I agree what you say, the company that receives the KYC should be careful to check the incoming identity data, because if it is still like that, it is unfair to the person sending the real data.
But how exactly will they check these documents in the first place? Are they going to take them to the national passport agency and get everything verified?! this is a long and expensive procedure and they will not bother unless it is a big project like THEKEY