FinCEN Issues Its Proposed Rule About Accessing Beneficial Ownership Information

On December 15, 2022, the US Financial Crimes Enforcement Network (“FinCEN”) published a Notice of Proposed Rulemaking to implement the beneficial ownership information (“BOI”) access requirements of the Corporate Transparency Act (“CTA”) (the “Access NPRM”). The Access NPRM addresses how authorized recipients can access beneficial ownership information that will be reported to FinCEN, how FinCEN will place protocols on security and confidentiality required by the CTA to protect sensitive personally identifiable information, and how reporting companies can use FinCEN identifiers to report the BOI of entities. FinCEN notes that the disclosure of BOI to authorized recipients in accordance with appropriate protocols and oversight will help law enforcement and national security agencies prevent and combat money laundering, terrorist financing, tax fraud, and other illicit activity, as well as protect national security.¹

In this Legal Update, we provide background regarding the Access NPRM, discuss some of the key changes proposed by the Access NPRM, and note the Access NPRM’s implications for financial institutions (“FIs”).

I. Background

On September 30, 2022, FinCEN issued one of three rulemakings implementing the BOI requirements of the CTA (“BOI Reporting Rule”).² The CTA was enacted into law as part of the National Defense Authorization Act (“NDAA”) and requires a broad array of legal entities, both domestic and foreign, to register with FinCEN and disclose their ultimate beneficial owners.³ The final BOI Reporting Rule addresses who will be required to file beneficial owner information with the CTA Registry, who will be exempt from filing, what must be filed, and when the required reports must be made.⁴ The CTA and FinCEN’s implementing regulations fit within a broader Biden administration strategy to combat financial crimes.⁵ (For more information regarding the BOI Reporting Rule, please see our previous Legal Update.)

The CTA also authorizes FinCEN to share BOI with certain government agencies, FIs, and regulators, subject to appropriate protocols.⁶ As discussed in further detail below, the Access NPRM explains the circumstances in which specified recipients would have access to BOI and outlines data protection protocols and oversight mechanisms applicable to each recipient category.⁷

II. Notice of Proposed Rulemaking

Access by Authorized Recipients

Prohibition on Disclosure

FinCEN proposes to expand the prohibition on disclosure of BOI as stated in the CTA.⁸ First, the Access NPRM would clarify that any individual authorized to receive BOI is prohibited from disclosing it except as expressly authorized by FinCEN. This provision would extend the prohibition on disclosure to any individual who receives BOI regardless of whether they continue to serve in the position through which they were authorized to receive BOI. Second, it would also extend the prohibition on disclosure to any individual who receives BOI as a contractor or agent of the United States; a contractor or agent of a state, local, or tribal agency; or a member of the board of directors, contractor, or agent of an FI.⁹

Authorized Recipients of BOI

FinCEN proposes to share BOI information with those who fall into the following categories:

