
> That invariably means storing and verifying your govt issued ID.

I get the verifying part, but why is storing after the verification needed?



Record retention schedule for compliance. Auditors and regulators will come ask for it (or rather, a sampling demonstrating you are retaining the records).

(this is a component of my work at a fintech)


Any reason to not store a hash or something? Both you and the govt should have matching info on a person.


Because that is not the retention requirement unfortunately. I’d love for the US gov to allow identity proofing with Login.gov so we get a Boolean or tokenized response and that’d be sufficient (with the record of that response being our obligation to retain), we’re just not there yet.


That'd be great for everyone. A citizen would be able to view and revoke tokens.



