2026: SELECTIVE DISCLOSURE IS NOT ENOUGH FOR MASS INSTITUTIONAL ADOPTION
Market research on privacy infrastructure and institutional adoption in 2026
INTRODUCTION
Demand for on-chain privacy is irrefutably no longer limited to retail users. Institutions and enterprises, especially in finance, are increasingly seeking ways to reconcile transparency with confidentiality.
As stated by A16z Crypto:
“Privacy will be the most important moat in crypto in 2026. Many industries and users (like finance and healthcare) require companies to keep sensitive data private. It’s also a massive blocker for the institutions looking to tokenize real-world assets (RWAs) right now.”
The first era of privacy, exemplified by Tornado Cash, exposed the limits of full anonymity in cryptocurrency transfers under regulatory pressure. Today, newer privacy protocols built on Ethereum, like Railgun, Midnight and Fairblock, alongside early privacy chains like Monero that are evolving toward a more advanced model, have shifted toward selective disclosure as a balance between privacy and transparency in traditional and decentralized finance, and between Crypto Asset Service Providers (CASPs) and regulators.
However, while selective disclosure may be necessary, it alone is unlikely to fully drive mass institutional adoption in 2026.
This article examines the crypto privacy landscape from an institutional perspective to explain why.
KEY TAKEAWAYS
Our research is structured around 3 key sections:
Section 1: Major requirements for institutional participation in DeFi
Section 2: Why selective disclosure is necessary, and how it improves upon earlier anonymity models such as Tornado Cash
Section 3: The limitations of selective disclosure in attracting large-scale TradFi capital flows in 2026
SECTION 1: KEY FACTORS OF INSTITUTIONAL ADOPTION OF DEFI
What do institutions need before entering DeFi?
First, we need to clarify what “institution” means here.
Institutional adoption is often discussed as a single trend, but in practice there are two main kinds of institutions: crypto-native funds and traditional financial institutions.
Crypto-native funds, like hedge funds, market makers, or proprietary trading firms, can experiment with security tools relatively quickly, as their compliance requirements are lighter and their competitive advantage depends on confidentiality in their operations.
However, TradFi institutions operate under stricter legal constraints. Banks, pension funds, and asset managers must provide disclosure to regulators and auditors regarding all stakeholders, cash flows, and risk sources. For them, privacy is not just a technical feature but a legal responsibility.
To attract trillions of dollars from TradFi, DeFi in general and privacy protocols in particular need to meet some main requirements, as follows.
1/ Confidentiality And Auditability
Institutional transactions often reveal sensitive information: what bonds they are buying, how much stablecoin they are withdrawing, how much collateral they are depositing, etc. Some enterprises don’t want to publicize their investment portfolios, capital sources or their customers’ data.
If all of this information is public and fully trackable on-chain, their commercial secrets can be exposed, and competitors may take advantage of this.
Also, regulations on anti-money laundering (AML) and combating the financing of terrorism (CFT) require that regulatory bodies be able to examine and retrieve transaction history when needed. For example, the FATF Travel Rule requires retaining information on the senders and recipients of transactions of $1,000 or more and sharing it with the relevant VASPs (exchanges, wallets).
Organizations need to report financial statements periodically, demonstrating that on-chain assets match off-chain records. Regulators such as the SEC, FCA and MAS require access to transactions (with orders) to investigate fraud, tax evasion, or sanctions violations. This means that without auditability, the organization might be perceived as concealing information.
2/ Legal Certainty
A TradFi institution requires absolute legal certainty to protect itself from the risk of being sued and sanctioned. If there are no clear regulations on “what constitutes a legal private transaction,” regulators may automatically assume that such a transaction violates AML/CFT rules.
If there are still many “gray areas” where crypto or DeFi legislation is ambiguous, institutions may need to hire their own lawyers for transaction analysis, which is both costly and hard to scale.
3/ Operational Reliability And Security Assurance
Every individual and organization entering the DeFi world needs to be careful, especially when it comes to investment. TradFi institutions like JP Morgan, Goldman Sachs or other banks often execute large volumes of transactions, up to billions, and they don’t want to put their own portfolios at risk if a privacy-based protocol faces chain downtime or a single network error. Traditional systems like SWIFT, Fedwire, and DTCC offer nearly 99.999% uptime, and organizations expect similar performance if they switch to on-chain.
Therefore, a privacy protocol that maintains a robust infrastructure and is free of vulnerabilities is a requirement before an institution will put its money in.
4/ Institutional Precedent
To broaden institutional adoption, DeFi needs a successful pioneer from TradFi to lead the privacy trend. The larger the business, the more cautious it must be with every step it takes. If a privacy protocol can truly prove its success with the participation of major organizations, a network effect will emerge and draw in many other parties.
These are the four main factors that TradFi institutions need before entering DeFi, and privacy sits at the center. Without confidentiality and compliance, institutional participation becomes impossible.
This is where selective disclosure emerges as a practical fix to the limitations of earlier privacy models such as Tornado Cash. But whether it’s an ideological feature or not remains a question that needs to be answered.
SECTION 2: SELECTIVE DISCLOSURE – THE FIX FROM THE OLD RATIONALE (TORNADO CASH)
1/ The Failure Of Tornado Cash
In the first era of privacy, from 2009 to 2021, besides the Monero and ZCash protocols, Tornado Cash, launched in 2019, was one of the most notable decentralized privacy protocols, enabling crypto transfers that cannot be traced on public chains. Tornado Cash uses smart contracts and zero-knowledge proofs (ZKPs) to hide the on-chain connection between the sender and receiver addresses of a transaction, a connection that is otherwise easy to track on public chains like Ethereum or Arbitrum.
One way to think about ZKPs is like proving you know the password to a vault without ever saying the password out loud. The verifier gains confidence, but no sensitive information is exposed.
However, despite the good technology behind it, this protocol was sanctioned by OFAC (the US Treasury Department’s Office of Foreign Assets Control) on Aug 8th, 2022, for allegedly facilitating money laundering ($7B in virtual currency since launch). This sanction led to the founder’s imprisonment and the halt of project development.
What got Tornado Cash into trouble is its non-compliance by design. All funds deposited in Tornado sit in the same pool (i.e. the Tornado Cash 0.1 ETH/1 ETH/10 ETH/100 ETH pools) without any filtering or classification as clean or hacked money. Its mechanism requires no proof of whether money comes from a sanctioned address or a clean source.
Source: Etherscan
This feature drew significant attention from regulators, who became concerned about the potential for criminal activities such as money laundering, terrorism financing or other forms of illicit finance. As a result, Tornado Cash became entangled in regulatory non-compliance, including nearly $150M laundered by North Korea’s Lazarus Group hackers.
This model may serve legitimate privacy needs, but it also makes it easier for illicit funds to infiltrate, creating unacceptable risks for organizations.
In order to survive, privacy CASPs must find a way to reconcile privacy needs with compliance. Selective disclosure, or programmable/selective privacy, is currently the most viable solution.
2/ The Need For Selective Disclosure And A Typical Case From Railgun
Institutions don’t seek to hide from the law but to avoid broadcasting sensitive business information to the world. And selective disclosure is a way to prove that some information is true or clean without revealing all underlying data. In practice, this is often achieved through cryptographic tools such as ZKPs or FHE (Fully Homomorphic Encryption) to create “selective proof”.
In crypto, it solves the privacy and compliance paradox we discussed earlier: If you want to be highly private (anonymous/secure), you’re easily suspected of illicit activity (money laundering) by regulators. Yet, if you want to be compliant (follow the law), you have to reveal everything, which means losing privacy.
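To make "prove some information without revealing all underlying data" concrete, here is an added example that is not from this article or from any protocol it names. It swaps in a salted Merkle commitment, a simpler hash-based technique than ZKPs or FHE: the institution publishes only a root, then opens a single field to an auditor. Unlike a ZKP, the opened field's value is revealed to that auditor. The record, field names and function names are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record; every value is made up for illustration.
RECORD = {"sender": "0xSENDER_PLACEHOLDER", "receiver": "0xRECEIVER_PLACEHOLDER",
          "asset": "USDC", "amount": 250000, "purpose": "bond purchase"}

PAD = hashlib.sha256(b"\x02pad").digest()  # filler leaf, domain-separated from real leaves


def _leaf(name, value, salt):
    # The per-field salt stops an observer from brute-forcing low-entropy values.
    return hashlib.sha256(b"\x00" + salt + json.dumps([name, value]).encode()).digest()


def _node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()


def _levels(leaves):
    size = 1
    while size < len(leaves):
        size *= 2
    levels = [leaves + [PAD] * (size - len(leaves))]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([_node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def commit(record):
    """Return (public root, private salts). Only the root is published."""
    names = sorted(record)
    salts = {n: secrets.token_bytes(16) for n in names}
    leaves = [_leaf(n, record[n], salts[n]) for n in names]
    return _levels(leaves)[-1][0], salts


def disclose(record, salts, name):
    """Build the opening for one field: its value, salt and Merkle path."""
    names = sorted(record)
    levels = _levels([_leaf(n, record[n], salts[n]) for n in names])
    index, path = names.index(name), []
    i = index
    for level in levels[:-1]:
        path.append(level[i ^ 1])  # sibling hash only, never a sibling value
        i //= 2
    return {"name": name, "value": record[name], "salt": salts[name],
            "index": index, "path": path}


def verify(root, opening):
    """Auditor side: recompute the root from one opened field."""
    h = _leaf(opening["name"], opening["value"], opening["salt"])
    i = opening["index"]
    for sibling in opening["path"]:
        h = _node(sibling, h) if i & 1 else _node(h, sibling)
        i //= 2
    return hmac.compare_digest(h, root)
```

The auditor learns the opened field and that it belongs to the committed record; the other fields stay hidden behind salted hashes.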
Source: Coingecko
Since early 2024, despite some ups and downs, the total value of crypto treasuries held by companies and governments has grown at an unprecedented pace, with an all-time high of over $200B in October 2025. This trend highlights the need for programmable privacy as core infrastructure, allowing companies to hide their investment strategies and commercial secrets from public scrutiny or competitor front-running while still remaining regulatory-compliant.
In order to attract meaningful inflows from TradFi, selective privacy is a requirement. Recognizing this need, from late 2025 to early 2026 a new wave of protocols with compliant, programmable privacy designs emerged, including notable names such as Aztec, Railgun, Fairblock and Midnight.
Source: Ethereum Daily
Now, we will take Railgun as an example for clearer comparison in the design.
Railgun is a privacy protocol designed to strike a balance between privacy and compliance. The link between the sender and receiver addresses is still severed, while the protocol still follows OFAC rules.
Source: Etherscan
Unlike Tornado Cash, shielded transactions on Railgun still reveal the exact token amounts being transferred, as the protocol allows users to send arbitrary amounts rather than fixed denominations. This means that users who want their transactions to be harder to trace often need to standardize their transfer sizes to common base amounts, such as 0.1 ETH, 100 USDC, or 1,000 USDT.
Source: PPOI
In terms of compliance, Railgun uses Private Proof of Innocence (PPOI): before assets are “shielded” in the privacy pool, Railgun checks AML/sanctions blacklists to verify that the transferred tokens don’t come from risky-tagged addresses. This feature blocks suspicious funds from the start, using tag data from sources such as Chainalysis and sanctions lists (i.e. OFAC).
In addition, Railgun users can export their transaction history for use in the Koinly tax software, one of its compliance tools, helping users file their own taxes even when using Railgun’s privacy wallet, without sacrificing basic privacy. This feature is especially helpful for companies declaring and calculating their taxes.
Currently, Railgun’s total volume is about to reach $250M per month, reflecting the increasing adoption of this protocol and a rising demand for private payments in the crypto world.
SECTION 3: WHY IS SELECTIVE DISCLOSURE NOT ENOUGH TO ATTRACT TRILLIONS INFLOW FROM TRADFI IN 2026?
From all the figures and arguments above, we can’t deny that privacy is an important piece in the growth of DeFi. Yet despite the growth of privacy chains, selective disclosure, which some consider privacy 2.0 because it secures both confidentiality and auditability, is not enough for DeFi to attract abundant inflows from TradFi in 2026, because of the following limitations.
1/ Delays In Regulatory Developments
One of the biggest stumbling blocks hindering the growth of privacy tech in 2026 is legislative progress. Public financial institutions are always careful about the legal framework, which should be clear and transparent enough for them (as managers of huge assets) to avoid the risk of fines or asset freezing.
The year 2025 witnessed significant legal progress. Some crypto regulations have come into effect, including MiCA (Markets in Crypto-Assets), which provides a unified framework for cryptocurrencies within the European Union (EU). The US is currently promoting numerous laws to create a regulatory framework that is scalable and predictable, including the GENIUS Act (for stablecoins) and the CLARITY Act (for digital asset clarity). However, this clarity has not been fully achieved.
GENIUS Act (Guiding and Establishing National Innovation for U.S. Stablecoins Act): The effective date of this act is the earlier of January 18th, 2027, or the date that is 120 days after the date on which the federal banking regulators issue implementing regulations.
CLARITY Act (Digital Asset Market Clarity Act): This act is suffering from delays since the Senate Banking Committee postponed its markup/discussion of amendments to mid-January 2026 after Coinbase withdrew its support for the current version, meaning progress on market structure legislation has been delayed.
In reality, there are still many “gray areas”. The US and many other countries are still completing their drafts. With privacy, the issue is more sensitive because there is still no specific law on “privacy tokens”. A negative signal is that the EU intends to ban privacy coins like Monero (XMR) and ZCash (ZEC) on platforms permitted to operate within the bloc (i.e., exchanges, licensed CASPs). These regulations are expected to come into effect on July 1st, 2027.
Source: Cointelegraph
Moreover, as reported by Chainlink, large organizations can’t disclose customer identities on public blockchains due to regulations like GDPR and GLBA (General Data Protection Regulation and Gramm-Leach-Bliley Act), which require personal data protection. Therefore, many institutions are still waiting for stricter regulations to ensure compliance with AML/CFT in private blockchain models. They are waiting for “gray” areas to turn “green”.
2/ Lack Of Infrastructure Maturity And Security
2025 witnessed a new wave of many privacy projects in DeFi, especially those run on Ethereum like Aztec, Railgun, or Miden. However, their infrastructure remains insufficiently mature to attract large-scale institutional adoption.
For example, on Railgun, it takes one hour for a shielded transaction to complete. While such latency may be acceptable for individual users, it poses a serious challenge for institutions, especially investment firms that rely on frequent and time-sensitive strategy execution.
Source: Railgun community
This delay is regarded as a trade-off in the design. Unlike Tornado Cash, which uses fixed-denomination pools (i.e. 0.1 ETH pool or 1 ETH pool) and enables withdrawals within minutes, Railgun allows arbitrary transfer amounts but requires longer settlement times to reduce traceability.
Source: PPOI
Moreover, current privacy tech still has loopholes: in November 2025, an Upbit hacker successfully laundered over 400 WETH (over $1.2M) through Railgun and passed its ZK proof of innocence. This incident has raised concerns about the robustness of privacy protocols, which may further hinder participation from traditional organizations.
Furthermore, in terms of transaction fees, secure ZKP-based protocols like Railgun, or even Tornado Cash, generally impose significantly higher transaction fees compared to public blockchains like Ethereum, Polygon, Arbitrum, etc.
Source: Mirador
On average, transaction fees on several current privacy projects like Railgun (blue column) and Veil Cash (purple column) rank as the most expensive, at about 0.25%-0.3% of volume. In contrast, transferring on public chains like Ethereum, Polygon or Arbitrum is much cheaper, at 0.001%-0.005%. With higher costs, traditional organizations have even more reason to hesitate before making private on-chain payments.
Finally, unlike in TradFi, one of the top concerns for both retail users and institutions when investing is cybersecurity (the risk of being hacked). Every project in DeFi (including privacy ones) inherently carries risks related to its logic and code, and tokenized RWAs are no exception.
Source: CertiK Report
As the chart above shows, hackers are increasingly targeting RWA assets as this market grows, exploiting loopholes in its logic.
The first half of 2025 already saw a significant loss of RWA assets (nearly $15M), including a $5.8M oracle manipulation attack on Loopscale and an $8.85M vulnerability exploit on Zoth Protocol. These negative cases reflect on-chain and operational failures within the core technology of the RWA ecosystem.
All of these limitations above can further weaken the case for institutional adoption.
3/ Limited Proof Of Success And Network Effect
Large companies often wait for a clear success story before deciding to join the game. To create institutional FOMO, DeFi needs proof that privacy tech actually works, with no bugs or virtual yield.
A typical case in the previous cycle was the SEC’s approval of the Bitcoin/ETH ETF in early 2024, after which a wave of capital immediately and continuously poured into crypto.
Source: Bitcoin Strategy Platform
However, currently in the privacy tech space, there is no global adoption “leader”: no private blockchain has yet achieved widespread adoption for large volumes of institutional on-chain transactions.
In reality, Canton Network, a permissioned selective privacy chain model, backed by Goldman Sachs, BNP Paribas, and DTCC, now executes over $350B treasury repo flows per day from Broadridge’s Distributed Ledger Repo (DLR).
The report on the collaboration between Deutsche Bank and Nethermind notes numerous pilot deployments: from BIS’s Tourbillon Project, Bank of England – MIT, to Deutsche Bank’s PoC integrating the Privado platform, and “Proof-of-Reserves” systems for Binance, OKX, and others. These are signs that “on-chain privacy” has begun to be tested at the organizational level.
Yet, at present, there are still only a few small groups (Aztec, Dusk, Penumbra, Midnight...) providing privacy technology, and a dominant privacy platform has not yet emerged. Organizations are still waiting for a “kick”, such as a major leader announcing successful use of privacy liquidity. Real-world proof of strong privacy is gradually emerging but is not yet enough to convince the entire industry to join in.
CONCLUSION
2026 is a year of growth for privacy tech, but the sector is still not ready for mass institutional adoption. As privacy 2.0 infrastructure, protocols with selective disclosure require more time to develop and mature, and to fully reconcile privacy demand (from both retail users and institutions) with regulatory compliance.
Attracting more capital from traditional finance, and creating a FOMO mentality among organizations, depends not only on privacy protocols and chains but also on other external factors.
Disclaimer
This research aims to analyze current trends in privacy technology and assess their implications for institutional adoption, based on observable market developments and existing infrastructure.
Privacy protocols and selective disclosure solutions are still at an early stage. Regulatory frameworks, technical designs, and adoption dynamics may change significantly over time. Any forward-looking views on institutional participation or capital inflows from traditional finance reflect market observations rather than guarantees.
Readers should treat this analysis as a reference for understanding the privacy landscape in 2026, not as investment or legal advice, and are encouraged to conduct their own independent research before forming conclusions.


















