FinCEN Issues Final Rule About Accessing Beneficial Ownership Information
On December 21, 2023, the Financial Crimes Enforcement Network (“FinCEN”) released a final rule to implement the beneficial ownership information (“BOI”) access requirements of the Corporate Transparency Act (“CTA”) (the “Access Rule”).1
The Access Rule addresses how authorized recipients can access and use BOI that will be reported to FinCEN, and how FinCEN and authorized recipients will place protocols on security and confidentiality required by the CTA to protect sensitive personally identifiable information. While it largely tracks the 2022 proposal, it also includes certain material changes to substance and procedure.
The Access Rule becomes effective February 20, 2024, but will be phased in over an extended period of time. In this Legal Update, we provide background regarding the Access Rule, discuss some of the key changes from the proposed rule, and note the Access Rule’s implications for financial institutions (“FIs”).
I. Background
The CTA was enacted into law as part of the National Defense Authorization Act (“NDAA”) and requires a broad array of legal entities, both domestic and foreign, to register with FinCEN and disclose their ultimate beneficial owners.2 The final BOI reporting rule that was adopted in 2022, and becomes effective on January 1, 2024, addresses who will be required to file beneficial owner information with the CTA Registry, who will be exempt from filing, what must be filed, and when the required reports must be made.3
The CTA also authorizes FinCEN to share BOI with certain government agencies, FIs, and regulators, subject to appropriate protocols.4 On December 15, 2022, FinCEN issued a proposal to implement the access and safeguarding aspects of the BOI reporting regime.5 As discussed in further detail below, the Access Rule finalizes the proposal, explains the circumstances in which specified recipients would have access to BOI, and outlines data protection protocols and oversight mechanisms applicable to each recipient category.
II. Final Access Rule
Access by Authorized Recipients
Prohibition on Disclosure
FinCEN originally proposed to expand the prohibition on disclosure of BOI as stated in the CTA, and this has been implemented in the final rule.6 First, the Access Rule clarifies that any individual authorized to receive BOI is prohibited from disclosing it, except as expressly authorized by FinCEN. This provision extends the prohibition on disclosure to any individual who receives BOI, regardless of whether they continue to serve in the position through which they were authorized to receive BOI. Second, it also extends the prohibition on disclosure to any individual who receives BOI as a contractor or agent of the United States; a contractor or agent of a state, local, or tribal agency; or a member of the board of directors, contractor, or agent of an FI.7
Authorized Recipients of BOI
The Access Rule permits FinCEN to share BOI information with those who fall into the following categories:
- Federal Agencies Engaged in National Security, Intelligence, or Law Enforcement Activity. The Access Rule permits FinCEN to disclose BOI to federal agencies engaged in (1) national security, (2) intelligence, or (3) law enforcement activity, if the requested BOI is for use in furtherance of such activity. “Law enforcement activity” here means both criminal and civil investigations and actions.
- State, Local, and Tribal Law Enforcement Agencies. The Access Rule allows FinCEN to disclose BOI to state, local, and tribal law enforcement agencies if “a court of competent jurisdiction” has authorized the law enforcement agency to seek the information in a criminal or civil investigation (e.g., through a court’s issuance of an order or approval of a subpoena). A “court of competent jurisdiction” is any court with jurisdiction over the criminal or civil investigation for which the state, local, or tribal law enforcement agency requests BOI.
Under the proposal, authorized users from these agencies would have been required to upload a document issued by a court of competent jurisdiction authorizing the agency to seek BOI from FinCEN. The Access Rule changes this in two important respects. First, the Access Rule does not require that these agencies obtain a specific form of court authorization, such as a court order. Instead, the Access Rule requires only that state, local, and tribal law enforcement agencies obtain “court authorization” to seek BOI from FinCEN as part of a civil or criminal investigation. Second, rather than submit a copy of the authorization to FinCEN, the Access Rule only requires that state, local, and tribal law enforcement agencies (1) certify that they have received authorization to seek BOI from a court of competent jurisdiction and that the BOI is relevant to a civil or criminal investigation, and (2) provide a description of the information the court has authorized the agency to seek.
