United States: FinCEN Releases Proposed Regulations For Accessing, Safeguarding Beneficial Owner Information

Highlights

• The U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) has issued proposed regulations (Proposed Regulations) governing the disclosure, access and safeguarding of beneficial ownership information (BOI) required to be submitted to FinCEN by in-scope U.S. and foreign reporting companies under the Corporate Transparency Act (CTA) and discussing the planned non-public, centralized national database to be established by FinCEN called "BOSS."
• The Proposed Regulations contain a detailed discussion of 1) the limited categories of persons who can access the highly sensitive and confidential BOI to be stored and maintained in the FinCEN database, 2) the conditions and reasons these limited categories of persons must satisfy to access and use the BOI, 3) the detailed protocols to be implemented by FinCEN and the persons accessing the database to protect the security and confidentiality of BOI, and 4) details about the classification of the BOI as "sensitive and confidential" data.
• The ability of authorized national security, intelligence and law enforcement agencies to easily access and use the BOI stored in BOSS will, in large part, determine how useful the BOI will be in unmasking shell companies and combating financial crime.

The U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) issued proposed regulations (Proposed Regulations) on Dec. 15, 2022, governing the disclosure, access and safeguarding of beneficial ownership information (BOI) required to be submitted to FinCEN by in-scope U.S. and foreign reporting companies under the Corporate Transparency Act (CTA). The CTA, passed as part of the Anti-Money Laundering (AML) Act of 2020, requires in-scope U.S. and foreign reporting companies to report to FinCEN certain information identifying their "beneficial owners."

Since the CTA's passage on Jan. 1, 2021, FinCEN has been developing regulations for implementing the Act's numerous provisions. In September 2022, FinCEN issued the first set of final regulations detailing rules as to the reporting of BOI. (See previous Holland & Knight alert, "FinCEN Issues Final Rule Implementing Corporate Transparency Act Requirement," Oct. 6, 2022.) Now, FinCEN has issued the second set of guidance in the form of proposed regulations as to how BOI is accessed and safeguarded. This notice of proposed rulemaking, issued for review and comment, is a significant step in the rollout of the CTA, which is expected to be implemented Jan. 1, 2024. The third set of guidance dealing with revised customer due diligence rules is anticipated to be issued by Jan. 1, 2025.

Background

Prior to the enactment of the CTA, the United States did not have a beneficial ownership law, which, according to proponents of the CTA, made the U.S. the jurisdiction of choice for those seeking to establish shell companies that hide the identities of their beneficial owners. In fact, more public and anonymous companies were created in the United States than in any other country, based on a 2019 Global Financial Integrity report. ¹ The lack of a BOI registry was viewed by the Financial Action Task Force (FATF) and U.S. trading partners as a significant loophole in the U.S.'s anti-money laundering/countering the financing terrorism (AML/CFT) regime that weakened U.S. efforts to combat illicit activity, including money laundering, the financing of terrorism, proliferation financing, tax fraud, human and drug trafficking, counterfeiting, piracy, securities fraud, financial fraud and acts of foreign corruption. In passing the CTA, Congress has attempted to close that loophole while at the same time balancing concerns about the safety and security of highly sensitive information. To that end, FinCEN has proposed regulations governing how the agency maintains and protects that information, including through the establishment of a national, non-public, secure, centralized database that is "accessible and highly useful" to national security, intelligence and law enforcement agencies.

Proposed "Access" Regulations

The purpose of the Proposed Regulations is to set forth rules about how beneficial ownership information is accessed and safeguarded. As noted in the Proposed Regulations, "Congress authorized FinCEN to disclose BOI to a statutorily defined group of governmental authorities and financial institutions, in limited circumstances." This group includes 1) U.S. federal, state, local and tribal agencies conducting either civil or criminal investigations, 2) foreign law enforcement agencies, judges, prosecutors and other authorities, provided their requests meet certain criteria, 3) financial institutions using BOI to facilitate compliance with customer due diligence (CDD) requirements under applicable law, 4) federal functional regulators and other regulatory agencies acting in a supervisor capacity assessing compliance with CDD requirements and 5) the U.S. Department of the Treasury itself.

General Prohibition Against BOI Disclosure and Exceptions

The text of the CTA provides that BOI provided to FinCEN is "highly sensitive" information that "shall" be kept "confidential" and may not be disclosed by officers and employees of 1) the United States, 2) any state, local or tribal agency or 3) any financial institution or regulatory agency who receives or accesses such information, except as authorized by law or regulation.

