The beneficial ownership information (“BOI”) registry under the Corporate Transparency Act (“CTA”) is now up and running at the Financial Crimes Enforcement Network (“FinCEN”).  This post will follow up on a previous blog regarding the recently-published CTA BOI access regulations (the “Access Rule”).  As we will discuss, the Access Rule leaves open many important questions for financial institutions (“FIs”) covered by the CTA, as they await further proposed regulations from FinCEN regarding alignment of the CTA with the Customer Due Diligence (“CDD”) Rule.

The full federal register publication for the Access Rule is here.  It is 82 pages long.  We therefore have created this separate 13-page document, which is slightly more user-friendly, setting forth only the actual regulations (now published at 31 C.F.R. § 1010.955).

The Basics

The Access Rule allows disclosure of BOI by FinCEN for five groups of audiences, for specific purposes:

• Disclosure to federal agencies for use in furtherance of national security, intelligence, or law enforcement activity;
• Disclosure to State, local, and Tribal law enforcement agencies for use in criminal or civil investigations;
• Disclosure for use in furtherance of foreign national security, intelligence, or law enforcement activity;
• Disclosure to FIs subject to the CDD Rule and their federal regulators to facilitate compliance with CDD Rule requirements; and
• Disclosure to officers or employees of the Department of the Treasury, including for the purposes of tax administration.

As we also previously blogged, access to BOI will be rolled out in phases.  FinCEN explains this process as follows in the federal register:

The first stage will be a pilot program for a handful of key Federal agency users starting in 2024, as required MOUs and policies and procedures are completed.  The second stage will extend access to Treasury Department offices and certain Federal agencies engaged in law enforcement and national security activities that already have Bank Secrecy Act [Memorandums of Understanding] (e.g., FBI, IRS-CI, HSI, DEA, Federal banking agencies (FBAs)).  Subsequent stages will extend access to additional Federal agencies engaged in law enforcement, national security, and intelligence activities, as well as key State, local, and Tribal law enforcement partners; to additional State, local, and Tribal law enforcement partners[.]

Domestic Agencies

Federal, State, local or tribal agencies which receive BOI must enter into an agreement with FinCEN specifying the standards, procedures and systems to be maintained by the agency to protect the security and confidentiality of the information.  Their systems must be audited annually, and the head of each agency must certify to FinCEN semi-annually that the agency’s standards and procedures are compliant.  The agency also must provide FinCEN with an annual report describing its standards and procedures.  Although the Access Rule lays out detailed requirements for a BOI request by an agency, FinCEN still needs to promulgate the proposed forms.  The Access Rule states that “[t]he requesting agency shall limit, to the greatest extent practicable, the scope of such information it seeks, consistent with the agency’s purposes for seeking such information.”

State, local and Tribal authorities may obtain BOI if they certify that they have received “court authorization.”  FinCEN has stated that “as a policy matter, it will not conduct individual reviews of each request for BOI by State, local, or Tribal law enforcement agencies when they are submitted.  Rather, consistent with requirements of the CTA, FinCEN will conduct robust audit and oversight of State, local, and Tribal law enforcement agency searches for BOI to ensure that BOI is requested for authorized purposes by authorized recipients.”

Foreign Recipients of Information

Foreign requesters will not have direct access to the BOI database.  Instead, they will submit their requests for BOI to Federal intermediary agencies, which will need to be identified.  If the foreign request is approved, then the Federal agency intermediary will retrieve the BOI from the system and transmit it to the foreign requester. 

The Access Rule states that upon receipt of a request for BOI “from a Federal agency on behalf of a law enforcement agency, prosecutor, or judge of another country, or on behalf of a foreign central authority or foreign competent authority (or like designation) under an applicable international treaty, agreement, or convention,” FinCEN may disclose BOI if the request “is for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the foreign country;” and (ii) the request is either “[m]ade under an international treaty, agreement, or convention;” or, if no such treaty, agreement, or convention exists, the request is an “official request by a law enforcement, judicial, or prosecutorial authority of a foreign country determined by FinCEN, with the concurrence of the Secretary of State and in consultation with the Attorney General or other agencies as necessary and appropriate, to be a trusted foreign country.”  The key word in the last sentence is “trusted.”

Financial Institutions

FIs obtaining BOI from FinCEN must implement “administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of such information.”  FIs generally may satisfy these requirements by complying with the Gramm-Leach-Bliley Act (“GBLA”), or, if the FI is not directly subject to the GBLA, procedures which satisfy GBLA requirements.  Further, an FI must obtain and document the prior consent of the reporting company to the FI’s request for its BOI.  In regards to customer consent, FinCEN has explained that “reporting company consent must be documented but need not specifically be in writing . . . Financial institutions may satisfy this requirement through any lawful method of obtaining meaningful consent from a customer.  As a consequence of offering this flexibility, however, FinCEN cannot offer a safe harbor for any particular method used to obtain consent.”

Again, FinCEN still must promulgate the proposed form for FIs to request BOI.

The Access Rule removes a requirement in the initially proposed regulations that BOI access by FIs is limited to personnel within the U.S.  However, FIs must notify FinCEN within three days of receiving a request from a foreign government, law enforcement entity or party for access to BOI held by the FI.  Further, FIs cannot store BOI in, or make it available to persons located in, certain geographical jurisdictions, such as China, Russia or a jurisdiction that is blocked by U.S. sanctions.

