
Your regulation-compliant KYC is not enough to protect customer data

By Konstantin Bulatov, Ph.D., CTO of OCR Studio

KYC (Know-Your-Customer) is no longer just about convenience and conversion. In today’s environment of unprecedented digital fraud, it has become the first and most important line of defense against criminals. Effective KYC should protect businesses from multimillion-dollar losses and the many forms of fraud-related abuse.

What are the main reasons behind the rapid growth of fraud attacks targeting KYC procedures and customer onboarding? Among them is the constant leakage of users’ personal and financial data. Terabytes of leaked user data usually do not simply stay unused on hackers’ computers – they are exploited to the fullest. Some of the personal information can be used for account takeover, some can be sold on the dark web, where other criminals always find their own use for it, and some can be repurposed to enhance AI models that fraudsters use to create high-quality fake documents.

Even the most trusted institutions are not immune to data leaks. Consider one of the latest cases of the year: ANTS, the official French government agency responsible for issuing administrative documents, detected a security incident that may have involved the disclosure of data from private and professional accounts. The leaked information reportedly contained identification data such as login ID, full name, citizenship, date of birth, email address, and more. According to France Info, up to 10 million accounts were affected in total.

Constant leaks of personal and financial data fuel the growth of fraud and even give rise to new fraud schemes that undermine the foundations of customer onboarding. And, as this case shows, even the most regulated public bodies that citizens are expected to trust can become a target. This raises an uncomfortable question: is regulatory compliance really sufficient to protect customer data?

Latest Interpol assessment as a warning shot

This question becomes even more pressing once the scale of the problem is taken into account. On March 16, 2026, Interpol published an analytical report with a global threat assessment of financial fraud. According to the organization, financial fraud has become one of the five most widespread criminal threats – in 2025 global losses reached $442 billion. From 2024 to 2025, the number of financial fraud notifications in Interpol’s system increased by 54%, and in Europe alone the increase was 69% – the highest of all the regions considered. At the same time, 77% of global business leaders reported rising fraud in 2025.

Among the most common types of financial fraud, Interpol highlights impersonation, fraudulent use of personal data and identity documents, and payment fraud – these schemes often involve forged documents. One of the key drivers of growth in financial fraud has been the development of LLMs and AI agents. Schemes using such technologies are on average 4.5 times more profitable for fraudsters than traditional ones, and their improvement directly depends on the number of identity documents that end up being leaked.

We see that financial fraud has become high-tech, cheap, scalable and transnational. A significant share of attacks are carried out under the control of organized crime networks, and the constant leaks of citizens’ identity document images provide raw fuel for underground factories producing forged documents. So what response does the industry give to such a global problem?

The industry response is too comfortable

The prevailing model in today’s KYC market is built around collecting, storing, and transmitting sensitive customer data – and that is precisely what makes data leaks possible on the scale we are seeing today. Those breaches feed the production of forged documents, and those forged documents are then used to attack the KYC systems that are supposed to stop fraudsters. In other words, the model meant to protect businesses from fraud is also helping fuel it.

The KYC market has become too comfortable with the idea that sensitive customer data can be stored or transferred. For years, the industry has treated these high-risk architectures as an unavoidable part of identity verification and focused mainly on regulating these practices rather than questioning them. That approach now looks outdated. If data transfer itself creates the risk surface, then the real task is not to govern it more tightly, but to build technologies that no longer require it.

To understand our point better, take the key players in the identity verification market and look at what they call data security standards compliance. You will most likely see the same five frameworks listed: SOC 2, ISO/IEC 27001, ISO/IEC 27701, GDPR, and PCI DSS.

Let’s go through them in order. SOC 2 by AICPA (American Institute of Certified Public Accountants) is a framework built on five Trust Services Criteria: Security, Availability, Processing integrity, Confidentiality, and Privacy. The Security principle, in particular, is about protecting information from unauthorized disclosure. However, even data protected in the most stringent manner can still be leaked once a fraudster finds a way to bypass the security layer. Meanwhile, the Confidentiality and Privacy principles state that customer data must be transmitted and stored safely – yet many major data breaches have occurred on the side of organizations that previously claimed their data transmission and storage were completely “safe”.

ISO/IEC 27001 and 27701 are closely related international standards developed jointly by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission). In simple terms, ISO/IEC 27001 is about managing information security in general, while ISO/IEC 27701 adds a privacy-specific governance layer around PII (Personally Identifiable Information). Similarly to SOC 2, these ISO/IEC frameworks mainly set requirements for how user data has to be protected. They also limit access to user information, regulate cloud-based data processing, and require data encryption. In other words, a vast set of rules designed to regulate a practice, the storage and transfer of user data, that, at the current level of technological development, could be avoided altogether.

Next, the General Data Protection Regulation, or GDPR, is the European Union’s main data protection law. The regulation is built around key principles such as data minimization, storage limitation, and transparency. Nevertheless, GDPR’s data minimization principle still implies that data is collected, limits on data retention still imply that it can be stored, and rules governing transparent data transfer still imply that your customers’ data may be transmitted to third parties.

Last but not least, PCI DSS (Payment Card Industry Data Security Standard) is the payment industry’s main security standard developed by the PCI Security Standards Council. The framework was created to enhance financial information security and applies to entities that store, process, or transmit cardholder data or sensitive authentication data. Like the other frameworks above, PCI DSS regulates exposure rather than supporting the technologies that remove the need for data storage and transfer. It requires organizations to limit cardholder data retention and encrypt stored PAN (Primary Account Number), but these protections still assume that financial data may be handled or transmitted in the first place.

Taken together, these standards make one thing clear: the industry has spent years refining the rules for high-risk architectures instead of moving technological progress in the direction of entirely local data processing. Storing customer information, sending it to a server, and then calling the whole process secure under the right controls is already the market default. The genuinely progressive direction is verification without any data transfer at all – that is, in our opinion, where the next generation of KYC should begin.

Toward the next generation of identity verification

If the weaknesses of server-based KYC are already well understood, can we reshape the identity verification market so that sensitive customer data no longer has to leave the user’s device? Not better-regulated versions of the same high-risk architectures, but a technological shift toward entirely local data processing will define the future of identity verification.

Deploying an OCR system for remote KYC directly on the end user’s device is achievable, but extremely challenging. That is why many vendors still rely on cloud infrastructure, external servers, or even crowdsourcing platforms to compensate for weaknesses in their recognition technologies. One of the most effective ways to build an on-device architecture is to rely on ultra-lightweight, highly optimized neural networks. OCR Studio, for instance, has chosen this approach because of its strong speed and performance characteristics. Such solutions can run directly on the user’s device while performing a wide range of anti-fraud checks, including deepfake detection. This approach complies with all listed frameworks and at the same time truly protects businesses from vendor-side data breaches.

On-device verification works nearly instantly, does not depend on a stable internet connection, and is not exposed to delays, outages, or other failures on the side of a cloud provider or external server. In that sense, it is not merely a safer architecture, but a better-performing one. The same applies to selfie-to-ID verification: there is no technical need to store biometric data or rely on external computing resources in order to match a real-time selfie of the user against the document holder’s photo and prevent fraudsters from opening accounts with stolen identities.

One could argue that, in some cases, data retention is required by law, including for AML (Anti-Money Laundering) purposes. In practice, however, through this requirement regulators are trying to preserve traceability, evidentiary value, and the ability to reconstruct transactions. Yet none of this necessarily means that identity verification must be built around storing raw document copies and transmitting sensitive customer data to servers. If next-generation technologies can provide the same level of verifiability with less storage and less transfer, then that is the direction in which the industry should evolve.
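The architecture argued for above, as an added illustration rather than OCR Studio’s code or any product’s actual implementation: the document check result and the selfie-to-ID score are constructed inputs, and the only thing that leaves the device is the outcome plus salted SHA-256 commitments of the identity fields (an assumed design). The server can later reconfirm a re-presented document for AML traceability without ever having stored the raw data, and a pre-transmit check catches a record that would leak a raw field.

```python
import hashlib
import json
import os
import time

# Field names that must never leave the device in raw form.
# Constructed for this illustration; a real deployment would derive the
# list from the document schema it recognizes.
PII_FIELDS = {"full_name", "document_number", "date_of_birth", "citizenship"}


def commit(salt: bytes, name: str, value: str) -> str:
    """Salted SHA-256 commitment of one identity field (assumed design)."""
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).hexdigest()


def on_device_verify(doc_fields, doc_check_passed, face_match_score,
                     match_threshold=0.8, salt=None):
    """Runs entirely on the user's device. doc_fields are the locally
    OCR-extracted values, doc_check_passed the local forgery/deepfake check,
    face_match_score the local selfie-to-ID score (all constructed inputs).
    Returns (record, salt): only the record is transmitted; the salt stays
    with the user or device so the document can be re-presented later."""
    salt = salt or os.urandom(16)
    passed = doc_check_passed and face_match_score >= match_threshold
    record = {
        "outcome": "pass" if passed else "fail",
        "face_match_score": round(face_match_score, 2),
        "verified_at": int(time.time()),
        "commitments": {k: commit(salt, k, v) for k, v in sorted(doc_fields.items())},
    }
    return record, salt


def leaks_pii(record, doc_fields) -> bool:
    """Pre-transmit data-minimization check: a PII field name at the top
    level of the record, or any raw field value anywhere in the serialized
    record, means the record must not be sent."""
    wire = json.dumps(record)
    return any(k in record for k in PII_FIELDS) or any(v in wire for v in doc_fields.values())


def reconfirm(record, salt, doc_fields) -> bool:
    """Server side, for traceability: the holder re-presents the document and
    salt, and the server checks every committed field matches, without the
    raw fields ever having been stored on the server."""
    committed = record["commitments"]
    return set(committed) == set(doc_fields) and all(
        committed[k] == commit(salt, k, v) for k, v in doc_fields.items())
```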

It is time to move beyond server-based KYC

The KYC industry has started to mistake managed exposure for genuine security, and that is exactly why we need a new technological and regulatory direction. It is time for identity verification vendors and regulators to do something more ambitious than refining the same familiar controls around data storage and transfer. We need new standards designed to accelerate the shift toward autonomous KYC architectures, where sensitive customer data can be verified without leaving the user’s device.

KYC services which transfer and store ID information are the current state-of-the-art. Autonomous on-device technologies that do not need to transfer that data at all are the future.

About the author

Konstantin Bulatov is a scientist and Chief Technology Officer of OCR Studio, where he has led the development and implementation of advanced OCR technologies. He has designed a method for optimizing object recognition in video streams, which has improved the accuracy and efficiency of real-time OCR systems. Under his direction, OCR Studio develops secure on-device programming solutions that address diverse industry needs and contribute to advancements in the field.

Konstantin is an IEEE Senior Member; he has authored multiple patent applications and published his research in prominent academic conferences and journals. His work emphasizes innovative approaches to developing high-performance recognition systems, reinforcing OCR Studio’s position as a significant contributor to the global technology landscape.
