FinCEN releases proposed rule on access to beneficial ownership registry
The proposed rule is the second step in creating a national registry of beneficial ownership information and would govern access to and the protection of information in the registry.
On December 15, 2022, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking that, when finalized, will establish the standards for financial institutions and government entities to access beneficial ownership information (BOI) reported to FinCEN (the Access Rule or the Proposed Rule). The Access Rule is the second of three rulemakings implementing the Corporate Transparency Act (CTA), a statute intended to enhance transparency in the ownership of corporate entities in the United States through the creation of a national registry of BOI (the Registry). As described in our recent client update, on September 30, 2022, FinCEN published the final Beneficial Ownership Information Reporting Rule (the BOI Reporting Rule), which will require certain legal entities to submit to FinCEN a report containing beneficial owner and company applicant information for the reporting company. The Access Rule will govern access to and safeguarding of BOI submitted to FinCEN pursuant to the BOI Reporting Rule. The third and final rulemaking will make conforming amendments to the beneficial ownership requirements of FinCEN’s existing Customer Due Diligence (CDD) Rule.
Under the Access Rule, FinCEN will only permit certain government entities and financial institutions to access BOI, including (1) Federal, State, local and Tribal officials for national security, law enforcement, and intelligence activities, as well as certain foreign law enforcement, judicial, and government entities; (2) Federal functional regulators acting in a supervisory capacity; and (3) financial institutions subject to the CDD Rule’s beneficial ownership requirements. The Access Rule also provides a detailed framework for ensuring that BOI is subject to cyber security controls, confidentiality protections, and oversight measures. Finally, the Access Rule proposes amendments to the BOI Reporting Rule regarding the use of FinCEN identifiers.
While the Access Rule provides insight as to how FinCEN intends to administer the Registry, important questions and issues remain. For example, it is not clear to what extent banks and other financial institutions are expected or required to use the Registry or may (or must) continue to rely on current CDD procedures. Moreover, the Access Rule only authorizes "covered financial institutions" to access BOI, meaning cryptocurrency companies and other entities registered as money service businesses (MSBs) will not have access to BOI despite the anti-money laundering (AML) and other illicit finance risks they face. Finally, FinCEN has stated that it continues to face resource constraints in developing and deploying the Registry, and there are many areas that will need additional investment.
Given the potential challenges and operational issues presented by the Access Rule, financial institutions should avail themselves of the opportunity to provide feedback to FinCEN; comments are due on February 14, 2023.
Access to BOI under the Proposed Rule
The BOI Reporting Rule and the registry
The BOI Reporting Rule requires certain new and existing corporate entities (Reporting Companies) to file reports with FinCEN that identify their beneficial owners and company applicants. The BOI will be housed in the Registry and will be made available to authorized recipients through various means, in accordance with the Access Rule’s requirements.
Standards for access under the Proposed Rule
The CTA and Access Rule authorize FinCEN to disclose BOI to five categories of recipients: (1) financial institutions to facilitate compliance with CDD requirements under applicable law; (2) U.S. Federal, State, local, and Tribal government agencies requesting BOI for specified purposes; (3) foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (Foreign Requesters); (4) Federal functional regulators and other regulatory authorities when assessing financial institutions for compliance with CDD requirements; and (5) the U.S. Department of the Treasury. The CTA and Access Rule impose specific requirements for each authorized recipient category, including limitations on the scope of information that can be accessed, the purposes for which BOI may be used, restrictions on re-disclosure of BOI, data security requirements, and training requirements for personnel that will access BOI.
The Access Rule authorizes FinCEN to disclose BOI to the "covered financial institutions" that are subject to the beneficial ownership requirements of the CDD Rule, which are banks, mutual funds, securities brokers and dealers, futures commission merchants, and introducing brokers in commodities. Other financial services companies that are not subject to the CDD Rule, such as MSBs (a classification that includes many cryptocurrency companies), will therefore not be granted access to BOI under the Proposed Rule. FinCEN interpreted the CTA as only authorizing the disclosure of BOI to financial institutions to facilitate compliance with “customer due diligence requirements under applicable law,” which FinCEN believes is a reference to the CDD Rule. FinCEN solicited public comment, however, on whether the agency should adopt a broader interpretation of the statutory language. Given that MSBs and other types of financial institutions are also subject to AML risks, and could benefit from access to BOI, their exclusion from the scope of the Access Rule is a significant omission.
