Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, 77404-77457 [2022-27031]
Federal Register / Vol. 87, No. 241 / Friday, December 16, 2022 / Proposed Rules
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Part 1010
RIN 1506–AB59
RIN 1506–AB49
Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities
AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.
ACTION: Notice of proposed rulemaking (NPRM).
SUMMARY: FinCEN is promulgating
proposed regulations regarding access
by authorized recipients to beneficial
ownership information (BOI) that will
be reported to FinCEN pursuant to
Section 6403 of the Corporate
Transparency Act (CTA), enacted into
law as part of the Anti-Money
Laundering Act of 2020 (AML Act),
which is itself part of the National
Defense Authorization Act for Fiscal
Year 2021 (NDAA). The proposed
regulations would implement the strict
protocols on security and
confidentiality required by the CTA to
protect sensitive personally identifiable
information (PII) reported to FinCEN.
The NPRM explains the circumstances
in which specified recipients would
have access to BOI and outlines data
protection protocols and oversight
mechanisms applicable to each
recipient category. The disclosure of
BOI to authorized recipients in
accordance with appropriate protocols
and oversight will help law enforcement
and national security agencies prevent
and combat money laundering, terrorist
financing, tax fraud, and other illicit
activity, as well as protect national
security. FinCEN is also proposing
regulations to specify when and how
reporting companies can use FinCEN
identifiers to report the BOI of entities.
DATES: Written comments on this
proposed rule may be submitted on or
before February 14, 2023.
ADDRESSES: Comments may be
submitted by any of the following
methods:
• Federal E-rulemaking Portal:
https://www.regulations.gov. Follow the
instructions for submitting comments.
Refer to Docket Number FINCEN–2021–
0005 and RIN 1506–AB49/AB59.
• Mail: Policy Division, Financial
Crimes Enforcement Network, P.O. Box
39, Vienna, VA 22183. Refer to Docket
Number FINCEN–2021–0005 and RIN
1506–AB49/AB59.
FOR FURTHER INFORMATION CONTACT: The
FinCEN Regulatory Support Section at
1–800–767–2825 or electronically at
frc@fincen.gov.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
These proposed regulations would
implement the provisions in the CTA,
codified at 31 U.S.C. 5336(c),1 that
authorize certain recipients to receive
disclosures of identifying information
associated with reporting companies,
their beneficial owners, and their
company applicants (together, BOI). The
CTA requires reporting companies to
report BOI to FinCEN pursuant to 31
U.S.C. 5336(b). This NPRM reflects
FinCEN’s careful consideration of
public comments, including those
received in response to an advance
notice of proposed rulemaking
(ANPRM) 2 on the implementation of
the CTA, and in response to an NPRM
regarding BOI reporting requirements
(Reporting NPRM).3 This NPRM also
reflects FinCEN’s understanding of the
critical need for the highest standard of
security and confidentiality protocols to
maintain confidence in the U.S.
government’s ability to protect sensitive
information while achieving the
objective of the CTA—establishing a
database of beneficial ownership
information (BOI) that will be highly
useful in combatting illicit finance and
the abuse of shell and front companies
by criminals, corrupt officials, and other
bad actors.
The proposed regulations aim to
ensure that: (1) only authorized
recipients have access to BOI; (2)
authorized recipients use that access
only for purposes permitted by the CTA;
and (3) authorized recipients only redisclose BOI in ways that balance
protection of the security and
confidentiality of the BOI with
furtherance of the CTA’s objective of
making BOI available to a range of users
for purposes specified in the CTA. The
proposed regulations also provide a
robust framework to ensure that BOI
reported to FinCEN, and received by
authorized recipients, is subject to strict
cyber security controls, confidentiality
protections and restrictions, and robust
audit and oversight measures.

1 The CTA is Title LXIV of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116–283 (Jan. 1, 2021) (the NDAA). Division F of the NDAA is the Anti-Money Laundering Act of 2020 (AML Act), which includes the CTA. Section 6403 of the CTA, among other things, amends the Bank Secrecy Act (BSA) by adding a new Section 5336, Beneficial Ownership Information Reporting Requirements, to Subchapter II of Chapter 53 of Title 31, United States Code.
2 86 FR 17557 (Apr. 5, 2021).
3 86 FR 69920 (Dec. 8, 2021).

Coincident with the protocols described
in this NPRM, FinCEN is working to
develop a secure, non-public database
in which to store BOI, using rigorous
information security methods and
controls typically used in the Federal
government to protect non-classified yet
sensitive information systems at the
highest security level. Against this
backdrop and consistent with the CTA,
FinCEN will permit Federal, State, local,
and Tribal officials, as well as certain
foreign officials acting through a Federal
agency, to obtain BOI for use in
furtherance of statutorily authorized
activities such as those related to
national security, intelligence, and law
enforcement. Financial institutions (FIs)
with customer due diligence (CDD)
requirements under applicable law will
have access to BOI to facilitate CDD
compliance. Their regulators will
likewise have access to BOI to make
assessments of CDD compliance.
Additionally, FinCEN is proposing
certain amendments to the BOI
reporting regulations regarding the use
of FinCEN identifiers.4 The proposed
amendments would specify how
reporting companies would be able to
use an entity’s FinCEN identifier to
fulfill their BOI reporting obligations
under 31 CFR 1010.380.
II. Background
A. Access to Beneficial Ownership
Information
As Congress explained in the CTA,
‘‘malign actors seek to conceal their
ownership of corporations, limited
liability companies, or other similar
entities in the United States to facilitate
illicit activity, including money
laundering, the financing of terrorism,
proliferation financing, serious tax
fraud, human and drug trafficking,
counterfeiting, piracy, securities fraud,
financial fraud, and acts of foreign
corruption, harming the national
security interests of the United States
and allies of the United States.’’ 5 Access
by authorized recipients to BOI reported
under the CTA would significantly aid
efforts to protect U.S. national security
and safeguard the U.S. financial system
from such illicit use. It would impede
illicit actors’ ability to use legal entities
to conceal proceeds from criminal acts
that undermine U.S. national security
and foreign policy interests, such as
corruption, human smuggling, drug and
arms trafficking, and terrorist financing.

4 Id., as defined in 31 CFR 1010.380(f)(2), a FinCEN identifier is a unique identifying number assigned by FinCEN to an individual or reporting company under 31 CFR 1010.380.
5 CTA, Section 6402(3).

BOI can also add critical data to
financial analyses in activities the CTA
contemplates, including tax
investigations. It can also provide
essential information to the intelligence
and national security professionals who
work to prevent terrorists, proliferators,
and those who seek to undermine our
democratic institutions or threaten other
core U.S. interests from raising, hiding,
or moving money in the United States
through anonymous shell or front
companies.6
The United States currently does not
have a centralized or complete store of
information about who owns and
operates legal entities within the United
States. The beneficial ownership data
available to law enforcement and
national security agencies are generally
limited to the information collected by
financial institutions on legal entity
accounts pursuant to their CDD or
broader Customer Identification
Program (CIP) obligations, some of
which has been included in Suspicious
Activity Reports (SARs) or provided to
law enforcement in response to judicial
process.7 As set out in detail in the
Reporting NPRM 8 and the BOI reporting
final rule,9 U.S. law enforcement
officials and the Financial Action Task
Force (FATF),10 among others, have for
years noted how the lack of timely
access to accurate and adequate BOI by
law enforcement and other authorized
recipients remained a significant gap in
the United States’ anti-money-laundering-/countering-the-financing-of-terrorism (AML/CFT) and countering
the financing of proliferation (CFP)
framework.

6 A front company generates legitimate business proceeds to commingle with illicit earnings. See U.S. Department of the Treasury, National Money Laundering Risk Assessment (2018), p. 29, available at https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf.
7 31 CFR 1010.230. Even then, any BOI a financial institution collects is not systematically reported to any central repository.
8 Supra note 3.
9 87 FR 59498 (Sept. 30, 2022).
10 The FATF, of which the United States is a founding member, is an international, intergovernmental task force whose purpose is the development and promotion of international standards and the effective implementation of legal, regulatory, and operational measures to combat money laundering, terrorist financing, the financing of weapons proliferation, and other related threats to the integrity of the international financial system. The FATF assesses over 200 jurisdictions against its minimum standards for beneficial ownership transparency. Among other things, it has established standards on transparency and beneficial ownership of legal persons, to deter and prevent the misuse of corporate vehicles. See FATF Recommendation 24, Transparency and Beneficial Ownership of Legal Persons, The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation (updated Oct. 2020), available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatfrecommendations.html; FATF Guidance, Transparency and Beneficial Ownership, Part III (Oct. 2014), available at https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf.

Broadly, and critically, BOI
can identify linkages between potential
illicit actors and opaque business
entities, including shell companies.
Furthermore, comparing BOI reported
pursuant to the CTA against data
collected under the Bank Secrecy Act
(BSA) and other relevant government
data is expected to significantly further
efforts to identify illicit actors and
combat their financial activities.
As law enforcement and other U.S.
government officials have noted,
investigations into, and prosecutions of,
money laundering, corruption, and
other illicit financial activities are often
prolonged or stymied by those officials’
inability to rapidly access BOI in a
centralized database. Kenneth A.
Blanco, then-Director of FinCEN and a
former State and Federal prosecutor,
observed in 2019 testimony to the U.S.
Senate Committee on Banking, Housing
and Urban Affairs that based on his
experience as a former State and Federal
prosecutor, identifying the ultimate
beneficial owner of a shell or front
company in the United States ‘‘often
requires human source information,
grand jury subpoenas, surveillance
operations, witness interviews, search
warrants, and foreign legal assistance
requests to get behind the outward
facing structure of these shell
companies. This takes an enormous
amount of time—time that could be
used to further other important and
necessary aspects of an investigation—
and wastes resources, or prevents
investigators from getting to other
equally important investigations.’’ 11
The FBI’s Steven M. D’Antuono
elaborated on these difficulties,
testifying before the Senate Banking
Housing and Urban Affairs Committee
in 2019 that ‘‘[t]he process for the
production of records can be lengthy,
anywhere from a few weeks to many
years, and . . . can be extended
drastically when it is necessary to
obtain information from other countries
. . . . [I]f an investigator obtains the
ownership records, either from a
domestic or foreign entity, the
investigator may discover that the
owner of the identified corporate entity
is an additional corporate entity,
necessitating the same process for the
newly discovered corporate entity.

11 FinCEN, Testimony for the Record, Kenneth A. Blanco, Director, U.S. Senate Committee on Banking, Housing and Urban Affairs (May 21, 2019), available at https://www.banking.senate.gov/imo/media/doc/Blanco%20Testimony%205-21-19.pdf.

Many professional launderers and
others involved in illicit finance
intentionally layer ownership and
financial transactions in order to reduce
transparency of transactions. As it
stands, it is a facially effective way to
delay an investigation.’’ 12 D’Antuono
acknowledged that these challenges may
be even starker for State, local, and
Tribal law enforcement agencies that
may not have the same resources as
their Federal counterparts to undertake
long and costly investigations to
identify the beneficial owners of these
entities.13 During the testimony, he
noted that requiring the disclosure of
BOI by legal entities and the creation of
a central BOI repository available to law
enforcement and regulators could
address these challenges.14
The process of obtaining BOI through
grand jury subpoenas and other means
can be time-consuming and of limited
utility in some cases. Grand jury
subpoenas, for example, require an
underlying grand jury investigation into
a possible violation of law. In addition,
the law enforcement officer or
investigator must work with a
prosecutor’s office, such as a U.S.
Attorney’s Office, to open a grand jury
investigation, obtain the grand jury
subpoena, and issue it on behalf of the
grand jury. The investigator also needs
to determine the proper recipient of the
subpoena and coordinate service, which
raises additional complications in cases
where there is excessive layering of
corporate structures to hide the identity
of the ultimate beneficial owners. In
some cases, however, BOI still may not
be attainable via grand jury subpoena
because it is not recorded. For example,
because most states do not require the
disclosure of BOI when forming or
registering an entity, BOI cannot be
obtained from the secretary of state or
similar office. Furthermore, many states
permit corporations to acquire property
without disclosing BOI, and therefore
BOI cannot be obtained from property
records.
FinCEN’s existing regulatory tools
also have significant limitations. The
2016 CDD Rule,15 for example, requires
that certain types of U.S. financial
institutions identify and verify the
beneficial owners of legal entity
customers at the time those financial
institutions open a new account for a
legal entity customer,16 but the rule
provides only a partial solution.17

12 Federal Bureau of Investigation (FBI), Testimony of Steven M. D’Antuono, Section Chief, Criminal Investigative Division, ‘‘Combatting Illicit Financing by Anonymous Shell Companies’’ (May 21, 2019), available at https://www.fbi.gov/news/testimony/combating-illicit-financing-by-anonymous-shell-companies.
13 Id.
14 Id.
15 81 FR 29397 (May 11, 2016).

The
information provided to U.S. financial
institutions about beneficial owners of
certain U.S. entities is generally not
comprehensive and not reported to the
U.S. government (nor to State, local, or
Tribal governments), except when filed
in SARs or in response to judicial
process. It is therefore not immediately
available to law enforcement,
intelligence, and national security
agencies. Moreover, the CDD rule
applies only to legal entities that open
accounts at certain U.S. financial
institutions. Other FinCEN authorities—
geographic targeting orders 18 and the
so-called ‘‘311 measures’’ (i.e., special
measures imposed on jurisdictions,
financial institutions, or international
transactions of primary money
laundering concern) 19—offer temporary
and targeted tools. Neither provides law
enforcement the ability to reliably,
efficiently, and consistently follow
investigatory leads.
The utility and value of BOI reported
to FinCEN, therefore, rests in large part
on the bureau’s ability to provide
authorized recipients predictable and
efficient access to reported BOI while
protecting the confidentiality and
integrity of the information. As Congress
noted, ‘‘[f]ederal legislation providing
for the collection of beneficial
ownership information for corporations,
limited liability companies, or other
similar entities formed under the laws
of the States is needed’’ to protect vital
U.S. ‘‘national security interests . . .
[and] better enable critical national
security, intelligence, and law
enforcement efforts to counter money
laundering, the financing of terrorism,
and other illicit activity.’’ 20

16 The CDD Rule NPRM contained a requirement that covered financial institutions conduct ongoing monitoring to maintain and update customer information on a risk basis, specifying that customer information includes the beneficial owners of legal entity customers. As noted in the supplementary material to the final rule, FinCEN did not construe this obligation as imposing a categorical, retroactive requirement to identify and verify BOI for existing legal entity customers. Rather, these provisions reflect the conclusion that a financial institution should obtain BOI from existing legal entity customers when, in the course of its normal monitoring, the financial institution detects information relevant to assessing or reevaluating the risk of such customer. Final Rule, Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398, 29404 (May 11, 2016).
17 See U.S. Money Laundering Threat Assessment Working Group, U.S. Money Laundering Threat Assessment (2005), pp. 48–49, available at https://www.treasury.gov/resource-center/terrorist-illicit-finance/documents/mlta.pdf. See also Congressional Research Service, Miller, Rena S. and Rosen, Liana W., Beneficial Ownership Transparency in Corporate Formation, Shell Companies, Real Estate, and Financial Transactions (Jul. 8, 2019), available at https://crsreports.congress.gov/product/pdf/R/R45798.
18 31 U.S.C. 5326(a); 31 CFR 1010.370.
19 31 U.S.C. 5318A, as added by section 311 of the USA PATRIOT Act (Pub. L. 107–56).

Furthermore, providing authorized
recipients in FIs access to BOI reported
to FinCEN, as the CTA requires, will
assist FIs in complying with AML/CFT
and CDD requirements.
B. The Corporate Transparency Act
The CTA is part of the AML Act,
which is itself a part of the 2021 NDAA.
The CTA added a new section, 31 U.S.C.
5336, to the BSA to address the broader
objectives of enhancing beneficial
ownership transparency while
minimizing the burden on the regulated
community. In brief, 31 U.S.C. 5336
requires certain types of domestic and
foreign entities, called ‘‘reporting
companies,’’ to submit specified BOI to
FinCEN. FinCEN is authorized to share
this BOI with certain Government
agencies, financial institutions, and
regulators, subject to appropriate
protocols.21 The requirement for
reporting companies to submit BOI
takes effect ‘‘on the effective date of the
regulations prescribed by the Secretary
of the Treasury under [31 U.S.C.
5336].’’ 22 Reporting companies formed
or registered after the effective date will
need to submit the requisite BOI to
FinCEN at the time of formation, while
preexisting reporting companies will
have a specified period to comply and
report.23
The CTA reporting requirements
generally exempt entities that are
otherwise subject to significant
regulatory regimes—e.g., banks—where
Congress presumably expected primary
regulators to have visibility into the
identities of the owners and ownership
structures of the entities. The
exemptions thus avoid imposing
duplicative requirements in these cases.
The provision at 31 U.S.C. 5336
requires reporting companies to submit
to FinCEN, for each beneficial owner
and company applicant, either the
individual’s full legal name, date of
birth, current residential or business
street address, and a unique identifying
number from an acceptable
identification document (e.g., a
nonexpired passport)—four readily
accessible pieces of information that
should not be unduly burdensome for
individuals to produce, or for reporting
companies to collect and submit to
FinCEN—or a FinCEN identifier.24

20 CTA, Section 6402(5)(B),(D).
21 See generally 31 U.S.C. 5336(b), (c).
22 31 U.S.C. 5336(b)(5).
23 See 31 U.S.C. 5336(b)(1)(B), (C).
24 See 31 U.S.C. 5336(b)(2).

A FinCEN identifier is a unique
identifying number that FinCEN will
issue to individuals or entities upon
request.25 In certain instances, the
FinCEN identifier may be reported in
lieu of an individual’s name, birth date,
address, and unique identification
number.26 As noted in Section II.E.
below, FinCEN addressed the regulatory
requirements related to BOI reporting
pursuant to the CTA through the recent
issuance of a final BOI reporting rule.27
Given the sensitivity of the reportable
BOI, the CTA imposes strict
confidentiality and security restrictions
on the storage, access, and use of BOI.
Congress authorized FinCEN to disclose
BOI to a statutorily defined group of
governmental authorities and financial
institutions, in limited circumstances.
The CTA establishes that BOI is
‘‘sensitive information,’’ 28 and provides
that the Secretary of the Treasury
(Secretary) shall ‘‘maintain [it] in a
secure, nonpublic database, using
information security methods and
techniques that are appropriate to
protect nonclassified information
systems at the highest security level.’’ 29
The statute further provides that BOI is
only to be used by specified parties for
specified purposes.30 Access to and
disclosure of BOI is the focus of this
NPRM.
In addition to setting out
requirements and restrictions related to
BOI reporting and access, the CTA
requires that FinCEN revise the current
CDD Rule within one year of January 1,
2024, the effective date of the final BOI
reporting rule, by rescinding paragraphs
(b) through (j) of 31 CFR 1010.230.31
The CTA identifies three purposes for
this revision: (1) to bring the rule into
conformity with the AML Act as a
whole, including the CTA; (2) to
account for financial institutions’ access
to BOI reported to FinCEN ‘‘in order to
confirm the beneficial ownership
information provided directly to the
financial institutions’’ for AML/CFT and
customer due diligence purposes; and
(3) to reduce unnecessary or duplicative
burdens on financial institutions and
legal entity customers.32

25 See 31 U.S.C. 5336(b)(3)(A)(i).
26 See 31 U.S.C. 5336(b)(3)(B).
27 Supra note 7.
28 CTA, Section 6402(6).
29 CTA, Section 6402(7)(A). While the statutory language seems to include a typo that refers to another provision, it also seems clear that the object of protection in this case is BOI.
30 CTA, Section 6402(6).
31 CTA, Section 6403(d)(1), (2). The CTA orders the rescission of paragraphs (b) through (j) directly (‘‘the Secretary of the Treasury shall rescind paragraphs (b) through (j)’’) and orders the retention of paragraph (a) by a negative rule of construction (‘‘nothing in this section may be construed to authorize the Secretary of the Treasury to repeal ... [31 CFR] 1010.230(a)[.]’’).

FinCEN intends to satisfy the
requirements related to the revision of
the CDD Rule through a future
rulemaking process that will provide the
public with an opportunity to comment
on the proposal. FinCEN anticipates that
this rulemaking to revise the CDD Rule
will touch on the issue of the interplay
between financial institutions’ CDD
efforts and the beneficial ownership IT
system that FinCEN is developing to
receive, store, and maintain BOI.
C. The Advance Notice of Proposed
Rulemaking
On April 5, 2021, FinCEN published
the ANPRM related to implementing the
CTA.33 The ANPRM sought input on
five open-ended categories of questions,
including on clarifying key definitions
and on FinCEN’s implementation of the
related provisions of the CTA that
govern the bureau’s maintenance and
disclosure of BOI subject to appropriate
access protocols.
In response to the ANPRM, FinCEN
received 220 comments from parties
that included businesses, civil society
organizations, trade associations, law
firms, secretaries of state and other State
officials, Indian Tribes, members of
Congress, and private citizens. Some
comments focused on issues that pertain
to this access rulemaking, such as the
structure of the BOI database, certain
users’ need for access, the importance of
ensuring the security of the database,
specific technological decisions that
FinCEN could make, and the
desirability of a FinCEN commitment to
verifying the information in the
database.
FinCEN has considered all of the
comments that it received in response to
the ANPRM in drafting this proposed
rule.
D. The Reporting Notice of Proposed
Rulemaking
FinCEN followed the ANPRM with
the December 8, 2021, publication of the
Reporting NPRM, the first of the three
CTA-related rulemakings.34 In the
Reporting NPRM, FinCEN described in
detail Treasury’s efforts to address the
lack of transparency in certain legal
entity ownership, the value of BOI, the
national security and law enforcement
implications of legal entities with
anonymous beneficial owners, and the
need for centralized BOI collection.35
The Reporting NPRM acknowledged the
current environment in which criminals
and other bad actors can exploit the
creation and use of legal entities in the
United States.

32 CTA, Section 6403(d)(1)(A)–(C).
33 Supra note 2.
34 86 FR 69920 (Dec. 8, 2021).
35 Id. at 69921–69928.

The Reporting NPRM proposed
regulations specifying what BOI must be
reported to FinCEN pursuant to CTA
requirements, by whom, and when. In
particular, it proposed that domestic
and foreign reporting companies report
to FinCEN four pieces of BOI for each
of their beneficial owners and company
applicants: full legal name, birthdate,
current residential or business street
address, and a unique identifying
number from an acceptable
identification document (e.g., a
nonexpired passport or driver’s license).
In the alternative, the proposed rule
would permit a reporting company to
report a FinCEN identifier for an
individual or entity in certain
circumstances.36 These regulations also
proposed processes for obtaining,
updating, and using FinCEN identifiers.
The Reporting NPRM included a 60-day
comment period, which closed on
February 7, 2022, and FinCEN received
over 240 comments on the NPRM.
E. The Final Reporting Rule
On September 30, 2022, FinCEN
published a final rule implementing the
CTA’s BOI reporting requirements and
addressing the comments submitted on
the NPRM. The final regulations require
certain legal entities to file with FinCEN
reports that identify the beneficial
owners of the entity, and individuals
who filed (or who are primarily
responsible for directing or controlling
the filing of) an application with
specified governmental authorities to
create the entity or register it to do
business. Further, the regulations
describe who must file a report, what
information must be provided, and
when a report is due. These reporting
requirements are intended to help
prevent and combat money laundering,
terrorist financing, corruption, tax fraud,
and other illicit activity, while
minimizing the burden on reporting
companies.
In addition, as the final BOI reporting
rule noted, providing authorized users
in the law enforcement, national
security, and regulatory communities,
and in FIs, access to the reported BOI
will diminish the ability of illicit actors
to obfuscate their activities through the
use of anonymous shell and front
companies. FinCEN also recognized in
the final BOI reporting rule the vital
importance of protecting the reported
BOI and ensuring, through the issuance
of regulations governing access to the
reported BOI, that the BOI is subject to
stringent use and security protocols.

36 See 31 U.S.C. 5336(b).

The BOI final reporting regulations
become effective on January 1, 2024.
Furthermore, the final BOI reporting
rule reserved certain provisions
concerning the use of FinCEN
identifiers for entities for further
consideration. This Access NPRM
includes proposed amendments to the
reporting regulations that would finalize
these remaining provisions.
F. Beneficial Ownership Information
Infrastructure
i. Beneficial Ownership Information IT
System Development
The CTA directs the Secretary to
maintain BOI ‘‘in a secure, nonpublic
database, using information security
methods and techniques that are
appropriate to protect non-classified
information security systems at the
highest security level . . . .’’ 37 To
implement this requirement, FinCEN
has been developing a secure
information technology (IT) system to
receive, store, and maintain BOI.
FinCEN has gathered requirements and
completed initial system engineering,
architectures, and program planning
activities. The initial build of the cloud
infrastructure is complete and the
development of the first set of system
products is in progress. The target date
for the system to begin accepting BOI
reports is January 1, 2024, the same day
the reporting rule takes effect.
FinCEN is taking a very deliberative
approach to designing and building the
system, factoring in the requirements set
out in the CTA as well as guidance from
Congress. As Senator Sherrod Brown,
the then-Ranking Member of the Senate
Committee on Banking, Housing, and
Urban Affairs and one of the primary
authors of the CTA, noted in his
December 9, 2020, floor statement
accompanying the CTA, ‘‘[i]n designing
the [system], FinCEN should survey
other beneficial ownership databases to
determine their best features and design,
and create a structure that secures the
data as required by law.’’ 38 Among
other actions FinCEN has undertaken in
the development of the system, FinCEN
met not only with future stakeholders to
better understand their need to access
BOI and how they currently safeguard
sensitive information (see Section II.H.
‘‘Outreach’’ below), but also with other
government entities that had developed
beneficial ownership databases, such as
the District of Columbia’s (DC’s)
Superintendent of Corporations (within
DC’s Department of Consumer and
Regulatory Affairs Corporations), and
the United Kingdom’s Companies
House.

37 CTA, Section 6402(7).
38 Senator Sherrod Brown, National Defense Authorization Act, Congressional Record 166:208 (Dec. 9, 2020), p. S7312, available at https://www.govinfo.gov/content/pkg/CREC-2020-12-09/pdf/CREC-2020-12-09.pdf.

