Rule 2023-27973

Beneficial Ownership Information Access and Safeguards

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
December 22, 2023
Effective
February 20, 2024

Issuing agencies

Treasury Department; Financial Crimes Enforcement Network

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 245 (Friday, December 22, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 245 (Friday, December 22, 2023)]
[Rules and Regulations]
[Pages 88732-88813]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-27973]



[[Page 88731]]

Vol. 88, No. 245

Friday, December 22, 2023

Part III

Department of the Treasury

-----------------------------------------------------------------------

Financial Crimes Enforcement Network

-----------------------------------------------------------------------

31 CFR Part 1010

Beneficial Ownership Information Access and Safeguards; Final Rule

Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / 
Rules and Regulations

[[Page 88732]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network

31 CFR Part 1010

RIN 1506-AB59


Beneficial Ownership Information Access and Safeguards

AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: FinCEN is promulgating regulations regarding access by 
authorized recipients to beneficial ownership information (BOI) that 
will be reported to FinCEN pursuant to section 6403 of the Corporate 
Transparency Act (CTA), enacted into law as part of the Anti-Money 
Laundering Act of 2020 (AML Act), which is itself part of the National 
Defense Authorization Act for Fiscal Year 2021 (NDAA). The regulations 
implement the strict protocols required by the CTA to protect sensitive 
personally identifiable information (PII) reported to FinCEN and 
establish the circumstances in which specified recipients have access 
to BOI, along with data protection protocols and oversight mechanisms 
applicable to each recipient category. The disclosure of BOI to 
authorized recipients in accordance with appropriate protocols and 
oversight will help law enforcement and national security agencies 
prevent and combat money laundering, terrorist financing, tax fraud, 
and other illicit activity, as well as protect national security.

DATES: These rules are effective February 20, 2024.

FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section 
at 1-800-767-2825 or electronically at frc@fincen.gov.

SUPPLEMENTARY INFORMATION:

I. Introduction

    This final rule implements the beneficial ownership information 
(BOI) access and safeguard provisions in the Corporate Transparency Act 
(CTA).\1\ The rule balances the statutory requirement to create a 
database of BOI that is highly useful to authorized BOI recipients, 
with the requirement to safeguard BOI from unauthorized use. This final 
rule reflects FinCEN's understanding of the critical need for the 
highest standard of security and confidentiality protocols to maintain 
confidence in the U.S. Government's ability to protect sensitive 
information while achieving the objective of the CTA noted above--
establishing a database of BOI that will be highly useful in combatting 
illicit finance and the abuse of shell and front companies by 
criminals, corrupt officials, and other bad actors.
---------------------------------------------------------------------------

    \1\ The CTA is Title LXIV of the William M. (Mac) Thornberry 
National Defense Authorization Act for Fiscal Year 2021, Public Law 
116-283 (Jan. 1, 2021) (the NDAA). Division F of the NDAA is the 
Anti-Money Laundering Act of 2020 (AML Act), which includes the CTA. 
Section 6403 of the CTA, among other things, amends the Bank Secrecy 
Act (BSA) by adding a new section 5336, Beneficial Ownership 
Information Reporting Requirements, to Subchapter II of Chapter 53 
of Title 31, United States Code.
---------------------------------------------------------------------------

    Specifically, this final rule implements the provisions in the CTA, 
codified at 31 U.S.C. 5336(c), that authorize certain recipients to 
receive disclosures of identifying information associated with 
reporting companies, their beneficial owners, and their company 
applicants (together, BOI). The CTA requires reporting companies to 
report BOI to FinCEN pursuant to 31 U.S.C. 5336(b). This rule reflects 
FinCEN's careful consideration of public comments, including those 
received in response to (1) an advance notice of proposed rulemaking 
(ANPRM) \2\ on the implementation of the CTA, (2) an NPRM regarding BOI 
reporting requirements (Reporting NPRM),\3\ and (3) an NPRM regarding 
BOI access and safeguards (Access NPRM).\4\
---------------------------------------------------------------------------

    \2\ 86 FR 17557 (Apr. 5, 2021).
    \3\ 86 FR 69920 (Dec. 8, 2021).
    \4\ 87 FR 77404 (Dec. 16, 2022).
---------------------------------------------------------------------------

    As Congress explained in the CTA, ``malign actors seek to conceal 
their ownership of corporations, limited liability companies, or other 
similar entities in the United States to facilitate illicit activity, 
including money laundering, the financing of terrorism, proliferation 
financing, serious tax fraud, human and drug trafficking, 
counterfeiting, piracy, securities fraud, financial fraud, and acts of 
foreign corruption, harming the national security interests of the 
United States and allies of the United States.'' \5\ Access by 
authorized recipients to BOI reported under the CTA would significantly 
aid efforts to protect U.S. national security and safeguard the U.S. 
financial system from such illicit use. It would impede illicit actors' 
ability to use legal entities to conceal proceeds from criminal acts 
that undermine U.S. national security and foreign policy interests, 
such as corruption, human trafficking, drug and arms trafficking, and 
terrorist financing. BOI can also add critical data to financial 
analyses in activities the CTA contemplates, including tax 
investigations. It can also provide essential information to the 
intelligence and national security professionals who work to prevent 
terrorists, proliferators, and those who seek to undermine our 
democratic institutions or threaten other core U.S. interests from 
raising, hiding, or moving money in the United States through anonymous 
shell or front companies.\6\
---------------------------------------------------------------------------

    \5\ CTA, section 6402(3).
    \6\ A front company generates legitimate business proceeds to 
commingle with illicit earnings. See U.S. Department of the 
Treasury, National Money Laundering Risk Assessment (2018), p. 29, 
available at <a href="https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf">https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf</a>.
---------------------------------------------------------------------------

    The United States currently does not have a centralized or complete 
store of information about who owns and operates legal entities within 
the United States. The beneficial ownership data available to law 
enforcement and national security agencies are generally limited to 
certain commercial databases and the information collected by financial 
institutions on legal entity accounts pursuant to their Customer Due 
Diligence (CDD) or broader Customer Identification Program (CIP) 
obligations, some of which has been included in Suspicious Activity 
Reports (SARs) or provided to law enforcement in response to judicial 
process.\7\ As set out in detail in the Notice of Proposed Rulemaking 
regarding BOI reporting requirements \8\ and the BOI reporting final 
rule,\9\ U.S. law enforcement officials and the Financial Action Task 
Force (FATF),\10\ among others, have for years noted how the lack of 
timely access to accurate and adequate BOI by law enforcement and other 
authorized

[[Page 88733]]

recipients remained a significant gap in the United States' anti-money 
laundering/countering the financing of terrorism (AML/CFT) and 
countering the financing of proliferation (CFP) framework. Broadly, and 
critically, BOI can identify linkages between potential illicit actors 
and opaque business entities, including shell companies. Furthermore, 
comparing BOI reported pursuant to the CTA against data collected under 
the Bank Secrecy Act (BSA) and other relevant government data is 
expected to significantly further efforts to identify illicit actors 
and combat their financial activities.
---------------------------------------------------------------------------

    \7\ See, e.g., 31 CFR 1010.230. Even then, any BOI a financial 
institution collects is not systematically reported to any central 
repository.
    \8\ Supra note 3, 86 FR at 69923-69924.
    \9\ 87 FR 59498, 59506 (Sept. 30, 2022).
    \10\ The FATF, of which the United States is a founding member, 
is an international, inter-governmental task force whose purpose is 
the development and promotion of international standards and the 
effective implementation of legal, regulatory, and operational 
measures to combat money laundering, terrorist financing, the 
financing of weapons proliferation, and other related threats to the 
integrity of the international financial system. The FATF assesses 
over 200 jurisdictions against its minimum standards for beneficial 
ownership transparency. Among other things, it has established 
standards on transparency and beneficial ownership of legal persons, 
to deter and prevent the misuse of corporate vehicles. See FATF 
Recommendation 24, Transparency and Beneficial Ownership of Legal 
Persons, The FATF Recommendations: International Standards on 
Combating Money Laundering and the Financing of Terrorism and 
Proliferation (updated Oct. 2020), available at <a href="https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html">https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html</a>; FATF Guidance, Transparency and Beneficial 
Ownership, Part III (Oct. 2014), available at <a href="https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf">https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf</a>.
---------------------------------------------------------------------------

    At the same time, however, FinCEN recognizes that BOI is sensitive 
information. This final rule reflects FinCEN's commitment to creating a 
highly useful database for authorized BOI recipients while protecting 
this sensitive information from unauthorized disclosure. To this end, 
the final rule aims to ensure that: (1) only authorized recipients have 
access to BOI; (2) authorized recipients use that BOI only for purposes 
permitted by the CTA; and (3) authorized recipients re-disclose BOI 
only in ways that balance protection of the security and 
confidentiality of the BOI with furtherance of the CTA's objective of 
making BOI available to a range of users for purposes specified in the 
CTA. The final rule also provides a robust framework to ensure that BOI 
reported to FinCEN, and received by authorized recipients, is subject 
to strict cybersecurity controls, confidentiality protections and 
restrictions, and robust audit and oversight measures. Coincident with 
the protocols described in this final rule, FinCEN continues to work to 
develop a secure, nonpublic database in which to store BOI, using 
rigorous information security methods and controls typically used in 
the Federal government to protect nonclassified yet sensitive 
information systems at the highest security level. Against this 
backdrop and consistent with the CTA, FinCEN will permit certain 
Federal, State,\11\ local, and Tribal officials, as well as foreign 
officials acting through a Federal agency, to obtain BOI for use in 
furtherance of statutorily authorized activities such as those related 
to national security, intelligence, and law enforcement. Financial 
institutions with customer due diligence requirements under applicable 
law will have access to BOI to facilitate compliance with those 
requirements, as will the Federal functional regulators or other 
appropriate regulatory agencies that supervise or assess those 
financial institutions' compliance with such requirements.
---------------------------------------------------------------------------

    \11\ FinCEN will interpret the term ``State'' consistent with 
the definition of that term in the final Beneficial Ownership 
Information Reporting Requirements rule at 87 FR 59498 (Sep. 30, 
2022) (which defines the term ``State'' to mean ``any state of the 
United States, the District of Columbia, the Commonwealth of Puerto 
Rico, the Commonwealth of the Northern Mariana Islands, American 
Samoa, Guam, the United States Virgin Islands, and any other 
commonwealth, territory, or possession of the United States.'').
---------------------------------------------------------------------------

II. Background

A. Access to Beneficial Ownership Information

    For more than two decades, the U.S. government has been raising 
awareness about the misuse of legal entities by criminal actors for 
illicit ends.\12\ Recently, Secretary of the Treasury Janet L. Yellen 
affirmed that:
---------------------------------------------------------------------------

    \12\ See 87 FR 59501-59503 (Sept. 30, 2022).

    ``The United States has a unique obligation to tackle 
corruption. Corrupt actors from around the world continually attempt 
to exploit the vulnerabilities in the U.S. framework--for countering 
money laundering, terrorist financing, and other forms of illicit 
finance. . . . Just like legitimate investors, corrupt actors move 
their money through the United States to take advantage of the 
world's largest and most dynamic economy. They incorporate companies 
to benefit from our strong legal system, buy assets like real 
estate, and invest in our deep and liquid markets. . . . Unmasking 
shell corporations is the single most significant thing we can do to 
make our financial system inhospitable to corrupt actors. . . . The 
beneficial ownership database will deter dirty money from entering 
the U.S.--and give law enforcement and other partners the tools they 
need to follow the money when it does.'' \13\
---------------------------------------------------------------------------

    \13\ U.S. Department of the Treasury (Treasury), ``Remarks by 
Secretary Janet L. Yellen on Anti-Corruption as a Cornerstone of a 
Fair, Accountable, and Democratic Economy at the Summit for 
Democracy,'' (Mar. 28, 2023), available at <a href="https://home.treasury.gov/news/press-releases/jy1371">https://home.treasury.gov/news/press-releases/jy1371</a>.

    The Department of the Treasury (Treasury) has previously observed 
in its 2020 National Strategy for Combating Terrorist and other Illicit 
Financing (the 2020 Illicit Financing Strategy) that ``[m]isuse of 
legal entities to hide a criminal beneficial owner or illegal source of 
funds continues to be a common, if not the dominant, feature of illicit 
finance schemes, especially those involving money laundering, predicate 
offences, tax evasion, and proliferation financing. . . .'' \14\ The 
2020 Illicit Financing Strategy further noted a Treasury finding that, 
between 2016 and 2019, legal entities were used in a substantial 
proportion of adjudicated Internal Revenue Service (IRS) cases to 
perpetrate tax evasion and fraud.\15\ In a separate report, the Drug 
Enforcement Administration highlighted that drug trafficking 
organizations frequently use shell and front companies to commingle 
illicit drug proceeds with legitimate front company revenue to launder 
the illicit drug proceeds.\16\
---------------------------------------------------------------------------

    \14\ Treasury, National Strategy for Combating Terrorist and 
Other Illicit Financing (2020), p. 13, available at <a href="https://home.treasury.gov/system/files/136/National-Strategy-to-Counter-Illicit-Financev2.pdf">https://home.treasury.gov/system/files/136/National-Strategy-to-Counter-Illicit-Financev2.pdf</a>. The 2022 National Strategy for Combating 
Terrorist and Other Illicit Financing noted that ``[t]he passage of 
the CTA was a critical step forward in closing a long-standing gap 
and strengthening the U.S. AML/CFT regime'' and that ``[a]ddressing 
the gap in collection at the time of entity formation is the most 
important AML/CFT regulatory action for the U.S. government.'' 
Treasury, National Strategy for Combating Terrorist and Other 
Illicit Financing (May 2022), p. 8, available at <a href="https://home.treasury.gov/system/files/136/2022-National-Strategy-for-Combating-Terrorist-and-Other-Illicit-Financing.pdf">https://home.treasury.gov/system/files/136/2022-National-Strategy-for-Combating-Terrorist-and-Other-Illicit-Financing.pdf</a> (``2022 Illicit 
Financing Strategy'').
    \15\ Id. at 14.
    \16\ Drug Enforcement Administration, 2020 Drug Enforcement 
Administration National Drug Threat Assessment (``DEA 2020 NDTA'') 
(2020), pp. 87-88, available at <a href="https://www.dea.gov/sites/default/files/2021-02/DIR-008-21%202020%20National%20Drug%20Threat%20Assessment_WEB.pdf">https://www.dea.gov/sites/default/files/2021-02/DIR-008-21%202020%20National%20Drug%20Threat%20Assessment_WEB.pdf</a>.
---------------------------------------------------------------------------

    As Treasury stressed in its 2022 Illicit Financing Strategy, law 
enforcement's lack of access to uniform BOI hinders its ability to 
swiftly investigate those entities created and used to hide ownership 
for illicit purposes.\17\ Consequently, authorized recipients' access 
to BOI reported under the CTA will significantly aid efforts to protect 
U.S. national security; safeguard the U.S. financial system; and 
support U.S. foreign policy and other interests by providing a tool to 
counter corruption, human smuggling, drug and arms trafficking, 
terrorist financing, and other criminal acts. BOI can also add critical 
data to financial analyses in activities the CTA contemplates, 
including tax investigations. BOI can also provide essential 
information to the intelligence and national security professionals who 
work to prevent terrorists, proliferators, and those who seek to 
undermine our democratic institutions or threaten other core U.S. 
interests from raising, hiding, or moving money in the United States 
through anonymous shell or front companies.
---------------------------------------------------------------------------

    \17\ See Treasury, 2022 Illicit Financing Strategy, supra note 
3, p. 12.
---------------------------------------------------------------------------

    Entity formation and registration in the United States happen at 
the state and Tribal levels. Although state- and Tribal-level entity 
formation laws vary, most jurisdictions do not require the party 
forming an entity to identify its individual beneficial owners at or 
after the time of formation. Additionally, the vast majority of states 
require little to no contact information or other information about an 
entity's officers or others who

[[Page 88734]]

control it.\18\ Furthermore, although many financial institutions are 
required to collect certain beneficial ownership information pursuant 
to FinCEN's 2016 Customer Due Diligence Rule (2016 CDD Rule),\19\ and 
broader Customer Identification Program (CIP) obligations,\20\ that 
information is not systematically reported to a central repository.
---------------------------------------------------------------------------

    \18\ See CTA, section 6402(2) (``[M]ost or all States do not 
require information about the beneficial owners of corporations, 
limited liability companies, or other similar entities formed under 
the laws of the State''); U.S. Government Accountability Office, 
Company Formations: Minimal Ownership Information Is Collected and 
Available (Apr. 2006), available at <a href="https://www.gao.gov/assets/gao-06-376.pdf">https://www.gao.gov/assets/gao-06-376.pdf</a>; see also, e.g., The National Association of Secretaries 
of State (NASS), NASS Summary of Information Collected by States 
(Jun. 2019), available at <a href="https://www.nass.org/sites/default/files/company%20formation/nass-business-entity-info-collected-june2019.pdf">https://www.nass.org/sites/default/files/company%20formation/nass-business-entity-info-collected-june2019.pdf</a>.
    \19\ Final Rule, Customer Due Diligence Requirements for 
Financial Institutions, 81 FR 29398-29402 (May 11, 2016); 31 CFR 
1010.230.
    \20\ See e.g., 31 CFR 1020.220.
---------------------------------------------------------------------------

    Identifying individual beneficial owners of legal entities in the 
United States therefore is often a significant challenge for law 
enforcement,\21\ and it represents a significant weakness in the United 
States' AML/CFT and CFP frameworks, as Treasury \22\ and the FATF \23\ 
have noted for some time. Currently, obtaining BOI through grand jury 
subpoenas and other means can involve considerable effort. Grand jury 
subpoenas, for example, require an underlying grand jury investigation 
into a possible violation of law. Furthermore, the law enforcement 
officer or investigator must work with a prosecutor's office, such as a 
U.S. Attorney's Office, to open a grand jury investigation, obtain the 
grand jury subpoena, and issue it on behalf of the grand jury. The 
investigator also needs to determine who should receive the subpoena 
and coordinate service, which creates additional complications in cases 
involving complicated corporate structuring. Sometimes this work is all 
for naught because the investigation involves an entity formed or 
registered in a jurisdiction that does not require BOI for formation or 
registration.
---------------------------------------------------------------------------

    \21\ In 2019, for example, Steven M. D'Antuono, Acting Deputy 
Assistant Director of the FBI's Criminal Investigative Division 
testified before Congress that ``[t]he process for the production of 
[beneficial ownership] records can be lengthy, anywhere from a few 
weeks to many years, and . . . can be extended drastically when it 
is necessary to obtain information from other countries . . . . [I]f 
an investigator obtains the ownership records, either from a 
domestic or foreign entity, the investigator may discover that the 
owner of the identified corporate entity is an additional corporate 
entity, necessitating the same process for the newly discovered 
corporate entity. Many professional launderers and others involved 
in illicit finance intentionally layer ownership and financial 
transactions in order to reduce transparency of transactions. As it 
stands, it is a facially effective way to delay an investigation.'' 
D'Antuono further acknowledged that these challenges may be even 
greater for State, local, and Tribal law enforcement agencies that 
may not have the same resources as their Federal counterparts to 
undertake long and costly investigations to identify beneficial 
owners. D'Antuono noted that requiring the disclosure of BOI by 
legal entities and the creation of a central BOI repository 
available to law enforcement and regulators could address these 
challenges. Federal Bureau of Investigation (FBI), Testimony of 
Steven M. D'Antuono, Section Chief, Criminal Investigative Division, 
``Combatting Illicit Financing by Anonymous Shell Companies'' (May 
21, 2019), available at <a href="https://www.fbi.gov/news/testimony/combating-illicit-financing-by-anonymous-shell-companies">https://www.fbi.gov/news/testimony/combating-illicit-financing-by-anonymous-shell-companies</a>.
    \22\ Treasury, Treasury Announces Key Regulations and 
Legislation to Counter Money Laundering and Corruption, Combat Tax 
Evasion, May 5, 2016, available at <a href="https://home.treasury.gov/news/press-releases/jl0451">https://home.treasury.gov/news/press-releases/jl0451</a>.
    \23\ See FATF Recommendation 24, Transparency and Beneficial 
Ownership of Legal Persons, The FATF Recommendations: International 
Standards on Combating Money Laundering and the Financing of 
Terrorism and Proliferation (updated Oct. 2020), available at 
<a href="https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html">https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html</a>.
---------------------------------------------------------------------------

    FinCEN's existing regulatory tools help, but they provide only 
partial solutions. The 2016 CDD Rule, for example, requires that 
certain types of U.S. financial institutions identify and verify the 
beneficial owners of legal entity customers at the time of account 
opening.\24\ The information financial institutions must collect under 
the 2016 CDD Rule, however, is generally neither comprehensive nor 
reported to the U.S. government (nor to State, local, or Tribal 
governments), except when filed in suspicious activity reports (SARs) 
or in response to judicial process. Moreover, the 2016 CDD Rule applies 
only to legal entities that open accounts at certain U.S. financial 
institutions. Other FinCEN authorities--geographic targeting orders 
\25\ and the so-called ``311 measures'' (i.e., special measures imposed 
on foreign jurisdictions, foreign financial institutions, or 
international transactions of primary money laundering concern) \26\--
offer temporary and targeted tools. Neither provides law enforcement 
the ability to reliably, efficiently, and consistently identify new 
entities for investigation or follow investigatory leads.
---------------------------------------------------------------------------

    \24\ 31 CFR 1010.230(b)(1).
    \25\ 31 U.S.C. 5326(a); 31 CFR 1010.370.
    \26\ 31 U.S.C. 5318A, as added by section 311 of the USA PATRIOT 
Act (Pub. L. 107-56).
---------------------------------------------------------------------------

    This Final Rule will help to fill in these gaps while creating a 
framework to keep BOI secure and confidential.

