The Financial Crimes Enforcement Network of the U.S. Treasury Department (“FinCEN”) issued a Notice of Proposed Rulemaking (the “Proposed Access Rule”) on December 15, 2022 to implement the second key provision of the Corporate Transparency Act (“CTA”) regarding access by certain authorized government entities and financial institutions to beneficial ownership information (“BOI”) that will be reported to FinCEN. The CTA requires FinCEN to create and maintain a secure central database containing the BOI of “reporting companies” it collects. The Proposed Access Rule establishes how recipients of BOI may use the information they access, how they must secure it, and the penalties for failing to comply with the applicable requirements.
The Proposed Access Rule is the second of three regulations required to be implemented under the CTA. On September 30, 2022, FinCEN issued the first final rule, which will become effective January 1, 2024 (the “BOI Rule”), to implement the CTA’s beneficial ownership reporting requirements for certain legal entities. As described in our prior client alert, the BOI Rule will require “reporting companies” to disclose to FinCEN identifying information regarding the entities, their “beneficial owners” (including those individuals that exercise “substantial control” over them), and their “company applicants.”
The BOI Rule discusses the creation of a Beneficial Ownership Information IT System: a private database to store information collected from BOI reports. Given the privacy concerns regarding the sensitive company information FinCEN will collect in BOI reports, the CTA imposes strict confidentiality, security, and access restrictions on the data stored in the IT system.
The third rule required by the CTA, which will revise FinCEN’s customer due diligence rule (“CDD Rule”), must be implemented within one year of the effective date of the BOI Rule.
Government Authorities and Financial Institutions with Access to Beneficial Ownership Information
The Proposed Access Rule, in limited circumstances, would authorize FinCEN to disclose BOI to five general categories of recipients, as provided by the CTA:
- U.S. federal, state, local, and tribal government agencies;
- Foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (“foreign requesters”);
- Financial institutions that are subject to the CDD Rule;
- Federal functional regulators and other appropriate regulatory agencies; and
- The U.S. Treasury Department itself.
The Proposed Access Rule would authorize FinCEN to grant access to BOI to permitted recipients under the following circumstances:
- National security: FinCEN would be permitted to disclose BOI to federal agencies that seek such information in furtherance of national security, intelligence, or law enforcement activity related to criminal or civil investigations. These agencies would be able to log into the Beneficial Ownership Information IT System directly and run searches. Agency users would have to submit justifications for their searches to FinCEN and would be subject to audit and oversight by FinCEN.
- Court-authorized release of BOI for certain investigations: FinCEN could disclose BOI to a state, local, or tribal law enforcement agency engaged in a criminal or civil investigation if a court with appropriate jurisdiction authorized the agency to seek the information in the investigation.
- Foreign requests: Foreign governmental authorities’ requests to FinCEN for BOI would have to come through intermediary federal agencies pursuant to an international treaty, agreement, or convention, or by a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country.  Foreign requesters would have to rely on the intermediary U.S. agencies to retrieve the requested BOI, as they would not have direct access to the IT system themselves.
- Financial institutions complying with CDD requirements: With consent from a reporting company, the Proposed Access Rule would permit “covered financial institutions”—which include banks, mutual funds, securities brokers and dealers, futures commission merchants, and introducing brokers on commodities—to request BOI to facilitate compliance with their existing CDD requirements, defined by the Proposed Access Rule to mean the CDD Rule. Covered financial institutions do not include money services businesses, which are not subject to the CDD Rule. FinCEN anticipates that to obtain BOI, covered financial institutions would submit a request for BOI to a reporting company and would receive an electronic transcript with that entity’s BOI, but that financial institutions would not be permitted to run searches in the database themselves.
- Regulatory agencies: In order to assess a financial institution’s compliance with CDD requirements, federal functional regulators and regulatory agencies would be able to receive the BOI that the financial institutions they supervise receive from FinCEN. Regulators could also directly and broadly access BOI in furtherance of law enforcement activity.
- Treasury: The Treasury Department would have broader access to BOI—any Treasury officer or employee could access the IT database (1) if the employee’s official duties require BOI inspection or disclosure or (2) for tax administration. The CTA requires that the Treasury Department establish internal policies and procedures governing Treasury officer and employee access to BOI.
Prohibition on Disclosure Outside the United States
The Proposed Access Rule would prohibit financial institutions from disclosing BOI to their directors, officers, employees, contractors, and agents located outside the United States due to the risks of allowing a foreign government agency to obtain such BOI via judicial or administrative warrant, summons, or subpoena directly on the foreign entity or location where the BOI is stored. This measure is in line with and complements the requirements associated with the process through which foreign governments would be permitted to obtain BOI under the Proposed Access Rule.
Safeguards and Penalties for Unauthorized Disclosure
The Proposed Access Rule contains safeguards to prevent unauthorized disclosure or use of BOI, including:
- Domestic Agencies:
- Federal, state, local, and tribal requesting agencies, including intermediary federal agencies acting on behalf of authorized foreign requesters, federal functional regulators, and other appropriate regulatory agencies would be required to:
- Establish and maintain a secure system in which BOI will be stored;
- Provide a report describing the procedures established to ensure confidentiality of BOI;
- Limit the scope of information sought; and
- Establish and maintain a permanent system of standardized records with an auditable trail for the requests.
