[Nextgrid]

From reading the other comments my understanding is that you need to keep the document itself, where as most KYC companies will verify the document (and potentially other factors such as credit history) but then discard it and only give you a pass/fail status code.

[bostik]

This is correct. Fintech (and gambling, which I am intimately familiar with) companies are required to keep the submitted KYC documents on file for several years from the last customer interaction/activity.

You can't even delete dud uploads. If a customer is involved in fraud or money laundering investigation, every document they have ever uploaded is evidence. So is the type, time and timing of different uploads: in fact, the uploading of a bad document is itself a valid and potentially valuable data point. Multiple uploads in tight sequence with duds in the mix? Hello...

The submitted KYC documentation is TOXIC. It is essentially an archive to impersonate customers. Hell, I consider the material so dangerous that we built a dedicated protection system to guarantee the fraud potential of our archive would be seriously limited even if the whole archive leaked[0].

0: https://smarketshq.com/shields-up-on-user-information-b7093f...