In our previous blog, we covered what the Corporate Transparency Act (CTA)[1] is, and what it means for your company. As expected, there has been an update to the CTA that our firm believes is important to communicate to our clients and community.
On December 12, 2023, the Financial Crimes Enforcement Network (FinCEN) issued the “Access Rule.” This article breaks down this update and why it was enacted.
Per the CTA, there are six types of authorized users that can request access to beneficial ownership information (BOI). These include:
- Federal law enforcement agencies
- State, local, or tribal law enforcement agencies
- Federal agencies on behalf of a foreign country
- Financial institutions for customer due diligence
- Federal functional regulators
- Treasury personnel[2]
BOI is sensitive data that should not be handed over, without question. The Access Rule was put in place to define the circumstances in which BOI may be disclosed to the above requestors. This CTA update ensures that:
- Only authorized recipients have access to BOI
- Authorized recipients use that access only for purposes permitted by the CTA
- Authorized recipients only re-disclose BOI in secure, confidential, permitted ways
Requestor Requirements
The Access Rule explicitly outlines the requirements that requestors must meet to access BOI. There are limitations on each of category of authorized user:
Federal Law Enforcement Agencies
The agency must certify it is engaged in national security, intelligence, or law enforcement activities[3], state how the requested BOI will be used in that activity, and state the specific reasons how the information is relevant to the activity.
State, Local, or Tribal Law Enforcement Agencies
The agencies must certify that a court of competent jurisdiction[4] has authorized them to seek the information in a criminal or civil investigation, state how the requested BOI is related to the investigation, and provide a description of the information that the court has authorized them to seek.[5]
Federal Agencies on Behalf of a Foreign Country
In this scenario, the request must be from a law enforcement agency, prosecutor, or judge of a foreign country. Or the request must be on behalf of a foreign central authority or competent authority, and come from a federal agency to assist in a law enforcement investigation or prosecution, or for a national security or intelligence activity authorized by the laws of the foreign country, and, either is under an international treaty, agreement, or convention. Or if there is not an international treaty, agreement, or convention, then the request must come by a law enforcement, judicial or prosecutorial authority of a “trusted foreign country”[6].[7]
Financial Institutions
Financial institutions that have obtained the reporting company’s consent[8] and use BOI to comply with “customer due diligence requirements under applicable law,” which is defined as “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.”
Federal Regulators
BOI can be disclosed to federal functional regulators and other regulatory agencies that supervise financial institutions for compliance with customer due diligence requirements as previously defined. However, they will only have access to BOI of those financial institutions in which they supervise and may only use the information to assess, supervise, enforce, or otherwise determine the financial institutions compliance with customer due diligence requirements.[9]
Treasury Personnel
Any Treasury Department officer or employee whose duties require BOI inspection or disclosure, or for tax administration, can request the information. The Treasury Department will establish internal policies and procedures governing its personnel’s access to BOI.[10]
Technical Requirements for Requestors
As required under the CTA and Access Rule, domestic agencies must meet minimum security standards to access BOI. These include:
- Establishing standards and procedures to protect the security and confidentiality of BOI
- Disclosing to FinCEN the standards and procedures
- Establishing and maintaining a secure system in which to store BOI
- Maintaining records with the ability to audit BOI requests
- Providing FinCEN with reports and clarifications.[11]
For financial institutions to obtain BOI, they must have administrative, technical, and physical safeguards reasonably designed to protect the information.[12]
Foreign requesters must follow the handling, disclosure, and use requirements described within the international treaty, agreement, or convention under which they requested the BOI, but they must also have in place standards and procedures to prevent unauthorized disclosure of the BOI.[11]
Note that once these authorized entities receive BOI, they are only allowed to disclose the information in very limited circumstances.[13]
BOI Access Opens This Year
Starting later in 2024, access to the system where authorized users can obtain BOI will be slowly rolled out. Stage one is a pilot program where key Federal agency users will be allowed access. In stage two, Treasury Department offices and specific Federal agencies engaged in law enforcement and national security activities will be able to request BOI. Additional authorized recipients will be able to request BOI in subsequent stages.[13]
If you need legal advice on the Access Rule or how your organization should handle the CTA, contact us.
1 NDAA §6403(c)(2)(B)
2 “any court with jurisdiction over the criminal or civil investigation for which the State, local, or Tribal law enforcement agency requested BOI.” https://www.federalregister.gov/d/2023-27973/p-82
3 https://www.federalregister.gov/d/2023-27973/p-79
4 “FinCEN did not propose to identify specific countries it would treat as “trusted” in situations when no international treaty, agreement, or convention applied. The Access NPRM explained that to define “trusted foreign country” would have risked arbitrarily excluding foreign requesters with whom sharing BOI might be appropriate in some cases but not others. FinCEN instead proposed to conduct case-by-case assessments in consultation with relevant U.S. government agencies to determine whether to disclose BOI to a foreign requester in a particular instance.”
5 https://www.federalregister.gov/d/2023-27973/p-87
6 https://www.federalregister.gov/d/2023-27973/p-95
7 https://www.federalregister.gov/d/2023-27973/p-105
[8] FinCEN anticipates that the security and confidentiality protocols in those policies and procedures will include elements of security and confidentiality requirements applicable to other domestic agencies. https://www.federalregister.gov/d/2023-27973/p-105
[9] https://www.federalregister.gov/d/2023-27973/p-105
[10] able to satisfy this requirement by applying to BOI the same security and information handling procedures they use to protect customers’ nonpublic personal information in compliance with section 501 of the Gramm-Leach-Bliley Act and its implementing regulations. For each BOI request that it makes, a financial institution will have to certify that the request satisfies applicable criteria. Certain geographic restrictions will also apply. https://www.federalregister.gov/d/2023-27973/p-101
[11] https://www.federalregister.gov/d/2023-27973/p-933
[12] Re-disclosure is authorized among officers, employees, agents, and contractors within an authorized BOI recipient, among financial institutions and their regulators, including qualifying self-regulatory organizations, from Federal agencies requesting on the behalf of foreign requesters, from authorized BOI recipient Federal agencies to courts of competent jurisdiction or parties in a civil or criminal proceeding, from authorized BOI recipient agencies to prosecutors or for use in litigation involving activity the requesting agency requested the information, and by foreign authorities acting in compliance with the international treaty, agreement, or convention under which BOI was requested and received. Also, FinCEN may authorize the re-disclosure of BOI by an authorized recipient in other situations, if the re-disclosure is for an authorized purpose. https://www.federalregister.gov/d/2023-27973/p-414
[13] https://www.federalregister.gov/d/2023-27973/p-138
