Re: Beneficial Ownership Information Reporting Requirements, Anti-Money Laundering Act of 2020 Notice of Proposed Rule Making, Docket Number FINCEN-2021-0005 and RIN 1506- AB49 – Comments of James Richards, Principal and Founder of RegTech Consulting LLC.
Posted on February 6, 2022 Richards Comments
Dear Acting Director Das:
I appreciate the opportunity to comment on the notice of proposed rulemaking (NPRM) for the beneficial ownership information reporting requirements.
Many people are touting the proposed Anti-Money Laundering Act of 2020 (“AMLA2020”) and one of the titles of that Act, the Corporate Transparency Act, as the biggest change to American efforts to fight crime and corruption since the USA PATRIOT Act of 2001.
And they are right. As a whole, the AMLA2020 will ultimately have the effect of shifting the US AML/CFT regime from a domestic-focused, regulator-versus-regulated, compliance inputs-based regime to an international, collaborative public/private sector, threat-focused, outputs-driven regime. Those are the positives. But there are some limitations that will reduce the impact and effectiveness of this new AML law. The NPRM provides an opportunity for all stakeholders to address some of these limitations, and to provide suggestions on how to overcome those limitations.
I consider myself to be one of those stakeholders. I am the principal and founder of RegTech Consulting LLC, a private consulting firm focused on providing strategic advice on all aspects of financial crimes risk management to AML software providers, financial technology start-ups, cannabis-related businesses, mid-size banks, and money services businesses. I am also a Senior Advisor to Verafin Inc., the leading provider of fraud detection and BSA/AML collaboration software for financial institutions in North America, and serve on the board of advisors for two providers of financial crimes compliance technologies and services. From 2005 through April 2018 I served as the BSA Officer and Director of Global Financial Crimes Risk Management for Wells Fargo & Co. As BSA officer, I was responsible for governance, training, and program oversight for BSA, anti-money laundering (AML), and sanctions for Wells Fargo’s global operations. As Director of Global Financial Crimes Risk Management, I was responsible for BSA, AML, counter-terrorist financing (CTF), external fraud and internal fraud and misconduct investigations, the identity theft prevention program, global sanctions, financial crimes analytics, and high-risk customer due diligence. Prior to my role with Wells Fargo, I was the AML operations executive at Bank of America where I was responsible for the operational aspects of Bank of America’s global AML and CTF monitoring, surveillance, investigations, and related SAR reporting. I represented Bank of America and Wells Fargo as a three-term member of the BSA Advisory Group (BSAAG). I was also a founding board member of ACAMS and the AFCFS. Prior to my 20-year career in banking, I was a prosecutor in Massachusetts, a barrister in Ontario, Canada, and a Special Constable with the Royal Canadian Mounted Police. I am the author of “Transnational Criminal Organizations, Cybercrime, and Money Laundering” (CRC Press 1998). I earned a Bachelor of Commerce (BComm.) degree and Juris Doctorate (JD) from the University of British Columbia.
It is with this 20+-year background fighting financial crimes in both the private and public sectors, and a strong desire to see the U.S. AML/CFT regime become truly effective, that I am offering these comments.
Summary of Key Issues with the Proposed Rule
From my perspective there are ten key matters in this proposed rule that need to be addressed. Greater detail is provided in the comments to the supplementary information, section-by-section analysis, and the specific questions:
- Beneficial Owner(s) – unlike the existing rule, the proposed regulation does NOT require that a reporting company have at least one beneficial owner (the rule requires at least one beneficial owner: someone who exercised control). The proposed regulation must be clear that every company have at least one person in control. And only one control person.
- Multiple control persons – the current rule has a single individual under the control prong. FinCEN feels strongly that there can be, and should be, multiple control persons. The statute refers to “an individual” exercising control: FinCEN sees that as “any individual” exercising control (see page 69933). I think FinCEN is wrong, both on its interpretation of the word “an” and on the idea that there needs to be more than one person with substantial control. A better approach is to start simple: who is the single person who controls that reporting company? If, over time, law enforcement and national security agencies have strong evidence that collecting the names and identities of multiple control persons provides actionable intelligence, then add them.
