>There are no penalties for leaking users' data. Bad PR? Oh please, it won't hurt a company which is already universally hated.

Unlike credit bureaus (also hated), there's no moat for KYC providers. All you need is some AI model + humans to do the verification, and away you go. At best there's some compliance costs for soc2 or whatever, but not too pricey compared to the cost of a few programmers. There's definitely penalties for leaks/bad PR, as seen by discord cutting relationships with providers that turned out to have leaked data, or for Persona, seemingly bad PR.