- (I) Executive Summary – page 77404
- (II) Background of the CTA and reporting final rule and access proposed rule – pages 77404 – 77408
- (III) Overview of Access Framework and Protocols – pages 77408 – 77411
- (IV) Section-by-section Analysis – BOI retention and disclosure at pages 77411 – 77424, FinCEN identifier at pages 77424 – 77425
- (V) Final Rule Effective Date (January 1, 2024) – page 77425
- (VI) Request for Comment (28 questions – the questions go from 1 through 26, then 29 and 30) – pages 77425 – 77426
- (VII) Regulatory analysis of the costs, benefits, burdens on the public and private sector entities and persons impacted – pages 77426 – 77453
Richards Comment Letter on the Proposed BOI Access Rule
Financial Crimes Enforcement Network
P.O. Box 39
Vienna, VA 22183
Submitted electronically to https://www.regulations.gov
Re: Request for Comments, Docket Number FINCEN-2022-27031 – Notice of Proposed Rulemaking Regarding Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities – Comments of James Richards, Principal and Founder of RegTech Consulting LLC.
Dear Acting Director Das:
I appreciate the opportunity to comment on the Notice of Proposed Rulemaking Regarding Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, or the proposed BOI Access Rule (as it is commonly called).
I am submitting these comments with a three-decade background fighting financial crimes in both the private and public sectors and a strong desire to see the U.S. AML/CFT regime become truly effective. I am offering suggestions and, where appropriate, providing answers to some of the questions that FinCEN has posed. Some of my comments are critical of what has been proposed. I am not critical of the bona fides, efforts, and integrity of those that have put together the proposed access rule: we simply differ on some aspects of the proposed rule. And, as you will read below, we differ greatly on the expected costs and burdens that the private sector will incur in implementing the rule.
By way of background, I have been actively involved in AML/CFT since the late 1990s. Currently, I am the principal and founder of RegTech Consulting LLC, a private consulting firm focused on providing strategic advice on all aspects of financial crimes risk management to AML software providers, financial technology start-ups, cannabis-related businesses, mid-size banks, and money services businesses. I am also a Senior Advisor to Verafin Inc., the leading provider of fraud detection and BSA/AML collaboration software for financial institutions in North America, and serve on the board of advisors for two providers of financial crimes compliance technologies and services, Quantifind Inc. and Duality Technologies, Inc. From 2005 through April 2018, I served as the BSA Officer and Director of Global Financial Crimes Risk Management for Wells Fargo & Co. As BSA officer, I was responsible for governance, training, and program oversight for BSA, anti-money laundering (AML), and sanctions for Wells Fargo’s global operations. As Director of Global Financial Crimes Risk Management, I was responsible for BSA, AML, counter-terrorist financing (CTF), external fraud and internal fraud and misconduct investigations, the identity theft prevention program, global sanctions, financial crimes analytics, and high-risk customer due diligence. Prior to my role with Wells Fargo, I was the AML operations executive at Bank of America where I was responsible for the operational aspects of Bank of America’s global AML and CTF monitoring, surveillance, investigations, and related SAR reporting. I represented Bank of America and Wells Fargo as a three-term member of the BSA Advisory Group (BSAAG). I was also a founding board member of ACAMS and the AFCFS. Prior to my 20-year career in banking, I was a prosecutor in Massachusetts, a barrister in Ontario, Canada, and a Special Constable with the Royal Canadian Mounted Police.
I am the author of “Transnational Criminal Organizations, Cybercrime, and Money Laundering” (CRC Press 1998). I earned a Bachelor of Commerce (BComm.) degree and Juris Doctorate (JD) from the University of British Columbia.
Introduction to the CTA and Related Rulemaking
Section 6403 of the Corporate Transparency Act (CTA), enacted into law as part of the Anti-Money Laundering Act of 2020 (AML Act), which is itself part of the National Defense Authorization Act for Fiscal Year 2021 (NDAA), required FinCEN to build and administer a national database of companies’ beneficial ownership. The CTA allowed federal, local, state, and Tribal law enforcement agencies, and some financial institutions, to access that database for specific reasons, and under some very strict controls.
As we are aware, the process for rulemaking is lengthy and tortuous.[1] In this case, an ANPRM that covered both reporting and access was published on April 5, 2021. It took twenty months for FinCEN to publish this access NPRM, with a “promise” to publish the final rule by December 31, 2023.[2] The comment period is 60 days, taking us to February 14, 2023. We can expect hundreds of substantive comments (over 500 comments were submitted for the proposed reporting rule).[3] It will take FinCEN months to consider and incorporate, where needed, those comments, then circulate a draft final rule to the required legislative and executive branch agencies for feedback. Then 30+ days for OMB approval. It is unlikely that FinCEN will be able to promulgate a final access rule by the end of 2023.[4] It is also unlikely that the database will be built, tested, and operational by the end of 2023. It is also unlikely that the federal, state, Tribal, and local law enforcement agencies will have met their (new) regulatory obligations to access, use, and store BOI. FinCEN should begin the process of setting out a manageable, realistic timeline, communicate that to all public and private sector participants, and manage to it.