Senator Brown also encouraged
FinCEN to ‘‘ensure that [F]ederal,
[S]tate, local and tribal law enforcement
can access the beneficial ownership
database without excessive delays or red
tape in a manner modeled after its
existing systems providing law
enforcement access to databases
containing currency transaction and
suspicious activity report
information.’’ 39 Keeping BOI secure and
confidential is one of FinCEN’s highest
priorities in building the system.
Serving that interest requires not only
designing and implementing
appropriate technical controls around
BOI security and storage, but also
thoroughly understanding the ways in
which prospective authorized BOI
recipients intend to access, handle, and
use BOI. This knowledge in turn
informs the policies, procedures, and
processes that will govern how
authorized recipients treat BOI when
they access it.
This balance is reflected in the
ongoing development of the system.
Consistent with the CTA’s
requirement,40 the system will be
cloud-based and is being implemented to meet
the highest Federal Information Security
Management Act (FISMA) 41 level
(FISMA High).42 A FISMA High rating
indicates that losing the confidentiality,
integrity, or availability of information
within a system would have a severe or
catastrophic adverse effect on the
organization maintaining the system,
including on organizational assets or
individuals.43 The rating carries with it
a requirement to implement certain
baseline controls to protect the relevant
information.44
FinCEN recognizes that BOI is highly
sensitive information. FinCEN therefore
views it as critical to mitigate the risk
of unauthorized disclosure of BOI as
much as possible. To that end, system
functionality will vary by recipient
category consistent with statutory
requirements and limitations on BOI
disclosure—for example, financial
institutions will have a different level of
access to BOI than law enforcement
agencies. The regulations proposed in
this Access NPRM complement this
functionality by clarifying and codifying
those requirements and limitations,
including through recipient-specific
access protocols designed to protect BOI
security and confidentiality.
39 Id.
40 31 U.S.C. 5336(c)(8).
41 44 U.S.C. 3541 et seq.
42 See U.S. Department of Commerce, Federal Information Processing Standards Publication: Standards for Security Categorization of Federal Information and Information Systems (‘‘FIPS Pub 199’’) (Feb. 2004), available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf.
43 Id. at 3.
44 Id.
ii. CTA Implementation Efforts
FinCEN continues to face resource
constraints in developing and deploying
the Beneficial Ownership IT System and
efforts to put in place processes to
support the collection and use of BOI.
There are a myriad of areas that need
additional investment, including
additional personnel to support efforts
beyond the initial build of the Beneficial
Ownership IT System. These include
efforts to provide clear and transparent
guidance to reporting companies and
authorized users of BOI, negotiating and
implementing memoranda of
understanding (MOUs) with domestic
government agencies, reviewing
requests for BOI and accompanying
court authorizations from State, local, or
tribal law enforcement agencies,
auditing the handling and use of BOI,
and enforcement activities.
FinCEN is particularly focused on
providing adequate customer service
resources for reporting companies in the
first year and beyond as they file their
BOI. FinCEN currently fields
approximately 13,000 inquiries a year
through its Regulatory Support Section,
and approximately 70,000 external
technical inquiries a year through the IT
Systems Helpdesk. FinCEN has
estimated that there will be
approximately 32 million reporting
companies in Year 1 of the reporting
requirement and approximately 5
million new reporting companies each
year thereafter.45 If 10 percent of those
reporting companies have questions
about the reporting requirement or the
form, or technical issues when filing,
that could result in upwards of 3
million inquiries in Year 1, and 500,000
per year after that.
Without the availability of additional
appropriated funds to support this
project and other mission-critical
services, FinCEN may need to identify
trade-offs, including with respect to
guidance and outreach activities, and
the staged access by different authorized
users to the database. FinCEN is
currently identifying the range of
considerations implicated by potential
budget shortfalls and the trade-offs that
are available and appropriate.
45 87 FR 59498, 59549 (Sept. 30, 2022).
G. Verification
FinCEN continues to evaluate options
for verifying reported BOI.46
‘‘Verification,’’ as that term is used here,
means confirming that the reported BOI
submitted to FinCEN is actually
associated with a particular individual.
A number of commenters to the ANPRM
and Reporting NPRM have affirmed the
importance of verifying BOI to support
authorized activities that rely on the
information. FinCEN continues to
review the options available to verify
BOI within the legal constraints in the
CTA.
H. Outreach
FinCEN has conducted more than 30
outreach sessions to solicit input on
how best to implement the statutory
authorizations and limitations regarding
BOI disclosure. Participants included
representatives from Federal agencies,
State courts, State and local prosecutors’
offices, Tribal governments, FIs,
financial self-regulatory organizations
(SROs), and, as noted previously,
government offices that had established
BOI databases. Topics discussed
included how stakeholders might use
BOI, potential information technology
(IT) system features, circumstances in
which potential stakeholders might
need to re-disseminate BOI, and how
different approaches might help further
the purposes of the CTA. These
conversations helped FinCEN refine its
thinking about how to create a useful
database for stakeholders while
protecting BOI and individual privacy.
III. Overview of Access Framework and
Protocols
A. Statutory Framework
The CTA authorizes FinCEN to
disclose BOI to five categories of
recipients.47 The first category consists
of recipients in Federal, State, local and
Tribal government agencies. Within this
category, FinCEN may disclose BOI to
Federal agencies engaged in national
security, intelligence, or law
enforcement activity if the requested
BOI is for use in furtherance of such
activity.48 Note that Federal agency
access is activity-based. Thus, an agency
such as a Federal functional regulator,
while perhaps not a ‘‘law enforcement
agency’’ in the conventional sense, may
still be engaged in ‘‘law enforcement
activity’’ such as civil law enforcement,
and can therefore still request BOI from
FinCEN for use in furtherance of that
activity. FinCEN may also disclose BOI
to State, local, and Tribal law
enforcement agencies if ‘‘a court of
competent jurisdiction’’ has authorized
the law enforcement agency to seek the
information in a criminal or civil
investigation.49
46 Pursuant to Sections 6502(b)(1)(C) and (D) of the AML Act, the Secretary, in consultation with the Attorney General, will conduct a study no later than two years after the effective date of the BOI reporting final rule, to evaluate the costs associated with imposing any new verification requirements on FinCEN and the resources necessary to implement any such changes.
47 31 U.S.C. 5336(c)(2)(B) and 31 U.S.C. 5336(c)(5).
48 31 U.S.C. 5336(c)(2)(B)(i)(I).
The second category consists of
foreign law enforcement agencies,
judges, prosecutors, central authorities,
and competent authorities (‘‘foreign
requesters’’), provided their requests
come through an intermediary Federal
agency, meet certain additional criteria,
and are made either (1) under an
international treaty, agreement, or
convention, or (2) via a request made by
law enforcement, judicial, or
prosecutorial authorities in a trusted
foreign country (when no international
treaty, agreement, or convention is
available).50
The third authorized recipient
category is FIs using BOI to facilitate
compliance with CDD requirements
under applicable law, provided the FI
requesting the BOI has the relevant
reporting company’s consent for such
disclosure.51
The fourth category is Federal
functional regulators and other
appropriate regulatory agencies acting
in a supervisory capacity assessing FIs
for compliance with CDD
requirements.52 These agencies may
access the BOI information that FIs they
supervise received from FinCEN.
The fifth and final category of
authorized BOI recipients is the U.S.
Department of the Treasury (Treasury)
itself, for which the CTA provides
relatively unique access to BOI tied to
an officer or employee’s official duties
requiring BOI inspection or disclosure,
including for tax administration.53
The CTA directs the Secretary to
‘‘take all steps, including regular
auditing, to ensure that government
authorities accessing [BOI] do so only
for authorized purposes consistent with
[the CTA].’’ 54 The CTA also requires the
Secretary to establish protocols
governing access by authorized
recipients to BOI and protecting the
information’s security and
confidentiality.55
Specifically, the statute provides that
the Secretary shall establish protocols
requiring: (1) the heads of requesting
agencies to approve standards and
procedures for protecting BOI, and make
related certifications; 56 (2) requesting
agencies to ‘‘establish and maintain, to
the satisfaction of the Secretary, a secure
system in which [BOI] provided directly
by the Secretary shall be stored’’; 57 (3)
requesting agencies to ‘‘furnish a report
to the Secretary, at such time and
containing such information as the
Secretary may prescribe, that describes
the procedures established and utilized
by such agency to ensure the
confidentiality of [BOI] provided
directly by the Secretary’’; 58 (4) certain
requesting agencies to provide a written
certification that the requirements for
access to BOI have been met; 59 (5)
requesting agencies to ‘‘limit, to the
greatest extent practicable, the scope of
information sought, consistent with the
purposes for seeking [BOI];’’ 60 (6)
requesting agencies to ‘‘establish and
maintain, to the satisfaction of the
Secretary, a permanent system of
standardized records with respect to an
auditable trail of each request for [BOI]
submitted to the Secretary by the
agency, including the reason for the
request, the name of the individual who
made the request, the date of the
request, any disclosure of [BOI] made by
or to the agency, and any other
information the Secretary of the
Treasury determines is appropriate’’; 61
and (7) requesting agencies to ‘‘conduct
an annual audit to verify that the [BOI]
received from the Secretary has been
accessed and used appropriately, and in
a manner consistent with this paragraph
and provide the results of that audit to
the Secretary upon request.’’ 62 The
Secretary is likewise required to
‘‘conduct an annual audit of the
adherence of the agencies to the
protocols established under this
paragraph to ensure that agencies are
requesting and using beneficial
ownership information
appropriately.’’ 63
The CTA expressly restricts access to
BOI to only those authorized users at a
requesting agency: (1) who are directly
engaged in an authorized investigation
or activity; (2) whose duties or
responsibilities require access to BOI;
(3) who have undergone appropriate
training or use staff to access the system
who have undergone appropriate
training; (4) who use appropriate
identity verification to obtain access to
the information; and (5) who are
authorized by agreement with the
Secretary to access BOI.64
49 31 U.S.C. 5336(c)(2)(B)(i)(II).
50 See 31 U.S.C. 5336(c)(2)(B)(ii).
51 31 U.S.C. 5336(c)(2)(B)(iii).
52 31 U.S.C. 5336(c)(2)(B)(iv).
53 31 U.S.C. 5336(c)(5).
54 CTA, Section 6402(7)(B).
55 See generally 31 U.S.C. 5336(c)(3).
56 31 U.S.C. 5336(c)(3)(B).
57 31 U.S.C. 5336(c)(3)(C).
58 31 U.S.C. 5336(c)(3)(D).
59 31 U.S.C. 5336(c)(3)(E).
60 31 U.S.C. 5336(c)(3)(F).
61 31 U.S.C. 5336(c)(3)(H).
62 See 31 U.S.C. 5336(c)(3)(I).
63 See 31 U.S.C. 5336(c)(3)(J).
The statute further provides the
Secretary with discretionary authority to
prescribe by regulation such other
safeguards as she deems necessary and
appropriate to protect BOI
confidentiality.65 The Secretary has
delegated the authority to prescribe
appropriate protocols to protect the
security and confidentiality of BOI
pursuant to 31 U.S.C. 5336(c)(3) to
FinCEN.66
B. Disclosure to Authorized Domestic
Government Agency Users for Non-Supervisory Purposes
Under the first category of BOI
recipients, FinCEN expects three types
of domestic agency users to be able to
access and query the beneficial
ownership IT system directly: (1)
Federal agencies engaged in national
security, intelligence, and law
enforcement activity; (2) Treasury
officers and employees who require
access to BOI to perform their official
duties or for tax administration; and (3)
State, local, and Tribal law enforcement
agencies. This type of access would
permit authorized individuals within an
authorized recipient agency to log in,
run queries using multiple search fields,
and review one or more results returned
immediately.
These agencies often lack
comprehensive information about a
subject or other relevant individuals or
entities when conducting investigations.
The ability to query the database
directly and iteratively is therefore
necessary to enable them to use BOI
effectively. Nevertheless, to protect
against potential abuse, Federal-agency
users engaged in national security,
intelligence, or law enforcement activity
would have to submit brief justifications
to FinCEN for their searches, explaining
how their searches further a particular
qualifying activity, and these
justifications would be subject to
oversight and audit by FinCEN. FinCEN
will develop guidance for agencies on
submitting the required justifications.
Consistent with the CTA’s
restrictions, authorized users from State,
local, and Tribal law enforcement
agencies would be required to upload
the document issued by a court of
competent jurisdiction authorizing the
agency to seek BOI from FinCEN.67
After FinCEN has reviewed the relevant
authorization for sufficiency and
approved the request, an agency could
then conduct searches using multiple
search fields consistent in scope with
the court authorization and subject to
audit by FinCEN. These searches would
return results immediately.
64 31 U.S.C. 5336(c)(3)(G).
65 See 31 U.S.C. 5336(c)(3)(K).
66 Treasury Order 180–01 (Jan. 14, 2020).
Such broad search capabilities within
the beneficial ownership IT system
require domestic agencies to clearly
understand the scope of their
authorization and their responsibilities
under it. That is why the proposed rule
establishes protocols for requirements,
limitations, and expectations with
respect to searches by domestic agencies
of the beneficial ownership IT system.
As part of these protocols, each
domestic agency would first need to
enter into a memorandum of
understanding (MOU) with FinCEN
before being allowed access to the
system. FinCEN is developing draft
MOUs based on similar agreements it
uses to share BSA data. FinCEN will
also provide training for agency
personnel and exercise oversight and
audit functions discussed in more detail
in Section IV below.
None of the remaining authorized
recipient categories will have access to
the broad search capabilities within the
system.
C. Disclosure to Authorized Foreign
Requesters
Foreign requesters—foreign law
enforcement agencies, judges,
prosecutors, central authorities, or
competent authorities (or a like
designation)—will not have direct
access to the beneficial ownership IT
system. They will instead submit their
requests for BOI to Federal intermediary
agencies as the CTA requires.68 If the
foreign request meets the applicable
criteria of the CTA 69 and the proposed
rule, then the Federal agency
intermediary will retrieve the BOI from
the system and transmit it to the foreign
requester.
67 See 31 U.S.C. 5336(c)(2)(B)(i)(II).
68 31 U.S.C. 5336(c)(2)(B)(ii).
69 Section 6403 of the CTA requires that the foreign request be made by a Federal agency on behalf of a law enforcement agency, foreign central authority or competent authority (or like designation), under an international treaty, agreement, convention, or official request made by law enforcement, judicial, or prosecutorial authorities in trusted foreign countries when no treaty, agreement, or convention is available. The CTA goes on to state that the foreign request must (1) be issued in response to a request for assistance in an investigation or prosecution by such foreign country; and (2) either (a) require compliance with the disclosure and use provisions of the treaty, agreement, or convention publicly disclosing any BOI received; or (b) limit the use of the information for any purpose other than the authorized investigation or national security or intelligence activity. See 31 U.S.C. 5336(c)(2)(B)(ii).
FinCEN intends to work with Federal
agencies to identify agencies that are
well positioned to serve as
intermediaries between FinCEN and
foreign requesters. FinCEN expects that
these possible intermediary Federal
agencies will have regular engagement
and familiarity with foreign law
enforcement agencies, judges,
prosecutors, central authorities, or
competent authorities on matters related
to law enforcement, national security, or
intelligence activity, and will have
established policies, procedures, and
communication channels for sharing
information with those foreign parties.
Other factors would include whether a
prospective intermediary Federal
agency represents the U.S. government
in relevant international treaties,
agreements, or conventions, the
expected number of requests that the
agency could receive, and the ability of
the agency to efficiently process
requests while managing risks of
unauthorized disclosure.
Once identified, FinCEN will then
work with intermediary Federal
agencies to: (1) ensure that they have
secure systems for BOI storage; (2) enter
into MOUs outlining expectations and
responsibilities; (3) translate the CTA
foreign sharing requirements into
evaluation criteria against which
intermediaries can compare requests
from foreign requesters; (4) integrate the
evaluation criteria into the
intermediaries’ existing information-sharing
policies and procedures; (5)
develop additional security protocols
and systems as required under the CTA
and this rule; and (6) ensure that
intermediary agency personnel have
sufficient training on the requirements
of the CTA and the proposed rule.
FinCEN would exercise oversight and
audit functions to ensure that Federal
intermediary agencies adhere to
requirements and take appropriate
measures to mitigate the risk of foreign
requesters abusing the information.
Given its longstanding relationships
and relevant experience as the financial
intelligence unit of the United States,
FinCEN proposes to directly receive,
evaluate, and respond to requests for
BOI from foreign financial intelligence
units.
D. Disclosure to FIs and Regulatory
Agencies for CDD Compliance
Unlike foreign requesters, both FIs
and their regulators (Federal functional
regulators and other appropriate
regulatory agencies, when assessing FIs’
compliance with CDD requirements)
would both have direct access to BOI
contained in the beneficial ownership
IT system, albeit in more limited form
than Federal agencies engaged in
national security, intelligence, or law
enforcement activity, or State, local, and
Tribal law enforcement agencies.
The CTA authorizes FinCEN to
disclose a reporting company’s BOI to
an FI only to the extent that such
disclosure facilitates the FI’s
compliance with CDD requirements
under applicable law, and only if the
reporting company first consents.70
FinCEN takes these constraints seriously
given the sensitive nature of BOI and
the potential number of FI employees
who could have access to it. FinCEN is
therefore not planning to permit FIs to
run broad or open-ended queries in the
beneficial ownership IT system or to
receive multiple search results. Rather,
FinCEN anticipates that a FI, with a
reporting company’s consent, would
submit to the system identifying
information specific to that reporting
company, and receive in return an
electronic transcript with that entity’s
BOI. To the extent the FI makes a trivial
data-entry error in its request for BOI,
the FI could still obtain the requested
BOI, provided the errors do not
compromise BOI security and
confidentiality and result in the FI
retrieving information on the wrong
reporting company. This more limited
information-retrieval process would
reduce the overall risk of inappropriate
use or unauthorized disclosures of BOI.
The CTA permits similarly narrow
access for Federal functional regulators
and other appropriate regulatory
agencies exercising supervisory
functions. The statute allows these
agencies to request from FinCEN BOI
that the FIs they supervise have already
obtained from the bureau, but only for
assessing an FI’s compliance with CDD
requirements under applicable law.71
Consequently, Federal functional
regulators and other appropriate
regulatory agencies will generally have
limited access to the beneficial
ownership IT system if requesting BOI
for the purpose of ascertaining CDD
compliance. FinCEN is still developing
this access model and accompanying
functionality, but expects regulators to
be able to retrieve any BOI that the FIs
they supervise received from FinCEN
during a particular period, as opposed
to data that might reflect subsequent
updates. This would both satisfy CTA
requirements and facilitate smoother
examinations by ensuring regulators
receive the same BOI that FIs received
for purposes of their CDD reviews.
70 31 U.S.C. 5336(c)(2)(B)(iii).
71 See 31 U.S.C. 5336(c)(2)(C), providing that BOI FinCEN discloses to a financial institution ‘‘shall also be available to a Federal functional regulator or other appropriate regulatory agency, as determined by the Secretary . . . .’’
FinCEN expects that Federal
functional regulators responsible for
bringing civil enforcement actions will
be able to avail themselves of the
Federal law enforcement access
provision and functionality described in
Section III.B. above.72 State, local, and
Tribal agencies with both a qualifying,
CDD-focused regulatory function and a
law enforcement function could
similarly avail themselves of the access
provisions applicable to those distinct
BOI recipient categories. Each agency
would be responsible for ensuring
unauthorized disclosure does not occur
between its various components. In
addition, FinCEN is required under the
CTA to perform annual audits to ensure
agencies are requesting and using BOI
appropriately and consistently with
their internal protocols.73 As with other
Federal agencies, MOUs will further
specify the expectations with respect to
the handling and sharing of BOI by
components of the same agency that
may access BOI under different
circumstances. FIs, meanwhile, would
have to agree to terms of use that would
be a condition of access to the beneficial
ownership IT system. This distinction
reflects the more limited, less flexible
functionality FIs will enjoy relative to
government agencies with multi-field
search capabilities within the beneficial
ownership IT system.
IV. Section-by-Section Analysis
As described below in Section IV.A.,
this proposed rule would add new
access-to-information rules in a new
§ 1010.955 (‘‘Availability of information
reported pursuant to 31 CFR 1010.380’’)
in subpart J (‘‘Miscellaneous’’) of part
1010 (‘‘General Provisions’’) of chapter
X (‘‘Financial Crimes Enforcement
Network’’) of title 31, Code of Federal
Regulations. To avoid confusion, it
would also rename and clarify the scope
of the existing 31 CFR 1010.950
(‘‘Availability of information—
general’’).
The following sections describe the
elements of the proposed rule: (i)
availability of information—general; (ii)
prohibition on disclosure; (iii)
disclosure of information by FinCEN;
(iv) use of information; (v) security and
confidentiality requirements; (vi)
administration of requests for
information reported pursuant to 31
CFR 1010.380; and (vii) violations and
penalties.
72 Federal functional regulators engaged in national security activity would similarly be able to make use of the search functionality associated with the ‘‘national security activity’’ access provision.
73 See 31 U.S.C. 5336(c)(3)(J).
Additionally, Section IV.B. below
describes the FinCEN identifier
provisions of the proposed rule.
A. Beneficial Ownership Information
Retention and Disclosure Requirements
i. Availability of Information—General
FinCEN proposes to amend 31 CFR
1010.950(a) to clarify that the disclosure
of BOI would be governed by proposed
31 CFR 1010.955, rather than 31 CFR
1010.950(a), which governs disclosure
of other BSA information. Currently 31
CFR 1010.950(a) authorizes the
disclosure of all BSA information
received by FinCEN and states that
‘‘[t]he Secretary may within his
discretion disclose information reported
under this chapter for any reason
consistent with the purposes of the
Bank Secrecy Act, including those set
forth in paragraphs (b) through (d) of
this section.’’ The CTA authorizes
FinCEN to disclose such information
only in limited and specified
circumstances that are separate and
distinct from provisions authorizing
disclosure of other BSA information.74
Accordingly, FinCEN is proposing to
amend 31 CFR 1010.950(a) to clarify
that the disclosure of BOI would instead
be governed by proposed 31 CFR
1010.955.
ii. Prohibition on Disclosure
The CTA provides that, except as
authorized by 31 U.S.C. 5336(c) and the
protocols promulgated under that
subsection, BOI reported pursuant to 31
U.S.C. 5336 ‘‘shall be confidential and
may not be disclosed by . . . (i) an
officer or employee of the United States;
(ii) an officer or employee of any State,
local, or Tribal agency, or (iii) an officer
or employee of any [FI] or regulatory
agency receiving information under [31
U.S.C. 5336(c)].’’ 75
Proposed 31 CFR 1010.955(a) would
incorporate this prohibition, with two
clarifications. First, it would clarify that
any individual authorized to receive
BOI pursuant to proposed 31 CFR
1010.955(b) is prohibited from
disclosing it except as expressly
authorized by FinCEN. Critically, this
provision would extend the prohibition
on disclosure to any individual who
receives BOI regardless of whether they
continue to serve in the position
through which they were authorized to
receive BOI. Otherwise, the regulations
could be read to permit disclosure of
sensitive BOI after an individual leaves
the relevant position. Second, it would
also extend the prohibition on
disclosure to any individual who
receives BOI as a contractor or agent of
the United States; a contractor or agent
of a State, local, or Tribal agency; or a
member of the board of directors,
contractor, or agent of an FI. FinCEN
believes that this clarification is needed
to ensure that agents acting on behalf of
an authorized BOI recipient agency or
other entity are subject to the same
prohibition on the disclosure of BOI as
officers and employees of an authorized
BOI recipient agency or other entity.
Such an approach is necessary to avoid
the different treatment of employees and
officers in relation to contractors and
agents.
74 See 31 U.S.C. 5336(c)(2), (5).
75 See 31 U.S.C. 5336(c)(2)(A).
Although the CTA does not expressly
refer to agents, contractors, or directors,
FinCEN would extend the prohibition
on disclosure to such individuals
pursuant to 31 U.S.C. 5336(c)(3)(K),
which provides that ‘‘the Secretary of
the Treasury shall establish by
regulation protocols described in [31
U.S.C. 5336(2)(A)] that . . . provide
such other safeguards which the
Secretary determines (and which the
Secretary prescribes in regulations) to be
necessary or appropriate to protect the
confidentiality of the beneficial
ownership information.’’ 76 FinCEN also
believes this approach is consistent with
the CTA’s overall focus on preventing
unauthorized disclosure 77 and the
broad scope of the provisions penalizing
unauthorized disclosure by ‘‘any
person.’’ 78 FinCEN invites comments
on this approach.
iii. Disclosure of Information to
Authorized Recipients
The CTA authorizes FinCEN to
disclose BOI to five categories of
recipients in specified circumstances.79
The statutory authorization is generally
permissive: with one exception, the
CTA provides that FinCEN ‘‘may
disclose’’ BOI to authorized recipients
in qualifying circumstances.80 This
76 Section 6003(1) of the AML Act defines the
BSA as comprising Section 21 of the Federal
Deposit Insurance Act (12 U.S.C. 1829b), Chapter 2
of Title I of Public Law 91–508 (12 U.S.C. 1951 et
seq.), and Subchapter II of Chapter 53 of Title 31,
United States Code, which includes 31 U.S.C. 5336.
Congress has authorized the Secretary to administer
the BSA. The Secretary has delegated to the
Director of FinCEN the authority to implement,
administer, and enforce compliance with the BSA
and associated regulations (Treasury Order 180–01
(Jan. 14, 2020)).
77 See generally 31 U.S.C. 5336(c).
78 See generally 31 U.S.C. 5336(h)(2), (3).
79 See 31 U.S.C. 5336(c)(2)(B).
80 31 U.S.C. 5336(c)(2)(B). Under 5336(c)(2)(C),
BOI that a reporting company consents to share
with a financial institution ‘‘shall’’ be available to
a Federal functional regulator to supervise
Continued
E:\FR\FM\16DEP4.SGM
16DEP4
77412
Federal Register / Vol. 87, No. 241 / Friday, December 16, 2022 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS4
language affords FinCEN discretion to
ensure that BOI is disclosed only to
authorized recipients that are able to
keep the information confidential and
secure. FinCEN intends to foster a
culture of responsibility around BOI
that treats security and confidentiality
as a paramount objective.
a. Federal Agencies Engaged in National
Security, Intelligence, or Law
Enforcement Activity
Section 6403 of the CTA authorizes
FinCEN to disclose BOI upon receipt of
a request, through appropriate
protocols, from a Federal agency
engaged in national security,
intelligence, or law enforcement activity
for use in furtherance of one of those
activities.81 Federal agency access is to
be based upon the type of activity an
agency is conducting rather than the
identity of the agency or how it might
be categorized. The key consideration is
the scope of the types of activities
described in the CTA for which the
agency may seek BOI: national security
activities, intelligence activities, and
law enforcement activities.
The CTA does not specify what
agency activities fall within those three
categories, and FinCEN proposes to do
so consistent with the text, structure,
and purpose of the CTA. Proposed 31
CFR 1010.955(b)(1)(i) would define
‘‘national security activity’’ as any
‘‘activity pertaining to the national
defense or foreign relations of the
United States, as well as activity to
protect against threats to the security or
economy of the United States.’’ This
approach draws, in large part, from 8
U.S.C. 1189(d)(2), which defines
‘‘national security’’ for purposes of
designating foreign terrorist
organizations (FTOs) that threaten U.S.
national security. FinCEN believes this
definition is appropriate for several
reasons. First, the FTO statute covers a
broad range of national security threats
to the United States, including those
with an economic dimension. That
scope is consonant with the CTA’s goal
to combat national security threats that
are financial in nature, such as money
laundering, terrorist financing,
counterfeiting, fraud, and foreign
corruption.82 Second, the FTO statute
arises in a related context insofar as it
involves efforts to hinder illicit actors’
economic activities.
Proposed 31 CFR 1010.955(b)(1)(ii)
would define ‘‘intelligence activity’’
based upon Executive Order 12333 of
80 (continued) compliance with customer due diligence
requirements under applicable law.
81 See 31 U.S.C. 5336(c)(2)(B)(i)(I).
82 See CTA, Section 6402(3).
December 4, 1981, as amended.83
Executive Order 12333 remains ‘‘a
foundational document for the United
States’ foreign intelligence efforts.’’ 84 It
establishes ‘‘a framework that applies
broadly to the government’s collection,
analysis, and use of foreign intelligence
and counterintelligence—from human
sources, by interception of
communications, by cameras and other
sensors on satellites and aerial systems,
and through relationships with
intelligence services of other
governments.’’ 85 FinCEN believes that
relying on Executive Order 12333 would
be consistent with existing agency
understanding and would provide
flexibility to accommodate Intelligence
Community missions and activities.86
Proposed 31 CFR 1010.955(b)(1)(ii)
would therefore define intelligence
activity to include ‘‘all activities
conducted by elements of the United
States Intelligence Community that are
authorized pursuant to Executive Order
12333, as amended, or any succeeding
executive order.’’
Finally, proposed 31 CFR
1010.955(b)(1)(iii) would define ‘‘law
enforcement activity’’ to include
‘‘investigative and enforcement
activities relating to civil or criminal
violations of law.’’ Proposed 31 CFR
1010.955(b)(1)(iii) is intended broadly to
cover the types of functions in which
Federal agencies engage when they
work to enforce the laws of the United
States. FinCEN believes that it is
consistent with the CTA to authorize
Federal agencies to access BOI at all
stages of the law enforcement process.
Additionally, the proposed rule
would make clear that law enforcement
activity can include both criminal and
civil investigations and actions, such as
actions to impose or enforce civil
penalties, civil forfeiture actions, and
civil enforcement through
administrative proceedings. The CTA is
concerned with combating all manner of
illicit activity,87 and many laws that
prohibit such activity are enforced by
Federal agencies in both civil and
criminal actions. The CTA does not
limit ‘‘law enforcement activity’’ to
criminal investigations or actions.
Moreover, FinCEN’s clarification in the
proposed rule would place Federal
83 Exec. Order No. 12333, 46 FR 59941 (Dec. 4,
1981) (‘‘United States Intelligence Activities’’).
84 5 Privacy and Civil Liberties Oversight Board,
Executive Order 12333 (accessed Apr. 28, 2022),
https://documents.pclob.gov/prod/Documents/OversightReport/4f1d0d87-233b-4555-9b87-79089ad9845e/12333%20Public%20Capstone.pdf.
85 Id.
86 By ‘‘Intelligence Community,’’ FinCEN means
the agencies identified in paragraph 3.4(f) of
Executive Order 12333.
87 See CTA, Section 6402(3).
agencies on the same footing as State,
local, and Tribal law enforcement
agencies, for which the CTA authorizes
use of BOI in a ‘‘criminal or civil
investigation.’’ Nothing in the CTA
suggests that Federal agencies should
have more limited access to BOI than
their State, local, and Tribal
counterparts engaged in civil
investigations, and FinCEN does not
believe it would be appropriate to limit
Federal agencies’ access in this manner.
The proposed rule would also facilitate
law enforcement cooperation by
providing access to BOI in both civil
and criminal investigations, as both
types of investigations often proceed in
parallel.88
Among the Federal agencies with
access to BOI for law enforcement
purposes would be Federal functional
regulators that investigate civil
violations of law.89 Although the CTA
separately authorizes Federal functional
regulators to access BOI for the purpose
of supervising compliance with CDD
requirements, this access does not
preclude Federal functional regulators
from accessing BOI when engaging in
law enforcement activity.90 The CTA
specifically references ‘‘securities fraud,
financial fraud, and acts of foreign
corruption’’ as types of illicit activity
that the statute is intended to help
combat.91 These are areas in which a
significant amount of law enforcement
activity is conducted by Federal
functional regulators such as the
Securities and Exchange Commission
(SEC), which brings hundreds of civil
enforcement actions, including
administrative proceedings, each year
against individuals and entities engaged
in market manipulation, Ponzi schemes,
offering fraud, insider trading, and other
violations of the Federal securities
laws.92 Under the proposed rule, the
SEC and other Federal functional
regulators would be able to obtain BOI
directly from the beneficial ownership
IT system for use in furtherance of this
critical law enforcement activity. The
proposed rule would also place the SEC
and other Federal functional regulators
88 See 31 U.S.C. 5336(c)(2)(B)(i)(II).
89 See 31 U.S.C. 5336(c)(2)(B)(i)(II).
90 The two provisions contemplate different
processes depending on the purpose for which
access is sought. Under Section 5336(c)(2)(B)(i)(I),
FinCEN ‘‘may’’ disclose BOI upon request from a
Federal agency engaged in law enforcement
activity. In contrast, under 5336(c)(2)(C), BOI that
a reporting company consents to share with a
financial institution ‘‘shall’’ be available to a
Federal functional regulator to supervise
compliance with customer due diligence
requirements pursuant to an agreement with the
regulator.
91 CTA, Section 6402(3).
92 See, e.g., https://www.sec.gov/news/press-release/2021-238.
on equal footing with other Federal
agencies that lack a regulatory or
supervisory function, but that are
engaged in civil and criminal law
enforcement activity, like the U.S.
Department of Justice (DOJ).
For all three types of activities—
national security, intelligence, and law
enforcement—FinCEN considered
proposing more restrictive definitions
involving exhaustive lists of activities.
The bureau believes these approaches
would risk being either under- or over-inclusive and could arbitrarily limit
access to BOI for activities that the
regulations may fail to specify. The
CTA, among other things, was enacted
to ‘‘protect vital United States national
security interests,’’ ‘‘protect interstate
and foreign commerce,’’ and ‘‘better
enable critical national security,
intelligence, and law enforcement
efforts to counter . . . illicit activity.’’ 93
The statute targets a wide array of illicit
actors who use opaque corporate
structures to conceal their illicit
activities. FinCEN believes the risk of
unintentionally hindering a Federal
agency’s important national security,
intelligence, or law enforcement
activities supports the flexible approach
the bureau has proposed. This approach
will also have more flexibility to
develop alongside the evolving threats
facing the United States.
FinCEN invites comments on its
proposed definitions of national
security, intelligence, and law
enforcement activities.
b. State, Local, and Tribal Law
Enforcement Agencies
The CTA permits FinCEN to disclose
BOI upon receipt of a request, through
appropriate protocols, ‘‘from a State,
local, or Tribal law enforcement agency,
if a court of competent jurisdiction,
including any officer of such a court,
has authorized the law enforcement
agency to seek the information in a
criminal or civil investigation.’’ 94
Proposed 31 CFR 1010.955(b)(2)
similarly would allow FinCEN to
disclose BOI to a State,95 local, or Tribal
law enforcement agency ‘‘if a court of
competent jurisdiction has authorized
the agency to seek the information in a
93 CTA, Section 6402(5)(B), (D).
94 31 U.S.C. 5336(c)(2)(B)(i)(II).
95 FinCEN will interpret the term ‘‘State’’
