I do not know enough about Know Your Customer (KYC) to be definitive about this, but legislation, regulation and industry guidance don’t usually state that documents have to be kept, but rather that there are adequate (risk-based) identity verification and recording processes in place to counter fraud, money laundering, etc.
Thus, for example, many employers believe they have to keep copies of people’s visas and passports to confirm someone’s right to work in the UK. But this is not a requirement from the Home Office if you read their guidance. The employer should undertake checks before employment commences, but there is no obligation to keep copies of everything seen, and in any case that becomes an increasing overhead to store, maintain and protect. A better solution would be to have a management-approved process that reviews the documents, assesses whether they are adequate, keeps a record of the process & outcome, and the IDs/dates/facts of the documents reviewed, and then deletes them securely. This reduces operational risk, and the risk to the data subjects themselves.
Unfortunately the Data Protection Act doesn’t prevent data breaches, data misuse, data ageing and use for purposes other than originally consented to.