FinCEN’s Access Rule and Banks
Publications - Client Alert | January 19, 2024
On December 22, 2023, the Financial Crimes Enforcement Network (“FinCEN”) published a final rule establishing standards for banks to access beneficial ownership information (“BOI”) reported to FinCEN (the “Access Rule”).1 The Access Rule is the second of three rulemakings to implement the Corporate Transparency Act (“CTA”),2 a new law designed to increase ownership transparency in corporate entities. The Access Rule followed the BOI reporting rule (the “Reporting Rule”) requiring certain corporations, limited liability companies and other entities (collectively, “reporting companies”) to report identifying information about themselves, their beneficial owners, and the company applicants who form or register them.3 BOI reported to FinCEN under the Reporting Rule will be kept in a national database that went “live” on January 1, 2024 (the “System”). The Access Rule prescribes the circumstances under which BOI may be disclosed to certain governmental authorities and other entities, including banks, through the System, the purposes for which BOI may be used, and the standards for safeguarding BOI. The third and final CTA rulemaking will make conforming amendments to the beneficial ownership requirements of FinCEN’s existing Customer Due Diligence (“CDD”) Rule (the “CDD Rule”) applicable to banks.4 FinCEN plans to address further issues through its impending CDD Rule rulemaking, as well as additional guidance specific to the Access Rule.5
According to FinCEN, the Access Rule aims to ensure that: (a) only authorized recipients have access to BOI; (b) authorized recipients use BOI only for purposes permitted by the CTA; and (c) authorized recipients re-disclose BOI only in ways that balance protection of the security and confidentiality of the BOI with furtherance of the CTA’s objective of making BOI available to a range of users.
FinCEN is taking a phased approach to providing access to the System, beginning with a pilot program in 2024 that will extend access to a handful of key federal agency users. Banks and their regulators will be one of the last categories of users that will have access to the System. As such, banks likely will have to wait for access to the System. Banks will not be required to use the System or report discrepancies to FinCEN, and thus until the CDD Rule is amended, their current compliance obligations under the CDD Rule and Bank Secrecy Act (“BSA”) remain unchanged.
The Access Rule will become effective on February 20, 2024.
Who has access to BOI?
Under the Access Rule, FinCEN is authorized to disclose BOI under specific circumstances to:
- U.S. federal agencies engaged in national security, intelligence, or law enforcement activity;
- U.S. state, local and tribal law enforcement agencies for criminal or civil investigations;
- Foreign law enforcement agencies, judges, prosecutors, central authorities and competent authorities for assistance in law enforcement investigation or prosecution, or a national security or intelligence activity authorized under foreign law;
- Financial institutions subject to CDD requirements (which includes banks) to facilitate the financial institution’s compliance with CDD requirements;
- Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions’ compliance with CDD; and
- Treasury officers and employees for tax administration.
Banks’ access to BOI
With the prior consent of the customer, the CTA and Access Rule authorize FinCEN to disclose BOI with respect to a bank customer stored in the System to banks to facilitate compliance with CDD requirements, and federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity to assess the banks’ compliance with applicable CDD requirements.6
The Access Rule authorizes banks to use BOI “to facilitate compliance with customer due diligence requirements under applicable law”7 which includes any anti-money laundering/countering the financing of terrorism (AML/CFT) obligations under the BSA, as well as other legal requirements designed to safeguard U.S. national security (e.g., sanctions laws and regulations), provided that such compliance reasonably requires a bank to identify and verify beneficial ownership.8 Accordingly, a bank will be permitted to use BOI to satisfy its broader BSA compliance obligations, including its AML program, customer identification, SAR filing, and enhanced due diligence requirements, as well as compliance with U.S. sanctions (e.g., through sanctions screening). Banks are prohibited from using BOI for any unrelated purpose such as business development, solicitation of prospects, or assessing whether to extend credit to a legal entity.
The CTA does not direct FinCEN to provide access to banks, but rather states that FinCEN “may disclose” BOI to qualifying banks, consistent with the CTA’s security, confidentiality, and provisions regarding the usefulness of the database.9 The Access Rule preserves this discretion accorded to FinCEN.10 In the exercise of this discretion, FinCEN intends to provide access as an initial matter to banks (and other financial institutions) that are covered financial institutions under the CDD Rule. Thus, certain BSA-regulated financial institutions, such as money services businesses, casinos, insurance companies, precious metals dealers, and others that are not subject to the CDD Rule, will not have System access initially. FinCEN explained that security standards associated with such entities warrant additional scrutiny prior to granting access.
FinCEN clarified in the Access Rule that banks are not required to use the System and may continue to use their existing processes to comply with the CDD Rule, and the BSA more broadly. FinCEN, together with federal banking regulators, also released a statement to the same effect (the “Interagency Statement”), which reiterated that the Access Rule “does not create a new regulatory requirement for banks to access BOI from the System or a supervisory expectation that they do so.”11 However, to the extent that banks use BOI from the System, they must comply with the Access Rule.12
Timeline for Access
FinCEN intends to take a phased approach to providing access to the System. In 2024, FinCEN intends to administer a pilot program that will initially extend access to the System to key federal agency users, followed by a second stage extending access to certain federal law enforcement and national security agencies working with FinCEN, and a third phase that extends access to other federal and state agencies and partners. Finally, covered banks (and certain other financial institutions subject to the CDD Rule) and their regulators will be the last category of users that will have access to the System. FinCEN said the agency expects “that the timing of their access will roughly coincide with the upcoming revision of FinCEN’s 2016 CDD Rule.”
Government entities and banks will receive different degrees of access to the System. Certain government entities (e.g., Treasury personnel and federal law enforcement and intelligence agencies) will have the ability to run multiple direct searches through the System, while banks, on the other hand, will have more limited access. In particular, banks will be required to submit specific identifying information for a reporting company “and receive in return an electronic transcript with that entity’s BOI.”13 The Access Rule does not specify the parameters or technical standards for access to the System; however, FinCEN stated that it expects that banks will use Application Programming Interfaces (APIs) to access BOI and that the System will accommodate the use of APIs for this purpose (including the submission of required certifications (see below)).
FinCEN indicated that it will provide additional information about the timing of this phased approach in early 2024, but given that CDD revisions have yet to be proposed, it seems likely that banks will not have access to the BOI database until late 2024 or early 2025.14
Re-Disclosure of BOI
The Access Rule provides that any individual authorized to receive BOI is prohibited from disclosing it, except as expressly authorized by FinCEN. FinCEN has clarified that banks will be permitted to share BOI with beneficial ownership data service providers, “RegTech” firms, due diligence vendors, and other third-party service providers, provided that “they and their employees are ‘agents’ or ‘contractors’ of a financial institution” and “are performing a function on behalf of the financial institution that requires direct access to it.” A bank’s “contractors” and “agents” also include individuals and entities performing work for the bank by contract, such as outside counsel, auditors, and providers of data analysis software tools.15 Banks would remain liable for any failure by contractors or agents to comply with the Access Rule, and agents and contractors would only be permitted to use BOI for purposes permitted under the CTA and Access Rule.16
Data Security and Consent
The Access Rule requires banks to implement controls and policies to safeguard BOI and ensure that it is only used for permissible purposes. Banks must, among other things, establish security and information-handling procedures that align with the standards required under section 501 of the Gramm-Leach-Bliley Act and its implementing regulations17 and implement procedures for employee training. FinCEN expects that federal regulators will assess compliance with the Access Rule during safety and soundness examinations.
Under the CTA, banks are also required to obtain customer consent prior to accessing BOI. The Access Rule does not prescribe any particular means through which banks must obtain a customer’s consent, and FinCEN noted that the Rule affords banks “substantial discretion” to obtain consent through any lawful method.18
The Access Rule requires that banks certify the consent, and document it for five years, but does not require that the customer consent and certification be written. The certification to FinCEN will be “in such form and manner as FinCEN shall prescribe,” and FinCEN “anticipates that a financial institution will be able to make the certification via a simple checkbox when requesting BOI.”
Violations and Penalties
The CTA and Access Rule provide for civil and criminal penalties for violations of the rule. Violations of the CTA may result in a civil penalty of $500 per day for each violation that continues or has not been remedied. Criminal penalties may result in a fine of no more than $250,000 or imprisonment for not more than five years (or both). In addition, FinCEN will have discretion to suspend or revoke access to the System if a bank fails to comply with the strictures of the Access Rule. FinCEN stated that decisions to suspend or revoke access will be made on a case-by-case basis, based on all facts and circumstances.
Considerations for Banks Seeking BOI From FinCEN
The Interagency Statement clarified that the Access Rule does not create a regulatory requirement or supervisory expectation that banks obtain BOI from the System, and as such, the Access Rule does not require changes to existing BSA/AML compliance programs designed to comply with the CDD Rule or other BSA requirements. The Interagency Statement, however, requires that the access and use of BOI obtained from FinCEN must comply with the requirements of the CTA and the Access Rule. Banks, therefore, should consider the following before accessing the System:
- Assessing whether the bank intends to query the System. While banks are not required to query the System, ignoring a potential source of CDD information in developing a customer risk profile or investigating money laundering or terrorist financing could lead to negative consequences in enforcement matters or collateral litigation.
