The Corporate Transparency Act: FinCEN Finalizes Beneficial Ownership Information Access Rule as Reporting Rule Takes Effect

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has issued a final rule (the Access Rule) regarding access to and use of beneficial ownership information (BOI) maintained by FinCEN.

The Access Rule details the circumstances under which FinCEN can disclose BOI to authorized recipients. It also spells out how FinCEN will protect that information and outlines data protection protocols and oversight mechanisms for those who receive beneficial ownership information.

The rule takes effect February 20, 2024.  It is the second of three FinCEN rulemakings to implement the Corporate Transparency Act (CTA).

The first rule, the Beneficial Ownership Reporting Rule, took effect January 1, 2024. As covered previously, it requires certain domestic and foreign companies created, or registered to conduct business, in the United States to report information to FinCEN regarding their beneficial owners – individuals who directly or indirectly own or control 25 percent or more of the ownership interests of a reporting company or who exercise substantial control over such an entity.

• Reporting companies in existence as of January 1, 2024, have until January 1, 2025, to file initial BOI reports.
• Those created or registered during 2024 will have 90 days from creation or registration to file an initial report.
• Reporting companies created or registered after 2024 will have 30 days from creation or registration to file a report.

Companies created or registered after January 1, 2024 must also report information on certain individuals involved in the creation or registration.

Use our Beneficial Ownership Reporting Tool to help determine whether your company is required to report information on beneficial owners.

How Does the Final Access Rule Compare with the Proposed Rule?

The final Access Rule largely tracks FinCEN’s proposed rule (see our prior client alert), with several key changes to address concerns commenters raised during the rulemaking process.

• Importantly, the Access Rule expands the purposes for which financial institutions subject to anti-money laundering requirements under the Bank Secrecy Act can use BOI they access from FinCEN’s database.
  • The proposed rule would have limited financial institutions’ use of BOI to comply with FinCEN’s Customer Due Diligence Rule.
  • The final rule permits covered financial institutions to use BOI to comply with anti-money laundering and U.S. economic sanctions requirements, more generally.
• The Access Rule also addresses whether and to what degree financial institutions can share BOI they access from FinCEN’s database with people outside the United States.
  • The proposed rule would have limited offshore access to BOI.
  • The final rule permits financial institutions to share BOI with employees, agents and contractors outside the United States – but prohibits sending BOI to China, Russia, or any jurisdiction designated as a state sponsor of terrorism or that is the target of comprehensive U.S. economic sanctions.

Who Has Access – and For What Purpose?

The Access Rule permits these recipients to access BOI, provided they meet required security and confidentiality protocols:

• Federal agencies engaged in national security, intelligence, or law enforcement activity can request BOI to use for national security, intelligence, or criminal or civil law enforcement purposes.
• U.S. state, local, and tribal law enforcement agencies with court authorization may access BOI in criminal or civil investigations. The agencies must certify they are engaged in a qualifying activity, describe the information they are authorized by the court to seek, and specify the information’s relevance.
• Foreign law enforcement agencies, judges, prosecutors, and other authorities may seek BOI for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity authorized under the foreign country’s laws. Such requests must:
  • Come to FinCEN through an intermediary federal agency.
  • Be made pursuant to an international treaty, agreement, or convention, or via a request of law enforcement, judicial, or prosecutorial authorities in a trusted foreign country (although the rule does not define “trusted”).

• Financial institutions subject to FinCEN’s Customer Due Diligence Rule – banks, brokers and dealers in securities, futures commission merchants and introducing brokers, and mutual funds – can access BOI with respect to a particular reporting company, with the company’s consent, to comply with customer due diligence requirements.
  • The rule defines “due diligence requirement” as “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States.”
  • That includes using BOI for sanctions-related reasons.
• Regulators who supervise financial institutions may access BOI, if reasonably necessary, to assess, supervise, or otherwise determine a financial institution’s compliance with customer due diligence requirements, including anti-money laundering, counterterrorist financing, sanctions, or national security-related legal requirements.
  • Regulators will be provided only BOI the institutions they supervise have received from FinCEN.
  • Self-regulatory organizations (SROs) may not access FinCEN’s database, though the Access Rule permits financial institutions and federal regulators to redisclose BOI to certain qualifying SROs.
• U.S. Treasury Department officers and employees may access BOI if their official duties require it or if the information is needed for tax administration.