Summary of My Comments
I have fourteen enumerated comments. They generally follow the Section-by-section Analysis. Where appropriate, I have referred to one of the twenty-eight questions that were posed by FinCEN.[5]
I made one comment on the regulatory analysis of the costs, benefits, burdens on the public and private sector entities and persons impacted. As I’ve written before, FinCEN really needs to revise its process for estimating the costs and burdens imposed on the private sector.[6] The estimates are generally inaccurate: put another way, I couldn’t find one that was reasonable. The only estimate that appears reasonable is FinCEN’s estimate of its own “burdens” in managing its IT help desk and regulatory support function. More on those later.
Comment 1 – FinCEN Identifier: Theory vs Practice
FinCEN is proposing to revise the just-promulgated FinCEN identifier rule to clarify the “intermediate entity” issue. A FinCEN identifier is a creation of the CTA: once a reporting company has filed an initial BOI report, it and the individuals identified as beneficial owners may apply for and obtain a unique identifying number. That unique identifying number will then be used in lieu of the individual’s BOI and, in some remarkably convoluted circumstances involving something called an “intermediate entity”, allow the reporting company to report its FinCEN identifier in lieu of providing certain beneficial owners’ BOI.[7] As explained in the proposed rule, FinCEN identifiers will only be available for individuals that are BOs of both the reporting company and the intermediate entity.
FinCEN’s apparent desire to “clean up” the FinCEN identifier sections of the just-issued reporting final rule reflects the complexities of the concept, the muddled and confused comments submitted about it, and FinCEN’s own struggles to explain it.[8]
Here is an example of the complexities. At page 77424 is this excerpt:
“… if the intermediate entity has any beneficial owners who are not also beneficial owners of the reporting company, the reporting company’s use of the intermediate entity’s FinCEN identifier would identify multiple individuals as beneficial owners of the reporting company, when in fact they are only beneficial owners of the intermediate entity. Additionally, if an individual is a beneficial owner of a reporting company through multiple intermediate entities but is not a beneficial owner of one of those entities, the reporting company’s use of that entity’s FinCEN identifier could obscure the identity of that beneficial owner. In this case, the reporting company’s use of an intermediate entity’s FinCEN identifier would fail to identify an individual as a beneficial owner of the reporting company, when in fact the individual is such a beneficial owner.”
Which begs the question “why bother with a FinCEN identifier at all?” The complexities it introduces, and the mischief that malign actors can make with it far outweigh the privacy-related benefits (which I still do not understand) that it apparently provides. Frankly, I still don’t understand what the FinCEN identifier accomplishes, or how it will actually work in practice. Indeed, the theory behind the FinCEN identifier may be sound, but putting it into practice may prove unworkable.[9] But I commend your efforts to clarify something that, to this three-decades-of-experience practitioner, is incomprehensible.
Comment 2 – Will FinCEN Need To Add Hundreds of Staff to Implement the CTA?
At page 77408 FinCEN notes “FinCEN continues to face resource constraints in developing and deploying the beneficial ownership IT System and efforts to put in place processes to support the collection and use of BOI.”
Indeed. As you explain FinCEN currently fields approximately 13,000 inquiries a year to its Regulatory Support Section and 70,000 inquiries a year into its IT Systems Help Desk. With the CTA and FinCEN’s “particular focus on providing adequate customer support” to the estimated 32 million reporting companies in Year 1 and 5 million additional reporting companies in Year 2 that will be reporting BOI, FinCEN is estimating thirty-six times as many requests the first year and six times as many requests every year thereafter.[10] Think of that: if FinCEN has ten people manning the Support Section and Help Desk today, it will need 360 people for 2024 and 60 people every year thereafter; if FinCEN has twenty people manning the Support Section and Help Desk today, it will need 720 people for 2024 and 120 people every year thereafter just to help reporting companies. Then there will be the 16,671 public and private sector agencies and institutions that will have access to, and use, the systems and BOI information. They will also need support and technical help.
As best I know, FinCEN has not sought Congressional approval for the headcount and funding needed to manage its CTA support needs. FinCEN needs to hire and train hundreds of support personnel in the next twelve months. That effort should be started today.
Comment 3 – Staged Access?
At page 77408 FinCEN hints that it may have to use a staged access by different authorized users:
“Without the availability of additional appropriated funds to support this project and other mission-critical services, FinCEN may need to identify trade-offs, including with respect to guidance and outreach activities, and the staged access by different authorized users to the database. FinCEN is currently identifying the range of considerations implicated by potential budget shortfalls and the trade-offs that are available and appropriate.”
This was a surprise and deserves a more fulsome explanation.
Comment 4 – Verification of BOI Without Verifying BOs
At page 77408 FinCEN provides that it will verify that the named BOI is an actual person, but not that the named BOI is an actual BOI of that reporting company (“FinCEN continues to evaluate options for verifying reported BOI. ‘Verification,’ as that term is used here, means confirming that the reported BOI submitted to FinCEN is actually associated with a particular individual.”).