In a press release issued shortly after the Access Rule was released, Congressman Patrick McHenry, chairman of House Financial Services Committee, issued a statement criticizing FinCEN for lowering the standard of documentation from “court order” to “court authorization.”8
- Foreign Requesters. Foreign requesters are required to make their requests for BOI through intermediary federal agencies rather than obtaining direct access to the beneficial ownership IT system. In addition to meeting other criteria, requests from foreign requesters must be made either (1) under an international treaty, agreement, or convention or (2) via a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country. FinCEN will look to US interests and priorities, in consultation with the US Department of State and other relevant US government agencies, when determining whether to disclose BOI to foreign requesters when no treaty or other agreement applies. The Access Rule’s approach to foreign requester access to BOI aligns with FinCEN’s increased focused on international cooperation.9
- Financial Institutions Subject to CDD Requirements. The Access Rule only permits FIs to request BOI from FinCEN for purposes of complying with CDD requirements under applicable law and only with the consent of the reporting company to which the BOI pertains. The FI is responsible for obtaining a reporting company’s documented consent. FinCEN thus anticipates that an FI, instead of being able to run open-ended queries in the beneficial ownership IT system or to receive multiple search results, would submit identifying information specific to a reporting company and receive in return an electronic transcript with that entity’s BOI.10 Further, FIs would only receive a reporting company’s current BOI, as opposed to the current and historical BOI provided to federal agencies engaged in national security, intelligence, or law enforcement activity, and to state, local, and tribal law enforcement agencies.
In a significant change from the proposal, the Access Rule broadens the definition of CDD requirements under applicable law to include “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.” Such requirements may include AML compliance obligations, and compliance with US economic sanctions, provided it is reasonably necessary to obtain or verify BOI of legal entity customers to satisfy those requirements. General business or commercial use of BOI is not authorized. Further, use in assessing whether to extend credit to a legal entity, or in establishing the price of that credit, is not permitted.
The Access Rule also expands the set financial institutions that may receive BOI to include money services businesses and other financial institutions with AML program requirements, such as casinos. However, FinCEN plans to only provide access to financial institutions that are covered financial institutions under the 2016 CDD Rule while it further evaluates access for other financial institutions.
- Federal Functional Regulators or Other Appropriate Regulatory Agencies. The CTA authorizes federal functional regulators, and other appropriate regulatory agencies, to request from FinCEN the BOI that the FIs they supervise have already obtained, for purposes of assessing the FIs’ compliance with CDD requirements (as expanded above). Regulators under this category who also engage in law enforcement activity may also access BOI for this purpose as well but only under the criteria for access related to law enforcement activity. Additionally, certain self-regulatory organizations (e.g., FINRA) would be able to receive BOI to facilitate CDD compliance reviews under certain circumstances.
- US Department of the Treasury. The Access Rule follows the CTA’s requirements, which allow access to BOI to any Treasury officer or employee (1) whose official duties require BOI inspection or disclosure or (2) for tax administration. FinCEN will work with other Treasury components to establish internal policies and procedures governing Treasury officer and employee access to BOI.
Certain of the domestic government agency users—namely (1) federal agencies engaged in national security, intelligence, and law enforcement; (2) Treasury officers and employees who require access to BOI to perform their official duties or for tax administration; and (3) state, local, and tribal law enforcement agencies—will be permitted to access the beneficial ownership IT system directly. They will also be able to log in, run multiple queries using multiple search fields, and review one or more results returned immediately. None of the remaining authorized recipient categories will have access to the broad search capabilities within the system, although the Access Rule states that FIs will be able to use an Application Programming Interface to submit and receive BOI-related data on an automated basis.
Use of Information
The Access Rule implements the CTA’s provisions by clarifying that, unless otherwise authorized by FinCEN, any person who receives information disclosed by FinCEN under the Access Rule is authorized to use it only for the particular purpose or activity for which it was disclosed. Additionally, the Access Rule specifies the circumstances under which authorized recipients of BOI can redisclose the BOI to another person.
