The new Corporate Transparency Act ("CTA"), as part of the National Defense Authorization Act ("NDAA"), directs the Financial Crimes Enforcement Network ("FinCEN") to establish and maintain a national registry of corporate beneficial ownership information ("BOI"). The CTA is designed to combat illicit activity such as money laundering, terrorist financing, and tax fraud by inhibiting the use of shell companies to facilitate the laundering of criminal funds.

The CTA is comprised of three separate FinCEN rulemakings. The first is the Beneficial Ownership Information Reporting Requirement (the "BOI Reporting Rule"), which was issued in final form on September 30, 2022, and will go into effect January 1, 2024. The BOI Reporting Rule requires certain entities to file reports with FinCEN to identify the entity's beneficial ownership and to identify company applicants, those responsible for filing the initial formation of the entity, whether directly or indirectly. The CTA authorizes FinCEN to develop a confidential database to collect and manage the reported beneficial ownership information⸺the Beneficial Ownership Secure System, or "BOSS".

The second rulemaking addresses security and access to the BOSS reporting database ⸺ The Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities (the "BOI Access Rule"). The notice of proposed rulemaking closed for public comment on February 14, 2023, but has yet to be issued in its final form. The BOI Access Rule allows certain authorized recipients to access the BOI contained in the BOSS system and provides requirements for safeguarding the BOI. The BOI Access Rule authorizes FinCEN to allow access to the BOSS system for five specific categories of recipients, one of which is financial institutions for use in compliance with existing customer due diligence requirements.

The third and final installment in this trio of rulemakings is expected to be issued no later than January 2025 and will revise FinCEN's 2016 Customer Due Diligence Rule ("CDD") to address overlap and duplicity created by CTA. The CTA was not intended to replace or repeal the CDD, rather it was intended to compliment the CDD and serve as an additional tool to combat the use of anonymous shell companies.

Currently, the CDD requires covered financial institutions to obtain ultimate beneficial ownership information for customers as part of the financial institutions' Anti-Money Laundering ("AML") program. Financial institutions must obtain, update, and verify beneficial ownership information and record of the persons who directly or indirectly control the company each time a new or existing business customer opens an account.

With the implementation of the CTA, confidential BOI reports will be maintained by FinCEN in BOSS, and will only be disclosed to certain recipients in very limited circumstances. Financial institutions will be allowed access to the BOI database only for the purpose of compliance with CDD requirements, and only with the express consent of the Reporting Company. Even then, the financial institution's access to the BOI will be limited strictly to the purposes under 31 CFR 1010.230, which requires the financial institution to identify Beneficial Owners for the legal entity account holders. No other access would be permitted. As proposed, financial institutions would be required to certify to FinCEN that such consent has been obtained and that the BOI is being requested strictly for the purpose of compliance with CDD. Under the Access Rule, FinCEN's separate Customer Identification Program (CIP) is not sufficient cause to permit access to the BOI database.

As proposed, after obtaining the Reporting Company's consent, financial institutions would be allowed to submit the company's identifying information and receive in return an electronic transcript containing that company's BOI.

Accessing the BOSS system is not required under the CTA. The proposed Access Rule explains that accessing the BOI is not mandatory, however, those who choose to access BOI through the BOSS system will be required to establish necessary procedures and safeguards and to comply with other requirements. "In particular, financial institutions would develop and implement administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of BOI."1"Financial institutions would also be required to obtain and document customer consent, as well as maintain a record of such consent for five years after it was relied upon."2 Financial institutions that choose to access BOI must provide a written certification along with each submitted request in a form to be issued by FinCEN.

Until FinCEN releases revisions to the CDD Rule, CTA's Access Rule may have minimal impact on financial institutions' obligations under the CDD Rule. Financial institutions should ensure compliance with both current CDD Rule and CTA requirements as we await further FinCEN guidance.

Footnotes

1. 87 Fed. Reg. 77446 (December 16, 2022)

2. 87 Fed. Reg. 77446 (December 16, 2022)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.