FinCEN Issues Final Rule Implementing Access and Safeguard Provisions of the CTA
- The U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) issued a final rule on Dec. 21, 2023 (Access Rule), implementing the access and safeguard provisions of the Corporate Transparency Act (CTA), which came into effect Jan. 1, 2024.
- The Access Rule establishes the circumstances under which beneficial ownership information (BOI) may be disclosed to authorized recipients, as well as the necessary protections to avoid unauthorized disclosure of BOI. The Access Rule will become effective Feb. 20, 2024.
- This alert discusses key components of the Access Rule, including the definition of an authorized recipient, the security and confidentiality requirements for accessing BOI required to be reported by reporting companies to FinCEN, how BOI access will be implemented, and the acts that may result in violations and penalties under the Access Rule.
The Corporate Transparency Act (CTA) was enacted in 2021 and became effective on Jan. 1, 2024. The CTA was passed with the aim of enhancing transparency in corporate ownership, so as to combat the proliferation of anonymous shell companies that facilitate the flow and sheltering of illicit money into the United States.
Under the beneficial owner information reporting provisions (the BOI Final Rule) promulgated by U.S. Department of the Treasury's (Treasury) Financial Crimes Enforcement Network (FinCEN) in September 2022, certain corporations, limited liability companies and other similar entities are required to report to FinCEN identifying information about the reporting company itself, the individuals who directly or indirectly own or control a reporting company (the beneficial owners), and company applicants (the individuals who assist in the formation of the entity), unless the entity is out of scope or an exemption to the reporting requirement applies. A reporting company has an obligation to file an initial report, an updated report (if information changes with respect to the reporting company itself or its beneficial owners, but not its company applicants), and a corrected report (if necessary, to correct inaccurate information).
The Access Regulations
FinCEN issued a final rule on Dec. 21, 2023, implementing the access and safeguard provisions of the CTA (Access Rule). The Access Rule establishes the circumstances under which beneficial ownership information (BOI) may be disclosed to authorized recipients, as well as the necessary protections to avoid unauthorized disclosure of BOI. The Access Rule follows FinCEN's BOI Final Rule, discussed above. The third and final set of regulations dealing with the conformance of the customer due diligence rules applicable to financial institutions (often referred to as the CDD Rule) to those of the CTA's BOI Final Rule is anticipated to be released no later than Jan. 1, 2025. Importantly, financial institutions have independent obligations under the BSA to conduct due diligence relating to their legal entity customers and their beneficial owners. When the Anti-Money Laundering Act of 2020 (AMLA) and the CTA were enacted, these laws directed FinCEN to make changes and updates to the CDD Rule given that beneficial ownership information would eventually be reported under the BOI Final Rule.
Will BOI Be Confidential?
In a nutshell, yes. By statute, BOI is considered "sensitive information," and will be maintained by FinCEN in a secure, non-public database and accessible only by certain persons, as discussed further below.
Under the CTA, BOI is confidential and can only be disclosed under specific circumstances to six categories of recipients. This reflects FinCEN's commitment to protect BOI, as the level of access granted will be based on the identity of the authorized recipient. BOI will be stored on the BOI IT system developed by FinCEN and authorized recipients will be subject to specific security and confidentiality requirements.
Who Can Access BOI?
Federal agencies engaged in national security, intelligence or law enforcement activity may access BOI provided the requested information is for use in furtherance of such activity. Notably, "law enforcement activity" includes civil investigations, as well as criminal investigations. By way of example, FinCEN may disclose BOI to a federal agency upon a request pertaining to a civil forfeiture action. Prior to any request, federal agency users will have to provide a certification attesting to their engagement in a national security, intelligence or law enforcement activity. Federal agency users will also have to attest that the requested BOI furthers their official activity, including specific reasons the information is relevant.
State, Local and Tribal Law Enforcement Agencies
State, local and tribal law enforcement agencies may access BOI if a "court of competent jurisdiction" – meaning, any court with jurisdiction over the criminal or civil investigation for which a state, local or tribal agency requests BOI – has authorized the law enforcement agency to seek the information in a criminal or civil investigation. Prior to any request, such agency users must certify that a court of competent jurisdiction has authorized the agency to seek BOI information in a criminal or civil investigation and that the requested information is relevant to the investigation. The certification must include a description of the information the court has authorized the agency to seek, but will not require agencies to submit the court order itself.
