BIS Publishes Proposed Rule Imposing “Know Your Customer” and Reporting Requirements on U.S. Infrastructure as a Service Providers
On January 29, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a proposed rule that would impose, for the first time, detailed know-your-customer (“KYC”) requirements on U.S. Infrastructure as a Service (“IaaS”) providers and their foreign resellers (the “Proposed Rule”). The Proposed Rule would also allow BIS to impose “special measures” to prohibit or condition the provision of U.S. IaaS products to foreign jurisdictions and persons of concern, and require IaaS providers to report certain transactions implicating large AI models that could be used for malicious cyber-enabled activities.
The Proposed Rule comes at a time of increasing U.S. regulatory scrutiny on cloud computing and AI applications, including President Biden’s landmark Executive Order directing new rulemaking on AI across federal agencies as well as BIS’s latest effort to prevent China and twenty plus other countries from acquiring advanced semiconductors necessary for training large AI models. Specifically, the Proposed Rule seeks to implement (i) Executive Order 13984, which called for new regulations to prevent cyber-attacks, and certain provisions of (ii) Executive Order 14110, designed to strengthen U.S. defenses against dangerous uses of AI.