B. The CTA

    The CTA is part of the AML Act, which is a part of the 2021 NDAA. 
The CTA added a new section, 31 U.S.C. 5336, to the BSA to enhance 
beneficial ownership transparency while minimizing the burden on the 
regulated community.\27\ This new section requires certain types of 
domestic and foreign entities, called ``reporting companies,'' to 
submit BOI to FinCEN.\28\ Specifically, reporting companies must submit 
to FinCEN, for each beneficial owner and each individual who files an 
application to form a domestic entity or register a foreign entity to 
do business in the United States (the ``company applicant''), four 
pieces of information: the individual's full legal name, date of birth, 
current residential or business street address, and either a unique 
identifying number from an acceptable identification document (e.g., a 
passport) or the individual's ``FinCEN identifier.'' \29\
---------------------------------------------------------------------------

    \27\ CTA, section 6403.
    \28\ 31 U.S.C. 5336(b)(1), (2). The CTA generally exempts from 
the reporting requirements banks and other entities that are already 
subject to significant regulatory regimes meant to expose their 
beneficial owners, among other purposes. See id. at 5336(a)(11)(B).
    \29\ Id. at 5336(b)(2).
---------------------------------------------------------------------------

    The CTA establishes that BOI is ``sensitive information.'' \30\ The 
statute treats it as such by limiting its access and use to specified 
parties for particular purposes.\31\ In particular, Congress authorized 
FinCEN to disclose BOI only to a statutorily defined group of 
governmental authorities and financial institutions, and only in 
defined circumstances. The CTA further provides that the Secretary of 
the Treasury (Secretary) must ``maintain [BOI] in a secure, nonpublic 
database, using information security methods and techniques that are 
appropriate to protect nonclassified information systems at the highest 
security level.'' \32\ As discussed in detail in section II.E, FinCEN 
is currently building the secure information technology (IT) system 
into which reporting companies will submit, and from which authorized 
recipients will generally obtain, BOI.
---------------------------------------------------------------------------

    \30\ CTA, section 6402(6).
    \31\ Id.
    \32\ CTA, section 6402(7)(A). While the statutory language seems 
to include a typographical error that refers to another provision 
(not related to BOI), it also seems clear that the object of 
protection in this case is BOI.
---------------------------------------------------------------------------

    In addition to setting out requirements and restrictions related to 
BOI reporting and access, the CTA requires that FinCEN revise the 2016 
CDD Rule within one year of the BOI reporting requirements taking 
effect. In particular, the CTA directs FinCEN to revise the 2016 CDD 
Rule to: (1) bring it into conformity with the AML Act as a whole, 
including the CTA; (2) account for financial institutions' access to 
BOI

[[Page 88735]]

reported to FinCEN ``in order to confirm the beneficial ownership 
information provided directly to the financial institutions'' for AML/
CFT and customer due diligence purposes; and (3) reduce unnecessary or 
duplicative burdens on financial institutions and legal entity 
customers.\33\ In carrying out these provisions, the CTA further 
requires FinCEN to rescind paragraphs (b) through (j) of 31 CFR 
1010.230.\34\
---------------------------------------------------------------------------

    \33\ CTA, section 6403(d)(1)(A)-(C).
    \34\ CTA, section 6403(d)(1)-(2). The CTA orders the rescission 
of paragraphs (b) through (j) directly (``the Secretary of the 
Treasury shall rescind paragraphs (b) through (j)'') and orders the 
retention of paragraph (a) by a negative rule of construction 
(``nothing in this section may be construed to authorize the 
Secretary of the Treasury to repeal . . . [31 CFR] 
1010.230(a)[.]''). The statute also provides a list of 
considerations to take into account when revising the 2016 CDD Rule. 
See generally CTA, section 6403(d)(3).
---------------------------------------------------------------------------

    FinCEN began implementing the CTA by publishing an ANPRM on April 
5, 2021.\35\ The ANPRM sought input on five open-ended categories of 
questions, including questions on clarifying key CTA definitions and on 
how FinCEN should implement CTA provisions governing FinCEN's 
maintenance and disclosure of BOI subject to appropriate access 
protocols. In response to the ANPRM, FinCEN received and considered 220 
comments from parties that included businesses, civil society 
organizations, trade associations, law firms, secretaries of state and 
other state officials, Indian Tribes, members of Congress, and private 
citizens.
---------------------------------------------------------------------------

    \35\ 86 FR 17557 (Apr. 5, 2021).
---------------------------------------------------------------------------

    FinCEN next published the Reporting NPRM on December 8, 2021.\36\ 
The Reporting NPRM described Treasury's efforts to address the lack of 
transparency in the ownership of certain legal entities, and proposed 
regulations specifying what BOI must be reported to FinCEN pursuant to 
CTA requirements, by whom, and when. These regulations also proposed 
processes for obtaining, updating, and using FinCEN identifiers. The 
Reporting NPRM included a 60-day comment period, which closed on 
February 7, 2022. FinCEN received over 240 comments on the Reporting 
NPRM.
---------------------------------------------------------------------------

    \36\ 86 FR 69920 (Dec. 8, 2021).
---------------------------------------------------------------------------

    After considering those comments, FinCEN published a final rule 
implementing the CTA's BOI reporting requirements on September 30, 2022 
(Reporting Rule).\37\ The Reporting Rule takes effect on January 1, 
2024, and is the first of three rulemakings required by the CTA. Under 
the Reporting Rule, reporting companies in existence before the 
effective date will have until January 1, 2025, to report.\38\ The 
Reporting Rule also provided that reporting companies created or 
registered to do business on or after January 1, 2024 would need to 
submit BOI to FinCEN within 30 days of receiving notice of a company's 
creation or registration.\39\ However, on November 30, 2023, FinCEN 
published a final rule to extend the timeframe for reporting companies 
created or registered on or after January 1, 2024, and before January 
1, 2025, to submit their initial BOI reports to FinCEN. Under this 
amendment to the Reporting Rule, reporting companies created or 
registered on or after January 1, 2024, and before January 1, 2025, 
will have 90 days to submit their initial BOI reports, instead of 30 
days. Reporting companies formed on or after January 1, 2025, will 
continue to be required to submit their initial BOI reports within 30 
days.
---------------------------------------------------------------------------

    \37\ 87 FR 59498 (Sept. 30, 2022).
    \38\ Reporting Rule, 31 CFR 1010.380(a)(1)(i)-(ii).
    \39\ Id. at 1010.380(a)(iii).
---------------------------------------------------------------------------

    The Reporting Rule also reserved for further consideration certain 
provisions concerning the use of FinCEN identifiers for entities.
    FinCEN next published the Access NPRM regarding the CTA's BOI 
access and safeguard provisions on December 16, 2022.\40\ The proposed 
regulations reflected information gleaned from over 30 outreach 
sessions with representatives from Federal agencies, state courts, 
state and local prosecutors' offices, Tribal governments, financial 
institutions, financial self-regulatory organizations (SROs), and 
government offices that had established beneficial ownership databases, 
as well as from comments to the prior CTA-related publications. The 
Access NPRM also included proposed amendments to the reporting 
regulations that would finalize the remaining Reporting Rule provisions 
concerning the use of FinCEN identifiers for entities. The comment 
period for the Access NPRM closed on February 14, 2023.
---------------------------------------------------------------------------

    \40\ 87 FR 77404 (Dec. 16, 2022).
---------------------------------------------------------------------------

    This final rule adopts, with modifications, the proposed 
regulations in the Access NPRM and is the second rulemaking required by 
the CTA. These final access and safeguard regulations (``Access Rule'') 
aim to ensure that: (1) only authorized recipients have access to BOI; 
(2) authorized recipients use that access only for purposes permitted 
by the CTA; and (3) authorized recipients only re-disclose BOI in ways 
that balance protecting its security and confidentiality with the CTA 
objective of making BOI available to a range of users for authorized 
purposes. The regulations also provide a robust framework to ensure 
that BOI reported to FinCEN, and received by authorized recipients, is 
subject to strict cybersecurity controls, confidentiality protections 
and restrictions, and robust audit and oversight measures.
    FinCEN will implement the CTA requirement to revise the 2016 CDD 
Rule through a future rulemaking process. That process will provide the 
public with an opportunity to comment on the effect of the final 
provisions of the BOI reporting and access rules on financial 
institutions' customer due diligence obligations.
    Finally, the CTA requires the Inspector General of the Department 
of the Treasury to provide public contact information to receive 
external comments or complaints regarding the BOI notification and 
collection process or regarding the accuracy, completeness, or 
timeliness of such information.\41\ Treasury's Office of Inspector 
General (``Treasury OIG'') has established the following email inbox to 
receive such comments or complaints: 
CorporateTransparency@oig.treas.gov.
---------------------------------------------------------------------------

    \41\ See 31 U.S.C. 5336(h)(4).
---------------------------------------------------------------------------

C. The Access NPRM

    As noted above in section II.B, FinCEN published the Access NPRM on 
December 16, 2022. The NPRM had a 60-day comment period that closed on 
February 14, 2023. FinCEN received over 80 comments. The NPRM described 
who would be authorized to access BOI reported to FinCEN, how those 
parties could use the information, and how they would be required to 
safeguard it.
    The proposed regulations would amend 31 CFR 1010.950(a) to clarify 
that the disclosure of BOI would be governed by proposed 31 CFR 
1010.955, rather than 31 CFR 1010.950(a), which governs disclosure of 
other BSA information. The CTA specifies disclosure rules applicable to 
BOI that are distinct from BSA provisions authorizing disclosure of 
other BSA information.\42\
---------------------------------------------------------------------------

    \42\ See 31 U.S.C. 5336(c)(2), (5).
---------------------------------------------------------------------------

    The Access NPRM proposed to incorporate the CTA's general 
prohibition on the disclosure of BOI by individual recipients to others 
unless authorized to do so under the statute or its implementing 
regulations, with certain clarifications regarding the applicability 
and duration of that prohibition. The proposed regulations would 
authorize the disclosure and use of BOI to facilitate the purposes of 
the CTA, with FinCEN further proposing to retain the authority to 
permit in writing the re-disclosure of BOI in other circumstances.
    The proposed regulations included provisions that would address a 
range of

[[Page 88736]]

administrative matters, e.g., circumstances under which FinCEN could 
decline to provide requested BOI or debar or suspend an authorized 
recipient, and would incorporate CTA provisions that impose civil and 
criminal penalties for knowingly disclosing or knowingly using BOI in 
ways that were not authorized by the CTA. The proposed rule also would 
reinforce the security and confidentiality requirements of the CTA by 
making clear the range of actions that could constitute unauthorized 
disclosure and use.
    Finally, the Access NPRM made a new proposal regarding the use of 
FinCEN identifiers for entities, which was initially addressed in the 
Reporting NPRM and then deferred in the Final Reporting Rule. 
Specifically, the proposed regulations would clarify that a reporting 
company would be permitted to report the FinCEN identifier of an 
intermediate entity (i.e., an entity through which an individual 
beneficial owner exercises substantial control or owns ownership 
interests in a reporting company) in lieu of a beneficial owner's PII 
only when three criteria are met. Taken together, these requirements 
sought to avoid the use of FinCEN identifiers to obscure beneficial 
ownership in a reporting company when the entity's ownership structure 
involves multiple beneficial owners and intermediate entities. FinCEN 
published a final rule to implement these provisions regarding the use 
of FinCEN identifiers for entities on November 8, 2023.\43\
---------------------------------------------------------------------------

    \43\ 88 FR 76995 (Nov. 8, 2023).
---------------------------------------------------------------------------

    The Access NPRM, however, primarily focused on the scope of and 
requirements for access to and protection of BOI reported to FinCEN. 
The following subsections outline how the proposed regulations would 
apply to five categories of authorized recipients for which the CTA 
prescribes specific requirements with respect to access to and use of 
BOI.
i. Domestic Agencies
    The first category of BOI recipients authorized by the CTA consists 
of (1) Federal agencies engaged in national security, intelligence, or 
law enforcement activity if the requested BOI is for use in furtherance 
of such activity; \44\ and (2) State, local, and Tribal law enforcement 
agencies if ``a court of competent jurisdiction'' authorizes the law 
enforcement agency to seek the information in a criminal or civil 
investigation.\45\ Federal agency access to BOI would be contingent on 
the type of activity an agency engages in. In contrast, State, local, 
and Tribal access would be contingent on two conditions: (1) whether 
the recipient is a law enforcement agency, i.e., the type of agency; 
and (2) whether a State, local, or Tribal law enforcement agency 
receives authorization from a court of competent jurisdiction to 
request BOI from FinCEN.
---------------------------------------------------------------------------

    \44\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
    \45\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    The Access NPRM proposed definitions for ``national security,'' 
``intelligence,'' and ``law enforcement'' activities in a manner 
consistent with the CTA. In particular, the Access NPRM proposed that 
``law enforcement'' include both criminal and civil investigations and 
actions, including actions to impose civil penalties, civil forfeiture 
actions, and civil enforcement through administrative proceedings. For 
access by State, local and Tribal law enforcement, the Access NPRM 
proposed to define ``court of competent jurisdiction'' as any court 
with jurisdiction over the criminal or civil investigation for which 
the State, local, or Tribal law enforcement agency requested BOI. The 
Access NPRM further proposed that the requisite court authorization 
would have to be in the form of a court order, with the understanding 
that the term ``order'' could encompass many authorization types issued 
by a range of court officers (i.e., individuals empowered to exercise a 
court's authority and issue authorizations on its behalf, excluding 
individual attorneys). The NPRM specifically sought feedback on the 
scope of this definition.
    The proposed regulations would also require all Federal agencies 
engaged in national security, intelligence, or law enforcement activity 
to provide a brief justification for each search for BOI in the FinCEN 
IT system and certify compliance with the applicable regulatory 
requirements. State, local, and Tribal law enforcement agencies would 
also have had to provide a brief justification for each search for BOI 
and submit copies of their court orders for FinCEN review. Upon meeting 
these requirements, both Federal agencies engaged in national security, 
intelligence, or law enforcement activity and State, local, and Tribal 
law enforcement agencies would have the ability to conduct searches for 
BOI in the beneficial ownership IT system (the ``BO IT system'') 
relevant to their investigation. The BO IT system would provide these 
users with both a reporting company's BOI at the time of the request as 
well as any previously submitted BOI.
    Furthermore, the Access NPRM proposed that Federal agencies engaged 
in a national security, intelligence, or law enforcement activity, as 
well as State, local, and Tribal law enforcement agencies, would be 
authorized to disclose BOI obtained directly from FinCEN to courts of 
competent jurisdiction or parties to a civil or criminal proceeding. 
This authorization would only apply to civil or criminal proceedings 
involving U.S. Federal, State, local, and Tribal laws. In the preamble 
to the Access NPRM, FinCEN explained that it envisioned agencies 
relying on this provision when, for example, a prosecutor would need to 
provide a criminal defendant with BOI in discovery or use it as 
evidence in a court proceeding or trial.\46\
---------------------------------------------------------------------------

    \46\ See CTA, section 6402(5)(D).
---------------------------------------------------------------------------

    The CTA prescribes a number of security and confidentiality 
requirements that the Secretary must impose on requesting Federal, 
State, local, and Tribal agencies and their heads. These include 
requirements for secure storage systems and access policies and 
procedures; personnel access controls; recordkeeping, reporting, and 
audit requirements; and written certifications. These requirements 
affirm the importance of the security and confidentiality protocols and 
the need for a high degree of accountability for the protection of BOI. 
The proposed regulations described how each requesting agency, before 
it could obtain BOI from FinCEN, would be required to enter into a 
memorandum of understanding (MOU) with FinCEN specifying the standards, 
procedures, and systems that the agency would be required to maintain 
to protect BOI, including security plans. FinCEN explained in the 
preamble to the Access NPRM that these requirements are extensive by 
necessity given the broad search functionality within the BO IT system 
that would be available to this category of authorized recipients.
ii. Foreign Requesters
    The second category consists of foreign law enforcement agencies, 
judges, prosecutors, central authorities, and competent authorities 
(``foreign requesters''), provided their requests come through an 
intermediary Federal agency, meet additional criteria, and are made 
either (1) under an international treaty, agreement, or convention; or 
(2) via a request made by law enforcement, judicial, or prosecutorial 
authorities in a trusted foreign country (when no international treaty, 
agreement, or convention is available).\47\
---------------------------------------------------------------------------

    \47\ See 31 U.S.C. 5336(c)(2)(B)(ii).

