Department Of Commerce Seeks Comment On Proposed CIP Requirement And Foreign Access Restrictions For Us Infrastructure As A Service (IAAS) Providers - Export Controls & Trade & Investment Sanctions

On January 29, 2024, the US Department of Commerce's Bureau of Industry and Security (the “Department”) issued a notice of proposed rulemaking seeking comment on a proposed regulation in response to the Executive Order (E.O.) 14110 of October 30, 2023, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”¹ and E.O. 13984 of January 19, 2021, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities.” The proposed regulation would require providers of infrastructure as a service (IaaS) products to: (i) have a Customer Identification Program, similar to what banks and other financial institutions have had for many years (ii) authorizes the Department to prohibit or restrict IaaS transactions involving jurisdictions or persons engaged in malicious cyber activities involving US IaaS products, and (iii) to impose reporting requirements with respect to the use by foreign persons of cloud computing services for training large AI models.

The proposed rule is the latest in a series of recent US government actions to address potential national security risks posed by information and communications technology supply chains.² In responding to the proposal, IaaS providers might consult with subject matter experts in banking, cybersecurity, and export control/technology transfer compliance to help identify problematic or unworkable aspects of the proposal. It would be surprising if intricate procedures could be transplanted wholesale from one industry to another, and therefore, it is likely that the proposal will require further tailoring to reflect the commercial realities of IaaS.

Comments must be submitted by April 29, 2024. In this Legal Update, we discuss the background to the proposal, the proposal itself, and how it builds on the requirements that banks have complied with since 2003.

Background: Risks Posed by IaaS Activities Involving Foreign Persons

IaaS, or Infrastructure as a Service, is a product that supplies computing resources, such as the ability to run software and store data, over the internet.³ The main benefit of IaaS is that it alleviates the need for companies to incur costs related to the purchase or maintenance of servers, storage, networking and related software. However, the US government has identified a series of threats caused by foreign malicious cyber actors using US IaaS products. Foreign cyber actors have used US IaaS products to steal confidential data, engage in covert espionage activities, and target US infrastructure.

The government has experienced difficulty tracking these actors for a myriad of reasons. Foreign cyber actors may prefer to use US infrastructure for their activities for a variety of reasons, including its stability and quality and because US infrastructure may be less likely to attract suspicion from information security tools and personnel. US law also regulates the surveillance of US infrastructure differently from foreign infrastructure, which is a distinction foreign cyber actors may choose to exploit. Finally, IaaS products are often readily exchanged, making it easier for a cyber actor to change their infrastructure (and erase their tracks), and thereby harder for US authorities to investigate them. On top of all of this, these actors can also gain access to US IaaS products through foreign-person resellers. The access to US IaaS products through foreign-person resellers adds a layer of complexity when the government is seeking to track these malicious actors because the resellers generally do not track the identity of their customers.

In light of these challenges and the rapid growth of IaaS, in 2021, President Donald Trump issued E.O. 13984, “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities.”⁴ E.O. 13984 directed the Department of Commerce to require IaaS providers in the United States to verify the identity of their foreign customers, and, in limited circumstances, to limit access to US IaaS products. Although the Department of Commerce issued an ANPRM in September of that year, no rule was forthcoming. Then, approximately two years later, in October 2023, President Joe Biden issued E.O. 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.”⁵ E.O. 14110 directs the Department of Commerce to require that US IaaS providers ensure that their foreign resellers verify the identity of foreign users. Moreover, E.O. 14110 grants the Department of Commerce authority to require US IaaS providers in the United States to submit a report to the Department whenever a foreign user transacts with the provider to train a large AI model that could be used in illicit cyber-enabled activity.

Background: Customer Identification Program (CIP) Under Banking Law

Notably, E.O. 13984 raised the prospect that US IaaS providers would be required to establish a know-your-customer program or Customer Identification Program (CIP), similar to the CIP requirement for financial institutions that Congress implemented following the September 11, 2001 attacks to prevent future terrorist attacks and fraud.⁶ The CIP requirement made it mandatory for banks and certain nonbank financial institutions to establish procedures to collect information on the identity of their customers and verify the identity of their customers.⁷ Such procedures “must enable the bank to form a reasonable belief that it knows the true identify of each customer.”⁸ Moreover, the procedures must be based on an assessment that takes into account several factors, such as the types of accounts maintained by the bank, the bank's methods of opening accounts, the types of identifying information available, and the bank's size, location, and customer base.

A bank must, at a minimum, obtain each customer's name, date of birth, address,⁹ and identification number¹⁰ before opening an account for the customer. A bank may rely on documents or non-documentary methods to verify a customer's identity. As a general rule, for customers who are individuals, banks require an unexpired government-issued form of identification that includes the customer's nationality or residence (e.g., driver's license or passport). On the other hand, for customers other than an individual, banks require evidence proving the existence of the entity (e.g., articles of incorporation or partnership agreement), and since 2016, information on the identities of the beneficial owners of the entity.¹¹ Non-documentary methods of verification may include verifying the customer's information by comparing it to another source, such as a consumer reporting agency or public database. A bank may also, based on its procedures, require additional identifying information for certain customers or product lines. A bank must also verify whether the customer appears on any list of known or suspected terrorists or terrorist organizations.¹² Moreover, banks must continue to verify the identity of the customer for a reasonable period of time after the account is open, and maintain all identifying information for a period of five years after the account is closed.

