Back to All Posts
Privacy by Design: Can the Bank of Italy’s

Privacy by Design: Can the Bank of Italy’s "Constrained Privacy" Save Stablecoins?

Regulators are pulling in opposite directions on crypto privacy. In March 2025, the US Treasury lifted its sanctions on Tornado Cash after a federal appeals court ruled the agency had exceeded its authority, a reversal of the 2022 action that had chilled privacy tech investment across the industry. Meanwhile, the EU is heading the other way: under the AML Regulation, anonymous crypto accounts and privacy coins face an effective ban from 2027, with the Travel Rule extended to crypto transfers with no minimum threshold.

Into that gap steps a paper from an unexpected source. A new study published by Italy's Financial Intelligence Unit at the Bank of Italy argues that privacy in payments isn't a bug to be regulated away. It's a feature money needs, provided the privacy is deliberately bounded. The paper's term for this is "constrained privacy," and its central claim is that privacy-preserving stablecoins built on Layer-2 infrastructure could be the first crypto instruments to offer it at scale.

This post works through the paper's argument, the technical architecture behind it, and the honest caveats the author himself raises. We've focused on the economic framework and the compliance design rather than the full cryptographic detail.

The Starting Point: Why Stablecoins Still Aren't Money

The paper opens with a blunt diagnosis. Stablecoins have reached roughly $300 billion in market capitalization, about 94 percent of it dollar-pegged and concentrated in Tether and USD Coin. Yet that's about 1 percent of the US M2 money stock. For all the growth, stablecoins aren't functioning as mainstream money: they're not widely accepted for everyday payments, not used as a unit of account, and not integrated into household balance sheets.

Even the headline transaction numbers mislead. On-chain volume for USDT and USDC hit an estimated $32 trillion in 2025, roughly a third of what the entire US ACH network processed. But the paper shows that if you treat that figure as payments, the implied velocity of stablecoins would exceed that of US M2 by a factor of nearly 30, which is implausible. The overwhelming majority of flows are trading, market-making, and arbitrage, not people buying things. This matches what on-chain research has found about stablecoin activity being dominated by complex DeFi transactions rather than simple transfers, a pattern we examined in an earlier analysis.

Notably, cost isn't the problem. Moving $5,000 in stablecoins typically costs a few cents, against 1.5 to 3 percent merchant fees on cards and 6 to 7 percent on cross-border retail payments. Something else is holding adoption back.

The No-Questions-Asked Test

The paper's framework borrows a concept from monetary economics: the no-questions-asked (NQA) principle. An instrument becomes mainstream money when people accept it without doing due diligence. Nobody checks a $20 bill's backing before taking it. By contrast, an asset whose value swings (Bitcoin) or whose fees and settlement times are unpredictable (congested blockchains) forces users to ask questions, and that alone disqualifies it from everyday use.

To pass the NQA test at scale, the author argues a payment instrument needs three things at once:

  • Dimensional scalability: performance that holds up as users and volumes grow. Public Layer-1 blockchains fall far short here. Bitcoin handles about 7 transactions per second and Ethereum's base layer 20 to 60, against more than 20,000 for Visa at peak and over 500,000 recorded by Alipay. Even optimistic estimates put sustainable decentralized L1 throughput at 1,000 to 10,000 TPS.
  • Legal scalability: compliance that stays workable as volumes grow. Today's model, where KYC happens at exchanges and investigators use forensic chain analysis to link pseudonymous addresses to people, doesn't scale. If every enforcement action requires bespoke detective work, the system fails the test.
  • Constrained privacy: confidentiality for ordinary users, bounded by rules set in advance. Today's public blockchains get this exactly backwards. They give too much privacy at the edges to illicit actors using obfuscation tools, and too little to ordinary users, whose entire transaction history sits on a public ledger waiting to be deanonymized.

That last inversion is worth sitting with. The paper cites research showing payment instruments become more attractive as their privacy improves, for entirely legitimate reasons: commercial confidentiality, personal safety, protection from profiling. Conventional banking gets the balance roughly right, with identity checks at onboarding and confidential transactions afterward, subject to lawful access. Transparent blockchains don't.

The Proposed Fix: Privacy at the Execution Layer

The paper's answer isn't a new coin. A "privacy stablecoin," in its definition, is typically an existing stablecoin (USDC, USDT) transacted through a Layer-2 environment that adds encryption. The stability comes from the asset; the privacy comes from the infrastructure.

The architecture splits work between layers. A Layer-2 sequencer orders and executes transactions at high speed, then a prover generates a zero-knowledge proof certifying the whole batch followed the rules. Ethereum's base layer verifies only the compact proof, not the individual transactions. The result: L2 rollups already run at 3,000 to 10,000 TPS with confirmation in a few seconds, closing most of the performance gap with card networks.

