I once had a dapp that KYC’d people through https://cognitohq.com and I didn’t have any of the data, just relied on cognito to tell me if the user passed or not. Are you saying that’s not ok in the current reg environment?
Is it because they need a known throat to choke? I worked in KYC for two years, and that seemed to be the primary reason. Assuming the fear is that people can KYC a wallet, then sell the wallet/pass the private keys to someone? Can't you do that with usernames and passwords as well though?
If you got subpoenaed for information, you most probably had a term with cognito which allowed you to ask them to provide info against a given identifier. You cannot say “oh no, we don’t hold PII but we KYC everyone”
I think the a16z blog summarizes things really well: https://a16zcrypto.com/privacy-protecting-regulatory-solutions-using-zero-knowledge-proofs-full-paper/
bottom line: there’s no clear reg requirement for KYC’d DeFi rn. if there was, uni and aave would be doing it. they’re fighting the good fight. MiCA is ~a year to enforcement. when reg comes hopefully it will be aligned with progress in ZK. but vendors like this (and some) are creating fud
You could login and view the data, right? That part shouldn’t exist. The baseline need is upon subpoena