On Dec. 15, 2022, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM or Proposed Rule) implementing the provisions of the Corporate Transparency Act (CTA) that govern access to beneficial ownership information (BOI) FinCEN collects and maintains.
Enacted as part of the Anti-Money Laundering Act of 2020 (AML Act), the CTA established federal BOI reporting requirements for certain types of corporate entities, and it directed FinCEN to maintain BOI in a confidential registry available only to: (i) U.S. federal, state, local, and Tribal government agencies; (ii) foreign law enforcement agencies, judges, prosecutors, central authorities and competent authorities (collectively, foreign requesters); (iii) financial institutions (FIs) using BOI to facilitate compliance with customer due diligence (CDD) requirements under applicable law; (iv) federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity that are assessing FIs for compliance with CDD requirements; and (v) officers and employees of the U.S. Department of the Treasury (Treasury) whose official duties require inspection or disclosure of BOI and for tax administration purposes.
The Proposed Rule: (1) outlines the terms of access by government officials, banks, and others to the confidential BOI data; (2) discusses aspects of the secure, non-public information technology (IT) system that FinCEN is building to store BOI and manage disclosures and its legal safeguards; and (3) proposes rules specifying when and how reporting companies may report FinCEN identifiers tied to entities. This GT Alert covers each of these three aspects of the Proposed Rule and other more recent FinCEN updates.
The Proposed Rule goes into effect Jan. 1, 2024.
1. Who Can Access BOI Data?
Under the Proposed Rule, as authorized by the CTA, FinCEN would share confidential BOI with:
Federal agencies engaged in national security, intelligence, or law enforcement activity, upon request, for use in furtherance of such activity. FinCEN proposes to define “law enforcement activity” to include both criminal and civil action, including civil enforcement through administrative proceedings. “National security” would be defined to include any “activity pertaining to the national defense or foreign relations of the United States, as well as activity to protect against threats to the safety and security of the United States.” Given the breadth of these proposed definitions, the BOI of reporting companies would potentially end up in the hands of a range of federal authorities in the event they faced legal scrutiny.
State, local, and Tribal law enforcement, with the authorization of a court of competent jurisdiction. The Proposed Rule defines “court of competent jurisdiction” as any court with jurisdiction over the criminal or civil investigation for which the state, local, or Tribal law enforcement agency requests BOI.
Foreign law enforcement or judicial entities. Foreign authorities seeking information for use in law enforcement, intelligence, or national security matters would have to rely on an intermediary U.S. agency to request information on their behalf, and even if approved, would not have direct access to BOI. FinCEN proposes to entertain requests where (i) there is a treaty that contemplates the information sharing (which commonly requires that the offense under investigation be criminalized in both jurisdictions); or (ii) no treaty applies but the request comes from a “trusted foreign country.” The CTA does not provide criteria for determining whether a particular foreign country is “trusted”; rather, it provides FinCEN with considerable discretion to make this determination. FinCEN proposes to establish a mechanism to address such requests either on a case-by-case basis or pursuant to alternative arrangements with intermediary federal agencies where those agencies have ongoing relationships with the foreign requester.
FinCEN, in consultation with relevant U.S. government agencies, would, therefore, look to U.S. interests and priorities in determining whether to disclose BOI to foreign requesters when no international treaty, agreement, or convention applied. In making these determinations, FinCEN would also consider the ability of a foreign requester to maintain the security and confidentiality of requested BOI. Once FinCEN made the determination to disclose BOI to a foreign requester, the intermediary federal agency would be permitted to retrieve and disseminate the requested BOI to the foreign requester, subject to applicable security and confidentiality protocols.
Financial institutions, for purposes of complying with FinCEN’s CDD Rule. Only FIs that are subject to the CDD Rule are eligible to access BOI, and even then, they must first obtain the consent of the reporting company to which the information pertains. FinCEN proposes to limit an FI’s redisclosure of BOI to other officers, employees, contractors, and agents of the FI physically present in the United States. Given these limitations, the utility of the new registry for financial institutions remains an open question. FinCEN is obligated under the CTA to revise the CDD Rule in light of the CTA; however, it need not do so until one year after the reporting requirements go into effect, further complicating the interplay between the CTA and CDD Rule for financial institutions.
Federal functional regulators and similar. Regulators may obtain BOI for purposes of supervising financial institutions’ CDD compliance, and they may share this information with certain self-regulatory organizations (SROs) such as the Financial Industry Regulatory Authority (FINRA) or the National Futures Association (NFA). This authority is in addition to federal functional regulators’ authority to access BOI for law enforcement, intelligence, or national security purposes.