• Federal Agencies Engaged in National Security, Intelligence, or Law Enforcement Activity. The Access NPRM would permit FinCEN to disclose BOI to federal agencies engaged in (1) national security, (2) intelligence, or (3) law enforcement activity if the requested BOI is for use in furtherance of such activity. “Law enforcement activity” here would include both criminal and civil investigations and actions.¹⁰
• State, Local, and Tribal Law Enforcement Agencies. The Access NPRM would allow FinCEN to disclose BOI to state, local, and tribal law enforcement agencies if “a court of competent jurisdiction” has authorized the law enforcement agency to seek the information in a criminal or civil investigation (e.g., through a court’s issuance of an order or approval of a subpoena). A “court of competent jurisdiction” would be any court with jurisdiction over the criminal or civil investigation for which the state, local, or tribal law enforcement agency requests BOI.¹¹ Authorized users from these agencies would be required to upload a document issued by a court of competent jurisdiction authorizing the agency to seek BOI from FinCEN.¹²
• Foreign Requesters. Foreign requesters would be required to make their requests for BOI through intermediary federal agencies rather than obtaining direct access to the beneficial ownership IT system. In addition to meeting other criteria, requests from foreign requesters would have to be made either (1) under an international treaty, agreement, or convention or (2) via a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country. FinCEN would look to US interests and priorities in consultation with other relevant US government agencies when determining whether to disclose BOI to foreign requesters when no treaty or other agreement applies.¹³ The Access NPRM’s approach to foreign requester access to BOI aligns with FinCEN’s increased focused on international cooperation.¹⁴
• FIs Subject to CDD Requirements. The Access NPRM would only permit FIs to request BOI from FinCEN for purposes of complying with CDD requirements under applicable law and only with the consent of the reporting company to which the BOI pertains. The FI would be responsible for obtaining a reporting company’s consent.¹⁵ FinCEN thus anticipates that an FI, instead of being able to run open-ended queries in the beneficial ownership IT system or to receive multiple search results, would submit identifying information specific to a reporting company and receive in return an electronic transcript with that entity’s BOI.¹⁶
• Federal Functional Regulators or Other Appropriate Regulatory Agencies. The CTA authorizes federal functional regulators and other appropriate regulatory agencies to request from FinCEN the BOI that the FIs they supervise have already obtained for purposes of assessing the FIs’ compliance with CDD requirements. Regulators under this category who also engage in law enforcement activity may also access BOI for this purpose as well but only under the criteria for access related to law enforcement activity. Additionally, certain self-regulatory organizations (e.g., FINRA) would be able to receive BOI to facilitate CDD compliance reviews under certain circumstances.¹⁷
• US Department of the Treasury. The Access NPRM follows the CTA’s requirements, which allow access to BOI to any Treasury officer or employee (1) whose official duties require BOI inspection or disclosure or (2) for tax administration. FinCEN would work with other Treasury components to establish internal policies and procedures governing Treasury officer and employee access to BOI.¹⁸

Additionally, certain domestic government agency users—such as (1) federal agencies engaged in national security, intelligence, and law enforcement; (2) Treasury officers and employees who require access to BOI to perform their official duties or for tax administration; and (3) state, local, and tribal law enforcement agencies—would be permitted to access the beneficial ownership IT system directly. They would also be able to log in, run multiple queries using multiple search fields, and review one or more results returned immediately. None of the remaining authorized recipient categories would have access to the broad search capabilities within the system.¹⁹

Use of Information

The Access NPRM proposes to implement the CTA’s provisions by clarifying that, unless otherwise authorized by FinCEN, any person who receives information disclosed by FinCEN under the Access NPRM is authorized to use it only for the particular purpose or activity for which it was disclosed. Additionally, the Access NPRM specifies the circumstances under which authorized recipients of BOI can redisclose the BOI to another person.²⁰ For example, FIs would be prohibited from redisclosing BOI outside of the United States to prevent a foreign government from seeking to obtain BOI from a foreign office or foreign affiliate of an FI pursuant to foreign law.

Protocols on Security and Confidentiality

The Access NPRM would impose specific security and confidentiality requirements for the following categories:

• Domestic Agencies. First, the Access NPRM would require each requesting agency, before it could obtain BOI, to enter into a Memorandum of Understanding (“MOU”) with FinCEN specifying the standards, procedures, and systems that the agency would be required to maintain to protect BOI. These MOUs would, among other things, memorialize and implement requirements, including those regarding reports and certifications, periodic training of individual recipients of BOI, personnel access restrictions, re-disclosure limitations, and access to audit and oversight mechanisms. Second, the Access NPRM proposes specific requirements for each request, such as requiring all requesting agencies to limit (to the greatest extent practicable) the amount of BOI they seek or requiring the heads of certain requesting agencies to provide specific certifications.²¹
• FIs. Under the Access NPRM, complying with section 501 of the Gramm-Leach Bliley Act and applicable regulations to protect non-public customer personal information would satisfy the Access NPRM’s requirement to protect BOI even if the FI or BOI is not subject to section 501. Additionally, the Access NPRM would require FIs to certify in writing for each BOI request that (1) the FI is requesting the information to facilitate its compliance with CDD requirements under applicable law, (2) it obtained the reporting company’s written consent to request its BOI, and (3) it fulfilled the other requirements of the section. FinCEN would not require FIs to submit proof of reporting company consent at the time of the request for BOI.²²
• Foreign Requesters. The Access NPRM would require foreign requesters to handle, disclose, and use BOI consistent with the requirements of the applicable treaty, agreement, or convention under which it was requested. Requirements applicable to foreign requesters when no treaty, agreement, or convention applies include having security standards and procedures, maintaining a secure storage system that complies with whatever security standards the foreign requester applies to the most sensitive unclassified information it handles, minimizing the amount of information requested, and restricting personnel access to it. The Access NPRM would also impose on foreign BOI requesters certain general requirements the CTA imposes on all requesting agencies.²³

