Richards Comments on Proposed Beneficial Ownership Access Rule – December 2022

Merry Christmas!
Section 6403 of the Corporate Transparency Act (CTA), enacted into law as part of the Anti-Money Laundering Act of 2020 (AML Act), which is itself part of the National Defense Authorization Act for Fiscal Year 2021 (NDAA), required the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN, to build and administer a national database of companies’ beneficial ownership. The CTA allowed federal, local, state, and Tribal law enforcement agencies, and some financial institutions, to access that database for specific reasons, and under some very strict controls.
FinCEN is implementing the CTA through a series of rulemakings. The process for rulemaking is lengthy and tortuous: often beginning with an Advance Notice of Proposed Rule Making (ANPRM), followed by comments from interested parties, then a Notice of Proposed Rule Making (NPRM), followed by comments from interested parties, then a Final Rule. The first Final Rule on reporting beneficial ownership information (BOI) was published September 30, 2022. This covers the what and how for the roughly 36 million or so existing “reporting companies”, and the estimated 5 million such entities formed every year, that are required to report their beneficial ownership information to FinCEN.
The second rule on accessing the BOI is now in the proposed stage: An ANPRM covering both reporting and access was published on April 5, 2021. Interested parties, and some cranks, submitted 220 comments. On December 8, 2021 the Reporting NPRM was published. Over 240 comments were submitted. On September 30, 2022 a final BOI Reporting Rule was published. This NPRM on BOI Access was published in the Federal Register on December 16, 2022. FinCEN also published a Fact Sheet that provides a summary of the NPRM.
(For a complete list of AML Act of 2020 legislative and regulatory activity, see FinCEN’s AMLA of 2020 Landing Page.)
The NPRM was published in the Federal Register on December 16, 2022 (87 FR 77404 – 77457). Where the “public inspection” version of the NPRM (released on December 15th) was 150 pages long, the official version is 54 pages, mainly due to itty-bitty font and the three-column formatting of the Federal Register. In both cases, though, the NPRM is set out the same, beginning with a summary (page 77404), supplementary information (pages 77404 – 77453), and the actual proposed regulations (pages 77453 – 77457). The supplementary information section is the meat of the NPRM. It is organized as follows:
  • (I) Executive Summary – page 77404
  • (II) Background of the CTA and reporting final rule and access proposed rule – pages 77404 – 77408
  • (III) Overview of Access Framework and Protocols – pages 77408 – 77411
  • (IV) Section-by-section Analysis – BOI retention and disclosure at pages 77411 – 77424, FinCEN identifier at pages 77424 – 77425
  • (V) Final Rule Effective Date (January 1, 2024) – page 77425
  • (VI) Request for Comment (28 questions – the questions go from 1 through 26, then 29 and 30) – pages 77425 – 77426
  • (VII) Regulatory analysis of the costs, benefits, burdens on the public and private sector entities and persons impacted – pages 77426 – 77453
FinCEN gave interested parties 60 days (to February 14, 2023) to submit comments. I submitted my comments on December 24, 2022. The comment letter is reproduced below. At the end of the letter I have added (1) the twenty-eight questions posed by FinCEN, and (2) the text of the proposed access rule, 31 CFR s. 1010.955.

Richards Comment Letter on the Proposed BOI Access Rule

December 24, 2022

Financial Crimes Enforcement Network

P.O. Box 39

Vienna, VA 22183

Submitted electronically to https://www.regulations.gov

Re: Request for Comments, Docket Number FINCEN-2022-27031 – Notice of Proposed Rulemaking Regarding Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities – Comments of James Richards, Principal and Founder of RegTech Consulting LLC.

Dear Acting Director Das:

I appreciate the opportunity to comment on the Notice of Proposed Rulemaking Regarding Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, or the proposed BOI Access Rule (as it is commonly called).

I am submitting these comments with a three-decade background fighting financial crimes in both the private and public sectors and a strong desire to see the U.S. AML/CFT regime become truly effective. I am offering suggestions and, where appropriate, providing answers to some of the questions that FinCEN has posed. Some of my comments are critical of what has been proposed. I am not critical of the bona fides, efforts, and integrity of those that have put together the proposed access rule: we simply differ on some aspects of the proposed rule. And, as you will read below, we differ greatly on the expected costs and burdens that the private sector will incur in implementing the rule.

By way of background, I have been actively involved in AML/CFT since the late 1990s. Currently, I am the principal and founder of RegTech Consulting LLC, a private consulting firm focused on providing strategic advice on all aspects of financial crimes risk management to AML software providers, financial technology start-ups, cannabis-related businesses, mid-size banks, and money services businesses. I am also a Senior Advisor to Verafin Inc., the leading provider of fraud detection and BSA/AML collaboration software for financial institutions in North America, and serve on the board of advisors for two providers of financial crimes compliance technologies and services, Quantifind Inc. and Duality Technologies, Inc. From 2005 through April 2018, I served as the BSA Officer and Director of Global Financial Crimes Risk Management for Wells Fargo & Co. As BSA officer, I was responsible for governance, training, and program oversight for BSA, anti-money laundering (AML), and sanctions for Wells Fargo’s global operations. As Director of Global Financial Crimes Risk Management, I was responsible for BSA, AML, counter-terrorist financing (CTF), external fraud and internal fraud and misconduct investigations, the identity theft prevention program, global sanctions, financial crimes analytics, and high-risk customer due diligence. Prior to my role with Wells Fargo, I was the AML operations executive at Bank of America where I was responsible for the operational aspects of Bank of America’s global AML and CTF monitoring, surveillance, investigations, and related SAR reporting. I represented Bank of America and Wells Fargo as a three-term member of the BSA Advisory Group (BSAAG). I was also a founding board member of ACAMS and the AFCFS. Prior to my 20-year career in banking, I was a prosecutor in Massachusetts, a barrister in Ontario, Canada, and a Special Constable with the Royal Canadian Mounted Police.
I am the author of “Transnational Criminal Organizations, Cybercrime, and Money Laundering” (CRC Press 1998). I earned a Bachelor of Commerce (BComm.) degree and Juris Doctorate (JD) from the University of British Columbia.

Introduction to the CTA and Related Rulemaking

Section 6403 of the Corporate Transparency Act (CTA), enacted into law as part of the Anti-Money Laundering Act of 2020 (AML Act), which is itself part of the National Defense Authorization Act for Fiscal Year 2021 (NDAA), required FinCEN to build and administer a national database of companies’ beneficial ownership. The CTA allowed federal, local, state, and Tribal law enforcement agencies, and some financial institutions, to access that database for specific reasons, and under some very strict controls.

As we are aware, the process for rulemaking is lengthy and tortuous.[1] In this case, an ANPRM that covered both reporting and access was published on April 5, 2021. It took twenty months for FinCEN to publish this access NPRM, with a “promise” to publish the final rule by December 31, 2023.[2] The comment period is 60 days, taking us to February 14, 2023. We can expect hundreds of substantive comments (over 500 comments were submitted for the proposed reporting rule).[3] It will take FinCEN months to consider and incorporate, where needed, those comments, then circulate a draft final rule to the required legislative and executive branch agencies for feedback. Then 30+ days for OMB approval. It is unlikely that FinCEN will be able to promulgate a final access rule by the end of 2023.[4] It is also unlikely that the database will be built, tested, and operational by the end of 2023. It is also unlikely that the federal, state, Tribal, and local law enforcement agencies will have met their (new) regulatory obligations to access, use, and store BOI. FinCEN should begin the process of setting out a manageable, realistic timeline, communicate that to all public and private sector participants, and manage to it.

Summary of My Comments

I have fourteen enumerated comments. They generally follow the Section-by-section Analysis. Where appropriate, I have referred to one of the twenty-eight questions that were posed by FinCEN.[5]

I made one comment on the regulatory analysis of the costs, benefits, burdens on the public and private sector entities and persons impacted. As I’ve written before, FinCEN really needs to revise its process for estimating the costs and burdens imposed on the private sector.[6] The estimates are generally inaccurate: put another way, I couldn’t find one that was reasonable. The only estimate that appears reasonable is FinCEN’s estimate of its own “burdens” in managing its IT help desk and regulatory support function. More on those later.

Comment 1 – FinCEN Identifier: Theory vs Practice

FinCEN is proposing to revise the just-promulgated FinCEN identifier rule to clarify the “intermediate entity” issue. A FinCEN identifier is a creation of the CTA: once a reporting company has filed an initial BOI report, it and the individuals identified as beneficial owners, may apply for and obtain a unique identifying number. That unique identifying number will then be used in lieu of the individual’s BOI and, in some remarkably convoluted circumstances involving something called an “intermediate entity”, allow the reporting company to report its FinCEN identifier in lieu of providing certain beneficial owners’ BOI.[7] As explained in the proposed rule, FinCEN identifiers will only be available for individuals that are BOs of both the reporting company and the intermediate entity.