This is the same problem with the current CDD Rule, which has financial institutions verifying that the named beneficial owner(s) is (are) actual persons, not that they are actually beneficial owners. Footnote 46 provides: “Pursuant to Sections 6502(b)(1)(C) and (D) of the AML Act, the Secretary, in consultation with the Attorney General, will conduct a study no later than two years after the effective date of the BOI reporting final rule, to evaluate the costs associated with imposing any new verification requirements on FinCEN and the resources necessary to implement any such changes.” This is an implicit admission that FinCEN’s “verification” is a limited concept. This is repeated at page 77427, where FinCEN’s estimates for the costs of building and running the program “do not include certain potential additional costs, such as for IT personnel or information verification …”.
Comment 5 – Law Enforcement Access
At pages 77409 – 77410 is a summary of the access. Federal agencies will have immediate access to “run queries using multiple search fields” after they “submit brief justifications to FinCEN for their searches, explaining how their searches further a particular qualifying activity”. The proposed rule does not address how this will be done: “FinCEN will develop guidance for agencies on submitting the required justifications.”
Apparently, Congress does not have the same faith in the integrity of state, tribal, and local law enforcement agencies, as those agencies are required to obtain a court authorization to access BOI. After uploading a court order that is approved by FinCEN, those agencies can then “conduct searches using multiple search fields”. All of the agencies – Federal, State, local, and Tribal – will have “broad search capabilities”.
Yet these broad search capabilities may not be utilized because of the strict controls imposed on law enforcement. How strict are those controls? By far the lengthiest section of the 3,963-word proposed rule (31 CFR 1010.955) is 1010.955(d)(1), “Security and confidentiality requirements for domestic agencies”, at 1,316 words.[11] But, like financial institutions’ access (see Comment 7), the complexities of law enforcement access have a legislative source, not a regulatory source, so any solutions lie with Congress, not FinCEN.
Comment 6 – Trusted Foreign Country, or Trusted Country?
The CTA provides that FinCEN may disclose BOI upon receipt of a request “from a Federal agency on behalf of a law enforcement agency, prosecutor, or judge of another country, including a foreign central authority or competent authority (or like designation), under an international treaty, agreement, convention, or official request made by law enforcement, judicial, or prosecutorial authorities in trusted foreign countries when no treaty, agreement, or convention is available.”
FinCEN sought comments on the following question (question 10): “Should FinCEN define the term ‘trusted foreign country’ in the rule, and if so, what considerations should be included in such a definition?”
I can’t think of a situation where the United States would consider a country to be a “trusted foreign country” where there is no international treaty, agreement, or convention. There was nothing in the proposed rule about how that designation would be made, and which federal agency would make it (e.g., the State Department?). FinCEN should provide clarity and, if possible, publish a list of trusted countries.
Also, the modifier “foreign” is redundant. There is one “domestic country” – the United States. Every other country is foreign.[12]
Comment 7 – Financial Institution Access Remains Too Limited
FinCEN correctly notes that “broadly, and critically, BOI can identify linkages between potential illicit actors and opaque business entities, including shell companies” (page 77405). That is true. Unfortunately, the CTA, and the proposed access rule, prevent financial institutions from being able to fully use BOI to identify linkages between potential illicit actors and opaque business entities.
FinCEN explains that financial institutions will have direct access “albeit in more limited form” than Federal, State, local, and Tribal law enforcement agencies. In fact, “FinCEN is therefore not planning to permit FIs to run broad or open-ended queries in the beneficial ownership IT System or to receive multiple search results … [they will only] receive an electronic transcript with that entity’s BOI.” (page 77410). This is consistent with the Fact Sheet:
“Consistent with the CTA, the proposed rule would only permit FIs to request BOI from FinCEN for purposes of complying with CDD requirements under applicable law, and only with the consent of the reporting company to which the BOI pertains. FinCEN thus anticipates that an FI, instead of being able to run open-ended queries in the beneficial ownership IT system or to receive multiple search results, would submit identifying information specific to a reporting company and receive in return an electronic transcript with that entity’s BOI. This more limited information-retrieval process would reduce the overall risk of inappropriate use or unauthorized disclosures of BOI.”[13]
This remains the biggest flaw in the CTA that cannot be corrected by regulation: financial institutions cannot query the BOI database to identify linkages between potential illicit actors and opaque business entities, including shell companies. Financial institutions can only query the BOI database to determine the names of the beneficial owners that are provided by the reporting company.
There are always at least two questions that a financial institution needs to ask when onboarding a legal entity customer: (1) who are the beneficial owners of the legal entity customer? And (2) are those beneficial owners also beneficial owners of any other legal entities? Financial institutions can only query the database for the beneficial ownership information for a particular reporting company, as long as that reporting company provides its consent. So financial institutions could get BOI for RegTech Consulting LLC, as long as RegTech Consulting LLC provides its consent, but they could not determine if RegTech Consulting LLC’s beneficial owner – Jim Richards – is also the beneficial owner of other reporting companies. This is the biggest flaw in the CTA and in the proposed rule. But, since the flaw is legislative and not regulatory, the solution lies with Congress, not FinCEN.