In a change from the proposal, FIs would be permitted to redisclose BOI to directors, officers, employees, contractors, and agents outside of the United States, as long as it is not sent to certain foreign jurisdictions and categories of jurisdictions. Additionally FIs will be required to notify FinCEN if a foreign government subpoenas or issues a legal demand for information that the FI has received under the Access Rule.
Protocols on Security and Confidentiality
The Access Rule imposes specific security and confidentiality requirements for the following categories:
- Domestic Agencies. First, the Access Rule requires each requesting agency, before it could obtain BOI, to enter into a Memorandum of Understanding (“MOU”) with FinCEN specifying the standards, procedures, and systems that the agency will be required to maintain to protect BOI. These MOUs will, among other things, memorialize and implement requirements, including those regarding reports and certifications, periodic training of individual recipients of BOI, personnel access restrictions, re-disclosure limitations, and access to audit and oversight mechanisms. Second, the Access Rule imposes specific requirements for each request, such as requiring all requesting agencies to limit (to the greatest extent practicable) the amount of BOI they seek, or requiring the heads of certain requesting agencies to provide specific certifications.
- FIs. Under the Access Rule, complying with section 501 of the Gramm-Leach Bliley Act, and other applicable regulations to protect non-public customer personal information, will satisfy the Access Rule’s requirement to protect BOI even if the FI or BOI is not subject to section 501. Additionally, the Access Rule requires FIs to certify—for each BOI request—that (1) the FI is requesting the information to facilitate its compliance with CDD requirements under applicable law, (2) it obtained the reporting company’s written consent to request its BOI, and (3) it fulfilled the other requirements of the section. FinCEN will not require FIs to submit proof of reporting company consent at the time of the request for BOI, relying instead on a certification of the existence of documented consent.
- Foreign Requesters. The Access Rule will require foreign requesters to handle, disclose, and use BOI consistent with the requirements of the applicable treaty, agreement, or convention under which it was requested. Requirements applicable to foreign requesters when no treaty, agreement, or convention applies include having security standards and procedures, maintaining a secure storage system that complies with whatever security standards the foreign requester applies to the most sensitive unclassified information it handles, minimizing the amount of information requested, and restricting personnel access to it. The Access Rule also imposes on foreign BOI requesters certain general requirements the CTA imposes on all requesting agencies.
Administration of Requests
Based on the Access Rule, agencies and FIs will be required to submit requests for BOI to FinCEN in the form and manner FinCEN prescribes. FinCEN intends to provide additional detail regarding the form and manner of BOI requests for all categories of authorized users through specific instructions and guidance as it continues developing the beneficial ownership IT system.
The Access Rule also expands on the reasons for rejecting requests to access BOI, and provides that FinCEN is permitted to deny requests from both agencies and any other authorized recipient, including FIs. The bases for rejecting a request could also be bases for suspension or debarment.
Violations and Penalties
The Access Rule clarifies that “unauthorized use” includes any unauthorized accessing of information submitted to FinCEN, including any activity in which an employee, officer, director, contractor, or agent of a federal, state, local, or tribal agency or FI knowingly violates applicable security and confidentiality requirements in connection with accessing such information.
Bank and Non-Bank Guidance
At the same time the Access Rule was issued, FinCEN also issued two interagency statements to give banks and non-bank financial institutions guidance on the interplay between the Access Rule and the CDD Rule.11 The statements indicate that banks and other financial institutions will not be required to access BOI through FinCEN, but if they decide to do so, they must comply with the requirements of the CTA and Access Rule.
Next Steps
The Access Rule becomes effective on February 20, 2024. However, FinCEN intends to take a phased approach to providing access to the BOI system. The first stage will be a pilot program for a handful of federal agency users starting in 2024, after required MOUs and policies and procedures are completed. The second stage will extend access to Treasury Department offices and certain federal agencies engaged in law enforcement and national security activities that already have MOUs with FinCEN (e.g., FBI, IRS-CI, HSI, DEA, federal banking regulators). Subsequent stages will extend access to additional federal agencies engaged in law enforcement, national security, and intelligence activities, as well as state, local, and tribal law enforcement partners; in connection with foreign government requests; and finally, to FIs and their regulators. Additionally, FinCEN will release its third rulemaking amending the CDD Rule and harmonizing it with the BOI Reporting Rule no later than one year after the effective date of the BOI reporting rule (January 1, 2024).
