The Financial Crimes Enforcement Network (FinCEN) issued the Beneficial Ownership Information Access and Safeguards Rule¹ (Access Rule) establishing the framework for access to and protection of beneficial ownership information (BOI). The Access Rule is the second of three rulemakings required to implement the Corporate Transparency Act (CTA), which was enacted to “strengthen the integrity of the US financial system”² and reduce abuse of the US financial system for money laundering and other illicit financial activity.³ The Access Rule largely adopted FinCEN’s Notice of Proposed Rulemaking issued on December 16, 2022⁴ (NPRM), with slight modifications responsive to the comments received. The Access Rule takes effect on February 20, 2024.

BOI reported to FinCEN will be housed in a national database that FinCEN launched January 1, 2024 (BO IT System). The CTA authorizes FinCEN to disclose BOI to five categories of recipients: (1) financial institutions; (2) regulatory agencies; (3) domestic recipients; (4) foreign requesters; and (5) the US Department of Treasury. Authorized recipients of BOI must use the information for the “particular purpose or activity for which such information was disclosed.”⁵ FinCEN can authorize the re-disclosure of BOI via written consent, or through applicable protocols or guidance, that FinCEN may issue.⁶

The Access Rule also provides specific steps to request BOI and confidentiality and security requirements based on the category of authorized recipient. As further explained below, financial institutions should begin preparing to comply with the requesting process and mandatory security and confidentiality protocols prescribed by the Access Rule.

1. Financial Institutions

Authorized Purpose: Financial institutions can request BOI to facilitate their compliance with customer due diligence requirements under applicable law. Financial institutions’ requests for BOI should directly relate to its “compliance with a legal obligation . . . designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States.”⁷ While the Access Rule is broadly drafted to permit “financial institutions” to access BOI from the BO IT System, “FinCEN, in the exercise of its discretion, intends to permit only financial institutions with obligations under the 2016 CDD Rule to have access to the BO IT System.”⁸

How to Request: A financial institution needs the reporting company’s consent to request its BOI. This consent must be documented (but it does not have to be in writing) and maintained for five years after the financial institution last relied upon the consent in connection with the request for BOI.⁹ Additionally, the financial institution must make a written certification that it: (1) is requesting the information to facilitate its compliance with customer due diligence requirements under applicable law, (2) obtained the reporting company’s consent, and (3) fulfilled the other security and confidentiality requirements.

Financial institutions are authorized to re-disclose BOI information received from FinCEN under the following circumstances:

• Any director, officer, employee, contractor, or agent of a financial institution who received BOI from FinCEN may re-disclose the information to another director, officer, employee, contractor, or agent of the same financial institution for the particular purpose or activity for which the BOI was requested.
• Financial institutions can re-disclose BOI to regulators that meet certain requirements set forth in the Access Rule.¹⁰

Security and Confidentiality Requirements: Financial institutions must develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI as a precondition for receiving BOI. Financial institutions must implement security and information handling procedures that satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act and its implementing regulations.¹¹ In addition, financial institutions will need to notify FinCEN within three business days if it receives a foreign government subpoena or legal demand that would require disclosure of the received BOI. They also will need to ensure that the BOI is not available to persons physically located in, and is not stored in, certain jurisdictions, such as the People’s Republic of China, the Russian Federation, and countries deemed to be a state sponsor of terrorism or subject to comprehensive financial or economic sanctions.

2. Regulatory Agencies

Authorized Purpose: Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence requirements can access BOI previously made available to the financial institutions that they supervise.¹² Additionally, the rule allows regulatory agencies to use BOI to conduct “the assessment, supervision, or authorized investigation” in connection with a financial institution’s use of BOI obtained from FinCEN to comply with legal requirements to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States.¹³

How to Request: For a regulatory agency to request BOI, the regulatory agency must certify that it (1) is acting in its supervisory capacity, (2) will use BOI solely for that purpose, (3) and has entered into an agreement with FinCEN to properly safeguard BOI received. Regulatory agencies will be able to retrieve any BOI that the financial institutions they supervise received from FinCEN during a particular period, but will not be able to broadly search the BO IT System.¹⁴

The Access Rule also includes a provision that would permit FinCEN to disclose BOI to any “other appropriate regulatory agency that assessed, supervised, enforced, or otherwise determined the compliance of such financial institution with customer due diligence requirements under applicable law.” FinCEN noted that state bank supervisors, as defined in the AML Act, state credit union regulators and other state supervisory authorities that meet the criteria set forth in the Access Rule may have access to the BO IT System. However, although SROs are not a part of this category the Access Rule allows qualifying SROs to receive BOI disclosed to them from a financial institution or Federal functional regulator.¹⁵

Security and Confidentiality Requirements: Any access to and use of BOI obtained from the BO IT System must comply with the requirements of the CTA and the Access Rule.

