The US Department of Commerce is preparing new rules that may go into effect soon which will require intense Know Your Customer (KYC) rules for hosting providers.
According to news reports:
The CIP includes robust KYC requirements, including a requirement that U.S. Providers identify the “beneficial owner” of all accounts (i.e., U.S. and foreign customer accounts) and additional requirements related to foreign-customer accounts. The proposed rule also requires U.S. Providers to report information about their non-U.S. customer base to the U.S. government.
And what providers are in scope?
The Proposed Rule broadly defines “IaaS products” to include “a product or service offered to a consumer . . . that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications.” This definition suggests that the Proposed Rule will apply broadly to, e.g., cloud-service providers (CSP) and anyone that resells computing capacity from a CSP.
The full text of the proposal is available online.
The impetus for these new rules dates back to a Trump-era executive order to improve cyber security.
I, DONALD J. TRUMP, President of the United States of America, find that additional steps must be taken to deal with the national emergency related to significant malicious cyber-enabled activities…to address the use of United States Infrastructure as a Service (IaaS) products by foreign malicious cyber actors. IaaS products provide persons the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers.
Foreign malicious cyber actors aim to harm the United States economy through the theft of intellectual property and sensitive data and to threaten national security by targeting United States critical infrastructure for malicious cyber-enabled activities. Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities; foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection. This order provides authority to impose record-keeping obligations with respect to foreign transactions.
These new regulations impose the same record-keeping obligations on foreign resellers as well as the US companies.
Today much of this record-keeping already takes place. You can’t sign up for AWS or DigitalOcean without giving your name and a credit card. However, it remains to be seen how much further the identity verification will go.
For example, will providers be required now to see some form of photo identification? Is just verifying the email address and taking a credit card enough or do they need to get into those “what was your street address four years ago” kinds of questions? Will we have to scan passports and send copies of utility bills?
Over the past few years, I’ve opened several 0nline bank accounts without needing in the U.S. without having to send a scan of my ID. I can’t imagine more onerous requirements for buying a VM, but we’ll see.
Regardless, providers will need to comply and document that they comply, which is an added cost to their business. And those costs are ultimately borne by their customers.
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
Is this going to apply to US customers who use international services like Contabo? Whats the situation for minors?