As described in DWT's October 2021 post, the Corporate Transparency Act ("CTA"), enacted as part of the Anti-Money Laundering Act of 2020,[1] establishes beneficial ownership reporting requirements for a broad range of entities beginning January 1, 2024. The U.S. Treasury's Financial Crimes Enforcement Network ("FinCEN") is implementing the provisions of the CTA in three phases addressing, in order: (i) requirements for reporting beneficial ownership information ("BOI") to FinCEN;[2] (ii) access to and protection of information in the FinCEN database that will hold BOI reported to FinCEN (the "BOI Access Rule," which is the subject of this post); and (iii) amendments to FinCEN's customer due diligence ("CDD") rule to maintain consistency with the BOI requirements of the CTA.

BOI Access Rule: Notice of Proposed Rulemaking

FinCEN issued a Notice of Proposed Rulemaking ("NPRM") for the BOI Access Rule, the second phase of its efforts to implement the CTA, on December 15, 2022.[3] The NPRM requests comment by February 14, 2023, on issues raised in providing access to BOI reported to FinCEN pursuant to CTA § 6403, including the strict protocols on security and confidentiality required by the CTA to protect sensitive personally identifiable information ("PII") reported to FinCEN. The NPRM outlines these parameters for specified recipients to access the BOI database and the data protection protocols and oversight mechanisms that will be applicable to the various types of recipients.

1. Proposed Recipients of BOI Access

Pursuant to the CTA, BOI is required to be reported to FinCEN by designated "reporting companies." Under the structure proposed in the NPRM, FinCEN would only be permitted to share BOI with parties falling into one of five categories:

(i) National security, intelligence, and law enforcement agencies;

  • BOI may be accessed through open-end query for use in and furtherance of law enforcement purposes upon submitting justification for requested access to BOI.

(ii) Foreign governmental authorities, including foreign law enforcement authorities;

  • A foreign governmental authority may request access to BOI through intermediary U.S. federal agencies and must show that either (1) the foreign requester that made the request is authorized under an international treaty, agreement, or convention (e.g., Mutual Legal Assistance Treaty (MLAT)); or (2) the request was otherwise made by law enforcement authorities in a "trusted" foreign country.[4]

(iii) Financial institutions;

  • BOI may be accessed but only to fulfill CDD obligations.

(iv) Federal functional regulators; and

  • BOI may be accessed for the purpose of assessing financial institutions' compliance with CDD obligations.

(v) U.S. Department of the Treasury.

  • Treasury officers and employees may request access to BOI for their official duties or for tax administration including sanctions investigations, identifying property blocked pursuant to sanctions, and for audits, enforcement, and oversight of the BOI framework.

2. BOI Access by Financial Institutions

In contrast to the broad BOI access granted to domestic and foreign governmental organizations and law enforcement by the NPRM, only limited BOI access is proposed for financial institutions. Under the NPRM, financial institutions may request (and FinCEN is authorized to share) BOI solely for the limited purpose of conducting CDD.[5] Thus, only financial institutions with customer due diligence requirements under applicable law will have access to BOI to facilitate CDD compliance. Financial institutions seeking BOI will first need to obtain consent from the reporting company that was the source of the applicable BOI before FinCEN will share BOI.

Financial institutions seeking to obtain BOI for CDD purposes would be limited in re-disclosing the BOI within the requesting institution. Under the NPRM, financial institutions could only re-disclose BOI to officers, employees, agents, or contractors that are physically present in the United States. Financial institutions could also re-disclose BOI to Self-Regulatory Organizations and Federal Functional Regulators.

For each BOI request fulfilled by FinCEN, financial institutions would be required to certify in writing that: (1) the request is being made to facilitate compliance with CDD requirements, and (2) the reporting company's written consent has been obtained. However, financial institutions would not be required to submit proof of the reporting company's consent at the time of the BOI request.

3. Policy Considerations and Implications

The policy objectives of the CTA are extremely important, particularly given recent concerns regarding the possibility of multiple fictional accounts being opened to facilitate transactions with Russian entities in violation of existing U.S. sanctions laws. However, implementing the CTA and, particularly, the database creation and access requirements of the CTA, presents a number of significant challenges and risks that, in some cases, may counterbalance the intended benefits and protections of the law.

For example, the BOI access provisions set forth in the NPRM would significantly restrict access to BOI by the banking industry, which is currently tasked with an outsized role in gathering, monitoring, and protecting such information. As noted above, banks would only be able to access BOI to satisfy CDD obligations and, perhaps more significantly, banks (and other financial institutions) would only be able to investigate the information provided by a particular reporting company (or companies) via a targeted inquiry, and only if the reporting company provided its consent for the bank to do so. And if an institution fails to adequately protect accessed BOI, even inadvertently, there is the potential for significant civil and criminal penalties. Further complicating the picture is that there are no clear parameters regarding what activities constitute satisfying CDD obligations and requirements. Thus, the potential for penalty may be even greater with a misstep in an area not clearly defined.

