On December 15, 2022, the Financial Crimes Enforcement Network (“FinCEN”) of the Department of the Treasury announced a Notice of Proposed Rulemaking (the “Access Rule NPRM”) to implement the requirements of the Corporate Transparency Act (“CTA”) with respect to access to beneficial ownership information (“BOI”) reported to FinCEN under the CTA. The Access Rule NPRM would implement the CTA’s provisions on who may access BOI held by FinCEN, the circumstances under which access may be granted, and the conditions regarding use, security, and oversight of BOI. Separately, it proposes an approach to the use of “FinCEN identifiers” for corporate entities that FinCEN’s final BOI Reporting Rule left unaddressed.
The Access Rule NPRM may disappoint financial institutions interested in understanding how the CTA might facilitate compliance with existing know-your-customer and customer due diligence (“CDD”) obligations under the Bank Secrecy Act (“BSA”) and other anti-money laundering (“AML”) laws and regulations. This is because it proposes to allow access only to a limited set of financial institutions, and for a single, narrow purpose—requesting BOI for specific customers in order to comply with FinCEN’s 2016 customer due diligence rule (the “CDD Rule”). Access would not be granted for broader BSA/AML compliance efforts, despite its potentially broader utility (for example, in transaction monitoring and investigations of suspicious activity). Access would also entail additional regulatory burdens and subject financial institutions to examination for compliance with the rule’s use and information security requirements.
Comments on the Access Rule NPRM are due February 14, 2023.
The CTA requires a range of U.S. legal entities and non-U.S. legal entities registered to do business in the United States to report BOI to FinCEN, which FinCEN will retain in a secure, non-public database. The Access Rule NPRM is the second of three separate rulemakings to implement the CTA. As described in our alert memorandum, FinCEN finalized the Reporting Rule on September 30, 2022. The Reporting Rule addresses who must report BOI and what BOI is required to be reported, and provides that the CTA’s reporting requirements will become effective January 1, 2024. The third rulemaking, which will make changes to conform FinCEN’s CDD Rule to the CTA, is due one year after the Reporting Rule becomes effective, and has not yet been proposed.
Separately, FinCEN is in the process of building the IT infrastructure to receive and securely retain BOI, and has proposed a variety of other outreach and guidance activities in advance of the Reporting Rule’s effective date. FinCEN continues to warn, however, that resource constraints may limit its implementation and outreach efforts.
Access to BOI under the NPRM
The Access Rule NPRM would authorize FinCEN to disclose BOI to specified categories of recipients, and would impose unique requirements and restrictions with respect to each category of recipient.
- Financial institutions: Certain financial institutions would be given limited access to BOI information held by FinCEN, but only for the purpose of complying with the CDD Rule. Access would be limited to submitting a specific query to FinCEN regarding a specific reporting company, in order to receive the registry’s BOI information for that company. Financial institutions would not have the ability to run open-ended queries or to receive multiple search results. For each request, the financial institution would need to certify that (1) it is requesting the information to facilitate its compliance with the CDD Rule, (2) it obtained the written consent of the reporting company to access its BOI, and (3) the other requirements of the rule have been fulfilled.
Only financial institutions subject to the CDD Rule—including banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities—would be permitted to submit requests to FinCEN under the Access Rule NPRM. Other financial institutions with BSA/AML obligations, such as money services businesses, would not be given access.
- Federal agencies: When engaged in national security, intelligence, or law enforcement activity, authorized users from federal agencies would be able to log in to the beneficial ownership IT system directly, run queries using multiple search fields, and review one or more results immediately. The NPRM defines “law enforcement activity” to include not only criminal investigations, but also civil investigations and actions, such as actions to impose civil penalties, civil forfeiture actions, and civil enforcement through administrative proceedings.
- State, local, and Tribal law enforcement agencies: If a court of competent jurisdiction has authorized a state, local, or Tribal law enforcement agency to seek BOI in a criminal or civil investigation (and FinCEN has reviewed and approved the request), the agency could then conduct searches within the beneficial ownership IT system using the same search functionality available to federal agencies. The NPRM defines “law enforcement agency” broadly to include any agency authorized by law to engage in the investigation or enforcement of civil or criminal violations of law.
- Foreign law enforcement agencies, judges, prosecutors, central authorities and competent authorities (“foreign requesters”): Foreign requesters would be required to make their requests for BOI through intermediary federal agencies. In addition to meeting other criteria, requests from foreign requesters would have to be made either (1) under an international treaty, agreement, or convention or (2) via a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country. Foreign requesters would not have direct access to the beneficial ownership IT system. Instead, they would rely on the intermediary federal agency to retrieve and furnish the requested BOI.