Comment 8 – A Proposed Solution to the Phrase “CDD Under Applicable Law”
The CTA authorizes FinCEN to disclose BOI upon receipt of a request “made by a financial institution subject to customer due diligence requirements, with the consent of the reporting company, to facilitate the compliance of the financial institution with customer due diligence requirements under applicable law.” (31 U.S.C. 5336(c)(2)(B)(iii)). FinCEN deliberately, and with some detail, limited those requirements. It wrote, at page 77415:
“the proposed rule would define ‘customer due diligence requirements under applicable law’ to mean FinCEN’s customer due diligence (CDD) regulations at 31 CFR 1010.230, which require covered FIs to identify and verify beneficial owners of legal entity customers. FinCEN considered interpreting the phrase ‘customer due diligence requirements under applicable law’ more broadly to cover a range of activities beyond compliance with legal obligations in FinCEN’s regulations to identify and verify beneficial owners of legal entity customers. FinCEN’s separate Customer Identification Program regulations [1010.220], for example, could be considered customer due diligence requirements. FinCEN decided not to propose this broader approach, however. The bureau believes a more tailored approach will be easier to administer, reduce uncertainty about what FIs may access BOI under this provision, and better protect the security and confidentiality of sensitive BOI by limiting the circumstances under which FIs may access BOI. That said, FinCEN solicits comments on whether a broader reading of the phrase ‘customer due diligence requirements’ is warranted under the framework of the CTA, and, if so, how customer due diligence requirements should be defined in order to provide regulatory clarity, protect the security and confidentiality of BOI, and minimize the risk of abuse.”
The result is that FinCEN is defining “CDD requirements” as those in 31 CFR 1010.230 (the 2016 beneficial ownership rule). FinCEN did not include the CIP requirements in 1010.220 or the ongoing CDD requirements in 1010.210 (which refers to each type of FI’s requirements, such as 1020.210 for banks), which include a requirement to identify and report suspicious activity.
Does this mean that FIs cannot use BOI for ongoing monitoring to identify and report suspicious activity?
FinCEN appears to have some doubts about its restrictive definition of “customer due diligence requirements under applicable law” as it has posed two (actually five) questions about it:
“Question 12. FinCEN proposes to define “customer due diligence requirements under applicable law” to mean the bureau’s 2016 CDD Rule, as it may be amended or superseded pursuant to the AML Act. The 2016 CDD Rule requires FIs to identify and verify beneficial owners of legal entity customers. Should FinCEN expressly define “customer due diligence requirements under applicable law” as a larger category of requirements that includes more than identifying and verifying beneficial owners of legal entity customers? If so, what other requirements should the phrase encompass? How should the broader definition be worded? It appears to FinCEN that the consequences of a broader definition of this phrase would include making BOI available to more FIs for a wider range of specific compliance purposes, possibly making BOI available to more regulatory agencies for a wider range of specific examination and oversight purposes, and putting greater pressure on the demand for the security and confidentiality of BOI. How does the new balance of those consequences created by a broader definition fulfill the purpose of the CTA?”
“Question 13. If FinCEN wants to limit the phrase “customer due diligence requirements under applicable law” to apply only to requirements like those imposed under its 2016 CDD Rule related to FIs identifying and verifying beneficial owners of legal entity customers, are there any other comparable requirements under Federal, State, local, or Tribal law? If so, please specifically identify these requirements and the regulatory bodies that supervise for compliance with or enforce them.”
I would point out that Congress provided Treasury with some instruction on promulgating regulations under the CTA. The new section 5336(b)(1)(F) provides, in part:
“(F) REGULATION REQUIREMENTS. – In promulgating the regulations required under subparagraphs (A) through (D), the Secretary of the Treasury shall, to the greatest extent practicable … (iv) collect information described in paragraph (2) [the required BOI] in a form and manner that ensures the information is highly useful in (I) facilitating important national security, intelligence, and law enforcement activities; and (II) confirming beneficial ownership information provided to financial institutions to facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.”
It appears Congress has laid out two conflicting requirements. First, 5336(b)(1)(F) provides that BOI should be highly useful to financial institutions “to facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.” Those are three things: AML, CFT, and CDD. Put another way, AML and CFT – the identification and reporting of suspicious activity – are different from, or in addition to, CDD. But then in 5336(c)(2)(B)(iii) FinCEN may only disclose BOI upon receipt of a request “made by a financial institution subject to customer due diligence requirements, with the consent of the reporting company, to facilitate the compliance of the [FI] with customer due diligence requirements under applicable law.”
FinCEN is soliciting comments on whether a broader reading of the phrase “customer due diligence requirements” is warranted under the framework of the CTA, and, if so, how customer due diligence requirements should be defined in order to provide regulatory clarity, protect the security and confidentiality of BOI, and minimize the risk of abuse.
A broader reading of CDD to encompass the CIP requirements in 1010.220 (identifying a customer is a precondition of performing CDD on the customer) and the ongoing CDD requirements in 1010.210 would allow financial institutions to “confirm[] beneficial ownership information provided to financial institutions to facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law”, as Congress intended. And the next two points below (points 9 and 10) – that FinCEN is proposing to limit the use of BOI to financial institution employees physically located in the United States, and the information security requirements under Gramm-Leach-Bliley section 501 – should suffice to protect the security and confidentiality of BOI and thus minimize the risk of abuse.