---------------------------------------------------------------------------

[[Page 88737]]

    FinCEN generally did not propose to identify in the Access NPRM any 
specific Federal agencies that would serve as intermediaries with 
foreign governments.\48\ FinCEN instead indicated that it would work 
with Federal agencies to identify those that are well positioned to be 
intermediaries, based on several factors, including: the level of 
engagement with foreign law enforcement agencies, judges, prosecutors, 
central authorities, or competent authorities; responsibility under 
international treaties, agreements, or conventions; and capacity to 
process requests for BOI while managing risks of unauthorized 
disclosure. The Access NPRM proposed to permit intermediary Federal 
agencies to use BOI obtained from FinCEN at the behest of a foreign 
requester only to facilitate a response to that foreign requester.
---------------------------------------------------------------------------

    \48\ Given its longstanding relationships and relevant 
experience as the financial intelligence unit of the United States, 
FinCEN proposed to directly receive, evaluate, and respond to 
requests for BOI from foreign financial intelligence units.
---------------------------------------------------------------------------

    With respect to the requirement that a foreign request be made 
under an ``international treaty, agreement, or convention,'' FinCEN 
explained that it understood those terms to cover a legally binding 
agreement governed by international law. FinCEN did not propose to 
identify specific countries it would treat as ``trusted'' in situations 
when no international treaty, agreement, or convention applied. The 
Access NPRM explained that to define ``trusted foreign country'' would 
have risked arbitrarily excluding foreign requesters with whom sharing 
BOI might be appropriate in some cases but not others. FinCEN instead 
proposed to conduct case-by-case assessments in consultation with 
relevant U.S. government agencies to determine whether to disclose BOI 
to a foreign requester in a particular instance.
    In the Access NPRM, FinCEN explained that it did not expect foreign 
requesters to have direct access to the BO IT system, but rather that 
intermediary Federal agencies would perform BOI searches in the system 
on a foreign requester's behalf. Before acting as intermediaries, 
Federal agencies would first have to fulfill several requirements, 
including: (1) ensuring that they have secure systems for BOI storage; 
(2) entering into MOUs with FinCEN outlining expectations and 
responsibilities; (3) incorporating the CTA foreign sharing 
requirements into evaluation criteria with which to review BOI requests 
from foreign requesters; (4) integrating the evaluation criteria into 
their existing information-sharing policies and procedures; (5) 
developing additional security protocols and systems as required under 
the CTA and this rule; and (6) ensuring that their personnel have 
sufficient training on BOI security and use requirements and 
restrictions.
    Under the Access NPRM, an intermediary Federal agency would be 
authorized to submit foreign requests for BOI to FinCEN only after 
meeting these requirements. Such requests would need to include certain 
information, including: (1) the names of both the individual within the 
intermediary Federal agency making the request and the individual 
affiliated with the foreign requester on whose behalf the request was 
being made; and (2) either the international treaty, agreement, or 
convention under which the request was being made, or a statement that 
no such instrument governs along with an explanation of the 
information's intended use. Intermediary Federal agencies would also 
need to certify that a request meets applicable eligibility criteria. 
After doing so, an intermediary Federal agency could then search for 
and retrieve requested BOI from the system and respond to the foreign 
requester in a manner consistent with either the international treaty, 
agreement, or convention, or the request from the trusted foreign 
country. Intermediary Federal agencies would be required to maintain 
records documenting specified elements of each search, both for the 
agency's own internal auditing and for FinCEN audits as required under 
the CTA.
    Recognizing the importance that all authorized BOI recipients--
including foreign requesters--take appropriate steps to keep BOI 
confidential and secure and to prevent misuse, FinCEN also proposed 
requiring foreign requesters to handle, disclose, and use BOI 
consistent with the requirements of the applicable international 
treaty, agreement, or convention under which it is requested. When no 
treaty, agreement, or convention applies, the Access NPRM proposed that 
the head of an intermediary Federal agency, acting on behalf of a 
foreign requester, or their designee, would need to submit to FinCEN a 
written explanation of the specific purpose for which the foreign 
requester is requesting BOI. The intermediary Federal agency in such 
cases would have also needed to provide FinCEN with a certification 
that the requested BOI would be: (1) used in furtherance of a law 
enforcement investigation or prosecution, or for a national security or 
intelligence activity that is authorized under the laws of the relevant 
foreign country; (2) only used for the particular purpose or activity 
for which it was requested; and (3) handled in accordance with 
specified security and confidentiality requirements. Under the proposed 
rule, the certification would reflect what the head of the intermediary 
Federal agency or their designee understands to be the intended 
use for the BOI, rather than a guarantee from the intermediary Federal 
agency that the foreign requester would not use the information for 
unauthorized purposes. The Access NPRM further specified that FinCEN 
could request additional information from the requester to support 
FinCEN's evaluation of whether to disclose BOI to a foreign requester 
when the request is not pursuant to an international treaty, agreement, 
or convention.
iii. Financial Institutions With Customer Due Diligence Compliance 
Obligations Under Applicable Law
    The third authorized recipient category under the CTA is financial 
institutions that use BOI ``to facilitate compliance with customer due 
diligence requirements under applicable law.'' \49\ FinCEN proposed to 
define the term ``customer due diligence requirements under applicable 
law'' to mean FinCEN's customer due diligence regulations at 31 CFR 
1010.230, which require covered financial institutions to identify and 
verify beneficial owners of legal entity customers. FinCEN considered 
other approaches, but concluded that focusing on its 2016 CDD Rule 
alone would make this access category easier to administer, reduce 
uncertainty about which financial institutions could access BOI under 
the proposed rule, and better protect the security and confidentiality 
of sensitive BOI by limiting the circumstances under which financial 
institutions could access the information. There also did not appear to 
be any State, local, or Tribal customer due diligence requirements 
comparable in substance to FinCEN's 2016 CDD Rule.\50\
---------------------------------------------------------------------------

    \49\ 31 U.S.C. 5336(c)(2)(B)(iii).
    \50\ In the Access NPRM, FinCEN specifically asked commenters to 
identify any Federal, State, local, or Tribal law requirements 
comparable to the 2016 CDD Rule regarding financial institutions 
identifying and verifying beneficial owners of legal entity 
customers. FinCEN received no responses to that request.
---------------------------------------------------------------------------

    The CTA further requires that a reporting company's consent is 
necessary in order for a financial institution to obtain BOI from 
FinCEN. FinCEN proposed to make financial institutions responsible for 
obtaining this consent. That proposal reflected FinCEN's assessment 
that financial institutions are best positioned to obtain and manage 
consent through existing

[[Page 88738]]

processes and by virtue of having a direct relationship with reporting 
companies as customers. Although certain certifications would be 
required, the Access NPRM did not propose that financial institutions 
submit proof of a reporting company's consent. FinCEN recognized that 
it would not have the capacity to review, verify, and store consent 
forms, and additional FinCEN involvement would create undue delays for 
the ability of financial institutions to onboard customers. FinCEN also 
explained that a financial institution's compliance with these 
requirements would be assessed by Federal functional regulators in the 
ordinary course during examinations, or by financial SROs during their 
routine BSA examinations.\51\
---------------------------------------------------------------------------

    \51\ The CTA requirements financial institutions must satisfy to 
qualify for BOI disclosure from FinCEN are part of the BSA, a 
statute enacted in pertinent part in Chapter X of the Code of 
Federal Regulations. FinCEN has delegated its authority to examine 
financial institutions for compliance with Chapter X to the Federal 
functional regulators. See 31 CFR 1010.810. Separately, the FBAs 
have their own authority to examine the financial institutions that 
they supervise for compliance with the BSA. See 12 U.S.C. 
1786(q)(2), 1818(s)(2).
---------------------------------------------------------------------------

    FinCEN described in the Access NPRM its plan to establish for 
financial institutions a more circumscribed BO IT system interface than 
would be available to most Federal agencies and State, local, and 
Tribal law enforcement agencies. This would be based on the defined 
purposes for which financial institutions can use BOI under the CTA and 
the proposed requirement that they obtain reporting company consent 
before requesting the information from FinCEN. The interface would 
require financial institutions to submit identifying information 
specific to a particular reporting company (for example, the company 
name and tax identification number). In return, the financial 
institution would receive an electronic transcript with that reporting 
company's BOI at the time of the request. The transcript would not 
include any previously submitted BOI for the reporting company.
    Although the CTA does not specifically address the safeguards that 
financial institutions must implement as a condition for requesting 
BOI, the CTA authorizes FinCEN to prescribe by regulation any other 
safeguards determined to be necessary or appropriate to protect the 
confidentiality of BOI.\52\ In exercising this authority, FinCEN 
proposed a principles-based approach by requiring that financial 
institutions develop and implement administrative, technical, and 
physical safeguards reasonably designed to protect BOI as a 
precondition for receiving the information. The proposed regulations 
would establish that the security and information handling procedures 
necessary to comply with section 501 of the Gramm-Leach-Bliley Act 
(Gramm-Leach-Bliley) \53\ and related regulations to protect nonpublic 
customer personal information, if applied to BOI under the control of 
the financial institution, would satisfy this requirement. Financial 
institutions not subject to regulations issued pursuant to section 501 
of Gramm-Leach-Bliley would be held to these same substantive standards 
under the proposed rules.
---------------------------------------------------------------------------

    \52\ 31 U.S.C. 5336(c)(3)(K).
    \53\ Public Law 106-102, 113 Stat. 1338, 1436-37 (1999).
---------------------------------------------------------------------------

    Subject to certain conditions, the Access NPRM proposed to 
authorize financial institutions to share BOI that they obtained from 
FinCEN for use in fulfilling customer due diligence obligations with: 
(1) their Federal functional regulators, (2) qualifying SROs, or (3) 
any other appropriate regulatory agency. FinCEN proposed this 
authorization for the sake of efficiency and to more easily provide 
regulators with a complete picture of how financial institutions are 
obtaining and using BOI for customer due diligence compliance, thereby 
supporting the aims and purposes of the CTA, as well as helping them 
detect compliance failures.
iv. Regulatory Agencies
    The fourth category of authorized recipient under the proposed 
regulations is Federal functional regulators and other appropriate 
regulatory agencies that (1) are authorized to assess, supervise, 
enforce, or otherwise determine financial institution compliance with 
customer due diligence requirements under applicable law; (2) use BOI 
solely to conduct an assessment, supervision, or authorized 
investigation or activity under 31 U.S.C. 5336(c)(2)(C)(i); and (3) 
enter into an agreement with FinCEN describing appropriate protocols 
for obtaining BOI.
    The proposed regulations also incorporated the CTA's limitation on 
the scope of access by these agencies. The CTA states that BOI that 
FinCEN discloses to financial institutions should ``also be available 
to [their qualifying regulators].'' \54\ The Access NPRM therefore 
proposed to allow only qualifying regulators to obtain from FinCEN BOI 
that financial institutions that they supervise for customer due 
diligence compliance had already obtained under the CTA and its 
implementing regulations. Obtaining BOI from FinCEN would require 
Federal functional regulators and other appropriate regulatory agencies 
to certify to FinCEN when requesting BOI that the agency (1) is 
authorized by law to assess, supervise, enforce, or otherwise determine 
the relevant financial institution's compliance with customer due 
diligence requirements under applicable law, and (2) would use the 
information solely for that activity.
---------------------------------------------------------------------------

    \54\ 31 U.S.C. 5336(c)(2)(C) (emphasis added).
---------------------------------------------------------------------------

    FinCEN made clear in the Access NPRM that it did not believe this 
customer due diligence-specific authorization was the exclusive means 
through which one of these regulators could obtain BOI. The access 
provision for Federal agencies engaged in national security, 
intelligence, or law enforcement activities focuses on activity 
categories, not agency types. To the extent that a Federal functional 
regulator, like the Securities and Exchange Commission (SEC), engages 
in civil law enforcement activities, agency officers, employees, 
contractors, and agents responsible for those activities could obtain 
BOI under the access provision for Federal law enforcement activity. 
The same principle applies to other agencies with both supervisory 
responsibility and authority to engage in other covered activity, 
including, potentially, State, local, and Tribal law enforcement 
agencies.
    In the Access NPRM, FinCEN clarified that it would adopt its 
existing regulatory definition of ``Federal functional regulators'' to 
minimize the risk of confusion.\55\ FinCEN did not propose to define 
``other appropriate regulatory agencies,'' because it assessed that the 
requirement that an agency be authorized by law to supervise financial 
institutions for customer due diligence compliance sufficiently 
circumscribed the category.
---------------------------------------------------------------------------

    \55\ Under this definition, the six Federal functional 
regulators that supervise financial institutions with customer due 
diligence obligations are the Board of Governors of the Federal 
Reserve System (FRB), the Office of the Comptroller of the Currency 
(OCC), the Federal Deposit Insurance Corporation (FDIC), the 
National Credit Union Administration (NCUA), the SEC, and the 
Commodity Futures Trading Commission (CFTC). See 31 CFR 1010.100(r).
---------------------------------------------------------------------------

    In the Access NPRM, FinCEN considered whether SROs registered with 
or designated by a Federal functional regulator pursuant to Federal 
statute \56\ (``qualifying SROs'') should qualify as ``other 
appropriate regulatory agencies.'' These organizations--like the 
Financial Industry Regulatory Authority (FINRA) or the National Futures 
Association (NFA)--are not traditionally
understood to be agencies of the U.S. government,\57\ but they do 
exercise self-regulatory authority within the framework of Federal law, 
and work under the supervision of Federal functional regulators to 
assess, supervise, and enforce financial institution compliance with, 
among other things, customer due diligence requirements.\58\ These 
qualifying SROs also are subject to extensive oversight by Federal 
agencies.\59\
---------------------------------------------------------------------------

    \56\ See, e.g., 7 U.S.C. 21; 15 U.S.C. 78o-3.
    \57\ See, e.g., In re William H. Murphy & Co., SEC Release No. 
34-90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that 
FINRA ``is not a part of the government or otherwise a [S]tate 
actor'' to which constitutional requirements apply).
    \58\ See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2-
9(c)(5).
    \59\ See, e.g., Scottsdale Cap. Advisors Corp. v. FINRA, 844 
F.3d 414, 418 (4th Cir. 2016) (``Before any FINRA rule goes into 
effect, the SEC must approve the rule and specifically determine 
that it is consistent with the purposes of the Exchange Act. The SEC 
may also amend any existing rule to ensure it comports with the 
purposes and requirements of the Exchange Act.'' (citations 
omitted)); Birkelbach v. SEC, 751 F.3d 472, 475 (7th Cir. 2014) (``A 
[FINRA] member can appeal the disposition of a FINRA disciplinary 
proceeding to the SEC, which performs a de novo review of the record 
and issues a decision of its own.'').
---------------------------------------------------------------------------

    FinCEN believed that qualifying SROs fulfill a critical role in 
overseeing participants in the financial services sector which 
justified their limited and derivative access to BOI: Without this 
level of access, qualifying SROs would not be able to effectively 
evaluate a financial institution's customer due diligence compliance. 
The CTA provides FinCEN broad discretion to specify the conditions 
under which authorized recipients of BOI may re-disclose that 
information to others. Consequently, the Access NPRM proposed to permit 
both financial institutions and Federal functional regulators to re-
disclose to qualifying SROs any BOI they obtained from FinCEN for use 
in complying with customer due diligence requirements under applicable 
law. A qualifying SRO would (1) need to satisfy the same three 
conditions applicable to Federal functional regulators and other 
appropriate regulatory agencies, and (2) be permitted to use the 
information for the limited purpose of examining compliance with 
applicable customer due diligence obligations.
    The Access NPRM further proposed that Federal functional regulators 
would also be permitted to disclose BOI to DOJ for purposes of making a 
referral to DOJ or for use in litigation related to the activity for 
which the requesting agency requested the information.
v. Department of the Treasury Access
    The CTA includes separate, Treasury-specific provisions for 
accessing BOI, tying the access to a Treasury officer's or employee's 
official duties requiring BOI inspection or disclosure,\60\ including 
for tax administration purposes.\61\ Proposed 31 CFR 1010.955(b)(5) 
tracked these authorizations, and provided that Treasury officers and 
employees may receive BOI where their official duties require such 
access, or for tax administration, consistent with procedures and 
safeguards established by the Director of FinCEN. The proposed 
regulations also clarified the term ``tax administration purposes'' by 
adding a reference to the definition of ``tax administration'' in the 
Internal Revenue Code.\62\
---------------------------------------------------------------------------

    \60\ See 31 U.S.C. 5336(c)(5)(A).
    \61\ See 31 U.S.C. 5336(c)(5)(B).
    \62\ 26 U.S.C. 6103(b)(4).
---------------------------------------------------------------------------

    The Access NPRM explained that FinCEN envisioned Treasury 
components having broad search functionality comparable to that of 
Federal agencies engaged in national security, intelligence, or law 
enforcement activity. This would include using BOI for enforcement 
actions, intelligence and analytical purposes, sanctions-related 
investigations, and identifying property blocked pursuant to sanctions, 
as well as for activities unique to Treasury, such as for tax 
administration and administration of the BOI framework, including 
audits, enforcement, and oversight. As with other Federal agencies 
requesting BOI for their own use, Treasury would also be permitted to 
disclose BOI for purposes of making a referral to DOJ or for use in 
litigation related to the activity for which Treasury officers, 
employees, contractors, or agents requested the information.
    The Access NPRM further explained that FinCEN expected to work with 
other Treasury components to establish internal policies and procedures 
governing Treasury access to BOI. FinCEN noted that it anticipated that 
the security and confidentiality protocols in those policies and 
procedures would include elements of the protocols described in 
proposed 31 CFR 1010.955(d)(1) as applicable to Treasury activities and 
organization. Furthermore, officers and employees identified as having 
duties potentially requiring access to BOI would receive training on, 
among other topics, determining when their duties require access to 
BOI, what they can do with the information, and how to handle and 
safeguard it. Their activities would also be subject to audit.

D. CTA Implementation Efforts

i. Beneficial Ownership IT System
    The CTA directs the Secretary to maintain BOI ``in a secure, 
nonpublic database, using information security methods and techniques 
that are appropriate to protect nonclassified information security 
systems at the highest security level . . . .'' \63\ FinCEN is 
implementing this requirement by developing a secure BO IT system to 
receive, store, and maintain BOI. Consistent with the CTA's requirement 
\64\ and FinCEN's recognition that BOI is sensitive information 
warranting stringent security, the system will be cloud-based and will 
meet the highest Federal Information Security Management Act (FISMA) 
\65\ level (FISMA High).\66\ A FISMA High rating indicates that losing 
the confidentiality, integrity, or availability of information within a 
system would have a severe or catastrophic adverse effect on the 
organization maintaining the system, including on organizational assets 
or individuals.\67\ The rating carries with it a requirement to 
implement certain baseline controls to protect the relevant 
information.\68\ System functionality will vary by recipient category 
consistent with statutory requirements, limitations on BOI disclosure, 
and FinCEN's objective of minimizing access to the data as much as 
practicable to minimize the risk of unauthorized disclosure. The target 
date for the system to begin accepting BOI reports is January 1, 2024, 
the same day on which the Reporting Rule takes effect.
---------------------------------------------------------------------------

    \63\ CTA, section 6402(7).
    \64\ 31 U.S.C. 5336(c)(8).
    \65\ 44 U.S.C. 3541 et seq.
    \66\ See U.S. Department of Commerce, Federal Information 
Processing Standards Publication: Standards for Security 
Categorization of Federal Information and Information Systems 
(``FIPS Pub 199'') (Feb. 2004), available at <a href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf">https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf</a>.
    \67\ Id. at 3.
    \68\ Id.
---------------------------------------------------------------------------

ii. Additional CTA Implementation Efforts
    In addition to continuing development of the BO IT system, FinCEN 
is working across several other CTA implementation efforts. First, it 
is working intensively to develop guidance and other educational 
materials to ensure that small businesses have the information they 
need to comply and that reporting beneficial ownership information is 
as streamlined and straightforward as possible. On March 24, 2023, for 
example, FinCEN published its first set
of guidance materials to aid the public, and in particular the small 
business community, in understanding the BOI reporting requirements 
taking effect on January 1, 2024.\69\ That guidance, available on 
FinCEN's website, includes Frequently Asked Questions (FAQs), guidance 
on BOI filing dates, and informational videos.\70\ FinCEN published a 
Small Entity Compliance Guide on September 18, 2023, as well as 
additional guidance to address more complex topics around BOI 
reporting. FinCEN is also developing the infrastructure to respond to 
queries, conduct audit and oversight, and provide partner agencies and 
financial institutions with access to BOI.
---------------------------------------------------------------------------

    \69\ FinCEN, FinCEN Issues Initial Beneficial Ownership 
Information Reporting Guidance (Mar. 24, 2023), available at <a href="https://www.fincen.gov/news/news-releases/fincen-issues-initial-beneficial-ownership-information-reporting-guidance">https://www.fincen.gov/news/news-releases/fincen-issues-initial-beneficial-ownership-information-reporting-guidance</a>.
    \70\ FinCEN, Beneficial Ownership Information Reporting, 
available at <a href="https://www.fincen.gov/boi">https://www.fincen.gov/boi</a>.
---------------------------------------------------------------------------

    FinCEN is particularly focused on providing helpful customer 
service to reporting companies in the first year and beyond as they 
file their BOI. FinCEN currently fields approximately 13,000 inquiries 
a year through its Regulatory Support Section, and approximately 70,000 
external technical inquiries a year through the IT Systems Helpdesk. 
FinCEN has estimated that there will be approximately 32 million 
reporting companies in Year 1 of the reporting requirement and 
approximately 5 million new reporting companies each year 
thereafter.\71\ Given the expected increase in incoming inquiries, 
FinCEN is working to stand up a dedicated beneficial ownership contact 
center to respond to inquiries about the beneficial ownership reporting 
requirements, and to provide assistance to users encountering technical 
issues with the BO IT system. FinCEN expects the contact center to 
begin operations prior to January 1, 2024.
---------------------------------------------------------------------------

    \71\ 87 FR 59498, 59549 (Sept. 30, 2022).
---------------------------------------------------------------------------

    FinCEN is also working to establish internal policies and 
procedures governing Treasury officer and employee access to BOI, as 
well as to draft and negotiate MOUs for access to BOI and related 
materials. In keeping with protocols described in this final rule, 
Federal, State, local and Tribal agencies outside of Treasury will be 
required to enter into MOUs with FinCEN specifying the standards, 
procedures, and systems they will be required to maintain to protect 
BOI. Agency MOUs will, among other things, memorialize and implement 
requirements regarding reports and certifications, periodic training of 
individual recipients of BOI, personnel access restrictions, re-
disclosure limitations, and access to audit and oversight mechanisms. 
MOUs will also include security plans covering topics related to 
personnel security (e.g., eligibility limitations, screening standards, 
and certification and notification requirements); physical security 
(i.e., system connections and use, conditions of access, and data 
maintenance); computer security (i.e., use and access policies, 
standards related to passwords, transmission, storage, and encryption); 
and inspections and compliance. Agencies will be able to rely on 
existing databases and related IT infrastructure to satisfy the 
requirement to ``establish and maintain'' secure systems in which to 
store BOI where those systems have appropriate security and 
confidentiality protocols, and FinCEN will engage with recipient 
agencies on these protocols during the MOU development process.
iii. Administration of Access to BOI
    For any given user agency, the administrative steps described in 
the preceding section will need to be completed before authorized users 
obtain access to the BO IT system. These steps will require resources 
to complete. Every Federal, State, local, and Tribal user agency will 
need to enter into an MOU with FinCEN for access to the BO IT system 
and put in place the policies and procedures required under the final 
Access Rule and the MOU. FinCEN will also need to establish BO IT 
system individual user accounts for all personnel who are authorized to 
access the system at agencies and financial institutions.
    To smoothly manage the draw on resources that this process will 
demand, FinCEN will take a phased approach to providing access to the 
BO IT system. The first stage will be a pilot program for a handful of 
key Federal agency users starting in 2024, as required MOUs and 
policies and procedures are completed. The second stage will extend 
access to Treasury Department offices and certain Federal agencies 
engaged in law enforcement and national security activities that 
already have Bank Secrecy Act MOUs (e.g., FBI, IRS-CI, HSI, DEA, 
Federal banking agencies (FBAs)). Subsequent stages will extend access 
to additional Federal agencies engaged in law enforcement, national 
security, and intelligence activities, as well as key State, local, and 
Tribal law enforcement partners; to additional State, local, and Tribal 
law enforcement partners; in connection with foreign government 
requests; and finally, to financial institutions and their supervisors.
    FinCEN believes that starting with a small pilot program of users 
in 2024 will help test the system and ensure that any issues can be 
addressed before expanding access to other users. Making access more 
broadly available in the four subsequent stages outlined above will 
help ensure the orderly onboarding of authorized users and will space 
out the timing of the annual audits of agency users that FinCEN is 
required to conduct under the CTA. Additionally, there is a good reason 
for FinCEN's sequencing of access, making financial institutions and 
their supervisors the last category of users that will receive access 
to the BO IT system: FinCEN expects that the timing of their access 
will roughly coincide with the upcoming revision of FinCEN's 2016 CDD 
Rule. This will allow financial institutions to enjoy certain 
administrative efficiencies by bundling system and compliance changes. 
FinCEN anticipates providing additional information on the timing and 
details regarding this phased implementation approach in early 2024.

