IDK about that. I did say "somewhat common." It emerges in some circumstances.
GDPR is a decent example. The minimum level of privacy required by GDPR is now the standard required whenever standards are required. EG banks, regulators and such now expect you to have as little privacy as GDPR allows. Everything allowable under GDPR is now semi-mandatory for KYC.
Privacy/data related regs really have this kind of tendency. If you must destroy records after X years, this often develops into a mandate to keep records for x years.
GDPR is a decent example. The minimum level of privacy required by GDPR is now the standard required whenever standards are required. EG banks, regulators and such now expect you to have as little privacy as GDPR allows. Everything allowable under GDPR is now semi-mandatory for KYC.
Privacy/data related regs really have this kind of tendency. If you must destroy records after X years, this often develops into a mandate to keep records for x years.