Administration of Requests

Based on the Access NPRM, agencies and FIs would be required to submit requests for BOI to FinCEN in the form and manner FinCEN shall prescribe. FinCEN intends to provide additional detail regarding the form and manner of BOI requests for all categories of authorized users through specific instructions and guidance as it continues developing the beneficial ownership IT system. The Access NPRM also expands on the reasons for rejecting requests to access BOI and provides that FinCEN would be permitted to deny requests from both agencies and any other authorized recipient, including FIs. The bases for rejecting a request could also be bases for suspension or debarment.²⁴

Use of FinCEN Identifiers

The Access NPRM also addresses how FinCEN identifiers could be used by reporting companies. FinCEN would permit a reporting company to report an intermediate entity’s FinCEN identifier in lieu of a beneficial owner’s BOI only when:

(1) The intermediate entity has obtained a FinCEN identifier and provided that FinCEN identifier to the reporting company;

(2) An individual is or may be a beneficial owner of the reporting company by virtue of an interest in the reporting company that the individual holds through the entity; and

(3) Only the individuals that are beneficial owners of the intermediate entity are beneficial owners of the reporting company, and vice versa.²⁵

Violations and Penalties

The proposed rule clarifies that “unauthorized use” would include any unauthorized accessing of information submitted to FinCEN, including any activity in which an employee, officer, director, contractor, or agent of a federal, state, local, or tribal agency or FI knowingly violates applicable security and confidentiality requirements in connection with accessing such information.²⁶

Next Steps

FinCEN is proposing an effective date of January 1, 2024, for the Access NPRM to align with the date on which the final BOI Reporting Rule becomes effective.²⁷ Additionally, FinCEN will release its third rulemaking amending the CDD Rule and harmonizing it with the BOI Reporting Rule no later than one year after the effective date of the BOI Reporting Rule (January 1, 2024).²⁸

II. Implications for FIs

The Access NPRM proposes significant changes to the current BSA/AML regime, which may lead to both benefits and risks for FIs. On one hand, the Access NPRM may provide important benefits for certain FIs, such as banks and broker-dealers, who would likely be able to request BOI from FinCEN to facilitate their compliance with CDD requirements. However, the impact of the Access NPRM could be more limited, as FIs who are not subject to CDD requirements, such as money services businesses and mortgage companies, would not be able to gain access to important BOI information that may be beneficial in conducting their due diligence regarding legal entity customers.

Additionally, some have raised concerns about the Access NPRM’s ability to protect sensitive information. On December 15, 2022, Congressman Patrick McHenry, chairman-elect of House Financial Services Committee, issued a statement commenting that the Access NPRM does not include enough protections to prevent unauthorized access and use of the sensitive information that would be collected by FinCEN.²⁹ Notably, the Access NPRM also does not address whether or how FinCEN intends to verify the BOI it collects nor how an FI should reconcile discrepancies between BOI it collects from its customers and information reported by its customers to FinCEN.³⁰ FIs who wish engage with FinCEN on these (and other) issues should provide their feedback regarding the Access NPRM. FIs should submit written comments to FinCEN on or before February 14, 2023.

