The Corporate Transparency Act: Access Rules

Morrison & Foerster LLP

On December 21, 2023, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued final rules establishing a framework for accessing, using, and protecting beneficial ownership information (BOI) maintained by FinCEN (the “Access Rule”). This is the second in a series of three rules from FinCEN implementing the Corporate Transparency Act (CTA),[1] which was enacted as part of the Anti-Money Laundering Act of 2020 (AMLA). The CTA is designed to combat illicit financial activity perpetrated through shell companies and opaque ownership structures in the U.S.[2]

Background

The first rule implemented BOI reporting requirements for certain companies created or registered to do business in the U.S. (the “Reporting Rule”). Reported BOI is kept in FinCEN’s secure database.

This second issuance, the Access Rule, addresses how certain stakeholders, including financial institutions (FIs), may obtain and re-disclose BOI under specific conditions. It also addresses security and confidentiality issues.

The forthcoming third rule will revise the Customer Due Diligence Rule (“CDD Rule”) to, among other things, align with the AMLA and reduce burdens on FIs.

The Access Rule

FinCEN’s secure database, the Beneficial Ownership Information Technology (BOIT) System, went live on January 1, 2024. The Access Rule goes into effect on February 20, 2024, and sets the parameters for accessing the database, circumscribes the purposes for which BOI may be used, and establishes standards for safeguarding BOI.

FinCEN is taking a phased approach to access, starting with a pilot program in 2024 that extends access to a small group of federal agency users. Financial institutions and regulators will be among the last category of recipients to have access to the BOIT System. Moreover, financial institutions will not be obligated to use the BOIT System or to report discrepancies between the BOI and their own records.

Access

FinCEN sets out a number of different recipient types.

  1. Upon request, FinCEN may disclose BOI to federal agencies engaged in national security, intelligence, or law enforcement activity (collectively, “NILE Activities”), for use furthering NILE Activities.
  2. Upon request, FinCEN may disclose BOI to state, local, and tribal law enforcement agencies if a court of competent jurisdiction has authorized the agency to seek the requested BOI for use in a criminal or civil investigation.
  3. Upon request from a federal agency and pursuant to an applicable international treaty, agreement, or convention, FinCEN may disclose BOI to such federal agency for transmission to a foreign agency, person, or authority—including a foreign law enforcement agency, prosecutor, judge, or foreign central or competent authority (or like designation)—provided the request is for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity that is authorized under the relevant foreign laws.
  4. Upon request from an FI, FinCEN may disclose BOI to the FI, if the FI is subject to customer due diligence (CDD) requirements under applicable law, for the purpose of facilitating CDD compliance, and if the relevant reporting company consents to the disclosure. FIs may also redisclose BOI to certain people within the same FI for a permissible purpose and subject to certain requirements and limitations.
    1. Upon request from a federal functional regulator or other appropriate regulatory agency, FinCEN shall disclose BOI that was disclosed to an FI for the purpose of assessing an FI’s compliance with CDD requirements.
  5. Officers and employees of the Department of the Treasury may access and inspect BOI if authorized by their official duties that require such inspection or disclosure or for the purposes of tax administration.

The access permission for an FI subject to CDD requirements, for CDD compliance purposes, is broader than under the proposed rule, which would have limited access to FIs subject to the CDD Rule for CDD Rule compliance purposes. The generic use of “CDD,” rather than the reference to the “CDD Rule,” specifically provides access to more FIs, e.g., money services businesses not subject to the CDD Rule, and allows the BOI to be used for a wider range of compliance purposes.

The Access Rule sets requirements for each category of recipients. Each recipient must abide by security and confidentiality protocols, must use the BOI only for the intended purpose or activity, and cannot re-disclose BOI, subject to limited exemptions. FinCEN reserves rights to deny BOI requests.

If any requester fails to meet the requirements of the Access Rule or requests information for an unlawful purpose, FinCEN may debar or suspend an individual or entity requester.

Phased Approach to Access

FinCEN will begin providing BOI to limited categories of authorized recipients, beginning with certain federal agencies, to be followed by extending access to certain federal law enforcement and national security agencies, such as the Federal Bureau of Investigation and federal banking agencies, followed by other federal and state agencies. FIs and their supervisors will be the last among the permitted recipients to obtain access to BOI. This timing is designed to provide FinCEN time to revise the CDD Rule before providing BOI to FIs. More information on this phased approach will be provided by FinCEN in early 2024.

FI access, at least initially, will be limited to FIs covered under the current CDD Rule. These FIs have standard security requirements and are subject to supervision, while FinCEN cannot evaluate the security standards of non-covered FIs.

Unauthorized Access and Penalties

The Access Rule prohibits “any person” from knowingly using or disclosing the BOI that the person obtained, whether directly or indirectly, through a report submitted to FinCEN under the Reporting Rule or a disclosure made by FinCEN pursuant to the Access Rule. Under the Access Rule, this specifically includes accessing information without authorization and any violation of the security and confidentiality requirements[3] in connection with what would otherwise be authorized access.

Statement for Banks; Statement for Non-Bank Financial Institutions (NBFI)

Together with the Access Rule, FinCEN released two statements providing guidance to banks and NBFIs on the interaction between the Access Rule and the existing CDD Rule (the “Statements”). The bank Statement was issued jointly with the federal and state banking agencies, in consultation with staff from the Securities and Exchange Commission and the Commodity Futures Trading Commission. The NBFI Statement was issued by FinCEN and the U.S. Department of the Treasury.

Per the Statements, FIs subject to CDD requirements will be authorized to access BOI from FinCEN’s database, the BOIT System. FIs will not, however, be required to access the BOIT System, nor will there be a supervisory expectation that they do so. The Statements confirm that FIs will not need to revise their AML programs to comply with the current CDD Rule or other BSA requirements.

Looking Ahead

Critics of the CTA generally have expressed their concern with FinCEN collecting personal information and whether the BOIT System is sufficiently secure. But with the launch of the BOIT System on January 1, 2024, FinCEN has addressed the BOI gaps identified by the Financial Action Task Force and has brought the U.S. into alignment with many of its Western counterparts that collect BOI. It remains to be seen how smoothly the BOIT System will operate and whether this will effectively combat illicit financial activity in the U.S. While FinCEN shows no signs of slowing down, FinCEN will need significant resources to continue implementing the AMLA and even more to enforce it.


[1] Specifically, the Access Rule implements 31 U.S.C. 5336(c) of the CTA in a new regulation: 31 CFR 1010.955.

[2] FinCEN maintains a BOI informational webpage at the FinCEN website.

[3] In 31 CFR 1010.955(d).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP | Attorney Advertising