E. Comments Received

    In response to the NPRM, FinCEN received over 80 comments. 
Submissions came from a broad array of individuals and organizations, 
including members of Congress, the financial industry and related trade 
associations, groups representing small business interests, corporate 
transparency advocacy groups, law enforcement representatives, 
regulatory associations, legal associations, and other interested 
groups and individuals.
    In general, many commenters expressed support for the proposed 
regulations. These commenters agreed that the proposed regulations were 
a significant step forward in improving the ability of law enforcement 
and national security agencies to identify illicit actors hiding behind 
anonymous shell and front companies. One of the commenters stated that 
the proposed regulations would confer benefits to both the United 
States and its overseas partners and bring the United States in line 
with emerging global practices relating to beneficial ownership 
information reporting. These commenters viewed the proposed regulations 
as being consistent with the statutory text. They supported the 
approach taken to provide access to BOI to authorized recipients and 
were encouraged by the proposed limitations and security provisions to 
protect the BOI and prevent unauthorized disclosure. These commenters 
were
particularly supportive of the proposed regulations with respect to 
U.S. Federal agencies' access to the BOI database. Supportive 
commenters agreed that U.S. Federal agencies accessing the database for 
law enforcement, intelligence, and national security purposes should 
have broad access, and that foreign requesters should be able to 
request BOI for similar purposes.
    Other commenters expressed general opposition to the proposed 
regulations, arguing that the proposed regulations deviate from the CTA 
and congressional intent. These commenters argued that the proposed 
regulations, if finalized without significant changes, would impose 
unnecessary requirements, limitations, and burdens with respect to 
certain types of access. Commenters also argued that the proposed 
regulations would be too costly and burdensome for small businesses. In 
particular, commenters expressed concern over the access provisions 
relating to State, local, and Tribal law enforcement authorities and 
financial institutions. Some commenters stated that certain 
requirements for law enforcement access to BOI, such as the requirement 
to submit ``a copy of a court order'' and ``written justification'' in 
proposed 31 CFR 1010.955(d)(1)(ii)(B)(2), would create undue barriers 
for State, local and Tribal law enforcement and contradict the 
statutory text. Other commenters argued that the proposed restrictions 
on access by financial institutions and their regulators would 
significantly limit the utility of the database. These commenters 
argued that proposed regulations interpreted ``customer due diligence 
requirements under applicable law'' in 31 U.S.C. 5336(c)(2)(B)(iii) too 
narrowly and objected to the requirement that individuals with access 
to BOI be located in the United States (31 CFR 1010.955(c)(2)(ii)). 
These commenters suggested that FinCEN adopt a broader approach to 
financial institutions' access to BOI and asked for clarification on a 
number of related provisions, including, for example, expectations 
around customer consent, database usage, and discrepancy reporting. One 
commenter suggested that FinCEN withdraw the proposed regulations and 
engage with the financial services industry and small businesses to 
develop a new proposal to better achieve the objectives of the CTA and 
the AML Act.
    Many commenters, regardless of their overarching views, suggested 
specific modifications to the proposed regulations to enhance clarity, 
refine policy expectations, ensure technical accuracy, and improve 
implementation more broadly. Commenters sought clarification on 
specific definitions, use cases, technical requirements and processes, 
and database functionality, among other things. Several commenters 
advocated for providing certain additional categories of users access 
to BOI, while others shared views on the sensitivity of BOI. Several 
commenters emphasized their view that BOI needed to be verified and 
suggested ways to improve the quality of the database.
    Commenters also shared views on future revisions to the 2016 CDD 
Rule, highlighting the ways in which they anticipated the proposed 
regulations with respect to access would interact with the 2016 CDD 
Rule. Among other things, these commenters expressed concerns about 
potential inconsistencies between BOI in the database and the customer 
information that financial institutions maintain pursuant to customer 
due diligence obligations. Many of these commenters urged FinCEN to 
address these concerns before 2016 CDD Rule revisions are finalized; 
some suggested that these concerns be addressed as part of the final 
Access Rule. Several commenters expressed frustration over the 
sequencing of the CTA rulemakings, stating, for example, that it is 
difficult to provide meaningful comments on the proposed regulations 
given uncertainties about revisions to the 2016 CDD Rule.
    Commenters shared views on the proposed regulations on FinCEN 
identifiers for reporting companies. While some commenters were 
supportive of FinCEN's approach, others found the proposal complex and 
confusing. Whether or not generally supportive, commenters suggested 
specific modifications to the proposal and asked for clarification on 
the availability of the information underlying FinCEN identifiers. One 
commenter expressed generalized concern about the availability of 
FinCEN identifiers and their potential misuse.
    FinCEN also received comments on topics not directly related to the 
proposed regulations. Some of these comments focused on elements of the 
Reporting Rule, e.g., information to be reported, company applicants, 
enforcement mechanism, and the proposed BOI report form. Others 
identified typographical errors, offered specific recommendations with 
respect to MSBs and mutual funds, and urged FinCEN to take steps to 
prevent the creation of fraudulent FinCEN websites. One commenter 
suggested that FinCEN should be designated as part of the intelligence 
community, while another suggested that Congress should repeal the USA 
PATRIOT Act. Finally, one commenter highlighted that some individuals 
may feel discouraged from submitting comments on proposed regulations 
if their views do not align with those of their employer.
    FinCEN carefully reviewed and considered each comment submitted. 
Many specific proposals will be discussed in more detail in section III 
below. FinCEN's analysis and approach have been guided by the statutory 
text, including the statutory obligations to disclose BOI to authorized 
users for specified purposes while following strict security and 
confidentiality protocols and minimizing burdens on stakeholders.
    In implementing this final rule, FinCEN took into account the many 
comments and suggestions intended to clarify and refine the scope of 
the rule and to reduce burdens on authorized users to the greatest 
extent practicable. FinCEN further notes that implementation of the 
final rule will require additional engagement with stakeholders to 
ensure a clear understanding of the rule's requirements, including 
through additional guidance, FAQs, and help lines. FinCEN intends to 
work within Treasury and with interagency partners to inform these 
specific efforts and the broader implementation of this final rule.

III. Discussion of Final Rule

    This final rule builds on the Access NPRM and is the next step 
after the Reporting Rule in FinCEN's implementation of the CTA. The 
final rule aims to ensure that: (1) only authorized recipients have 
access to BOI; (2) authorized recipients use that access only for 
purposes permitted by the CTA; and (3) authorized recipients only re-
disclose BOI in ways that balance protecting its security and 
confidentiality with the CTA objective of making BOI available to users 
for a range of authorized purposes. The regulations also provide a 
robust framework to ensure that BOI reported to FinCEN, and received by 
authorized recipients, is subject to strict cybersecurity controls, 
confidentiality protections and restrictions, and robust audit and 
oversight measures.
    FinCEN is adopting the proposed rule largely as proposed, but with 
certain modifications that are responsive to comments received and 
intended to reduce barriers to the effective use of BOI, while 
maintaining appropriate protections for the information. Among other 
things, the final rule broadens the purposes for which financial 
institutions may use BOI, and
streamlines the requirements for State, local, and Tribal law 
enforcement access to BOI. FinCEN believes that these changes will help 
to ensure that the database is highly useful to relevant stakeholders 
who are authorized to access BOI. FinCEN has made certain other 
clarifying and technical revisions throughout the rule. We discuss 
specific comments, modifications, revisions, and the shape of the final 
rule section by section here.
    We discuss the elements of the final rule under seven headings: (A) 
availability of information--general; (B) prohibition on disclosure; 
(C) disclosure of information by FinCEN; (D) use of information; (E) 
security and confidentiality requirements; (F) administration of 
requests for information reported pursuant to 31 CFR 1010.380; and (G) 
violations. In addition, this section discusses general implementation 
efforts as they apply to the development of the IT system.

A. Availability of Information--General

    Proposed Rule. FinCEN proposed to amend 31 CFR 1010.950(a) to 
clarify that the disclosure of BOI would not be governed by Sec.  
1010.950(a) but instead by proposed 31 CFR 1010.955.
    Comments Received. FinCEN did not receive comments on this 
proposal.
    Final Rule. The final rule adopts the amendments to 31 CFR 
1010.950(a) as proposed. The amendments clarify that the disclosure of 
BOI is governed by a new provision, 31 CFR 1010.955, rather than 31 CFR 
1010.950(a). Section 1010.950(a) governs disclosure of other BSA 
information by Treasury and states that ``[t]he Secretary may within 
his discretion disclose information reported under this chapter for any 
reason consistent with the purposes of the Bank Secrecy Act, including 
those set forth in paragraphs (b) through (d) of this section.'' In 
contrast, the CTA authorizes FinCEN to disclose BOI only in limited and 
specified circumstances.\72\ As these CTA provisions are separate and 
distinct from provisions authorizing disclosure of other BSA 
information, distinct regulatory treatment is warranted.\73\
---------------------------------------------------------------------------

    \72\ See 31 U.S.C. 5336(c)(2), (5).
    \73\ See, e.g., 31 U.S.C. 5319.
---------------------------------------------------------------------------

B. Prohibition on Disclosure

    Proposed Rule. Proposed 31 CFR 1010.955(a) would implement the 
broad prohibition in the CTA on the disclosure of information reported 
to FinCEN pursuant to 31 CFR 1010.380, except as authorized under the 
proposed rule. Specifically, the CTA provides that, except as 
authorized by 31 U.S.C. 5336(c) and the protocols promulgated 
thereunder, BOI reported to FinCEN by reporting companies is 
confidential and shall not be disclosed by (1) an officer or employee 
of the United States, (2) an officer or employee of any State, local, 
or Tribal agency, or (3) an officer or employee of any financial 
institution or regulatory agency receiving information under this 
subsection of the CTA.\74\ The proposed rule adopted this broad 
prohibition on disclosure but extended it in two ways. First, it 
extended the prohibition to any of the officers or employees described 
in (1) through (3) above regardless of whether they continue to serve 
in the position through which they were authorized to receive BOI. 
Second, it extended the prohibition on disclosure to any individual who 
receives BOI as a contractor or agent of the United States; as a 
contractor or agent of a State, local, or Tribal agency; or as a member 
of the board of directors, contractor, or agent of a financial 
institution.
---------------------------------------------------------------------------

    \74\ See 31 U.S.C. 5336(c)(2)(A).
---------------------------------------------------------------------------

    Comments Received. One commenter supported the proposed extension 
of the prohibition on disclosure of BOI to contractors or agents of the 
United States and State, local or Tribal law enforcement agencies, and 
to contractors, agents, and directors of financial institutions. The 
commenter noted that this extension furthers the purpose of the CTA and 
would close potential loopholes around prohibited disclosures of BOI. 
Several commenters requested greater clarity on the prohibition on 
disclosure or further extension of the prohibition to additional 
individuals. One commenter opposed extending the prohibition to agents, 
contractors, and, in the case of financial institutions, directors, 
arguing that the existing prohibition in the statute was already overly 
protective of BOI. One commenter did not believe that the proposed rule 
adequately clarifies that the prohibition on disclosure covers 
individuals who receive BOI even after they leave the position in which 
they were authorized to receive the BOI. This commenter suggested that 
the rule should include language that explicitly addresses this 
scenario. This commenter also asked that the prohibition on disclosure 
explicitly extend to an officer, employee, contractor, or agent of 
foreign law enforcement agencies, foreign law enforcement agencies, 
foreign judges, foreign prosecutors, or other foreign authorities. 
Another commenter suggested adding a provision to prohibit disclosure 
by attorneys or parties who may receive BOI in the context of a civil 
or criminal proceeding. Another commenter suggested extending access 
requirements (which would include the prohibition on disclosure of BOI) 
to any individual under contract or under the remit of an entity 
authorized to access BOI (non-employee agents), such as consultants, 
auditors, and third-party service providers.
    Final Rule. The final rule adopts 31 CFR 1010.955(a) as proposed. 
FinCEN believes that the proposed rule, including the extension of the 
disclosure prohibition to certain specified individuals, is necessary 
to fully carry out the CTA's intent to protect sensitive BOI and 
prevent unauthorized disclosure of this information. FinCEN proposed 
these extensions pursuant to 31 U.S.C. 5336(c)(3)(K), which provides 
that ``the Secretary of the Treasury shall establish by regulation 
protocols described in [31 U.S.C. 5336(2)(A)] that . . . provide such 
other safeguards which the Secretary determines (and which the 
Secretary prescribes in regulations) to be necessary or appropriate to 
protect the confidentiality of the beneficial ownership information.'' 
Further, after considering the comments to this provision, FinCEN has 
concluded that this provision is sufficiently clear, in terms of the 
prohibition on disclosure applying to those individuals who leave a 
position in which they were previously authorized to receive BOI. The 
proposed rule stated that, except as authorized, BOI is confidential 
and ``shall not be disclosed by any individual who receives such 
information as'' an officer, employee, contractor, agent, or director. 
This prohibition means that individuals who receive BOI when acting in 
these specified roles cannot disclose BOI (except as authorized in the 
rule) regardless of whether they continue in or leave these roles.
    FinCEN has also determined not to add language extending the 
prohibition on disclosure to an officer, employee, contractor, or agent 
of foreign law enforcement agencies, foreign law enforcement agencies, 
foreign judges, foreign prosecutors, or other foreign authorities. 
FinCEN believes there are existing mechanisms in place under the CTA 
that would appropriately protect BOI in these circumstances. For 
example, in the context of foreign access to BOI through a request made 
under an international treaty, agreement, or convention, the handling 
and use of BOI would be governed by the disclosure and use provisions 
of the relevant international treaty, agreement, or

[[Page 88743]]

convention.\75\ As for trusted foreign countries, the CTA explicitly 
limits the use of BOI ``for any purpose other than the authorized 
investigation or national security or intelligence activity'' \76\ and 
proposed 31 CFR 1010.955(c)(2)(ix) (now renumbered as 31 CFR 
1010.955(c)(2)(x)) provided that ``any information disclosed by FinCEN 
under paragraph (b) of this section shall not be further disclosed to 
any other person for any purpose without the prior written consent of 
FinCEN, or as authorized by applicable protocols or guidance that 
FinCEN may issue.'' In the event of improper disclosure of BOI by a 
trusted foreign country, FinCEN would consider all available remedies 
including FinCEN's authority to reject a request for BOI or suspend a 
requesting party's access to such information.\77\
---------------------------------------------------------------------------

    \75\ See 31 U.S.C. 5336(c)(2)(B)(ii)(I)(aa).
    \76\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
    \77\ See proposed 31 CFR 1010.955(e)(3).
---------------------------------------------------------------------------

    FinCEN has also decided not to specifically extend the prohibition 
on disclosure to parties in a civil and criminal proceeding because it 
views this scenario as being covered by the regulations, specifically 
by the provision prohibiting redisclosure without the prior consent of 
FinCEN.\78\ FinCEN will consider, however, whether to issue guidance or 
FAQs to further address issues relating to public disclosure of BOI in 
civil or criminal proceedings. With respect to the commenter suggesting 
that FinCEN add language to specify that individuals under contract or 
under the remit of an entity authorized to access BOI (including 
consultants, auditors, and third-party service providers) are covered 
by the prohibition on disclosure, FinCEN believes that proposed 31 CFR 
1010.955(a) sufficiently covers these individuals as contractors or 
agents.
---------------------------------------------------------------------------

    \78\ 31 CFR 1010.955(c)(2)(ix).
---------------------------------------------------------------------------

C. Disclosure of Information by FinCEN

    As discussed in the proposed rule, the CTA authorizes FinCEN to 
disclose BOI to five categories of recipients. The first category 
consists of recipients in Federal, State, local and Tribal government 
agencies.\79\ Within this category, FinCEN may disclose BOI to Federal 
agencies engaged in national security, intelligence, or law enforcement 
activity if the requested BOI is for use in furtherance of such 
activity.\80\ FinCEN may also disclose BOI to State, local, and Tribal 
law enforcement agencies if ``a court of competent jurisdiction'' has 
authorized the law enforcement agency to seek the information in a 
criminal or civil investigation.\81\
---------------------------------------------------------------------------

    \79\ 31 U.S.C. 5336(c)(2)(B) and 31 U.S.C. 5336(c)(5).
    \80\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
    \81\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    The second category consists of foreign law enforcement agencies, 
judges, prosecutors, central authorities, and competent authorities 
(``foreign requesters''), provided their requests come through an 
intermediary Federal agency, meet certain additional criteria, and are 
made either (1) under an international treaty, agreement, or 
convention, or (2) via a request made by law enforcement, judicial, or 
prosecutorial authorities in a trusted foreign country (when no 
international treaty, agreement, or convention is available).\82\
---------------------------------------------------------------------------

    \82\ 31 U.S.C. 5336(c)(2)(B)(ii).
---------------------------------------------------------------------------

    The third authorized recipient category is financial institutions 
using BOI to facilitate compliance with customer due diligence 
requirements under applicable law, provided the financial institution 
requesting the BOI has the relevant reporting company's consent for 
such disclosure.\83\
---------------------------------------------------------------------------

    \83\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------

    The fourth category is Federal functional regulators and other 
appropriate regulatory agencies acting in a supervisory capacity 
assessing financial institutions for compliance with customer due 
diligence requirements.\84\ These agencies may access the BOI 
information that financial institutions they supervise received from 
FinCEN.
---------------------------------------------------------------------------

    \84\ 31 U.S.C. 5336(c)(2)(B)(iv).
---------------------------------------------------------------------------

    The fifth and final category of authorized BOI recipients is the 
Treasury itself, for which the CTA provides access to BOI tied to an 
officer or employee's official duties requiring BOI inspection or 
disclosure, including for tax administration.\85\
---------------------------------------------------------------------------

