The US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) issued proposed regulations (Proposed Regulations) on 15 December 2022, governing the disclosure, access and safeguarding of beneficial ownership information (BOI) required to be submitted to FinCEN by in-scope US and foreign reporting companies under the Corporate Transparency Act (CTA).
Since the CTA's passage on 1 January 2021, FinCEN has been developing regulations for implementing the Act's numerous provisions. In September 2022, FinCEN issued the first set of final regulations detailing rules as to the reporting of BOI. Now, FinCEN has issued the second set of guidance in the form of proposed regulations as to how BOI is accessed and about how the agency maintains and protects that information, including through the establishment of a national, non-public, secure, centralised database that is "accessible and highly useful" to national security, intelligence and law enforcement agencies. This notice of proposed rulemaking, issued for review and comment, is a significant step in the rollout of the CTA, which will be implemented on 1 January 2024. The third set of guidance dealing with revised customer due diligence rules is anticipated to be issued by 1 January 2025.
Proposed "Access" Regulations
As noted in the Proposed Regulations, "Congress authorized FinCEN to disclose BOI to a statutorily defined group of governmental authorities and financial institutions, in limited circumstances." This group includes 1) US federal, state, local and tribal agencies conducting either civil or criminal investigations; 2) foreign law enforcement agencies, judges, prosecutors and other authorities, provided their requests meet certain criteria; 3) financial institutions using BOI to facilitate compliance with customer due diligence (CDD) requirements under applicable law; 4) federal functional regulators and other regulatory agencies acting in a supervisor capacity assessing compliance with CDD requirements; and 5) the US Department of the Treasury itself.
General Prohibition Against BOI Disclosure And Exceptions
The text of the CTA provides that BOI provided to FinCEN is "highly sensitive" information that "shall" be kept "confidential" and may not be disclosed by officers and employees of 1) the United States; 2) any state, local or tribal agency; or 3) any financial institution or regulatory agency who receives or accesses such information, except as authorised by law or regulation.
Notably, the CTA provides that FinCEN "may disclose" BOI to certain authorised recipients. The law "affords FinCEN discretion to ensure that BOI is disclosed only to authorized recipients that are able to keep the information confidential and secure." Through the Proposed Regulations, FinCEN sets forth protocols relating to authorised recipients' scope of access and use, and requirements for maintaining access, as well as verification of such procedures through a requirement to establish a "paper trail" and subsequent audits. These key requirements for access by authorised recipients are summarised below.
Federal, State, Local And Tribal Governmental Agencies, Provided Certain Conditions Are Satisfied
The Proposed Regulations envision granting federal agencies engaged in national security, intelligence or law enforcement activities (inclusive of criminal and civil investigations and actions) the greatest level of access to BOI, including the ability to directly access and query FinCEN's database. To protect against abuse, federal agency users will be required to submit "brief justifications" for their searches and explain how those searches further a "qualifying activity."
Likewise, state, local and tribal "law enforcement agencies" would have direct access to the database but would be required to first upload a document issued by a "court of competent jurisdiction" authorising the requesting agency to seek BOI from FinCEN. FinCEN would then have an opportunity to review the court authorisation for "sufficiency" and approve the request. The Proposed Regulations define a "court of competent jurisdiction" as any court with jurisdiction over the criminal or civil investigation for which a state, local or tribal law enforcement agency requests BOI.
The Proposed Regulations note that before any agency can access FinCEN's database, it would be required to enter into a Memorandum of Understanding with FinCEN, outlining the parameters of the agencies' access and FinCEN's requirements, limitations and expectations regarding such access.
Foreign Law Enforcement Agencies, Judges, Prosecutors, Central Authorities And Competent Authorities
Under the Proposed Regulations, "foreign requesters" would be granted access to BOI under certain circumstances but would not be granted direct access to FinCEN's database. Instead, foreign requesters would submit their requests for BOI to a federal intermediary agency, which would retrieve BOI from the database and transmit it to the foreign requester. To obtain information under the Proposed Regulations, the request must arise from a law enforcement investigation (or activity, which includes both criminal and civil matters) or prosecution, or from national security or intelligence activity, authorised under the foreign country's laws. Furthermore, the request must be made either 1) under an international treaty, agreement or convention or 2) via a request made by law enforcement, judicial or prosecutorial authorities in a trusted foreign country (in cases when no international treaty, agreement or convention is available). FinCEN would have considerable discretion to determine whether a particular foreign country is "trusted" and must consider, inter alia, the ability of a foreign requester to maintain the security and confidentiality of BOI.
Financial Institutions And Regulator Agencies Conducting CDD Compliance
Financial institutions will be granted access to BOI for the purpose of facilitating compliance with CDD requirements under applicable law,[i] provided that the requesting institution has received consent for such disclosure from the relevant reporting company as required by statute.[ii] Under the Proposed Regulations, financial institutions would have direct access to FinCEN's database, but access would be limited such that they would be required to submit a specific reporting company's identifying information and, in turn, receive an "electronic transcript with that entity's BOI.” This more limited information-retrieval process would reduce the overall risk of inappropriate use or unauthorised disclosures of BOI.
Federal functional regulators and other appropriate regulatory agencies exercising supervisory functions[iii] also would be granted "narrow access" to BOI, with access granted only for the purposes of assessing a financial institution's compliance with CDD requirements under applicable law. Functional regulators would only be allowed to receive information that already has been received by a financial institution and would be required to enter into an agreement with the Secretary of the Treasury outlining appropriate protocols for safekeeping of information before receiving such information.
