Law Firm Warns of Compliance Risks From New Cloud KYC Rules
Upcoming know-your-customer rules for U.S. cloud service providers come with a new set of compliance risks, with providers potentially facing lability not just from the Commerce Department but also from U.S. sanctions authorities, Sidley Austin said in a client alert this month.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The proposed rules would require cloud service providers to collect certain information on customers and foreign resellers (see 2401290015), which “could result in violations for administrative errors,” Sidley said. The law firm also warned that Commerce may conduct “compliance assessments” and audits of U.S. providers “depending on risks the Department perceives based on the” provider or its customer identification procedures. The agency may impose penalties as a result of those audits.
Sidley also stressed that the Treasury’s Office of Foreign Assets Control will expect cloud service providers to use the new information they collect to comply with sanctions programs. This means that providers should “screen user information and compare it against relevant sanctions lists to ensure that they are not providing services to sanctioned countries or persons,” the firm said.
Commerce is planning for a one-year grace period and is still soliciting comments through April 29. “Industry members should take advantage of the notice and comment period to weigh in on the effectiveness and potential burdens of this proposed regulation,” Sidley said.