- Federal functional regulators and self-regulatory organizations: Federal functional regulators would be able to request BOI that the financial institutions they supervise have already obtained from FinCEN for purposes of assessing a financial institution’s compliance with the CDD Rule. Separately, when engaged in law enforcement activity, the federal functional regulators would be able to access BOI in the broader way described above. Self-regulatory organizations (“SROs”), like the Financial Industry Regulatory Authority or the National Futures Association, would not be able to directly access BOI, but financial institutions would be permitted to re-disclose BOI to SROs.
- Department of the Treasury: BOI would be available to any Treasury officer or employee (1) whose official duties require BOI inspection or disclosure or (2) for tax administration.
Security and Oversight Provisions
The Access Rule NPRM would require recipients to have standards and procedures for storing the information in a secure system to which only authorized personnel have access and only for authorized purposes.
Financial institutions would be required to develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI as a precondition for receiving BOI. The Access Rule NPRM does not propose specific safeguards, but it proposes that compliance with the security and information handling procedures necessary to comply with the data privacy provisions of section 501 of the Gramm-Leach-Bliley Act and its implementing regulations would be deemed to satisfy that requirement. In addition, financial institutions would be prohibited from sharing BOI with personnel and agents outside the United States, which FinCEN suggests is necessary to ensure foreign governments do not access BOI without following CTA procedures for access.
Domestic agencies would be subject to separate requirements, including entering into a memorandum of understanding with FinCEN specifying the standards, procedures, and systems that the agency would be required to maintain to protect BOI.
Violations and Penalties
The CTA provides for both civil and criminal penalties for knowing disclosure or use of BOI in a way that is not authorized by the CTA. The Access Rule NPRM would clarify that accessing BOI without authorization would be an example of unauthorized use of BOI, as would a violation of the security and oversight provisions described above.
Separate from the proposed approach to accessing BOI, the Access Rule NRPM also proposes to resolve an issue left unaddressed in the Reporting Rule. The CTA provides an option for individuals and companies to obtain unique “FinCEN identifiers” from FinCEN, and for reporting companies to provide those FinCEN identifiers, rather than the underlying BOI, in reports to FinCEN. The Access Rule NPRM would limit the circumstances in which an intermediate entity’s FinCEN identifier can be provided. It would permit a reporting company to report an intermediate entity’s FinCEN identifier instead of an individual beneficial owner’s BOI only when:
- the intermediate entity has obtained a FinCEN identifier and provided it to the reporting company;
- the individual is a beneficial owner by virtue of an interest in the reporting company that the individual holds through the intermediate entity; and
- only the individuals that are beneficial owners of the intermediate entity are beneficial owners of the reporting company, and vice versa.
 Beneficial Ownership Information Reporting Requirements, 87 Fed. Reg. 77,404 (NPRM) (Dec. 16, 2022). The Access Rule NPRM follows (1) an advanced notice of proposed rulemaking released in April 2021 where FinCEN invited comments on a broad range of topics associated with the CTA and (2) adoption of a final rule implementing the CTA’s BOI reporting requirements (the “Reporting Rule”). Beneficial Ownership Information Reporting Requirements, 86 Fed. Reg. 17,557 (ANPRM) (Apr. 5, 2021); Beneficial Ownership Information Reporting Requirements, 87 Fed. Reg. 59,498 (final rule) (Sept. 30, 2022).
 The CTA was enacted as part of the Anti-Money Laundering Act of 2020. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283, 134 Stat. 3388 §§ 6001-6511 (2020).
 Customer Due Diligence Requirements for Financial Institutions, 81 Fed. Reg. 29,397 (May 11, 2016).
 See, e.g., Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness, 66 Fed. Reg. 8,616 (Feb. 1, 2001).
 This is in stark contrast to the current framework, under which sharing of beneficial ownership information collected through compliance with the CDD Rule may, subject to other applicable laws, be shared with non-U.S. affiliates and parents. Currently, even suspicious activity reports may be shared with non-U.S. parent companies. The non-U.S. parents of U.S. financial institutions should consider whether these BOI access restrictions could raise conflicts with home country AML obligations. For example, EU financial institutions are required under Commission Delegated Regulation 2019/758 to inform their home country regulator of restrictions on sharing customer data for AML purposes within the group, assess the risks arising from such restrictions, and seek consent (where feasible) to the sharing of data or implement additional measures to manage the resulting AML risks.