Also of note, while the NPRM would provide some, albeit limited, access for banks to BOI reported to FinCEN, certain financial institutions, such as money services businesses ("MSBs"), would be completely locked out of any access to BOI under the NPRM, despite the significant and expanding role that MSBs have in the U.S. financial system.

Equally important as getting access to BOI is the accuracy of the information to which a bank (or other permitted user) may be seeking access. In this regard, there does not appear to be any cross-check or other verification process to validate BOI reported to FinCEN, including no meaningful mechanism to compel reporting companies to check the accuracy of the BOI they report to FinCEN or for FinCEN to reconcile the information. In addition, it is not clear how amended or updated BOI would be transmitted — or if it would be transmitted — to an entity that previously received access to such information.

Another issue of concern for policymakers is protecting the security of a large database that will be operated by FinCEN, an agency that has historically been significantly underfunded and under-resourced. Not only are there concerns with managing and protecting the integrity of the data and the security of the database, there are significant concerns with the ability of FinCEN to monitor the permissible use, confidentiality, and protection of BOI by organizations and entities provided access to the BOI database.

Regulatory Action Plan

As noted above, there are a number of important issues and questions that potential BOI recipients, as well as reporting companies, may want to review in connection with the NPRM and consider commenting on to FinCEN. A regulatory action plan should include consideration (and comment, where appropriate) on the following:

  • How will FinCEN, an agency tasked with a broad range of significant regulatory issues and limited resources to address them, assume yet another significant compliance responsibility that poses significant risks if not administered and monitored appropriately and that will further constrain its limited resources?
  • More specifically, what policies and procedures will FinCEN implement to protect the PII of beneficial owners whose information is reported to FinCEN?
  • Given the role the banks have historically held with respect to enforcement of existing BSA/AML laws, why do banks have limited access to BOI, and why is such access only to gather information to satisfy CDD obligations?
  • How broadly or narrowly does FinCEN intend to construe this requirement and condition?
  • Why are banks and other financial institutions being limited to investigate the information provided only by a particular reporting company (or companies) via a targeted inquiry (rather than a comprehensive search for the BOI of a targeted group or individual(s))?
  • What purpose is served by requiring a bank to obtain the consent of a reporting company before reviewing the BOI such company reported to FinCEN? What standards will be applicable to such consent?
  • If an institution fails to adequately protect accessed BOI, even inadvertently, how aggressively will FinCEN pursue civil and criminal penalties?
  • Does FinCEN intend to provide guidance regarding what activities constitute satisfying CDD obligations and requirements?
  • Why were MSBs excluded from the group of financial institutions that can access FinCEN's BOI database?
  • Does FinCEN intend to impose any cross-checks or implement some form of verification process to validate BOI reported to FinCEN, particularly to check the accuracy of BOI reported to FinCEN?
  • Will amended or updated BOI be provided to an entity that previously received access to such information?

Outlook

The CTA will only come into clear focus with the release of the third component, which will be the revisions to the CDD rule to conform to the new reporting and access regimes for BOI. Even so, we anticipate a great number of interpretive questions will arise as these rules are finalized and implemented and financial institutions are required to revisit CDD compliance policies and procedures first deployed only in 2018. FinCEN Acting Director Himamauli Das's announcement in December 2022 that FinCEN has been working on its first set of FAQs and answers for the reporting rule along with other compliance materials is welcome. But we question if all of these interlocking rulemakings and a complex information technology project can be delivered on time and to the standard needed for smooth operation of our financial sector. We expect the implementation dates of these rules may need to be extended to allow time for FinCEN to fine-tune the regulatory approach and execute on this vast new set of responsibilities without causing significant disruption and introducing unwanted risks.

[1] Codified at 31 U.S.C. § 5336.

[2] A final rule on BOI reporting requirements was issued September 30, 2022 and is available at 87 FR 59498 (Sept. 30, 2022).

[3] 87 FR 77404 (Dec. 16, 2022).

[4] The proposed rulemaking does not define a "trusted" foreign country.

[5] In its 2016 rulemaking, FinCEN described the "four core values" of CDD as: (1) customer identification and verification; (2) beneficial ownership identification and verification; (3) understanding the nature and purpose of customer relationships to develop a customer risk profile; and (4) ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information. Final Rule, Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398, 29404 (May 11, 2016).