My Crypto News AI

Banks Face a Paradox: How to Keep Tokenized Deposits Private and Compliant at Once

Banks are caught between two conflicting demands: regulators require visibility into customer transactions for compliance, while customers and competitors demand privacy to protect sensitive financial data. This tension is reshaping how financial institutions approach tokenized deposits, which McKinsey estimates already facilitate more than $4 trillion in annual transfers, far exceeding stablecoin payment volumes.

Unlike cryptocurrency-native assets, tokenized deposits represent regulated customer relationships. A bank cannot simply make them transparent to all network participants, nor can it make them completely opaque. The real challenge is designing systems that provide selective privacy, allowing regulators and auditors to see what they need while keeping customer information confidential from competitors and the general public.

What Compliance Rules Apply to Tokenized Deposits?

Tokenized deposits will follow the same core regulatory framework as traditional bank deposits because the underlying asset class does not change. Banks must continue meeting compliance obligations that have governed deposits for decades, including Know Your Customer (KYC) verification, ongoing Customer Due Diligence (CDD), transaction monitoring, and sanctions screening.

The regulatory landscape includes several key requirements:

  • Know Your Customer (KYC): Banks must legally verify the identity, date of birth, address, and legal status of every individual or corporate entity opening a deposit account.
  • Customer Due Diligence (CDD): Ongoing monitoring to understand the source of a depositor's wealth, with Enhanced Due Diligence (EDD) required for higher-risk customers such as politically exposed persons (PEPs), high-net-worth clients, and cross-border companies.
  • Transaction Monitoring and Suspicious Activity Reports (SARs): Automated systems must scan all inbound and outbound deposit movements for anomalies, with unusual activity triggering mandatory confidential reports to financial intelligence units such as FinCEN in the United States.
  • Sanctions Screening: Every transaction must be screened against sanctions lists such as the US OFAC Specially Designated Nationals (SDN) list and the UN Security Council consolidated list, to prevent tokens from moving to or from sanctioned persons, entities, or jurisdictions.
  • FATF Travel Rule: For electronic funds transfers, the originating bank must securely transmit specific customer identity data, such as name, account number, and address, alongside the payment to the receiving bank.

Beyond AML and sanctions requirements, banks face data privacy obligations under regulations like GDPR, GLBA, and CCPA. These rules restrict how personal information is collected, used, and stored. Banks should avoid putting raw personally identifiable information (PII) such as tax IDs or KYC documents on-chain, instead using hashes, credentials, commitments, or zero-knowledge proofs (ZK proofs) that allow verification without exposing sensitive data. A bare hash is not enough for low-entropy values such as a tax ID or a date of birth: anyone can enumerate the value space and match the hash, so the commitment must include a secret salt that is revealed only to the party entitled to see the underlying value.

Why Are Banks So Concerned About Privacy and Compliance?

The tension between blockchain design and banking design creates multiple pressure points. Standard blockchains make wallet balances and transaction histories public, so uploading deposit data to a shared ledger as-is can trigger immediate compliance failures and multi-million dollar fines.

Corporate clients present another challenge. Corporations will not use a payment system that broadcasts their financial movements to competitors. Full visibility in public chains would allow rivals to see corporate payroll, supplier payouts, and merger activity in real time. If enterprise clients refuse to adopt the platform because of this transparency, it will permanently cap deposit volume at retail levels.

Public financial trails also create security risks. When large capital movements are visible before final settlement, arbitrageurs can front-run trades, causing institutions to face slippage and financial losses. This would destroy trust in the tokenized ecosystem. Additionally, regulators will veto any un-auditable, completely anonymous financial system, since purely private networks cannot fulfill anti-money laundering (AML) or Counter-Terrorism Financing (CTF) obligations.

How Can Banks Enable Selective Privacy and Compliance?

Banks have two primary approaches to solving this paradox, and many institutions will likely need both. The first is to choose a blockchain architecture that already provides the right level of control, privacy, and interoperability. The second is to add a modular privacy layer that sits between the banking application layer and the blockchain layer.

The market is moving toward three main corporate blockchain structures for tokenized deposit networks. Some banks are joining or building on third-party institutional networks such as Canton, Rayls, Midnight, Hyli, and Provenance. Canton is a privacy-enabled, interoperable network for institutional applications and tokenized assets. Rayls positions itself as blockchain infrastructure for banks, real-world assets (RWAs), central bank digital currencies (CBDCs), cross-border payments, and regulated liquidity. Both operate as public chains with public nodes.

Other networks emphasize privacy-preserving design. Midnight focuses on privacy-preserving applications with selective disclosure and zero-knowledge proofs, which allow verification of information without revealing the underlying data. Hyli describes itself as a privacy layer for private and compliant financial applications.

The challenge of interoperability remains significant. As noted in the Deposit Tokens report by Oliver Wyman and Onyx by J.P. Morgan, achieving economic fungibility among deposit tokens requires sufficient technical interoperability to enable actual exchange between different forms of money. Technical interoperability will most likely occur between an issuing bank's deposit tokens and its non-tokenized deposits, as a bank would naturally integrate its redemption process with its core banking system. The challenges of interoperability will be most pronounced in the exchange of tokens with different issuers or the redemption of tokens for non-tokenized money by a bank that is not the original issuer.

Steps Banks Are Taking to Balance Privacy and Compliance

  • Data Minimization On-Chain: Banks keep personally identifiable information off-chain and put only hashes, credentials, commitments, or zero-knowledge proofs on-chain, reducing the risk of privacy violations while maintaining auditability.
  • Permissioned or Semi-Permissioned Networks: Regulated finance is moving toward networks that restrict who can join, gate users, limit validators, and enforce governance, providing more control than fully public blockchains while maintaining some degree of decentralization.
  • Modular Privacy Layers: Banks can add privacy infrastructure on top of existing blockchain layers, allowing them to choose their underlying chain architecture while adding selective disclosure capabilities tailored to their compliance needs.
  • Zero-Knowledge Proof Integration: ZK proofs enable banks to prove that transactions comply with regulations without exposing the underlying transaction details to all network participants, satisfying both privacy and compliance requirements.

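The data-minimization step above (keep PII off-chain, anchor only commitments, disclose selectively to an auditor) is concrete enough to show in code. The following is an added example, not code from the article or from any of the networks it names; it uses only Python's standard library and assumes a hypothetical per-customer KYC record constructed inline. Each field gets its own salted SHA-256 commitment, the bank anchors one root on-chain, and a regulator later receives only the fields it is entitled to, together with the salts needed to check them against that root. The last two functions show why the salt matters: an unsalted hash of a date of birth is inverted simply by enumerating every plausible date.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta

# Constructed sample KYC record for illustration only; not real customer data.
CUSTOMER = {
    "name": "Example Holdings Ltd",
    "tax_id": "12-3456789",
    "date_of_birth": "1975-03-14",
    "address": "1 Sample Street, Exampletown",
    "jurisdiction": "US",
}


def field_commitment(field: str, value: str, salt: bytes) -> str:
    """Salted hash of one field. The field name is part of the preimage so an
    opening for 'address' cannot be replayed as an opening for 'tax_id'."""
    payload = json.dumps([field, value], separators=(",", ":")).encode()
    return hashlib.sha256(salt + payload).hexdigest()


def root_of(leaves: dict) -> str:
    """The single value anchored on-chain, computed over the per-field commitments
    in canonical (sorted) order so every party derives the same root."""
    canon = json.dumps(sorted(leaves.items()), separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def commit_record(record: dict):
    """Returns (on_chain_root, off_chain_opening). Only the root leaves the bank;
    the record, the salts and the per-field commitments stay in the KYC store."""
    salts = {f: secrets.token_bytes(32) for f in record}
    leaves = {f: field_commitment(f, record[f], salts[f]) for f in record}
    opening = {"record": dict(record), "salts": salts, "leaves": leaves}
    return root_of(leaves), opening


def make_disclosure(opening: dict, fields) -> dict:
    """Package for an auditor: all per-field commitments (which reveal nothing
    on their own) plus value and salt for exactly the requested fields."""
    return {
        "leaves": dict(opening["leaves"]),
        "revealed": {
            f: {"value": opening["record"][f], "salt": opening["salts"][f].hex()}
            for f in fields
        },
    }


def verify_disclosure(on_chain_root: str, disclosure: dict) -> bool:
    """Auditor side: tie the disclosure to the on-chain root, then check that
    each revealed (value, salt) pair opens its commitment."""
    if not hmac.compare_digest(root_of(disclosure["leaves"]), on_chain_root):
        return False
    for field, d in disclosure["revealed"].items():
        leaf = disclosure["leaves"].get(field)
        if leaf is None:
            return False
        recomputed = field_commitment(field, d["value"], bytes.fromhex(d["salt"]))
        if not hmac.compare_digest(recomputed, leaf):
            return False
    return True


def all_dates(start_year: int = 1920, end_year: int = 2010):
    """Every ISO date in the range: a realistic guess space for a date of birth."""
    d, end = date(start_year, 1, 1), date(end_year, 12, 31)
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


def brute_force_unsalted(target_hex: str, field: str, candidates):
    """What goes wrong without a salt: anyone who can enumerate the value space
    recovers the plaintext behind the 'anonymous' hash. Returns it, or None."""
    for value in candidates:
        if field_commitment(field, value, b"") == target_hex:
            return value
    return None


def demo():
    on_chain_root, opening = commit_record(CUSTOMER)
    # The regulator asks only for jurisdiction; name, tax ID and address stay hidden.
    disclosure = make_disclosure(opening, ["jurisdiction"])
    ok = verify_disclosure(on_chain_root, disclosure)
    # A forged value for the same field fails against the committed root.
    forged = make_disclosure(opening, ["jurisdiction"])
    forged["revealed"]["jurisdiction"]["value"] = "KY"
    forged_ok = verify_disclosure(on_chain_root, forged)
    # An unsalted hash of the date of birth is inverted in well under a second.
    unsalted = field_commitment("date_of_birth", CUSTOMER["date_of_birth"], b"")
    recovered = brute_force_unsalted(unsalted, "date_of_birth", all_dates())
    return ok, forged_ok, recovered


if __name__ == "__main__":
    print(demo())  # (True, False, '1975-03-14')
```

Two design points carry over to real deployments. The salts are as sensitive as the PII they protect, because whoever holds a salt can test guesses against the public commitment, so they belong in the same access-controlled store as the KYC record. And this flat root only supports revealing a field outright; proving a predicate about it without revealing it (for example, that the committed jurisdiction is not on a sanctions list) is exactly where the ZK proofs mentioned above come in, with the commitment as the proof's public input.
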
The shift toward tokenized deposits represents a fundamental change in how banks move money, but it cannot succeed without solving the privacy-compliance paradox. As institutions scale beyond pilot programs, the technical and regulatory frameworks they choose today will determine whether tokenized deposits become a mainstream payment infrastructure or remain confined to niche use cases.