consistent with the definition of that term in the
final Beneficial Ownership Information Reporting
Requirements rule at 87 FR 59498 (Sep. 30, 2022)
(which defines the term ‘‘State’’ to mean ‘‘any
[S]tate of the United States, the District of
Columbia, the Commonwealth of Puerto Rico, the
Commonwealth of the Northern Mariana Islands,
American Samoa, Guam, the United States Virgin
Islands, and any other commonwealth, territory, or
possession of the United States.’’)
criminal or civil investigation.’’ FinCEN
recognizes that State practices are likely
to be varied with respect to how law
enforcement agencies may be authorized
by a court to seek information in
connection with an investigation or
prosecution.96 FinCEN has not sought to
define what it means for a court to
‘‘authorize’’ the law enforcement agency
to seek BOI, but aims to ensure that BOI
access at the State, local, and Tribal
level is highly useful to law
enforcement and has consistent
application across jurisdictions.
At a minimum, the proposed rule
would allow a State, local, or Tribal law
enforcement agency (including a
prosecutor) to access BOI where a court
specifically authorizes access in the
context of a criminal or civil
proceeding, for example, through a
court’s issuance of an order or approval
of a subpoena. Other circumstances,
however, are less clear. For example,
depending on State, local, or Tribal
practices, grand jury subpoenas may or
may not satisfy the CTA’s court
authorization requirement. Grand juries
have traditionally played a central role
in criminal discovery and may help
determine whether sufficient evidence
exists to indict an individual.97 The
State and local law enforcement
agencies, prosecutors, and court officials
with whom FinCEN consulted
emphasized the importance of ensuring
that BOI could be obtained in
connection with grand jury
investigations. FinCEN agrees that
providing BOI at the investigative stage
may further the CTA’s statutory
objectives by helping State, local, and
Tribal authorities uncover links between
96 31 U.S.C. 5336(c)(2)(B)(i)(II) authorizes FinCEN
to disclose BOI to a State, local, or Tribal law
enforcement agency in the context of ‘‘a criminal or
civil investigation.’’ FinCEN believes this provision
permits the agency to disclose BOI to a State,
local, or Tribal law enforcement agency, with the
required court authorization, for use in a civil or
criminal law enforcement action that follows the
investigation. FinCEN believes this is a reasonable
interpretation of the statutory language given that
disclosure provisions for Federal agencies engaged
in law enforcement, and foreign requests pertaining
to an ‘‘investigation or prosecution,’’ under the CTA
would cover the disclosure to those recipients in
the context of a prosecution. See 31 U.S.C.
5336(c)(2)(B)(i)(I), (c)(2)(B)(ii)(I). FinCEN does not
believe Congress intended to allow Federal and
foreign law enforcement agencies to obtain BOI for
use in prosecutions while prohibiting State, local,
and Tribal law enforcement agencies from doing so. A
more restrictive interpretation would severely limit
the utility of BOI for State, local, and Tribal law
enforcement agencies and run counter to the
purposes of the CTA. See CTA, Section 6402(8)(C)
(directing FinCEN to create a database of BOI that
is ‘‘highly useful to national security, intelligence,
and law enforcement agencies . . . ’’).
97 See generally Sara Sun Beale et al.,
Investigative Grand Jury and Indicting Grand Jury,
Grand Jury Law and Practice § 1:7 (2d ed. rev. Dec.
2021).
criminals and entities they may be using
to conceal illicit activities.98 Ultimately,
however, FinCEN determined that it
needs more information about State,
local, and Tribal practices in order to
determine whether they would involve
court authorization, as required by the
CTA. State practices can vary, and grand
jury subpoenas may be issued by the
grand jury in some jurisdictions or
signed by a prosecutor seeking
information to present to a grand jury in
others. Neither courts nor grand juries
always play a meaningful role in
authorizing subpoenas,99 and a majority
of states no longer use grand juries to
screen criminal cases.100
FinCEN requests comments on this
subject. In particular, commenters
should explain the mechanisms State,
local, and Tribal authorities use to
gather evidence in criminal and civil
cases. With respect to these particular
mechanisms, commenters should
describe the extent to which court
authorization is involved. More
generally, commenters should also
explain what role courts or court
officers play in authorizing evidence-gathering activities, what existing
practices involve court authorization,
and the extent to which new court
processes could be developed and
integrated into existing practices to
satisfy the CTA’s authorization
requirement. Commenters should also
address the need for access to BOI at
different stages of an investigation, as
well as the privacy interests that may be
implicated by such access.
Proposed 31 CFR 1010.955(b)(2)
would clarify that the authorized
recipient of BOI under this provision
would be the State, local, or Tribal
agency that makes a proper request for
BOI consistent with the proposed rule.
The proposed rule would also define
‘‘law enforcement agency’’ in a manner
similar to the definition of ‘‘law
enforcement activity’’ used to define the
scope of access for Federal agencies
engaged in law enforcement activity.
This approach is intended to ensure
consistency regardless of whether law
enforcement activity occurs at the local,
State, Tribal, or Federal level, including
in circumstances involving cooperation
among and across jurisdictions, such as
through task forces.
98 See CTA, Section 6402(3), (4), (5)(D).
99 See Sara Sun Beale et al., Role of Prosecutor
and Grand Jurors in Subpoenaing Evidence, Grand
Jury Law and Practice § 6:2 (2d ed. rev. Dec. 2021).
For example, Massachusetts permits district
attorneys to ‘‘issue subpoenas under their hands for
witnesses to appear and testify on behalf of the
commonwealth.’’ Mass. Gen. Laws Ann. ch. 277,
§ 68.
100 See id.
Proposed 31 CFR 1010.955(b)(2)
would clarify that ‘‘a court of competent
jurisdiction’’ is any court with
jurisdiction over the criminal or civil
investigation for which a State, local, or
Tribal law enforcement agency requests
BOI. The proposed rule does not specify
which officials qualify as officers of the
court because courts have varying
practices. FinCEN expects, however,
that individuals who may exercise a
court’s authority and issue
authorizations on its behalf would
qualify. FinCEN invites comment on
whether it should more specifically
identify officers of the court for
purposes of the rule, and if so, what the
potential qualifying criteria might be.
FinCEN does not believe that
individual attorneys acting alone would
fall within the definition of ‘‘court
officer’’ for purposes of this provision.
Though lawyers are sometimes referred
to as ‘‘officers of the court’’ to
emphasize their professional obligations
to the legal system, they are not all
‘‘officers of the court’’ in the sense of
exercising the court’s authority. FinCEN
does not believe the CTA—which
includes numerous provisions limiting
who may access BOI—intended to
empower any individual admitted to
practice law to authorize the disclosure
of BOI.
c. Foreign Requesters
The CTA provides that FinCEN may
disclose BOI upon receipt of a request
‘‘from a Federal agency on behalf of a
law enforcement agency, prosecutor, or
judge of another country, including a
foreign central authority or competent
authority (or like designation), under an
international treaty, agreement,
convention, or official request made by
law enforcement, judicial, or
prosecutorial authorities in trusted
foreign countries when no treaty,
agreement, or convention is
available.’’ 101 Such a request from a
Federal agency must be ‘‘issued in
response to a request for assistance in an
investigation or prosecution by such
foreign country,’’ 102 and must
‘‘require[e] compliance with the
disclosure and use provisions of the
treaty, agreement, or convention,
publicly disclosing [sic] any beneficial
ownership information received,’’ 103 or
limit BOI use ‘‘for any purpose other
than the authorized investigation or
national security or intelligence
activity.’’ 104
101 31 U.S.C. 5336(c)(2)(B)(ii).
102 31 U.S.C. 5336(c)(2)(B)(ii)(I).
103 31 U.S.C. 5336(c)(2)(B)(ii)(II)(aa).
104 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
Proposed 31 CFR 1010.955(b)(3)
clarifies that a request for BOI from a
foreign requester would have to derive
from a law enforcement investigation or
prosecution, or from national security or
intelligence activity, authorized under
the foreign country’s laws. This would
permit foreign requesters to obtain BOI
for, and use it in, the full range of
activities contemplated by 31 U.S.C.
5336(c)(2)(B)(ii) (i.e., law enforcement,
national security, and intelligence
activities), thereby giving effect to all of
the language in that subparagraph. The
proposed rule also resolves ambiguities
arising from inconsistent statutory
language. Specifically, one part of the
CTA’s foreign-access provision appears
to require a request to flow from a
foreign ‘‘investigation or
prosecution,’’ 105 while another appears
to allow a foreign requester to use BOI
to further any ‘‘authorized investigation
or national security or intelligence
activity.’’ 106 FinCEN believes the
proposed rule best resolves this
discrepancy by clarifying that
authorized national security and
intelligence activities could be a basis
for a BOI request, in addition to a law
enforcement investigation or
prosecution. FinCEN would view the
scope of the phrase ‘‘law enforcement
investigation or prosecution’’ similarly
to how it interprets the term ‘‘law
enforcement activity’’ under proposed
31 CFR 1010.955(b)(3): such activity can
include both criminal and civil
investigations and actions, including
actions to impose civil penalties, civil
forfeiture actions, and civil enforcement
through administrative proceedings.
The proposed rule next makes clear
that the relevant ‘‘foreign central
authority or foreign competent
authority’’ would be the agency
identified in the international treaty,
agreement, or convention under which
a foreign request is made. FinCEN
understands that ‘‘foreign central
authority’’ and ‘‘foreign competent
authority’’ are terms of art typically
defined within the context of a
particular agreement. This proposed
regulatory clarification should therefore
remove any ambiguity around the terms
without unduly excluding appropriate
foreign requesters from access to BOI.
Third, the proposed rule explains
that, consistent with the CTA, foreign
requests would need to fall into one of
two categories in order for the foreign
requester to receive BOI. The first
category is requests made pursuant to an
international treaty, agreement, or
convention. The second category is
105 31 U.S.C. 5336(c)(2)(B)(ii)(I).
106 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
official requests by a law enforcement,
judicial, or prosecutorial authority of a
trusted foreign country where there is
no international treaty, agreement, or
convention that governs.107 The security
and confidentiality requirements
applicable to each of these two
categories are different.
Under the proposed rule, an
intermediary Federal agency responding
to a foreign request under an
international treaty, agreement, or
convention would first need to ensure
that the request is consistent with the
requirements of the relevant treaty,
agreement, or convention, and the
requirements of proposed 31 CFR
1010.955(b)(3). FinCEN understands
that an ‘‘international treaty, agreement,
or convention’’ is a legally binding
agreement governed by international
law. FinCEN would appreciate views on
whether there are other types of
international arrangements under which
the sharing of beneficial ownership
information would be important to
achieve the goals of the CTA (such as
information sharing arrangements with
foreign law enforcement agencies that
do not have legal force) and whether
there are means to do so consistent with
the CTA. The intermediary Federal
agency would provide basic information
to FinCEN about who is requesting the
information and the treaty, agreement,
or convention under which the request
is being made. The intermediary Federal
agency would then search for and
retrieve the requested BOI from the
system and respond to the request in a
manner consistent with the treaty,
agreement, or convention. The
intermediary Federal agency would be
subject to certain recordkeeping
requirements to ensure that FinCEN is
able to perform appropriate audit and
oversight functions in accordance with
an MOU to be agreed between the
intermediary Federal agency and
FinCEN. The intermediary Federal
agency would also be subject to the
security and confidentiality protocols
applicable to other domestic agencies
that receive and handle BOI at proposed
31 CFR 1010.955(d)(1).
Where a request for BOI includes a
request that the information be
authenticated for use in a legal
proceeding in the foreign country
making the request, FinCEN may
establish a process for providing such
authentication via MOU with the
107 The regulatory text here uses ‘‘judicial or
prosecutorial authority’’ instead of the earlier
‘‘judge or prosecutor’’ to mirror an identical
language shift in the corresponding statutory
provision. See 31 U.S.C. 5336(c)(2)(B)(ii). FinCEN
does not view this difference as significant or
having practical effect.
relevant intermediary Federal agency.
Such process may include an
arrangement where FinCEN searches the
beneficial ownership IT system and
provides the information and related
authentication to the intermediary
Federal agency consistent with the
terms of the relevant MOU.
With respect to an official request by
a law enforcement, judicial, or
prosecutorial authority of a trusted
foreign country where no international
treaty, agreement, or convention
applies, FinCEN would establish a
mechanism to address such requests
either on a case-by-case basis or
pursuant to alternative arrangements
with intermediary Federal agencies
where those intermediary Federal
agencies have ongoing relationships
with the foreign requester. The CTA
does not provide criteria for
determining whether a particular
foreign country is ‘‘trusted,’’ but rather,
provides FinCEN with considerable
discretion to make this determination.
FinCEN considered identifying
particular countries or groups of
countries as ‘‘trusted’’ for the purposes
of receiving BOI. Ultimately, however,
FinCEN determined that such a
restrictive approach could arbitrarily
exclude foreign requesters with whom
sharing BOI might be appropriate in
some cases but not others. The United
States participates in many formal and
informal international relationships
through which data are sometimes
shared. FinCEN does not believe any of
these relationships, or any combination
of them, sets appropriate potential
boundaries for BOI disclosure given the
purposes of the CTA. The bureau, in
consultation with relevant U.S.
government agencies, will therefore look
to U.S. interests and priorities in
determining whether to disclose BOI to
foreign requesters when no international
treaty, agreement, or convention
applies. In making these determinations,
FinCEN will also consider the ability of
a foreign requester to maintain the
security and confidentiality of requested
BOI. Once FinCEN makes the
determination to disclose BOI to a
foreign requester, the intermediary
Federal agency would be permitted to
retrieve and disseminate BOI to the
foreign requester, subject to applicable
security and confidentiality protocols.
FinCEN considered an alternative
structure under which intermediary
Federal agencies would relay foreign
requester requests under an
international treaty, agreement, or
convention to FinCEN, which would
then assess the requests, retrieve
requested BOI, and transmit it either
directly to the requester or indirectly via
the intermediary Federal agency for
subsequent dissemination to the
requester. While neither of these
approaches presents the security risks
associated with the other two potential
approaches FinCEN rejected, both are
likely to be much less efficient. For
example, intermediary Federal agencies
are likely to have ongoing relationships
with foreign requesters, including
established points of contact. They are
also likely more familiar than FinCEN
with existing treaty obligations and
information exchange channels and
processes. Finally, FinCEN believes its
proposed approach aligns best with the
text of the CTA, which assumes Federal
agencies will serve as the intermediary
on behalf of foreign requesters.108
FinCEN invites comment on this
proposal and on any other alternatives.
d. FIs Subject to CDD Requirements
The CTA authorizes FinCEN to
disclose BOI upon receipt of a request
‘‘made by a[n] [FI] subject to customer
due diligence requirements, with the
consent of the reporting company, to
facilitate the compliance of the [FI] with
customer due diligence requirements
under applicable law.’’ 109 This statutory
language leaves unspecified both the
mechanism by which consent should be
registered and the meaning of the term
‘‘customer due diligence requirements
under applicable law.’’
Proposed 31 CFR 1010.955(b)(4)
would address both issues. Under the
proposed rule, an FI would be
responsible for obtaining a reporting
company’s consent. This reflects
FinCEN’s assessment that FIs are best
positioned to obtain and manage
consent through existing processes and
by virtue of having direct contact with
the reporting company as a customer.
Additionally, the proposed rule would
define ‘‘customer due diligence
requirements under applicable law’’ to
mean FinCEN’s customer due diligence
(CDD) regulations at 31 CFR 1010.230,
which require covered FIs to identify
and verify beneficial owners of legal
entity customers. FinCEN considered
interpreting the phrase ‘‘customer due
diligence requirements under applicable
law’’ more broadly to cover a range of
activities beyond compliance with legal
obligations in FinCEN’s regulations to
identify and verify beneficial owners of
legal entity customers. FinCEN’s
separate Customer Identification
Program regulations, for example, could
be considered customer due diligence
requirements.110 FinCEN decided not to
propose this broader approach,
however. The bureau believes a more
tailored approach will be easier to
administer, reduce uncertainty about
what FIs may access BOI under this
provision, and better protect the
security and confidentiality of sensitive
BOI by limiting the circumstances under
which FIs may access BOI.111 That said,
FinCEN solicits comments on whether a
broader reading of the phrase ‘‘customer
due diligence requirements’’ is
warranted under the framework of the
CTA, and, if so, how customer due
diligence requirements should be
defined in order to provide regulatory
clarity, protect the security and
confidentiality of BOI, and minimize the
risk of abuse.
FinCEN also considered including
State, local, and Tribal customer due
diligence requirements comparable in
substance to FinCEN’s own CDD
regulations in the proposed definition of
‘‘customer due diligence requirements
under applicable law.’’ However, the
bureau has not identified any such
requirements. FinCEN invites comments
identifying any specific State, local, or
Tribal customer due diligence
requirements that are substantially
similar to the bureau’s CDD
regulations—i.e., requirements related
to FIs in a State, local, or Tribal
jurisdiction identifying and verifying
beneficial owners of legal entity
customers—for potential inclusion in
the proposed definition.
e. Federal Functional Regulators or
Other Appropriate Regulatory Agencies
The CTA authorizes FinCEN to
disclose BOI to ‘‘Federal functional
regulator[s] and other appropriate
regulatory agenc[ies] consistent with’’
certain requirements.112 This access is
subject to three statutory conditions.
First, a ‘‘Federal functional regulator or
other appropriate regulatory agency’’
must be ‘‘authorized by law to assess,
supervise, enforce, or otherwise
determine the compliance of [a
particular FI] with’’ its CDD
108 See 31 U.S.C. 5336(c)(2)(B)(ii) (providing that
‘‘FinCEN may disclose [BOI] only upon receipt of
. . . a request from a Federal agency on behalf of’’
a qualified foreign requester (emphasis added)).
109 See 31 U.S.C. 5336(c)(2)(B)(iii).
110 See, e.g., 31 CFR 1020.220 (requiring banks to
implement a Customer Identification Program).
111 The CTA requires FinCEN to revise the 2016
CDD Rule within a year of the effective date of the
final Reporting Rule. See CTA, Section 6403(d)(1).
One purpose of this revision is to account for FIs’
access to BOI, which the Sense of Congress portion
of the CTA states may be used to facilitate the FI’s
compliance ‘‘with anti-money laundering,
countering the financing of terrorism, and customer
due diligence requirements under applicable law.’’
Id. 6403(d)(1)(B) (emphasis added). That the CTA
identifies ‘‘[CDD] requirements under applicable
law’’ as distinct from broader AML/CFT
requirements suggests that Congress intended that
phrase not to include other AML/CFT obligations.
112 See 31 U.S.C. 5336(c)(2)(B)(iv).
requirements.113 Second, such regulator
may use the BOI only ‘‘for the purpose
of conducting [an] assessment,
supervision, or authorized investigation
or activity’’ related to the CDD
requirements the regulator is
responsible for overseeing.114 Finally,
the regulator must ‘‘[enter] into an
agreement with the Secretary providing
for appropriate protocols governing the
safekeeping of the information.’’ 115
FinCEN’s proposed rule at 31 CFR
1010.955(b)(4) tracks these conditions.
In order to obtain BOI from FinCEN, a
regulator would need to be authorized
by law to assess, supervise, enforce, or
otherwise determine a FI’s compliance
with its CDD requirements, and it would
have to enter into an agreement with
FinCEN that describes appropriate
protocols to obtain BOI. FinCEN would
only disclose to the regulator the BOI
that a relevant FI has already received.
This is in keeping with the CTA
requirement that BOI disclosed to an FI
under 31 U.S.C. 5336(c)(2)(B)(iii) ‘‘also
be available to [regulators]’’ that meet
specified criteria.116
FinCEN does not believe this CDD-specific provision is the exclusive
means through which a financial
regulator can access BOI from the
beneficial ownership IT system. The
access provisions for Federal agencies
engaged in national security,
intelligence, or law enforcement
activities, and for State, local, and Tribal
law enforcement agencies, focus on
activity categories, not agency types. To
the extent a Federal functional regulator
engages in civil law enforcement
activities, those activities would be
covered by the law-enforcement access
provisions. For example, the SEC—
which supervises broker-dealers and
other securities market participants,
including for compliance with the CDD
regulations—also investigates and
litigates civil violations of Federal
securities laws. Consequently,
consistent with the CTA, the SEC would
be able to broadly search the beneficial
ownership IT system for BOI for use in
furtherance of its law enforcement
activity. Separately, the SEC would also
be able to receive BOI subject to the
constraints at proposed 31 CFR
1010.955(b)(4) for use in supervising
broker-dealers and other regulated
entities for CDD compliance.
Regarding who qualifies for access
under this proposed provision, the CTA
refers to Federal functional regulators
and ‘‘other appropriate regulatory
113 31 U.S.C. 5336(c)(2)(C)(i).
114 31 U.S.C. 5336(c)(2)(C)(ii).
115 31 U.S.C. 5336(c)(2)(C)(iii).
116 31 U.S.C. 5336(c)(2)(C) (emphasis added).
agencies.’’ The AML Act defines
‘‘Federal functional regulator’’ to
include six financial regulatory
authorities 117 as well as ‘‘any Federal
regulator that examines a financial
institution for compliance with the
Bank Secrecy Act.’’ 118 The proposed
rule would adopt FinCEN’s existing
regulatory definition, which the bureau
believes will minimize the risk of
confusion. FinCEN’s regulations already
define the term ‘‘Federal functional
regulator’’ to include the six agencies
identified in the AML Act’s definition
as well as the Commodity Futures
Trading Commission (CFTC).119
Because the CFTC has been delegated
authority to examine certain FIs for
compliance with the BSA,120 it also falls
within the AML Act’s definition.
FinCEN does not propose to define
‘‘other appropriate regulatory agencies’’
at this time. FinCEN believes the
requirement in 31 U.S.C. 5336(c)(2)(C)(i)
that such an agency be ‘‘authorized by
law to assess, supervise, enforce, or
otherwise determine the compliance of
such FIs with customer due diligence
requirements under applicable law’’
sufficiently defines the category (e.g., it
could include State banking regulators).
However, FinCEN invites comment on
this proposed approach.
FinCEN considered whether financial
self-regulatory organizations that are
registered with or designated by a
Federal functional regulator pursuant to
Federal statute 121 (‘‘qualifying
SROs’’)—like the Financial Industry
Regulatory Authority (FINRA) or the
National Futures Association (NFA)—
qualify as ‘‘other appropriate regulatory
agencies.’’ These organizations, though
authorized by Federal law, are not
traditionally understood to be agencies
of the government,122 but they do
exercise self-regulatory authority within
the framework of Federal law and work
under the supervision of Federal
functional regulators to assess,
supervise, and enforce FI compliance
with, among other things, CDD
117 The six Federal functional regulators that
supervise financial institutions with CDD
obligations are the Board of Governors of the
Federal Reserve System (FRB), the Office of the
Comptroller of the Currency (OCC), the Federal
Deposit Insurance Corporation (FDIC), the National
Credit Union Administration (NCUA), the SEC, and
the Commodity Futures Trading Commission
(CFTC).
118 AML Act, Section 6003(3).
119 31 CFR 1010.100(r).
120 See 31 CFR 1010.810(b)(9).
121 See, e.g., 7 U.S.C. 21; 15 U.S.C. 78o–3.
122 See, e.g., In re William H. Murphy & Co., SEC
Release No. 34–90759, 2020 WL 7496228, *17 (Dec.
21, 2020) (explaining that FINRA ‘‘is not a part of
the government or otherwise a [S]tate actor’’ to
which constitutional requirements apply).
requirements.123 Qualifying SROs are
subject to extensive oversight by Federal
agencies.124
Although it may be unclear whether
SROs are ‘‘regulatory agencies’’ to
which direct access to BOI shall be
provided, FinCEN believes that their
unique position,125 and the critical role
they play in overseeing participants in
the financial services sector, justify
providing SROs with a limited and
derivative form of access. The CTA
provides FinCEN broad discretion to
specify the conditions under which
authorized recipients of BOI may re-disclose that information to others.
Therefore, the proposed rule would
permit FIs to re-disclose to qualifying
SROs the BOI they have obtained from
FinCEN for use in complying with CDD
requirements under applicable law. A
qualifying SRO would need to satisfy
the same three conditions applicable to
Federal functional regulators and other
appropriate regulatory agencies, and a
qualifying SRO that receives BOI from
an FI it supervises may in turn use the
information for the limited purpose of
examining compliance with those same
CDD obligations. Without this level of
access, these organizations would not be
able to effectively evaluate an FI’s CDD
compliance. FinCEN invites comments
on this proposed approach.
f. Department of the Treasury Access
The CTA includes separate, Treasury-specific provisions for accessing BOI.
One of those provisions makes BOI
‘‘accessible for inspection or disclosure
to officers and employees of the
Department of the Treasury whose
official duties require such inspection or
123 See, e.g., FINRA Rule 3310(f); NFA
Compliance Rule 2–9(c)(5).
124 See, e.g., Scottsdale Cap. Advisors Corp. v.
FINRA, 844 F.3d 414, 418 (4th Cir. 2016) (‘‘Before
any FINRA rule goes into effect, the SEC must
approve the rule and specifically determine that it
is consistent with the purposes of the Exchange Act.
The SEC may also amend any existing rule to
ensure it comports with the purposes and
requirements of the Exchange Act.’’ (citations
omitted)); Birkelbach v. SEC, 751 F.3d 472, 475 (7th
Cir. 2014) (‘‘A [FINRA] member can appeal the
disposition of a FINRA disciplinary proceeding to
the SEC, which performs a de novo review of the
record and issues a decision of its own.’’).
125 See NASD v. SEC, 431 F.3d 803, 804 (D.C. Cir.
2005) (explaining that FINRA’s predecessor’s
‘‘authority to discipline its members for violations
of Federal securities law is entirely derivative. The
authority it exercises ultimately belongs to the
SEC’’); see also Turbeville v. FINRA, 874 F.3d 1268,
1276 (11th Cir. 2017) (‘‘When exercising [their
regulatory and enforcement] functions, SROs act
under color of [F]ederal law as deputies of the
[F]ederal [G]overnment.’’); In re Series 7 Broker
Qualification Exam Scoring Litig., 548 F.3d 110,
114 (D.C. Cir. 2008) (‘‘When an SRO acts under the
aegis of the Exchange Act’s delegated authority, it
is absolutely immune from suit for the improper
performance of regulatory, adjudicatory, or
prosecutorial duties delegated by the SEC.’’).
disclosure subject to procedures and
safeguards prescribed by the Secretary
of the Treasury.’’ 126 The other grants
officers and employees of Treasury
‘‘access to [BOI] for tax administration
purposes.’’ 127
Proposed 31 CFR 1010.955(b)(5)
tracks these authorizations and would
provide that Treasury officers and
employees may receive BOI where their
official duties require such access, or for
tax administration, consistent with
procedures and safeguards established
by the Secretary. The proposed rule
clarifies the term ‘‘tax administration
purposes’’ by adding a reference to the
definition of ‘‘tax administration’’ in the
Internal Revenue Code.128 FinCEN
believes adopting this definition is
appropriate because Treasury officers
and employees who administer tax laws
are already familiar with it and have a
clear understanding of the activity it
covers. Furthermore, FinCEN believes
the definition is broad enough to avoid
inadvertently excluding a tax
administration-related activity that
would be undermined by lack of access
to BOI. FinCEN welcomes comments on
the proposed scope of the term ‘‘tax
administration.’’
FinCEN envisions Treasury
components using BOI for appropriate
purposes, such as tax administration,
enforcement actions, intelligence and
analytical purposes, use in sanctions
designation investigations, and
identifying property blocked pursuant
to sanctions, as well as for
administration of the BOI framework,
such as for audits, enforcement, and
oversight. FinCEN will work with other
Treasury components to establish
internal policies and procedures
governing Treasury officer and
employee access to BOI. These policies
and procedures will ensure that FinCEN
discloses BOI only to Treasury officers
or employees with official duties
requiring BOI access, or for tax
administration. FinCEN anticipates that
the security and confidentiality
protocols in those policies and
procedures will include elements of the
protocols described in proposed 31 CFR
1010.955(d)(1) as applicable to Treasury
activities and organization. Officers and
employees identified as having duties
potentially requiring access to BOI
would receive training on, among other
topics, determining when their duties
require access to BOI, what they can do
with the information, and how to
handle and safeguard it. Their activities
would also be subject to the same audit.
126 31 U.S.C. 5336(c)(5)(A).
127 See 31 U.S.C. 5336(c)(5)(B).
128 26 U.S.C. 6103(b)(4).
iv. Use of Information
a. Use of Information by Authorized
Recipients
The CTA includes numerous
provisions limiting how BOI may be
used. Federal agencies engaged in
national security, intelligence, or law
enforcement activity may use BOI only
‘‘in furtherance of such activity’’ 129 and
must provide written certifications to
FinCEN that ‘‘at a minimum, se[t] forth
the specific reason or reasons why [BOI]
is relevant to’’ an authorized activity.130
State, local, and Tribal law enforcement
agencies must obtain authorization from
a court of competent jurisdiction to
obtain BOI in criminal or civil
investigations.131 Federal agencies
requesting BOI on behalf of foreign law
enforcement agencies, judges, or
prosecutors may do so only pursuant to
an international treaty, agreement, or
convention or pursuant to an official
request from a trusted foreign country
for assistance in an official
investigation, prosecution, or authorized
national security or intelligence
activity.132 FIs must have a reporting
company’s consent to request its BOI
from FinCEN as part of CDD compliance
activities,133 and a financial regulator
assessing an FI’s compliance with CDD
requirements may request and receive
only the BOI that the FI previously
requested when conducting such an
assessment.134 Each of these
requirements reflects a general
expectation that authorized recipients
not obtain BOI for one authorized
activity and then use it for another
unrelated purpose. The statute also
requires authorized recipients of BOI to
narrowly tailor their requests as much
as possible. For example, the CTA
instructs the Secretary to require
requesting agencies ‘‘to limit, to the
greatest extent practicable, the scope of
information sought, consistent with the
purposes for seeking BOI.’’ 135
Proposed 31 CFR 1010.955(c)(1)
would implement these provisions by
clarifying that, unless otherwise
authorized by FinCEN, any person who
receives information disclosed by
FinCEN under proposed 31 CFR
1010.955(b) would be authorized to use
it only for the particular purpose or
activity for which it was disclosed.
Thus, for example, a Federal agency
employee, contractor, or agent who
129 31 U.S.C. 5336(c)(2)(B)(i)(I).
130 31 U.S.C. 5336(c)(3)(E)(ii).
131 See 31 U.S.C. 5336(c)(2)(B)(i)(II).
132 See 31 U.S.C. 5336(c)(2)(B)(ii).
133 See 31 U.S.C. 5336(c)(2)(B)(iii).
134 See 31 U.S.C. 5336(c)(2)(B)(iv) and 31 U.S.C.
5336(c)(2)(C).
135 31 U.S.C. 5336(c)(3)(F).
obtains BOI from FinCEN for use in
furtherance of national security activity
would be authorized to use the BOI only
for the particular national security
activity for which the request was made.
FinCEN believes this limitation is
necessary to ensure that BOI is used
only for proper purposes and only to the
extent necessary.
Proposed 31 CFR 1010.955(c)(1)
further clarifies that a Federal agency
receiving BOI pursuant to the foreign
access provision at proposed 31 CFR
1010.955(b)(3), i.e., an intermediate
Federal agency, can use the BOI only to
facilitate a response to the relevant
foreign requester. This limitation
ensures that Federal intermediary
agencies handling BOI in this context
would do so only for the permissible
use of transmitting it to a foreign
requester.
Authorized recipients that fail to
follow applicable use limitations would
risk losing the ability to receive BOI.
b. Limitations on Re-Disclosure of
Information by Authorized Recipients
Although the CTA expressly limits
the circumstances under which FinCEN
may initially disclose BOI to other
agencies or FIs, the CTA does not
specify the circumstances under which
an authorized recipient of BOI may re-disclose the BOI to another person or
organization. The CTA instead prohibits
re-disclosure except as authorized in the
protocols promulgated by regulation,
thereby leaving it to FinCEN to establish
the appropriate re-disclosure rules in
the protocols.136 The proposed rule
would permit the disclosure by
authorized recipients of BOI in limited
circumstances that would further the
core underlying national security,
intelligence, and law enforcement
objectives of the CTA while at the same
time ensuring that BOI is disclosed only
where appropriate for those purposes.
Generally, authorized re-disclosures
would be subject to protocols designed,
as with those applicable to initial
disclosures of BOI from the beneficial
ownership IT system, to protect the
security and confidentiality of BOI.
First, proposed 31 CFR
1010.955(c)(2)(i) would authorize a
Federal, State, local or Tribal agency
that receives BOI from FinCEN to re-disclose it to others within the same
organization, if the re-disclosure is
consistent with the security and
confidentiality requirements of 31 CFR
136 31 U.S.C. 5336(c)(2)(A). The CTA appears to
presume that some re-disclosure will be permitted
when it requires requesting agencies to keep records
related to their requests, including of ‘‘any
disclosure of beneficial information made by . . .
the agency.’’ 31 U.S.C. 5336(c)(3)(H).
1010.955(d)(1)(i)(F), (d)(2), or applicable
internal Treasury policies, procedures,
orders or directives; and is in
furtherance of the same purpose for
which the BOI was requested. Without
this authorization, the statutory
prohibitions at 31 U.S.C. 5336(c)(2)(A)
and corresponding regulatory
prohibitions at proposed 31 CFR
1010.955(a) could be viewed to
constrain officers, employees,
contractors, and agents within the same
authorized requesting agency from
efficiently sharing BOI in a manner
consistent with the objectives of the
CTA. FinCEN recognizes that authorized
individuals that receive BOI within
authorized recipient organizations may
need limited flexibility to disclose BOI
to others in their organization to the
extent those other individuals need the
BOI to further the original purpose for
which the BOI request was made to
FinCEN. An employee working on a law
enforcement case within a Federal
agency, for example, might need to
disclose BOI obtained from FinCEN to
another employee working on the same
law enforcement matter.
FinCEN envisions that there are
circumstances in which FI employees
may have a similar need to share BOI
with counterparts, e.g., if they are
working together to onboard a new
customer. Proposed 31 CFR
1010.955(c)(2)(ii) therefore extends a
comparable authority to FIs. One
difference should be noted: FinCEN
proposes to expressly limit FIs to
redisclosing BOI to other officers,
employees, contractors, and agents of
the FI physically present in the United
States. FinCEN believes this limitation
is necessary to provide appropriate
protection to BOI against disclosures to
foreign governments outside of the
framework established by the CTA. The
CTA confirms, among other things, that
foreign government agencies should
only obtain the BOI of reporting
companies for limited purposes and
through intermediary Federal agencies.
Allowing U.S. FIs to re-disclose BOI
outside of the United States creates the
potential for a foreign government
agency to obtain such BOI by serving a
judicial or administrative warrant,
summons, or subpoena directly on the
foreign entity or location where the BOI
is stored. Prohibiting FIs from moving
BOI outside the United States reinforces
and complements the requirements
through which foreign governments can
obtain BOI under the proposed rule.
Next, proposed 31 CFR
1010.955(c)(2)(iii) would allow an FI,
subject to certain conditions, to share
BOI that it obtains from FinCEN for use
in fulfilling its CDD obligations with (1)
the FI’s Federal functional regulator, (2)
