Proposed Rule2022-27031
Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
December 16, 2022
Issuing agencies
Treasury DepartmentFinancial Crimes Enforcement Network
Abstract
FinCEN is promulgating proposed regulations regarding access by authorized recipients to beneficial ownership information (BOI) that will be reported to FinCEN pursuant to Section 6403 of the Corporate Transparency Act (CTA), enacted into law as part of the Anti-Money Laundering Act of 2020 (AML Act), which is itself part of the National Defense Authorization Act for Fiscal Year 2021 (NDAA). The proposed regulations would implement the strict protocols on security and confidentiality required by the CTA to protect sensitive personally identifiable information (PII) reported to FinCEN. The NPRM explains the circumstances in which specified recipients would have access to BOI and outlines data protection protocols and oversight mechanisms applicable to each recipient category. The disclosure of BOI to authorized recipients in accordance with appropriate protocols and oversight will help law enforcement and national security agencies prevent and combat money laundering, terrorist financing, tax fraud, and other illicit activity, as well as protect national security. FinCEN is also proposing regulations to specify when and how reporting companies can use FinCEN identifiers to report the BOI of entities.
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 241 (Friday, December 16, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 241 (Friday, December 16, 2022)]
[Proposed Rules]
[Pages 77404-77457]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-27031]
[[Page 77403]]
Vol. 87
Friday,
No. 241
December 16, 2022
Part VI
Department of the Treasury
-----------------------------------------------------------------------
Financial Crimes Enforcement Network
-----------------------------------------------------------------------
31 CFR Part 1010
Beneficial Ownership Information Access and Safeguards, and Use of
FinCEN Identifiers for Entities; Proposed Rule
��Federal Register / Vol. 87, No. 241 / Friday, December 16, 2022 /
Proposed Rules��
[[Page 77404]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Part 1010
RIN 1506-AB59
RIN 1506-AB49
Beneficial Ownership Information Access and Safeguards, and Use
of FinCEN Identifiers for Entities
AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.
ACTION: Notice of proposed rulemaking (NPRM).
-----------------------------------------------------------------------
SUMMARY: FinCEN is promulgating proposed regulations regarding access
by authorized recipients to beneficial ownership information (BOI) that
will be reported to FinCEN pursuant to Section 6403 of the Corporate
Transparency Act (CTA), enacted into law as part of the Anti-Money
Laundering Act of 2020 (AML Act), which is itself part of the National
Defense Authorization Act for Fiscal Year 2021 (NDAA). The proposed
regulations would implement the strict protocols on security and
confidentiality required by the CTA to protect sensitive personally
identifiable information (PII) reported to FinCEN. The NPRM explains
the circumstances in which specified recipients would have access to
BOI and outlines data protection protocols and oversight mechanisms
applicable to each recipient category. The disclosure of BOI to
authorized recipients in accordance with appropriate protocols and
oversight will help law enforcement and national security agencies
prevent and combat money laundering, terrorist financing, tax fraud,
and other illicit activity, as well as protect national security.
FinCEN is also proposing regulations to specify when and how reporting
companies can use FinCEN identifiers to report the BOI of entities.
DATES: Written comments on this proposed rule may be submitted on or
before February 14, 2023.
ADDRESSES: Comments may be submitted by any of the following methods:
<bullet> Federal E-rulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
Follow the instructions for submitting comments. Refer to Docket Number
FINCEN-2021-0005 and RIN 1506-AB49/AB59.
<bullet> Mail: Policy Division, Financial Crimes Enforcement
Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-
2021-0005 and RIN 1506-AB49/AB59.
FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section
at 1-800-767-2825 or electronically at <a href="/cdn-cgi/l/email-protection#2b4d59486b4d4245484e45054c445d"><span class="__cf_email__" data-cfemail="0365716043656a6d60666d2d646c75">[email protected]</span></a>.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
These proposed regulations would implement the provisions in the
CTA, codified at 31 U.S.C. 5336(c),\1\ that authorize certain
recipients to receive disclosures of identifying information associated
with reporting companies, their beneficial owners, and their company
applicants (together, BOI). The CTA requires reporting companies to
report BOI to FinCEN pursuant to 31 U.S.C. 5336(b). This NPRM reflects
FinCEN's careful consideration of public comments, including those
received in response to an advance notice of proposed rulemaking
(ANPRM) \2\ on the implementation of the CTA, and in response to an
NPRM regarding BOI reporting requirements (Reporting NPRM).\3\ This
NPRM also reflects FinCEN's understanding of the critical need for the
highest standard of security and confidentiality protocols to maintain
confidence in the U.S. government's ability to protect sensitive
information while achieving the objective of the CTA--establishing a
database of beneficial ownership information (BOI) that will be highly
useful in combatting illicit finance and the abuse of shell and front
companies by criminals, corrupt officials, and other bad actors.
---------------------------------------------------------------------------
\1\ The CTA is Title LXIV of the William M. (Mac) Thornberry
National Defense Authorization Act for Fiscal Year 2021, Public Law
116-283 (Jan. 1, 2021) (the NDAA). Division F of the NDAA is the
Anti-Money Laundering Act of 2020 (AML Act), which includes the CTA.
Section 6403 of the CTA, among other things, amends the Bank Secrecy
Act (BSA) by adding a new Section 5336, Beneficial Ownership
Information Reporting Requirements, to Subchapter II of Chapter 53
of Title 31, United States Code.
\2\ 86 FR 17557 (Apr. 5, 2021).
\3\ 86 FR 69920 (Dec. 8, 2021).
---------------------------------------------------------------------------
The proposed regulations aim to ensure that: (1) only authorized
recipients have access to BOI; (2) authorized recipients use that
access only for purposes permitted by the CTA; and (3) authorized
recipients only re-disclose BOI in ways that balance protection of the
security and confidentiality of the BOI with furtherance of the CTA's
objective of making BOI available to a range of users for purposes
specified in the CTA. The proposed regulations also provide a robust
framework to ensure that BOI reported to FinCEN, and received by
authorized recipients, is subject to strict cyber security controls,
confidentiality protections and restrictions, and robust audit and
oversight measures. Coincident with the protocols described in this
NPRM, FinCEN is working to develop a secure, non-public database in
which to store BOI, using rigorous information security methods and
controls typically used in the Federal government to protect non-
classified yet sensitive information systems at the highest security
level. Against this backdrop and consistent with the CTA, FinCEN will
permit Federal, State, local, and Tribal officials, as well as certain
foreign officials acting through a Federal agency, to obtain BOI for
use in furtherance of statutorily authorized activities such as those
related to national security, intelligence, and law enforcement.
Financial institutions (FIs) with customer due diligence (CDD)
requirements under applicable law will have access to BOI to facilitate
CDD compliance. Their regulators will likewise have access to BOI to
make assessments of CDD compliance.
Additionally, FinCEN is proposing certain amendments to the BOI
reporting regulations regarding the use of FinCEN identifiers.\4\ The
proposed amendments would specify how reporting companies would be able
to use an entity's FinCEN identifier to fulfill their BOI reporting
obligations under 31 CFR 1010.380.
---------------------------------------------------------------------------
\4\ Id., as defined in 31 CFR 1010.380(f)(2), a FinCEN
identifier is a unique identifying number assigned by FinCEN to an
individual or reporting company under 31 CFR 1010.380.
---------------------------------------------------------------------------
II. Background
A. Access to Beneficial Ownership Information
As Congress explained in the CTA, ``malign actors seek to conceal
their ownership of corporations, limited liability companies, or other
similar entities in the United States to facilitate illicit activity,
including money laundering, the financing of terrorism, proliferation
financing, serious tax fraud, human and drug trafficking,
counterfeiting, piracy, securities fraud, financial fraud, and acts of
foreign corruption, harming the national security interests of the
United States and allies of the United States.'' \5\ Access by
authorized recipients to BOI reported under the CTA would significantly
aid efforts to protect U.S. national security and safeguard the U.S.
financial system from such illicit use. It would impede illicit actors'
ability to use legal entities to conceal proceeds from criminal acts
that undermine U.S. national security and foreign policy interests,
such as corruption, human smuggling, drug and arms trafficking, and
terrorist financing. BOI can also add critical data to financial
analyses in activities the CTA
[[Page 77405]]
contemplates, including tax investigations. It can also provide
essential information to the intelligence and national security
professionals who work to prevent terrorists, proliferators, and those
who seek to undermine our democratic institutions or threaten other
core U.S. interests from raising, hiding, or moving money in the United
States through anonymous shell or front companies.\6\
---------------------------------------------------------------------------
\5\ CTA, Section 6402(3).
\6\ A front company generates legitimate business proceeds to
commingle with illicit earnings. See U.S. Department of the
Treasury, National Money Laundering Risk Assessment (2018), p. 29,
available at <a href="https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf">https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf</a>.
---------------------------------------------------------------------------
The United States currently does not have a centralized or complete
store of information about who owns and operates legal entities within
the United States. The beneficial ownership data available to law
enforcement and national security agencies are generally limited to the
information collected by financial institutions on legal entity
accounts pursuant to their CDD or broader Customer Identification
Program (CIP) obligations, some of which has been included in
Suspicious Activity Reports (SARs) or provided to law enforcement in
response to judicial process.\7\ As set out in detail in the Reporting
NPRM \8\ and the BOI reporting final rule,\9\ U.S. law enforcement
officials and the Financial Action Task Force (FATF),\10\ among others,
have for years noted how the lack of timely access to accurate and
adequate BOI by law enforcement and other authorized recipients
remained a significant gap in the United States' anti-money-laundering-
/countering-the-financing-of-terrorism (AML/CFT) and countering the
financing of proliferation (CFP) framework. Broadly, and critically,
BOI can identify linkages between potential illicit actors and opaque
business entities, including shell companies. Furthermore, comparing
BOI reported pursuant to the CTA against data collected under the Bank
Secrecy Act (BSA) and other relevant government data is expected to
significantly further efforts to identify illicit actors and combat
their financial activities.
---------------------------------------------------------------------------
\7\ 31 CFR 1010.230. Even then, any BOI a financial institution
collects is not systematically reported to any central repository.
\8\ Supra note 3.
\9\ 87 FR 59498 (Sept. 30, 2022).
\10\ The FATF, of which the United States is a founding member,
is an international, inter-governmental task force whose purpose is
the development and promotion of international standards and the
effective implementation of legal, regulatory, and operational
measures to combat money laundering, terrorist financing, the
financing of weapons proliferation, and other related threats to the
integrity of the international financial system. The FATF assesses
over 200 jurisdictions against its minimum standards for beneficial
ownership transparency. Among other things, it has established
standards on transparency and beneficial ownership of legal persons,
to deter and prevent the misuse of corporate vehicles. See FATF
Recommendation 24, Transparency and Beneficial Ownership of Legal
Persons, The FATF Recommendations: International Standards on
Combating Money Laundering and the Financing of Terrorism and
Proliferation (updated Oct. 2020), available at <a href="https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html">https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html</a>; FATF Guidance, Transparency and Beneficial
Ownership, Part III (Oct. 2014), available at <a href="https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf">https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf</a>.
---------------------------------------------------------------------------
As law enforcement and other U.S. government officials have noted,
investigations into, and prosecutions of, money laundering, corruption,
and other illicit financial activities are often prolonged or stymied
by those officials' inability to rapidly access BOI in a centralized
database. Kenneth A. Blanco, then-Director of FinCEN and a former State
and Federal prosecutor, observed in 2019 testimony to the U.S. Senate
Committee on Banking, Housing and Urban Affairs that based on his
experience as a former State and Federal prosecutor, identifying the
ultimate beneficial owner of a shell or front company in the United
States ``often requires human source information, grand jury subpoenas,
surveillance operations, witness interviews, search warrants, and
foreign legal assistance requests to get behind the outward facing
structure of these shell companies. This takes an enormous amount of
time--time that could be used to further other important and necessary
aspects of an investigation--and wastes resources, or prevents
investigators from getting to other equally important investigations.''
\11\
---------------------------------------------------------------------------
\11\ FinCEN, Testimony for the Record, Kenneth A. Blanco,
Director, U.S. Senate Committee on Banking, Housing and Urban
Affairs (May 21, 2019), available at <a href="https://www.banking.senate.gov/imo/media/doc/Blanco%20Testimony%205-21-19.pdf">https://www.banking.senate.gov/imo/media/doc/Blanco%20Testimony%205-21-19.pdf</a>.
---------------------------------------------------------------------------
The FBI's Steven M. D'Antuono elaborated on these difficulties,
testifying before the Senate Banking Housing and Urban Affairs
Committee in 2019 that ``[t]he process for the production of records
can be lengthy, anywhere from a few weeks to many years, and . . . can
be extended drastically when it is necessary to obtain information from
other countries . . . . [I]f an investigator obtains the ownership
records, either from a domestic or foreign entity, the investigator may
discover that the owner of the identified corporate entity is an
additional corporate entity, necessitating the same process for the
newly discovered corporate entity. Many professional launderers and
others involved in illicit finance intentionally layer ownership and
financial transactions in order to reduce transparency of transactions.
As it stands, it is a facially effective way to delay an
investigation.'' \12\ D'Antuono acknowledged that these challenges may
be even starker for State, local, and Tribal law enforcement agencies
that may not have the same resources as their Federal counterparts to
undertake long and costly investigations to identify the beneficial
owners of these entities.\13\ During the testimony, he noted that
requiring the disclosure of BOI by legal entities and the creation of a
central BOI repository available to law enforcement and regulators
could address these challenges.\14\
---------------------------------------------------------------------------
\12\ Federal Bureau of Investigation (FBI), Testimony of Steven
M. D'Antuono, Section Chief, Criminal Investigative Division,
``Combatting Illicit Financing by Anonymous Shell Companies'' (May
21, 2019), available at <a href="https://www.fbi.gov/news/testimony/combating-illicit-financing-by-anonymous-shell-companies">https://www.fbi.gov/news/testimony/combating-illicit-financing-by-anonymous-shell-companies</a>.
\13\ Id.
\14\ Id.
---------------------------------------------------------------------------
The process of obtaining BOI through grand jury subpoenas and other
means can be time-consuming and of limited utility in some cases. Grand
jury subpoenas, for example, require an underlying grand jury
investigation into a possible violation of law. In addition, the law
enforcement officer or investigator must work with a prosecutor's
office, such as a U.S. Attorney's Office, to open a grand jury
investigation, obtain the grand jury subpoena, and issue it on behalf
of the grand jury. The investigator also needs to determine the proper
recipient of the subpoena and coordinate service, which raises
additional complications in cases where there is excessive layering of
corporate structures to hide the identity of the ultimate beneficial
owners. In some cases, however, BOI still may not be attainable via
grand jury subpoena because it is not recorded. For example, because
most states do not require the disclosure of BOI when forming or
registering an entity, BOI cannot be obtained from the secretary of
state or similar office. Furthermore, many states permit corporations
to acquire property without disclosing BOI, and therefore BOI cannot be
obtained from property records.
FinCEN's existing regulatory tools also have significant
limitations. The 2016 CDD Rule,\15\ for example, requires that certain
types of U.S. financial institutions identify and verify the beneficial
owners of legal entity customers at the time those financial
institutions open a new account for a
[[Page 77406]]
legal entity customer,\16\ but the rule provides only a partial
solution.\17\ The information provided to U.S. financial institutions
about beneficial owners of certain U.S. entities is generally not
comprehensive and not reported to the U.S. government (nor to State,
local, or Tribal governments), except when filed in SARs or in response
to judicial process. It is therefore not immediately available to law
enforcement, intelligence, and national security agencies. Moreover,
the CDD rule applies only to legal entities that open accounts at
certain U.S. financial institutions. Other FinCEN authorities--
geographic targeting orders \18\ and the so-called ``311 measures''
(i.e., special measures imposed on jurisdictions, financial
institutions, or international transactions of primary money laundering
concern) \19\--offer temporary and targeted tools. Neither provides law
enforcement the ability to reliably, efficiently, and consistently
follow investigatory leads.
---------------------------------------------------------------------------
\15\ 81 FR 29397 (May 11, 2016).
\16\ The CDD Rule NPRM contained a requirement that covered
financial institutions conduct ongoing monitoring to maintain and
update customer information on a risk basis, specifying that
customer information includes the beneficial owners of legal entity
customers. As noted in the supplementary material to the final rule,
FinCEN did not construe this obligation as imposing a categorical,
retroactive requirement to identify and verify BOI for existing
legal entity customers. Rather, these provisions reflect the
conclusion that a financial institution should obtain BOI from
existing legal entity customers when, in the course of its normal
monitoring, the financial institution detects information relevant
to assessing or reevaluating the risk of such customer. Final Rule,
Customer Due Diligence Requirements for Financial Institutions, 81
FR 29398, 29404 (May 11, 2016).
\17\ See U.S. Money Laundering Threat Assessment Working Group,
U.S. Money Laundering Threat Assessment (2005), pp. 48-49, available
at <a href="https://www.treasury.gov/resource-center/terrorist-illicit-finance/documents/mlta.pdf">https://www.treasury.gov/resource-center/terrorist-illicit-finance/documents/mlta.pdf</a>. See also Congressional Research Service,
Miller, Rena S. and Rosen, Liana W., Beneficial Ownership
Transparency in Corporate Formation, Shell Companies, Real Estate,
and Financial Transactions (Jul. 8, 2019), available at <a href="https://crsreports.congress.gov/product/pdf/R/R45798">https://crsreports.congress.gov/product/pdf/R/R45798</a>.
\18\ 31 U.S.C. 5326(a); 31 CFR 1010.370.
\19\ 31 U.S.C. 5318A, as added by section 311 of the USA PATRIOT
Act (Pub. L. 107-56).
---------------------------------------------------------------------------
The utility and value of BOI reported to FinCEN, therefore, rests
in large part on the bureau's ability to provide authorized recipients
predictable and efficient access to reported BOI while protecting the
confidentiality and integrity of the information. As Congress noted,
``[f]ederal legislation providing for the collection of beneficial
ownership information for corporations, limited liability companies, or
other similar entities formed under the laws of the States is needed''
to protect vital U.S. ``national security interests . . . [and] better
enable critical national security, intelligence, and law enforcement
efforts to counter money laundering, the financing of terrorism, and
other illicit activity.'' \20\ Furthermore, providing authorized
recipients in FIs access to BOI reported to FinCEN, as the CTA
requires, will assist FIs in complying with AML/CFT and CDD
requirements.
---------------------------------------------------------------------------
\20\ CTA, Section 6402(5)(B),(D).
---------------------------------------------------------------------------
B. The Corporate Transparency Act
The CTA is part of the AML Act, which is itself a part of the 2021
NDAA. The CTA added a new section, 31 U.S.C. 5336, to the BSA to
address the broader objectives of enhancing beneficial ownership
transparency while minimizing the burden on the regulated community. In
brief, 31 U.S.C. 5336 requires certain types of domestic and foreign
entities, called ``reporting companies,'' to submit specified BOI to
FinCEN. FinCEN is authorized to share this BOI with certain Government
agencies, financial institutions, and regulators, subject to
appropriate protocols.\21\ The requirement for reporting companies to
submit BOI takes effect ``on the effective date of the regulations
prescribed by the Secretary of the Treasury under [31 U.S.C. 5336].''
\22\ Reporting companies formed or registered after the effective date
will need to submit the requisite BOI to FinCEN at the time of
formation, while preexisting reporting companies will have a specified
period to comply and report.\23\
---------------------------------------------------------------------------
\21\ See generally 31 U.S.C. 5336(b), (c).
\22\ 31 U.S.C. 5336(b)(5).
\23\ See 31 U.S.C. 5336(b)(1)(B), (C).
---------------------------------------------------------------------------
The CTA reporting requirements generally exempt entities that are
otherwise subject to significant regulatory regimes--e.g., banks--where
Congress presumably expected primary regulators to have visibility into
the identities of the owners and ownership structures of the entities.
The exemptions thus avoid imposing duplicative requirements in these
cases.
