On December 16, 2022, FinCEN issued a Notice of Proposed Rulemaking (Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities) (the "Access NPRM"). The Access NPRM represents FinCEN's proposed regulations for accessing the Beneficial Ownership Information ("BOI") that FinCEN will collect under the Corporate Transparency Act.
FinCEN will store the BOI in a "Registry" that it makes available to law enforcement and other government agencies under the rules it adopts through the Access NPRM.
Access NPRM Overview
The Access NPRM claims that all information reported to FinCEN under the Reporting Rule is confidential and may not be disclosed except for permitted disclosures to five categories of entities.
Federal agencies / law enforcement and national security
Federal agencies engaged in national security, intelligence, or law enforcement activity may access the Registry. The rule defines "national security," "intelligence" and "law enforcement" broadly so that employees of applicable federal agencies will not need to prove their intentions or purposes when requesting access.
State, local and tribal law enforcement / criminal and civil investigation
State, local and tribal (SLT) law enforcement may obtain access to BOI only with a court order.
Foreign agencies / law enforcement and national security
A foreign governmental agency may access the Registry only if (a) the foreign governmental agency submits a request to a U.S. federal agency, and the request is (b) either (i) made under an international treaty, agreement or convention, or (ii) if no treaty, agreement or convention exists, is an official request by a law enforcement, judicial or prosecutorial authority of a trusted foreign country. Interestingly, the Access NPRM does not define "trusted foreign country" or provide any context to clarify how federal government employees should determine which foreign countries are to be trusted.
U.S. financial institutions and regulators / customer due diligence requirements
U.S. financial institutions may access the BOI Registry only if (a) the reporting company that is the subject of the inquiry has given its consent to the financial institution, and (b) the purpose of the financial institution obtaining access is for "facilitating [compliance with] customer due diligence requirements under applicable law."
U.S. banks and other financial institutions are subject to several different customer due diligence ("CDD") requirements based upon the regulatory status of the institution.
Regulators of U.S. banks and other financial institutions may also access the same BOI that the U.S. financial institution accesses only if the agency (1) is legally authorized to supervise customer due diligence requirements with respect to the financial institution, (2) will use the information solely for the purpose of assessing, supervising or investigating activity within its regulatory purview, and (3) has entered into an agreement with FinCEN to adopt protocols governing the safekeeping of the BOI.
U.S. Treasury officers and employees
The regulations proposed in the Access NPRM offer the broadest level of access to officers and employees of the Treasury Department whose official duties require their access to BOI and also for tax administration purposes.
FinCEN proposes in the Access NPRM that before any federal, state, local or tribal agency may obtain access to the Registry, the agency must first satisfy several FinCEN requirements aimed at preserving the confidentiality of the BOI.
First, the agency must enter into an agreement with FinCEN that specifies standards, procedures and systems the agency must maintain to protect the security and confidentiality of the BOI.
Second, the agency must establish standards and procedures to protect the security and confidentiality of BOI it obtains, including procedures for training agency personnel on the appropriate handling and safeguarding of BOI. Such standards and procedures must be personally approved by the head of the agency.
Third, the agency must report to FinCEN on its standards and procedures and the head of the agency must personally certify that the agency has implemented its standards and procedures.
Fourth, the agency must establish and maintain a secure system in which it will store any BOI it receives, and that system must comply with information security standards to be prescribed by FinCEN.
Fifth, the agency must establish and maintain a permanent, auditable system of standardized records for requests it makes for BOI including, for each request, the date of the request, the name of the individual who makes the request, the reason for the request, any disclosure of such information made by or to the requesting agency, and information or references to such information sufficient to reconstruct the justification for the request.
The agency must restrict access to its BOI to individuals who are directly engaged in the activity for which the BOI was requested and who have received the agency's requisite training for handling such information.
The agency must conduct an annual audit of its use of BOI to determine whether the agency has complied with the standards and procedures it adopted to govern such use. The agency must provide a copy of the audit to FinCEN upon request and cooperate with FinCEN's own audit procedures.