    \85\ 31 U.S.C. 5336(c)(5).
---------------------------------------------------------------------------

i. Disclosure to Federal Agencies for Use in Furtherance of National 
Security, Intelligence, or Law Enforcement Activity
a. Definition of National Security Activity
    Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(i) specified that 
national security activity includes activity pertaining to the national 
defense or foreign relations of the United States, as well as activity 
to protect against threats to the safety and security of the United 
States.
    Comments Received. Commenters generally provided broad support for 
the definition of national security activity in proposed 31 CFR 
1010.955(b)(1)(i), stating that the activity-based approach is 
reasonable, clear, and adequately justified. Some commenters expressed 
the view that the definition should not be further delimited or 
narrowed, as this may impede the intent of the CTA. One recommended 
that FinCEN clarify that the proposed definition is not meant to limit 
Congress's language identifying specific national security threats in 
the CTA's Sense-of-Congress provision.\86\ Another commenter suggested 
adding a reference in the preamble to the illicit finance strategy, as 
defined in the 2021 Memorandum on Establishing the Fight Against 
Corruption as a Core United States National Security Interest. One 
commenter urged FinCEN to include the words ``threats to'' before 
``national defense or foreign relations,'' and two commenters suggested 
substituting the word ``means'' for ``includes'' to clarify that the 
definition is finite. In particular, one of those two commenters noted 
that replacing ``includes'' with ``means'' would be consistent with the 
statute cited in support of the proposed regulation, 8 U.S.C. 
1189(d)(2), which provides that national security ``means'' the 
national defense, foreign relations, or economic interests of the 
United States.
---------------------------------------------------------------------------

    \86\ See CTA, section 6402(3).
---------------------------------------------------------------------------

    Final Rule. The final rule largely adopts the proposed rule, but 
substitutes ``means'' for ``includes'' in the definition. 
FinCEN agrees that changing ``includes'' to ``means'' will provide 
additional clarity while still retaining the approach described by the 
proposed rule that draws, in large part, from 8 U.S.C. 1189(d)(2). 
Section 1189(d)(2) defines ``national security'' for purposes of 
designating foreign terrorist organizations (FTOs) that threaten U.S. 
national security. As stated in the proposed rule, FinCEN believes this 
definition is appropriate for several reasons. First, the FTO statute 
covers a broad range of national security threats to the United States, 
including those with an economic dimension. That scope is consonant 
with the CTA's goal to combat national security threats that are 
financial in nature, such as money laundering, terrorist financing, 
counterfeiting, fraud, and foreign corruption.\87\ Second, the FTO 
statute arises in a related context insofar as it involves efforts to 
hinder illicit actors' economic activities. FinCEN does not intend this 
definition to exclude any national security threats that Congress 
identified in the CTA. FinCEN also notes that it will determine whether 
an agency's activities are ``national security activities'' that 
qualify the agency for

[[Page 88744]]

access to BOI during the process to establish a MOU governing access 
between the agency and FinCEN. Some undertakings, such as vetting 
potential recipients of foreign assistance and procurement contract 
awards, might constitute ``national security activities'' depending on 
the particular facts and circumstances, and therefore may be evaluated 
as part of that process. FinCEN declines to incorporate into the final 
rule reference to specific strategies to counter corruption or other 
types of specific national security threats. Acts of foreign corruption 
are specifically mentioned in the CTA as acts that harm the national 
security interests of the United States, and as discussed above, are 
already contemplated by the final rule. Referencing specific strategy 
documents is therefore unnecessary and could cause confusion.
---------------------------------------------------------------------------

    \87\ See CTA, section 6402(3)-(6).
---------------------------------------------------------------------------

b. Definition of Intelligence Activity
    Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(ii) defines 
intelligence activity to include ``all activities conducted by elements 
of the United States Intelligence Community that are authorized 
pursuant to Executive Order 12333 (``E.O. 12333''), as amended, or any 
succeeding executive order.''
    Comments Received. A number of commenters supported the proposed 
rule's definition of ``intelligence activity,'' and noted the approach 
taken by FinCEN is reasonable. Some commenters expressed that the 
definition should not be further delimited or narrowed, as this may 
impede the intent of the CTA. Three commenters suggested that the use 
of the word ``includes'' was too broad, and it should be replaced with 
``means'' to clarify that the definition is finite. One commenter 
argued that ``includes'' implies that the proposed rule might allow 
sharing BOI under the intelligence activity provisions of 31 U.S.C. 
5336, outside of the authorization provided by E.O. 12333. This 
commenter also argued that the definition of ``intelligence activity'' 
in proposed 31 CFR 1010.955(b)(1)(ii) conflicts with proposed 31 CFR 
1010.955(b)(3)(i), which refers to disclosures of BOI by FinCEN to an 
intermediary Federal agency for transmission to a foreign agency for 
assistance in intelligence activity authorized under the laws of a 
foreign country. The commenter suggested that FinCEN should revise 
Sec.  1010.955(b)(1)(ii) to read ``(ii) intelligence activity, when 
used in this section in reference to an activity of the United States, 
means all activities that elements of the United States intelligence 
community are authorized to conduct pursuant to E.O. 12333, as amended, 
or any successor [E]xecutive order.'' A different commenter recommended 
that FinCEN make clear that E.O. 12333's limitation on the use of 
United States person information by the Intelligence Community would 
not constrain use of BOI, if the use was otherwise permitted by the 
CTA. One commenter, while concurring with the proposed rule as sensible 
and workable, suggested it should include a reference to the 2021 U.S. 
Strategy on Countering Corruption and its calls for increasing 
intelligence activity on corrupt actors and bolstering information 
sharing between the Intelligence Community and law enforcement.
    Final Rule. The final rule adopts the proposed rule with two 
clarifying edits. First, FinCEN adopts the recommendation to substitute 
``means'' for ``includes'' within the definition, in order to clarify 
that ``intelligence activity'' covers only those activities conducted 
by elements of the United States Intelligence Community that are 
authorized pursuant to E.O. 12333, as amended, or any succeeding 
executive order. Second, FinCEN agrees that the definition of 
``intelligence activity'' in proposed 31 CFR 1010.955(b)(1)(ii) was 
incompatible with the authorization for sharing of BOI with foreign 
requesters in proposed 31 CFR 1010.955(b)(3)(i), as it proposed to 
define intelligence activities throughout the rule exclusively by 
reference to U.S. legal authorities. The final rule corrects this 
mistake by inserting new 31 CFR 1010.955(b)(3)(iv), a definition of the 
term ``intelligence activity authorized under the laws of a foreign 
country'' that clearly relates such activity to foreign legal 
authorities that establish what constitute legally acceptable 
intelligence activities under the laws of another country, as E.O. 
12333 does for U.S. law.\88\
---------------------------------------------------------------------------

    \88\ FinCEN has addressed an analogous drafting problem in 
proposed 31 CFR 1010.955(b)(1)(i) with reference to the term 
``national security activity'' by defining the term ``national 
security activity authorized under the laws of a foreign country'' 
in new 31 CFR 1010.955(b)(3)(iii).
---------------------------------------------------------------------------

    FinCEN does not believe that additional clarifications are 
necessary regarding the scope of access to BOI by Federal agencies 
engaged in intelligence activity, to the extent the activity relates to 
United States persons. E.O. 12333 sets out the scope of authorized 
activity and, among other things, provides that agencies shall, 
consistent with the provisions of the Order, prepare and provide 
intelligence in a manner that ``allows the full and free exchange of 
information, consistent with applicable law and presidential 
guidance.'' Internal procedures established pursuant to the Order 
further govern the handling of information relating to U.S. persons. 
Finally, FinCEN declines to incorporate into the final rule reference 
to specific strategies to counter corruption or other national security 
threats, while noting that acts of foreign corruption are specifically 
mentioned in the CTA as acts that harm the national security interests 
of the United States.
c. Definition of Law Enforcement Activity
    Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(iii) defined ``law 
enforcement activity'' to include ``investigative and enforcement 
activities relating to civil or criminal violations of law.'' The 
proposed rule specified that such activity does not include routine 
supervision or examination of a financial institution by a Federal 
regulatory agency with authority described in 31 CFR 
1010.955(b)(4)(ii)(A). The inclusion of both investigation and 
enforcement as ``law enforcement activity'' was based on FinCEN's view 
that it is consistent with the CTA to authorize Federal agencies to 
access BOI at all stages of the law enforcement process.
    Comments Received. Commenters generally agreed with the definition 
in 31 CFR 1010.955(b)(1)(iii), stating that the proposed rule is 
reasonable and workable. One commenter emphasized the need for law 
enforcement to have access to BOI during all stages of criminal or 
civil investigations. Two commenters suggested that the use of the word 
``includes'' was too broad, and it should be replaced with ``means'' to 
clarify that the definition is finite. Some commenters expressed that 
the definition should not be further delimited or narrowed, as this may 
impede the intent of the CTA. One commenter concurred with the 
exclusion of routine supervision and examination by Federal regulatory 
agencies, as these activities are covered by a separate section of the 
CTA, and the proposed rule also recognizes that Federal functional 
regulators engage in law enforcement activities that will enable them 
to request BOI. However, two commenters took an opposite view, arguing 
that the proposed rule should be modified either at 31 CFR 
1010.955(b)(1) or 31 CFR 1010.955(b)(1)(iii) to explicitly include 
disclosure to Federal regulatory agencies for law enforcement purposes 
as a disclosure governed by 1010.955(b)(1). Another commenter supported 
the broad definition of law enforcement activity but sought an explicit 
extension of the definition to State, local, and Tribal authorities, as

[[Page 88745]]

well as the inclusion of specific exemplar criminal violations related 
to taxes, wages, theft, forgery, insurance fraud, and human 
trafficking.
    Final Rule. The final rule adopts the proposed rule with the 
exception of one clarifying edit. Specifically, FinCEN adopts the 
recommendation to substitute ``means'' for ``includes'' within the 
definition to further clarify the definition, while retaining the 
approach from the proposed rule. FinCEN also notes that it will 
determine whether an agency's activities are ``law enforcement 
activities'' qualifying it for access to BOI during the process to 
establish a MOU between the agency and FinCEN governing such access. 
FinCEN declines to incorporate into the final rule reference to 
specific criminal violations, as this is redundant considering the 
existing language regarding civil or criminal violations of law.
    Regarding the role of Federal regulatory agencies, FinCEN does not 
believe that a change to the proposed language is warranted. As stated 
in the proposed rule, the access provision for Federal agencies engaged 
in national security, intelligence, or law enforcement activities 
focuses on activity categories, not agency types. To the extent a 
Federal functional regulator engages in civil law enforcement 
activities, those activities would be covered by the law enforcement 
access provision.
ii. Disclosure to State, local, and Tribal Law Enforcement Agencies for 
Use in Criminal or Civil Investigations
a. A Court of Competent Jurisdiction
    Proposed Rule. The CTA permits FinCEN to disclose BOI upon receipt 
of a request, through appropriate protocols, ``from a State, local, or 
Tribal law enforcement agency, if a court of competent jurisdiction, 
including any officer of such a court, has authorized the law 
enforcement agency to seek the information in a criminal or civil 
investigation.'' \89\ Proposed 31 CFR 1010.955(b)(2) implements this 
provision and would allow FinCEN to disclose BOI to a State, local, or 
Tribal law enforcement agency that requests this information if a court 
of competent jurisdiction has authorized the agency's request for the 
BOI for use in a criminal or civil investigation. Proposed 31 CFR 
1010.955(b)(2)(i) further provided that a court of competent 
jurisdiction is ``any court'' with jurisdiction over the criminal or 
civil investigation for which a State, local, or Tribal agency requests 
BOI.
---------------------------------------------------------------------------

    \89\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    Comments Received. Commenters were generally supportive of the 
definition of the phrase ``court of competent jurisdiction'' in 
proposed 31 CFR 1010.955(b)(2)(i). These commenters noted that the 
proposed definition is flexible enough to encompass a wide variety of 
courts and will facilitate the ability of State, local, or Tribal law 
enforcement agencies to seek court authorization for the purpose of 
requesting BOI from FinCEN. Several commenters requested that FinCEN 
explicitly include administrative courts and adjudicatory bodies such 
as boards and commissions. One commenter noted that state and local 
governments allow civil law enforcement proceedings to occur in 
hearings before adjudicators that are independent of law enforcement, 
such as administrative law judges. Some commenters also recommended 
that ``court of competent jurisdiction'' should explicitly account for 
jurisdiction over an investigation or a ``case'' because BOI may be 
relevant to both.
    Final Rule. The final rule adopts 31 CFR 1010.955(b)(2)(i) as 
proposed. FinCEN agrees with the commenters who thought the level of 
clarity provided by this provision is sufficient to encompass the 
various types of courts and adjudicatory bodies that exist in State, 
local, and Tribal jurisdictions, including those which some commenters 
suggested that FinCEN explicitly reference. The reference in this 
provision to ``any court'' that has jurisdiction over an investigation 
provides broad and, in FinCEN's view, sufficiently clear applicability. 
As such, FinCEN believes it is unnecessary to list specific types of 
adjudicatory bodies that would qualify as a court of competent 
jurisdiction. Further, in response to the comments that requested that 
FinCEN clarify that a court of competent jurisdiction includes an 
adjudicative body with jurisdiction over both investigations and 
``cases'' (understood as ongoing civil or criminal court proceedings), 
FinCEN has followed the formulation in the CTA, which uses the term 
``criminal or civil investigation.'' \90\ However, FinCEN does not 
believe that this clause excludes State, local, or Tribal agencies from 
seeking a request for BOI as part of an ongoing ``case,'' whether that 
be a civil proceeding or a criminal prosecution following an initial 
investigation.
---------------------------------------------------------------------------

    \90\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

b. State, Local, or Tribal Law Enforcement Agencies
    Proposed Rule. Proposed 31 CFR 1010.955(b)(2)(ii) defined a 
``State, local, or Tribal law enforcement agency'' as ``an agency of a 
State, local, or Tribal government that is authorized by law to engage 
in the investigation or enforcement of civil or criminal violations of 
law.'' The proposed rule defined this term in a manner similar to the 
proposed definition of ``law enforcement activity'' for Federal 
agencies to ensure consistency regardless of whether law enforcement 
activity occurs at the Federal, State, local, or Tribal level.
    Comments Received. Several commenters argued that FinCEN should 
clarify in the final rule that State, local, and Tribal law enforcement 
agencies include various types of administrative and regulatory bodies 
covering a range of subject areas such as labor and employment, 
contracting, tax, unemployment insurance, and workers' compensation, 
among others. One commenter recommended that FinCEN amend 31 CFR 
1010.955(b)(2)(ii) to state that a State, local or Tribal law 
enforcement agency is one that is authorized by law to investigate or 
enforce civil, criminal, ``or administrative'' violations of law. Some 
commenters noted that many State, local, and Tribal regulatory agencies 
also have law enforcement functions insofar as they have the authority 
to both issue regulations and enforce compliance with regulations. One 
of these commenters believed that proposed 31 CFR 1010.955(b)(2)(ii) 
already covers these regulatory agencies. Finally, one commenter 
suggested that FinCEN clarify that local enforcement agencies include 
non-Federal agencies within the government of the District of Columbia.
    Final Rule. FinCEN is adopting 31 CFR 1010.955(b)(2)(ii) as 
proposed. FinCEN believes that this provision is adequately clear and 
sufficiently flexible to encompass the many varieties of State, local, 
and Tribal law enforcement agencies that engage in the investigation or 
enforcement of civil or criminal violations of law, including 
regulatory violations. As a result, it is not necessary, in FinCEN's 
view, to specifically list examples of State, local, and Tribal law 
enforcement agencies, as some commenters requested. Furthermore, in 
response to the commenter's request that the final rule explicitly 
include non-Federal agencies within the District of Columbia, FinCEN 
believes this is unnecessary because the

[[Page 88746]]

definition of ``State'' in the CTA includes the District of 
Columbia.\91\
---------------------------------------------------------------------------

    \91\ 31 U.S.C. 5336(a)(12); see also supra note 5.
---------------------------------------------------------------------------

c. Court Authorization and Written Certification
    Proposed Rule. The CTA provides that FinCEN may disclose BOI to a 
State, local, or Tribal law enforcement agency ``if a court of 
competent jurisdiction, including any officer of such a court, has 
authorized the law enforcement agency to seek the information in a 
criminal or civil investigation.'' \92\ Proposed 31 CFR 1010.955(b)(2) 
would implement this provision of the CTA by allowing FinCEN to 
disclose BOI to a State, local, or Tribal law enforcement agency that 
requests this information if a court of competent jurisdiction 
authorizes the agency's request for the BOI for use in a criminal or 
civil investigation. FinCEN did not propose to identify every kind of 
court authorization that would satisfy the CTA, and it did not propose 
to specify which officers of a court may provide authorization. That is 
because FinCEN recognized that State, local, and Tribal practices are 
likely to be varied with respect to how law enforcement agencies may be 
authorized by a court to seek information in connection with an 
investigation or prosecution.
---------------------------------------------------------------------------

    \92\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    In addition, the proposed rule included safeguards designed to 
protect the confidentiality of BOI and ensure it is not misused. These 
requirements were also meant to ensure that FinCEN could properly audit 
requests for BOI from State, local, and Tribal law enforcement 
agencies, consistent with the CTA's audit requirements.\93\ As a 
result, proposed 31 CFR 1010.955(d)(1)(ii)(B)(2) required that when a 
State, local, or Tribal law enforcement agency requests BOI from 
FinCEN, the head of such an agency or their designee would have to 
submit to FinCEN, ``in the form and manner as FinCEN shall prescribe:'' 
(i) a copy of a court order from a court of competent jurisdiction 
authorizing the agency to seek the BOI in a criminal or civil 
investigation, and (ii) a written justification explaining why the 
request for BOI is relevant to the civil or criminal investigation. The 
proposed rule further explained that after FinCEN reviewed the relevant 
authorization for sufficiency and approved the request, an agency could 
then conduct searches using multiple search fields consistent in scope 
with the court authorization and subject to audit by FinCEN.\94\ Thus, 
the court order and written justification requirements in the proposed 
rule were meant to serve multiple purposes--i.e., to ensure that a 
court of competent jurisdiction has authorized an agency's request for 
the BOI, protect the security of confidential BOI, and enable FinCEN to 
conduct required audits of searches by State, local, or Tribal law 
enforcement agencies.
---------------------------------------------------------------------------

    \93\ See 31 U.S.C. 5336(c)(3)(J).
    \94\ 87 FR at 77409-10.
---------------------------------------------------------------------------