- Each requesting agency would be required to enter into a Memorandum of Understanding with FinCEN specifying the standards, procedures, and systems that the agency would be required to maintain to protect BOI.
- Financial Institutions:
- Financial institutions would have to develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI as a precondition for receiving such information. Applying existing procedures necessary to comply with Section 501 of the Gramm-Leach-Bliley Act and applicable implementing regulations would generally satisfy this requirement.
- Financial institutions would be required to obtain and document a reporting company’s consent before requesting that reporting company’s BOI from FinCEN.
- Financial institutions would have to certify in writing for each BOI request that it:
- Requested the information to facilitate its compliance with CDD requirements;
- Obtained the reporting company’s written consent to request its BOI; and
- Fulfilled the other relevant security and confidentiality requirements.
- Foreign Requesters:
- Foreign requesters would have to handle, disclose, and use BOI consistent with the requirements of the applicable treaty, agreement, or convention under which it was requested.
- Foreign requesters with no underlying treaty, agreement, or convention would be required to 1) have security standards and procedures in place, 2) maintain a secure storage system that complies with whatever security standards the foreign requester applies to the most sensitive unclassified information it handles, 3) minimize the amount of information requested, and 4) restrict personnel access to the information it requested.
- Officers, Employees, Contractors, and Agents:
- Any officer, employee, contractor, or agent of a requesting agency that receives BOI disclosed by FinCEN would be permitted to disclose such information to another officer, employee, contractor, or agent of the same requesting agency for the particular purpose or activity for which such information was requested.
- Any director, officer, employee, contractor, or agent of a financial institution that receives BOI disclosed by FinCEN could disclose such information to the financial institution’s federal regulatory agency, or as indicated above, to qualifying SROs.
The Proposed Access Rule provides civil and criminal penalties for any person who knowingly discloses or uses BOI obtained by the person, unless such disclosure is authorized under the CTA.
FinCEN is seeking written comment on the Proposed Access Rule until February 14, 2023 from the public, including federal, state, local, and tribal government entities. It sets forth a series of questions and invites public comment regarding several specific issues, including the following:
- Narrow Definition of CDD Requirements:
- FinCEN seeks input as to whether it should broaden the term “customer due diligence requirements under applicable law.” As noted, FinCEN proposes to define this term to mean the CDD Rule, as it may be amended or superseded by the Anti-Money Laundering Act. This definition would not include, for example, FinCEN’s separate customer identification program regulations. It would also exclude financial institutions not subject to the CDD Rule that may maintain customer due diligence requirements in order to implement a risk-based anti-money laundering program—such as money services businesses—from accessing the BOI Registry.
- Obtaining Reporting Company Consent:
- FinCEN proposes that financial institutions be required to obtain a reporting company’s consent in order to request the reporting company’s BOI from FinCEN. FinCEN invites commenters to indicate what barriers or challenges financial institutions may face in fulfilling such a requirement.
- Security and Confidentiality Requirements:
- FinCEN seeks input on whether it should impose any additional security or confidentiality requirements on authorized recipients of any type, and if so, what requirements and why.
- Prohibition on Access to BOI by Financial Institutions’ Directors, Officers, Employees, Contractors, and Agents Outside the United States:
- FinCEN asks whether its proposed requirement that financial institutions limit BOI disclosure to their directors, officers, employees, and agents within the United States will impose undue hardship on financial institutions.
- FinCEN asks what specific issues it should address via public guidance or FAQs. It also seeks specific recommendations on engagement with stakeholders to ensure that the authorized recipients, and in particular, state, local, and tribal authorities and small and midsized financial institutions, are aware of requirements for access to the beneficial ownership IT system.
Recent Paperwork Reduction Act notice
Separately, on January 17, 2023, FinCEN issued notices and requests for comment on two issues related to BOI reporting: the application that will be used to collect information from individuals who seek to obtain a FinCEN identifier and the report that will be used to collect BOI. With regard to both, FinCEN requests comments on ways to enhance the quality, utility, and clarity of the information to be collected and to minimize the burden of the collection of information on respondents, including through the use of technology, among other things. Comments are due by March 20, 2023.
 31 C.F.R. § 1010.230.
 The Proposed Access Rule does not define “trusted foreign country,” but requests comments regarding whether FinCEN should define the term, and if so, what considerations should be included in the definition.
 However, self-regulatory agents that are registered with or designated by a federal functional regulator pursuant to federal statute (“qualifying SROs”), such as the Financial Industry Regulatory Authority, would not be permitted to access the registry. Because SROs are in a unique position with a critical role in overseeing financial services institutions, FinCEN plans to permit financial institutions to re-disclose to qualifying SROs the BOI they obtain from FinCEN for use in complying with CDD requirements. An SRO that receives BOI from a financial institution it supervises could use the information for the limited purpose of examining compliance with CDD obligations.