The head of the agency must personally certify, two times per year, that the agency's standards and procedures comply with FinCEN's regulations and must also provide an annual report that describes the agency's standards and procedures.
Other Compliance Requirements
Each federal agency and SLT agency that requests access to the Registry must also (a) limit, to the greatest extent possible, the scope of the information it seeks, consistent with the agency's purpose for the request, and (b) certify that its request is proper.
The Access NPRM imposes other obligations on financial institutions and other entities with respect to the confidentiality of the BOI they receive and the justification for their access requests.
Remedies and Administration
FinCEN's proposed regulations permit FinCEN to reject any request for BOI that FinCEN determines does not comply with its requirements. FinCEN may also permanently debar or temporarily suspend any requesting party from receiving or accessing BOI if FinCEN, in its sole discretion, finds that the requesting party has failed to satisfy any applicable requirements.
The American Bankers Association (ABA) and 51 separate state bankers associations delivered written comments to FinCEN's Access NPRM, saying that while they supported the CTA and its goals, the Access NPRM was "fatally flawed and should be withdrawn."
The ABA's chief argument is that "banks' access to the Registry will be so limited that it will effectively be useless, resulting in a dual reporting regime for both banks and small businesses." By limiting the purpose of accessing BOI to CDD compliance, the ABA argued, FinCEN's regulations would make it impossible for banks also to use BOI data for other regulatory compliance purposes. The ABA further objected to the restriction on sharing BOI outside of the U.S. (as many banks have operations related to AML outside the U.S.) and the requirement that banks collect and maintain BOI in all cases, which it argued would be redundant after the CTA was fully implemented.
The ABA urged FinCEN to start over and produce a new regulation that would achieve six goals:
- Allowing banks to use BOI more broadly
- Allowing banks to share BOI with bank personnel outside the U.S.
- Clarifying that banks are not required to access the Registry
- Utilizing "modern technological solutions" that would provide a secure and efficient means of accessing the Registry
- Including a safe harbor from liability for banks' use of BOI data
- Amending the CDD rule to clarify that banks are not required to collect and maintain BOI in all cases.
A bipartisan group of Senators that included Democrats Sheldon Whitehouse, Ron Wyden, and Elizabeth Warren along with Republicans Chuck Grassley and Marco Rubio also harshly criticized the proposed regulation in a letter to FinCEN. Importantly, all of these Senators (apart from Senator Rubio) serve on the Senate Finance Committee.
The Senators wrote that they believed the "proposed rule strays from congressional intent and erects unnecessary and costly barriers to accessing beneficial ownership information (BOI) that risk undermining the utility of the beneficial ownership directory."
If you are accustomed to trash talk on a basketball court, this might not sound harsh to you. For those who occupy the salons of Washington, D.C., however, telling a regulator that its draft "strays from congressional intent" is a hard slam.
The Senators encouraged FinCEN to "make several adjustments" to the draft regulations that would include:
- Giving SLT agencies easier access to the Registry
- Making it easier for law enforcement to use BOI in legal proceedings
- Eliminating filing requirements that currently are prerequisites to law enforcement access to the Registry
- Eliminating manual review requirements in which FinCEN would review and approve law enforcement requests in favor of an "automated FinCEN process for filing and responding to requests for BOI from financial institutions"
- Allowing financial institutions to use BOI for any anti-money laundering, counter-terror financing, sanctions screening and financial crime compliance programs
- Requiring FinCEN itself to "verify" the BOI in its Registry
- Requiring FinCEN to create "clear, concise, and tailored templates, forms, training videos and step-by-step guides to help authorized recipients request and access" the Registry
The substantial overlap between the changes urged by these Senators and by the banking industry is likely to prompt some substantive consultations among these organizations and may well result in substantive changes in a subsequent revision.
About The Author
Jonathan Wilson is the co-founder of FinCEN Report Company with 31 years of experience in corporate, M&A and securities matters. He is the author of The Corporate Transparency Act Compliance Guide (to be published by Lexis Nexis in the summer of 2023) and the Lexis Practical Guidance Practice Note on the Corporate Transparency Act.