The ZK math works, but it ain’t enough
Privacy tech can reignite decentralized, self-sovereign, open infrastructure to challenge incumbents in finance.
Could 2026 be the year fintech disrupters once again challenge financial incumbents? After all, we recently asserted 2025 was the year “TradFi struck back”, meaning financial institutions came to embrace the core ideas of assets that are digitally native, programmable, able to settle 24/7, and composable. This was evident in their embrace of stablecoins and tokenization. If disruption is to mean anything, it might have to start with privacy.
Against a backdrop of flagging bitcoin, Trumpian corruption, ever-more powerful internet monopolies, and crypto legislation that seems built for incumbents, the utopian ideas of Web3 look, well, like a dream. The movement for a decentralized, user-centric internet that shifts control from large corporations to individuals using blockchain technology seems at best like naive rhetoric and at worst like cynical misdirection while giant tech companies build new monopolistic chokepoints and extractive protocols.
The tenets of Web3, though, are admirable. And the tools to make it happen, particularly in the balance between privacy and transparency, are well developed. They are slowly making their way into production outside of pure crypto businesses. This offers hope that the fintech insurgency that began in 2008 (the year of the GFC, the iPhone, and bitcoin) has not been totally coopted.
Privacy and transparency may become the next arena. In the blockchain world, this means a fight over zero-knowledge proofs (ZKPs). They promise to replace institutional trust with mathematically guaranteed computation. But attempts to turn ZKPs into commercial models face headwinds.
Vitalik Buterin last year began to campaign for Ethereum, the blockchain he co-founded, to return to its cypherpunk roots by emphasizing stronger privacy, real decentralization, and user self-sovereignty. Crypto is dominated by centralized exchanges that make a mockery of these values – they’re just banks without regulatory protections – so Buterin is pushing a privacy toolkit for Ethereum wallets called Kohaku. It would make user-friendly privacy a core feature, not an afterthought.
ZKPs
More generally, entrepreneurs are extending ZKPs beyond their original narrow use cases. (And ZKPs are one of the tools in Kohaku.) What, then, are these things, and what makes them so dangerous to incumbent powers?
Zero-knowledge proofs are usually explained as a privacy technology that discloses a fact (say, an identity, or a qualification) without revealing the underlying information. I can prove I’m an accredited investor without showing you my bank account, for example.
This shorthand is not accurate, though. A better framing is to describe ZKPs as a way to prove that a specific, publicly known computation was carried out correctly, that is, it followed the agreed algorithm (such as A+B, not A-B or A/B) and produced the claimed result, without having to reveal the inputs (what A or B is). Three properties make that useful: an honest prover can always convince the verifier (completeness); a prover who lacks the inputs, or ran a different computation, cannot produce an accepting proof except with negligible probability (soundness); and the verifier learns nothing beyond the fact that the claim holds (zero knowledge).
This is radical because it skips around the processes of conventional IT architecture. Our IT is based on client/server models, in which data runs through the server of an intermediary (a bank, a tax authority, Google): you are delegating trust to their (black-box) process, because the institution can’t take your word for whatever you claim about your information. Or you delegate it to a distributed ledger, but then every transaction is public: the addresses and amounts are there for anyone to see and, with enough effort, to link back to who is moving what.
ZKPs instead shift that trust to a public verification algorithm, one whose only output is accept or reject, together with the published circuit that encodes the computation (and, for some proof systems, the parameters produced by a trusted setup). Dependency on institutional assurances becomes a formally checkable proof that a particular transformation on the data really occurred.
This is a powerful shift, although it creates new risks – but one thing at a time.
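To make the definition above concrete, here is an added example, written for this page rather than taken from the article or from any toolkit it mentions: a Schnorr proof of knowledge of a discrete logarithm, made non-interactive with the Fiat-Shamir transform. The statement is "I know x such that g^x = y mod p". The verifier checks one equation and learns nothing about x; a proof from the wrong witness fails; a proof is bound to a context string so it cannot be replayed to a different verifier; and the simulator shows the zero-knowledge property directly, by producing a transcript that satisfies the verification equation without ever touching x. The group parameters (a 63-bit safe prime found at import time, generator 4) are constructed here so the file runs offline; they are an assumption for illustration, and a real deployment uses a standardized 2048-bit-plus group or an elliptic curve.

```python
# Added example, not from the article or from any ZK toolkit it mentions.
# Schnorr proof of knowledge of x with g^x = y (mod p), non-interactive via
# Fiat-Shamir. Group: the order-q subgroup of Z_p^* for a safe prime p = 2q+1,
# found deterministically at import time (constructed parameters; assumption).
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < ~3.3e24


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic at the sizes used here)."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> tuple[int, int]:
    """Smallest q >= start with q and p = 2q + 1 both prime; returns (p, q)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(1 << 62)   # constructed toy parameters (assumption)
G = 4  # a square mod p, so it lies in the order-q subgroup; 4 != 1, so its order is q


def keygen() -> tuple[int, int]:
    """Private witness x and public statement y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(y: int, t: int, ctx: bytes) -> int:
    """Fiat-Shamir challenge: hash of group, statement, commitment and context."""
    h = hashlib.sha256()
    for v in (P, Q, G, y, t):
        h.update(v.to_bytes(16, "big"))
    h.update(ctx)
    return int.from_bytes(h.digest(), "big") % Q


def prove(x: int, y: int, ctx: bytes = b"") -> tuple[int, int]:
    """Prover: commit to a fresh nonce k, derive the challenge, answer s = k + c*x."""
    k = secrets.randbelow(Q - 1) + 1   # must be fresh: reusing k across proofs leaks x
    t = pow(G, k, P)
    c = challenge(y, t, ctx)
    s = (k + c * x) % Q
    return t, s


def verify(y: int, proof: tuple[int, int], ctx: bytes = b"") -> bool:
    """Verifier: recompute c from the transcript and check g^s == t * y^c (mod p)."""
    t, s = proof
    if not (1 < y < P and 1 < t < P and 0 <= s < Q):
        return False                       # reject degenerate or out-of-range values
    if pow(y, Q, P) != 1 or pow(t, Q, P) != 1:
        return False                       # y and t must lie in the order-q subgroup
    c = challenge(y, t, ctx)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def interactive_check(y: int, t: int, c: int, s: int) -> bool:
    """The bare sigma-protocol equation, with the challenge supplied from outside."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def simulate(y: int) -> tuple[int, int, int]:
    """Zero knowledge made visible: a transcript (t, c, s) satisfying the verification
    equation, produced without x by picking c and s first and solving t = g^s * y^(-c).
    It passes interactive_check but is not a valid Fiat-Shamir proof, since c was not
    derived from t; an interactive verifier cannot tell it from a real run."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P   # y^(-c) == y^(q-c) because y has order q
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    proof = prove(x, y, ctx=b"verifier-nonce-1")
    print("honest proof verifies:        ", verify(y, proof, ctx=b"verifier-nonce-1"))
    print("same proof, other context:    ", verify(y, proof, ctx=b"verifier-nonce-2"))
    print("proof from wrong witness:     ", verify(y, prove((x + 1) % Q, y)))
    t, c, s = simulate(y)
    print("simulated, interactive check: ", interactive_check(y, t, c, s))
    print("simulated, Fiat-Shamir check: ", verify(y, (t, s)))
```

The context string is the part a fintech would fill with a verifier identity and a nonce: without it, a proof issued to one counterparty is a reusable token that any other counterparty would also accept. The subgroup checks in verify are the sort of thing production libraries do for you and hand-rolled code forgets; omitting them lets a malicious prover submit elements outside the intended group.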
Open finance
The big unlock in financial services isn’t stablecoins and all that: tokenization is powerful but niche. The big unlock is open finance. ZKPs make it possible to move the computation of proofs to the client (user)’s own device: your smartphone or other ‘edge’ device that lets you affirm you qualify, you hold a threshold of assets, you are not an EU citizen, whatever.
The reason the data that underpins these claims can be trusted is because it doesn’t come from you: it comes from your bank, or your government authority such as the tax department or the pensions authority. These institutions never send raw data to a third party. The user fetches their own data over the institution’s ordinary authenticated web session, and the proof is built on the client’s device; what the proof carries is evidence that the data came from that institution’s server, not the data itself.
Imagine open financial services if siloed credentials can bypass data brokers or even the need for APIs (connective tissue between software), and turn your data (such as info from your bank account) into reusable ZK attestations that any other party could verify.
This would enable instant onboarding, composable risk scoring, cross-platform loyalty, and open-banking analytics. The question isn’t whether intermediaries are willing to share the data. That’s actually no longer in their control. Rather, it’s whether financial institutions, auditors, and regulators will accept a mathematical proof instead of the usual, notarized paperwork.
Truly transparent
Why can’t intermediaries refuse to share customer data? After all, in current open-banking frameworks, banks have the power to say no. They decide who counts as an authorized third-party provider (TPP), and then build lots of expensive, cumbersome API channels to those TPPs or among each other.
But this kind of ZKP tech relies on the fundamental openness of internet architecture. Websites are “locked” by Transport Layer Security, or TLS, the cryptographic protocol that encrypts data between your browser and the website, and authenticates that you are talking to your bank and not an impostor. It does this via a “cryptographic handshake” in which browser and server agree on algorithms, the browser verifies the server’s certificate, and both sides derive shared symmetric session keys.
Virtually every website uses TLS. This means anyone logging on to the website of their bank, tax authority, or Google gets a secure, authenticated channel to that institution’s server, and a stream of structured data (pages, statements, balances) that their own device can see and process locally.
A ZKP system sitting on your device can “wrap” this TLS session: the user fetches their own data over the existing secure channel, runs a local computation (eg, “my total balance across my accounts is at least X$”), and generates a proof about the result without exposing the raw data. The catch, and the reason this is harder than a browser plug-in, is that TLS session keys are symmetric: your device holds the same keys as the server, so a TLS transcript on its own proves nothing to a third party, because the client could have written it. The schemes that do this in practice therefore split the session secrets with a notary, or run the session inside a multi-party computation, so that the client cannot forge the server’s responses; the ZK layer then keeps the raw data hidden from that notary as well. Anyone accepting such a proof is trusting that the notary did not collude with the user, and a bank’s risk team will ask exactly that.
This is deployed technology and, short of denying customers a web login, there’s nothing your bank or other provider can do to block it outright. (A very few tech companies such as Amazon can blunt it by rendering the data out of date: their cloud-based architecture lets them regenerate their entire website surface every minute or so, rather than every few months, so the proof can’t attest that the “wrapped” data it captured is still current.)
Accepted or anathema
The hurdle is getting other entities to accept your credential, not creating it. Inertia and a general hatred of losing control over data means banks and big corporations aren’t in a hurry to accommodate ZKPs.
Moreover, banks do have legitimate concerns about ZKPs.
Just because Web3 is about self-sovereignty doesn’t mean it can operate in a legal or institutional bubble. Yes, data can be gathered and computations proved. But law tends to attach responsibility to entities: wallet teams, custodians, banks, infrastructure operators. It does not attach to protocols or processes. In other words, regulation may require KYC, but it doesn’t spell out how one handles these checks.
This leads to two problems. One is that ZK proof issuers (the fintechs that offer ZK proofs to customers) become interpreters of what counts as a valid identity or a clean fund. So users have to undertake serious due diligence into these companies.
Second, we must ask if we are simply shifting power from all-seeing intermediaries like custodians to all-seeing proof protocols – which leads to questions about who decides what data can be revealed or hidden, and whether regulators, or the public, or counterparties, get a say. Who chooses the circuits? Who whitelists or standardizes acceptable proofs?
What to a user seems like a magic bullet to control and protect their data could be the handing of power to an even blacker box.
(Regulators could also be the ones guilty of complacency: ZKPs can be efficient compliance tools but if the regulation itself is muddled about the nature of the data it wants to protect, then we’d just build garbage-in, garbage-out systems.)
Boiling the ocean
More prosaically, as many a fintech has learned the hard way, it’s damned difficult to get institutions (let alone an industry) to change historic operational processes. Imagine explaining to a credit officer or a bank regulator that “We rely on circuit-specific soundness, bound under these cryptographic assumptions.” They’re probably going to just say, “Show me the notary’s seal.”
This is also true even in the crypto space: Kohaku’s privacy mechanisms mean re-thinking how exchanges, DeFi protocols, and analytics vendors handle source-of-funds checks. This is not just changing code. It’s a massive coordination problem.
In effect, there is a trust gap between “the math works” and “the market and regulators treat the math as a valid substitute for the old paperwork and surveillance”.
Big benefits
The rewards, though, are also significant: re-use of selective identity or credential proofs supports faster onboarding and cross-platform accreditation for lending, insurance, and wealth management, particularly when enabled on tokenization or DeFi platforms and turbocharged by agentic AI.
It’s also a boon to firms that need to modernize their risk models without handing data to third-party vendors: banks don’t need to authorize TPPs or build lots of expensive API connectivity.
Third, ZKPs look like a good model should quantum computers disrupt existing cryptography. Quantum computing is likely to upend long-dated guarantees of privacy or integrity: data that is encrypted today can be harvested now and decrypted later, and institutions risk having today’s archived data files read once such machines arrive. ZKPs allow proofs to be re-issued on a regular, short-term basis, so a proof captured today and attacked by a quantum computer tomorrow is not a trove of identity data. Two caveats belong here. The zero-knowledge property and the soundness of a proof system rest on different assumptions, and the soundness of the pairing-based SNARKs most widely deployed today depends on elliptic-curve problems that a large quantum computer would break, whereas hash-based proof systems such as STARKs are believed to resist it. A migration plan has to choose its proof system accordingly, not assume that “ZK” means “post-quantum”.
For founders looking to build new financial business models, and for incumbents looking to future-proof their systems, ZKPs should be part of the toolbox, along with updates to governance, legal engineering, and market incentives. In other words, these need to be designed for institutional adoption, not just because the cryptography is cool. Relying on open standards and a clear audit trail, rather than a black box, is both commercially sensible as well as a way to ensure that the tool-makers don’t become new chokepoints.
A final word: incumbents are unlikely to favor ZKPs. In the arguments around privacy and transparency, they want their privacy and your transparency. It’s just the way they’re built. Techno-capitalism has become a paragon of oligopoly and even monopoly. One way for society to combat such overweening power is nationalization and heavy government intervention. Another way is to engender competition. But big banks and big tech companies work hard to squash anti-trust measures: even when US anti-trust regulators sue these companies, the courts are unlikely to endorse breaking them up, while big companies find plenty of loopholes to avoid European Union rules.
Well, if top-down pressure doesn’t work, then we need to re-energize bottom-up movements. Fintech can still play that role, if the commercial incentives line up.