On December 16, FinCEN issued a notice of proposed rulemaking (NPRM) entitled “Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities.” The NPRM is intended to implement the Corporate Transparency Act (CTA) and, in particular, to govern which entities may access corporate beneficial ownership information (BOI) that certain entities will soon be required to report to FinCEN under the CTA. Steptoe previously summarized FinCEN’s final rule on BOI reporting here. The NPRM has important implications for regulated financial institutions in the blockchain industry and would exclude many blockchain companies from accessing BOI.

What Happened

The new NPRM outlines the specific situations in which FinCEN will share BOI with third parties. The majority of these situations relate to requests by other governmental entities, including: (1) US federal, state, local, and tribal government agencies requesting BOI in furtherance of national security, intelligence, or law enforcement activity; (2) certain foreign governmental entities, including law enforcement agencies, judges, and prosecutors, among others; (3) federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence (CDD) requirements; and (4) the Department of the Treasury itself.

Certain private entities will also be able to access BOI in specific circumstances. More specifically, under proposed Section 1010.955(b)(4), “financial institution[s] subject to customer due diligence requirements under applicable law” may request BOI information to be used in facilitating compliance with FinCEN’s CDD rule. The CDD rule requires certain financial institutions to collect and retain information regarding the ownership and control of legal entity customers.

Under the CTA, FinCEN may disclose BOI to a financial institution only if “each reporting company that reported such information consents to such disclosure.”  Under the proposed rule, the relevant financial institution is responsible for obtaining and documenting the consent of the reporting company and must certify to FinCEN that it is a financial institution seeking to comply with the CDD rule and has obtained the required consent.

Finally, the NPRM requires financial institutions receiving BOI to take a number of measures to ensure the provided information is maintained in a secure manner, only used for authorized purposes, and only disclosed to authorized persons. Individuals working at financial institutions that receive BOI are permitted to share BOI with other individuals in the same financial institution so long as such persons are “within the United States.”  The inability of financial institutions to share BOI with non-US affiliates, or with other non-US persons who support customer due diligence functions, has potentially significant operational ramifications for international financial institutions.  

What it Means

Unlike some other jurisdictions, which make some BOI public (e.g., Companies House in the UK), the FinCEN BOI database will be confidential and accessible only by the above categories of actors. This means it will not be available to some financial institutions or to non-financial institutions seeking to conduct due diligence on their customers or suppliers. Nor will it be available to due diligence firms or software providers offering commercial screening tools.

It is notable that the NPRM treats financial institutions with CDD rule compliance requirements differently from those without, by only allowing financial institutions covered by the CDD rule to have access to the BOI in FinCEN’s database. Financial institutions subject to the CDD rule include banks, trust companies, credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities. (Historically certain state-chartered trust companies were not subject to the CDD rule, but this changed in September 2020.)  However, a number of other types of financial institutions, including money services businesses (MSBs) and dealers in precious metals, precious stones, and jewels, are not subject to the CDD rule. This means that, under the proposed rule, these types of financial institutions would not be able to access the FinCEN-reported BOI information for compliance purposes.

Many blockchain platforms, such as exchanges, hosted wallet providers, and dealers, are regulated as MSBs, meaning they would be excluded from BOI access. However, a small number of blockchain entities are regulated as trust companies or other entities covered by the CDD rule.

The CTA authorizes FinCEN to disclose BOI to financial institutions seeking to comply with “customer due diligence requirements under applicable law.”  The NPRM acknowledges that the CTA leaves the phrase “customer due diligence requirements” undefined and, as such, FinCEN chose to define that term narrowly to mean FinCEN’s CDD rule contained at 31 CFR § 1010.230. It explains that FinCEN considered taking a broader approach, but ultimately determined “a more tailored approach will be easier to administer, reduce uncertainty about what FIs may access BOI under this provision, and better protect the security and confidentiality of sensitive BOI by limiting the circumstances under which FIs may access BOI.”  Nonetheless, the NPRM specifically solicits comments on “whether a broader reading of the phrase ‘customer due diligence requirements’ is warranted under the framework of the CTA, and, if so, how customer due diligence requirements should be defined in order to provide regulatory clarity, protect the security and confidentiality of BOI, and minimize the risk of abuse.”

Exclusion from access to BOI for financial institutions not subject to the CDD rule has a number of implications. On one hand, such institutions will not be able to access a potentially useful and important tool in conducting know your customer (KYC) reviews and related compliance measures, potentially placing them at a disadvantage as compared to other financial institutions. On the other hand, not having access to BOI will eliminate any extra compliance burdens that may be generated by obtaining customer consent and submitting requests for BOI to FinCEN. It will also prevent scenarios in which a financial institution’s decision not to seek BOI is later questioned by a regulator.

The Path Ahead

FinCEN welcomes comments on the NPRM through February 14, 2023. The NPRM lists a number of specific questions on topics including the clarity of the rule, the disclosure limitations, limitations on the use of BOI by recipients, and the security and confidentiality requirements, among other topics. Steptoe’s Anti-Money Laundering Practice is available to assist entities in preparing comments on the NPRM.