By Jackson Wood, Director, Industry Strategy, Global Trade Intelligence, Descartes Systems Group

The goal is to improve IaaS providers’ ability to quickly identify “foreign malicious actors”. 

The U.S. Department of Commerce is proposing requiring Infrastructure as a Service (IaaS) providers and their overseas resellers to verify foreign users’ identities under a Know Your Customer (KYC) program to more efficiently safeguard national security interests. 

KYC legislation is mainly aimed at financial institutions, but this move sends a strong signal to the general business community that they too should have equivalent processes in place. 

In a notice of proposed rulemaking, the department said the new requirement was to “address the risk of foreign malicious actors using U.S. cloud services that could be used in malicious cyber-enabled activity to harm U.S. critical infrastructure or national security, including to train large artificial intelligence (AI) models”.

Key Takeaways

  • The KYC rule for cloud infrastructure providers aims to minimize U.S. national security risks in cyberspace. 
  • It is also aimed at preventing malicious actors from using AI in the cloud to threaten American national security. 
  • Accurate customer information and risk assessment are key compliance requirements. 
  • Denied party screening is a quick way of removing bad actors from an organization’s customer base. 
  • The draft legislation signals businesses in general need to deploy equivalent Know Your Customer processes. 

What is “Know Your Customer” (KYC)? 

The “Know Your Customer” program is designed to reduce the risk of fraud, corruption, money laundering and terrorist financing occurring at financial institutions, especially in businesses that deal with customers when they open an account and in the ongoing maintenance of those accounts. As such, these rules have long formed part of the compliance fabric at banks, crypto operators, and accounting, real estate and recruitment firms. 

There are three main components that make up the Know Your Customer process. They are as follows: 

1. Customer Identification Program (CIP), which requires organizations to obtain four fundamental pieces of information about a client:
   – Name;
   – Date of Birth;
   – Address; and
   – Identification Number.

2. Customer Due Diligence (CDD), which analyzes the market activities of customers and how these activities are funded. 

3. Enhanced Due Diligence (EDD), which assesses the risk profile of customers in terms of money laundering, terrorism financing, fraud and theft. 

Many other industries also closely follow KYC guidelines from an export compliance perspective as defined by the Commerce Department’s Bureau of Industry and Security. 

What this Means for Cloud Infrastructure Providers 

The proposed regulations will require American cloud infrastructure providers and their foreign resellers to implement and manage a KYC Customer Identification Program in order to establish an accurate identity for each client. A screening and periodic rescreening system also helps here, ensuring that new and existing customers are not on any denied, debarred, or blocked persons lists.

The draft rules stress minimum verification standards and record-keeping requirements that providers must adopt. 

U.S. Objectives 

Under Secretary for Industry and Security Alan Estevez said the move represents an effort to address national security risks in the cyber arena, including risks associated with frontier AI models and the abuse of U.S. cloud infrastructure by malicious actors, while at the same time facilitating legitimate businesses. 

He said that the proposed rule “puts foreign malicious cyber actors on notice that we are taking action to prevent them from using our own cloud infrastructure to undermine our national security interests.” He added: “The proposed rule gives the Secretary of Commerce the tools she needs to address risks while maintaining the Department’s overall approach to national security: to innovate and do business wherever we can, and to protect what we must.” 

General Business Considerations

Know Your Customer programs have traditionally been most prevalent in financial institutions, but the new government directive requiring cloud infrastructure providers to also strictly follow KYC rules confirms that businesses of all types need to make sure that they are not interacting with a denied party.

It goes without saying that businesses understand the need to keep accurate records of their customers from an operational point of view; from a compliance perspective, however, the case is less clear cut, especially when meeting financial targets is the priority objective. That said, breaches of the rules can result in penalties that erode, or worse, wipe out bottom-line gains.

Looking at the issue through a compliance lens, organizations should (at a minimum) be screening new and existing customers against restricted parties lists and making sure they are located where they say they are via IP geolocation screening. This is an efficient way to be sure that their customer base is cleansed of malicious bad actors whose goal is to compromise national security. And by minimizing risk in this way, they can actually accelerate sales velocity, enable growth, and increase shareholder value in both the public and private senses. 
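The two checks described above, restricted-party list screening and an IP geolocation sanity check, can be illustrated with a small screening pass. The code below is an added example written for this article; it is not Descartes' product code and not part of the proposed rule. The denied-party list, the customer records and the IP-to-country table are all constructed placeholders (the IP ranges are the RFC 5737 documentation ranges), standing in for the official consolidated screening lists and a commercial GeoIP database that a real program would use.

```python
"""Added example (not from the original article or from Descartes): a minimal
restricted-party screening pass over constructed customer records.

It performs two checks: match each customer's name against a denied-party
list after normalizing case, accents, punctuation, corporate suffixes and
word order, and flag customers whose IP geolocation disagrees with the
country they declared at onboarding.
"""
import ipaddress
import re
import unicodedata

# Constructed denied-party list (placeholder names, not entries from any real list).
DENIED_PARTIES = [
    {"name": "Example Trading Co., Ltd.", "list": "ENTITY-LIST-PLACEHOLDER"},
    {"name": "Doe, John", "list": "SDN-PLACEHOLDER"},
]

# Constructed IP-to-country table standing in for a GeoIP database.
GEOIP_TABLE = {
    "203.0.113.0/24": "US",   # TEST-NET-3 documentation range
    "198.51.100.0/24": "DE",  # TEST-NET-2 documentation range
}

# Corporate suffixes and filler words ignored when comparing names.
STOPWORDS = {"co", "ltd", "inc", "llc", "corp", "company", "corporation", "the"}


def normalize_name(name: str) -> frozenset:
    """Lower-case, strip accents and punctuation, drop corporate suffixes, and
    return the remaining tokens as a set so that word order does not matter."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return frozenset(t for t in tokens if t not in STOPWORDS)


def geolocate(ip: str):
    """Map an IP address to a country code via the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


def screen_customer(customer: dict) -> list:
    """Return a list of findings for one customer; an empty list means it passed."""
    findings = []
    cust_tokens = normalize_name(customer["name"])
    for entry in DENIED_PARTIES:
        entry_tokens = normalize_name(entry["name"])
        # Every token of the listed name must appear in the customer name.
        if entry_tokens and entry_tokens <= cust_tokens:
            findings.append(f"name matches {entry['list']} entry '{entry['name']}'")
    observed = geolocate(customer["ip"])
    if observed is None:
        findings.append(f"IP {customer['ip']} could not be geolocated")
    elif observed != customer["declared_country"]:
        findings.append(
            f"declared country {customer['declared_country']} but IP geolocates to {observed}"
        )
    return findings


def screen_all(customers) -> dict:
    """Screen every customer and return {customer_id: findings}."""
    return {c["id"]: screen_customer(c) for c in customers}


# Constructed sample customers for the demonstration run.
SAMPLE_CUSTOMERS = [
    {"id": "c1", "name": "Acme Widgets Inc.", "declared_country": "US", "ip": "203.0.113.10"},
    {"id": "c2", "name": "EXAMPLE TRADING CO LTD", "declared_country": "US", "ip": "203.0.113.20"},
    {"id": "c3", "name": "John Doe", "declared_country": "US", "ip": "198.51.100.7"},
    {"id": "c4", "name": "Globex GmbH", "declared_country": "DE", "ip": "192.0.2.1"},
]

if __name__ == "__main__":
    for cid, findings in screen_all(SAMPLE_CUSTOMERS).items():
        print(cid, "CLEAR" if not findings else "; ".join(findings))
```

The token-subset match is deliberately simple: it catches reordered and re-punctuated spellings of a listed name but not transliterations or typos, which is why production screening tools use fuzzy matching and surface near-matches for human review rather than auto-blocking. Note also that a customer who cannot be geolocated is reported as a finding rather than silently passed, so gaps in the lookup data show up in the review queue.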

How Descartes Can Help 

Descartes Visual Compliance™ is a provider of industry-leading international trade and regulatory compliance solutions that help organizations to comply with export control rules and regulations in the U.S. and around the world. Its extensive, accurate, and up-to-date compliance data makes it an easy choice for organizations of all sizes, industries, and geographies aiming to minimize their potential exposure to international compliance violations.

To help companies manage their export compliance risk more effectively, there are solutions available for restricted party screening, export classification, license determination and management, risk management, and sanctioned party ownership screening, all of which can help organizations ensure they are not falling foul of new and existing compliance regulations. Having proper and thorough compliance processes in place can help organizations remain on the right side of the law, and avoid potential bad press, fines, and other financial and reputational damages that violations of export regulations may incur. 

See also what our customers are saying about our range of denied party screening solutions on G2, a third-party business software review website. 

Ready to learn how we can help? Reach out or book a demo today to discover how we can help you stay ahead of the latest compliance trends.