Problem
Financial institutions must verify customer identity, jurisdiction, age, and sanctions‑list status—the core of Know‑Your‑Customer (KYC) and Anti‑Money‑Laundering (AML) compliance. Today, this verification relies on full document sharing: a bank sends a customer’s passport, residence certificate, and tax ID to another bank or regulator, exposing the entire identity document.
The Privacy‑Compliance Trade‑Off
- Privacy risk – Every time a KYC document is shared, the customer’s sensitive personal data (date of birth, passport number, address) is copied and stored in another organization’s systems, multiplying breach surfaces.
- Data‑residency violations – Cross‑border transfers of full identity documents often conflict with GDPR, CCPA, and local data‑sovereignty laws.
- Self‑declared attributes are untrustworthy – A customer can claim “I am over 18” or “I am not on a sanctions list,” but without cryptographic proof, the bank cannot rely on such assertions.
- No selective disclosure – There is no standardized way to prove only that a customer is a Japanese resident over 18 and not on a sanctions list, without revealing the underlying passport number, issue date, or full name.
The Compliance Burden
- Banks spend millions on KYC utilities that still exchange full documents, because there is no alternative that satisfies both privacy and regulatory requirements.
- Regulators receive mountains of personal data they don’t need for supervision, creating unnecessary data‑protection liabilities.
- Customers lose control over their identity data after it leaves their bank; they cannot limit how it is used or who else sees it.
The Gap
Declared ≠ verified. A customer can declare they are a Japanese resident over 18, but the bank cannot verify that claim without seeing the entire passport. And even after seeing the passport, the bank cannot prove to a regulator that the claim is true without handing over the passport copy—again violating privacy.
Lemma closes this gap by enabling cryptographic selective disclosure: a customer can prove specific KYC/AML attributes (jurisdiction, age threshold, sanctions status) with a zero‑knowledge proof, revealing nothing else about their identity documents.
Scenario
The representative of mid-size manufacturer Company A opened a personal account at regional Bank B two years ago, submitting identity documents, residence certificates, tax records, employment history, and shareholder structure through rigorous procedures.
In September 2026, Company A begins opening a corporate account at City Bank C to streamline remittances from an overseas subsidiary. C requires enhanced KYC and continuous AML monitoring. The representative's personal KYC must also be completed anew with full document submission.
The representative prepares the same documents again. C independently verifies information that B has already verified. B's PII does not cross borders, but C stores duplicate PII in its internal systems, responsible for protecting it under its own mandate. In the event of a breach, the impact scope widens with each institution.
With Lemma, the flow changes.
At the point of completing the representative's KYC, B issues cryptographic proofs for each attribute. The individual stores these proofs in their proof wallet. When proceeding with the corporate account at C, the representative selectively discloses only the following attributes:
- Identity verified (Issuer: B, Date: Month X, 2024)
- Residence: Japan
- Age: Over 18
- Not on sanctions list
- Not a PEP (Politically Exposed Person)
- Source of funds legitimacy confirmed
What C receives is B's signed ZK proof and cryptographic evidence of the representative's consent. The original address, date of birth, tax amounts, and specific shareholder structure remain under B's control. Only verified attributes and their proofs enter C's internal systems.
One year later, the FSA audits C's KYC framework. Without disclosing original PII, C can prove that each attribute arrived from the authentic issuer (B), within the validity period, without tampering. The auditor independently verifies.
The customer never submits the same documents twice. B does not transfer PII across borders. C holds less data under its own responsibility. The regulator verifies the audit trail cryptographically.
Compliance is established without data sharing.
Architecture
Lemma's four cryptographic layers correspond to the KYC attribute lifecycle.
1. ENCRYPT — Sealing Originals at Issuance
Bank B encrypts the customer's KYC original data (documents, captured images, transcribed information) with AES-GCM at the point of KYC completion. Originals remain under issuer B's control. Attributes eligible for sharing are extracted from originals and converted to docHash-plus-issuer-signature form.
2. PROVE — Per-Attribute ZK Proofs
"Residence: Japan," "Age: over 18," "Not on sanctions list," "Not a PEP," "Source of funds: legitimate" — each attribute is individually proven on a ZK circuit. Independent proofs per attribute enable fine-grained disclosure control later.
3. DISCLOSE — Customer-Driven Selective Disclosure
From their proof wallet, the customer controls the disclosure recipient (financial institution, regulator, counterparty) and disclosure granularity (attribute category, specific value, proof-of-existence only). The issuer (B) signature reaches the recipient without gaps. Disclosure is executed with cryptographic evidence of the customer's consent — enabling post-hoc audit proof of agreement.
4. PROVENANCE — Permanent Issuance and Revocation History
Issuer identifier, issuance timestamp, attribute schema, and revocation status are anchored on-chain. If B updates KYC information or the customer is placed on a sanctions list, past attribute proofs are recorded as revoked. Verifiers can always independently confirm the latest status.
┌──────────────────────────────────────────────────────────┐
│ Bank B (Issuer) │
│ Verifies original data at KYC completion │
└───────────────────────┬──────────────────────────────────┘
│ KYC complete
▼
┌──────────────────────────────────────────────────────────┐
│ ENCRYPT (AES-GCM) │
│ • Encrypt original PII (documents, images, transcriptions)│
│ • Extract attributes from originals │
│ → Generate attribute proofs with docHash + issuer sig │
└───────────────────────┬──────────────────────────────────┘
│ Encrypted attribute proofs
▼
┌──────────────────────────────────────────────────────────┐
│ PROVE (ZK Circuit) │
│ Independent proofs per attribute: │
│ • Residence = Japan • Over 18 • Not on sanctions list │
│ • Not a PEP • Source of funds legitimate │
│ → Fine-grained disclosure control at verification time │
└───────────────────────┬──────────────────────────────────┘
│ Per-attribute ZK proofs
▼
┌──────────────────────────────────────────────────────────┐
│ DISCLOSE (Customer-Driven Selective Disclosure) │
│ Customer proof wallet → control recipient and granularity │
│ Disclosure includes cryptographic evidence of consent │
│ Issuer signature delivered intact to recipient │
└───────────────────────┬──────────────────────────────────┘
│ Disclosed attributes + consent evidence
▼
┌──────────────────────────────────────────────────────────┐
│ PROVENANCE (On-chain) │
│ Issuer identifier / issuance timestamp / attribute schema │
│ / revocation status │
│ → Revocation recorded on update / sanctions listing │
│ → Verifiers always confirm latest status independently │
└──────────────────────────────────────────────────────────┘Proven Facts
Lemma cryptographically guarantees the following facts in KYC/AML selective disclosure:
- Attribute issuer (financial institution name) and issuance timestamp
- Authenticity of each attribute category (residence, age, sanctions list, PEP, source of funds, occupation, etc.)
- Cryptographic evidence of the customer's disclosure consent
- Non-disclosure of original data — absence of PII cross-border transfer
- Real-time reflection of revocation and update status
- Independent verifiability by regulatory authorities
- Cross-institutional audit trail
Ready to prove?
Talk to us about your use case. We respond within one business day.