The Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a proposed rule (Proposed Rule)¹ on December 15, 2022, implementing the requirements of Section 6403 of the Corporate Transparency Act (Act) governing access to and protection of beneficial ownership information (BOI).² The Act, enacted on January 1, 2021, as part of the Anti-Money Laundering Act of 2020 within the National Defense Authorization Act of 2021, requires FinCEN to promulgate regulations mandating “reporting companies” to disclose to FinCEN the identity of all “beneficial owners” and “company applicants,” among other requirements.³ The Proposed Rule would implement the Act’s related mandate that FinCEN promulgate rules that “authorize certain recipients to receive disclosures of identifying information associated with reporting companies, their beneficial owners, and company applicants,” while maintaining BOI in a “secure, nonpublic database, using information security methods and techniques that are appropriate to protect non-classified information security systems at the highest level.”⁴ In addition, FinCEN is proposing to amend the BOI Reporting Rule (as defined below) to “specify when and how reporting companies can use FinCEN identifiers to report BOI of entities.”⁵

The comment period for the Proposed Rule closes on February 14, 2023. The Proposed Rule is the second of three planned rulemakings to implement the requirements of the Act. The first rule (BOI Reporting Rule), finalized on September 29, 2022, defined and implemented the beneficial ownership reporting requirements of the Act.⁶ If adopted without modification, the Proposed Rule would become effective on January 1, 2024, to coincide with the effective date of the BOI Reporting Rule.

Five Categories of Authorized Recipients

The Proposed Rule is intended to help governmental agencies and certain private institutions easily access a central repository with BOI of reporting companies while protecting the safety and confidentiality of the BOI received by FinCEN.

The Proposed Rule sets forth five categories of recipients authorized to access and use the BOI stored in FinCEN’s centralized information technology (IT) system, provided that the authorized recipients: (i) follow the procedures by which BOI may be requested, as defined for each category; and (ii) take measures to safeguard the BOI, as mandated by the Proposed Rule. Failure to meet these two requirements could result in civil and criminal penalties for such authorized recipients. (Please refer to “Access Control Requirements and Penalties” section below for more details.)

The five categories of authorized recipients are:

• U.S. governmental agencies at the Federal, state, local and Tribal level;
• Foreign authorities, including “law enforcement agencies, judges, prosecutors, central authorities and other competent authorities”;
• Financial institutions, but only for the purpose of complying with Customer Due Diligence (CDD) requirements;
• Supervising regulators of financial institutions, but only for the purpose of determining whether the supervised financial institutions are complying with CDD requirements; and
• U.S. Department of the Treasury officers and employees acting in their official capacities.

U.S. Federal and State Government Agencies

Federal agencies’ access to BOI would be “activity-based.”⁷ Under the Proposed Rule, federal agencies that are engaged in “national security, intelligence, and law enforcement activities” would be allowed to run direct queries in FinCEN’s BOI system. Such direct access to BOI would aid agencies in conducting criminal investigations. However, a requesting Federal agency would be required to submit a “brief justification” to FinCEN, and FinCEN would retain authority to review and audit such justifications. In the Proposing Release, FinCEN noted that “law enforcement activities” include investigations and enforcement of both criminal and civil violations of law, and, therefore, agencies investigating civil violations of law, including the SEC, may also access the BOI database.

A State, local or Tribal agency would also be permitted to run direct queries in FinCEN’s BOI system, provided that (i) it uploads a document issued by “a court of competent jurisdiction” authorizing such agency to access BOI; and (ii) FinCEN has reviewed and approved such authorization. To facilitate consistency across a variety of evidence-gathering procedures, FinCEN is requesting comments that detail such procedures currently implemented by state, local and Tribal agencies during criminal and civil proceedings as well as the “extent to which court authorization is involved” (e.g., through a “court’s issuance of an order” or “approval of a subpoena”).⁸

Foreign Authorities

Certain defined categories of foreign authorities (i.e., foreign law enforcement agencies, judges, prosecutors, central authorities and competent authorities) would be able to access BOI indirectly by routing their requests for BOI through a U.S. intermediary Federal entity. Among other requirements to be granted, such requests would be required to be made: (i) pursuant to an “international treaty, agreement, or convention”; or (ii) by a foreign authority located in a “trusted foreign country.”⁹ When no specific treaties or agreements apply, FinCEN would consider “U.S. interests and priorities in consultation with other relevant U.S. government agencies” when determining whether to grant a request. If FinCEN were to grant a request, the U.S. Federal intermediary entity would retrieve the BOI on the foreign authority’s behalf and transmit such information to the requesting foreign authority.

Financial Institutions and Federal Regulators

The Proposed Rule would permit FinCEN to disclose a reporting company’s BOI to financial institutions to facilitate their compliance with applicable CDD requirements. The financial institution would be required to secure consent from the relevant reporting companies. As discussed in the Proposing Release, FinCEN would not allow financial institutions to run “broad or open-ended queries in the beneficial ownership IT system or to receive multiple search results.” Rather, financial institutions would “submit to the system identifying information specific to that reporting company, and receive in return an electronic transcript with that entity’s BOI.”

