On Dec. 15, 2022, the Financial Crimes Enforcement Network (FinCEN) issued a proposed regulation governing access to, and the protection of, beneficial ownership information (BOI) that companies are required to report under a recently finalized federal regulation.

As discussed in a previous Taft law bulletin, FinCEN issued a final regulation in September 2022 under the Corporate Transparency Act (CTA) that requires most domestic companies and certain foreign companies to file a report with the federal government identifying the company’s beneficial owners. That regulation takes effect on Jan. 1, 2024, and reporting companies in existence prior to that date must file an initial report no later than Jan. 1, 2025.

The latest proposal — the so-called “access rule” — is FinCEN’s second installment of regulations mandated by the CTA. The proposed regulation governs access to BOI,  permissible purposes for using BOI, and measures designed to protect BOI from unauthorized use and disclosure.

As authorized recipients of BOI under the CTA, financial institutions with customer due diligence (CDD) requirements should carefully examine the proposed rule’s requirements for, and restrictions related to, the use of BOI in carrying out CDD compliance obligations. Below is a brief summary of provisions related to financial institutions, followed by a discussion of a few issues for financial institutions to consider.

For what purpose may a financial institution use BOI?

Consistent with the CTA, the proposed regulation provides that financial institutions may access BOI only to the extent that disclosure of the information facilitates the institution’s CDD requirements under applicable law. FinCEN has defined “customer due diligence requirements under applicable law” in the proposed rule to mean FinCEN’s CDD regulations under 31 C.F.R. § 1010.230.

How may a financial institution obtain access to BOI?

The proposed regulation requires the financial institution to obtain the consent of the reporting company before requesting BOI from FinCEN. For each BOI request, the financial institution must make a written certification that it is requesting the information to facilitate compliance with CDD requirements, that it has obtained the reporting company’s written consent to request the BOI, and that it has fulfilled security and confidentiality requirements which will be discussed below.

In terms of receiving BOI, FinCEN contemplates that financial institutions will have direct access to the forthcoming FinCEN BOI database but will have limited search capability within that database. Unlike domestic government agencies — who will have the capability to run broader searches in the BOI database — financial institutions will be permitted to search the database using only information specific to the reporting company. In return, the financial institution will receive an electronic transcript containing BOI only for that company. FinCEN justifies this more limited access based on the constraints placed upon financial institutions in the CTA itself, though the CTA does not expressly call for financial institutions to have limited access to reported BOI.

May financial institutions “re-disclose” BOI received from FinCEN?

The proposed regulation provides that any individual authorized to receive BOI is prohibited from disclosing it, except as expressly authorized, and then goes on to list express authorizations for such “re-disclosure.” With respect to financial institutions, the proposed regulation expressly permits personnel to re-disclose BOI where the re-disclosure:

(1) Is made to others within the same institution;
(2) Is made for the same activity and purpose for which the information was originally obtained; and
(3) Is made only to personnel physically located in the United States.

Additionally, financial institution personnel may re-disclose BOI to regulators or other agencies where the disclosure is for the purpose of fulfilling CDD obligations.

What other security and confidentiality measures regarding BOI apply to financial institutions?

The proposed regulation provides that financial institutions may allow access to BOI only to personnel located in the United States. Financial institutions also must employ adequate security and information handling procedures with respect to BOI. The proposed rule provides that security and information handling procedures necessary to comply with the Gramm-Leach-Bliley Act, if applied to BOI, will satisfy CTA requirements.

What are the penalties for misuse and unauthorized disclosure of BOI?

The proposed regulation makes it unlawful for any person to knowingly disclose or knowingly use BOI in a manner not authorized by the CTA or its implementing regulations. Unauthorized use is defined to include accessing BOI without authorization, and any violation of the security and confidentiality requirements set out in the proposed regulation.

Penalties for these violations are outlined in the CTA, which provides for civil penalties in the amount of $500 for each day a violation continues or has not been remedied and for criminal penalties that include a fine of not more than $250,000, imprisonment for not more than five years, and enhanced penalties for cases involving other illegal activity.

In addition to civil and criminal penalties, the proposed regulation provides FinCEN with authority to permanently debar or temporarily suspend any requesting party from receiving or accessing BOI if FinCEN finds that the information has been used for an unlawful purpose.

Issues for consideration

Financial institutions should note that FinCEN has requested that written comments to the proposed regulation be submitted on or before Feb. 14, 2023.

When assessing the proposed rule, financial institutions should carefully examine provisions that may impede CDD processes in cases where BOI is requested to allow the financial institution to comply with CDD obligations. For example, because many financial institutions operate internationally and the BOI reporting regulation applies to certain foreign companies, financial institutions should consider whether potential problems may arise from the proposed rule’s geographic restrictions related to the disclosure and re-disclosure of BOI. Similarly, financial institutions should consider whether limited search capability within the BOI database may hinder CDD efforts.

Additionally, financial institutions should consider what modifications to existing CDD processes and procedures, or information systems, may be necessary to ensure compliance with the proposed rule. While financial institutions are not required to request BOI from FinCEN in all cases, financial institutions should work now to ensure their processes and information systems comply with the rule so BOI can be requested by the institution when needed.

Finally, financial institutions should expect at least one more set of proposed regulations from FinCEN that should provide further clarity with respect to how the BOI access rule will intersect with CDD requirements. The CTA requires FinCEN to make amendments to existing CDD requirements to bring those requirements into conformity with the CTA.  The acting director of FinCEN, in remarks on Dec. 6, 2022, indicated that FinCEN is working to complete that task, which is due no later than Jan. 1, 2025. In comments accompanying the proposed access rule, FinCEN stated it anticipates that the CDD rule revisions “will touch on the issue of the interplay between financial institutions’ CDD efforts and the beneficial ownership IT system that FinCEN is developing to receive, store, and maintain BOI.”

Dominick Gerace is a partner in Taft’s Compliance, Investigations, and White Collar Defense practice and is a Certified Anti-Money Laundering Specialist. If you have any questions regarding the information in this bulletin, please contact the author or the Taft attorney with whom you regularly work.