SaaS ISVs: Know your customers or risk going to jail
In “Is jetting to Cuba this summer a bad idea for European SaaS ISVs?” I reported on how the US Treasury’s Office of Foreign Assets Control (OFAC) can affect non-US companies. A European travel agent appeared on the OFAC blacklist for selling Cuban holidays.
The travel agent’s only US assets were the DNS registrations for their .com domain names. The domain registrar froze the .com domains following a call from OFAC, and the travel agent’s websites disappeared from the Internet.
New US rules intended to prevent identity theft came into force on January 1st 2008. These new rules are part of the US Fair and Accurate Credit Transactions Act (FACT). The FACT rules cover all companies that keep consumer accounts containing personally identifiable information. Companies covered by the new rules must comply by November 1st 2008.
Companies will have to check customers against the FACT list of suspected identity-theft criminals. They must also watch customers’ transactions and report anything suspicious (so-called “red flags”). There are threats of fines and even jail for breaking the reporting rules.
FACT does not just apply to banks and financial institutions. As online service providers, SaaS ISVs will also have to worry about these rules. Complying will take time, and you face complex questions about jurisdiction.
Welcome to law enforcement
As a SaaS ISV you provide services and hold customer accounts involving money and online identity. It is likely you will also have to meet Know Your Customer rules. What’s more, you must identify all suspicious transactions and report them to the proper authorities.
The US is not the only country moving towards privatising law enforcement in this way. The UK also has strict Know Your Customer laws intended to prevent identity theft fraud, money laundering and terrorist financing. Even China now has similar rules.
Many of these laws overlap and could even be in direct conflict. It will be many years before consistent rules apply between the US and EU. Meanwhile you must stay up-to-date with the latest rules in each jurisdiction.
It is not just where you are, but where your customers and suppliers are as well. You have to get it right as the penalties are severe, and ignorance of the law is no defence. Hobby developers might not care about these rules, but business ISVs must.
Jurisdiction-abstraction as a service?
Mapping these new rules onto your utility computing and PaaS providers will be a complex, and lasting, problem. However, it is a problem common to all ISVs; it does not differ from one vertical niche to the next.
It must be possible to find a common solution. PaaS providers are therefore in an ideal position to offer jurisdiction-abstraction features on their platforms.
I look forward to seeing how PaaS providers will solve this problem. It is not so much a technical issue, but it is critical for SaaS in general and PaaS in particular. Those that can abstract away US, EU and other jurisdiction problems will have a real benefit to talk about.
Coming up…
Next time on paasTalk I will take a first look at some of the leading Platform as a Service providers.