KYC/AML Selective Disclosure

Declared ≠ verified

Satisfy KYC/AML requirements with per-attribute ZK proofs — no shared customer data. Book a 30-minute discovery call to see if Lemma fits your pipeline.

P4 · Regulatory Attribute Proof · Banking · Fintech · Cross-border payments · 4 min read

Are you still photocopying the same KYC packet for every bank, exchange, and counterparty? Every time PII crosses a border, does another team have to revalidate it against GDPR, the amended APPI, or local data protection laws?

"Share to demonstrate compliance" and "minimize data sharing" coexist inside the same regulation. Do you have a technical path that satisfies both at once?

This page is for

  • CCOs, KYC/AML leads, and DPOs at banks, fintechs, and crypto-asset service providers
  • Teams aligning to FATF Travel Rule, extraterritorial GDPR, the amended APPI, and FSA guidelines
  • Cross-border payments and crypto-asset onboarding teams stuck between PII transfers and data residency requirements
  • Architects who want to design around the breach radius of centralized KYC utilities
  • Security teams running DLP, SIEM, and existing KYC vendors who still want attribute verification cryptographically sealed

How Lemma approaches it

Lemma lets the institution that already performed KYC (the issuer) emit each customer attribute as an independent cryptographic attestation. Source documents — full address, date of birth, transaction history — stay under the issuer's control. What crosses to the verifier is a per-attribute ZK proof: "sanctions-list clear," "Japan-resident," "18 or older."

Without sharing the data, the attribute's authenticity, issuer, expiry, and the customer's consent become independently verifiable by the regulator, the receiving institution, and the customer. Data residency requirements and FATF Travel Rule alignment ride on top of this structure.

Where this attestation layer slots into your existing KYC/AML pipeline (Onfido, Persona, in-house screening) is what we map out in a first conversation.

Lemma Discovery Call — Start with a 30-minute conversation

Tell us where your current KYC/AML pipeline is duplicating work and where it's accumulating regulatory risk. We'll explore together whether Lemma's selective-disclosure layer could fit. No technical details or sensitive information required.

If we see a fit, we move to NDA and then into sector-specific regulatory mapping, reference architecture, and PoC design.


A real-world example: cross-border duplicate KYC

A mid-cap manufacturer's representative completed KYC at regional bank B two years ago — ID documents, residence record, tax certificate, work history, shareholder composition. To streamline inbound transfers from an overseas subsidiary, the rep opens a corporate account at city bank C. C asks for the entire packet from scratch.

Two problems. C re-verifies what B already verified — pure duplicate work. And PII that previously lived inside B alone is now also replicated inside C. The breach radius spreads, one institution at a time.

With Lemma, the representative simply presents the per-attribute ZK proofs that B issued at the time of original KYC. Source documents stay under B's control. C's systems hold only the verified attributes and their proofs. A year later, when the FSA audits C, every attribute can be cryptographically traced back to the original issuer within its validity window — without ever exposing the underlying PII.

Detailed attribute catalogs, FATF Travel Rule integration patterns, and audit response time estimates are shared in the sector-specific kit we send after the consultation call.

Architecture in concept

Lemma does not replace your KYC vendor or your customer management system. We add one cryptographic layer between the issuer (the institution that already completed KYC) and the verifier (the new institution or regulator).

Each attribute is issued as an independent proof carrying the issuer's signature, expiry, and a cryptographic record of customer consent. Verifiers check those proofs directly — they never receive the source data. Revocation and refresh status propagate in real time.

The attribute catalog design, FATF Travel Rule integration, and patterns for plugging into existing KYC vendors (Onfido, Persona, etc.) are detailed in the whitepaper and the post-call technical kit.

What Lemma cryptographically guarantees

  • Per-attribute issuer, issuance time, and validity window, plus the authenticity of each category (residence, age, sanctions, PEP, source of funds)
  • A cryptographic record of the customer's disclosure consent
  • No exposure of source PII (no personal data leaks from the attribute proofs)
  • Independent verification by the issuer, the receiving institution, and the regulator

Get Started

Ready to prove?

Talk to us about your use case. We respond within one business day.