The Corporate Transparency Act ("CTA") directs the Financial Crimes Enforcement Network ("FinCEN") to establish and maintain a national registry of corporate beneficial ownership information ("BOI"). The CTA is comprised of three separate FinCEN rules: the reporting rule, the access rule, and revisions to the 2016 Customer Due Diligence Rule. FinCEN's Beneficial Ownership Information Reporting Rule (the "Reporting Rule") becomes effective January 1, 2024, and requires certain entities to report beneficial ownership information to FinCEN.

In the second of the three rules, FinCEN is charged with developing a new IT system to house BOI, the Beneficial Ownership Secure System ("BOSS") and regulating security and access to the BOSS system (the "Access Rule"). The proposed rulemaking for the Access Rule closed for comment on February 14, 2023, but has not been issued in final form. The Access Rule proposes to allow access to the BOSS system for five specific categories of recipients in limited circumstances.

Who will have access to FinCEN's BOI database?

The five categories of designated recipients allowed to access FinCEN's BOSS system include:

  1. Federal, state, local, or tribal agencies conducting law enforcement activities;
  2. Foreign law enforcement agencies, provided that the request is submitted through an intermediary Federal agency;
  3. Financial institutions performing required customer due diligence under the 2016 Customer Due Diligence Rule ("CDD") with the consent of the Reporting Company;
  4. Federal functional regulators and other appropriate regulatory agencies in a supervisory capacity assessing Financial Institutions' compliance with CDD requirements; and
  5. The Department of the Treasury in cases when disclosure or inspection of BOI is required, including tax administration.

Under What Circumstances will BOI be shared?

Those allowed to access FinCEN's BOSS system may do so only under specific permitted circumstances and for specific permitted purposes.

Federal agency access under the first category is activity-based. In essence, any federal agency conducting national security, intelligence, or law enforcement activity may access BOSS in furtherance of such activity. This is different from state, local, and tribal agencies, who may only access BOSS if "a court of competent jurisdiction" has authorized the agency to seek the information.

Foreign law enforcement access to BOSS has several requirements. First, the request must come through an intermediary federal agency. Second, the request must be made (1) pursuant to an international treaty, agreement, or convention, or (2) by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country. Trusted foreign country is undefined, but the CTA requires that the use of the information by the requesting foreign agency be either in compliance with all of the disclosure requirements of the authorizing treaty, or in the absence of a treaty, be limited only to the authorized investigation, national security activity, or intelligence activity for which the BOI access was granted.

Financial institutions are permitted to access the BOSS database only with the prior consent of the Reporting Company. The Financial institution must obtain consent from the Reporting Company before requesting access to their customer's BOI. The proposed rule also limits financial institutions' access strictly for purposes of customer due diligence as required under 31 CFR 1010.230, which requires covered financial institutions to identify and verify beneficial owners of legal entity customers. They may not access BOI data for any other due diligence purpose, including compliance with AntiMoney Laundering ("AML") programs. Compliance with FinCEN's separate "Customer Identification Program" or "CIP" regulations would not be sufficient for a financial institution to access the BOSS system.

Federal functional regulators and other appropriate regulatory agencies will have access to FinCEN's BOSS system only to oversee the compliance of the entities that they regulate. They will, for example, be able to request from FinCEN a complete record of all of the BOI data that a financial institution under their oversight has received, for the purpose of verifying the financial institution's compliance with its CDD requirements.

Finally, the proposed Access Rule rule grants BOSS access to the U.S. Treasury and its employees in cases where their official duties would require such access. The Secretary of the Treasury is invested with the authority to establish safeguards and procedures to oversee such access. This access explicitly includes "tax administration," and FinCEN has incorporated by reference the definition of Tax Administration from the Internal Revenue Code. IRS employees would have direct access in any case where their duties require it.

The Access Rule is to be followed by the third installment of FinCEN rulemaking, which will revise the 2016 CDD Rule to "eliminate any requirements that would be duplicative." As we await those proposed rule changes, the final impact of the CTA on financial institutions remains to be seen.

Continue to watch this blog for CTA updates including information on the CTA's impact on financial institutions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.