On December 15th, FinCEN issued a Notice of Proposed Rulemaking (NPRM) (the "Access NPRM") to implement the beneficial ownership information (BOI) access and safeguard provisions of the Corporate Transparency Act (CTA). The Access NPRM proposes regulations that would establish who may request BOI that will be reported to FinCEN starting on January 1, 2024, who may receive it, how recipients may use the information, how they must secure it, and the penalties for failing to follow applicable requirements. The Access NPRM also discusses aspects of the secure, non-public information technology system that FinCEN is building to store BOI and manage disclosures. It also proposes rules specifying when and how reporting companies may report FinCEN identifiers tied to entities.
The CTA authorizes FinCEN to disclose BOI under specific circumstances to five general categories of recipients: (1) U.S. Federal, state, local, and Tribal government agencies requesting BOI for specified purposes; (2) foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (foreign requesters); (3) financial institutions (FIs) using BOI to facilitate compliance with customer due diligence (CDD) requirements under applicable law; (4) Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing FIs for compliance with CDD requirements; and (5) the U.S. Treasury Department itself. FinCEN's proposed Access Rule would impose requirements and restrictions on each category of recipient.
Restrictions on U.S. Federal Agencies
Under the proposed Access Rule, FinCEN would disclose BOI to Federal agencies engaged in national security, intelligence, or law enforcement activity if the requested BOI is in furtherance of such activity. Authorized users from qualifying Federal agencies would be able to log in to the beneficial ownership IT system directly, run queries using multiple search fields, and review one or more results returned immediately. Users would have to submit justifications to FinCEN for their searches, and these justifications would be subject to oversight and audit by FinCEN. "Law enforcement activity" here would include both criminal and civil investigations and actions, such as actions to impose civil penalties, civil forfeiture actions, and civil enforcement through administrative proceedings.
Restrictions on State, Local and Tribal Law Enforcement Agencies
FinCEN's proposed Access Rule would allow FinCEN to disclose BOI to state, local, and Tribal law enforcement agencies if "a court of competent jurisdiction" has authorized the law enforcement agency to seek the information in a criminal or civil investigation. The Access Rule defines "court of competent jurisdiction" as any court with jurisdiction over the criminal or civil investigation for which the state, local, or Tribal law enforcement agency requests BOI. Authorized users from these agencies would be required to upload a document issued by a court of competent jurisdiction authorizing the agency to seek BOI from FinCEN. After FinCEN has reviewed the relevant authorization and approved the request, an agency could then conduct searches within the beneficial ownership IT system using the same search functionality available to Federal agencies engaged in national security, intelligence, or law enforcement activity.
Restrictions on Foreign Requesters
Under the proposed rule, foreign requesters would have to request access to BOI through intermediary Federal agencies. In addition to meeting other criteria, requests from foreign requesters would have to be made either (1) under an international treaty, agreement, or convention or (2) via a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country. Requests made under international treaties or other agreements would be subject to different requirements and procedures than requests made in situations when no such agreements apply. FinCEN would look to U.S. interests and priorities in consultation with other relevant U.S. government agencies when determining whether to disclose BOI to foreign requesters when no treaty or other agreement applies. In neither case would foreign requesters have direct access to the beneficial ownership IT system. They would instead rely on the intermediary Federal agencies through which they route their requests to retrieve and furnish them with requested BOI.
Restrictions on Financial Institutions
FinCEN's proposed Access Rule would permit defined Financial Institutions to request BOI from FinCEN for purposes of complying with CDD requirements under applicable law. Financial Institutions would be required to obtain the consent of the reporting company to which the BOI pertains. FinCEN thus anticipates that an FI, instead of being able to run open-ended queries in the beneficial ownership IT system or to receive multiple search results, would submit identifying information specific to a reporting company and receive in return an electronic transcript with that entity's BOI. This more limited information-retrieval process would reduce the overall risk of inappropriate use or unauthorized disclosures of BOI.
The CTA authorizes Federal regulators to request from FinCEN BOI that the Financial Institutions they supervise have already obtained from the U.S. Treasury for purposes of assessing a Financial Institution's compliance with CDD requirements under applicable law. To the extent regulators also engage in law enforcement activity, they would be able to access BOI for this purpose as well. Under the proposed rule, certain self-regulatory organizations (SROs) would be able to receive BOI to facilitate CDD compliance reviews under certain circumstances.
