On Dec. 22, 2023, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) published a final rule (Access Rule) establishing the parameters for authorized access to BOI reported to FinCEN. The Access Rule is the second of three rulemakings implementing the Corporate Transparency Act (CTA), a law designed to increase transparency in the ownership and control of U.S. legal entities and foreign entities registered to do business in the United States.
Issuance of the Access Rule preceded the Jan. 1, 2024, effective date of the Beneficial Ownership Information Reporting requirements final rule (BOI Reporting Rule). The BOI Reporting Rule mandates that certain U.S. entities and foreign entities registered to do business in the U.S. (collectively, Reporting Companies) to report identifying information about themselves, their beneficial owners, and company applicants who form or register them.[1] BOI reported to FinCEN is stored in a nonpublic database (BOI Database), which FinCEN protects using security methods and controls typically used in federal government to protect nonclassified yet sensitive information systems at the highest security level. The Access Rule prescribes the circumstances under which BOI may be disclosed to authorized recipients, the purposes for which BOI may be used, and the standards for safeguarding BOI. The third and final CTA rulemaking, which has not yet been proposed, will make conforming amendments to the BOI requirements of FinCEN’s existing Customer Due Diligence (CDD) rule.
The Access Rule largely adopts the language of the proposed access rule, but with certain modifications to address some of the key concerns raised by the public. Among other things, the Access Rule broadens the purposes for which financial institutions may use BOI and streamlines the requirements for state, local and Tribal law enforcement access to BOI. The Access Rule becomes effective Feb. 20, 2024, but FinCEN will take a phased approach in providing access to BOI to authorized recipients.
Access to BOI Under the Access Rule
BOI may be disclosed to the following categories of recipients:
- U.S. Federal Agencies Engaged in National Security, Intelligence, or Law Enforcement Activity, provided that the requested BOI is for use in furtherance of such activity. “[L]aw enforcement activity” covers civil and criminal investigations and enforcement actions.
- State, Local, and Tribal Law Enforcement Agencies, where a “court of competent jurisdiction” has authorized the law enforcement agency to seek the information in a criminal or civil investigation. A “court of competent jurisdiction” is any court with jurisdiction over the criminal or civil investigation for which the state, local, or Tribal agency requests BOI.
In an effort streamline agencies’ access to BOI, the Access Rule eliminates the original proposed requirement that agencies submit to FinCEN a copy of the relevant court order and a written explanation as to why the request is relevant to a civil or criminal investigation. Instead, the Access Rule only requires certification that court authorization was received, together with a description of the information the agency is authorized to receive. FinCEN notes that, with this change, the Access Rule provides flexibility so that a variety of court officers—such as a judge, clerk of court, or magistrate—may provide the necessary authorization at appropriate stages of the investigation process.
- Foreign Authorities, including an enforcement agency, prosecutor, or judge of another country, or a foreign central authority or foreign competent authority, provided the request: (i) is presented to FinCEN through an intermediary federal agency; (ii) serves to assist in a law enforcement investigation or prosecution, or a national security or intelligence activity; and (iii) is made under an international treaty, agreement or convention or the request is an official request by law enforcement, judicial, or prosecutorial authority of a “trusted foreign country.” In determining whether to disclose BOI when no treaty applies, FinCEN will look to the U.S. Department of State, Department of Justice, and other agencies, as it deems appropriate, to determine whether the request is from a “trusted foreign country.”
- Financial Institutions Subject to CDD Requirements, provided that the FI: (i) has obtained the Reporting Company’s consent for the disclosure; and (ii) will use the BOI to facilitate compliance with “[CDD] requirements under applicable law.”
The Access Rule does not require that the Reporting Company’s consent be in writing, so long as it is documented, and FinCEN has opted to provide FIs with flexibility on how they will implement this requirement. FinCEN notes it will not offer a safe harbor for any particular method to obtain consent, but it will issue additional guidance if further clarity becomes necessary.
In response to comments, FinCEN broadened the BOI use requirement by defining “[CDD] requirements under applicable law” to include “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a [FI] to obtain or verify [BOI] of a legal entity customer.” These requirements can include anti-money laundering (AML) program, customer identification, Suspicious Activity Report filing, and enhanced due diligence requirements—as well as compliance with U.S. Department of the Treasury’s Office of Foreign Assets Control sanctions, provided it is reasonably necessary to obtain or verify BOI of legal entity customers to satisfy those requirements.
Consistent with the expanded use, the Access Rule authorizes FinCEN to disclose BOI to other financial institutions with AML program requirements, such as money services businesses (MSBs) and casinos, subject to appropriate security and confidentiality protocols. Implementation of disclosure to financial institutions will be implemented in a phased approach, with FinCEN initially granting access to financial institutions that have CDD requirements. With this approach, FinCEN will work toward providing timely access for financial institutions, which are subject to Gramm-Leach-Bliley security requirements, while evaluating whether it is appropriate and feasible to expand access to other financial institutions, such as MSBs and casinos, which are subject to more fragmented security standards.
- Federal Functional Regulators and Other Appropriate Agencies, including state bank supervisors and other state supervisory authorities, for purposes of assessing, supervising, enforcing, or otherwise determining supervised FI compliance with CDD requirements. Certain self-regulatory organizations (e.g., FINRA) will also be able to access BOI to evaluate an FI’s CDD compliance in certain circumstances.
