Despite the preferences of data protection fundamentalists for minimal disclosure, disclosure obligations are legally required in several areas with the aim of protecting the integrity of the financial system and ensuring legal and ethical conduct. These include Know Your Customer (KYC) processes, beneficial ownership reporting, sanctions compliance, and tax reporting. Increasingly, individuals and entities face the complex task of balancing these legal obligations with growing demands for data privacy and confidentiality. At the same time, privacy-enhancing technologies (PETs) introduce new complexity, as they can obscure transaction flows or organizational structures, potentially hindering transparency. Privacy laws, which vary across jurisdictions but increasingly reflect global principles, establish the boundaries for how personal data can be collected, used, and shared, aiming to protect individual rights while enabling responsible data flows across borders.
In the following, we will discuss whether and how privacy-enhancing technologies, in particular Zero-Knowledge Proofs (ZKPs), can challenge, reinforce, or redefine these disclosure obligations.
Examples of Legal Disclosure Obligations
Legal disclosure obligations exist in various areas. With the intent to combat money laundering and terrorism financing, most countries require domestic companies to disclose their beneficial owners, that is, the natural persons who ultimately own or control a legal entity. For example, the U.S. Corporate Transparency Act (CTA), enacted in January 2021 as part of the National Defense Authorization Act for Fiscal Year 2021, requires reporting companies doing business in the United States to report their beneficial ownership information to FinCEN (the scope of that requirement has since been narrowed by FinCEN rulemaking in 2025). Similarly, in the European Union (EU), the Fourth Anti-Money Laundering Directive (Directive (EU) 2015/849, AMLD IV) requires EU member states to set up central registers of beneficial ownership (for example, Germany’s Transparenzregister) to which legal entities must identify and report their beneficial owners.
Under anti-money laundering (AML) and counter-terrorist financing (CTF) rules, banks and other financial intermediaries, as well as lawyers and notaries, are required to verify the identity of their clients through the KYC process. Additionally, they must assess the source of their clients’ funds and report any suspicious activities to the relevant authorities, typically the national financial intelligence unit.
International organizations such as the United Nations and the EU, along with national authorities like the U.S. Treasury’s Office of Foreign Assets Control (OFAC), issue sanctions with the aim of upholding national and international law, preventing international crises, supporting conflict resolution, fighting terrorism, addressing the proliferation of weapons, and holding human rights violators accountable. While sanctions are not universally supported from a political standpoint, they nonetheless carry legal force. This means private and corporate actors must operate within these requirements and ensure they do not engage in activities that breach economic or trade sanctions. Sanctions compliance involves screening counterparties, monitoring transactions, enforcing internal policies, reporting violations, maintaining records for legal compliance, and avoiding dealings with sanctioned parties. These processes inherently involve the collection, processing, and disclosure of sensitive data.
Tax reporting and financial transparency require individuals and entities to report financial data, ownership structures, and cross-border transactions to tax and regulatory authorities. These disclosure obligations, based on frameworks like the Foreign Account Tax Compliance Act (FATCA), the OECD’s Common Reporting Standard (CRS), and the EU Anti-Money Laundering Directives, aim to combat tax evasion, strengthen financial transparency, and support fair taxation.
Privacy Technologies Create Tension
These disclosure obligations are challenged by PETs, which are designed to protect users’ data and identities by limiting the amount of information disclosed during digital interactions, particularly in financial or blockchain systems.
For example, Zcash, a privacy-focused cryptocurrency, uses a type of zero-knowledge proof called a zk-SNARK to enable shielded transactions, which conceal the sender, receiver, and amount while still allowing the network to verify that each transaction is valid (no double spending, inputs and outputs balance). Zcash is designed to provide strong privacy for its users through shielded transactions while also incorporating features for selective disclosure, such as viewing keys, which allow a participant to reveal the details of their own transactions to an auditor or authority when required to meet legal and regulatory obligations.
Traditional compliance frameworks rely on the presence of identifiable entities and clear lines of control. Such structures make it easier for regulators to assign responsibility, monitor activities, and enforce laws through established oversight mechanisms. These assumptions are fundamentally challenged by Decentralized Autonomous Organizations (DAOs), which are blockchain-based governance structures that operate through smart contracts, enabling participants to coordinate and make decisions without centralized control. DAOs aim to make participation more accessible and increase efficiency through automation. However, their participants are often pseudonymous, making it difficult to identify beneficial owners or responsible parties and thus complicating enforcement of disclosure and compliance obligations. Some jurisdictions, such as Wyoming (USA), the Marshall Islands, and Switzerland, offer DAOs some legal protections, often through forms of entity registration. However, legal recognition only defines a DAO’s status as an entity; it does not exempt the DAO from the broader regulatory obligations that apply to all organizations (for example, tax and securities laws).
The Potential of Zero-Knowledge Proofs
ZKPs have the potential to balance disclosure and privacy by allowing entities to prove compliance or reveal specific facts to regulators without exposing unrelated or sensitive information. When properly applied, they can enable a party to prove a statement is true without revealing the underlying data.
Our ZKAPs Whitepaper details how Zero-Knowledge Access Passes (ZKAPs) might help to anonymize payments by disconnecting payment data from personal data: instead of tying a payment to an identified account, users receive anonymous tokens (ZKAPs) in exchange for payment. With the help of a trusted Zero-Knowledge (ZK) provider that issues a credential attesting to specific verified attributes, individuals or entities could present proof to third parties (such as auditors or authorities) to demonstrate eligibility or compliance without revealing personal information. This could be an approach to ensure compliance without full disclosure.
Instead of exposing a person’s birth date or full identity, ZKPs could be used as proof that a person is over the age of 18, holds a certain nationality, or resides in a jurisdiction not subject to sanctions. ZKPs could also demonstrate that a person holds a specific role, such as a CEO, or that they have signing authority, without revealing their identity or any other sensitive details.
Additionally, without revealing individual users or transactions, ZKPs could enable individuals or entities to demonstrate that they have conducted required AML checks, such as sanctions screening or risk scoring. This preserves privacy and minimizes data exposure.
Similarly, ZKPs could be used to prove compliance with beneficial ownership disclosure obligations without exposing the identities or ownership percentages of a company’s stakeholders. For example, if a trusted provider were to issue ZK credentials to verified beneficial owners, a company could generate a ZKP demonstrating that all owners above the regulatory threshold (for example, 25%) have been disclosed and that none are sanctioned, without revealing any sensitive information. Viewing or disclosure keys could be escrowed for regulatory access if legally required.
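As an added illustration of the kind of proof the preceding three paragraphs describe (this is example code written for this page, not code from the original post or from any Least Authority product), the following Python commits to a hidden attribute with a Pedersen commitment and then proves, with a Schnorr-style OR-proof made non-interactive via Fiat-Shamir, that the committed value lies in an allowed set (here: ages 18 and above) without revealing the value or its position in the set. Two assumptions are built in and labelled in the code: the group parameters are toy 160-bit values generated deterministically at import time for reproducibility (a real deployment would use a standardized group or an elliptic curve), and the commitment is assumed to have been issued and signed by a trusted credential provider, as in the scenario above. Without that issuer binding the holder could commit to any value, so the verifier below checks only the mathematical statement and a real verifier must additionally check the issuer’s signature on the commitment.

```python
# Added example (not from the original post): prove a committed attribute lies in an
# allowed set without revealing it. Pedersen commitment + Schnorr OR-proof (Fiat-Shamir).
# Toy 160-bit group generated deterministically at import; illustrative, not production.
import hashlib
import random
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def _is_probable_prime(n, rng, rounds=24):
    """Trial division followed by Miller-Rabin; `rng` supplies the witnesses."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits, rng):
    """Find p = 2q + 1 with p and q both prime (deterministic for a seeded rng)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


# Toy group (assumption): P = 2Q + 1; proof values live in the order-Q subgroup of squares.
P, Q = _safe_prime(160, random.Random(2024))  # fixed seed keeps the example reproducible
G = 4  # 2^2 is a quadratic residue and so generates the order-Q subgroup
# Second generator whose discrete log relative to G nobody knows (hash to group, then square).
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % P, 2, P)
assert H not in (0, 1)


def commit(value, blinding=None):
    """Pedersen commitment C = G^value * H^blinding mod P. Returns (C, blinding).

    In the compliance scenario a trusted issuer would sign C as part of a credential;
    that signature check is assumed to happen outside this example."""
    if blinding is None:
        blinding = secrets.randbelow(Q)
    return pow(G, value, P) * pow(H, blinding, P) % P, blinding


def _challenge(commitment, allowed, announcements):
    """Fiat-Shamir challenge binding group, commitment, allowed set and announcements."""
    parts = [P, G, H, commitment, len(allowed), *allowed, *announcements]
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def prove_membership(commitment, value, blinding, allowed):
    """OR-proof that `commitment` opens to some element of `allowed`, hiding which one."""
    if value not in allowed:
        raise ValueError("value is not in the allowed set; no valid proof exists")
    idx, n = allowed.index(value), len(allowed)
    cs, zs, anns = [0] * n, [0] * n, [0] * n
    for j, v in enumerate(allowed):
        if j == idx:
            continue  # the true branch is completed once the challenge is fixed
        y = commitment * pow(G, -v, P) % P  # C / G^v; equals H^blinding only for the true v
        cs[j], zs[j] = secrets.randbelow(Q), secrets.randbelow(Q)
        anns[j] = pow(H, zs[j], P) * pow(y, -cs[j], P) % P  # simulated transcript
    k = secrets.randbelow(Q)
    anns[idx] = pow(H, k, P)  # honest Schnorr announcement for the true branch
    c = _challenge(commitment, allowed, anns)
    cs[idx] = (c - sum(cs)) % Q  # sub-challenges must add up to the hash challenge
    zs[idx] = (k + cs[idx] * blinding) % Q
    return {"allowed": list(allowed), "c": cs, "z": zs}


def verify_membership(commitment, proof):
    """Recompute every announcement and check that the sub-challenges sum to the hash."""
    allowed, cs, zs = proof["allowed"], proof["c"], proof["z"]
    if not (len(allowed) == len(cs) == len(zs)) or not 1 < commitment < P:
        return False
    if any(not 0 <= x < Q for x in cs + zs):
        return False
    anns = [pow(H, z, P) * pow(commitment * pow(G, -v, P) % P, -c, P) % P
            for v, c, z in zip(allowed, cs, zs)]
    return _challenge(commitment, allowed, anns) == sum(cs) % Q


def demo_age_check():
    """Holder aged 42 proves 'at least 18' (allowed ages 18..120) without revealing 42."""
    adult_ages = list(range(18, 121))
    c, r = commit(42)
    proof = prove_membership(c, 42, r, adult_ages)
    c_minor, _ = commit(16)  # the same proof must not transfer to another commitment
    return verify_membership(c, proof), verify_membership(c_minor, proof)
```

The same `prove_membership` call serves the other predicates in the text: passing a list of non-sanctioned country codes (encoded as integers) proves residence in an allowed jurisdiction, and a list of permitted role identifiers proves that the holder has, say, signing authority. The verifier learns only that the hidden value is in the list; it cannot tell which entry, and a holder whose value is outside the list cannot produce a proof at all. The cost is linear in the size of the list, which is why production systems reach for dedicated range proofs or accumulators for large sets, and why the commitment must be anchored to an issuer-signed credential before any of this says anything about the real world.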
Thus, ZKPs offer cryptographic guarantees that enable selective disclosure, potentially allowing compliance without compromising privacy.
Emerging Solutions and Approaches
In legal and regulatory contexts, where privacy and confidentiality must still be balanced with verifiability and compliance, ZKPs, along with other privacy-enhancing and cryptographic techniques, can play a valuable role. A number of practical tools already exist, including:
- zkKYC, a proposed ZK-based KYC design in which a service receives only cryptographic attestations about a user, not the underlying identity documents.
- zkKYC implementations such as Polygon ID, zkMe, and RISC Zero demos use ZKPs to let users prove compliance with anti-money laundering rules without revealing their full transaction history or personal data. While these tools could potentially integrate with compliance layers, mainstream regulators have not yet formally recognized ZK credentials as sufficient on their own.
- Privacy-preserving decentralized identity frameworks, built on Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), and ZKPs, which enable users to prove specific facts about their identity (such as age or a qualification) without revealing the rest of the credential.
However, these tools can only be used effectively in the legal world if they are formally recognized by legislators and regulators, who are still learning to trust cryptographic proofs in place of human-readable records. Until standardized certifications and legal mechanisms are established, and as long as authorities continue to require auditable, understandable evidence, adoption of ZKPs and other advanced cryptographic techniques for compliance remains a challenge. As mentioned earlier, it is a positive sign that some countries have begun developing legal frameworks for DAOs.
A recent example is the EU Digital Identity Wallet, a user-controlled digital wallet being rolled out across EU Member States. It aims to enable EU citizens, residents, and businesses to securely store, manage, and share digital identity credentials and electronic documents. The wallet is specified to include data minimization features, in particular the selective disclosure of individual attributes, and the revised regulation calls for the use of zero-knowledge techniques where available. The legal framework is the eIDAS Regulation (Regulation (EU) No 910/2014), amended in April 2024 by Regulation (EU) 2024/1183 to formally introduce the wallet. EU Member States are expected to offer at least one certified official wallet by the end of 2026.
These examples demonstrate that privacy-preserving technologies do not automatically conflict with legal disclosure obligations, but they may call for a redesign of the existing compliance models. The aim should be for individuals and organizations to disclose only what is absolutely necessary, and only to a trusted party, without revealing anything beyond what is required to establish proof. This approach aligns with the Principle of Least Authority (POLA), also known in information security as the principle of least privilege or minimal privilege, from which our company name is derived. As a core security best practice, it dictates that each system component should be granted only the minimum access or authority necessary to perform its intended function, and no more. Although advanced cryptographic techniques are increasingly being integrated into a variety of solutions, the full scope of their impacts and the corresponding changes required in our legal systems remain uncertain. Ongoing research into privacy-enhancing technologies is poised to drive further breakthroughs that could revolutionize how trust, compliance, and confidentiality are achieved in the digital era.
Least Authority contributes to this progress by developing, auditing, and advocating for secure, privacy-respecting systems that align technological innovation with our principles.
How We Can Help
This is where cryptography can help reshape how legal requirements are met, and where our security consulting expertise comes in. We design systems that uphold users’ rights while supporting regulatory compliance. Explore our audits and blog posts to see how we have applied these principles in our zero-knowledge work.