Recently, in February, the Financial Crimes Enforcement Network (FinCEN) published the “Compliance Guide for Small Entities Regarding Protection and Access Requirements for Beneficial Ownership Information.” The guidance for small entities was published to provide an overview of the Safeguards and Access to Beneficial Ownership Information Rule, also known as the Access Rule. Initially, in September 2023, FinCEN published other small entity compliance guidance related to the new beneficial ownership reporting requirements, which was updated in December 2023. The most recently published small entity guidance is primarily for financial institutions. on how to obtain beneficial ownership information (BOI). from FinCEN. However, the first guidance for small entities published in September appeared to be aimed at reporting companies and not financial institutions. In this article, I am going to save you some time by summarizing what is covered in the “Small Entity Compliance Guide to Safeguards and Access to Beneficial Ownership Information Requirements.”
In summary, the Access Rule was issued on December 22, 2023 and was established to implement the requirements of the Corporate Transparency Act (CTA). Generally, the Access Rule authorizes certain persons the ability to obtain access to beneficial ownership information. The Access Rule also addresses the importance of confidentiality related to BOI reporting to FinCEN. The Small Entity Compliance Guidance for Beneficial Ownership Information Protection and Access Requirements applies to financial institutions, even if they do not have access to the BOI reported to FinCEN at this time. I encourage financial institutions to use this 6-page Guide to determine how BOI information reported to FinCEN can be obtained in connection with compliance with Customer Due Diligence (CDD) requirements.
The Guide is divided into the following four sections: Use of BOI, Security and Confidentiality Requirements, Request Management, and Violations. I will cover what is covered in Sections 1 and 2 of this article and look out for my summary of Sections 3 and 4 in a future article.
Section 1 of the Guide discusses the use of BOIs. Under current customer due diligence (CDD) requirements, financial institutions must identify and verify the beneficial owners of any legal entity customer who opens a new account with their institution. In certain circumstances related to compliance with their BSA/AML requirements, institutions may use the BOI reported to FinCEN. However, institutions cannot use BOI for their general business activities, such as credit underwriting or customer development. Generally, the financial institution must have an authorized use for the BOI obtained through FinCEN.
Section 1.2 addresses limits on new BOI disclosure by financial institutions. Due to the confidentiality and privacy of information reported to FinCEN, an employee, director or agent of a financial institution cannot disclose BOI obtained from FinCEN. However, there are three exceptions when a financial institution is permitted to disclose BOI received from FinCEN. First, the BOI may be redisclosed to another director, officer, employee, contractor or agent of the same institution as long as the information is kept confidential and secure. Not all employees should have access to BOI obtained from FinCEN. Second, the institution can share the BOI obtained from FinCEN with its federal regulator if it has the authority to do so. Additionally, the federal regulator can only access the information for the purpose of determining the institution's compliance with customer due diligence requirements and having a written agreement with FinCEN that addresses the custody of the information. The third exception to when BOI may be redisclosed is when authorized by FinCEN through prior written authorization or through guidance issued by FinCEN.
Moving on to Section 2 of the Guide, it addresses security and confidentiality requirements. A financial institution applying to obtain BOI from FinCEN must establish administrative, technical, and physical safeguards. Safeguards must be designed to protect the integrity, confidentiality and security of BOI. The Guidance provides five subsections within Section 2 to provide financial institutions with additional details on specific security and confidentiality requirements.
The first subsection of Section 2 addresses the geographic restrictions placed by FinCEN on BOIs received from FinCEN related to persons who the U.S. Department of State has determined to sponsor terrorism, are subject to financial and economic sanctions under US law or have been determined by the Secretary of the Treasury will jeopardize the security and confidentiality requirements of the BOI or the national security of the United States. This also applies to persons physically located in the People's Republic of China and the Russian Federation.
Also addressed in the Small Entity Compliance Guidance in Section 2.2 are reporting procedures when receiving BOIs from FinCEN. To ensure the confidentiality and privacy of beneficial ownership information (BOI) received from FinCEN, it must be established and comply with the requirements of the Gramm-Leach Bliley Act. For financial institutions subject to the provisions of the Gramm-Leach Bliley Act, procedures may need to be modified to address the requirements of the Access Rule. For institutions that are not subject to the requirements of the Gramm-Leach Bliley Act, procedures must be implemented to ensure that BOI received from FinCEN is protected according to Gramm-Leach Bliley Act standards. In the event that a financial institution receives a foreign government subpoena or BOI legal demand request, the financial institution must notify FinCEN within three business days of receiving the request.
The third subsection addresses the requirements for obtaining consent. Although financial institutions must have procedures in place to ensure that information remains protected and confidential, before they can obtain a customer's information from FinCEN, they must obtain the customer's consent. It is not necessary to obtain written consent; however, it must be documented. Additionally, the client must have the ability to revoke their consent. Once consent is granted, unless revoked, the financial institution may obtain the reporting company's BOI from FinCEN. The institution may rely on the consent to obtain the client's BOI on future occasions, unless the consent is revoked.
Finally, Section 2 of the Guidance addresses the requirement that financial institutions certify to FinCEN within the beneficial ownership information technology (BO IT) system that they are requesting the BOI to comply with CDD requirements under the applicable law. Additionally, they must certify that they have documented and obtained the consent of their client (the reporting company) to request the BOI from FinCEN. The third component of the financial institution's certification to FinCEN is that the institution has complied with all other requirements of 31 CFR 1010.955(d)(2).
Stay tuned for Part II of this article, where I will cover the remaining content addressed in the Small Entity Compliance Guide for Safeguards and Access to Beneficial Ownership Information Requirements. In the meantime, if you have any questions about the compliance requirements of the Beneficial Ownership Final Rule, please feel free to contact us!
