By Hannah Garvey, Senior Privacy Legal Counsel, Binance

Main Takeaways

  • Zero-knowledge proofs (ZKPs) can modernize compliance by allowing firms to prove they followed rules such as sanctions screening, KYC, asset segregation, and capital checks without routinely exposing sensitive user data.

  • Regulatory tailwinds are making proof-based compliance more timely, including more granular AML expectations, stricter data-minimization requirements, emerging digital identity frameworks such as eIDAS 2.0, and growing supervisory interest in privacy-enhancing technologies.

  • When done well, proof-based compliance can make oversight more precise and privacy-respecting, as well as simplify supervision.

Financial compliance has always been a balancing act: regulators need enough visibility to keep bad actors out, while users should not have to expose their entire financial lives just to trade or make a payment. Now, that tension is sharper than ever, with stricter AML expectations, broader data-protection regimes, and more cross-border activity.

The good news is privacy and compliance no longer have to be a trade-off. Zero-knowledge proofs (ZKPs) offer a practical way to resolve the privacy paradox by shifting the model from “show me the data” to “show me the proof.” Firms can now demonstrate they meet obligations such as sanctions screening, KYC requirements, client-asset segregation, and capital checks without handing over the underlying sensitive information. This method upgrades compliance by using verifiable, tamper-evident proofs that preserve oversight while reducing exposure of sensitive data.

The Power of Zero-Knowledge Proofs

A zero-knowledge proof lets someone prove they followed a rule without revealing the sensitive data behind it. In finance, such rules can be very varied and concrete: “this wallet was screened against the current sanctions list”; “this user holds a valid KYC credential from a trusted issuer”; “this exchange holds client assets 1:1 and they reconcile to liabilities”; “this transaction is below (or within) an allowed range,” and so on.

Today, the law can require firms to report large datasets to regulators. Binance complies in line with applicable data-protection laws, but broad data transfer increases potential exposure to breaches and misuse. A ZK-based approach proves the outcome instead of sharing every input, and can still support selective disclosure when needed through controlled access such as viewing keys, time-bound permissions, and auditable logs under due process.

Three trends are converging in a way that makes proof-based compliance timely.

In the EU, AML expectations are becoming more granular at the same time that GDPR and other privacy regimes emphasize data minimization and purpose limitation. These goals can reinforce each other: compliance should deliver the same or better assurance with less routine exposure of personal data, supported by privacy-preserving reporting.

Digital identity frameworks such as eIDAS 2.0 are also moving closer to implementation. Built on verifiable credentials, selective disclosure, and cryptographic attestations, they make portable “I passed KYC” or “I am not sanctioned” credentials more realistic, allowing checks to be proven rather than repeatedly re-collected across services. 

At the same time, supervisors are increasingly exploring privacy-enhancing technologies, including proof-verification models.

What a Proof-Based Compliance Stack Could Look Like

Live examples already exist. Binance’s ZK-enhanced proof-of-reserves system is the best-known one: using this approach, a platform can prove it holds enough assets to cover customer liabilities without exposing individual balances.

The same idea can be applied to sanctions screening. Instead of repeatedly sending full identity data, a wallet could present a proof showing it was checked against the latest list at a specific time. A regulator, or a regulated Virtual Asset Service Provider (VASP) on the other side, could validate that proof through a verifier node. Verifier nodes are a policy proposal that would give supervisors a way to verify proofs without collecting bulk data.

ZKPs can also support segregation checks. A custodian could prove client assets are not commingled with house funds using range or sum proofs without publishing the entire ledger. These checks can even be enforced at transaction time through smart contracts, enabling programmable compliance where rules are validated in real time rather than after the fact.

For regulators, ZKPs can underpin a shift from collecting raw datasets to verifying cryptographic evidence. Assurance and auditability remain, including traceability when there is a legal basis to unmask, while default data exposure is reduced, lowering both operational and legal risk.

What Acceptance Could Look Like in Practice

Regulatory acceptance is already happening in limited contexts, and the practical next step is targeted pilots. Examples include proof of reserves with regulator-verifiable parameters, Travel Rule-compatible proofs that confirm required originator and beneficiary attributes without sharing full records with every intermediary, and client-asset segregation proofs in custodial environments.

As ZKPs become more familiar, the same primitives can extend to prudential and market-integrity controls. For example, range proofs can demonstrate concentration limits, sum proofs can confirm exposure caps, and portfolio-level proofs can show margin and risk controls remain within approved parameters without revealing underlying positions.

Importantly for law enforcement, zero knowledge does not mean opacity. A well-designed model supports selective disclosure through controlled access such as user-held viewing keys or multi-party regulatory keys, usable only under due process and fully logged, so disclosure is narrow, provable, and accountable rather than universal and “silent.”

What Regulators Could Require

To work across borders, we need standards: proof types (e.g. “not on sanctions list X as of date Y”), credential formats, and verifier logic that can be inspected. Without this, exchanges, wallets, and banks may each build their own versions, creating unnecessary complexity for supervisors.

Concretely, regulators may benefit from six things:

  1. Outcomes over data (“tell me what you proved, not everything you hold”);

  2. Least-information proofs (“prove only what is necessary for this obligation”);

  3. Programmable checks (enforced at transaction time where appropriate);

  4. Strong data-availability and exit mechanisms (users can always confirm their balances and withdraw);

  5. Verifiable verifier logic (inspections, test vectors, audit logs);

  6. No generalized backdoors (disclosure only under lawful, narrow, logged processes).

Binance already uses these primitives in our proof of reserves. Our system combines a Merkle tree, which compresses many account entries into a single cryptographic fingerprint, with zero-knowledge proofs to show customer assets are fully backed without revealing individual balances. Users can verify their own balance is included, while the proof confirms totals and prevents negative or fabricated balances – resulting in an independent, privacy-preserving verification of reserves that builds trust without compromising personal data.
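To make the Merkle-tree half of that description concrete, here is an added example (not Binance’s code) of a Merkle sum tree: every node commits to both the hash and the balance sum of its subtree, so a user holding an inclusion path can check that their account is in the published root and that the sums along the path add up to the published total, and the leaf constructor refuses negative balances. The zero-knowledge layer that hides the sibling sums and range-proves every balance is not shown; in this plain version the sibling subtree sums are revealed to the verifying user, which is exactly the leak the ZK layer removes. The hash layout, function names and the sample ledger are assumptions.

```python
import hashlib

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def _enc(n: int) -> bytes:
    return n.to_bytes(16, "big", signed=True)   # fixed width; signed so a forged negative sum still encodes

def _node(l, r):
    return _h(b"node|", l[0], _enc(l[1]), r[0], _enc(r[1])), l[1] + r[1]

EMPTY = (_h(b"empty"), 0)   # padding node for odd levels; contributes nothing to the total

def leaf(user_id: str, balance: int) -> tuple[bytes, int]:
    if balance < 0:          # a negative balance must be rejected before it can shrink the total
        raise ValueError(f"negative balance for {user_id}")
    return _h(b"leaf|", user_id.encode(), b"|", _enc(balance)), balance

def build(leaves):
    """Return (root_hash, total_liabilities, levels); each node commits to its subtree sum."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level.append(EMPTY)
        levels.append([_node(level[i], level[i + 1]) for i in range(0, len(level), 2)])
    root_hash, total = levels[-1][0]
    return root_hash, total, levels

def proof(levels, index: int):
    """Inclusion path for leaf `index`: list of (sibling_hash, sibling_sum, sibling_is_left)."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib][0], level[sib][1], sib < index))
        index //= 2
    return path

def verify(root_hash: bytes, total: int, user_id: str, balance: int, path) -> bool:
    """User-side check: my account is in the published root and the path sums add up to the total."""
    h, s = leaf(user_id, balance)
    for sh, ss, sib_left in path:
        if ss < 0:           # a negative sibling sum would let the operator understate liabilities
            return False
        h, s = _node((sh, ss), (h, s)) if sib_left else _node((h, s), (sh, ss))
    return h == root_hash and s == total

# Constructed sample ledger (not real data); the operator publishes only the root hash and total.
ACCOUNTS = [("alice", 120), ("bob", 45), ("carol", 300)]
```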

This is bigger than any one company. Done well, proof-based compliance can make oversight more precise and privacy-respecting. Getting there will require collaboration across regulators, industry, and standards bodies to align on interoperable proof standards.

Final Thoughts

Success is a compliance system where legitimacy can be proven without oversharing, delivering assurance with less disclosure. Users can demonstrate compliance with minimal disclosure; banks, VASPs, and exchanges can meet AML and Travel Rule requirements with smaller data transfers; and regulators can verify proofs through oversight infrastructure such as verifier nodes while retaining the ability to unmask bad actors under clear, narrow, lawful conditions.

As cyber risk rises, privacy laws evolve, and cross-border digital finance expands, moving from routine bulk data collection to verifiable proofs is a pragmatic upgrade to supervisory practice.

This direction aligns with Binance’s focus on building trust at scale by strengthening oversight while protecting user data. We’re ready to work with supervisors, industry, and civil society on standards-driven pilots and conformance testing so this approach is practical, auditable, and safe.

*References to EU privacy law in this op-ed reflect the framework as of November 2025; the Commission’s Digital Omnibus proposals remain subject to change through the ordinary legislative process. 

Note: We welcome evidence-based contributions from regulators, supervisors, industry practitioners, academics, subject-matter experts and standard-setting bodies. Find out more here.