- Multiple company applicants – similar to the control person(s), FinCEN believes that there could and should be more than one company applicant. So not only the clerk of the law firm or company formation agent who physically files the documents, but the lawyer or manager who directs them. FinCEN’s assumption that the name(s) of the company applicant(s) “should be readily available to reporting companies” is likely false: why would a company’s principals know the name, let alone the identifying information, of the law firm clerk who filed their company formation documents? And existing companies formed 10, 20, 30 years ago will not be able to find their applicant(s), let alone obtain copies of their identification documents. It would be more effective to list the registered agent, but the statute calls for the person/people who registered the reporting company. Again, make it simple: one person.
- Identification Document Images – FinCEN has interpreted the CTA to require that images of beneficial owners’ identification documents of all of the beneficial owners and company applicants must be included in the filing. Although it is arguable whether the CTA requires the documents, rather than allows for them, this adds a level of cost and complexity, both from a technology perspective and from a privacy perspective. It may be more effective and efficient to begin this new regime without these documents, then learn from law enforcement and national security agencies whether the benefits of the documents would outweigh the costs and burdens of requiring them. And although it is not part of this rule, will financial institutions get copies of these documents when FinCEN returns the beneficial owners’ information?
- Changes to information – FinCEN did not heed the comments of many people (including me) and organizations that argued that a revised or corrected filing be made only when there were material changes to material information. The proposed rule (§ 1010.380(a)(2)) requires new filings for “any changes with respect to any information” of a beneficial owner or company applicant. Clerks and principals of company formation firms will be a “company applicant” for dozens or hundreds, even thousands of companies. Under the proposed rule, if a company applicant moves or gets a new drivers’ license, every reporting company that person was an applicant for must submit a new BOI form: how will the reporting company even know whether that applicant’s information has changed? Again, why bring in this level of complexity at this stage? Also, this can impact the criminal liability of beneficial owners: company applicants cannot be held liable for failing to report changed information to their reporting companies. But the company’s beneficial owners can be held criminally or civilly responsible for failing to update that company’s information, even if they are unaware that the company applicant’s information has changed.
- Reporting company’s address – FinCEN is asking whether the reporting company’s address can be the address of the company formation agent. Thousands of PPP loans were approved for entities using the address of their company formation agent (their “company applicant”).
- Special reporting rules – The special reporting rules for exempt entities, minors as owners, etc., couldn’t be more complicated. The current CDD/BO regime does not include exemptions.
- FinCEN Identifier – I still don’t understand the FinCEN Identifier: why bother with it, what is it for, and how it will be used to obfuscate the identity of beneficial owners?
- Effective Date – FinCEN notes that “certain practical steps must be completed prior to the effective date and the initiation of the collection of information, and it is undertaking significant work towards achieving a timely effective date. These steps include the design and build of a new IT system—the Beneficial Ownership Secure System, or BOSS—to collect and provide access to BOI. Upon the CTA’s enactment, FinCEN began a process for BOSS program initiation and acquisition planning that will lead to the development of a detailed planning and implementation document. Once greater progress is made towards the final reporting rule and a parallel rulemaking effort relating to access to and disclosure of BOI, which will provide concrete guidance on the design and build of the BOSS, FinCEN will move expeditiously to the execution phase of the project, which will include several technology projects that will be executed in parallel.” With this admission, it appears that the BOSS cannot be designed until the access and disclosure rules are established. That could be mid-2022. Then three to nine months for design, six to twelve months to build and test. If all goes well. As a result, the database will not be operational until at least 2024, and will not be populated with then-existing reporting companies’ data and documents, until at least 2025. FinCEN should provide a clear, definitive timeline, or at least provide clear, actionable updates on its progress, so that financial institutions can manage their CDD obligations.
