On 2/20/23, FinCEN published the Small Entity Compliance Guide for Beneficial Ownership Information Access and Safeguards Requirements. The (six-pages and four sections) BOI Access & Safeguards Guide provides an overview of the Beneficial Ownership Information Access and Safeguards Rule (Access Rule) requirements for small entities that obtain BOI from FinCEN and only pertains to authorized access by financial institutions to BOI from FinCEN.

The Access Rule (published by FinCEN on 12/22/23) implements the provisions of the Corporate Transparency Act that authorize certain persons to obtain access to identifying information associated with reporting companies, their beneficial owners, and their company applicants (authorized recipients).

Affected Financial Institutions

As stated in the Access Rule, FinCEN estimates the number of affected financial institutions are small entities totaling 13,699. To identify whether a financial institution is small, FinCEN uses the Small Business Administration’s (SBA) latest annual size standards for small entities in a given industry and U.S. Census Bureau’s publicly available 2017 Statistics of U.S. Businesses survey data.

Of note, FinCEN states in the Access Rule that: “All of these small financial institutions will have a significant economic impact in the first year of implementation, which FinCEN believes meets the threshold for a substantial number. Therefore, FinCEN concludes the rule will have a significant economic impact on a substantial number of small entities”.

Small Entities as per the SBA

“The SBA currently defines small entity size standards for affected financial institutions as follows: less than $850 million in total assets for commercial banks, savings institutions, and credit unions; less than $47 million in annual receipts for trust companies; less than $47 million in annual receipts for broker-dealers; less than $47 million in annual receipts for portfolio management; less than $40 million in annual receipts for open-end investment funds; and less than $47 million in annual receipts for futures commission merchants and introducing brokers in commodities”.

BOI Access & Safeguards Requirements Guide includes 4 sections summarizing the Access Rule’s requirements that pertain to financial institutions only

Section 1 Summary – Use of BOI

Permissible uses of BOI obtained from FinCEN include:

• Customer identification requirements (KYC)
• Enhanced Due Diligence (EDD) required under the BSA
• Suspicious Activity Report (SAR) filing
• Uses that facilitate compliance with sanctions imposed by Treasury’s Office of Foreign
• Assets Control (OFAC), such as for sanctions screening
• AML/CFT related requests, reviews, and investigations

A director, officer, employee, contractor, or agent of a financial institution may not disclose BOI received from FinCEN. However, there are three limited scenarios in which a financial institution is permitted to re-disclose BOI it received from FinCEN:

1. To another director, officer, employee, contractor, or agent of the same financial institution for the particular purpose or activity for which the BOI was requested, subject to security and confidentiality requirements.
2. To the financial institution’s Federal functional regulator, a self-regulatory organization that is registered with or designated by a Federal functional regulator pursuant to Federal statute, or other appropriate regulatory agency, provided they: possess the authority to assess, supervise, enforce, or otherwise determine the compliance of the financial institution with customer due diligence requirements; will use the information solely for such purposes; and have a written agreement with FinCEN governing the safekeeping of the information.
3. As authorized by FinCEN in prior written authorization, or by protocols or guidance that FinCEN issues.

Section 2 Summary – Security and Confidentiality Requirements

• Financial institutions may not store or disclose BOI they will receive from FinCEN to persons physically located in the People’s Republic of China, the Russian Federation, or any jurisdiction that: has been determined by the U.S. Department of State to be a state sponsor of terrorism, is subject to comprehensive financial and economic sanctions under U.S. law; or in the determination of the Secretary of the Treasury, undermine the enforcement of financial institutions’ BOI security and confidentiality requirements or U.S. national security.
• To receive BOI from FinCEN, financial institutions subject to the Gramm-Leach Bliley Act will be required to apply to BOI the procedures that the institution has established to protect customers’ nonpublic personal information under section 501 of the Gramm-Leach-Bliley Act.
• To receive BOI from FinCEN, financial institutions not subject to the Gramm-Leach Bliley Act must implement procedures that are at least as protective of customer information as procedures that satisfy Gramm-Leach-Bliley Act standards.
• When a financial institution receives any foreign government subpoena or foreign legal demand to disclose BOI that the financial institution received from FinCEN, the financial institution must notify FinCEN within three business days of receipt of such request.
• In order to request customers’ (reporting companies’) BOI from FinCEN, financial institutions must first obtain and document those customers’ consent to request such customers’ BOI from FinCEN. Consent only needs to be obtained prior to an initial request for a customer’s BOI. Financial institutions may rely on this consent to retrieve the same customer’s BOI on subsequent occasions, including to open additional accounts for the same reporting company, unless the consent is revoked. It is at the financial institution’s discretion to determine appropriate procedures and mechanisms for revocation or expiration of customer consent. Consent is not required specifically to be in writing. It is at the financial institution’s discretion to determine the method of obtaining and documenting each customer’s consent. The documentation of the customer’s consent must be maintained for five years after it was last relied on to make a BOI request to FinCEN.
• Once FinCEN makes BOI available to financial institutions, financial institutions must certify to FinCEN when requesting BOI via the Beneficial Ownership Information Technology (BO IT) system that: 1. They are requesting the information to facilitate their compliance with CDD requirements under applicable law; 2. They have obtained and documented the consent of the reporting company to request the information from FinCEN; and 3. They have fulfilled all other requirements of 31 CFR 1010.955(d)(2).

Section 3 Summary – Administration of Requests

FinCEN may reject any request for BOI, as well as suspend or debar a financial institution’s access from receiving or accessing BOI, if it finds: that the requester has failed to meet any of FinCEN’s requirements to access BOI; that the information is being requested for an unlawful purpose; or other good cause exists to deny the request or suspend/debar the financial institution.

Section 4 Summary – Violations

The CTA provides civil penalties for reporting violations in the amount of $500 for each day a violation continues or has not been remedied. Criminal penalties include fines not more than $10,000, imprisonment for not more than 2 years, or both. Unauthorized disclosure or use violations carry civil penalties in the amount of $500 for each day a violation continues or has not been remedied. Criminal penalties include fines not more than $250,000, imprisonment for not more than five years, or both. The CTA also provides for enhanced criminal penalties, including a fine of up to $500,000, imprisonment of not more than 10 years, or both, if a person commits a violation while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period.

Will you be able to meet the BOI Access & Safeguards Requirements?

Who is your Corporate Governance Advisor?