GCG 2024-02-23
U.S. Department of Commerce Pushes for Cloud Providers’ Mandatory Disclosure of Foreign User Information


On January 19, 2021, the Trump administration issued Executive Order (“EO”) 13984, which directs the U.S. Department of Commerce (“DOC”) to establish regulations requiring U.S. cloud providers, i.e., infrastructure as a service (“IaaS”) providers, to verify the identity of foreign customers and report to the U.S. government.

Furthermore, President Joe Biden issued EO 14410 on October 30, 2023, to expand the application of identification and reporting obligations to include resellers. In addition, EO 14410 directs the U.S. DOC to establish regulations imposing obligations on IaaS providers to report their usage to the DOC when foreign companies use their IaaS products for large AI model training.

In response, on January 29, 2024, the U.S. DOC issued a new proposed regulatory rule (the “Proposed Rule”) requiring U.S. IaaS providers and their overseas resellers to verify the identities of foreign customers and report them to the U.S. government when the foreign customers use their IaaS products to train large AI models. In other words, the Proposed Rule mandates U.S. IaaS providers to comply with Know Your Customer (KYC) obligations by identifying and reporting not only direct customers, but also end customers to the U.S. government.

During the announcement of the Proposed Rule, the U.S. DOC clarified that the purpose of the Proposed Rule was to deter foreign customers from using U.S. IaaS products for training large AI models with potential capabilities that can be utilized in malicious cyber activities that could threaten national security. However, U.S. Secretary of Commerce Gina Raimondo has consistently identified China as a threat to U.S. cybersecurity and mentioned China as a specific target while announcing the Proposed Rule. Therefore, experts believe that the real purpose of enacting the Proposed Rule is to prevent China from gaining the computing operation capacity required for AI development through cloud computing services that utilize advanced AI semiconductors to circumvent the recent U.S. export controls on advanced AI semiconductors.

Details of the Proposed Rule

1. Mandatory Introduction of Customer Identification Program

According to the Proposed Rule, U.S. IaaS providers are required to implement a customer identification program (“CIP”) to verify the identity of their customers.

The CIP must include procedures to verify the identity of potential customers and their beneficial owners. If both are identified as American citizens through these procedures, no further tracking is necessary. However, if either the potential customer or its beneficial owner is a foreigner, the IaaS provider must collect their name, address, payment method and source, email address, phone number, and IP address. If such information is not identified, U.S. IaaS providers shall (i) refrain from opening an account; (ii) provide an account with restricted access while attempting further verification; (iii) close the account or conduct further monitoring; or (iv) set a correction period. In addition, the CIP should include procedures for customers to update the beneficial owner information and periodically verify the accuracy of the information they have provided.

Although the obligation to introduce CIP applies only to U.S. IaaS providers, they are required under the Proposed Rule to (i) ensure that foreign resellers of U.S. IaaS products adopt and maintain CIP and (ii) transmit the CIP of foreign resellers to the U.S. DOC within ten days upon request by the DOC. Therefore, the obligation may also be indirectly imposed on foreign resellers. In addition, the U.S. DOC may exempt certain U.S. IaaS providers from the obligation to adopt and maintain CIP under certain conditions.

U.S. IaaS providers must submit a CIP certification to the U.S. DOC annually, demonstrating that they operate an appropriate CIP. Additionally, they must report to the U.S. DOC information such as the software used for identifying foreign customers and their beneficial owners, processes for continuous customer identity verification, and procedures for identifying foreign customers using IaaS products for large AI model training. They are also required to continuously update this information where there are significant changes related to business operations, corporate structure, or CIP implementation.

2. Imposition of Obligation for Reporting Foreign Customers’ Large AI Model Training

According to the Proposed Rule, U.S. IaaS providers must submit a report to the U.S. DOC each time they engage in a “covered transaction” with a foreign customer who attempts to use IaaS products for training large AI models with potential capabilities that could be used in malicious cyber-enabled activity. These reports must include information such as the customer’s name, contact information, payment information, number of tasks, duration of tasks, and the name of the AI model.

A “covered transaction” broadly refers to any transaction by, for, or on behalf of a foreign person (i) which results or could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity, or (ii) in which the original arrangements provided for in the terms of the transaction would not result in the training of a large AI model, but a development or update in the arrangements means the transaction now does or could result in such training.