- Changes in reporting status – Proposed section 1010.380(b)(4) provides: “(4) Contents of updated or corrected report. If any required information in an initial report is inaccurate or there is a change with respect to any such required information, an updated or corrected report shall include all information necessary to make the report accurate and complete at the time it is filed with FinCEN. If a reporting company meets the criteria for any exemption under paragraph (c)(2) of this section subsequent to the filing of an initial report, its updated report shall include a notification that the entity is no longer a reporting company.” FinCEN should clarify what happens when law enforcement or a financial institution then submits a query about the beneficial owners of a company that was a reporting company but has since filed a “report of exemption”? Does FinCEN return the original beneficial owners, or does FinCEN respond with “this company is not a reporting company for purposes of the CTA”?
The table below illustrates some of the differences between the current CDD rule and the proposed BOI reporting requirements rule. There are real, substantive differences that may make the implementation of the BOIRR rule more problematic than is needed to meet the goal of the rule: providing actionable intelligence to law enforcement and national security agencies while minimizing the burdens on small businesses.
Comments on the NPRM’s Supplementary Information
Section 6403 of the CTA requires FinCEN to promulgate regulations for beneficial ownership information reporting requirements not later than one year after enactment of the AML Act of 2020. FinCEN published an Advance NPRM on April 5, 2021, and an NPRM on December 7, 2021 with a comment period that will close on February 7th. And, as set out in the “Scope” section of the NPRM, this is only the first of three sets of rulemakings that FinCEN intends to issue to implement the CTA. FinCEN should publish proposed timelines for its rulemaking and, critically, for its building of the actual registry. Financial institutions need clarity on not only what they will need to do to comply with the rules, but on when they will have to comply.
The “Background” information included a section on “Beneficial Ownership of Entities” that, in turn, included subsections on the current status of beneficial ownership information (BOI) reporting in the United States, the value of BOI and Treasury’s efforts to address the lack of corporate transparency, law enforcement’s need for BOI, etc. Over four pages of the Federal Register, the most interesting thing is not what was written, but what was not: there were no references to the results of what is (now) almost four years of collecting and validating beneficial ownership information under the May 2016 “beneficial ownership reporting” rule, codified at 31 CFR 1010.230. With that rule, beginning in May 2018 thousands of financial institutions were required to collect and validate the beneficial ownership information of legal entity customers. But the summary and record are silent as to how many legal entity customers provided that information, how that information was used, whether it was reported in Suspicious Activity Reports, whether it was used to aggregate cash transactions for Currency Transaction Report purposes, whether it was found useful by law enforcement, and what it cost those institutions to implement the rule.
Oddly, Title LXIV of the AML Act of 2020 is “Establishing Beneficial Ownership Information Reporting Requirement”, yet the United States had established beneficial ownership information reporting requirements almost four years earlier. It’s as if FinCEN never promulgated the beneficial ownership reporting rule. In fact, at this point, almost four years into an existing beneficial ownership reporting regime, we do not know if this information provides any benefit to law enforcement.
FinCEN is asking us to comment on a new beneficial ownership information reporting regime without the benefit of knowing whether the current beneficial ownership information reporting regime is providing timely, actionable intelligence to law enforcement. However, FinCEN is required by section 6403 of the CTA to report to Congress on the progress made to implement the provisions of the CTA. I strongly recommend that FinCEN include in that report a review of the current beneficial ownership information reporting regime.
For example, on page 69922 FinCEN writes “BOI can add valuable context to financial analysis in support of law enforcement and tax investigations” and “BOI can assist in the identification of linkages between potential illicit actors and business entities, including shell companies”. Has almost four years of a BOI rule added any valuable context to financial analysis in support of law enforcement and tax investigations or assisted in the identification of linkages between potential illicit actors and business entities, including shell companies?