- U.S. Department of Treasury (Treasury) Access, in particular, any Treasury officer or employee (i) whose official duties require BOI inspection or disclosure; or (ii) involved in tax administration. Treasury expects to use BOI for tax administration, enforcement, intelligence and analytical purposes, sanctions investigations and designations, and identification of blocked property due to sanctions, as well as for administration of the BOI framework.
Security and Confidentiality Requirements
The Access Rule imposes strict security and confidentiality requirements for the following categories of recipients:
- Domestic Agencies. To access BOI, domestic agencies must enter into a memorandum of understanding (MOU) with FinCEN specifying the standards, procedures, and systems the agency will maintain to protect BOI. Domestic agencies will also be required to, among other things, (i) establish and maintain a secure system for storing BOI; (ii) establish and maintain auditable BOI request records; (iii) restrict access to BOI; (iv) conduct audits; and (v) provide FinCEN with reports and certifications.
- FIs. A FI must develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI before it can receive BOI from FinCEN. The Access Rule allows FIs to satisfy this requirement by applying the same security and information handling procedures used to protect customers’ nonpublic personal information in compliance with section 501 of the Gramm-Leach-Bliley Act and its implementing regulations. For each BOI request, the FI must certify that it (i) is requesting the BOI to facilitate compliance with CDD requirements under applicable law; (ii) obtained and documented the Reporting Company’s consent to request BOI from FinCEN; and (iii) satisfied other security and confidentiality requirements of the Access Rule.
- Foreign Requesters. Foreign requesters who obtain BOI under an international treaty, agreement, or convention will be required to comply with all applicable handling, disclosure, and use requirements of the relevant treaty, agreement, or convention. Other foreign requesters must maintain a secure storage system that complies with the security standards that the foreign requester applies to the most sensitive unclassified information it handles, minimizing the amount of information requested, and restricting personnel access to BOI to persons who have undergone training, among other things.
Re-Disclosure of BOI by Authorized Recipients
Authorized recipients of BOI are generally prohibited from re-disclosing BOI, except (i) among officers, employees, agents, and contractors within the authorized recipient; (ii) among FIs and their regulators, including qualifying self-regulatory organizations; (iii) from intermediary federal agencies to authorized foreign requesters; (iv) from specified authorized federal agencies to courts of competent jurisdiction or parties to a civil or criminal law enforcement proceeding; (v) from agencies to prosecutors or for use in litigation related to the activity for which the requesting agency requested the information; and (vi) by foreign authorities consistent with the international treaty, agreement, or convention under which BOI was received.
FinCEN may also authorize the re-disclosure of BOI by an authorized recipient in other situations, so long as the re-disclosure is for an authorized purpose.
With respect to FIs, the Access Rule notably expands an FI’s ability to share BOI with officers, employees, contractors and agents of the same FI who are located outside of the United States (unless these recipients are located in China, Russia, any jurisdiction that is a state sponsor of terrorism, and any jurisdiction that is subject to comprehensive U.S. economic sanctions or where re-disclosure would undermine national security efforts), provided re-disclosure is for the same purpose or activity for which the BOI was requested.
Violations and Penalties
In accordance with the CTA, the Access Rule provides for civil penalties for unauthorized disclosures in the amount of $500 for each day a violation continues or has not been remedied, and criminal penalties of up to $250,000 or imprisonment for up to five years, or both (or up to $500,000, imprisonment for up to 10 years, or both, if a person commits a violation of the CTA while violating another U.S. law or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period).
Next Steps
The Access Rule takes effect Feb. 20, 2024, but FinCEN will begin granting access to the BOI Database in phases. The first stage will be a pilot program for key federal agency users starting in 2024. The second stage will extend access to Treasury and certain federal agencies engaged in law enforcement and national security activities. Subsequent stages will extend access to additional federal agencies engaged in law enforcement, national security, and intelligence activities, as well as state, local, and Tribal law enforcement partners. Next will be intermediary federal agencies in connection with foreign government requests, and finally, FIs and their supervisors.
FinCEN will be publishing forms for comments that authorized requesters would use to request BOI from FinCEN. FinCEN also anticipates developing compliance and guidance documents to assist authorized requesters in complying with the Access Rule.
Last, FinCEN must still promulgate its third rulemaking under the CTA to amend the CDD rule and harmonize it with the BOI Reporting Rule no later than one year after the effective date of the BOI Reporting Rule (Jan. 1, 2024).
Considerations for FIs
While federal and state bank and credit union regulators have stated that the Access Rule does not create a new regulatory requirement or supervisory expectation that banks access BOI from the FinCEN database and does not require changes to Bank Secrecy Act (BSA)/AML compliance programs, it is unclear whether these regulatory expectations may later change including once the CDD rule is amended. FIs that choose to have access to the BOI Database will need to review their policies and procedures, and ensure they implement updates to cover CTA and Access Rule requirements. These updates include (i) obtaining and documenting customer consent; (ii) developing and implementing controls to access, storage, and sharing of BOI; (iii) ensuring cybersecurity protocols satisfy CTA and Access Rule requirements; and (iv) ensuring proper employee training. Importantly, FIs choosing to access the BOI Database will need to determine their response should they identify a discrepancy between information in the BOI Database and their own internal records. FIs should continue monitoring CTA rulemaking and engage with FinCEN to voice any concerns and questions relating to these new requirements and their implementation.
[1] We covered this in a previous GT Alert.