FinCEN’s apparent desire to “clean up” the FinCEN identifier sections of the just-issued reporting final rule reflects the complexities of the concept, the muddled and confused comments submitted about it, and FinCEN’s own struggles to explain it.[8]

Here is an example of the complexities. At page 77424 is this excerpt:

“… if the intermediate entity has any beneficial owners who are not also beneficial owners of the reporting company, the reporting company’s use of the intermediate entity’s FinCEN identifier would identify multiple individuals as beneficial owners of the reporting company, when in fact they are only beneficial owners of the intermediate entity. Additionally, if an individual is a beneficial owner of a reporting company through multiple intermediate entities but is not a beneficial owner of one of those entities, the reporting company’s use of that entity’s FinCEN identifier could obscure the identity of that beneficial owner. In this case, the reporting company’s use of an intermediate entity’s FinCEN identifier would fail to identify an individual as a beneficial owner of the reporting company, when in fact the individual is such a beneficial owner.”

Which begs the question “why bother with a FinCEN identifier at all?” The complexities it introduces, and the mischief that malign actors can make with it far outweigh the privacy-related benefits (which I still do not understand) that it apparently provides. Frankly, I still don’t understand what the FinCEN identifier accomplishes, or how it will actually work in practice. Indeed, the theory behind the FinCEN identifier may be sound, but putting it into practice may prove unworkable.[9] But I commend your efforts to clarify something that, to this three-decades-of-experience practitioner, is incomprehensible.

Comment 2 – Will FinCEN Need To Add Hundreds of Staff to Implement the CTA?

At page 77408 FinCEN notes “FinCEN continues to face resource constraints in developing and deploying the beneficial ownership IT System and efforts to put in place processes to support the collection and use of BOI.”

Indeed. As you explain, FinCEN currently fields approximately 13,000 inquiries a year to its Regulatory Support Section and 70,000 inquiries a year into its IT Systems Help Desk. With the CTA and FinCEN’s “particular focus on providing adequate customer support” to the estimated 32 million reporting companies in Year 1 and 5 million additional reporting companies in Year 2 that will be reporting BOI, FinCEN is estimating thirty-six times as many requests the first year and six times as many requests every year thereafter.[10] Think of that: if FinCEN has ten people manning the Support Section and Help Desk today, it will need 360 people for 2024 and 60 people every year thereafter; if FinCEN has twenty people manning the Support Section and Help Desk today, it will need 720 people for 2024 and 120 people every year thereafter just to help reporting companies. Then there will be the 16,671 public and private sector agencies and institutions that will have access to, and use, the systems and BOI information. They will also need support and technical help.

As best I know, FinCEN has not sought Congressional approval for the headcount and funding needed to manage its CTA support needs. FinCEN needs to hire and train hundreds of support personnel in the next twelve months. That effort should be started today.

Comment 3 – Staged Access?

At page 77408 FinCEN hints that it may have to use a staged access by different authorized users:

“Without the availability of additional appropriated funds to support this project and other mission-critical services, FinCEN may need to identify trade-offs, including with respect to guidance and outreach activities, and the staged access by different authorized users to the database. FinCEN is currently identifying the range of considerations implicated by potential budget shortfalls and the trade-offs that are available and appropriate.”

This was a surprise and deserves a more fulsome explanation.

Comment 4 – Verification of BOI Without Verifying BOs

At page 77408 FinCEN provides that it will verify that the named BOI is an actual person, but not that the named BOI is an actual BOI of that reporting company (“FinCEN continues to evaluate options for verifying reported BOI. ‘Verification,’ as that term is used here, means confirming that the reported BOI submitted to FinCEN is actually associated with a particular individual.”).

This is the same problem with the current CDD Rule, which has financial institutions verifying that the named beneficial owner(s) is (are) actual persons, not that they are actually beneficial owners. Footnote 46 provides: “Pursuant to Sections 6502(b)(1)(C) and (D) of the AML Act, the Secretary, in consultation with the Attorney General, will conduct a study no later than two years after the effective date of the BOI reporting final rule, to evaluate the costs associated with imposing any new verification requirements on FinCEN and the resources necessary to implement any such changes.” This is an implicit admission that FinCEN’s “verification” is a limited concept. This is repeated at page 77427, where FinCEN’s estimates for the costs of building and running the program “do not include certain potential additional costs, such as for IT personnel or information verification …”.

Comment 5 – Law Enforcement Access

At pages 77409 – 77410 is a summary of the access. Federal agencies will have immediate access to “run queries using multiple search fields” after they “submit brief justifications to FinCEN for their searches, explaining how their searches further a particular qualifying activity”. The proposed rule does not address how this will be done: “FinCEN will develop guidance for agencies on submitting the required justifications.”

Apparently, Congress does not have the same faith in the integrity of state, tribal, and local law enforcement agencies, as those agencies are required to obtain a court authorization to access BOI. After uploading a court order that is approved by FinCEN, those agencies can then “conduct searches using multiple search fields”. All of the agencies – Federal, State, local, and Tribal – will have “broad search capabilities”.

Yet these broad search capabilities may not be utilized because of the strict controls imposed on law enforcement. How strict are those controls? By far the lengthiest section of the 3,963-word proposed rule (31 CFR 1010.955) is 1010.955(d)(1), “Security and confidentiality requirements for domestic agencies”, at 1,316 words.[11] But, like financial institutions’ access (see Comment 7), the complexities of law enforcement access have a legislative source, not a regulatory source, so any solutions lie with Congress, not FinCEN.

Comment 6 – Trusted Foreign Country, or Trusted Country?

The CTA provides that FinCEN may disclose BOI upon receipt of a request “from a Federal agency on behalf of a law enforcement agency, prosecutor, or judge of another country, including a foreign central authority or competent authority (or like designation), under an international treaty, agreement, convention, or official request made by law enforcement, judicial, or prosecutorial authorities in trusted foreign countries when no treaty, agreement, or convention is available.”

FinCEN sought comments on the following question (question 10): “Should FinCEN define the term ‘trusted foreign country’ in the rule, and if so, what considerations should be included in such a definition?”

I can’t think of a situation where the United States would consider a country to be a “trusted foreign country” where there is no international treaty, agreement, or convention. There was nothing in the proposed rule about how that designation would be made, and which federal agency would make it (e.g., the State Department?). FinCEN should provide clarity and, if possible, publish a list of trusted countries.

Also, the modifier “foreign” is redundant. There is one “domestic country” – the United States. Every other country is foreign.[12]

Comment 7 – Financial Institution Access Remains Too Limited

FinCEN correctly notes that “broadly, and critically, BOI can identify linkages between potential illicit actors and opaque business entities, including shell companies” (page 77405). That is true. Unfortunately, the CTA, and the proposed access rule, prevent financial institutions from being able to fully use BOI to identify linkages between potential illicit actors and opaque business entities.

FinCEN explains that financial institutions will have direct access “albeit in more limited form” than Federal, State, local, and Tribal law enforcement agencies. In fact, “FinCEN is therefore not planning to permit FIs to run broad or open-ended queries in the beneficial ownership IT System or to receive multiple search results … [they will only] receive an electronic transcript with that entity’s BOI.” (page 77410). This is consistent with the Fact Sheet:

“Consistent with the CTA, the proposed rule would only permit FIs to request BOI from FinCEN for purposes of complying with CDD requirements under applicable law, and only with the consent of the reporting company to which the BOI pertains. FinCEN thus anticipates that an FI, instead of being able to run open-ended queries in the beneficial ownership IT system or to receive multiple search results, would submit identifying information specific to a reporting company and receive in return an electronic transcript with that entity’s BOI. This more limited information-retrieval process would reduce the overall risk of inappropriate use or unauthorized disclosures of BOI.”[13]

This remains the biggest flaw in the CTA that cannot be corrected by regulation: financial institutions cannot query the BOI database to identify linkages between potential illicit actors and opaque business entities, including shell companies. Financial institutions can only query the BOI database to determine the names of the beneficial owners that are provided by the reporting company.

There are always at least two questions that a financial institution needs to ask when onboarding a legal entity customer: (1) who are the beneficial owners of the legal entity customer? And (2) are those beneficial owners also beneficial owners of any other legal entities? Financial institutions can only query the database for the beneficial ownership information for a particular reporting company, as long as that reporting company provides its consent. So financial institutions could get BOI for RegTech Consulting LLC, as long as RegTech Consulting LLC provides its consent, but they could not determine if RegTech Consulting LLC’s beneficial owner – Jim Richards – is also the beneficial owner of other reporting companies. This is the biggest flaw in the CTA and in the proposed rule. But, since the flaw is legislative and not regulatory, the solution lies with Congress, not FinCEN.

Comment 8 – A Proposed Solution to the Phrase “CDD Under Applicable Law”

The CTA authorizes FinCEN to disclose BOI upon receipt of a request “made by a financial institution subject to customer due diligence requirements, with the consent of the reporting company, to facilitate the compliance of the financial institution with customer due diligence requirements under applicable law.” (31 U.S.C. 5336(c)(2)(B)(iii)). FinCEN deliberately, and with some detail, limited those requirements. It wrote, at page 77415:

“the proposed rule would define ‘customer due diligence requirements under applicable law’ to mean FinCEN’s customer due diligence (CDD) regulations at 31 CFR 1010.230, which require covered FIs to identify and verify beneficial owners of legal entity customers. FinCEN considered interpreting the phrase ‘customer due diligence requirements under applicable law’ more broadly to cover a range of activities beyond compliance with legal obligations in FinCEN’s regulations to identify and verify beneficial owners of legal entity customers. FinCEN’s separate Customer Identification Program regulations [1010.220], for example, could be considered customer due diligence requirements. FinCEN decided not to propose this broader approach, however. The bureau believes a more tailored approach will be easier to administer, reduce uncertainty about what FIs may access BOI under this provision, and better protect the security and confidentiality of sensitive BOI by limiting the circumstances under which FIs may access BOI. That said, FinCEN solicits comments on whether a broader reading of the phrase ‘customer due diligence requirements’ is warranted under the framework of the CTA, and, if so, how customer due diligence requirements should be defined in order to provide regulatory clarity, protect the security and confidentiality of BOI, and minimize the risk of abuse.”

