The KYC Fallacy

Imagine you are standing at a busy city intersection during rush hour. Cars stretch out in every direction, barely moving. From where you stand, what do you actually know about the vehicles and the drivers? Almost nothing.
You might assume every driver has a valid license, proper insurance, and is allowed to operate the vehicle they are in. But is that always true?
In most cases, drivers do go through training and testing to get a license. They usually renew it on a schedule, sometimes with additional testing. Yet in a long line of thousands of cars, some drivers will have expired licenses, suspended licenses, or the wrong type of license for the vehicle. A few might be driving without any license at all. The percentage is small, but in a huge pool of commuters it adds up to real numbers.
So how would you fix this problem?
You could require an onboard system, like the one Korben Dallas used in the movie The Fifth Element, that checks whether the driver is still legally licensed. But what if the person has a standard car license and is driving a truck or bus that needs a different endorsement? What if the vehicle is stolen or only borrowed temporarily?
The system could connect to a central database that links legal drivers to specific vehicles. Fleet managers, rental companies, and private owners would update permissions for temporary use.
What if the vehicle is stolen and the system has been disabled or bypassed? Then you would need city-wide cameras that match drivers to vehicles and flag anything suspicious. Add another database, plus AI monitoring, for constant enforcement.
What about impaired drivers? Install ignition interlocks to stop drunk driving. But what if someone bypasses the device, or the driver is impaired by medication or a medical issue? You would then need active driver-monitoring cameras that can pull the vehicle over if the person seems unfit. Of course, that raises new questions: how does the system react when someone is fleeing a storm or an attacker?
Even if the driver is properly licensed, legally allowed to operate the vehicle, and obeying every traffic law, problems remain. What if the person is committing a crime, carrying illegal items, or planning harm? All the earlier checks failed to stop it. So now you add constant GPS tracking, ALPRs, AI behavior analysis, and maybe random inspections at every red light. And on and on it goes.
This may sound like an over-the-top analogy, but it closely mirrors the current regulatory mindset. The idea is that adding KYC (Know Your Customer) checks everywhere will prevent crime and protect society. In reality, that belief could not be further from the truth.
"Papers, Please"
"You have to show an ID to buy adult products like booze, so why should accessing adult information online be any different?"
We hear this argument far too often. It sounds logical at first, but it is a false equivalence.
Showing your ID to a clerk in person is a quick, in-the-moment interaction. Once you walk away, it is over. No permanent record is created.
Uploading or sharing a digital copy of your ID online is completely different. That copy can be stored, copied, shared, or stolen by hackers months or even years later.
Globally we are seeing a wave of regulations that aim to control access to the internet. These include age verification requirements for social media or adult content. On the surface this seems reasonable to keep minors away from inappropriate material. However, it quickly turns into age verification for everyone because there is no reliable way to check only minors.
Solutions range from uploading a government ID with a live facial scan to using a credit card for age checks. They all lead to the same problem: they get hacked.
In Q4 2025 we saw the first major reports of such breaches. It was reported that government ID photos of about 70,000 global users of Discord were exposed. One would hope this would clearly show the risks, but the push for these systems continues. Discord responded by changing vendors and continues testing different solutions involving facial age estimation and document-based verification.
The end result is still the digital collection of sensitive personal information that can be stolen by bad actors. On top of that, it can be shared with authorities, leading to the tracking of ordinary internet users.
Now we are also seeing regulations that require age verification to download apps on mobile devices, or even to read the news online in case a minor might see something inappropriate. Some rules go further and demand age checks just to use any operating system. Because many of these laws are written so broadly, they end up applying not only to phones and computers but also to servers, calculators, and basically anything that runs an operating system.
This does not even touch on the many countries whose national ID systems have already been hacked. Examples include France in April 2026, where millions of identities were exposed, as well as breaches in Estonia and India. If governments want to rely on Digital IDs for age and identity checks, one would expect them to use the strongest security and best practices available.
KYC in Practice: The Bank Secrecy Act
Modern banking uses many of the same approaches in an attempt to stop bad actors from using legitimate financial institutions. Starting with the Bank Secrecy Act of 1970 (BSA) and layers of additional rules added over the decades, Americans now have very little financial privacy. Key requirements include:
- Customer Identification Program (CIP): Verifying identity when opening an account.
- Customer Due Diligence (CDD): Understanding customer relationships and assessing risk.
- Suspicious Activity Reports (SARs): Filing reports with FinCEN on anything that looks suspicious.
- Currency Transaction Reports (CTRs): Reporting every cash transaction over $10,000.
The financial industry spends about $59 billion per year on compliance and files roughly 28.7 million reports annually. Surely this massive effort has reduced crime, right?
It's questionable. Those reports triggered only about 275 criminal investigations, while an estimated $3.1 trillion in illicit funds still flowed through the global financial system in 2023. After more than 50 years of tightening rules, the impact on actual crime remains questionable.
The core problem regulators keep missing is simple: criminals do not follow the rules. They steal real identities or create synthetic ones to bypass the system entirely. ProPublica documented this in detail in "How Foreign Scammers Use U.S. Banks to Fleece Americans".
Australia’s Under-16 Social Media Ban
Australia passed a law on 10 December 2025 banning anyone under 16 from having accounts on major platforms including TikTok, YouTube, Instagram, Facebook, X, Snapchat, Reddit, Threads, Twitch, and Kick. Tech companies face fines of up to $49.5 million AUD for failing to enforce age verification, while children and parents face no penalties.
Six months later, how is it working? According to the New York Times, “most indications are that the law has largely failed at keeping young teens off the platforms.”
In a fast-moving world that rewards adaptability, KYC acts like a blunt instrument. It is a perfect example of Maslow’s hammer: when your only tool is a hammer, every problem looks like a nail. It applies a rigid, one-size-fits-all solution without truly understanding the problem it is trying to solve.
Why This Matters
The traffic jam at the beginning of this article is not just an analogy. It is the daily reality KYC creates for ordinary people. Every extra check adds friction, cost, and surveillance while determined bad actors simply drive around the system.
KYC is no longer limited to banking. The Federal Communications Commission is now considering similar requirements for telephone subscribers to reduce spam calls. Around the world, we see proposals for age verification to access the internet, along with new rules that could apply to privacy tools such as VPNs and end-to-end encrypted services.
The belief that KYC can determine intent, or that adding more regulations will solve the perceived problems, ignores the tools that are already available to parents globally. Most software and hardware already include some form of parental controls, which are often ignored. Adding regulations can't solve that problem.
Real safety comes from targeted enforcement, personal responsibility, and smart rules, not from forcing everyone to prove they are innocent before they can participate in normal life.
Remember: we may not have anything to hide, but we have everything to protect.
