FinCEN issues final reporting regulations and proposed access regulations to implement the US Corporate Transparency Act
25 January 2023 | Applicable law: US
On September 30, 2022, the US Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN") issued final regulations (the "Final Reporting Regulations") implementing the beneficial ownership information ("BOI") reporting requirements of the Corporate Transparency Act (the "CTA"). The CTA was enacted by Congress in January 2021 as part of the Anti-Money Laundering Act of 2020 and requires certain domestic and foreign entities formed or registered to do business in the US to report BOI to FinCEN. The Final Reporting Regulations go into effect on January 1, 2024 and detail who must file a BOI report, what information must be reported, and when a report is due. FinCEN has stated that the reporting requirements are "intended to help prevent and combat money laundering, terrorist financing, corruption, tax fraud, and other illicit activity, while minimizing the burden on entities doing business in the United States."
In addition to the Final Reporting Regulations, a second set of regulations to implement the CTA has recently been proposed. On December 15, 2022, FinCEN issued a Notice of Proposed Rulemaking regarding access to and disclosure of BOI by authorized recipients under the CTA (the "Proposed Access Regulations"). The Proposed Access Regulations detail the circumstances in which specified recipients would have access to BOI and outline data protection protocols and oversight mechanisms applicable to each category of recipients.
FinCEN is also working to develop a secure, non-public database in which to store BOI. The target date for the system to begin accepting BOI reports is January 1, 2024 – the same day the Final Reporting Regulations take effect.
The Final Reporting Regulations
Which entities are required to report?
The CTA requires any "reporting company" to file a report to FinCEN. A "reporting company" includes any domestic or foreign entity created or registered by the filing of a document or registration with a secretary of state or similar office of any US state or Indian tribe. Under this definition, FinCEN expects corporations, limited liability companies, limited liability partnerships, limited liability limited partnerships, business trusts, and most limited partnerships to be required to submit BOI reports. Most kinds of trusts (except business trusts) are not included within the definition of "reporting company". The Final Reporting Regulations exempt 23 types of entities from the definition of "reporting company", including publicly traded companies, large operating companies (with more than 20 employees and more than $5 million in annual revenue), as well as entities that are already heavily regulated like banks, securities brokers, and accounting firms.
What information must be reported?
Any reporting company created or registered before January 1, 2024 will be required to report information about the reporting company and its beneficial owners. Any reporting company created or registered on or after such date will be required to report information about its "company applicants" (meaning any individuals who file the document that forms the entity or registers the entity to do business in the US), in addition to information about the reporting company and beneficial owners.
Information required to be provided about the reporting company includes: (1) its full legal name, (2) any trade or “doing business as” names, (3) the street address of its principal place of business in the US, (4) the jurisdiction of formation or registration, and (5) the IRS Taxpayer Identification Number ("TIN") or similar identifying number issued by a foreign jurisdiction. Information required to be provided about each beneficial owner (and company applicant, for new reporting companies) includes (1) full legal name, (2) date of birth, (3) current residential address (or business address, in the case of a company applicant), (4) unique identifying number and the issuing jurisdiction from one of a list of enumerated identification documents, and (5) an image of the document from which the unique identifying number was obtained.
Who is a "beneficial owner"?
A "beneficial owner" is defined as any individual who, directly or indirectly, either (1) exercises substantial control over a reporting company, or (2) owns or controls at least twenty-five (25) percent of the ownership interests of a reporting company. The Final Reporting Regulations stipulate that an individual exercises "substantial control" if such individual (1) serves as a senior officer, or exercises the authority or performs the functions of a senior officer, of the reporting company; (2) has authority over the appointment or removal of any senior officer or a majority of the board of directors (or similar body) of the reporting company; (3) directs, determines or has substantial influence over important decisions made by the reporting company; or (4) has "any other form of substantial control" over the reporting company. Certain types of individuals are excepted from the definition of "beneficial owner", including nominees, intermediaries, custodians, and agents of reporting companies. However, the Final Reporting Regulations emphasize that a "trustee of a trust or similar arrangement" can be considered to exercise substantial control over a reporting company.
"Ownership interests" include equity, stock, capital, profits or convertible interests, or options or privileges to acquire such interests, in a reporting company, and can be owned or controlled directly or indirectly, including through joint ownership or through a trust or other similar arrangement. For a trust, an individual may be considered to own or control ownership interests in the reporting company if the individual is (1) a grantor or settlor and such individual has the right to revoke the trust or withdraw the trust assets; (2) a beneficiary, if such individual is the sole permissible recipient of income and principal, or has the right to demand a distribution of or withdraw substantially all of the trust assets; or (3) a trustee or any other individual with authority to dispose of trust assets.
When must a reporting company file a report?
