US Department of Commerce Wants to Impose KYC on Cloud Services and AI Training

The Commerce Department is soliciting comment on the proposed rules for 90 days, with submissions due to the agency by April 29, 2024.

US Department of Commerce Wants to Impose KYC on Cloud Services and AI Training
  • "The new rule would require that U.S. providers of IaaS products (including U.S. resellers) implement and maintain a written, risked-based Customer Identification Program (CIP). The CIP is a Know-Your-Customer (KYC) program that would consist of data collection procedures for ascertaining and verifying the identities of current and prospective customers. For many companies, the requirements extend beyond the identification information currently collected from customers."
  • "Moreover, U.S. IaaS providers would need to ensure that foreign resellers of their IaaS products maintain and implement adequate CIP programs. U.S. IaaS provider would need to terminate their relationship with foreign resellers who do not adequately comply."
"The proposed definition for “Infrastructure as a Service product” is "any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications."
    • "The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer."
    • "The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet ( e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person ( e.g., “baremetal” servers)."
    • "Note that this definition includes all service offerings for which a consumer does not manage or control the underlying hardware, but rather contracts with a third party to provide access to this hardware. This definition would capture services such as content delivery networks, proxy services, and domain name resolution services."
"To reduce compliance burdens, the Department proposes to allow foreign resellers, by agreement, to adopt or reference CIP programs created by U.S. IaaS providers."
  • "Providers would need to report to Commerce that they and their foreign resellers have a CIP, and annually certify information about the CIP thereafter. Although the Department is considering an adjustment period, compliance with any final rule would be required within one year of publication."

Key takeways

  • The proposed rule would institute a CIP requirement for U.S. IaaS providers akin to the “know your customer” requirements applicable to banks, introducing a complex compliance protocol that will require resources and lead time.
  • Under the proposed framework, companies can seek an exemption from the CIP requirement by adopting an ADP and applying to Commerce for an exemption.
  • Under the proposed rule, U.S. companies newly seeking to become IaaS providers would need to adopt a CIP before starting business as a provider.
  • The proposed rule’s reporting requirements regarding foreign persons’ use of IaaS products to engage in certain AI training would impose a significant monitoring obligation on providers.
  • The proposed rule would require U.S. providers to flow the CIP and reporting requirements through to foreign resellers.
The stakes of noncompliance would be high, with violations punishable under the International Emergency Economic Powers Act, which provides for civil penalties of up to the greater of ~$368,000 per violation or twice the value of the transaction connected to the violation, or criminal penalties of up to $1 million and/or 20 years’ imprisonment.
  • Notably, Commerce is proposing to implement the rules by amending the ICTS regulations, which otherwise are focused on threats to the U.S. technology supply chain. The technology should monitor developments relating to these rules, as they likely will be an important vehicle for technology regulation in the months and years to come.
  • Commerce is also considering imposing controls on the use of U.S. export-controlled advanced computing items to provide cloud services for use in training large AI models. This is an important part of the policy conversation and should be part of the risk calculus for companies in the industry.
  • Affected or interested parties may submit comments on the proposed regulations until April 29, 2024.

Full Proposal / Archive
National Review Article / Archive
JDSupra Post / Archive Discussion