A 128-Page Thesis Just Described What Concordium Built. The Author Has No Idea.

A few weeks ago I stumbled on a thesis. 128 pages. Published on SSRN by an independent researcher named Nicolin Decker. Title: "Zero-Knowledge Proofs: A Privacy-Preserving Cryptographic Model for Financial Compliance and Global Banking Security."

Decker builds, from first principles, a formal mathematical case for what a privacy-preserving financial compliance system should look like. He develops original models for AML/KYC verification, credit assessment, fraud detection, Basel III liquidity compliance, and cross-border settlement. He proves completeness, soundness, and zero-knowledge properties for each system. He runs Monte Carlo simulations across 10 million+ transactions. He stress-tests against Basel III crisis scenarios. And he proposes a ten-year implementation roadmap.

Concordium is not mentioned anywhere in the paper. The author, as far as I can tell, has no idea it exists. And yet the system he argues must be built is, in its essential architecture, already running on Concordium's mainnet. This article walks through the paper's key arguments and maps them against what Concordium has deployed. It also identifies where the paper gets things wrong.

The Paper's Thesis

The abstract sets the frame:

"Integrating ZKPs into financial infrastructure can resolve the long-standing tradeoff between transparency and privacy, offering a paradigm shift toward a privacy-preserving yet fully compliant global financial system."

— Decker (2025), p. 2

Decker's starting point is a structural paradox that institutional authorities have acknowledged but not resolved. Financial compliance requires centralised data collection. That data collection creates the very vulnerabilities the system is supposed to prevent. The numbers are stark: compliance costs exceeding $200 billion annually (BIS, 2023), AML screening false positive rates above 95% (FATF, 2022), $6.6 billion in AML/KYC-related fines in 2023 alone, and 1.4 billion adults excluded from banking because they lack the identity documentation traditional KYC demands (IMF, 2024).

But the paper goes further than cataloguing failures. It names the structural root cause:

"Financial institutions have increasingly shifted toward surveillance-based compliance models, forcing banks, payment processors, and digital platforms to collect, analyze, and report user financial data. The IMF and FATF acknowledge that current AML/KYC frameworks often violate privacy rights while failing to significantly curb illicit financial flows. Financial institutions actively monetize user transaction data, further incentivizing mass financial surveillance and data collection risks."

— Decker (2025), p. 10

And it names the architectural requirement:

"The Decker-ZKP Compliance Model eliminates the need for financial institutions to store identity data, allowing banks to validate compliance without revealing personal details. Regulatory overreach is prevented by ensuring that only necessary compliance verifications occur. Data breaches are minimized by eliminating mass identity storage requirements."

— Decker (2025), p. 10

This is where the convergence begins. Because that sentence — eliminating identity data storage while maintaining compliance verification — is not just the paper's proposed model. It is a precise description of Concordium's ID Layer, which has been live since genesis. Three accredited third-party providers verify identity. Only an encrypted hash is stored on-chain. The institution sees an attestation. Never the data.

The Convergence

It does not stop at identity. The paper systematically builds a framework that maps, component by component, onto Concordium's deployed architecture.

Self-sovereign wallets

Decker proposes consumer wallets with self-sovereign identity as part of his Phase 2 rollout, scheduled for years three to five:

"Self-sovereign financial identity (SSI): Users prove identity for AML/KYC without exposing PII. ZKP-enabled smart contract payments: Ensuring regulatory compliance in decentralized transactions. Privacy-preserving credit scoring: Consumers can demonstrate creditworthiness without disclosing income or debt history."

— Decker (2025), p. 12

Every Concordium wallet has been a self-sovereign identity wallet since genesis. On-device zero-knowledge proofs let users prove that they are over 18, that they reside in a specific jurisdiction, or that they have passed KYC — without revealing a single piece of personal data. The proof is generated on the user's own device. Nothing leaves their control. The institution receives only the cryptographic attestation it needs.

Decker's Phase 2 is Concordium's day one.
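To make the completeness, soundness and zero-knowledge properties Decker proves, and the on-device proof model described above, concrete, here is an added toy example (not Concordium's code and not from the paper): a Schnorr proof of knowledge, the kind of Sigma protocol that credential proofs of this sort are typically built from, with the verifier's check, a soundness extractor and a zero-knowledge simulator. The group parameters are constructed and deliberately tiny, so this illustrates the properties rather than providing security.

```python
# Toy Schnorr proof of knowledge over a tiny safe-prime group (constructed example).
# P = 2*Q + 1 with P = 1019, Q = 509; G = 4 generates the order-Q subgroup. NOT secure.
import hashlib
import secrets
P, Q, G = 1019, 509, 4

def keygen():
    # Holder's secret x stays on device; y = G^x is the public statement.
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit():
    # Prover step 1: one-time random nonce r and commitment t = G^r.
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def respond(x, r, c):
    # Prover step 3: s = r + c*x mod Q; r masks x, so s alone reveals nothing.
    return (r + c * x) % Q

def verify_transcript(y, t, c, s):
    # Verifier check G^s == t * y^c. Completeness: an honest prover always passes.
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def fiat_shamir(y, t):
    # Non-interactive challenge: hash the statement and commitment, reduce mod Q.
    digest = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def prove(x, y):
    # Entire proof is computed on the holder's device; only (t, s) leaves it.
    r, t = commit()
    return t, respond(x, r, fiat_shamir(y, t))

def verify(y, proof):
    # Institution side: accepts the attestation without ever seeing x.
    t, s = proof
    return verify_transcript(y, t, fiat_shamir(y, t), s)

def extract(t, c1, s1, c2, s2):
    # Special soundness: two accepting transcripts with the same t but different
    # challenges yield x = (s1 - s2)/(c1 - c2) mod Q, so the prover must know x.
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q

def simulate(y):
    # Zero-knowledge: choose c and s first, then solve for t. No x is used, yet the
    # transcript verifies and is distributed like a real one: the verifier learns nothing.
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P
    return t, c, s
```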

The GDPR-MiCA conflict

One of the paper's sharpest observations is a regulatory conflict that most of the industry has either missed or ignored:

"GDPR and MiCA requirements directly conflict with AML transparency mandates, creating legal ambiguity for global banks."

— Decker (2025), p. 10

MiCA demands transaction transparency, AML/KYC enforcement, and data retention. GDPR demands data minimisation, purpose limitation, and the right to erasure. For any blockchain-based financial service in the EU, these frameworks pull in opposite directions. Decker proposes ZKPs as the resolution and flags the need for legislative reform:

"GDPR-Compliant ZKP Identity Verification: Ensures banks comply with GDPR's right to data privacy while maintaining AML/KYC transparency. MiCA-Compatible Stablecoin Transactions: ZKPs enable privacy-compliant stablecoin verification, allowing compliance without exposure."

— Decker (2025), p. 69

Concordium resolves this through architecture, not legislation. The ID Layer satisfies MiCA's identity verification requirements without storing personal data on-chain. On-device ZKPs satisfy GDPR's data minimisation mandate. What Decker identifies as requiring years of legislative reform and institutional coordination already works on mainnet.

The adoption path

The paper proposes a phased rollout that reveals its most significant blind spot:

"Regulatory Pilot Programs with Leading Financial Institutions: JP Morgan & Goldman Sachs will implement ZKP-driven compliance verification... SWIFT will serve as a testing ground for ZKP-enabled interbank communication... IMF & BIS Innovation Hub: Regulatory authorities will work alongside leading central banks (Federal Reserve, ECB, MAS, and BoE) to test ZKP applications within international financial policy frameworks."

— Decker (2025), p. 11

That is Phase 1 (Years 1–3). It requires coordinating the world's most powerful financial institutions before a single consumer touches the system. The paper then sets full adoption at 2030 at the earliest:

"Financial institutions, policymakers, and technology providers must align before 2030 to secure a future where privacy-preserving compliance and economic freedom coexist."

— Decker (2025), p. 89

Concordium did not wait. It built the infrastructure, went live, and started deploying where regulatory tailwinds already exist: age verification under the UK's Online Safety Act, similar legislation across 17 US states and the EU, geofenced payments targeted for 2026. You do not need to convince the Federal Reserve before you can verify a user's age. Adoption starts with what is already legally required and expands from there.

At a Glance

What the Paper Gets Wrong

The paper's cryptographic fundamentals are rigorous. Its understanding of how financial infrastructure actually gets adopted is not.

It assumes smart contracts as the execution layer. Every token, every compliance attestation, every financial instrument in Decker's model lives inside a smart contract. He does not consider the possibility that tokens could exist at the protocol level, eliminating custodial risk entirely. Concordium's Protocol Level Tokens do exactly this. No smart contract holds user funds. No attack surface from contract vulnerabilities, reentrancy exploits, or governance manipulation. For regulated financial instruments, the distinction between adding privacy to smart contracts and removing the smart contract custody layer entirely is not incremental. It is architectural.

It assumes top-down coordination will drive adoption. The roadmap requires JP Morgan, Goldman Sachs, SWIFT, the IMF, and the Federal Reserve to coordinate before anything reaches production. This may happen eventually. It is not how infrastructure gets built. Real adoption starts with narrow regulatory wedges — age verification, geofenced payments, stablecoin compliance — and expands from there.

It underestimates the incentive problem. The paper acknowledges that financial institutions monetise user data but treats this as a secondary obstacle. It is the primary barrier. The institutions Decker expects to adopt ZKP compliance are the same institutions profiting from surveillance-based data collection. The realistic adoption path targets environments where compliance pressure outweighs data monetisation value.

It does not account for on-device proof generation. Decker implicitly assumes proofs are generated within institutional infrastructure. Concordium's on-device model shifts the locus of control to the user. The proof is computed locally. No personal data traverses the network. That is not a privacy improvement. It is a different trust architecture entirely.

What Convergence Signals

The paper's concluding argument:

"The time for action is now. ZKP banking is not a technological option — it is a necessity for the next era of global finance."

— Decker (2025), p. 89

Concordium's founding team reached that conclusion some years ago. In April 2024, roughly a year before the paper was published, Concordium founder Lars Seier Christensen described the exact same structural problem from his experience building Saxo Bank: the absurd inefficiency of repeated KYC, the case for portable identity verification at the protocol level, and the use of zero-knowledge proofs across use cases. He described it not as a theoretical framework but as something Concordium was already building.

When a founder who ran one of Europe's largest retail brokerages and an independent cryptographer working from first principles both arrive at the same architecture without coordination, that is not coincidence. It is evidence that the compliance-privacy problem has a narrow solution space, and that both found its boundaries independently.

Decker spent 128 pages proving why systems like Concordium must exist. He did not know one already does. The paper, intentionally or not, provides formal mathematical reasoning for why the architectural choices Concordium made at genesis were not just defensible but structurally inevitable.

"The institutions that adapt early to ZKP-based models will gain a competitive advantage in privacy-compliant financial innovation, influencing the development of global banking infrastructure and monetary policy enforcement."

— Decker (2025), p. 76

The full thesis is available on SSRN. The architecture is on mainnet.

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5170068