[34721]
December 23, 2022
TO: ICI Members SUBJECTS: Anti-Money LaunderingCompliance
Operations
Transfer Agency RE: FinCEN Proposes Rule Regarding Access to Beneficial Ownership Information
On December 15, 2022, the Financial Crimes Enforcement Network ("FinCEN") issued a proposed rule ("Proposed Rule") regarding access to beneficial ownership information ("BOI").[1] The Proposed Rule follows a recently adopted BOI reporting rule[2] ("BOI Reporting Rule") and is the second of three planned rulemakings to implement Section 6403 of the Corporate Transparency Act ("CTA"), which was enacted into law as part of the National Defense Authorization Act for Fiscal Year 2021. The Proposed Rule "would implement the strict protocols on security and confidentiality required by the CTA to protect sensitive personally identifiable information reported to FinCEN" and sets forth "the circumstances in which specified recipients would have access to BOI."[3] The Proposed Rule would also clarify when and how reporting companies would be permitted to use FinCEN identifiers to report the BOI of certain entities. FinCEN has proposed an effective date of January 1, 2024.
The proposed requirements are discussed in more detail below.
BOI Reporting Rule Background
Under the BOI Reporting Rule, reporting companies will be required to file beneficial ownership information reports containing certain specified information about the reporting company, beneficial owner(s) of the reporting company, and the company applicant(s). The effective date for the BOI Reporting Rule is January 1, 2024.[4]
Beneficial Ownership Information Infrastructure
The CTA requires FinCEN to maintain BOI "in a secure, nonpublic database, using information security methods and techniques that are appropriate to protect non-classified information security systems at the highest security level."[5] FinCEN is developing a security system to receive, store, and maintain BOI (the "system"). FinCEN reports that "the initial build of the cloud infrastructure is complete and the development of the first set of system products is in progress."[6] FinCEN is targeting January 1, 2024 as the date on which the system will begin accepting BOI reports.
Categories of Individuals Permitted to Access BOI
The Proposed Rule generally tracks the CTA requirements with respect to who may access BOI and would permit each of the categories of individuals discussed below to access BOI.
Recipients in Federal Agencies Engaged in National Security, Intelligence, or Law Enforcement Activity. FinCEN proposes to permit disclosure of BOI to Federal agencies engaged in national security, intelligence, or law enforcement activity. Access to BOI under this category is based on the type of activity that an agency is engaged in, not on the identity of the agency itself. FinCEN proposes to adopt the following definitions to clarify the types of activities for which recipients in this category may access BOI:
- National Security Activity: any activity pertaining to the national defense or foreign relations of the United States, as well as activity to protect against threats to the security or economy of the United States;
- Intelligence Activity: any activity conducted by elements of the United States Intelligence Community that are authorized pursuant to Executive Order 12333, as amended, or any succeeding executive order; and
- Law Enforcement Activity: any investigative and enforcement activities relating to civil or criminal violations of law.
Recipients in State, Local, and Tribal Law Enforcement Agencies. FinCEN proposes to permit disclosure of BOI to a State, local, or Tribal law enforcement agency "if a court of competent jurisdiction has authorized the agency to seek the information in a criminal or civil investigation."[7] FinCEN has not proposed to define what it means for a court to authorize the agency to seek BOI, instead recognizing that State, local and Tribal practices are likely to vary.
Foreign Requesters. FinCEN proposes to permit disclosure of BOI to a Federal (U.S.) agency requesting the information on behalf of a "law enforcement agency, prosecutor, or judge of another country, including a foreign central authority or competent authority, under an international treaty, agreement, convention" or, where there is no treaty, agreement, or convention that governs, based on official requests by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country.[8] The foreign request must "derive from a law enforcement investigation or prosecution, or from national security or intelligence activity, authorized under the foreign country's laws."[9]
Financial Institutions Subject to CDD Requirements. The Proposed Rule would permit FinCEN to disclose BOI to a financial institution to facilitate compliance with the financial institution's CDD requirements, provided the reporting company consents to such disclosure.[10] The Proposed Rule would define "customer due diligence requirements under applicable law" to mean FinCEN's beneficial ownership requirements pursuant to 31 C.F.R. 1010.230, which require covered financial institutions to identify and verify beneficial owners of legal entity customers.
Federal Functional Regulators or Other Appropriate Regulatory Agencies. The Proposed Rule would also permit FinCEN to disclose BOI to Federal functional regulators and other appropriate regulatory agencies that are authorized to assess, supervise, enforce, or otherwise determine the compliance of a financial institution with its CDD requirements.
Department of the Treasury. The Proposed Rule would permit disclosure of BOI to officers and employees of the Department of the Treasury whose official duties require such inspection or disclosure, or for tax administration, subject to procedures and safeguards that FinCEN and the Department of the Treasury will establish.