FinCEN has committed to clarifying the manner and technical procedures for financial institutions to access BOI in subsequent guidance (and has yet to provide significant details in that regard). FinCEN noted in the Proposed Rule, however, that financial institutions will likely not be permitted to run “open-ended queries in the beneficial ownership IT system or to receive multiple search results,” but would instead be required to “submit identifying information specific to a reporting company and receive in return an electronic transcript with that entity’s BOI.” Financial institutions may only request BOI after obtaining a customer’s consent, and prior to requesting BOI from FinCEN they would be required to certify that they have obtained such consent and are requesting the information to facilitate compliance with CDD requirements. FinCEN further expects financial institutions to maintain procedures, including employee training, to ensure that the requirements of the Access Rule are satisfied and that appropriate records are maintained.
Under the Access Rule, FinCEN may also disclose BOI to Federal functional regulators, Federal and state law enforcement, the Treasury Department, and certain Foreign Requesters. The Access Rule imposes specific conditions for each of these categories of recipients to obtain BOI:
- Federal functional regulators may request BOI from FinCEN that has previously been provided to the financial institutions that they supervise, for purposes of assessing a financial institution’s compliance with CDD requirements. Federal functional regulators would also be permitted to search the Registry directly for purposes of law enforcement activity (e.g., a civil enforcement action). Self-regulatory organizations (SROs)—e.g., the Financial Industry Regulatory Authority and the National Futures Association—would not be permitted to access the Registry directly, but Federal functional regulators would be permitted to share BOI with SROs to facilitate the examination of a financial institution’s compliance with the CDD Rule.
- Federal agencies engaged in national security, intelligence, or law enforcement activity (both civil and criminal) would be permitted to search the Registry directly for a specified purpose, provided that they submit a written certification to FinCEN that explains the relevancy of the BOI to the specified purpose and only use the BOI for that purpose. State, local, and Tribal law enforcement agencies would similarly be permitted to access the Registry if they submit documentation to FinCEN showing that “a court of competent jurisdiction” has authorized the agency to seek the information in a criminal or civil investigation.
- Foreign Requesters would be permitted to request BOI from FinCEN in two scenarios: (1) through intermediary Federal agencies pursuant to an international treaty, agreement, or convention or (2) through a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country, which FinCEN will determine on a case-by-case basis.
Security, confidentiality, disclosure, and violations/penalties
Limitations on re-disclosure of information by authorized recipients
Under the Access Rule, authorized recipients of BOI may only use BOI for the particular purpose or activity for which it was disclosed and are prohibited from re-disclosing BOI outside of certain enumerated scenarios. Authorized recipients that fail to follow any applicable use of information limitations risk losing the ability to receive BOI in the future and may be subject to the penalties discussed below. Some of the circumstances in which BOI may be re-disclosed include the following:
- A financial institution may share BOI with (A) its Federal functional regulator; (B) a qualifying SRO; and (C) any other appropriate regulatory agency. In addition, officers, employees, contractors and agents of a financial institution may re-disclose BOI to other officers, employees, contractors and agents of the financial institution as long as the individuals are physically present within the U.S.
- Federal, State, local and Tribal agencies are allowed to re-disclose BOI to others within their organizations if (A) the re-disclosure is consistent with the security and confidentiality requirements of the Access Rule, or applicable internal Treasury policies, procedures, orders or directives; and (B) is in furtherance of the same purpose for which the BOI was requested. Federal, State, local, and Tribal agencies are also allowed to disclose BOI to a court of competent jurisdiction or parties to a civil or criminal proceeding.
- FinCEN may authorize disclosure on a case-by-case basis.
