FinCEN proposal on beneficial ownership information access

Proposal to establish who may access, for what purposes, and necessary safeguards; second of three related proposals

December 2022

KPMG Insight. FinCEN’s second of three rulemaking announcements on beneficial ownership looks to establish rules for who may access beneficial ownership information (BOI), for what purposes, and the safeguards that are required to ensure the information is secured and protected. As proposed, the circumstances under which BOI may be disclosed would vary by recipient and include:

  • Federal agencies (for national security, intelligence or law enforcement activities);
  • State, local, tribal, and foreign governments (with court authorization); and
  • Financial institutions (to support customer due diligence (CDD) requirements, and also for the regulators supervising them).

The third BOI rulemaking will revise the CDD requirements for financial institutions to conform to the Corporate Transparency Act and the related implementing regulations.

BOI is considered to be sensitive information and will be held to the government’s “high rating”. Authorized recipients of BOI will need standards and procedures for storing the information, with restrictions in place for authorized personnel access only and for authorized purposes only. Any authorized entity or individual that is transmitting, receiving, accessing and/or analyzing BOI data should expect to have MOUs/agreements in place for all procedural and control requirements before obtaining BOI. Further, entities and individuals should anticipate audit requirements and compliance certifications if they hope to access the information.


The Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued a notice of proposed rulemaking Proposal) to implement the beneficial ownership information access and related safeguards provisions of the Corporate Transparency Act (CTA). When finalized, these regulations will govern authorized access to the BOI database that is expected to become operational on January 1, 2024 (pursuant to FinCEN’s BOI Reporting Rule - see KPMG Regulatory Alert, here).

The Proposal lays out regulations to establish the following:

  • Authorized Recipients
  • Security and Confidentiality
  • Violations and Penalties
  • FinCEN Identifiers

Comments on this Proposal will be accepted through February 14, 2023. FinCEN is proposing an effective date of January 1, 2024, to align with the effective date of the BOI Reporting Rule.

Key provisions of the Proposal are outlined below.

Beneficial Ownership Information Access and Safeguards

FinCEN states that it has completed initial system engineering, architectures, and program planning activities for a secure, nonpublic, cloud-based beneficial ownership IT system to receive, store, and maintain reported BOI. The target date for the system to begin accepting reports is January 1, 2024, the day the BOI Reporting Rule becomes effective. Consistent with the statutory requirements and limitations on disclosure of BOI, the system functionality will vary by recipient category.

Authorized Recipients

The CTA authorizes FinCEN to disclose BOI to five categories of recipients highlighted in the table below. The Proposal outlines each category’s unique access to FinCEN’s IT system, the purposes for which recipients can request BOI, and associated restrictions and requirements.

Recipients

Access

Purpose

Restrictions/Requirements

U.S. Federal, state, local, and Tribal government agencies

Direct

In furtherance of national security, intelligence, or law enforcement activities

  • Justifications for accessing BOI in system would need to be filed by federal agencies with FinCEN and subject to audit by FinCEN
  • A “court of competent jurisdiction” would need to authorize state, local, and tribal law enforcement access to BOI in system

Foreign law enforcement and central authorities (foreign requesters)

Indirect

In furtherance of national security, intelligence, or law enforcement activities

Requests must come through an intermediary (federal agency) channel and be made either:

  • In compliance with international treaties, agreements, or conventions, or
  • By law enforcement, judicial, or prosecutorial authorities in a trusted foreign country

If approved, intermediary would retrieve BOI from system and securely transmit to foreign requester

Financial Institutions (FIs)

Direct, but limited

Facilitate compliance with customer due diligence (CDD) requirements

Must have relevant reporting company’s consent and FinCEN identifier to query BOI directly from system

Federal Functional Regulators and Other Regulatory Agencies

 

Direct, but limited

Supervisory capacity for assessing FIs’ compliance with CDD requirements

  • May access the same BOI as the FIs they supervise directly from system
  • May directly access BOI for law enforcement activities

Department of the Treasury

Direct

Any purpose tied to any Treasury officer or employee’s official duties, including BOI inspection or disclosure, and tax administration; permitted to use BOI for tax administration, enforcement actions, intelligence and analytical purposes, sanctions designation investigations, identification of blocked property, audits, and oversight.

