The U.S. Department of the Treasury’s (the Treasury) Financial Crimes Enforcement Network (FinCEN) issued a highly anticipated final rule on September 29, 2022, implementing the beneficial ownership information (BOI) reporting requirements of the Corporate Transparency Act (CTA). As we previously reported, this final rule marked a sea change in the U.S. anti-money laundering/countering the financing of terrorism (AML/CFT) compliance framework. One of the outstanding issues left unaddressed by that final rule, however, was how FinCEN intended to store BOI and safeguard access to this information.

On December 15, 2022, FinCEN issued a Notice of Proposed Rulemaking (NPRM) to address this outstanding issue. The NPRM proposes a framework of restrictions and security controls to protect the sensitive BOI that will be required to be shared with FinCEN by all reporting companies beginning on January 1, 2024. Under the proposal, certain federal, state, and local authorities would have access to the database, but only under defined circumstances and subject to strict requirements for storage of any information retained. Foreign authorities will only have access to limited information stored in the database through their U.S. counterparts, consistent with international treaties governing mutual legal assistance. Private parties will not have access to information stored in the database, except for financial institutions complying with laws governing customer due diligence (CDD), and even then, access will only be permitted with authorization from the reporting company that provided the information.

Below is a breakdown of key takeaways from the NPRM and what the notice means for storing and managing BOI.

Recipients Authorized To Access BOI

The CTA authorized FinCEN to disclose BOI to five general categories of recipients under specific circumstances. First, the NPRM proposes that FinCEN would disclose BOI to U.S. federal agencies broadly engaged in national security, intelligence, or law enforcement activities where the information would be used in furtherance of those purposes. When a federal agency requests access to run queries of BOI information in the database, the federal agency users would be required to submit justification to FinCEN for the searches they run in the database, which would be subject to audit by FinCEN to ensure access is being limited to appropriate circumstances.

Second, in addition to the aforementioned federal agencies, the NPRM states that FinCEN would disclose BOI to state, local, and tribal law enforcement agencies if “a court of competent jurisdiction” ruled that those agencies should be allowed access to that information. A “court of competent jurisdiction” is defined by the NPRM as any court with jurisdiction over the underlying criminal or civil investigation that requires the BOI. In such a case, the agency’s authorized user would need to upload a document from such a court, subject to FinCEN review, before being allowed access to BOI. Like federal agencies dealing with national security, intelligence, or law enforcement activities, authorized users from state, local, and tribal law enforcement agencies would have open-ended query access to the BOI database if justified pursuant to court order.

Third, foreign law enforcement requesters of BOI are required to make their requests for BOI through intermediary U.S. federal agencies and must show that either (1) the foreign requesters made the requests authorized under an international treaty, agreement, or convention (e.g., Mutual Legal Assistance Treaty (MLAT)), or (2) the request was otherwise made by law enforcement authorities in a “trusted” foreign country. The NPRM does not define a “trusted” foreign country. Unlike the two previous categories of requesters, foreign requestors would receive BOI data through an intermediary U.S. federal agency specific to their request, as opposed to having open-ended query access to the database.

Fourth, for a financial institution (FI) that seeks access to BOI, the NPRM limits the FI’s access to only BOI sought in relation to a specific reporting company in order to meet CDD requirements under applicable law and—critically—only if the reporting company of the BOI consents to the search. This limited access also applies, by extension, to federal functional regulators and other regulatory agencies, except where they are acting in a law enforcement capacity. Such regulatory agencies and regulators may only access BOI pertaining to the FIs they supervise for the purpose of assessing CDD compliance.

The final category of access is broad but exclusive to the Treasury. Specifically, the NPRM would allow access to Treasury officers and employees who require BOI for their official duties or for tax administration. Examples of such access provided in the NPRM include accessing BOI for sanctions investigations, identifying property blocked pursuant to sanctions, and for audits, enforcement, and oversight of the BOI framework.

Safeguards and Penalties

Throughout the rulemaking process, FinCEN has consistently emphasized the agency’s commitment to providing strong restrictions on access and security protocols for its BOI database. The NPRM clarifies that the BOI database will meet the highest Federal Information Security Management Act (FISMA) level for baseline information security controls. Additionally, the NPRM states that BOI will be subject to strict access-control protocols, which will require BOI recipients to have standards and procedures for storing the obtained information in secured systems with safeguards to limit access to authorized personnel only. Recipients of such information would be subject to civil and criminal penalties for violating the security and confidentiality requirements set out under the rule, including enhanced criminal penalties of up to 10 years of imprisonment for willful violations. Violating such requirements may also lead to a suspension or debarment from access to the BOI database.

What This Means for Businesses and Individuals

This NPRM represents an important next step for FinCEN’s implementation of the CTA. The upshot of the NPRM is that FinCEN is taking substantive steps toward implementing access restrictions and requirements for BOI data and assigning strong penalties for violations. While implementation of the CTA’s BOI reporting requirements will undoubtedly be a heavy lift for the business community over the next few years, adoption of restrictions on access—including restrictions applicable to law enforcement access—may provide businesses some comfort as they move toward filing the first reports in January 2024.

© 2022 Perkins Coie LLP