The provision at 31 U.S.C. 5336 requires reporting companies to
submit to FinCEN, for each beneficial owner and company applicant,
either the individual's full legal name, date of birth, current
residential or business street address, and a unique identifying number
from an acceptable identification document (e.g., a nonexpired
passport)--four readily accessible pieces of information that should
not be unduly burdensome for individuals to produce, or for reporting
companies to collect and submit to FinCEN--or a FinCEN identifier.\24\
A FinCEN identifier is a unique identifying number that FinCEN will
issue to individuals or entities upon request.\25\ In certain
instances, the FinCEN identifier may be reported in lieu of an
individual's name, birth date, address, and unique identification
number.\26\ As noted in Section II.E. below, FinCEN addressed the
regulatory requirements related to BOI reporting pursuant to the CTA
through the recent issuance of a final BOI reporting rule.\27\
---------------------------------------------------------------------------
\24\ See 31 U.S.C. 5336(b)(2).
\25\ See 31 U.S.C. 5336(b)(3)(A)(i).
\26\ See 31 U.S.C. 5336(b)(3)(B).
\27\ Supra note 7.
---------------------------------------------------------------------------
Given the sensitivity of the reportable BOI, the CTA imposes strict
confidentiality and security restrictions on the storage, access, and
use of BOI. Congress authorized FinCEN to disclose BOI to a statutorily
defined group of governmental authorities and financial institutions,
in limited circumstances. The CTA establishes that BOI is ``sensitive
information,'' \28\ and provides that the Secretary of the Treasury
(Secretary) shall ``maintain [it] in a secure, nonpublic database,
using information security methods and techniques that are appropriate
to protect nonclassified information systems at the highest security
level.'' \29\ The statute further provides that BOI is only to be used
by specified parties for specified purposes.\30\ Access to and
disclosure of BOI is the focus of this NPRM.
---------------------------------------------------------------------------
\28\ CTA, Section 6402(6).
\29\ CTA, Section 6402(7)(A). While the statutory language seems
to include a typo that refers to another provision, it also seems
clear that the object of protection in this case is BOI.
\30\ CTA, Section 6402(6).
---------------------------------------------------------------------------
In addition to setting out requirements and restrictions related to
BOI reporting and access, the CTA requires that FinCEN revise the
current CDD Rule within one year of January 1, 2024, the effective date
of the final BOI reporting rule, by rescinding paragraphs (b) through
(j) of 31 CFR 1010.230.\31\ The CTA identifies three purposes for this
revision: (1) to bring the rule into conformity with the AML Act as a
whole, including the CTA; (2) to account for financial institutions'
access to BOI reported to FinCEN ``in order to confirm the beneficial
ownership information provided directly to the financial institutions''
for AML/CFT and customer due diligence purposes; and (3) to reduce
unnecessary or duplicative
[[Page 77407]]
burdens on financial institutions and legal entity customers.\32\
---------------------------------------------------------------------------
\31\ CTA, Section 6403(d)(1), (2). The CTA orders the rescission
of paragraphs (b) through (j) directly (``the Secretary of the
Treasury shall rescind paragraphs (b) through (j)'') and orders the
retention of paragraph (a) by a negative rule of construction
(``nothing in this section may be construed to authorize the
Secretary of the Treasury to repeal ... [31 CFR] 1010.230(a)[.]'').
\32\ CTA, Section 6403(d)(1)(A)-(C).
---------------------------------------------------------------------------
FinCEN intends to satisfy the requirements related to the revision
of the CDD Rule through a future rulemaking process that will provide
the public with an opportunity to comment on the proposal. FinCEN
anticipates that this rulemaking to revise the CDD Rule will touch on
the issue of the interplay between financial institutions' CDD efforts
and the beneficial ownership IT system that FinCEN is developing to
receive, store, and maintain BOI.
C. The Advance Notice of Proposed Rulemaking
On April 5, 2021, FinCEN published the ANPRM related to
implementing the CTA.\33\ The ANPRM sought input on five open-ended
categories of questions, including on clarifying key definitions and on
FinCEN's implementation of the related provisions of the CTA that
govern the bureau's maintenance and disclosure of BOI subject to
appropriate access protocols.
---------------------------------------------------------------------------
\33\ Supra note 2.
---------------------------------------------------------------------------
In response to the ANPRM, FinCEN received 220 comments from parties
that included businesses, civil society organizations, trade
associations, law firms, secretaries of state and other State
officials, Indian Tribes, members of Congress, and private citizens.
Some comments focused on issues that pertain to this access rulemaking,
such as the structure of the BOI database, certain users' need for
access, the importance of ensuring the security of the database,
specific technological decisions that FinCEN could make, and the
desirability of a FinCEN commitment to verifying the information in the
database.
FinCEN has considered all of the comments that it received in
response to the ANPRM in drafting this proposed rule.
D. The Reporting Notice of Proposed Rulemaking
FinCEN followed the ANPRM with the December 8, 2021, publication of
the Reporting NPRM, the first of the three CTA-related rulemakings.\34\
In the Reporting NPRM, FinCEN described in detail Treasury's efforts to
address the lack of transparency in certain legal entity ownership, the
value of BOI, the national security and law enforcement implications of
legal entities with anonymous beneficial owners, and the need for
centralized BOI collection.\35\ The Reporting NPRM acknowledged the
current environment in which criminals and other bad actors can exploit
the creation and use of legal entities in the United States.
---------------------------------------------------------------------------
\34\ 86 FR 69920 (Dec. 8, 2021).
\35\ Id. at 69921-69928.
---------------------------------------------------------------------------
The Reporting NPRM proposed regulations specifying what BOI must be
reported to FinCEN pursuant to CTA requirements, by whom, and when. In
particular, it proposed that domestic and foreign reporting companies
report to FinCEN four pieces of BOI for each of their beneficial owners
and company applicants: full legal name, birthdate, current residential
or business street address, and a unique identifying number from an
acceptable identification document (e.g., a nonexpired passport or
driver's license). In the alternative, the proposed rule would permit a
reporting company to report a FinCEN identifier for an individual or
entity in certain circumstances.\36\ These regulations also proposed
processes for obtaining, updating, and using FinCEN identifiers. The
Reporting NPRM included a 60-day comment period, which closed on
February 7, 2022, and FinCEN received over 240 comments on the NPRM.
---------------------------------------------------------------------------
\36\ See 31 U.S.C. 5336(b).
---------------------------------------------------------------------------
E. The Final Reporting Rule
On September 30, 2022, FinCEN published a final rule implementing
the CTA's BOI reporting requirements and addressing the comments
submitted on the NPRM. The final regulations require certain legal
entities to file with FinCEN reports that identify the beneficial
owners of the entity, and individuals who filed (or who are primarily
responsible for directing or controlling the filing of) an application
with specified governmental authorities to create the entity or
register it to do business. Further, the regulations describe who must
file a report, what information must be provided, and when a report is
due. These reporting requirements are intended to help prevent and
combat money laundering, terrorist financing, corruption, tax fraud,
and other illicit activity, while minimizing the burden on reporting
companies.
In addition, as the final BOI reporting rule noted, providing
authorized users in the law enforcement, national security, and
regulatory communities, and in FIs, access to the reported BOI will
diminish the ability of illicit actors to obfuscate their activities
through the use of anonymous shell and front companies. FinCEN also
recognized in the final BOI reporting rule the vital importance of
protecting the reported BOI and ensuring, through the issuance of
regulations governing access to the reported BOI, that the BOI is
subject to stringent use and security protocols. The BOI final
reporting regulations become effective on January 1, 2024.
Furthermore, the final BOI reporting rule reserved certain
provisions concerning the use of FinCEN identifiers for entities for
further consideration. This Access NPRM includes proposed amendments to
the reporting regulations that would finalize these remaining
provisions.
F. Beneficial Ownership Information Infrastructure
i. Beneficial Ownership Information IT System Development
The CTA directs the Secretary to maintain BOI ``in a secure,
nonpublic database, using information security methods and techniques
that are appropriate to protect non-classified information security
systems at the highest security level . . . .'' \37\ To implement this
requirement, FinCEN has been developing a secure information technology
(IT) system to receive, store, and maintain BOI. FinCEN has gathered
requirements and completed initial system engineering, architectures,
and program planning activities. The initial build of the cloud
infrastructure is complete and the development of the first set of
system products is in progress. The target date for the system to begin
accepting BOI reports is January 1, 2024, the same day the reporting
rule takes effect.
---------------------------------------------------------------------------
\37\ CTA, Section 6402(7).
---------------------------------------------------------------------------
FinCEN is taking a very deliberative approach to designing and
building the system, factoring in the requirements set out in the CTA
as well as guidance from Congress. As Senator Sherrod Brown, the then-
Ranking Member of the Senate Committee on Banking, Housing, and Urban
Affairs and one of the primary authors of the CTA, noted in his
December 9, 2020, floor statement accompanying the CTA, ``[i]n
designing the [system], FinCEN should survey other beneficial ownership
databases to determine their best features and design, and create a
structure that secures the data as required by law.'' \38\ Among other
actions FinCEN has undertaken in the development of the system, FinCEN
met not only with future stakeholders to better understand their need
to access BOI and how they currently safeguard sensitive information
(see Section II.H. ``Outreach'' below), but also with other government
entities that had developed
[[Page 77408]]
beneficial ownership databases, such as the District of Columbia's
(DC's) Superintendent of Corporations (within DC's Department of
Consumer and Regulatory Affairs Corporations), and the United Kingdom's
Companies House.
---------------------------------------------------------------------------
\38\ Senator Sherrod Brown, National Defense Authorization Act,
Congressional Record 166:208 (Dec. 9, 2020), p. S7312, available at
<a href="https://www.govinfo.gov/content/pkg/CREC-2020-12-09/pdf/CREC-2020-12-09.pdf">https://www.govinfo.gov/content/pkg/CREC-2020-12-09/pdf/CREC-2020-12-09.pdf</a>.
---------------------------------------------------------------------------
Senator Brown also encouraged FinCEN to ``ensure that [F]ederal,
[S]tate, local and tribal law enforcement can access the beneficial
ownership database without excessive delays or red tape in a manner
modeled after its existing systems providing law enforcement access to
databases containing currency transaction and suspicious activity
report information.'' \39\ Keeping BOI secure and confidential is one
of FinCEN's highest priorities in building the system. Serving that
interest requires not only designing and implementing appropriate
technical controls around BOI security and storage, but also thoroughly
understanding the ways in which prospective authorized BOI recipients
intend to access, handle, and use BOI. This knowledge in turn informs
the policies, procedures, and processes that will govern how authorized
recipients treat BOI when they access it.
---------------------------------------------------------------------------
\39\ Id.
---------------------------------------------------------------------------
This balance is reflected in the ongoing development of the system.
Consistent with the CTA's requirement,\40\ the system will be cloud-
based and is being implemented to meet the highest Federal Information
Security Management Act (FISMA) \41\ level (FISMA High).\42\ A FISMA
High rating indicates that losing the confidentiality, integrity, or
availability of information within a system would have a severe or
catastrophic adverse effect on the organization maintaining the system,
including on organizational assets or individuals.\43\ The rating
carries with it a requirement to implement certain baseline controls to
protect the relevant information.\44\
---------------------------------------------------------------------------
\40\ 31 U.S.C. 5336(c)(8).
\41\ 44 U.S.C 3541 et seq.
\42\ See U.S. Department of Commerce, Federal Information
Processing Standards Publication: Standards for Security
Categorization of Federal Information and Information Systems
(``FIPS Pub 199'') (Feb. 2004), available at <a href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf">https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf</a>.
\43\ Id. at 3.
\44\ Id.
---------------------------------------------------------------------------
FinCEN recognizes that BOI is highly sensitive information. FinCEN
therefore views it as critical to mitigate the risk of unauthorized
disclosure of BOI as much as possible. To that end, system
functionality will vary by recipient category consistent with statutory
requirements and limitations on BOI disclosure--for example, financial
institutions will have a different level of access to BOI than law
enforcement agencies. The regulations proposed in this Access NPRM
complement this functionality by clarifying and codifying those
requirements and limitations, including through recipient-specific
access protocols designed to protect BOI security and confidentiality.
ii. CTA Implementation Efforts
FinCEN continues to face resource constraints in developing and
deploying the Beneficial Ownership IT System and efforts to put in
place processes to support the collection and use of BOI. There are a
myriad of areas that need additional investment, including additional
personnel to support efforts beyond the initial build of the Beneficial
Ownership IT System. These include efforts to provide clear and
transparent guidance to reporting companies and authorized users of
BOI, negotiating and implementing memoranda of understanding (MOUs)
with domestic government agencies, reviewing requests for BOI and
accompanying court authorizations from State, local, or tribal law
enforcement agencies, auditing the handling and use of BOI, and
enforcement activities.
FinCEN is particularly focused on providing adequate customer
service resources for reporting companies in the first year and beyond
as they file their BOI. FinCEN currently fields approximately 13,000
inquiries a year through its Regulatory Support Section, and
approximately 70,000 external technical inquiries a year through the IT
Systems Helpdesk. FinCEN has estimated that there will be approximately
32 million reporting companies in Year 1 of the reporting requirement
and approximately 5 million new reporting companies each year
thereafter.\45\ If 10 percent of those reporting companies have
questions about the reporting requirement or the form, or technical
issues when filing, that could result in upwards of 3 million inquiries
in Year 1, and 500,000 per year after that.
---------------------------------------------------------------------------
\45\ 87 FR 59498, 59549 (Sept. 30, 2022).
---------------------------------------------------------------------------
Without the availability of additional appropriated funds to
support this project and other mission-critical services, FinCEN may
need to identify trade-offs, including with respect to guidance and
outreach activities, and the staged access by different authorized
users to the database. FinCEN is currently identifying the range of
considerations implicated by potential budget shortfalls and the trade-
offs that are available and appropriate.
G. Verification
FinCEN continues to evaluate options for verifying reported
BOI.\46\ ``Verification,'' as that term is used here, means confirming
that the reported BOI submitted to FinCEN is actually associated with a
particular individual. A number of commenters to the ANPRM and
Reporting NPRM have affirmed the importance of verifying BOI to support
authorized activities that rely on the information. FinCEN continues to
review the options available to verify BOI within the legal constraints
in the CTA.
---------------------------------------------------------------------------
\46\ Pursuant to Sections 6502(b)(1)(C) and (D) of the AML Act,
the Secretary, in consultation with the Attorney General, will
conduct a study no later than two years after the effective date of
the BOI reporting final rule, to evaluate the costs associated with
imposing any new verification requirements on FinCEN and the
resources necessary to implement any such changes.
---------------------------------------------------------------------------
H. Outreach
FinCEN has conducted more than 30 outreach sessions to solicit
input on how best to implement the statutory authorizations and
limitations regarding BOI disclosure. Participants included
representatives from Federal agencies, State courts, State and local
prosecutors' offices, Tribal governments, FIs, financial self-
regulatory organizations (SROs), and, as noted previously, government
offices that had established BOI databases. Topics discussed included
how stakeholders might use BOI, potential information technology (IT)
system features, circumstances in which potential stakeholders might
need to re-disseminate BOI, and how different approaches might help
further the purposes of the CTA. These conversations helped FinCEN
refine its thinking about how to create a useful database for
stakeholders while protecting BOI and individual privacy.
III. Overview of Access Framework and Protocols
A. Statutory Framework
The CTA authorizes FinCEN to disclose BOI to five categories of
recipients.\47\ The first category consists of recipients in Federal,
State, local and Tribal government agencies. Within this category,
FinCEN may disclose BOI to Federal agencies engaged in national
security, intelligence, or law enforcement activity if the requested
BOI is for use in furtherance of such activity.\48\ Note that Federal
agency access is activity-based. Thus, an agency such as a Federal
functional regulator, while perhaps not a ``law enforcement
[[Page 77409]]
agency'' in the conventional sense, may still be engaged in ``law
enforcement activity'' such as civil law enforcement, and can therefore
still request BOI from FinCEN for use in furtherance of that activity.
FinCEN may also disclose BOI to State, local, and Tribal law
enforcement agencies if ``a court of competent jurisdiction'' has
authorized the law enforcement agency to seek the information in a
criminal or civil investigation.\49\
---------------------------------------------------------------------------
\47\ 31 U.S.C. 5336(c)(2)(B) and 31 U.S.C. 5336(c)(5).
\48\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
\49\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
The second category consists of foreign law enforcement agencies,
judges, prosecutors, central authorities, and competent authorities
(``foreign requesters''), provided their requests come through an
intermediary Federal agency, meet certain additional criteria, and are
made either (1) under an international treaty, agreement, or
convention, or (2) via a request made by law enforcement, judicial, or
prosecutorial authorities in a trusted foreign country (when no
international treaty, agreement, or convention is available).\50\
---------------------------------------------------------------------------
\50\ See 31 U.S.C. 5336(c)(2)(B)(ii).
---------------------------------------------------------------------------
The third authorized recipient category is FIs using BOI to
facilitate compliance with CDD requirements under applicable law,
provided the FI requesting the BOI has the relevant reporting company's
consent for such disclosure.\51\
---------------------------------------------------------------------------
\51\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------
The fourth category is Federal functional regulators and other
appropriate regulatory agencies acting in a supervisory capacity
assessing FIs for compliance with CDD requirements.\52\ These agencies
may access the BOI information that FIs they supervise received from
FinCEN.
---------------------------------------------------------------------------
\52\ 31 U.S.C. 5336(c)(2)(B)(iv).
---------------------------------------------------------------------------
The fifth and final category of authorized BOI recipients is the
U.S. Department of the Treasury (Treasury) itself, for which the CTA
provides relatively unique access to BOI tied to an officer or
employee's official duties requiring BOI inspection or disclosure,
including for tax administration.\53\
---------------------------------------------------------------------------
\53\ 31 U.S.C. 5336(c)(5).
---------------------------------------------------------------------------
The CTA directs the Secretary to ``take all steps, including
regular auditing, to ensure that government authorities accessing [BOI]
do so only for authorized purposes consistent with [the CTA].'' \54\
The CTA also requires the Secretary to establish protocols governing
access by authorized recipients to BOI and protecting the information's
security and confidentiality.\55\
---------------------------------------------------------------------------
\54\ CTA, Section 6402(7)(B).
\55\ See generally 31 U.S.C. 5336(c)(3).
---------------------------------------------------------------------------
Specifically, the statute provides that the Secretary shall
establish protocols requiring: (1) the heads of requesting agencies to
approve standards and procedures for protecting BOI, and make related
certifications; \56\ (2) requesting agencies to ``establish and
maintain, to the satisfaction of the Secretary, a secure system in
which [BOI] provided directly by the Secretary shall be stored''; \57\
(3) requesting agencies to ``furnish a report to the Secretary, at such
time and containing such information as the Secretary may prescribe,
that describes the procedures established and utilized by such agency
to ensure the confidentiality of [BOI] provided directly by the
Secretary''; \58\ (4) certain requesting agencies to provide a written
certification that the requirements for access to BOI have been met;
\59\ (5) requesting agencies to ``limit, to the greatest extent
practicable, the scope of information sought, consistent with the
purposes for seeking [BOI];'' \60\ (6) requesting agencies to
``establish and maintain, to the satisfaction of the Secretary, a
permanent system of standardized records with respect to an auditable
trail of each request for [BOI] submitted to the Secretary by the
agency, including the reason for the request, the name of the
individual who made the request, the date of the request, any
disclosure of [BOI] made by or to the agency, and any other information
the Secretary of the Treasury determines is appropriate''; \61\ and (7)
requesting agencies to ``conduct an annual audit to verify that the
[BOI] received from the Secretary has been accessed and used
appropriately, and in a manner consistent with this paragraph and
provide the results of that audit to the Secretary upon request.\62\
The Secretary is likewise required to ``conduct an annual audit of the
adherence of the agencies to the protocols established under this
paragraph to ensure that agencies are requesting and using beneficial
ownership information appropriately.'' \63\
---------------------------------------------------------------------------
\56\ 31 U.S.C. 5336(c)(3)(B).
