Regulated financial services must also store the documentation and results for how they verified a user's identity, too. This involves talking to third parties that can tell you if a given user's name matches their tax identifiers, street addresses, phone number, et cetera.

Anyone competent is storing both their requests to those external APIs, as well as those responses, for the entirety of the recordkeeping requirement period.