New FinCEN Guide Provides Useful BOI Context For Banks

Law360 - Expert Analysis

This article originally appeared in Law360 on March 4, 2024 and is reprinted with permission. All rights reserved.

On Feb. 20, the U.S. Treasury Department's Financial Crimes Enforcement Network issued a six-page compliance guide for financial institutions on accessing and safeguarding the beneficial ownership information, or BOI, that their customers are required to report under the Corporate Transparency Act.[1]

The new guidance implements an access rule that was issued by the agency on Dec. 22, 2023, and only pertains to authorized access of BOI by financial institutions from FinCEN.[2]

The CTA requires that reporting companies and applicants electronically file specified BOI with FinCEN. The reports and BOI will be maintained by FinCEN in a secure, nonpublic database that may be accessed by federal law enforcement agencies and certain financial institutions for customer due diligence. Financial institutions are not, however, allowed to obtain access to BOI from FinCEN without obtaining their customer's consent and following certain security protocols with respect to the information.

The compliance guide provides useful guidance to financial institutions for understanding FinCEN's expectations for how the agency's BOI database should be used. As evident from the compliance guide and the timing of its release, it is incumbent upon all financial institutions to perform a thoughtful review of internal policies and procedures in light of the regulatory requirements of the CTA in order to allow for efficient compliance with the new law.

Scope of Access Rule

Financial institutions do not yet have access to the FinCEN BOI database, due to the agency's decision to take a phased approach to access. Financial institutions will be granted access after other priorities, including a pilot program for federal agencies, are addressed. FinCEN also anticipates revising the existing customer due diligence rule for financial institutions to align with the CTA.

Notably, the compliance guide makes clear that the limitations imposed by the access rule and the CTA as it relates to BOI are only applicable to the extent a financial institution obtains that information from FinCEN. In other words, BOI obtained directly from the customer or another source is not subject to the CTA.

Customer Consent Required

Customer consent is required as a condition of accessing FinCEN's database. However, as the guide says, "It is at the financial institution's discretion to determine the method of obtaining and documenting each customer's consent." The compliance guide makes clear that:

• Consent does not necessarily need to be in writing;


• Consent is required to be obtained only once; it remains effective until revoked by a customer; and


• Consent documentation must be maintained for five years after it was used to make a BOI request to FinCEN.

Financial institutions should consider whether permission should be built into the lender commitment letter and other customer interfacing agreements at the outset and subsequently reaffirmed in credit documents. Financial institutions should include consent for related parties to ensure coverage of upstream affiliates.

Restrictions on Use of BOI

The access rule of the CTA imposes restrictions on how financial institutions may access, use and disclose BOI obtained from FinCEN.

According to the compliance guide, financial institutions are instructed to not use any BOI obtained from the agency for general business or commercial activities such as credit assessments and client development. Rather, the permitted uses of such BOI are to enable the financial institution to fulfill its customer due diligence requirements under applicable law. This would include facilitating compliance with the institution's know-your-customer requirements and obligations to report suspicious activity.

FinCEN has provided additional examples of permissible uses of BOI, which include:

• Conducting enhanced due diligence;


• Facilitating compliance with sanctions imposed by the U.S. Treasury Department's Office of Foreign Assets Control; and


• Complying with requests, reviews and investigations related to anti-money laundering and countering financing of terrorism.

Limits on Disclosure

The compliance guide prohibits financial institutions from re-disclosing BOI they receive from FinCEN, although there are limited exceptions, including providing such BOI to authorized federal regulators and to directors, officers, employees, contractors or agents of the same financial institution who are subject to security and confidentiality requirements.

Security and Confidentiality

Financial institutions are required to implement certain administrative, technical and physical safeguards to protect all BOI that they obtain from FinCEN. The integrity, security and confidentiality of BOI is paramount, and the guide imposes the following requirements.

Geographic Restrictions

BOI received from FinCEN may not be stored or disclosed to persons physically located in the People's Republic of China, the Russian Federation or any jurisdiction that has been determined by the U.S. Department of State to be a state sponsor of terrorism, subject to financial and economic sanctions under U.S. law, or in the determination of the secretary of treasury, undermine national security.

Financial institutions are not otherwise required to keep BOI confined to the U.S.

Information Procedures

In order to obtain BOI from FinCEN, financial institutions will be required to treat BOI in the same manner and subject to the same procedures that such institution has established to protect customer, nonpublic data as required under other applicable laws. Limiting access to the BOI registry to authorized personnel should be a component of such procedures.

Notification of Information Demands

To the extent a financial institution receives any demand or subpoena from any foreign government, the financial institution must notify FinCEN within three business days.

Certification

A financial institution that obtains access to BOI from FinCEN will be required to make the certifications to FinCEN that the financial institution:

1. Is requesting the information to facilitate its compliance with customer due diligence required under applicable law;

2. Has obtained its customer's consent; and

3. Has fulfilled all security standards and other applicable requirements of the BOI rules.

Implementation of BOI Access

Financial institutions do not yet have access to FinCEN's database at this point. FinCEN anticipates providing access in phases beginning with a pilot program for a handful of key federal agency users to be expanded in the future.

FinCEN will provide additional guidance in the coming months that includes clarifications on the certification process described above and other issues.

Penalties

The CTA and the access rule make it unlawful to knowingly engage in unauthorized disclosures or uses of BOI. An unauthorized use of BOI would include accessing information without consent and violating any BOI security safeguards or confidentiality requirements.

The CTA also provides for enhanced criminal penalties if a person commits a violation while violating another U.S. law or as part of a pattern of illegal activity. The penalties for violations can result in significant civil and criminal penalties.

The law also permits FinCEN to permanently debar or temporarily suspect, for any period of time, an individual requester or requesting entity for failing to meet any requirement of the access rule or other good cause.

Conclusion

The guide recently released by FinCEN for financial institutions, while helpful, leaves open questions and necessitates careful thought.[3] Financial institutions should continue to closely monitor changes and future guidance with respect to both the access rule as well as the obligations placed on reporting companies — which are the bank's customers.

The threshold question for a financial institution will be whether it makes sense to take advantage of the access rule and obtain BOI from FinCEN, or simply require a reporting company borrower to furnish certified copies of all FinCEN reports as part of due diligence.

The answer to that question should, at least in part, be determined with reference to whether access to BOI directly from FinCEN facilitates the institution's know-your-customer and anti-money laundering compliance programs.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 

[1] https://www.fincen.gov/sites/default/files/shared/BOI_Access_and_Safeguards_SECG_508C.pdf (Feb. 20, 2024). The CTA became effective Jan. 1 as part of the Anti-Money Laundering Act of 2020 as a tool designed to combat the use of shell companies by those seeking to evade anti-money laundering laws and economic sanctions. See 31 U.S.C. § 5336. The focus of the CTA is greater transparency of state registered entities. The new law requires millions of companies formed or registered to do business in the U.S. to report identifying information about the companies, and their beneficial owners and applicants, to FinCEN.

[2] 31 C.F.R. § 1010.955. Notably, FinCEN has made clear that while the goal of the CTA is to enhance beneficial ownership transparency, regulators also wanted to minimize the burden on financial institutions and have made clear that the new law does "not create a new regulatory requirement for banks [or non-bank financial institutions] to access BOI ... or a supervisory expectation that they do so." Id.

[3] See George H. Singer, Corporate Transparency Act Takeaways for Banking Industry, Law360 (Jan. 5, 2024), available at https://www.law360.com/articles/1781281/corporate-transparency-act-takeaways-for-banking-industry.