The Corporate Transparency Act: Access Rules
On December 21, 2023, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued final rules establishing a framework for accessing, using, and protecting beneficial ownership information (BOI) maintained by FinCEN (the “Access Rule”). This is the second in a series of three rules from FinCEN implementing the Corporate Transparency Act (CTA),[1] which was enacted as part of the Anti-Money Laundering Act of 2020 (AMLA). The CTA is designed to combat illicit financial activity perpetrated through shell companies and opaque ownership structures in the U.S.[2]
The first rule implemented BOI reporting requirements for certain companies created or registered to do business in the U.S. (the “Reporting Rule”). Reported BOI is kept in FinCEN’s secure database.
This second issuance, the Access Rule, addresses how certain stakeholders, including financial institutions (FIs), may obtain and re-disclose BOI under specific conditions. It also addresses security and confidentiality issues.
The forthcoming third rule will revise the Customer Due Diligence Rule (“CDD Rule”) to, among other things, align with the AMLA and reduce burdens on FIs.
FinCEN’s secure database, the Beneficial Ownership Information Technology (BOIT) System, went live on January 1, 2024. The Access Rule goes into effect on February 20, 2024, and sets the parameters for accessing the database, circumscribes the purposes for which BOI may be used, and establishes standards for safeguarding BOI.
FinCEN is taking a phased approach to access, starting with a pilot program in 2024 that extends access to a small group of federal agency users. Financial institutions and regulators will be among the last category of recipients to have access to the BOIT System. Moreover, financial institutions will not be obligated to use the BOIT System or to report discrepancies between the BOI and their own records.
FinCEN sets out a number of different recipient types.
The access permissions for an FI subject to CDD requirements and for CDD compliance purposes are broader than under the proposed rule, which would have limited access to FIs subject to the CDD Rule for CDD Rule compliance purposes. The generic use of “CDD,” rather than the specific reference to the “CDD Rule,” provides access to more FIs, e.g., money services businesses not subject to the CDD Rule, and allows the BOI to be used for a wider range of compliance purposes.
The Access Rule sets requirements for each category of recipients. Each recipient must abide by security and confidentiality protocols, must use the BOI only for the intended purpose or activity, and cannot re-disclose BOI, subject to limited exemptions. FinCEN reserves rights to deny BOI requests.
If any requester fails to meet the requirements of the Access Rule or requests information for an unlawful purpose, FinCEN may debar or suspend an individual or entity requester.
FinCEN will provide BOI to limited categories of authorized recipients in phases: first to certain federal agencies, then to certain federal law enforcement and national security agencies, such as the Federal Bureau of Investigation and federal banking agencies, and then to other federal and state agencies. FIs and their supervisors will be the last among the permitted recipients to obtain access to BOI. This timing is designed to give FinCEN time to revise the CDD Rule before providing BOI to FIs. More information on this phased approach will be provided by FinCEN in early 2024.
FI access, at least initially, will be limited to FIs covered under the current CDD Rule. These FIs have standard security requirements and are subject to supervision, while FinCEN cannot evaluate the security standards of non-covered FIs.
The Access Rule prohibits “any person” from knowingly using or disclosing the BOI that the person obtained, whether directly or indirectly, through a report submitted to FinCEN under the Reporting Rule or a disclosure made by FinCEN pursuant to the Access Rule. Under the Access Rule, this specifically includes accessing information without authorization and any violation of the security and confidentiality requirements[3] in connection with what would otherwise be authorized access.
Together with the Access Rule, FinCEN released two statements providing guidance to banks and NBFIs on the interaction between the Access Rule and the existing CDD Rule (the “Statements”). The bank Statement was issued jointly with the federal and state banking agencies, in consultation with staff from the Securities and Exchange Commission and the Commodity Futures Trading Commission. The NBFI Statement was issued by FinCEN and the U.S. Department of the Treasury.
Per the Statements, FIs subject to CDD requirements will be authorized to access BOI from FinCEN’s database, the BOIT System. FIs will not, however, be required to access the BOIT System, nor will there be a supervisory expectation that they do so. The Statements confirm that FIs will not need to revise their AML programs to comply with the current CDD Rule or other BSA requirements.
Critics of the CTA generally have expressed their concern with FinCEN collecting personal information and whether the BOIT System is sufficiently secure. But with the launch of the BOIT System on January 1, 2024, FinCEN has addressed the BOI gaps identified by the Financial Action Task Force and has brought the U.S. into alignment with many of its Western counterparts that collect BOI. It remains to be seen how smoothly the BOIT System will operate and whether this will effectively combat illicit financial activity in the U.S. While FinCEN shows no signs of slowing down, FinCEN will need significant resources to continue implementing the AMLA and even more to enforce it.
[1] Specifically, the Access Rule implements 31 U.S.C. 5336(c) of the CTA in a new regulation: 31 CFR 1010.955.
[2] FinCEN maintains a BOI informational webpage at the FinCEN website.
[3] In 31 CFR 1010.955(d).