Financial institutions may find the restriction on disclosing BOI to employees, contractors and agents working in foreign jurisdictions to be particularly challenging. For example, domestic and international financial institutions often outsource BSA/AML compliance functions, tasking foreign employees, contractors and agents with conducting certain compliance activities, such as CDD. Under the Access Rule, these financial institutions would be prohibited from disclosing BOI to any personnel located outside of the U.S., even if such personnel are assisting with CDD Rule compliance. In addition, in January 2022, FinCEN issued a proposed rule that, when finalized, would establish a limited-duration pilot program that would allow financial institutions to share suspicious activity reports (SARs) with their foreign business units, and financial institutions have long had limited authority to share SAR information with controlling parents. Given the restrictions on the re-disclosure of BOI to foreign jurisdictions, financial institutions may find it difficult to determine whether and to what extent they may share SARs that contain BOI with their foreign affiliates.
Security and confidentiality requirements
The Access Rule establishes several protocols to prevent the unauthorized disclosure of BOI and to ensure that BOI is used solely for the purposes described in the CTA. The security and confidentiality requirements imposed upon each authorized recipient differ based on the level of access each has to BOI. For example:
- Financial institutions. The Access Rule requires financial institutions to develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI as a precondition for receiving BOI, following a principles-based approach. While the Access Rule does not prescribe any specific safeguards, it establishes that security and information handling procedures must align with the standards required under section 501 of the Gramm-Leach-Bliley Act and its implementing regulations. FinCEN expects financial institutions to establish protocols to ensure that records are maintained for audit and oversight, and to provide training to relevant personnel, who must also complete FinCEN-provided online training. FinCEN also expects compliance with the Access Rule to be assessed by Federal functional regulators during the course of safety and soundness examinations or by SROs during their routine BSA examinations.
- Government agencies and Foreign Requesters. The Access Rule requires each requesting domestic agency to enter into a memorandum of understanding (MOU) with FinCEN before obtaining BOI, which will specify the standards, procedures, and systems that the agency will maintain to protect BOI. Foreign Requesters would be required to handle and disclose BOI in a manner consistent with any treaty, agreement, or convention underlying the request for BOI and, if there is no underlying international agreement, Foreign Requesters would be required to implement security standards comparable to those they apply to the most sensitive unclassified information they handle.
Violations and penalties
Pursuant to the CTA, the Access Rule provides for civil and criminal penalties that may be imposed for violations of the rule. Violations of the CTA may result in a civil penalty of $500 per day for each violation that continues or has not been remedied. Criminal penalties may result in a fine of no more than $250,000 or imprisonment for not more than 5 years (or both).
Proposed amendments to BOI Reporting Rule
The Access Rule also includes proposed amendments to the BOI Reporting Rule. As described in our previous Client Update, the BOI Reporting Rule introduces the concept of a FinCEN identifier, a unique identifying number that FinCEN will issue to individuals who have provided FinCEN with their BOI and to reporting companies that have filed initial BOI reports. The Access Rule provides useful clarity with respect to how reporting companies may report an intermediary entity's FinCEN identifier in lieu of a beneficial owner's BOI. Specifically, the proposed amendment would allow a reporting company to use an intermediate entity’s FinCEN identifier only if the two entities have the same beneficial owners.
Questions for comment and open issues
FinCEN requested public comment on the Access Rule generally and on several specific substantive topics. Given the numerous operational considerations (and potential challenges) that access to BOI presents for financial institutions, interested stakeholders are encouraged to avail themselves of the opportunity to comment. Notable topics on which FinCEN requests comment include:
- Availability of BOI to other financial services entities;
- Obtaining customer consent;
- Re-disclosure of BOI;
- Sharing of BOI outside the United States; and
- Data security standards for BOI.
Beyond the specific issues raised by FinCEN, the Access Rule presents a number of questions for stakeholders. The Access Rule will require financial institutions to implement a range of updates to their policies and procedures covering, among other things: access, storage, and sharing of BOI; obtaining and documenting customer consent; cyber security protocols; employee training; and potential changes to onboarding procedures. Regulators’ compliance expectations with respect to each of those requirements and the expected timeline for their implementation remain unclear. Likewise, until the CDD Rule is amended (and absent further guidance from FinCEN), it is unclear to what extent financial institutions will be expected or required to use the Registry as part of their CDD procedures, or whether they may or must continue to rely on existing CDD procedures. Relatedly, FinCEN has not yet specified what financial institutions will be expected or required to do if they identify a discrepancy between information in the Registry and their own internal records. More broadly, until FinCEN both amends the CDD Rule and issues technical guidance on the Access Rule and the BOI Reporting Rule, it is uncertain what (if any) changes financial institutions will need to make to their AML compliance programs.
