- On December 22, 2023, FinCEN finalized its framework for access to and protection of beneficial ownership information reported to the federal government pursuant to the Corporate Transparency Act.
- The final rule, which takes effect on February 20, 2024, broadens the scope of financial institutions that may be authorized to access the beneficial ownership information registry and expands the purposes for which they may use information from the registry, among other key changes.
- However, FinCEN reserved guidance on important questions related to financial institutions’ access to and use of the registry, and the timing for financial institution access is still to be determined.
- This Debevoise In Depth describes key provisions of the final rule, with a focus on implications for financial institutions.
On December 22, 2023, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued a final rule (the “Access Rule”) establishing the framework for access to and protection of beneficial ownership (“BO”) information reported to the federal government pursuant to the Corporate Transparency Act (the “CTA”).
The Access Rule is the second of three primary rulemakings required to implement the CTA’s BO reporting regime. The first rule, specifying which entities must report BO information to FinCEN, what information must be reported and when reports are due, was finalized in 2022 and took effect on January 1, 2024. The third rule, to revise the existing customer due diligence rule for financial institutions (the “CDD Rule”) to bring it into conformance with the BO reporting regime, is expected to be proposed later this year.
The Access Rule, which takes effect on February 20, 2024, provides for phased access to FinCEN’s beneficial ownership IT (“BO IT”) system. The first stage will be a pilot program, starting this year, for a small group of federal agencies. Access for authorized financial institution users is expected to coincide with FinCEN’s upcoming revisions to the CDD Rule.
In this Debevoise In Depth, we describe the Access Rule’s key provisions and highlight several changes from FinCEN’s December 16, 2022 access and safeguards proposal (the “Proposed Rule”), with a focus on important changes for financial institutions.
As we have covered previously, the CTA requires various legal entities created or registered to do business in the United States to report information about their beneficial owners and control persons to FinCEN.
The CTA requires FinCEN to maintain this information in a secure, nonpublic database for use, subject to appropriate protocols, by certain government agencies, financial institutions and foreign requesters. Accordingly, the Access Rule aims to ensure that: (1) only authorized recipients have access to BO information; (2) information is used only for purposes permitted by the CTA; and (3) authorized recipients re-disclose information only in ways that further the statute’s objectives. The Access Rule also subjects BO information reported to FinCEN, and received by authorized recipients, to strict cybersecurity controls, confidentiality protections and audit and oversight mechanisms.
Key Changes for Financial Institutions
The Access Rule implements the framework outlined in the Proposed Rule largely as proposed. Key modifications and clarifications with implications for financial institutions include the following:
- A broader range of financial institutions may be granted access to the BO registry.
- The Proposed Rule would have limited access to the BO registry to “covered financial institutions” under the CDD Rule (i.e., banks, broker-dealers, futures commission merchants, introducing brokers in commodities and mutual funds). That interpretation meant that other financial institutions with anti-money laundering (“AML”) program obligations, such as insurers and money services businesses, would have been excluded from registry access.
- A broader interpretation is reflected in the Access Rule. In particular, the Access Rule authorizes registry access for financial institutions subject to “customer due diligence requirements under applicable law,” which phrase FinCEN interprets broadly to mean “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.”
- However, as an initial matter, access will be provided only to covered financial institutions under the CDD Rule. This approach will allow FinCEN to focus on institutions with established compliance and supervisory frameworks to ensure the security and confidentiality of BO information. FinCEN intends to further evaluate the appropriateness and feasibility of expanding access to other types of financial institutions.
- As discussed below, financial institutions seeking access to the BO IT system will be required to certify their compliance with certain additional requirements.
- Authorized financial institutions may leverage registry information for an expanded range of customer due diligence activities, but important questions remain. The Access Rule’s interpretation of “customer due diligence requirements under applicable law,” as described above, means financial institutions with access to the BO IT system may use information from the registry to discharge AML program, customer identification, SAR filing and enhanced due diligence obligations. In addition, institutions may use BO information from the registry in connection with sanctions compliance and anti-fraud and anti-bribery activities.
- This represents a significant change from the Proposed Rule, under which institutions would have been permitted to use BO information only for purposes of compliance with the CDD Rule obligation to identify and verify beneficial owners of legal entity customers.
