FinCEN Issues Proposed Access Rule and Proposed Forms to Further Implement the CTA
February 7, 2023
In December 2022, the Financial Crimes Enforcement Network, a bureau of the United States Department of the Treasury (“FinCEN” and “Treasury,” respectively), issued a notice of proposed rulemaking (“Proposed Access Rule”)[1] continuing the process of implementing regulations required under the Corporate Transparency Act (“CTA”).[2] The CTA requires certain companies created or registered to do business in the United States (each, a “Reporting Company”) to report certain identifying and beneficial ownership information (“BOI”) directly to FinCEN to be maintained in a database managed by FinCEN.[3] The Proposed Access Rule addresses which persons will be authorized to access such BOI, how such persons will receive BOI that is reported, how FinCEN would implement the strict protocols on security and confidentiality required by the CTA to protect sensitive personally identifiable information (PII) reported to FinCEN, and the penalties for failing to adhere to the regulatory requirements. FinCEN is accepting public comments on the Proposed Access Rule until Feb. 14, 2023.
The Proposed Access Rule is the second of three rulemakings that will be conducted by FinCEN to implement the CTA. FinCEN completed the first rulemaking on Sept. 30, 2022, by issuing a final rule (“BOI Final Rule”) that sets forth the BOI reporting obligations required by the CTA.[4]
Separately, related to the rulemaking, on Jan. 17, 2023, FinCEN issued two notices seeking comment on (1) the mechanism FinCEN proposes to use in collecting BOI from covered companies (the “BOI Report Notice”),[5] and (2) the application FinCEN proposes to use when requiring individuals to obtain a FinCEN identifier (“FinCEN Identifier Notice”).[6] Comments on both notices are due on or before March 20, 2023.
Provisions of the Proposed Access Rule
Authorized Recipients of Reported Beneficial Ownership Information
Pursuant to the requirements of the CTA, the Proposed Access Rule authorizes FinCEN to disclose BOI to five general categories of recipients in certain circumstances:
- U.S. federal, state, local and tribal government agencies (collectively, “Law Enforcement Requesters”). Mirroring the requirements of the CTA, the Proposed Access Rule would permit FinCEN to disclose BOI to U.S. federal agencies engaged in “national security, intelligence, or law enforcement activities,” such that the BOI would be in furtherance of those activities. Under the Proposed Access Rule, if a federal agency requests access to the FinCEN database for BOI, the federal agency would have to submit justification to FinCEN for the searches. FinCEN could then audit the justifications and searches to ensure the federal agencies are using their access appropriately.
State, local and tribal law enforcement agencies could access BOI if “a court of competent jurisdiction” ruled that those agencies should be allowed access to that information. The Proposed Access Rule defines a “court of competent jurisdiction” as “any court with jurisdiction over the criminal or civil investigation for which a State, local, or Tribal law enforcement agency requests BOI.”[7] Before being allowed to access BOI, the authorized user of the agency would need to upload the permitting document (which FinCEN could review) from the court of competent jurisdiction.
- Foreign law enforcement agencies, judges, prosecutors, central authorities and competent authorities (collectively, “Foreign Requesters”). Under the Proposed Access Rule, unlike Law Enforcement Requesters, Foreign Requesters would not have open-ended query access to the database. Foreign Requesters would have to request access to BOI through intermediary U.S. federal agencies and show that either (1) the request is authorized under an international treaty, agreement, or convention or (2) the request is being made by law enforcement authorities in a “trusted” foreign country. No definition of a “trusted” foreign country is provided in the Proposed Access Rule.
- Financial institutions (“FIs”) in connection with customer due diligence (“CDD”) requirements. The Proposed Access Rule proposes that the following types of financial institutions will have access to the BOI reported: banks, brokers or dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities (collectively, “FI Requesters”). Other types of financial institutions, such as money services businesses and insurance companies, and other entities not yet subject to FinCEN’s regulations, such as registered investment advisers and the private funds they manage, will not have access. Under the Proposed Access Rule, FI Requesters could only access BOI about a specific Reporting Company in order to facilitate CDD compliance, and the FI Requester must obtain consent from the Reporting Company prior to making the request to FinCEN.[8] FinCEN notes that this consent provision “reflects FinCEN’s assessment that FIs are best positioned to obtain and manage consent through existing processes and by virtue of having direct contact with the [Reporting Company] as a customer.”[9] The Proposed Access Rule, however, does not specify how an FI Requester should obtain consent from the Reporting Company, nor does it delineate procedures if a Reporting Company should not grant consent or later revoke consent.
In addition, the Proposed Access Rule uses the definition of CDD provided under 31 CFR 1010.230 (“CDD Rule”), which only requires covered FIs to identify and verify each 25% or more beneficial owner and a single person with operational control of a legal entity customer. FinCEN notes that proposing this narrower definition of CDD will be “easier to administer, reduce uncertainty about what FIs may access BOI under this provision, and better protect the security and confidentiality of sensitive BOI by limiting the circumstances under which FIs may access BOI.”[10] We note, however, that the definition of CDD may change when FinCEN revises the CDD Rule to align with the requirements of the CTA.
