Regulating finance with zero knowledge in the EU and beyond

Financial compliance has always walked a delicate line: regulators need enough visibility to keep bad actors out, but users do not want to expose their entire financial lives just to make a payment or complete a transaction. In 2025, that tension is more acute than ever. We have stronger anti-money laundering (AML) rules, broader data protection regimes, more cross-border activity and, at the same time, better privacy-preserving technology than ever before.

The good news is that we no longer have to sacrifice privacy to ensure compliance. Zero-knowledge proofs (ZKPs) offer a way out of the so-called privacy paradox: regulators need assurance that the rules are followed, but exposing full identities and transaction details creates security, legal and data protection risks. ZKPs change the model from "show me the data" to "show me proof," letting companies demonstrate compliance without revealing the underlying information.

This approach is not designed to evade regulatory oversight. Instead, it modernizes the compliance toolkit so that regulated companies can demonstrate that they meet their legal obligations (sanctions screening, KYC, segregation of client assets, capital requirements) without transferring or exposing the underlying data. ZKPs can be better for users and, in the long run, for regulatory compliance, because the proofs are independently verifiable and cannot be forged by the party making the claim.

What does zero knowledge actually do?

A zero-knowledge proof is a cryptographic way of saying, "I can prove to you that I followed rule X, but I won't show you the sensitive information normally required to prove it." The verifier learns that the statement is true and nothing more. In finance, "rule X" can be very specific: "this wallet was screened against the current sanctions list"; "this user holds a valid KYC credential from a trusted issuer"; "this exchange backs client assets 1:1 and reconciles them against liabilities"; "this transaction is below (or within) an allowed range"; and so on.

Today, firms may be required by law to report large data sets to specific regulators. They comply with applicable data protection laws, but every extra copy of that data increases the risk of breaches and misuse. A ZK-based approach proves the result, not all the inputs. If a regulator needs to dig deeper, a process can be designed for selective disclosure of the specific data required (viewing keys, time-bound access and full audit trails, granted under due process as necessary), for example through an authorized regulatory window or portal.

Why does this matter now?

Three trends are converging.

First, in the EU, supervisors are making anti-money laundering (AML) controls more granular, while the GDPR and other privacy regimes emphasize data minimization and purpose limitation. These can be complementary rather than opposed: compliance should provide the same or better assurance with less routine exposure of personal data. Privacy-preserving reporting techniques are how that goal can be met.

Second, digital identity frameworks (such as those envisioned in eIDAS 2.0) are moving closer to reality. They rest on the same building blocks as ZK: verifiable credentials, selective disclosure and cryptographic attestations. That makes it far more realistic to issue portable "I passed KYC" or "I am not sanctioned" credentials that can be verified, rather than re-collected, across multiple services.

Third, supervisors are exploring privacy-enhancing technologies, including models in which they verify proofs instead of collecting raw data.

What a proof-based compliance stack could look like

We already have live examples. ZK-enhanced proof of reserves is the best known: an exchange proves it holds the assets to meet customer liabilities without disclosing individual balances. The solvency statement is what gets verified; the balances stay hidden.

You can do the same for sanctions screening. Instead of sending the full identity each time, a wallet presents a proof that it was screened against the most recent list at a specific time. The regulator, or a regulated VASP on the other side, runs a verifier node to confirm that the proof is valid and current. It is important to note that "verifier nodes" are a policy proposal: supervisory infrastructure that lets supervisors validate proofs without collecting bulk data.

It can also be done for segregation: a custodian proves that client assets are not commingled with its own funds using a range or sum proof, without publishing the entire ledger. You can even build this into smart contracts: a transaction does not execute unless a valid proof is presented. This is "programmable compliance": rules enforced at the time of the transaction, in real time, rather than checked afterwards.

For regulators, the key shift is moving from collecting raw data to verifying cryptographic evidence. They keep security, auditability and traceability, with unmasking available where there is a legal basis for it. But they do not have to retain or process large amounts of personal data by default, reducing both operational and legal risk.

Answering key questions

Regulators are already beginning to adopt specific ZK pilots, ranging from verifiable proofs of reserves to Travel Rule compliance that validates user attributes without exposing entire data sets. As these primitives mature, they can be integrated into market integrity controls, allowing firms to demonstrate that they are within concentration and exposure limits using range and sum proofs without revealing the underlying positions.

Fundamentally, ZK is not synonymous with opacity; well-designed systems support selective disclosure through viewing keys or multi-party (threshold) keys. This keeps law enforcement access restricted, demonstrable and subject to due process, rather than universal and silent.

What regulators might require

To work across borders, we need standards: standard proof statements (for example, "not on sanctions list X on date Y"), standard credential formats, and standard verification logic that can be inspected. This is how you prevent each exchange, wallet or bank from creating its own version and adding unnecessary complexity for supervisors.

Specifically, regulators can benefit from six things:

  1. Proofs over data (tell me what you proved, not everything you hold);
  2. Minimal-disclosure proofs (attest only what is necessary for this obligation);
  3. Programmable controls (enforced at the time of transaction where applicable);
  4. Strong data availability and exit mechanisms (users can always confirm their balances and withdraw);
  5. Verifiable verifier logic (inspectable code, test vectors, audit logs);
  6. No blanket backdoors (disclosure only under legal, restricted and logged processes).

Binance is a global exchange that already uses ZKPs to demonstrate reserves. Our Proof of Reserves (PoR) system uses a Merkle tree (a cryptographic structure that condenses many account entries into a single "fingerprint") together with zero-knowledge proofs to show that customer assets are fully backed without revealing individual balances. With each PoR update, users can confirm that their balance is included in the tree, while the ZKPs ensure that the overall totals are correct and that no negative or fabricated balances have been included. The result is independent verification of reserves that preserves privacy and builds trust without exposing personal data.
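To make the reserves discussion concrete (the sum proof mentioned under segregation and the Merkle tree just described), here is an added illustration of the commitment layer a proof of reserves is built on. This is example code written for this page, not Binance's PoR implementation, and the hash construction, the fixed-width signed balance encoding and the sample accounts are assumptions made for the example. The tree commits each account's balance and the running sum at every node; a user verifies that their own balance sits under the published root and that no negative sibling subtree contributed to the published total. The MASKED case at the end shows the limitation of the plain tree: a negative balance hidden behind a larger positive sibling passes the user's check, which is exactly the gap a ZKP closes by proving every leaf is non-negative without revealing the sibling sums at all.

```python
"""Merkle sum tree under a proof-of-reserves scheme.

Added illustration, not Binance's PoR code. Hash layout, encoding and
sample accounts are assumptions for the example. The zero-knowledge
layer that would hide sibling sums and prove per-leaf non-negativity
is out of scope; this shows the commitment the ZKP is built on.
"""
import hashlib
from typing import List, Tuple

# One proof step: (sibling_hash, sibling_sum, sibling_is_on_the_left).
Step = Tuple[bytes, int, bool]


def _enc(n: int) -> bytes:
    # Fixed-width signed encoding, so flipping the sign changes the hash.
    return n.to_bytes(16, "big", signed=True)


def leaf_hash(user_id: str, balance: int) -> bytes:
    return hashlib.sha256(b"leaf|" + user_id.encode() + b"|" + _enc(balance)).digest()


def node_hash(lh: bytes, ls: int, rh: bytes, rs: int) -> bytes:
    # Domain-separated from leaves; child sums are committed, not just hashes.
    return hashlib.sha256(b"node|" + lh + _enc(ls) + rh + _enc(rs)).digest()


def build_tree(accounts: List[Tuple[str, int]]) -> List[List[Tuple[bytes, int]]]:
    """Return levels[0] = leaves ... levels[-1] = [(root_hash, root_sum)]."""
    leaves = [(leaf_hash(u, b), b) for u, b in accounts]
    while len(leaves) & (len(leaves) - 1):      # pad to a power of two
        leaves.append((leaf_hash("", 0), 0))
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([
            (node_hash(cur[i][0], cur[i][1], cur[i + 1][0], cur[i + 1][1]),
             cur[i][1] + cur[i + 1][1])
            for i in range(0, len(cur), 2)
        ])
    return levels


def root(levels: List[List[Tuple[bytes, int]]]) -> Tuple[bytes, int]:
    return levels[-1][0]


def inclusion_proof(levels: List[List[Tuple[bytes, int]]], index: int) -> List[Step]:
    """Sibling hashes and sums from the leaf up to (not including) the root."""
    proof: List[Step] = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append((level[sib][0], level[sib][1], sib < index))
        index //= 2
    return proof


def verify_inclusion(root_hash: bytes, root_sum: int,
                     user_id: str, balance: int, proof: List[Step]) -> bool:
    """What a user checks against the exchange's published (root_hash, root_sum)."""
    if balance < 0:
        return False
    h, s = leaf_hash(user_id, balance), balance
    for sib_hash, sib_sum, sib_is_left in proof:
        # A negative sibling subtree would let a hidden deficit shrink the total.
        if sib_sum < 0:
            return False
        if sib_is_left:
            h, s = node_hash(sib_hash, sib_sum, h, s), sib_sum + s
        else:
            h, s = node_hash(h, s, sib_hash, sib_sum), s + sib_sum
    return h == root_hash and s == root_sum


def check_user(accounts: List[Tuple[str, int]], index: int, claimed_balance: int) -> bool:
    """Exchange builds the tree and publishes the root; user `index` verifies."""
    levels = build_tree(accounts)
    rh, rs = root(levels)
    return verify_inclusion(rh, rs, accounts[index][0], claimed_balance,
                            inclusion_proof(levels, index))


# Constructed sample data (balances in minor units), not real accounts.
HONEST = [("alice", 500), ("bob", 1200), ("carol", 300), ("dave", 0)]
# A negative leaf that every honest user's path meets as a negative sibling sum.
DEFICIT = [("alice", 500), ("bob", 1200), ("carol", 300), ("mallory", -900)]
# The limitation: a negative leaf masked by a larger positive sibling.
MASKED = [("alice", 500), ("mallory", -100), ("carol", 300), ("dave", 0)]

if __name__ == "__main__":
    print("honest total:", root(build_tree(HONEST))[1])       # 2000
    print("alice in HONEST:", check_user(HONEST, 0, 500))      # True
    print("alice, wrong balance:", check_user(HONEST, 0, 501)) # False
    print("carol in DEFICIT:", check_user(DEFICIT, 2, 300))    # False
    print("carol in MASKED:", check_user(MASKED, 2, 300))      # True (masked deficit)
```

Two things to take from running it. The plain tree already gives a user "my balance is in the published total" and rejects any negative subtree sum on their own path, but the MASKED case verifies successfully because mallory's deficit is absorbed by alice's balance before carol's path sees it. It also leaks the sibling sums to every user. A ZK proof of reserves addresses both: the prover shows in zero knowledge that each leaf is non-negative and that the root sum equals the sum of the leaves, and the user verifies that proof plus their own inclusion without seeing anyone else's aggregates.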

But this is bigger than a company. If we get this right, we can make financial compliance more accurate, more respectful of privacy law, and easier to monitor.

This will require collaboration. Regulators will need to define the proof standards they accept; the industry will need to align on and implement those standards; and regulatory bodies will need to ensure that they are interoperable across borders.

What success looks like

Success comes when a user can prove their legitimacy without oversharing; a bank, VASP or exchange can meet its AML and Travel Rule obligations with smaller data disclosures; a regulator can run a verifier node and obtain assurance in real time; and bad actors can be unmasked under clear, strict and legal conditions.

In short, security with less disclosure. As cyber risk increases, privacy laws evolve, and cross-border digital finance grows, moving from routine big data collection to verifiable evidence is a pragmatic update to supervisory practice.

References to EU privacy law in this opinion piece reflect the framework as of November 2025; the Commission's Digital Omnibus proposals remain subject to change through the ordinary legislative process.