- However, FinCEN has reserved guidance on important questions that could impact the registry’s utility for financial institutions. These include whether institutions may re-disclose BO information from the registry to affiliated financial institutions, other financial institutions in a syndicated loan transaction, other institutions eligible to participate in information sharing under Section 314(b) of the USA PATRIOT Act and/or external compliance monitors.
- The preamble to the Access Rule suggests that FinCEN may plan to assess disclosures in these types of situations on a case-by-case basis.
- Such an approach may require institutions to separately store, or demarcate, BO information from the registry, to ensure it is not shared, for example, with other 314(b) participants or compliance monitors.
- FinCEN has made clear that a financial institution may use BO information obtained from the registry only for purposes that relate directly to the institution’s compliance with applicable customer due diligence requirements. An institution may not use BO information for general business or commercial uses.
- The geographic restriction on financial institution access to BO information has been narrowed. The Access Rule prohibits financial institutions from sending BO information to Russia, China, jurisdictions designated as state sponsors of terrorism and jurisdictions subject to comprehensive U.S. sanctions (currently Cuba, Iran, North Korea, Syria and certain regions of Ukraine). Financial institutions are not otherwise required to keep BO information confined to the United States but must notify FinCEN within three business days of receiving a demand from a foreign government for such information.
- The Proposed Rule would have required financial institutions to limit access to BO information obtained from FinCEN to their directors, officers, employees, contractors and agents in the United States.
- Industry commenters pointed out that this approach would have significantly impeded the registry’s utility, as many institutions operate global compliance programs and use offshore personnel and contractors for various AML-related functions.
- With a phased implementation approach, the timing for financial institution access to the registry is still to be determined. The Access Rule implements a phased approach to providing authorized recipients with access to the BO IT system, with authorized financial institution users gaining access in the last stage.
- The first stage will provide access under a pilot program to “a handful of” key federal agency users beginning in 2024.
- Subsequent stages will extend access, in turn, to: (i) Treasury Department offices and certain federal agencies engaged in law enforcement and national security activities that have Bank Secrecy Act memoranda of understanding in place with FinCEN; (ii) other federal agencies engaged in law enforcement, national security and intelligence activities and “key” state, local and tribal law enforcement partners; (iii) other state, local and tribal law enforcement users; (iv) intermediary federal agencies in connection with foreign government requests; and, finally, (v) financial institutions and their supervisors.
- FinCEN anticipates providing additional information on this phased implementation approach in early 2024. With respect to financial institutions in particular, FinCEN notes that access to the BO IT system should roughly coincide with its revisions to the CDD Rule. FinCEN suggests that this approach should allow financial institutions to bundle system and compliance changes.
- The Access Rule does not create new regulatory requirements for financial institutions—yet. In the regulatory preamble and guidance issued concurrently with FinCEN’s release of the Access Rule, FinCEN joins with the federal functional regulators to make clear that the Access Rule does not create a new regulatory requirement or any supervisory expectation for financial institutions to access BO information from the BO IT system.
- FinCEN will address the question of whether financial institutions are required to access the BO IT system for customer due diligence purposes when it revises the CDD Rule.
- The Access Rule also does not require financial institutions accessing the BO IT system to report discrepancies, if any are discovered, between the information obtained from customers and that obtained from FinCEN. However, FinCEN may issue additional guidance or regulatory changes on the subject, as necessary.
Key Components of the Final Access Rule
Which entities may access BO information reported to FinCEN?
The Access Rule authorizes FinCEN to disclose BO information to five categories of authorized recipients:
- Domestic government agencies seeking information for specified purposes, including:
- Federal agencies that (i) are engaged in national security, intelligence or law enforcement activity and request information for use in furtherance of such activity and (ii) provide a written certification to FinCEN as to compliance with the requirements of clause (i).
- State, local and tribal law enforcement agencies that (i) seek information relevant to a criminal or civil investigation, (ii) are authorized by a court of competent jurisdiction to seek BO information in such investigation and (iii) provide a written certification to FinCEN as to compliance with the requirements of clauses (i) and (ii) that also describes the information the agency is authorized to seek.
