On December 21, 2023, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued the final rule on Beneficial Ownership Information Access and Safeguards (the “Access Rule”) laying out the protocols for access to the beneficial ownership database by law enforcement and by eligible financial institutions. The Corporate Transparency Act requires reporting companies to report to FinCEN information about their beneficial owners and company applicants and is intended to help prevent and combat money laundering, terrorist financing, tax fraud and other illicit activity. The Beneficial Ownership Reporting Rule (the “BOI Rule”), promulgated by FinCEN in September 2022, establishes the types of entities that are reporting companies and how beneficial owners and company applicants are determined, as well as what information is required to be reported about these entities and individuals. The Access Rule aims to provide access to beneficial ownership information (“BOI”) to authorized recipients, while still maintaining the highest levels of data protection and oversight.

Who Has Access to the Information I Report?

Direct Access

The Access Rule provides access to BOI directly from the FinCEN database to three types of U.S. government agencies with search results returned immediately:

• Federal agencies engaged in national security, intelligence and law enforcement activity (which includes both civil and criminal enforcement activity) if the request is related to such activity. Federal agencies will be required to certify that the request is in furtherance of national security, intelligence or law enforcement activity, and will be required to provide specific reasons why the requested information is relevant.
• Department of the Treasury officials and employees if their official duties require BOI or for tax administration. The Department of the Treasury will establish internal policies and procedures governing access to BOI.
• State, local and Tribal law enforcement agencies in connection with criminal or civil investigations, if authorized by a court of competent jurisdiction. The initial rule proposed by FinCEN with respect to Beneficial Ownership Information Access and Safeguards would have required the state, local or tribal agency to provide documentation showing the relevant court authorized access to such BOI. The final Access Rule only requires that the state, local or tribal agency certify that a court of competent jurisdiction has authorized the agency to seek such BOI and that the information is relevant to a criminal or civil investigation. The agency must also provide a description of the information the court has authorized the agency to seek.

Indirect or Limited Access

Foreign requestors, financial institutions subject to customer due diligence requirements and federal regulators and other regulatory agencies supervising those financial institutions may have access to BOI through FinCEN.

• Foreign law enforcement agencies, judges, prosecutors, central authorities and competent authorities will not have direct access to FinCEN’s BOI database. These authorized foreign requestors will need to submit a request to a federal agency to act as an intermediary to retrieve the BOI information from FinCEN’s database. The federal agency may only provide BOI to a foreign requestor in response to a request for assistance in an investigation or prosecution by such foreign country or for national security or intelligence activity where there is an applicable treaty (or similar international agreement) between the foreign country and the U.S., or where there is no applicable treaty, as an official request by law enforcement, judicial or prosecutorial authority of a foreign country deemed to be a “trusted country” by FinCEN and the U.S. Secretary of State in consultation with the Attorney General of the U.S. The foreign requestor must limit the use of the BOI in a manner consistent with the treaty (or similar agreement) under which the request was made.
• Financial Institutions subject to customer due diligence requirements will have limited access to FinCEN’s database. These financial institutions will only have access to BOI of customers who are reporting companies to the extent a reporting company has consented to FinCEN disclosing such information to their financial institutions. For purposes of the Access Rule, customer due diligence requirements include KYC requirements as well as any legal requirement designed to protect against AML or the financing of terrorism.
• Federal regulators and other regulatory agencies supervising the compliance by those financial institutions with access to BOI to any customer due diligence requirements will also have limited access to FinCEN’s database. These regulatory authorities can only request BOI information for the purpose of supervising the financial institution and will only have access to the BOI that the financial institution has received from FinCEN. Any officer, employee, contractor or agent of a federal regulator that receives BOI from FinCEN may disclose that BOI to a self‑regulatory organization (“SRO”) registered with that regulator, provided that the SRO will use the BOI to supervise the financial institution.

Are there Confidentiality Requirements for those who have Access to BOI?

The Access Rule provides that any agency, financial institution or foreign requestors must establish standards and procedures to the security and confidentiality of BOI. Authorized recipients of BOI are permitted to re‑disclose the information in limited situations, including to others within an entity authorized to receive such BOI, among financial institutions and their regulators (including SROs), to courts of competent jurisdiction or parties to a civil or criminal proceeding and to prosecutors for use in litigation related to the activity for which the agency requested the BOI.

Violations

It is unlawful for anyone to knowingly disclose or to use BOI unless such disclosure or use of the BOI is authorized under the CTA. Civil and criminal penalties may apply to such unlawful disclosure or use of BOI or to unauthorized access to BOI or any activity that knowingly violates applicable security and confidentiality requirements in connection with accessing BOI. The CTA provides civil penalties of $500/day for ongoing violations and criminal penalties of not more than $250,000 in fines or 5 years in prison. There are also enhanced criminal penalties (fines of up to $500,000 and 10 years in prison) if a person violates the CTA while violating other U.S. laws or as a part of a pattern of illegal activity.

The analysis in this alert is based on the information available to us at the present time and the CTA and Access Rule as presently in effect. We expect FinCEN to provide updates after the Access Rule becomes effective and more questions are put to FinCEN and legislators. 

Additional Author: Elanit Snow