In addition, the Proposed Rule would permit federal regulators and “other appropriate regulatory agencies” that supervise financial institutions to request BOI from FinCEN, but only to “assess, supervise, enforce, or otherwise determine” the relevant financial institutions’ compliance with CDD requirements. Importantly, self-regulatory organizations, such as the Financial Industry Regulatory Authority and the National Futures Association, would not have access to the FinCEN database; instead, the Proposed Rule would authorize financial institutions to disclose BOI received from the FinCEN database to qualifying self-regulatory organizations, which could then use the BOI for purposes of assessing the financial institution’s compliance with CDD requirements.

U.S. Department of the Treasury

Under the Act, U.S. Department of the Treasury officers and employees acting in their official capacities are granted unique access to BOI for: (i) inspection and examination by such officers and employees in furtherance of their official duties; and (ii) tax administration. Under the Proposed Rule, such unique access would be tracked to ensure the safety of sensitive BOI. In addition, under the Proposed Rule, the Secretary of the Treasury would establish formal policies and procedures to restrict the access to authorized purposes (e.g., enforcement actions and sanctions administration) and to develop safeguarding requirements with respect to the request and use of BOI.

Access Control Requirements and Penalties

The Proposing Release acknowledges the sensitivity of BOI and, in addition to the access control requirements imposed onto different categories of requesters, would mandate additional safeguarding measures regarding the storage and use of BOI. The Proposed Rule would require that each recipient establish a secure database to store BOI received from FinCEN, although the security standards vary depending on the recipient.¹⁰ Domestic agencies would be required to sign a memorandum of understanding or similar agreement with FinCEN before submitting any requests for BOI. Requestors receiving BOI would have to store BOI in a secured system accessible only by authorized users within the requesting entity and only for authorized purposes.

The Act makes it unlawful “for any person to knowingly disclose, or knowingly use, the beneficial ownership information [directly or indirectly] obtained by the person” through unauthorized use.¹¹ The Proposed Rule tracks the Act’s prohibition and would define “unauthorized use” to include unauthorized use under the Act and the regulations promulgated thereunder, which would include not only use without authorization but also any violation of the access control or safeguarding requirements. The Act enumerates civil and criminal penalties for violations. Enhanced criminal penalties are available and can include a fine of up to $500,000 and imprisonment of not more than 10 years. The Proposed Rule would track the Act’s enumerated fines and penalties.

Use of FinCEN Identifiers under Limited Circumstances

A FinCEN identifier is a “unique identifying number” that is issued to an individual or entity who has provided FinCEN with their BOI. While the BOI Reporting Rule describes the process for obtaining and using a FinCEN identifier, the Proposed Rule would clarify that the reporting of an intermediary entity’s FinCEN identifier in lieu of the beneficial owner’s BOI is permissible only when: (i) the intermediary entity has obtained a FinCEN identifier and provided it to the reporting company; (ii) the individual(s) become the beneficial owner(s) of the reporting company through interests held in the intermediary entity; and (iii) the beneficial owners of the intermediary entity and the beneficial owners of the reporting company are exactly the same. The third requirement is intended to prevent the over- or under-reporting of beneficial owners and ensure the accuracy of the records kept in FinCEN’s system.

FinCEN’s Next Steps

As noted above, the Proposed Rule is the second of three planned rulemakings to implement the requirements of the Act. As per the Proposed Rule Fact Sheet,¹² in the third and final rulemaking FinCEN plans to revise FinCEN’s CDD rule no later than one year after the effective date of the BOI Reporting Rule.

Footnotes:

1) FinCEN Issues Notice of Proposed Rulemaking Regarding Access to Beneficial Ownership Information and Related Safeguards (Proposing Release). Also see FinCEN fact sheet (Proposed Rule Fact Sheet).

2) National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283 (Jan. 1, 2021).

3) For further information, please refer to Dechert OnPoint, FinCEN Corporate Transparency Final Rule: Beneficial Ownership Information Reporting Requirements and the Potential Impact on Financial Institutions and Pooled Investment Vehicles (Dechert OnPoint).

4) See Proposed Rule supra note 1.

5) Id.

6) Beneficial Ownership Information Reporting Requirements, Final Rule, 87 FR 59498 (Sept. 30, 2022) (BOI Adopting Release). Also see FinCEN fact sheet; see also Dechert OnPoint supra note 3.

7) See Proposing Release, supra note 1.

8) Id.

9) See Proposed Rule Fact Sheet, supra note 1.

10) For example, domestic agency recipients would have to “establish and maintain, to the satisfaction of the Secretary, a secure system in which [BOI] provided directly by the Secretary shall be stored,” and financial institutions would have to establish administrative, technical, and physical safeguards reasonably designed to protect BOI. Although the Proposed Rule does not prescribe any particular methods for meeting the reasonableness standard, it does include a safe-harbor whereby a financial institution would be deemed to meet the reasonableness standard if its administrative, technical and physical safeguards meet the standards prescribed by the Gramm-Leach-Bliley Act and regulations adopted thereunder.

11) See Adopting Release, supra note 6.

12) Supra note 1.