\57\ 31 U.S.C. 5336(c)(3)(C).
\58\ 31 U.S.C. 5336(c)(3)(D).
\59\ 31 U.S.C. 5336(c)(3)(E).
\60\ 31 U.S.C. 5336(c)(3)(F).
\61\ 31 U.S.C. 5336(c)(3)(H).
\62\ See 31 U.S.C. 5336(c)(3)(I).
\63\ See 31 U.S.C. 5336(c)(3)(J).
---------------------------------------------------------------------------
The CTA expressly restricts access to BOI to only those authorized
users at a requesting agency: (1) who are directly engaged in an
authorized investigation or activity; (2) whose duties or
responsibilities require access to BOI; (3) who have undergone
appropriate training or use staff to access the system who have
undergone appropriate training; (4) who use appropriate identity
verification to obtain access to the information; and (5) who are
authorized by agreement with the Secretary to access BOI.\64\
---------------------------------------------------------------------------
\64\ 31 U.S.C. 5336(c)(3)(G).
---------------------------------------------------------------------------
The statute further provides the Secretary with discretionary
authority to prescribe by regulation such other safeguards as she deems
necessary and appropriate to protect BOI confidentiality.\65\ The
Secretary has delegated the authority to prescribe appropriate
protocols to protect the security and confidentiality of BOI pursuant
to 31 U.S.C. 5336(c)(3) to FinCEN.\66\
---------------------------------------------------------------------------
\65\ See 31 U.S.C. 5336(c)(3)(K).
\66\ Treasury Order 180-01 (Jan. 14, 2020).
---------------------------------------------------------------------------
B. Disclosure to Authorized Domestic Government Agency Users for Non-
Supervisory Purposes
Under the first category of BOI recipients, FinCEN expects three
types of domestic agency users to be able to access and query the
beneficial ownership IT system directly: (1) Federal agencies engaged
in national security, intelligence, and law enforcement activity; (2)
Treasury officers and employees who require access to BOI to perform
their official duties or for tax administration; and (3) State, local,
and Tribal law enforcement agencies. This type of access would permit
authorized individuals within an authorized recipient agency to log in,
run queries using multiple search fields, and review one or more
results returned immediately.
These agencies often lack comprehensive information about a subject
or other relevant individuals or entities when conducting
investigations. The ability to query the database directly and
iteratively is therefore necessary to enable them to use BOI
effectively. Nevertheless, to protect against potential abuse, Federal-
agency users engaged in national security, intelligence, or law
enforcement activity would have to submit brief justifications to
FinCEN for their searches, explaining how their searches further a
particular qualifying activity, and these justifications would be
subject to oversight and audit by FinCEN. FinCEN will develop guidance
for agencies on submitting the required justifications.
Consistent with the CTA's restrictions, authorized users from
State, local, and Tribal law enforcement agencies would be required to
upload the document issued by a court of competent jurisdiction
authorizing the
[[Page 77410]]
agency to seek BOI from FinCEN.\67\ After FinCEN has reviewed the
relevant authorization for sufficiency and approved the request, an
agency could then conduct searches using multiple search fields
consistent in scope with the court authorization and subject to audit
by FinCEN. These searches would return results immediately.
---------------------------------------------------------------------------
\67\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
Such broad search capabilities within the beneficial ownership IT
system require domestic agencies to clearly understand the scope of
their authorization and their responsibilities under it. That is why
the proposed rule establishes protocols for requirements, limitations,
and expectations with respect to searches by domestic agencies of the
beneficial ownership IT system. As part of these protocols, each
domestic agency would first need to enter into a memorandum of
understanding (MOU) with FinCEN before being allowed access to the
system. FinCEN is developing draft MOUs based on similar agreements it
uses to share BSA data. FinCEN will also provide training for agency
personnel and exercise oversight and audit functions discussed in more
detail in Section IV below.
None of the remaining authorized recipient categories will have
access to the broad search capabilities within the system.
C. Disclosure to Authorized Foreign Requesters
Foreign requesters--foreign law enforcement agencies, judges,
prosecutors, central authorities, or competent authorities (or a like
designation)--will not have direct access to the beneficial ownership
IT system. They will instead submit their requests for BOI to Federal
intermediary agencies as the CTA requires.\68\ If the foreign request
meets the applicable criteria of the CTA \69\ and the proposed rule,
then the Federal agency intermediary will retrieve the BOI from the
system and transmit it to the foreign requester.
---------------------------------------------------------------------------
\68\ 31 U.S.C. 5336(c)(2)(B)(ii).
\69\ Section 6403 of the CTA requires that the foreign request
be made by a Federal agency on behalf of a law enforcement agency,
foreign central authority or competent authority (or like
designation), under an international treaty, agreement, convention,
or official request made by law enforcement, judicial, or
prosecutorial authorities in trusted foreign countries when no
treaty, agreement, or convention is available. The CTA goes on to
state that the foreign request must (1) be issued in response to a
request for assistance in an investigation or prosecution by such
foreign country; and (2) either (a) require compliance with the
disclosure and use provisions of the treaty, agreement, or
convention publicly disclosing any BOI received; or (b) limit the
use of the information for any purpose other than the authorized
investigation or national security or intelligence activity. See 31
U.S.C. 5336(c)(2)(B)(ii).
---------------------------------------------------------------------------
FinCEN intends to work with Federal agencies to identify agencies
that are well positioned to serve as intermediaries between FinCEN and
foreign requesters. FinCEN expects that these possible intermediary
Federal agencies will have regular engagement and familiarity with
foreign law enforcement agencies, judges, prosecutors, central
authorities, or competent authorities on matters related to law
enforcement, national security, or intelligence activity, and will have
established policies, procedures, and communication channels for
sharing information with those foreign parties. Other factors would
include whether a prospective intermediary Federal agency represents
the U.S. government in relevant international treaties, agreements, or
conventions, the expected number of requests that the agency could
receive, and the ability of the agency to efficiently process requests
while managing risks of unauthorized disclosure.
Once identified, FinCEN will then work with intermediary Federal
agencies to: (1) ensure that they have secure systems for BOI storage;
(2) enter into MOUs outlining expectations and responsibilities; (3)
translate the CTA foreign sharing requirements into evaluation criteria
against which intermediaries can compare requests from foreign
requesters; (4) integrate the evaluation criteria into the
intermediaries' existing information-sharing policies and procedures;
(5) develop additional security protocols and systems as required under
the CTA and this rule; and (6) ensure that intermediary agency
personnel have sufficient training on the requirements of the CTA and
the proposed rule. FinCEN would exercise oversight and audit functions
to ensure that Federal intermediary agencies adhere to requirements and
take appropriate measures to mitigate the risk of foreign requesters
abusing the information.
Given its longstanding relationships and relevant experience as the
financial intelligence unit of the United States, FinCEN proposes to
directly receive, evaluate, and respond to requests for BOI from
foreign financial intelligence units.
D. Disclosure to FIs and Regulatory Agencies for CDD Compliance
Unlike foreign requesters, both FIs and their regulators (Federal
functional regulators and other appropriate regulatory agencies, when
assessing FIs' compliance with CDD requirements) would both have direct
access to BOI contained in the beneficial ownership IT system, albeit
in more limited form than Federal agencies engaged in national
security, intelligence, or law enforcement activity, or State, local,
and Tribal law enforcement agencies.
The CTA authorizes FinCEN to disclose a reporting company's BOI to
an FI only to the extent that such disclosure facilitates the FI's
compliance with CDD requirements under applicable law, and only if the
reporting company first consents.\70\ FinCEN takes these constraints
seriously given the sensitive nature of BOI and the potential number of
FI employees who could have access to it. FinCEN is therefore not
planning to permit FIs to run broad or open-ended queries in the
beneficial ownership IT system or to receive multiple search results.
Rather, FinCEN anticipates that a FI, with a reporting company's
consent, would submit to the system identifying information specific to
that reporting company, and receive in return an electronic transcript
with that entity's BOI. To the extent the FI makes a trivial data-entry
error in its request for BOI, the FI could still obtain the requested
BOI, provided the errors do not compromise BOI security and
confidentiality and result in the FI retrieving information on the
wrong reporting company. This more limited information-retrieval
process would reduce the overall risk of inappropriate use or
unauthorized disclosures of BOI.
---------------------------------------------------------------------------
\70\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------
The CTA permits similarly narrow access for Federal functional
regulators and other appropriate regulatory agencies exercising
supervisory functions. The statute allows these agencies to request
from FinCEN BOI that the FIs they supervise have already obtained from
the bureau, but only for assessing an FI's compliance with CDD
requirements under applicable law.\71\ Consequently, Federal functional
regulators and other appropriate regulatory agencies will generally
have limited access to the beneficial ownership IT system if requesting
BOI for the purpose of ascertaining CDD compliance. FinCEN is still
developing this access model and accompanying functionality, but
expects regulators to be able to retrieve any BOI that the FIs they
supervise received from FinCEN during a particular period, as opposed
to data that might reflect subsequent updates. This would both satisfy
CTA requirements and facilitate smoother
[[Page 77411]]
examinations by ensuring regulators receive the same BOI that FIs
received for purposes of their CDD reviews.
---------------------------------------------------------------------------
\71\ See 31 U.S.C. 5336(c)(2)(C), providing that BOI FinCEN
discloses to a financial institution ``shall also be available to a
Federal functional regulator or other appropriate regulatory agency,
as determined by the Secretary . . . .''
---------------------------------------------------------------------------
FinCEN expects that Federal functional regulators responsible for
bringing civil enforcement actions will be able to avail themselves of
the Federal law enforcement access provision and functionality
described in Section III.B. above.\72\ State, local, and Tribal
agencies with both a qualifying, CDD-focused regulatory function and a
law enforcement function could similarly avail themselves of the access
provisions applicable to those distinct BOI recipient categories. Each
agency would be responsible for ensuring unauthorized disclosure does
not occur between its various components. In addition, FinCEN is
required under the CTA to perform annual audits to ensure agencies are
requesting and using BOI appropriately and consistently with their
internal protocols.\73\ As with other Federal agencies, MOUs will
further specify the expectations with respect to the handling and
sharing of BOI by components of the same agency that may access BOI
under different circumstances. FIs, meanwhile, would have to agree to
terms of use that would be a condition of access to the beneficial
ownership IT system. This distinction reflects the more limited, less
flexible functionality FIs will enjoy relative to government agencies
with multi-field search capabilities within the beneficial ownership IT
system.
---------------------------------------------------------------------------
\72\ Federal functional regulators engaged in national security
activity would similarly be able to make use of the search
functionality associated with the ``national security activity''
access provision.
\73\ See 31 U.S.C. 5336(c)(3)(J).
---------------------------------------------------------------------------
IV. Section-by-Section Analysis
As described below in Section IV.A., this proposed rule would add
new access-to-information rules in a new Sec. 1010.955 (``Availability
of information reported pursuant to 31 CFR 1010.380'') in subpart J
(``Miscellaneous'') of part 1010 (``General Provisions'') of chapter X
(``Financial Crimes Enforcement Network'') of title 31, Code of Federal
Regulations. To avoid confusion, it would also rename and clarify the
scope of the existing 31 CFR 1010.950 (``Availability of information--
general'').
The following sections describe the elements of the proposed rule:
(i) availability of information--general; (ii) prohibition on
disclosure; (iii) disclosure of information by FinCEN; (iv) use of
information; (v) security and confidentiality requirements; (vi)
administration of requests for information reported pursuant to 31 CFR
1010.380; and (vii) violations and penalties.
Additionally, Section IV.B. below describes the FinCEN identifier
provisions of the proposed rule.
A. Beneficial Ownership Information Retention and Disclosure
Requirements
i. Availability of Information--General
FinCEN proposes to amend 31 CFR 1010.950(a) to clarify that the
disclosure of BOI would be governed by proposed 31 CFR 1010.955, rather
than 31 CFR 1010.950(a), which governs disclosure of other BSA
information. Currently 31 CFR 1010.950(a) authorizes the disclosure of
all BSA information received by FinCEN and states that ``[t]he
Secretary may within his discretion disclose information reported under
this chapter for any reason consistent with the purposes of the Bank
Secrecy Act, including those set forth in paragraphs (b) through (d) of
this section.'' The CTA authorizes FinCEN to disclose such information
only in limited and specified circumstances that are separate and
distinct from provisions authorizing disclosure of other BSA
information.\74\ Accordingly, FinCEN is proposing to amend 31 CFR
1010.950(a) to clarify that the disclosure of BOI would instead be
governed by proposed 31 CFR 1010.955.
---------------------------------------------------------------------------
\74\ See 31 U.S.C. 5336(c)(2), (5).
---------------------------------------------------------------------------
ii. Prohibition on Disclosure
The CTA provides that, except as authorized by 31 U.S.C. 5336(c)
and the protocols promulgated under that subsection, BOI reported
pursuant to 31 U.S.C. 5336 ``shall be confidential and may not be
disclosed by . . . (i) an officer or employee of the United States;
(ii) an officer or employee of any State, local, or Tribal agency, or
(iii) an officer or employee of any [FI] or regulatory agency receiving
information under [31 U.S.C. 5336(c)].'' \75\
---------------------------------------------------------------------------
\75\ See 31 U.S.C. 5336(c)(2)(A).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(a) would incorporate this prohibition,
with two clarifications. First, it would clarify that any individual
authorized to receive BOI pursuant to proposed 31 CFR 1010.955(b) is
prohibited from disclosing it except as expressly authorized by FinCEN.
Critically, this provision would extend the prohibition on disclosure
to any individual who receives BOI regardless of whether they continue
to serve in the position through which they were authorized to receive
BOI. Otherwise, the regulations could be read to permit disclosure of
sensitive BOI after an individual leaves the relevant position. Second,
it would also extend the prohibition on disclosure to any individual
who receives BOI as a contractor or agent of the United States; a
contractor or agent of a State, local, or Tribal agency; or a member of
the board of directors, contractor, or agent of an FI. FinCEN believes
that this clarification is needed to ensure that agents acting on
behalf of an authorized BOI recipient agency or other entity are
subject to the same prohibition on the disclosure of BOI as officers
and employees of an authorized BOI recipient agency or other entity.
Such an approach is necessary to avoid the different treatment of
employees and officers in relation to contractors and agents.
Although the CTA does not expressly refer to agents, contractors,
or directors, FinCEN would extend the prohibition on disclosure to such
individuals pursuant to 31 U.S.C. 5336(c)(3)(K), which provides that
``the Secretary of the Treasury shall establish by regulation protocols
described in [31 U.S.C. 5336(2)(A)] that . . . provide such other
safeguards which the Secretary determines (and which the Secretary
prescribes in regulations) to be necessary or appropriate to protect
the confidentiality of the beneficial ownership information.'' \76\
FinCEN also believes this approach is consistent with the CTA's overall
focus on preventing unauthorized disclosure \77\ and the broad scope of
the provisions penalizing unauthorized disclosure by ``any person.''
\78\ FinCEN invites comments on this approach.
---------------------------------------------------------------------------
\76\ Section 6003(1) of the AML Act defines the BSA as
comprising Section 21 of the Federal Deposit Insurance Act (12
U.S.C. 1829b), Chapter 2 of Title I of Public Law 91-508 (12 U.S.C.
1951 et seq.), and Subchapter II of Chapter 53 of Title 31, United
States Code, which includes 31 U.S.C. 5336. Congress has authorized
the Secretary to administer the BSA. The Secretary has delegated to
the Director of FinCEN the authority to implement, administer, and
enforce compliance with the BSA and associated regulations (Treasury
Order 180-01 (Jan. 14, 2020)).
\77\ See generally 31 U.S.C. 5336(c).
\78\ See generally 31 U.S.C. 5336(h)(2), (3).
---------------------------------------------------------------------------
iii. Disclosure of Information to Authorized Recipients
The CTA authorizes FinCEN to disclose BOI to five categories of
recipients in specified circumstances.\79\ The statutory authorization
is generally permissive: with one exception, the CTA provides that
FinCEN ``may disclose'' BOI to authorized recipients in qualifying
circumstances.\80\ This
[[Page 77412]]
language affords FinCEN discretion to ensure that BOI is disclosed only
to authorized recipients that are able to keep the information
confidential and secure. FinCEN intends to foster a culture of
responsibility around BOI that treats security and confidentiality as a
paramount objective.
---------------------------------------------------------------------------
\79\ See 31 U.S.C. 5336(c)(2)(B).
\80\ 31 U.S.C. 5336(c)(2)(B). Under 5336(c)(2)(C), BOI that a
reporting company consents to share with a financial institution
``shall'' be available to a Federal functional regulator to
supervise compliance with customer due diligence requirements under
applicable law.
---------------------------------------------------------------------------
a. Federal Agencies Engaged in National Security, Intelligence, or Law
Enforcement Activity
Section 6403 of the CTA authorizes FinCEN to disclose BOI upon
receipt of a request, through appropriate protocols, from a Federal
agency engaged in national security, intelligence, or law enforcement
activity for use in furtherance of one of those activities.\81\ Federal
agency access is to be based upon the type of activity an agency is
conducting rather than the identity of the agency or how it might be
categorized. The key consideration is the scope of the types of
activities described in the CTA for which the agency may seek BOI:
national security activities, intelligence activities, and law
enforcement activities.
---------------------------------------------------------------------------
\81\ See 31 U.S.C. 5336(c)(2)(B)(i)(I).
---------------------------------------------------------------------------
The CTA does not specify what agency activities fall within those
three categories, and FinCEN proposes to do so consistent with the
text, structure, and purpose of the CTA. Proposed 31 CFR
1010.955(b)(1)(i) would define ``national security activity'' as any
``activity pertaining to the national defense or foreign relations of
the United States, as well as activity to protect against threats to
the security or economy of the United States.'' This approach draws, in
large part, from 8 U.S.C. 1189(d)(2), which defines ``national
security'' for purposes of designating foreign terrorist organizations
(FTOs) that threaten U.S. national security. FinCEN believes this
definition is appropriate for several reasons. First, the FTO statute
covers a broad range of national security threats to the United States,
including those with an economic dimension. That scope is consonant
with the CTA's goal to combat national security threats that are
financial in nature, such as money laundering, terrorist financing,
counterfeiting, fraud, and foreign corruption.\82\ Second, the FTO
statute arises in a related context insofar as it involves efforts to
hinder illicit actors' economic activities.
---------------------------------------------------------------------------
\82\ See CTA, Section 6402(3).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(b)(1)(ii) would define ``intelligence
activity'' based upon Executive Order 12333 of December 4, 1981, as
amended.\83\ Executive Order 12333 remains ``a foundational document
for the United States' foreign intelligence efforts.'' \84\ It
establishes ``a framework that applies broadly to the government's
collection, analysis, and use of foreign intelligence and
counterintelligence--from human sources, by interception of
communications, by cameras and other sensors on satellites and aerial
systems, and through relationships with intelligence services of other
governments.'' \85\ FinCEN believes that relying on Executive Order
12333 would be consistent with existing agency understanding and would
provide flexibility to accommodate Intelligence Community missions and
activities.\86\ Proposed 31 CFR 1010.955(b)(1)(ii) would therefore
define intelligence activity to include ``all activities conducted by
elements of the United States Intelligence Community that are
authorized pursuant to Executive Order 12333, as amended, or any
succeeding executive order.''
---------------------------------------------------------------------------
\83\ Exec. Order No. 12333, 46 FR 59941 (Dec. 4, 1981) (``United
States Intelligence Activities'').
\84\ 5 Privacy and Civil Liberties Oversight Board, Executive
Order 12333 (accessed Apr. 28, 2022), <a href="https://documents.pclob.gov/prod/Documents/OversightReport/4f1d0d87-233b-4555-9b87-79089ad9845e/12333%20Public%20Capstone.pdf">https://documents.pclob.gov/prod/Documents/OversightReport/4f1d0d87-233b-4555-9b87-79089ad9845e/12333%20Public%20Capstone.pdf</a>.
\85\ Id.