    These requirements were proposed alongside other security and 
confidentiality requirements applicable to all domestic government 
requesters of BOI. For example, the proposed rule explained that 
Federal agency users of FinCEN's BOI database would be required to 
submit brief justifications to FinCEN for their searches, explaining 
how their searches further a particular qualifying activity, and these 
justifications would be subject to oversight and audit by FinCEN. 
Additionally, the proposed rule required a Federal, State, local, or 
Tribal agency requesting BOI to minimize to the greatest practicable 
extent the scope of BOI it seeks, consistent with the agency's purpose 
in requesting BOI.
    Comments Received. Commenters generally opposed the requirements in 
proposed 31 CFR 1010.955(d)(1)(ii)(B)(2)(i) that the head of a State, 
local, or Tribal law enforcement agency, or their designee, must obtain 
and submit a copy of a court order to FinCEN authorizing the agency to 
seek BOI in a criminal or civil investigation. Commenters opposed the 
court order requirements for two broad reasons: they argued that, 
first, these requirements conflict with the plain language of the CTA 
as well as with congressional intent; and second, these requirements 
would create burdens on State, local, and Tribal agencies that would 
impede their ability to access BOI in a timely manner, which would be 
contrary to the goals of the CTA. In general, commenters encouraged 
FinCEN to take a more flexible approach in specifying the manner in 
which a court authorizes a request for BOI, which court personnel can 
provide that authorization, and at what stage in an investigation or 
proceeding agencies may seek the BOI from FinCEN. In sum, these 
commenters argued that the final rule should adopt the broader concept 
of court authorization from the CTA.
    Commenters also generally opposed, for largely the same reasons, the 
requirement in proposed 31 CFR 1010.955(d)(1)(ii)(B)(2)(i) that the 
agency head must also submit a written justification to FinCEN 
explaining the relevance of the BOI for the investigation. 
Specifically, some commenters noted that the CTA does not contain such 
a requirement, expressed concerns that this requirement would unduly 
delay requests by agencies for BOI, and highlighted the challenges 
involved in FinCEN reviewing each justification provided by an agency 
that requests BOI.
    In the first category of objections to the court order requirement, 
several commenters argued that the proposed rule conflicts with the 
plain language of the CTA which does not require a court order for 
State, local, or Tribal law enforcement agencies seeking access to BOI. 
Instead, these commenters pointed out that the CTA uses the general 
concept of court authorization, which could also include other kinds of 
authorization. Commenters also cited the legislative history of the CTA 
in arguing that Congress intended to create a less formal and more 
flexible process. These commenters noted that Congress had considered 
and rejected a narrower concept than court authorization when debating 
the CTA's provision concerning State, local, and Tribal law enforcement 
agency access to BOI.
    In the second category of objections to the proposed court order 
requirement, commenters argued that a court order requirement would 
place unnecessary burdens on State, local, and Tribal law enforcement 
agencies as well as the courts involved because of the need to take 
additional efforts to obtain a court order. These burdens would be 
exacerbated because these agencies often face greater resource 
constraints compared to their Federal counterparts. The result would be 
delays in investigations. One commenter noted that the requirement 
could give some courts the impression that formal pleadings, evidence-
based standards, or a hearing is necessary to authorize a request for 
BOI.
    Furthermore, commenters argued that a court order requirement would 
effectively restrict agencies to working only with a narrow category of 
court officers, most likely a judge, rather than ``any officer of such 
court'' as the CTA permits. These commenters also argued that, as a 
result, the court order requirement conflicts with the CTA. One 
commenter recommended that the final rule should clearly state that a 
court officer includes any individual who exercises court authority, 
including a judge, magistrate, clerk, bailiff, sheriff, prosecutor, 
clerk assistant, or other personnel that the court designates to 
authorize a request for BOI. A few commenters argued that since an 
attorney is commonly considered a ``court officer,'' and many 
jurisdictions allow attorneys to issue subpoenas,

[[Page 88747]]

attorneys should be able to authorize a request for BOI. However, one 
commenter disagreed with this view, arguing that only court personnel 
should be allowed to authorize an agency's request for BOI. In 
addition, one commenter requested that FinCEN provide guidance to court 
officials who are involved in authorizing an agency's request for BOI, 
setting forth the proper procedures for reviewing these requests as 
well as potentially providing an authorization form for agencies and 
courts to use. Commenters also recommended that FinCEN provide 
flexibility in how the court order was reported to FinCEN.
    Several commenters also highlighted the need for flexibility 
regarding when in the course of a civil or criminal investigation 
courts may authorize a State, local, or Tribal law enforcement agency 
to seek BOI. For example, some commenters requested that FinCEN clarify 
in the final rule that a grand jury subpoena qualifies as court 
authorization under the CTA. Some commenters also argued that the final 
rule should provide more clarity regarding how prosecutors can draft 
grand jury subpoenas to ensure that they would satisfy the court 
authorization requirement. Commenters also requested that the final 
rule clarify that courts should be permitted to authorize BOI requests 
throughout the full life cycle of an investigation, including after the 
initiation of a civil or criminal proceeding.
    As for the written justification requirement in the proposed rule, 
commenters argued that it could limit the ability of State, local, and 
Tribal law enforcement agencies to access BOI, and commenters noted 
that there is no such requirement in the text of the CTA. Several 
commenters argued that the written justification requirement would 
create a double review process in which these agencies would first have 
to obtain approval from a court for their request for BOI, and then 
they would need to gain a second level of approval from FinCEN. 
According to these commenters, FinCEN would compare the written 
justification to the court order, and based on its review, could reject 
the court's decision to authorize an agency's request for BOI. Some 
commenters argued that such case-by-case review of justifications by 
FinCEN would overwhelm FinCEN's resources and cause significant delays 
in the ability of State, local, and Tribal law enforcement agencies to 
access BOI.\95\ The result, according to several commenters, is that 
the written justification requirement would undermine the CTA's policy 
goal that the database be ``highly useful'' to law enforcement.\96\
---------------------------------------------------------------------------

    \95\ Commenters made several other arguments against the written 
justification requirement. For example, another commenter argued 
that it would be inappropriate for FinCEN to require 
``justification'' from State, local, or Tribal law enforcement 
agencies because the CTA only required ``certifications'' from 
Federal agency heads; that FinCEN does not have the required subject 
matter expertise to evaluate justifications; and that the term 
``justification'' implied a level of persuasiveness that would be 
required in the written statements that State, local, or Tribal law 
enforcement agencies provide when they request BOI.
    \96\ See CTA, section 6402(8)(C).
---------------------------------------------------------------------------

    Finally, some commenters focused on alternative approaches to 
State, local, and Tribal law enforcement access to BOI. One commenter 
argued that the final rule should require that State, local, and Tribal 
law enforcement agencies obtain a grand jury subpoena in order to 
request BOI, and this commenter also supported the written 
justification requirement. One commenter raised concerns about whether 
courts could adequately protect the privacy of BOI and argued that a 
separate government agency should be responsible for managing BOI 
access requests on behalf of State, local, and Tribal agencies. 
Further, one commenter noted that the CTA itself had imposed stricter 
requirements on State, local, and Tribal agencies than it imposed upon 
their Federal counterparts since the CTA imposed a court authorization 
requirement on the former agencies. This commenter believed that 
statutory changes would be necessary to remove the court authorization 
requirement in order to make it simpler for State, local, and Tribal 
agencies to access the BOI database.
    Final Rule. The final rule adopts the requirements for State, 
local, and Tribal law enforcement agencies' access to BOI in proposed 
31 CFR 1010.955(b)(2) without change. However, FinCEN was persuaded by 
comments that were critical of the requirements in proposed 31 CFR 
1010.955(d)(1)(ii)(B)(2) that State, local, and Tribal law enforcement 
agencies submit a copy of a court order and written justification for 
FinCEN review prior to searching for BOI. Accordingly, FinCEN has made 
several changes to that provision in the final rule. These revisions 
are intended to streamline State, local, and Tribal law enforcement 
agency access to BOI and reduce burdens on these agencies and courts as 
well as on FinCEN, while at the same time maintaining robust 
confidentiality and security requirements for these agencies and FinCEN 
oversight and audit of these requests.
    First, Sec.  1010.955(d)(1)(ii)(B)(2)(i) will no longer require 
that these agencies obtain a specific form of court authorization, such 
as a court order. Instead, the final rule requires only that State, 
local, and Tribal law enforcement agencies obtain ``court 
authorization'' to seek BOI from FinCEN as part of a civil or criminal 
investigation. As the preamble to the proposed rule noted, FinCEN 
requested comment on the various types of relevant court authorization 
that exist at the State, local, and Tribal level, and requested that 
commenters explain what role courts or court officers play in 
authorizing evidence-gathering activities, what existing practices 
involve court authorization, and the extent to which new court 
processes could be developed and integrated into existing practices to 
satisfy the CTA's authorization requirement. FinCEN also requested 
comment on the need for access to BOI at different stages of an 
investigation, as well as the privacy interests that may be implicated 
by such access. In requesting comment on these topics, FinCEN sought 
greater clarity on the various mechanisms by which courts might satisfy 
the CTA standard of ``court authorization.'' The comments that FinCEN 
received provided greater clarity on how State, local, and Tribal law 
enforcement agencies could satisfy the CTA's court authorization 
requirement while also meeting FinCEN's obligations under the CTA to 
protect the confidentiality of BOI and prevent potential misuse, 
including by being able to audit requests by agencies for BOI.
    FinCEN agrees that requiring State, local, and Tribal law 
enforcement agencies to obtain a court order may create unnecessary 
burdens. FinCEN further agrees that the statutory language concerning 
court authorization would maintain sufficient flexibility and 
facilitate access to BOI by State, local, and Tribal law enforcement 
agencies while still protecting against unauthorized use or disclosure. 
FinCEN intends the final rule to provide enough flexibility so that a 
variety of court officers--such as a judge, clerk of the court, or 
magistrate--could provide authorization at appropriate stages of the 
investigation process. FinCEN may issue guidance or FAQs on this 
subject in the future if needed, including, for example, on how the 
court authorization requirement would apply to grand jury proceedings. 
Such guidance may also further address questions about court personnel, 
stages of the investigation, court procedures

[[Page 88748]]

for reviewing requests for BOI, and other topics concerning court 
authorization in the context of specific factual circumstances.
    However, FinCEN agrees with those commenters who argued that being 
an attorney, by itself, is not sufficient to empower an individual to 
grant the required court authorization under the CTA. As discussed in 
the proposed rule, FinCEN does not believe the CTA, which includes 
numerous provisions limiting who may access BOI, permits any individual 
with a license to practice law to authorize the disclosure of BOI, even 
if they are sometimes referred to as ``officers of the court'' in other 
contexts. FinCEN further does not agree with the commenter that 
suggested that a separate government agency, apart from a court of 
competent jurisdiction, should handle BOI requests from State, local, 
or Tribal law enforcement agencies. The CTA is clear that these 
agencies must seek court authorization in order to request BOI from 
FinCEN, and FinCEN believes that the security and confidentiality 
requirements reflected in the final rule will be sufficient to protect 
against unauthorized use or disclosure.
    Second, rather than submit a copy of the authorization (such as a 
copy of a court order) to FinCEN, Sec.  1010.955(d)(1)(ii)(B)(2) now 
only requires that State, local, and Tribal law enforcement agencies 
(1) certify that they have received authorization to seek BOI from a 
court of competent jurisdiction and that the BOI is relevant to a civil 
or criminal investigation, and (2) provide a description of the 
information the court has authorized the agency to seek.\97\ FinCEN is 
persuaded by comments stating that the requirement in the proposed rule 
would have set more stringent requirements for State, local, and Tribal 
law enforcement agencies than would apply to their Federal 
counterparts. FinCEN is further persuaded by comments that FinCEN 
should instead allow these agencies to certify that they have obtained 
appropriate authorization from a court of competent jurisdiction.
---------------------------------------------------------------------------

    \97\ FinCEN will specify the precise method of certification at 
a later date.
---------------------------------------------------------------------------

    FinCEN does not intend to look behind these certifications to 
assess the sufficiency of a court's authorization at the time a request 
is submitted. Instead, the final rule clearly reflects FinCEN's role in 
auditing requesting agencies' BOI requests, which requires a process to 
ensure that a request for BOI by a State, local, or Tribal law 
enforcement agency remains within the terms of the court authorization. 
FinCEN believes that the certification requirement, along with the 
requirement to provide a description of the information the court has 
authorized the agency to seek, will provide FinCEN with a sufficiently 
robust means to effectively conduct oversight and audit of such access.
    Third, in response to commenters' concerns, the final rule 
eliminates the written justification requirement in proposed 31 CFR 
1010.955(d)(1)(ii)(B)(2)(ii). Moreover, after considering commenters' 
concerns about potential delays associated with a case-by-case review 
of written justifications from these agencies in connection with BOI 
requests, and taking into account available resources, FinCEN has 
determined that, as a policy matter, it will not conduct individual 
reviews of each request for BOI by State, local, or Tribal law 
enforcement agencies when they are submitted. Rather, consistent with 
requirements of the CTA, FinCEN will conduct robust audit and oversight 
of State, local, and Tribal law enforcement agency searches for BOI to 
ensure that BOI is requested for authorized purposes by authorized 
recipients. Finally, by adopting the broad notion of court 
authorization that the CTA uses, FinCEN is also choosing not to further 
specify in the rule the particular stages of an investigation during 
which courts could authorize a request for BOI by State, local, or 
Tribal agencies.
iii. Disclosure for Use in Furtherance of Foreign National Security, 
Intelligence, or Law Enforcement Activity
a. General
    Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to 
disclose BOI to foreign requesters when certain criteria were 
satisfied. The criteria were that the foreign request for BOI must (1) 
come to FinCEN through an intermediary Federal agency; (2) be for 
assistance in a law enforcement investigation or prosecution, or for a 
national security or intelligence activity, authorized under the laws 
of the foreign country; and (3) either be made under an international 
treaty, agreement, or convention, or, when no such instrument was 
available, be an official request by a law enforcement, judicial, or 
prosecutorial authority of a trusted foreign country.
    Comments Received. A few commenters supported both foreign 
requester access to BOI and the threshold requirements for that access. 
Another commenter stated that the proposed rule should specify 
timelines for processing and responding to foreign requests. One 
commenter stated that BOI should not be shared with foreign requesters 
at all.
    Final Rule. FinCEN adopts the proposed rule without changes. The 
final rule is consistent with the letter, spirit, and purposes of the 
CTA by permitting foreign requesters to obtain BOI for, and use it in, 
the full range of activities contemplated by 31 U.S.C. 
5336(c)(2)(B)(ii) (i.e., law enforcement, national security, and 
intelligence activities). The rule also resolves ambiguities arising 
from inconsistent statutory language. Specifically, one part of the 
CTA's foreign access provision appears to require a request to arise 
from a foreign ``investigation or prosecution,'' \98\ while another 
appears to allow a foreign requester to use BOI to further any 
``authorized investigation or national security or intelligence 
activity.'' \99\ The final rule resolves this discrepancy by clarifying 
that authorized national security and intelligence activities, as well 
as law enforcement investigations or prosecutions, could be a basis for 
a BOI request.
---------------------------------------------------------------------------

    \98\ 31 U.S.C. 5336(c)(2)(B)(ii)(I).
    \99\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
---------------------------------------------------------------------------

    FinCEN declines to specify timelines for processing and responding 
to foreign requests. At this juncture, FinCEN does not have sufficient 
data to support a prediction about the average amount of time it will 
take to issue a response to a foreign request. Average response times 
for requests from foreign countries when no international treaty, 
agreement, or convention applies are particularly hard to predict. 
These may often require highly fact-intensive assessments of both the 
requester and the request, require broad analysis of U.S. interests and 
priorities, and involve consultation with other relevant U.S. 
government agencies. Such assessments could take a matter of days or 
significantly longer. While sharing under international treaties, 
conventions, or agreements might follow more predictable timelines, 
unforeseeable procedural, legal, or inter-governmental impediments or 
hurdles could create delays. FinCEN commits to processing requests as 
quickly as practicable with available resources rather than establish 
deadlines based on limited data.
b. Intermediary Federal Agency
    Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to 
disclose BOI to foreign requesters when certain criteria were 
satisfied. One criterion identified by the CTA and the proposed 
regulation was that requests for BOI must come to FinCEN through an 
intermediary Federal agency.

[[Page 88749]]

    The CTA did not identify particular intermediary Federal agencies, 
and FinCEN did not propose to identify any by regulation. FinCEN 
instead stated its intention to work with Federal agencies to identify 
agencies suited to serving as intermediaries between FinCEN and foreign 
requesters. For example, one indicator of potential suitability 
identified by FinCEN in the Access NPRM was a Federal agency having 
regular engagement and familiarity with foreign law enforcement 
agencies, judges, prosecutors, central authorities, or competent 
authorities on matters related to law enforcement, national security, 
or intelligence activity. Other factors would include whether a 
prospective intermediary Federal agency has established policies, 
procedures, and communication channels for sharing information with 
those foreign parties, and whether the prospective intermediary Federal 
agency represents the U.S. government in relevant international 
treaties, agreements, or conventions; other factors include the 
expected number of requests that the agency could receive, and the 
ability of the agency to efficiently process requests while managing 
risks of unauthorized disclosure.
    In the Access NPRM, FinCEN stated that it would work with potential 
intermediary Federal agencies to: (1) ensure that they have secure 
systems for BOI storage; (2) enter into MOUs outlining expectations and 
responsibilities; (3) translate the CTA foreign sharing requirements 
into evaluation criteria against which intermediary Federal agencies 
could review requests from foreign requesters; (4) integrate the 
evaluation criteria into the intermediary Federal agencies' existing 
information-sharing policies and procedures; (5) develop additional 
security protocols and systems as required under the CTA and its 
implementing regulations; and (6) ensure that intermediary Federal 
agency personnel have sufficient training on applicable requirements 
under the CTA and its implementing regulations. Under the proposal, 
FinCEN would exercise oversight and audit functions to ensure that 
intermediary Federal agencies adhere to requirements and take 
appropriate measures to mitigate the risk of foreign requesters abusing 
the information.
    Given its longstanding relationships and relevant experience as the 
financial intelligence unit (FIU) of the United States, FinCEN proposed 
to directly receive, evaluate, and respond to requests for BOI from 
foreign FIUs.
    Comments Received. One commenter expressed surprise that the 
proposed rule did not include examples of intermediary Federal 
agencies, while another commenter supported the potential for any 
Federal agency to become an intermediary Federal agency. There were 
varying perspectives on the proposal that FinCEN should act as an 
intermediary Federal agency for BOI requests from foreign FIUs. One 
commenter stated that foreign requesters might funnel all requests for 
BOI through their FIUs if FinCEN served as an intermediary Federal 
agency for foreign FIU requests, which would significantly increase 
FinCEN's workload. That commenter also said that exchanges through FIUs 
were not admissible in court. In contrast, one commenter indicated that 
FinCEN's role should be broadened to include receiving, reviewing, and 
evaluating all foreign requests, not just those from foreign FIUs. 
Another commenter asked FinCEN to clarify that, when reviewing and 
responding to requests for BOI from foreign FIUs, FinCEN would adhere 
to the proposed requirements applicable to other intermediary Federal 
agencies.
    Final Rule. FinCEN adopts the proposed rule without any changes. 
FinCEN is still in the early stages of working to identify intermediary 
Federal agencies, and therefore is not in a position to list those 
agencies in a regulation. FinCEN can anticipate several Federal 
agencies that likely could serve as intermediary Federal agencies given 
that (1) the rule contemplates FinCEN taking indirect requests for BOI 
from foreign requesters; (2) requests will be for assistance in law 
enforcement investigations or prosecutions, or for a national security 
or intelligence activity, authorized under the laws of the relevant 
foreign country; and (3) many requests for BOI will come under 
international treaties, agreements, and conventions. Federal agencies 
that are likely to meet these criteria include the U.S. Departments of 
State and Justice, the Federal Bureau of Investigation, U.S. Customs 
and Border Protection, the IRS, and member agencies of the Intelligence 
Community. This list only provides examples of Federal agencies whose 
activities seem to align with the functions of an intermediary Federal 
agency and is not intended to create expectations regarding possible 
intermediary Federal agencies.
    FinCEN itself will very likely act as the intermediary Federal 
agency for requests for BOI from foreign FIUs. As the FIU for the 
United States, FinCEN already has policies and procedures for, and 
extensive experience in, sharing information related to national 
security, intelligence, and law enforcement activities with foreign 
FIUs through the Egmont Group. Accordingly, FinCEN could leverage 
existing processes and relationships to fulfill the requirements of the 
CTA and its implementing regulations.
    FinCEN does not expect that foreign requesters will funnel all 
requests for BOI through their FIUs and overwhelm FinCEN. The rule 
permits foreign FIUs to request BOI in two scenarios. The first 
scenario is when two conditions apply: (1) the request is for 
assistance in a law enforcement investigation or prosecution, or for a 
national security or intelligence activity, authorized under the laws 
of the foreign country, and (2) a governing international treaty, 
agreement, or convention identifies the foreign FIU as the central or 
competent authority in the matter or otherwise dictates that the 
foreign FIU should request BOI from FinCEN. The second scenario in 
which a foreign FIU may request BOI is when there is no international 
treaty, agreement, or convention available. In this scenario, the 
foreign FIU may request BOI from FinCEN when (1) the request is for 
assistance in a law enforcement investigation or prosecution, or for a 
national security or intelligence activity, authorized under the laws 
of the foreign country, and (2) the FIU qualifies as a law enforcement 
(i.e., authorized by law to engage in the investigation or enforcement 
of civil or criminal violations of law), judicial, or prosecutorial 
authority of a trusted foreign country. Both scenarios involve multiple 
requirements that a foreign FIU must satisfy to request BOI from FinCEN 
and are unlikely to result in a large number of potential requests from 
foreign FIUs.
    On the question of BOI admissibility, FinCEN does not agree with 
the claim by one commenter that information exchanges through FIUs 
necessarily render the disclosed information inadmissible in courts 
around the world with enough frequency to warrant concern. Furthermore, 
if information exchanges between FIUs do render information 
inadmissible in some foreign courts, the CTA and this final rule 
provide means other than FIU exchanges by which foreign requesters may 
obtain BOI, namely through foreign judges, prosecutors, law enforcement 
agencies, and other central and competent authorities.\100\ FinCEN is 
confident that foreign requesters that require admissible BOI, that are

