Financial compliance has always balanced on a delicate line: regulators need enough visibility to keep bad actors out, while users do not want to hand over their entire financial lives just to make a payment or a trade. In 2025, that tension is sharper than ever. We have stricter anti-money laundering (AML) rules, broader data protection regimes, more cross-border activity and, at the same time, better privacy-enhancing technology than we have ever had.
The good news is that we no longer have to sacrifice privacy to ensure compliance. Zero-knowledge proofs (ZKPs) provide a solution to the so-called privacy paradox: regulators need assurance that rules are followed, but exposing full identities and transaction details creates security, legal and data protection risks. ZKPs let us flip the model from “show me the data” to “show me the proof,” enabling companies to demonstrate compliance without revealing underlying information.
This approach is not designed to evade regulatory oversight. Instead, it modernizes the compliance toolkit so that regulated firms can demonstrate that they have met their legal duties (sanctions screening, KYC obligations, segregation of client assets, capital checks) without transferring or exposing the underlying data. ZKPs can be better for users and, in the long term, for regulatory compliance, because the evidence is independently verifiable and tamper-evident.
What zero knowledge actually does
A zero-knowledge proof is a cryptographic way of saying, “I can prove to you that I followed rule X, but I will not show you the sensitive information normally required to prove it.” In the financial sector, “rule X” can be very specific: “this wallet was screened against the current sanctions list”; “this user holds a valid KYC credential from a trusted issuer”; “this exchange holds client assets 1:1 and they match its liabilities”; “this transaction is below (or within) an allowed range,” and so on. Each of these only holds as far as its inputs do: a proof that a wallet was screened is only as good as the list it was screened against and the party that published that list.
Today, firms may be required by law to report large data sets to specific regulators. Even where this is done in compliance with data protection law, every extra copy of the data increases the risk of a security breach or misuse. A ZK-based approach proves the output, not the inputs. Where a regulator needs to go deeper, a process can be designed for selective disclosure of the specific data required (view keys, time-limited access and full audit logs, provided under due process) through an approved regulatory portal or window.
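To make “show me the proof” concrete, the following is an added example (not code from the article or from Binance) of the smallest complete zero-knowledge proof: Schnorr’s proof of knowledge of a discrete logarithm, made non-interactive with the Fiat-Shamir transform. The prover shows it knows a secret x behind a public value y = g^x mod p while sending nothing that reveals x, and the statement being attested is hashed into the challenge so the proof cannot be replayed for a different claim. The compliance statements above are much larger circuits, but they rest on the same commit-challenge-response structure. The 64-bit safe-prime group and the statement string are assumptions for illustration only, not production parameters.

```python
"""Added example (not from the article or Binance): Schnorr zero-knowledge proof
of knowledge of x with y = g^x mod p, non-interactive via Fiat-Shamir.
Group parameters are generated at toy size (64-bit safe prime) so the script
runs instantly; they are an illustration, NOT production parameters."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test; error probability at most 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 64):
    """Return (p, q, g) with p = 2q + 1 both prime; g = 4 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def challenge(params, y: int, t: int, statement: bytes) -> int:
    """Fiat-Shamir: hash the public transcript AND the statement being proven."""
    p, q, g = params
    data = b"|".join(str(v).encode() for v in (p, g, y, t)) + b"|" + statement
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def prove(params, x: int, statement: bytes):
    """Prover side: commit (t), derive challenge (c), respond (s). x is never sent."""
    p, q, g = params
    y = pow(g, x, p)
    r = secrets.randbelow(q - 1) + 1          # fresh per proof; reusing r would leak x
    t = pow(g, r, p)
    c = challenge(params, y, t, statement)
    s = (r + c * x) % q
    return y, (t, s)


def verify(params, y: int, proof, statement: bytes) -> bool:
    """Verifier side: accept iff g^s == t * y^c (mod p) for the recomputed challenge."""
    p, q, g = params
    t, s = proof
    if not (1 < y < p and 1 < t < p and 0 <= s < q):
        return False
    if pow(y, q, p) != 1:                      # y must lie in the prime-order subgroup
        return False
    c = challenge(params, y, t, statement)
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def demo():
    """Honest proof verifies; the same proof fails for another statement or if tampered."""
    params = safe_prime_group()
    _, q, _ = params
    x = secrets.randbelow(q - 1) + 1           # the secret that stays with the prover
    stmt = b"wallet screened against sanctions list v2025-11"   # constructed statement
    y, proof = prove(params, x, stmt)
    honest = verify(params, y, proof, stmt)
    replayed = verify(params, y, proof, b"a different statement")   # bound to stmt
    t, s = proof
    forged = verify(params, y, (t, (s + 1) % q), stmt)               # tampered response
    return honest, replayed, forged


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The verifier never sees x, only (t, s), and learns nothing beyond the fact that whoever produced the proof knew x for the statement hashed into the challenge. Real compliance circuits prove far richer relations (set non-membership, range checks, credential signatures), but the verifier-side discipline is the same: recompute the challenge yourself, check every group element is well formed, and reject anything that fails.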
Why this matters now
Three trends are converging.
First, in the EU, regulators are making anti-money laundering (AML) controls more detailed, while the GDPR and other privacy regimes emphasize data minimization and purpose limitation. These can be complementary rather than opposed: compliance should deliver the same or better security with less routine exposure of personal data, which is exactly what privacy-preserving reporting techniques provide.
Second, digital identity frameworks (such as those envisioned under eIDAS 2.0) are coming closer to reality. They are built on the same building blocks as ZK: verifiable credentials, selective disclosure and cryptographically signed attestations. That makes it far more realistic to issue portable “I have passed KYC” or “I am not sanctioned” credentials that are proven to a service rather than copied into it.
Third, supervisors themselves are exploring privacy-enhancing technologies, including models in which they verify evidence rather than collect data.
What an evidence-based compliance stack could look like
We already have live examples. ZK-enhanced proof-of-reserves is the best known: an exchange proves that it holds assets sufficient to meet customer obligations without revealing individual balances. It is solvency assurance with zero knowledge.
You can do the same for sanctions screening. Instead of sending the full identity each time, a wallet presents a proof that it was checked against the most recent list at a specific time. The regulator, or the regulated VASP on the other side of the transaction, runs a verifier node to confirm that the proof is valid and current. Note that “verifier nodes” are a policy proposal: supervisory infrastructure that lets supervisors validate evidence without collecting data in bulk.
You can also do it for segregation: a custodian proves that client assets are not commingled with house funds via a range or sum proof, without publishing the entire ledger. You can even embed this in smart contracts so that a transaction does not execute unless the proof passes. That is “programmable compliance”: rules are enforced at the time of the transaction, in real time, rather than checked afterwards.
For regulators, the key shift is from collecting raw data to verifying cryptographic evidence. They still get security, auditability and traceability when there is a legal basis to disclose. But they do not need to store or process significant amounts of personal data by default, reducing both operational and legal risks.
Answering key questions
Regulators are already beginning to embrace targeted ZK pilots, from verifiable proof-of-reserves to Travel Rule compliance that validates user attributes without revealing full datasets. As these primitives mature, they naturally scale to market integrity controls, allowing companies to demonstrate that they are within concentration and exposure limits through range and sum proofs without disclosing underlying positions.
Critically, ZK is not a synonym for opacity; well-designed systems use selective disclosure via view keys or multi-party (threshold) keys. This keeps law-enforcement access narrow, auditable and subject to due process rather than universal and tacit.
What regulators may require
To work across borders, we need standards: standard evidence types (e.g. “not on sanctions list X as of date Y”), standard credential formats and standard verifier logic that can be inspected. That way each exchange, wallet or bank does not build its own version and create needless complexity for supervisors.
Specifically, regulators can benefit from six things:
- Results over data (tell me what you proved, not everything you have);
- Minimum-information evidence (prove only what is necessary for this obligation);
- Programmable checks (enforced at the time of the transaction, where applicable);
- Strong data availability and exit mechanisms (users can always confirm their balances and withdraw);
- Verifiable verifier logic (inspections, test vectors, audit logs);
- No generalized back doors (disclosure only under legitimate, narrow, logged processes).
Binance is a global exchange that already uses ZKPs to demonstrate reserves. Our proof-of-reserves (PoR) system uses a Merkle tree – a cryptographic structure that condenses many account records into a single “fingerprint” – together with zero-knowledge proofs to show that customer assets are fully backed without revealing individual balances. With each PoR update, users can confirm that their balance is included in the tree, while the ZKPs ensure that the grand totals are correct and that no negative or fabricated balances have been included. The result is independent, privacy-preserving verification of reserves that builds trust without exposing personal data.
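The following is an added example, not Binance’s PoR code, of the data structure that paragraph describes: a Merkle sum tree in which every node commits to both a hash and a running balance, so one published root fixes the set of accounts and the total liabilities at once. A user checks inclusion with a log(n) sibling path; the negative-balance and summation checks that a real deployment hides inside the zero-knowledge proof are done in the clear here because no ZK library is used. The account list and salt are constructed for the example.

```python
"""Added example (not Binance's code): a Merkle sum tree for proof-of-reserves.
Leaves commit to (salted id, balance); inner nodes commit to both children and
carry the combined balance.  The ZK proof in a real PoR covers the
non-negativity and summation checks; here they are done openly."""
import hashlib

ACCOUNTS = [("alice", 120), ("bob", 40), ("carol", 0), ("dave", 315), ("erin", 7)]  # constructed
SALT = b"por-round-2025-11"                          # assumption: per-round salt given to users
PAD = (hashlib.sha256(b"empty-leaf").digest(), 0)    # filler node with zero balance
WIDTH = 16                                           # fixed-width ints avoid ambiguous hashing


def leaf(account_id: str, balance: int):
    """Commit to one account. Negative balances must never enter the tree."""
    if balance < 0:
        raise ValueError(f"negative balance for {account_id}")
    digest = hashlib.sha256(SALT + account_id.encode() + balance.to_bytes(WIDTH, "big")).digest()
    return digest, balance


def node(left, right):
    """Inner node: hash both children's (hash, sum) and carry the combined sum."""
    lh, ls = left
    rh, rs = right
    digest = hashlib.sha256(lh + ls.to_bytes(WIDTH, "big") + rh + rs.to_bytes(WIDTH, "big")).digest()
    return digest, ls + rs


def build_tree(accounts):
    """Return all levels, leaves first; odd-length levels are padded with PAD."""
    level = [leaf(a, b) for a, b in accounts]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [PAD]
            levels[-1] = level
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root(levels):
    """(root_hash, total_liabilities): the pair the exchange publishes each round."""
    return levels[-1][0]


def inclusion_proof(levels, index: int):
    """Sibling (hash, sum) pairs from leaf to root, each flagged with our side."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index % 2 == 1))   # True: we are the right child
        index //= 2
    return path


def verify_inclusion(account_id: str, balance: int, path, published) -> bool:
    """User-side check: my (id, balance) leaf hashes up to the published root and total."""
    cur = leaf(account_id, balance)
    for sibling, we_are_right in path:
        if sibling[1] < 0:                    # a negative sibling would understate liabilities
            return False
        cur = node(sibling, cur) if we_are_right else node(cur, sibling)
    return cur == published


def tree_accepts(accounts) -> bool:
    """True only if every balance is non-negative and the tree builds."""
    try:
        build_tree(accounts)
        return True
    except ValueError:
        return False


def demo():
    levels = build_tree(ACCOUNTS)
    published = root(levels)
    path = inclusion_proof(levels, 3)                        # dave's leaf
    return (
        published[1],                                        # total liabilities committed
        verify_inclusion("dave", 315, path, published),      # correct balance verifies
        verify_inclusion("dave", 316, path, published),      # wrong balance fails
        tree_accepts([("mallory", -5), ("alice", 120)]),     # negative balance rejected
    )


if __name__ == "__main__":
    print(demo())   # (482, True, False, False)
```

The exchange publishes only the root hash and the total; each user receives their own path and checks that their balance is in it. What the open version cannot do is hide sibling balances from the user or prove to outsiders that every leaf is non-negative without revealing it, which is precisely the gap the ZK layer closes. Two caveats a practitioner would want: the root is a snapshot, so liabilities kept outside the tree or assets borrowed for the snapshot are not detected by the tree alone, and the reserves side must be checked separately against on-chain holdings at the same point in time.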
But this is bigger than one company. If we get this right, we can make financial compliance more accurate, more respectful of privacy laws, and easier to oversee.
This will require cooperation: regulators will need to define the evidentiary standards they accept, industry will need to adopt them, and standard-setting bodies will need to make them interoperable across borders.
What success looks like
Success is when a user can prove legitimacy without oversharing; a bank, VASP or stock exchange can meet AML/Travel Rules obligations with less disclosure of data; a regulator can run a verifier node and get real-time assurance; and bad actors can be exposed under clear, narrow, legal conditions.
In short: security with less data exposure. As cyber risk increases, privacy laws evolve and cross-border digital finance proliferates, moving from routine mass data collection to verifiable evidence is a pragmatic upgrade to supervisory practice.
References to EU privacy law in this opinion reflect the November 2025 framework; the Commission’s digital omnibus proposal remains subject to change through the ordinary legislative procedure.