>There are no penalties for leaking users' data. Bad PR? Oh please, it won't hurt a company which is already universally hated.

Unlike credit bureaus (also hated), there's no moat for KYC providers. All you need is some AI model + humans to do the verification, and away you go. At best there's some compliance costs for soc2 or whatever, but not too pricey compared to the cost of a few programmers. There's definitely penalties for leaks/bad PR, as seen by discord cutting relationships with providers that turned out to have leaked data, or for Persona, seemingly bad PR.

KYC stuff is something that no one wants, everyone hates and something that everybody is forced into from both sides: users and companies

Is this accurate? I’m sure there are significant portion of people with a ‘if you have nothing to hide’ attitude. Companies also don’t care as long a it makes them money.

That's a model that works with SpaceX, which holds a unique grip on American orbital launch capability and capacity; less so for Anduril, which has been rather unsuccessful so far in its big-ticket drone-warfare efforts but has, to its credit, diversified key defense manufacturing areas by jumping into, e.g., SRMs; and possibly not at all for Palantir, which doesn't do anything a copy of Neo4J doesn't. And there's a real question regarding their ability to continue, post-DJT, holding security clearances given their personal lives and behaviors, their contacts with foreign officials, and whether they had derogatory information on other clearance holders that they did not bring forward.