On Dec. 21, 2023, to implement the Corporate Transparency Act ("CTA"),1 the US Department of Treasury's Financial Crimes Enforcement Network ("FinCEN") issued a final rule ("Access Rule")2 providing access to reporting company and beneficial ownership information ("BOI")3 to: (1) several different types of government authorities; and (2) certain financial institutions to assist them in satisfying their anti-money laundering and counter terrorist financing ("AML/CFT") obligations, but only with the consent of the reporting company. All BOI will be maintained in a private searchable database managed by FinCEN, called the Beneficial Ownership Secure System ("BOSS"). The Access Rule also imposes the security protocols for those with access to such BOI, and the penalties for failing to adhere to such security protocols or unauthorized disclosure or use of such BOI. The Access Rule goes into effect Feb. 20, 2024, and FinCEN will begin providing access to BOI information maintained in the BOSS in phases beginning with key federal agency users in 2024.

Summarized below are key considerations regarding the Access Rule. While it largely tracks FinCEN's original proposal issued on Dec. 16, 2022 ("Proposed Rule"),4 and the text of the CTA, below are notable deviations from the Proposed Rule.

Who will have access to BOI under the Access Rule and under what circumstances?

The Access Rule authorizes FinCEN to disclose BOI to the following six general categories of recipients (collectively, "BOI Recipients") in certain circumstances:

  1. US federal government agencies. The Access Rule permits FinCEN to disclose BOI to US federal agencies engaged in "national security, intelligence, or law enforcement activity," such that the BOI would be in furtherance of those activities.
  2. US state, local and tribal government agencies (collectively with US federal government agencies, "Law Enforcement Requesters"). State, local and tribal law enforcement agencies will be authorized to access BOI if "a court of competent jurisdiction" rules that those agencies should be allowed access to that information. A "court of competent jurisdiction" is "any court with jurisdiction over the investigation for which a state, local or tribal law enforcement agency requests information" under the Access Rule.5 In order to obtain BOI, state, local and tribal law enforcement agencies must "(1) certify to FinCEN that they have received authorization to seek BOI from a court of competent jurisdiction and that the BOI is relevant to a civil or criminal investigation, and (2) provide a description of the information the court has authorized the agency to seek."6
  3. Foreign law enforcement agencies, judges, prosecutors, central authorities and competent authorities (collectively, "Foreign Requesters"). Foreign Requesters do not have open-ended query access to the database and must request access to BOI through intermediary US federal agencies. In requesting access, the Foreign Requesters must show that (1) the request is for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the foreign country and (2) either (a) the request is made under an international treaty, agreement or convention or (b) the request is being made by law enforcement, judicial or prosecutorial authorities in a "trusted" foreign country. Notably, the Access Rule does not define "trusted" foreign country.
  4. Financial institutions ("FIs") with customer due diligence ("CDD") requirements for purposes of complying with AML/CFT regulations and safeguarding national security. The Access Rule provides for access to BOI to FIs that are subject to customer due diligence requirements under the Bank Secrecy Act implementing regulations (i.e., 31 C.F.R. § 1010.380) ("CDD Rule"), which currently consists of the following types of FIs: banks, brokers or dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities (collectively, "FI Requesters"). Other types of FIs, such as money services businesses and insurance companies, and other entities not yet subject to FinCEN's regulations, such as registered investment advisers and the private funds they manage, will not have access to BOI unless there are separate regulations issued that would subject them to the CDD Rule.7 Under the Access Rule, FI Requesters can only access BOI about a specific Reporting Company for purposes reasonably necessary to obtain or verify BOI of a legal entity customer (including a Reporting Company) to ensure compliance with AML/CFT legal requirements or prohibitions, or the safeguarding of US national security. The FI Requester must obtain and document consent from the Reporting Company prior to making the request to FinCEN.8 The Access Rule, however, does not specify how an FI Requester should obtain consent from the Reporting Company, the form the consent must take, nor does it delineate procedures if a Reporting Company does not grant consent or later revokes consent. Such points will likely be addressed in a third rulemaking implementing the CTA.
  5. Federal functional regulators and other regulatory agencies, acting in a supervisory capacity to FI Requesters ("Regulator Requesters").9 The Access Rule authorizes Regulator Requesters to access BOI disclosed to FI Requesters (see paragraph 4 above) from either FinCEN or a FI Requester, provided that the Regulator Requesters can meet the following three conditions. First, the Regulator Requester must be "authorized by law to access, supervise, enforce, or otherwise determine the compliance of [a particular FI Requester] with its customer due diligence requirements under applicable law." Second, the BOI requested to be disclosed must only be used to supervise, enforce, or otherwise determine the compliance of a particular FI Requester with its customer due diligence requirements under applicable law. Third, the Regulator Requester must "[enter] into an agreement with FinCEN to properly safeguard BOI." Where a Regulator Requester is obtaining the information directly from the FI Requester, the FI Requester can rely on a statement from a Regulator Requester that it meets the three conditions.10
  6. US Department of the Treasury. Finally, certain officers or employees of Treasury, including its offices and bureaus, such as the Office of Foreign Assets Control, FinCEN and the Internal Revenue Service, will have broad access to BOI where the Secretary of the Treasury determines it necessary for such Treasury officers and employees to meet their official duties, including for tax administration.

