Access to the Database – None for the Public, Limited for Financial Institutions, Difficult for Law Enforcement
On September 30, 2022, the Financial Crimes Enforcement Network (FinCEN) published the final Beneficial Ownership Information Reporting Rule (the BOI Rule), one of three FinCEN rules that will eventually implement the requirements of the Corporate Transparency Act (CTA). FinCEN has committed to additional rules to (1) govern access to the database FinCEN is building that will accept, contain, and disclose beneficial ownership information (the Access Rule); and (2) make conforming amendments to FinCEN’s existing Customer Due Diligence (CDD) Rule.
The CTA’s BOI Rule will eventually replace the existing (since 2016) CDD Rule. The CDD Rule requires certain legal entities to provide beneficial ownership information to their bank about (i) at least one person exercising control over the entity, and (ii) as many as four people with at least a 25 percent ownership interest in the entity. The CTA requires certain “reporting companies” to submit their beneficial ownership information to this central database. With the BOI Rule, we now know what will be going into the database, by what kinds of reporting companies, and when. The effective date for the Beneficial Ownership Rule is January 1, 2024: reporting companies created or registered before January 1, 2024 will have until January 1, 2025 to file their initial Reports, while reporting companies created or registered after January 1, 2024, will have 30 days after receiving notice of their creation or registration to file their initial Reports.
In the supplemental information submitted with the BOI Rule, FinCEN committed to issuing the final Access Rule in time for the rollout of the database on January 1, 2024. As of this writing (October 8, 2022) FinCEN has yet to publish a proposed Access Rule (which is required so that the public can provide comments), let alone a final Access Rule.
So now that we know what is going into the database, let’s turn our attention to the Access Rule: who will be able to access the database, on what conditions, and how will they do so? In the absence of any proposed rules, we need to turn to the statute.
Section 6403 of the CTA added a new section (5336) to what we call the Bank Secrecy Act, or BSA. Section 5336 has eight subsections, (a) through (h). Subsection (a) includes the definitions: applicant, beneficial owner, FinCEN identifier, reporting company, etc. Subsection (b) provides for beneficial ownership information reporting. The BOI Rule implements this subsection. Subsection (c) is titled “retention and disclosure of beneficial ownership information by FinCEN”. The Access Rule will implement this subsection.
§ 5336(c) – Retention and Disclosure of Beneficial Ownership Information By FinCEN
This section begins with how long FinCEN can keep the BOI information: BOI “shall be maintained by FinCEN for not fewer than 5 years after the date on which the reporting company terminates”. With this, we can expect the Access Rule to include something on how FinCEN will find out when a reporting company terminates. Interestingly, there was nothing in the BOI Rule, which included details on when, how, and why a reporting company would file a report, including when there were any changes to the information previously reported, that referred to the termination of the reporting company itself. Indeed, if a reporting company is “terminated”, it would not be able to file a report of termination. It will be interesting to see how (if?) FinCEN deals with this.
Notably, the registry itself will have to comply with strict information security requirements, including encryption, set out in sections 3551-3559 of subchapter II (information security) of chapter 35 (federal government information policy) of title 44 of the US Code. That is reasonable. However, section 5336(8) provides that the registry will be a “high impact system”, which is a system that holds “sensitive information, the loss of which could cause individuals, the government, or the nation catastrophic harm”. This is the highest standard, applied to only 9% of all federal government agency systems. One could easily argue that the registry is a moderate, or even low risk system.
Who Can Access the BOI Database?
Subsection 5336(c)(2)(B) lists the five types of public and private sector entities to whom FinCEN may disclose beneficial ownership information. In each case FinCEN may disclose BOI “upon receipt of a request” from:
(i)(I) a federal agency engaged in national security, intelligence, or law enforcement activity, for use in furtherance of such activity;
(i)(II) a State, Tribal, or local law enforcement agency with a court order (emphasis added);
(ii) a federal agency on behalf of a foreign government pursuant to a treaty, mutual legal assistance treaty, etc.;
(iii) “a financial institution subject to customer due diligence [CDD] requirements, with the consent of the reporting company, to facilitate the compliance of the financial institution with customer due diligence requirements under applicable law”; and
(iv) a Federal functional regulator.
