Update as of 3/4/2024
On March 1, 2024, the Corporate Transparency Act was declared unconstitutional in federal court. The status of the information contained in this article is pending the courts’ next steps. The information below is based on the original rule issued by the Financial Crimes Enforcement Network at the end of 2023.
The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a final rule at the end of 2023 that establishes a long-awaited framework for accessing and protecting beneficial ownership information (BOI). This rule – called the “Access Rule” under the Corporate Transparency Act (CTA) – will soon permit financial institutions and other authorized groups to access BOI from a single database. This is the second of three rules issued by FinCEN governing the implementation of the CTA, the first being the “Reporting Rule” in 2022 which established BOI reporting requirements for companies doing business in the United States. The third rule, not yet proposed, will revise the existing Customer Due Diligence (CDD) Rule to bring it into better conformity with the CTA and the AML Act of 2020.
KEY TAKEAWAYS:
- The rule took effect as of January 1, 2024, with additional changes forthcoming throughout this year and beyond. Newly established businesses are the most immediately impacted
- Companies will report BOI via the BOI E-Filing System. It is not yet clearly defined how financial institutions and other authorized recipients will access the information
- Authorization to access BOI will be granted in three phases, with financial institutions and their regulators being among the last to receive access
- Financial institutions do not have to utilize the system, but doing so requires potential enhancements to their existing BSA/AML programs
- The rule does not change the existing CDD Rule at this time
WHO IS AFFECTED?
An entity required to register BOI is called a reporting company and includes, with exemptions, a domestic or foreign entity that registers with a secretary of state or similar office under the law of a state or Indian tribe. FinCEN began accepting BOI reports on January 1, 2024. Community banks should expect that most of their legal entity customers will be impacted by the rule.
IMPLEMENTATION OF BOI ACCESS
Authorization to access BOI will be granted in phases beginning in early 2024, first as a pilot program to certain federal agencies, then to the Treasury and certain federal law enforcement agencies. Next will be additional law enforcement agencies and intermediary federal agencies responding to foreign government requests. Finally, financial institutions and their supervisors will receive access. FinCEN has not yet issued a specific timeframe around these phases.
Notably for financial institutions, the Access Rule does not obligate them, either through statute or supervisory expectation, to utilize the system; therefore, no changes to existing BSA/AML compliance programs are required. If financial institutions choose to access the system, they must comply with the requirements put forth by the CTA and Access Rule involving the security and confidentiality of BOI, the highlights of which include:
- Establishing standards and procedures to protect the confidentiality of BOI, and entering into an agreement with FinCEN that such standards are met,
- Developing and maintaining a secure system for storing BOI,
- Creating and maintaining auditable BOI request records, and
- Developing and implementing administrative, technical, and physical safeguards reasonably designed to protect BOI, which may be met with the same handling procedures used in compliance with section 501 of the Gramm-Leach-Bliley Act to protect customers’ nonpublic personal information.
CONSIDERATIONS REGARDING DUE DILIGENCE
The Access Rule does not make any changes to the CDD Rule, so it remains necessary to perform due diligence to verify BOI, whether it is captured from the system or directly from customers. FinCEN accepted comments at the end of 2022 after its notice of proposed rulemaking for accessing BOI, among which the following considerations arose:
- Access to the system requires customer consent, so there may be situations where consent isn’t granted
- Since financial institutions must continue to capture and verify the validity of BOI under the CDD rule, accessing the system adds additional steps to the process
- It’s duplicative and unnecessary to continue monitoring for changes in the accuracy of BOI since reporting companies are subject to criminal penalties for providing false BOI to FinCEN
- Businesses may not be aware of these new requirements
FinCEN’s response to this last concern is that it is engaged in a robust outreach program to raise awareness of reporting companies’ obligations, as well as the issuance of content such as the Small Entity Compliance Guide. Changes to the CDD rule are forthcoming but, in the meantime, financial institutions will need to consider their own methods of complying with the current CDD Rule, whether utilizing the BOI system enhances that process, and how they wish to interact with their unique customer bases while maintaining compliance.
NEXT STEPS FOR FINANCIAL INSTITUTIONS
FinCEN will engage in a third rulemaking that revises the CDD Rule. While not yet proposed, it’s said to bring the rule more in alignment with the CTA, allow financial institutions to better confirm BOI provided directly from customers by accessing the system and minimize duplication in verifying BOI reported to financial institutions and FinCEN. FinCEN has also stated that it will publish guidance to assist authorized recipients in complying with the Access Rule.
Anders Banking and Financial Institution advisors will continue to follow FinCEN guidance regarding BOI and the CTA to help institutions like yours navigate new challenges. Learn more about the support our advisors can provide, and the associated fees, by requesting a meeting with an advisor below.
All Insights