- Federal functional regulators and other regulatory agencies, acting in a supervisory capacity (“Regulator Requesters”). The Proposed Access Rule envisions two scenarios in which Regulator Requesters could access BOI. The first scenario, which is outlined in the CTA, provides for access to federal functional regulators and other appropriate regulatory agencies for purposes of assessing a financial institution’s compliance with the CDD Rule (which is expected to be modified in the near future), subject to three conditions: (1) the Regulator Requester must be “authorized by law to access, supervise, enforce, or otherwise determine the compliance of [a particular FI] with its CDD requirements,” (2) the BOI must only be used “for the purpose of conducting [an] assessment, supervision, or authorized investigation or activity related to the CDD requirements the regulator is responsible for overseeing,” and (3) the Regulator Requester must “[enter] into an agreement with the Secretary providing for appropriate protocols governing the safekeeping of the information.” In the second scenario, a Regulator Requester could have the same access that Law Enforcement Requesters have if the Regulator Requester “engages in civil law enforcement activities,” such as the SEC, for example, which “investigates and litigates civil violations of Federal securities laws.” The Proposed Access Rule contemplates that the Federal functional regulators with access to BOI will include the Board of Governors of the Federal Reserve System (“FRB”), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), the SEC, and the Commodity Futures Trading Commission (“CFTC”). 
The Proposed Access Rule also provides that FI Requesters could share BOI that they have obtained from FinCEN with their financial self-regulatory organization (“SRO”) for use in complying with CDD requirements under applicable law. Specifically, the Proposed Access Rule states that “[a] qualifying SRO would need to satisfy the same three conditions applicable to [Regulator Requesters], and a qualifying SRO that receives BOI from an FI it supervises may in turn use the information for the limited purpose of examining compliance with those same CDD obligations.”[11]
- U.S. Department of the Treasury. Finally, Treasury, including its offices and bureaus, such as the Office of Foreign Assets Control, FinCEN and the Internal Revenue Service, would have broad access to BOI. The Proposed Access Rule would allow access to Treasury officers and employees whose official duties require BOI access, or for tax administration. FinCEN envisions Treasury components using BOI for “tax administration, enforcement actions, intelligence and analytical purposes, use in sanctions designation investigations, and identifying property blocked pursuant to sanctions, as well as for administration of the BOI framework, such as for audits, enforcement, and oversight.”[12] FinCEN invites comments on the proposed scope of the term “tax administration.”
Safeguards
The Proposed Access Rule states that BOI will have strong access-control protocols such that recipients of BOI will be required to have standards and procedures for storing the information in a secured system that will limit access to the information only to authorized personnel. These standards and procedures could be subject to audit, and authorized recipients of BOI would have to maintain information about specific beneficial ownership information searches or requests such that the searches or requests could be reviewed.
IT System Development for Beneficial Ownership Information Storage
The Proposed Access Rule states that the IT system for the BOI database will be cloud-based and will meet the highest Federal Information Security Management Act (FISMA) level. The Proposed Access Rule says that FinCEN completed the initial engineering and programming activities required for constructing the beneficial ownership IT system, and that the target date for the system to begin accepting BOI reports is Jan. 1, 2024.
Penalties
In general, it is unlawful under the CTA for any person to knowingly disclose or use BOI obtained by the person from a report submitted to or an authorized disclosure made by FinCEN, unless authorized under the CTA. Under the Proposed Access Rule, an “unauthorized use” of BOI would be any “unauthorized access of [BOI] submitted to FinCEN . . . including any activity in which an employee, officer, director, contractor, or agent of an authorized recipient knowingly violates applicable security and confidentiality requirements in connection with accessing such information.”[13] The CTA generally contains serious civil and criminal penalties that may be imposed for violations of the CTA. Violations can result in a civil penalty of $500 per day for each violation that has not ceased or been remedied. Enhanced criminal penalties can result in up to 10 years’ imprisonment.
FinCEN Identifiers
A FinCEN identifier is a unique identifying number that FinCEN issues to individuals who have provided FinCEN with their BOI, as well as to Reporting Companies that have filed initial BOI reports. The Proposed Access Rule includes proposed amendments to the BOI Final Rule[14] such that Reporting Companies can, in some cases, report to FinCEN a FinCEN identifier instead of BOI associated with certain beneficial owners. The CTA provides that, if an individual “is or may be a beneficial owner of a [Reporting Company] by an interest held by the individual in an entity that, directly or indirectly, holds an interest in the [Reporting Company],” the Reporting Company may submit the intermediate entity’s FinCEN identifier instead of the individual’s BOI.[15] Accordingly, and following the CTA, the Proposed Access Rule would allow a Reporting Company to report an intermediate entity’s FinCEN identifier instead of a beneficial owner’s BOI only when (1) the intermediate entity has obtained a FinCEN identifier and provided that identifier to the Reporting Company, (2) an individual is or may be a beneficial owner of the Reporting Company via an interest in the Reporting Company that the individual holds through the intermediate entity, and (3) “only the individuals that are beneficial owners of the intermediate entity are beneficial owners of the [Reporting Company], and vice versa.”[16]
BOI Report Notice
As discussed above, FinCEN separately released its BOI Report Notice proposing the mechanism by which FinCEN will collect BOI. Specifically, the BOI Report Notice provides a summary of the data fields proposed to be included in the BOI collection report: (1) filing information (i.e., whether this report is an initial report, a corrected report, an update to a prior report, or if the Reporting Company becomes newly exempt from BOI reporting requirements), (2) reporting company information (including legal name, U.S. state or country of formation, EIN or other tax identification number, business address, etc.), (3) Company Applicant information,[17] and (4) beneficial owner information.[18] FinCEN invites comment on the report itself as well as FinCEN’s estimate of the burden in completing the report, which FinCEN notes could range from 90 to 650 minutes, depending on the complexity of the Reporting Company’s ownership structure.