Significant changes in the Final Rule from the Proposed Rule

While the Access Rule largely tracks the Proposed Rule, there are three notable deviations from the Proposed Rule, each of which is described below.

  1. Streamlined process for state, local and tribal law enforcement agencies to access BOI. The Access Rule provides for three changes to the process to be used by state, local and tribal law enforcement agencies obtaining BOI. Such agencies: (1) will only need a "'court authorization' to seek BOI from FinCEN as part of a civil or criminal investigation," not a specific form of authorization, such as a court order;11 (2) must certify that they have received the necessary court authorization and provide a description of the information the court has authorized the agency to seek rather than submit to FinCEN a copy of the court authorization received by the agency; and (3) will not be required to provide to FinCEN a written justification of the request because FinCEN will not review each state, local or tribal law enforcement request in advance of releasing the BOI but will audit and conduct oversight of such agencies' searches for BOI to ensure that BOI is requested for authorized purposes by authorized recipients.12
  2. Reduced limitations on offshore access to BOI. Under the Access Rule, FI Requesters receiving BOI are not required to store such information in the US, but are prohibited from sending BOI to certain foreign jurisdictions and categories of jurisdictions, such as Russia, China, any jurisdiction designated as a state sponsor of terrorism and any jurisdiction that is subject to comprehensive sanctions under US law.13 And "in order for FinCEN to monitor foreign government interest in obtaining BOI, the Access Rule requires that financial institutions notify FinCEN within three business days of receiving a demand from a foreign government for BOI obtained from FinCEN."14
  3. Broadened scope of FI Requester access to BOI. The Access Rule adopts a broader interpretation of the phrase "customer due diligence requirements under applicable law" that allows FIs to use BOI for compliance with their AML programs, customer identification and verification, suspicious activity reporting obligations filing and sanctions, anti-fraud and anti-bribery compliance.15 FI Requesters "can also use BOI to satisfy other requirements, so long as those requirements are designed to counter money laundering or the financing of terrorism or safeguard US national security, and so long as it is reasonably necessary to obtain or verify BOI of legal entity customers to satisfy those requirements."16 Use of BOI for general business purposes is not permitted.

Safeguards for BOI

BOI Recipients will be required to have standards and procedures for storing any BOI released by FinCEN in a secure system that will limit access to such information only to authorized personnel. Law Enforcement Requesters are required to enter into a memorandum of understanding with FinCEN specifying the standards, procedures and systems for protecting the security of BOI prior to that Law Enforcement Requester obtaining access to BOI. For FI Requesters to access BOI, they must "satisfy the requirement to safeguard BOI by applying the security and information handling procedures used to comply with Gramm-Leach-Bliley and its implementing regulations."17 These standards and procedures may be subject to audit, and BOI Recipients would have to maintain information about specific BOI searches or requests, such that the searches or requests could be reviewed by FinCEN.

Penalties

The CTA and the Access Rule make it unlawful to knowingly engage in an unauthorized disclosure or use of BOI obtained directly or indirectly through a BOI report submitted to FinCEN pursuant to the BOI reporting obligation18, or an authorized disclosure made by FinCEN pursuant to the Access Rule. An "unauthorized use" of BOI would be accessing information without authorization and would include violating any BOI security safeguards or confidentiality requirements.19

Any unauthorized disclosure or use of BOI may result in significant civil and criminal penalties.20 In addition, any individual requester or requesting entity may be debarred or suspended by FinCEN for: (1) any failure to meet the requirements of the Access Rule; (2) if information is requested for an unlawful purpose, or (3) if other good cause exists.21

Additional FinCEN guidance on the Access Rule

  1. Re-disclosure of BOI. Re-disclosure of BOI by BOI Recipients is generally prohibited. However, the Access Rule allows re-disclosure in the following specific circumstances: "[1<] among officers, employees, agents, and contractors within a particular authorized recipient entity; [2] among FIs and their regulators, including qualifying SROs; [3] from intermediary Federal agencies to foreign requesters; [4] from specified authorized BOI recipient Federal agencies to courts of competent jurisdiction or parties to a civil or criminal proceeding; [5] from authorized BOI recipient agencies to prosecutors or for use in litigation related to the activity for which the requesting agency requested the information; and [6] by foreign authorities consistent with the international treaty, agreement, or convention under which BOI was received. FinCEN may also authorize the re-disclosure of BOI by an authorized recipient in other situations, so long as the re-disclosure is for an authorized purpose."22
  2. Implementation of BOI access. FinCEN will begin providing access to BOI in phases beginning with a pilot program for key federal agency users in 2024. The second phase will include Treasury officials and certain other federal agencies engaged in law enforcement and national security activities that already have a memorandum of understanding in place to access Bank Secrecy Act information. The third and subsequent stages will call for access by additional federal agencies, state, local and tribal law enforcement agencies and FI Requesters and Regulator Requesters. FinCEN expects to provide additional details on the phased implementation approach in early 2024.23