III. Implications for Financial Institutions
The Access Rule implements significant changes to the current AML regime that may lead to both benefits and risks for FIs. On one hand, the Access Rule may provide important benefits for certain FIs, such as banks and broker-dealers, who would likely be able to request BOI from FinCEN to facilitate their compliance with CDD requirements. However, the impact of the Access Rule could be more limited, as FIs who are not subject to CDD requirements, such as money services businesses and mortgage companies, will not receive access to BOI for some time.
Additionally, some have raised concerns about the Access Rule’s ability to protect sensitive information. On December 15, 2022, Congressman Patrick McHenry, chairman of the House Financial Services Committee, issued a statement commenting that the proposal did not include enough protections to prevent unauthorized access and use of the sensitive information that would be collected by FinCEN.12 Few, if any, relevant changes were made to the final rule, and the Access Rule also does not address whether or how FinCEN intends to verify the BOI it collects nor how a financial institution should reconcile discrepancies between the BOI it collects from its customers and information reported by its customers to FinCEN. FIs will need to continue to engage with FinCEN and other policymakers on these issues.
1See Beneficial Ownership Information Access and Safeguards, 88 Fed. Reg. 88,732 (Dec. 22, 2023) (to be codified at 31 C.F.R. pt. 1010), https://www.federalregister.gov/documents/2023/12/22/2023-27973/beneficial-ownership-information-access-and-safeguards.
2See 31 U.S.C. § 5336.
3 Beneficial Ownership Information Reporting Requirements, 87 Fed. Reg. 59,498 (Sept. 30, 2022) (to be codified at 31 C.F.R. pt. 1010), https://www.federalregister.gov/documents/2022/09/30/2022-21020/beneficial-ownership-information-reporting-requirements.
4 31 U.S.C. § 5336(b), (c).
5 Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, 87 Fed. Reg. 77,404 (Dec. 16, 2022), https://www.federalregister.gov/documents/2022/12/16/2022-27031/beneficial-ownership-information-access-and-safeguards-and-use-of-fincen-identifiers-for-entities.
6 The CTA provides that BOI reports “shall be confidential and may not be disclosed by . . . (i) an officer or employee of the United States; (ii) an officer or employee of any State, local, or Tribal agency, or (iii) an officer or employee of any [FI] or regulatory agency…” See 31 U.S.C. 5336(c)(2)(A).
7 FinCEN notes that a contractor may not repurpose BOI for the contractor’s own use, such as data aggregation, or for the use of other FIs.
8 Press Release, McHenry Statement on FinCEN’s Final Rule Regarding Access to Beneficial Ownership Information (Dec. 21, 2023), https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=409087.
9 Please see Mayer Brown’s previous Legal Updates discussing FinCEN’s increased focus on international cooperation. FinCEN’s First-Ever National AML/CFT Priorities Provide Insights Into Key Threats (July 6, 2021), https://www.mayerbrown.com/en/perspectives-events/publications/2021/07/fincens-firstever-national-amlcft-priorities-provide-insights-into-key-threats; FinCEN Moves to Implement the Corporate Transparency Act (Apr. 5, 2021) https://www.mayerbrown.com/en/perspectives-events/publications/2021/04/fincen-moves-to-implement-the-corporate-transparency-act.
10 The preamble to the Access Rule implies that FIs would not receive images of identification documents associated with a BOI filing.
11 Press Release, FinCEN Issues Final Rule Regarding Access to Beneficial Ownership Information (Dec. 21, 2023), https://www.fincen.gov/news/news-releases/fincen-issues-final-rule-regarding-access-beneficial-ownership-information.
12 Press Release, McHenry Raises Concerns with FinCEN’s Proposal Regarding Access to Beneficial Ownership Information,” Financial Services Committee (Dec. 15, 2022), https://republicans-financialservices.house.gov/news/documentsingle.aspx?DocumentID=408491.
[View source.]