More fundamentally, FIs may obtain BOI in order to “facilitate compliance with customer due diligence requirements.”  As FinCEN explains in the federal register, “[t]he revised regulation now specifies that the clause ‘customer due diligence requirements under applicable law’ includes ‘any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.’” The Access Rule therefore broadens the purposes for which FIs may use BOI, as compared to the initially proposed regulations regarding access.  Although FinCEN still needs to issue proposed regulations aligning the CTA with the CDD Rule, the Access Rule makes clear that, unlike the previously proposed BOI access rule, FIs will not be confined to requesting and using CTA BOI only for “pure” CDD Rule compliance.  Instead, FIs will be able to access CTA BOI more broadly, such as for the purposes of maintaining their BSA/AML compliance program; compliance with sanctions screening; potential filing of SARs; and conducting enhanced due diligence.  This is an important revision, which attempts to address prior criticisms from FIs and other stakeholders that broader access to BOI is necessary to both effectuate the goals of the CTA and for FIs to comply more effectively with the BSA in general.

In the federal register, FinCEN states that the Access Rule “does not require [FIs] to access the BOI database, nor does it speak to what [FIs’] obligations may be once the 2016 CDD Rule is revised.”  Accordingly, the forthcoming proposed CDD Rule alignment regulations will need to address several important remaining questions and potential challenges facing FIs, including the following:

• First, they should reiterate that FIs are not required to access the BOI database – particularly because FinCEN’s BOI reporting form will allow reporting companies to not provide key information.  Even if the CDD Rule revision so states, however, it may become the case as a practical matter that regulators nonetheless expect FIs to access the CTA database as part of their overall BSA/AML compliance.

• Second, they should provide a clear and practical mechanism for FIs to address situations in which BOI collected under the CDD Rule does not match BOI obtained through the CTA – particularly because FinCEN has indicated that it will not verify the accuracy of BOI collected under the CTA. 

• Third, and assuming that the proposed regulations change the current exceptions to CDD Rule reporting (because exceptions to reporting under the CTA and the CDD Rule are currently different), they should explain clearly how FIs can effectively adjust their current CDD Rule reporting systems, which have been in place for years, and provide sufficient time to do so. 

• Finally, they should state explicitly that FIs may rely on BOI obtained from the CTA database, just like FIs may rely upon BOI obtained from customers under the current CDD Rule.

More to Come

FinCEN recognizes that significant future guidance is necessary.  Overall, the preamble in the federal register mentions several instances where FinCEN recognized a specific area needing further guidance and the public having more questions.  FinCEN already has a link to submit BOI- and CTA-related questions on its website.  Examples of likely future efforts and guidance include:

•  “FinCEN is currently working to implement and staff a dedicated beneficial ownership contact center to field both substantive and IT-related inquiries.  FinCEN has also hired additional full-time staff who will be assigned to support the beneficial ownership portfolio and has procured additional contractor support for FinCEN’s CTA implementation efforts.  Any changes to FinCEN’s plans to implement the CTA will be clearly communicated to the public and stakeholders.”
• FinCEN is not creating a specific re-disclosure provision in 31 C.F.R. § 1010.955(c)(2) addressing joint investigations and law enforcement task forces.  “Instead, FinCEN will address joint investigations and task forces in future guidance, with an eye toward issuing guidance that captures the most common or straightforward circumstances, and in more unusual or complex situations evaluating specific re-disclosure requests on a case-by-case basis . . . . This approach permits FinCEN greater flexibility in crafting appropriate rules for varied circumstances.”
• “FinCEN understands that financial institutions might want or need to re-disclose BOI from FinCEN to parties that are not their directors, officers, employees, contractors, agents, or regulators . . . . These are typically complex arrangements with highly variable facts and circumstances that do not lend themselves well to one broad regulation.  FinCEN will therefore address these issues in future guidance, with an eye toward evaluating specific re-disclosure requests on a case-by-case basis . . . to approve in writing re-disclosure of BOI in furtherance of an authorized purpose or activity.”

Costs

In response to multiple pointed comments, FinCEN admits that it previously misjudged the cost and time estimate to comply with the CTA.  The federal register contains many pages devoted to estimated costs for both FIs and government.

Here is Table 1 from the federal register, setting forth the estimated amount of FIs affected by the CTA.  Recall that this table only pertains to FIs covered by the CDD Rule, rather than all FIs subject to the BSA.  The column entitled “Small Count” refers to FinCEN’s determination that most FIs are “small” entities, defined as having total assets or annual receipts less than the Small Business Association (“SBA”) small entity size standard for the FI’s particular industry.  For example, the SBA currently defines a commercial bank, savings institution or credit union as “small” if it has less than $850 million in total assets.

Ultimately, FinCEN now estimates that the total annual hourly burden for CTA compliance will be over 8.7 million hours during the first year, and over 3.6 million hours during subsequent years.  Although these estimates include estimated hours for State, local and Tribal agencies, the vast majority of the hours are attributable to FIs.  The actions requiring projected hours by FIs include developing and implementing administrative and physical safeguards; developing and implementing technical safeguards; obtaining and documenting customer consent; submitting certifications for each request that it meets certain requirements; and training. 

[View source.]