The Department of the Treasury. Officers and employees of the Treasury would be permitted access to BOI not only for purposes related to administration of the registry but also for other authorized functions, including sanctions designations, identification of blocked property, and tax administration (as defined in the U.S. Internal Revenue Code). The Proposed Rule characterizes BOI as “critical” for tax investigations, lending reason to anticipate that the IRS may make widespread use of the corporate registry in reviewing tax returns.
2. Procedures to Access BOI and Data Security Safeguards
Proposed Access Rules. The Proposed Rule sets forth different levels of access at which BOI can be viewed and retrieved. For example:
- Federal agencies engaged in national security, intelligence, or law enforcement. Under FinCEN’s proposal, authorized users would be able to log into and query FinCEN’s BOI system directly, run queries using multiple search fields, and review one or more results returned immediately – potentially increasing its utility to law enforcement but also raising the risk of misuse.
- State, local, and Tribal law enforcement. Unlike federal authorities discussed in the prior paragraph, these state, local, and Tribal agencies would acquire access to the corporate registry system only upon FinCEN’s approval of their request. After receiving such approval, these state and local agencies could then conduct searches within the BOI IT system using the same search functionality available to federal agencies.
- Financial institutions. Consistent with the CTA, the proposed rule would only permit FIs to request BOI from FinCEN for purposes of complying with CDD Rule requirements under applicable law, and only with the consent of the reporting company to which the BOI pertains. FIs would not have the ability to query FinCEN’s system openly; instead, they would submit identifying information of a reporting company to FinCEN and receive a report with that entity’s BOI.
Security and Confidentiality Safeguards. Pursuant to the CTA, the Secretary of the Treasury delegated to FinCEN the authority to prescribe certain security and confidentiality protocols for handling BOI obtained by various agencies. Under the NPRM, FinCEN proposes the following security safeguards:
- Security and Confidentiality Requirements for Domestic Agencies: The Proposed Rule organizes the security and confidentiality requirements that a federal agency, or a state, local, or Tribal law enforcement agency, would have to follow when accessing and handling BOI into two categories:
– General Security Requirements: Each requesting agency would enter into a memorandum of understanding (MOU) with FinCEN before it could obtain BOI, specifying the standards, procedures, and systems that the agency would be required to maintain to protect BOI. These MOUs would, among other things, memorialize and implement certain CTA requirements, including those regarding reports and certifications, periodic training of individual recipients of BOI, personnel access restrictions, re-disclosure limitations, and access to audit and oversight mechanisms.
– Security Requirements for Each Individual Request for BOI: Under the NPRM, for each request made by:
• a domestic federal agency to FinCEN, the head of the agency would be required to certify in writing that: (1) the agency was engaged in a national security, intelligence, or law enforcement activity, and (2) the BOI requested was for use in furthering that activity, setting forth specific reasons why the requested BOI was relevant. FinCEN expects that the certification and justification would be made by the individual at the authorized federal agency at the time of the BOI request.
• a state, local, or Tribal law enforcement agency, the request would have to include a copy of the court authorization that authorizes the agency to request BOI, as well as a written justification setting forth specific reasons why the requested information was relevant to the investigation.
- Security and Confidentiality Requirements for Financial Institutions: The NPRM proposes to require each FI to certify to FinCEN in writing, for each BOI request, that it: (1) is requesting the information to facilitate its compliance with CDD requirements; (2) obtained the reporting company’s written consent to request its BOI; and (3) fulfilled all security and confidentiality requirements set forth in the section of the final rule applicable to FIs’ requests of BOI. FinCEN anticipates that FIs would be able to make such certification via a checkbox when requesting BOI via the beneficial ownership IT system.
Additionally, the NPRM proposes that FIs use the technical procedures they have in place to comply with the requirements of section 501 of the Gramm-Leach-Bliley Act to satisfy their requirements under the NPRM. Such procedures include administrative, technical, and physical safeguards that: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
- Security and Confidentiality Requirements for Foreign Requesters: Foreign requesters would be required to handle, disclose, and use BOI consistent with the requirements of the applicable treaty, agreement, or convention under which it was requested. Additionally, the NPRM would establish requirements for foreign requesters when no treaty, agreement, or convention applied that include maintaining secure storage systems that comply with whatever security standards the foreign requester applied to the most sensitive unclassified information it handled, minimizing the amount of information requested, and restricting personnel access to it.