The result is that FinCEN is defining “CDD requirements” as those in 31 CFR 1010.230 (the 2016 beneficial ownership rule). FinCEN did not include the CIP requirements in 1010.220 or the ongoing CDD requirements in 1010.210 (which refers to each type of FI’s requirements, such as 1020.210 for banks), which include a requirement to identify and report suspicious activity.

Does this mean that FIs cannot use BOI for ongoing monitoring to identify and report suspicious activity?

FinCEN appears to have some doubts about its restrictive definition of “customer due diligence requirements under applicable law” as it has posed two (actually five) questions about it:

“Question 12. FinCEN proposes to define “customer due diligence requirements under applicable law” to mean the bureau’s 2016 CDD Rule, as it may be amended or superseded pursuant to the AML Act. The 2016 CDD Rule requires FIs to identify and verify beneficial owners of legal entity customers. Should FinCEN expressly define “customer due diligence requirements under applicable law” as a larger category of requirements that includes more than identifying and verifying beneficial owners of legal entity customers? If so, what other requirements should the phrase encompass? How should the broader definition be worded? It appears to FinCEN that the consequences of a broader definition of this phrase would include making BOI available to more FIs for a wider range of specific compliance purposes, possibly making BOI available to more regulatory agencies for a wider range of specific examination and oversight purposes, and putting greater pressure on the demand for the security and confidentiality of BOI. How does the new balance of those consequences created by a broader definition fulfill the purpose of the CTA?”

“Question 13. If FinCEN wants to limit the phrase “customer due diligence requirements under applicable law” to apply only to requirements like those imposed under its 2016 CDD Rule related to FIs identifying and verifying beneficial owners of legal entity customers, are there any other comparable requirements under Federal, State, local, or Tribal law? If so, please specifically identify these requirements and the regulatory bodies that supervise for compliance with or enforce them.”

I would point out that Congress provided Treasury with some instruction on promulgating regulations under the CTA. The new section 5336(b)(1)(F) provides, in part:

“(F) REGULATION REQUIREMENTS. – In promulgating the regulations required under subparagraphs (A) through (D), the Secretary of the Treasury shall, to the greatest extent practicable … (iv) collect information described in paragraph (2) [the required BOI] in a form and manner that ensures the information is highly useful in (I) facilitating important national security, intelligence, and law enforcement activities; and (II) confirming beneficial ownership information provided to financial institutions to facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.”

It appears Congress has laid out two conflicting requirements. First, 5336(b)(1)(F) provides that BOI should be highly useful to financial institutions “to facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.” Those are three things: AML, CFT, and CDD. Put another way, AML and CFT – the identification and reporting of suspicious activity – are different from, or in addition to, CDD. But then in 5336(c)(2)(B)(iii) FinCEN may only disclose BOI upon receipt of a request “made by a financial institution subject to customer due diligence requirements, with the consent of the reporting company, to facilitate the compliance of the [FI] with customer due diligence requirements under applicable law.”

FinCEN is soliciting comments on whether a broader reading of the phrase “customer due diligence requirements” is warranted under the framework of the CTA, and, if so, how customer due diligence requirements should be defined in order to provide regulatory clarity, protect the security and confidentiality of BOI, and minimize the risk of abuse.

A broader reading of CDD to encompass the CIP requirements in 1010.220 (identifying a customer is a precondition of performing CDD on the customer) and the ongoing CDD requirements in 1010.210 would allow financial institutions to “confirm[] beneficial ownership information provided to financial institutions to facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law”, as Congress intended. And the next two points below (points 9 and 10) – that FinCEN is proposing to limit the use of BOI to financial institution employees physically located in the United States, and the information security requirements under Gramm-Leach-Bliley section 501 – should suffice to protect the security and confidentiality of BOI and thus minimize the risk of abuse.

The change would be easy to make: the proposed section 1010.955(b)(4)(i) reads, in part: “For purposes of this section, customer due diligence requirements under applicable law are the beneficial ownership requirements for legal entity customers at § 1010.230, as those requirements may be amended or superseded.” That section could be changed to:

“For purposes of this section, customer due diligence requirements under applicable law are –

          (I) the anti-money laundering program requirements at § 1010.210,

          (II) the customer identification program requirements at § 1010.220, and

          (III) the beneficial ownership requirements for legal entity customers at § 1010.230,

as those requirements may be amended or superseded.”

Comment 9 – Private Sector Security Protocols Should Dictate Where BOI Can Be Accessed, Not The Location of the Person

“FinCEN envisions that there are circumstances in which FI employees may have a similar need [similar to law enforcement] to share BOI with counterparts, e.g., if they are working together to onboard a new customer. Proposed 31 CFR 1010.955(c)(2)(ii) therefore extends a comparable authority to FIs. One difference should be noted: FinCEN proposes to expressly limit FIs to redisclosing BOI to other officers, employees, contractors, and agents of the FI physically present in the United States.” (page 77418)

FinCEN explained its concerns:

“Allowing U.S. FIs to re-disclose BOI outside of the United States creates the potential for a foreign government agency to obtain such BOI by serving a judicial or administrative warrant, summons, or subpoena directly on the foreign entity or location where the BOI is stored. Prohibiting FIs from moving BOI outside the United States reinforces and complements the requirements associated with the requirements through which foreign governments can obtain BOI under the proposed rule.”

In question 23 FinCEN asks whether the proposed restriction to require FIs to limit BOI disclosure to FI directors, officers, employees, contractors, and agents within the United States would (1) impose undue hardship on FIs, and (2) what the practical implications and potential costs of this limitation would be.

First, it should be noted that the restricting phrase “within the United States” is used in two places in the proposed rule: paragraph (c)(2)(ii) provides:

“… any director, officer, employee, contractor, or agent of a financial institution who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(4)(i) of this section may disclose such information to another director, officer, employee, contractor, or agent within the United States of the same financial institution for the particular purpose or activity for which such information was requested, consistent with the requirements of paragraph (d)(2) of this section.”

And paragraph (d)(2)(i), titled “Restrictions on personnel access to information” provides that “the financial institution shall restrict access to information obtained from FinCEN under paragraph (b)(4)(i) of this section to directors, officers, employees, contractors, and agents within the United States.”[14]

The result is clear: FinCEN is “prohibiting FIs from moving BOI outside the United States”. FinCEN has effectively “onshored” any offshore CDD team that every financial institution has set up. This will be particularly onerous on the largest financial institutions and those US branches of foreign institutions. It will take years and millions of dollars to move CDD teams onshore.

FinCEN should reconsider this US-only approach. It is less about the physical location of the people accessing and using BOI and more about the safeguards developed and implemented. FinCEN addresses this at page 77421, the introduction to the safety and security of the BOI for financial institutions. FinCEN is proposing a “principles-based approach by requiring FIs to develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI as a precondition for receiving BOI.” And the safe harbor standard is the existing Gramm-Leach-Bliley section 501. GLB s. 501 should suffice to protect BOI, wherever it is physically accessed.

Another consideration would be to allow a financial institution’s offshore staff to access BOI if the BOI is protected by privacy enhancing technologies such as fully homomorphic encryption.

Comment 10 – A Proposed Solution to Obtaining Reporting Company Consent

FinCEN proposes that financial institutions be required to obtain the reporting company’s consent in order to request the reporting company’s BOI from FinCEN. FinCEN invited commenters to “indicate what barriers or challenges FIs may face in fulfilling such a requirement, as well as any other considerations” (Question 11).

Current proposed section 1010.955(d)(2)(iii) provides:

“(iii) Consent to obtain information. Before making a request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall obtain and document the consent of the reporting company to request such information. The documentation of the reporting company’s consent shall be maintained for 5 years after it is last relied upon in connection with a request for information under paragraph (b)(4)(i) of this section.”

There is nothing in the NPRM about obtaining consent through a notice in the institution’s account opening terms and conditions. That section can be revised to allow financial institutions to obtain such consent at the time of account opening or in any other customer-acknowledged agreement. Two existing regulations require financial institution customers to provide a certification or acknowledgment, or be given notice of an AML requirement, at account opening. These could be models for a 1010.955 consent. First is the certification regarding beneficial owners of legal entity customers, appendix A to 1010.230. Second is in the current CIP rule, 31 CFR 1010.220, which in turn refers to the regulations for each of the financial institution types. Using the banking regulation as an example, 31 CFR 1020.220(a)(5), the CIP “notice” provisions are:

1020.220(a)(5)(i) Customer notice. The CIP must include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities.

1020.220(a)(5)(ii) Adequate notice. Notice is adequate if the bank generally describes the identification requirements of this section and provides the notice in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a bank may post a notice in the lobby or on its Web site, include the notice on its account applications, or use any other form of written or oral notice.

1020.220(a)(5)(iii) Sample notice. If appropriate, a bank may use the following sample language to provide notice to its customers:

Important Information About Procedures for Opening a New Account

To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.

What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.

Proposed section 1010.955(d)(2)(iii) could be revised to provide:

“(iii)(A) Consent to obtain information. Before making a request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall obtain and document the consent of the reporting company to request such information.

(iii)(B) Obtaining adequate consent. Consent is adequate if the bank generally describes the consent requirements of this section and provides the notice in a manner reasonably designed to ensure that a customer is able to view the consent, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a bank may post a consent in the lobby or on its Web site, include the consent on its account applications, or use any other form of written or oral notice.

(iii)(C) Recordkeeping requirements. The documentation of the reporting company’s consent shall be maintained for 5 years after it is last relied upon in connection with a request for information under paragraph (b)(4)(i) of this section.”

Comment 11 – The Regulatory Analysis Estimates Are, Overall, Unrealistic

The NPRM cost benefit analysis, beginning on page 77426, includes many estimates that appear unrealistic, at best, and wildly off base, at worst. Some examples follow.

A. FinCEN underestimates the number of times financial institutions will need to access the database – FinCEN estimates that 16,252 financial institutions have CDD responsibilities, and that the average financial institution will access the database 1.5 times a day for all 250 business days a year.[15] “FinCEN assumes that financial institutions would submit BOI requests related to newly open[ed] legal entity customer accounts in alignment with the 2016 CDD Rule.” (page 77442). This assumption is wrong in three ways. First, the 2016 CDD Rule requires financial institutions to collect and verify BOI for every new customer, and every existing customer opening a new account. Second, the definition of “legal entity customer” under the 2016 CDD Rule is broader than the definition of “reporting company” under the CTA. An example is a money services business which is a “legal entity customer” but not a “reporting company”. And third, the use of an average for such a diverse set of institutions may not be appropriate (see below for a discussion of the use of averages).

B. FinCEN underestimates the number of employees that will need to access the database – To come up with cost and benefit estimates, FinCEN has broken out financial institutions into two buckets – large and small – based on the Small Business Administration’s definition of “small”, which is (simply) having assets of less than $750 million. With this, FinCEN has determined that there are 2,201 large financial institutions and 14,051 small financial institutions.

FinCEN then makes an assumption: “FinCEN assumes one to two employees per small financial institution and five to six employees per large financial institution” will be performing CDD and will need to access the BOI database. (page 77442). In fairness, FinCEN acknowledges “this number could significantly vary across financial institutions” and requests comment on these assumptions.

Which is good, because the assumption is wildly, dramatically, off. And averages should not be used in an industry that is anything but average.

I looked at FDIC bank data from December 31, 2021 that includes asset size and employee count. There were 4,849 FDIC-insured banks and savings associations as of 12/31/21, and 1,263 had assets of more than $750 million and 3,586 had assets of $750 million or less.

Large Banks:

  • The top 4 by asset size had 134,000 to 218,000 employees
  • The next tier of large banks – numbers 5 through 25 by asset size – had between 9,500 and 67,700 employees; the median bank in this tier had 19,200 employees
  • The next tier of large banks – numbers 26 through 100 by asset size – had between 1,800 and 9,300 employees; the median bank in this tier had 3,100 employees
  • The last tier of large banks – numbers 101 through 1,263 with assets of $750 million or more – had between 0 (as indicated by the FDIC) and 1,250 employees; the median bank in this tier had 34 employees.[16]

Small Banks:

Based on FDIC data, there were 3,586 “small” banks and savings associations as of December 31, 2021. The number of such banks, by asset range and average employee count (apologies for using average!) were:

  • 481 banks with assets of $500 million to $750 million averaged 99 employees
  • 323 banks with assets of $400 million to $500 million averaged 78 employees
  • 442 banks with assets of $300 million to $400 million averaged 59 employees
  • 607 banks with assets of $200 million to $300 million averaged 43 employees
  • 915 banks with assets of $100 million to $200 million averaged 28 employees
  • 818 banks with assets of $0 million to $100 million averaged 13 employees

I then made some assumptions on how many employees in the first and second line would have some responsibilities for opening customer accounts, dealing with customer onboarding, performing second-line CDD, or having some QA/QC or audit (testing) responsibilities for these functions. I assumed that the largest banks would have at least 5 percent of their employees that dealt with customers: onboarding customers, performing onboarding and ongoing CDD, testing and validating and auditing this work. I assumed that 10 percent to 15 percent of employees in the next three tiers of large banks performed similar functions. And for the small banks, I assumed 10 percent performed similar functions. The following table summarizes these results:

FinCEN determined that between 1 and 2 people in the small banks, and 5 to 6 people in the large banks, on average, would access the BOI database. In addition, “based on feedback from Federal agency outreach, FinCEN assumes a minimum of one financial institution employee and a maximum of six financial institution employees would undergo annual BOI training.”

As seen in the table above, I estimate that the 3,586 small banks will have 1.5 to 10 people performing CDD, with the average small bank having 4 to 5 people performing CDD. I estimate that the 1,263 large banks will have between 5 and 5,000 people performing CDD, with the average large bank having 26 to 27 people performing CDD.

C. FinCEN has not included all private sector employees that will need to access the database and obtain training – FinCEN has not included FIs’ audit costs related to the CTA. FinCEN includes the audit costs for the federal and local law enforcement agencies, but not for financial institutions. Audit costs must be included.

The training estimates are also underestimated. FinCEN assumes the only people that need training are those that are accessing the database: “Based on feedback from Federal agency outreach, FinCEN assumes a minimum of one financial institution employee and a maximum of six financial institution employees would undergo annual BOI training.” (page 77442). FinCEN forgets about all the people opening accounts and dealing with customers. They must be included.

D. FinCEN has underestimated the implementation times – FinCEN estimates that it will take a financial institution 10 hours to update its customer consent forms and processes. This is not reasonable. It will take 10 hours to read the proposed rule, let alone implement a final rule. Updating policies, procedures, processes, and forms involves compliance officers, lawyers, marketing experts, process engineers, project managers, technology specialists, etc. It will take 10,000 hours of personnel time … perhaps 100,000 hours in the largest institutions, to update account opening policies, procedures, processes, and forms.

The same holds true for the estimates of the one-time administration costs to establish “admin and physical safeguards”. The estimate of 40 to 80 hours is exponentially off and needs to be revisited.

I recommend that FinCEN re-visit its estimates on the private sector’s costs and burdens of meeting the requirements of the Access Rule.

What is Not in the NPRM But Should Be

Comment 12 – Notice to FIs When BOI is Corrected or Updated

The initial reporting of beneficial ownership provides a point-in-time snapshot of the then-current roster of a reporting company’s beneficial owners. But the CTA and reporting final rule also provided for updating that initial report “if there is any change with respect to required information previously submitted to FinCEN concerning a reporting company or its beneficial owners, including any change with respect to who is a beneficial owner or information reported for any particular beneficial owner.”[17]  There is nothing in the NPRM about financial institutions getting notice from FinCEN when an already-queried reporting company corrects or amends its BOI.

The new section 5336(b)(1)(F) provides that BOI should be highly useful to financial institutions “to facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.”

If a financial institution’s customer files an amended or corrected BOI report with FinCEN, FinCEN will have current and accurate BOI on that reporting company, but the reporting company’s financial institution will not. The financial institution will have information that is stale, incomplete, or wrong. That is the opposite of “highly useful”.

FinCEN should develop a process to provide notice to financial institutions when an already-queried reporting company corrects or amends its BOI. This will not be easy: currently there are no provisions in the proposed rules that require the financial institution to indicate whether the reporting company is not yet a customer or is a customer. And there are no provisions requiring financial institutions to report to FinCEN when the previously queried reporting company ceases to be a customer.

Comment 13 – Tipping Off

When FinCEN revises the final rule to allow financial institutions to use accessed BOI for identifying and reporting suspicious activity (see Comment 8), there will need to be provisions about not “tipping off” a reporting company prospect or customer when seeking its consent to obtain that reporting company’s BOI, and whether there should be a “safe harbor”.

Comment 14 – Accessed BOI Differing from Existing BOI

Section 6403(d) of the CTA is clear that the new BOI rules will not repeal the requirement that financial institutions identify and verify beneficial owners under 31 CFR 1010.230(a).[18]

By the time the BOI database is functioning, and reporting companies are submitting BOI reports and financial institutions are accessing BOI reports, those financial institutions will likely have obtained beneficial ownership information on all of their legal entity customers. Although the number of potential beneficial owners under the CDD rule differs from the number of potential beneficial owners under the CTA,[19] and the definitions of, and exceptions to, legal entity customers and reporting companies differ,[20] financial institutions will have to manage two versions of BOI.

There is nothing in the proposed rule about what financial institutions are supposed to do if the accessed BOI that comes back is not consistent with what they have obtained or know about their customer (or prospective customer). I expect that FinCEN considers this to be part of the third rule that will bring the current CDD rule into conformity with the current BOI reporting rule and expected final BOI access rule. However, financial institutions will need to develop risk tolerance provisions and risk assessments; develop policies, procedures, processes, and systems; and train their staff for accessing the BOI data well before the revised CDD Rule is developed by FinCEN.

Until the revised CDD Rule is published, FinCEN should be prepared to use FAQs, Advisories, and/or Guidance to provide financial institutions with information on how to manage discrepancies between the CDD Rule BOI and the Reporting Rule BOI.