- The Access Rule streamlines and clarifies such agencies’ access in certain respects, including by removing the proposed requirements that agencies obtain a court order, submit the order to FinCEN and submit to FinCEN for review a justification for any request for BO information.
- Treasury Department personnel, (i) with respect to official duties requiring inspection or disclosure of BO information, or (ii) for tax administration.
- Financial institutions subject to “customer due diligence requirements under applicable law,” when (i) BO information will be used to facilitate compliance with such requirements, (ii) the company whose information will be accessed consents to the disclosure and (iii) the financial institution certifies to FinCEN as to compliance with the requirements of clause (i), clause (ii) and the Access Rule’s security and confidentiality requirements.
- See the discussion above regarding FinCEN’s interpretation of the phrase “customer due diligence requirements under applicable law” and the impact of this interpretation on access to and use of BO information for financial institutions.
- The required company consent must be obtained at a time prior to a financial institution’s initial request for the company’s BO information from FinCEN and can be relied on for subsequent requests for BO information, unless revoked.
- Financial institutions have substantial discretion in the manner in which they obtain the required consent, which must be documented but need not be in writing.
- FinCEN anticipates that financial institutions will provide the required certification via a checkbox when requesting BO information.
- Federal functional regulators and other appropriate regulatory agencies assessing a financial institution’s compliance with AML- or national security-related legal requirements for which access to BO information is reasonably necessary.
- Foreign requesters, including foreign law enforcement agencies, prosecutors and judges, as well as foreign central authorities and foreign competent authorities under an applicable international treaty, agreement or convention, when requesting BO information (i) through an intermediary U.S. federal agency (ii) for purposes of assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country.
- Such requests must be made under an international treaty, agreement or convention or as an official request via authorities of a country determined by FinCEN, with the concurrence of the Secretary of State and in consultation with the Attorney General, to be a trusted foreign country.
What information will authorized users receive, and what level of access will be provided?
FinCEN will disclose to authorized users an electronic transcript containing the information that a company is required to report under FinCEN’s reporting rule, including information about the company itself, its beneficial owners and any company applicants. Such transcripts will include information associated with any FinCEN identifiers reported in a company’s BO information report. Domestic government agencies (but not other authorized users) will also receive images of individuals’ identification documents.
Levels of access to the BO IT system vary depending on the type of authorized user:
- Domestic government agencies and Treasury users will be able to access and query the BO IT system directly, including the ability to run queries using multiple search fields and review one or more results returned immediately.
- Financial institutions and their regulators will have direct access to the BO IT system, but no ability to run broad searches.
- Upon submitting identifying information specific to a reporting company, a financial institution immediately would receive a transcript with the company’s BO information.
- The transcript would not include any previously submitted BO information for the relevant company.
- Nor will the BO IT system automatically notify a financial institution of updates to information reported by a company the institution has previously queried, although FinCEN will consider this functionality as a possible future enhancement.
- FinCEN does not anticipate providing bulk data exports of BO information. However, FinCEN expects that financial institutions will use application programming interfaces to access the BO IT system and will have the ability to submit multiple search requests simultaneously.
- Federal functional regulators and other appropriate regulatory agencies exercising supervisory functions will be able to request from FinCEN BO information that the institutions they supervise have already obtained from FinCEN, but only for the purpose of assessing the institutions’ compliance with applicable customer due diligence requirements.
- Foreign requesters will have no access to the BO IT system; their requests will flow through an intermediary federal agency.
How will BO information reported to FinCEN be secured?
- The BO IT system, which will be cloud-based, will meet the highest Federal Information Security Management Act (“FISMA”) level (i.e., FISMA High). This rating requires the highest level of security controls for a system at the unclassified level.
- The Access Rule also imposes specific security and confidentiality requirements on each category of authorized recipient that must be satisfied in order to obtain access to BO information.
- For financial institutions, these include: (i) obtaining the necessary customer consents; (ii) complying with geographic restrictions on the disclosure of BO information, as described above; (iii) notifying FinCEN of any foreign government subpoena or legal demand requiring disclosure of BO information from the BO IT system; and (iv) developing and implementing administrative, technical and physical safeguards reasonably designed to protect the security, confidentiality and integrity of BO information.