The change would be easy to make: the proposed section 1010.955(b)(4)(i) reads, in part: “For purposes of this section, customer due diligence requirements under applicable law are the beneficial ownership requirements for legal entity customers at § 1010.230, as those requirements may be amended or superseded.” That section could be changed to:
“For purposes of this section, customer due diligence requirements under applicable law are –
(I) the anti-money laundering program requirements at § 1010.210,
(II) the customer identification program requirements at § 1010.220, and
(III) the beneficial ownership requirements for legal entity customers at § 1010.230,
as those requirements may be amended or superseded.”
Comment 9 – Private Sector Security Protocols Should Dictate Where BOI Can Be Accessed, Not The Location of the Person
“FinCEN envisions that there are circumstances in which FI employees may have a similar need [similar to law enforcement] to share BOI with counterparts, e.g., if they are working together to onboard a new customer. Proposed 31 CFR 1010.955(c)(2)(ii) therefore extends a comparable authority to FIs. One difference should be noted: FinCEN proposes to expressly limit FIs to redisclosing BOI to other officers, employees, contractors, and agents of the FI physically present in the United States.” (page 77418)
FinCEN explained its concerns:
“Allowing U.S. FIs to re-disclose BOI outside of the United States creates the potential for a foreign government agency to obtain such BOI by serving a judicial or administrative warrant, summons, or subpoena directly on the foreign entity or location where the BOI is stored. Prohibiting FIs from moving BOI outside the United States reinforces and complements the requirements associated with the requirements through which foreign governments can obtain BOI under the proposed rule.”
In question 23 FinCEN asks (1) whether the proposed restriction requiring FIs to limit BOI disclosure to FI directors, officers, employees, contractors, and agents within the United States would impose undue hardship on FIs, and (2) what the practical implications and potential costs of this limitation would be.
First, it should be noted that the restricting phrase “within the United States” is used in two places in the proposed rule: paragraph (c)(2)(ii) provides:
“… any director, officer, employee, contractor, or agent of a financial institution who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(4)(i) of this section may disclose such information to another director, officer, employee, contractor, or agent within the United States of the same financial institution for the particular purpose or activity for which such information was requested, consistent with the requirements of paragraph (d)(2) of this section.”
And paragraph (d)(2)(i), titled “Restrictions on personnel access to information” provides that “the financial institution shall restrict access to information obtained from FinCEN under paragraph (b)(4)(i) of this section to directors, officers, employees, contractors, and agents within the United States.”[14]
The result is clear: FinCEN is “prohibiting FIs from moving BOI outside the United States”. FinCEN has effectively “onshored” any offshore CDD team that every financial institution has set up. This will be particularly onerous on the largest financial institutions and those US branches of foreign institutions. It will take years and millions of dollars to move CDD teams onshore.
FinCEN should reconsider this US-only approach. It is less about the physical location of the people accessing and using BOI and more about the safeguards developed and implemented. FinCEN addresses this at page 77421, the introduction to the safety and security of the BOI for financial institutions. FinCEN is proposing a “principles-based approach by requiring FIs to develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI as a precondition for receiving BOI.” And the safe harbor standard is the existing Gramm-Leach-Bliley section 501. GLB s. 501 should suffice to protect BOI, wherever it is physically accessed.
Another consideration would be to allow a financial institution’s offshore staff to access BOI if the BOI is protected by privacy enhancing technologies such as fully homomorphic encryption.
Comment 10 – A Proposed Solution to Obtaining Reporting Company Consent
FinCEN proposes that financial institutions be required to obtain the reporting company’s consent in order to request the reporting company’s BOI from FinCEN. FinCEN invited commenters to “indicate what barriers or challenges FIs may face in fulfilling such a requirement, as well as any other considerations” (Question 11).
Current proposed section 1010.955(d)(2)(iii) provides:
“(iii) Consent to obtain information. Before making a request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall obtain and document the consent of the reporting company to request such information. The documentation of the reporting company’s consent shall be maintained for 5 years after it is last relied upon in connection with a request for information under paragraph (b)(4)(i) of this section.”
There is nothing in the NPRM about obtaining consent through a notice in the institution’s account opening terms and conditions. That section can be revised to allow financial institutions to obtain such consent at the time of account opening or in any other customer-acknowledged agreement. Two existing regulations require financial institution customers to provide a certification or acknowledgment, or be given notice of an AML requirement, at account opening. These could be models for a 1010.955 consent. First is the certification regarding beneficial owners of legal entity customers, appendix A to 1010.230. Second is in the current CIP rule, 31 CFR 1010.220, which in turn refers to the regulations for each of the financial institution types. Using the banking regulation as an example, 31 CFR 1020.220(a)(5), the CIP notice provisions are:
1020.220(a)(5)(i) Customer notice. The CIP must include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities.
1020.220(a)(5)(ii) Adequate notice. Notice is adequate if the bank generally describes the identification requirements of this section and provides the notice in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a bank may post a notice in the lobby or on its Web site, include the notice on its account applications, or use any other form of written or oral notice.
1020.220(a)(5)(iii) Sample notice. If appropriate, a bank may use the following sample language to provide notice to its customers:
Important Information About Procedures for Opening a New Account
To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.
What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.