CIP programs also require banks to have defined procedures to address situations where a bank cannot form a reasonable belief that it knows the true identity of the customer. The procedures “should describe when a bank should not open an account, the terms under which a customer may use an account while the bank attempts to verify the customer's identity, when the bank should close an account, after attempts to verify a customer's identity have failed, and when the bank should file a suspicious activity report (SAR) in accordance with applicable law and regulation.”¹³

When implementing and revising its CIP, banks may look to Frequently Asked Questions (FAQs) resources issued by the US Department of the Treasury, FinCEN, and the federal banking agencies.

Proposed Regulation for IaaS Providers

Following E.O. 13894's mandate, on September 24, 2021, the Department of Commerce published a notice of proposed rulemaking, requesting comments on how the Department should implement sections 1 and 2 of E.O. 13984 and section 5 of E.O. 13894. Upon consideration of the comments, the Department is now requesting comments on sections 1, 2, and 5 of E.O. 13984 relating to CIP procedures and the applicable provisions of E.O. 14110 to require US IaaS providers to ensure that their foreign resellers verify the identity of foreign users.

Customer Identification Program Regulations and Relevant Exemptions:

The proposed rule requires US IaaS providers and foreign resellers to “maintain CIPs, perform effective customer verification, and maintain identifying information about their foreign customers.”¹⁴ Each CIP must contain procedures that providers and resellers will use to collect information from existing and prospective customers.¹⁵ The resellers' CIP is likely to be a “pushdown” of the providers' CIP, akin to what we have seen with bank-fintech partnerships.

US IaaS providers and foreign resellers must, at a minimum, obtain the customer's name, address, means and source of payment for each account, email address, telephone number, and internet protocol (IP) addresses used for access or administration of the account. They also would need to collect the same identifying information and verify the identity of beneficial owners of legal entity customers. Providers, however, are free to create their own procedures and methods to verify the identity of their customers, so long as the provider can form a reasonable belief about the true identity of each customer and beneficial owner. US IaaS providers must maintain all identifying information for a period of two years after the account is closed.

Like banks, US IaaS providers may rely on documents or non-documentary methods—or both—to verify a customer's identity. Providers must define the procedures to follow when the provider cannot verify the customer's identity. And, like financial institutions, the procedure should explain when a customer may continue to have access to an account while the customer's identity is being verified and when a provider would close the account for failure to verify the customer's identity. In connection with the requirements, the Department is seeking comment on:

whether to require specific verification methods, such as email or payment verification, for all prospective customers;
whether other forms of identification, such as digital or technology-based identification, should be included as an acceptable means by which IaaS providers may verify customers' identities, and if companies have privacy-protecting or privacy-enhancing technologies to verify this same information or other alternatives that can effectively achieve identity verification;
whether the Department should allow providers to grant potential customers access to Accounts prior to successful identity verification;¹⁶ and
whether including reference to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63 regarding digital identity guidelines would help IaaS providers meet requirements for identity verification.

Section 7.306 of the proposed rule creates a process for the Secretary to exempt both US IaaS providers and foreign resellers from the CIP requirements (but not the requirements pertaining to AI training), if the provider demonstrates compliance with best practices to deter abuse of IaaS products, through an “Abuse of IaaS products Deterrence Program” (ADP) that enables the provider to detect and appropriately respond to “red flags” of platform abuse. In considering whether to grant an exemption, the Secretary will consider the provider's participation in information-sharing programs with the public sector and its cooperation with law enforcement.

On the other hand, as part of the proposed regulation, the Department will have the authority to impose “special measures” against a specific foreign jurisdiction or person. The Department will take special measures whenever there are reasonable grounds to conclude that a jurisdiction or person outside of the United States “has any significant number of foreign persons offering US IaaS products that are used for malicious cyber-enabled activities or any significant number of foreign persons directly obtaining US IaaS products for use in malicious cyber-enabled activities.” Should special measures be necessary, the Secretary will issue a determination in the Federal Register indicating the reasonable grounds for the determination and the special measure that will be taken. The determination will take effect 30 days after publication.

US IaaS providers must also submit a report to the Department with respect to certain transactions between a covered IaaS provider and a foreign person that could result in the training of a large AI model for malicious cyber-enabled activity. The report must include the identity of the foreign person (e.g., the customer's name, email address, and IP address) and the existence of any training run. The Department will then determine whether the model could be used in malicious cyber-enabled activity.