First, what is not on this list is the public. Unlike the United Kingdom’s national database of company and beneficial ownership information (called “Companies House”), the FinCEN database of reporting companies and beneficial ownership information is not accessible by the public.
Second, Congress doesn’t seem to have the same faith in state, tribal, or local law enforcement agencies as it has in federal agencies. Best to have a judge make sure the locals are not running roughshod over BOI.
Third, financial institutions that have CDD program obligations can only query the database “with the consent of the reporting company to facilitate compliance … with CDD requirements”. This is a significant limitation. In fact, perhaps the biggest issue with the central registry of beneficial ownership information may be the limitations placed on financial institutions’ access and use. Examples of these limitations are:
- By limiting requests to those made with the consent of the reporting company, financial institutions cannot query the database without “tipping off” the reporting company, so financial institutions may only be able to use the database for onboarding due diligence or updating general due diligence, and not for investigations of unusual or possible suspicious activity;
- It is not clear whether financial institutions can perform due diligence on individuals by querying the database to determine if an individual customer is a beneficial owner of the institution’s new or proposed customer (a legal entity customer under the current rules, or a reporting company under the AMLA2020). For example, if a bank wants to know if its new customer, Al Capone, is the beneficial owner of (or company applicant for), any reporting companies, it does not appear that it can submit a request to FinCEN, asking it to return information on all reporting companies that Al Capone is tied to;
- It is not clear what information FinCEN will return in response to a request for beneficial ownership information: will it release the PII of the applicant and beneficial owner(s), or just the name(s) and address(es)?
- The database won’t be fully populated with the ~33 million existing reporting companies until 2025: what will financial institutions do if they get a “null return” from FinCEN for a company the financial institution knows should be registered? What will financial institutions be expected to do when the information they have in their files is different than what is returned by FinCEN?
How Anyone Uses and Discloses Beneficial Ownership Information – Beware! Danger!
Even before the law sets out which public sector agencies and private sector institutions can access the database, Congress decided to insert a dire warning for any individuals at those entities who do so.
Subsection 5336(c)(2)(A) sets out a prohibition: “Except as authorized by this subsection and the protocols promulgated under this subsection, beneficial ownership information reported under this section shall be confidential and may not be disclosed by – (i) an officer or employee of the United States; (ii) an officer or employee of any State, local, or Tribal agency; or (iii) an officer or employee of any financial institution or regulatory agency receiving information under this subsection.”
And what if those protocols are violated or BOI is disclosed or improperly used? Subsection 5336(4) provides for criminal and civil penalties. Those penalties are set out in subsection 5336(h)(3)(B): a civil penalty of not more than $500 for each day that the violation continues or has not been remedied; and criminal penalties of a fine of not more than $250,000, or imprisonment for not more than 5 years, or both. If the protocols are violated, or the improper use or disclosure occurs “while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period” the possible fine and imprisonment are doubled, to not more than $500,000 or imprisonment for not more than 10 years, or both.
I can envision a situation where a bank (and bankers) violate the suspicious activity reporting law – 31 USC 5318(g) – and, in doing so, improperly use and disclose BOI in violation of 31 USC 5336. If prosecutors decided to tack on a 5336 charge, the potential penalty for that charge would be as much as a $500,000 fine and ten years in prison. Although Sentencing Guidelines generally don’t provide for maximum sentences, the possibility of serving ten years in prison will have a chilling effect on banks and bankers.
Accessing the Database – It May Be So Daunting, Why Bother?
The procedures and controls for law enforcement and other federal agencies are daunting enough that they may be discouraged from accessing the database. Note that these procedures and controls seem only to apply to law enforcement agencies: it may be left to the financial regulators to impose controls on financial institutions, apart from the Access Rule itself.
Subsection 5336(c)(3) sets both the tone for, and requirements of, the “appropriate protocols” for public sector agencies to access the BOI database and use the information.
First, the tone is set in subsection 5336(c)(3)(A): The Secretary of the Treasury shall establish by regulation protocols that “protect the security and confidentiality of any beneficial ownership information provided directly by the Secretary”. Note that there was no balancing of the security and confidentiality of the BOI against a goal such as “while providing law enforcement and national security with valuable, actionable intelligence to protect the national security of the country”. This was likely deliberate (see the Congressional comments below).