Notably, the CTA provides that FinCEN "may disclose" BOI to certain authorized recipients and thus the law "affords FinCEN discretion to ensure that BOI is disclosed only to authorized recipients that are able to keep the information confidential and secure." Through the Proposed Regulations, FinCEN seeks to set forth protocols relating to authorized recipients' scope of access and use, and requirements for maintaining access, as well as verification of such procedures through a requirement to establish a "paper trail" and through subsequent audits. These key requirements for access by authorized recipients are summarized below.

Federal, State, Local and Tribal Governmental Agencies, Provided Certain Conditions Are Satisfied

The Proposed Regulations envision granting federal agencies engaged in national security, intelligence or law enforcement activities (inclusive of criminal and civil investigations and actions) the greatest level of access to BOI, including the ability to directly access and query FinCEN's database. To protect against abuse, federal agency users will be required to submit "brief justifications" for their searches and explain how those searches further a "qualifying activity."

Likewise, state, local and tribal "law enforcement agencies" would have direct access to the database but would be required to first upload a document issued by a "court of competent jurisdiction" authorizing the requesting agency to seek BOI from FinCEN. FinCEN would then have an opportunity to review the court authorization for "sufficiency" and approve the request. The Proposed Regulations define a "court of competent jurisdiction" as any court with jurisdiction over the criminal or civil investigation for which a state, local or tribal law enforcement agency requests BOI.

The Proposed Regulations note that before any agency can access FinCEN's database, they would be required to enter into a Memorandum of Understanding with FinCEN, outlining the parameters of the agencies' access and FinCEN's requirements, limitations and expectations regarding such access.

Foreign Law Enforcement Agencies, Judges, Prosecutors, Central Authorities and Competent Authorities

Under the Proposed Regulations, "foreign requesters" would be granted access to BOI under certain circumstances but would not be granted direct access to FinCEN's database. Instead, foreign requesters will be required to submit their requests for BOI to a federal intermediary agency, which would retrieve BOI from the database and transmit it to the foreign requester. In order to obtain such information under the Proposed Regulations, the foreign requesters' request must derive from a law enforcement investigation (or activity, which includes both criminal and civil matters) or prosecution, or from national security or intelligence activity, authorized under the foreign country's laws. Furthermore, the request must be made either 1) under an international treaty, agreement or convention or 2) via a request made by law enforcement, judicial or prosecutorial authorities in a trusted foreign country (when no international treaty, agreement or convention is available.) FinCEN would have considerable discretion to determine whether a particular foreign country is "trusted" and will consider, among other things, the ability of a foreign requester to maintain the security and confidentiality of BOI.

Financial Institutions and Regulator Agencies Conducting CDD Compliance

Financial institutions will be granted access to BOI for the purpose of facilitating compliance with CDD requirements under applicable law,² provided that the requesting institution has received consent for such disclosure from the relevant reporting company as required by statute.³ Under the Proposed Regulations, financial institutions would have direct access to FinCEN's database, but their access would be limited such that they would be required to submit a specific reporting company's identifying information and, in turn, receive an "electronic transcript with that entity's BOI." Per FinCEN, this "more limited information-retrieval process would reduce the overall risk of inappropriate use or unauthorized disclosures of BOI."

Likewise, federal functional regulators and other appropriate regulatory agencies exercising supervisory functions⁴ would be granted "narrow access" to BOI, with such access being granted only for the purposes of assessing a financial institution's compliance with CDD requirements under applicable law. Functional regulators would only be allowed to receive information that has already been received by a financial institution and would be required to enter into an agreement with the Secretary of the Treasury outlining appropriate protocols for safekeeping of information before receiving such information.

The U.S. Department of the Treasury

Consistent with the CTA, the Proposed Regulations would provide Treasury Department officers and employees access to BOI where their official duties would require such access or for purposes of tax administration as defined in the Internal Revenue Code. Under the Proposed Regulations, authorized persons would be authorized to run queries directly in the FinCEN database using multiple search fields and would be allowed to review one or more returned results immediately. "FinCEN envisions Treasury components using BOI for appropriate purposes, such as tax administration, enforcement actions, intelligence and analytical purposes, use in sanctions designation investigations, and identifying property blocked pursuant to sanctions, as well as for administration of the BOI framework, such as for audits, enforcement, and oversight."

BOSS System

The Proposed Regulations note that FinCEN has been developing a secure information technology system to receive, store and maintain BOI. FinCEN has "gathered requirements and completed initial system engineering, architectures, and program planning activities." Likewise, the "initial build of the cloud infrastructure is complete and the development of the first set of system products is in progress." In recognition of the "highly sensitive" and confidential information to be stored in Beneficial Ownership Secure Systems (BOSS), the system will be "cloud-based and is implemented to meet the highest Federal Information Security Management Act level (FISMA High)." The system is expected to begin accepting BOI reports on Jan. 1, 2024 – the same day the reporting rule takes effect.