FinCEN declined to permit other financial institutions, such as money services businesses, to access the BOI database, but indicated it intends to evaluate whether to expand access.

FinCEN also clarified that:

• The Access Rule authorizes FinCEN to disclose BOI to regulatory technology firms, beneficial ownership data service providers, due diligence vendors, or other third-party service providers to financial institutions.
  • These service providers can access FinCEN’s database as long as they or their employees are “agents” or “contractors” of a financial institution and are performing a function on behalf of the financial institution that requires direct access.
  • A financial institution will ultimately bear responsibility for service providers accessing BOI on its behalf, and service providers must protect and store BOI in compliance with the Access Rule and ensure that BOI is used for appropriate purposes.

Financial institutions are not required to access FinCEN’s BOI database. FinCEN and various bank regulators issued an interagency statement clarifying that the Access Rule does not create a new regulatory requirement for banks to access BOI in FinCEN’s database or any supervisory expectation that they do so.

How and When Will FinCEN Provide Access?

FinCEN plans to grant access to its BOI database in phases, as follows:

1. Key federal agencies will be the first to obtain access.
2. Treasury Department offices and certain federal agencies engaged in law enforcement and national security activities will be next.
3. Additional federal agencies, as well as state, local, and tribal law enforcement partners, will then gain access.
4. Next, intermediary federal agencies with connections to foreign government requests will have access.
5. Finally, financial institutions and their supervisors will receive access.

The Access Rule does not provide a time frame for access.

All authorized recipients except foreign recipients will have direct access to the BOI database, but financial institutions and supervisors will have more limited access than their federal, state, local, and Treasury counterparts. In particular, covered financial institutions may only request information on customers that have provided consent and will not be permitted to conduct broad searches for BOI. Financial institutions will submit identifying information specific to a reporting company and immediately receive an electronic transcript with that entity’s BOI. FinCEN expects that financial institutions will use Application Programming Interfaces (APIs) to access the BOI database.

What Are the Safeguards and Penalties for Unauthorized Disclosure?

The CTA establishes BOI as “sensitive information” and imposes strict security and confidentiality requirements on its collection, storage, and use. The Access Rule includes safeguards to prevent unauthorized disclosure or use of BOI. In maintaining BOI, FinCEN must adhere to the Federal Information Security Management Act’s “High” standards, which are the highest level of security controls that U.S. government agencies must apply to unclassified information. Additionally, the Treasury Department has established a process to escalate data breaches and compromises.

Unauthorized use of BOI includes unauthorized access to BOI or violation of security and confidentiality requirements in connection with access.

To access BOI collected by FinCEN, domestic agencies must establish:

• Standards and procedures to protect the security and confidentiality of the information.
• A secure system for storing the information.
• Auditable request records.

Agencies must also enter into an agreement with FinCEN specifying their standards and procedures to protect BOI, and restrict access, conduct audits, and provide FinCEN with reports and certifications.

Financial institutions accessing BOI must develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI. These requirements can be satisfied by using the same safeguards as those required by Section 501 of the Gramm-Leach-Bliley Act and its implementing regulations. Financial institutions are also required to certify that each request for BOI satisfies the applicable criteria.

Foreign requesters obtaining BOI under an applicable treaty, agreement, or convention must comply with all applicable handling, disclosure, and use requirements of the applicable treaty, agreement, or convention. Foreign requesters obtaining BOI pursuant to a request from a trusted foreign country must establish standards and procedures to protect the security and confidentiality of the BOI, maintain the BOI in a secure system, and restrict access. Recipients of BOI are generally prohibited from re-disclosing it, with certain exceptions.

The rule authorizes penalties for anyone who knowingly discloses or uses BOI except as authorized by the CTA, including civil penalties of $500 for each day a violation continues. Criminal penalties include a fine of up to $250,000 and/or imprisonment for up to five years. If a violation occurs during the commission of other violations of U.S. law, violators can face fines of up to $500,000 and imprisonment for up to 10 years.

FinCEN may suspend or revoke a financial institution’s access to the BOI database for violations of the Access Rule.

What’s Next?

FinCEN will issue a third rule, by January 1, 2025, to revise the Customer Due Diligence Rule and bring it into conformance with the CTA and the Access Rule. FinCEN also deferred consideration of certain comments raised on the proposed access rule to address in the third rulemaking or future guidance.