Law Firm Warns of Compliance Risks From New Cloud KYC Rules
Upcoming know-your-customer rules for U.S. cloud service providers come with a new set of compliance risks, with providers potentially facing liability not just from the Commerce Department but also from U.S. sanctions authorities, Sidley Austin said in a client alert this month.
The proposed rules would require cloud service providers to collect certain information on customers and foreign resellers (see 2401290015), which “could result in violations for administrative errors,” Sidley said. The law firm also warned that Commerce may conduct “compliance assessments” and audits of U.S. providers “depending on risks the Department perceives based on the” provider or its customer identification procedures. The agency may impose penalties as a result of those audits.
Sidley also stressed that the Treasury’s Office of Foreign Assets Control will expect cloud service providers to use the new information they collect to comply with sanctions programs. This means that providers should “screen user information and compare it against relevant sanctions lists to ensure that they are not providing services to sanctioned countries or persons,” the firm said.
Commerce is planning for a one-year grace period and is still soliciting comments through April 29. “Industry members should take advantage of the notice and comment period to weigh in on the effectiveness and potential burdens of this proposed regulation,” Sidley said.