Industry News

New Export Control Know-Your-Customer (KYC) Requirements for IaaS Providers

Feb. 9, 2024
By: Marvin E. McPherson

The Bureau of Industry and Security (BIS) is doing its best to remain ahead of the curve, in an era where cybersecurity threats are a large risk and digital infrastructure plays an increasingly vital role in global operations. Executive Order 14110 charges the agency with addressing malicious cyber-enabled activities. In specific, the January 19, 2021 Executive Order, entitled “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities,” mandated significant action to fortify the nation’s defenses against cyber threats. Therefore, BIS published a notice of proposed rulemaking (NPRM) for establishing new requirements for Infrastructure as a Service providers (IaaS or “cloud infrastructure providers”).

Under this directive, BIS promulgated the NPRM which includes the implementation of Know-Your-Customer (KYC) programs within the Infrastructure as a Service (IaaS) sector, particularly targeting foreign entities accessing U.S. cloud infrastructure.

U.S. cloud infrastructure providers, and their foreign resellers would be required to verify the identity of foreign persons accessing or utilizing their services. BIS proposes to define “IaaS” as any product or service offered to a consumer that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined. This will be inclusive or paid, free or free of charge products and services.

This initiative aims to identify and mitigate risks associated with the misuse of cloud resources for malicious cyber activities. By conducting thorough identity verification processes, aka KYC, providers can better track and monitor potentially nefarious actors operating within their networks.

BIS proposes a process for U.S IaaS providers to report instances where the provider has knowledge that they will engage or have engaged in a transaction with a foreign person that could allow that foreign person to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. BIS proposes to define large AI model as “any AI model with the technical conditions of a dual-use foundation model, or that otherwise has technical parameters of concern, that has capabilities that could be used to aid or automate aspects of malicious cyber-enabled activity” BIS states that it will further come up with performance parameters and adjust as needed.

It is worth noting that KYC requirements are not unprecedented. Similar protocols are already in place in various industries to help service providers identify and mitigate risks posed by certain customers. However, implementing KYC for cloud providers represents a new requirement and infrastructure not yet done by all in the industry.

Stay informed about these regulatory updates for compliance in the evolving landscape. If you have any questions surrounding proposed rule or implementing a KYC program, please contact any attorney at Barnes Richardson and Colburn.