 

---

 

¹ See Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, 87 Fed. Reg. 77,404 (Dec. 16, 2022), https://www.federalregister.gov/documents/2022/12/16/2022-27031/beneficial-ownership-information-access-and-safeguards-and-use-of-fincen-identifiers-for-entities#footnote-21-p77406.

² See Beneficial Ownership Information Reporting Requirements, 87 Fed. Reg. 59,498 (Sept. 30, 2022) (to be codified at 31 C.F.R. pt. 1010), https://www.federalregister.gov/documents/2022/09/30/2022-21020/beneficial-ownership-information-reporting-requirements.

³ See 31 U.S.C. § 5336.

⁴ Beneficial Ownership Information Reporting Requirements, 87 Fed. Reg. 59,498 (Sept. 30, 2022) (to be codified at 31 C.F.R. pt. 1010), https://www.federalregister.gov/documents/2022/09/30/2022-21020/beneficial-ownership-information-reporting-requirements.

⁵ See United States Strategy on Countering Corruption (whitehouse.gov). (We discussed this initiative in a previous Legal Update.)

⁶ 31 U.S.C. § 5336(b), (c).

⁷ Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, 87 Fed. Reg. 77,404 (Dec. 16, 2022), https://www.federalregister.gov/documents/2022/12/16/2022-27031/beneficial-ownership-information-access-and-safeguards-and-use-of-fincen-identifiers-for-entities#footnote-21-p77406.

⁸ The CTA provides that BOI reports “shall be confidential and may not be disclosed by . . . (i) an officer or employee of the United States; (ii) an officer or employee of any State, local, or Tribal agency, or (iii) an officer or employee of any [FI] or regulatory agency…” See 31 U.S.C. 5336(c)(2)(A).

⁹ 87 Fed. Reg. at 77,411.

¹⁰ 87 Fed. Reg. at 77,412-13; see also FinCEN, “Fact Sheet: Beneficial Ownership Information Access and Safeguards Notice of Proposed Rulemaking (NPRM),” (Dec. 15, 2022), https://www.fincen.gov/nprm-fact-sheet.

11 Id. at 77,413-14.

¹² Id. at 77,409-10.

¹³ Id. at 77,414-15.

¹⁴ Please see Mayer Brown’s previous Legal Updates discussing FinCEN’s increased focus on international cooperation. Glen A. Kopp, Gina M. Parlovecchio, and Brad Resnikoff, “FinCEN’s First-Ever National AML/CFT Priorities Provide Insights Into Key Threats,” (July 6, 2021), https://www.mayerbrown.com/en/perspectives-events/publications/2021/07/fincens-firstever-national-amlcft-priorities-provide-insights-into-key-threats; Brad Resnikoff, Gina M. Parlovecchio, and Marc R. Cohen, “FinCEN Moves to Implement the Corporate Transparency Act,” (Apr. 5, 2021) https://www.mayerbrown.com/en/perspectives-events/publications/2021/04/fincen-moves-to-implement-the-corporate-transparency-act.

¹⁵ Id. at 77,415.

¹⁶ Id. at 77,410.

¹⁷ Id. at 77,415-16.

¹⁸ Id. at 77,416.

¹⁹ Id. at 77,409-10.

²⁰ Id. at 77,417-19.

²¹ Id. at 77,419-21.

²² Id. at 77,421-22.

²³ Id. at 77,422.

²⁴ Id. at 77.423.

²⁵ Id. at 77.424.

²⁶ Id. at 77.423.

²⁷ Id. at 77.425.

²⁸ Id. at 77.406.

²⁹ Press Release, “McHenry Raises Concerns with FinCEN’s Proposal Regarding Access to Beneficial Ownership Information,” Financial Services Committee – Republicans (Dec. 15, 2022), https://republicans-financialservices.house.gov/news/documentsingle.aspx?DocumentID=408491.

³⁰ The NPRM notes that FinCEN continues to evaluate options for verifying reported BOI. See 87 Fed. Reg. at 77,408.