Conclusion

Rulemaking must be one of the most difficult tasks you face. And rulemaking for beneficial ownership information disclosure, access, security, and confidentiality appears to be particularly difficult. So I commend the efforts that you and your teams, and your public sector partners, have clearly expended. The proposed rule is excellent, and it fairly reflects the bounds imposed by the CTA itself.

My intent with these comments was to provide constructive feedback and to provide some possible solutions. The effect, though, may be seen as overly critical. “Being a critic is easy. But if the critic tries to run the operation, he soon understands that nothing is as easy as his criticisms” wrote Haemin Sunim more than ten years ago.[21] I certainly do not want to, nor could, do your job nor draft a beneficial ownership information access rule that would remotely match what has been done to date. But with the comments you will receive over the next 52 days, I am confident the final rule will ensure that beneficial ownership information is highly useful in facilitating important national security, intelligence, and law enforcement activities.

Thank you for your consideration

s/

James Richards

Principal and Founder, RegTech Consulting, LLC

Walnut Creek, CA

(925) 818-6612

richards@thinkrtc.net

Endnotes

[1] The current beneficial ownership rule is a good example of this lengthy, tortuous process. It began in 2003 with a FATF recommendation, non-compliance with that recommendation in the 2006 Mutual Evaluation of the United States, guidance on beneficial ownership in 2010, an ANPRM in 2012, an NPRM in 2014, a Final Rule in May 2016, and the implementation of the Final Rule in May 2018.

[2] In fairness, a technical reading of the CTA imposed a one-year time period (from the enactment of the AMLA and CTA) for FinCEN to implement rules for reporting BOI under the then-new 31 USC s. 5336(b). There was no similar time-period within which FinCEN was to promulgate rules for the retention and disclosure of BOI in 5336(c), or what we now refer to as the Access Rule.

[3] Interested parties, and some cranks, submitted 220 comments to the ANPRM. Many of the same interested parties, and some of the same cranks, submitted over 240 comments to the December 8, 2021 Reporting NPRM.

[4] The Reporting Rule took a total of 17 months from the ANPRM (April 5, 2021) to the NPRM (December 8, 2021) to the Final Rule (September 30, 2022). It took over 9 months to move from the NPRM to Final Rule. If the Access Rule follows the same course, a Final Rule will be published in late September 2023, leaving public and private sector agencies and institutions a mere three months to design, develop, test, and implement new policies, procedures, processes, and systems.

[5] Although there were thirty enumerated questions in part (VI) Request for Comment, they were numbered 1 through 26, then 29 and 30. See pages 77425 – 77426 of the NPRM.

[6] See, for example, https://regtechconsulting.net/aml-regulations-and-enforcement-actions/fincens-estimate-of-the-costs-and-burden-of-filing-sars-is-evolving-but-needs-private-sector-input/

[7] See page 77424 of the proposed rule.

[8] FinCEN’s use of words and phrases such as “implicit assumption” and “straightforward” in explaining its changes on page 77424 reflect these struggles.

[9] Yogi Berra explained this more eloquently than me: “In theory there is no difference between theory and practice. In practice there is.”

[10] See page 77408, where FinCEN estimates that 10 percent of those reporting companies “will have questions about the reporting requirement or the form, or technical issues when filing, that could result in upwards of 3 million inquiries in Year 1, and 500,000 per year after that.”

[11] The section on security and confidentiality for foreign recipients is a mere 374 words. The section on security and confidentiality for financial institutions is only 374 words.

[12] Credit to Mae West, who said “I only like two kinds of men, domestic and imported.”

[13] https://www.fincen.gov/nprm-fact-sheet

[14] Paragraph (b)(4)(i) is the BOI that financial institutions will receive from FinCEN.

[15] Footnote 228, page 77442

[16] The average bank in this large bank tier had 45 employees.

[17] 31 CFR § 1010.380(b) implementing new section 31 USC § 5336(b)(1)(D).

[18] Section 6403(d) provides that the Secretary shall revise the May 11, 2016 final rule entitled ‘‘Customer Due Diligence Requirements for Financial Institutions’’ (81 Fed. Reg. 29397) – that section is titled “revised due diligence rulemaking”, not “rescinded due diligence rulemaking”. The revisions shall “bring the [CDD] rule into conformance with” the CTA, “account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336 … in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements …”. And in carrying this out, “the Secretary of the Treasury shall rescind paragraphs (b) through (j) of section 1010.230 …”. Finally, section 6403(d) ends with “nothing in this section may be construed to authorize the Secretary of the Treasury to repeal the requirement that financial institutions identify and verify beneficial owners of legal entity customers under section 1010.230(a) of title 31, Code of Federal Regulations.”

[19] There can be only one person under the “control prong” of the CDD Rule; there can be any number of persons with “substantial control” under the BOI reporting rule. Also, there are no applicants under the CDD Rule.

[20] For example, under the BOI Rule, legal entity customers that are not reporting companies include charities, money services businesses, and businesses with 20 or more employees, revenue of $5 million or more, and primary location in the United States.

[21] https://www.goodreads.com/book/show/30780006-the-things-you-can-see-only-when-you-slow-down. Sunim also wrote that “criticism without a solution is merely an inflation of the critic’s ego.” Thus I was careful to offer a few solutions.