\86\ By ``Intelligence Community,'' FinCEN means the agencies
identified in paragraph 3.4(f) of Executive Order 12333.
---------------------------------------------------------------------------
Finally, proposed 31 CFR 1010.955(b)(1)(iii) would define ``law
enforcement activity'' to include ``investigative and enforcement
activities relating to civil or criminal violations of law.'' Proposed
31 CFR 1010.955(b)(1)(iii) is intended broadly to cover the types of
functions in which Federal agencies engage when they work to enforce
the laws of the United States. FinCEN believes that it is consistent
with the CTA to authorize Federal agencies to access BOI at all stages
of the law enforcement process.
Additionally, the proposed rule would make clear that law
enforcement activity can include both criminal and civil investigations
and actions, such as actions to impose or enforce civil penalties,
civil forfeiture actions, and civil enforcement through administrative
proceedings. The CTA is concerned with combating all manner of illicit
activity,\87\ and many laws that prohibit such activity are enforced by
Federal agencies in both civil and criminal actions. The CTA does not
limit ``law enforcement activity'' to criminal investigations or
actions. Moreover, FinCEN's clarification in the proposed rule would
place Federal agencies on the same footing as State, local, and Tribal
law enforcement agencies, for which the CTA authorizes use of BOI in a
``criminal or civil investigation.'' Nothing in the CTA suggests that
Federal agencies should have more limited access to BOI than their
State, local, and Tribal counterparts engaged in civil investigations,
and FinCEN does not believe it would be appropriate to limit Federal
agencies' access in this manner. The proposed rule would also
facilitate law enforcement cooperation by providing access to BOI in
both civil and criminal investigations, as both types of investigations
often proceed in parallel.\88\
---------------------------------------------------------------------------
\87\ See CTA, Section 6402(3).
\88\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
Among the Federal agencies with access to BOI for law enforcement
purposes would be Federal functional regulators that investigate civil
violations of law.\89\ Although the CTA separately authorizes Federal
functional regulators to access BOI for the purpose of supervising
compliance with CDD requirements, this access does not preclude Federal
functional regulators from accessing BOI when engaging in law
enforcement activity.\90\ The CTA specifically references ``securities
fraud, financial fraud, and acts of foreign corruption'' as types of
illicit activity that the statute is intended to help combat.\91\ These
are areas in which a significant amount of law enforcement activity is
conducted by Federal functional regulators such as the Securities and
Exchange Commission (SEC), which brings hundreds of civil enforcement
actions, including administrative proceedings, each year against
individuals and entities engaged in market manipulation, Ponzi schemes,
offering fraud, insider trading, and other violations of the Federal
securities laws.\92\ Under the proposed rule, the SEC and other Federal
functional regulators would be able to obtain BOI directly from the
beneficial ownership IT system for use in furtherance of this critical
law enforcement activity. The proposed rule would also place the SEC
and other Federal functional regulators
[[Page 77413]]
on equal footing with other Federal agencies that lack a regulatory or
supervisory function, but that are engaged in civil and criminal law
enforcement activity, like the U.S. Department of Justice (DOJ).
---------------------------------------------------------------------------
\89\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
\90\ The two provisions contemplate different processes
depending on the purpose for which access is sought. Under Section
5336(c)(2)(B)(i)(I), FinCEN ``may'' disclose BOI upon request from a
Federal agency engaged in law enforcement activity. In contrast,
under 5336(c)(2)(C), BOI that a reporting company consents to share
with a financial institution ``shall'' be available to a Federal
functional regulator to supervise compliance with customer due
diligence requirements pursuant to an agreement with the regulator.
\91\ CTA, Section 6402(3).
\92\ See, e.g., <a href="https://www.sec.gov/news/press-release/2021-238">https://www.sec.gov/news/press-release/2021-238</a>.
---------------------------------------------------------------------------
For all three types of activities--national security, intelligence,
and law enforcement--FinCEN considered proposing more restrictive
definitions involving exhaustive lists of activities. The bureau
believes these approaches would risk being either under- or over-
inclusive and could arbitrarily limit access to BOI for activities that
the regulations may fail to specify. The CTA, among other things, was
enacted to ``protect vital United States national security interests,''
``protect interstate and foreign commerce,'' and ``better enable
critical national security, intelligence, and law enforcement efforts
to counter . . . illicit activity.'' \93\ The statute targets a wide
array of illicit actors who use opaque corporate structures to conceal
their illicit activities. FinCEN believes the risk of unintentionally
hindering a Federal agency's important national security, intelligence,
or law enforcement activities supports the flexible approach the bureau
has proposed. This approach will also have more flexibility to develop
alongside the evolving threats facing the United States.
---------------------------------------------------------------------------
\93\ CTA, Section 6402(5)(B), (D).
---------------------------------------------------------------------------
FinCEN invites comments on its proposed definitions of national
security, intelligence, and law enforcement activities.
b. State, Local, and Tribal Law Enforcement Agencies
The CTA permits FinCEN to disclose BOI upon receipt of a request,
through appropriate protocols, ``from a State, local, or Tribal law
enforcement agency, if a court of competent jurisdiction, including any
officer of such a court, has authorized the law enforcement agency to
seek the information in a criminal or civil investigation.'' \94\
---------------------------------------------------------------------------
\94\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(b)(2) similarly would allow FinCEN to
disclose BOI to a State,\95\ local, or Tribal law enforcement agency
``if a court of competent jurisdiction has authorized the agency to
seek the information in a criminal or civil investigation.'' FinCEN
recognizes that State practices are likely to be varied with respect to
how law enforcement agencies may be authorized by a court to seek
information in connection with an investigation or prosecution.\96\
FinCEN has not sought to define what it means for a court to
``authorize'' the law enforcement agency to seek BOI, but aims to
ensure that BOI access at the State, local, and Tribal level is highly
useful to law enforcement and has consistent application across
jurisdictions.
---------------------------------------------------------------------------
\95\ FinCEN will interpret the term ``State'' consistent with
the definition of that term in the final Beneficial Ownership
Information Reporting Requirements rule at 87 FR 59498 (Sep. 30,
2022) (which defines the term ``State'' to mean ``any [S]tate of the
United States, the District of Columbia, the Commonwealth of Puerto
Rico, the Commonwealth of the Northern Mariana Islands, American
Samoa, Guam, the United States Virgin Islands, and any other
commonwealth, territory, or possession of the United States.'')
\96\ 31 U.S.C. 5336(c)(2)(B)(i)(II) authorizes FinCEN to
disclose BOI to a State, local, or Tribal law enforcement agency in
the context of ``a criminal or civil investigation.'' FinCEN
believes this provision permits the agency to disclose of BOI to a
State, local, or Tribal law enforcement agency, with the required
court authorization, for use in a civil or criminal law enforcement
action that follows the investigation. FinCEN believes this is a
reasonable interpretation of the statutory language given that
disclosure provisions for Federal agencies engaged in law
enforcement, and foreign requests pertaining to an ``investigation
or prosecution,'' under the CTA would cover the disclosure to those
recipients in the context of a prosecution. See 31 U.S.C.
5336(c)(2)(B)(i)(I), (c)(2)(B)(ii)(I). FinCEN does not believes
Congress intended to allow Federal and foreign law enforcement
agencies to obtain BOI for use in prosecutions while prohibiting
State, local, and Tribal law enforcement agencies doing so. A more
restrictive interpretation would severely limit the utility of BOI
for State, local, and Tribal law enforcement agencies and run
counter to the purposes of the CTA. See CTA, Section 6402(8)(C)
(directing FinCEN to create a database of BOI that is ``highly
useful to national security, intelligence, and law enforcement
agencies . . . '').
---------------------------------------------------------------------------
At a minimum, the proposed rule would allow a State, local, or
Tribal law enforcement agency (including a prosecutor) to access BOI
where a court specifically authorizes access in the context of a
criminal or civil proceeding, for example, through a court's issuance
of an order or approval of a subpoena. Other circumstances, however,
are less clear. For example, depending on State, local, or Tribal
practices, grand jury subpoenas may or may not satisfy the CTA's court
authorization requirement. Grand juries have traditionally played a
central role in criminal discovery and may help determine whether
sufficient evidence exists to indict an individual.\97\ The State and
local law enforcement agencies, prosecutors, and court officials with
whom FinCEN consulted emphasized the importance of ensuring that BOI
could be obtained in connection with grand jury investigations. FinCEN
agrees that providing BOI at the investigative stage may further the
CTA's statutory objectives by helping State, local, and Tribal
authorities uncover links between criminals and entities they may be
using to conceal illicit activities.\98\ Ultimately, however, FinCEN
determined that it needs more information about State, local, and
tribal practices in order to determine whether they would involve court
authorization, as required by the CTA. State practices can vary, and
grand jury subpoenas may be issued by the grand jury in some
jurisdictions or signed by a prosecutor seeking information to present
to a grand jury in others. Neither courts nor grand juries always play
a meaningful role in authorizing subpoenas,\99\ and a majority of
states no longer use grand juries to screen criminal cases.\100\
---------------------------------------------------------------------------
\97\ See generally Sara Sun Beale et al., Investigative Grand
Jury and Indicting Grand Jury, Grand Jury Law and Practice Sec. 1:7
(2d ed. rev. Dec. 2021).
\98\ See CTA, Section 6402(3), (4), (5)(D).
\99\ See Sara Sun Beale et al., Role of Prosecutor and Grand
Jurors in Subpoenaing Evidence, Grand Jury Law and Practice Sec.
6:2 (2d ed. rev. Dec. 2021). For example, Massachusetts permits
district attorneys to ``issue subpoenas under their hands for
witnesses to appear and testify on behalf of the commonwealth.''
Mass. Gen. Laws Ann. ch. 277, Sec. 68.
\100\ See id.
---------------------------------------------------------------------------
FinCEN requests comments on this subject. In particular, commenters
should explain the mechanisms State, local, and Tribal authorities use
to gather evidence in criminal and civil cases. With respect to these
particular mechanisms, commenters should describe the extent to which
court authorization is involved. More generally, commenters should also
explain what role courts or court officers play in authorizing
evidence-gathering activities, what existing practices involve court
authorization, and the extent to which new court processes could be
developed and integrated into existing practices to satisfy the CTA's
authorization requirement. Commenters should also address the need for
access to BOI at different stages of an investigation, as well as the
privacy interests that may be implicated by such access.
Proposed 31 CFR 1010.955(b)(2) would clarify that the authorized
recipient of BOI under this provision would be the State, local, or
Tribal agency that makes a proper request for BOI consistent with the
proposed rule. The proposed rule would also define ``law enforcement
agency'' in a manner similar to the definition of ``law enforcement
activity'' used to define the scope of access for Federal agencies
engaged in law enforcement activity. This approach is intended to
ensure consistency regardless of whether law enforcement activity
occurs at the local, State, Tribal, or Federal level, including in
circumstances involving cooperation among and across jurisdictions,
such as through task forces.
[[Page 77414]]
Proposed 31 CFR 1010.955(b)(2) would clarify that ``a court of
competent jurisdiction'' is any court with jurisdiction over the
criminal or civil investigation for which a State, local, or Tribal law
enforcement agency requests BOI. The proposed rule does not specify
which officials qualify as officers of the court because courts have
varying practices. FinCEN expects, however, that individuals who may
exercise a court's authority and issue authorizations on its behalf
would qualify. FinCEN invites comment on whether it should more
specifically identify officers of the court for purposes of the rule,
and if so, what the potential qualifying criteria might be.
FinCEN does not believe that individual attorneys acting alone
would fall within the definition of ``court officer'' for purposes of
this provision. Though lawyers are sometimes referred to as ``officers
of the court'' to emphasize their professional obligations to the legal
system, they are not all ``officers of the court'' in the sense of
exercising the court's authority. FinCEN does not believe the CTA--
which includes numerous provisions limiting who may access BOI--
intended to empower any individual admitted to practice law to
authorize the disclosure of BOI.
c. Foreign Requesters
The CTA provides that FinCEN may disclose BOI upon receipt of a
request ``from a Federal agency on behalf of a law enforcement agency,
prosecutor, or judge of another country, including a foreign central
authority or competent authority (or like designation), under an
international treaty, agreement, convention, or official request made
by law enforcement, judicial, or prosecutorial authorities in trusted
foreign countries when no treaty, agreement, or convention is
available.'' \101\ Such a request from a Federal agency must be
``issued in response to a request for assistance in an investigation or
prosecution by such foreign country,'' \102\ and must ``require[e]
compliance with the disclosure and use provisions of the treaty,
agreement, or convention, publicly disclosing [sic] any beneficial
ownership information received,'' \103\ or limit BOI use ``for any
purpose other than the authorized investigation or national security or
intelligence activity.'' \104\
---------------------------------------------------------------------------
\101\ 31 U.S.C. 5336(c)(2)(B)(ii).
\102\ 31 U.S.C. 5336(c)(2)(B)(ii)(I).
\103\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(aa).
\104\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(b)(3) clarifies that a request for BOI
from a foreign requester would have to derive from a law enforcement
investigation or prosecution, or from national security or intelligence
activity, authorized under the foreign country's laws. This would
permit foreign requesters to obtain BOI for, and use it in, the full
range of activities contemplated by 31 U.S.C. 5336(c)(2)(B)(ii) (i.e.,
law enforcement, national security, and intelligence activities),
thereby giving effect to all of the language in that subparagraph. The
proposed rule also resolves ambiguities arising from inconsistent
statutory language. Specifically, one part of the CTA's foreign-access
provision appears to require a request to flow from a foreign
``investigation or prosecution,'' \105\ while another appears to allow
a foreign requester to use BOI to further any ``authorized
investigation or national security or intelligence activity.'' \106\
FinCEN believes the proposed rule best resolves this discrepancy by
clarifying that authorized national security and intelligence
activities could be a basis for a BOI request, in addition to a law
enforcement investigation or prosecution. FinCEN would view the scope
of the phrase ``law enforcement investigation or prosecution''
similarly to how it interprets the term ``law enforcement activity''
under proposed 31 CFR 1010.955(b)(3): such activity can include both
criminal and civil investigations and actions, including actions to
impose civil penalties, civil forfeiture actions, and civil enforcement
through administrative proceedings.
---------------------------------------------------------------------------
\105\ 31 U.S.C. 5336(c)(2)(B)(ii)(I).
\106\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
---------------------------------------------------------------------------
The proposed rule next makes clear that the relevant ``foreign
central authority or foreign competent authority'' would be the agency
identified in the international treaty, agreement, or convention under
which a foreign request is made. FinCEN understands that ``foreign
central authority'' and ``foreign competent authority'' are terms of
art typically defined within the context of a particular agreement.
This proposed regulatory clarification should therefore remove any
ambiguity around the terms without unduly excluding appropriate foreign
requesters from access to BOI.
Third, the proposed rule explains that, consistent with the CTA,
foreign requests would need to fall into one of two categories in order
for the foreign requester to receive BOI. The first category is
requests made pursuant to an international treaty, agreement, or
convention. The second category is official requests by a law
enforcement, judicial, or prosecutorial authority of a trusted foreign
country where there is no international treaty, agreement, or
convention that governs.\107\ The security and confidentiality
requirements applicable to each of these two categories are different.
---------------------------------------------------------------------------
\107\ The regulatory text here uses ``judicial or prosecutorial
authority'' instead of the earlier ``judge or prosecutor'' to mirror
an identical language shift in the corresponding statutory
provision. See 31 U.S.C. 5336(c)(2)(B)(ii). FinCEN does not view
this difference as significant or having practical effect.
---------------------------------------------------------------------------
Under the proposed rule, an intermediary Federal agency responding
to a foreign request under an international treaty, agreement, or
convention would first need to ensure that the request is consistent
with the requirements of the relevant treaty, agreement, or convention,
and the requirements of proposed 31 CFR 1010.955(b)(3). FinCEN
understands that an ``international treaty, agreement, or convention''
is a legally binding agreement governed by international law. FinCEN
would appreciate views on whether there are other types of
international arrangements under which the sharing of beneficial
ownership information would be important to achieve the goals of the
CTA (such as information sharing arrangements with foreign law
enforcement agencies that do not have legal force) and whether there
are means to do so consistent with the CTA. The intermediary Federal
agency would provide basic information to FinCEN about who is
requesting the information and the treaty, agreement, or convention
under which the request is being made. The intermediary Federal agency
would then search for and retrieve the requested BOI from the system
and respond to the request in a manner consistent with the treaty,
agreement, or convention. The intermediary Federal agency would be
subject to certain recordkeeping requirements to ensure that FinCEN is
able to perform appropriate audit and oversight functions in accordance
with an MOU to be agreed between the intermediary Federal agency and
FinCEN. The intermediary Federal agency would also be subject to the
security and confidentiality protocols applicable to other domestic
agencies that receive and handle BOI at proposed 31 CFR 1010.955(d)(1).
Where a request for BOI includes a request that the information be
authenticated for use in a legal proceeding in the foreign country
making the request, FinCEN may establish a process for providing such
authentication via MOU with the
[[Page 77415]]
relevant intermediary Federal agency. Such process may include an
arrangement where FinCEN searches the beneficial ownership IT system
and provides the information and related authentication to the
intermediary Federal agency consistent with the terms of the relevant
MOU.
With respect to an official request by a law enforcement, judicial,
or prosecutorial authority of a trusted foreign country where no
international treaty, agreement, or convention applies, FinCEN would
establish a mechanism to address such requests either on a case-by-case
basis or pursuant to alternative arrangements with intermediary Federal
agencies where those intermediary Federal agencies have ongoing
relationships with the foreign requester. The CTA does not provide
criteria for determining whether a particular foreign country is
``trusted,'' but rather, provides FinCEN with considerable discretion
to make this determination.
FinCEN considered identifying particular countries or groups of
countries as ``trusted'' for the purposes of receiving BOI. Ultimately,
however, FinCEN determined that such a restrictive approach could
arbitrarily exclude foreign requesters with whom sharing BOI might be
appropriate in some cases but not others. The United States
participates in many formal and informal international relationships
through which data are sometimes shared. FinCEN does not believe any of
these relationships, or any combination of them, sets appropriate
potential boundaries for BOI disclosure given the purposes of the CTA.
The bureau, in consultation with relevant U.S. government agencies,
will therefore look to U.S. interests and priorities in determining
whether to disclose BOI to foreign requesters when no international
treaty, agreement, or convention applies. In making these
determinations, FinCEN will also consider the ability of a foreign
requester to maintain the security and confidentiality of requested
BOI. Once FinCEN makes the determination to disclose BOI to a foreign
requester, the intermediary Federal agency would be permitted to
retrieve and disseminate BOI to the foreign requester, subject to
applicable security and confidentiality protocols.
FinCEN considered an alternative structure under which intermediary
Federal agencies would relay foreign requester requests under an
international treaty, agreement, or convention to FinCEN, which would
then assess the requests, retrieve requested BOI, and transmit it
either directly to the requester or indirectly via the intermediary
Federal agency for subsequent dissemination to the requester. While
neither of these approaches presents the security risks associated with
the other two potential approaches FinCEN rejected, both are likely to
be much less efficient. For example, intermediary Federal agencies are
likely to have ongoing relationships with foreign requesters, including
established points of contact. They are also likely more familiar than
FinCEN with existing treaty obligations and information exchange
channels and processes. Finally, FinCEN believes its proposed approach
aligns best with the text of the CTA, which assumes Federal agencies
will serve as the intermediary on behalf of foreign requesters.\108\
FinCEN invites comment on this proposal and on any other alternatives.
---------------------------------------------------------------------------
\108\ See 31 U.S.C. 5336(c)(2)(B)(ii) (providing that ``FinCEN
may disclose [BOI] only upon receipt of . . . a request from a
Federal agency on behalf of'' a qualified foreign requester
(emphasis added)).