Subsections (B) – (D), (H), and (I) describe the BOI “program” that an agency will need to establish in order to access the BOI database. Treasury shall put in place protocols that:
(B) require the head of any requesting agency, on a non-delegable basis, to approve the standards and procedures utilized by the requesting agency and certify to the Secretary semi-annually that such standards and procedures are in compliance with the requirements of this paragraph;
(C) require the requesting agency to establish and maintain, to the satisfaction of the Secretary, a secure system in which such beneficial ownership information provided directly by the Secretary shall be stored;
(D) require the requesting agency to furnish a report to the Secretary, at such time and containing such information as the Secretary may prescribe, that describes the procedures established and utilized by such agency to ensure the confidentiality of the beneficial ownership information provided directly by the Secretary.
(H) require the requesting agency to establish and maintain, to the satisfaction of the Secretary, a permanent system of standardized records with respect to an auditable trail of each request for beneficial ownership information submitted to the Secretary by the agency, including the reason for the request, the name of the individual who made the request, the date of the request, any disclosure of beneficial ownership information made by or to the agency …;
(I) require that the requesting agency … conduct an annual audit to verify that the beneficial ownership information received from the Secretary has been accessed and used appropriately, and in a manner consistent with this paragraph and provide the results of that audit to the Secretary upon request.
Let’s use the FBI as an example of an agency that wants to use BOI in its investigations. The FBI will need to build a secure system to store any BOI; it will need to have standards and procedures in place that set out how it will access, use, and store the BOI; the Director – not the Deputy Director – will need to approve and certify that these are not only in place, but are operating appropriately; and it will need to ensure all use of BOI is recorded for audit purposes and perform an annual audit.
Law Enforcement Needs to Justify, For Each Request, Why It Needs BOI
Subsection (c)(3)(E) requires “a written certification for each authorized investigation … from the head of [the requesting] agency … that – (i) states that applicable requirements have been met … and (ii) at a minimum, sets forth the specific reason or reasons why the beneficial ownership information is relevant to an authorized investigation or other activity …”. This is repeated somewhat in subsection (H), the audit trail that must include the reason for the request, the name of the individual who made the request, the date of the request, and any disclosure of beneficial ownership information made by or to the agency.
It will be interesting to see how FinCEN deals with this in the Access Rule: what level of detail will the head of an agency need to provide? “The BOI will aid our investigation” may not be enough.
And Law Enforcement Is Restricted on Who Can See the BOI, and Why
Congress certainly didn’t intend that law enforcement agencies could keep and use BOI as an investigative asset. Subsection 5336(c)(3)(F) is a general admonition that “requires the requesting agency to limit, to the greatest extent practicable, the scope of information sought, consistent with the purposes for seeking beneficial ownership information”. Following that general admonition, subsection (G) puts some tight guardrails on who can access and use the BOI, and why. It provides:
5336(c)(3)(G) “restrict, to the satisfaction of the Secretary, access to beneficial ownership information … to only users at the requesting agency –
(i) who are directly engaged in the authorized investigation or activity …
(ii) whose duties or responsibilities require such access;
(iii) who – (I) have undergone appropriate training; or (II) use staff to access the database who have undergone appropriate training;
(iv) who use appropriate identity verification mechanisms to obtain access to the information; and
(v) who are authorized by agreement with the Secretary to access the information”.
Again, how FinCEN deals with the phrase “who are directly engaged in the authorized investigation or activity” will be interesting: Congress seems to have intended that a request for BOI must be tied to a particular investigation, and then can only be used for that investigation. We will see.
Congressional Intent – Lock Down the BOI Database As Tight As Possible
Why was access to the beneficial ownership registry limited to the extent it was? The answer to that question could be found in comments made by Congressman Patrick McHenry (R. NC 10). His floor comments from December 8, 2020, as captured in the House Congressional Record, are set out, in relevant part, below. His comments bear particular weight: they not only reflect the views of the Republican caucus, but Congressman McHenry is the Ranking Member on the House Financial Services Committee (and, if the House flips in November, he would be the Chairman of that committee).
Representative McHenry’s reference to “Division F” is to the division of the National Defense Authorization Act that is the Anti-Money Laundering Act of 2020; Title LXIV of Division F is the Corporate Transparency Act.
