Fact Sheet: Beneficial Ownership Information Access and Safeguards Notice of Proposed Rulemaking (NPRM)
December 15, 2022
Today, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) (the “Access NPRM”) to implement the beneficial ownership information (BOI) access and safeguard provisions of the Corporate Transparency Act (CTA). The Access NPRM proposes regulations that would establish who may request BOI that will be reported to FinCEN starting on January 1, 2024, who may receive it, how recipients may use the information, how they must secure it, and the penalties for failing to follow applicable requirements. The Access NPRM also discusses aspects of the secure, non-public information technology (IT) system that FinCEN is building to store BOI and manage disclosures. It also proposes rules specifying when and how reporting companies may report FinCEN identifiers tied to entities.
The proposed rule reflects FinCEN’s commitment to creating a highly useful database for authorized BOI recipients while protecting this sensitive information from unauthorized disclosure.
The following is a general overview of key elements of the Access NPRM. Please refer to the full NPRM for further details, including important definitions.
Authorized Recipients
- The CTA authorizes FinCEN to disclose BOI under specific circumstances to five general categories of recipients: (1) U.S. Federal, state, local, and Tribal government agencies requesting BOI for specified purposes; (2) foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (foreign requesters); (3) financial institutions (FIs) using BOI to facilitate compliance with customer due diligence (CDD) requirements under applicable law; (4) Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing FIs for compliance with CDD requirements; and (5) the U.S. Department of the Treasury (Treasury) itself. In accordance with the CTA, the regulations proposed in the NPRM would impose upon each recipient category unique requirements and restrictions. General information about the recipient categories follows.
- Under the proposed rule and as authorized by the CTA, FinCEN would disclose BOI to Federal agencies engaged in national security, intelligence, or law enforcement activity if the requested BOI is for use in furtherance of such activity. Authorized users from qualifying Federal agencies would be able to log in to the beneficial ownership IT system directly, run queries using multiple search fields, and review one or more results returned immediately. Users would have to submit justifications to FinCEN for their searches, and these justifications would be subject to oversight and audit by FinCEN. “Law enforcement activity” here would include both criminal and civil investigations and actions, such as actions to impose civil penalties, civil forfeiture actions, and civil enforcement through administrative proceedings.
- Consistent with the CTA, the proposed rule would allow FinCEN to disclose BOI to state, local, and Tribal law enforcement agencies if “a court of competent jurisdiction” has authorized the law enforcement agency to seek the information in a criminal or civil investigation. A “court of competent jurisdiction” would be any court with jurisdiction over the criminal or civil investigation for which the state, local, or Tribal law enforcement agency requests BOI. Authorized users from these agencies would be required to upload a document issued by a court of competent jurisdiction authorizing the agency to seek BOI from FinCEN. After FinCEN has reviewed the relevant authorization and approved the request, an agency could then conduct searches within the beneficial ownership IT system using the same search functionality available to Federal agencies engaged in national security, intelligence, or law enforcement activity.
- Under the proposed rule, foreign requesters would be required to make their requests for BOI through intermediary Federal agencies. In addition to meeting other criteria, requests from foreign requesters would have to be made either (1) under an international treaty, agreement, or convention or (2) via a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country. Requests made under international treaties or other agreements would be subject to different requirements and procedures than requests made in situations when no such agreements apply. FinCEN would look to U.S. interests and priorities in consultation with other relevant U.S. government agencies when determining whether to disclose BOI to foreign requesters when no treaty or other agreement applies. In neither case would foreign requesters have direct access to the beneficial ownership IT system. They would instead rely on the intermediary Federal agencies through which they route their requests to retrieve and furnish them with requested BOI.
- Consistent with the CTA, the proposed rule would only permit FIs to request BOI from FinCEN for purposes of complying with CDD requirements under applicable law, and only with the consent of the reporting company to which the BOI pertains. FinCEN thus anticipates that an FI, instead of being able to run open-ended queries in the beneficial ownership IT system or to receive multiple search results, would submit identifying information specific to a reporting company and receive in return an electronic transcript with that entity’s BOI. This more limited information-retrieval process would reduce the overall risk of inappropriate use or unauthorized disclosures of BOI.
- The CTA authorizes Federal functional regulators and other appropriate regulatory agencies to request from FinCEN BOI that the FIs they supervise have already obtained from the bureau for purposes of assessing an FI’s compliance with CDD requirements under applicable law. To the extent regulators also engage in law enforcement activity, they would be able to access BOI for this purpose as well. Under the proposed rule, certain self-regulatory organizations (SROs) would be able to receive BOI to facilitate CDD compliance reviews under certain circumstances.
