A US Globally Systemically Important Bank — a G-SIB, in the supervisory dialect — spends somewhere between $200 million and $400 million per year on its stress-testing programme. The number includes the modeling group, the data ingestion infrastructure, the model risk management function, the internal audit dependency, the Big Four review, and the regulator-facing submission machinery. The output is a multi-thousand-page submission to the Federal Reserve under CCAR (now DFAST under the 2024 regime), describing how the bank's capital ratio would behave under nine quarters of a defined stress scenario.
The Federal Reserve then reproduces the calculation, partially, using its own models and the data the bank has submitted. Where the regulator's number diverges from the bank's, a remediation cycle begins. The cycle can last another full year.
It is the most expensive performance of supervisory verification in modern finance, and almost none of it is mathematically verified. It is theater — well-rehearsed, well-funded, professionally produced theater of trust. Strip the performance away and what remains is a regulator asking a bank for a number, and a bank asking the regulator to trust the people, the process, and the auditor's signature beneath that number.
What is actually verified
Inside the bank, three things are checked.
The modeling group runs the bank's internal stress-loss models on the bank's portfolio data under the supervisory scenario. Outputs are validated by the model risk management (MRM) function, which reviews each model against the SR 11-7 standard. Final aggregates are reviewed by internal audit, which samples calculations and traces a small number end-to-end.
The Federal Reserve's supervisory team reviews the submission and runs its own independent DFAST (supervisory) model on the bank-submitted data. The two numbers are compared. Where the bank's CET1 ratio is materially different from the supervisor's CET1 ratio, the bank is asked to explain, recompute, or revise.
None of these reviews is a mathematical verification of the computation. Every one is a sampled human review with disclaimers.
Big Four firms — KPMG, Deloitte, PwC, EY — provide the attestation infrastructure on the bank side, and their teams have built sub-practices specifically around CCAR / DFAST attestation. The attestations are signed under the standard auditing standards (PCAOB AS 5, AICPA SSAE 18). They say, with the usual qualifications, that the bank's process is consistent with the documented methodology. They do not — cannot — verify that the methodology was applied correctly across the full portfolio. The data volume is wrong by three orders of magnitude.
What zkDB would change
A zero-knowledge database wrapping the bank's general ledger and risk data would let the bank do the following at every stress submission:
- Commit publicly to the dataset. A 32-byte cryptographic fingerprint of the bank's submission-eligible portfolio is published on a public bulletin board (could be a private append-only log signed by the Federal Reserve, or a public chain, or both). From this moment, the bank cannot retroactively alter rows without invalidating every subsequent proof.
- Submit the CET1 ratio (or any other supervisory aggregate) with a proof. The proof is a 38-kilobyte file. It attests that the submitted number is the exact computation of the published methodology on the committed dataset.
- Allow the regulator to verify in under 50 milliseconds. No supervisory model rerun is needed for the arithmetic of the submission. The math is checked by the math.
The supervisory function does not disappear. It moves. The Federal Reserve's team no longer needs to recompute. It now does three things that are actually appropriate to its role:
- Methodology review. Is the bank's loss model correct? Is the scenario being applied properly? This is judgment, not arithmetic — exactly where supervisory expertise belongs.
- Spot-checks at the edges. Sample specific portfolios for which the bank's commitment ceremony might have excluded data. This is the equivalent of audit attestation today, but with a much smaller scope.
- Trend supervision. Is this bank's CET1 ratio behaving the way it should, year over year, scenario over scenario? Are the explanations of variance consistent? This is where supervisory pattern recognition shines, and where it currently gets crowded out by arithmetic disputes.
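The commitment step and the row-level spot-check described above can be illustrated with a plain Merkle tree. This is an added example, not zkDB code: the page does not say which commitment scheme is used, so SHA-256 Merkle hashing, the row layout, and every function name here are assumptions, and the zero-knowledge proof of the aggregate itself is not shown.

```python
import hashlib, hmac, json

def _h(prefix: bytes, data: bytes) -> bytes:
    # Distinct prefixes for leaves (0x00) and interior nodes (0x01) stop a
    # leaf from being passed off as an interior node.
    return hashlib.sha256(prefix + data).digest()

def leaf_hash(row) -> bytes:
    # Canonical JSON so the same row always hashes to the same 32 bytes.
    return _h(b"\x00", json.dumps(list(row), separators=(",", ":")).encode())

def _levels(rows):
    if not rows:
        raise ValueError("cannot commit to an empty dataset")
    level = [leaf_hash(r) for r in rows]
    levels = [level]
    while len(level) > 1:
        nxt = [_h(b"\x01", level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # promote the unpaired node unchanged
        level = nxt
        levels.append(level)
    return levels

def commit(rows) -> bytes:
    return _levels(rows)[-1][0]  # 32-byte fingerprint of the whole dataset

def inclusion_proof(rows, index):
    proof = []
    for level in _levels(rows)[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))  # (hash, sibling is left)
        index //= 2
    return proof

def verify_inclusion(row, proof, root) -> bool:
    node = leaf_hash(row)
    for sibling, is_left in proof:
        node = _h(b"\x01", sibling + node if is_left else node + sibling)
    return hmac.compare_digest(node, root)

# Constructed sample rows: (position_id, asset_class, exposure_cents, pd_bps)
ROWS = [("P-0001", "CRE", 125_000_000_00, 180), ("P-0002", "C&I", 40_500_000_00, 95),
        ("P-0003", "CARD", 3_250_000_00, 410), ("P-0004", "RESI", 78_000_000_00, 60),
        ("P-0005", "AUTO", 9_900_000_00, 220)]
ROOT = commit(ROWS)  # the value that would be published before submission
```

A supervisor holding only `ROOT` can run `verify_inclusion` on any sampled row and its proof; a row edited after publication no longer verifies.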
What the bank saves
The hard savings are obvious. The arithmetic-dispute cycle disappears. The remediation cycle compresses from a year to weeks. The Big Four attestation scope contracts, materially — they sign that the methodology and commitment ceremony are correctly executed, not that the arithmetic of millions of position calculations is correct.
The bank's MRM team continues to validate the models. That is necessary, expensive, and unaffected. But the bank's data engineering, internal audit, and Big Four attestation work in support of CCAR / DFAST contracts substantially.
Conservative single-G-SIB estimate, drawn from CCAR programme cost benchmarks publicly disclosed in 2023 SEC filings of Big Four firms and large bank shareholder letters: a 25–40% reduction in stress-test programme cost within three submission cycles of integration. At a $300M annual programme, that is $75–120M per G-SIB per year. With 33 G-SIBs globally, the addressable saving is in the range of $2.5–4B annually, before counting the second- and third-order effects on supervisor staffing, regulatory cycle time, and capital-allocation feedback into bank planning.
We are not yet pricing engagements. We are saying the math works.
What the regulator gets back
The Federal Reserve does not lose oversight. It gains the thing it has been missing.
Today, the supervisor consumes detailed firm-level data, becomes a data custodian, absorbs the data-protection liability that custody implies, and runs a parallel modeling exercise it cannot afford to scale.
In a verifiable submission regime, the supervisor receives the aggregate, the proof, and a hash of the underlying data. The supervisor's breach surface contracts, because the supervisor no longer holds golden copies of position-level data. The supervisor's staffing leans toward methodology and trend analysis rather than arithmetic reconciliation — work that is more supervisory than supervisory work has ever been.
The same logic applies, with minor modifications, to:
- Basel III/IV LCR, NSFR, leverage ratio submissions
- MiFID II transaction reporting
- EBA stress tests in the EU
- FFIEC Call Reports
- OFAC sanctions screening attestations
- AML transaction-monitoring effectiveness reporting
- FATCA / CRS cross-border tax reporting
Each is a context where a supervisor consumes detailed data because the alternative is to trust the firm's word. Each becomes a zero-knowledge submission of an answer and a proof.
The objection we hear most
A senior risk officer at a US G-SIB asked us, in a recent briefing: "This is interesting. Why isn't the Fed asking for it?"
The honest answer is: the Federal Reserve, like most regulators, builds its supervisory infrastructure on what the regulated entity can supply. The bank supplies what the bank supplies. The supervisor takes it. The supervisor does not yet ask for cryptographic submission because no bank has yet offered one as a credible alternative, and the supervisor would not know what to do with it if a bank did.
The window is short. The first G-SIB to publish a verifiable CCAR pilot — even on a synthetic portfolio, even with one or two non-controversial submissions — will shape what the supervisor expects of every other bank by 2030.
The institutions that move first will set the standards everyone else inherits. We have made this point before. It applies here more sharply than anywhere else in the regulated economy.
What to do next
If you are a CRO, CFO, or Head of Regulatory Reporting at a regulated bank, request a briefing. The conversation is confidential. The first session is technical. Most briefings do not become engagements — that is the discipline of the firm. If zkDB is the wrong tool for your stress-testing problem, we will say so.
If you are at a supervisory authority — Federal Reserve, ECB, BoE, Bundesbank, Swiss FINMA, Singapore MAS, HKMA — we would welcome an off-the-record technical conversation. We are not advocating any specific regulatory move. We are documenting what becomes possible.
Further reading
- What is a zero-knowledge database — the concept primer.
- The trust topology of a zkDB — who needs to trust whom, before and after.
- Capabilities — Financial Services — what an engagement at a regulated bank actually looks like.


