Hi L0la, great article. As someone with a bit of familiarity of AML and IDV systems at financial institutions I can assure you that IP addresses and device IDs are already collected and used widely (mainly to attempt to detect fraud rings, although loads of false positives from people who share devices). Banks balance the privacy constraints of GDPR with the stronger demands of their financial regulators (who are indeed influenced by Wolfsberg and FATF).