8 March 2024
DLx Alert: Commerce Department Proposes Rule to Require Cloud Infrastructure Service Providers to Adopt Enhanced KYC and Due Diligence Procedures, Citing National Security Concerns

Important Alert
The U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) has proposed a rule[1] that could mark a significant development in the regulation of network infrastructure providers and digital assets (or “crypto assets”). The proposed rule seeks to address national security concerns associated with what the proposal refers to as U.S. “Infrastructure-as-a-Service” (“IaaS”) providers.[2] The proposal nevertheless also could have a significant impact on users and service providers in the crypto asset sector in the United States. The proposal focuses on what are very broadly described as “significant malicious cyber-enabled activities” under a set of Executive Orders remaining in place from 2015[3] and 2021[4].
More specifically, among other things, the proposed rule introduces stringent requirements for IaaS providers, including crypto asset infrastructure and infrastructure services providers involved in decentralized finance (DeFi), Staking as a Service, the exchange and availability of crypto assets, or the broader blockchain environment. The proposed rule is unprecedented in scope, seeking to require cloud infrastructure providers and all others it characterizes as IaaS providers to adopt enhanced know-your-customer (“KYC”) and due diligence procedures. While the proposal is applicable to U.S. IaaS providers, the requirements imposed on “foreign resellers” of U.S. “IaaS products” could potentially extend extraterritorially and impose the proposed requirements on a global scale. Consider the notes below, which focus on the proposed rule’s potential impact on those IaaS providers contributing to the U.S. digital asset sector.
Key components of the proposed rule
- Enhanced KYC requirements: IaaS providers, potentially including many service providers in the digital asset sector, would be required to implement advanced KYC procedures to prevent “misuse” of their platforms for malicious cyber activities.
- Due diligence requirements: IaaS providers would be required to conduct thorough due diligence to ensure their services are not exploited by actors engaged in cyber-enabled threats.
- National security focus: The rule underscores the national security implications of inadequate controls in the digital assets space, aiming to mitigate risks associated with “significant malicious cyber-enabled activities.”
Potential impact on the digital asset sector
- Operational challenges: The enhanced KYC and due diligence requirements could potentially be impractical if not impossible to implement, because they would likely impose significant operational burdens on crypto asset service providers, potentially limiting their efficiency and scalability.
- Compliance costs: Small and medium-sized enterprises (“SMEs”) in the blockchain sector would likely face significantly increased (if not prohibitive) compliance costs, which could impact their competitiveness and innovation capabilities, as well as the willingness of early-stage capital providers to fund these businesses.
- Market dynamics: In light of these compliance costs, there is a high likelihood the proposed rule would lead to a consolidation in the digital asset sector, favoring large players with sufficient resources to comply with the extensive new regulations.
- Innovation & growth: While the proposed rule would aim to protect national security, there is a risk that overly stringent regulations could stifle innovation and growth within the digital assets industry.
- International considerations: The global nature of the digital assets sector means the proposed rule could have far-reaching implications, potentially affecting international cooperation and regulatory alignment.
Conclusion
The BIS’s proposed rule represents a pivotal moment in the regulation, and perhaps viability, of the crypto asset sector, reflecting a growing recognition of the sector’s national security implications. While the proposed rule would aim to safeguard against malicious cyber activities, for the continued viability of the crypto asset sector, it is imperative that the proposal’s implementation balances security concerns with the need to protect ongoing technological innovation and growth in the crypto assets industry.
Comments are due by April 29, 2024. Stakeholders ought to strongly consider providing thoughtful comments and closely monitor the proposed rule’s development. While the commentary could result in a re-proposal or at least important modifications to the proposed rule, IaaS providers engaging in the crypto asset sector should prepare for its potential impact on operational practices, compliance costs, and market dynamics. Collaboration and dialogue between the industry and regulators will be crucial to ensure any final rule achieves its security objectives without unduly hampering the vibrant blockchain and crypto asset sector.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
NOTES
1. Comm. Dep’t, Ind. & Sec. Bur., Proposed Rule Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities, 89 Fed. Reg. 5698, 5698-5735 (Jan. 29, 2024), available at https://www.federalregister.gov/documents/2024/01/29/2024-01580/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious [hereinafter Commerce Department Proposed Rule].
2. A U.S. IaaS provider could potentially include at least any provider of blockchain-based infrastructure or infrastructure services and any provider of cloud-based storage or computer processing services. As defined in the proposed rule, “United States Infrastructure as a Service provider” means any U.S. person offering any product or service “to a consumer, including complimentary or ‘trial’ offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications,” and where “[t]he consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications …” See Commerce Department Proposed Rule, 89 Fed. Reg. 5726 (§ 7.301) for the full definition.
3. See E.O. 13694, Executive Order Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (Apr. 1, 2015), https://www.federalregister.gov/documents/2015/04/02/2015-07788/blocking-the-property-of-certain-persons-engaging-in-significant-malicious-cyber-enabled-activities.
4. See E.O. 13984, Executive Order Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities (Jan. 19, 2021), https://www.federalregister.gov/documents/2021/01/25/2021-01714/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious.