Commerce Department Proposes Sweeping Know Your Customer & Other Requirements for IaaS Providers

By: Robert Slack , Melissa Duffy , Mark S. Ostrau , Julia Kuelzow , Sofia Chalat , Trevor Coval , Gregory Rohling

What You Need to Know

  • U.S. technology companies with Infrastructure as a Service (IaaS) offerings should closely review a new rule proposal by the United States Department of Commerce that would impose comprehensive and potentially burdensome Know Your Customer and Customer Identification Program requirements, akin to those found in the financial industry.
  • Commerce is taking comments until April 29 on the proposal, including an “expansive” definition of “IaaS products” that would include content delivery networks, proxy services, and domain name resolution services—as well as requirements for internal and third-party audits, U.S. government pre-approval for Customer Identification Programs, and proactive red-flag notifications.
  • The proposal, which carries significant civil and criminal penalties, would also require IaaS providers and resellers to report transactions by or on behalf of non-U.S. persons that could result in the training of large AI models with capabilities usable in malicious cyber-enabled activity.

The United States Department of Commerce (Commerce) issued a notice of proposed rulemaking (NPRM) seeking comments on new proposed regulations that would, if finalized, impose extensive Know Your Customer (KYC) and Customer Identification Program (CIP) requirements on U.S. Infrastructure as a Service (IaaS) providers. The regulations would subject aspects of the U.S. technology industry to the type of regulation more commonly associated with the financial industry, and would impose, among other things, extensive new compliance programs to validate the identity of foreign users, U.S. government review and approval of internal compliance measures, and new reporting requirements. They would also grant the U.S. government authority to prohibit the provision of certain IaaS services to customers that may be engaged in malign activities.

The proposed regulations, titled “Infrastructure as a Service Providers’ Responsibility To Verify the Identity of Their Customers, Special Measures, and the Use of Their Products for Large AI Model Training,” are the latest move by the Biden administration to address national security concerns about bad actors exploiting U.S. cloud computing infrastructure to steal sensitive data and intellectual property and to launch disruptive denial-of-service attacks against critical industries.

The NPRM implements Executive Orders 13984 and 14110, which authorize Commerce to issue regulations that help identify foreign malicious cyber actors and to impose measures against such actors. The rules would be administered by the Office of Information and Communications Technology and Services (OICTS) within the Bureau of Industry and Security (BIS), whose mandate includes export controls, the review of certain information and communications technology and services (ICTS) transactions, and other national security-focused trade controls.

Companies with IaaS offerings should closely review the proposed rules, as they could impose substantial new compliance burdens on U.S. technology companies and their foreign partners. Comments on the NPRM must be submitted by April 29, 2024.

Definitions

The NPRM contains a number of key definitions on which Commerce seeks comments from the industry. Companies in the cloud computing industry should carefully review the “expansive” proposed definition of “IaaS products,” as U.S. providers and resellers of such products would be subject to the new KYC, CIP, and reporting obligations. Commerce is seeking comments from the industry on the categories of products or services that fall within the proposed definition, and notes that content delivery networks, proxy services, and domain name resolution services would be in scope. The NPRM defines IaaS products as:

“[A] product or service offered to a consumer, including complimentary or ‘trial’ offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of ‘managed’ products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and ‘unmanaged’ products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of ‘virtualized’ products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., ‘virtual private servers’), and ‘dedicated’ products or services in which the total computing resources of a physical machine are provided to a single person (e.g., ‘bare-metal servers’).”

Customer Identification Program

The proposed rule would require U.S. IaaS providers, along with their U.S. and foreign resellers, to implement and maintain a comprehensive CIP, or a KYC program, to verify the identity of foreign persons that sign up for or maintain accounts that access or use a provider’s products or services. The NPRM would require CIPs to contain the following elements, among others:

  • Customer identification: U.S. IaaS providers and resellers would be required to conduct diligence on customers and their foreign beneficial owners, including individuals who exercise substantial control over, or own at least 25% of, a customer. Under the proposed rule, Commerce would expect a CIP, as a baseline, to include information-gathering procedures and to collect customer names, addresses, payment information, email addresses, telephone numbers, and IP address information.
  • Customer verification: IaaS providers would be required to develop risk-based identity verification procedures to form a reasonable belief about the true identity of each foreign customer and beneficial owner. If the identity of such a customer or beneficial owner cannot be verified, the NPRM requires the CIP to include remedial steps the provider would take, including additional monitoring pending verification or closing an account.
  • Record retention and security: IaaS providers would be required to maintain procedures for storing, protecting, and obtaining access to information received during the verification process, and to retain those records for at least two years after an account is closed or last accessed.
  • Foreign resellers: U.S. IaaS providers would be required to mandate that foreign resellers establish their own CIPs and, if requested by Commerce, to produce a copy of a foreign reseller’s CIP to the U.S. government. Should a provider uncover evidence that a foreign reseller does not maintain a CIP, or evidence of malicious cyber-enabled activity, the NPRM would require the provider to report the malicious activity and to terminate the noncompliant reseller’s accounts and agreements within 30 days. Copies of foreign reseller CIPs would need to be provided to Commerce within 10 business days of a request.
  • Certifications: The NPRM would also require U.S. IaaS providers to submit annual certifications of their CIPs, notify Commerce of any updates to their CIPs or those of their non-U.S. resellers, and attest to compliance with the regulations.
  • Exemptions: Under the proposed rule, U.S. IaaS providers and their resellers may request an exemption from the CIP requirement if the provider demonstrates that it or its foreign reseller has implemented security policies and procedures that identify, detect, and respond to red flags. If an exemption is granted, providers must continue to update their security programs and submit annual notifications to Commerce on their programs, including any exempt foreign resellers’ programs.

In addition to the above, Commerce is seeking industry comments on requirements related to third-party and internal audits, U.S. government preapproval of CIPs, proactive notifications to the U.S. government of potential red flags, and whether small businesses might find it more difficult to develop a CIP.

Commerce May Impose “Special Measures”

The NPRM would empower Commerce to impose “special measures” that prohibit or restrict access to IaaS products by foreign jurisdictions or designated persons that the agency determines are engaged in malicious cyber-enabled activities. Before imposing a special measure, Commerce must find, in consultation with other agencies, that there are reasonable grounds to believe that a foreign jurisdiction or foreign person is using U.S. IaaS for malicious cyber-enabled activities. Special measures may be imposed for up to one year and may be extended upon a finding that the measures remain necessary for additional time. Failure to implement a special measure may expose a provider to penalties.

New Reporting Requirements for Large AI Model Training

The NPRM would require U.S. IaaS providers and resellers to file a report whenever they have knowledge of a covered transaction, defined to include a transaction by, for, or on behalf of a foreign person that results or could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. Such a model is defined as one with “the technical conditions of a dual-use foundation model, or that otherwise has technical parameters of concern, that has capabilities that could be used to aid or automate aspects of malicious cyber-enabled activity, including but not limited to social engineering attacks, vulnerability discovery, denial-of-service attacks, data poisoning, target selection and prioritization, disinformation or misinformation generation and/or propagation, and remote command-and-control, as necessary and appropriate of cyber operations.” Commerce would publish and update technical definitions of qualifying models in the Federal Register.

Civil and Criminal Penalties

Violations of the new regulations, including the failure to create a CIP, failure to file certifications, and failure to seek reauthorization of CIPs, would be subject to civil and criminal penalties imposed by the International Emergency Economic Powers Act (IEEPA). Penalties under IEEPA are significant, including a maximum civil penalty not to exceed the greater of $250,000 per violation or twice the transaction amount, as well as criminal penalties for willful violations, including imprisonment of up to 20 years and/or a fine of up to $1 million. IEEPA penalties are indexed to inflation and therefore rise over time. This is the same penalty framework used by the U.S. government to enforce most of its economic sanction regimes, and fines can be substantial when multiple violations are found or are ongoing.

Next Steps

IaaS providers should carefully review the NPRM and consider submitting comments prior to the April 29, 2024, deadline. Please reach out to your Fenwick Trade & National Security contact with any questions about these proposed rules.
