On December 15, 2022, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking that would implement provisions of the Corporate Transparency Act (CTA) governing access to and protection of beneficial ownership information (BOI) required to be filed with FinCEN by certain domestic and foreign reporting companies. This is the second of three regulations concerning implementation of CTA.

The FinCEN proposal limits access to BOI to federal agencies engaged in national security, intelligence, or law enforcement activities; state, local, and tribal enforcement agencies with court authorization; financial institutions with customer due diligence requirements and regulators supervising them for compliance with such requirements; foreign law enforcement agencies, provided the requests come through an intermediary federal agency and meet certain additional criteria; and the US Department of the Treasury, tied to an officer’s or employee’s official duties requiring BOI inspection or disclosure, including for tax administration. For purposes of this article, we will focus on financial institutions and federal functional banking regulators as authorized recipients.

Both financial institutions and their regulators will have direct access to BOI contained in the FinCEN beneficial ownership database in a form more limited than the information available to federal agencies engaged in national security, intelligence, or law enforcement activity. FinCEN may disclose a reporting company’s BOI to a financial institution only to the extent that such disclosure facilitates the financial institution’s compliance with its customer due diligence requirements under applicable law and only if the reporting company first grants consent to the financial institution. FinCEN does not plan on allowing financial institutions to conduct a broad or open-ended query in the beneficial ownership system or to receive multiple search results. A financial institution, with the reporting company’s consent, may submit requests identifying information specific to a reporting company and receive an electronic transcript with that entity’s BOI. The functional regulators of financial institutions are permitted similar access in exercising their supervisory functions. These federal functional regulators may request from FinCEN the BOI that the financial institution they supervise has already obtained from FinCEN, but only for assessing a financial institution’s compliance with its customer due diligence requirements under applicable law.

The CTA did not address the mechanism by which consent would be received from a reporting company or what constitutes “customer due diligence requirements under applicable law.” The proposed regulation requires the financial institution to obtain the reporting company’s consent to access the BOI database. Further, “customer due diligence requirements under applicable law” means FinCEN’s customer due diligence regulations under 31 CFR 1010.230, which require covered financial institutions to identify and verify beneficial owners of legal entity customers.

Any person or entity receiving information disclosed by FinCEN would be authorized to use such information only for the particular purpose or activity for which it was disclosed. A financial institution may share BOI obtained from FinCEN for use in fulfilling its customer due diligence obligations with (1) the financial institution’s functional regulator, (2) a qualifying federal self-regulatory organization such as FINRA, or (3) any other appropriate regulatory agency. A financial institution must certify, for each BOI request, that it is requesting the information to facilitate its compliance with its customer due diligence requirements under applicable law, that it obtained a reporting company’s written consent to request its BOI, and that it has fulfilled the other requirements of that section. Certification should be simplified via a checkbox.

The proposed regulation imposes security and confidentiality requirements on financial institutions by requiring such institutions to develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI as a precondition for receiving BOI. The proposal establishes that the security and information handling procedures necessary to comply with Section 501 of the Gramm-Leach-Bliley Act and applicable regulations issued under it to protect nonpublic customer personal information, if applied to BOI under the control of the financial institution, would satisfy this requirement. This avoids duplicative or inconsistent requirements for information security and protocols.

The CTA makes it unlawful for any person to knowingly disclose or knowingly use BOI from FinCEN unless such disclosure is authorized by the CTA. The proposed regulation tracks this CTA language and further explains that for purposes of the regulation, unauthorized use would include any unauthorized accessing of information submitted to FinCEN, including any activity in which an employee of a financial institution knowingly violates applicable security and confidentiality requirements in connection with access to such information.

This proposal grants financial institutions direct access to the BOI of reporting companies. As noted in previous articles, there are numerous exceptions to the reporting requirements — so it remains to be seen whether the proposal significantly reduces any workload since BOI will continue to be collected and banks likely will be required to police the compliance of reporting companies as the most common nexus between FinCEN and the reporting company. Banks will need to ensure collection of BOI, where necessary, from companies exempt from a reporting requirement and to confirm the exemption. Hopefully, release of the third regulation addressing reduction of customer due diligence obligations of financial institutions will actually be helpful. One known item to be addressed soon is to modify customer intake forms to build in reporting company written consent to allow the financial institution to access the FinCEN database.