- The CTA provides Treasury with a unique degree of access to BOI, making the information available to any Treasury officer or employee (1) whose official duties require BOI inspection or disclosure or (2) for tax administration. The proposed rule tracks these authorizations. Treasury components would be permitted to use BOI for appropriate purposes, such as tax administration, enforcement actions, intelligence and analytical purposes, use in sanctions designation investigations, and identifying property blocked pursuant to sanctions, as well as for administration of the BOI framework, such as for audits, enforcement, and oversight. The Treasury Department would establish internal policies and procedures governing Treasury officer and employee access to BOI.
Safeguards and Penalties
- BOI is sensitive information. Protecting it from unauthorized disclosure is a top priority for FinCEN. The CTA imposes strict access-control protocols on “requesting agencies,” and FinCEN has used statutory authority delegated to it by the Secretary of the Treasury to propose comparable requirements for FIs, SROs, and others who may receive BOI, including contractors and other agents acting on an authorized recipient’s behalf. Robust protections are crucial to safeguarding BOI and ensuring that individuals that access BOI use it consistent with the requirements of the CTA and protect it from unauthorized disclosure.
- Proposed protocols vary by recipient category, but would generally require BOI recipients to have standards and procedures for storing the information in a secure system to which only authorized personnel have access and only for authorized purposes. Audit requirements would apply when prudent or mandated by the CTA, as do requirements to certify compliance with the statute and proposed regulations. In all cases, FinCEN would require authorized recipients to maintain for review key information about specific beneficial ownership information searches or requests. Memoranda of Understanding or other agreements with authorized recipients would describe applicable requirements in detail.
- Penalty provisions support the security and confidentiality requirements in the proposed rule. In general, the CTA makes it unlawful for any person to knowingly disclose or knowingly use BOI obtained by the person from a report submitted to, or an authorized disclosure made by, FinCEN, unless such disclosure is authorized under the CTA. Under the proposed rule, “unauthorized use” would include any unauthorized access of BOI submitted to FinCEN, including any activity in which an employee, officer, director, contractor, or agent of an authorized recipient knowingly violates applicable security and confidentiality requirements in connection with accessing such information. The CTA provides both civil and criminal penalties, including enhanced criminal penalties of up to 10 years imprisonment in some instances. Violating applicable requirements could also lead to FinCEN suspending or debarring a requester from access to the beneficial ownership IT system.
Beneficial Ownership IT System Development
- The beneficial ownership IT system will be cloud-based and will meet the highest Federal Information Security Management Act (FISMA) level – FISMA High. A FISMA High rating establishes standards for baseline information security controls to reflect that losing the confidentiality, integrity, or availability of system information would have a severe or catastrophic adverse effect on the organization maintaining the system, including on organizational assets or individuals.
- FinCEN has gathered requirements and completed initial system engineering, architectures, and program planning activities for the beneficial ownership IT system. The target date for the system to begin accepting BOI reports is January 1, 2024, the day the reporting rule takes effect.
FinCEN Identifiers
- As explained in FinCEN’s Final Beneficial Ownership Information Reporting Rule promulgated on September 30, 2022, reporting companies may in certain instances report a FinCEN identifier instead of BOI associated with a particular beneficial owner. A FinCEN identifier is a unique identifying number that FinCEN will issue to individuals or entities upon request. The Reporting Rule provided processes for obtaining, updating, and using FinCEN identifiers, but reserved for further consideration certain provisions concerning the use of a FinCEN identifier issued to an entity. The Access NPRM includes proposed amendments to the reporting regulations concerning these provisions.
- The proposed amendments would permit a reporting company to report the FinCEN identifier of an entity through which an individual is a beneficial owner of the reporting company in lieu of the individual’s BOI only when: (1) the intermediate entity has obtained a FinCEN identifier and provided it to the reporting company; (2) the individual is a beneficial owner by virtue of an interest in the reporting company that the individual holds through the intermediate entity; and (3) only the individuals that are beneficial owners of the intermediate entity are beneficial owners of the reporting company, and vice versa. These requirements are necessary to prevent over- or under-reporting of beneficial owners. Preventing inaccuracies from entering the beneficial ownership IT system is critical to make it useful.
Next Steps
- Written comments on this proposed rule may be submitted on or before February 14, 2023. This proposed rule is the second of three rulemakings planned to implement the CTA. The first rulemaking was the BOI Reporting Rule finalized on September 30, 2022. The third rulemaking in the trio will revise FinCEN’s CDD rule no later than one year after the effective date of the BOI Reporting Rule (January 1, 2024).
- FinCEN is working diligently to put in place the regulations and related processes and infrastructure to implement the CTA. FinCEN is pressing forward to complete as much of the CTA implementation work as possible with existing resources and staffing.