KYC regulations create honeypots. The actual failure isn’t that KYC exists — it’s that the mandate to collect never came with a mandate to protect.
IDMerit is a third-party identity aggregator, not a bank. No FFIEC oversight, no SOC 2 requirement baked into the regulation that required the data collection in the first place. You’ve created demand for a new class of high-value target with zero corresponding security baseline.
sylver_dragon’s point about CMMC-level auditing is right directionally, but the problem is structural: compliance frameworks like that are opt-in for the wrong industries. The companies building identity verification infrastructure for regulated industries aren’t themselves regulated to the same standard.
The design flaw isn’t ‘KYC is evil’ vs ‘companies nickel-and-dime on security.’ It’s that the regulatory chain stops at the bank and doesn’t extend to the third parties the bank outsources compliance to. You get the data aggregation without the liability teeth. That’s a policy gap, not just an ops failure.
This one is a mixed bag. KYC regulations are very useful in detecting and prosecuting money laundering and crimes like human trafficking. But yeah, if this data needs to be kept, the regulations around secure storage need to be just as tight. This sort of thing should be required to be kept to cybersecurity standards like CMMC Level 3, audited by outside auditors, and violations treated as company- and executive-disqualifying events (you ran a company so poorly you failed to secure data, so you’re not allowed to run such a company for the next 10 years). The sort of negligence of leaving a database exposed to the web should already result in business-crippling fines (think GDPR-style fines listed in percentages of global annual revenue). A database which is exposed to the web and has default credentials or no access control at all should result in a C-level exec seeing the inside of a jail cell. There is zero excuse for that happening in a company tasked with protecting data. And I refuse to believe it’s the result of whatever scapegoat techs they try to pin this on. This sort of failure always comes from the top. It’s caused by executives who want everything done fast and cheap and don’t care about it being done right.
I’m uninformed about this, but do KYC laws come into effect at some profit point, or are they globally enforced? I don’t see how any small business could possibly afford a 3rd-party audit, or how that would even scale. I agree it’s necessary, but logistically it seems problematic.
KYC thresholds vary by jurisdiction and institution type, but the short answer: in the US, KYC obligations under the Bank Secrecy Act apply to ‘financial institutions’ — a category that’s broader than banks but still defined. Crypto exchanges, MSBs (money service businesses), and broker-dealers are all in scope. A random small e-commerce shop selling widgets is not.
The audit burden you’re describing is real, but it mostly falls on the institutions that are in scope, not every business that ever touches money. The problem with the IDMerit breach is a layer removed: the banks were complying with KYC, and they outsourced the identity verification piece to a third-party aggregator. That aggregator (IDMerit) is not itself a regulated financial institution — so no FFIEC exam, no mandatory pen testing cadence, no breach notification timeline baked into their operating license.
The compliance chain stops at the bank’s front door. Everything behind that — the vendors, the data processors, the identity APIs — operates in a much softer regulatory environment. That’s the structural gap. CMMC-style requirements for third-party processors handling regulated data would close it, but that’s a different law than the one that created the data collection requirement in the first place.
Ah, makes sense it would be targeted towards banking and financial businesses specifically. Better pinch point than some random commerce. In that case audits would be less problematic, though I’m not sure why outsourcing this data is even an option with the current rules. It’s not like a business can be completely hands-off in the acquisition or processing of that info.
In a catastrophic security failure, an AI-powered tool used by IDMerit, a global leader in digital identity verification, has exposed a staggering one billion personal records
Didn’t it happen already that AI seriously compromised a production database? Will people ever learn?
This is genuinely grim
Nothing evil in preventing funding of criminals. GTFO with this sensational subject line.
PS. To clarify, because there is some confusion, I’m referring to OP using post title starting with: ‘If you had any doubts that Know-Your-Customer laws were evil,’
Criminals and scammers are going to have a great day with the personal info of the 1 billion people now.
Criminals also have a great time with knives, or rope, or crowbars. That’s not a reason to say all those things are evil. The problem is companies who nickel-and-dime on security.
If you gather all the ropes, crowbars and knives and then don’t stop the criminal from getting access, then it’s the gov’t’s fault. It’s better if they just leave all those private knives alone and don’t gather them in one spot.
You’re just confirming what I’ve written: the problem is companies who nickel-and-dime on security. And yes, we need punishments for data breaches. This has nothing to do with KYC laws being evil. It’s just OP being a money launderer.
So why don’t KYC laws come with punishments for data breaches?
If it’s only there to help law enforcement and not protect anybody else what do you call that?
I certainly don’t call that evil. There are many laws that exist solely to help law enforcement, they aren’t automatically evil.
KYC laws resulted in the personal data of a billion people leaking. Criminals and scammers will use this data to cause much harm.
Yes, I can condemn supporters of KYC laws for their incompetence and stupidity. This was obviously going to happen at some point. If you stockpile data, it eventually leaks.
And if you don’t collect that data, criminals and scammers will use free access to the banking system to fund their scams and crimes. Letting people drive cars will obviously lead to accidents and deaths; that’s not a reason to outright ban people from driving. Just like the risk of data breaches is not a reason to outright call KYC evil.
The Post Title Says “12M Aussies personal data leaked - and 1 Billion worldwide”.
That’s not really sensational, it’s two facts included in the article. Sensational would be “12m Aussies hacked” or something, implying something entirely different.
There’s no assertion from the article or the title that KYC shouldn’t happen - you seem to be imagining that.
However, if a service uses a third party to collect and store KYC data, then that third party needs to take reasonable steps to safeguard that data.
I have no issues with the article. I have an issue with the post which calls KYC laws evil. That’s what’s sensational (though maybe a different word would fit better).
PS. Oh, I see. You came from the recent cross-post at Australia. Observe that poster there used an objective title giving straight numbers. OP here used a completely different title.
Yeah my bad, I agree the title you saw is bullshit.