---------------------------------------------------------------------------
d. FIs Subject to CDD Requirements
The CTA authorizes FinCEN to disclose BOI upon receipt of a request
``made by a[n] [FI] subject to customer due diligence requirements,
with the consent of the reporting company, to facilitate the compliance
of the [FI] with customer due diligence requirements under applicable
law.'' \109\ This statutory language leaves unspecified both the
mechanism by which consent should be registered and the meaning of the
term ``customer due diligence requirements under applicable law.''
---------------------------------------------------------------------------
\109\ See 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(b)(4) would address both issues. Under the
proposed rule, an FI would be responsible for obtaining a reporting
company's consent. This reflects FinCEN's assessment that FIs are best
positioned to obtain and manage consent through existing processes and
by virtue of having direct contact with the reporting company as a
customer. Additionally, the proposed rule would define ``customer due
diligence requirements under applicable law'' to mean FinCEN's customer
due diligence (CDD) regulations at 31 CFR 1010.230, which require
covered FIs to identify and verify beneficial owners of legal entity
customers. FinCEN considered interpreting the phrase ``customer due
diligence requirements under applicable law'' more broadly to cover a
range of activities beyond compliance with legal obligations in
FinCEN's regulations to identify and verify beneficial owners of legal
entity customers. FinCEN's separate Customer Identification Program
regulations, for example, could be considered customer due diligence
requirements.\110\ FinCEN decided not to propose this broader approach,
however. The bureau believes a more tailored approach will be easier to
administer, reduce uncertainty about what FIs may access BOI under this
provision, and better protect the security and confidentiality of
sensitive BOI by limiting the circumstances under which FIs may access
BOI.\111\ That said, FinCEN solicits comments on whether a broader
reading of the phrase ``customer due diligence requirements'' is
warranted under the framework of the CTA, and, if so, how customer due
diligence requirements should be defined in order to provide regulatory
clarity, protect the security and confidentiality of BOI, and minimize
the risk of abuse.
---------------------------------------------------------------------------
\110\ See, e.g., 31 CFR 1020.220 (requiring banks to implement a
Customer Identification Program).
\111\ The CTA requires FinCEN to revise the 2016 CDD Rule within
a year of the effective date of the final Reporting Rule. See CTA,
Section 6403(d)(1). One purpose of this revision is to account for
FIs' access to BOI, which the Sense of Congress portion of the CTA
states may be used to facilitate the FI's compliance ``with anti-
money laundering, countering the financing of terrorism, and
customer due diligence requirements under applicable law.'' Id.
6403(d)(1)(B) (emphasis added). That the CTA identifies ``[CDD]
requirements under applicable law'' as distinct from broader AML/CFT
requirements suggests that Congress intended that phrase not to
include other AML/CFT obligations.
---------------------------------------------------------------------------
FinCEN also considered including State, local, and Tribal customer
due diligence requirements comparable in substance to FinCEN's own CDD
regulations in the proposed definition of ``customer due diligence
requirements under applicable law.'' However, the bureau has not
identified any such requirements. FinCEN invites comments identifying
any specific State, local, or Tribal customer due diligence
requirements that are substantially similar to the bureau's CDD
regulations--i.e., requirements related to FIs in a State, local, or
Tribal jurisdiction identifying and verifying beneficial owners of
legal entity customers--for potential inclusion in the proposed
definition.
e. Federal Functional Regulators or Other Appropriate Regulatory
Agencies
The CTA authorizes FinCEN to disclose BOI to ``Federal functional
regulator[s] and other appropriate regulatory agenc[ies] consistent
with'' certain requirements.\112\ This access is subject to three
statutory conditions. First, a ``Federal functional regulator or other
appropriate regulatory agency'' must be ``authorized by law to assess,
supervise, enforce, or otherwise determine the compliance of [a
particular FI] with'' its CDD
[[Page 77416]]
requirements.\113\ Second, such regulator may use the BOI only ``for
the purpose of conducting [an] assessment, supervision, or authorized
investigation or activity'' related to the CDD requirements the
regulator is responsible for overseeing.\114\ Finally, the regulator
must ``[enter] into an agreement with the Secretary providing for
appropriate protocols governing the safekeeping of the information.''
\115\
---------------------------------------------------------------------------
\112\ See 31 U.S.C. 5336(c)(2)(B)(iv).
\113\ 31 U.S.C. 5336(c)(2)(C)(i).
\114\ 31 U.S.C. 5336(c)(2)(C)(ii).
\115\ 31 U.S.C. 5336(c)(2)(C)(iii).
---------------------------------------------------------------------------
FinCEN's proposed rule at 31 CFR 1010.955(b)(4) tracks these
conditions. In order to obtain BOI from FinCEN, a regulator would need
to be authorized by law to assess, supervise, enforce, or otherwise
determine a FI's compliance with its CDD requirements, and it would
have to enter into an agreement with FinCEN that describes appropriate
protocols to obtain BOI. FinCEN would only disclose to the regulator
the BOI that a relevant FI has already received. This is in keeping
with the CTA requirement that BOI disclosed to an FI under 31 U.S.C.
5336(c)(2)(B)(iii) ``also be available to [regulators]'' that meet
specified criteria.\116\
---------------------------------------------------------------------------
\116\ 31 U.S.C. 5336(c)(2)(C) (emphasis added).
---------------------------------------------------------------------------
FinCEN does not believe this CDD-specific provision is the
exclusive means through which a financial regulator can access BOI from
the beneficial ownership IT system. The access provisions for Federal
agencies engaged in national security, intelligence, or law enforcement
activities, and for State, local, and Tribal law enforcement agencies,
focus on activity categories, not agency types. To the extent a Federal
functional regulator engages in civil law enforcement activities, those
activities would be covered by the law-enforcement access provisions.
For example, the SEC--which supervises broker-dealers and other
securities market participants, including for compliance with the CDD
regulations--also investigates and litigates civil violations of
Federal securities laws. Consequently, consistent with the CTA, the SEC
would be able to broadly search the beneficial ownership IT system for
BOI for use in furtherance of its law enforcement activity. Separately,
the SEC would also be able to receive BOI subject to the constraints at
proposed 31 CFR 1010.955(b)(4) for use in supervising broker-dealers
and other regulated entities for CDD compliance.
Regarding who qualifies for access under this proposed provision,
the CTA refers to Federal functional regulators and ``other appropriate
regulatory agencies.'' The AML Act defines ``Federal functional
regulator'' to include six financial regulatory authorities \117\ as
well as ``any Federal regulator that examines a financial institution
for compliance with the Bank Secrecy Act.'' \118\ The proposed rule
would adopt FinCEN's existing regulatory definition, which the bureau
believes will minimize the risk of confusion. FinCEN's regulations
already define the term ``Federal functional regulator'' to include the
six agencies identified in the AML Act's definition as well as the
Commodity Futures Trading Commission (CFTC).\119\ Because the CFTC has
been delegated authority to examine certain FIs for compliance with the
BSA,\120\ it also falls within the AML Act's definition. FinCEN does
not propose to define ``other appropriate regulatory agencies'' at this
time. FinCEN believes the requirement in 31 U.S.C. 5336(c)(2)(C)(i)
that such an agency be ``authorized by law to assess, supervise,
enforce, or otherwise determine the compliance of such FIs with
customer due diligence requirements under applicable law'' sufficiently
defines the category (e.g., it could include State banking regulators).
However, FinCEN invites comment on this proposed approach.
---------------------------------------------------------------------------
\117\ The six Federal functional regulators that supervise
financial institutions with CDD obligations are the Board of
Governors of the Federal Reserve System (FRB), the Office of the
Comptroller of the Currency (OCC), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA),
the SEC, and the Commodity Futures Trading Commission (CFTC).
\118\ AML Act, Section 6003(3).
\119\ 31 CFR 1010.100(r).
\120\ See 31 CFR 1010.810(b)(9).
---------------------------------------------------------------------------
FinCEN considered whether financial self-regulatory organizations
that are registered with or designated by a Federal functional
regulator pursuant to Federal statute \121\ (``qualifying SROs'')--like
the Financial Industry Regulatory Authority (FINRA) or the National
Futures Association (NFA)--qualify as ``other appropriate regulatory
agencies.'' These organizations though authorized by Federal law, are
not traditionally understood to be agencies of the government,\122\ but
they do exercise self-regulatory authority within the framework of
Federal law and work under the supervision of Federal functional
regulators to assess, supervise, and enforce FI compliance with, among
other things, CDD requirements.\123\ Qualifying SROs are subject to
extensive oversight by Federal agencies.\124\
---------------------------------------------------------------------------
\121\ See, e.g., 7 U.S.C. 21; 15 U.S.C. 78o-3.
\122\ See, e.g., In re William H. Murphy & Co., SEC Release No.
34-90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that
FINRA ``is not a part of the government or otherwise a [S]tate
actor'' to which constitutional requirements apply).
\123\ See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2-
9(c)(5).
\124\ See, e.g., Scottsdale Cap. Advisors Corp. v. FINRA, 844
F.3d 414, 418 (4th Cir. 2016) (``Before any FINRA rule goes into
effect, the SEC must approve the rule and specifically determine
that it is consistent with the purposes of the Exchange Act. The SEC
may also amend any existing rule to ensure it comports with the
purposes and requirements of the Exchange Act.'' (citations
omitted); Birkelbach v. SEC, 751 F.3d 472, 475 (7th Cir. 2014) (``A
[FINRA] member can appeal the disposition of a FINRA disciplinary
proceeding to the SEC, which performs a de novo review of the record
and issues a decision of its own.'').
---------------------------------------------------------------------------
Although it may be unclear whether SROs are ``regulatory agencies''
to which direct access to BOI shall be provided, FinCEN believes that
their unique position,\125\ and the critical role they play in
overseeing participants in the financial services sector, justify
providing SROs with a limited and derivative form of access. The CTA
provides FinCEN broad discretion to specify the conditions under which
authorized recipients of BOI may re-disclose that information to
others. Therefore, the proposed rule would permit FIs to re-disclose to
qualifying SROs the BOI they have obtained from FinCEN for use in
complying with CDD requirements under applicable law. A qualifying SRO
would need to satisfy the same three conditions applicable to Federal
functional regulators and other appropriate regulatory agencies, and a
qualifying SRO that receives BOI from an FI it supervises may in turn
use the information for the limited purpose of examining compliance
with those same CDD obligations. Without this level of access, these
organizations would not be able to effectively evaluate an FI's CDD
compliance. FinCEN invites comments on this proposed approach.
---------------------------------------------------------------------------
\125\ See NASD v. SEC, 431 F.3d 803, 804 (D.C. Cir. 2005)
(explaining that FINRA's predecessor's ``authority to discipline its
members for violations of Federal securities law is entirely
derivative. The authority it exercises ultimately belongs to the
SEC''); see also Turbeville v. FINRA, 874 F.3d 1268, 1276 (11th Cir.
2017) (``When exercising [their regulatory and enforcement]
functions, SROs act under color of [F]ederal law as deputies of the
[F]ederal [G]overnment.''); In re Series 7 Broker Qualification Exam
Scoring Litig., 548 F.3d 110, 114 (D.C. Cir. 2008) (``When an SRO
acts under the aegis of the Exchange Act's delegated authority, it
is absolutely immune from suit for the improper performance of
regulatory, adjudicatory, or prosecutorial duties delegated by the
SEC.'').
---------------------------------------------------------------------------
f. Department of the Treasury Access
The CTA includes separate, Treasury-specific provisions for
accessing BOI. One of those provisions makes BOI ``accessible for
inspection or disclosure to officers and employees of the Department of
the Treasury whose official duties require such inspection or
[[Page 77417]]
disclosure subject to procedures and safeguards prescribed by the
Secretary of the Treasury.'' \126\ The other grants officers and
employees of Treasury ``access to [BOI] for tax administration
purposes.'' \127\
---------------------------------------------------------------------------
\126\ 31 U.S.C. 5336(c)(5)(A).
\127\ See 31 U.S.C. 5336(c)(5)(B).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(b)(5) tracks these authorizations and
would provide that Treasury officers and employees may receive BOI
where their official duties require such access, or for tax
administration, consistent with procedures and safeguards established
by the Secretary. The proposed rule clarifies the term ``tax
administration purposes'' by adding a reference to the definition of
``tax administration'' in the Internal Revenue Code.\128\ FinCEN
believes adopting this definition is appropriate because Treasury
officers and employees who administer tax laws are already familiar
with it and have a clear understanding of the activity it covers.
Furthermore, FinCEN believes the definition is broad enough to avoid
inadvertently excluding a tax administration-related activity that
would be undermined by lack of access to BOI. FinCEN welcomes comments
on the proposed scope of the term ``tax administration.''
---------------------------------------------------------------------------
\128\ 26 U.S.C. 6103(b)(4).
---------------------------------------------------------------------------
FinCEN envisions Treasury components using BOI for appropriate
purposes, such as tax administration, enforcement actions, intelligence
and analytical purposes, use in sanctions designation investigations,
and identifying property blocked pursuant to sanctions, as well as for
administration of the BOI framework, such as for audits, enforcement,
and oversight. FinCEN will work with other Treasury components to
establish internal policies and procedures governing Treasury officer
and employee access to BOI. These policies and procedures will ensure
that FinCEN discloses BOI only to Treasury officers or employees with
official duties requiring BOI access, or for tax administration. FinCEN
anticipates that the security and confidentiality protocols in those
policies and procedures will include elements of the protocols
described in proposed 31 CFR 1010.955(d)(1) as applicable to Treasury
activities and organization. Officers and employees identified as
having duties potentially requiring access to BOI would receive
training on, among other topics, determining when their duties require
access to BOI, what they can do with the information, and how to handle
and safeguard it. Their activities would also be subject to the same
audit.
iv. Use of Information
a. Use of Information by Authorized Recipients
The CTA includes numerous provisions limiting how BOI may be used.
Federal agencies engaged in national security, intelligence, or law
enforcement activity may use BOI only ``in furtherance of such
activity'' \129\ and must provide written certifications to FinCEN that
``at a minimum, se[t] forth the specific reason or reasons why [BOI] is
relevant to'' an authorized activity.\130\ State, local, and Tribal law
enforcement agencies must obtain authorization from a court of
competent jurisdiction to obtain BOI in criminal or civil
investigations.\131\ Federal agencies requesting BOI on behalf of
foreign law enforcement agencies, judges, or prosecutors may do so only
pursuant to an international treaty, agreement, or convention or
pursuant to an official request from a trusted foreign country for
assistance in an official investigation, prosecution, or authorized
national security or intelligence activity.\132\ FIs must have a
reporting company's consent to request its BOI from FinCEN as part of
CDD compliance activities,\133\ and a financial regulator assessing an
FI's compliance with CDD requirements may request and receive only the
BOI that the FI previously requested when conducting such an
assessment.\134\ Each of these requirements reflects a general
expectation that authorized recipients not obtain BOI for one
authorized activity and then use it for another unrelated purpose. The
statute also requires authorized recipients of BOI to narrowly tailor
their requests as much as possible. For example, the CTA instructs the
Secretary to require requesting agencies ``to limit, to the greatest
extent practicable, the scope of information sought, consistent with
the purposes for seeking BOI.'' \135\
---------------------------------------------------------------------------
\129\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
\130\ 31 U.S.C. 5336(c)(3)(E)(ii).
\131\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
\132\ See 31 U.S.C. 5336(c)(2)(B)(ii).
\133\ See 31 U.S.C. 5336(c)(2)(B)(iii).
\134\ See 31 U.S.C. 5336(c)(2)(B)(iv) and 31 U.S.C.
5336(c)(2)(C).
\135\ 31 U.S.C. 5336(c)(3)(F).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(c)(1) would implement these provisions by
clarifying that, unless otherwise authorized by FinCEN, any person who
receives information disclosed by FinCEN under proposed 31 CFR
1010.955(b) would be authorized to use it only for the particular
purpose or activity for which it was disclosed. Thus, for example, a
Federal agency employee, contractor, or agent who obtains BOI from
FinCEN for use in furtherance of national security activity would be
authorized to use the BOI only for the particular national security
activity for which the request was made. FinCEN believes this
limitation is necessary to ensure that BOI is used only for proper
purposes and only to the extent necessary.
Proposed 31 CFR 1010.955(c)(1) further clarifies that a Federal
agency receiving BOI pursuant to the foreign access provision at
proposed 31 CFR 1010.955(b)(3), i.e., an intermediate Federal agency,
can use the BOI only to facilitate a response to the relevant foreign
requester. This limitation ensures that Federal intermediary agencies
handling BOI in this context would do so only for the permissible use
of transmitting it to a foreign requester.
Authorized recipients that fail to follow applicable use
limitations would risk losing the ability to receive BOI.
b. Limitations on Re-Disclosure of Information by Authorized Recipients
Although the CTA expressly limits the circumstances under which
FinCEN may initially disclose BOI to other agencies or FIs, the CTA
does not specify the circumstances under which an authorized recipient
of BOI may re-disclose the BOI to another person or organization. The
CTA instead prohibits re-disclosure except as authorized in the
protocols promulgated by regulation, thereby leaving it to FinCEN to
establish the appropriate re-disclosure rules in the protocols.\136\
The proposed rule would permit the disclosure by authorized recipients
of BOI in limited circumstances that would further the core underlying
national security, intelligence, and law enforcement objectives of the
CTA while at the same time ensuring that BOI is disclosed only where
appropriate for those purposes. Generally, authorized re-disclosures
would be subject to protocols designed, as with those applicable to
initial disclosures of BOI from the beneficial ownership IT system, to
protect the security and confidentiality of BOI.
---------------------------------------------------------------------------
\136\ 31 U.S.C. 5336(c)(2)(A). The CTA appears to presume that
some re-disclosure will be permitted when it requires requesting
agencies to keep records related to their requests, including of
``any disclosure of beneficial information made by . . . the
agency.'' 31 U.S.C. 5336(c)(3)(H).
---------------------------------------------------------------------------
First, proposed 31 CFR 1010.955(c)(2)(i) would authorize a Federal,
State, local or Tribal agency that receives BOI from FinCEN to re-
disclose it to others within the same organization, if the re-
disclosure is consistent with the security and confidentiality
requirements of 31 CFR
[[Page 77418]]
1010.955(d)(1)(i)(F), (d)(2), or applicable internal Treasury policies,
procedures, orders or directives; and is in furtherance of the same
purpose for which the BOI was requested. Without this authorization,
the statutory prohibitions at 31 U.S.C. 5336(c)(2)(A) and corresponding
regulatory prohibitions at proposed 31 CFR 1010.955(a) could be viewed
to constrain officers, employees, contractors, and agents within the
same authorized requesting agency from efficiently sharing BOI in a
manner consistent with the objectives of the CTA. FinCEN recognizes
that authorized individuals that receive BOI within authorized
recipient organizations may need limited flexibility to disclose BOI to
others in their organization to the extent those other individuals need
the BOI to further the original purpose for which the BOI request was
made to FinCEN. An employee working on a law enforcement case within a
Federal agency, for example, might need to disclose BOI obtained from
FinCEN to another employee working on the same law enforcement matter.
FinCEN envisions that there are circumstances in which FI employees
may have a similar need to share BOI with counterparts, e.g., if they
are working together to onboard a new customer. Proposed 31 CFR
1010.955(c)(2)(ii) therefore extends a comparable authority to FIs. One
difference should be noted: FinCEN proposes to expressly limit FIs to
redisclosing BOI to other officers, employees, contractors, and agents
of the FI physically present in the United States. FinCEN believes this
limitation is necessary to provide appropriate protection to BOI
against disclosures to foreign governments outside of the framework
established by the CTA. The CTA confirms, among other things, foreign
government agencies should only obtain the BOI of reporting companies
for limited purposes and through intermediary Federal agencies.
Allowing U.S. FIs to re-disclose BOI outside of the United States
creates the potential for a foreign government agency to obtain such
BOI by serving a judicial or administrative warrant, summons, or
subpoena directly on the foreign entity or location where the BOI is
stored. Prohibiting FIs from moving BOI outside the United States
reinforces and complements the requirements associated with the
requirements through which foreign governments can obtain BOI under the
proposed rule.
