What Financial Institutions Should Know About FinCEN's Final

On December 21, 2023, the Financial Crimes Enforcement Network (FinCEN) finalized its long-anticipated Access Rule, the second of its three major rulemakings to implement the Corporate Transparency Act (CTA).¹ The Access Rule prescribes the circumstances under which beneficial ownership information (BOI) reported to FinCEN may be disclosed to authorized recipients, and how recipients must safeguard the BOI. The Access Rule takes effect on February 20; however, FinCEN will stage access to its BOI database, with financial institutions (and financial institution supervisors) being the last category of users to receive access.²

Key Access Rule Provisions

The final Access Rule largely adopts the proposed rule (summarized in our prior Advisory) as-is, with several modifications intended to align with fundamental CTA objectives, including safeguarding reported BOI, ensuring the reporting system will be "highly useful" in combatting the abuse of shell and front companies, and facilitating financial institutions' compliance with their Bank Secrecy Act (BSA), anti-money laundering (AML), countering the financing of terrorism (CFT), and customer due diligence (CDD) legal requirements.

Key provisions of the Access Rule for financial institutions include:

Scope/Qualified Financial Institution Recipients: FinCEN may provide BOI database access to "covered financial institutions" as defined in the 2016 CDD Rule, i.e., banks, including credit unions; broker dealers; futures commission merchants and introducing brokers in Commodity Futures Trading Commission-registered commodities; and mutual funds subject to 31 C.F.R. § 1020.320. In a modification to the proposed rule, FinCEN has determined that, under the CTA, it also has discretion to provide access to other financial institutions with AML program requirements, such as money service businesses; insurance companies; casinos; and dealers in precious metals, precious stones, or jewels. Initially, however, FinCEN will provide access only to the defined "covered financial institutions" while it further evaluates whether it is appropriate and feasible to expand access to such other entities.
Purpose of Financial Institution's Request for BOI: Under the proposed rule, a financial institution would have been permitted access to FinCEN's BOI database only for use in complying with its obligations under the 2016 CDD Rule, i.e., identifying and verifying the beneficial owners of certain legal entity customers at account opening. The final Access Rule expands the permissible use of BOI obtained from FinCEN to include "any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States," if, to comply with such obligations, it is reasonably necessary to obtain or verify BOI of a legal entity customer. This means that financial institutions can use BOI obtained from FinCEN "to help discharge its AML/CFT obligations under the BSA, including its AML program, customer identification, SAR filing, and enhanced due diligence requirements."

Financial institutions are not permitted to use BOI for other reasons. For example, FinCEN stated that BOI cannot be used for ordinary business reasons, such as assessing whether to extend credit to a legal entity or for client development purposes.

Obtaining Customer Consent: The CTA authorizes FinCEN to disclose a reporting company's BOI to a financial institution only if the reporting company consents to the disclosure. The final Access Rule removes a proposed requirement that consent be in writing, and only requires that consent be documented. Financial institutions are not required to notify a reporting company each time it obtains the reporting company's BOI from FinCEN, nor are financial institutions required to submit proof of consent to FinCEN. The Access Rule only requires that a financial institution obtain a reporting company's consent prior to its initial request to FinCEN for the reporting company's BOI; the financial institution may rely on that consent for subsequent requests, including when opening additional accounts for that reporting company, unless consent is revoked.
Securing BOI Obtained From FinCEN: Although the specific requirements vary based on the category of authorized recipient, the Access Rule generally requires that recipients establish a secure system for storing BOI, restrict access to BOI to only authorized personnel and only for authorized purposes, maintain auditable BOI request records, conduct audits, and provide FinCEN with reports and certifications. The Access Rule provides that a financial institution may satisfy its obligations under the rule by applying to BOI obtained from FinCEN the same security and information handling procedures used to comply with section 501 of the Gramm-Leach-Bliley Act and its implementing regulations.
Third-Party Access: A financial institution may rely on a third-party service provider or contractor to request, obtain, or access BOI from FinCEN. The financial institution will ultimately be responsible for the activity of any provider accessing BOI on its behalf. Service providers are not permitted to repurpose BOI for their own use, such as in data aggregation or on behalf of other financial institution clients.
Re-Disclosure of BOI: As a general matter, financial institutions may not re-disclose BOI they receive from FinCEN. Financial institution personnel may, however, re-disclose BOI obtained from FinCEN to other personnel or third-party service providers of the same financial institution so long as the re-disclosure is for the particular purpose or activity for which the BOI was requested, is consistent with the security and confidentiality requirements of the Access Rule, and is not sent to Russia, China, any jurisdiction designated as a state sponsor of terrorism, or any jurisdiction that is subject to comprehensive sanctions under U.S. law. (This is a notable modification from the proposed rule, which authorized internal re-disclosure only to personnel and service providers located in the U.S.) The authorization to re-disclose BOI to personnel of the "same financial institution" does not include affiliated financial institutions. FinCEN has indicated that it may consider future guidance on the re-disclosure of BOI in other situations, for example, sharing BOI obtained from FinCEN in response to another financial institution's 314(b) request or sharing BOI with other financial institutions in a syndicated loan arrangement. In the meantime, financial institutions seeking to re-disclose BOI in such circumstances should request written authorization from FinCEN, which will evaluate requests on a case-by-case basis.