One clarification the paper is careful about, and worth repeating: zero-knowledge proofs alone don't give you privacy. Standard ZK rollups prove correctness while the sequencer still sees everything in plain text. Privacy requires an additional encryption layer, the approach taken by privacy-focused rollups. And crucially, compliance doesn't disappear in that design. It moves into the protocol:

  • Access to the shielded environment is gated: only users holding a credential from a regulated intermediary that performed KYC can enter, proven cryptographically without revealing identity.
  • Transaction integrity (no double-spends, no value creation) is enforced by commitments and nullifiers even though amounts and counterparties stay encrypted.
  • Selective-disclosure keys let a user, or compel a process, to reveal specific information to authorities under due-process procedures, without opening the whole ledger to bulk surveillance.

The paper calls this compliance-by-design, and contrasts it sharply with today's ex-post overlays. Its quadrant framework makes the point cleanly: transparent L1 stablecoins are compliant but privacy-poor; classic privacy coins are private but non-compliant; the goal is the quadrant that's both, and reaching it is a deliberate design choice, not a default.

What This Implies for Different Stakeholders

  • For banks and payment providers, the framework suggests the relevant question isn't "should we touch privacy tech" but "which quadrant does a given design sit in." A shielded environment with identity-gated access and audit pathways resembles conventional banking confidentiality more than it resembles a mixer.
  • For issuers, the paper's judgment is that new native privacy stablecoins face a steep climb against USDT and USDC network effects. The more plausible path is established stablecoins circulating through privacy layers, which keeps AML visibility at the entry and exit points of the shielded environment.
  • For regulators, the paper makes its most pointed argument: left alone, the market will converge on designs that are compliant enough for big players' reputations and private enough to attract users, which is not the same as designs that fully serve AML objectives. A wait-and-see stance risks entrenching that gap. The author, writing from inside a financial intelligence unit, calls for structured engagement instead. How individual jurisdictions come down on this question, between the US retreat from sanctioning privacy tools and the EU's 2027 anonymity ban, is exactly the kind of divergence worth following in our Stablecoin Regulation Tracker.
  • For users, the honest reading is that these systems remain a niche within a niche. Privacy stablecoins account for well below 1 percent of stablecoin activity, possibly as little as 0.1 percent.

The Caveats the Paper Doesn't Hide

Credit to the author for listing the weaknesses rather than burying them. Several mechanisms rely on users cooperating with disclosure requests, while some jurisdictions demand investigative tools that don't depend on cooperation. AML monitoring itself runs on metadata (risk scores, transaction patterns, sanctions screening), which is precisely what privacy layers minimize. Implementation risk is real: a system can land in the worst spot by satisfying compliance on paper while leaking sensitive data through faulty proofs or unencrypted metadata. And privacy layers struggle with DeFi composability, since a private token that can't be used as collateral loses much of the utility that made the transparent version successful.

There's also a longer-horizon note tucked into the cryptography: the elliptic-curve assumptions behind SNARK proofs face uncertain post-quantum security, while hash-based STARKs are considered quantum-resistant, a trade-off that echoes the migration questions we covered in our post on quantum computing and crypto.

The Bottom Line

The most striking thing about this paper is where it comes from. A financial intelligence unit, the part of a central bank whose job is catching money laundering, arguing that the future of stablecoin payments may depend on giving users more privacy, not less, so long as that privacy is bounded by protocol design rather than promised by intermediaries.

Whether privacy stablecoins get there is genuinely open. The paper frames mainstream adoption as a critical-mass phenomenon: once roughly 15 to 30 percent of a population adopts a behavior, diffusion tends to accelerate on its own, and the winner doesn't need to be the best technology, just good enough and socially legitimate. Today's sub-1-percent market share is a long way from that threshold, and the decisive variable, by the author's own account, is regulatory acceptance.

Which brings the argument full circle. The technology for private-yet-auditable payments increasingly exists. What doesn't yet exist is regulatory convergence on what "acceptably private" means, and 2027 is approaching fast in Europe. The quadrant a jurisdiction chooses may matter more than anything the engineers build.


Source: Banca d'Italia, Quaderni dell'antiriciclaggio No. 35, "Engaging with Privacy Stablecoins: A Framework for Scalable and KYC/AML-Compliant Adoption," by Michele Manna, Financial Intelligence Unit for Italy (UIF), July 2026. The views in the paper are the author's own. Regulatory context on Tornado Cash and the EU AML Regulation is drawn from US Treasury announcements and public legal analyses. We focused on the paper's economic framework and compliance design rather than its full cryptographic treatment.

This article is for informational purposes only and does not constitute financial, investment, or legal advice.