Restrictions on Treasury Department Access
The CTA provides the Treasury Department with a unique degree of access to BOI, making the information available to any Treasury officer or employee (1) whose official duties require BOI inspection or disclosure or (2) for tax administration. The proposed rule tracks these authorizations. Treasury components would be permitted to use BOI for appropriate purposes, such as tax administration, enforcement actions, intelligence and analytical purposes, use in sanctions designation investigations, and identifying property blocked pursuant to sanctions, as well as for administration of the BOI framework, such as for audits, enforcement, and oversight. The Treasury Department would establish internal policies and procedures governing Treasury officer and employee access to BOI.
Safeguards and Penalties
BOI is sensitive information. Protecting it from unauthorized disclosure is a top priority for FinCEN. The CTA imposes strict access-control protocols on "requesting agencies," and FinCEN has used statutory authority delegated to it by the Secretary of the Treasury to propose comparable requirements for Financial Institutions, SROs, and others who may receive BOI, including contractors and other agents acting on an authorized recipient's behalf. Robust protections are crucial to safeguarding BOI and ensuring that individuals who access BOI use it consistently with the requirements of the CTA and protect it from unauthorized disclosure.
Proposed protocols vary by recipient category, but would generally require BOI recipients to have standards and procedures for storing the information in a secure system to which only authorized personnel have access and only for authorized purposes. Audit requirements would apply when prudent or mandated by the CTA, as would requirements to certify compliance with the statute and proposed regulations. In all cases, FinCEN would require authorized recipients to maintain for review key information about specific beneficial ownership information searches or requests. Memoranda of Understanding or other agreements with authorized recipients would describe applicable requirements in detail.
The proposed Access Rule would penalize violations of its security and confidentiality requirements. In general, the CTA makes it unlawful for any person to knowingly disclose or knowingly use BOI obtained by the person from a report submitted to, or an authorized disclosure made by, FinCEN, unless such disclosure is authorized under the CTA. Under the proposed rule, "unauthorized use" would include any unauthorized access of BOI submitted to FinCEN, including any activity in which an employee, officer, director, contractor, or agent of an authorized recipient knowingly violates applicable security and confidentiality requirements in connection with accessing such information. The CTA provides both civil and criminal penalties, including enhanced criminal penalties of up to 10 years imprisonment in some instances. Violating applicable requirements could also lead to FinCEN suspending or debarring a requester from access to the beneficial ownership IT system.
Beneficial Ownership IT System Development
The proposed Access Rule provides for the beneficial ownership IT system to be cloud-based and meet the highest Federal Information Security Management Act (FISMA) level, FISMA High. A FISMA High rating establishes standards for baseline information security controls to reflect that losing the confidentiality, integrity, or availability of system information would have a severe or catastrophic adverse effect on the organization maintaining the system, including on organizational assets or individuals.
FinCEN has gathered requirements and completed initial system engineering, architectures, and program planning activities for the beneficial ownership IT system. The target date for the system to begin accepting BOI reports is January 1, 2024, the day the reporting rule takes effect.
As set forth in the Final Beneficial Ownership Information Reporting Rule promulgated on September 30, 2022, reporting companies may in certain instances report a FinCEN identifier instead of BOI associated with a particular beneficial owner. A FinCEN identifier is a unique identifying number that FinCEN will issue to individuals or entities upon request. The Reporting Rule provided processes for obtaining, updating, and using FinCEN identifiers, but reserved for further consideration certain provisions concerning the use of a FinCEN identifier issued to an entity. The Access NPRM includes proposed amendments to the reporting regulations concerning these provisions.
The proposed amendments would permit a reporting company to report the FinCEN identifier of an entity through which an individual is a beneficial owner of the reporting company in lieu of the individual's BOI only when: (1) the intermediate entity has obtained a FinCEN identifier and provided it to the reporting company; (2) the individual is a beneficial owner by virtue of an interest in the reporting company that the individual holds through the intermediate entity; and (3) only the individuals that are beneficial owners of the intermediate entity are beneficial owners of the reporting company, and vice versa. These requirements are necessary to prevent over- or under-reporting of beneficial owners. Preventing inaccuracies from entering the beneficial ownership IT system is critical to making it useful.
Comments on the Access Rule and Other Developments
Interested parties may submit written comments on the proposed rule on or before February 14, 2023.
FinCEN's third and final rulemaking under the CTA will revise FinCEN's CDD rule no later than one year after the effective date of the BOI Reporting Rule (January 1, 2024).
About The Author
Jonathan Wilson is the co-founder of FinCEN Report Company with 31 years of experience in corporate, M&A and securities matters. He is the author of The Corporate Transparency Act Compliance Guide (to be published by Lexis Nexis in the summer of 2023) and the Lexis Practical Guidance Practice Note on the Corporate Transparency Act.