Proposed section 1010.955(d)(2)(iii) could be revised to provide:
“(iii)(A) Consent to obtain information. Before making a request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall obtain and document the consent of the reporting company to request such information.
(iii)(B) Obtaining adequate consent. Consent is adequate if the bank generally describes the consent requirements of this section and provides the notice in a manner reasonably designed to ensure that a customer is able to view the consent, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a bank may post a consent in the lobby or on its Web site, include the consent on its account applications, or use any other form of written or oral notice.
(iii)(C) Recordkeeping requirements. The documentation of the reporting company’s consent shall be maintained for 5 years after it is last relied upon in connection with a request for information under paragraph (b)(4)(i) of this section.”
Comment 11 – The Regulatory Analysis Estimates Are, Overall, Unrealistic
The NPRM cost benefit analysis, beginning on page 77426, includes many estimates that appear unrealistic, at best, and wildly off base, at worst. Some examples follow.
A. FinCEN underestimates the number of times financial institutions will need to access the database – FinCEN estimates that 16,252 financial institutions have CDD responsibilities, and that the average financial institution will access the database 1.5 times a day for all 250 business days a year.[15] “FinCEN assumes that financial institutions would submit BOI requests related to newly open[ed] legal entity customer accounts in alignment with the 2016 CDD Rule.” (page 77442). This assumption is wrong in three ways. First, the 2016 CDD Rule requires financial institutions to collect and verify BOI for every new customer, and every existing customer opening a new account. Second, the definition of “legal entity customer” under the 2016 CDD Rule is broader than the definition of “reporting company” under the CTA. An example is a money services business which is a “legal entity customer” but not a “reporting company”. And third, the use of an average for such a diverse set of institutions may not be appropriate (see below for a discussion of the use of averages).
B. FinCEN underestimates the number of employees that will need to access the database – To come up with cost and benefit estimates, FinCEN has broken out financial institutions into two buckets – large and small – based on the Small Business Administration’s definition of “small”, which is (simply) having assets of less than $750 million. With this, FinCEN has determined that there are 2,201 large financial institutions and 14,051 small financial institutions.
FinCEN then makes an assumption: “FinCEN assumes one to two employees per small financial institution and five to six employees per large financial institution” will be performing CDD and will need to access the BOI database. (page 77442). In fairness, FinCEN acknowledges “this number could significantly vary across financial institutions” and requests comment on these assumptions.
Which is good, because the assumption is wildly, dramatically off. And averages should not be used in an industry that is anything but average.
I looked at FDIC bank data from December 31, 2021 that includes asset size and employee count. There were 4,849 FDIC-insured banks and savings associations as of 12/31/21, of which 1,263 had assets of more than $750 million and 3,586 had assets of $750 million or less.
Large Banks:
- The top 4 by asset size had 134,000 to 218,000 employees
- The next tier of large banks – numbers 5 through 25 by asset size – had between 9,500 and 67,700 employees; the median bank in this tier had 19,200 employees
- The next tier of large banks – numbers 26 through 100 by asset size – had between 1,800 and 9,300 employees; the median bank in this tier had 3,100 employees
- The last tier of large banks – numbers 101 through 1,263 with assets of $750 million or more – had between 0 (as indicated by the FDIC) and 1,250 employees; the median bank in this tier had 34 employees.[16]
Small Banks:
Based on FDIC data, there were 3,586 “small” banks and savings associations as of December 31, 2021. The number of such banks, by asset range and average employee count (apologies for using averages!), was:
- 481 banks with assets of $500 million to $750 million averaged 99 employees
- 323 banks with assets of $400 million to $500 million averaged 78 employees
- 442 banks with assets of $300 million to $400 million averaged 59 employees
- 607 banks with assets of $200 million to $300 million averaged 43 employees
- 915 banks with assets of $100 million to $200 million averaged 28 employees
- 818 banks with assets of $0 million to $100 million averaged 13 employees
I then made some assumptions on how many employees in the first and second line would have some responsibilities for opening customer accounts, dealing with customer onboarding, performing second-line CDD, or having some QA/QC or audit (testing) responsibilities for these functions. I assumed that the largest banks would have at least 5 percent of their employees that dealt with customers: onboarding customers, performing onboarding and ongoing CDD, testing and validating and auditing this work. I assumed that 10 percent to 15 percent of employees in the next three tiers of large banks performed similar functions. And for the small banks, I assumed 10 percent performed similar functions. The following table summarizes these results:
FinCEN determined that between 1 and 2 people in the small banks, and 5 to 6 people in the large banks, on average, would access the BOI database. In addition, “based on feedback from Federal agency outreach, FinCEN assumes a minimum of one financial institution employee and a maximum of six financial institution employees would undergo annual BOI training.”
As seen in the table above, I estimate that the 3,586 small banks will have 1.5 to 10 people performing CDD, with the average small bank having 4 to 5 people performing CDD. I estimate that the 1,263 large banks will have between 5 and 5,000 people performing CDD, with the average large bank having 26 to 27 people performing CDD.
C. FinCEN has not included all private sector employees that will need to access the database and obtain training – FinCEN has not included FIs’ audit costs related to the CTA. FinCEN includes the audit costs for the federal and local law enforcement agencies, but not for financial institutions. Audit costs must be included.