FinCEN’s Twenty-Eight Questions

Questions Posed – FinCEN is inviting comment on “any and all aspects of the proposed rule, and specifically seeks comments on the following questions”:
Understanding the Rule
1. Can the organization of the rule text be improved? If so, how?
2. Can the language of the rule text be improved? If so, how?
3. Does the proposed rule provide sufficient guidance to stakeholders and the public regarding the scope and requirements for access to BOI?
Disclosure of Information
4. The CTA prohibits officers and employees of (1) the United States, (2) State, local, and Tribal agencies, and (3) FIs and regulatory agencies from disclosing BOI reported under the statute. FinCEN proposes to extend the prohibition to agents, contractors, and, in the case of FIs, directors as well. FinCEN invites comments on the proposed scope.
5. Are FinCEN’s proposed interpretations of “national security,” “intelligence,” and “law enforcement” clear enough to be useful without being overly prescriptive? If not, what should be different? Commenters are invited to suggest alternative interpretations or sources for reference.
6. Should FinCEN add any specific activities or elements to the proposed interpretations of “national security,” “intelligence,” and “law enforcement” that do not seem to be covered already? If so, what?
7. FinCEN requests comments discussing how State, local, and Tribal law enforcement agencies are authorized by courts to seek information in criminal and civil investigations. Among the particular issues that FinCEN is interested in are: how State, local, and Tribal authorities gather evidence in criminal and civil cases; what role a court plays in each of these mechanisms, and whether in the commenter’s opinion it rises to the level of court “authorization”; what role court officers (holders of specific offices, not attorneys as general-purpose officers of the court) play in these mechanisms; how grand jury subpoenas are issued and how the court officers issuing them are “authorized” by a court; whether courts of competent jurisdiction, or officers thereof, regularly authorize subpoenas or other investigative steps via court order; and whether there are any evidence-gathering mechanisms through which State, local, or Tribal law enforcement agencies should be able to request BOI from FinCEN, but that do not require any kind of court?
8. Is requiring a foreign central authority or foreign competent authority to be identified as such in an applicable international treaty, agreement, or convention overly restrictive? If so, what is a more appropriate means of identification?
9. Are there alternative approaches to managing the foreign access provision of the CTA that FinCEN should consider?
10. Should FinCEN define the term “trusted foreign country” in the rule, and if so, what considerations should be included in such a definition?
11. FinCEN proposes that FIs be required to obtain the reporting company’s consent in order to request the reporting company’s BOI from FinCEN. FinCEN invites commenters to indicate what barriers or challenges FIs may face in fulfilling such a requirement, as well as any other considerations.
12. FinCEN proposes to define “customer due diligence requirements under applicable law” to mean the bureau’s 2016 CDD Rule, as it may be amended or superseded pursuant to the AML Act. The 2016 CDD Rule requires FIs to identify and verify beneficial owners of legal entity customers. Should FinCEN expressly define “customer due diligence requirements under applicable law” as a larger category of requirements that includes more than identifying and verifying beneficial owners of legal entity customers? If so, what other requirements should the phrase encompass? How should the broader definition be worded? It appears to FinCEN that the consequences of a broader definition of this phrase would include making BOI available to more FIs for a wider range of specific compliance purposes, possibly making BOI available to more regulatory agencies for a wider range of specific examination and oversight purposes, and putting greater pressure on the demand for the security and confidentiality of BOI. How does the new balance of those consequences created by a broader definition fulfill the purpose of the CTA?
13. If FinCEN wants to limit the phrase “customer due diligence requirements under applicable law” to apply only to requirements like those imposed under its 2016 CDD Rule related to FIs identifying and verifying beneficial owners of legal entity customers, are there any other comparable requirements under Federal, State, local, or Tribal law? If so, please specifically identify these requirements and the regulatory bodies that supervise for compliance with or enforce them.
14. Are there any State, local, or Tribal government agencies that supervise FIs for compliance with FinCEN’s 2016 CDD Rule? If so, please identify them.
15. FinCEN does not propose to disclose BOI to SROs as “other appropriate regulatory agencies,” but does propose to authorize FIs that receive BOI from FinCEN to disclose it to SROs that meet specified qualifying criteria. Is this sufficient to allow SROs to perform duties delegated to them by Federal functional regulators and other appropriate regulatory agencies? Are there reasons why SROs could be included as “other appropriate regulatory agencies” and obtain BOI directly from FinCEN?
16. Are there additional circumstances under which FinCEN is authorized to disclose BOI that are not reflected in this proposed rule?
Use of Information
17. FinCEN proposes to permit U.S. agencies to disclose BOI received under 31 CFR 1010.955(b)(1) or (2) to courts of competent jurisdiction or parties to civil or criminal proceedings. Is this authorization appropriately scoped to allow for the use of BOI in civil or criminal proceedings?
18. In proposed 31 CFR 1010.955(c)(2)(v), FinCEN proposes to establish a mechanism to authorize, either on a case-by-case basis or categorically through written protocols, guidance, or regulations, the re-disclosure of BOI in cases not otherwise covered under 31 CFR 1010.955(c)(2) and in which the inability to share the information would frustrate the purposes of the CTA because of the categorical prohibitions against disclosures at 31 U.S.C. 5336(c)(2)(A). Are there other categories of redisclosures that FinCEN should consider authorizing? Are there particular handling or security protocols that FinCEN should consider imposing with respect to such re-disclosures of BOI?
19. Could a State regulatory agency qualify as a “State, local, or Tribal law enforcement agency” under the definition in proposed 31 CFR 1010.955(b)(2)(ii)? If so, please describe the investigation or enforcement activities involving potential civil or criminal violations of law that such agencies may undertake that would require access to BOI.
Security and Confidentiality Requirements
20. Should FinCEN impose any additional security or confidentiality requirements on authorized recipients of any type? If so, what requirements and why?
21. The minimization component of the security and confidentiality requirements requires limiting the “scope of information sought” to the greatest extent possible. FinCEN understands this phrase, drawn from the language of the CTA, to mean that requesters should tailor their requests for information as narrowly as possible, consistent with their needs for BOI. Such narrow tailoring should minimize the likelihood that a request will return BOI that is irrelevant to the purpose of the request or unhelpful to the requester. Does the phrase used in the regulation convey this meaning sufficiently clearly, or should it be expanded, and if so how?
22. Because security protocol details may vary based on each agency’s particular circumstances and capabilities, FinCEN believes individual MOUs are preferable to a one-size-fits all approach of specifying particular requirements by regulation. FinCEN invites comment on this MOU-based approach, and on whether additional requirements should be incorporated into the regulations or into FinCEN’s MOUs.
23. FinCEN proposes to require FIs to limit BOI disclosure to FI directors, officers, employees, contractors, and agents within the United States. Would this restriction impose undue hardship on FIs? What are the practical implications and potential costs of this limitation?
24. Are the procedures FIs use to protect non-public customer personal information in compliance with section 501 of Gramm-Leach-Bliley sufficient for the purpose of securing BOI disclosed by FinCEN under the CTA? If not, is there another set of security standards FinCEN should require FIs to apply to BOI?
25. Are the standards established by section 501 of Gramm-Leach-Bliley, its implementing regulations, and interagency guidance sufficiently clear such that FIs not directly subject to that statute will know how to comply with FinCEN’s requirements with respect to establishing and implementing security and confidentiality standards?
26. Do any states impose, and supervise for compliance on, security and confidentiality requirements comparable to those that FFRs are required to impose on FIs under section 501 of Gramm-Leach-Bliley? Please provide examples of such requirements.
Outreach
29. What specific issues should FinCEN address via public guidance or FAQs? Are there specific recommendations on engagement with stakeholders to ensure that the authorized recipients, and in particular, State, local, and Tribal authorities and small and mid-sized FIs, are aware of requirements for access to the beneficial ownership IT system?
FinCEN Identifiers
30. Does FinCEN’s proposal with respect to an entity’s use of a FinCEN identifier adequately address the potential under- or over-reporting issues discussed in the preamble?
 

Text of Proposed Regulation – 31 CFR s. 1010.955

Below is the text of the proposed new section 1010.955. There are six paragraphs – (a) through (f). All regulations use the same numbering and lettering pattern to designate paragraphs, subparagraphs, clauses, and subclauses. For example:
  • § 1010.955(a) – paragraph (a) of section 1010.955
  • § 1010.955(a)(1) – subparagraph (1) of paragraph (a) of section 1010.955
  • § 1010.955(a)(1)(i) – clause (i) of subparagraph (1) of paragraph (a) of section 1010.955
  • § 1010.955(a)(1)(i)(A) – subclause (A) of clause (i) of subparagraph (1) of paragraph (a) of section 1010.955
  • § 1010.955(a)(1)(i)(A)(1) – I have no idea what (1) is called of subclause (A) of clause (i) of subparagraph (1) of paragraph (a) of section 1010.955
  • § 1010.955(a)(1)(i)(A)(1)(i) – I have no idea of what (i) is called of I have no idea what (1) is called of subclause (A) of clause (i) of subparagraph (1) of paragraph (a) of section 1010.955
The longer the number, though, the more complex the regulatory requirements. You’ll see this in spades in subparagraph (1) of paragraph (d), the security and confidentiality requirements for domestic agencies. These requirements are remarkably complex and detailed and onerous: in fact, I called this out in an article I wrote about the AML Act, where I wrote: “Financial institutions’ access to the database is severely restricted, and the punishing requirements imposed on federal, State, and Tribal government agencies to gain access to the information in the database may dissuade many of them from using it at all.”
For ease of reference, I have included the numbers and letters for the paragraphs, subparagraphs, clauses, and subclauses in order to allow you to keep grounded. Just remember, although the regulation is almost 4,000 words long, it’s made up of just six paragraphs: (a) a prohibition on disclosure of BOI; (b) disclosure of BOI by FinCEN; (c) the allowed uses of BOI; (d) security and confidentiality requirements; (e) FinCEN’s handling of requests for BOI; and (f) violations of the regulation.
Note that there are two clauses numbered § 1010.955(d)(3)(i) – that appears to be a typo that FinCEN will (should) fix in the final rule.
 