- Implementing policies and procedures for obtaining and recording legal entity customer consent to access their BOI from FinCEN. While FinCEN is giving banks “substantial discretion” in the manner in which they obtain customer consent, FinCEN is requiring that such consent be documented. Banks should update their onboarding and application forms and customer files to address this customer consent requirement.
- Assessing any obstacles in explaining to customers the Reporting Rule and the Access Rule to avoid customer confusion. If a bank’s customer has not complied with the CTA (or even heard of the CTA), it may be difficult to explain why the bank is requesting a consent to access the System. What does a bank do when the business customer fails to file or update their BOI with FinCEN? Does the bank comply with its CDD obligations through the old channel if their customer is not reporting the information to FinCEN under the Reporting Rule, creating a two-channel process for CDD compliance?
- Implementing policies to (1) limit the number of individuals who will be authorized to directly request BOI from the System; (2) govern the individuals authorized to receive “re-disclosed” BOI (consider limiting the list on a “need to know” basis); and (3) address the permissible reasons to request BOI from the System and to re-disclose such BOI to colleagues or service providers.
- Implementing controls and policies to safeguard BOI and ensure that it is only used for permissible purposes.
- Assessing current and future vendor agreements to ensure that vendors will comply with all requirements for accessing, using, and safeguarding BOI in accordance with the CTA and Access Rule.
- Establishing an Access Rule training program. The Access Rule requires banks to train employees who will access the System. Such personnel also are required to complete FinCEN-provided online training.
Kutak Rock is here to help clients navigate the CTA compliance process. If you have any questions about how the CTA will affect your business, please contact your Kutak Rock attorney or any member of the CTA Client Service Team listed below.
2 31 U.S.C. 5336.
3 The CTA and the Reporting Rule are described in our December 2023 client update accessed here and our November 2023 client update accessed here. The CTA and Reporting Rule generally exempt from the reporting requirements banks and other entities that are already subject to significant regulatory regimes meant to expose their beneficial owners, among other purposes. See 31 U.S.C. 5336(a)(11)(B).
4 31 CFR § 1010.230.
5 According to the FinCEN “Fact Sheet,” FinCEN will develop compliance and guidance documents to assist authorized users in complying with the Access Rule. See FinCEN Fact Sheet: Beneficial Ownership Information Access and Safeguards Final Rule (December 21, 2023).
6 Authorized agencies also include state bank supervisors and state credit union regulators.
7 31 U.S.C. 5336(c)(2)(B)(iii).
8 Specifically, the Access Rule defines “customer due diligence requirements under applicable law” to include “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.”
9 31 U.S.C. 5336(c)(2)(B).
10 31 CFR 1010.955(b)(4)(i).
11 FinCEN, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Bank and Credit Union Regulators, Interagency Statement for Banks on the Issuance of the Beneficial Ownership Information Access Rule (December 21, 2023), https://www.fdic.gov/news/financial-institution-letters/2023/fil23067a.pdf.
12 Note that regulators supervising due diligence compliance for banks may only access BOI that the supervised banks have received from FinCEN, and they may only use that information to assess, supervise, enforce, or otherwise determine compliance of those banks with CDD requirements.
13 Banks will have access to the information included in each reporting company’s BOI report, including identifying information about its beneficial owners (e.g., name, date of birth, residential or business address, and either a unique identifying number from an acceptable identification document such as a passport or the individual’s FinCEN identifier). However, banks will not have access to images of the identifying documents (e.g., passports or government IDs). In addition, FinCEN does not anticipate providing bulk data exports to authorized users.
14 Banks should consider these timing hurdles in connection with any implementation of CDD procedures using the System.
15 FinCEN acknowledged that banks may also be required to share BOI with other entities that do not qualify as employees, contractors, or agents (e.g., affiliated banks or other financial institutions involved in syndicated loan agreements) but deferred any further discussion of the issue for future guidance.
16 FinCEN also noted that a contractor may not repurpose BOI for the contractor’s own use, such as data aggregation, or for the use of other banks or other financial institutions.
17 See 15 U.S.C. 6801(b) and 6805. Section 501 of the Gramm-Leach-Bliley Act requires each federal functional regulator to establish appropriate standards for the banks subject to its jurisdiction relating to administrative, technical, and physical safeguards to (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. The federal functional regulators have implemented these requirements in different ways. For example, the OCC, FRB, and FDIC have issued the standards in the form of interagency guidelines.
18 FinCEN noted that the Access Rule “only requires the financial institution to obtain a reporting company’s consent at a time prior to an initial request for the reporting company’s BOI from FinCEN, and it may rely on that consent to retrieve the same reporting company’s BOI on subsequent occasions, including to open additional accounts for that reporting company, unless the consent is revoked.”