FinCEN Identifier

The CTA requires that reporting companies provide certain information about their beneficial owners to FinCEN or otherwise provide the reporting company's "FinCEN identifier," i.e., an identification number provided by FinCEN, to specific companies pursuant to application. Specifically, the CTA noted that where an individual is or may be a beneficial owner of a reporting company through an interest in an entity that, directly or indirectly, holds an interest in the reporting company, the reporting company may report the FinCEN identifier of the entity in lieu of the information otherwise required for beneficial owners.

In the Proposed Regulations, FinCEN noted that some commentators expressed concern that this provision could obscure the identities of beneficial owners and thwart the purposes of the CTA. In response, FinCEN proposes to permit a reporting company to use an intermediate entity's FinCEN Identifier only if the two entities – the reporting company and the intermediary entity – have the same beneficial owners.

Other Matters Addressed in the Proposed Regulations

The Proposed Regulations address an important issue that has not been resolved: the verification of BOI data; that is, confirmation that the reported BOI submitted to FinCEN is actually associated with a particular individual. This is key to the effective operation of the BOI system and its effective use by authorized users. FinCEN states that it continues to evaluate options for verifying reported BOI. In that regard, FinCEN notes that under the CTA, the Secretary of the Treasury, in consultation with the Attorney General, will, within two years of the effective date of the final reporting rule, evaluate the costs associated with imposing any new verification requirements on FinCEN and the resources necessary to implement any such changes.

Penalties

The CTA makes it unlawful for any person to knowingly disclose or knowingly use BOI obtained by the person through a report submitted to or authorized disclosure by FinCEN unless such disclosure is authorized under the CTA, including any unauthorized accessing of information submitted to FinCEN, which would include a violation of applicable security and confidentiality requirements in connection with accessing such information. This latter violation reflects FinCEN's view that the security and confidentiality requirements under the CTA and the Proposed Regulations circumscribe the ways in which authorized recipients can use BOI, consistent with the statute's emphasis on keeping BOI secure and confidential. There are both civil and criminal penalties.

Takeaways

After the issuance of the Final Regulations dealing with reporting of BOI, the issuance of these Proposed Regulations are the second regulatory initiative to implement the CTA. Commentators have noted that the Proposed Regulations may be more important than the reporting provisions themselves, as easy, effective and useful access to BOI is critical to accomplishing the goals of the CTA, including unmasking shell companies that serve as fronts for bad actors.

Notably, FinCEN's restrictions on who can access the sensitive and confidential BOI stand in sharp contrast to the approaches of various countries outside the United States, including the United Kingdom, where public access is permitted. The situation in the European Union is less clear because of a Nov. 22, 2022, decision by the Court of Justice of the European Union (CJEU) holding that BOI registries can no longer be accessed by the general public, based on a violation of privacy rights under the Charter of Fundamental Rights of the European Union.

FinCEN still has much to do after the issuance of the subject Proposed Regulations, including:

• finalizing the Proposed Regulations
• revising the CDD rules by Jan. 1, 2025, to align with the BOI reporting requirements under the CTA
• finalizing development of the BOSS database by Jan. 1, 2024
• developing the form BOI Report; most submissions will be electronically filed
• reaching out to stakeholders to advise them of their new responsibilities under the CTA as of Jan. 1, 2024, and
• developing substantive rules to verify BOI

Nevertheless, financial institutions should begin to consider policies and procedures that will address when and how financial institutions will request customer consent for access to BOI (which, under the Proposed Regulations, must be in writing), and under what circumstances such request will be considered appropriate.

Holland & Knight Partner Andres Fernandez also contributed to this alert.

Footnotes

1. Global Financial Integrity, "The Library Card Project: The Ease of Forming Anonymous Companies in the United States," March 21, 2019.

2. The proposed regulations would define "customer due diligence requirements under applicable law" to mean FinCEN's customer due diligence (CDD) regulations at 31 CFR 1010.230, which require covered financial institutions to identify and verify beneficial owners of legal entity customers. FinCEN is soliciting comment on whether a broader interpretation of the phrase "customer due diligence requirements" should apply.

3. Under the Proposed Regulations, financial institutions would be required to obtain written customer consent, maintain a record of such consent for five years after it was last relied upon, and also track any revocation of consent by the customer.

4. The AMLA defines "federal functional regulator" to include six financial regulatory authorities: 1) the Board of Governors of the Federal Reserve System, 2) the Office of the Comptroller of the Currency, 3) the Federal Deposit Insurance Corporation (FDIC), 4) the National Credit Union Administration (NCUA), 5), the U.S. Securities and Exchange Commission (SEC), and 6) the Commodity Futures Trading Commission (CFTC).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.