Who I(aa)S Your Foreign Customer? Department of Commerce Proposes Foreign Customer Identification Requirements For U.S. IaaS Providers

On January 29, 2024, the Department of Commerce released a proposed rule:  Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, which solicits comments regarding a proposed  new set of regulations that would introduce significant new requirements for U.S.-based Infrastructure as a Service (IaaS) providers.  The proposed rule implements requirements from the January 2021 Executive Order Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities and part of the October 2023 Executive Order Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.  If Commerce implements the regulations as proposed, IaaS providers would be required to create a Customer Identification Program (CIP), ensure any foreign resellers maintain a CIP, track all customer identities, verify the identities of foreign customers, and report certain transactions implicating large AI models that could be used for malicious cyber-enabled activities.  The Department is soliciting comments on all aspects of the proposed rule by April 29, 2024.

Application

The proposed rule applies to all U.S.-based providers of IaaS products.  An organization will be considered U.S.-based if it is owned by a U.S. person or if it is operated within the territory of the U.S.  Resellers of U.S. IaaS products also will be subject to these regulations.  IaaS is defined broadly to include any product or service offered to a consumer that provides processing, storage, networks, or other fundamental computing resources and with which the customer can deploy and run software that is not predefined, including operating systems and applications.

Requirements

1. Providers Must Create and Maintain a Customer Identification Program
   As proposed, the new regulations would require each U.S. IaaS provider to create a CIP explaining how it will collect, verify, store, and maintain identifying information about its customers, as well as how the provider will notify its customers about the disclosure of identifying information.  U.S. IaaS providers will be required to implement a CIP, ensure their foreign resellers also implement a CIP, and provide details of their CIP to the Department.
   
   
2. Providers and Resellers Must Collect Identifying Information on All Customers
   Under the proposed regulations, the CIP must include procedures to collect data sufficient to determine whether each potential customer is a foreign person or U.S. person.  For potential foreign customers, the provider or reseller will be required to collect, at minimum, the customer’s account number, physical address, email addresses, means of payment, telephone numbers, and internet protocol (IP) addresses.  The proposed rule requires providers to implement procedures within the CIP to maintain, protect, and access these records.
   
   
3. Providers and Resellers Must Verify the Identity of All Foreign Customers
   The proposed regulations also require providers and foreign resellers to develop procedures to verify the identity of any foreign persons obtaining an account from the provider.  In addition to the minimum data collection required for each customer, providers must verify the identity of each “foreign person that obtains an [a]ccount” or any customer with a “foreign beneficial owner” added to the account.
   
   
4. Providers Must Report Knowledge of Foreign Transactions that Could Allow Training of Large AI Models with Possibility of Malicious Cyber-Enabled Activity
   U.S. IaaS providers will be required to report knowledge of any transactions with foreign persons that could allow the foreign entity to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.  This will require providers to report transactions they know, have reason to know, or have reason to believe could be used in malicious activity. 

Enforcement

The proposed regulations contemplate civil and criminal penalties for noncompliance with the new requirements.  Violations, including failing to implement the CIP, failing to submit reports and certifications, providing IaaS products to a foreign person without complete compliance, and making any false or misleading statements, could result in severe civil and criminal penalties. 

Global Impact

The proposed rulemaking has garnered global attention, as its cross-border data collection requirements are unprecedented in the cloud computing space.  To the extent the U.S. alone imposes these requirements, there is concern that U.S. IaaS providers could face a competitive disadvantage, as U.S. allies have not yet announced similar foreign customer identification requirements.

The proposed regulations also could be viewed as a continuation of U.S. efforts to deter China’s AI capability.  It follows a series of amendments to U.S. export controls targeting the provision of advanced semiconductors to China and additional countries that pose a risk of diversion to China, as well as the U.S. Department of the Treasury’s recent issuance of an Advance Notice of Proposed Rulemaking aimed at curbing certain U.S. outbound investments in Chinese entities operating in the advanced semiconductor, AI software, and other national security technology arenas.  Public reporting suggests that Chinese companies have continued to train and develop their AI models using the same advanced semiconductors that are restricted for export to China through reliance on U.S. and non-U.S. cloud data centers.  The proposed new set of regulations could close down China’s remote access to the controlled chips.

Due to the novel nature of this proposed regulation and potential implications for Chinese firms, this development is being watched closely in Asia and has been reported widely by the regional media.

Key Takeaways and Recommendations

• Under the new proposed regulations, U.S. IaaS providers would face significant new requirements with heavy consequences for noncompliance.
• Companies should determine whether their products could be considered U.S. IaaS under the broad definitions provided by the rule.
• Companies also should begin to analyze whether their resellers and customers are foreign-based, to determine the scope of their compliance requirements as well as whether they can securely collect, process, and maintain the requisite foreign customer data.