On December 15, 2022, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking to implement the provisions of the Corporate Transparency Act (CTA) specific to beneficial ownership information (BOI) access and safeguards. FinCEN is accepting comments on the proposed rule until February 14, 2023. This is the second of three planned rulemakings by FinCEN to implement the CTA. The proposed rule is of particular importance to financial institutions, including banks, as it addresses the conditions under which financial institutions can access BOI for purposes of complying with their customer due diligence (CDD) obligations.
By way of background, the CTA was passed in 2021 as part of the Anti-Money Laundering Act, with a goal of combatting money laundering and other illicit activity conducted through the use of shell companies. It is thought that a centralized source of BOI will greatly speed up law enforcement investigations into these illegal activities and also facilitate CDD compliance by banks and other financial institutions. FinCEN’s initial rulemaking package was finalized on September 30, 2022, and it clarified the specific BOI required to be reported to FinCEN, by whom, and when. Beginning on January 1, 2024, corporations, limited liability companies, and certain other legal entities created or registered in the United States must report information about their beneficial owners to FinCEN. The required information consists of: full legal name, birthdate, current residential or business street address, and a unique identifying number from an acceptable identification document. The third and final rulemaking has yet to be announced but will focus on revising FinCEN’s CDD regulations to better align with the CTA. As directed by the CTA, FinCEN is also in the process of developing a secure database for receiving and maintaining the BOI. It’s important to note that banks are exempt from the CTA’s reporting requirements given that their beneficial ownership information is already well known to regulators.
Shifting back to this most recent FinCEN rule proposal, financial institutions must comply with several requirements before access to BOI will be granted. First, under the proposed rule, financial institutions must obtain and document the consent of the reporting company before making a request to FinCEN for BOI. The rule commentary explains this step is perceived as necessary due to the sensitive nature of BOI and the number of financial institution employees that will potentially have access once it’s granted.
The other conditions financial institutions must meet under the proposed rule before receiving BOI are: 1) the access to BOI obtained from FinCEN must be restricted to directors, officers, employees, contractors and agents within the United States; 2) the financial institution must develop and implement administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of any BOI received; and 3) for each request for BOI, a financial institution must make a written certification to FinCEN that it (i) is requesting the information to facilitate its compliance with CDD requirements, (ii) has obtained the written consent of the reporting company to request the BOI from FinCEN, and (iii) has fulfilled all of the requirements for requesting BOI from FinCEN. Be aware that accessing BOI is not mandatory under the proposed rule as, again, it is intended to offer financial institutions another avenue to meet CDD compliance.
Finally, beyond financial institutions themselves, the proposed rule also allows a bank’s federal functional regulator and, for state-chartered banks, their state regulator to request from FinCEN any BOI disclosed to the bank. However, such a request must be made solely for the purpose of conducting an assessment, supervision or investigation of the compliance of the relevant bank with its CDD requirements.
While this rule has just been proposed, and not finalized, it’s likely that many of the provisions will remain unchanged or end up substantially similar to what’s been proposed. Accordingly, banks should begin to evaluate how they might incorporate the BOI access rules into their BSA/AML compliance programs. This should include, for example, consideration of the processes for obtaining and documenting reporting company consent, how the requisite administrative and physical safeguards will be established, and whether existing IT safeguards are sufficient.
Contact your Vorys lawyer if you have questions about the proposed rule or its potential impact on your institution.