Next, proposed 31 CFR 1010.955(c)(2)(iii) would allow an FI,
subject to certain conditions, to share BOI that it obtains from FinCEN
for use in fulfilling its CDD obligations with (1) the FI's Federal
functional regulator, (2) a qualifying SRO, or (3) any other
appropriate regulatory agency. The CTA specifies that BOI provided to
an FI ``shall also be available'' to a Federal functional regulator or
other appropriate regulatory agency, under certain conditions, and
proposed 31 CFR 1010.955(b)(4)(ii) would authorize the agency to obtain
the BOI directly from FinCEN. Proposed 31 CFR 1010.955(c)(2)(ii) would
complement that authorization by also allowing the agency to obtain the
BOI from the FI. FinCEN believes this may be a more efficient means of
access for agencies conducting assessments of an FI's compliance with
CDD requirements under applicable law. Such re-disclosure would more
easily provide regulators with a complete picture of how FIs are
obtaining and using BOI for CDD compliance, thereby supporting the aims
and purposes of the CTA, and would also help them detect compliance
failures. Proposed 31 CFR 1010.955(c)(2)(ii) would also authorize re-
disclosure to qualifying SROs. SROs perform important supervisory and
regulatory functions under the oversight of Federal functional
regulators to assess FI compliance with CDD requirements among their
member firms. Given that SROs can perform these supervisory functions,
FinCEN believes that access to BOI would be as helpful to qualifying
SROs as to Federal functional regulators in ensuring a complete and
accurate assessment of CDD compliance. Qualifying SROs, like any
supervisory agency, would need to enter into an MOU with FinCEN, and
agree to implement security and confidentiality protocols, including
audit requirements, prior to receiving BOI from their regulated
institutions.
Fourth, proposed 31 CFR 1010.955(c)(2)(iv) would allow a Federal
functional regulator to disclose information to a qualifying SRO.
Consistent with the purposes of the CTA, the proposed rule makes clear
that BOI may be accessed, used, and re-disclosed for examinations for
compliance with CDD requirements under applicable law.
Fifth, proposed 31 CFR 1010.955(c)(2)(v), consistent with the CTA,
would allow an intermediary Federal agency to disclose BOI to the
foreign person for whom the intermediary Federal agency requested the
information in accordance with proposed 31 CFR 1010.955(b)(3). Without
an express regulatory provision to effectuate the CTA's provisions
relating to BOI access by a foreign law enforcement agency, prosecutor,
or judge, questions could arise as to whether the intermediary Federal
agency would be able to then share with a foreign requester the
information obtained on its behalf.
Sixth, proposed 31 CFR 1010.955(c)(2)(vi) would allow a Federal,
State, local, or Tribal law enforcement agency to disclose BOI to a
court of competent jurisdiction or parties to a civil or criminal
proceeding. This authorization would only apply to civil or criminal
proceedings involving U.S. Federal, State, local, and Tribal laws.
FinCEN envisions agencies relying on this provision when, for example,
a prosecutor must provide a criminal defendant with BOI in discovery or
use it as evidence in a court proceeding or trial.\137\
---------------------------------------------------------------------------
\137\ See CTA, Section 6402(5)(D).
---------------------------------------------------------------------------
FinCEN considered requiring Federal, State, local, or Tribal law
enforcement agencies to request permission to disclose BOI on a case-
by-case basis. The bureau decided against that approach for the sake of
efficiency and the administration of justice. FinCEN would be unlikely
to oppose disclosing BOI for use by law enforcement agencies in a civil
or criminal proceeding; the CTA explicitly contemplates using BOI in
this scenario.\138\ Additionally, manual review of individual
disclosure requests in this context could also delay the relevant legal
proceeding. FinCEN invites comment on this proposed approach.
---------------------------------------------------------------------------
\138\ See id.
---------------------------------------------------------------------------
Seventh, proposed 31 CFR 1010.955(c)(2)(vii) would allow a Federal
agency that receives BOI from FinCEN pursuant to proposed 31 CFR
1010.955(b)(1), (b)(4)(ii), or (b)(5) to disclose that BOI to DOJ in a
case referral. While DOJ would also be able to request the relevant BOI
from FinCEN in furtherance of law enforcement activity, allowing the
requesting Federal agency to share that BOI with DOJ would allow for
more efficient investigation and law enforcement activity. The proposed
provision would also make clear that the requesting agency can disclose
BOI to DOJ for use in litigation related to the activity for which the
BOI is requested. Such authorization will allow DOJ to have a complete
record--including BOI--when fulfilling its responsibilities to
represent the requesting agency in litigation.
Eighth, proposed 31 CFR 1010.955(c)(2)(viii) would allow a foreign
requester that receives BOI pursuant to a request made under an
international treaty, agreement, or convention to disclose and use that
BOI in accordance with the requirements of
[[Page 77419]]
the relevant agreement. This approach harmonizes 31 U.S.C.
5336(c)(2)(B)(ii)(II)(aa) \139\ with the process described in the
introductory paragraph in 31 U.S.C. 5336(c)(2)(B)(ii), which
establishes a preference for disclosing BOI to foreign requesters under
international agreements. For foreign requests that are not governed by
an international treaty, agreement, or convention, FinCEN would review
re-disclosure requests from foreign requesters either on a case-by-case
basis or pursuant to alternative arrangements with intermediary Federal
agencies where those intermediary Federal agencies have ongoing
relationships with the particular foreign requesters.
---------------------------------------------------------------------------
\139\ Requiring requests for BOI from foreign requesters to
``[comply] with the disclosure and use provisions of the treaty,
agreement, or convention, publicly disclosing [sic] any beneficial
ownership information received . . . .''
---------------------------------------------------------------------------
Finally, proposed 31 CFR 1010.955(c)(2)(ix) would make clear that
re-disclosing BOI obtained under 31 CFR 1010.955(b) in any
circumstances other than those defined in proposed 31 CFR
1010.955(c)(2) would be prohibited unless FinCEN provided prior
authorization for the re-disclosure in writing, or such re-disclosure
were made in accordance with applicable protocols, guidance, and
regulations as FinCEN may issue. This provision would give FinCEN the
ability to authorize, either on a case-by-case basis or categorically
through written protocols, guidance, or regulations, the re-disclosure
of BOI in limited cases to further the purposes of the CTA.\140\ FinCEN
welcomes comments on any of the proposed provisions permitting the re-
disclosure of BOI for activities consistent with the purposes of the
CTA.
---------------------------------------------------------------------------
\140\ For example, FinCEN could authorize the supervisory
component of a Federal functional regulator that identifies a CDD-
related deficiency at an FI to share BOI with its enforcement
component as part of a referral in which the BOI would be used in
furtherance of law enforcement activity.
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(c)(2)(ix) would also enable FinCEN to
authorize the re-disclosure of BOI in appropriate circumstances. For
example, FinCEN envisions instances when it might be necessary for one
law enforcement agency to disclose BOI obtained from FinCEN to another
agency for an authorized purpose. The ability to share BOI in such
circumstances would ensure that authorized recipients are able to
further the goals of the CTA of protecting U.S. national security and
combatting illicit activity, including corruption, money laundering,
tax fraud, and terrorist financing, while at the same time, ensuring
that appropriate security and confidentiality are maintained in a way
that ensures appropriate audit and oversight.
For example, a Federal agency to which FinCEN disclosed BOI in
furtherance of that agency's national security activities may identify
a possible criminal violation and need to provide the information to a
Federal law enforcement agency for investigation, and prosecution, if
appropriate. Federal agencies that are a part of a task force to target
specific criminal activity, such as drug trafficking or corruption, may
also need to share BOI within the task force. In such cases, it would
be more efficient for the agencies involved to share BOI directly among
themselves instead of each agency having to separately request the same
BOI from FinCEN.
The requirements that an agency would need to satisfy to obtain BOI
through re-disclosure are the same as those an agency would need to
satisfy to obtain BOI from FinCEN directly under this proposed rule.
FinCEN also envisions including re-disclosure limitations in the BOI
disclosure MOUs it enters into with recipient agencies. These
provisions would make clear that it would be the responsibility of a
recipient agency to take necessary steps to ensure that BOI is made
available for purposes specifically authorized by the CTA, and not for
the general purposes of the agency. Such agency-to-agency agreements
can be effective at creating and enforcing standards on use, reuse, and
redistribution of sensitive information. However, FinCEN solicits
comments from the public as to whether other mechanisms, such as the
imposition of redistribution standards by regulation, mandatory
redistribution logs, regular audit requirements, or other techniques,
may be more appropriate in this context.
v. Security and Confidentiality Requirements
The CTA directs the Secretary to establish by regulation protocols
to protect the security and confidentiality of any BOI provided
directly by FinCEN.\141\ FinCEN views safeguarding BOI to be a top
priority. The security and confidentiality of BOI would be protected
through several protocols to prevent unauthorized disclosure and to
ensure that BOI is used solely for the purposes described in the CTA.
These include high standard security protocols in the implementation of
the beneficial ownership IT system, robust MOUs that will impose
security requirements on agencies that have access to BOI, such as
current background checks on personnel accessing the information and
controls to ensure appropriate use, regular training, and robust audit
and oversight at the agency level and by FinCEN. In addition, FinCEN is
committed to regularly reviewing protocols and information security
practices to ensure they protect BOI from unauthorized use or
disclosure.
---------------------------------------------------------------------------
\141\ 31 U.S.C. 5336(c)(3)(A).
---------------------------------------------------------------------------
While the CTA enumerates specific requirements applicable to
``requesting agencies,'' FinCEN believes it is necessary and
appropriate to impose comparable requirements on FIs and foreign
requesters, taking into account considerations unique to those
recipient categories.\142\ Clear expectations for all recipients and
comparable data management requirements across different categories of
authorized recipients will facilitate high standard information
security and confidentiality practices and will contribute to more
effective audits and oversight. This subsection discusses requirements
applicable to both ``requesting agencies'' and other authorized
requesters.
---------------------------------------------------------------------------
\142\ 31 U.S.C. 5336(c)(3)(K).
---------------------------------------------------------------------------
a. Security and Confidentiality Requirements for Domestic Agencies
The CTA prescribes with specificity a number of requirements that
the Secretary must impose on requesting agencies and their heads. These
requirements affirm the importance of the security and confidentiality
protocols and the need for a high degree of accountability for the
protection of BOI.
Specifically, the statute provides that the Secretary shall require
requesting agencies to (1) ``establish and maintain, to the
satisfaction of the Secretary, a secure system in which [BOI] provided
directly by the Secretary shall be stored;'' \143\ (2) ``furnish a
report to the Secretary, at such time and containing such information
as the Secretary may prescribe, that describes the procedures
established and utilized by such agency to ensure the confidentiality
of [BOI] provided directly by the Secretary;'' \144\ (3) ``limit, to
the greatest extent practicable, the scope of information sought,
consistent with the purposes for seeking [BOI];'' \145\ and (4)
``establish and maintain, to the satisfaction of the Secretary, a
permanent system of standardized records with respect to an auditable
trail of each request for [BOI] submitted to the Secretary by the
agency, including the reason for the request, the name of the
individual who made the request, the date of the
[[Page 77420]]
request, any disclosure of [BOI] made by or to the agency, and any
other information the Secretary of the Treasury determines is
appropriate.'' \146\
---------------------------------------------------------------------------
\143\ 31 U.S.C. 5336(c)(3)(C).
\144\ 31 U.S.C. 5336(c)(3)(D).
\145\ 31 U.S.C. 5336(c)(3)(F).
\146\ 31 U.S.C. 5336(c)(3)(H).
---------------------------------------------------------------------------
The CTA also instructs the Secretary to establish by regulation
protocols: (1) ``requir[ing] the head of any requesting agency, on a
non-delegable basis, to approve the standards and procedures utilized
by the requesting agency and certify to the Secretary semi-annually
that such standards and procedures are in compliance with the
requirements of [31 U.S.C. 5336(c)(3)];'' \147\ (2) ``requir[ing] a
written certification for each authorized investigation or other
activity [giving rise to an authorized BOI disclosure] from the head of
[a Federal agency acting in furtherance of national security,
intelligence, or law enforcement activity, or a State, local, or Tribal
law enforcement agency], or their designees, that (a) states that
applicable requirements have been met, in such form and manner as the
Secretary may prescribe; and (b) at a minimum, sets forth the specific
reason or reasons why the [BOI] is relevant to [the] authorized
investigation or other activity . . .''; and (3) ``restrict[ing], to
the satisfaction of the Secretary, access to [BOI] to whom disclosure
may be made under the [CTA disclosure provisions] to only users at the
requesting agency (a) who are directly engaged in the authorized
investigation [for which BOI disclosure is authorized]; (b) whose
duties or responsibilities require such access; (c) who have undergone
appropriate training, or use staff to access the database who have
undergone appropriate training; (d) who use appropriate identity
verification mechanisms to obtain access to the information; and (e)
who are authorized by agreement with the Secretary to access the
information.'' \148\
---------------------------------------------------------------------------
\147\ 31 U.S.C. 5336(c)(3)(B).
\148\ 31 U.S.C. 5336(c)(3)(G).
---------------------------------------------------------------------------
Finally, the CTA instructs the Secretary to require requesting
agencies receiving BOI from FinCEN to ``conduct an annual audit to
verify that the [BOI] received from the Secretary has been accessed and
used appropriately, and in a manner consistent with this paragraph and
provide the results of that audit to the Secretary upon request.''
\149\ The statute imposes a corresponding requirement on the Secretary
to ``conduct an annual audit of the adherence of the agencies to the
protocols established under [31 U.S.C. 5336(c)(3)] to ensure that
agencies are requesting and using [BOI] appropriately.'' \150\
---------------------------------------------------------------------------
\149\ 31 U.S.C. 5336(c)(3)(I).
\150\ 31 U.S.C. 5336(c)(3)(J).
---------------------------------------------------------------------------
The proposed regulation would organize these requirements into two
subsections. The first, proposed 31 CFR 1010.955(d)(1)(i), would
address general requirements applicable to Federal, State, local, and
Tribal requesting agencies, including intermediary Federal agencies
acting on behalf of authorized foreign requesters, Federal functional
regulators, and other appropriate regulatory agencies. This proposed
subsection would require each requesting agency, before it could obtain
BOI, to enter into a MOU with FinCEN specifying the standards,
procedures, and systems that the agency would be required to maintain
to protect BOI.\151\ These MOUs would, among other things, memorialize
and implement requirements contained in proposed 31 CFR
1010.955(d)(1)(i), including those regarding reports and
certifications, periodic training of individual recipients of BOI,
personnel access restrictions, re-disclosure limitations, and access to
audit and oversight mechanisms. The MOUs would also include security
plans covering topics related to personnel security (e.g., eligibility
limitations, screening standards, certification and notification
requirements); physical security (system connections and use,
conditions of access, data maintenance); computer security (use and
access policies, standards related to passwords, transmission, storage,
and encryption); and inspections and compliance. Agencies may rely on
existing databases and related IT infrastructure to satisfy the
requirement to ``establish and maintain'' secure systems in which to
store BOI where those systems have appropriate security and
confidentiality protocols, and FinCEN will engage with recipient
agencies on this issue during the development of an MOU on BOI sharing.
---------------------------------------------------------------------------
\151\ 31 CFR 1010.955(d)(1)(i)(A).
---------------------------------------------------------------------------
Because security protocol details may vary based on each agency's
particular circumstances and capabilities, FinCEN believes individual
MOUs are preferable to a ``one-size-fits-all'' approach of specifying
particular requirements by regulation. FinCEN invites comment on this
MOU-based approach, and on whether additional requirements should be
incorporated into the regulations or into FinCEN's MOUs.
The second subsection would apply to each request for BOI. It
includes specific requirements with which each individual request for
BOI must comply, as described in the CTA, as well as additional
requirements that FinCEN believes are necessary to ensure that BOI is
subject to security and confidentiality requirements of a sufficiently
high standard.\152\
---------------------------------------------------------------------------
\152\ The additional measures are being proposed pursuant to the
authority delegated to FinCEN under 31 U.S.C. 5336(c)(3)(K).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(d)(1)(ii)(A) (referred to as a
``minimization'' requirement) would require all requesting agencies to
limit, to the greatest extent practicable, the amount of BOI they seek,
consistent with the agency's purpose for seeking it. The provision
mirrors the CTA requirement at 31 U.S.C. 5336(c)(3)(F) and would
enhance information security and confidentiality by limiting disclosure
of BOI only to those situations in which BOI is necessary for a
particular purpose.
Proposed 31 CFR 1010.955(d)(1)(ii)(B)(1) would incorporate the
requirement of 31 U.S.C. 5336(c)(3)(E) that the head of a requesting
Federal agency acting in furtherance of national security,
intelligence, or law enforcement activity, or their designees, certify
in writing, for each request made by the agency to FinCEN, that (1) the
agency was engaged in a national security, intelligence, or law
enforcement activity, and (2) the BOI requested was for use in
furthering that activity, setting forth specific reasons why the
requested BOI was relevant. FinCEN expects that the certification and
justification would be made by the individual at the authorized Federal
agency at the time of the BOI request. Similarly, proposed 31 CFR
1010.955(d)(1)(ii)(B)(2) would require the head of a requesting State,
local, or Tribal law enforcement agency, or their designee, to submit
to FinCEN a copy of the court authorization required under proposed 31
CFR 1010.955(b)(2), as well as a written justification setting forth
specific reasons why the requested information was relevant to the
investigation. FinCEN believes that collecting the underlying court
authorizations will help to ensure compliance with 31 U.S.C.
5336(c)(2)(B)(i)(II) and facilitate audit and oversight of such
requests. Moreover, the submission of brief justification narratives
will make it easier for FinCEN personnel to identify the relevant
information in a court authorization, thereby allowing for faster
reviews and more focused audits. FinCEN considered not requiring State,
local, and Tribal law enforcement agencies to submit corresponding
justifications in addition to the court authorizations, but in some
cases the
[[Page 77421]]
relationship between a court authorization and the search in question
might not be apparent on the face of the court authorization.
Proposed 31 CFR 1010.955(d)(1)(ii)(B)(3) and (4) would identify the
information that an intermediary Federal agency would need to obtain,
and in some cases, submit to FinCEN, when making a request for BOI on
behalf of foreign law enforcement, prosecutors, or judges. The
information that would need to be submitted to FinCEN pursuant to these
provisions is dependent on whether the foreign request at issue is
pursuant to an international treaty, agreement, or convention.
Regardless of whether an international treaty, agreement, or
convention applies, the head of an intermediary Federal agency acting
on behalf of a foreign requester, or their designee, would always need
to: (1) identify to FinCEN both the individual within the intermediary
Federal agency making the request; (2) identify to FinCEN the
individual affiliated with the foreign requester on whose behalf the
request is being made; and (3) either identify to FinCEN the
international treaty, agreement, or convention under which the request
was being made or provide a statement that no such instrument governs.
When an international treaty, agreement, or convention applies, the
head of an intermediary Federal agency acting on behalf of a foreign
requester, or their designee, would need to retain the request for
information under the relevant international treaty, agreement, or
convention, and would also have to certify to FinCEN that the requested
BOI is for use in furtherance of a law enforcement investigation or
prosecution, or for a national security or intelligence activity, that
is authorized under the laws of the relevant foreign country. This
certification would apply to the intermediary Federal agency head or
designee's understanding of the intended use for the BOI, and would not
constitute a guarantee from the intermediary Federal agency that the
foreign requester would not use the information for other activities
without authorization.