Use of Disclosed BOI
The Proposed Rule would require that "any person who receives information disclosed by FinCEN under [the Proposed Rule] would be authorized to use it only for the particular purpose or activity for which it was disclosed."[11] A Federal agency receiving BOI as an intermediary for a foreign requester would only be permitted to use the BOI to facilitate a response to the foreign requester.
Re-Disclosure of BOI
The Proposed Rule would permit authorized recipients to re-disclose BOI only in the following circumstances.
Federal, State, Local, or Tribal Agencies
- A Federal, State, local, or Tribal agency could re-disclose BOI to others within the same organization if the re-disclosure is consistent with security and confidentiality requirements and is in furtherance of the same purpose for which it was requested;
- A Federal functional regulator could re-disclose BOI to a qualifying self-regulatory organization ("SRO") (for example, FINRA) for examinations for compliance with CDD requirements;
- An intermediary Federal agency could re-disclose BOI to the applicable foreign requester;
- A Federal, State, local, or Tribal law enforcement agency could re-disclose BOI to a court of competent jurisdiction or parties to a civil or criminal proceeding; and
- A Federal agency could re-disclose BOI to the Department of Justice in a case referral.
Financial Institutions
- A financial institution could re-disclose BOI to others within the same organization that are physically present in the United States if the re-disclosure is for the particular purpose or activity for which the BOI was requested; and
- A financial institution could also re-disclose BOI for use in fulfilling its CDD obligations with (i) the financial institution's federal functional regulator, (ii) a qualifying SRO, or (iii) any other appropriate regulatory agency.
Foreign Requesters
- A foreign requester that receives BOI pursuant to a request made under an international treaty, agreement, or convention could re-disclose and use that BOI in accordance with the requirements of the relevant agreement.
FinCEN would also be permitted to authorize the re-disclosure of BOI in other appropriate circumstances on a case-by-case basis.
Security and Confidentiality Requirements
The Proposed Rule would impose different security and confidentiality requirements on the various categories of BOI requesters.
Domestic (U.S.) Agencies (Federal, State, local, and Tribal requesting agencies, including federal functional regulators, other appropriate regulatory agencies, and intermediary federal agencies acting on behalf of authorized foreign requesters). The Proposed Rule would require a domestic agency to enter into a memorandum of understanding with FinCEN specifying the standards, procedures and systems that the agency would be required to maintain to protect BOI. Requesting agencies would also be required to limit, to the greatest extent practicable, the amount of BOI they seek. In addition, requesting agencies would have to make certain written certifications for each request made. The specific certifications would depend on the type of agency and the agency's purpose for requesting the BOI.[12]
Financial Institutions. The Proposed Rule would require financial institutions, before receiving BOI, to develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI. The Proposed Rule would not prescribe specific safeguards; however, it would provide that the security and information handling procedures necessary to comply with section 501 of the Gramm-Leach-Bliley Act, and applicable regulations thereunder, would satisfy the requirements of the Proposed Rule.[13] The Proposing Release states that this proposed "safe harbor . . . would therefore establish baseline security and confidentiality standards that are the same for all financial institutions."[14] Financial institutions that are not currently subject to the regulations issued pursuant to section 501 of Gramm-Leach-Bliley would be held to the same standards.
A financial institution would also be required to: (i) obtain and document a client's consent before requesting that client's BOI from FinCEN; and (ii) certify in writing, for each BOI request, that it is requesting the information to facilitate its compliance with CDD requirements under applicable law and that it obtained the reporting company's written consent to request its BOI.[15]
Foreign Requesters. The Proposed Rule would require foreign requesters to handle, disclose, and use BOI consistent with the requirements of the applicable treaty, agreement, or convention under which it was requested. If there is no applicable treaty, agreement, or convention, foreign requesters would have to meet certain enumerated requirements.[16]
Administration of BOI Requests
FinCEN states that it "intends to provide additional detail regarding the form and manner of BOI requests of all categories of authorized users through specific instructions and guidance as it continues developing the beneficial ownership IT system."[17]
The Proposed Rule would provide that FinCEN may deny a BOI request if (i) the requester fails to meet applicable requirements, (ii) the information is being requested for an unlawful purpose, or (iii) other good cause exists to deny the request. An authorized user may also be suspended or barred from using the system for any of these reasons.
Violations and Penalties
The Proposed Rule would track CTA requirements by making it unlawful for any person to knowingly disclose or knowingly use BOI obtained by the person through a report submitted to, or an authorized disclosure made by, FinCEN, unless such disclosure is authorized by the CTA or regulations issued thereunder. Unauthorized use would include unauthorized accessing of information, including knowingly violating security and confidentiality requirements. The Proposed Rule also lists civil and criminal penalties for knowingly disclosing or using BOI without authorization.