Comments of Rep. McHenry
House Congressional Record from December 8, 2020 CREC-2020-12-08-pt1-PgH6919-3.pdf (congress.gov) at pages H6932-6933:
Mr. MCHENRY. Mr. Speaker, I rise in support of the conference report to the National Defense Authorization Act for fiscal year 2021. Combating illicit finance and targeting bad actors is a nonpartisan issue. However, Congress’ actions must be thoughtful and data driven. An example of this is H.R. 2514, the COUNTER Act, which is included in this conference report. Division G is a compilation of bipartisan policies that will modernize and reform the Bank Secrecy Act and anti-money laundering regimes. These policies will strengthen the Department of Treasury’s financial intelligence, anti-money laundering, and counter terrorism programs.
Division F includes the strongest privacy and disclosure protections for America’s small businesses as it relates to the collection, maintenance, and disclosure of beneficial ownership information. The new protections set out in Division F ensure that small business beneficial ownership information will be protected just like an individual’s tax return information. The protections in Division F mirror or exceed the protections set out in 26 U.S.C. 6103, including:
- Agency Head Certification. Division F requires an agency head or designee to certify that an investigation or law enforcement, national security or intelligence activity is authorized and necessitates access to the database. Designees may only be identified through a process that mirrors the process followed by the Department of Treasury for those designations set out in 26 U.S.C. 6103.
- Semi-annual Certification of Protocols. Division F requires an Agency head to make a semi-annual certification to the Secretary of the Treasury that the protocols for accessing small business ownership data ensure maximum protection of this critically important information. This requirement is non-delegable.
- Court authorization of State, Local and Tribal law enforcement requests. Division F requires state, local and tribal law enforcement officials to obtain a court authorization from the court system in the local jurisdiction. Obtaining a court authorization is the first of two steps state, local and tribal governments must take prior to accessing the database. Separately, state, local and tribal law enforcement agencies must comply with the protocols and safeguards established by the Department of Treasury.
- Limited Disclosure of Beneficial Ownership Information. Division F prohibits the Secretary of Treasury from disclosing the requested beneficial ownership information to anyone other than a law enforcement or national security official who is directly engaged in the investigation.
- System of Records. Division F requires any requesting agency to establish and maintain a system of records to store beneficial ownership information provided directly by the Secretary of the Treasury.
- Penalties for Unauthorized Disclosure. Division F prohibits unauthorized disclosures. Specifically, the agreement reiterates that a violation of appropriate protocols, including unauthorized disclosure or use, is subject to criminal and civil penalties (up to five years in prison and $250,000 fine).
With the BOI Final Rule, we know what entities must submit what information, and when. In other words, we know what will be going into the Beneficial Ownership Information Reporting database. But what comes out, and how and whether it comes out, remains unanswered. Section 6403 of the Corporate Transparency Act, which created 31 USC section 5336, tells us which public sector agencies and private sector institutions can access the database, and generally what requirements and protocols Congress expects must be put in place for them to do so. But exactly how that access will be accomplished remains to be seen. We’ll know more when FinCEN publishes a proposed Access Rule, hopefully in the next few months.
But what we do know is that law enforcement and national security agencies have a hell of a lot of work ahead of them to put the programs, policies, procedures, and systems in place to be able to satisfy Congressional requirements. I fear that some of these agencies, particularly smaller Tribal, state, and local agencies, may simply decide that the costs of “managing the management of risk management” of their BOI program will outweigh the benefits of obtaining and using the information. They may not bother. At a cost of about $25 billion in the first year, and about $6 billion every year thereafter, it would be a shame if the law enforcement benefits of the BOI database weren’t realized.
Yes, the beneficial ownership information database will be protected and secure: but will it be used?
Note: The National Institute of Standards and Technology (NIST) defines how agencies should determine the security category of their information and information systems. Agencies are to consider the potential impact or magnitude of harm that could occur should there be a loss in the confidentiality, integrity, or availability of the information or information system as low, moderate, or high. Low impact is defined as the loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Moderate impact is defined as the loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals, or could significantly reduce the agency’s capability to effectively perform its mission and functions. High impact is defined as the loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals, or might cause the organization to be unable to perform one or more of its primary functions or result in a major financial loss. A useful report on these high impact systems is a GAO report from May 2016: GAO-16-501, Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems.