With the new year upon us, many companies now must prepare themselves to comply with the disclosure requirements of the Corporate Transparency Act (CTA), which took effect on Jan. 1, 2024. In brief, the CTA requires most entities that are organized by making a filing with a state secretary of state to register (subject to 23 statutory exemptions) with the Financial Crimes Enforcement Network (FinCEN) and, in doing so, provide information about themselves and their “beneficial owners” and “company applicants.” Entities that were formed before Jan. 1, 2024 have until Jan. 1, 2025 to file their initial reports, while entities formed thereafter have 90 days to file their initial reports if formed in 2024 or 30 days if formed in a subsequent year. There also are ongoing obligations to update information that was previously provided to FinCEN.
Of relevance to CTA watchers and anyone else who’s concerned about how information that’s reported to FinCEN will be protected, FinCEN issued a final rule in late December 2023, addressing a significant concern raised by the CTA: the safeguarding of sensitive beneficial ownership information (BOI).
This rule, which takes effect on Feb. 20, 2024, implements the CTA’s BOI access provisions, prescribing how BOI that’s been reported to FinCEN may be disclosed to authorized recipients and how it must be protected.
Six Categories of Recipients
In furtherance of the CTA’s mandate to create a usable BOI database for national security and law enforcement purposes, FinCEN may disclose BOI to six categories of recipients, each of which is subject to specific security and confidentiality requirements:
1. Federal Government Agencies. FinCEN may disclose BOI to federal agencies engaged in national security, intelligence and civil and criminal law enforcement activities, if the BOI requested is in furtherance of these activities. Agencies will be required to make certain certifications and provide certain information to FinCEN to access BOI.
2. State, Local & Tribal Law Enforcement Agencies. FinCEN also may disclose BOI to state, local and tribal law enforcement agencies for use in a civil or criminal investigation if such an agency has received authorization from a court of competent jurisdiction. For this purpose, a “court of competent jurisdiction” is one with jurisdiction over the criminal or civil investigation for which the agency requests BOI. There are certain certification and information requirements with which these agencies will need to comply as well.
3. Foreign Requesters. In certain circumstances, FinCEN may disclose BOI to foreign law enforcement agencies, prosecutors, judges or foreign central authorities or competent authorities. Any such request from a foreign requester needs to be: (1) made through an intermediary federal agency, (2) for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country, and (3) made under an international treaty or other agreement, or, if that isn’t available, an official request by a law enforcement, judicial or prosecutorial authority of a trusted foreign country. FinCEN has eschewed developing a discrete definition of what constitutes a “trusted foreign country” for this purpose, opting instead for case-by-case determinations in consultation with the U.S. Departments of State and Justice.
4. Financial Institutions. FinCEN may disclose BOI to financial institutions for use in complying with customer due diligence requirements, but only if the reporting company consents to the disclosure. Customer due diligence requirements can include not only anti-money laundering and combating the financing of terrorism obligations under the Bank Secrecy Act, but also other requirements, such as Office of Foreign Assets Control sanctions compliance, provided that it’s reasonably necessary to obtain or verify the BOI of customers that are entities to satisfy those requirements. The BOI can’t be used for general business or commercial purposes.
5. Federal Functional Regulators & Other Appropriate Regulatory Agencies. BOI may be disclosed to federal functional regulators and other regulatory agencies that are supervising financial institutions for compliance with customer due diligence requirements. Regulators in this position may only access BOI that financial institutions under their supervision received from FinCEN and may only use this information to ascertain the financial institutions’ compliance with customer due diligence requirements.
6. U.S. Department of Treasury Personnel. Any Treasury officer or employee may access BOI: (1) if their official duties require BOI inspection or disclosure, or (2) for tax administration. Treasury is expected to establish internal policies and procedures governing internal access to BOI. The BOI is intended to be used for various purposes, including tax administration, enforcement, intelligence and analytical purposes, sanctions investigations and designations and administering the BOI framework generally.
Security & Confidentiality Requirements
Each requesting agency must comply with several security and confidentiality requirements when requesting BOI. For example, a requesting agency must establish standards and procedures to protect BOI, enter into an agreement with FinCEN detailing the security and confidentiality standards and systems it will maintain, establish and maintain a secure BOI storage system and auditable BOI request records, and so forth. Foreign requesters are subject to many of the same requirements. A requesting financial institution also must develop and implement safeguards to protect BOI, including geographic restrictions on where information can be stored.
Re-Disclosure of BOI
Authorized recipients of BOI generally may not re-disclose BOI, except under specified circumstances. Thus, BOI may be disclosed: (1) among officers, employees, agents and contractors of an authorized recipient entity; (2) among financial institutions and their regulators; (3) by intermediary federal agencies to foreign requesters; (4) by authorized federal agencies to courts of competent jurisdiction or to parties in a civil or criminal proceeding; (5) by authorized agencies to prosecutors or for use in litigation related to the need for BOI; (6) by foreign authorities consistent with the international treaty, agreement or convention which allowed receipt of the BOI; and (7) by authorized recipients in other situations as authorized by FinCEN.
Violations
To ensure compliance with its standards, the CTA imposes substantial civil and criminal penalties for disclosure violations.