FinCEN will be issuing additional guidance on the Access Rule and is establishing a contact center that will be of assistance to BOI Recipients, which is expected to be operational by Jan. 1, 2024.

FI Requestors should monitor future FinCEN guidance to ascertain whether or not they wish to take advantage of the Access Rule and seek BOI from FinCEN. To do that, they should determine whether access to BOI would facilitate their AML compliance efforts. If they determine to obtain access to BOI, they should implement proper safeguards to allow only authorized personnel to access BOI and update their procedures to obtain consent from Reporting Companies.

The information in this Alert should be considered in conjunction with any applicable guidance that FinCEN may issue. Future FinCEN guidance could differ or add nuance to the information discussed above.

Footnotes

1. For more information regarding the CTA please see our prior Alert "Passage of Anti-Money Laundering Act of 2020 Includes Comprehensive BSA/AML Reform Measures," available here.

2. FinCEN, Final Rule, Beneficial Ownership Information Access and Safeguards, 88 Fed. Reg. 88,732 (Dec. 22, 2023), available here and codified at 31 C.F.R. §§ 1010.950 and 1010.955. The Access Rule is the second of three rulemakings that will implement the CTA. The third rulemaking, which is still being drafted, will revise FinCEN's customer due diligence rule to align it with the CTA.

3. For more information on the BOI reporting obligation please see our prior Alerts: (1) "FinCEN Issues Final Rule Requiring Reporting of Beneficial Ownership Information," available here; (2) "The Corporate Transparency Act: Key Considerations for Compliance With the Beneficial Ownership Reporting Rule," available here and (3) "The Corporate Transparency Act: The Private Funds Guide to Compliance With the Beneficial Ownership Reporting Rule," available here.

4. FinCEN, Notice of Proposed Rulemaking, Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, 87 Fed. Reg. 77,404 (Dec. 16, 2022), available here. For more information on the Proposed Rule, please see our prior Alert: "FinCEN Issues Proposed Access Rule and Proposed Forms to Further Implement the CTA," available here.

5. 31 C.F.R. § 1010.955(b)(2)(i).

6. The Access Rule, 88 Fed. Reg. at 88,748.

7. FinCEN reserved the right to determine that access to BOI should be extended to other FIs at a later time. Id. at 88,757.

8.Id. at 88,772.

9. The Access Rule provides that the six Federal functional regulators that supervise Fis with customer due diligence obligations are the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Securities and Exchange Commission and the Commodity Futures Trading Commission. The Access Rule also provides BOI access to any self-regulatory organization registered with or designated by a Federal functional regulator pursuant to Federal Statute, that supervises and enforces FI compliance with customer due diligence requirements, such as the Financial Industry Regulatory Authority (FINRA) or the National Futures Association (NFA).

10. A Regulator Requester also has the same access that Law Enforcement Requesters have if the Regulator Requester engages in civil law enforcement activities. The Access Rule, 88 Fed. Reg. at 88,745.

11. The Access Rule, 88 Fed. Reg. at 88,747.

12. Id. at 88,748.

13. Id. at 88,769; 31 C.F.R. § 1010.955(d)(2)(i).

14. The Access Rule, 88 Fed. Reg. at 88,769; 31 C.F.R. § 1010.955(d)(2)(ii)(B).

15. The Access Rule, 88 Fed. Reg. at 88,757. The Proposed Rule limited "customer due diligence requirements under applicable law" to compliance with the CDD Rule. See Proposed Rule, 87 Fed. Reg. at 77,415.

16. The Access Rule, 88 Fed. Reg. at 88,748.

17. Id. at 88,770.

18. Supra n.3.

19. 31 C.F.R. § 1010.955(f).

20. 31 U.S.C. § 5336(h)(3)(B) (authorizing a civil penalty of $500 per day for each violation that has not ceased or been remedied, criminal penalties of a fine of up to $250,000 or imprisonment for not more than five years, or both, and enhanced criminal penalties of a fine of up to $500,000 and up to 10 years' imprisonment).

21. 31 C.F.R. § 1010.955(e)(3).

22. Financial Crimes Enforcement Network, Fact Sheet: Beneficial Ownership Information Access and Safeguards Final Rules (Dec. 21, 2022), available here.

23. Id.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.