 

Security and Confidentiality

The CTA imposes access-control protocols on “requesting agencies” and FinCEN is proposing comparable requirements for FIs, self-regulatory organizations (SROs), and “others who may receive BOI.” The proposed BOI data security and confidentiality protocols would vary by recipient category, but would generally require recipients to:

  • Have standards and procedures for storing the information in a secure system to which only authorized personnel have access and only for authorized purposes.
  • Maintain for review or audit key information about specific BOI searches or requests.
  • Provide certifications regarding compliance with the statute and implementing regulations, as applicable.

The Proposal would specifically require FI recipients to:

  • Develop and implement administrative, technical, and physical safeguards “reasonably designed” to protect BOI as a precondition for receiving it (based on the safeguard requirements for FIs under the Section 501 of the Gramm-Leach-Bliley Act – notably FIs not subject to regulations issued pursuant to Section 501 of the GLBA would be held to these same standards).
  • Obtain and document a reporting company’s consent before requesting that company’s BOI (though FinCEN will not require proof at the time of request).
  • Certify in writing for each BOI request that the FI:
    • Is requesting the information to facilitate its compliance with CDD requirements under applicable law.
    • Obtained the reporting company's written consent to request its BOI.
    • Has fulfilled other requirements of the section, including those related to restrictions on personnel access to the information and safeguards to protect the security, confidentiality, and integrity of the information.

FinCEN anticipates FI compliance with these requirements would be assessed by their Federal Functional Regulators in the ordinary course of safety and soundness examinations or by the SROs during their routine Bank Secrecy Act examinations.

Violations and Penalties

The Proposal would define “unauthorized use” of BOI to include any unauthorized access of BOI, including any activity in which an employee, officer, director, contractor, or agent of an authorized recipient knowingly violates applicable security and confidentiality requirements in connection with accessing such information.

The CTA provides for both civil and criminal penalties, including enhanced criminal penalties of imprisonment in some instances. Violating applicable requirements could also lead to FinCEN suspending or debarring a requester from access to the beneficial ownership IT system.

FinCEN Identifiers

FinCEN identifiers are unique identifying numbers that FinCEN issues to individuals who have provided FinCEN with their BOI, as well as reporting companies that have filed initial BOI reports.  In certain instances, beneficial owners, company applicants, and reporting companies may provide the FinCEN Identifier to a reporting company in lieu of providing required BOI.

In particular, the CTA provides for the use of a reporting company’s FinCEN Identifier instead of an individual’s BOI in cases where the individual “is or may be a beneficial owner of a reporting company by an interest held by the individual in an entity that, directly or indirectly, holds an interest in the reporting company.” The Proposal includes amendments to the provisions in the BOI Reporting Rule that would permit a reporting company to report another entity’s  FinCEN identifier in lieu of an individual beneficial owner’s BOI only when:

  • The intermediate entity has obtained a FinCEN identifier and provided it to the reporting company;
  • The individual is a beneficial owner by virtue of an interest in the reporting company that the individual holds through the intermediate entity; and
  • Only the individuals that are beneficial owners of the intermediate entity are beneficial owners of the reporting company, and vice versa.

Please refer to:

—   KPMG Regulatory Alert | Financial Crime: FinCEN final rule on beneficial ownership

—   KPMG Regulatory Alert | Bank Secrecy Act and Anti-Money Laundering Reform


For more information, please contact:

Amy S. Matsuo

Amy S. Matsuo

Regulatory and ESG Insights Leader, KPMG US

+1 919-664-7100
John Caruso

John Caruso

Principal, Forensic, KPMG US

+1 212-954-6831