FinCEN Proposes New Rule on Beneficial Ownership Information Access and Safeguards for Corporate Transparency Act

The US Treasury’s Financial Crimes Enforcement Network (FinCEN) recently proposed a new rule (the Proposed Rule) regarding beneficial ownership information access and safeguards pursuant to the Corporate Transparency Act.

As discussed in our prior report, Congress enacted the Corporate Transparency Act (CTA) on January 1, 2021, establishing a reporting regime for the beneficial owners of corporations and limited liability companies in an effort to make beneficial ownership information (BOI) available to law enforcement and, in some circumstances, financial institutions for use in combatting money laundering.

As also discussed in our prior report, on September 30, FinCEN published a final rule (the Final Rule) establishing BOI reporting requirements pursuant to the CTA whereby most corporations, limited liability companies, and other similar entities created in or registered to do business in the United States must report their BOI to FinCEN.

The Proposed Rule implements provisions of the CTA that govern the access to and protection of the BOI reported to FinCEN pursuant to the Final Rule. The Final Rule is the first and the Proposed Rule is the second of three rulemakings planned to fully implement the CTA.

FinCEN will accept comments on the Proposed Rule until February 14, 2023. FinCEN is proposing an effective date of January 1, 2024, to align with the date on which the Final Rule becomes effective.

AUTHORIZED RECIPIENTS OF BOI

Pursuant to the CTA, the Proposed Rule authorizes FinCEN to disclose BOI to the five following general categories of authorized recipients in specified circumstances.

Federal Agencies

The Proposed Rule would allow FinCEN to disclose BOI to federal agencies for use in the furtherance of national security, intelligence, or law enforcement activity, including both criminal and civil investigations and actions. Authorized users from qualifying federal agencies would be able to log in to the beneficial ownership information technology (IT) system directly, run queries using multiple search fields, and review one or more results returned immediately. Users would have to submit justifications to FinCEN for their searches, and these justifications would be subject to oversight and audit by FinCEN. “Law enforcement activity” here would include both criminal and civil investigations and actions, such as actions to impose civil penalties, civil forfeiture actions, and civil enforcement through administrative proceedings.

State, Local, and Tribal Law Enforcement Agencies

The Proposed Rule would allow FinCEN to disclose BOI to state, local, and tribal law enforcement agencies if a court of competent jurisdiction has authorized the law enforcement agency to seek the information in a criminal or civil investigation. A “court of competent jurisdiction” would be any court with jurisdiction over the criminal or civil investigation for which the state, local, or tribal law enforcement agency requests BOI. Authorized users from these agencies would be required to upload a document issued by a court of competent jurisdiction authorizing the agency to seek BOI from FinCEN. After FinCEN has reviewed the relevant authorization and approved the request, an agency could then conduct searches within the beneficial ownership IT system using the same search functionality available to federal agencies engaged in national security, intelligence, or law enforcement activity.

Federal Agencies on Behalf of Certain Foreign Authorities

The Proposed Rule would allow FinCEN to disclose BOI to federal agencies that have requested BOI on behalf of a law enforcement agency, prosecutor, or judge of another country, or on behalf of a foreign central authority or foreign competent authority (or like designation) under an applicable international treaty, agreement, or convention, for use in the furtherance of foreign national security, intelligence, or law enforcement activity. Foreign requesters would be required to make their requests for BOI through intermediary federal agencies. Therefore, foreign requesters would not have direct access to the beneficial ownership IT system. They would instead rely on the intermediary federal agencies through which they route their requests to retrieve and furnish them with requested BOI.

Financial Institutions and Federal Functional Regulators

The Proposed Rule would allow FinCEN to disclose BOI to financial institutions to facilitate compliance with customer due diligence (CDD) requirements, and only with the consent of the reporting company to which the BOI pertains. Instead of having the direct ability to query for information, FinCEN anticipates that a financial institution would submit identifying information specific to a reporting company and receive in return an electronic transcript with that entity’s BOI. This more limited information-retrieval process is meant to reduce the overall risk of inappropriate use or unauthorized disclosures of BOI.