The training estimates are also underestimated. FinCEN assumes the only people that need training are those that are accessing the database: “Based on feedback from Federal agency outreach, FinCEN assumes a minimum of one financial institution employee and a maximum of six financial institution employees would undergo annual BOI training.” (page 77442). FinCEN forgets about all the people opening accounts and dealing with customers. They must be included.
D. FinCEN has underestimated the implementation times – FinCEN estimates that it will take a financial institution 10 hours to update its customer consent forms and processes. This is not reasonable. It will take 10 hours to read the proposed rule, let alone implement a final rule. Updating policies, procedures, processes, and forms involves compliance officers, lawyers, marketing experts, process engineers, project managers, technology specialists, etc. It will take 10,000 hours of personnel time … perhaps 100,000 hours in the largest institutions, to update account opening policies, procedures, processes, and forms.
The same holds true for the estimates of the one-time administration costs to establish “admin and physical safeguards”. The estimate of 40 to 80 hours is exponentially off and needs to be revisited.
I recommend that FinCEN re-visit its estimates on the private sector’s costs and burdens of meeting the requirements of the Access Rule.
What is Not in the NPRM But Should Be
Comment 12 – Notice to FIs When BOI is Corrected or Updated
The initial reporting of beneficial ownership provides a point-in-time snapshot of the then-current roster of a reporting company’s beneficial owners. But the CTA and reporting final rule also provided for updating that initial report “if there is any change with respect to required information previously submitted to FinCEN concerning a reporting company or its beneficial owners, including any change with respect to who is a beneficial owner or information reported for any particular beneficial owner.”[17] There is nothing in the NPRM about financial institutions getting notice from FinCEN when an already-queried reporting company corrects or amends its BOI.
The new section 5336(b)(1)(F) provides that BOI should be highly useful to financial institutions “to facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.”
If a financial institution’s customer files an amended or corrected BOI report with FinCEN, FinCEN will have current and accurate BOI on that reporting company, but the reporting company’s financial institution will not. The financial institution will have information that is stale, incomplete, or wrong. That is the opposite of “highly useful”.
FinCEN should develop a process to provide notice to financial institutions when an already-queried reporting company corrects or amends its BOI. This will not be easy: currently there are no provisions in the proposed rules that require the financial institution to indicate whether the reporting company is not yet a customer or is a customer. And there are no provisions requiring financial institutions to report to FinCEN when the previously queried reporting company ceases to be a customer.
Comment 13 – Tipping Off
When FinCEN revises the final rule to allow financial institutions to use accessed BOI for identifying and reporting suspicious activity (see Comment 8), there will need to be provisions about not “tipping off” a reporting company prospect or customer when seeking its consent to obtain that reporting company’s BOI, and whether there should be a “safe harbor”.
Comment 14 – Accessed BOI Differing from Existing BOI
Section 6403(d) of the CTA is clear that the new BOI rules will not repeal the requirement that financial institutions identify and verify beneficial owners under 31 CFR 1010.230(a).[18]
By the time the BOI database is functioning, and reporting companies are submitting BOI reports and financial institutions are accessing BOI reports, those financial institutions will likely have obtained beneficial ownership information on all of their legal entity customers. Although the number of potential beneficial owners under the CDD rule differs from the number of potential beneficial owners under the CTA,[19] and the definitions of, and exceptions to, legal entity customers and reporting companies differ,[20] financial institutions will have to manage two versions of BOI.
There is nothing in the proposed rule about what financial institutions are supposed to do if the accessed BOI that comes back is not consistent with what they have obtained or know about their customer (or prospective customer). I expect that FinCEN considers this to be part of the third rule that will bring the current CDD rule into conformity with the current BOI reporting rule and expected final BOI access rule. However, financial institutions will need to develop risk tolerance provisions and risk assessments; develop policies, procedures, processes, and systems; and train their staff for accessing the BOI data well before the revised CDD Rule is developed by FinCEN.
Until the revised CDD Rule is published, FinCEN should be prepared to use FAQs, Advisories, and/or Guidance to provide financial institutions with information on how to manage discrepancies between the CDD Rule BOI and the Reporting Rule BOI.
Conclusion
Rulemaking must be one of the most difficult tasks you face. And rulemaking for beneficial ownership information disclosure, access, security, and confidentiality appears to be particularly difficult. So I commend the efforts that you and your teams, and your public sector partners, have clearly expended. The proposed rule is excellent, and it fairly reflects the bounds imposed by the CTA itself.
My intent with these comments was to provide constructive feedback and to provide some possible solutions. The effect, though, may be seen as overly critical. “Being a critic is easy. But if the critic tries to run the operation, he soon understands that nothing is as easy as his criticisms” wrote Haemin Sunim more than ten years ago.[21] I certainly do not want to, nor could, do your job nor draft a beneficial ownership information access rule that would remotely match what has been done to date. But with the comments you will receive over the next 52 days, I am confident the final rule will ensure that beneficial ownership information is highly useful in facilitating important national security, intelligence, and law enforcement activities.