a qualifying SRO, or (3) any other
appropriate regulatory agency. The CTA
specifies that BOI provided to an FI
‘‘shall also be available’’ to a Federal
functional regulator or other appropriate
regulatory agency, under certain
conditions, and proposed 31 CFR
1010.955(b)(4)(ii) would authorize the
agency to obtain the BOI directly from
FinCEN. Proposed 31 CFR
1010.955(c)(2)(ii) would complement
that authorization by also allowing the
agency to obtain the BOI from the FI.
FinCEN believes this may be a more
efficient means of access for agencies
conducting assessments of an FI’s
compliance with CDD requirements
under applicable law. Such re-disclosure would more easily provide
regulators with a complete picture of
how FIs are obtaining and using BOI for
CDD compliance, thereby supporting
the aims and purposes of the CTA, and
would also help them detect compliance
failures. Proposed 31 CFR
1010.955(c)(2)(ii) would also authorize
re-disclosure to qualifying SROs. SROs
perform important supervisory and
regulatory functions under the oversight
of Federal functional regulators to assess
FI compliance with CDD requirements
among their member firms. Given that
SROs can perform these supervisory
functions, FinCEN believes that access
to BOI would be as helpful to qualifying
SROs as to Federal functional regulators
in ensuring a complete and accurate
assessment of CDD compliance.
Qualifying SROs, like any supervisory
agency, would need to enter into an
MOU with FinCEN, and agree to
implement security and confidentiality
protocols, including audit requirements,
prior to receiving BOI from their
regulated institutions.
Fourth, proposed 31 CFR
1010.955(c)(2)(iv) would allow a Federal
functional regulator to disclose
information to a qualifying SRO.
Consistent with the purposes of the
CTA, the proposed rule makes clear that
BOI may be accessed, used, and re-disclosed for examinations for
compliance with CDD requirements
under applicable law.
Fifth, proposed 31 CFR
1010.955(c)(2)(v), consistent with the
CTA, would allow an intermediary
Federal agency to disclose BOI to the
foreign person for whom the
intermediary Federal agency requested
the information in accordance with
proposed 31 CFR 1010.955(b)(3).
Without an express regulatory provision
to effectuate the CTA’s provisions
relating to BOI access by a foreign law
enforcement agency, prosecutor, or
judge, questions could arise as to
whether the intermediary Federal
agency would be able to then share with
a foreign requester the information
obtained on its behalf.
Sixth, proposed 31 CFR
1010.955(c)(2)(vi) would allow a
Federal, State, local, or Tribal law
enforcement agency to disclose BOI to a
court of competent jurisdiction or
parties to a civil or criminal proceeding.
This authorization would only apply to
civil or criminal proceedings involving
U.S. Federal, State, local, and Tribal
laws. FinCEN envisions agencies relying
on this provision when, for example, a
prosecutor must provide a criminal
defendant with BOI in discovery or use
it as evidence in a court proceeding or
trial.137
FinCEN considered requiring Federal,
State, local, or Tribal law enforcement
agencies to request permission to
disclose BOI on a case-by-case basis.
The bureau decided against that
approach for the sake of efficiency and
the administration of justice. FinCEN
would be unlikely to oppose disclosing
BOI for use by law enforcement agencies
in a civil or criminal proceeding; the
CTA explicitly contemplates using BOI
in this scenario.138 Additionally,
manual review of individual disclosure
requests in this context could also delay
the relevant legal proceeding. FinCEN
invites comment on this proposed
approach.
Seventh, proposed 31 CFR
1010.955(c)(2)(vii) would allow a
Federal agency that receives BOI from
FinCEN pursuant to proposed 31 CFR
1010.955(b)(1), (b)(4)(ii), or (b)(5) to
disclose that BOI to DOJ in a case
referral. While DOJ would also be able
to request the relevant BOI from FinCEN
in furtherance of law enforcement
activity, allowing the requesting Federal
agency to share that BOI with DOJ
would allow for more efficient
investigation and law enforcement
activity. The proposed provision would
also make clear that the requesting
agency can disclose BOI to DOJ for use
in litigation related to the activity for
which the BOI is requested. Such
authorization will allow DOJ to have a
complete record—including BOI—when
fulfilling its responsibilities to represent
the requesting agency in litigation.
Eighth, proposed 31 CFR
1010.955(c)(2)(viii) would allow a
foreign requester that receives BOI
pursuant to a request made under an
international treaty, agreement, or
convention to disclose and use that BOI
in accordance with the requirements of
137 See CTA, Section 6402(5)(D).
138 See id.
the relevant agreement. This approach
harmonizes 31 U.S.C.
5336(c)(2)(B)(ii)(II)(aa) 139 with the
process described in the introductory
paragraph in 31 U.S.C. 5336(c)(2)(B)(ii),
which establishes a preference for
disclosing BOI to foreign requesters
under international agreements. For
foreign requests that are not governed by
an international treaty, agreement, or
convention, FinCEN would review re-disclosure requests from foreign
requesters either on a case-by-case basis
or pursuant to alternative arrangements
with intermediary Federal agencies
where those intermediary Federal
agencies have ongoing relationships
with the particular foreign requesters.
Finally, proposed 31 CFR
1010.955(c)(2)(ix) would make clear that
re-disclosing BOI obtained under 31
CFR 1010.955(b) in any circumstances
other than those defined in proposed 31
CFR 1010.955(c)(2) would be prohibited
unless FinCEN provided prior
authorization for the re-disclosure in
writing, or such re-disclosure were
made in accordance with applicable
protocols, guidance, and regulations as
FinCEN may issue. This provision
would give FinCEN the ability to
authorize, either on a case-by-case basis
or categorically through written
protocols, guidance, or regulations, the
re-disclosure of BOI in limited cases to
further the purposes of the CTA.140
FinCEN welcomes comments on any of
the proposed provisions permitting the
re-disclosure of BOI for activities
consistent with the purposes of the
CTA.
Proposed 31 CFR 1010.955(c)(2)(ix)
would also enable FinCEN to authorize
the re-disclosure of BOI in appropriate
circumstances. For example, FinCEN
envisions instances when it might be
necessary for one law enforcement
agency to disclose BOI obtained from
FinCEN to another agency for an
authorized purpose. The ability to share
BOI in such circumstances would
ensure that authorized recipients are
able to further the goals of the CTA of
protecting U.S. national security and
combatting illicit activity, including
corruption, money laundering, tax
fraud, and terrorist financing, while at
the same time, ensuring that appropriate
security and confidentiality are
139 Requiring requests for BOI from foreign
requesters to ‘‘[comply] with the disclosure and use
provisions of the treaty, agreement, or convention,
publicly disclosing [sic] any beneficial ownership
information received . . . .’’
140 For example, FinCEN could authorize the
supervisory component of a Federal functional
regulator that identifies a CDD-related deficiency at
an FI to share BOI with its enforcement component
as part of a referral in which the BOI would be used
in furtherance of law enforcement activity.
maintained in a way that ensures
appropriate audit and oversight.
For example, a Federal agency to
which FinCEN disclosed BOI in
furtherance of that agency’s national
security activities may identify a
possible criminal violation and need to
provide the information to a Federal law
enforcement agency for investigation,
and prosecution, if appropriate. Federal
agencies that are a part of a task force
to target specific criminal activity, such
as drug trafficking or corruption, may
also need to share BOI within the task
force. In such cases, it would be more
efficient for the agencies involved to
share BOI directly among themselves
instead of each agency having to
separately request the same BOI from
FinCEN.
The requirements that an agency
would need to satisfy to obtain BOI
through re-disclosure are the same as
those an agency would need to satisfy
to obtain BOI from FinCEN directly
under this proposed rule. FinCEN also
envisions including re-disclosure
limitations in the BOI disclosure MOUs
it enters into with recipient agencies.
These provisions would make clear that
it would be the responsibility of a
recipient agency to take necessary steps
to ensure that BOI is made available for
purposes specifically authorized by the
CTA, and not for the general purposes
of the agency. Such agency-to-agency
agreements can be effective at creating
and enforcing standards on use, reuse,
and redistribution of sensitive
information. However, FinCEN solicits
comments from the public as to whether
other mechanisms, such as the
imposition of redistribution standards
by regulation, mandatory redistribution
logs, regular audit requirements, or
other techniques, may be more
appropriate in this context.
v. Security and Confidentiality
Requirements
The CTA directs the Secretary to
establish by regulation protocols to
protect the security and confidentiality
of any BOI provided directly by
FinCEN.141 FinCEN views safeguarding
BOI to be a top priority. The security
and confidentiality of BOI would be
protected through several protocols to
prevent unauthorized disclosure and to
ensure that BOI is used solely for the
purposes described in the CTA. These
include high standard security protocols
in the implementation of the beneficial
ownership IT system, robust MOUs that
will impose security requirements on
agencies that have access to BOI, such
as current background checks on
141 31 U.S.C. 5336(c)(3)(A).
personnel accessing the information and
controls to ensure appropriate use,
regular training, and robust audit and
oversight at the agency level and by
FinCEN. In addition, FinCEN is
committed to regularly reviewing
protocols and information security
practices to ensure they protect BOI
from unauthorized use or disclosure.
While the CTA enumerates specific
requirements applicable to ‘‘requesting
agencies,’’ FinCEN believes it is
necessary and appropriate to impose
comparable requirements on FIs and
foreign requesters, taking into account
considerations unique to those recipient
categories.142 Clear expectations for all
recipients and comparable data
management requirements across
different categories of authorized
recipients will facilitate high standard
information security and confidentiality
practices and will contribute to more
effective audits and oversight. This
subsection discusses requirements
applicable to both ‘‘requesting agencies’’
and other authorized requesters.
a. Security and Confidentiality
Requirements for Domestic Agencies
The CTA prescribes with specificity a
number of requirements that the
Secretary must impose on requesting
agencies and their heads. These
requirements affirm the importance of
the security and confidentiality
protocols and the need for a high degree
of accountability for the protection of
BOI.
Specifically, the statute provides that
the Secretary shall require requesting
agencies to (1) ‘‘establish and maintain,
to the satisfaction of the Secretary, a
secure system in which [BOI] provided
directly by the Secretary shall be
stored;’’ 143 (2) ‘‘furnish a report to the
Secretary, at such time and containing
such information as the Secretary may
prescribe, that describes the procedures
established and utilized by such agency
to ensure the confidentiality of [BOI]
provided directly by the Secretary;’’ 144
(3) ‘‘limit, to the greatest extent
practicable, the scope of information
sought, consistent with the purposes for
seeking [BOI];’’ 145 and (4) ‘‘establish
and maintain, to the satisfaction of the
Secretary, a permanent system of
standardized records with respect to an
auditable trail of each request for [BOI]
submitted to the Secretary by the
agency, including the reason for the
request, the name of the individual who
made the request, the date of the
142 31 U.S.C. 5336(c)(3)(K).
143 31 U.S.C. 5336(c)(3)(C).
144 31 U.S.C. 5336(c)(3)(D).
145 31 U.S.C. 5336(c)(3)(F).
request, any disclosure of [BOI] made by
or to the agency, and any other
information the Secretary of the
Treasury determines is appropriate.’’ 146
The CTA also instructs the Secretary
to establish by regulation protocols: (1)
‘‘requir[ing] the head of any requesting
agency, on a non-delegable basis, to
approve the standards and procedures
utilized by the requesting agency and
certify to the Secretary semi-annually
that such standards and procedures are
in compliance with the requirements of
[31 U.S.C. 5336(c)(3)];’’ 147 (2)
‘‘requir[ing] a written certification for
each authorized investigation or other
activity [giving rise to an authorized BOI
disclosure] from the head of [a Federal
agency acting in furtherance of national
security, intelligence, or law
enforcement activity, or a State, local, or
Tribal law enforcement agency], or their
designees, that (a) states that applicable
requirements have been met, in such
form and manner as the Secretary may
prescribe; and (b) at a minimum, sets
forth the specific reason or reasons why
the [BOI] is relevant to [the] authorized
investigation or other activity . . .’’; and
(3) ‘‘restrict[ing], to the satisfaction of
the Secretary, access to [BOI] to whom
disclosure may be made under the [CTA
disclosure provisions] to only users at
the requesting agency (a) who are
directly engaged in the authorized
investigation [for which BOI disclosure
is authorized]; (b) whose duties or
responsibilities require such access; (c)
who have undergone appropriate
training, or use staff to access the
database who have undergone
appropriate training; (d) who use
appropriate identity verification
mechanisms to obtain access to the
information; and (e) who are authorized
by agreement with the Secretary to
access the information.’’ 148
Finally, the CTA instructs the
Secretary to require requesting agencies
receiving BOI from FinCEN to ‘‘conduct
an annual audit to verify that the [BOI]
received from the Secretary has been
accessed and used appropriately, and in
a manner consistent with this paragraph
and provide the results of that audit to
the Secretary upon request.’’ 149 The
statute imposes a corresponding
requirement on the Secretary to
‘‘conduct an annual audit of the
adherence of the agencies to the
protocols established under [31 U.S.C.
5336(c)(3)] to ensure that agencies are
requesting and using [BOI]
appropriately.’’ 150
146 31 U.S.C. 5336(c)(3)(H).
147 31 U.S.C. 5336(c)(3)(B).
148 31 U.S.C. 5336(c)(3)(G).
149 31 U.S.C. 5336(c)(3)(I).
The proposed regulation would
organize these requirements into two
subsections. The first, proposed 31 CFR
1010.955(d)(1)(i), would address general
requirements applicable to Federal,
State, local, and Tribal requesting
agencies, including intermediary
Federal agencies acting on behalf of
authorized foreign requesters, Federal
functional regulators, and other
appropriate regulatory agencies. This
proposed subsection would require each
requesting agency, before it could obtain
BOI, to enter into a MOU with FinCEN
specifying the standards, procedures,
and systems that the agency would be
required to maintain to protect BOI.151
These MOUs would, among other
things, memorialize and implement
requirements contained in proposed 31
CFR 1010.955(d)(1)(i), including those
regarding reports and certifications,
periodic training of individual
recipients of BOI, personnel access
restrictions, re-disclosure limitations,
and access to audit and oversight
mechanisms. The MOUs would also
include security plans covering topics
related to personnel security (e.g.,
eligibility limitations, screening
standards, certification and notification
requirements); physical security (system
connections and use, conditions of
access, data maintenance); computer
security (use and access policies,
standards related to passwords,
transmission, storage, and encryption);
and inspections and compliance.
Agencies may rely on existing databases
and related IT infrastructure to satisfy
the requirement to ‘‘establish and
maintain’’ secure systems in which to
store BOI where those systems have
appropriate security and confidentiality
protocols, and FinCEN will engage with
recipient agencies on this issue during
the development of an MOU on BOI
sharing.
Because security protocol details may
vary based on each agency’s particular
circumstances and capabilities, FinCEN
believes individual MOUs are preferable
to a ‘‘one-size-fits-all’’ approach of
specifying particular requirements by
regulation. FinCEN invites comment on
this MOU-based approach, and on
whether additional requirements should
be incorporated into the regulations or
into FinCEN’s MOUs.
The second subsection would apply
to each request for BOI. It includes
specific requirements with which each
individual request for BOI must comply,
as described in the CTA, as well as
additional requirements that FinCEN
believes are necessary to ensure that
BOI is subject to security and
confidentiality requirements of a
sufficiently high standard.152
150 31 U.S.C. 5336(c)(3)(J).
151 31 CFR 1010.955(d)(1)(i)(A).
Proposed 31 CFR 1010.955(d)(1)(ii)(A)
(referred to as a ‘‘minimization’’
requirement) would require all
requesting agencies to limit, to the
greatest extent practicable, the amount
of BOI they seek, consistent with the
agency’s purpose for seeking it. The
provision mirrors the CTA requirement
at 31 U.S.C. 5336(c)(3)(F) and would
enhance information security and
confidentiality by limiting disclosure of
BOI only to those situations in which
BOI is necessary for a particular
purpose.
Proposed 31 CFR
1010.955(d)(1)(ii)(B)(1) would
incorporate the requirement of 31 U.S.C.
5336(c)(3)(E) that the head of a
requesting Federal agency acting in
furtherance of national security,
intelligence, or law enforcement
activity, or their designees, certify in
writing, for each request made by the
agency to FinCEN, that (1) the agency
was engaged in a national security,
intelligence, or law enforcement
activity, and (2) the BOI requested was
for use in furthering that activity, setting
forth specific reasons why the requested
BOI was relevant. FinCEN expects that
the certification and justification would
be made by the individual at the
authorized Federal agency at the time of
the BOI request. Similarly, proposed 31
CFR 1010.955(d)(1)(ii)(B)(2) would
require the head of a requesting State,
local, or Tribal law enforcement agency,
or their designee, to submit to FinCEN
a copy of the court authorization
required under proposed 31 CFR
1010.955(b)(2), as well as a written
justification setting forth specific
reasons why the requested information
was relevant to the investigation.
FinCEN believes that collecting the
underlying court authorizations will
help to ensure compliance with 31
U.S.C. 5336(c)(2)(B)(i)(II) and facilitate
audit and oversight of such requests.
Moreover, the submission of brief
justification narratives will make it
easier for FinCEN personnel to identify
the relevant information in a court
authorization, thereby allowing for
faster reviews and more focused audits.
FinCEN considered not requiring State,
local, and Tribal law enforcement
agencies to submit corresponding
justifications in addition to the court
authorizations, but in some cases the
relationship between a court
authorization and the search in question
might not be apparent on the face of the
court authorization.
152 The additional measures are being proposed
pursuant to the authority delegated to FinCEN
under 31 U.S.C. 5336(c)(3)(K).
Proposed 31 CFR
1010.955(d)(1)(ii)(B)(3) and (4) would
identify the information that an
intermediary Federal agency would
need to obtain, and in some cases,
submit to FinCEN, when making a
request for BOI on behalf of foreign law
enforcement, prosecutors, or judges. The
information that would need to be
submitted to FinCEN pursuant to these
provisions is dependent on whether the
foreign request at issue is pursuant to an
international treaty, agreement, or
convention.
Regardless of whether an
international treaty, agreement, or
convention applies, the head of an
intermediary Federal agency acting on
behalf of a foreign requester, or their
designee, would always need to: (1)
identify to FinCEN both the individual
within the intermediary Federal agency
making the request; (2) identify to
FinCEN the individual affiliated with
the foreign requester on whose behalf
the request is being made; and (3) either
identify to FinCEN the international
treaty, agreement, or convention under
which the request was being made or
provide a statement that no such
instrument governs. When an
international treaty, agreement, or
convention applies, the head of an
intermediary Federal agency acting on
behalf of a foreign requester, or their
designee, would need to retain the
request for information under the
relevant international treaty, agreement,
or convention, and would also have to
certify to FinCEN that the requested BOI
is for use in furtherance of a law
enforcement investigation or
prosecution, or for a national security or
intelligence activity, that is authorized
under the laws of the relevant foreign
country. This certification would apply
to the intermediary Federal agency head
or designee’s understanding of the
intended use for the BOI, and would not
constitute a guarantee from the
intermediary Federal agency that the
foreign requester would not use the
information for other activities without
authorization.
In circumstances in which an
international treaty, agreement, or
convention does not apply, the head of
an intermediary Federal agency acting
on behalf of a foreign requester, or their
designee, would need to submit to
FinCEN a written explanation of the
specific purpose for which the foreign
requester is requesting BOI. The
intermediary Federal agency would also
need to provide FinCEN with a
certification that requested BOI: (1) will
be used in furtherance of a law
enforcement investigation or
prosecution, or for a national security or
intelligence activity that is authorized
under the laws of the relevant foreign
country; (2) will only be used for the
particular purpose or activity for which
it is requested; and (3) will be handled
in accordance with applicable security
and confidentiality requirements as
discussed in detail in Section IV.A.v.c.
below with respect to proposed 31 CFR
1010.955(d)(3). Again, this certification
would apply to the intermediary Federal
agency head or designee’s
understanding of the intended use for
the BOI, and would not constitute a
guarantee from the intermediary Federal
agency that the foreign requester would
not use the information for other
activities without authorization. The
proposed rule further specifies that
FinCEN may request additional
information to support its evaluation of
whether to disclose BOI to a foreign
requester when a request is not pursuant
to an international treaty, agreement, or
convention. FinCEN anticipates the
implementation of a case management
function in the beneficial ownership IT
system to manage this information and
certification submission process.
Finally, proposed 31 CFR
1010.955(d)(1)(ii)(B)(5) would require
the head of Federal functional regulators
and other appropriate regulatory
agencies, or their designee, to certify to
FinCEN when requesting BOI that the
agency (1) is authorized by law to
assess, supervise, enforce, or otherwise
determine the relevant FI’s compliance
with CDD requirements under
applicable law, and (2) will use the
information solely for the purpose of
conducting the assessment, supervision,
or authorized investigation or activity
described in proposed 31 CFR
1010.955(b)(4)(ii)(A).
b. Security and Confidentiality
Requirements for FIs
Although the CTA does not
specifically address the safeguards FIs
must implement as a precondition to
requesting BOI, the CTA authorizes
FinCEN to prescribe by regulation any
other safeguards determined to be
necessary or appropriate to protect the
confidentiality of BOI.153 Proposed 31
CFR 1010.955(d)(2) contains the
safeguards applicable to FIs, including
security standards for managing the BOI
data.
153 31 U.S.C. 5336(c)(3)(K).
Any security standards FinCEN
imposes should keep BOI reasonably
secure and confidential, but not be so
stringent as to make the information
practically inaccessible or useless to FIs.
Such overly burdensome requirements
would frustrate the CTA’s objective of
facilitating FI compliance with CDD
requirements under applicable law. To
strike an appropriate balance, proposed
31 CFR 1010.955(d)(2)(i) would take a
principles-based approach by requiring
FIs to develop and implement
administrative, technical, and physical
safeguards reasonably designed to
protect BOI as a precondition for
receiving BOI. Although proposed 31
CFR 1010.955(d)(2)(i) would not
prescribe any specific safeguards, it
would establish that the security and
information handling procedures
necessary to comply with section 501 of
the Gramm-Leach-Bliley Act (Gramm-Leach-Bliley) 154 and applicable
regulations issued under it to protect
non-public customer personal
information, if applied to BOI under the
control of the FI, would satisfy this
requirement. This would be true for any
FI, regardless of whether that FI was
subject to section 501, so long as the FI
actually applied procedures at the
appropriate level of protection. The safe
harbor in proposed 31 CFR
1010.955(d)(2)(i) would therefore
establish baseline security and
confidentiality standards that are the
same for all FIs. The approach of
establishing a baseline standard would
be consistent with other provisions in
FinCEN’s regulations that impose
standards for handling sensitive
information.155
154 Public Law 106–102, 113 Stat. 1338, 1436–37
(1999).
155 See, e.g., 31 CFR 1010.520(b)(3)(iv)(C), 31 CFR
1010.540(b)(4)(ii).
Section 501 of Gramm-Leach-Bliley,
codified at 15 U.S.C. 6801(b) and 6805,
requires each Federal functional
regulator to establish appropriate
standards for the FIs subject to its
jurisdiction relating to administrative,
technical, and physical safeguards to (1)
ensure the security and confidentiality
of customer records and information; (2)
protect against any anticipated threats
or hazards to the security or integrity of
such records; and (3) protect against
unauthorized access to or use of such
records or information which could
result in substantial harm or
inconvenience to any customer. The
Federal functional regulators have
implemented these requirements in
different ways. The OCC, FRB, FDIC,
and NCUA incorporated into their
regulations the Interagency Guidelines
Establishing Interagency Security
Standards (Interagency Guidelines).156
The Interagency Guidelines add detail
to the more general Gramm-Leach-Bliley
requirements, covering specific subjects
related to identifying, managing, and
controlling risk (e.g., physical and
electronic access controls, encryption
and training requirements, and testing).
The CFTC has incorporated the Gramm-Leach-Bliley expectations of FIs into its
regulations 157 and recommended best
practices for meeting them that are
‘‘designed to be generally consistent
with’’ the Interagency Guidelines.158
The SEC has also incorporated the
Gramm-Leach-Bliley expectations of FIs
into its regulations,159 but evaluates the
reasonableness of Gramm-Leach-Bliley
compliance policies and procedures on
a case-by-case basis and communicates
findings of insufficiency through
supervision and enforcement actions.160
This blended approach for complying
with the Gramm-Leach-Bliley
requirements is well-suited to protecting
sensitive information generally and BOI
in particular. Gramm-Leach-Bliley
provides general baseline expectations
for keeping data secure and
confidential, while each agency’s
implementing regulations take into
account factors unique to the FIs they
supervise. Allowing FIs to meet the
requirement to safeguard BOI by
extending to it the same processes they
use to comply with regulations issued
pursuant to section 501 of Gramm-Leach-Bliley would avoid duplicative or
inconsistent requirements for
information security and protocols and
would be less burdensome for FIs to
administer without sacrificing a high
level of protection.
In order to ensure that security and
confidentiality standards are consistent
across the entire financial industry,
even FIs not subject to regulations
issued pursuant to section 501 of
Gramm-Leach-Bliley would be held to
these same substantive standards. For
FIs not subject to section 501, the
Interagency Guidelines might serve as a
useful checklist against which such FIs
could evaluate their existing security
and confidentiality practices, and a
useful guide to possible modifications to
bring the FI to the level of security and
confidentiality necessary to justify
obtaining BOI.
156 See Interagency Guidelines Establishing
Standards for Safeguarding Customer Information
and Rescission of Year 2000 Standards for Safety
and Soundness, 66 FR 8616 (Feb. 1, 2001). The
agencies’ implementing regulations are at 12 CFR
part 30, app. B (OCC); 12 CFR part 208, app. D–2
and part 225, app. F (FRB); 12 CFR part 364, app.
B (FDIC); and 12 CFR part 748, apps. A & B
(NCUA).
157 See 17 CFR 160.
158 See CFTC Staff Advisory No. 14–21 (February
16, 2014).
159 See 17 CFR 248.30(a).
160 See, e.g., Morgan Stanley Smith Barney, SEC
Administrative Proceeding File No. 3–21112 (Sept.
20, 2022).
Proposed 31 CFR 1010.955(d)(2)(ii)
would require FIs to obtain and
document a reporting company’s
consent before requesting that reporting
company’s BOI from FinCEN. FIs are
well-positioned to obtain consent—and
to track any revocation of such
consent—given that they maintain
direct customer relationships and are
able to leverage existing onboarding and
account maintenance processes to
obtain reporting company consent.
FinCEN considered the alternative
approach of FinCEN obtaining consent
directly from the reporting company,
but rejected the approach given
potential delays and the lack of any
direct relationship with the reporting
company.
Finally, proposed 31 CFR
1010.955(d)(2)(iii) would require the FI
to certify in writing for each BOI request
that it: (1) is requesting the information
to facilitate its compliance with CDD
requirements under applicable law, (2)
obtained the reporting company’s
written consent to request its BOI, and
(3) fulfilled the other requirements of
the section. FinCEN anticipates that an
FI would be able to make the
certification via a checkbox when
requesting BOI via the beneficial
ownership IT system. FinCEN expects
that FIs will establish protocols to direct
authorized staff to ensure that the
requirements are satisfied and that
appropriate records are maintained for
the purposes of audit and oversight.
FinCEN further expects FIs to provide
training on these protocols and to
require system users from FIs to
complete FinCEN-provided online
training about the system and related
responsibilities as a condition for
creating and maintaining system
accounts.
Under the proposed rule, FinCEN
would not require FIs to submit proof of
reporting company consent at the time
of the request for BOI. FinCEN would
not have the capacity to review, verify,
and store consent forms and additional
FinCEN involvement would create
undue delays for the ability of FIs to
onboard customers. In addition, FinCEN
expects that FI compliance with these
requirements would be assessed by
Federal functional regulators in the
ordinary course during safety and
soundness examinations or by the SROs
during their routine BSA
examinations.161 FIs therefore have a
strong incentive to retain evidence of a
reporting company’s consent for the
purposes of supervisory examinations
and compliance and for use in cases
involving suspected or alleged
violations of the requirement. Together
with potential civil and criminal
penalties under the CTA, such
examinations would create a robust
control and oversight mechanism.
FinCEN invites comments on this
proposed approach to FI security and
confidentiality requirements, including
any views regarding how consent
should be obtained from reporting
companies and on the applicability of
auditing requirements to FIs.
c. Security and Confidentiality
Requirements for Foreign Requesters
It is critical that all authorized BOI
recipients—including foreign
requesters—take steps to keep BOI
confidential and secure and to prevent
misuse. To that end, proposed 31 CFR
1010.955(d)(3)(i) would require foreign
requesters to handle, disclose, and use
BOI consistent with the requirements of
the applicable treaty, agreement or
convention under which it was
requested. 31 CFR 1010.955(d)(3)(ii),
meanwhile, would impose on foreign
BOI requesters certain general
requirements the CTA imposes on all
requesting agencies. FinCEN believes
these measures are necessary to protect
the security and confidentiality of BOI
provided to foreign requesters.162
Requirements applicable to foreign
requesters when no treaty, agreement, or
convention applies include having
security standards and procedures,
maintaining a secure storage system that
complies with whatever security
standards the foreign requester applies
to the most sensitive unclassified
information it handles, minimizing the
amount of information requested, and
restricting personnel access to it.
Foreign requesters that request and
receive BOI under an applicable
international treaty, agreement, or
convention would not have these
requirements under the proposed rule,
given that such requesters would be
governed by standards and procedures
under the applicable international
treaty, agreement, or convention.
161 The CTA requirements FIs must satisfy to
qualify for BOI disclosure from FinCEN are part of
the BSA, a statute enacted in pertinent part in
Chapter X of the Code of Federal Regulations.
FinCEN has delegated its authority to examine FIs
for compliance with Chapter X to the Federal
functional regulators. See 31 CFR 1010.810. See
also, e.g., 12 U.S.C. 1818(s)(2), 12 U.S.C. 1786(q)(2).
162 See 31 U.S.C. 5336(c)(3)(A), (K).
FinCEN considered proposing a
requirement that foreign requesters
enter into MOUs comparable to
domestic requesting agencies for
situations in which an international
treaty, agreement, or convention
applies. The bureau decided not to
propose such an approach because
foreign requesters will not have direct
access to the beneficial ownership IT
system and because FinCEN anticipates
a significantly lower volume of foreign
requests in general relative to other
stakeholders. FinCEN believes MOUs
are appropriate with domestic agencies
to account for the risks inherent in
repeated, detailed interaction with the
beneficial ownership IT system. Foreign
BOI requesters, by contrast, would only
receive BOI through intermediary
Federal agencies that would themselves
be subject to detailed MOUs. Those
intermediary Federal agencies would in
turn work with foreign requesters to
safeguard BOI in accordance with
applicable treaties, agreements, or
conventions when applicable, and
under governing protocols in other
circumstances.
FinCEN considered imposing audit
requirements on foreign requesters as
part of these security and confidentiality
protocols, but determined that it would
not be feasible. First, in situations
involving international treaties,
agreements, or conventions, such audits
would only be permissible if allowed by
the international agreement. In
situations in which no such
international agreement applied, it
would nevertheless be practically
challenging for FinCEN to conduct
meaningful audits of a foreign
requester’s BOI handling systems and
practices given that it would involve
extensive negotiations and the
commitment of substantial FinCEN
personnel to considerable document
review (potentially involving
translation) and travel. Foreign
governments under any circumstances
are also unlikely to grant FinCEN access
to their secure IT systems to the degree
that a comprehensive audit demands.
While FinCEN considered whether to
refrain from sharing information with a
foreign requester that refused to be
subject to audit requirements, such an
approach would result in reduced
information sharing and cooperation
overall. The United States regularly
collaborates bilaterally and in global
task forces, for example, to combat
terrorism, transnational criminal
organizations, and other threats to
national security. The success of these
initiatives depends upon effective
international cooperation and robust
efforts by foreign counterparts. Those
foreign counterparts might decide not to
request BOI at all, depriving our
partners of information that would
support these efforts, with potentially
negative direct consequences for the
United States.
FinCEN invites comments on its
proposal with respect to security and
confidentiality requirements applicable
to foreign requesters.
vi. Administration of Requests for
Information Reported Pursuant to 31
CFR 1010.380
The CTA includes several provisions
regarding how FinCEN should
administer requests for BOI. Proposed
31 CFR 1010.955(e) would implement
these CTA provisions.
Proposed 31 CFR 1010.955(e)(1)
would require agencies and FIs to
submit requests for BOI to FinCEN in
the form and manner FinCEN shall
prescribe.163 The bureau intends to
provide additional detail regarding the
form and manner of BOI requests for all
categories of authorized users through
specific instructions and guidance as it
continues developing the beneficial
ownership IT system. To the extent
required by the Paperwork Reduction
Act (PRA), FinCEN would publish for
notice and comment any proposed
information collection associated with
BOI requests.
Proposed 31 CFR 1010.955(e)(2)
would implement 31 U.S.C.
5336(c)(6)(B), which describes the
circumstances under which the
Secretary ‘‘may decline to provide’’
requested BOI. The CTA describes three
permissible reasons for declining to
provide BOI: (1) a ‘‘requesting agency’’
failing to meet applicable requirements;
(2) ‘‘the information is being requested
for an unlawful purpose;’’ or (3) ‘‘other
good cause exists to deny the
request.’’ 164 Proposed 31 CFR
1010.955(e)(2) would make minor
changes to the statutory text to clarify its
scope and to provide appropriate cross
references. While 31 U.S.C.
5336(c)(6)(B)(i) speaks directly to
requests made by a ‘‘requesting agency,’’
FinCEN believes the CTA also permits
the bureau to deny requests from any
authorized recipient, including FIs, that
fail to comply with any requirements to
receive BOI (e.g., refusing to obtain
consent from reporting companies
before making BOI requests or failing to
fully comply with the proposed security
and confidentiality requirements).165
FinCEN’s ability to decline requests in
these circumstances is necessary to
‘‘protect the security and confidentiality
of [BOI]’’ that the agency provides to
authorized recipients.166 Moreover,
FinCEN would consider an FI’s failure
to comply with any requirements to
constitute ‘‘good cause’’ sufficient to
justify denying a request for BOI.167
Proposed 31 CFR 1010.955(e)(3)
would specify that the reasons for
rejecting a request are also bases for
suspension or debarment. The CTA
permits the Secretary to suspend or
debar a ‘‘requesting agency’’ from access
to BOI for any of the reasons for
rejection in the preceding paragraph,
