The Corporate Transparency Act (CTA) requires certain businesses to provide beneficial ownership information (BOI) to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). BOI received by FinCEN is not disclosed to the general public, but certain businesses may obtain access to it. In late December, 2023, FinCEN issued a final rule (the Access Rule) that prescribes the circumstances under which BOI reported to FinCEN may be disclosed to authorized BOI recipients, and how it must be protected. Recently, FinCEN published a four-section Small Entity Compliance Guide (Guide) that provides an overview of the Access Rule’s requirements for small entities that obtain BOI from FinCEN.
While the Guide’s title and introductory paragraphs indicate the Guide is only directed at small entities or small financial institutions, the Guide summarizes the Access Rule’s requirements that apply to “financial institutions” more broadly, to assist these entities with understanding FinCEN’s expectations in accessing the BOI database in compliance with the Access Rule. Financial institutions currently do not have access to BOI, and FinCEN is taking a phased approach to providing access.
The issuance of the Access Rule and the Guide do not create new regulatory requirements or supervisory expectations for banks or non-bank financial institutions to access BOI. FinCEN is required to revise the current Customer Due Diligence (CDD) Rule as directed by Section 6403(d)(1) of the CTA.
Section 1 – Use of BOI
The Guide details the authorized use, access, disclosure, and re-disclosure of BOI obtained from FinCEN by a financial institution as provided by the Access Rule. Financial institutions are permitted to use the BOI obtained to fulfill their CDD and other legal obligations under the Bank Secrecy Act (BSA). While the Guide provides a nonexhaustive list of permissible uses for BOI, financial institutions are not permitted to use the BOI obtained for their general business or commercial activities, such as using the information in decisioning credit applications or for client development.
Financial institutions are generally prohibited from disclosing BOI obtained from FinCEN. However, financial institutions are able to disclose in three limited circumstances: (1) to another director, officer, or other employee of the same financial institution for the particular purpose or activity for which the BOI was initially requested; (2) to the financial institution’s federal functional regulator, self-regulatory organization, or other appropriate regulatory agency; or (3) as authorized by FinCEN in a prior written authorization, or by protocols or guidance that FinCEN issues.
Section 2 – Security and Confidentiality Requirements
Under the Access Rule, financial institutions will be required to develop and implement administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of BOI. This includes restrictions from storing or disclosing BOI received from FinCEN in or from certain restricted geographies; implementing and applying procedures established to protect customers’ nonpublic personal information under section 501 of the Gramm-Leach Bliley Act; notifying FinCEN within 3 business days of receiving a subpoena demanding to disclose BOI from any foreign government; implementing geographic restrictions; and obtaining customers’/reporting companies’ consent prior to the initial request of BOI from FinCEN.
When FinCEN makes the BOI available to financial institutions, the financial institutions are required to certify through the Beneficial Ownership Information Technology (BO IT) system that: the information requested is to facilitate compliance with CDD requirements under applicable law; consent of the reporting company was obtained and documented; and the financial institution has complied with all other requirements under the Access Rule.
Section 3 – Administration Requirements
FinCEN will reject any request by a financial institution if the request is not made in the form and manner prescribe by FinCEN. FinCEN may reject any request for BOI and also suspend or debar a financial institutions’ access from receiving or accessing BOI if the requester has failed to meet FinCEN’s requirements to access BOI, the information is being requested for an unlawful purpose, or for other good cause.
Section 4 – Violations
Unless expressly authorized by the CTA and implementing regulations, a person is prohibited from knowingly disclosing or knowingly using BOI obtained by the person, directly or indirectly, through a report submitted to FinCEN via BOI report or a disclosure made to FinCEN under the Access Rule. Violations include accessing BOI obtained from FinCEN without authorization or any violation of security and confidentiality under the Access Rule. The CTA provides both civil and criminal penalties including monetary penalties and imprisonment for reporting violations and for unauthorized use or disclosure of BOI. Additionally, the CTA provides for enhanced criminal penalties.
