Image: On-premise ISVs don’t really need to be concerned with what their users are doing. This is not the case for SaaS, where the service provider needs to meet “know your customer” and other legal requirements.

ISVs must consider their jurisdiction, as well as that of their customers, suppliers, processing utilities and data storage providers. Not knowing enough about your customers can be expensive, and could even land you in jail. PaaS providers can add value to European ISVs by abstracting these jurisdiction issues and keeping track of future legal changes.

In Is jetting to Cuba this summer a bad idea for European SaaS ISVs? I reported on how the US Treasury’s Office of Foreign Asset Control (OFAC) can impact non-US companies. A European travel agent appeared on the OFAC blacklist for selling Cuban holidays.

The travel agent’s only US assets were the DNS database registrations for their .com domain names. The domain register froze the .co domains following a call from OFAC; the travel agent’s websites disappeared from the Internet.

New US rules intended to prevent identify theft came into force on January 1st 2008. These new rules are part of the US Fair and Accurate Credit Transactions Act (FACT). The FACT rules cover all companies that keep consumer accounts with personally identifiable information. Companies covered by the new rules must comply by November 1st 2008.

Companies will have to check customers against the FACT list of suspected identity-theft criminals. They must also watch customer’s transactions and report anything suspicious (so-called “red flags”). There are threats of fines and even jail for breaking the reporting rules.

FACT does not just apply to banks and financial institutions. As online service providers, SaaS ISVs will also have to worry about these rules. It will take time, and you face complex questions about jurisdictions.

Welcome to law enforcement

As a SaaS ISV you provide services and have customer accounts involving money and online identity. It is likely you will also have to meet Know Your Customer rules. What’s more, you must identify all suspicious transactions and report these to the proper authorities.

The US is not the only country moving towards privatising law enforcement in this way. The UK also has strict Know Your Customer laws intended to prevent identity theft fraud, money laundering and terrorist financing. Even China now has similar rules.

Many of these laws overlap and could even be in direct conflict. It will be many years before consistent rules apply between the US and EU. Meanwhile you must stay up-to-date with the latest rules in each jurisdiction.

It is not just where you are, but where your customers and suppliers are as well. You have to get it right as the penalties are severe, and ignorance of the law is no defence. Hobby developers might not care about these rules, but business ISVs must.

Jurisdiction-abstraction as a service?

Mapping these new rules to your utility computing and PaaS providers will be a complex, and lasting, problem. However, it is a problem common to all ISVs; it is not different for each vertical niche.

It must be possible to find a common solution. PaaS providers are therefore in an ideal position to provide jurisdiction abstraction features on their platform.

I look forward to seeing how PaaS providers will solve this problem. It is not so much a technical issue, but is critical for SaaS in general and PaaS in particular. Those that can abstract away US, EU and other jurisdiction problems will have a real benefit to talk about.

Image: Location independence is a great architectural concept but legal reality for PaaS is radically different You’ll need to keep track of what’s where in the real world if you want to stay out of trouble.

While Cuba is a popular holiday spot for Europeans, a 46-year old trade ban puts Cuba off-limits to Americans. Strictly enforced laws prevent US companies from doing direct or indirect business with Cuba.

The US trade ban became a big problem for travel agent Tour & Marketing International. Although based in Spain, the US Treasury’s Office of Foreign Asset Control (OFAC) added them to a blacklist. Why? For selling Cuban holidays to Europeans (US citizens cannot travel to Cuba).

As a result, their US-based domain register blocked about 80 of their .com domains for Cuba-related websites. The domain register gave no notice and refused to transfer the domains (they must freeze all US-based assets).

Are you breaking US law?

You might not have customers in Cuba, but what about all the subscribers of your SaaS solution:

• Do you know who and where they are?
• Are you sure your information is accurate?
• Could you prove it in a court of law?
• How will you track future changes?

Your PaaS provider could get a call from OFAC to suspend your SaaS application. You get no notice and appealing is difficult. This is not going to be good for your SLA…

Is storing data in Europe enough?

Metadata is also important, not just your application and data. For example, Amazon’s S3 storage service allows you to store your data in Europe, but what about your account data? If it is in the USA, Amazon could get a call from OFAC. While your European-data is still there, you might not be able to use it.

I am not sure that all ISVs building their business on Amazon S3 have fully considered this issue.

Wait for the law to catch-up?

It is not just the US and Cuba; cloud computing and cross-border trade disputes are an accident waiting to happen. The law will take years to catch up with cloud computing.

Until then, you need to know where your PaaS provider is storing your applications, data and metadata.

What can PaaS providers do today?

PaaS providers must make their customers aware of these potential problems. They will not convince European ISVs with an easy “Everything’s in the cloud; do not worry”; PaaS providers must be transparent and make it clear exactly where they are storing applications and data.

Splitting workloads by region could be a good differentiator. This might also open the market to non-US PaaS and utility-computing providers.