including for ‘‘repeated or serious
violations’’ of any requirement
established as a precondition for
receiving BOI.168 FinCEN would again
extend the availability of the suspension
or debarment authority to FIs to ensure
the integrity of BOI, ensure the security
of the beneficial ownership IT system,
and implement the confidentiality
requirements imposed by the CTA.
Under the proposed rule, suspension of
access to BOI would be a temporary
measure, while debarment would be
permanent. The proposed rule would
also permit FinCEN to determine in its
sole discretion the length of any
suspension. Additionally, the proposed
rule would clarify that FinCEN may
reinstate suspended or debarred
requesters upon satisfaction of any
terms or conditions FinCEN in its sole
discretion believes are appropriate. As
with the authority to reject requests,
FinCEN views suspension and
debarment as important tools for
protecting sensitive information from
potential misuse.
vii. Violations; Penalties
The CTA makes it unlawful for any
person to knowingly disclose or
knowingly use BOI obtained by the
person through a report submitted to, or
an authorized disclosure made by,
FinCEN, unless such disclosure is
authorized under the CTA.169 Proposed
31 CFR 1010.955(f)(1) tracks this
prohibition, and further clarifies that
such disclosure authorized under the
CTA includes disclosure authorized
under the regulations issued pursuant to
the CTA. Proposed 31 CFR
1010.955(f)(2) then explains that for
purposes of paragraph (f)(1),
unauthorized use would include any
unauthorized accessing of information
submitted to FinCEN under 31 CFR
1010.380, including any activity in
which an employee, officer, director,
contractor, or agent of a Federal, State,
local, or Tribal agency or FI knowingly
violates applicable security and
confidentiality requirements in
connection with accessing such
information.170 This reflects FinCEN’s
view that the security and
confidentiality requirements under the
CTA and this proposed rule
circumscribe the ways in which
authorized recipients can use BOI,
consistent with the statute’s emphasis
on keeping BOI secure and confidential.
163 31 U.S.C. 5336(c)(2)(C).
164 Id.
165 See 31 U.S.C. 5336(c)(3)(A).
166 Id.; see also 31 U.S.C. 5336(c)(3)(K).
167 31 U.S.C. 5663(c)(6)(B)(iii).
168 31 U.S.C. 5336(c)(7).
169 See 31 U.S.C. 5336(h)(2).
Proposed 31 CFR 1010.955(f)(3) lists
the CTA’s enumerated civil and
criminal penalties for knowingly
disclosing or using BOI without
authorization. The CTA provides civil
penalties in the amount of $500 for each
day a violation continues or has not
been remedied. Criminal penalties are a
fine of not more than $250,000 or
imprisonment for not more than 5 years,
or both.171 The CTA also provides for
enhanced criminal penalties, including
a fine of up to $500,000, imprisonment
of not more than 10 years, or both, if a
person commits a violation while
violating another law of the United
States or as part of a pattern of any
illegal activity involving more than
$100,000 in a 12-month period.172
B. Use of FinCEN Identifiers for Entities
A FinCEN identifier is a unique
identifying number that FinCEN will
issue to individuals who have provided
FinCEN with their BOI and to reporting
companies that have filed initial BOI
reports.173 Consistent with the CTA, the
final BOI reporting rule describes the
manner in which FinCEN will issue a
FinCEN identifier to individuals and to
entities.174 It also describes
circumstances in which a reporting
company may report an individual
beneficial owner’s FinCEN identifier to
FinCEN in lieu of providing the
individual’s BOI.175
170 31 U.S.C. 5336(c)(4) explicitly applies civil
and criminal penalties to employees and officers of
‘‘requesting agencies’’ who violate applicable
security and confidentiality protocols, including
through unauthorized disclosure or use. FinCEN
views this as a self-executing reinforcement
provision to support 31 U.S.C. 5336(h)(3)(B), which
focuses on unlawful disclosure or use by any
person.
171 31 U.S.C. 5336(h)(3)(B).
172 See 31 U.S.C. 5336(h)(3)(B)(ii)(II).
173 31 U.S.C. 5336(b)(3).
174 See 31 CFR 1010.380(b)(4).
175 See 31 CFR 1010.380(b)(4)(ii)(B).
The CTA also provides for the use of
a reporting company’s FinCEN
identifier, specifying that if an
individual ‘‘is or may be a beneficial
owner of a reporting company by an
interest held by the individual in an
entity that, directly or indirectly, holds
an interest in the reporting company,’’
the reporting company may report the
entity’s FinCEN identifier in lieu of
providing the individual’s BOI.176 The
Reporting NPRM proposed to
incorporate this language without
significant clarification. Some
commenters, however, expressed
concerns that the use of FinCEN
identifiers could obscure the identities
of beneficial owners in a manner that
might result in greater secrecy or
incomplete or misleading disclosures.
Several commenters noted that the
proposed language may be confusing
and pose problems when a reporting
company’s ownership structure involves
multiple beneficial owners and
intermediate entities. In light of this
feedback, the final BOI reporting rule
did not adopt the proposed language,
and FinCEN is now proposing different
language to implement the CTA in a
manner that better clarifies when a
company may report an intermediate
entity’s FinCEN identifier in lieu of an
individual’s BOI.
Proposed 31 CFR 1010.380(b)(4)(ii)(B)
would permit a reporting company to
report an intermediate entity’s FinCEN
identifier in lieu of a beneficial owner’s
BOI only when: (1) the intermediate
entity has obtained a FinCEN identifier
and provided that FinCEN identifier to
the reporting company; (2) an
individual is or may be a beneficial
owner of the reporting company by
virtue of an interest in the reporting
company that the individual holds
through the entity; and (3) only the
individuals that are beneficial owners of
the intermediate entity are beneficial
owners of the reporting company, and
vice versa. The first and second
requirements are straightforward
clarifications, while the third
requirement reflects an implicit
assumption in the statutory language.
It is straightforward to allow a
reporting company to use an
intermediate entity’s FinCEN identifier
where a single individual is the sole
beneficial owner of a reporting company
through a single intermediate entity. In
this simple scenario, the same
individual would be the beneficial
owner of both the reporting company
and the intermediate entity. Reporting
the intermediate entity’s FinCEN
identifier in lieu of the individual’s BOI
would thus accurately indicate that the
individual is a beneficial owner of both
entities, and the intermediate entity
would have already reported the
individual’s BOI when it filed its initial
report and obtained a FinCEN identifier.
176 31 U.S.C. 5336(b)(3)(C).
However, the use of an intermediate
company’s FinCEN identifier beyond
this simple scenario encounters
significant problems when a reporting
company’s ownership structure involves
multiple beneficial owners and/or
intermediate entities. For instance, if the
intermediate entity has any beneficial
owners who are not also beneficial
owners of the reporting company, the
reporting company’s use of the
intermediate entity’s FinCEN identifier
would identify multiple individuals as
beneficial owners of the reporting
company, when in fact they are only
beneficial owners of the intermediate
entity. Additionally, if an individual is
a beneficial owner of a reporting
company through multiple intermediate
entities but is not a beneficial owner of
one of those entities, the reporting
company’s use of that entity’s FinCEN
identifier could obscure the identity of
that beneficial owner. In this case, the
reporting company’s use of an
intermediate entity’s FinCEN identifier
would fail to identify an individual as
a beneficial owner of the reporting
company, when in fact the individual is
such a beneficial owner.
In light of the core objective of the
CTA to establish a comprehensive
beneficial ownership database and to
ensure that the information it contains
is accurate and highly useful, FinCEN
does not believe the FinCEN identifier
provision was intended to enable
reporting companies to misidentify
beneficial owners. As explained in the
prior paragraph, there are some
scenarios in which FinCEN would be
unable to accurately identify which
reported beneficial owners are
extraneous, or which BOI reports are
incomplete, thereby making it more
difficult for FinCEN and authorized
recipients of BOI to identify the true
beneficial owners of each reporting
company. This would make the
beneficial ownership database less
accurate and undermine the
fundamental goals of the CTA.
Moreover, FIs that obtain BOI reports
that are either under- or over-inclusive
may have difficulty reconciling this BOI
with other information they receive
during the CDD process, impeding
another goal of the CTA. Furthermore,
over-inclusive BOI would require
FinCEN to disclose more BOI than
necessary in response to authorized
requests. Instead of only disclosing BOI
for individuals who are beneficial
owners of the reporting company that is
the subject of a request, FinCEN would
have to also disclose BOI for other
individuals who are beneficial owners
of a different company that may not be
the subject of the request. This over-disclosure would be in significant
conflict with the confidentiality and
privacy protections the CTA instructs
FinCEN to implement, including the
requirement to ‘‘limit, to the greatest
extent practicable, the scope of the
information sought.’’ 177
For all of these reasons, permitting a
reporting company to use an
intermediate entity’s FinCEN identifier
would appear consistent with the CTA’s
overall statutory scheme only if the two
entities have the same beneficial
owners. In this case, as in the simple
scenario previously described, reporting
the intermediate entity’s FinCEN
identifier would be equivalent to
reporting the BOI of the reporting
company’s beneficial owners. There
would be no mismatch. Accordingly,
proposed 31 CFR 1010.380(b)(4)(ii)(B)
makes this requirement explicit by
permitting a reporting company to
report an intermediate entity’s FinCEN
identifier only when the intermediate
entity and the reporting company have
the same beneficial owners. FinCEN
believes this requirement is implicit in
the CTA, and is necessary for FinCEN to
avoid collection of potentially
incomplete information and to prevent
disclosure of inaccurate reports that
contain extraneous sensitive
information or that lack relevant BOI.
FinCEN solicits comment on this
proposal.
V. Final Rule Effective Date
FinCEN is proposing an effective date
of January 1, 2024, to align with the date
on which the final BOI reporting rule at
31 CFR 1010.380 becomes effective. A
January 1, 2024, effective date is
intended to provide the public and
authorized users of BOI with sufficient
time to review and prepare for
implementation of the rule. FinCEN
solicits comment on the proposed
effective date for this rule.
VI. Request for Comment
FinCEN seeks comment from all parts
of the public, as well as Federal, State,
local, and Tribal government entities,
with respect to the proposed rule as a
whole and specific provisions discussed
above in Section IV. FinCEN invites
comment on any and all aspects of the
proposed rule, and specifically seeks
comments on the following questions:
Understanding the Rule
1. Can the organization of the rule text
be improved? If so, how?
2. Can the language of the rule text be
improved? If so, how?
177 31 U.S.C. 5336(c)(3)(F).
3. Does the proposed rule provide
sufficient guidance to stakeholders and
the public regarding the scope and
requirements for access to BOI?
Disclosure of Information
4. The CTA prohibits officers and
employees of (1) the United States, (2)
State, local, and Tribal agencies, and (3)
FIs and regulatory agencies from
disclosing BOI reported under the
statute. FinCEN proposes to extend the
prohibition to agents, contractors, and,
in the case of FIs, directors as well.
FinCEN invites comments on the
proposed scope.
5. Are FinCEN’s proposed
interpretations of ‘‘national security,’’
‘‘intelligence,’’ and ‘‘law enforcement’’
clear enough to be useful without being
overly prescriptive? If not, what should
be different? Commenters are invited to
suggest alternative interpretations or
sources for reference.
6. Should FinCEN add any specific
activities or elements to the proposed
interpretations of ‘‘national security,’’
‘‘intelligence,’’ and ‘‘law enforcement’’
that do not seem to be covered already?
If so, what?
7. FinCEN requests comments
discussing how State, local, and Tribal
law enforcement agencies are
authorized by courts to seek information
in criminal and civil investigations.
Among the particular issues that
FinCEN is interested in are: how State,
local, and Tribal authorities gather
evidence in criminal and civil cases;
what role a court plays in each of these
mechanisms, and whether in the
commenter’s opinion it rises to the level
of court ‘‘authorization’’; what role court
officers (holders of specific offices, not
attorneys as general-purpose officers of
the court) play in these mechanisms;
how grand jury subpoenas are issued
and how the court officers issuing them
are ‘‘authorized’’ by a court; whether
courts of competent jurisdiction, or
officers thereof, regularly authorize
subpoenas or other investigative steps
via court order; and whether there are
any evidence-gathering mechanisms
through which State, local, or Tribal law
enforcement agencies should be able to
request BOI from FinCEN, but that do
not require any kind of court?
8. Is requiring a foreign central
authority or foreign competent authority
to be identified as such in an applicable
international treaty, agreement, or
convention overly restrictive? If so,
what is a more appropriate means of
identification?
9. Are there alternative approaches to
managing the foreign access provision of
the CTA that FinCEN should consider?
10. Should FinCEN define the term
‘‘trusted foreign country’’ in the rule,
and if so, what considerations should be
included in such a definition?
11. FinCEN proposes that FIs be
required to obtain the reporting
company’s consent in order to request
the reporting company’s BOI from
FinCEN. FinCEN invites commenters to
indicate what barriers or challenges FIs
may face in fulfilling such a
requirement, as well as any other
considerations.
12. FinCEN proposes to define
‘‘customer due diligence requirements
under applicable law’’ to mean the
bureau’s 2016 CDD Rule, as it may be
amended or superseded pursuant to the
AML Act. The 2016 CDD Rule requires
FIs to identify and verify beneficial
owners of legal entity customers.
Should FinCEN expressly define
‘‘customer due diligence requirements
under applicable law’’ as a larger
category of requirements that includes
more than identifying and verifying
beneficial owners of legal entity
customers? If so, what other
requirements should the phrase
encompass? How should the broader
definition be worded? It appears to
FinCEN that the consequences of a
broader definition of this phrase would
include making BOI available to more
FIs for a wider range of specific
compliance purposes, possibly making
BOI available to more regulatory
agencies for a wider range of specific
examination and oversight purposes,
and putting greater pressure on the
demand for the security and
confidentiality of BOI. How does the
new balance of those consequences
created by a broader definition fulfill
the purpose of the CTA?
13. If FinCEN wants to limit the
phrase ‘‘customer due diligence
requirements under applicable law’’ to
apply only to requirements like those
imposed under its 2016 CDD Rule
related to FIs identifying and verifying
beneficial owners of legal entity
customers, are there any other
comparable requirements under Federal,
State, local, or Tribal law? If so, please
specifically identify these requirements
and the regulatory bodies that supervise
for compliance with or enforce them.
14. Are there any State, local, or
Tribal government agencies that
supervise FIs for compliance with
FinCEN’s 2016 CDD Rule? If so, please
identify them.
15. FinCEN does not propose to
disclose BOI to SROs as ‘‘other
appropriate regulatory agencies,’’ but
does propose to authorize FIs that
receive BOI from FinCEN to disclose it
to SROs that meet specified qualifying
criteria. Is this sufficient to allow SROs
to perform duties delegated to them by
Federal functional regulators and other
appropriate regulatory agencies? Are
there reasons why SROs could be
included as ‘‘other appropriate
regulatory agencies’’ and obtain BOI
directly from FinCEN?
16. Are there additional
circumstances under which FinCEN is
authorized to disclose BOI that are not
reflected in this proposed rule?
Use of Information
17. FinCEN proposes to permit U.S.
agencies to disclose BOI received under
31 CFR 1010.955(b)(1) or (2) to courts of
competent jurisdiction or parties to civil
or criminal proceedings. Is this
authorization appropriately scoped to
allow for the use of BOI in civil or
criminal proceedings?
18. In proposed 31 CFR
1010.955(c)(2)(v), FinCEN proposes to
establish a mechanism to authorize,
either on a case-by-case basis or
categorically through written protocols,
guidance, or regulations, the re-disclosure of BOI in cases not otherwise
covered under 31 CFR 1010.955(c)(2)
and in which the inability to share the
information would frustrate the
purposes of the CTA because of the
categorical prohibitions against
disclosures at 31 U.S.C. 5336(c)(2)(A).
Are there other categories of
redisclosures that FinCEN should
consider authorizing? Are there
particular handling or security protocols
that FinCEN should consider imposing
with respect to such re-disclosures of
BOI?
19. Could a State regulatory agency
qualify as a ‘‘State, local, or Tribal law
enforcement agency’’ under the
definition in proposed 31 CFR
1010.955(b)(2)(ii)? If so, please describe
the investigation or enforcement
activities involving potential civil or
criminal violations of law that such
agencies may undertake that would
require access to BOI.
Security and Confidentiality
Requirements
20. Should FinCEN impose any
additional security or confidentiality
requirements on authorized recipients
of any type? If so, what requirements
and why?
21. The minimization component of
the security and confidentiality
requirements requires limiting the
‘‘scope of information sought’’ to the
greatest extent possible. FinCEN
understands this phrase, drawn from the
language of the CTA, to mean that
requesters should tailor their requests
for information as narrowly as possible,
consistent with their needs for BOI.
Such narrow tailoring should minimize
the likelihood that a request will return
BOI that is irrelevant to the purpose of
the request or unhelpful to the
requester. Does the phrase used in the
regulation convey this meaning
sufficiently clearly, or should it be
expanded, and if so how?
22. Because security protocol details
may vary based on each agency’s
particular circumstances and
capabilities, FinCEN believes individual
MOUs are preferable to a one-size-fits-all
approach of specifying particular
requirements by regulation. FinCEN
invites comment on this MOU-based
approach, and on whether additional
requirements should be incorporated
into the regulations or into FinCEN’s
MOUs.
23. FinCEN proposes to require FIs to
limit BOI disclosure to FI directors,
officers, employees, contractors, and
agents within the United States. Would
this restriction impose undue hardship
on FIs? What are the practical
implications and potential costs of this
limitation?
24. Are the procedures FIs use to
protect non-public customer personal
information in compliance with section
501 of Gramm-Leach-Bliley sufficient
for the purpose of securing BOI
disclosed by FinCEN under the CTA? If
not, is there another set of security
standards FinCEN should require FIs to
apply to BOI?
25. Are the standards established by
section 501 of Gramm-Leach-Bliley, its
implementing regulations, and
interagency guidance sufficiently clear
such that FIs not directly subject to that
statute will know how to comply with
FinCEN’s requirements with respect to
establishing and implementing security
and confidentiality standards?
26. Do any states impose, and
supervise for compliance on, security
and confidentiality requirements
comparable to those that FFRs are
required to impose on FIs under section
501 of Gramm-Leach-Bliley? Please
provide examples of such requirements.
Outreach
29. What specific issues should
FinCEN address via public guidance or
FAQs? Are there specific
recommendations on engagement with
stakeholders to ensure that the
authorized recipients, and in particular,
State, local, and Tribal authorities and
small and mid-sized FIs, are aware of
requirements for access to the beneficial
ownership IT system?
FinCEN Identifiers
30. Does FinCEN’s proposal with
respect to an entity’s use of a FinCEN
identifier adequately address the
potential under- or over-reporting issues
discussed in the preamble?
VI. Regulatory Analysis
This regulatory impact analysis (RIA)
assesses the anticipated impact, both in
terms of costs and benefits, of the
proposed rule, in accordance with
Executive Order 12866. This analysis
also includes an assessment of the
impact on small entities pursuant to the
Regulatory Flexibility Act (RFA),
reporting and recordkeeping burdens
under the Paperwork Reduction Act
(PRA); and an assessment as required by
the Unfunded Mandates Reform Act of
1995 (UMRA).178
Regarding the proposed regulations
related to BOI access, the analysis
assumes a baseline scenario of no access
granted to the BOI system maintained
by FinCEN, which is the current
regulatory environment, and uses a time
horizon of 10 years. The analysis
estimates that the overall quantifiable
impact associated with the proposed
rule, which would affect U.S. Federal
agencies including FinCEN, as well as
State, local, and Tribal agencies, foreign
requesters, certain financial institutions,
and self-regulatory organizations, would
be between $108.7 million in net
savings and $840.7 million in net costs
in the first year of implementation of the
rule, and then a net impact between
$186.5 million in net savings and $672.0
million in net costs on an ongoing
annual basis.179 This proposed rule has
been determined to be a significant rule
for purposes of Executive Order 12866.
Furthermore, the proposed rule would
have a significant economic impact on
a substantial number of small entities.
Last, the proposed rule would result in
an estimated 5-year average PRA annual
cost of $642.5 million to certain State,
local, and Tribal agencies, self-regulatory organizations, and financial
178 The U.S. Bureau of Economic Analysis reports
the annual value of the gross domestic product
(GDP) deflator in 1995 (the year in which UMRA
was enacted) as 71.823, and as 118.895 in 2021. See
U.S. Bureau of Economic Analysis, Table 1.1.9.
Implicit Price Deflators for Gross Domestic Product,
available at https://apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&categories=survey#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ. Thus, the
inflation adjusted estimate for $100 million is
118.895/71.823 × 100 = $166 million.
179 All aggregate figures are approximate and not
precise estimates unless otherwise specified.
institutions. Because accessing BOI
under the proposed rule is not
mandated for State, local, and Tribal
governments or the private sector,
FinCEN does not assess any
expenditures pursuant to UMRA.
As FinCEN identified in the final BOI
reporting rule’s RIA, FinCEN will incur
costs for administering the regulation
and access to BOI.180 These costs
include development and ongoing
annual maintenance of the beneficial
ownership IT system. In particular,
developing and maintaining the
methods of access to the beneficial
ownership IT system described in this
NPRM has impacted FinCEN’s IT cost
estimates. FinCEN estimated that the
initial IT development costs associated
with the final BOI reporting rule are
approximately $72 million with an
additional $25.6 million per year
required to maintain the new BOI
system and the underlying FinCEN IT
that is needed to support the new
capabilities. These estimates do not
include certain potential additional
costs, such as for IT personnel or
information verification. The final BOI
reporting rule’s RIA also estimated $10
million per year in FinCEN personnel
costs in order to ensure successful
implementation of and compliance with
the BOI reporting requirements. Given
that these costs to FinCEN are already
accounted for in the RIA of the final BOI
reporting rule, these costs are not
included in the RIA. The costs to
FinCEN in this RIA are in addition to
those included in the final BOI
reporting rule’s RIA.
FinCEN also considers in the RIA
what costs or benefits may be associated
with the proposed rule regarding
reporting companies’ use of FinCEN
identifiers for entities. The final BOI
reporting rule’s RIA contains a
regulatory analysis that accounts for the
impact associated with obtaining,
updating, and using FinCEN identifiers,
including a summary of NPRM
comments related to the associated
estimated costs and benefits. Regarding
entities’ use of FinCEN identifiers,
FinCEN proposes to rely upon the
analysis in the final BOI reporting rule’s
RIA. That analysis states that the costs
associated with reporting companies’
use of FinCEN identifiers are captured
in that RIA’s cost estimates associated
with BOI reports. This analysis is
explained in more detail in Section
VI.A.ii. below.
A. Executive Orders 12866 and 13563
Executive Orders 12866 and 13563
direct agencies to assess costs and
180 87 FR 59578 (Sept. 30, 2022).
benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, and public health and
safety effects, as well as distributive
impacts and equity). Executive Order
13563 emphasizes the importance of
quantifying both costs and benefits,
reducing costs, harmonizing rules, and
promoting flexibility. FinCEN
conducted an assessment of the costs
and benefits of the proposed rule, as
well as the costs and benefits of
available regulatory alternatives. This
proposed rule is necessary in order to
implement Section 6403 of the CTA.
Consistent with the cost-benefit analysis
in Section VI.A.i. below, this proposed
rule has been designated a ‘‘significant
regulatory action’’ and economically
significant under section 3(f) of
Executive Order 12866. Accordingly,
the proposed rule has been reviewed by
the Office of Management and Budget
(OMB).
i. Section of Proposed Rule Regarding
BOI Access
a. Alternative Scenarios
FinCEN considered alternatives to the
proposed rule. However, for the reasons
described within this section, FinCEN
decided not to propose these
alternatives.
1. Reduce Training Burden
The first alternative would be to
reduce the training requirement for BOI
authorized recipients, which includes
appropriate training for authorized
recipients of BOI as well as annual
training for access to BOI. In its
analysis, FinCEN assumes that each
authorized recipient that would access
the BOI would be required to undergo
one hour of training per year.181 Here,
FinCEN considers the scenario where
authorized recipients would instead be
required to undergo one hour of training
every two years, in alignment with the
current BSA data access requirements.
This scenario could result in savings
every other year of $108 to $172,800 per
Federal agency, $76 to $5,168 per State,
local, and Tribal agency, $95 to $6,460
per SRO,182 $108 per foreign requester,
181 The assumption of one training hour is in
alignment with the current training requirement for
accessing BSA data. However, one notable
difference is that the proposed BOI training
requirement is annual, not biennial.
182 To calculate costs to SROs, FinCEN calculated
a ratio that applied the estimated costs to State
regulators (which would have access requirements
similar to SROs) to the wage rate estimated herein
for financial institutions, since SROs are private
organizations. FinCEN requests comment on this
assessment.
and $146 to $241 per financial
institution. The aggregate savings could
be as much as $3.7 million to $5.2
million ($1.3 million total for domestic
agencies and SROs + $2.4 to $3.9
million for financial institutions) every
other year. This alternative scenario
could result in savings every other year
of approximately $95 to $190 per small
financial institution. The aggregate
savings could be as much as
approximately $1.3 million to $2.7
million (($95 × 14,051 small financial
institutions = $1,334,845) and ($190 ×
14,051 small financial institutions =
$2,669,690)) every other year. Given the
sensitive nature of the BOI,183 FinCEN
believes that maintaining an annual
training requirement for BOI authorized
recipients and access to BOI is
necessary to protect the security and
confidentiality of the BOI.
2. Change Customer Consent
Requirement
The second alternative that FinCEN
considered is altering the customer
consent requirement for FIs. Under the
proposed rule, financial institutions
would be required to obtain and
document customer consent once for a
given customer. FinCEN considered an
alternative approach in which FinCEN
would directly obtain the reporting
company’s consent. Under this scenario,
financial institutions would not need to
spend time and resources on the one-time implementation costs of
approximately 10 hours in year 1 to
create consent forms and processes.
Using an hourly wage estimate of $95
per hour for financial institutions,
FinCEN estimates this would result in a
one-time savings per financial
institution of approximately $950. To
estimate aggregate savings under this
scenario, FinCEN multiplies this value
by 16,252 financial institutions resulting
in a total savings of approximately $15.4
million ($950 per institution × 16,252
financial institutions = $15,439,400).
The cost savings for small financial
institutions under this scenario would
be approximately $13.3 million ($950
per institution × 14,051 small financial
institutions = $13,348,450). Though this
alternative results in a savings to
financial institutions, including small
entities, FinCEN believes that financial
institutions are better positioned to
obtain consent—and to track consent
revocation—given their direct customer
relationships and ability to leverage
existing onboarding and account
183 As noted in the preamble, the CTA establishes
that BOI is ‘‘sensitive information’’ and it imposes
strict confidentiality and security restrictions on the
storage, access, and use of BOI. See CTA, Section
6402(6), (7).
maintenance processes. Therefore,
FinCEN decided not to propose this
alternative.
3. Impose Court Authorization
Requirement on Federal Agencies
The third alternative would extend
the requirement that State, local, and
Tribal law enforcement agencies
provide a court authorization with each
BOI request to 202 Federal agencies.
FinCEN expects that requests submitted
by State, local, and Tribal law
enforcement agencies have an
additional 20 to 30 hours of burden
owing to an additional requirement that
a court of competent jurisdiction,
including any officer of such a court,
authorizes the agency to seek the
information in a criminal or civil
investigation. Therefore, FinCEN
applies this additional 20 to 30 hours of
burden per BOI request to the estimated
BOI requests submitted by Federal
agencies and by State regulators. Using
FinCEN’s internal BSA request data as
a proxy, FinCEN anticipates that Federal
agencies could submit as many as
approximately 2 million total BOI
requests annually.184 Using an hourly
wage estimate of $108 per hour for
Federal employees results in additional
aggregate annual costs between
approximately $4.3 billion and $6.5
billion ((2 million Federal requests × 20
hours × $108 per hour = $4,320,000,000)
and (2 million Federal requests × 30
hours × $108 per hour =
$6,480,000,000)).
This alternative could minimize the
potential for broad or non-specific
searches by any agency not currently
subject to the requirement because of
the higher initial barrier to accessing the
data. However, FinCEN believes that
imposing this requirement on
authorized recipients, for whom such a
requirement is not statutorily mandated,
is overly burdensome and would make
it too difficult to obtain BOI in a timely
fashion for active investigations. For
these reasons, FinCEN decided not to
propose this alternative.
b. Affected Entities
In order to analyze cost and benefits,
the number of entities affected by the
proposed rule must first be estimated.
Authorized recipients of BOI would be
affected by this proposed rulemaking if
they elect to access BOI, because they
are required to meet certain criteria in
order to receive that BOI. The criteria
184 While FinCEN does not estimate growth of
requests throughout the 10-year time horizon of this
analysis, the number of BOI requests could increase
significantly after the first years of implementation
of the BOI reporting requirements as awareness of
the ability to access and the utility of BOI increases.
vary depending on the type of
authorized recipient.
Federal agencies engaged in national
security, intelligence, and law
enforcement activity would have access
to BOI in furtherance of such activities
if they establish the appropriate
protocols prescribed for them in the
proposed rule. Additionally, Treasury
officers and employees who require
access to BOI to perform their official
duties or for tax administration would
have access. The number of agencies
that could qualify under these categories
is large and difficult to quantify.
FinCEN proposes using the number of
Federal agencies that are active
entities 185 with BSA data access 186 as
a proxy for the number of Federal
agencies that may elect to access BOI.
FinCEN believes this proxy is apt. While
the criteria for access to BSA data are
somewhat different outside of the CTA
context, Federal agencies that have
access to BSA data would generally also
meet the criteria for access to BOI under
the CTA. FinCEN believes that Federal
agencies that have access to BSA data
will most likely want access to BOI as
well, and will generally be able to
access it under the parameters specified
by the proposed rule. FinCEN includes
offices within the Department of the
Treasury, such as FinCEN itself,187 in
this proxy count. As of January 2022,
202 Federal agencies and agency
subcomponents are active entities with
BSA data access.
State, local, and Tribal law
enforcement agencies would have
access to BOI for use in criminal and
civil investigations if they follow the
process prescribed for them in the
proposed rule. FinCEN proposes using
the number of State and local law
enforcement agencies that are active
entities with BSA data access as a proxy
185 For purposes of this analysis, an agency has
active access to BSA data if the official duties of any
agency employee or contractor includes authorized
access to the FinCEN Query system, a web-based
application that provides access to BSA reports
maintained by FinCEN.
186 For purposes of this analysis, BSA data
consists of all of the reports submitted to FinCEN
by financial institutions and individuals pursuant
to obligations that currently arise under the BSA,
31 U.S.C. 5311 et seq., and its implementing
regulations. These include reports of cash
transactions over $10,000, reports of suspicious
transactions by persons obtaining services from
financial institutions, reports of the transportation
of currency and other monetary instruments in
amounts over $10,000 into or out of the United
States, and reports of U.S. persons’ foreign financial
accounts. In fiscal year 2019, more than 20 million
BSA reports were filed. See Financial Crimes
Enforcement Network, ‘‘What is the BSA data?,’’
available at https://www.fincen.gov/what-bsa-data.
187 In addition to incurring costs as an authorized
recipient of BOI, FinCEN expects to incur costs
from administering data to other authorized
recipients.
for the number of State, local, and Tribal
law enforcement agencies that may
access BOI, for the reasons discussed in
the Federal agency context. As of
January 2022, 153 State and local law
enforcement agencies and agency
subcomponents are active entities with
access to BSA data.188 The process that
the proposed rule sets forth involves
these agencies obtaining a court
authorization for each BOI request.
Courts of competent jurisdiction that
would issue such authorizations may
therefore also be affected by the
proposed rule; FinCEN has not
estimated the burden that may be
imposed on such entities, but is
interested in comments on the subject.
Foreign government entities, such as
law enforcement, prosecutors, judges or
other competent or central authorities,
would potentially be able to access BOI
after submitting a request as described
in the proposed rule. FinCEN does not
estimate the number of different foreign
requesters that may request BOI, but
instead estimates a range of the total
number of annual requests for BOI that
FinCEN may receive from all foreign
requesters. FinCEN requests comment
on this proposal and the estimate of
foreign requests. The proposed rule
requires that foreign requests be made
through an intermediary Federal agency.
Therefore, Federal agencies would also
be affected by foreign requests.
The six Federal functional regulators
that supervise financial institutions
with CDD obligations—the FRB, the
OCC, the FDIC, the NCUA, the SEC, and
the CFTC—may access BOI for purposes
of supervising a financial institution’s
compliance with those obligations.
Additionally, other appropriate
regulatory agencies may access BOI
under the proposed rule. FinCEN
proposes primarily using the number of
regulators that both supervise entities
with requirements under FinCEN’s CDD
Rule and are active entities with access
to BSA data as a proxy for the number
of regulatory agencies that may access
BOI. As of January 2022, 62 regulatory
agencies satisfy both criteria.189 FinCEN
adds two self-regulatory organizations
(SROs) to this count, which totals to 64
regulatory agencies. Although SROs are
188 No Tribal law enforcement agencies currently
have access to BSA data through the FinCEN Query
system. FinCEN requests comment on how many
Tribal law enforcement agencies may access BOI.
189 This includes the six Federal functional
regulators. The remaining 56 entities are State
regulators that supervise banks, securities dealers,
and other entities that currently have CDD
obligations under FinCEN regulations. FinCEN did
not include State regulatory agencies that have
active access to BSA data but do not regulate
entities with FinCEN CDD obligations, such as State
gaming authorities or State tax authorities.
not government agencies and they
would not have direct access to the
beneficial ownership IT system under
the proposed rule, they may receive BOI
through re-disclosure and would be
subject to the same security and
confidentiality requirements as other
regulatory agencies under the proposed
rule.
Financial institutions with CDD
requirements under applicable law
would be able to access BOI with the
consent of the reporting company.
Assuming that all financial institutions
that are subject to FinCEN’s CDD Rule
would access BOI, FinCEN estimates the
number of affected financial institutions
in Table 1.