[[Page 88750]]

authorized to receive BOI under the terms set forth in the CTA and this 
final rule, and that satisfy all applicable criteria for BOI disclosure 
will be able to obtain the information they need in an admissible form 
through an intermediary Federal agency.
---------------------------------------------------------------------------

    \100\ See 31 U.S.C. 5336(c)(2)(B)(ii); 31 CFR 1010.955(b)(3).
---------------------------------------------------------------------------

    Nonetheless, FinCEN believes it should act as an intermediary 
Federal agency for BOI requests from foreign FIUs. Receiving, 
reviewing, and responding to requests for BOI from all foreign 
requesters would not be feasible, given FinCEN's resource limitations.
c. Foreign Central or Competent Authority
    Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to 
disclose BOI to foreign requesters when certain criteria were 
satisfied. The CTA did not define central or competent authorities, and 
so FinCEN proposed to make clear that ``[a] relevant `foreign central 
authority or foreign competent authority' would be the agency 
identified in an international treaty, agreement, or convention under 
which a foreign request is made'' (emphasis added). This decision was 
based on FinCEN's understanding that ``foreign central authority'' and 
``foreign competent authority'' are terms of art typically defined 
within the context of a particular agreement. FinCEN's goal was to 
remove any ambiguity around the terms without unduly excluding 
appropriate foreign requesters from access to BOI.
    Comments Received. One commenter pointed to the FATF and the Egmont 
Group as potential means of identifying foreign central and competent 
authorities. Specifically, the commenter stated that, because the 
United States is a member of both organizations, either body's method 
of designating foreign central or competent authorities (with 
appropriate safeguards) should allow an agency designated through that 
method to qualify as a foreign central or competent authority for the 
purposes of the CTA.
    Another commenter stated that requiring foreign central and 
competent authorities to be identified as such in a governing 
international treaty, agreement, or convention was overly restrictive. 
The commenter's concern stems from the word ``in.'' To support its 
position, the commenter points to the Hague Convention for Service 
Abroad of Judicial and Extrajudicial Documents in Civil or Commercial 
Matters and the Hague Convention on the Taking of Evidence Abroad in 
Civil or Commercial Matters. The commenter states that both agreements 
provide for the use of a central authority for the receipt of requests 
for service or evidence by requiring a contracting state to designate a 
central authority and organize the central authority in accordance with 
its own law. Requiring designation of that central authority upfront in 
the treaty itself, the commenter claims, would remove some level of 
flexibility, and would require cumbersome treaty amendment processes 
were a party to change the specified central authority.
    As an alternative, this same commenter suggested looking to the 
service provisions of the Foreign Sovereign Immunities Act, and in 
particular 28 U.S.C. 1608, to allow for largely undefined ``special 
arrangements'' to govern BOI disclosure through agencies other than 
central authorities. The commenter again pointed to the difficulty of 
changing treaties to reflect new central authorities, and viewed 
``special arrangements'' as possibly providing ``an approach to better 
manage the foreign access provisions of the CTA on a case-by-case 
basis.''
    Final Rule. FinCEN adopts the proposed rule, but with a 
clarification about its meaning.
    In the course of drafting the Access NPRM, FinCEN conducted 
extensive outreach to the Department of State, the Department of 
Justice, and other Federal agencies that participate in international 
affairs on behalf of the United States. As a result, Treasury 
understands that ``central authority'' and ``competent authority'' are 
referents that may be reliant on international treaties, agreements, 
and conventions for context and meaning. If an institution derives its 
status as a central and competent authority pursuant to an 
international treaty, agreement, or convention, then by definition 
requiring foreign central and competent authorities to be identified as 
such under governing international treaties, agreements, or conventions 
is not overly restrictive. In contrast, FATF and the Egmont Group are 
not international bodies established by treaty, agreement, or 
convention, nor do they issue, implement, or administer any of the 
international treaties, agreements, or conventions that make an 
institution a central or competent authority. That said, information 
from both bodies could be useful in determining whether foreign 
countries are ``trusted'' in situations when no international treaty, 
agreement, or convention is available.
    When such an agreement is available, a commenter makes a reasonable 
point that the instrument might not specifically identify particular 
central or competent authorities, but might instead direct contracting 
states to identify them through other means. The Hague conventions, 
which the commenter points to as examples, are instructive. As the 
commenter notes, both conventions require contracting states to 
identify central authorities to administer convention obligations, but 
do not themselves identify specific institutions of any particular 
governments as central authorities. That work is left to implementing 
statutes and regulations in contracting states. FinCEN understands that 
this is a common arrangement in international agreements. Consequently, 
for purposes of 31 CFR 1010.955(b)(3), a foreign central or competent 
authority may be identified as such either directly by a governing 
treaty, agreement, or convention, or by the statutes, regulations, or 
other legal means by which the relevant foreign requester country has 
implemented the agreement.
    With this clarification, FinCEN sees no need to resort to ``special 
arrangements'' under 28 U.S.C. 1608 of the Foreign Sovereign Immunities 
Act to disclose BOI to foreign requesters. The CTA is clear about which 
foreign requesters may obtain BOI from FinCEN, as well as the criteria 
they must satisfy and the general process they must follow to obtain 
it. The resulting framework reflects the requirements of the CTA but 
remains flexible enough to accomplish the stated aims and purposes of 
the CTA without need for supplemental measures.
d. Trusted Foreign Country
    Proposed Rule. Proposed 31 CFR 1010.955(b)(3)(ii)(B) authorized 
FinCEN to disclose BOI in response to official requests by law 
enforcement, judicial, or prosecutorial authorities of ``trusted'' 
foreign countries when other criteria are satisfied. The other criteria 
were that the request for BOI must (1) come to FinCEN through an 
intermediary Federal agency; and (2) be for assistance in a law 
enforcement investigation or prosecution, or for a national security or 
intelligence activity, authorized under the laws of the foreign 
country. In keeping with the CTA, the ``trusted foreign country'' 
requirement would come into play when there is no international treaty, 
agreement, or convention available under which the relevant foreign 
country could make the request.
    The CTA does not provide criteria for determining whether a 
particular foreign country is ``trusted,'' leaving FinCEN with 
flexibility to make the determination. FinCEN considered identifying 
particular countries or groups of countries as ``trusted'' for the

[[Page 88751]]

purposes of receiving BOI, but determined that such a restrictive 
approach could arbitrarily exclude foreign requesters with whom sharing 
BOI might be appropriate in some cases but not others. FinCEN proposed 
in the Access NPRM to instead consult with relevant U.S. government 
agencies on a case-by-case basis to determine whether to disclose BOI 
to foreign requesters when no international treaty, agreement, or 
convention applies. In making these determinations, FinCEN and the 
consulting agencies would consider U.S. priorities and interests, as 
well as the ability of a foreign requester to maintain the security and 
confidentiality of requested BOI.
    Comments Received. Commenters generally wanted to know either which 
foreign countries would be ``trusted'' or the criteria by which FinCEN 
would identify trusted foreign countries. One commenter wanted a 
searchable list of trusted foreign countries. Multiple commenters 
suggested that FinCEN publicly define its trust criteria, with some 
arguing that a non-transparent case-by-case determination process could 
yield unjustifiably disparate treatment. One commenter suggested either 
defining ``trusted'' or dropping the term entirely and relying solely 
on treaties, agreements, and conventions. Another commenter noted a 
FinCEN definition would promote consistency of access.
    A few commenters argued that FinCEN should not have sole discretion 
to determine which countries are trusted, as such decisions have 
implications for national security and foreign relations. One commenter 
supported FinCEN's decision not to develop a prior list of trusted 
foreign countries because such a list would inevitably change over 
time. That same commenter further argued, however, that FinCEN should 
define the ``relevant U.S. government agencies'' with which it would 
consult to make trust determinations as including the Departments of 
State and Justice, and should announce that, at a minimum, FinCEN will 
treat members of NATO, the EU, and the G7 group of nations as trusted 
foreign countries absent special circumstances. Another commenter 
stated that FinCEN had taken a sensible approach regarding the trusted 
foreign country requirements, but might consider giving advance notice 
to countries that would explicitly not be trusted.
    Final Rule. FinCEN adopts the proposed rule with limited 
clarifications. FinCEN agrees with the commenter that the rule would 
benefit from identifying particular agencies with which FinCEN is 
likely to consult when no international treaty, agreement, or 
convention applies to a foreign request for BOI and FinCEN needs to 
determine whether the country at issue is ``trusted.'' FinCEN is 
therefore specifying in the rule that, in determining whether a request 
is from a ``trusted foreign country,'' FinCEN will make such 
determination with the concurrence of the Department of State, and in 
consultation with the Department of Justice or other agencies as 
necessary and appropriate. Specifying that FinCEN will seek the 
Department of State's concurrence on these determinations reflects the 
Department of State's central role in conducting U.S. foreign policy 
and foreign relations. FinCEN has also explicitly identified the 
Department of Justice to reflect the major role that the Department of 
Justice plays in U.S. relations with other countries in law 
enforcement, national security, and intelligence activities, and the 
commensurate likelihood that FinCEN will regularly consult it when 
making trust determinations. However, identifying these two agencies 
within the regulation does not mean that FinCEN will only consult them 
when making trust determinations, or that FinCEN is delegating its 
authority to make those determinations. Indeed, FinCEN will consult 
with agencies other than the Departments of State and Justice when 
appropriate, e.g., when those agencies have relevant equities, 
expertise, or relationships with foreign governments.
    While FinCEN is choosing to clarify the interagency coordination 
element of its trust determination process, it is not defining 
``trusted'' or enumerating criteria it will use to assess requests for 
BOI when no international treaty, agreement, or convention applies. 
There are likely too many situations in which providing other countries 
with BOI might be in the best interest of the United States to reduce 
that complexity to a single definition or list. That same variability 
also weighs against preemptively identifying certain countries as 
either wholly trusted or not. Particular facts and circumstances are 
relevant to the determination and may result in different outcomes 
where the same foreign requester is involved. These are dynamic 
situations to which FinCEN must be able to respond flexibly, in 
consultation with relevant Federal agencies. At this time, FinCEN 
believes that it is important to retain appropriate discretion in 
making determinations regarding ``trusted'' foreign countries in 
particular circumstances, and declines to adopt restrictive definitions 
or criteria that could be detrimental to broader U.S. interests.
e. Training
    Proposed Rule. Proposed 31 CFR 1010.955(d)(3)(i) required foreign 
requesters to handle, disclose, and use BOI consistent with the 
requirements of the applicable treaty, agreement, or convention under 
which it was requested. 31 CFR 1010.955(d)(3)(ii), meanwhile, applied 
to situations in which there was no applicable treaty, agreement, or 
convention, and would have imposed on foreign BOI requesters certain 
general requirements that the CTA imposes on all requesting 
agencies.\101\ FinCEN believed these measures were necessary to protect 
the security and confidentiality of BOI provided to foreign 
requesters.\102\ Proposed requirements applicable to foreign requesters 
when no treaty, agreement, or convention applies included having 
security standards and procedures, maintaining a secure storage system 
that complies with the security standards that the foreign requester 
applies to the most sensitive unclassified information it handles, 
minimizing the amount of information requested, and restricting 
personnel access to BOI to persons ``[w]ho have undergone training on 
the appropriate handling and safeguarding of [BOI].'' Foreign requesters 
that request and receive BOI under an applicable international treaty, 
agreement, or convention would not have these requirements under the 
proposed rule, given that such requesters would be governed by 
standards and procedures prescribed by the applicable international 
treaty, agreement, or convention.
---------------------------------------------------------------------------

    \101\ In the Access NPRM, FinCEN misnumbered this provision as a 
duplicate 31 CFR 1010.955(d)(3)(i).
    \102\ See 31 U.S.C. 5336(c)(3)(A), (K).
---------------------------------------------------------------------------

    Comments Received. Several commenters indicated that FinCEN should 
revise the requirement that foreign requesters limit access to BOI to 
persons ``[w]ho have undergone training on the appropriate handling and 
safeguarding of [BOI].'' One commenter expressed the view that the 
training requirement was stricter than the one proposed for domestic 
agencies, under which personnel with access to BOI either had to 
receive training on its handling and safeguarding or received the 
information from someone who had undergone such training. Another 
commenter suggested that FinCEN adopt this domestic agency standard for

[[Page 88752]]

foreign requesters. Other commenters variously stated that training in 
this context is superfluous given the other requirements applicable to 
foreign requesters, that training requirements would exceed reciprocal 
standards imposed by foreign partners when U.S. government agencies 
obtained beneficial ownership information from foreign BOI databases, 
and that FinCEN should define with greater precision the requirements 
for foreign requester training.
    Final Rule. FinCEN adopts the proposed rule with changes. First, 
FinCEN fixed the typographical error in 31 CFR 1010.955(d)(3)(ii) to 
reflect the provision's correct numbering. Second, FinCEN has removed 
the proposed rule's requirement that an individual from an intermediary 
Federal agency submit personal details when making each request on 
behalf of a foreign requester. That is because the individual will 
submit identifying information to FinCEN at the time they create an 
account to access FinCEN's BO IT system, which will be necessary to 
make requests on behalf of foreign governments. FinCEN will provide 
guidance to intermediary Federal agencies at a later time on how users 
of the BO IT system will set up these accounts.
    The third change to the proposed provision pertains to 
certification requirements in situations involving ``trusted'' foreign 
countries. FinCEN originally proposed to require each intermediary 
Federal agency requesting BOI on behalf of a foreign requester under 
proposed 31 CFR 1010.955(b)(3)(ii)(B) to submit to FinCEN ``[a] written 
explanation of the specific purpose for which the foreign person is 
seeking information . . . along with an accompanying certification that 
the information is for use in furtherance of a law enforcement 
investigation or prosecution, or for a national security or 
intelligence activity, that is authorized under the laws of the 
relevant foreign country; will be used only for the particular purpose 
or activity for which it is requested; and will be handled consistent 
with [applicable security and confidentiality requirements].'' FinCEN 
is modifying the certification requirement to avoid unintentionally 
imposing on intermediary Federal agencies a requirement to certify to a 
foreign requester's future behavior with respect to the BOI obtained, 
which the agency could not know with certainty. Under the final rule, 
such agencies must still certify to FinCEN that the information is for 
use in furtherance of a law enforcement investigation or prosecution, 
or for a national security or intelligence activity, that is authorized 
under the laws of the relevant foreign country. However, the remainder 
of the original certification has been modified to require only that 
the intermediary Federal agency certify that the foreign requester has 
been informed that BOI disclosed to it may only be used for the 
particular purpose or activity for which it was requested and must be 
handled consistent with applicable requirements. This modified 
certification better reflects what an intermediary Federal agency can 
know and practically control. FinCEN's expectation that foreign 
requesters will handle BOI in accordance with applicable requirements 
and protect it to the best of their ability remains unchanged, as does 
FinCEN's willingness to withhold BOI from requesters that fail to meet 
that expectation.
    FinCEN declines to make additional revisions suggested by comments. 
The requirement that foreign requesters apply appropriate standards and 
procedures to protect BOI and limit BOI dissemination to trained 
individuals is reasonable under the circumstances and unlikely to place 
undue burden on foreign requesters. It is critical that all authorized 
BOI recipients--including foreign requesters--take steps to keep BOI 
confidential and secure and to prevent its misuse given the sensitivity 
of the personal information to be reported to the BO IT system. The 
application of BOI security standards and procedures, including the 
training requirement, effectuates these underlying objectives, 
including by requiring individual foreign recipients to have knowledge 
of those requirements. FinCEN also declines to prescribe specific 
requirements on the structure and content of any training. FinCEN 
recognizes that standards and procedures will vary by foreign requester 
to reflect organizational and resource differences. At root, every 
individual with access to BOI should understand the purposes for which 
BOI can be used, the persons with whom they can share BOI and for 
what purpose, and the manner in which they must secure it.
    The differences between the application of BOI security standards 
and procedures for domestic and foreign requesters reflect legal and 
practical considerations. First, the CTA specifically prescribes 
certain standards for domestic agencies that have access to BOI, but 
not for foreign requesters. Second, the Access NPRM proposed standards 
and procedures that are tailored to particular circumstances and 
challenges involving foreign requesters, and are arguably less 
burdensome than those required of domestic agencies. For example, 
FinCEN decided not to propose an MOU requirement for foreign requesters 
because (1) foreign requesters will not have direct access to the BO IT 
system, and (2) FinCEN anticipates a significantly lower volume of 
foreign requests in general relative to other stakeholders. In 
contrast, the MOUs with domestic agencies are appropriate to mitigate 
the risks inherent in the expected volume and frequency of searches in 
the BO IT system. FinCEN anticipates that these MOUs will, among other 
things, memorialize and implement requirements regarding reports and 
certifications, periodic training of individual recipients of BOI, 
personnel access restrictions, re-disclosure limitations, and access to 
audit and oversight mechanisms. The MOUs will also include security 
plans covering topics related to personnel security (e.g., eligibility 
limitations, screening standards, certifications and notification 
requirements); physical security (system connections and use, 
conditions of access, data maintenance); computer security (use and 
access policies, standards related to passwords, transmission, storage, 
and encryption); and inspections and compliance.
    Foreign BOI requesters will only receive BOI through intermediary 
Federal agencies that will themselves be subject to the detailed MOUs 
described above. Those intermediary Federal agencies will in turn work 
with foreign requesters either in accordance with applicable 
international treaties, conventions, or agreements or under standards 
and protocols that ``trusted'' foreign countries would be required to 
develop and implement.
    FinCEN also decided against the imposition of audit requirements on 
foreign requesters because of practical considerations. First, for the 
sharing of BOI governed by international treaties, agreements, or 
conventions, the relevant treaty, agreement, or convention would govern 
whether audits would be permissible. If no treaty, agreement, or 
convention applied, practical challenges would limit FinCEN's ability 
to conduct audits of a foreign requester's BOI systems and practices. 
In order to conduct such an audit, FinCEN would need to negotiate 
appropriate audit mechanisms, likely on a reciprocal basis, given that 
foreign governments will likely be reluctant to allow FinCEN extensive 
access to comprehensively audit their secure IT systems and records. 
FinCEN would also likely need to commit substantial staff and personnel 
to conduct either remote or