As proposed, this reporting requirement could be quite broad. IaaS providers would be required to report any transaction where they have “knowledge” (including reason to know based on the surrounding circumstances) they will engage or have engaged in a transaction with a foreign person that “results or could result in the training of a large AI model with potential capabilities that could be used to enable malicious cyber-enabled activity.”¹⁷ The proposed rule makes clear that the Department would adopt the same knowledge standard as it uses under the export control laws, to include not only actual knowledge but “reason to know” based on all of the facts and circumstances surrounding the transaction. In addition to the provider's core reporting obligation, US IaaS providers would also be obligated to ensure their foreign resellers report to them whenever they have “knowledge” of a covered transaction. Providers must file reports within 15 days of the covered transaction occurring, or of the provider having knowledge or reason to know that such a transaction has occurred. In addition, the proposed rule would also require providers receiving reports from foreign resellers to file those reports within 30 days of the covered transaction. As a practical matter, this imposes a heightened due diligence standard with respect to such transactions, and it is important that IaaS providers consider and develop appropriate risk-based controls that reflect the agency's practice in this area.

Considerations for US IaaS Providers

US IaaS providers, as well as the general public, should consider submitting comments to the proposed regulation, which are due by April 29, 2024.

The proposed regulation will impose significant and costly requirements on US IaaS providers. Some costs, according to the Department, may include (i) learning about the proposed rule, (ii) developing, implementing, and updating CIP programs, and (iii) ensuring that foreign resellers are complying with the proposed regulation. Nonetheless, the Department recognizes that IaaS products are increasingly used by threat actors to refine and enhance their attacks against the operations and functionality of the nation's infrastructure. Therefore, reducing those threat actors' access to IaaS products is a top priority.

It is important that IaaS providers and resellers consider the rule within the context of the broader series of changes to the national security framework governing information and communications technology and services (ICTS) supply chains, cybersecurity and related technology transfer controls, as well as the relevant Department regulatory and enforcement practice in these areas. In addition, the CIP aspects of the rule implicate important principles that have long been used in the banking sector, which may be particularly beneficial to clients as part of their broader development of risk-based compliance measures. Based on our experience with ICTS services providers and financial institutions, US IaaS providers and their trade associations should strongly consider submitting comments on the proposal. For more information on submitting a comment, click here or contact us.

Footnotes

1 89 Fed. Reg. 5698 (Jan. 29, 2024), https://www.federalregister.gov/documents/2024/01/29/2024-01580/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious.

2 For additional information, please see our alerts on the ICTS Supply Chain regulatory framework (here) and (here) and on the Cybersecurity Executive Order ( here) and ( here).

3 What is IaaS?, GOOGLE, https://cloud.google.com/learn/what-is-iaas. The proposal would define IaaS as “any product or service offered to a consumer, including complimentary or ‘trial' offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications.”

4 E.O. 13984, 86 Fed. Reg. 6837 (Jan. 25, 2021), https://www.federalregister.gov/documents/2021/01/25/2021-01714/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious.

5 E.O. 14110, 88 Fed. Reg. 75191 (Nov. 1, 2023), https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence.

6 Codified at 31 U.S.C. § 5318(l).

7 68 Fed. Reg. 25,090 (May 9, 2003), https://www.federalregister.gov/documents/2003/05/09/03-11019/customer-identification-programs-for-banks-savings-associations-credit-unions-and-certain.

8 Assessing Compliance with BSA Regulatory Requirements, FFIEC, https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/01.

9 31 C.F.R. § 1020.220(a)(2)(i)(A)(3). For an individual: a residential or business street address, or if the individual does not have such an address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual. For a “person” other than an individual (such as a corporation, partnership, or trust): a principal place of business, local office, or other physical location.

10 An identification number for a US person is a taxpayer identification number (TIN) (or evidence of an application for one consistent with 31 C.F.R. § 1020.220(a)(2)(i)(B)). An identification number for a non-US person is one or more of the following: a TIN (or evidence of an application for one consistent with 31 C.F.R. § 1020.220(a)(2)(i)(B)); a passport number and country of issuance; an alien identification card number; or a number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.

11 31 C.F.R. § 1010.230.

12 Many banks screen against the list of specially designated nationals and blocked persons, although this has not been formally designated as the list to screen against for purposes of the CIP requirements.

13 See Assessing Compliance with BSA Regulatory Requirements, supra note 3.

14 The proposal would define foreign resellers as: “a foreign person who has established an IaaS Account to provide IaaS subsequently, in whole or in part, to a third party.”

15 The proposal would define a CIP as “a program created by a US IaaS provider or foreign reseller that dictates how the IaaS provider will collect identifying information about its customers, how the IaaS provider will verify the identity of its foreign customers, store and maintain identifying information, and notify its customers about the disclosure of identifying information.”

16 In the banking context, there are typically account restrictions put in place when access is granted prior to verification. It is a careful balance that recognizes the reality that most customers aren't malicious actors, but also prevents the worst case scenario in the event a customer turns out to be one post-verification.

17 Such AI models include any that “could be used to aid or automate aspects of malicious cyber-enabled activity.” This could include any AI model used to generate content such as text or video, as those can be used for social engineering attacks. It could also include any AI model that can be used for coding or creating applications, as that can be used to facilitate the creation of malware and exploit vulnerabilities.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.