FinCEN issues rule governing access to beneficial ownership information

Overview

On December 21, 2023, the Financial Crimes Enforcement Network (FinCEN) issued a final rule (the Access Rule) regarding access to and protection of beneficial ownership information (BOI) reported to FinCEN in accordance with the Corporate Transparency Act (CTA). FinCEN issued a final BOI reporting rule on September 30, 2022 that went into effect on January 1, 2024. The BOI reporting rule requires certain US established or registered entities that do business in the US to report BOI information to FinCEN. The Access Rule prescribes who has access to BOI as well as how such BOI must be safeguarded.

Summary of the final rule

The Access Rule aims to ensure that only authorized recipients (i) have access to BOI, (ii) use BOI for purposes permitted by the CTA and (iii) re-disclose BOI on a limited basis using secure means. FinCEN is developing a secure, nonpublic database (the Database) to securely store and share BOI in accordance with the Access Rule. This Database is an important tool to help secure and safely transmit BOI to the authorized users outlined below.

Disclosures

The Access Rule affirms that BOI is confidential, but FinCEN may disclose such BOI under specific circumstances to the following categories of recipients:

1. US Federal agencies engaged in national security, intelligence or law enforcement activity;
2. US State, local and Tribal law enforcement agencies;
3. Foreign law enforcement agencies, judges, prosecutors, central authorities and competent authorities (foreign requesters);
4. Financial institutions using BOI to facilitate compliance with customer due diligence (CDD) requirements under applicable law;
5. Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with CDD requirements under applicable law; and
6. Treasury officers and employees.

Domestic agencies, financial institutions and foreign requesters that receive BOI all must establish protections and standards to safely do so. These three categories of entities have varying levels of requirements to ensure that they have implemented appropriate safeguards to protect BOI. Financial institutions can fulfill the safeguards requirement by using the same security and information handling procedures they use to protect customers’ nonpublic personal information in compliance with section 501 of the Gramm-Leach-Bliley Act. 

Re-disclosures

Authorized BOI recipients cannot re-disclose BOI, except in specific circumstances:

1. Re-disclosure among officers, employees, agents and contractors within a requesting agency;
2. Financial institutions and their regulators, including qualifying self-regulatory organizations;
3. From intermediary Federal agencies to foreign requesters;
4. From specified authorized BOI recipient Federal agencies to courts of competent jurisdiction or parties to a civil or criminal proceeding;
5. From authorized BOI recipient agencies to prosecutors or for use in litigation related to the reason for requesting the information; and
6. By foreign authorities consistent with an international agreement under which BOI was received.

Penalties

Unless disclosure is expressly authorized in one of the situations described above, it is unlawful to knowingly disclose or utilize BOI obtained from a report submitted to FinCEN. Violators may be subject to:

• Civil penalties of US$500 for each day a violation continues unremedied; and
• Criminal penalties of a fine of no more than US$250,000 and/or imprisonment for no more than five years. 

There are also enhanced criminal penalties of a fine of up to US$500,000 and/or imprisonment for no more than ten years if a person commits a violation while violating another US law, or as part of an illegal activity pattern involving more than US$100,000 in a 12-month period. 

Violation of requirements of the Access Rule could also result in suspension or removal from access to the Database.

Effective date

The Access Rule is effective as of February 20, 2024. FinCEN will take a phased approach starting with a pilot program for a few key Federal agency users starting in 2024. Financial institutions and government agencies that meet the requirements set forth in the Access Rule will begin to gain access to BOI from FinCEN in 2024.

Interagency statements

FinCEN also simultaneously released two interagency statements for banks and non-bank financial institutions (NBFIs) to provide guidance on the interplay between the Access Rule and FinCEN’s existing CDD Rule. 

The Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), FinCEN, the National Credit Union Administration and state bank and credit union regulators issued an Interagency Statement for Banks regarding the Access Rule. It clarifies that the Access Rule does not create a new regulatory requirement for federally supervised banks to access BOI from the Database as part of their CDD procedures. While banks are free to be approved to obtain BOI information from the Database, the Interagency Statement makes clear that there is no obligation to do so and, in addition, obtaining BOI information from the Database will not serve as a substitute for, nor an exemption from, fulfilling the requirements specified by the CDD Rule. Additionally, the Interagency Statement clarified that the Access Rule does not impact or conflict with the Bank Secrecy Act (BSA)/anti-money laundering (AML) compliance programs. 

FinCEN and the US Department of the Treasury issued a similar Statement for NBFIs providing that the Access Rule does not create a new regulatory requirement for NBFIs to access BOI from the Database or an expectation that they do so, nor is it meant to conflict with or require changes to BSA/AML compliance programs.

Both interagency statements note that FinCEN will be updating CDD Rule currently applicable to banks and NBFIs to align the CDD Rule with the CTA, including the Access Rule.

Key takeaways

The Database will offer a safe method of transmitting BOI to those who need to access it. It can help ensure that sensitive information stays confidential, is transmitted by secure methods and is not inadvertently shared with unauthorized users. 

However, the Database will not necessarily provide significant benefit to banks and NBFIs for BOI due diligence obligations. Obtaining approval to access the BOI database may be procedurally difficult. Accordingly, if an institution accesses BOI, it should be well-informed and prepared to ensure that the information is handled appropriately so as not to violate limitations placed on re-disclosure. Covered institutions must also adhere to data protection standards set by FinCEN.

As made clear in the interagency statements released by FinCEN, banks and certain other financial institutions are still required to conduct their own due diligence reviews as required by the CDD Rule and cannot solely rely on information obtained from the Database.