U.S. IaaS providers are required to submit the aforementioned report within 15 days from the occurrence of the covered transaction or from the date they become aware of it. In cases where an overseas reseller engages in a covered transaction with a U.S. IaaS provider, the IaaS provider must receive a report from the overseas reseller within 15 days from the occurrence of the covered transaction or from the date they become aware of it and submit a report to the U.S. DOC within 30 days from the occurrence of the transaction.

Impacts and Implications of the Proposed Rule

Once the public comment period (90 days) expires and the Proposed Rule is finalized, U.S. IaaS providers will be obligated to implement a CIP, submit certification of CIP operation, and report to the U.S. DOC if foreign customers utilize their IaaS product to train large AI models. In addition, U.S. IaaS providers must establish processes to manage and supervise overseas resellers to ensure they adopt CIP and fulfill reporting obligations.

In particular, with the establishment of the Proposed Rule, the influence of U.S. IaaS providers in the Chinese market is expected to decrease significantly. According to the National Information Society Agency (NIA) Digital Service Issue Report “2022 Cloud Industry Status in China,” Chinese companies already occupy 80% of the cloud infrastructure market share in China: Alibaba Cloud (37%), Huawei Cloud (18%), Tencent Cloud (16%), and Baidu AI Cloud (9%). With the issuance of this regulatory rule, Chinese IaaS providers are likely to further strengthen their dominance in the Chinese market.

Moreover, given that the U.S. has already imposed export controls on advanced AI semiconductors against China, enacting these regulations may prompt China to focus on strengthening its own AI semiconductor capabilities. In fact, as an alternative to Nvidia’s A100, which is banned for export to China, Huawei’s Ascend 910B has already been released, and Chinese companies have gradually shifted orders for AI chips to domestic suppliers. Consequently, there is significant attention on how the DOC’s Proposed Rule will impact the industry.

DR & AJU’s Comments

Although the Proposed Rule was enacted with China as the primary target, Korean AI startups that plan to utilize U.S. IaaS products directly or indirectly through cooperation with foreign companies, such as those in China, should be mindful that detailed information about their operations, such as the number and duration of their tasks, may be provided to the U.S. government under the Proposed Rule.

Conversely, domestic companies planning to cooperate with U.S. IaaS providers should also understand these regulations and closely monitor related developments. Currently, the reporting obligations under the Proposed Rule apply only to U.S. IaaS providers and their overseas resellers, and the U.S. DOC has clarified that their subcontractors and subsidiaries are exempt. However, there is a possibility that the application scope of these reporting obligations may expand, given the intensification of U.S. export controls on AI semiconductors.

The enactment of the Proposed Rule by the U.S. DOC indicates a prolonged trend of stringent U.S. export controls against China. Therefore, even domestic companies that are not directly affected by this rule should stay vigilant about changes in trade policies between the U.S. and China and prepare long-term strategies for the current international trade dynamics.

DR & AJU’s Global Compliance Group, Washington, D.C. Liaison Office and D&A Advisory, Inc. deliver accurate and crucial information to help domestic companies effectively and promptly respond to changes in the U.S. and China’s trade policies and establish effective strategies to ensure compliance with applicable laws by providing comprehensive advisory on internal control strategies.

DR & AJU will continue to closely monitor developments in international trade policies to respond expeditiously through close cooperation with companies when necessary.

References: U.S. Department of Commerce, Korea Trade-Investment Promotion Agency (KOTRA), Reuters, National Information Society Agency (NIA)

Introduction to GCG

DR & AJU’s Global Compliance Group (the “GCG”) was founded to prevent and minimize corporate risks for companies in Korea. GCG's goal is to create a favorable business environment by providing strategic solutions to prevent, manage, and minimize the various risks a corporate entity may face doing business domestically or globally.

DR & AJU GCG provides various risk management services, from pre-transaction investigation, strategic research, and field investigation to review of potential disputes, monitoring, representation in litigation, and post-litigation follow-up work. Furthermore, GCG aims to be a strategic partner to our clients in their creative management by predicting and preparing for political and regulatory risks, arising from changes in global dynamics or the political landscape, that our clients may face in or out of Korea.

The DR & AJU GCG team comprises experienced lawyers of various backgrounds, including the prosecution, police, politicians, administration officials, military generals and intelligence officers, national security authorities, North Korea experts, investigators, computer forensics experts, and financial and media experts.