Can Know Your Customer (KYC) requirements for infrastructure service providers help reduce cyber-enabled fraud and subsequent #moneylaundering?
In November 2023, the Financial Action Task Force (FATF) released the report "Illicit Financial Flows from Cyber-Enabled Fraud," revealing that cyber-enabled fraud is a major transnational organized crime. It has grown exponentially in recent years, causing devastating losses for individuals, organizations, and economies.
Cyber attacks can impact individuals, enterprises, and even states.
For instance, #cybercrimes enabled by phishing-as-a-service platforms help not-so-tech-savvy criminals commit #financialcrimes and the like. In the past few months, international law enforcement agencies have also launched crackdowns on criminal groups offering phishing toolkits to fraudsters and organized crime groups through phishing-as-a-service platforms.
Given the gravity of the situation, there are now calls for #KnowYourCustomer requirements for cloud service providers.
In a time of #cyberwarfare, when cyber attacks are used by non-state threat actors, countries are taking extra measures to ensure that their technical infrastructure providers are not selling services to someone who might otherwise be undermining their security.
For instance, in February 2024, the Department of Commerce, Bureau of Industry and Security (BIS), released a proposed rule that would require U.S. cloud services providers, known as infrastructure-as-a-service providers, to have a Customer Identification Program (#CIP).
The Proposed Rule defines Infrastructure as a Service (IaaS) as a product or service offering processing, storage, networks, or other computing resources for deploying and running software that is not predefined.
According to the rule, "U.S. IaaS providers" encompass U.S. persons selling IaaS products, including U.S. subsidiaries of foreign entities and U.S. resellers.
As per the rule, U.S. IaaS providers must establish a Customer Identification Program to identify and verify foreign user accounts, with flexibility based on provider size, product offerings, and risks.
The CIP must include procedures for identifying customers, collecting and maintaining verification information, and retaining records securely for up to two years.
Foreign resellers of U.S. IaaS must maintain their own CIP, which must be provided to BIS upon request.
The rule may lead infrastructure service providers to perform bank-style KYC.
As Anthony Rapa shared in an interview with SecurityInfoWatch, “The overall takeaway is that the proposed rule would establish significant due diligence and monitoring requirements for U.S. IaaS providers that would be new for the industry (as compared with, e.g., the financial industry, which is used to these rules) and would necessitate the dedication of significant resources to designing and executing a compliance program.”
#KYC #CIP #cloudasaservice #Saas #NPRM #BIS