KYC should really be renamed CYA (cover your ass), because it's borderline useless as a real security measure against determined threat actors. For anyone willing to commit fraud and/or identity theft, it would be relatively easy to "pass" a KYC process under an assumed identity, especially when no in-person/biometric verification is required.