Table 1—Affected Financial Institutions

Financial Institution Type                                 Count    Small Count
Banks, savings associations, thrifts, trust companies 1    5,128          3,661
Credit unions 2                                            4,957          4,432
Brokers or dealers in securities 3                         3,527          3,439
Mutual funds 4                                             1,591          1,548
Futures commission merchants and introducing
  brokers in commodities 5                                 1,049            971
Total                                                     16,252         14,051

1 All counts are from Q2 2022 Federal Financial Institutions Examination Council (FFIEC) Call Report data,
available at https://cdr.ffiec.gov/public/pws/downloadbulkdata.aspx. Data for institutions that are not insured,
are insured under non-FDIC deposit insurance regimes, or do not have a Federal functional regulator are from
the FDIC's Research Information System, available at https://www.fdic.gov/foia/ris/
2 Credit union data are from the NCUA for Q2 2022, available at https://www.ncua.gov/analysis/credit-union-corporate-call-report-data.
3 According to the SEC, the number of brokers or dealers in securities for the fiscal year 2021 is 3,527. See
Securities and Exchange Commission, Fiscal Year 2023 Congressional Budget Justification, p. 33,
https://www.sec.gov/files/FY%202023%20Congressional%20Budget%20Justification%20Annual%20Performance%20Plan_FINAL.pdf.
4 Based on estimates provided for the 2018 notice to renew OMB control number 1506-0033, 83 FR 46011
(Sept. 11, 2018).
5 As of September 30, 2022, the CFTC stated there are 60 futures commission merchants and 989 introducing
brokers in commodities, totaling 1,049.