"Foreign requesters" may access BOI on behalf of a law enforcement agency, prosecutor or judge of another country, or on behalf of a foreign central authority or foreign competent authority, under certain circumstances. The foreign requesters must seek information from FinCEN through an intermediary U.S. federal agency. Further, the request must be 1) for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country, and 2) made either under an international treaty, agreement or convention, or, when no such instrument is available, by official request for a law enforcement, judicial or prosecutorial authority of a "trusted" foreign country, as "determined by FinCEN, with the concurrence of the Secretary of State and in consultation with the Attorney General or other agencies as necessary and appropriate."
Financial institutions that use BOI to facilitate compliance with customer due diligence requirements under applicable law may access BOI. The Access Rule broadly defines "applicable law" to include any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard U.S. national security. In any event, it must be reasonably necessary for a financial institution to obtain or verify BOI of a legal entity customer. Business or commercial use of BOI is not permitted under the Access Rule. Among other reasons, financial institutions may, but are not required to, request BOI information to satisfy their obligations under the BSA or facilitate compliance with sanctions imposed by the Treasury Department's Office of Foreign Assets Control (OFAC), provided it is reasonably necessary to obtain or verify BOI to satisfy such requirements. Importantly, financial institutions requesting BOI must have the respective reporting company's consent for disclosure. This will require financial institutions to review their disclosures to ensure such consent is clearly and conspicuously given.
Federal Functional Regulators and Other Appropriate Regulatory Agencies
Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence requirements may access BOI. Access is limited, however, such that these regulators and agencies can only access BOI that financial institutions they supervise received from FinCEN. The information can only be used to assess, supervise, enforce or otherwise determine compliance by those financial institutions with customer due diligence requirements under applicable law.
Treasury officers and employees may access BOI, provided their official duties involve tax administration or BOI inspection or disclosure. To illustrate, BOI may be accessed with respect to enforcement actions, tax investigations, sanctions investigations and designations, and identification of property blocked pursuant to sanctions. Treasury officers and employees will also use BOI to administer the BOI framework (i.e., to conduct audits, enforcement and oversight).
Will BOI Be Redisclosed?
Generally speaking, authorized recipients are prohibited from redisclosing BOI. FinCEN has carved out exceptions and authorized redisclosure among authorized recipients in the following circumstances:
- Any officer, employee, contractor or agent of a requesting agency who receives information disclosed by FinCEN may disclose such information to another officer, employee, contractor or agent of the same requesting agency for the particular purpose or activity for which such information was requested.
- Any officer, employee, contractor or agent of the Treasury Department who receives information disclosed by FinCEN may disclose such information to another Treasury officer, employee, contractor or agent for the particular purpose or activity for which such information was requested consistent with internal Treasury policies, procedures, orders or directives.
- Any director, officer, employee, contractor or agent of a financial institution who receives information disclosed by FinCEN may disclose such information to another director, officer, employee, contractor or agent of the same financial institution for the particular purpose or activity for which such information was requested, consistent with the requirements.
- Any director, officer, employee, contractor or agent of a financial institution who receives information disclosed by FinCEN may disclose such information to the financial institution's federal functional regulator, a self-regulatory organization that is registered with or designated by a federal functional regulator pursuant to federal statute, or other appropriate regulatory agency, provided that the federal functional regulator, self-regulatory organization, or other appropriate regulatory agency meets the requirements mentioned above. It is worth noting that a financial institution may rely on a federal functional regulator, self-regulatory organization or other appropriate regulatory agency's representation that it meets the requirements.
- Any officer, employee, contractor or agent of a federal functional regulator who receives information disclosed by FinCEN may disclose such information to a self-regulatory organization that is registered with or designated by the federal functional regulator, provided that the self-regulatory organization meets the requirements discussed above.
- Any officer, employee, contractor or agent of a federal agency who receives information from FinCEN may disclose such information to the foreign person on whose behalf the federal agency made the request.
- Any officer, employee, contractor or agent of a federal agency engaged in a national security, intelligence or law enforcement activity, may disclose BOI it has obtained directly from FinCEN to a court of competent jurisdiction or parties to a civil or criminal proceeding.
