On February 20, 2024, the Financial Crimes Enforcement Network (“FinCEN”) published a small entity compliance guide (the “Guide”) that provides an overview of the requirements regarding access to beneficial ownership information (“BOI”) by small entities, as authorized by the Beneficial Ownership Information Access and Safeguards final rule issued on December 22, 2023 and codified at 31 U.S.C. 5336 (the “Access Rule”). More specifically, the Guide only pertains to authorized access to BOI by small financial institutions. The Access Rule defines financial institutions as a bank, broker or dealer in securities, a money services business, a telegraph company, a casino or gambling casino, a card club, a person subject to supervision by any state or Federal bank supervisory authority, a futures commission merchant, an introducing broker in commodities, or a mutual fund.

Under the Access Rule, FinCEN intends to provide access to financial institutions to obtain BOI through a phased approach, and only certain financial institutions will be part of the final group to be extended access to BOI. FinCEN intends to continuously update the Guide to incorporate relevant requirements and to provide more comprehensive guidance on how financial institutions can access BOI from FinCEN.

Use of BOI

Financial institutions may use BOI to fulfill customer due diligence requirements under applicable law, where it is necessary for the financial institution to identify and verify beneficial owners. This includes any legal requirement or prohibition designed to counter money laundering, the financing of terrorism or to safeguard U.S. national security.

Financial institutions may not use BOI for their general business or commercial activities. For example, financial institutions should not use BOI obtained from FinCEN to assess whether to extend credit to a legal entity, or for client development.

The general rule is that a financial institution or its agents may not disclose the BOI that such financial institutions receive from FinCEN. However, there are three instances in which a financial institution is permitted to re-disclose such BOI:

1. To another director, officer, employee, contractor, or agent (such as outside counsel, auditors, and providers of data analysis software tools) of the same financial institution for the particular purpose or activity for which the BOI was originally obtained.
2. To the financial institution’s Federal functional regulator, a self-regulatory organization that is registered with or designated by a Federal functional regulator pursuant to Federal statute, or other appropriate regulatory agency, provided they proper authority, will use the BOI solely for such purposes, and have a written agreement with FinCEN governing the safekeeping of the information.
3. As authorized by FinCEN in a prior written authorization, or by protocols or guidance that FinCEN issues.

Security and Confidentiality Requirements

Financial institutions are not permitted to store or disclose BOI to persons physically located in the People’s Republic of China, the Russian Federation or any jurisdiction that: (i) is a state sponsor of terrorism, as determined by the U.S. Department of State; (ii) is subject to comprehensive financial and economic sanctions under U.S. laws; or (iii) would undermine U.S. national security or the enforcement of financial institutions’ use of BOI, as determined by the Secretary of the Treasury.

Financial institutions subject to the Gramm-Leach-Bliley Act (the “Act”) will be required to use the same procedures that the institution has established to protect customers’ nonpublic personal information under section 501 of the Act. Financial institutions not subject to the Act must implement procedures that are at least as protective of customer information as procedures that satisfy the Act standards.

A financial institution must notify FinCEN within three business days of receipt of any foreign government subpoena or foreign legal demand to disclose BOI received from FinCEN.

Financial institutions must receive consent from customers to obtain BOI from FinCEN. Consent does not have to be in writing, but it is at the financial institution’s discretion to determine proper consent. Consent from a customer only needs to be obtained prior to an initial request for the customer’s BOI, unless the consent is revoked by the customer. Financial institutions have discretion to determine the appropriate procedures for revocation or expiration of customer consent. Financial institutions must maintain documentation of customer’s consent for five years after it was relied on to make a BOI request to FinCEN.

FinCEN will utilize the Beneficial Ownership Information Technology (“BO IT”) system to make BOI available to financial institutions. Financial institutions must certify when requesting BOI via the BO IT system that: (i) they are requesting information to facilitate their compliance with CDD requirements under applicable law; (ii) they have obtained and documented the required consent; and (iii) they have fulfilled all other requirements.^[1]

Administration of Requests

FinCEN may reject any request for BOI, as well as restrict a financial institution’s access from receiving or accessing BOI, if it finds: (i) that the requester has failed to meet any of FinCEN’s requirements; (ii) that the information is being requested for unlawful purposes; or (iii) other good cause exists to deny the request or restrict the financial institution.

Violations

Civil penalties for reporting violations can result in the amount of $500.00 for each day a violation continues. Criminal penalties include fines not more than $10,000.00, imprisonment for not more than two years, or both. Unauthorized disclosure or use violations carry civil penalties in the amount of $500.00 for each day a violation continues. Criminal penalties include fines not more than $250,000.00, imprisonment for not more than five years, or both. The CTA also provides for enhanced criminal penalties, including a fine of up to $500,000.00, imprisonment of not more than ten years, or both, if a person commits a violation while violating another U.S. law or as part of a pattern of any illegal activity involving more than $100,000.00 in a twelve-month period.

[1] FinCEN will provide further guidance on the certification process in a future update to the Guide.