Totaling these estimates results in
16,252 financial institutions that may
access BOI pursuant to the proposed
rule. Of these financial institutions,
14,051 are small entities. To identify
whether a financial institution is small,
FinCEN uses the Small Business
Administration’s (SBA) latest annual
size standards for small entities in a
given industry.190 FinCEN also uses the
U.S. Census Bureau’s publicly available
2017 Statistics of U.S. Businesses survey
data (Census survey data).191 FinCEN
applies SBA size standards to the
corresponding industry’s receipts in the
2017 Census survey data and
determines what proportion of a given
industry is deemed small, on
average.192 193 FinCEN considers a
financial institution to be small if it has
total annual receipts less than the
annual SBA small entity size standard
for the financial institution’s industry.
FinCEN applies these estimated
proportions to FinCEN’s current
financial institution counts for brokers
or dealers in securities, mutual funds,
and futures commission merchants and
introducing brokers in commodities to
determine the proportion of current
small financial institutions in those
industries. Using this methodology and
data from the FFIEC and the NCUA,
approximately 14,051 small financial
institutions could be affected by the
proposed rule, as summarized in Table
1.
190 The SBA currently defines small entity size
standards for affected financial institutions as
follows: less than $750 million in total assets for
commercial banks, savings institutions, and credit
unions; less than $41.5 million in total assets for
trust companies; less than $41.5 million in annual
receipts for broker-dealers; less than $41.5 million
in annual receipts for portfolio management; less
than $35 million in annual receipts for open-end
investment funds; and less than $41.5 million in
annual receipts for futures commission merchants
and introducing brokers in commodities. See U.S.
Small Business Administration’s Table of Size
Standards, https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.
191 See U.S. Census Bureau, U.S. & states, NAICS,
detailed employment sizes (U.S., 6-digit and states,
NAICS sectors) (2017), available at
https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html.
The Census survey documents
the number of firms and establishments,
employment numbers, and annual payroll by State,
industry, and enterprise every year. Receipts data,
which FinCEN uses as a proxy for revenues, is
available only once every five years, with 2017
being the most recent survey year with receipt data.
192 FinCEN does not apply population
proportions to banks or credit unions. Because data
accessed through FFIEC and NCUA Call Report data
provides information about asset size for banks,
trusts, savings and loans, credit unions, etc.,
FinCEN is able to directly determine how many
banks and credit unions are small by SBA size
standards. Because the Call Report data does not
include institutions that are not insured, are
insured under non-FDIC deposit insurance regimes,
or that do not have a Federal financial regulator,
FinCEN assumes that all such entities listed in the
FDIC’s Research Information System data are small,
unless they are controlled by a holding company
that does not meet the SBA’s definition of a small
entity, and includes them in the count of small
banks.
193 Consistent with the SBA’s General Principles
of Affiliation, 13 CFR 121.103(a), FinCEN aggregates
the assets of affiliated financial institutions using
FFIEC financial data reported by bank holding
companies on forms Y–9C, Y–9LP, and Y–9SP
(available at https://www.ffiec.gov/npw/FinancialReport/FinancialDataDownload) and
ownership data (available at https://www.ffiec.gov/npw/FinancialReport/DataDownload) when
determining if an institution should be classified as
small. FinCEN uses four quarters of data reported
by holding companies, banks, and credit unions
because a ‘‘financial institution’s assets are
determined by averaging the assets reported on its
four quarterly financial statements for the preceding
year.’’ See U.S. Small Business Administration’s
Table of Size Standards, p. 44 n.8,
https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.
FinCEN recognizes that using SBA size standards to
identify small credit unions differs from the size
standards applied by the NCUA. However, for
consistency in this analysis, FinCEN applies the
SBA-defined size standards.
Table 2 summarizes the counts of
entities by category that would have
access to BOI data.

Table 2—Affected Entities

Entity Category                                             Count    Small Count
Federal agencies engaged in national security,
  intelligence, or law enforcement activities, and
  Treasury offices 1                                          202              0
State, local, and Tribal law enforcement agencies             153              0
Foreign requesters                                            N/A            N/A
Regulatory agencies 2                                          64              0
Financial institutions 3                                   16,252         14,051
Total                                                      16,671         14,051

1 This includes 186 active Federal agencies and 16 offices within the U.S. Department of the Treasury
including FinCEN.
2 This includes both State and Federal regulators of institutions subject to CDD requirements, as well as SROs.
3 This includes all financial institutions subject to CDD requirements, as summarized in Table 1.

As evidenced in Table 2, FinCEN
anticipates that as many as 16,671
different domestic agencies and
financial institutions could elect to
access BOI. Of these, FinCEN believes
the only entity category that would have
small entities affected is financial
institutions.194
194 FinCEN considered whether other entities
would be considered small entities pursuant to the
Regulatory Flexibility Act. The Regulatory
Flexibility Act’s definition of a small governmental
jurisdiction is a government of a city, county, town,
township, village, school district, or special district
with a population of less than 50,000. While State,
local, and Tribal government agencies may be
affected by the proposed rule, FinCEN does not
believe that government agencies of jurisdictions
with a population of less than 50,000 would be
included in such agencies. However, FinCEN
requests comment on this assumption.
c. Potential Costs and Benefits
Ideally, a cost-benefit analysis would
identify and monetize, with certainty,
all costs and benefits of a regulation;
this would enable policymakers to
evaluate different regulatory options by
comparing dollar amounts of costs and
benefits, and pursuing those options
with the greatest net benefits. However,
regulatory impact analyses often include
both cost and benefit components that
cannot be expressed in monetary units
with any degree of certainty. As
explained by OMB in relevant cost-benefit
guidance, simple cost-benefit
comparisons can be misleading when
the analysis cannot express important
benefits and costs in dollar terms
‘‘because the calculation of net benefits
in such cases does not provide a full
evaluation of all relevant benefits and
costs.’’ 195 FinCEN follows OMB’s
recommendation in such instances and
provides an evaluation of non-quantifiable
benefits and costs in
addition to quantified benefits and
costs.
This RIA estimates costs to the
authorized recipients for following the
proposed rule’s security and
confidentiality requirements, costs to
FinCEN for administering access to BOI,
and benefits that authorized recipients
would gain from accessing BOI. The
quantified estimates provided in this
RIA include a range of possible costs
and benefits for each type of authorized
recipient. The quantified benefits are
limited to cost savings that agencies
may obtain through accessing BOI; there
are other, non-quantified benefits that
would also be included in the agencies’
decision to request BOI. For the
purposes of estimating the overall
impact of the proposed rule, FinCEN
assumes that Federal, State, or local
agencies that access BOI would do so
only if the quantified and non-quantified
benefits at least equal the
costs, since these entities would obtain
access to BOI only if they voluntarily
request it. Therefore, FinCEN expects
that in reality the minimum net impact
to these entities would be zero, meaning
that the costs equal the benefits.
However, because many of the benefits to
such agencies are not quantifiable,
FinCEN presents in the analysis an
impact estimate that incorporates the
range of quantified costs and benefits
that FinCEN expects based in part on
outreach to agencies that are authorized
recipients of BOI.
195 Office of Management and Budget, Circular A–4:10
(Sept. 17, 2003), available at
https://obamawhitehouse.archives.gov/omb/circulars_a004_a-4.
FinCEN does not attempt to estimate
a dollar value of benefits that will
accrue to financial institutions, State
regulators or SROs as a result of the
proposed rule. In order to estimate
financial institutions’ benefits, it would
be necessary to know how access to BOI
under the proposed rule would apply to
CDD obligations, which will not be
known until FinCEN revises the 2016
CDD Rule, as the CTA requires. FinCEN
estimates a dollar value of benefits that
would accrue to Federal financial
regulatory agencies on the assumption
that these agencies would access BOI for
law enforcement activity.196 However,
FinCEN does not estimate a dollar value
of benefits accruing to State regulators
and SROs because FinCEN assumes that
their primary use of BOI would be for
examinations of financial institutions
for compliance with CDD requirements,
rather than for law enforcement activity.
In addition, FinCEN assumes that no
quantifiable benefits will accrue to
FinCEN itself as a result of
administering BOI access.
The costs in the first and subsequent
years are distributed unevenly among
the different types of Federal, State, and
local agencies. The estimated average
year 1 net impact per Federal agency is
between $8,967,600 in costs and
$2,157,165 in savings,197 per State
regulator is between $1,995 and $0.5
million in costs, per State, local and
Tribal law enforcement agency is
between $52,977,200 in costs and
$1,516,485 in savings,198 per SRO is
between $2,494 and $0.6 million in
196 See 31 U.S.C. 5336(c)(2)(B)(i)(I).
197 The maximum estimated costs in Year 1 are
$9 million per Federal agency, and the minimum
estimated benefits in Year 1 per Federal agency are
$32,400, so the maximum net cost per Federal
agency is $8,967,600 ($9,000,000 − $32,400). The
maximum estimated benefits in Year 1 per Federal
agency are $2,160,000, and the minimum estimated
costs in Year 1 per Federal agency are $2,835, so
the maximum estimated net benefit per Federal
agency is $2,157,165 ($2,160,000 − $2,835).
198 The maximum estimated costs in Year 1 are
$53 million per State, local, and Tribal law
enforcement agency, and the minimum estimated
benefits in Year 1 are $22,800 per State, local and
Tribal law enforcement agency, so the maximum net
cost per State, local, and Tribal law enforcement
agency is $52,977,200 ($53,000,000 − $22,800). The
maximum estimated benefits in Year 1 per State,
local, and Tribal law enforcement agency are
$1,520,000, and the minimum estimated cost per
State, local, and Tribal law enforcement agency is
$3,515, so the maximum estimated net benefit in
Year 1 per State, local, and Tribal law enforcement
agency is $1,516,485 ($1,520,000 − $3,515).
costs, and per financial institution is
between $12,206 and $17,695 in costs.
From year 2 and onward, the estimated
average annual net impact per Federal
agency is between $8,867,600 in costs
and $2,158,785 in savings,199 per State
regulator is between $855 and $0.4
million in costs, per State, local and
Tribal law enforcement agency is
between $52,877,200 in costs and
$1,517,625 in savings,200 per SRO is
between $1,069 and $0.5 million in costs,
and per financial institution is between
$7,456 and $9,145 in costs. Overall,
FinCEN estimates the potential overall
impact associated with the proposed
rule would be between $108.7 million
in net savings and $840.7 million in net
costs in the first year of implementation
of the rule, and then from $186.5
million in net savings to $672.0 million
in net costs on an ongoing annual
basis.201 These estimates, along with
any non-quantifiable costs and benefits,
are described in further detail within
this section.202
199 The maximum estimated costs in year 2 and
onward are $8.9 million per Federal agency, and the
minimum estimated benefits in year 2 and onward
are $32,400 per Federal agency, so the maximum
estimated net costs are $8,867,600
($8,900,000 − $32,400). The maximum estimated
benefits in year 2 and onward per Federal agency
are $2,160,000, and the minimum estimated cost
per Federal agency is $1,215, so the maximum
estimated net benefits per Federal agency are
$2,158,785 ($2,160,000 − $1,215).
200 The maximum estimated costs in year 2 and
onward are $52.9 million per State, local, and
Tribal law enforcement agency, and the minimum
estimated benefits in year 2 and onward per State,
local, and Tribal law enforcement agency are
$22,800, so the maximum estimated net costs in
years 2 and onward per State, local, and Tribal law
enforcement agency are $52,877,200
($52,900,000 − $22,800). The maximum estimated
benefits in years 2 and onward per State, local, and
Tribal law enforcement agency are $1,520,000, and
the minimum estimated costs in years 2 and
onward per State, local, and Tribal law enforcement
agency are $2,375, so the maximum estimated net
benefits in years 2 and onward per State, local, and
Tribal law enforcement agency are $1,517,625
($1,520,000 − $2,375).
201 Both here and throughout the analysis,
FinCEN estimates a range of both costs and benefits.
These ranges reflect heterogeneity across agencies
and financial institutions in terms of requirements
to access BOI, entity size, resources, existing IT
infrastructure, and investigative caseload, among
other factors. FinCEN does not know exactly what
every authorized recipient’s unique costs and
benefits would be and instead provides ranges of
the expected minimum and maximum. FinCEN
believes that providing ranges with minimums and
maximums, rather than a point estimate, such as the
median, throughout this analysis is more
appropriate given the number of factors that could
contribute to the actual cost or benefits an
authorized recipient incurs due to the proposed
rule.
202 Throughout the analysis, FinCEN rounds each
step of the calculation to the nearest whole dollar
value for smaller estimates and to the first
significant figure after the decimal for larger
estimates (in the hundreds of thousands, millions,
and billions). Performing a sensitivity analysis
where rounding is only performed in the final step
of the whole impact calculation confirms that
FinCEN’s rounding method produces a difference of
less than 0.7 percent in the magnitude of FinCEN’s
estimates, which FinCEN does not consider to be
sufficient to affect its analysis or conclusions
regarding the impact of the proposed rule.
In the analysis, FinCEN uses an
estimated compensation rate of
approximately $108 per hour for Federal
agencies and foreign requesters,
approximately $76 per hour for State,
local, and Tribal agencies, and
approximately $95 per hour for
financial institutions. This is based on
occupational wage data from the U.S.
Bureau of Labor Statistics (BLS).203 The
most recent occupational wage data
from the BLS corresponds to May 2021,
released in May 2022. To obtain these
three wage rates, FinCEN calculated the
average reported hourly wages of six
specific occupation codes assessed to be
likely authorized recipients at Federal
agencies, State, local, and Tribal
agencies, and financial
institutions.204 205 Included financial
industries were identified at the most
granular North American Industry
Classification System (NAICS) code
available and are the types of financial
institutions that are subject to regulation
under the BSA, even if these financial
institutions are not entities that are
affected by the proposed rule, including:
banks (as defined in 31 CFR
1010.100(d)); casinos; money service
businesses; broker-dealers; mutual
funds; insurance companies; futures
commission merchants and introducing
brokers in commodities; dealers in
precious metals, precious stones, or
jewels; operators of credit card systems;
and loan or finance companies. This
results in a Federal agency hourly wage
estimate of $66.78; a State, local, and
Tribal agency hourly wage estimate of
$46.70; 206 and a financial institution
hourly wage estimate of $67.23.
Multiplying these hourly wage estimates
by their corresponding benefits factor
(1.62 207 for government agencies and
1.42 208 for private industry) produces
fully loaded hourly compensation
amounts of approximately $108 for
Federal agencies, $76 for State, local,
and Tribal agencies, and $95 per hour
for financial institutions. These wage
estimates are summarized in Table 3:
203 See U.S. Bureau of Labor Statistics, National
Occupational Employment and Wage Estimates
(May 2021), available at https://www.bls.gov/oes/current/oessrci.htm.
204 To estimate government hourly wages,
FinCEN modifies the burden analysis in FinCEN’s
publication ‘‘Renewal without Change of Anti-Money
Laundering Programs for Certain Financial
Institutions.’’ See 85 FR 49418 (Aug. 13, 2020).
Specifically, FinCEN uses hourly wage data from
the following six occupations to estimate an average
hourly government employee wage: chief
executives (i.e., agency heads), first-line supervisors
of law enforcement workers, law enforcement
workers, financial examiners, lawyers and judicial
clerks, and computer and information systems
managers.
205 FinCEN uses hourly wage data for the
following occupations to estimate an average hourly
financial institution employee wage: chief
executives, financial managers, compliance officers,
and financial clerks. FinCEN also includes the
hourly wages for lawyers and judicial clerks, as
well as for computer and information systems
managers.

Table 3—Fully Loaded Wage Estimates

Entity Type                           Hourly Wage    Benefits Factor    Fully Loaded Hourly Compensation
Federal government agency 1                $66.78               1.62                                $108
State government agency                    $46.02               1.62                                 $75
Local government agency                    $47.37               1.62                                 $77
Equal weighted average for State,
  local, and Tribal agencies 2,3           $46.70               1.62                                 $76
Financial institution                      $67.23               1.42                                 $95

1 FinCEN assumes the same hourly wage estimate for foreign requesters as for Federal agencies.
2 This estimate does not include Tribal wages, as BLS does not provide any estimates for Tribal agencies.
FinCEN welcomes comment on this estimate.
3 FinCEN calculates a simple average of the hourly wage estimate of State and local agencies. Estimating
the average State and local agency hourly wage using a value-weighted approach based on the likely
proportion of State versus local agency participants using internal FinCEN BSA data produced a similar
hourly wage estimate.

1. Costs
Each of the affected entities would
have costs associated with the proposed
rule if it elects to access FinCEN’s BOI
database. The costs would vary based on
the access procedures for the authorized
recipients.209 The proposed rule would
require different access procedures for
domestic agencies, foreign requesters,
and financial institutions. FinCEN
would also incur costs for administering
access to authorized recipients.
A. Domestic Agencies
Domestic agencies must meet
multiple requirements to receive BOI.
Whether the costs of these requirements
would be one-time, ongoing, or
recurring, and whether the costs accrue
on a per-recipient or per-request basis
varies from requirement to requirement.
Additionally, some requirements are
administrative and involve the creation
of documents, while others involve IT.
To estimate the costs for meeting these
requirements, FinCEN consulted with
multiple Federal agencies and utilized
statistics regarding active entities with
BSA data access. Requirements are
summarized in Table 4, which is
followed by more detailed analysis.
Costs associated with each requirement
are summarized in Table 5, at the end
of this section.
206 To estimate a single hourly wage estimate for
State, local, and Tribal agencies, FinCEN calculated
an average of the May 2021 mean hourly wage
estimates for State government agencies and for
local government agencies (($46.02 + $47.37)/2 =
$46.70), as wages are available for both of these
types of government workers in the BLS
occupational wage data. BLS data does not include
an estimate for Tribal government workers and thus
FinCEN does not include a Tribal government
worker wage estimate in this average. FinCEN
welcomes comment on how to obtain wage
estimates for Tribal government workers.
207 The ratio between benefits and wages for State
and local government workers is $21.15 (hourly
benefits)/$34.32 (hourly wages) = 0.62, as of March
2022. The benefit factor is 1 plus the benefit/wages
ratio, or 1.62. See U.S. Bureau of Labor Statistics,
Employer Costs for Employee Compensation
Historical Listing, available at https://www.bls.gov/web/ecec/ececqrtn.pdf.
The State and local
government workers series data for March 2022 is
available at https://www.bls.gov/web/ecec/ecec-government-dataset.xlsx.
FinCEN applies the same
benefits factor to Federal workers.
208 The ratio between benefits and wages for
private industry workers is $11.42 (hourly benefits)/
$27.19 (hourly wages) = 0.42, as of March 2022. The
benefit factor is 1 plus the benefit/wages ratio, or
1.42. See U.S. Bureau of Labor Statistics, Employer
Costs for Employee Compensation: Private industry
dataset (March 2022), available at
https://www.bls.gov/web/ecec/ecec-private-dataset.xlsx.
209 The costs would also vary by institution size
and investigation caseload, but for simplicity,
FinCEN estimates an average impact by category of
authorized recipient throughout the analysis.

Table 4—Requirements for Domestic Agencies 1

#  Requirement                                         Timing                           Type
1  Enter into an agreement with FinCEN and             One-time                         Administrative
   establish standards and procedures
2  Establish and maintain a secure system to store     Ongoing                          IT
   BOI
3  Establish and maintain an auditable system of       Ongoing                          IT
   standardized records for requests
4  Restrict access to appropriate persons within the   Ongoing (Training cost is per    Administrative
   agency, all of whom must undergo training 2         recipient)
5  Conduct an annual audit and cooperate with                                           Administrative
   FinCEN’s annual audit
6  Obtain certification of standards and procedures    Semi-annual                      Administrative
   initially and then semi-annually, by the head of
   the agency
7  Provide initial and then an annual report on        Annual                           Administrative
   procedures
8  Submit written certification for each request       Ongoing (Cost is per request)    Administrative
   that it meets certain agency requirements

1 In addition to the requirements in this table, the proposed rule requires that a domestic agency shall limit, to
the greatest extent practicable, the scope of BOI it seeks. However, there is no associated cost estimated for
this requirement, and it is not included within the table.
2 While FinCEN does not assess a cost for restricting access, FinCEN assesses a cost related to the training
requirement included under this provision.

