Corporate Transparency Act: Beneficial Ownership Information Requirement – Access and Privacy – the Final Rule – Who Has Access to Your Information?

On December 21, 2023, the Financial Crimes Enforcement Network (“FinCEN”) released the final rule (“Access Rule”) for the implementation of the beneficial ownership information (“BOI”) access requirements under the Corporate Transparency Act (“CTA”), set to take effect on February 20, 2024. This rule outlines the protocols for how authorized recipients can access and utilize BOI that will be reported to FinCEN, focusing on the security and confidentiality necessary to protect sensitive, personally identifiable information.

The CTA, part of the National Defense Authorization Act, requires a wide range of domestic and foreign legal entities to register with FinCEN and disclose their ultimate beneficial owners. The rule stipulates who is obligated to file this information, exemptions to the filing, the specifics of what must be filed, and the deadlines for these reports. (See our article on the CTA requirements here).

A crucial aspect of the Access Rule is the restriction on the disclosure of BOI. It states that individuals authorized to receive BOI, including contractors and agents of the U.S., state, local, or tribal agencies, and financial institutions (“FIs”) (e.g., banks, credit unions), are prohibited from disclosing this information unless explicitly authorized by FinCEN. This extends the nondisclosure obligation to individuals who may no longer be in their authorizing position.

The rule permits certain federal agencies engaged in national security, intelligence, or law enforcement activities, as well as state, local, and tribal law enforcement agencies with court authorization, to access BOI. Additionally, FIs can request BOI from FinCEN but only to comply with Customer Due Diligence (“CDD”) requirements and with the consent of the reporting company.

The Access Rule clearly states that BOI can only be used for the specific purpose for which it was disclosed. In a notable change from the proposal, FIs can now redisclose BOI under certain conditions. This includes sharing with directors, officers, employees, contractors, and agents outside the United States, subject to specific limitations.

The rule also imposes specific security and confidentiality requirements on domestic agencies, FIs, and foreign requesters. For instance, domestic agencies must enter into a Memorandum of Understanding with FinCEN, detailing the standards and procedures for protecting BOI. FIs must comply with existing regulations like the Gramm-Leach-Bliley Act to safeguard non-public customer personal information.

A foreign request for BOI must be on behalf of a law enforcement agency, prosecutor, or judge of another country, or on behalf of a foreign central authority or foreign competent authority, and must (i) come to FinCEN through an intermediary Federal agency; (ii) be for assistance in a law enforcement investigation or prosecution, or a national security or intelligence activity, authorized under the laws of the foreign country; and (iii) either be made under an international treaty, agreement, or convention, or, when no such instrument is available, be an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country.

The Access Rule also requires that requests for BOI by agencies and FIs be submitted in a specified form and manner. FinCEN retains the right to reject requests based on various criteria.

Here is a quick summary of the rule:

  • FinCEN can disclose BOI to specified recipients, including US Federal agencies engaged in national security, intelligence, and law enforcement activity; state, local, and tribal law enforcement agencies; foreign government entities, including law enforcement, prosecutors, judges, or other competent or central authorities; FIs using BOI for compliance with customer due diligence requirements, federal functional regulators, and Treasury officers and employees.
  • Each category of authorized recipients is subject to security and confidentiality requirements.
  • Access to BOI is granted based on the purpose of the request, with strict certification and authorization requirements for each authorized recipient.
  • FIs obtaining BOI must implement safeguards to protect the information and can only disclose it with the relevant reporting company’s consent.
  • Authorized recipients are generally prohibited from re-disclosing BOI, except in specific circumstances.
  • The CTA imposes civil and criminal penalties for unauthorized disclosure or use of BOI.
  • Access to the Beneficial Ownership Secure System (“BOSS”) will be phased in, starting with a pilot program for key Federal agency users.

In conjunction with the Access Rule, FinCEN issued guidance for banks and non-bank FIs, clarifying the relationship between the Access Rule and the CDD Rule. The guidance indicates that these institutions are not required to access BOI through FinCEN, but if they choose to do so, they must adhere to the CTA and Access Rule requirements.

The Access Rule will be effective February 20, 2024. However, the effective date of the Reporting Rule remains January 1, 2024. FinCEN will take a phased approach to providing access to the BOSS from which authorized users may obtain BOI.

  • The first stage will be a pilot program for a handful of key Federal agency users starting in 2024.
  • The second stage will extend access to Treasury Department offices and certain Federal agencies engaged in law enforcement and national security activities.
  • Subsequent stages will extend access to additional Federal agencies engaged in law enforcement, national security, and intelligence activities, as well as to key State, local, and Tribal law enforcement partners; to intermediary Federal agencies in connection with foreign government requests; and finally, to financial institutions and their supervisors.

The Access Rule introduces significant changes to the CTA and current anti-money laundering regime and entity transparency landscape in the US, offering potential benefits for certain FIs, such as banks and broker-dealers. However, there are concerns about the rule’s ability to protect sensitive information and the procedures for resolving discrepancies between customer-reported BOI and FinCEN’s records. Financial institutions are encouraged to continue engaging with FinCEN and other policymakers on these issues.

If you need help or have any questions, please get in touch with Allan Rooney, Steve Wilansky, Sumangali Rudrakumar, or Lauri O’Callaghan, or call us at +1 212 545 8022.




© 2024 Rooney Law. All rights reserved. Rooney Law PC is an international corporate law firm. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome. Nothing herein shall create an attorney-client relationship between the reader and Rooney Law PC.