In circumstances in which an international treaty, agreement, or
convention does not apply, the head of an intermediary Federal agency
acting on behalf of a foreign requester, or their designee, would need
to submit to FinCEN a written explanation of the specific purpose for
which the foreign requester is requesting BOI. The intermediary Federal
agency would also need to provide FinCEN with a certification that
requested BOI: (1) will be used in furtherance of a law enforcement
investigation or prosecution, or for a national security or
intelligence activity that is authorized under the laws of the relevant
foreign country; (2) will only be used for the particular purpose or
activity for which it is requested; and (3) will be handled in
accordance with applicable security and confidentiality requirements as
discussed in detail in Section IV.A.v.c. below with respect to proposed
31 CFR 1010.955(d)(3). Again, this certification would apply to the
intermediary Federal agency head or designee's understanding of the
intended use for the BOI, and would not constitute a guarantee from the
intermediary Federal agency that the foreign requester would not use
the information for other activities without authorization. The
proposed rule further specifies that FinCEN may request additional
information to support its evaluation of whether to disclose BOI to a
foreign requester when a request is not pursuant to an international
treaty, agreement, or convention. FinCEN anticipates the implementation
of a case management function in the beneficial ownership IT system to
manage this information and certification submission process.
Finally, proposed 31 CFR 1010.955(d)(1)(ii)(B)(5) would require the
head of Federal functional regulators and other appropriate regulatory
agencies, or their designee, to certify to FinCEN when requesting BOI
that the agency (1) is authorized by law to assess, supervise, enforce,
or otherwise determine the relevant FI's compliance with CDD
requirements under applicable law, and (2) will use the information
solely for the purpose of conducting the assessment, supervision, or
authorized investigation or activity described in proposed 31 CFR
1010.955(b)(4)(ii)(A).
b. Security and Confidentiality Requirements for FIs
Although the CTA does not specifically address the safeguards FIs
must implement as a precondition to requesting BOI, the CTA authorizes
FinCEN to prescribe by regulation any other safeguards determined to be
necessary or appropriate to protect the confidentiality of BOI.\153\
Proposed 31 CFR 1010.955(d)(2) contains the safeguards applicable to
FIs, including security standards for managing the BOI data.
---------------------------------------------------------------------------
\153\ 31 U.S.C. 5336(c)(3)(K).
---------------------------------------------------------------------------
Any security standards FinCEN imposes should keep BOI reasonably
secure and confidential, but not be so stringent as to make the
information practically inaccessible or useless to FIs. Such overly
burdensome requirements would frustrate the CTA's objective of
facilitating FI compliance with CDD requirements under applicable law.
To strike an appropriate balance, proposed 31 CFR 1010.955(d)(2)(i)
would take a principles-based approach by requiring FIs to develop and
implement administrative, technical, and physical safeguards reasonably
designed to protect BOI as a precondition for receiving BOI. Although
proposed 31 CFR 1010.955(d)(2)(i) would not prescribe any specific
safeguards, it would establish that the security and information
handling procedures necessary to comply with section 501 of the Gramm-
Leach-Bliley Act (Gramm-Leach-Bliley) \154\ and applicable regulations
issued under it to protect non-public customer personal information, if
applied to BOI under the control of the FI, would satisfy this
requirement. This would be true for any FI, regardless of whether that
FI was subject to section 501, so long as the FI actually applied
procedures at the appropriate level of protection. The safe harbor in
proposed 31 CFR 1010.955(d)(2)(i) would therefore establish baseline
security and confidentiality standards that are the same for all FIs.
The approach of establishing a baseline standard would be consistent
with other provisions in FinCEN's regulations that impose standards for
handling sensitive information.\155\
---------------------------------------------------------------------------
\154\ Public Law 106-102, 113 Stat. 1338, 1436-37 (1999).
\155\ See, e.g., 31 CFR 1010.520(b)(3)(iv)(C), 31 CFR
1010.540(b)(4)(ii).
---------------------------------------------------------------------------
Section 501 of Gramm-Leach-Bliley, codified at 15 U.S.C. 6801(b)
and 6805, requires each Federal functional regulator to establish
appropriate standards for the FIs subject to its jurisdiction relating
to administrative, technical, and physical safeguards to (1) ensure the
security and confidentiality of customer records and information; (2)
protect against any anticipated threats or hazards to the security or
integrity of such records; and (3) protect against unauthorized access
to or use of such records or information which could result in
substantial harm or inconvenience to any customer. The Federal
functional regulators have implemented these requirements in different
ways. The OCC, FRB, FDIC, and NCUA incorporated into their regulations
the Interagency Guidelines Establishing Interagency Security
[[Page 77422]]
Standards (Interagency Guidelines).\156\ The Interagency Guidelines add
detail to the more general Gramm-Leach-Bliley requirements, covering
specific subjects related to identifying, managing, and controlling
risk (e.g., physical and electronic access controls, encryption and
training requirements, and testing). The CFTC has incorporated the
Gramm-Leach-Bliley expectations of FIs into its regulations \157\ and
recommended best practices for meeting them that are ``designed to be
generally consistent with'' the Interagency Guidelines.\158\ The SEC
has also incorporated the Gramm-Leach-Bliley expectations of FIs into
its regulations,\159\ but evaluates the reasonableness of Gramm-Leach-
Bliley compliance policies and procedures on a case-by-case basis and
communicates findings of insufficiency through supervision and
enforcement actions.\160\
---------------------------------------------------------------------------
\156\ See Interagency Guidelines Establishing Standards for
Safeguarding Customer Information and Rescission of Year 2000
Standards for Safety and Soundness, 66 FR 8616 (Feb. 1, 2001). The
agencies implementing regulations are at 12 CFR part 30, app. B
(OCC); 12 CFR. Part 208, app. D-2 and Part 225, app. F (FRB); 12 CFR
part 364, app. B (FDIC); and 12 CFR part 748, apps. A & B (NCUA).
\157\ See 17 CFR 160.
\158\ See CFTC Staff Advisory No. 14-21 (February 16, 2014).
\159\ See 17 CFR 248.30(a).
\160\ See, e.g., Morgan Stanley Smith Barney, SEC Administrative
Proceeding File No. 3-21112 (Sept. 20, 2022).
---------------------------------------------------------------------------
This blended approach for complying with the Gramm-Leach-Bliley
requirements is well-suited to protecting sensitive information
generally and BOI in particular. Gramm-Leach-Bliley provides general
baseline expectations for keeping data secure and confidential, while
each agency's implementing regulations take into account factors unique
to the FIs they supervise. Allowing FIs to meet the requirement to
safeguard BOI by extending to it the same processes they use to comply
with regulations issued pursuant to section 501 of Gramm-Leach-Bliley
would avoid duplicative or inconsistent requirements for information
security and protocols and would be less burdensome for FIs to
administer without sacrificing a high level of protection.
In order to ensure that security and confidentiality standards are
consistent across the entire financial industry, even FIs not subject
to regulations issued pursuant to section 501 of Gramm-Leach-Bliley
would be held to these same substantive standards. For FIs not subject
to section 501, the Interagency Guidelines might serve as a useful
checklist against which such FIs could evaluate their existing security
and confidentiality practices, and a useful guide to possible
modifications to bring the FI to the level of security and
confidentiality necessary to justify obtaining BOI.
Proposed 31 CFR 1010.955(d)(2)(ii) would require FIs to obtain and
document a reporting company's consent before requesting that reporting
company's BOI from FinCEN. FIs are well-positioned to obtain consent--
and to track any revocation of such consent--given that they maintain
direct customer relationships and are able to leverage existing
onboarding and account maintenance processes to obtain reporting
company consent. FinCEN considered the alternative approach of FinCEN
obtaining consent directly from the reporting company, but rejected the
approach given potential delays and the lack of any direct relationship
with the reporting company.
Finally, proposed 31 CFR 1010.955(d)(2)(iii) would require the FI
to certify in writing for each BOI request that it: (1) is requesting
the information to facilitate its compliance with CDD requirements
under applicable law, (2) obtained the reporting company's written
consent to request its BOI, and (3) fulfilled the other requirements of
the section. FinCEN anticipates that an FI would be able to make the
certification via a checkbox when requesting BOI via the beneficial
ownership IT system. FinCEN expects that FIs will establish protocols
to direct authorized staff to ensure that the requirements are
satisfied and that appropriate records are maintained for the purposes
of audit and oversight. FinCEN further expects FIs to provide training
on these protocols and to require system users from FIs to complete
FinCEN-provided online training about the system and related
responsibilities as a condition for creating and maintaining system
accounts.
Under the proposed rule, FinCEN would not require FIs to submit
proof of reporting company consent at the time of the request for BOI.
FinCEN would not have the capacity to review, verify, and store consent
forms and additional FinCEN involvement would create undue delays for
the ability of FIs to onboard customers. In addition, FinCEN expects
that FI compliance with these requirements would be assessed by Federal
functional regulators in the ordinary course during safety and
soundness examinations or by the SROs during their routine BSA
examinations.\161\ FIs therefore have a strong incentive to retain
evidence of a reporting company's consent for the purposes of
supervisory examinations and compliance and for use in cases involving
suspected or alleged violations of the requirement. Together with
potential civil and criminal penalties under the CTA, such examinations
would create a robust control and oversight mechanism. FinCEN invites
comments on this proposed approach to FI security and confidentiality
requirements, including any views regarding how consent should be
obtained from reporting companies and on the applicability of auditing
requirements to FIs.
---------------------------------------------------------------------------
\161\ The CTA requirements FIs must satisfy to qualify for BOI
disclosure from FinCEN are part of the BSA, a statute enacted in
pertinent part in Chapter X of the Code of Federal Regulations.
FinCEN has delegated its authority to examine FIs for compliance
with Chapter X to the Federal functional regulators. See 31 CFR
1010.810. See also, e.g., 12 U.S.C. 1818(s)(2), 12 U.S.C.
1786(q)(2).
---------------------------------------------------------------------------
c. Security and Confidentiality Requirements for Foreign Requesters
It is critical that all authorized BOI recipients--including
foreign requesters--take steps to keep BOI confidential and secure and
to prevent misuse. To that end, proposed 31 CFR 1010.955(d)(3)(i) would
require foreign requesters to handle, disclose, and use BOI consistent
with the requirements of the applicable treaty, agreement or convention
under which it was requested. 31 CFR 1010.955(d)(3)(ii), meanwhile,
would impose on foreign BOI requesters certain general requirements the
CTA imposes on all requesting agencies. FinCEN believes these measures
are necessary to protect the security and confidentiality of BOI
provided to foreign requesters.\162\ Requirements applicable to foreign
requesters when no treaty, agreement, or convention applies include
having security standards and procedures, maintaining a secure storage
system that complies with whatever security standards the foreign
requester applies to the most sensitive unclassified information it
handles, minimizing the amount of information requested, and
restricting personnel access to it. Foreign requesters that request and
receive BOI under an applicable international treaty, agreement, or
convention would not have these requirements under the proposed rule,
given that such requesters would be governed by standards and
procedures under the applicable international treaty, agreement, or
convention.
---------------------------------------------------------------------------
\162\ See 31 U.S.C. 5336(c)(3)(A), (K).
---------------------------------------------------------------------------
[[Page 77423]]
FinCEN considered proposing a requirement that foreign requesters
enter into MOUs comparable to domestic requesting agencies for
situations in which an international treaty, agreement, or convention
applies. The bureau decided not to propose such an approach because
foreign requesters will not have direct access to the beneficial
ownership IT system and because FinCEN anticipates a significantly
lower volume of foreign requests in general relative to other
stakeholders. FinCEN believes MOUs are appropriate with domestic
agencies to account for the risks inherent in repeated, detailed
interaction with the beneficial ownership IT system. Foreign BOI
requesters, by contrast, would only receive BOI through intermediary
Federal agencies that would themselves be subject to detailed MOUs.
Those intermediary Federal agencies would in turn work with foreign
requesters to safeguard BOI in accordance with applicable treaties,
agreements, or conventions when applicable, and under governing
protocols in other circumstances.
FinCEN considered imposing audit requirements on foreign requesters
as part of these security and confidentiality protocols, but determined
that it would not be feasible. First, in situations involving
international treaties, agreements, or conventions, such audits would
only be permissible if allowed by the international agreement. In
situations in which no such international agreement applied, it would
nevertheless be practically challenging for FinCEN to conduct
meaningful audits of a foreign requester's BOI handling systems and
practices given that it would involve extensive negotiations and the
commitment of substantial FinCEN personnel to considerable document
review (potentially involving translation) and travel. Foreign
governments under any circumstances are also unlikely to grant FinCEN
access to their secure IT systems to the degree that a comprehensive
audit demands. While FinCEN considered whether to refrain from sharing
information with a foreign requester that refused to be subject to
audit requirements, such an approach would result in reduced
information sharing and cooperation overall. The United States
regularly collaborates bilaterally and in global task forces, for
example, to combat terrorism, transnational criminal organizations, and
other threats to national security. The success of these initiatives
depends upon effective international cooperation and robust efforts by
foreign counterparts. Those foreign counterparts might decide not to
request BOI at all, depriving our partners of information that would
support these efforts, with potentially negative direct consequences
for the United States.
FinCEN invites comments on its proposal with respect to security
and confidentiality requirements applicable to foreign requesters.
vi. Administration of Requests for Information Reported Pursuant to 31
CFR 1010.380
The CTA includes several provisions regarding how FinCEN should
administer requests for BOI. Proposed 31 CFR 1010.955(e) would
implement these CTA provisions.
Proposed 31 CFR 1010.955(e)(1) would require agencies and FIs to
submit requests for BOI to FinCEN in the form and manner FinCEN shall
prescribe.\163\ The bureau intends to provide additional detail
regarding the form and manner of BOI requests for all categories of
authorized users through specific instructions and guidance as it
continues developing the beneficial ownership IT system. To the extent
required by the Paperwork Reduction Act (PRA), FinCEN would publish for
notice and comment any proposed information collection associated with
BOI requests.
---------------------------------------------------------------------------
\163\ 31 U.S.C. 5336(c)(2)(C).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(e)(2) would implement 31 U.S.C.
5336(c)(6)(B), which describes the circumstances under which the
Secretary ``may decline to provide'' requested BOI. The CTA describes
three permissible reasons for declining to provide BOI: (a) a
``requesting agency'' failing to meet applicable requirements; (2)
``the information is being requested for an unlawful purpose;'' or (3)
``other good cause exists to deny the request.'' \164\ Proposed 31 CFR
1010.955(e)(2) would make minor changes to the statutory text to
clarify its scope and to provide appropriate cross references. While 31
U.S.C. 5336(c)(6)(B)(i) speaks directly to requests made by a
``requesting agency,'' FinCEN believes the CTA also permits the bureau
to deny requests from any authorized recipient, including FIs, that
fail to comply with any requirements to receive BOI (e.g., refusing to
obtain consent from reporting companies before making BOI requests or
failing to fully comply with the proposed security and confidentiality
requirements).\165\ FinCEN's ability to decline requests in these
circumstances is necessary to ``protect the security and
confidentiality of [BOI]'' that the agency provides to authorized
recipients.\166\ Moreover, FinCEN would consider an FI's failure to
comply with any requirements to constitute ``good cause'' sufficient to
justify denying a request for BOI.\167\
---------------------------------------------------------------------------
\164\ Id.
\165\ See 31 U.S.C. 5336(c)(3)(A).
\166\ Id.; see also 31 U.S.C. 5336(c)(3)(K).
\167\ 31 U.S.C. 5663(c)(6)(B)(iii).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(e)(3) would specify that the reasons for
rejecting a request are also bases for suspension or debarment. The CTA
permits the Secretary to suspend or debar a ``requesting agency'' from
access to BOI for any of the reasons for rejection in the preceding
paragraph, including for ``repeated or serious violations'' of any
requirement established as a precondition for receiving BOI.\168\
FinCEN would again extend the availability of the suspension or
debarment authority to FIs to ensure the integrity of BOI, ensure the
security of the beneficial ownership IT system, and implement the
confidentiality requirements imposed by the CTA. Under the proposed
rule, suspension of access to BOI would be a temporary measure, while
debarment would be permanent. The proposed rule would also permit
FinCEN to determine in its sole discretion the length of any
suspension. Additionally, the proposed rule would clarify that FinCEN
may reinstate suspended or debarred requesters upon satisfaction of any
terms or conditions FinCEN in its sole discretion believes are
appropriate. As with the authority to reject requests, FinCEN views
suspension and debarment as important tools for protecting sensitive
information from potential misuse.
---------------------------------------------------------------------------
\168\ 31 U.S.C. 5336(c)(7).
---------------------------------------------------------------------------
vii. Violations; Penalties
The CTA makes it unlawful for any person to knowingly disclose or
knowingly use BOI obtained by the person through a report submitted to,
or an authorized disclosure made by, FinCEN, unless such disclosure is
authorized under the CTA.\169\ Proposed 31 CFR 1010.955(f)(1) tracks
this prohibition, and further clarifies that such disclosure authorized
under the CTA includes disclosure authorized under the regulations
issued pursuant to the CTA. Proposed 31 CFR 1010.955(f)(2) then
explains that for purposes of paragraph (f)(1), unauthorized use would
include any unauthorized accessing of information submitted to FinCEN
under 31 CFR 1010.380, including any activity in
[[Page 77424]]
which an employee, officer, director, contractor, or agent of a
Federal, State, local, or Tribal agency or FI knowingly violates
applicable security and confidentiality requirements in connection with
accessing such information.\170\ This reflects FinCEN's view that the
security and confidentiality requirements under the CTA and this
proposed rule circumscribe the ways in which authorized recipients can
use BOI, consistent with the statute's emphasis on keeping BOI secure
and confidential.
---------------------------------------------------------------------------
\169\ See 31 U.S.C. 5336(h)(2).
\170\ 31 U.S.C. 5336(c)(4) explicitly applies civil and criminal
penalties to employees and officers of ``requesting agencies'' who
violate applicable security and confidentiality protocols, including
through unauthorized disclosure or use. FinCEN views this as a self-
executing reinforcement provision to support 31 U.S.C.
5336(h)(3)(B), which focuses on unlawful disclosure or use by any
person.
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(f)(3) lists the CTA's enumerated civil and
criminal penalties for knowingly disclosing or using BOI without
authorization. The CTA provides civil penalties in the amount of $500
for each day a violation continues or has not been remedied. Criminal
penalties are a fine of not more than $250,000 or imprisonment for not
more than 5 years, or both.\171\ The CTA also provides for enhanced
criminal penalties, including a fine of up to $500,000, imprisonment of
not more than 10 years, or both, if a person commits a violation while
violating another law of the United States or as part of a pattern of
any illegal activity involving more than $100,000 in a 12-month
period.\172\
---------------------------------------------------------------------------
\171\ 31 U.S.C. 5336(h)(3)(B).
\172\ See 31 U.S.C. 5336(h)(3)(B)(ii)(II).
---------------------------------------------------------------------------
B. Use of FinCEN Identifiers for Entities
A FinCEN identifier is a unique identifying number that FinCEN will
issue to individuals who have provided FinCEN with their BOI and to
reporting companies that have filed initial BOI reports.\173\
Consistent with the CTA, the final BOI reporting rule describes the
manner in which FinCEN will issue a FinCEN identifier to individuals
and to entities.\174\ It also describes circumstances in which a
reporting company may report an individual beneficial owner's FinCEN
identifier to FinCEN in lieu of providing the individual's BOI.\175\
---------------------------------------------------------------------------
\173\ 31 U.S.C. 5336(b)(3).
\174\ See 31 CFR 1010.380(b)(4).
\175\ See 31 CFR 1010.380(b)(4)(ii)(B).
---------------------------------------------------------------------------
The CTA also provides for the use of a reporting company's FinCEN
identifier, specifying that if an individual ``is or may be a
beneficial owner of a reporting company by an interest held by the
individual in an entity that, directly or indirectly, holds an interest
in the reporting company,'' the reporting company may report the
entity's FinCEN identifier in lieu of providing the individual's
BOI.\176\ The Reporting NPRM proposed to incorporate this language
without significant clarification. Some commenters, however, expressed
concerns that the use of FinCEN identifiers could obscure the
identities of beneficial owners in a manner that might result in
greater secrecy or incomplete or misleading disclosures. Several
commenters noted that the proposed language may be confusing and pose
problems when a reporting company's ownership structure involves
multiple beneficial owners and intermediate entities. In light of this
feedback, the final BOI reporting rule did not adopt the proposed
language, and FinCEN is now proposing different language to implement
the CTA in a manner that better clarifies when a company may report an
intermediate entity's FinCEN identifier in lieu of an individual's BOI.