Financial institutions also may re-disclose BOI received from FinCEN to federal functional regulators, specified Self-Regulatory Organizations (SROs), and other appropriate regulatory agencies (including state regulators) that: (1) are authorized by law to determine the financial institution's compliance with CDD requirements under applicable law; (2) will use the information solely for making such determination; and (3) have entered into an agreement with FinCEN providing for appropriate protocols governing the safekeeping of information.

Violations for Unauthorized Disclosure: The Access Rule tracks the CTA's language making it unlawful for individuals to knowingly disclose or knowingly use BOI — regardless of whether the BOI was obtained directly or indirectly from FinCEN — except as authorized by the CTA and the Access Rule. Violations may result in civil penalties of $500 each day a violation continues or is not remedied, or criminal penalties of up to a $250,000 fine or up to five years imprisonment, or both. Criminal penalties may be enhanced up to $500,000, 10 years imprisonment, or both, if a person commits the violation while violating another U.S. law or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period.

Practical Considerations for Financial Institutions

In an interagency statement to banks issued the same day as the Access Rule, FinCEN and the banking agencies clarified that the Access Rule does not create a regulatory requirement or supervisory expectation that banks obtain BOI from FinCEN, and therefore the Access Rule does not necessitate changes to banks' existing BSA/AML compliance programs designed to comply with the 2016 CDD Rule or other BSA requirements, such as customer identification program and suspicious activity reporting requirements.³

The interagency statement reiterated, however, that the access and use of BOI obtained from FinCEN must comply with the requirements of the CTA and the Access Rule. Financial institutions, therefore, might consider the following in advance of their ability to access FinCEN's BOI database:

Developing and implementing policies and procedures for obtaining and recording legal entity customer consent to access their BOI from FinCEN. While FinCEN is giving financial institutions "substantial discretion" in the manner in which they obtain customer consent, FinCEN is requiring that such consent be documented. Financial institutions should update their onboarding forms and customer files accordingly.
Developing and implementing policies that govern (1) a limited number of individuals within the institution who will be authorized to directly request BOI from FinCEN; (2) the individuals authorized to receive "re-disclosed" BOI (consider limiting the list on a "need to know" basis); and (3) the permissible reasons to request BOI from FinCEN and to re-disclose such BOI to colleagues or service providers.
Assessing current and future service contracts to ensure that third-party providers will comply with all requirements for accessing, using, and safeguarding BOI in accordance with the CTA and Access Rule.
Establishing an Access Rule training program. The Access Rule requires financial institutions to train its employees who will access FinCEN's BOI database on the institution's BOI access, use, and security protocols. Such personnel also are required to complete FinCEN-provided online training.

Footnotes

1. The other two key rulemakings are (1) the BOI Reporting Rule, issued on September 22, 2022, which requires certain entities to report their BOI to FinCEN (see our BOI Reporting Resource Page) and (2) a revised version of FinCEN's 2016 Customer Due Diligence Rule (2016 CDD Rule) that, among other things, will account for financial institutions' access to BOI reported to FinCEN. The CTA requires FinCEN to revise the 2016 CDD Rule by January 1, 2025.

2. According to FinCEN, financial institutions' access to its BOI database will roughly coincide with the implementation of the revised 2016 CDD Rule. FinCEN anticipates providing information on the timing and details regarding the staged access approach in early 2024.

3. FinCEN and Treasury issued a similar statement to non-bank financial institutions the same day.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.