3. Domestic Recipients

Authorized Purpose: Federal agencies engaged in “national security,” “intelligence,” or “law enforcement activity” can request BOI if the requested BOI is limited in scope and for use in furtherance of such activity.¹⁶

State, local and Tribal law enforcement agencies (Local Enforcement Agencies) also can request BOI if “a court of competent jurisdiction” has authorized the law enforcement agency to seek the information in a criminal or civil investigation.¹⁷ Local Enforcement Agencies can obtain court authorization from a variety of court officers (including a judge, clerk of the court, or magistrate), but “being an attorney, by itself, is not sufficient to…grant the required court authorization under the CTA.”¹⁸

How to Request: A federal agency must certify that (1) it is engaged in a national security, intelligence, or law enforcement activity, and (2) that BOI requested is for use in such activity, along with the specific reasons why BOI is relevant to the activity. Local Enforcement Agencies must (1) certify that they have received authorization to seek BOI from a court of competent jurisdiction and that requested BOI is relevant to a civil or criminal investigation, and (2) provide a description of the information the court has authorized the agency to seek.

Federal, state, local, or Tribal agencies are permitted to re-disclose BOI for making a referral to another state, local, or Tribal agency for possible prosecution. FinCEN declined to include a “joint investigation” provision in the Access Rule and indicated that it would issue guidance to address this scenario.

Security and Confidentiality Requirements: To be eligible to receive BOI from FinCEN, a domestic requesting agency must establish standards and procedures to protect the security and confidentiality of BOI, restrict access to BOI, and provide reports and certifications throughout the year to FinCEN.

4. Foreign Requesters

Authorized Purpose: Foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (Foreign Requesters) can request BOI for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country.¹⁹

How to Request: Foreign Requesters must (1) make their request through a Federal agency, (2) tailor their request to be for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country, and (3) make their request pursuant to an international treaty, agreement, or convention, or, when no agreement is available, be an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country.²⁰

Security and Confidentiality Requirements: Foreign Requesters who request BOI when a treaty, agreement, or convention applies must handle, disclose, and use BOI consistent with the requirements of the applicable international treaty, agreement, or convention under which it was requested. Foreign Requesters who make a BOI request when no treaty, agreement, or convention applies must (1) have security standards and procedures, (2) maintain a secure storage system that complies with the security standards that the foreign requester applies to the most sensitive unclassified information it handles, (3) minimize the amount of information requested, and (4) restrict personnel access to BOI to persons who have undergone training on the appropriate handling and safeguarding.²¹

5. US Department of the Treasury

Officers or employees of the US Department of the Treasury can access BOI when “official duties require such inspection or disclosure, subject to internal procedures and safeguards.” The access also extends to officers or employees of the Department of the Treasury for tax administration.

*****

FinCEN has yet to propose the third rule revising the 2016 CDD Rule to be consistent with the CTA’s requirements. In the meantime, financial institutions with customer due diligence obligations can use the information in the Access Rule to begin implementing the procedures and controls that will be required to access BOI. These financial institutions should ensure that their systems and procedures fully comply with section 501 of the Gramm-Leach-Bliley Act, and implement procedures and controls for obtaining and maintaining record of customers’ consent, promptly notifying FinCEN about foreign government subpoenas or legal demands that require disclosure of BOI, and limiting BOI access to certain jurisdictions. In addition, financial institutions may want to consider updating their policies, procedures, and trainings regarding the handling of customers’ nonpublic personal information to account for these changes, and creating a plan to audit whether BOI received from FinCEN has been accessed and used appropriately.

_________

_{1 Beneficial Ownership Information Access and Safeguards.}

_{2 Beneficial Ownership Information Reporting Rule Fact Sheet | FinCEN.gov}

_{3 Beneficial Ownership Information Reporting Rule Fact Sheet, FinCEN.gov (Sept. 29, 2022), (BOI}

_{Rule Fact Sheet). Congress passes the Anti-Money Laundering Act of 2020, amending and}

_{modernizing the Bank Secrecy Act - Eversheds Sutherland (eversheds-sutherland.com); Congress}

_{passes the Anti-Money Laundering Act of 2020, amending and modernizing the Bank Secrecy Act -}

_{Eversheds Sutherland (eversheds-sutherland.com).}

_{4 87 Fed. Reg. 77404 (Dec. 16, 2022).
5 Id. at 88762.
6 Id. at 88765.
7 Id.
8 87 Fed. Reg. 88756 (Dec. 16, 2022).}

_{9 Id. at 88772.
10 31 CFR 1010.955(b)(4)(ii)(A)–(C).
11 87 Fed. Reg. 88769 (Dec. 16, 2022).
12 Id. at 88757.
13 Id. at 88758.
14 Id. at 88778.
15 See 31 C.F.R. § 1010.955(c)(2)(iii), (iv).
16 31 U.S.C. 5336(c)(2)(B)(i)(I).
17 Id. 5336(c)(2)(B)(i)(II).
18 88 Fed. Reg. 88748 (Dec. 22, 2023).
19 Id. at 88748.
20 Id.
21 Id. at 88751.}

[View source.]