Significant work remains in implementing the CTA, as FinCEN grapples with limited staffing and resources. Although FinCEN has stated that it expects the Registry to go live by January 1, 2024, this timeline appears aggressive given the agency’s limited resources and the other rulemakings on its docket. Despite the uncertainty regarding timing, the standards imposed under the Access Rule will likely be material to financial institutions' AML compliance programs moving forward. The Access Rule’s comment period offers an important opportunity to weigh in on the final rule for stakeholders, including financial institutions that will rely on FinCEN’s Registry as well as those that would not have access to BOI under the current language of the Proposed Rule.
 For example, the CDD Rule has a narrower definition of “beneficial owner” than that in the BOI Reporting Rule and its exemptions to the definition of "legal entity customer" do not align with the exemptions to the "reporting company" definition in the BOI Reporting Rule. See 31 CFR § 1010.230.
 For domestic Reporting Companies (i.e., entities established in the U.S.), the “company applicant” is the individual who files the document that creates the entity. For foreign Reporting Companies (i.e., entities established in foreign jurisdictions), the company applicant is the individual who files the document that registers the entity to do business in the U.S.
 In contrast, other countries such as the United Kingdom have established public databases of beneficial owners in order to promote transparency in the ownership of corporate entities. The CTA treats all BOI as highly sensitive (even those details that might already be publicly available through local secretaries of state), and this policy is reflected in the restrictions on access and disclosure imposed under the Access Rule.
 31 CFR § 1010.230.
 31 CFR § 1010.605(e)(1).
 FinCEN noted, for example, that the due diligence activities that financial institutions conduct pursuant to the agency’s Customer Identification Program Rule could theoretically be considered “customer due diligence.”
 FinCEN anticipates that financial institutions “would be able to make the certification via a checkbox when requesting BOI via the beneficial ownership IT system.”
 The Federal functional regulators that regulate financial institutions subject to the CDD Rule are the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC).
 The Access Rule would define “national security activity” as any “activity pertaining to the national defense or foreign relations of the United States, as well as activity to protect against threats to the security or economy of the United States.”
 The Access Rule extends the restrictions on re-disclosure to any individual who has received BOI, regardless of whether they continue to serve in the position through which they were authorized to receive BOI.
 FinCEN has clarified that the limitation that BOI only be disclosed to individuals in the U.S. prevents foreign government agencies from circumventing the Access Rule and obtaining BOI by serving a judicial or administrative warrant, summons or subpoena directly on a foreign entity as opposed to submitting the request through an intermediary Federal agency.
 As previously noted, Federal functional regulators are allowed to disclose BOI to qualifying SROs, specifically for examinations for compliance with the CDD Rule.
 See 15 U.S.C. 6801(b) and 6805. Section 501 of the Gramm-Leach-Bliley Act requires each Federal functional regulator to establish appropriate standards for the financial institutions subject to its jurisdiction relating to administrative, technical, and physical safeguards to (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. The Federal functional regulators have implemented these requirements in different ways. For example, the OCC, FRB, FDIC, and NCUA have issued the standards in the form of interagency guidelines, while the CFTC and SEC have incorporated the Gramm-Leach-Bliley standards into their regulations, respectively 17 CFR § 160 and 17 CFR § 248.30(a).
 The Access Rule would also require all requesting agencies to limit, to the greatest extent practicable, the amount of BOI that the agency seeks, consistent with the stated purpose of the BOI.
 Foreign Requesters that request and receive BOI under an applicable international treaty, agreement, or convention would not have these requirements under the Access Rule, given that such requesters would be governed by standards and procedures under the applicable international treaty, agreement, or convention.
 If a person commits a violation of the CTA while violating another U.S. law or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period, the criminal penalty may result in a fine of up to $500,000 or imprisonment of not more than 10 years (or both).