FinCEN Takes Fire on its Access NPRM

FinCEN recently issued a Notice of Proposed Rulemaking (Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities) (the "Access NPRM") to announce its proposed regulations for accessing the Beneficial Ownership Information ("BOI") that FinCEN will collect under the Corporate Transparency Act.

FinCEN will store the BOI in a "Registry" that it makes available to law enforcement and other government agencies under the rules in adopts through the Access NPRM.  FinCEN's proposed regulations have stirred up a regulatory firestorm that is likely to drive headlines for the next few months.

How does the Access NPRM Work?

The Access NPRM grants access to the BOI Registry in five different ways.

1. Federal agencies engaged in national security, intelligence, or law enforcement activity may access the Registry. The rule defines "national security," "intelligence" and "law enforcement" broadly so that employees of applicable federal agencies will not need to prove their intentions or purposes when requesting access.

2. State, local and tribal (SLT) law enforcement may obtain access to BOI only with a court order.

3. A foreign governmental agency may access the Registry only if (a) the foreign governmental agency submits a request to a U.S. federal agency, and the request is (b) either (i) made under an international treaty, agreement or convention, or (ii) if no treaty, agreement or convention exists, is an official request by a law enforcement, judicial or prosecutorial authority of a trusted foreign country. Interestingly, the Access NPRM does not define "trusted foreign country" or provide any context to clarify how federal government employees should determine which foreign countries are to be trusted.

4. U.S. financial institutions may access the BOI Registry only if (a) the reporting company that is the subject of the inquiry has given its consent to the financial institution, and (b) the purpose of the financial institution obtaining access is for "facilitating [compliance with] customer due diligence requirements under applicable law."

U.S. banks and other financial institutions are subject to several different customer due diligence ("CDD") requirements based upon the regulatory status of the institution.

Regulators of U.S. banks and other financial institutions may also access the same BOI that the U.S. financial institution accesses only if the agency (1) is legally authorized to supervise customer due diligence requirements with respect to the financial institution, (2) will use the information solely for the purpose of assessing, supervising or investigating activity within its regulatory purview, and (3) has entered into an agreement with FinCEN to adopt protocols governing the safekeeping of the BOI.

5. The regulations proposed in the Access NPRM offer the broadest level of access to officers and employees of the Treasury Department whose official duties require their access to BOI and also for tax administration purposes.

Confidentiality Requirements

FinCEN proposes in the Access NPRM that before any federal, state, local or tribal agency may obtain access to the Registry, the agency must first satisfy several FinCEN requirements aimed at preserving the confidentiality of the BOI.

First, the agency must enter into an agreement with FinCEN that specifies standards, procedures and systems the agency must maintain to protect the security and confidentiality of the BOI.

Second, the agency must establish standards and procedures to protect the security and confidentiality of BOI it obtains, including procedures for training agency personnel on the appropriate handling and safeguarding of BOI. Such standards and procedures must be personally approved by the head of the agency.

Third, the agency must report to FinCEN on its standards and procedures and the head of the agency must personally certify that the agency has implemented its standards and procedures.

Fourth, the agency must establish and maintain a secure system in which it will store any BOI it receives, and that system must comply with information security standards to be prescribed by FinCEN.

Fifth, the agency must establish and maintain a permanent, auditable system of standardized records for requests it makes for BOI including, for each request, the date of the request, the name of the individual who makes the request, the reason for the request, any disclosure of such information made by or to the requesting agency, and information or references to such information sufficient to reconstruct the justification for the request.

The agency must restrict access to its BOI to individuals who are directly engaged in the activity for which the BOI was requested and who have received the agency's requisite training for handling such information.

The agency must conduct an annual audit of its use of BOI to determine whether the agency has complied with the standards and procedures it adopted to govern such use. The agency must provide a copy of the audit to FinCEN upon request and cooperate with FinCEN's own audit procedures.

The head of the agency must personally certify, two times per year, that the agency's standards and procedures comply with FinCEN's regulations and must also provide an annual report that describes the agency's standards and procedures.

Bipartisan Group of Senators Criticize the Access NPRM 

A bipartisan group of senators recently wrote a joint letter to FinCEN that harshly criticized FinCEN's proposed regulations. The group, composed of Senators  Sheldon Whitehouse (D-RI), Ron Wyden (D-OR), and Elizabeth Warren (D-MA) along with Republicans Chuck Grassley (R-IA) and Marco Rubio (R-FL), wrote that the draft regulations "strayed from Congressional intent."   They urged FinCEN to revise their draft in a way that would make it easier for banks and for law enforcement to access the BOI Registry.

Criticism from Banking Associations

The  American Bankers Association and 51 state bankers associations also criticized FinCEN's draft regulations.  They said that while they supported the CTA and its goals, the Access NPRM was "fatally flawed and should be withdrawn."

Their primary argument is the draft regulations limited access too much, making banks' access to the Registry "effectively useless."  They claimed that this would result "in a dual reporting regime for both banks and small businesses." By limiting the purpose of accessing BOI to CDD compliance, the ABA argued, FinCEN's regulations would make it impossible for banks also to use BOI data for other regulatory compliance purposes. 

The ABA urged FinCEN to start over and produce a new regulation that would achieve six goals:

• Allowing banks to use BOI more broadly
• Allowing banks to share BOI with bank personnel outside the U.S.
• Clarifying that banks are not required to access the Registry
• Utilizing "modern technological solutions" that would provide a secure and efficient means of accessing the Registry
• Including a safe harbor from liability for banks' use of BOI data
• Amending the CDD rule to clarify that banks are not required to collect and maintain BOI in all cases.

The fact that FinCEN's approach is drawing fire both from industry groups as well as from influential Senators on the Senate Finance Committee increases the likelihood that FinCEN's next effort will vary significantly from the current draft.