§ 1010.955 Availability of beneficial ownership information reported under this part.
(a) Prohibition on disclosure. Except as authorized in paragraphs (b), (c), and (d) of this section, information reported to FinCEN pursuant to § 1010.380 is confidential and shall not be disclosed by any individual who receives such information as –
(a)(1) An officer, employee, contractor, or agent of the United States;
(a)(2) An officer, employee, contractor, or agent of any State, local, or Tribal agency; or
(a)(3) A director, officer, employee, contractor, or agent of any financial institution.
(b) Disclosure of information by FinCEN
(b)(1) Disclosure to Federal agencies for use in furtherance of national security, intelligence, or law enforcement activity.
Upon receipt of a request from a Federal agency engaged in national security, intelligence, or law enforcement activity for information to be used in furtherance of such activity, FinCEN may disclose information reported pursuant to § 1010.380 to such agency. For purposes of this section –
(b)(1)(i) National security activity includes activity pertaining to the national defense or foreign relations of the United States, as well as activity to protect against threats to the safety and security of the United States;
(b)(1)(ii) Intelligence activity includes all activities conducted by elements of the United States Intelligence Community that are authorized pursuant to Executive Order 12333, as amended, or any succeeding executive order; and
(b)(1)(iii) Law enforcement activity includes investigative and enforcement activities relating to civil or criminal violations of law. Such activity does not include the routine supervision or examination of a financial institution by a Federal regulatory agency with authority described in (b)(4)(ii)(A) of this section.
(b)(2) Disclosure to State, local, and Tribal law enforcement agencies for use in criminal or civil investigations.
Upon receipt of a request from a State, local, or Tribal law enforcement agency for information to be used in a criminal or civil investigation, FinCEN may disclose information reported pursuant to § 1010.380 to such agency if a court of competent jurisdiction has authorized the agency to seek the information in a criminal or civil investigation. For purposes of this section –
(b)(2)(i) A court of competent jurisdiction is any court with jurisdiction over the investigation for which a State, local, or Tribal law enforcement agency requests information under this paragraph.
(b)(2)(ii) A State, local, or Tribal law enforcement agency is an agency of a State, local, or Tribal government that is authorized by law to engage in the investigation or enforcement of civil or criminal violations of law.
(b)(3) Disclosure for use in furtherance of foreign national security, intelligence, or law enforcement activity.
Upon receipt of a request from a Federal agency on behalf of a law enforcement agency, prosecutor, or judge of another country, or on behalf of a foreign central authority or foreign competent authority (or like designation) under an applicable international treaty, agreement, or convention, FinCEN may disclose information reported pursuant to § 1010.380 to such Federal agency for transmission to the foreign law enforcement agency, prosecutor, judge, foreign central authority, or foreign competent authority who initiated the request, provided that:
(b)(3)(i) The request is for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the foreign country; and
(b)(3)(ii) The request is:
(b)(3)(ii)(A) Made under an international treaty, agreement, or convention, or;
(b)(3)(ii)(B) When no such treaty, agreement, or convention is available, is an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country.
(b)(4) Disclosure to facilitate compliance with customer due diligence requirements
(b)(4)(i) Financial institutions.
Upon receipt of a request from a financial institution subject to customer due diligence requirements under applicable law for information to be used in facilitating such compliance, FinCEN may disclose information reported pursuant to § 1010.380 to such financial institution, provided each reporting company that reported such information consents to such disclosure. For purposes of this section, customer due diligence requirements under applicable law are the beneficial ownership requirements for legal entity customers at § 1010.230, as those requirements may be amended or superseded.
(b)(4)(ii) Regulatory agencies. Upon receipt of a request by a Federal functional regulator or other appropriate regulatory agency, FinCEN shall disclose to such agency any information disclosed to a financial institution pursuant to paragraph (b)(4)(i) of this section if the agency –
(b)(4)(ii)(A) Is authorized by law to assess, supervise, enforce, or otherwise determine the compliance of such financial institution with customer due diligence requirements under applicable law;
(b)(4)(ii)(B) Will use the information solely for the purpose of conducting the assessment, supervision, or authorized investigation or activity described in paragraph (b)(4)(ii)(A) of this section; and
(b)(4)(ii)(C) Has entered into an agreement with FinCEN providing for appropriate protocols governing the safekeeping of the information.
(b)(5) Disclosure to officers or employees of the Department of the Treasury.
Consistent with procedures and safeguards established by the Secretary –
(b)(5)(i) Information reported pursuant to § 1010.380 shall be accessible for inspection or disclosure to officers and employees of the Department of the Treasury whose official duties the Secretary determines require such inspection or disclosure.
(b)(5)(ii) Officers and employees of the Department of the Treasury may obtain information reported pursuant to § 1010.380 for tax administration as defined in 26 U.S.C. 6103(b)(4).
(c) Use of information –
(c)(1) Use of information by authorized recipients.
Unless otherwise authorized by FinCEN, any person who receives information disclosed by FinCEN under paragraph (b) of this section shall use such information only for the particular purpose or activity for which such information was disclosed. A Federal agency that receives information pursuant to paragraph (b)(3) of this section shall only use it to facilitate a response to a request for assistance pursuant to that paragraph.
(c)(2) Disclosure of information by authorized recipients.
(c)(2)(i) Any officer, employee, contractor, or agent of a requesting agency who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(1) or (2) or (b)(4)(ii) of this section may disclose such information to another officer, employee, contractor, or agent of the same requesting agency for the particular purpose or activity for which such information was requested, consistent with the requirements of paragraph (d)(1)(i)(F) of this section, as applicable. Any officer, employee, contractor, or agent of the U.S. Department of the Treasury who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(5) of this section may disclose such information to another Treasury officer, employee, contractor, or agent for the particular purpose or activity for which such information was requested consistent with internal Treasury policies, procedures, orders or directives.
(c)(2)(ii) Any director, officer, employee, contractor, or agent of a financial institution who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(4)(i) of this section may disclose such information to another director, officer, employee, contractor, or agent within the United States of the same financial institution for the particular purpose or activity for which such information was requested, consistent with the requirements of paragraph (d)(2) of this section.
(c)(2)(iii) Any director, officer, employee, contractor, or agent of a financial institution that receives information disclosed by FinCEN pursuant to paragraph (b)(4)(i) of this section may disclose such information to the financial institution’s Federal functional regulator, a self-regulatory organization that is registered with or designated by a Federal functional regulator pursuant to Federal statute, or other appropriate regulatory agency, provided that the Federal functional regulator, self-regulatory organization, or other appropriate regulatory agency meets the requirements identified in paragraphs (b)(4)(ii)(A) through (C) of this section. A financial institution may rely on a Federal functional regulator, self-regulatory organization, or other appropriate regulatory agency’s representation that it meets the requirements.
(c)(2)(iv) Any officer, employee, contractor, or agent of a Federal functional regulator that receives information disclosed by FinCEN pursuant to paragraph (b)(4)(ii) of this section may disclose such information to a self-regulatory organization that is registered with or designated by the Federal functional regulator, provided that the self-regulatory organization meets the requirements of paragraphs (b)(4)(ii)(A) through (C) of this section.
(c)(2)(v) Any officer, employee, contractor, or agent of a Federal agency that receives information from FinCEN pursuant to a request made under paragraph (b)(3) of this section may disclose such information to the foreign person on whose behalf the Federal agency made the request.
(c)(2)(vi) Any officer, employee, contractor, or agent of a Federal agency engaged in a national security, intelligence, or law enforcement activity, or any officer, employee, contractor, or agent of a State, local, or Tribal law enforcement agency, may disclose information reported pursuant to § 1010.380 that it has obtained directly from FinCEN pursuant to a request under paragraph (b)(1) or (2) of this section to a court of competent jurisdiction or parties to a civil or criminal proceeding.
(c)(2)(vii) Any officer, employee, contractor, or agent of a requesting agency who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(1), (b)(4)(ii), or (b)(5) of this section may disclose such information to any officer, employee, contractor, or agent of the United States Department of Justice for purposes of making a referral to the Department of Justice or for use in litigation related to the activity for which the requesting agency requested the information.
(c)(2)(viii) A law enforcement agency, prosecutor, judge, foreign central authority, or foreign competent authority of another country that receives information from a Federal agency pursuant to a request under paragraph (b)(3)(ii)(A) of this section may disclose and use such information consistent with the international treaty, agreement, or convention under which the request was made.
(c)(2)(ix) Except as described in this paragraph (c)(2), any information disclosed by FinCEN under paragraph (b) of this section shall not be further disclosed to any other person for any purpose without the prior written consent of FinCEN, or as authorized by applicable protocols or guidance that FinCEN may issue. FinCEN may authorize persons to disclose information obtained pursuant to paragraph (b) of this section in furtherance of a purpose or activity described in that paragraph.
(d) Security and confidentiality requirements –
(d)(1) Security and confidentiality requirements for domestic agencies –
(d)(1)(i) General requirements. To receive information under paragraph (b)(1), (2), or (3) or (b)(4)(ii) of this section, a Federal, State, local, or Tribal agency shall satisfy the following requirements:
(d)(1)(i)(A) Agreement. The agency shall enter into an agreement with FinCEN specifying the standards, procedures, and systems to be maintained by the agency, and any other requirements FinCEN may specify, to protect the security and confidentiality of such information. Agreements shall include, at a minimum, descriptions of the information to which an agency will have access, specific limitations on electronic access to that information, discretionary conditions of access, requirements and limitations related to re-disclosure, audit and inspection requirements, and security plans outlining requirements and standards for personnel security, physical security, and computer security.
(d)(1)(i)(B) Standards and procedures. The agency shall establish standards and procedures to protect the security and confidentiality of such information, including procedures for training agency personnel on the appropriate handling and safeguarding of such information. The head of the agency, on a non-delegable basis, shall approve these standards and procedures.
(d)(1)(i)(C) Initial report and certification. The agency shall provide FinCEN a report that describes the standards and procedures established pursuant to paragraph (d)(1)(i)(B) of this section and that includes a certification by the head of the agency, on a non-delegable basis, that the standards and procedures implement the requirements of this paragraph (d)(1).
(d)(1)(i)(D) Secure system for beneficial ownership information storage. The agency shall establish and maintain a secure system in which such information shall be stored, that complies with information security standards prescribed by FinCEN.
