I talked to a lot of KYC/AML "providers" at the BtcMiami conference. They are all pitching their cool solutions (some of them really cool - such as apps with face recognition, connected to driver license DBs in the US, etc.). $3-$10 per person.
The hardest questions none of them could answer:
- what guarantee do you have that your solution is compliant? There is none, because no one has these guidelines/policies to match. There are AML regulations for financial institutions, but they are totally different
- they store your data on their servers, no certification of security compliance and probably illegal in most countries due to collision with their privacy terms
- where and how did they obtain blacklists / databases of private personal data? I bet there is no way a DB for face recognition of US citizens can be given to a "blockchain" company
Hopefully it helps.
And to answer (2) - if your project passes Howey and has all the ingredients of utility, such as immediate use in the platform - you actually don't need KYC/AML. But it's still a gray area, because it's not a black and white test, and it all depends on the wording and the experience of your legal team.