Penalty provisions in the Proposed Rule support the security and confidentiality requirements discussed above by confirming the CTA’s civil and criminal penalties for knowingly disclosing or using BOI without authorization. In general, under the CTA, unlawful disclosure of BOI may result in civil penalties in the amount of $500 for each day a violation continues or has not been remedied and criminal penalties as a fine of not more than $250,000 or imprisonment for not more than five years, or both.
3. FinCEN Identifiers
A FinCEN identifier is a unique identifying number that FinCEN will issue (i) to individuals who have provided FinCEN with their BOI and (ii) to reporting companies that have filed initial BOI reports with FinCEN. The NPRM adopts language clarifying certain CTA requirements related to the use of FinCEN identifiers of intermediary entities that were not addressed in the final BOI reporting rule FinCEN issued in September 2022. In circumstances where an individual is a beneficial owner of a reporting company simply because such individual holds an interest in another entity (an “intermediary entity”) that, directly or indirectly, holds an interest in the reporting company, the CTA provides that such reporting company may use the FinCEN identifier of the intermediary entity instead of providing the individual’s BOI.
However, in the background section of the Proposed Rule, FinCEN recognizes that using a FinCEN identifier of an intermediary entity may lead to significant problems of:
- overreporting BOI in circumstances where a reporting company’s ownership structure involves multiple beneficial owners and/or intermediate entities; or
- underreporting BOI when an individual is a beneficial owner of a reporting company through multiple intermediate entities but is not a beneficial owner of one of those intermediary entities, which could obscure the identity of that beneficial owner.
Therefore, the Proposed Rule would permit a reporting company to report the FinCEN identifier of an intermediary entity in lieu of the individual’s BOI only when the intermediate entity and the reporting company have exactly the same beneficial owners.
More recently, on Jan. 17, 2022, FinCEN issued a notice and request for comments in which the agency set forth a proposed identifier application form that FinCEN intends to use to collect information from individuals in order to issue them a FinCEN identifier. The notice provides an opportunity to comment on: (1) the FinCEN identifier application form that FinCEN proposes to require individuals to use; and (2) FinCEN’s estimate of the burden involved in completing the application. The notice requests feedback on or before March 20, 2023.
Takeaways and Next Steps
The Proposed Rule marks the second of three rulemakings mandated by the CTA. It follows FinCEN’s issuance on Sept. 30, 2022, of a final rule defining the types of entities subject to the BOI reporting requirement and the information that must be reported.
The Proposed Rule raises several hurdles FinCEN needs to overcome to implement it, including resource constraints in developing and deploying the BOI IT System and efforts to put in place processes to support the collection and use of BOI. FinCEN must overcome these hurdles before it allows for access to BOI and may have to identify trade-offs, including with respect to guidance and outreach activities, to be able to provide adequate customer service resources for reporting companies in the first year and beyond as they file their BOI.
With respect to FIs, although the NPRM may bring some benefits (e.g., FIs may be able to request BOI from FinCEN to facilitate their compliance with CDD requirements), FIs looking to prepare for these new regulations should be mindful that the Proposed Rule would require the implementation of several updates to existing policies and procedures, particularly those covering access, storage, and sharing of BOI; cybersecurity protocols; obtaining and documenting customer consent to access BOI; employee training; and potential changes to onboarding procedures. Such changes to existing systems may result in unforeseen costs, timely implementation, and potential security concerns with respect to BOI of their customers. Therefore, issues and concerns regarding the requirements of the Proposed Rule should be raised now by submitting written commentary to FinCEN.
Written comments on the Proposed Rule must be submitted to FinCEN by Feb. 14, 2023.
Proposed Collection of Beneficial Ownership Information.
Relatedly, on Jan. 17, 2023, following the BOI reporting final rule, FinCEN issued a notice and request for comment on the form the agency proposes to use to collect BOI from reporting companies. The notice gives the public an opportunity to comment on: (1) the report that FinCEN proposes to require reporting companies to use to report that information; and (2) FinCEN’s estimate of the burden involved in preparing and submitting that report. Of note, despite FinCEN’s mandate to obtain BOI of beneficial owners of reporting companies, the proposed form has options for “not able to obtain this information about the Beneficial Owner” and “Unable to identify all Beneficial Owners.” The notice requests feedback on or before March 20, 2023.