Back
Department of Commerce's proposed rule
webLegal blog analysis of a U.S. regulatory proposal to require cloud providers to vet foreign AI compute customers, relevant to compute governance and efforts to limit unauthorized access to frontier AI training resources.
Metadata
Importance: 52/100blog postanalysis
Summary
The U.S. Department of Commerce proposed a rule requiring Infrastructure-as-a-Service (IaaS) providers to implement Know Your Customer (KYC) verification for foreign users accessing cloud computing resources above certain thresholds. The rule aims to prevent adversarial actors from using U.S. cloud infrastructure to train advanced AI models. This legal analysis covers the regulatory implications for cloud providers and the AI industry.
Key Points
- •Proposed rule mandates IaaS providers verify identities of foreign customers using cloud compute above defined thresholds to prevent misuse
- •Targets national security concerns around foreign adversaries using U.S. cloud infrastructure to train frontier AI models
- •Establishes compliance obligations for major cloud providers (AWS, Azure, GCP) similar to financial sector KYC requirements
- •Compute thresholds define which transactions trigger reporting/verification requirements, linking to broader AI governance frameworks
- •Legal analysis highlights implementation challenges, jurisdictional questions, and potential burden on cloud service providers
Cited by 2 pages
| Page | Type | Quality |
|---|---|---|
| Compute Monitoring | Approach | 69.0 |
| US Executive Order on Safe, Secure, and Trustworthy AI | Policy | 91.0 |
Cached Content Preview
HTTP 200Fetched Mar 20, 202615 KB
[Skip to content](https://www.dwt.com/blogs/artificial-intelligence-law-advisor/2024/02/commerce-department-proposes-kyc-ai-rules-for-iaas#main-content)
Insights
[Communications](https://www.dwt.com/expertise/industries/communications)
# Commerce Department Proposes Cybersecurity/AI Reporting and "KYC" Requirements for Certain Cloud Providers
IaaS providers would need to verify foreign users' identities (aka "know your customer") and report certain AI model training activities under the proposed rules
By [Robert Stankey](https://www.dwt.com/people/s/stankey-robert), [K.C. Halm](https://www.dwt.com/people/h/halm-kc), [Michael T. Borgia](https://www.dwt.com/people/b/borgia-michael), [Andrew M. Lewis](https://www.dwt.com/people/l/lewis-andrew-m), and Assaf Ariely
02.14.24
Share
[Click to share URL on Twitter.](https://twitter.com/intent/tweet?url=Commerce+Department+Proposes+Cybersecurity%2fAI+Reporting+and+%22KYC%22+Requirements+for+Certain+Cloud+Providers+&text=https%3a%2f%2fwww.dwt.com%2fblogs%2fartificial-intelligence-law-advisor%2f2024%2f02%2fcommerce-department-proposes-kyc-ai-rules-for-iaas)[Click to share URL on Facebook.](https://www.facebook.com/sharer/sharer.php?u=https%3a%2f%2fwww.dwt.com%2fblogs%2fartificial-intelligence-law-advisor%2f2024%2f02%2fcommerce-department-proposes-kyc-ai-rules-for-iaas)[Click to share URL on LinkedIn.](https://www.linkedin.com/shareArticle?mini=true&url=https%3a%2f%2fwww.dwt.com%2fblogs%2fartificial-intelligence-law-advisor%2f2024%2f02%2fcommerce-department-proposes-kyc-ai-rules-for-iaas&title=Commerce+Department+Proposes+Cybersecurity%2fAI+Reporting+and+%22KYC%22+Requirements+for+Certain+Cloud+Providers+)
[Print this page](https://www.dwt.com/blogs/artificial-intelligence-law-advisor/2024/02/commerce-department-proposes-kyc-ai-rules-for-iaas#print)
The U.S. Department of Commerce's ("Commerce") Bureau of Industry and Security ("BIS") has issued a [proposed rule](https://www.federalregister.gov/documents/2024/01/29/2024-01580/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious) (the "Proposed Rule") that would impose significant diligence, reporting, and recordkeeping requirements on U.S. providers of Infrastructure as a Service (IaaS) and their foreign resellers. IaaS is generally considered to be a cloud computing model that provides users with remote access to servers, storage, networking, and virtualization.
The Proposed Rule would require U.S. IaaS providers to:
- Implement and maintain a "Customer Identification Program" (CIP), which must include detailed know-your-customer (KYC) procedures for identifying and reporting foreign customers to Commerce; and
- Report transactions involving foreign persons that "could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity."
BIS has requested public comment on "all aspects of the proposed rule" and specifically has requested comme
... (truncated, 15 KB total)Resource ID:
dc9c71640f5c01b3 | Stable ID: N2JkZTE4ZD