FinCEN would also be allowed to disclose the BOI that it discloses to financial institutions to federal functional regulators and other appropriate regulatory agencies for purposes of assessing the financial institutions’ compliance with CDD requirements. To the extent that the regulator also engages in law enforcement activity, it would be able to access the BOI for that purpose as well. Under the proposed rule, self-regulatory organizations (SROs) that are registered with or designated by a federal functional regulator pursuant to federal statute, such as the Financial Industry Regulatory Authority (FINRA) or the National Futures Association (NFA), would not be able to receive BOI directly from FinCEN, but rather would only be able to have derivative access to BOI via the financial institutions they regulate to facilitate CDD compliance reviews.

More specifically, the proposed rule would permit financial institutions to redisclose the BOI they have obtained from FinCEN to a qualifying SRO, as well as to the financial institution’s federal functional regulator or other appropriate regulatory agency, provided that the qualifying SRO, federal functional regulator, or other appropriate regulatory agency:

• is authorized by law to assess, supervise, enforce, or otherwise determine the compliance of such financial institution with CDD requirements under applicable law;
• will use the information solely for the purpose of conducting such assessment, supervision, or authorized investigation; and
• has entered into an agreement with FinCEN providing for appropriate protocols governing the safekeeping of the information.

A financial institution may rely on an SRO, federal functional regulator, or other appropriate regulatory agency’s representation that it meets the above requirements.

Officers or Employees of the US Department of the Treasury

The Proposed Rule would allow FinCEN to disclose BOI to officers or employees of the US Department of the Treasury whose official duties the secretary determines require such inspection or disclosure, and for tax administration purposes.

BOI SAFEGUARDS

Under the Proposed Rule, specific BOI safeguards vary by recipient, however, the Proposed Rule subjects each category of authorized recipient to security and confidentiality protocols. Generally, BOI recipients are required under the Proposed Rule to have standards and procedures for storing BOI in a secure system to which only authorized personnel have access and only for authorized purposes. The following is a summary of safeguards specific to each category of recipient.

Security and Confidentiality Requirements for Domestic Agencies

The Proposed Rule would require federal, state, local, or tribal agencies to:

• enter into an agreement with FinCEN specifying the standards, procedures, and systems to be maintained by the agency, and any other requirements FinCEN may specify;
• establish and maintain a permanent, auditable system of records of BOI requests, and to restrict access to the BOI to certain authorized persons within the agency;
• conduct an annual audit of the BOI access and use, provide a semi-annual certification to FinCEN that the agency’s standards and procedures are compliant with FinCEN’s requirements under the Proposed Rule, and provide FinCEN with an annual report describing the agency’s standards and procedures to ensure security and confidentiality of the BOI.; and
• with respect to requests for FinCEN to disclose BOI to the agency, the agency must minimize the scope of the information it seeks from FinCEN to the extent possible and certify to FinCEN that the agency is engaged in national security, intelligence, or law enforcement, and the information sought is for use in the furtherance of that activity.

Security and Confidentiality Requirements for Financial Institutions and Federal Functional Regulators

The Proposed Rule would require financial institutions to:

• restrict access to BOI obtained from FinCEN to certain authorized persons, and develop and implement safeguards designed to protect the security and confidentiality of the BOI;
• ·obtain and document the consent of the reporting company to request the reporting company’s BOI from FinCEN, as well as retain that consent for five years from the date the financial institution last relied upon it for purposes of requesting BOI from FinCEN; and
• certify to FinCEN that it is requesting the BOI to facilitate its compliance with CDD requirements, has obtained the reporting company’s consent, and is compliant with security and confidentiality safeguard requirements under the Proposed Rule.

Security and Confidentiality Requirements for Foreign Recipients of Information

The Proposed Rule would require foreign recipients on whose behalf a federal agency made a request to FinCEN for BOI to:

• establish standards and procedures to protect the security and confidentiality of the BOI, and maintain the BOI in a secure system that complies with security standards the foreign recipient applies to the most sensitive unclassified information it handles;
• minimize the scope of the information it seeks from FinCEN to the extent possible and restrict access to the BOI to certain authorized personnel; and
• comply with applicable handling, disclosure, and use requirements of the international treaty, agreement, or convention pursuant to which the request for the BOI was made.