Thank you for your consideration.
s/
James Richards
Principal and Founder, RegTech Consulting, LLC
Walnut Creek, CA
(925) 818-6612
Endnotes
[1] The current beneficial ownership rule is a good example of this lengthy, tortuous process. It began in 2003 with a FATF recommendation, non-compliance with that recommendation in the 2006 Mutual Evaluation of the United States, guidance on beneficial ownership in 2010, an ANPRM in 2012, an NPRM in 2014, a Final Rule in May 2016, and the implementation of the Final Rule in May 2018.
[2] In fairness, a technical reading of the CTA imposed a one-year time period (from the enactment of the AMLA and CTA) for FinCEN to implement rules for reporting BOI under the then-new 31 USC s. 5336(b). There was no similar time-period within which FinCEN was to promulgate rules for the retention and disclosure of BOI in 5336(c), or what we now refer to as the Access Rule.
[3] Interested parties, and some cranks, submitted 220 comments to the ANPRM. Many of the same interested parties, and some of the same cranks, submitted over 240 comments to the December 8, 2021 Reporting NPRM.
[4] The Reporting Rule took a total of 17 months from the ANPRM (April 5, 2021) to the NPRM (December 8, 2021) to the Final Rule (September 30, 2022). It took over 9 months to move from the NPRM to the Final Rule. If the Access Rule follows the same course, a Final Rule will be published in late September 2023, leaving public and private sector agencies and institutions a mere three months to design, develop, test, and implement new policies, procedures, processes, and systems.
[5] Although there were thirty enumerated questions in part (VI) Request for Comment, they were numbered 1 through 26, then 29 and 30. See pages 77425 – 77426 of the NPRM.
[6] See, for example, https://regtechconsulting.net/aml-regulations-and-enforcement-actions/fincens-estimate-of-the-costs-and-burden-of-filing-sars-is-evolving-but-needs-private-sector-input/
[7] See page 77424 of the proposed rule.
[8] FinCEN’s use of words and phrases such as “implicit assumption” and “straightforward” in explaining its changes on page 77424 reflects these struggles.
[9] Yogi Berra explained this more eloquently than me: “In theory there is no difference between theory and practice. In practice there is.”
[10] See page 77408, where FinCEN estimates that 10 percent of those reporting companies “will have questions about the reporting requirement or the form, or technical issues when filing, that could result in upwards of 3 million inquiries in Year 1, and 500,000 per year after that.”
[11] The section on security and confidentiality for foreign recipients is a mere 374 words. The section on security and confidentiality for financial institutions is only 374 words.
[12] Credit to Mae West, who said “I only like two kinds of men, domestic and imported.”
[13] https://www.fincen.gov/nprm-fact-sheet
[14] Paragraph (b)(4)(i) is the BOI that financial institutions will receive from FinCEN.
[15] Footnote 228, page 77442
[16] The average bank in this large bank tier had 45 employees.
[17] 31 CFR § 1010.380(b) implementing new section 31 USC § 5336(b)(1)(D).
[18] Section 6403(d) provides that the Secretary shall revise the May 11, 2016 final rule entitled ‘‘Customer Due Diligence Requirements for Financial Institutions’’ (81 Fed. Reg. 29397) – that section is titled “revised due diligence rulemaking”, not “rescinded due diligence rulemaking”. The revisions shall “bring the [CDD] rule into conformance with” the CTA, “account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336 … in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements …”. And in carrying this out, “the Secretary of the Treasury shall rescind paragraphs (b) through (j) of section 1010.230 …”. Finally, section 6403(d) ends with “nothing in this section may be construed to authorize the Secretary of the Treasury to repeal the requirement that financial institutions identify and verify beneficial owners of legal entity customers under section 1010.230(a) of title 31, Code of Federal Regulations.”
[19] There can be only one person under the “control prong” of the CDD Rule; there can be any number of persons with “substantial control” under the BOI reporting rule. Also, there are no applicants under the CDD Rule.
[20] For example, under the BOI Rule, legal entity customers that are not reporting companies include charities, money services businesses, and businesses with 20 or more employees, revenue of $5 million or more, and primary location in the United States.
[21] https://www.goodreads.com/book/show/30780006-the-things-you-can-see-only-when-you-slow-down. Sunim also wrote that “criticism without a solution is merely an inflation of the critic’s ego.” Thus I was careful to offer a few solutions.
FinCEN’s Twenty-Eight Questions
Text of Proposed Regulation – 31 CFR s. 1010.955
- § 1010.955(a) – paragraph (a) of section 1010.955
- § 1010.955(a)(1) – subparagraph (1) of paragraph (a) of section 1010.955
- § 1010.955(a)(1)(i) – clause (i) of subparagraph (1) of paragraph (a) of section 1010.955
- § 1010.955(a)(1)(i)(A) – subclause (A) of clause (i) of subparagraph (1) of paragraph (a) of section 1010.955
- § 1010.955(a)(1)(i)(A)(1) – I have no idea what (1) is called of subclause (A) of clause (i) of subparagraph (1) of paragraph (a) of section 1010.955
- § 1010.955(a)(1)(i)(A)(1)(i) – I have no idea what (i) is called of I have no idea what (1) is called of subclause (A) of clause (i) of subparagraph (1) of paragraph (a) of section 1010.955