Today, the Financial Crimes Enforcement Network (FinCEN) issued a final rule implementing the access and safeguard provisions of the Corporate Transparency Act (CTA) (the “Access Rule”). The Access Rule prescribes the circumstances under which beneficial ownership information (BOI) reported to FinCEN may be disclosed to authorized BOI recipients, and how it must be protected. The Access Rule reflects FinCEN’s commitment to creating a highly useful database for authorized BOI recipients while protecting this sensitive information from unauthorized disclosure.
In accordance with the CTA, the Access Rule provides access to BOI to Federal agencies engaged in national security, intelligence, or law enforcement activity; State, local, and Tribal law enforcement agencies with court authorization; foreign law enforcement agencies, judges, prosecutors, and other authorities that meet specific criteria; financial institutions with customer due diligence requirements and regulators supervising them for compliance with such requirements; and U.S. Department of the Treasury (Treasury) officers and employees. Each category of authorized recipients is subject to security and confidentiality protocols aligned with applicable access and use provisions.
This Access Rule follows the final BOI Reporting Rule FinCEN issued on September 30, 2022, which requires certain corporations, limited liability companies, and other similar entities created in or registered to do business in the United States to report to FinCEN information about themselves, their beneficial owners, and, in some cases, their company applicants to help authorized BOI recipients protect national security, enforce laws, and promote other policy objectives identified in the CTA. For more information about the BOI Reporting Rule, please see www.fincen.gov/boi.
The Access Rule reflects FinCEN’s careful consideration of detailed public comments received in response to its December 16, 2022 Notice of Proposed Rulemaking on the topic, along with extensive interagency consultations. The following provides a general overview of the key elements of the Access Rule and related administrative details. Please refer to the full rule for further details, including important definitions.
The Access Framework
- The CTA establishes that BOI is confidential and may not be disclosed except as authorized under the CTA and the Access Rule. FinCEN is authorized to disclose BOI under specific circumstances to six categories of recipients: (1) U.S. Federal agencies engaged in national security, intelligence, or law enforcement activity; (2) U.S. State, local, and Tribal law enforcement agencies; (3) foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (foreign requesters); (4) financial institutions using BOI to facilitate compliance with customer due diligence (CDD) requirements under applicable law; (5) Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with CDD requirements under applicable law; and (6) Treasury officers and employees.
- Each category of authorized user will be subject to specific security and confidentiality requirements, in line with the CTA, to protect the security and confidentiality of BOI.
Authorized Recipients
- Federal government agency access to BOI. Under the Access Rule and as authorized by the CTA, FinCEN may disclose BOI to Federal agencies engaged in national security, intelligence, or law enforcement activity if the requested BOI is for use in furtherance of such activity. “Law enforcement activity” includes both criminal and civil investigations and actions, such as actions to impose civil penalties, civil forfeiture actions, and civil enforcement through administrative proceedings. Prior to requesting BOI, Federal agency users will be required to certify that the agency is engaged in a national security, intelligence, or law enforcement activity and that the information requested is for use in furtherance of that activity. They will also be required to provide the specific reasons why the requested information is relevant to the activity.
- State, local, and Tribal law enforcement agency access to BOI. FinCEN may disclose BOI to State, local, and Tribal law enforcement agencies if “a court of competent jurisdiction” has authorized the law enforcement agency to seek the information in a criminal or civil investigation. Prior to requesting BOI, State, local, and Tribal law enforcement agency users must certify that a court of competent jurisdiction has authorized the agency to seek the information in a criminal or civil investigation and that the requested information is relevant to the criminal or civil investigation. Such users must also provide a description of the information the court has authorized the agency to seek.
- Foreign requesters. FinCEN may disclose BOI to foreign requesters, provided their requests meet certain criteria. Specifically, the foreign request for BOI must be on behalf of a law enforcement agency, prosecutor, or judge of another country, or on behalf of a foreign central authority or foreign competent authority, and: (1) come to FinCEN through an intermediary Federal agency; (2) be for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country; and (3) either be made under an international treaty, agreement, or convention, or, when no such instrument is available, be an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country.
- Financial institutions subject to customer due diligence requirements. FinCEN may disclose BOI to financial institutions using BOI to facilitate compliance with customer due diligence requirements under applicable law, provided the financial institution requesting the BOI has the relevant reporting company’s consent for such disclosure. In response to comments on the proposed rule, the final Access Rule broadens the definition of “customer due diligence requirements under applicable law” to include “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.” Such requirements may include AML (anti-money laundering)/CFT (countering the financing of terrorism) obligations under the Bank Secrecy Act (BSA) — including AML program, customer identification, Suspicious Activity Report filing, and enhanced due diligence requirements — as well as, for example, compliance with sanctions imposed by Treasury’s Office of Foreign Assets Control, provided it is reasonably necessary to obtain or verify BOI of legal entity customers to satisfy those requirements. General business or commercial use of BOI is not authorized.
- Federal functional regulators and other appropriate regulatory agencies. FinCEN may disclose BOI to Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence requirements. In keeping with the CTA, such regulators may only access BOI that financial institutions they supervise received from FinCEN, and may only use the information to assess, supervise, enforce, or otherwise determine the compliance of those financial institutions with customer due diligence requirements as defined above.