(d)(1)(i)(E) Auditability. The agency shall establish and maintain a permanent, auditable system of standardized records for requests pursuant to paragraph (b) of this section, including, for each request, the date of the request, the name of the individual who makes the request, the reason for the request, any disclosure of such information made by or to the requesting agency, and information or references to such information sufficient to reconstruct the justification for the request.
(d)(1)(i)(F) Restrictions on personnel access to information. The agency shall restrict access to information obtained from FinCEN pursuant to this section to personnel –
(d)(1)(i)(F)(1) Who are directly engaged in the activity for which the information was requested;
(d)(1)(i)(F)(2) Whose duties or responsibilities require such access;
(d)(1)(i)(F)(3) Who have received training pursuant to paragraph (d)(1)(i)(B) of this section or have obtained the information requested directly from persons who both received such training and received the information directly from FinCEN;
(d)(1)(i)(F)(4) Who use appropriate identity verification mechanisms to obtain access to the information; and
(d)(1)(i)(F)(5) Who are authorized by agreement between the agency and FinCEN to access the information.
(d)(1)(i)(G) Audit requirements. The agency shall:
(d)(1)(i)(G)(1) Conduct an annual audit to verify that information obtained from FinCEN pursuant to this section has been accessed and used appropriately and in accordance with the standards and procedures established pursuant to paragraph (d)(1)(i)(B) of this section;
(d)(1)(i)(G)(2) Provide the results of that audit to FinCEN upon request; and
(d)(1)(i)(G)(3) Cooperate with FinCEN’s annual audit of the adherence of agencies to the requirements established under this paragraph to ensure that agencies are requesting and using the information obtained under this section appropriately, including by promptly providing any information FinCEN requests in support of its annual audit.
(d)(1)(i)(H) Semi-annual certification. The head of the agency, on a non-delegable basis, shall certify to FinCEN semi-annually that the agency’s standards and procedures established pursuant to paragraph (d)(1)(i)(B) of this section are in compliance with the requirements of this paragraph (d)(1). One of the semi-annual certifications may be included in the annual report required under paragraph (d)(1)(i)(I) of this section.
(d)(1)(i)(I) Annual report on procedures. The agency shall provide FinCEN a report annually that describes the standards and procedures that the agency uses to ensure the security and confidentiality of any information received pursuant to paragraph (b) of this section.
(d)(1)(ii) Requirements for requests for disclosure. A Federal, State, local, or Tribal agency that makes a request under paragraph (b)(1), (2), or (3) or (b)(4)(ii) of this section shall satisfy the following requirements in connection with each request that it makes and in connection with all such information it receives.
(d)(1)(ii)(A) Minimization. The requesting agency shall limit, to the greatest extent practicable, the scope of such information it seeks, consistent with the agency’s purposes for seeking such information.
(d)(1)(ii)(B) Certifications and other requirements.
(d)(1)(ii)(B)(1) The head of a Federal agency that makes a request under paragraph (b)(1) of this section or their designee shall make a written certification to FinCEN, in the form and manner as FinCEN shall prescribe, that:
(d)(1)(ii)(B)(1)(i) The agency is engaged in a national security, intelligence, or law enforcement activity; and
(d)(1)(ii)(B)(1)(ii) The information requested is for use in furtherance of such activity, setting forth specific reasons why the requested information is relevant to the activity.
(d)(1)(ii)(B)(2) The head of a State, local, or Tribal agency, or their designee, who makes a request under paragraph (b)(2) of this section shall submit to FinCEN, in the form and manner as FinCEN shall prescribe:
(d)(1)(ii)(B)(2)(i) A copy of a court order from a court of competent jurisdiction authorizing the agency to seek the information in a criminal or civil investigation; and
(d)(1)(ii)(B)(2)(ii) A written justification that sets forth specific reasons why the requested information is relevant to the criminal or civil investigation.
(d)(1)(ii)(B)(3) The head of a Federal agency, or their designee, who makes a request under paragraph (b)(3)(ii)(A) of this section shall:
(d)(1)(ii)(B)(3)(i) Retain for its records the request for information under the applicable international treaty, agreement, or convention;
(d)(1)(ii)(B)(3)(ii) Submit to FinCEN, in the form and manner as FinCEN shall prescribe: the name, title, email address, and telephone number for the individual from the Federal agency making the request; the name, title, agency, and country of the foreign person on whose behalf the Federal agency is making the request; the title and date of the international treaty, agreement, or convention under which the request is being made; and a certification that the information is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country.
(d)(1)(ii)(B)(4) The head of a Federal agency, or their designee, who makes a request under paragraph (b)(3)(ii)(B) of this section shall submit to FinCEN, in the form and manner as FinCEN shall prescribe:
(d)(1)(ii)(B)(4)(i) A written explanation of the specific purpose for which the foreign person is seeking information under paragraph (b)(3)(ii)(B) of this section, along with an accompanying certification that the information is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country; will be used only for the particular purpose or activity for which it is requested; and will be handled consistent with the requirements of paragraph (d)(3) of this section;
(d)(1)(ii)(B)(4)(ii) The name, title, email address, and telephone number for the individual from the Federal agency making the request;
(d)(1)(ii)(B)(4)(iii) The name, title, agency, and country of the foreign person on whose behalf the Federal agency is making the request; and
(d)(1)(ii)(B)(4)(iv) Any other information that FinCEN requests in order to evaluate the request.
(d)(1)(ii)(B)(5) The head of a Federal functional regulator or other appropriate regulatory agency, or their designee, who makes a request under paragraph (b)(4)(ii) of this section shall make a written certification to FinCEN, in the form and manner as FinCEN shall prescribe, that:
(d)(1)(ii)(B)(5)(i) The agency is authorized by law to assess, supervise, enforce, or otherwise determine the compliance of a relevant financial institution with customer due diligence requirements under applicable law; and
(d)(1)(ii)(B)(5)(ii) The agency will use the information solely for the purpose of conducting the assessment, supervision, or authorized investigation or activity described in paragraph (b)(4)(ii)(A) of this section.
(d)(2) Security and confidentiality requirements for financial institutions.
To receive information under paragraph (b)(4)(i) of this section, a financial institution shall satisfy the following requirements:
(d)(2)(i) Restrictions on personnel access to information. The financial institution shall restrict access to information obtained from FinCEN under paragraph (b)(4)(i) of this section to directors, officers, employees, contractors, and agents within the United States.
(d)(2)(ii) Safeguards. The financial institution shall develop and implement administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of such information. The requirements of this paragraph (d)(2)(i) of this section shall be deemed satisfied to the extent that a financial institution:
(d)(2)(ii)(A) Applies such information procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), and applicable regulations issued thereunder, with regard to the protection of its customers’ nonpublic personal information, modified as needed to account for any unique requirements imposed under this section; or
(d)(2)(ii)(B) If it is not subject to section 501 of the Gramm-Leach-Bliley Act, applies such information procedures with regard to the protection of its customers’ nonpublic personal information that are required, recommended, or authorized under applicable Federal or State law and are at least as protective of the security and confidentiality of customer information as procedures that satisfy the standards of section 501 of the Gramm-Leach-Bliley Act.
(d)(2)(iii) Consent to obtain information. Before making a request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall obtain and document the consent of the reporting company to request such information. The documentation of the reporting company’s consent shall be maintained for 5 years after it is last relied upon in connection with a request for information under paragraph (b)(4)(i) of this section.
(d)(2)(iv) Certification. For each request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall make a written certification to FinCEN that it:
(d)(2)(iv)(A) Is requesting the information to facilitate its compliance with customer due diligence requirements under applicable law;
(d)(2)(iv)(B) Has obtained the written consent of the reporting company to request the information from FinCEN; and
(d)(2)(iv)(C) Has fulfilled all other requirements of paragraph (d)(2) of this section.
(d)(3) Security and confidentiality requirements for foreign recipients of information.
(d)(3)(i) To receive information under paragraph (b)(3)(ii)(A) of this section, a foreign person on whose behalf a Federal agency made the request under that paragraph shall comply with all applicable handling, disclosure, and use requirements of the international treaty, agreement, or convention under which the request was made.
(d)(3)(i) [typo should be ii] To receive information under paragraph (b)(3)(ii)(B) of this section, a foreign person on whose behalf a Federal agency made the request under that paragraph shall ensure that the following requirements are satisfied:
(d)(3)(i)(A) Standards and procedures. A foreign person who receives information pursuant to paragraph (b)(3)(ii)(B) of this section shall establish standards and procedures to protect the security and confidentiality of such information, including procedures for training personnel who will have access to it on the appropriate handling and safeguarding of such information.
(d)(3)(i)(B) Secure system for beneficial ownership information storage. Such information shall be maintained in a secure system that complies with the security standards the foreign person applies to the most sensitive unclassified information it handles.
(d)(3)(i)(C) Minimization. To the greatest extent practicable, the scope of information sought shall be limited, consistent with the purposes for seeking such information.
(d)(3)(i)(D) Restrictions on personnel access to information. Access to such information shall be limited to persons –
(d)(3)(i)(D)(1) Who are directly engaged in the activity described in paragraph (b)(3) of this section for which the information was requested;
(d)(3)(i)(D)(2) Whose duties or responsibilities require such access; and
(d)(3)(i)(D)(3) Who have undergone training on the appropriate handling and safeguarding of information obtained pursuant to this section.
(e) Administration of requests –
(e)(1) Form and manner of requests. Requests for information under paragraph (b) of this section shall be submitted to FinCEN in such form and manner as FinCEN shall prescribe.
(e)(2) Rejection of requests.
(e)(2)(i) FinCEN will reject a request under paragraph (b)(4) of this section, and may reject any other request made pursuant to this section, if such request is not submitted in the form and manner prescribed by FinCEN.
(e)(2)(ii) FinCEN may reject any request, or otherwise decline to disclose any information in response to a request made under this section, if FinCEN, in its sole discretion, finds that, with respect to the request:
(e)(2)(ii)(A) The requester has failed to meet any requirement of this section;
(e)(2)(ii)(B) The information is being requested for an unlawful purpose; or
(e)(2)(ii)(C) Other good cause exists to deny the request.
(e)(3) Suspension of access.
(e)(3)(i) FinCEN may permanently debar or temporarily suspend, for any period of time, any requesting party from receiving or accessing information under paragraph (b) of this section if FinCEN, in its sole discretion, finds that:
(e)(3)(i)(A) The requesting party has failed to meet any requirement of this section;
(e)(3)(i)(B) The requesting party has requested information for an unlawful purpose; or
(e)(3)(i)(C) Other good cause exists for such debarment or suspension.
(e)(3)(ii) FinCEN may reinstate the access of any requester that has been suspended or debarred under this paragraph (e)(3) upon satisfaction of any terms or conditions that FinCEN deems appropriate.
(f) Violations –
(f)(1) Unauthorized disclosure or use. Except as authorized by this section, it shall be unlawful for any person to knowingly disclose, or knowingly use, the beneficial ownership information obtained by the person, directly or indirectly, through:
(f)(1)(i) A report submitted to FinCEN under § 1010.380; or
(f)(1)(ii) A disclosure made by FinCEN pursuant to paragraph (b) of this section.
(f)(2) For purposes of paragraph (f)(1) of this section, unauthorized use shall include accessing information without authorization, and shall include any violation of the requirements described in paragraph (d) of this section in connection with any access.