The Corporate Transparency Act: FinCEN Finalizes Beneficial Ownership Information Access Rule as Reporting Rule Takes Effect

8 minute read | January.05.2024

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has issued a final rule (the Access Rule) regarding access to and use of beneficial ownership information (BOI) maintained by FinCEN.

The Access Rule details the circumstances under which FinCEN can disclose BOI to authorized recipients. It also spells out how FinCEN will protect that information and outlines data protection protocols and oversight mechanisms for those who receive beneficial ownership information.

The rule takes effect February 20, 2024. It is the second of three FinCEN rulemakings to implement the Corporate Transparency Act (CTA).

The first rule, the Beneficial Ownership Reporting Rule, took effect January 1, 2024. As covered previously, it requires certain domestic and foreign companies created, or registered to conduct business, in the United States to report information to FinCEN regarding their beneficial owners – individuals who directly or indirectly own or control 25 percent or more of the ownership interests of a reporting company or who exercise substantial control over such an entity.

Reporting companies in existence as of January 1, 2024, have until January 1, 2025, to file initial BOI reports.
Those created or registered during 2024 will have 90 days from creation or registration to file an initial report.
Reporting companies created or registered after 2024 will have 30 days from creation or registration to file a report.

Companies created or registered after January 1, 2024 must also report information on certain individuals involved in the creation or registration.

Use our Beneficial Ownership Reporting Tool to help determine whether your company is required to report information on beneficial owners.

How Does the Final Access Rule Compare with the Proposed Rule?

The final Access Rule largely tracks FinCEN’s proposed rule (see our prior client alert), with several key changes to address concerns commenters raised during the rulemaking process.

Importantly, the Access Rule expands the purposes for which financial institutions subject to anti-money laundering requirements under the Bank Secrecy Act can use BOI they access from FinCEN’s database.
- The proposed rule would have limited financial institutions’ use of BOI to comply with FinCEN’s Customer Due Diligence Rule.
- The final rule permits covered financial institutions to use BOI to comply with anti-money laundering and U.S. economic sanctions requirements, more generally.
The Access Rule also addresses whether and to what degree financial institutions can share BOI they access from FinCEN’s database with people outside the United States.
- The proposed rule would have limited offshore access to BOI.
- The final rule permits financial institutions to share BOI with employees, agents and contractors outside the United States – but prohibits sending BOI to China, Russia, or any jurisdiction designated as a state sponsor of terrorism or that is the target of comprehensive U.S. economic sanctions.

Who Has Access – and For What Purpose?

The Access Rule permits these recipients to access BOI, provided they meet required security and confidentiality protocols:

Federal agencies engaged in national security, intelligence, or law enforcement activity can request BOI to use for national security, intelligence, or criminal or civil law enforcement purposes.
U.S. state, local, and tribal law enforcement agencies with court authorization may access BOI in criminal or civil investigations. The agencies must certify they are engaged in a qualifying activity, describe the information they are authorized by the court to seek, and specify the information’s relevance.
Foreign law enforcement agencies, judges, prosecutors, and other authorities may seek BOI for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity authorized under the foreign country’s laws. Such requests must:
- Come to FinCEN through an intermediary federal agency.
- Be made pursuant to an international treaty, agreement, or convention, or via a request of law enforcement, judicial, or prosecutorial authorities in a trusted foreign country (although the rule does not define “trusted”).

Financial institutions subject to FinCEN’s Customer Due Diligence Rule – banks, brokers and dealers in securities, futures commission merchants and introducing brokers, and mutual funds – can access BOI with respect to a particular reporting company, with the company’s consent, to comply with customer due diligence requirements.
- The rule defines “due diligence requirement” as “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States.”
- That includes using BOI for sanctions-related reasons.
Regulators who supervise financial institutions may access BOI, if reasonably necessary, to assess, supervise, or otherwise determine a financial institution’s compliance with customer due diligence requirements, including anti-money laundering, counterterrorist financing, sanctions, or national security-related legal requirements.
- Regulators will be provided only BOI the institutions they supervise have received from FinCEN.
- Self-regulatory organizations (SROs) may not access FinCEN’s database, though the Access Rule permits financial institutions and federal regulators to redisclose BOI to certain qualifying SROs.
U.S. Treasury Department officers and employees may access BOI if their official duties require it or if the information is needed for tax administration.

FinCEN declined to permit other financial institutions, such as money services businesses, to access the BOI database, but indicated it intends to evaluate whether to expand access.