Use of FinCEN Identifiers for Intermediate Entities in BOI Reports
The BOI Reporting Rule provides that FinCEN will issue a FinCEN identifier to individuals and entities and describes the circumstances in which a reporting company may include a beneficial owner's FinCEN identifier instead of the beneficial owner's BOI. The BOI Reporting Rule did not implement one related aspect of the CTA, which specifies that if an individual "is or may be a beneficial owner of a reporting company by an interest held by the individual in an entity that, directly or indirectly, holds an interest in the reporting company," the reporting company may report the intermediate entity's FinCEN identifier instead of the individual's BOI. The Proposed Rule would now seek to implement that provision of the CTA by permitting use of an intermediate entity's FinCEN identifier only when the reporting company and the intermediate entity have the same beneficial owners.
Kelly O'Donnell
Director, Transfer Agency & Operations
Erica Evans
Assistant General Counsel
Notes
[1] Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, Financial Crimes Enforcement Network, Department of the Treasury, 87 F.R. 77404 (Dec. 16, 2022) ("Proposing Release"), available at https://www.govinfo.gov/content/pkg/FR-2022-12-16/pdf/2022-27031.pdf.
[2] Beneficial Ownership Information Reporting Requirements, Financial Crimes Enforcement Network, Department of the Treasury, 87 F.R. 59498 (Sept. 30, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-09-30/pdf/2022-21020.pdf.
[3] Proposing Release at 77404.
[4] For additional detail about the BOI Reporting Rule, see ICI Memo #34331, available at https://www.ici.org/memo34331.
[5] Proposing Release at 77406.
[6] Id. at 77407.
[7] Id. at 77413.
[8] Id. at 77414.
[9] Id. In these instances, there would be an intermediary Federal agency that would receive the request from the foreign requester. The intermediary Federal agency would then provide basic information to FinCEN about the request, retrieve the relevant BOI from the system, and respond to the foreign request.
[10] Importantly, the CTA requires FinCEN to rewrite the current beneficial ownership requirements to be consistent with the new BOI requirements under the CTA and FinCEN's new rules thereunder, which will be the final phase of FinCEN's implementation of the CTA. It is also important to note that, although the CTA and the Proposed Rule reference "customer due diligence" requirements, it is only the beneficial ownership component of the CDD rule that is affected by the CTA.
[11] Proposing Release at 77417.
[12] The head of a Federal agency acting in furtherance of national security, intelligence, or law enforcement activity, or his or her designee, would have to certify in writing, for each request, that (i) the agency was engaged in a national security, intelligence, or law enforcement activity, and (ii) the BOI requested was for use in furthering that activity, setting forth specific reasons why the BOI is relevant. The head of a requesting State, local or Tribal law enforcement agency, or his or her designee, for each request, would have to submit a copy of the required court authorization and a written justification with specific reasons why the BOI is relevant. The head of a Federal functional regulator or other appropriate regulatory agency, or his or her designee, would be required to certify, for each BOI request, that the agency (i) is authorized by law to assess, supervise, enforce or otherwise determine the relevant financial institution's compliance with CDD requirements under applicable law, and (ii) will use the information solely for the purpose of conducting an appropriate assessment, supervision, or authorized investigation or activity. The Proposed Rule also sets forth information that a Federal agency acting as intermediary for a foreign requester would need to obtain from the foreign requester.
[13] The Proposing Release also recognizes that Federal functional regulators have implemented the requirements of Section 501 of Gramm-Leach-Bliley in different ways and notes that "[t]his blended approach for complying with the Gramm-Leach-Bliley requirements is well-suited to protecting sensitive information generally and BOI in particular." The Proposing Release further states FinCEN's belief that "[a]llowing [financial institutions] to meet the requirement to safeguard BOI by extending to it the same processes they use to comply with regulations issued pursuant to section 501 of Gramm-Leach-Bliley would avoid duplicative or inconsistent requirements for information security and protocols and would be less burdensome for [financial institutions] to administer without sacrificing a high level of protection." Proposing Release at 77422.
[14] Id. at 77420.
[15] FinCEN notes that it anticipates financial institutions making such certifications by clicking a checkbox in the beneficial ownership system. Financial institutions would not be required to submit proof of the reporting company's consent at the time of the request.
[16] These include having security standards and procedures, maintaining a secure storage system that complies with the foreign requester's most sensitive unclassified security standards, minimizing the amount of information requested, and restricting personnel access to the information.
[17] Proposing Release at 77423. The Proposing Release does explain however that different types of authorized recipients will likely have different levels of access to the BOI system. For example, the Proposing Release notes that FinCEN is not planning to permit financial institutions "to run broad or open-ended queries in the [system] or to receive multiple search results. Rather, FinCEN anticipates that a [financial institution], with a reporting company's consent, would submit to the system identifying information specific to that reporting company, and receive in return an electronic transcript with that entity's BOI." The Proposing Release further states, "To the extent the [financial institution] makes a trivial data-entry error in its request for BOI, the [financial institution] could still obtain the requested BOI, provided the errors do not compromise BOI security and confidentiality and result in the [financial institution] retrieving information on the wrong reporting company." Id. at 77410.