The Final Reporting Regulations require any reporting company created or registered on or after January 1, 2024 to file a report within 30 calendar days of receiving notice of the effectiveness of its creation or registration. This is a more generous deadline than the 14-calendar-day deadline that was included in the proposed form of the reporting regulations. Any reporting company created or registered before January 1, 2024 will have one year (until January 1, 2025) to file a report. If any reporting information related to a reporting company or its beneficial owner(s) changes, such reporting company will be required to file an updated report with FinCEN within 30 calendar days after such change.
In the near future FinCEN plans to publish for public comment the reporting forms that reporting companies will use to comply with their obligations under the BOI reporting rule.
Penalties for willful violations of the reporting requirements
If a reporting company willfully provides false or fraudulent BOI or willfully fails to report complete or updated BOI, the CTA provides for a civil penalty of up to $500 for each day that the violation continues, and criminal penalties including a fine of up to $10,000, up to 2 years imprisonment, or both.
The Proposed Access Regulations
Unlike the Anti-Money Laundering Directive in force in the European Union, which requires EU member states to make beneficial ownership registers fully accessible to members of the general public, the CTA does not require BOI to be made publicly available. (We note that the Court of Justice of the EU recently ruled on November 22, 2022 that such access by the general public constitutes a "serious interference with the fundamental rights to respect for private life and to the protection of personal data".) Instead, the CTA and the Proposed Access Regulations require BOI to be stored in a secure, non-public database that FinCEN is building, and access to such database will be limited to specified types of requesters and only for specified purposes. The Proposed Access Regulations outline who may request and receive BOI, how recipients may access and use the information, how they must secure it, and the penalties for failing to follow applicable requirements.
Who will be permitted to access BOI?
The CTA authorizes FinCEN to disclose BOI to five categories of recipients: (1) Federal, State, local and Tribal government agencies; (2) foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (“foreign requesters”); (3) Financial institutions ("FIs"); (4) regulators of FIs; and (5) the US Department of the Treasury.
How and when may BOI be accessed?
Domestic government agencies
Federal government agencies will only be permitted to access BOI if they are engaged in national security, intelligence, or law enforcement activity and if the requested BOI is for use in furtherance of such activity. State, local, and tribal law enforcement agencies will only be permitted to access BOI if “a court of competent jurisdiction” has authorized the law enforcement agency to seek the information in a criminal or civil investigation. Authorized users of Federal, State, local, and tribal government agencies would have the broadest and most direct access to the BOI database. It is proposed that they would be permitted to log in to the BOI database, run queries using multiple search fields, and review one or more results returned immediately. Such authorized users would have to submit justifications to FinCEN for their searches, and these justifications would be subject to oversight and audit by FinCEN.
Unlike domestic government agencies, foreign requesters would not be able to access the BOI database directly. They would instead submit their requests for BOI to Federal intermediary agencies. If the foreign request meets certain applicable criteria, then the Federal agency intermediary will retrieve the BOI from the database and transmit it to the foreign requester. Requests for BOI from foreign requesters would have to be made either (1) under an international treaty, agreement, or convention or (2) via a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country.
FIs will have direct access to the BOI database, but only for the purposes of complying with customer due diligence ("CDD") requirements, and only if the FI requesting the BOI has the relevant reporting company's consent for such disclosure. FinCEN is not planning to permit FIs to run broad or open-ended queries or to receive multiple search results. Rather, FinCEN anticipates that an FI, with a reporting company's consent, would submit to the system identifying information specific to that reporting company, and receive in return an electronic transcript with only that entity's BOI.
Regulators of FIs will also have direct access to the BOI database, but they will generally only be able to access the BOI that FIs they supervise have received from FinCEN, and only for the purpose of ascertaining such FIs' CDD compliance under applicable law.
US Department of the Treasury
Employees and officers of the US Department of the Treasury whose official duties require BOI inspection or disclosure would have access to BOI. Examples of duties requiring access to the BOI database by Treasury employees and officers include tax administration, enforcement actions, intelligence and analytical purposes, and administration of the BOI framework, such as for audits, enforcement, and oversight.
Access control protocol requirements
FinCEN has stated that protecting BOI from unauthorized disclosure is one of its top priorities, and FinCEN will require BOI recipients to have protocols in place for storing BOI in a secure system that can only be accessed by authorized personnel and only for authorized purposes. The CTA makes it unlawful for any person to knowingly disclose or knowingly use BOI obtained by the person through unauthorized use. The Proposed Access Regulations expand upon this prohibition by defining “unauthorized use” as any unauthorized access of BOI, including knowingly violating any applicable security and access protocols.
Penalties for unauthorized use or disclosure of BOI
The penalty provisions included in the Proposed Access Regulations align with the CTA, which provides both civil and criminal penalties for unauthorized use or unauthorized disclosure of BOI. Civil penalties may be imposed in the amount of $500 for each day a violation continues. Criminal penalties include a fine of up to $250,000 or imprisonment of up to 5 years, or both. The CTA also provides for enhanced criminal penalties, including a fine of up to $500,000, up to 10 years imprisonment, or both, if a person commits a violation "while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period."