Cloud Providers And KYC

Sep 24, 2024

4 min read

Financial Services-like Regulation May be Heading Toward Big Tech


Original Publication: June 18, 2024 on LinkedIn


The PwC 2022 Global Economic Crime Survey Snapshot titled Platform Fraud: The New Frontier of Economic Crime highlighted a surge in economic crime occurring through technology platforms. The survey respondents reported that forty percent of all frauds were platform-based, showing the burgeoning role of cloud-based technologies in fraud crimes. 

In addition to fraud concerns, US politicians have also increased pressure on technology companies to do more to secure cloud infrastructure from misuse for malicious artificial intelligence purposes. For example, US Senator John Warner, a former tech entrepreneur, recently introduced legislation addressing security risks associated with AI, including data supply chain security and data poisoning attacks. 


In response to these growing losses, concerns, and risks, the US Department of Commerce has proposed a Know Your Customer (KYC) regulation on “Infrastructure as a Service” (IaaS) providers. The proposed rule aims to counter the risks of fraud, theft, and facilitation of terrorism, as well as other activities contrary to US national security interests. 


What is IaaS? 


The proposed rule defines IaaS as a product or service that provides processing, storage, and networks. The US government elsewhere defines IaaS more simply as "The most basic category of cloud computing system." As such, the rule applies to a broad definition encompassing a wide range of services and applying to US entities, including US subsidiaries of foreign entities. If the rule is approved, many technology firms could be affected by this regulation. 


What are the KYC program requirements? 


The proposed rule requires IaaS providers to have a written Customer Identification Program (CIP). As currently drafted, the requirement closely mirrors US bank KYC rules. The identification information goes beyond just the customer's address; it also includes IP addresses for accessing or administrating the account. This level of detail in identification indicates the seriousness with which the Department of Commerce is taking this issue. 


The proposed rule also implies that customer risk rating and enhanced due diligence will be needed. This requirement suggests that IaaS providers must conduct a thorough risk assessment of new accounts and may need to gather further information based on the risk assessment. 


What ongoing program maintenance is required? 


In addition to the CIP, IaaS providers will have to make annual certifications of their CIP programs to demonstrate compliance with the rule. This certification is a time-consuming and expensive requirement reminiscent of the certifications required to comply with NY DFS part 504. 


Moreover, if DFS Part 504 is a guide, firms must also undertake a significant audit program to test their compliance assertions. This article introduces the structure and required rigor of DFS Part 504 compliance to those unfamiliar with it. 

The rule also requires ongoing monitoring for indicators of foreign account ownership. This significant requirement could require IaaS providers to implement robust electronic monitoring systems, even in the absence of the types of monitoring described in the exemption below. 


What is the Abuse Deterrence Program Exemption? 


The rule outlines an "Abuse Deterrence Program" (ADP), which includes continuous risk monitoring and, if implemented, provides an exemption to the need to maintain a CIP program. Specifically, the ADP must be designed to detect, prevent, and mitigate malicious cyber-enabled activities and include policies and procedures for identifying and responding to red flags. 


The proposal outlines the principles for finding relevant Red Flags, including the types of accounts, methods for opening and accessing accounts, monitoring and assessing account activities, and earlier experiences with malicious cyber-enabled activities. It also involves finding sources of Red Flags, such as past incidents, vulnerabilities, methods of cyber-enabled activities, and alerts or notifications received. Furthermore, it recognizes categories of Red Flags, including suspicious personally identifiable information or identity evidence, suspicious or anomalous activity, and reports of fraud or abuse associated with the accounts. 


To prevent and mitigate malicious cyber-enabled activities, the IaaS provider must respond appropriately to the detected Red Flags. This response may include monitoring accounts for evidence of malicious activities, contacting customers, changing security codes or passwords, reopening or closing accounts, notifying law enforcement, or deciding on a suitable response based on the circumstances. Additionally, the IaaS provider must set up procedures for the ongoing administration of the ADP, including obtaining approval from senior management or the board of directors, involving them in oversight and development, providing necessary training to staff, and exercising effective oversight of reseller arrangements. 
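The red-flag principles above (suspicious identity evidence, anomalous activity, abuse reports, indicators of foreign administration) and the graduated responses (monitor, contact the customer, close the account, escalate) lend themselves to a small, auditable triage routine. The following is an added illustration, not code from the rule, the Department of Commerce, or any provider: the account fields, the point weights and the response thresholds are all assumptions chosen for the example, and the account records are constructed sample data.

```python
from dataclasses import dataclass

# Constructed account signals a provider's ADP might already hold.
# Field names and the idea of a declared country are assumptions for this example.
@dataclass
class AccountSignal:
    account_id: str
    declared_country: str          # country on the customer record
    payment_country: str           # country of the payment instrument
    admin_ip_countries: list       # countries seen on administrative logins
    identity_docs_consistent: bool # identity evidence matches the record
    api_calls_per_hour: int        # current hour's activity
    baseline_calls_per_hour: int   # the account's established baseline
    abuse_reports: int             # fraud or abuse reports received
    prior_incidents: int           # earlier malicious cyber-enabled incidents

# Assumed point weights per red-flag category; tune to the provider's risk appetite.
WEIGHTS = {
    "suspicious identity evidence": 3,
    "fraud or abuse report received": 3,
    "anomalous activity volume": 2,
    "administrative access from outside declared country": 2,
    "payment country differs from declared country": 1,
    "prior malicious cyber-enabled incident": 1,
}

def red_flags(a: AccountSignal) -> list:
    """Return the red-flag categories triggered by one account's signals."""
    flags = []
    if not a.identity_docs_consistent:
        flags.append("suspicious identity evidence")
    if a.abuse_reports > 0:
        flags.append("fraud or abuse report received")
    # Anomalous activity: more than five times the account's own baseline (assumed threshold).
    if a.baseline_calls_per_hour > 0 and a.api_calls_per_hour > 5 * a.baseline_calls_per_hour:
        flags.append("anomalous activity volume")
    if any(c != a.declared_country for c in a.admin_ip_countries):
        flags.append("administrative access from outside declared country")
    if a.payment_country != a.declared_country:
        flags.append("payment country differs from declared country")
    if a.prior_incidents > 0:
        flags.append("prior malicious cyber-enabled incident")
    return flags

def response_for(score: int) -> str:
    """Map a risk score to a graduated response (assumed thresholds)."""
    if score == 0:
        return "no action"
    if score <= 2:
        return "monitor account for further evidence"
    if score <= 4:
        return "contact customer and require re-verification"
    return "suspend account and escalate for senior review"

def triage(a: AccountSignal) -> dict:
    """Produce an auditable record: flags found, score, and the response chosen."""
    flags = red_flags(a)
    score = sum(WEIGHTS[f] for f in flags)
    return {"account_id": a.account_id, "flags": flags,
            "score": score, "response": response_for(score)}

def sample_accounts() -> list:
    """Constructed sample records covering a clean, a borderline and a high-risk account."""
    return [
        AccountSignal("acct-clean", "US", "US", ["US"], True, 120, 100, 0, 0),
        AccountSignal("acct-foreign-admin", "US", "US", ["US", "ZZ"], True, 90, 100, 0, 0),
        AccountSignal("acct-risky", "US", "YY", ["US", "ZZ"], False, 1200, 100, 1, 0),
    ]

if __name__ == "__main__":
    for record in map(triage, sample_accounts()):
        print(record)
```

Each triage result keeps the list of flags alongside the decision, which is the evidence an annual certification or a Part 504-style audit would need in order to test that the program responded to red flags as its written policy says it does.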


The Department considers the participation of IaaS providers or foreign resellers in a consortium to develop privacy-preserving data sharing and analytics as a factor for granting an exemption. Such a consortium would provide tools and capabilities to aid smaller IaaS providers and improve their ADPs. 


What should we do now? 


The US Department of Commerce's proposed rule represents a significant step in the fight against economic crime. Imposing bank-like regulations on IaaS providers may require a significant compliance program uplift for complex firms. 

I recommend that firms begin their program analysis soon. At a minimum, this should include: 

  • Assessing the cost and timeline of CIP program implementation; 

  • Analyzing the cost and timeline to build a program certification process; 

  • Evaluating the feasibility of potential ADP technology; and, 

  • Exploring the formation of a CIP and ADP consortium or utility. 


If you have any questions, please contact me at jeff.lavine@jpladv.com
