So the platform would keep data against the wishes of the client? That doesn't sound good.

A better interpretation is that there might be multiple channels used for different identification purposes (a la 2-factor authentication) and the provider can ask for confirmation in a higher security channel. Whether this is done/feasible in practice is debatable.

More like it would include a more elaborate, person to person process.