FinCEN Identifier Notice
FinCEN also released its FinCEN Identifier Notice proposing the application by which individuals who opt to seek a FinCEN Identifier would obtain one. Specifically, the FinCEN Identifier Notice proposes the application information fields, which include (1) individual information (name, date of birth, address, identifying document information and identifying document image), and (2) certification by the applicant that the information provided is true, correct, and complete and that willfully providing false or fraudulent beneficial ownership information to FinCEN may be subject to civil and criminal penalties.[19] FinCEN invites comment on the application itself as well as FinCEN’s estimate of the burden involved in completing the application, which FinCEN approximates to be about 20 minutes total.
Schulte Roth & Zabel’s lawyers are available to assist you in addressing any questions you may have regarding these developments. Please contact the Schulte Roth & Zabel lawyer with whom you usually work, or any of the following attorneys:
Betty Santangelo – New York (+1 212.756.2587, betty.santangelo@srz.com)
Melissa G.R. Goldstein – Washington, DC (+1 202.729.7471, melissa.goldstein@srz.com)
Gary Stein
Hannah M. Thibideau – New York (+1 212.756.2382, hannah.thibideau@srz.com)
Kyle B. Hendrix – Washington, DC (+1 202.729.7465, kyle.hendrix@srz.com)
Rebecca A. Raskind – New York (+1 212.756.2396, rebecca.raskind@srz.com)
Jesse Weissman – New York (+1 212.756.2460, jesse.weissman@srz.com)
[1] Financial Crimes Enforcement Network, Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, 87 Fed. Reg. 77,404 (Dec. 16, 2022), available here (hereinafter, “Proposed Access Rule”); Financial Crimes Enforcement Network, Fact Sheet: Beneficial Ownership Information Access and Safeguards Notice of Proposed Access Rulemaking (NPRM) (Dec. 15, 2022), available here [hereinafter, “Fact Sheet”].
[2] National Defense Authorization Act for Fiscal Year 2021 (CTA §§ 6401–03), available here [hereinafter CTA].
[3] For more information regarding the CTA and AML Act generally, please see our prior Alert “Passage of Anti-Money Laundering Act of 2020 Includes Comprehensive BSA/AML Reform Measures.”
[4] Financial Crimes Enforcement Network, Beneficial Ownership Information Reporting Requirements, 87 Fed. Reg. 59,498 (Sept. 30, 2022), available here. For more information on FinCEN’s September 2022 final rule, please see our prior Alert “FinCEN Issues Final Rule Requiring Reporting of Beneficial Ownership Information.”
[5] Financial Crimes Enforcement Network, Agency Information Collection Activities; Proposed Collection; Comment Request; Beneficial Ownership Information Reports, 88 Fed. Reg. 2760 (Jan. 17, 2023), available here [hereinafter “BOI Report Notice”].
[6] Financial Crimes Enforcement Network, Agency Information Collection Activities; Proposed Collection; Comment Request; Individual FinCEN Identifiers, 88 Fed. Reg. 2764 (Jan. 17, 2023), available here [hereinafter “FinCEN Identifier Notice”].
[7] Proposed Access Rule, 87 Fed. Reg. at 77,414.
[8] Id. at 77,415.
[9] Id.
[10] Id.
[11] Proposed Access Rule, 87 Fed. Reg. at 77,416.
[12] Proposed Access Rule, 87 Fed. Reg. at 77,417.
[13] Proposed Access Rule, 87 Fed. Reg. at 77,423-24.
[14] For more information regarding the beneficial ownership reporting requirements of the CTA and FinCEN identifiers, please see our prior Alert “FinCEN Issues Final Rule Requiring Reporting of Beneficial Ownership Information.”
[15] CTA § 6403(a); 31 U.S.C. § 5336(b)(3)(C).
[16] Proposed Access Rule, 87 Fed. Reg. at 77,424.
[17] For more information on the definition of “Company Applicant” and requirements of such individuals, please see our prior Alert “FinCEN Issues Final Rule Requiring Reporting of Beneficial Ownership Information.”
[18] BOI Report Notice, 88 Fed. Reg. at 2763–64.
[19] FinCEN Identifier Notice, 88 Fed. Reg. at 2766.
This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2023 Schulte Roth & Zabel LLP.