The announcements came fast this week. eToro would become an Identity Provider on Midnight. Then MoneyGram completed their integration as an identity oracle. Two financial giants, both choosing to build on a network that hasn't even launched yet. The headlines wrote themselves: privacy meets compliance, institutional DeFi is here, the future has arrived.
I read them the same way I've read every announcement in this space for the last five years. With genuine interest, but also with a question that never seems to get asked until after something goes wrong. eToro and MoneyGram will issue credentials. Users will prove they're verified without revealing their data. Regulators will have viewing keys to audit what they need. That's the architecture. That's the plan.
Here's what I haven't seen anyone ask. When a regulator uses a viewing key to audit a transaction on Midnight, and they find something that shouldn't have happened, who is responsible? The user who initiated the transaction? The Identity Provider who issued the credential? The validator who processed the block? The developer who wrote the contract?
This is not a theoretical question. Every major financial infrastructure project eventually faces it. The architecture of selective disclosure works beautifully until the moment something breaks. Then the question becomes: who explains to the regulator what happened, and who faces the consequences if the explanation isn't enough.
I think about this differently now than I did a year ago. Midnight is not launching as a experiment. It's launching with MoneyGram, with eToro, with Google Cloud and Vodafone. These are not crypto-native startups testing a hypothesis. They're regulated institutions with compliance teams, legal liabilities, and reputations to protect. When they commit to running nodes and issuing credentials, they're not making a philosophical statement about decentralization. They're making a business decision about where to put operational risk.
The viewing key system is elegant. The holder of the key can decrypt specific details. Regulators get what they need. Users keep what they own. But elegance in cryptography does not automatically translate to clarity in liability. If a regulator audits a transaction and finds evidence of non-compliance, the cryptographic proof tells them what happened. It does not tell them who is accountable.
In a truly decentralized network, the answer is often nobody. That's the point. But Midnight is not building a truly decentralized network at launch. It's building a federated network with institutional node operators. Those operators have legal obligations. Their obligations don't disappear because the transaction data is encrypted. If anything, they become more complex.
I keep coming back to the same tension. The Identity Provider issues the credential. The user holds the credential. The application requests a proof. The network verifies the proof. The regulator holds a viewing key. Every piece works independently. But when something goes wrong, the pieces don't naturally point to a single source of accountability.
This is not a criticism of Midnight. It's a question about how any network that bridges crypto and regulated finance will need to operate. The technology is solving the data problem. Who is solving the liability problem?
The announcements this week were historic. Two major financial institutions choosing to build on a privacy-first blockchain before mainnet is something the industry has been waiting for since Bitcoin launched. But historic announcements don't answer the hard questions. They just make the questions more urgent.
When mainnet opens in three days, the first transactions will be tests, experiments, proofs of concept. That's the right way to start. But at some point, real money will move. Real credentials will be issued. Real regulators will use real viewing keys. And someone will need to explain what happened, who authorized it, and who is responsible if something went wrong.
I want to know how Midnight answers that before the first real audit, not after.