BOI IT SYSTEM

In issuing the Proposed Rule, FinCEN explained that it has begun developing a BOI IT system pursuant to the requirement under the CTA that the BOI be maintained in a secure, nonpublic database that employs information security methods and techniques that are appropriate to protect non-classified information security systems at the highest security level.

To that end, the BOI IT system that FinCEN is developing will be cloud-based and will meet the highest Federal Information Security Management Act (FISMA) level: FISMA High. According to FinCEN, the FISMA High rating carries with it a requirement to implement certain baseline controls to protect the relevant information. FinCEN expects the system to begin accepting BOI reports by January 1, 2024, the day the Final Rule goes into effect.

VIOLATIONS AND PENALTIES

The CTA makes it unlawful for any person to knowingly disclose or knowingly use BOI obtained by the person through a report submitted to, or an authorized disclosure made by, FinCEN, unless such disclosure is authorized under the CTA. The Proposed Rule tracks this prohibition, and further clarifies that such disclosure authorized under the CTA includes disclosure authorized under the regulations issued pursuant to the CTA.

The Proposed Rule further explains that unauthorized use would include any unauthorized accessing of information submitted to FinCEN, including any activity in which an employee, officer, director, contractor, or agent of a federal, state, local, or tribal agency or financial institution knowingly violates applicable security and confidentiality requirements in connection with accessing such information.

The Proposed Rule lists the CTA’s enumerated civil and criminal penalties for knowingly disclosing or using BOI without authorization as follows:

• Civil penalties in the amount of $500 for each day a violation continues or has not been remedied
• Criminal penalties of a fine of no more than $250,000 or imprisonment for no more than five years, or both

The CTA also provides for enhanced criminal penalties, including a fine of up to $500,000, imprisonment of no more than 10 years, or both, if a person commits a violation while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period.

The CTA does not provide a private right of action for violations.

FinCEN IDENTIFIER

As discussed in our prior report, under the Final Rule, if an individual beneficial owner or company applicant submits this data to FinCEN directly, the individual may obtain a “FinCEN Identifier,” or unique identifying number assigned by FinCEN to the individual, which the reporting company may provide to FinCEN in its initial report in lieu of the data listed above pertaining to beneficial owners and company applicants. The Proposed Rule includes amendments to the Final Rule with respect to the use of FinCEN Identifiers.

Specifically, the Proposed Rule would permit a reporting company to report an intermediate entity’s FinCEN identifier in lieu of a beneficial owner’s BOI only when:

• the intermediate entity has obtained a FinCEN Identifier and provided it to the reporting company;
• an individual is or may be a beneficial owner of the reporting company by virtue of an interest in the reporting company that the individual holds through the entity; and
• ·only the individuals that are beneficial owners of the intermediate entity are beneficial owners of the reporting company, and vice versa.

In a Fact Sheet that FinCEN issued along with the Proposed Rule, FinCEN noted that these requirements are necessary to prevent over- or under-reporting of beneficial owners.

IMPLICATIONS

The limitations on access to BOI that FinCEN is proposing are expected and largely grounded in the CTA. However, if the Proposed Rule is adopted, it is unclear whether federal functional regulators, SROs, and other regulatory agencies would begin to expect the entities they regulate to routinely request BOI information from FinCEN as part of their AML programs. This concern may be particularly acute with respect to SROs which, unlike federal functional regulators, will not have direct access to BOI from FinCEN and rather will only have derivative access to BOI through the financial institutions they regulate.

In this regard, FinCEN should consider adding additional safeguards that would prohibit SROs from revising their rules to require that the financial institutions under their supervision be required to request BOI information, or from otherwise imposing penalties on financial institutions for not requesting BOI information from FinCEN.

In any event, FinCEN should make clear that entities are not required to request BOI information in every instance, otherwise examiners may be inclined to note deficiencies in AML programs for not routinely requesting information that is otherwise optional.