On December 21, 2023, the Financial Crimes Enforcement Network (“FinCEN”) published its final rule setting forth the circumstances under which beneficial ownership information reported to FinCEN pursuant to the Corporate Transparency Act (“CTA”) may be disclosed to authorized recipients, and how that information must be protected (the “Access Rule”).
The Access Rule is the second of three planned FinCEN rulemakings pursuant to the CTA. The first rule, setting forth the obligation for legal entities to file beneficial ownership reports with FinCEN, was issued in September 2022, and as of January 1, 2024, the registry for submitting such information has opened up. Legal entities required to file this information that were in existence prior to 2024 have until January 1, 2025 to submit their information to the registry. New legal entities formed in 2024 and going forward, have 90 days from being established to submit their information to the registry. (A third rule to harmonize the 2016 Customer Due Diligence rule with the CTA is expected, but has not yet been proposed.)
The CTA and the Access Rule establish the circumstances under which the information obtained by FinCEN’s registry may be disclosed to authorized parties and confirms that this beneficial ownership information (“BOI”) is confidential and may not be disclosed except as permitted.
The Access Rule authorizes six categories of recipients of BOI:
Federal agencies engaged in national security, intelligence, or law enforcement activity;
State, local, and Tribal law enforcement agencies;
Official foreign requesters;
Federal functional regulators;
S. Treasury personnel; and
Financial institutions subject to Bank Secrecy Act (“BSA”) customer due diligence requirements.
While financial institutions may access the BOI for purposes of complying with anti-money laundering (“AML”) obligations and sanctions administered by Treasury’s Office of Foreign Assets Control (“OFAC”), they may only do so if the reporting company has consented to the disclosure. (The other categories of authorized recipients may access the BOI regardless.) Accordingly, financial institutions that obtain BOI from FinCEN are required to implement reasonably designed data-protection safeguards; the Access Rule confirms that financial institutions will be able to satisfy these requirements by applying the same procedures used to protected customer nonpublic information in compliance with section 501 of the Gramm-Leach-Bliley Act and its implementing regulations, including the Safeguards Rule.
FinCEN plans to grant access to registry first to key Federal agencies in 2024. Additional categories of authorized recipients will be granted access in phases; financial institutions will be the last category of authorized recipients to be granted access.
In an interagency statement issued the same day to financial institutions, the FDIC, Federal Reserve, NCUA, OCC, state financial regulators, and FinCEN confirmed that for now the Access Rule creates no new regulatory requirements for financial institutions to affirmatively access BOI from the registry, and does not create a supervisory expectation that they do so. Further, they confirmed that the Access Rule does not presently necessitate changes to the BSA/AML compliance programs financial institutions have designed to comply with the 2016 Customer Due Diligence rule and other existing BSA requirements.