US Treasury issues final beneficial ownership information access rule: A balancing act

On December 21, 2023, the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a final rule regarding access to beneficial ownership information (BOI) under the Corporate Transparency Act (CTA). This is the second of three rulemakings planned as part of CTA implementation.

The final rule focuses on the access and safeguard provisions of the CTA, as well as provides the circumstances under which BOI reported to FinCEN may be disclosed to third parties and how it must be protected (Final Access Rule). The Final Access Rule seeks to balance supporting law enforcement efforts to “reliably, efficiently, and consistently identify new entities for investigation and follow investigatory leads” on one hand, with “creating a framework to keep BOI secure and confidential” on the other.

While the CTA’s reporting requirements take effect on January 1, 2024 (with a 90-day compliance period for non-exempt reporting companies created on or after that date), the Final Access Rule will take effect on February 20, 2024.

Who will receive access and under what circumstances?

BOI is generally confidential and may not be disclosed except as authorized under the CTA and the Final Access Rule. Access is provided to a number of organizations; however, the type of the organization dictates when and how the organization may access the information. Under the Final Access Rule, the CTA provides access to BOI to:

1. Federal agencies engaged in national security, intelligence, or law enforcement activity
2. State, local, and Tribal law enforcement agencies with court authorization
3. Foreign law enforcement agencies, judges, prosecutors, and other authorities that meet specific criteria
4. Financial institutions with customer due diligence requirements and regulators supervising those financial institutions, and
5. Certain US Treasury Department officers and employees. Each category of authorized users will be subject to security and confidentiality requirements to protect the confidentiality of BOI.

Federal agencies

Before a federal agency engaged in national security, intelligence, or law enforcement (civil or criminal) activity may request access to BOI, its users must certify that the agency is engaged in one of those activities, and that the information requested is for use in furtherance of that activity. Users will also be required to provide the specific reasons why the requested information is relevant to their activities/investigations.

State, local, and Tribal law enforcement agencies

For FinCEN to disclose BOI to state, local, and Tribal law enforcement agencies, a court of competent jurisdiction must authorize the law enforcement agency to seek the information in a criminal or civil investigation. Before requesting the information, the agency’s users must certify that they have received appropriate authorization from the court and that the requested information is relevant to the criminal or civil investigation. These users must also provide a description of the information the court has authorized the agency to seek.

Foreign law enforcement and other authorities

Foreign requesters must request BOI on behalf of a law enforcement agency, prosecutor, or judge of another country, or on behalf of a foreign central authority or foreign competent authority. Such requests must also (1) come to FinCEN through an intermediary federal agency; (2) be for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of a foreign country; and (3) either be made under an international treaty, agreement, or convention, or, when no such avenue is available, be made as an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country.

Subject to significant industry commentary in the run-up to the final rule, FinCEN ultimately declined to define the term “trusted foreign country” in the Final Access Rule because there are “likely too many situations in which providing other countries with BOI might be in the best interest of the United States to reduce that complexity to a single definition or list.” According to FinCEN, that “same variability also weighs against preemptively identifying certain countries as either wholly trusted or not.”

Instead, FinCEN apparently will “conduct case-by-case assessments,” at a minimum, seeking the concurrence of the US State Department and in consultation with the US Department of Justice and other agencies as appropriate – for instance, where such agencies have “relevant equities, expertise, or relationships with foreign governments.”

Financial institutions

FinCEN will also permit financial institutions, as defined under the US Bank Secrecy Act (BSA), to access BOI to aid their compliance with customer due diligence requirements under applicable law. However, for a financial institution subject to due diligence requirements to access the ownership information, the institution must have the reporting company’s consent for such disclosure.

FinCEN also broadened the meaning of “customer due diligence requirements under applicable law” in the Final Access Rule to include “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.” This may include obligations under the BSA or compliance with sanctions imposed by the Treasury’s Office of Foreign Assets Control.

Importantly, this broadened definition evidently pertains to institutions’ access to BOI. However, FinCEN’s long-awaited potential updates to the types of information institutions must gather to comply with Know Your Customer (KYC) requirements under the 2016 Customer Due Diligence Rule (CDD Rule) are not expected until January 2025.

In addition to phasing in access to BOI across federal agencies, FinCEN will initially use its discretion to allow only certain financial institutions such access. At this time, FinCEN “intends to permit only financial institutions with obligations under the 2016 CDD Rule to have access to the BOI database.” Thus, certain BSA-regulated financial institutions, such as Money Services Business, casinos, insurance companies, precious metals dealers, and others which are not subject to the 2016 CDD Rule, will not have database access initially, creating potential information imbalances among BSA-regulated entities. FinCEN explained that security standards associated with such entities warrant additional scrutiny prior to granting access.