The “Beneficial Ownership of Entities” section included material on the value of BOI. On page 69923 FinCEN wrote that:
“the CDD Rule was the culmination of years of study and consultation with industry, law enforcement, civil society organizations, and other stakeholders, on the need for financial institutions to collect BOI and the value of that information. Citing a number of examples, the preamble to the CDD Rule noted that, among other things, BOI collected by financial institutions pursuant to the CDD Rule would: (1) assist financial investigations by law enforcement and examinations by regulators; (2) increase the ability of financial institutions, law enforcement, and the intelligence community to address threats to national security; (3) facilitate reporting and investigations in support of tax compliance; and (4) advance Treasury’s broad strategy to enhance financial transparency of legal entities. [footnote omitted]”
Has almost four years of a BOI rule increased the ability of financial institutions, law enforcement, and the intelligence community to address threats to national security; facilitated reporting and investigations in support of tax compliance; and advanced Treasury’s broad strategy to enhance financial transparency of legal entities? On page 69924 FinCEN writes that “the CDD Rule increased transparency by requiring the collection of BOI by covered financial institutions at the time of an account opening”, yet nothing is offered to support that assertion.
Under the heading “The United States’ Corporate Transparency Measures Within the Broader International Framework”, FinCEN writes that “the current lack of a centralized U.S. BOI reporting requirement and database makes the United States a jurisdiction of choice to establish shell companies that hide the ultimate beneficiaries” and “the United States’ lack of a centralized BOI reporting requirement constitutes a weak link in the integrity of the global financial system.”
I would argue that the lack of verifiable beneficial ownership information, and the lack of public access to that information, make the US a jurisdiction of choice for money launderers and is the weak link. The proposed BOI reporting requirements – a limited use, non-public database of unverifiable beneficial ownership information of some, but not all legal entities – leaves the United States as a jurisdiction of choice and weak link.
Comments on the Section-by-Section Analysis
On pages 69930-69931, in the section-by-section analysis on the information to be reported on beneficial owners and company applicants, FinCEN cited one of the penalty provisions that the CTA makes it unlawful to “willfully provide, or attempt to provide … a false or fraudulent identifying photograph or document … to FinCEN”. FinCEN then concluded that this indicated “an assumption that identifying photographs or documents would be reported.”
I disagree. This provision in the CTA indicates that identifying photographs or documents could be reported. FinCEN is correct in writing that “this provision therefore indicates that FinCEN has authority to collect a scanned copy of an identification document, along with the document’s number, in prescribing reporting procedures and standards.” FinCEN should consider, though, whether it should act on that authority. A better approach would be to start without the operational, technical, and privacy complications of requiring scanned identification documents and then determine, though experience, whether including them would be an effective balance of adding to our AML/CFT and national security efforts while protecting the interests of small businesses.
On page 69931 FinCEN writes that “FinCEN believes that the inclusion of TIN reporting, even if voluntary, may help to raise standards for due diligence and transparency expectations for financial institutions and other governments. FinCEN is particularly interested in comments on this proposal to provide a voluntary mechanism to report beneficial owner and company applicant TINs.”
Voluntary mechanisms in the AML/CFT are not taken up by the covered financial institutions. Examples include CTR exemptions and the voluntary information sharing under section 314(b). CTR exemptions are few, and less than half of covered financial institutions participate in 314(b) information sharing because the regulatory risks of doing so far outweigh the incremental value to law enforcement.
Comments on the Specific Questions
Question 3. In general, is the description of the information FinCEN is proposing to require reporting companies to report about a beneficial owner and company applicant sufficiently clear? If not, what additional clarification should FinCEN provide? Are there other categories of information FinCEN should collect about beneficial owners and company applicants, taking into consideration the statutory language of the CTA? Is there additional information that would be useful for FinCEN to collect, but which would require further authorization by Congress?
Comment – There is additional information that would be useful for FinCEN to collect, but which would require further authorization by Congress: the registered agent of a company is more relevant, and easier to obtain and maintain, than company applicant. Remove the company applicant requirement and replace it with registered agent.