The US Department Of The Treasury
Consistent with the CTA, the Proposed Regulations would provide Treasury Department officers and employees access to BOI where their official duties would require such access or for purposes of tax administration as defined in the Internal Revenue Code. Under the Proposed Regulations, authorised persons would be authorised to run queries directly in the FinCEN database using multiple search fields and would be allowed to review one or more returned results immediately. FinCEN envisions Treasury personnel using BOI for purposes such as tax administration, enforcement actions, intelligence and analytical purposes, sanctions designation investigations, and identifying property blocked pursuant to sanctions, and for administration of the BOI framework, such as for audits, enforcement, and oversight.
FinCEN has been developing a secure information technology system to receive, store and maintain BOI. FinCEN has "gathered requirements and completed initial system engineering, architectures, and program planning activities." Likewise, the "initial build of the cloud infrastructure is complete and the development of the first set of system products is in progress." In recognition of the "highly sensitive" and confidential information to be stored in the Beneficial Ownership Secure Systems (BOSS), the system will be "cloud-based and implemented to satisfy the requirements of the highest Federal Information Security Management Act level (FISMA High)." The system is expected to begin accepting BOI reports on 1 January 2024, which is the same day that BOI reporting is to take effect.
The Proposed Regulations also deal with a FinCEN identifier issue, which is an identification number provided by FinCEN, to specific companies pursuant to application.
The CTA contains a rule that where an individual is or may be a beneficial owner of a reporting company through an interest in an entity that, directly or indirectly, holds an interest in the reporting company, the reporting company may report the FinCEN identifier of the entity in lieu of the information otherwise required for beneficial owners. Some commentators have expressed concern that the foregoing could obscure the identities of beneficial owners and thwart the purposes of the CTA. To deal with this issue, FinCEN proposes to permit a reporting company to use an intermediate entity's FinCEN identifier only if the two entities – the reporting company and the intermediary entity – have the same beneficial owners.
Other Matters Addressed In The Proposed Regulations
The Proposed Regulations address an exceedingly important issue that has not been resolved: the verification of BOI data; that is, confirmation that the reported BOI submitted to FinCEN is actually associated with a particular individual. The accuracy of information is central to the effective operation of the BOI system and its effective use by authorised users. FinCEN states that it is continuing to evaluate options for verifying reported BOI and notes that under the CTA, the Secretary of the Treasury, in consultation with the Attorney General, will, within two years of the effective date of the final reporting rule, evaluate the costs associated with imposing any new verification requirements on FinCEN and the resources necessary to implement any such changes.
The CTA makes it unlawful for any person to knowingly disclose or knowingly use BOI obtained by the person through a report submitted to or authorised disclosure by FinCEN unless such disclosure is authorised under the CTA, including any unauthorised accessing of information submitted to FinCEN, which would include a violation of applicable security and confidentiality requirements in connection with accessing such information. This latter violation reflects FinCEN's view that the security and confidentiality requirements under the CTA and the Proposed Regulations circumscribe the ways in which authorised recipients can use BOI, consistent with the statute's emphasis on maintaining BOI secure and confidential. There are both civil and criminal penalties.
FinCEN still has much to do after the issuance of the subject Proposed Regulations, including:
Some commentators have noted that the Proposed Regulations may be more important than the reporting provisions because easy, effective and useful access by authorised persons to BOI is central to accomplishing the informational goals of the CTA to combat illegal activity through unmasking shell companies that serve as fronts for bad actors.
Finally, FinCEN's restrictions on who can access the sensitive and confidential BOI are in sharp contrast to the approaches of various countries outside the United States, including the United Kingdom, where public access currently is permitted. The situation in the European Union is less clear because of a 22 November 2022 decision by the Court of Justice of the European Union (CJEU), holding that BOI registries can no longer be accessed by the general public, based on a violation of privacy rights under the Charter of Fundamental Rights of the European Union. Interestingly, the Governments of Guernsey, the Isle of Man and Jersey have jointly announced that they are delaying the implementation of legislation to provide full access to registers of company beneficial ownership following the aforementioned European Court of Justice decision.
[i] The proposed regulations define "customer due diligence requirements under applicable law" to mean FinCEN's customer due diligence (CDD) regulations at 31 CFR 1010.230, which require covered financial institutions to identify and verify beneficial owners of legal entity customers. FinCEN has requested comments on whether a broader interpretation of the phrase "customer due diligence requirements" should apply.
[ii] Under the Proposed Regulations, financial institutions would be required to obtain written customer consent, maintain a record of such consent for five years after it was last relied upon, and track any revocation of consent by the customer.
[iii] The AMLA defines "federal functional regulator" to include six financial regulatory authorities: 1) the Board of Governors of the Federal Reserve System, 2) the Office of the Comptroller of the Currency, 3) the Federal Deposit Insurance Corporation (FDIC), 4) the National Credit Union Administration (NCUA), 5), the US Securities and Exchange Commission (SEC), and 6) the Commodity Futures Trading Commission (CFTC).
Alan Winston Granwell
Mr. Granwell is a tax lawyer with more than 50 years of experience in the area of international taxation. He advises private clients and corporate clients on cross-border planning, transparency initiatives, controversy, and compliance. Alan is a commentator, has published numerous publications and is a frequent speaker at international tax programmes, both in the US and abroad.
Partner/Co-Chair, White Collar Defense and Investigations Team. Eddie is a commentator, has authored numerous publications and is a frequent speaker on white collar matters, as well as the Corporate Transparency Act.