Oh BOI! Another Resource on the Requirements of Beneficial Ownership – Part I
Recently, in February, the Financial Crimes Enforcement Network (FinCEN) published the “Small Entity Compliance Guide for Beneficial Ownership Information Access and Safeguards Requirements.” The small entity guide was published to provide an overview of the Beneficial Ownership Information Access and Safeguards Rule, otherwise known as the Access Rule. Initially, in September 2023, FinCEN published one other small entity compliance guide related to the new beneficial ownership reporting requirements, which was updated in December 2023. The most recently published small entity guide is primarily for financial institutions on obtaining beneficial ownership information (BOI) from FinCEN. However, the first small entity guide issued back in September seemed to be for reporting companies rather than financial institutions. In this article, I am going to save you some time by summarizing what is covered in the “Small Entity Compliance Guide for Beneficial Ownership Information Access and Safeguards Requirements.”
To recap, the Access Rule was issued on December 22, 2023, and was established to implement the requirements of the Corporate Transparency Act (CTA). In general, the Access Rule authorizes certain persons the ability to obtain access to beneficial ownership information. The Access Rule also addresses the importance of confidentiality related to BOI that is reported to FinCEN. The Small Entity Compliance Guide for Beneficial Ownership Information Access and Safeguards Requirements applies to financial institutions, even though they do not have access to BOI reported to FinCEN at this time. I encourage financial institutions to utilize this 6-page Guide to determine how BOI reported to FinCEN can be obtained as it relates to compliance with Customer Due Diligence (CDD) requirements.
The Guide is broken down into the following four sections: Use of BOI, Security and Confidentiality Requirements, Administration of Requests, and Violations. I will address what is covered in Sections 1 & 2 in this article, and be on the lookout for my summary of Sections 3 & 4 in a future article.
Within Section 1 of the Guide, it addresses the use of BOI. Under current Customer Due Diligence (CDD) requirements, financial institutions are required to identify and verify beneficial owners of any legal entity customer who opens a new account with their institution. Under certain circumstances related to satisfying their BSA/AML requirements, institutions may utilize the BOI reported to FinCEN. However, institutions are not permitted to utilize BOI for their general business activities, such as credit underwriting or for client development. Overall, the financial institution must have an authorized use for the BOI obtained through FinCEN.
Section 1.2 addresses limits on the re-disclosure of BOI by financial institutions. Due to the confidentiality and privacy of information reported to FinCEN, an employee, director, or agent of a financial institution may not disclose BOI obtained from FinCEN. However, there are three exceptions when a financial institution is permitted to disclose BOI received from FinCEN. First, BOI may be re-disclosed to another director, officer, employee, contractor, or agent of the same institution as long as the information is kept confidential and secure. Not all employees should have access to BOI obtained from FinCEN. Secondly, the institution may share BOI obtained from FinCEN with their federal regulator if the federal regulator has the authority to do so. In addition, the federal regulator may only access the information for purposes of determining the institution’s compliance with the customer due diligence requirements and have a written agreement with FinCEN addressing the safekeeping of the information. The third exception to when BOI may be re-disclosed is when authorized by FinCEN in a prior written authorization or by guidance that FinCEN issues.
Moving on to Section 2 of the Guide, it addresses security and confidential requirements. A financial institution that requests to obtain BOI from FinCEN will be required to establish administrative, technical, and physical safeguards. The safeguards must be designed to protect the integrity, confidentiality, and security of BOI. The Guide provides five subsections within Section 2 to give financial institutions additional details on specific requirements for security and confidentiality.
The first subsection of Section 2 addresses FinCEN’s established geographic restrictions on BOI received from FinCEN related to persons that the U.S. Department of State has determined to sponsor terrorism, are subject to financial and economic sanctions under U.S. law or has been determined by the Secretary of the Treasury to risk BOI security and confidentiality requirements or U.S. national security. This also applies to persons physically located in the People’s Republic of China and the Russian Federation.
Also addressed within the small entity compliance guide in section 2.2 is information procedures when receiving BOI from FinCEN. To ensure confidentiality and privacy with the beneficial ownership information (BOI) received from FinCEN, compliance with the Gramm-Leach Bliley Act requirements must be established and adhered to. For financial institutions subject to the provisions of the Gramm-Leach Bliley Act, procedures may need to be modified to address the requirements of the Access Rule. For institutions not subject to the Gramm-Leach Bliley Act requirements, procedures must be implemented to ensure the BOI received from FinCEN is protected based on the Gramm-Leach Bliley Act standards. In the event that a financial institution receives any foreign government subpoena or legal demand request for BOI, the financial institution must notify FinCEN within three business days of receiving the request.
The third subsection addresses the requirements for obtaining consent. Although financial institutions must have procedures in place to ensure information remains protected and confidential, before they can obtain a customer’s information from FinCEN, they must obtain the customer’s consent. The consent is not required to be obtained in writing; however, it must be documented. In addition, the customer must have the ability to revoke their consent. Once consent is provided, unless it is revoked, the financial institution can obtain the reporting company’s BOI from FinCEN. The institution can rely on the consent to obtain the customer’s BOI for future occasions unless the consent is revoked.
Lastly, Section 2 of the Guide addresses the requirement for financial institutions to certify to FinCEN within the Beneficial Ownership Information Technology (BO IT) system that they are requesting BOI to comply with CDD requirements under applicable law. In addition, they must certify that they have documented and obtained consent from their customer (the reporting company) to request the BOI from FinCEN. The third component of the financial institution’s certification to FinCEN is that the institution has fulfilled all other requirements of 31 CFR 1010.955(d)(2).
Stay tuned for Part II of this article, in which I will cover the remaining content addressed in the Small Entity Compliance Guide for Beneficial Ownership Information Access and Safeguards Requirements. In the meantime, if you have any questions about compliance requirements with the Beneficial Ownership Final Rule, do not hesitate to reach out to us!