FinCEN also clarified that:

The Access Rule authorizes FinCEN to disclose BOI to regulatory technology firms, beneficial ownership data service providers, due diligence vendors, or other third-party service providers to financial institutions.
- These service providers can access FinCEN’s database as long as they or their employees are “agents” or “contractors” of a financial institution and are performing a function on behalf of the financial institution that requires direct access.
- A financial institution will ultimately bear responsibility for service providers accessing BOI on its behalf, and service providers must protect and store BOI in compliance with the Access Rule and ensure that BOI is used for appropriate purposes.

Financial institutions are not required to access FinCEN’s BOI database. FinCEN and various bank regulators issued an interagency statement clarifying that the Access Rule does not create a new regulatory requirement for banks to access BOI in FinCEN’s database or any supervisory expectation that they do so.

How and When Will FinCEN Provide Access?

FinCEN plans to grant access to its BOI database in phases, as follows:

Key federal agencies will be the first to obtain access.
Treasury Department offices and certain federal agencies engaged in law enforcement and national security activities will be next.
Additional federal agencies, as well as state, local, and tribal law enforcement partners, will then gain access.
Next, intermediary federal agencies with connections to foreign government requests will have access.
Finally, financial institutions and their supervisors will receive access.

The Access Rule does not provide a time frame for access.

All authorized recipients except foreign recipients will have direct access to the BOI database, but financial institutions and supervisors will have more limited access than their federal, state, local, and Treasury counterparts. In particular, covered financial institutions may only request information on customers that have provided consent and will not be permitted to conduct broad searches for BOI. Financial institutions will submit identifying information specific to a reporting company and immediately receive an electronic transcript with that entity’s BOI. FinCEN expects that financial institutions will use Application Programming Interfaces (APIs) to access the BOI database.

What Are the Safeguards and Penalties for Unauthorized Disclosure?

The CTA establishes BOI as “sensitive information” and imposes strict security and confidentiality requirements on its collection, storage, and use. The Access Rule includes safeguards to prevent unauthorized disclosure or use of BOI. In maintaining BOI, FinCEN must adhere to the Federal Information Security Management Act’s “High” standards, which are the highest level of security controls that U.S. government agencies must apply to unclassified information. Additionally, the Treasury Department has established a process to escalate data breaches and compromises.

Unauthorized use of BOI includes unauthorized access to BOI or violation of security and confidentiality requirements in connection with access.

To access BOI collected by FinCEN, domestic agencies must establish:

Standards and procedures to protect the security and confidentiality of the information.
A secure system for storing the information.
Auditable request records.

Agencies must also enter into an agreement with FinCEN specifying their standards and procedures to protect BOI, and restrict access, conduct audits, and provide FinCEN with reports and certifications.

Financial institutions accessing BOI must develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI. These requirements can be satisfied by using the same safeguards as those required by Section 501 of the Gramm-Leach-Bliley Act and its implementing regulations. Financial institutions are also required to certify that each request for BOI satisfies the applicable criteria.

Foreign requesters obtaining BOI under an applicable treaty, agreement, or convention must comply with all applicable handling, disclosure, and use requirements of the applicable treaty, agreement, or convention. Foreign requesters obtaining BOI pursuant to a request from a trusted foreign country must establish standards and procedures to protect the security and confidentiality of the BOI, maintain the BOI in a secure system, and restrict access. Recipients of BOI are generally prohibited from re-disclosing it, with certain exceptions.

The rule authorizes penalties for anyone who knowingly discloses or uses BOI except as authorized by the CTA, including civil penalties of $500 for each day a violation continues. Criminal penalties include a fine of up to $250,000 and/or imprisonment for up to five years. If a violation occurs during the commission of other violations of U.S. law, violators can face fines of up to $500,000 and imprisonment for up to 10 years.

FinCEN may suspend or revoke a financial institution’s access to the BOI database for violations of the Access Rule.

What’s Next?

FinCEN will issue a third rule, by January 1, 2025, to revise the Customer Due Diligence Rule and bring it into conformance with the CTA and the Access Rule. FinCEN also deferred consideration of certain comments raised on the proposed access rule to address in the third rulemaking or future guidance.

Authors

Jeanine P. McGuinness Partner, International Trade and Investment, FCPA & Anti–Corruption

Washington, D.C.

See my bio

D:+1 202 339 8543
E: [email protected]

Practice:

International Trade and Investment
FCPA & Anti–Corruption
Anti‐Money Laundering and Bank Secrecy Act
Mergers & Acquisitions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Jeanine P. McGuinness Partner

Washington, D.C.

Jeanine’s clients include major U.S. and foreign financial institutions, and pharmaceutical, technology, telecommunications, energy, and natural resources companies.