Question 6. What value can FinCEN reasonably expect from its proposed voluntary mechanism for collecting TINs of beneficial owners and company applicants? How can such information enhance the overall value of the information collected under this reporting requirement? Are there potentially negative consequences to a voluntary collection of this data? For instance, do businesses have particular concerns about providing or not providing such information?
Comment – as set out above, voluntary mechanisms do not work effectively.
Question 11. Are the proposed requirements for obtaining a FinCEN identifier from FinCEN and using a FinCEN identifier sufficiently clear?
Comment – No. I still don’t understand the purpose of the FinCEN Identifier, and what it is intended to accomplish or solve. It will be used for mischief. It is a loophole to be exploited by complicit gatekeepers and enablers.
Question 12. If an individual beneficial owner has obtained a FinCEN identifier and provided its FinCEN identifier to a reporting company, should a reporting company be required, rather than merely permitted, to use the FinCEN identifier in lieu of the four pieces of identification information (i.e., name, date of birth, street address, and unique identification number) the reporting company must report to FinCEN for the individual beneficial owner, as is proposed in the rule?
Comment – If an individual obtains a FinCEN identifier, and provides that to a reporting company, then that reporting company should be required to use it.
Question 19. FinCEN expects that the definition of beneficial owner is broad enough that every reporting company will have at least one beneficial owner to report. Is that expectation reasonable, and if not, what mechanism should FinCEN establish or what changes should FinCEN make to the proposed rule to make certain that every reporting company reports at least one beneficial owner?
Comment – With this, I would add 1010.380(b)(1)(i)(F) – the name and identifying information of at least one beneficial owner as described in 1010.380(b)(ii).
Question 24. In general, FinCEN believes the phrase “other similar entity created by the filing of a document with a secretary of state or similar office” in the context of the definition of “domestic reporting company” would likely include limited liability partnerships, limited liability limited partnerships, business trusts (a/k/a statutory trusts or Massachusetts trusts), and most limited partnerships, because such entities appear typically to be created by a filing with a secretary of state or similar office. However, FinCEN understands that state and Tribal laws may differ on whether certain other types of legal or business forms—such as general partnerships, other types of trusts, and sole proprietorships—are created by a filing. Are there any states or Indian Tribes where general partnerships, other types of trusts, or sole proprietorships are created by the filing of a document with a secretary of state or similar office?
Comment – Question whether the phrase “created by” is limiting: a partnership may be created when two people enter into an agreement to form a partnership, and the filing of a partnership document with the state may authorize it to do business in the state, but does not create it.
Comments on the Regulatory Analysis
At page 69948 FinCEN sets out the cost estimates for the private sector filers, and FinCEN’s estimates for designing, building, and maintaining the system. Both are remarkably low.
FinCEN estimates that it would cost each of the 25 million domestic and foreign reporting companies that are estimated to currently exist (and the 3 million that are formed each year) approximately $45 apiece to prepare and submit an initial report in the first year that the BOI reporting requirements are in effect. That figure should be reassessed: scrambling to identify all possible persons with significant control, getting legal advice, and collecting identification documents will take hours of time. I expect that this estimate is off by a factor of ten.
FinCEN then estimated its “potential” costs for information technology (IT) development and ongoing annual maintenance, processing electronic submissions of BOI data, and “additional” costs, at $33 million, $31 million per year, and less than $10 million per year, respectively. The cost of developing and building the BSA Database in 2010-2014 was in excess of $100 million, and it costs ~$27 million per year to operate. The BOSS will cost at least that much in 2022-2025 dollars.
Comments on Paperwork Reduction Act Questions
Question 16. Do some states change a driver’s license number when a driver’s license is renewed? If so, which states?
Comment – Even if a driver’s licenses is renewed without changing its number, the photograph, issue date, and expiration date will change. This is “any change to any information”. A new image of the license will need to be uploaded to the BOSS. So FinCEN should expect that every beneficial owner’s and company applicant’s driver’s license change will require an updated BOI form.