Last week, the Financial Crimes Enforcement Network (FinCEN) issued a final rule implementing the access and safeguard provisions of the Corporate Transparency Act (CTA) (the “Access Rule”). The Access Rule defines the terms under which beneficial ownership information (BOI) reported to FinCEN under the CTA may be disclosed to specified recipients. The Access Rule also imposes requirements on those recipients for them to safeguard the BOI in their possession.
FinCEN had previously issued a proposed version of the Access Rule which came under heavy criticism from both Congressional and industry critics. The Treasury Department quickly promised to make changes. This final version of the Access Rule represents FinCEN’s attempt to mollify those critics.
This Access Rule follows the final BOI Reporting Rule FinCEN issued on September 30, 2022 (the “Reporting Rule”), which requires corporations, limited liability companies, and other similar entities created in or registered to do business in the United States to report to FinCEN information about themselves, their beneficial owners, and, in some cases, their company applicants. FinCEN will store these reports of BOI data in a so-called “beneficial ownership secure system” or “BOSS”. By making this BOI data available to law enforcement and government regulators, FinCEN hopes to protect national security, enforce laws, and promote other policy objectives identified in the CTA.
The Access Rule Framework
The CTA establishes that BOI is confidential and may not be disclosed except as authorized under the CTA and the Access Rule. FinCEN may disclose BOI only under specific circumstances to six categories of recipients:
(1) U.S. Federal agencies engaged in national security, intelligence, or law enforcement activity;
(2) U.S. State, local, and Tribal law enforcement agencies;
(3) Foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (foreign requesters);
(4) Financial institutions using BOI to facilitate compliance with customer due diligence (CDD) requirements under applicable law;
(5) Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with CDD requirements under applicable law; and
(6) Treasury officers and employees.
The Access Rule imposes security and confidentiality requirements on each category of authorized recipient.,
Federal Government Agencies
Under the Access Rule, FinCEN may disclose BOI to Federal agencies engaged in national security, intelligence, or law enforcement activity if the requested BOI is for use in furtherance of such activity. The Access Rule defines “Law enforcement activity” to include both criminal and civil investigations and actions, such as actions to impose civil penalties, civil forfeiture actions, and civil enforcement through administrative proceedings.
Prior to requesting BOI, Federal agency users must certify that the agency is engaged in a national security, intelligence, or law enforcement activity and that the information requested is for use in furtherance of that activity. They must also provide specific reasons why the requested information is relevant to the activity.
State, Local, and Tribal Law Enforcement Agencies
FinCEN may disclose BOI to State, local, and Tribal law enforcement agencies if “a court of competent jurisdiction” has authorized the law enforcement agency to seek the information in a criminal or civil investigation.
Before requesting BOI, State, local, and Tribal law enforcement agency users must certify that a court of competent jurisdiction has authorized the agency to seek the information in a criminal or civil investigation and that the requested information is relevant to the criminal or civil investigation. Such users must also provide a description of the information the court has authorized the agency to seek.
FinCEN may disclose BOI to foreign requesters only if their requests meet certain criteria. Specifically, the foreign request for BOI must be on behalf of a law enforcement agency, prosecutor, or judge of another country, or on behalf of a foreign central authority or foreign competent authority, and:
(1) Come to FinCEN through an intermediary Federal agency;
(2) Be for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country; and
(3) Either be made under an international treaty, agreement, or convention, or, when no such instrument is available, be an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country.
FinCEN may disclose BOI to financial institutions using BOI to facilitate compliance with customer due diligence requirements under applicable law, only if the financial institution requesting the BOI has the relevant reporting company’s consent for such disclosure.
In response to comments on the proposed rule, the final Access Rule broadens the definition of “customer due diligence requirements under applicable law” to include “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.”
Such requirements may include AML (anti-money laundering)/CFT (countering the financing of terrorism) obligations under the Bank Secrecy Act (BSA) — including AML program, customer identification, Suspicious Activity Report filing, and enhanced due diligence requirements — as well as, for example, compliance with sanctions imposed by Treasury’s Office of Foreign Assets Control, provided it is reasonably necessary to obtain or verify BOI of legal entity customers to satisfy those requirements. General business or commercial use of BOI is not authorized.
Federal Functional Regulators and Other Appropriate Regulatory Agencies
FinCEN may disclose BOI to Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence requirements. Such regulators may only access BOI that financial institutions they supervise received from FinCEN, and may only use the information to assess, supervise, enforce, or otherwise determine the compliance of those financial institutions with customer due diligence requirements as defined above.
Treasury Officers and Employees
The CTA provides Treasury with a unique degree of access to BOI, making the information available to any Treasury officer or employee (1) whose official duties require BOI inspection or disclosure, or (2) for tax administration.
In the Access Rule, the Treasury promised to establish internal policies and procedures governing Treasury officer and employee access to BOI. FinCEN claimed that the security and confidentiality protocols in those policies and procedures will include security and confidentiality requirements similar to those applicable to other U.S. agencies. Treasury said it expected to use BOI for appropriate purposes, such as tax administration, enforcement actions, intelligence and analytical purposes, use in sanctions investigations and designations, and identification of property blocked pursuant to sanctions, as well as for administration of the BOI framework, such as for audits, enforcement, and oversight.