- Any officer, employee, contractor or agent of a requesting agency who receives information disclosed by FinCEN may disclose such information to any officer, employee, contractor, or agent of the U.S. Department of Justice (DOJ) for purposes of making a referral to the DOJ or for use in litigation related to the activity for which the requesting agency requested the information.
- Any officer, employee, contractor or agent of a state, local or tribal law enforcement agency who receives information disclosed by FinCEN may disclose such information to any officer, employee, contractor or agent of another state, local, or tribal agency for purposes of making a referral for possible prosecution by that agency, or for use in litigation related to the activity for which the requesting agency requested the information.
- A law enforcement agency, prosecutor, judge, foreign central authority or foreign competent authority of another country that receives information from a federal agency may disclose and use such information consistent with the international treaty, agreement or convention under which BOI was received.
FinCEN may also authorize the redisclosure of BOI by an authorized recipient for an authorized purpose in its discretion in other circumstances.
What Are the Security and Confidentiality Requirements?
The CTA and the Access Rule establish requirements related to standards and procedures that protect the security and confidentiality of BOI. Authorized users must enter into an agreement with FinCEN as to compliance with the CTA, which includes representations as to maintaining a secure system for storing BOI and restricting access to BOI. Financial institutions must ensure safeguards are implemented to protect BOI. In some cases, financial institutions may already have security procedures in place that will satisfy the CTA's requirements. Upon requesting BOI, financial institutions will have to certify that their requests comply with the CTA. Significantly, FinCEN will restrict BOI access in certain geographical locations, including a prohibition on sharing information with persons in China, Russia or any country that is a state sponsor of terrorism or that is otherwise considered a blocked country.
How Will BOI Access Be Implemented?
FinCEN has clarified that it will provide access to the BOI IT system to authorized users in phases. The pilot program will commence with selected federal agencies in 2024. Thereafter, access will extend to Treasury officers and employees, as well as certain federal agencies that already have Memoranda of Understanding for access to Bank Secrecy Act (BSA) information. Additional stages will include 1) additional federal agencies, 2) state, local and tribal law enforcement agencies, 3) intermediary federal agencies acting on behalf of foreign governments, and 4) financial institutions and their supervisors. It is worth noting that financial institutions and their supervisors will have limited access to the BOI IT system, while foreign governments and their intermediaries will not have any direct access at all.
It is unclear at this point whether all categories of authorized recipients will receive access in 2024. Thus, impacted parties (including financial institutions) will need to monitor ongoing developments regarding this access to ensure they assess and potentially implement policies, procedures and internal controls to ensure they comply with redisclosure and use limitations relating to the BOI information they receive.
Will There Be Violations and/or Penalties?
The CTA makes it unlawful for any person to knowingly disclose or knowingly use BOI obtained by that person from a report submitted to, or an authorized disclosure made by, FinCEN, unless such disclosure is authorized. Unauthorized use may result in civil penalties in the amount of $500 for each day a violation continues unremedied, as well as criminal penalties, such as imprisonment for up to five years and a fine of up to $250,000. The CTA also authorizes enhanced criminal penalties under certain circumstances, including a fine of up to $500,000, imprisonment of not more than 10 years, or both. Violators may also have their BOI access revoked temporarily or permanently.
FinCEN intends to issue an additional rule pertaining to customer due diligence applicable to financial institutions requirements, which will be the third and final rule implementing the CTA. FinCEN will seek public comment as to the forms that must be completed by state, local and tribal law enforcement agencies and financial institutions to obtain BOI. Expect FinCEN to release guidance pertaining to the customer due diligence rule, as well as information regarding the request forms.
Financial Scam Attempts
Importantly, FinCEN has issued advisories indicating that FinCEN has been receiving calls and reports of financial scam attempts pertaining to the implementation of the BOI Final Rule and reporting of BOI information. Reporting companies and foreign reporting companies should be aware of fraudulent attempts to collect BOI information and remain vigilant. Per FinCEN's advisory, if you have received an unsolicited communication from someone via phone, text or email claiming to represent or be an employee of FinCEN, it is a scam and you should not respond. You may contact the Treasury Department's Office of Inspector General to report a fraud scam utilizing Treasury Bureaus, seals and/or employees.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.