- To comply with the requirements of clause (iv), a financial institution must apply the information procedures established to satisfy the requirements of Section 501 of the Gramm-Leach Bliley Act (the “GLBA”) and applicable implementing regulations. If an institution is not subject to such GLBA requirements, it must implement procedures that are at least as protective.
- Government users must enter into agreements with FinCEN providing for appropriate standards, procedures and systems to protect the security and confidentiality of BO information, conduct annual audits and cooperate with audits conducted by FinCEN.
- Foreign requesters that obtain BO information under an international treaty, agreement or convention must comply with applicable handling, disclosure and use requirements of that document. A foreign requester receiving BO information outside of a treaty or convention must establish appropriate standards and procedures to safeguard the information.
- The Access Rule additionally places limitations on use and disclosure of BO information, including those discussed immediately below.
What are the limitations on use and disclosure of BO information obtained from FinCEN?
- Except as expressly permitted, authorized recipients must use information received from the BO IT system only for the purpose or activity for which it was obtained and are generally prohibited from re-disclosing such information.
- The Access Rule authorizes re-disclosure in specified circumstances. For authorized financial institutions:
- Any director, officer, employee, contractor or agent receiving information from the BO IT system may disclose it to another director, officer, employee, contractor or agent of the same financial institution (consistent with the institution’s security and confidentiality obligations).
- The Access Rule preamble indicates that a financial institution’s “contractors” and “agents” may include persons providing services to the institution by contract.
- A financial institution also may disclose information from the BO IT system to its federal functional regulator, a self-regulatory organization that is registered with or designated by a federal functional regulator or another appropriate regulatory agency, provided that the recipient meets applicable requirements of the Access Rule.
- A financial institution may rely on the representation of a federal functional regulator, self-regulatory organization or other appropriate regulatory agency that it meets the requirements.
- A financial institution (or other authorized user) may disclose information obtained from the BO IT system pursuant to prior written authorization from, or protocols or guidance issued by, FinCEN.
What are the penalties for unauthorized disclosure or use?
- The Access Rule tracks the CTA’s language making it unlawful for any person to knowingly disclose or knowingly use BO information obtained by that person, except as authorized by FinCEN’s regulations.
- FinCEN highlights in the Access Rule preamble that this prohibition applies to BO information whether it was obtained through a report submitted to FinCEN under the reporting rule or a disclosure made by FinCEN pursuant to the Access Rule.
- It appears this language may provide a basis for liability based on use or disclosure of information obtained from a BO information report that a customer provides directly to a financial institution.
- Institutions may thus wish to consider the potential implications, including with respect to security and confidentiality safeguards and use restrictions, of requesting BO information reports from their customers.
- Unauthorized use includes accessing information without authorization, as well as any violation of the Access Rule’s security and confidentiality requirements in connection with any access.
- The CTA provides for (i) civil penalties in the amount of $500 for each day a violation continues or has been not been remedied and (ii) criminal penalties of a fine of not more than $250,000 or imprisonment for up to five years, or both. The CTA also provides for enhanced criminal penalties, including a fine of up to $500,000, imprisonment of up to 10 years, or both, if a person commits a violation while violating another U.S. law or as part of a pattern of illegal activity involving more than $100,000 in a 12-month period.
- FinCEN also may permanently debar or temporarily suspend, for any period of time, an individual requester or requesting entity if it finds that (i) such person has failed to meet any requirement of the Access Rule or has requested information for an unlawful purpose, or (ii) other good cause exists for such debarment or suspension.
Will FinCEN verify BO information reported to the registry?
The Access Rule does not provide for FinCEN to confirm that BO information reported to FinCEN is associated with particular persons. FinCEN expresses the view in the regulatory preamble that such verification is an important part of ensuring that reported BO information is “accurate, complete, and highly useful.” FinCEN continues to assess options to verify BO information, taking into consideration practical, legal and resource challenges.
As described above, open questions remain regarding the Access Rule’s implications for financial institutions. Interested stakeholders may wish to consider opportunities for clarification from FinCEN, particularly through the public notice and comment process in connection with FinCEN’s revision of the CDD Rule. We are closely monitoring developments and expect to provide updates, as appropriate.