Could still be done by re-incorporating companies in countries without kyc laws. And if fines for being breached get high enough, that's probably what would happen.
That would probably be bad for tax receipts though, so it's more realistic that there's an upper bound on infosec related fines
That would probably be bad for tax receipts though, so it's more realistic that there's an upper bound on infosec related fines