---------------------------------------------------------------------------
\176\ 31 U.S.C. 5336(b)(3)(C).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.380(b)(4)(ii)(B) would permit a reporting
company to report an intermediate entity's FinCEN identifier in lieu of
a beneficial owner's BOI only when: (1) the intermediate entity has
obtained a FinCEN identifier and provided that FinCEN identifier to the
reporting company; (2) an individual is or may be a beneficial owner of
the reporting company by virtue of an interest in the reporting company
that the individual holds through the entity; and (3) only the
individuals that are beneficial owners of the intermediate entity are
beneficial owners of the reporting company, and vice versa. The first
and second requirements are straightforward clarifications, while the
third requirement reflects an implicit assumption in the statutory
language.
It is straightforward to allow a reporting company to use an
intermediate entity's FinCEN identifier where a single individual is
the sole beneficial owner of a reporting company through a single
intermediate entity. In this simple scenario, the same individual would
be the beneficial owner of both the reporting company and the
intermediate entity. Reporting the intermediate entity's FinCEN
identifier in lieu of the individual's BOI would thus accurately
indicate that the individual is a beneficial owner of both entities,
and the intermediate entity would have already reported the
individual's BOI when it filed its initial report and obtained a FinCEN
identifier. However, the use of an intermediate company's FinCEN
identifier beyond this simple scenario encounters significant problems
when a reporting company's ownership structure involves multiple
beneficial owners and/or intermediate entities. For instance, if the
intermediate entity has any beneficial owners who are not also
beneficial owners of the reporting company, the reporting company's use
of the intermediate entity's FinCEN identifier would identify multiple
individuals as beneficial owners of the reporting company, when in fact
they are only beneficial owners of the intermediate entity.
Additionally, if an individual is a beneficial owner of a reporting
company through multiple intermediate entities but is not a beneficial
owner of one of those entities, the reporting company's use of that
entity's FinCEN identifier could obscure the identity of that
beneficial owner. In this case, the reporting company's use of an
intermediate entity's FinCEN identifier would fail to identify an
individual as a beneficial owner of the reporting company, when in fact
the individual is such a beneficial owner.
In light of the core objective of the CTA to establish a
comprehensive beneficial ownership database and to ensure that the
information it contains is accurate and highly useful, FinCEN does not
believe the FinCEN identifier provision was intended to enable
reporting companies to misidentify beneficial owners. As explained in
the prior paragraph, there are some scenarios in which FinCEN would be
unable to accurately identify which reported beneficial owners are
extraneous, or which BOI reports are incomplete, thereby making it more
difficult for FinCEN and authorized recipients of BOI to identify the
true beneficial owners of each reporting company. This would make the
beneficial ownership database less accurate and undermine the
fundamental goals of the CTA. Moreover, FIs that obtain BOI reports
that are either under- or over-inclusive may have difficulty
reconciling this BOI with other information they receive during the CDD
process, impeding another goal of the CTA. Furthermore, over-inclusive
BOI would require FinCEN to disclose more BOI than necessary in
response to authorized requests. Instead of only disclosing BOI for
individuals who are beneficial owners of the reporting company that is
the subject of a request, FinCEN would have to also disclose BOI for
other individuals who are beneficial owners of a different company that
may not be
[[Page 77425]]
the subject of the request. This over-disclosure would be in
significant conflict with the confidentiality and privacy protections
the CTA instructs FinCEN to implement, including the requirement to
``limit, to the greatest extent practicable, the scope of the
information sought.'' \177\
---------------------------------------------------------------------------
\177\ 31 U.S.C. 5336(c)(3)(F).
---------------------------------------------------------------------------
For all of these reasons, permitting a reporting company to use an
intermediate entity's FinCEN identifier would appear consistent with
the CTA's overall statutory scheme only if the two entities have the
same beneficial owners. In this case, as in the simple scenario
previously described, reporting the intermediate entity's FinCEN
identifier would be equivalent to reporting the BOI of the reporting
company's beneficial owners. There would be no mismatch. Accordingly,
proposed 31 CFR 1010.380(b)(4)(ii)(B) makes this requirement explicit
by permitting a reporting company to report an intermediate entity's
FinCEN identifier only when the intermediate entity and the reporting
company have the same beneficial owners. FinCEN believes this
requirement is implicit in the CTA, and is necessary for FinCEN to
avoid collection of potentially incomplete information and to prevent
disclosure of inaccurate reports that contain extraneous sensitive
information or that lack relevant BOI. FinCEN solicits comment on this
proposal.
V. Final Rule Effective Date
FinCEN is proposing an effective date of January 1, 2024, to align
with the date on which the final BOI reporting rule at 31 CFR 1010.380
becomes effective. A January 1, 2024, effective date is intended to
provide the public and authorized users of BOI with sufficient time to
review and prepare for implementation of the rule. FinCEN solicits
comment on the proposed effective date for this rule.
VI. Request for Comment
FinCEN seeks comment from all parts of the public, as well as
Federal, State, local, and Tribal government entities, with respect to
the proposed rule as a whole and specific provisions discussed above in
Section IV. FinCEN invites comment on any and all aspects of the
proposed rule, and specifically seeks comments on the following
questions:
Understanding the Rule
1. Can the organization of the rule text be improved? If so, how?
2. Can the language of the rule text be improved? If so, how?
3. Does the proposed rule provide sufficient guidance to
stakeholders and the public regarding the scope and requirements for
access to BOI?
Disclosure of Information
4. The CTA prohibits officers and employees of (1) the United
States, (2) State, local, and Tribal agencies, and (3) FIs and
regulatory agencies from disclosing BOI reported under the statute.
FinCEN proposes to extend the prohibition to agents, contractors, and,
in the case of FIs, directors as well. FinCEN invites comments on the
proposed scope.
5. Are FinCEN's proposed interpretations of ``national security,''
``intelligence,'' and ``law enforcement'' clear enough to be useful
without being overly prescriptive? If not, what should be different?
Commenters are invited to suggest alternative interpretations or
sources for reference.
6. Should FinCEN add any specific activities or elements to the
proposed interpretations of ``national security,'' ``intelligence,''
and ``law enforcement'' that do not seem to be covered already? If so,
what?
7. FinCEN requests comments discussing how State, local, and Tribal
law enforcement agencies are authorized by courts to seek information
in criminal and civil investigations. Among the particular issues that
FinCEN is interested in are: how State, local, and Tribal authorities
gather evidence in criminal and civil cases; what role a court plays in
each of these mechanisms, and whether in the commenter's opinion it
rises to the level of court ``authorization''; what role court officers
(holders of specific offices, not attorneys as general-purpose officers
of the court) play in these mechanisms; how grand jury subpoenas are
issued and how the court officers issuing them are ``authorized'' by a
court; whether courts of competent jurisdiction, or officers thereof,
regularly authorize subpoenas or other investigative steps via court
order; and whether there are any evidence-gathering mechanisms through
which State, local, or Tribal law enforcement agencies should be able
to request BOI from FinCEN, but that do not require any kind of court?
8. Is requiring a foreign central authority or foreign competent
authority to be identified as such in an applicable international
treaty, agreement, or convention overly restrictive? If so, what is a
more appropriate means of identification?
9. Are there alternative approaches to managing the foreign access
provision of the CTA that FinCEN should consider?
10. Should FinCEN define the term ``trusted foreign country'' in
the rule, and if so, what considerations should be included in such a
definition?
11. FinCEN proposes that FIs be required to obtain the reporting
company's consent in order to request the reporting company's BOI from
FinCEN. FinCEN invites commenters to indicate what barriers or
challenges FIs may face in fulfilling such a requirement, as well as
any other considerations.
12. FinCEN proposes to define ``customer due diligence requirements
under applicable law'' to mean the bureau's 2016 CDD Rule, as it may be
amended or superseded pursuant to the AML Act. The 2016 CDD Rule
requires FIs to identify and verify beneficial owners of legal entity
customers. Should FinCEN expressly define ``customer due diligence
requirements under applicable law'' as a larger category of
requirements that includes more than identifying and verifying
beneficial owners of legal entity customers? If so, what other
requirements should the phrase encompass? How should the broader
definition be worded? It appears to FinCEN that the consequences of a
broader definition of this phrase would include making BOI available to
more FIs for a wider range of specific compliance purposes, possibly
making BOI available to more regulatory agencies for a wider range of
specific examination and oversight purposes, and putting greater
pressure on the demand for the security and confidentiality of BOI. How
does the new balance of those consequences created by a broader
definition fulfill the purpose of the CTA?
13. If FinCEN wants to limit the phrase ``customer due diligence
requirements under applicable law'' to apply only to requirements like
those imposed under its 2016 CDD Rule related to FIs identifying and
verifying beneficial owners of legal entity customers, are there any
other comparable requirements under Federal, State, local, or Tribal
law? If so, please specifically identify these requirements and the
regulatory bodies that supervise for compliance with or enforce them.
14. Are there any State, local, or Tribal government agencies that
supervise FIs for compliance with FinCEN's 2016 CDD Rule? If so, please
identify them.
15. FinCEN does not propose to disclose BOI to SROs as ``other
appropriate regulatory agencies,'' but does propose to authorize FIs
that receive BOI from FinCEN to disclose it to SROs that meet specified
qualifying
[[Page 77426]]
criteria. Is this sufficient to allow SROs to perform duties delegated
to them by Federal functional regulators and other appropriate
regulatory agencies? Are there reasons why SROs could be included as
``other appropriate regulatory agencies'' and obtain BOI directly from
FinCEN?
16. Are there additional circumstances under which FinCEN is
authorized to disclose BOI that are not reflected in this proposed
rule?
Use of Information
17. FinCEN proposes to permit U.S. agencies to disclose BOI
received under 31 CFR 1010.955(b)(1) or (2) to courts of competent
jurisdiction or parties to civil or criminal proceedings. Is this
authorization appropriately scoped to allow for the use of BOI in civil
or criminal proceedings?
18. In proposed 31 CFR 1010.955(c)(2)(v), FinCEN proposes to
establish a mechanism to authorize, either on a case-by-case basis or
categorically through written protocols, guidance, or regulations, the
re-disclosure of BOI in cases not otherwise covered under 31 CFR
1010.955(c)(2) and in which the inability to share the information
would frustrate the purposes of the CTA because of the categorical
prohibitions against disclosures at 31 U.S.C. 5336(c)(2)(A). Are there
other categories of redisclosures that FinCEN should consider
authorizing? Are there particular handling or security protocols that
FinCEN should consider imposing with respect to such re-disclosures of
BOI?
19. Could a State regulatory agency qualify as a ``State, local, or
Tribal law enforcement agency'' under the definition in proposed 31 CFR
1010.955(b)(2)(ii)? If so, please describe the investigation or
enforcement activities involving potential civil or criminal violations
of law that such agencies may undertake that would require access to
BOI.
Security and Confidentiality Requirements
20. Should FinCEN impose any additional security or confidentiality
requirements on authorized recipients of any type? If so, what
requirements and why?
21. The minimization component of the security and confidentiality
requirements requires limiting the ``scope of information sought'' to
the greatest extent possible. FinCEN understands this phrase, drawn
from the language of the CTA, to mean that requesters should tailor
their requests for information as narrowly as possible, consistent with
their needs for BOI. Such narrow tailoring should minimize the
likelihood that a request will return BOI that is irrelevant to the
purpose of the request or unhelpful to the requester. Does the phrase
used in the regulation convey this meaning sufficiently clearly, or
should it be expanded, and if so how?
22. Because security protocol details may vary based on each
agency's particular circumstances and capabilities, FinCEN believes
individual MOUs are preferable to a one-size-fits all approach of
specifying particular requirements by regulation. FinCEN invites
comment on this MOU-based approach, and on whether additional
requirements should be incorporated into the regulations or into
FinCEN's MOUs.
23. FinCEN proposes to require FIs to limit BOI disclosure to FI
directors, officers, employees, contractors, and agents within the
United States. Would this restriction impose undue hardship on FIs?
What are the practical implications and potential costs of this
limitation?
24. Are the procedures FIs use to protect non-public customer
personal information in compliance with section 501 of Gramm-Leach-
Bliley sufficient for the purpose of securing BOI disclosed by FinCEN
under the CTA? If not, is there another set of security standards
FinCEN should require FIs to apply to BOI?
25. Are the standards established by section 501 of Gramm-Leach-
Bliley, its implementing regulations, and interagency guidance
sufficiently clear such that FIs not directly subject to that statute
will know how to comply with FinCEN's requirements with respect to
establishing and implementing security and confidentiality standards?
26. Do any states impose, and supervise for compliance on, security
and confidentiality requirements comparable to those that FFRs are
required to impose on FIs under section 501 of Gramm-Leach-Bliley?
Please provide examples of such requirements.
Outreach
29. What specific issues should FinCEN address via public guidance
or FAQs? Are there specific recommendations on engagement with
stakeholders to ensure that the authorized recipients, and in
particular, State, local, and Tribal authorities and small and mid-
sized FIs, are aware of requirements for access to the beneficial
ownership IT system?
FinCEN Identifiers
30. Does FinCEN's proposal with respect to an entity's use of a
FinCEN identifier adequately address the potential under- or over-
reporting issues discussed in the preamble?
VI. Regulatory Analysis
This regulatory impact analysis (RIA) assesses the anticipated
impact, both in terms of costs and benefits, of the proposed rule, in
accordance with Executive Order 12866. This analysis also includes an
assessment of the impact on small entities pursuant to the Regulatory
Flexibility Act (RFA), reporting and recordkeeping burdens under the
Paperwork Reduction Act (PRA); and an assessment as required by the
Unfunded Mandates Reform Act of 1995 (UMRA).\178\
---------------------------------------------------------------------------
\178\ The U.S. Bureau of Economic Analysis reports the annual
value of the gross domestic product (GDP) deflator in 1995 (the year
in which UMRA was enacted) as 71.823, and as 118.895 in 2021. See
U.S. Bureau of Economic Analysis, Table 1.1.9. Implicit Price
Deflators for Gross Domestic Product, available at <a href="https://apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&categories=survey#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ">https://apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&categories=survey#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ</a>. Thus, the
inflation adjusted estimate for $100 million is 118.895/71.823 x 100
= $166 million.
---------------------------------------------------------------------------
Regarding the proposed regulations related to BOI access, the
analysis assumes a baseline scenario of no access granted to the BOI
system maintained by FinCEN, which is the current regulatory
environment, and uses a time horizon of 10 years. The analysis
estimates that the overall quantifiable impact associated with the
proposed rule, which would affect U.S. Federal agencies including
FinCEN, as well as State, local, and Tribal agencies, foreign
requesters, certain financial institutions, and self-regulatory
organizations, would be between $108.7 million in net savings and
$840.7 million in net costs in the first year of implementation of the
rule, and then a net impact between $186.5 million in net savings and
$672.0 million in net costs on an ongoing annual basis.\179\ This
proposed rule has been determined to be a significant rule for purposes
of Executive Order 12866. Furthermore, the proposed rule would have a
significant economic impact on a substantial number of small entities.
Last, the proposed rule would result in an estimated 5-year average PRA
annual cost of $642.5 million to certain State, local, and Tribal
agencies, self-regulatory organizations, and financial
[[Page 77427]]
institutions. Because accessing BOI under the proposed rule is not
mandated for State, local, and Tribal governments or the private
sector, FinCEN does not assess any expenditures pursuant to UMRA.
---------------------------------------------------------------------------
\179\ All aggregate figures are approximate and not precise
estimates unless otherwise specified.
---------------------------------------------------------------------------
As FinCEN identified in the final BOI reporting rule's RIA, FinCEN
will incur costs for administering the regulation and access to
BOI.\180\ These costs include development and ongoing annual
maintenance of the beneficial ownership IT system. In particular,
developing and maintaining the methods of access to the beneficial
ownership IT system described in this NPRM has impacted FinCEN's IT
cost estimates. FinCEN estimated that the initial IT development costs
associated with the final BOI reporting rule are approximately $72
million with an additional $25.6 million per year required to maintain
the new BOI system and the underlying FinCEN IT that is needed to
support the new capabilities. These estimates do not include certain
potential additional costs, such as for IT personnel or information
verification. The final BOI reporting rule's RIA also estimated $10
million per year in FinCEN personnel costs in order to ensure
successful implementation of and compliance with the BOI reporting
requirements. Given that these costs to FinCEN are already accounted
for in the RIA of the final BOI reporting rule, these costs are not
included in the RIA. The costs to FinCEN in this RIA are in addition to
those included in the final BOI reporting rule's RIA.
---------------------------------------------------------------------------
\180\ 87 FR 59578 (Sept. 30, 2022).
---------------------------------------------------------------------------
FinCEN also considers in the RIA what costs or benefits may be
associated with the proposed rule regarding reporting companies' use of
FinCEN identifiers for entities. The final BOI reporting rule's RIA
contains a regulatory analysis that accounts for the impact associated
with obtaining, updating, and using FinCEN identifiers, including a
summary of NPRM comments related to the associated estimated costs and
benefits. Regarding entities' use of FinCEN identifiers, FinCEN
proposes to rely upon the analysis in the final BOI reporting rule's
RIA. That analysis states that the costs associated with reporting
companies' use of FinCEN identifiers are captured in that RIA's cost
estimates associated with BOI reports. This analysis is explained in
more detail in Section VI.A.ii. below.
A. Executive Orders 12866 and 13563
Executive Orders 12866 and 13563 direct agencies to assess costs
and benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, and public health and
safety effects, as well as distributive impacts and equity). Executive
Order 13563 emphasizes the importance of quantifying both costs and
benefits, reducing costs, harmonizing rules, and promoting flexibility.
FinCEN conducted an assessment of the costs and benefits of the
proposed rule, as well as the costs and benefits of available
regulatory alternatives. This proposed rule is necessary in order to
implement Section 6403 of the CTA. Consistent with the cost-benefit
analysis in Section VI.A.i. below, this proposed rule has been
designated a ``significant regulatory action'' and economically
significant under section 3(f) of Executive Order 12866. Accordingly,
the proposed rule has been reviewed by the Office of Management and
Budget (OMB).
i. Section of Proposed Rule Regarding BOI Access
a. Alternative Scenarios
FinCEN considered alternatives to the proposed rule. However, for
the reasons described within this section, FinCEN decided not to
propose these alternatives.
1. Reduce Training Burden
The first alternative would be to reduce the training requirement
for BOI authorized recipients, which includes appropriate training for
authorized recipients of BOI as well as annual training for access to
BOI. In its analysis, FinCEN assumes that each authorized recipient
that would access the BOI would be required to undergo one hour of
training per year.\181\ Here, FinCEN considers the scenario where
authorized recipients would instead be required to undergo one hour of
training every two years, in alignment with the current BSA data access
requirements. This scenario could result in savings every other year of
$108 to $172,800 per Federal agency, $76 to $5,168 per State, local,
and Tribal agency, $95 to $6,460 per SRO,\182\ $108 per foreign
requester, and $146 to $241 per financial institution. The aggregate
savings could be as much as $3.7 million to $5.2 million ($1.3 million
total for domestic agencies and SROs + $2.4 to $3.9 million for
financial institutions) every other year. This alternative scenario
could result in savings every other year of approximately $95 to $190
per small financial institution. The aggregate savings could be as much
as approximately $1.3 million to $2.7 million (($95 x 14,051 small
financial institutions = $1,334,845) and ($190 x 14,051 small financial
institutions = $2,669,690)) every other year. Given the sensitive
nature of the BOI,\183\ FinCEN believes that maintaining an annual
training requirement for BOI authorized recipients and access to BOI is
necessary to protect the security and confidentiality of the BOI.
---------------------------------------------------------------------------
\181\ The assumption of one training hour is in alignment with
the current training requirement for accessing BSA data. However,
one notable difference is that the proposed BOI training requirement
is
[…truncated; see source link]Indexed from Federal Register on December 16, 2022.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.