Security and Confidentiality Requirements
To access BOI, domestic agencies must satisfy several security and confidentiality requirements set out in the Access Rule.
The Access Rule requires these domestic agencies to establish standards and procedures to protect the security and confidentiality of BOI, enter into an agreement with FinCEN specifying those standards and procedures, establish and maintaining a secure system for storing BOI, establish and maintain auditable BOI request records, restricting access to BOI, conducting audits, and providing FinCEN with reports and certifications.
Financial institutions that obtain BOI from FinCEN must develop and implement administrative, technical, and physical safeguards reasonably designed to protect the information. Financial institutions will be able to satisfy this requirement by applying to BOI the same security and information handling procedures they use to protect customers’ nonpublic personal information in compliance with section 501 of the Gramm-Leach-Bliley Act and its implementing regulations. For each BOI request that it makes, a financial institution will have to certify that the request satisfies applicable criteria. Certain geographic restrictions will also apply.
Foreign requesters who obtain BOI under an international treaty, agreement, or convention must comply with all applicable handling, disclosure, and use requirements of the international treaty, agreement, or convention under which the request was made. Foreign requesters who obtain BOI pursuant to a request from a “trusted foreign country” must establish standards and procedures to protect the security and confidentiality of BOI, maintain the BOI in a secure system, and restrict access to the information, among other requirements.
Re-Disclosure of BOI By Authorized Recipients
Authorized BOI recipients are generally prohibited from re-disclosing BOI except in eight specific circumstances.
Re-disclosure is authorized among officers, employees, agents, and contractors within a particular authorized recipient entity; among financial institutions and their regulators, including qualifying self-regulatory organizations; from intermediary Federal agencies to foreign requesters; from specified authorized BOI recipient Federal agencies to courts of competent jurisdiction or parties to a civil or criminal proceeding; from authorized BOI recipient agencies to prosecutors or for use in litigation related to the activity for which the requesting agency requested the information; and by foreign authorities consistent with the international treaty, agreement, or convention under which BOI was received. FinCEN may also authorize the re-disclosure of BOI by an authorized recipient in other situations, so long as the re-disclosure is for an authorized purpose.
Violations and Penalties
The CTA prohibits any person to knowingly disclose or knowingly use BOI obtained by that person from a report submitted to, or an authorized disclosure made by, FinCEN, unless such disclosure is authorized under the CTA. The CTA provides civil penalties in the amount of $500 for each day a violation continues or has not been remedied. Criminal penalties are a fine of not more than $250,000 or imprisonment for not more than 5 years, or both. The CTA also provides for enhanced criminal penalties, including a fine of up to $500,000, imprisonment of not more than 10 years, or both, if a person commits a violation while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period. Violating applicable requirements could also lead to FinCEN suspending or debarring a requester from access to the BOSS.
Under the Access Rule, “unauthorized use” includes any unauthorized access to BOI submitted to FinCEN, including any activity in which an employee, officer, director, contractor, or agent of an authorized recipient knowingly violates applicable security and confidentiality requirements in connection with accessing such information.
Implementation of BOI Access
FinCEN said that it would “take a phased approach” to providing access to the BOSS.
It described the first stage as a “pilot program” for a handful of key Federal agency users starting in 2024.
The second stage will extend access to Treasury offices and certain Federal agencies engaged in law enforcement and national security activities that already have Memoranda of Understanding (MOUs) for access to BSA information. Subsequent stages will extend access to additional Federal agencies engaged in law enforcement, national security, and intelligence activities, as well as to State, local, and Tribal law enforcement partners; to intermediary Federal agencies in connection with foreign government requests; and finally, to financial institutions and their supervisors.
Federal agencies engaged in national security, intelligence, and law enforcement activity; State, local, and Tribal law enforcement agencies; and Treasury personnel will be able to access and query the BO IT system directly using multiple search fields with results returned immediately. Foreign BOI recipients will have no access to the beneficial ownership IT system, as their requests will flow through intermediary Federal agencies. Financial institutions and their regulators will both have direct access to the BO IT system, though in more limited fashion than the aforementioned domestic government agency users.
The Access Rule is the second of three rulemakings planned to implement the CTA. FinCEN said it would engage in a third rulemaking to revise FinCEN’s customer due diligence rule, consistent with the requirements of the CTA.
The Access Rule does not change to FinCEN’s customer due diligence rule currently applicable to banks and other financial institutions.
Congressional reaction to the Access Rule was generally positive. Senator Sheldon Whitehouse, a chief sponsor of the CTA, wrote that “FinCEN’s final rule is a marked improvement over its earlier proposal, and will at long last help law enforcement and national security officials identify the kingpins behind the webs of American shell companies that facilitate all manner of corruption and criminality. I applaud the Treasury Department for thoughtfully considering and incorporating the constructive feedback the agency received during the rulemaking process.” Congressman Patrick McHenry, who has criticized FinCEN’s implementation of the CTA, called the Access rule “a step in the right direction.”
Subscribe to Taylor English Insights by topic here.