FinCEN Issues Proposed Rule on Access to Beneficial Ownership Information

Advisory

On December 15, 2022, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (Access NPRM) that seeks public comment on its proposed rules governing access to, and the safeguarding of, beneficial ownership information (BOI) that many companies will be required to begin reporting to FinCEN on January 1, 2024. The Access NPRM will be of particular interest to financial institutions (FIs) because it proposes a framework for how financial institutions may access the BOI for purposes of complying with their customer due diligence (CDD) requirements.

The Access NPRM follows FinCEN’s September 30, 2022, issuance of a final rule requiring certain entities to file reports with the agency identifying (1) the beneficial owners of the entity and (2) individuals who have filed an application with specified governmental authorities to create the entity or register it to do business in the US (BOI Reporting Rule). “Beneficial owners” include individuals who exercise “substantial control” over the reporting company or own or control at least 25 percent of the ownership interests in the reporting company. “Reporting companies” generally include corporations, limited liability companies, limited partnerships and trusts, and companies formed under foreign law and registered to do business in the US. A wide array of entities is excluded from the definition of “reporting company,” including SEC reporting entities, investment companies and advisers, securities brokers and dealers, banks, accounting firms, insurance companies and companies that employ more than 20 full-time employees in the US and have more than $5 million in annual sales.¹ The information collected pursuant to this process will constitute the BOI.

The Access NPRM provides that FinCEN may only disclose BOI to financial institutions subject to CDD requirements under applicable law (i.e., certain banks, broker dealers, futures commissions merchants and mutual funds subject to 31 C.F.R. 1020.320, but not money services businesses) that request such information for purposes of complying with their CDD obligations. Because of restraints imposed on FinCEN under the Corporate Transparency Act (CTA), and due to the sensitive nature of BOI, FinCEN does not intend to allow financial institutions to run open-ended queries in the system. Instead, FinCEN would return an electronic transcript with only the requested entity’s BOI.

Importantly, FinCEN has defined “customer due diligence requirements under applicable law” to mean only FinCEN’s CDD regulations under 31 C.F.R. 1010.230, which require financial institutions to identify and verify beneficial owners of legal entity customers. In drafting the proposed rule, FinCEN considered and rejected including FinCEN’s separate Customer Identification Program regulations in the definition of “customer due diligence requirements under applicable law.” In declining to adopt this broader definition that would have meaningfully eased financial institutions’ compliance obligations, FinCEN explained that “a more tailored approach will be easier to administer, reduce uncertainty about what FIs may access BOI under this provision, and better protect the security and confidentiality of sensitive BOI by limiting the circumstances under which FIs may access BOI.”

The Access NPRM also proposes regulations that would govern when BOI may be disclosed to federal agencies and state, local, tribal and foreign governments under certain circumstances:

Federal government access would be limited to law enforcement, national security and intelligence activities if the requested BOI is for use in furtherance of such activity. FinCEN stated that it considers federal functional regulators to be included in this category of law enforcement activity.²
Treasury officers and employees could gain access if their official duties require such disclosure or inspection.
State, local and tribal governments could gain access to the database with court authorization.
Foreign law enforcement and agencies that meet certain criteria could gain access.³

The Access NPRM also specifies how recipients of the BOI would need to protect against unauthorized disclosure. The proposed protocols vary by recipient category but would generally require BOI recipients to have standards and procedures for storing the information in a secure system to which only authorized personnel have access and only for authorized purposes. Audit requirements would apply when prudent or mandated by the CTA, as would requirements to certify compliance with the statute and proposed regulations. FinCEN also would require authorized recipients to maintain key information about specific BOI searches or requests.⁴ Finally, the Access NPRM also provides that unauthorized disclosure of BOI is unlawful. In the fact sheet accompanying the release of the Access NPRM, FinCEN stated that violations of the proposed security and confidentiality requirements could result in significant penalties under the CTA, including both civil and criminal penalties of up to 10 years imprisonment and suspensions or debarments from access to the BOI information technology system.