[[Page 88753]]

in-person audits in foreign countries. While FinCEN could refrain from 
sharing BOI with foreign requesters that refuse to be subject to 
audits, doing so would likely degrade international cooperation on law 
enforcement and national security efforts and constrain the United 
States' ability to combat cross-border illicit finance and criminal 
activity, including fentanyl trafficking, fraud, and sanctions evasion, 
among other crimes.
f. Re-Disclosure of BOI in the Context of Foreign Requests
    Proposed Rule. The Access NPRM proposed rules that effectuated the 
foreign government access provisions in a series of steps that, first, 
would have authorized FinCEN to disclose BOI to intermediary Federal 
agencies; would have then authorized those agencies to redisclose BOI 
to the foreign requester; and would have authorized the foreign 
requester to use the BOI, including through re-disclosure, consistent 
with the applicable treaty.
    Specifically, proposed 31 CFR 1010.955(b)(3) authorized FinCEN to 
disclose BOI to intermediary Federal agencies for transmission to the 
foreign requester where (1) an intermediary Federal agency provides 
FinCEN with the foreign request; (2) the requested BOI is for 
assistance in a law enforcement investigation or prosecution, or for a 
national security or intelligence activity, authorized under the laws 
of the foreign country; and (3) the request is made under an 
international treaty, agreement, or convention, or, when no such 
instrument is available, is an official request by a law enforcement, 
judicial, or prosecutorial authority of a trusted foreign country. 
Proposed 31 CFR 1010.955(c)(2)(v) would further authorize the 
intermediary Federal agency to disclose the BOI to the foreign 
requester, consistent with the CTA's foreign government provisions.
    Lastly, proposed 31 CFR 1010.955(c)(2)(viii) allowed a foreign 
requester that receives BOI pursuant to a request made under an 
international treaty, agreement, or convention to re-disclose and use 
that BOI in accordance with the requirements of the relevant agreement. 
This approach accords with the CTA's preference for disclosing BOI to 
foreign requesters under international agreements and allowing the 
agreements to govern how the information is used, as indicated in the 
introductory paragraph in 31 U.S.C. 5336(c)(2)(B)(ii). For foreign 
requests that are not governed by an international treaty, agreement, 
or convention, FinCEN proposed reviewing re-disclosure requests from 
foreign requesters either on a case-by-case basis or pursuant to 
alternative arrangements with intermediary Federal agencies where those 
intermediary Federal agencies have ongoing relationships with the 
particular foreign requester. This would occur under former 31 CFR 
1010.955(c)(2)(ix), now 31 CFR 1010.955(c)(2)(x), discussed in section 
III.D.ii.
    Comments Received. Commenters noted several concerns regarding the 
re-disclosure of BOI by intermediary Federal agencies to foreign 
requesters. One commenter indicated that the proposed rule conflicted 
with section 2.3 of E.O. 12333 of December 4, 1981, as amended, by 
authorizing U.S. intelligence agencies to share information about U.S. 
persons with other countries' intelligence agencies without regard to 
the Executive Order's restrictions on collecting, retaining, and 
disseminating U.S. person information.\103\ Another commenter 
criticized the proposed rule as unduly vague about the foreign 
recipient of BOI, the scope of application of the proposed 31 CFR 
1010.955(c)(2)(viii), and whether re-disclosure would be consistent 
with the CTA where no international treaty, agreement, or convention is 
available. A third commenter observed that FinCEN could broaden Sec.  
1010.955(c)(2)(v) to allow intermediary Federal agencies to share BOI 
with ``relevant countries'' without first obtaining FinCEN's 
permission, while a fourth warned FinCEN to ensure that foreign 
countries do not use their tax authorities to obtain BOI for non-tax 
related reasons under the pretense of tax administration.
---------------------------------------------------------------------------

    \103\ E.O. 12333, 46 FR 59941 (Dec. 4, 1981) (``United States 
Intelligence Activities'').
---------------------------------------------------------------------------

    Final Rule. FinCEN considers the proposed rules to be sufficiently 
clear and adopts the provisions as proposed, though the related 
provision at new 31 CFR 1010.955(c)(2)(x) is revised as discussed in 
section III.D.ii. Proposed 31 CFR 1010.955(c)(2)(v) makes clear that an 
intermediary Federal agency may disclose BOI only ``to the foreign 
person on whose behalf the Federal agency made the request'' to FinCEN 
(emphasis added). The provision is sufficiently specific as to the 
foreign recipient that receives BOI. The rule also is not in conflict 
with E.O. 12333, section 2.3 and, in particular, the requirement that 
elements of the Intelligence Community disseminate information 
concerning U.S. persons only in accordance with certain established 
procedures. FinCEN expects that intermediary Federal agency requests, 
and transmission of BOI to foreign requesters, will be in accordance 
with any legal requirements, and internal protocols, applicable to the 
intermediary Federal agency. For instance, the guidelines of the Office 
of the Director of National Intelligence require that, for 
dissemination of information regarding U.S. persons to foreign 
governments, those entities must agree to restrictions on the use and 
dissemination of that information as necessary.\104\ Furthermore, 
consistent with the rule, an agency's internal protocols might place 
certain process requirements on the agency in making the request to 
FinCEN for BOI or on the re-disclosure of the information to the 
foreign requester.
---------------------------------------------------------------------------

    \104\ See Office of the Director of National Intelligence, 
Attorney General (AG) Guidelines, Approved December 23, 2020, 
available at <a href="https://www.intel.gov/assets/documents/702%20Documents/declassified/AGGs/ODNI%20guidelines%20as%20approved%20by%20AG%2012.23.20_OCR.pdf">https://www.intel.gov/assets/documents/702%20Documents/declassified/AGGs/ODNI%20guidelines%20as%20approved%20by%20AG%2012.23.20_OCR.pdf</a>.
---------------------------------------------------------------------------

    Former 31 CFR 1010.955(c)(2)(viii)--now renumbered as 31 CFR 
1010.955(c)(2)(ix)--permits foreign requesters to re-disclose BOI 
consistent with the terms of the applicable international treaty, 
agreement, or convention, but does not authorize disclosure in any 
other contexts.
    Relying on the general authority in 31 CFR 1010.955(c)(2)(x) for 
FinCEN to authorize by prior written authorization, protocols, or 
guidance redisclosures in furtherance of an authorized purpose or 
activity, FinCEN will review redisclosure requests from foreign 
requesters that did not request BOI pursuant to an international 
treaty, agreement, or convention.
    FinCEN also declines to permit intermediary Federal agencies to re-
disclose BOI to a defined list of countries, without either a governing 
international treaty, agreement, or convention or separate FinCEN 
authorization. The scenario the proposal seems to contemplate involves 
an intermediary Federal agency requesting BOI from FinCEN on behalf of 
one foreign requester, storing the information in the intermediary 
Federal agency's own database, and then later re-disclosing that same 
BOI to a different foreign requester that wants the information and 
satisfies the eligibility criteria that would qualify it to have the 
intermediary Federal agency request the information from FinCEN on its 
behalf. In this case, however, the intermediary Federal agency would 
not need to retrieve the BOI from FinCEN's BO IT system or involve 
FinCEN at all because it would already have the relevant BOI in its own 
system.

[[Page 88754]]

    FinCEN views this proposal as infeasible for a number of reasons. 
First, a reporting company might update its reported BOI in the interim 
between the times when two foreign requesters want the information. The 
intermediary Federal agency's stored BOI would not reflect those 
updates and would be out of date and potentially useless or confounding 
in an investigation or prosecution if passed to a foreign requester. 
Having foreign requesters receive outdated BOI would undercut the CTA's 
objective of providing useful information to authorized BOI recipients.
    The second consideration weighing against the proposal has to do 
with auditing. FinCEN has extensive audit requirements with respect to 
Federal agencies that receive BOI under the CTA. While an intermediary 
Federal agency will not need FinCEN's explicit and case-specific 
``permission'' to retrieve BOI from the BO IT system on a foreign 
requester's behalf, the intermediary will need to submit to FinCEN 
certain information about itself, the request, and the requester. 
FinCEN will in turn rely on this information to satisfy those audit 
requirements. The act of an intermediary Federal agency retrieving BOI 
from the BO IT system will also serve as information upon which FinCEN 
will rely as a proxy record indicating that a corresponding disclosure 
to a foreign requester occurred. Were FinCEN to authorize intermediary 
Federal agencies to store and disseminate FinCEN-derived BOI from their 
own databases instead of responding to foreign requests for BOI with 
information retrieved from FinCEN's BO IT system on a one-for-one 
basis, all of that information would be lost, more difficult to 
collect, or more subject to tampering. All of these considerations lead 
FinCEN to reject this proposal.
    Finally, FinCEN takes seriously concerns about foreign requesters 
and other authorized BOI recipients requesting BOI for one purpose and 
using it for other purposes the CTA does not permit. This includes 
concerns about pretextual requests made under the guise of activities 
related to the enforcement of tax laws, a relatively narrow aspect of 
``tax administration,'' as defined in 26 U.S.C. 6103(b)(4), for which 
the CTA authorizes BOI disclosure to foreign requesters.\105\ These 
concerns are why FinCEN is requiring intermediary Federal agencies to 
certify that requests for BOI from foreign requesters satisfy 
applicable CTA requirements, including the requirement that requests be 
for use in furtherance of a law enforcement investigation or 
prosecution, or for a national security or intelligence activity, that 
is authorized under the laws of the relevant foreign country.
---------------------------------------------------------------------------

    \105\ The CTA does not authorize FinCEN to provide BOI to 
foreign requesters for any and all tax administration purposes. Some 
foreign tax-related activities, however, including enforcement of 
tax laws, may qualify as law enforcement, national security, or 
intelligence activities under the CTA, 31 U.S.C. 5336(c)(2)(B)(ii), 
permitting BOI to be disclosed under appropriate circumstances.
---------------------------------------------------------------------------

    That said, a foreign requester that originally obtained BOI for use 
in furtherance of an authorized law enforcement investigation or 
prosecution (including those related to tax laws), or for an authorized 
national security or intelligence activity, would not necessarily be 
prohibited from also using that BOI for other purposes when the BOI was 
obtained pursuant to a treaty, agreement, or convention. As explained 
previously, if a foreign requester obtains BOI pursuant to a treaty, 
agreement, or convention for use in an activity authorized by the CTA, 
then the requester is authorized to subsequently use or re-disclose the 
information in any way permitted by that treaty, agreement, or 
convention. This allowance reflects the general deference to treaties, 
agreements, and conventions exhibited by the CTA's foreign sharing 
provision. In all cases, FinCEN will work with intermediary Federal 
agencies to ensure that foreign requesters understand and agree to 
abide by the restrictions and requirements associated with BOI, as well 
as the potential consequences for failing to honor those commitments.
iv. Disclosure To Facilitate Compliance With Customer Due Diligence 
Requirements
    The Access NPRM proposed to authorize disclosure of BOI to 
facilitate compliance with ``customer due diligence requirements under 
applicable law'' \106\ to: (1) ``financial institutions'' subject to 
such customer due diligence requirements, and (2) ``Federal functional 
regulator[s] or other appropriate regulatory agenc[ies] . . . 
authorized by law to assess, supervise, enforce, or otherwise determine 
the compliance'' of financial institutions with such requirements.\107\ 
FinCEN therefore discusses the proposed terms of financial institution 
and regulator access to BOI separately.
---------------------------------------------------------------------------

    \106\ 31 U.S.C. 5336(c)(2)(B)(iii); proposed 31 CFR 
1010.955(b)(4).
    \107\ Id.; 31 U.S.C. 5336(c)(2)(B)(iii), (C)(i).
---------------------------------------------------------------------------

a. Financial Institutions
    The Access NPRM proposed provisions specifying which financial 
institutions \108\ could access BOI, the uses to which they could put 
BOI, and the prerequisites for their access and terms of use. The 
NPRM's treatment of financial institution access was the focus of many 
comments. Numerous comments focused both on FinCEN's proposal to limit 
the financial institutions authorized to obtain BOI to those with 
responsibilities under FinCEN's 2016 CDD Rule and on FinCEN's proposal 
to limit those financial institutions' use of BOI to facilitating 
compliance with 31 CFR 1010.230 of the 2016 CDD Rule. Both of those 
subjects are discussed here. Other issues raised by commenters on 
financial institution access and use of BOI were tied to larger 
systemic concerns and less closely associated with financial 
institutions per se, including the consent requirement, confidentiality 
and security protocols, and redisclosure of BOI. These more systemic 
comments are addressed elsewhere in this document.
---------------------------------------------------------------------------

    \108\ FinCEN regulations generally define ``financial 
institution,'' including for the purposes of this rule, at 31 CFR 
1010.100(t). This general definition is distinct from that of 
``covered financial institution,'' as used in the 2016 CDD Rule and 
this preamble. Under the 2016 CDD Rule (specifically, 31 CFR 
1010.230(f)), ``covered financial institution'' has the meaning set 
forth in 31 CFR 1010.605(e)(1).
---------------------------------------------------------------------------

    Proposed Rule. The CTA authorizes FinCEN to disclose BOI upon 
receipt of a request ``made by a financial institution subject to 
customer due diligence requirements, with the consent of the reporting 
company, to facilitate the compliance of the financial institution with 
customer due diligence requirements under applicable law.'' \109\ The 
CTA defines neither ``financial institution subject to customer due 
diligence requirements'' nor ``customer due diligence requirements 
under applicable law.'' Proposed 31 CFR 1010.955(b)(4)(i) described 
both the types of financial institutions entitled to request BOI and 
the purposes for which those financial institutions could use that BOI. 
Under the rule, FinCEN would disclose BOI to financial institutions 
``subject to customer due diligence requirements under applicable 
law,'' and that BOI could be used ``in facilitating . . . compliance'' 
with those customer due diligence requirements.
---------------------------------------------------------------------------

    \109\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------

    Section 1010.955(b)(4)(i) further defined the phrase ``customer due 
diligence requirements under applicable law'' to mean the requirement 
imposed on ``covered financial institutions'' under 31 CFR 1010.230 to 
identify and

[[Page 88755]]

verify beneficial owners of their ``legal entity customers,'' primarily 
at account opening.\110\ These ``covered financial institutions'' are 
limited to: banks (including credit unions); brokers or dealers in 
securities registered, or required to be registered, with the SEC; 
futures commission merchants and introducing brokers in commodities 
registered, or required to be registered, with the CFTC; and mutual 
funds.\111\ In contrast, other types of financial institutions, such as 
money services businesses (MSBs) and insurance companies, would not be 
able to access BOI from FinCEN in light of the 2016 CDD Rule 
definition. Additionally, under the proposed rule, these financial 
institutions would be able to use BOI only to comply with 31 CFR 
1010.230, but not for other purposes. This approach was designed to 
enhance security and confidentiality, and facilitate audit and 
oversight, of the BOI database by describing a defined set of financial 
institutions and limiting opportunities for unauthorized use or 
intentional or inadvertent breaches.
---------------------------------------------------------------------------

    \110\ 31 CFR 1010.230(b). Under the 2016 CDD Rule, ``legal 
entity customer means a corporation, limited liability company, or 
other entity that is created by the filing of a public document with 
a Secretary of State or similar office, a general partnership, and 
any similar entity formed under the laws of a foreign jurisdiction 
that opens an account,'' with certain exceptions. Id. 1010.230(e). 
This definition of ``legal entity customer'' overlaps with, but is 
distinct from, the definition of ``reporting company'' in 31 CFR 
1010.380(c) of the Reporting Rule.
    \111\ 31 CFR 1010.230(f) (cross-referencing the definition of 
``covered financial institutions'' in 31 CFR 1010.605(e)(1)).
---------------------------------------------------------------------------

    FinCEN also considered a broader approach that would permit 
financial institutions with CIP obligations \112\ to access the 
database. A broader approach would have permitted more financial 
institutions to use BOI for a wider range of compliance activities, 
such as compliance with CIP regulations. FinCEN specifically requested 
comments on the interpretation of the phrase ``customer due diligence 
requirements under applicable law,'' including whether FinCEN should 
adopt a broader definition, how to best provide regulatory clarity, and 
how to maintain the security and confidentiality of BOI if a broader 
definition were adopted.\113\
---------------------------------------------------------------------------

    \112\ See 31 CFR 1020.220, 1023.220, 1024.220, 1026.220.
    \113\ The preamble to the proposed rule noted that FinCEN also 
had considered defining ``customer due diligence requirements under 
applicable law'' to include State, local, and Tribal customer due 
diligence requirements similar in substance to the 2016 CDD Rule. 
However, FinCEN chose not to do so, noting that it was unaware of 
any such requirements. FinCEN invited comments about any State, 
local, or Tribal laws or regulations that require financial 
institutions to identify and verify the beneficial owners of legal 
entity customers. One commenter noted that some states, such as New 
York, require financial institutions operating in the state to 
implement AML programs that include general customer identification 
and customer due diligence requirements. However, this commenter did 
not cite to any requirements to identify and verify beneficial 
owners of legal entities, as FinCEN's 2016 CDD Rule requires.
---------------------------------------------------------------------------

    Comments Received. FinCEN received many comments that were critical 
of FinCEN's proposed approach. First, commenters asserted that FinCEN's 
interpretation ran counter to the plain text of the CTA. Several 
commenters pointed to the CTA provision directing the Secretary to 
promulgate regulations that ``facilitate the compliance of [] financial 
institutions with anti-money laundering, countering the financing of 
terrorism, and customer due diligence requirements under applicable 
law.'' \114\ In order to implement this provision, one commenter noted 
that FinCEN should allow financial institutions to access BOI for more 
uses than compliance with 31 CFR 1010.230, and pointed to contrasting 
references in the CTA to 31 CFR 1010.230 and ``customer due diligence 
requirements under applicable law'' as indicative of Congressional 
intent.\115\ Another commenter stated that FinCEN erred when it pointed 
to the Sense of Congress as evidence that Congress understood 
``customer due diligence requirements under applicable law'' did not 
include ``anti-money laundering, [and] countering the financing of 
terrorism.'' \116\
---------------------------------------------------------------------------

    \114\ 31 U.S.C. 5336(b)(1)(F)(iv)(II).
    \115\ CTA, section 6403(d)(1) (directing the Secretary of the 
Treasury to revise the 2016 CDD Rule).
    \116\ CTA, section 6402(6)(B).
---------------------------------------------------------------------------

    Second, commenters argued that the proposed rule's approach would 
be burdensome for financial institutions and undermine the usefulness 
of the BOI database. In particular, commenters claimed that the 
proposed approach conflicted with the core CTA objectives that the BOI 
database be ``highly useful'' to financial institutions,\117\ and that 
burdens on financial institutions should be minimized.\118\ In this 
respect, one commenter listed the variety of AML/CFT compliance and 
sanctions-related tasks for which banks relied on the BOI obtained from 
legal entity customers under the 2016 CDD Rule, including, for example, 
compliance with CIP requirements, customer risk ratings, transaction 
monitoring, sanctions screening, identifying politically exposed 
persons, and filing SARs or sanctions-related reports.\119\ The 
commenter reiterated that the proposed rule would not provide financial 
institutions with any additional AML/CFT compliance value if financial 
institutions could use FinCEN-collected BOI only as described in the 
proposed rule; in fact, the commenter confirmed that financial 
institutions would be unlikely to use the database at all. Other 
commenters pointed to likely implementation burdens and duplicative 
requirements, such as the likely need to create a firewall and systems 
to separate FinCEN-obtained BOI from BOI obtained under the 2016 CDD 
Rule, given the different purposes for which those two types of BOI 
could be used. This, in turn, would also impose duplicative 
requirements on reporting companies, given their need to provide BOI to 
both FinCEN and to financial institutions.
---------------------------------------------------------------------------

    \117\ See 31 U.S.C. 5336(b)(1)(F)(iv).
    \118\ See CTA, section 6403(d)(1)(C) (directing that the 2016 
CDD Rule be revised to ``reduce any burdens on financial 
institutions and legal entity customers that are, in light of the 
enactment of this division and the amendments made by this division, 
unnecessary or duplicative'').
    \119\ The commenter noted, and FinCEN agrees, that the 2016 CDD 
Rule itself imposed no specific limits on how financial institutions 
could use the BOI collected under that rule, including for AML/CFT 
compliance purposes.
---------------------------------------------------------------------------

    Third, commenters maintained that the proposed approach conflicts 
with the broader AML/CFT regulatory framework, including supervisory 
expectations and FinCEN guidance on the role of customer due diligence 
in a financial institution's AML program. Several commenters stated 
squarely that the phrase ``customer due diligence requirements under 
applicable law'' clearly encompassed AML/CFT requirements beyond the 
identification and verification requirements of the 2016 CDD Rule. For 
example, commenters noted that the 2016 CDD Rule itself interprets 
``customer due diligence'' broadly to encompass ongoing monitoring for 
reporting suspicious transactions,\120\ and amends AML program rules to 
require financial institutions to implement risk-based
---------------------------------------------------------------------------

    \120\ See 2016 CDD Rule, 81 FR at 29398 (``FinCEN believes that 
there are four core elements of customer due diligence, and that 
they should be explicit requirements in the anti-money laundering 
(AML) program for all covered financial institutions, in order to 
ensure clarity and consistency across sectors: (1) Customer 
identification and verification; (2) beneficial ownership 
identification and verification; (3) understanding the nature and 
purpose of customer relationships to develop a customer risk 
profile; and (4) ongoing monitoring for reporting suspicious 
transactions and, on a risk-basis, maintaining and updating customer 
information.'').

---------------------------------------------------------------------------

[[Page 88756]]

procedures for doing so.\121\ \122\ Other commenters invoked 
supervisory expectations around the use of BOI, noting that the Federal 
Financial Institutions Examination Council (FFIEC) BSA/AML Examination 
Manual \123\ states that banks should specify in their policies

[…truncated; see source link]
Indexed from Federal Register on December 22, 2023.