- Treasury personnel. The CTA provides Treasury with a unique degree of access to BOI, making the information available to any Treasury officer or employee (1) whose official duties require BOI inspection or disclosure, or (2) for tax administration. As authorized by the CTA, Treasury will establish internal policies and procedures governing Treasury officer and employee access to BOI. FinCEN anticipates that the security and confidentiality protocols in those policies and procedures will include elements of security and confidentiality requirements applicable to other domestic agencies. Treasury expects to use BOI for appropriate purposes, such as tax administration, enforcement actions, intelligence and analytical purposes, use in sanctions investigations and designations, and identification of property blocked pursuant to sanctions, as well as for administration of the BOI framework, such as for audits, enforcement, and oversight.
Security and Confidentiality Requirements
- To access BOI, domestic agencies must satisfy several security and confidentiality requirements set out in the CTA and the Access Rule. The requirements include establishing standards and procedures to protect the security and confidentiality of BOI, entering into an agreement with FinCEN specifying those standards and procedures, establishing and maintaining a secure system for storing BOI, establishing and maintaining auditable BOI request records, restricting access to BOI, conducting audits, and providing FinCEN with reports and certifications.
- Financial institutions that obtain BOI from FinCEN must develop and implement administrative, technical, and physical safeguards reasonably designed to protect the information. Financial institutions will be able to satisfy this requirement by applying to BOI the same security and information handling procedures they use to protect customers’ nonpublic personal information in compliance with section 501 of the Gramm-Leach-Bliley Act and its implementing regulations. For each BOI request that it makes, a financial institution will have to certify that the request satisfies applicable criteria. Certain geographic restrictions will also apply.
- Foreign requesters who obtain BOI under an international treaty, agreement, or convention must comply with all applicable handling, disclosure, and use requirements of the international treaty, agreement, or convention under which the request was made. Foreign requesters who obtain BOI pursuant to a request from a “trusted foreign country” must establish standards and procedures to protect the security and confidentiality of BOI, maintain the BOI in a secure system, and restrict access to the information, among other requirements.
Re-Disclosure of BOI By Authorized Recipients
- Authorized BOI recipients are generally prohibited from re-disclosing BOI except in eight specific circumstances. Re-disclosure is authorized among officers, employees, agents, and contractors within a particular authorized recipient entity; among financial institutions and their regulators, including qualifying self-regulatory organizations; from intermediary Federal agencies to foreign requesters; from specified authorized BOI recipient Federal agencies to courts of competent jurisdiction or parties to a civil or criminal proceeding; from authorized BOI recipient agencies to prosecutors or for use in litigation related to the activity for which the requesting agency requested the information; and by foreign authorities consistent with the international treaty, agreement, or convention under which BOI was received. FinCEN may also authorize the re-disclosure of BOI by an authorized recipient in other situations, so long as the re-disclosure is for an authorized purpose.
Violations and Penalties
- The CTA makes it unlawful for any person to knowingly disclose or knowingly use BOI obtained by that person from a report submitted to, or an authorized disclosure made by, FinCEN, unless such disclosure is authorized under the CTA. The CTA provides civil penalties in the amount of $500 for each day a violation continues or has not been remedied. Criminal penalties are a fine of not more than $250,000 or imprisonment for not more than 5 years, or both. The CTA also provides for enhanced criminal penalties, including a fine of up to $500,000, imprisonment of not more than 10 years, or both, if a person commits a violation while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period. Violating applicable requirements could also lead to FinCEN suspending or debarring a requester from access to the beneficial ownership (BO) IT system.
- Under the Access Rule, “unauthorized use” includes any unauthorized access to BOI submitted to FinCEN, including any activity in which an employee, officer, director, contractor, or agent of an authorized recipient knowingly violates applicable security and confidentiality requirements in connection with accessing such information.
Implementation of BOI Access
- FinCEN will take a phased approach to providing access to the BO IT system from which authorized users may obtain BOI. The first stage will be a pilot program for a handful of key Federal agency users starting in 2024. The second stage will extend access to Treasury offices and certain Federal agencies engaged in law enforcement and national security activities that already have Memoranda of Understanding (MOUs) for access to BSA information. Subsequent stages will extend access to additional Federal agencies engaged in law enforcement, national security, and intelligence activities, as well as to State, local, and Tribal law enforcement partners; to intermediary Federal agencies in connection with foreign government requests; and finally, to financial institutions and their supervisors.
- Federal agencies engaged in national security, intelligence, and law enforcement activity; State, local, and Tribal law enforcement agencies; and Treasury personnel will be able to access and query the BO IT system directly using multiple search fields with results returned immediately. Foreign BOI recipients will have no access to the beneficial ownership IT system, as their requests will flow through intermediary Federal agencies. Financial institutions and their regulators will both have direct access to the BO IT system, though in more limited fashion than the aforementioned domestic government agency users.
Next Steps
- The Access Rule is the second of three rulemakings planned to implement the CTA. FinCEN will next engage in a third rulemaking to revise FinCEN’s customer due diligence rule, consistent with the requirements of the CTA. The Access Rule does not make any changes to FinCEN’s customer due diligence rule.
- Consistent with its obligations under the Paperwork Reduction Act, FinCEN will publish in the Federal Register for public comment the forms that State, local, and Tribal law enforcement agencies and financial institutions will fill out to obtain BOI from FinCEN.
- FinCEN will develop compliance and guidance documents to assist authorized users in complying with this rule.