The Access NPRM additionally addresses when and how reporting companies may report FinCEN identifiers tied to entities. Under these provisions, reporting companies would be allowed, in certain instances, to report a FinCEN identifier instead of BOI associated with a particular beneficial owner. A FinCEN identifier is a unique identifying number that FinCEN will issue to individuals or entities upon request. The September 2022 BOI Reporting Rule provided processes for obtaining, updating and using FinCEN identifiers, but reserved for further consideration certain provisions concerning the use of a FinCEN identifier issued to an entity. The Access NPRM includes proposed amendments to the reporting regulations concerning these provisions and, specifically, the submission of a FinCEN identifier in lieu of BOI for intermediate entities whose beneficial owners are also beneficial owners of the reporting company. Under the proposal, the following conditions would need to be satisfied for a reporting company to use a FinCEN identifier for an intermediate entity: (1) the intermediate entity has obtained a FinCEN identifier and provided it to the reporting company; (2) the individual is a beneficial owner by virtue of an interest in the reporting company that the individual holds through the intermediate entity; and (3) only the individuals that are beneficial owners of the intermediate entity are beneficial owners of the reporting company, and vice versa. Under the third prong, by way of example, if two individuals were beneficial owners of an intermediate entity under the BOI Reporting Rule but only one had a large enough interest in the intermediate entity to constitute a beneficial ownership interest in the reporting entity under that rule, the reporting entity could not use the intermediate entity’s FinCEN identifier. These requirements are necessary to prevent inaccuracies from entering the beneficial ownership IT system as a result of under- or over-reporting.

FinCEN is soliciting feedback from the industry on these issues. Notably, FinCEN has asked the following questions:

FinCEN proposes that FIs be required to obtain the reporting company’s consent in order to request the reporting company’s BOI from FinCEN. FinCEN invites commenters to indicate what barriers or challenges FIs may face in fulfilling such a requirement, as well as any other considerations.
FinCEN proposes to define “customer due diligence requirements under applicable law” to mean the bureau’s 2016 CDD Rule, as it may be amended or superseded pursuant to the AML Act. The 2016 CDD Rule requires FIs to identify and verify beneficial owners of legal entity customers. Should FinCEN expressly define “customer due diligence requirements under applicable law” as a larger category of requirements that includes more than identifying and verifying beneficial owners of legal entity customers? If so, what other requirements should the phrase encompass? How should the broader definition be worded? It appears to FinCEN that the consequences of a broader definition of this phrase would include making BOI available to more FIs for a wider range of specific compliance purposes, possibly making BOI available to more regulatory agencies for a wider range of specific examination and oversight purposes, and putting greater pressure on the demand for the security and confidentiality of BOI. How does the new balance of those consequences created by a broader definition fulfill the purpose of the CTA?
If FinCEN wants to limit the phrase “customer due diligence requirements under applicable law” to apply only to requirements like those imposed under its 2016 CDD Rule related to FIs identifying and verifying beneficial owners of legal entity customers, are there any other comparable requirements under federal, state, local, or tribal law? If so, please specifically identify these requirements and the regulatory bodies that supervise for compliance with or enforce them.

Written comments on this proposed rule may be submitted on or before February 14, 2023. This proposed rule is the second of three rulemakings planned to implement the CTA. The first rulemaking was the BOI Reporting Rule finalized on September 30, 2022. The third rulemaking in the trio will revise FinCEN’s CDD rule no later than one year after the effective date of the BOI Reporting Rule (January 1, 2024).

For additional information on BSA/AML reform, including FinCEN efforts under the AML Act, please visit Arnold & Porter’s BSA/AML Reform Resource Center, where we track the legal developments and rulemaking resulting from the AML Act and provide our insights on the impact on the financial services industry. Financial institutions with questions about the proposed rule or the notice and comment process may contact any of the authors or their usual Arnold & Porter contact. The firm’s Financial Services team would be pleased to assist with any questions about the proposed reform or BSA/AML compliance and enforcement more broadly.

* * *

On February 1, 2023, from 12:00 to 2:00 pm ET, please join Arnold & Porter for our annual discussion of regulatory and enforcement trends in the year ahead for AML and sanctions, drawing on insight and experiences from attorneys in our Financial Services, White Collar Defense & Investigations, Anti-Corruption, and Securities & Enforcement and Litigation practices. Discussion topics will include regulatory compliance challenges in 2023, AML Act implementation, trends and predictions in global enforcement and investigations, changes in the sanctions landscape, and much more. Register for the webinar here. Additional details are forthcoming.

© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

See Beneficial Ownership Information Reporting Requirements (BOI Rule), 87 FR 59498, Sept. 30, 2022.
“Law enforcement activity” would include both criminal and civil investigations and actions, such as actions to impose civil penalties, civil forfeiture actions and civil enforcement through administrative proceedings.
Foreign requesters would have to make their request either (1) under an international treaty, agreement or convention or (2) via a request made by law enforcement, judicial or prosecutorial authorities in a trusted foreign country. Requests made under international treaties or other agreements would be subject to different requirements and procedures than requests made in situations when no such agreements apply.
Memoranda of Understanding or other agreements with authorized recipients would describe applicable requirements in detail.