final in the legal sense until the corresponding central-bank-money settlement has occurred between the banks. The corridor flattens this through end-of-day net settlement against TARGET2 for the EUR leg and SARIE for the SAR leg.
At 17:00 CET the netting chaincode produces a multilateral net position per currency per bank. For 21 April 2026, after netting all corridor flows:
| Pair | Currency | Net direction | Net amount | Settlement venue |
|---|---|---|---|---|
| Org1 → Org2 | EUR | Org1 pays Org2 | 12,440,118.42 | TARGET2 |
| Org2 → Org3 | SAR | Org2 pays Org3 | 8,206,040.05 | SARIE |
| Org3 → Org1 | EUR | Org3 pays Org1 | 1,217,330.18 | TARGET2 |
EUR leg: Bayerische Handelsbank submits an MT 202 / pacs.009 to the TARGET2-Bundesbank component for credit to Banque Méridienne's TARGET2 PM account. Settlement is final on the books of the Eurosystem at 17:14 CET — a direct claim on the ECB itself, the highest-quality settlement asset available.
SAR leg: Banque Méridienne instructs its Riyadh nostro provider to settle through SARIE — the Saudi Arabian Riyal Interbank Express, operated by SAMA — for credit to Bank Al-Madinah's SAMA settlement account. Final at 18:14 AST (15:14 UTC).
Once SAMA and Bundesbank confirmations are received, each hub submits a Burn proposal to the corridor: the EUR-CBM and SAR-CBM tokens corresponding to the net amounts settled are removed from world state, restoring the per-bank token issuance to its net opening position. The cycle then begins again at 17:00:01 CET.
Why net settlement and not gross
Gross on-RTGS settlement of every individual transfer would defeat the purpose of the corridor: SARIE and TARGET2 fees, plus the timing mismatch between European and Saudi RTGS operating hours, would make small payments uneconomic. Net settlement preserves the throughput and finality benefits of the on-ledger token movement while reducing the number of central-bank transactions to one per bank per currency per day.
Section 13
Any production deployment of a permissioned Fabric corridor in a regulated cross-border context faces a set of well-understood technical and governance risks. The following are the six most material risks for this architecture, together with their mitigations.
A compromised majority of orderer nodes could censor transactions within the BatchTimeout window. Mitigation: jurisdictional diversity across five orderer nodes, WORM-mirrored orderer logs, and scheduled migration to SmartBFT in Fabric 3.x when IBM enterprise support reaches GA.
An attacker holding a treasury HSM credential could mint or burn unbacked tokens. Mitigation: dual-control endorsement policy (two approvers required), 12-hour treasury cert validity, real-time issuance cap monitored by an off-chain reconciliation service against core banking systems.
If the oracle stops publishing, atomic swaps fail; if it publishes wrong prices, the liquidity provider loses or wins value. Mitigation: chaincode rejects quotes >90 seconds old; a circuit-breaker disables atomic-swap if oracle drift exceeds 25 bp from the ECB reference rate.
High throughput against the same world-state keys causes MVCC_READ_CONFLICT rejections. Mitigation: the UTXO-style Fabric Token SDK distributes load across multiple token notes, eliminating the single-account contention bottleneck present in the simpler account-based model.
If a bank's RTGS leg fails to settle by cycle close, the Burn transaction is not submitted; the unburned tokens remain on-ledger as a visible obligation. Threshold limits per bank prevent unbounded build-up; the netting cycle for the following day absorbs the carry.
Lifecycle v2 requires per-organization approval before commit. We run a 30-day soak on a sandbox channel before any chaincode upgrade proposal is approved, and the upgrade is gated on a notarised release attestation signed by the consortium technical committee.
References