Users create an account, go through KYC, and add funds via a debit card.
When a user creates an account they provide a seed phrase, and this can be used to generate a hierarchical deterministic (HD) wallet.
Why would they provide a seed phrase that's pretty risky to share a seed online or to any exchange users should only provide a public key address, not the seed phrase only the owner should know the seed phrase because if someone knows it they also have full control of their wallets. How can users trust you if you ask for a seed phrase that's too risky there is no exchange that asks for a seed phrase.
Most exchanges store the seed/private key. Isn't it less risky to not do so, and only ask for it upon withdrawal, and guarantee that its not stored or logged by the server? Companies do this with /debit cards and must meet PCI standards