Assessing know-your-customer vulnerability