[boldfield]

I worked for a financial services related startup for a while and was involved in implementing KYC/AML protections and AFAIK there isn't any relation between this and those laws. KYC is simply identifying your customers (nothing related to what they are doing) e.g. drivers license info, home address, etc. AML has to do with financial instruments passing through a business' account from customer (a) to customer (b) (in some cases (a) and (b) being the same individual). Given they are processing subscriptions here it seems far more likely that this is somehow related to RIAA/MPAA, or at least a fear of said groups.

[dogma1138]

It's not about onboarding/general KYC since this isn't about end users.

Paypal does it's own risk assessment for business partners, what I'm pretty sure this is is a simple "classification" case.

Paypal classifies the type of business you are and if you belong to certain types of businesses they put some requirements on you based on regulations and their own internal requirements usually produced by their legal department.

Paypal has probably seen what happened to file sharing websites like Mega and if you are tagged as a file sharing service they want to ensure that you do everything to prevent it being used for piracy, including being able to audit it themselves and to be able to either put pressure on you or cut off their services if they think they are at too much of a risk.

Now I understand that Seafile isn't anything like Mega but It's also not exactly on the scale of dropbox this also means that most likely no one at Paypal really knows what it is, or where they are heading business wise and so they just stick some additional requirements on them.

Also (this is true for 2-3 years ago, I don't know if it is still the case) filesharing websties and other sites that you can buy "premium currency" such as various online games, vidoe chat apps (usually porgnography) etc. are the main source of fraud for compromised accounts as far as Paypal goes this on it's own can bring on additional requirements from Paypal.

[ckastner]

KYC is simply identifying your customers

That's the minimum, but it's certainly not all there is to it.

Know Your Customer really means know your customer.

As one of many practical examples, when dealing with a legal entity such a trust, merely identifying its officers is insufficient -- you must also identify the beneficial owner (BO). Effectively, this means that you have to look through all possible shell companies until you arrive at a natural person.

[kolbe]

I don't know if you want to advertise lack of enforcement so loudly. Your practices would leave you to vulnerable to litigation if one of your customers were laundering money or committing crimes through your service. You've done enough to survive an audit if there have been no issues, but you'd be found negligent if there are.

[Zancarius]

To be fair, boldfield did say "worked for ... for a while" which implies they're no longer with the company (which might be a story in its own right). Still, it's good advice for others chiming in who may presently be in the same position.