Examples of Jeanine’s experience include:

Represents clients in preparing voluntary self-disclosures, administrative subpoena responses and license applications, and represents companies in connection with enforcement actions by the Treasury Department’s Office of Foreign Assets Control (OFAC)
Provides policy and compliance advice to clients affected by frequent changes in U.S. sanctions, including sanctions targeting Iran, Cuba, and Russia/Ukraine
Assists foreign purchasers of U.S. companies in national security reviews, including navigating the CFIUS process, through preparation of notices, meetings with CFIUS member agencies, advising on follow-on investigations, and negotiating and implementing mitigation agreements
Assists clients in developing and updating economic sanctions, anti-money laundering, and anti-corruption compliance policies and procedures
Represents financial institutions in connection with U.S. federal and state enforcement actions regarding compliance with U.S. anti-money laundering laws and regulations
Represents lenders, underwriters, borrowers, and issuers in international lending and capital markets transactions regarding sanctions, anti-corruption, and anti-money laundering issues
Advises a U.S. trade association and its member banks regarding U.S. sanctions, anti-corruption, and anti-money laundering issues in lending transactions, and prepares guidance for the industry on these matters
Advises financial institutions on the application of U.S. anti-money laundering regulations, with specific emphasis on customer identification program (CIP)/know your customer (KYC)/customer due diligence (CDD) requirements and suspicious activity reporting requirements
Regularly advises private equity and hedge funds regarding compliance with U.S. anti-money laundering and sanctions laws and regulations, including with respect to appropriate provisions in subscription materials and enhanced due diligence on high-risk investors
Advises clients regarding sanctions-related inquiries from the Securities and Exchange Commission (SEC) and state agencies implementing divestment laws and assists clients in preparing sanctions-related disclosure for inclusion in annual reports to the SEC

Jeanine is ranked in both the CFIUS Experts and Export Controls & Economic Sanctions categories by Chambers USA in 2019, 2020, 2021, and 2022. An interviewee had this to say of their experience working with Jeanine, “I am continuously impressed by her extensive knowledge, excellent communication skills and her ability to wrap her subject matter expertise around the details of the matter and then drive conclusions or recommendations for next steps."

Benjamin Hutten Partner, Anti‐Money Laundering and Bank Secrecy Act, Financial & Fintech Advisory

New York

See my bio

D:+1 212 600 2333
E: [email protected]

Practice:

Anti‐Money Laundering and Bank Secrecy Act
Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
White Collar, Investigations, Securities Litigation & Compliance
Fintech

vCard

See full bio

Benjamin Hutten Partner

New York

Ben has a deep understanding of sanctions and AML regulations and enforcement. In addition to his client work, he has participated in numerous financial industry group regulatory initiatives related to sanctions and AML issues, including The Clearing House Guiding Principles for Anti-Money Laundering Policies and Procedures in Correspondent Banking, initiatives to address “de-risking” and related to BSA information sharing. Ben also conducts international trainings in AML and sanctions issues for the Financial Services Volunteer Corps.

He has been recognized by Best Lawyers in America as "One to Watch" and by Super Lawyers as a "Rising Star." Prior to joining Orrick, Ben was counsel at Buckley LLP and an associate at Sullivan & Cromwell LLP.

Justin Seccombe Senior Associate, Complex Litigation & Dispute Resolution, Financial & Fintech Advisory

Chicago

See my bio

D:+1 312 924 9853
E: [email protected]

Practice:

Complex Litigation & Dispute Resolution
Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Justin Seccombe Senior Associate

Chicago

His experience includes representing clients in high-stakes litigation throughout the country in matters concerning federal and state consumer protection statutes, as well as complex commercial disputes. He further advises and represents clients in regulatory, supervisory, and enforcement matters before federal and state agencies including the Consumer Financial Protection Bureau (CFPB), the Department of Justice (DOJ), the Office of the Inspector General (OIG), and states attorneys general. Justin assists clients through all aspects of litigation, including briefing dispositive and discovery motions, managing large-scale discovery reviews and productions, preparing expert reports, arguing motions in both state and federal court, opposing class certification, and conducting settlement negotiations. With respect to enforcement matters, Justin represents clients through supervisory actions and assists them with the PARR (Potential Action and Request for Response) and NORA (Notice and Opportunity to Respond and Advise) process, crafting responses and working with regulators to reach favorable outcomes.

Prior to joining Orrick, Justin was an associate at Buckley LLP. Before practicing law, Justin worked with sports agents for some of the most successful players in the National Football League, including league MVPs, Super Bowl winners, and numerous rookies of the year.

Related Areas

White Collar, Investigations, Securities Litigation & Compliance