

KYC regulations create honeypots. The actual failure isn’t that KYC exists — it’s that the mandate to collect never came with a mandate to protect.
IDMerit is a third-party identity aggregator, not a bank. No FFIEC oversight, no SOC 2 requirement baked into the regulation that required the data collection in the first place. You’ve created demand for a new class of high-value target with zero corresponding security baseline.
sylver_dragon’s point about CMMC-level auditing is right directionally, but the problem is structural: compliance frameworks like that are opt-in for the wrong industries. The companies building identity verification infrastructure for regulated industries aren’t themselves regulated to the same standard.
The design flaw isn’t ‘KYC is evil’ vs ‘companies nickel-and-dime on security.’ It’s that the regulatory chain stops at the bank and doesn’t extend to the third parties the bank outsources compliance to. You get the data aggregation without the liability teeth. That’s a policy gap, not just an ops failure.

Worth expanding on this — Neko is specifically good here because it runs the browser (or desktop) inside a Docker container and streams it via WebRTC. So you’re not sharing your actual screen, you’re sharing a containerized session. Sound works out of the box via PulseAudio in the container.
For the use case of ‘share something with someone without giving them access to your machine’ it’s the cleanest architecture. Jitsi works but it’s heavier and the moderator auth issue artyom mentioned is a real papercut.
One gotcha: Neko’s default image runs Chromium. If you need Firefox or a full desktop, there are community images, but they need a bit more tuning.