
Sean Bryan’s article, “Access to Beneficial Ownership Information under the Corporate Transparency Act,”—addresses new guidelines regarding who can access this information and the measures to safeguard it from misuse and unauthorized access.
Access to Beneficial Ownership Information under the Corporate Transparency Act
by Sean Bryan, Partner and Tax Section Chair at Kelly Hart & Hallman LLP
In connection with the commencement in 2024 of reporting under the Corporate Transparency Act of beneficial ownership information (“BOI”) by substantially all small businesses in the United States, the Financial Crimes Enforcement Network of the U.S. Department of the Treasury in December 2022 (“FinCEN”) issued a proposed second set of regulations under the CTA, which have not yet been finalized. Where the initial regulations describe what, when and how information is to be reported, this second set of regulations sets forth criteria for whom has access to such information and how it is intended to be protected from misuse and improper access.
The goal of the proposed regulations is to restrict BOI only to authorized recipients for an authorized purpose and who adhere to strict controls (including robust audit and oversight measures). Authorized purposes include U.S. national security, safeguard of the U.S. financial system, tax investigations, and national intelligence, in order to identify linkage between “potential illicit actors and opaque business entities”, including by comparing the collected date with that received under the U.S. Bank Secrecy Act. Information is to be maintained by FinCEN in a cloud-based system designed to meet the highest Federal Information Security Management Act level.
Recipients in the following five categories are authorized to obtain BOI:
(i) Federal, State, local and Tribal government agencies, who are expected to be only agencies involved in national security, intelligence and law enforcement, Treasury officers and employees, and State, local and Tribal law enforcement agencies who obtain a court approval authorizing access to BOI. Disclosure is to be based on the activity being conducted by the agency rather than the identity of the agency, and these activities include both civil and criminal investigations and actions.
(ii) Foreign law enforcement agencies, judges, prosecutors, central authorities and competent authorities whose request (a) comes through an intermediary Federal agency, (b) meets specified criteria, and (c) is made either under an international treaty, agreement or convention, or else is from a “trusted foreign country” (where the definition of “trusted” is determined by FinCEN and will look to U.S. interests and priorities). Foreign requestors generally are not to have direct access to the BOI system but must channel requests through Federal intermediaries who are required to vet such requests, although this does not apply to foreign financial intelligence units. FinCEN acknowledges that once BOI is received by a foreign requestor, the use of that information for only authorized purposes cannot be guaranteed. FinCEN estimates 200-900 requests annually from foreign requestors.
(iii) Financial institutions to the limited extent necessary to facilitate compliance with statutory and regulatory due diligence requirements. Such access requires the consent of the disclosing company, which must be obtained and maintained by the financial institution. Information received by a financial institution may be shared only with officers and employees physically in the United States, although it is unclear how world-wide computer systems will implement this limitation.
(iv) Federal functional regulators who supervise regulatory compliance by financial institutions; such regulators may only access the information received by the regulated financial institution. These regulators include the Federal Reserve System, the Comptroller of the Currency, the FDIC, the NCUA, the SEC and the CFTC.
(v) United States Department of Treasury, for official duties including tax administration. The definition of “tax administration” for such purpose is set forth in IRC Section 6103(b)(4).
FinCEN’s estimate (as of January 2022) of agencies who could qualify to obtain BOI include 202 Federal agencies and subagencies, 153 State and local law enforcement agencies, 64 Federal regulatory agencies, and 16,242 financial institutions.
The safeguards provided in the proposed regulations include requirements that the heads of requesting agencies (without delegation) approve the procedures for protecting BOI, that such agencies maintain a security system by which accessed BOI is stored, provide written certification that requirements have been met, that requesting agencies limit the scope of BOI sought, and conduct an annual audit to verify compliance. Written certificates are required with specific reasons why BOI is requested. The CTA expressly limits access only to authorized individuals who are directly engaged in the investigation, who require access to BOI, and who have undergone “appropriate training” (estimated at one hour per year, even for local law enforcement and foreign requestors). Finally, the proposed regulations require that each domestic agency enter into a memorandum of understanding with FinCEN (to include standards, procedures and systems to be maintained to safeguard BOI) in order to be allowed access, based on a form prepared by FinCEN for Bank Secrecy Act purposes, although these agreements are likely to be individualized on a per-agency basis. Individuals who obtain BOI are to be prohibited from disclosing such BOI to other individuals unless expressly authorized by FinCEN, which includes furtherance of the same purpose for which the BOI was obtained but not a general sharing within the receiving agency.
FinCEN expects that U.S. recipients maintain high standard security protocols in IT systems containing BOI, conduct background checks on individuals accessing BOI, and conduct regular training. In the interest of full information sharing and cooperation, FinCEN will not require an audit of a foreign requestor’s compliance with security protocols.
FinCEN may decline to provide BOI for failure to meet applicable requirements, if requested for an unlawful purpose, or for other good cause. Grounds for rejecting a request are also grounds for suspending or terminating the right of an agency to obtain BOI. The preamble to the proposed regulations are filled with “expects”, “envisions” and “anticipates”, and states that BOI obtained for one authorized activity not be used for an unrelated purpose, but whether these aspirations will be met by the recipients of BOI remain to be seen.
Extension of Reporting Period
In addition to the December 2022 proposed regulations, FinCEN recently proposed to amend the period required for reporting information from 30 days after formation to 90 days after formation, but only for entities formed in 2024, so as to ramp up familiarity of reporting companies with the new requirements and process. In 2025, the period would change to 30 days.
FinCEN also published FAQs (https://www.fincen.gov/boi-faqs) and a Small Entity Compliance Guide to assist in complying with the new requirements (https://www.fincen.gov/sites/default/files/shared/BOI_Small_Compliance_Guide_FINAL_Sept_508C.pdf).
This material is made available by Kelly Hart & Hallman LLP and its attorneys solely for educational and informational purposes, to provide general knowledge of applicable law to its users, and does not constitute legal advice or a solicitation to provide legal advice. Although Kelly Hart & Hallman LLP attempts to ensure the information contained in the material is complete, accurate, and up to date, Kelly Hart & Hallman LLP assumes no responsibility for the completeness, accuracy, or timeliness of any of the information set forth in the material. This material is not intended to and does not provide specific legal advice. Your receipt and use of this material does not and will not create an attorney-client relationship between you and Kelly Hart & Hallman LLP or any of its attorneys, and you acknowledge and agree that no such attorney-client relationship exists or will exist as a result of your using the material in any way. The information contained in the material is not necessarily appropriate for every individual or entity nor is it necessarily appropriate for every situation referred to or described in the material. The material and the content therein are not a substitute for competent legal advice from a licensed attorney. The material contains the opinions of the author and should not be construed as also containing the opinion or position of Kelly Hart & Hallman LLP or any other attorney at Kelly Hart & Hallman LLP concerning the issues addressed therein.
The information set forth in the material may contain links to independent third-party websites and services, including social media. Kelly Hart & Hallman LLP provides these links for your convenience, and you access them at your own risk. Kelly Hart & Hallman LLP has no control over and does not monitor the content or policies (including privacy policies) of these third-party websites and has no responsibility for, and no liability with respect to, their content, accuracy, or reliability. Unless expressly stated, Kelly Hart & Hallman LLP does not endorse any of the linked websites or any product, service, or publication referenced herein or therein.