Finally, regulators supervising due diligence compliance for financial institutions may only access BOI that the supervised financial institutions have received from FinCEN, and they may only use that information to assess, supervise, enforce, or otherwise determine compliance of those financial institutions with customer due diligence requirements.

US Department of the Treasury

While the CTA grants US Treasury personnel broader access to BOI than most other federal agencies, there are still limits to that access. The information is available to any Treasury officer or employee (1) whose official duties require BOI inspection or disclosure or (2) for tax administration. The Treasury is also required to establish internal policies and procedures governing Treasury officer and employee access to BOI, and it is anticipated that these forthcoming policies and procedures will include elements of security and confidentiality requirements applicable to other domestic agencies.

Conditions for access

Before accessing BOI, all agencies must:

• Establish standards and procedures to protect the security and confidentiality of BOI
• Enter into an agreement with FinCEN specifying those standards and procedures
• Establish and maintain a secure system for storing BOI once received
• Establish and maintain auditable BOI request records
• Restrict access to BOI, conduct audits, and
• Provide FinCEN with reports and certifications.

Furthermore, financial institutions who obtain access to BOI must develop and implement administrative, technical, and physical safeguards reasonably designed to protect it. The security and information handling procedures they use to protect BOI should be the same procedures they use to protect personal information in compliance with the Gramm-Leach-Bliley Act.

Foreign requesters must comply with applicable handling, disclosure, and use requirements under the international treaty, agreement, or convention under which the request was made. They must also establish security and confidentiality standards and maintain the information in a secure system and restrict access.

Limits on re-disclosure and penalties for unauthorized use

As described above, FinCEN carefully oversees the disclosure of BOI to enumerated groups and maintains discretion with respect to certain entities. Once BOI is disclosed, the Final Access Rule further governs re-disclosure of BOI, which is generally prohibited unless the re-disclosure meets one of the specific exceptions. It is authorized:

1. Among officers, employees, agents, and contractors within a particular authorized recipient entity
2. Among financial institution and their regulators, including qualifying self-regulatory organizations
3. From intermediary federal agencies to foreign requestors
4. From specified authorized BOI recipient federal agencies to courts of competent jurisdiction or parties to a civil or criminal proceeding
5. From authorized BOI recipient agencies to prosecutors or for use in litigation related to the activity for which the requesting agency requested the information, and
6. By foreign authorities consistent with the international treaty, agreement, or convention under which BOI was received.

FinCEN may also authorize re-disclosure of BOI by an authorized recipient in other situations as long as the re-disclosure is for the authorized purpose.

The CTA imposes strict penalties for unauthorized disclosure of BOI if no exceptions apply. The Final Access Rule defines “unauthorized use” as any unauthorized access to BOI, including a situation where an employee, officer, director, contractor, or agent of an authorized recipient knowingly violates the requirements for access noted above.

Penalties may include civil penalties in the amount of $500/day as long as the violation continues or has not been remedied. Criminal penalties include a fine of not more than $250,000 or imprisonment not more than 5 years, or both. More severe penalties are available for a person who commits a disclosure violation while violating another law as part of a pattern of illegal activity involving more than $100,000 in a 12-month period: a fine of up to $500,000, imprisonment not more than 10 years, or both.

Rollout of access

Beginning in February 2024, FinCEN will grant authorized users access in a phased approach. The first phase will be a pilot program for a few key federal agency users. The second phase will extend access to Treasury offices and certain federal agencies engaged in law enforcement and national security activity that have pre-existing Memoranda of Understanding for access to BSA information.

Access will be granted to additional authorized users in subsequent phases (the timing of which remains to be seen) in the following order:

1. Additional federal agencies as well as state, local, and Tribal law enforcement partners
2. Intermediary federal agencies in connection with foreign government requests, and
3. Financial institutions and their regulating supervisors.

Key takeaways

While much remains to be seen regarding how access to BOI – including the long-awaited debut of FinCEN’s Beneficial Ownership Secure System – will work in practice, the Final Access Rule provides guidance as to what entities and individuals subject to the CTA’s reporting requirements can expect regarding access to their BOI and personal information.

FinCEN has attempted to strike a balance between allowing access to BOI for law enforcement purposes and maintaining privacy and security of the information, to prevent it from falling into the wrong hands. As detailed in our prior alert, understanding the CTA’s reporting requirements is critical if your business will be required to report. Prudent companies that fall under these requirements will start gathering the required information ahead of time. Additionally, BSA-regulated financial institutions that are complying with the Final Access Rule and maintaining the security of BOI in connection with performing customer due diligence face additional layers of complexity for anti-money laundering, sanctions, and compliance professionals. In both cases, preparation is key to ensuring compliance with the CTA.

To learn more about the Final Access Rule or the CTA’s reporting requirements, please contact any of the authors.