Enter into an agreement with FinCEN
and establish standards and procedures.
For requirement #1, FinCEN assumes
that domestic agencies would incur
costs during the first year of
implementation. FinCEN received the
following feedback from different
agencies on the amount of time needed
for these requirements. Agencies
described the types of activities
expected to meet these requirements in
their responses, but the feedback applies
to estimated burden for requirement #1:
• Approximately 15 to 20 hours to
formalize policies and procedures.
• Approximately 40 hours to review,
analyze and implement any unique
standards and procedures of FinCEN’s
database into the agency’s current
secure systems.
• Approximately 300 hours to draft
and shepherd standards and procedures.
Therefore, in alignment with the
feedback FinCEN received during
outreach efforts, FinCEN assumes it
would take a domestic agency, on
average, between 15 and 300 business
hours to complete this one-time task.
Using an hourly wage estimate of $108
per hour for Federal agencies results in
a one-time cost between approximately
$1,620 and $32,400 per Federal agency
((15 hours × $108 per hour = $1,620)
and (300 hours × $108 per hour =
$32,400)). Using an hourly wage
estimate of $76 per hour for State, local,
and Tribal agencies results in a one-time
cost between approximately $1,140 and
$22,800 per State, local, and Tribal
agency ((15 hours × $76 per hour =
$1,140) and (300 hours × $76 per hour
= $22,800)). To estimate aggregate costs,
FinCEN multiplies these ranges by 208
total Federal agencies 210 and 209 State,
local, and Tribal agencies,211 resulting
in a total one-time cost between
approximately $0.6 million and $11.5
million ((208 Federal agencies × $1,620
per Federal agency + 209 State, local,
and Tribal agencies × $1,140 per State,
local, and Tribal agency = $575,220) and
(208 Federal agencies × $32,400 per
Federal agency + 209 State, local, and
Tribal agencies × $22,800 per State,
local, and Tribal agency = $11,504,400)).
210 This is derived from 202 Federal law
enforcement, national security and intelligence
agencies and agency subcomponents plus six
Federal regulators.
211 This is derived from 153 State and local law
enforcement agencies plus 56 State regulators that
supervise entities with CDD obligations.
Establish and maintain a secure
system to store BOI. The cost of
requirement #2 would vary depending
on the existing IT infrastructure of the
domestic agency. Some agencies may be
able to build upon existing systems that
generally meet the security and
confidentiality requirements. Other
agencies may need to create new
systems. FinCEN received the following
feedback from outreach on this subject.
Agencies described the types of
activities expected to meet these
requirements in their responses, but the
feedback applies to estimated burden for
requirement #2:
• Approximately 60 hours to
establish a secure system for BOI, based
on the method of access. That agency
further suggested that maintaining the
secure storage system would require a
periodic review of about 4 hours to
assure system integrity.
• Approximately 300 hours to
incorporate BOI into existing
information systems. Once the system is
established, maintenance would be a
minimal additional ongoing cost.
• Approximately no cost, assuming
that the BOI would be accessed
similarly to BSA data (i.e., in a web-based system maintained by FinCEN).
This was the conclusion of multiple
agencies. One agency further noted that
this overall process would have little to
no financial impact on the agency, as
FinCEN would establish the web-based
portal, maintain the secure storage
system of the data, and develop
mechanisms to safeguard the
information contained therein from
unauthorized access.
Consistent with feedback from
agencies, FinCEN expects that certain
agencies (in particular, Federal
agencies) would bear de minimis IT
costs because Federal agencies already
have secure systems and networks in
place as well as sufficient storage
capacity in accordance with Federal
Information Security Management Act
(FISMA) standards.212 Therefore,
FinCEN assumes a range of burden for
requirement #2 in year 1 of de minimis
to 300 hours, and an ongoing burden of
de minimis to 4 hours.
Using an hourly wage estimate of
$108 per hour for Federal agencies
results in an initial cost between
approximately de minimis costs and
$32,400 (300 hours × $108 per hour =
$32,400), and $432 annually thereafter
(4 hours × $108 per hour = $432) per
Federal agency. Using an hourly wage
estimate of $76 per hour for State, local,
and Tribal agencies results in an initial
cost between approximately de minimis
costs and $22,800 (300 hours × $76 per
hour = $22,800), and $304 annually
thereafter (4 hours × $76 per hour =
$304) per State, local, and Tribal
212 Under
FISMA, Federal agencies need to
provide information security protections
commensurate with the risk and magnitude of the
harm resulting from unauthorized access, use,
disclosure, disruption, modification, or destruction
of information collected or maintained by an
agency. Federal agencies also need to comply with
the information security standards and guidelines
developed by NIST. 44 U.S.C. 3553.
agency. To estimate aggregate costs,
FinCEN multiplies these ranges by 208
total Federal agencies, and 209 State,
local, and Tribal agencies, resulting in a
total year 1 cost between approximately
de minimis and $11.5 million (208
Federal agencies × $32,400 per Federal
agency + 209 State, local, and Tribal
agencies × $22,800 per State, local, and
Tribal agency = $11,504,400). The
ongoing annual cost would be between
approximately de minimis and $0.2
million (208 Federal agencies × $432 per
Federal agency + 209 State, local, and
Tribal agencies × $304 per State, local,
and Tribal agency = $153,392).
Establish and maintain an auditable
system of standardized records for
requests. As with requirement #2, the
ongoing IT costs from requirement #3
would vary depending on the existing
IT infrastructure of the domestic agency.
FinCEN received the following feedback
from outreach on this subject. Agencies
described the types of activities
expected to meet these requirements in
their responses, but the feedback applies
to estimated burden for requirement #3:
• Approximately 60 hours would be
required to establish a storage system for
record requests that is in compliance
with both FinCEN and the agency’s
applicable policies and procedures. This
estimate includes a review of the
agency’s Memorandum of
Understanding (MOU) with FinCEN and
consultation with appropriate personnel
responsible for access to and disclosure
of such records. Additionally, the
agency suggested that maintenance of
BOI requests would require an
estimated 20 hours on an ongoing basis.
• Approximately 200 hours would be
needed to incorporate BOI into record
storage systems and minimal ongoing
cost.
• Approximately no additional costs,
as another agency noted that the cost
would already be included in the
estimate for establishing standards and
procedures, and that if BOI is treated
similarly to BSA data, there would not
be ongoing costs.
FinCEN expects that certain agencies
(in particular, Federal agencies) would
bear de minimis IT costs because
Federal agencies already have secure
systems and networks in place as well
as sufficient storage capacity in
accordance with FISMA standards.
Therefore, based on agency feedback,
FinCEN assumes a range of burden for
requirement #3 in year 1 of de minimis
to 200 hours, and an ongoing burden of
de minimis to 20 hours.
Using an hourly wage estimate of
$108 per hour for Federal agencies
results in an initial cost between
approximately de minimis costs and
$21,600 (200 hours × $108 per hour =
$21,600), and $2,160 annually thereafter
(20 hours × $108 per hour = $2,160) per
Federal agency. Using an hourly wage
estimate of $76 per hour for State, local,
and Tribal agencies results in an initial
cost between approximately de minimis
costs and $15,200 (200 hours × $76 per
hour = $15,200), and $1,520 annually
thereafter (20 hours × $76 per hour =
$1,520) per State, local, and Tribal
agency. To estimate aggregate costs,
FinCEN multiplies these ranges by 208
total Federal agencies, and 209 State,
local, and Tribal agencies, resulting in a
total year 1 cost between approximately
de minimis and $7.7 million (208
Federal agencies × $21,600 per Federal
agency + 209 State, local, and Tribal
agencies × $15,200 per State, local, and
Tribal agency = $7,669,600). The
ongoing annual cost would be between
approximately de minimis and $0.8
million (208 Federal agencies × $2,160
per Federal agency + 209 State, local,
and Tribal agencies × $1,520 per State,
local, and Tribal agency = $766,960).
Restrict access to appropriate persons
within the agency, all of whom must
undergo training. Requirement #4 notes
that employees that receive BOI access
would be required to undergo training.
The number of authorized recipients
that would have BOI access at a given
agency would vary. Using the active
entities with access to BSA data as of
January 2022 as a proxy, and consistent
with information provided by a number
of agencies, FinCEN anticipates that
each Federal agency could have
anywhere between approximately 1 and
1,600 recipients of BOI data while each
State, local, and Tribal agency could
have anywhere between 1 and 68
recipients of BOI.213
To estimate the cost of this training,
FinCEN assumes that each employee
that would access the BOI data would
be required to undergo 1 hour of
training per year.214 Using an hourly
wage estimate of $108 per hour for
Federal agencies results in an annual
cost between approximately $108 and
$172,800 ((1 employee × 1 hour × $108
per hour = $108) and (1,600 employees
× 1 hour × $108 per hour)) per Federal
agency. Using an hourly wage estimate
of $76 per hour for State, local, and
Tribal agencies results in an annual cost
213 The range provided is an estimate of the
lowest and highest number of users for Federal
agencies and for State and local agencies
respectively as of a given date in January 2022 with
access to BSA data through FinCEN’s database.
214 The assumption of one training hour is in
alignment with the current training requirement for
accessing BSA data. However, one notable
difference is that the proposed BOI training
requirement is annual, not biennial.
between approximately $76 and $5,168
((1 employee × 1 hour × $76 per hour =
$76) and (68 employees × 1 hour × $76
per hour = $5,168)) per State, local, and
Tribal agency.
To estimate the aggregate annual
costs, FinCEN uses aggregate user
counts of active BSA data users based
on internal FinCEN data from January
2022, which provides a more reasonable
estimate of the likely number of
authorized recipients than assuming the
previously estimated ranges would
apply to each domestic agency.
Therefore, based on internal data,
FinCEN expects that approximately
11,000 Federal employees and 1,800
employees of State, local, and Tribal
agencies would require annual training
to access BOI data.215 This translates
into an aggregate annual training cost of
approximately $1.3 million (11,000
Federal employees × 1 hour × $108 per
hour + 1,800 State, local, and Tribal
employees × 1 hour × $76 per hour =
$1,324,800).
Conduct an annual audit and
cooperate with FinCEN’s annual audit;
initially and then semi-annually certify
standards and procedures by the head
of the agency; annually provide a report
on procedures. Requirements #5–7 are
administrative costs that a domestic
agency would incur on an annual or
semi-annual basis. Specifically, they
require an agency to: (1) conduct an
annual audit and cooperate with
FinCEN’s annual audit; (2) certify
standards and procedures by the head of
the agency semi-annually; and (3)
provide an annual report on procedures
to FinCEN. Based on feedback from
outreach, FinCEN assumes it would take
a given agency between 10 hours and
160 hours per year to meet these three
requirements.
FinCEN received the following
feedback from domestic agencies
regarding the estimated costs of these
requirements. Agencies described the
types of activities expected to meet
these requirements in their responses,
but the feedback applies to estimated
burden for requirements #5–7:
• Approximately 40 hours would be
needed to perform an annual audit
related to compliance of standards,
215 These
estimates are based on the number of
users that directly access BSA data through
FinCEN’s internal system; there are a limited
number of other ways that users may access BSA
data, which are not accounted for here.
Furthermore, FinCEN does not estimate growth of
BOI authorized recipients throughout the 10-year
time horizon of this analysis. However, FinCEN
acknowledges that the number of BOI authorized
recipients could increase significantly after the first
year of implementation of the BOI reporting
requirements as awareness of the ability to access
and utility of BOI increases.
procedures and storage of data. Once
acceptable and verifiable procedures are
in place, annual reporting to FinCEN
would require approximately 20 hours
and an annual outlay of 30 hours to
review and proceed with internal
processes that would result in the
agency head’s semi-annual certification.
Thus, the aggregate annual estimate of
compliance burden would be
approximately 120 hours (40 hours for
audit + (2 × 30 hours for agency head
certification) + 20 hours for reporting).
• Approximately 100 hours to
conduct an annual audit by internal
auditors, 40 hours to prepare an annual
report, and 20 hours to prepare for
review and certification, totaling 160
hours.
• Approximately 0 hours to conduct
an annual audit given the assumption
that FinCEN would maintain the
database, and 10 to 20 hours for the
annual report and agency head
review.216
• Approximately 120 to 160 hours.
One agency’s liaison to FinCEN is
responsible for, among other duties,
reviewing the results of an annual audit
conducted by FinCEN relating to system
usage, and ensuring personnel are in
compliance with the policies and
procedures set forth by FinCEN.217 The
liaison spends anywhere from 120 to
160 hours each year on these duties
relating to BSA data. One agency
anticipates that a similar number of the
liaison’s hours would be attributed to
BOI, and the administrative, procedural,
or legal requirements that may come
with it.
Using an hourly wage estimate of
$108 per hour for Federal agencies
results in annual costs between
approximately $1,080 and $17,280 per
Federal agency ((10 hours × $108 per
hour = $1,080) and (160 hours × $108
per hour = $17,280)). Using an hourly
wage estimate of $76 per hour for State,
local, and Tribal agencies results in
annual costs between approximately
$760 and $12,160 per State, local, and
Tribal agency ((10 hours × $76 per hour
= $760) and (160 hours × $76 per hour
= $12,160)). To estimate annual
aggregate costs, FinCEN multiplies these
ranges by 208 total Federal agencies and
209 State, local, and Tribal agencies,
resulting in a total annual cost between
216 This estimate assumes that FinCEN would
have audit responsibilities, and the tracking of
auditable activity would be maintained by
FinCEN’s system. This is similar to the current BSA
data structure. Therefore, the agency assumes that
it would not independently bear costs related to
this audit function.
217 Additionally, the liaison disseminates
protocols to authorized personnel relating to
requesting and maintaining access to BSA data.
approximately $0.4 million and $6.1
million ((208 Federal agencies × $1,080
per Federal agency + 209 State, local,
and Tribal agencies × $760 per State,
local, and Tribal agency = $383,480) and
(208 Federal agencies × $17,280 per
Federal agency + 209 State, local, and
Tribal agencies × $12,160 per State,
local, and Tribal agency = $6,135,680)).
Submit written certification for each
request that it meets certain agency
requirements. Finally, for requirement
#8, domestic agencies are required to
submit a written certification for each
request for BOI. The written
certification would be in the form and
manner prescribed by FinCEN. FinCEN
anticipates that this certification would
be submitted to FinCEN via an
electronic form. The number of requests
for BOI that would be submitted to
FinCEN by domestic agencies in any
given year would vary.
FinCEN assumes that submitting a
request to FinCEN for BOI would take
one employee approximately 15
minutes, or 0.25 hours, per request. This
is based on FinCEN’s experience with
submitting requests for BSA data in
FinCEN Query, which similarly require
a written justification for a search
request. Certification requirements vary
by authorized recipient type under the
proposed rule.218 FinCEN expects that
requests submitted by State, local, and
Tribal law enforcement agencies would
have 20 to 30 hours of burden in
addition to the 0.25 hours of burden per
request owing to an additional
requirement that a court of competent
jurisdiction, including any officer of
such a court, issue a court authorization
for the agency to seek the information in
a criminal or civil investigation.219 For
purposes of estimating the cost of these
additional hours of burden, FinCEN
applies the hourly wage estimate for
State, local, and Tribal employees and
assumes that this cost would be
incurred by the State, local or Tribal
agency. In practice, employees within
the court system may also incur costs
related to this requirement. FinCEN
welcomes comment on the appropriate
218 While Federal and regulatory agencies must
certify that their request is related to specific
activities, State, local, and Tribal law enforcement
agencies must certify that a court of competent
jurisdiction, including any officer of such a court,
has authorized the agency to seek the information
in a criminal or civil investigation.
219 FinCEN believes a 20 to 30 hour burden
estimate for the additional requirement of obtaining
court authorization for a BOI request would reflect
the time needed for activities associated with
obtaining a court authorization. FinCEN requests
comment on whether this understanding is
accurate.
wage rate and burden for such an
estimation.
Using an hourly wage estimate of
$108 per hour for Federal employees
results in a per request cost of
approximately $27 per Federal agency
(0.25 hours × $108 per hour = $27).
Using an hourly wage estimate of $76
per hour for State, local, and Tribal
employees results in a per request cost
of approximately $19 per State and local
regulator (0.25 hours × $76 per hour =
$19) and between approximately $1,539
and $2,299 per State, local, and Tribal
law enforcement agency ((20.25 hours ×
$76 per hour = $1,539) and (30.25 hours
× $76 per hour = $2,299)).
To estimate a per agency annual cost,
FinCEN uses BSA data request statistics
from Fiscal Year 2021 as a proxy. Using
these data, FinCEN estimates that each
Federal agency could submit between 1
and 323,000 requests for BOI annually
while each State, local, and Tribal
agency could submit between 1 and
23,000 requests for BOI annually.220
Therefore, the estimated annual cost is
between $27 and $8.7 million (($27 per
request × 1 request) and ($27 per request
× 323,000 requests = $8,721,000)) per
Federal agency. The annual cost is
between $19 and $0.4 million (($19 per
request × 1 request) and ($19 per request
× 23,000 requests = $437,000)) per State
and local regulator. The annual cost is
between $1,539 and $52.9 million
(($1,539 per request × 1 request =
$1,539) and ($2,299 per request × 23,000
requests = $52,877,000)) per State, local,
220 The range is an estimate of the lowest and
highest number of BSA data requests received
through FinCEN’s database from Federal agencies
and for State and local agencies respectively during
Fiscal Year 2021.
and Tribal law enforcement agency.
FinCEN acknowledges that there is
burden associated with the requirement
to obtain a court authorization. As a
result, State, local, or Tribal law
enforcement agencies may submit fewer
requests for BOI information than
requests for BSA information, which do
not impose similar requirements.
FinCEN requests comment from such
authorities on whether this requirement
would make it less likely that they
would submit BOI requests, when
compared with BSA requests.
Using FinCEN’s internal BSA request
data as a proxy, FinCEN anticipates that
Federal agencies could submit as many
as 2 million total BOI requests annually
and that State, local, and Tribal agencies
could submit as many as 230,000 total
BOI requests annually.221 222 The
internal number of BSA requests
provides a more reasonable estimate of
the likely number of aggregate requests
than assuming the previously estimated
ranges would apply to each domestic
agency. This translates into aggregate
annual costs between $362.4 million
and $514.4 million ((2 million Federal
requests × $27 per request + 30,000
State and local regulatory requests × $19
per request + 200,000 State, local, and
Tribal law enforcement requests ×
$1,539 per request = $362,370,000) and
(2 million Federal requests × $27 per
request + 30,000 State and local
regulatory requests × $19 per request +
200,000 State, local, and Tribal law
enforcement requests × $2,299 per
request = $514,370,000)).
Table 5 presents the estimated costs to
domestic agencies, as well as SROs, for
requirements #1–8. Table 5 includes
both the per agency cost and the
aggregate costs for each requirement.
The estimated average per agency cost
in year 1 is between $2,835 and $9.0
million per Federal agency, between
$1,995 and $0.5 million per State and
local regulator, between $3,515 and $53
million per State, local, and Tribal law
enforcement agency, and between
$2,494 and $0.6 million per SRO.223 The
estimated average per agency cost each
year after the first year of
implementation is between $1,215 and
$8.9 million per Federal agency,
between $855 and $0.4 million per State
and local regulator, between $2,375 and
$52.9 million per State, local, and Tribal
law enforcement agency, and between
$1,069 and $0.5 million per SRO. The
total estimated aggregate cost to
domestic agencies in year 1 is between
$364.7 million and $553.1 million, and
then between $364.1 million and $523.3
million each year thereafter.
221 Of
the 230,000 anticipated total annual State,
local, and Tribal BOI requests, approximately
30,000 are expected from State regulators and
approximately 200,000 from State, local, and Tribal
law enforcement agencies.
222 While FinCEN does not estimate growth of
requests throughout the 10-year time horizon of this
analysis, the number of BOI requests could increase
significantly after the first years of implementation
of the BOI reporting requirements as awareness of
the ability to access and utility of BOI increases.
223 To calculate total costs to SROs, FinCEN
calculated a ratio that applied the estimated costs
to State regulators (which would have access
requirements similar to SROs) to the wage rate
estimated herein for financial institutions, since
SROs are private organizations. FinCEN requests
comment on this assessment. As noted previously,
SROs would not have direct access to the beneficial
ownership IT system, but rather may receive BOI
through re-disclosure.
Table 5—Costs to Domestic Agencies

Requirement 1: Enter into an agreement with FinCEN and establish standards and procedures
  Year 1 Cost Per Agency: $1,620 to $32,400 per Federal agency; $1,140 to $22,800 per State, local, and Tribal agency
  Years 2+ Cost Per Agency: $0
  Aggregate Costs Year 1: $0.6 million to $11.5 million
  Aggregate Costs Years 2+: $0

Requirement 2: Establish and maintain a secure system to store BOI
  Year 1 Cost Per Agency: de minimis to $32,400 per Federal agency; de minimis to $22,800 per State, local, and Tribal agency
  Years 2+ Cost Per Agency: de minimis to $432 per Federal agency; de minimis to $304 per State, local, and Tribal agency
  Aggregate Costs Year 1: de minimis to $11.5 million
  Aggregate Costs Years 2+: de minimis to $0.2 million

Requirement 3: Establish and maintain an auditable system of standardized records for requests
  Year 1 Cost Per Agency: de minimis to $21,600 per Federal agency; de minimis to $15,200 per State, local, and Tribal agency
  Years 2+ Cost Per Agency: de minimis to $2,160 per Federal agency; de minimis to $1,520 per State, local, and Tribal agency
  Aggregate Costs Year 1: de minimis to $7.7 million
  Aggregate Costs Years 2+: de minimis to $0.8 million

Requirement 4: Restrict access to appropriate persons within the agency, which specifies that each appropriate person will undergo training 1
  Year 1 Cost Per Agency: $108 to $172,800 per Federal agency; $76 to $5,168 per State, local, and Tribal agency
  Years 2+ Cost Per Agency: $108 to $172,800 per Federal agency; $76 to $5,168 per State, local, and Tribal agency
  Aggregate Costs Year 1: $1.3 million
  Aggregate Costs Years 2+: $1.3 million

Requirement 5: Conduct an annual audit and cooperate with FinCEN's annual audit
Requirement 6: Obtain certification of standards and procedures initially and then semi-annually, by the head of the agency
Requirement 7: Provide initial and then an annual report on procedures
  Year 1 Cost Per Agency (requirements 5–7): $1,080 to $17,280 per Federal agency; $760 to $12,160 per State, local, and Tribal agency
  Years 2+ Cost Per Agency (requirements 5–7): $1,080 to $17,280 per Federal agency; $760 to $12,160 per State, local, and Tribal agency
  Aggregate Costs Year 1 (requirements 5–7): $0.4 million to $6.1 million
  Aggregate Costs Years 2+ (requirements 5–7): $0.4 million to $6.1 million

Requirement 8: Submit written certification for each request that it meets certain agency requirements 2
  Year 1 Cost Per Agency: $27 to $8.7 million per Federal agency; $19 to $0.4 million per State and local regulator; $1,539 to $52.9 million per State, local, and Tribal law enforcement agency
  Years 2+ Cost Per Agency: $27 to $8.7 million per Federal agency; $19 to $0.4 million per State and local regulator; $1,539 to $52.9 million per State, local, and Tribal law enforcement agency
  Aggregate Costs Year 1: $362.4 million to $514.4 million
  Aggregate Costs Years 2+: $362.4 million to $514.4 million

Total
  Year 1 Cost Per Agency: $2,835 to $9.0 million per Federal agency; $1,995 to $0.5 million per State and local regulator; $3,515 to $53 million per State, local, and Tribal law enforcement agency; $2,494 to $0.6 million per SRO
  Years 2+ Cost Per Agency: $1,215 to $8.9 million per Federal agency; $855 to $0.4 million per State and local regulator; $2,375 to $52.9 million per State, local, and Tribal law enforcement agency; $1,069 to $0.5 million per SRO
  Aggregate Costs Year 1: $364.7 million to $553.1 million
  Aggregate Costs Years 2+: $364.1 million to $523.3 million

1 The per agency annual cost is estimated using a range of the minimum and maximum number of Federal employees and of State, local, and Tribal employees of any agency that access BSA data. The aggregate costs are estimated using the total number of Federal employees and of State, local, and Tribal employees that directly access BSA data.
2 The per agency annual cost is estimated using a range of the minimum and maximum number of requests of any agency that access BSA data. The aggregate costs are estimated using the total number of BSA data requests from Fiscal Year 2021 for Federal agencies, State and local regulators, and State, local, and Tribal law enforcement agencies.

In addition to the costs listed in Table
5, Federal agencies may incur costs
related to submitting requests on behalf
of foreign requesters. These costs are
estimated in the next section. Federal
agencies may also bear costs related to
enforcement in cases of unauthorized
disclosure and use of BOI; however,
these costs have not been estimated in
this analysis, as the level of compliance
with the proposed rule is unknown.
B. Foreign Requesters
Foreign requesters must meet
multiple requirements to receive BOI.
FinCEN does not have an estimate of the
number of foreign requesters that may
elect to request and access BOI, or
which requesters would do so under an
applicable international treaty,
agreement, or convention, or through
another channel available under the
proposed rule, and welcomes public
comment on how to estimate this
number. Foreign requesters that request
and receive BOI under an applicable
international treaty, agreement, or
convention would not have certain
requirements under the proposed rule,
given that such requesters would be
governed by standards and procedures
under the applicable international
treaty, agreement, or convention.
However, FinCEN does not differentiate
between types of foreign requesters in
this analysis, given the lack of data.
Though FinCEN is unable to estimate
aggregate costs on foreign requesters at
this time given the lack of data on the
number of foreign requesters that may
access BOI, FinCEN provides partial
cost estimates of the requirements on a
given foreign requester. Requirements
are summarized in Table 6, which is
followed by a more detailed analysis.
Costs associated with each requirement
are summarized in Table 7 at the end of
this section.
Table 6—Requirements for Foreign Requesters 1
1 | Establish standards and procedures | One-time | Administrative
2 | Establish a secure system to store BOI | Ongoing | IT
3 | Restrict access to appropriate persons within the entity, which specifies that appropriate persons will undergo training | Ongoing per requester | Administrative
4 | Provide information for each request to an intermediary Federal agency | Ongoing per request | Administrative
Establish standards and procedures.
For requirement #1, FinCEN assumes
that foreign requesters would incur
costs during the first year of
implementation. FinCEN assumes it
would take a foreign requester, on
average, between one and two full
business weeks (or, between 40 and 80
business hours) to establish standards
and procedures. This estimate is a
FinCEN assumption based on its
experience coordinating with foreign
partners. FinCEN requests comment on
the accuracy of this estimate. Using an
hourly wage estimate of $108 per hour
for Federal agencies, which FinCEN
assumes is a comparable hourly wage
estimate for foreign requesters, FinCEN
estimates this one-time cost would be
between approximately $4,320 and
$8,640 per foreign requester ((40 hours
× $108 per hour) and (80 hours × $108
per hour)). Foreign requesters that
request and receive BOI under an
applicable international treaty,
agreement, or convention would not
have this requirement under the
proposed rule, given that such
requesters would be governed by
standards and procedures under the
applicable international treaty,
agreement, or convention. However,
FinCEN does not differentiate between
types of foreign requesters in this
analysis, given the lack of data.
Establish a secure system to store BOI.
For requirement #2, the cost of the
ongoing IT requirement would vary
depending on the existing infrastructure
of the foreign requester. FinCEN
believes that foreign requesters already
have secure systems and networks in
place as well as sufficient storage
capacity, given their ongoing
coordination with the U.S. Government
on a variety of matters, which likely
adhere to applicable data security
standards. Therefore, FinCEN assumes
de minimis IT costs. FinCEN welcomes
comment on this assumption. Foreign
requesters that request and receive BOI
under an applicable international treaty,
agreement, or convention would not
have this requirement under the
proposed rule, given that such
requesters would be governed by
security standards under the applicable
international treaty, agreement, or
convention. However, FinCEN does not
differentiate between types of foreign
requesters in this analysis, given the
lack of data.
Restrict access to appropriate persons
within the agency, which specifies that
appropriate persons will undergo
training. For requirement #3, FinCEN
assumes that each foreign requester that
would access the BOI data would be
required to undergo 1 hour of training
per year. Using an estimated hourly
wage amount of $108, this results in an
annual training cost of approximately
$108 per foreign requester.
Provide information for each request
to an intermediary Federal agency. For
requirement #4, FinCEN assumes that
providing information for a BOI request
to a Federal intermediary agency would
take one foreign requester
approximately 45 minutes, or 0.75
hours, per request. This estimate is
based on FinCEN’s assumption that a
request for BOI submitted directly by a
Federal agency on its own behalf would
1 In addition to the requirements in this table, the proposed rule requires that a foreign requester shall limit, to
the greatest extent practicable, the scope of BOI it seeks. However, there is no associated cost estimated for
this requirement, and it is not included within the table.
take approximately 15 minutes; given
the additional information required for
a foreign-initiated request, FinCEN
proposes tripling that estimate for
foreign requests. Using an hourly wage
estimate of $108 per hour, this would
result in a per request cost of
approximately $81 per foreign requester
(0.75 hours × $108 per hour = $81).
Based on feedback from agencies,
FinCEN believes that the total number
of foreign requests could range between
approximately 200 and 900 per year.224
This would result in an aggregate
annual cost to foreign requesters
between approximately $16,200 and
$72,900 ((200 requests × $81 per request
= $16,200) and (900 requests × $81 per
request = $72,900)).
FinCEN also assumes that Federal
agencies that submit requests on behalf
of foreign requesters to FinCEN would
incur additional costs; FinCEN itself
expects to incur costs from the
submission of such requests. Therefore,
FinCEN estimates that BOI requests on
behalf of foreign requesters would
require approximately two hours of one
Federal employee’s time, resulting in a
cost per request of approximately $216
(2 hours × $108 per hour). This would
result in a total annual cost to Federal
agencies between approximately
$43,200 and $194,400 ((200 requests × 2
hours × $108 per hour = $43,200) and
(900 requests × 2 hours × $108 per hour
= $194,400)).
Table 7 presents the estimated costs to
foreign requesters for each of
requirements #1–4.
Table 7—Costs to Foreign Requesters 1
1 Establish standards and procedures
2 Establish a secure system to store BOI
3 Restrict access to appropriate persons within the entity, which specifies that each appropriate person will undergo training 2
4 Provide information for each request to an intermediary Federal agency 3
Total
$4,320 to $8,640
de minimis
$0
Unknown
de minimis
de minimis de minimis
$108 per
requester
$108 per
requester
Unknown
Unknown
$81 per
request
$81 per
request
$16,200 to
$72,900
$16,200 to
$72,900
$4,509 to
$8,829
$189
$16,200 to
$72,900
$16,200 to
$72,900
Unknown
1 Due
C. Financial Institutions
lotter on DSK11XQN23PROD with PROPOSALS4
Financial institutions must meet
multiple requirements to access BOI.
224 FinCEN recognizes that the number of BOI
requests from foreign requesters may be higher in
reality, as no such U.S. beneficial ownership IT
VerDate Sep<11>2014
22:00 Dec 15, 2022
Jkt 259001
Requirements are summarized in Table
8, which is followed by a more detailed
analysis. Costs associated with each
requirement are summarized in Table 9,
at the end of this section.
system currently exists. The existence of a
centralized U.S. BOI source may in fact result in a
higher number of annual requests by foreign
requesters. FinCEN welcomes comment on this
estimate.
PO 00000
Frm 00038
Fmt 4701
Sfmt 4702
E:\FR\FM\16DEP4.SGM
16DEP4
EP16DE22.027
to a lack of data on the number of potential foreign requesters that may elect to access BOI, it is not
possible to estimate the aggregate foreign requester costs from requirements #1 and #4. The per requester and
aggregate cost estimates for foreign requesters are partial, given that aggregate costs for two of the four
requirements are unknown, since FinCEN does not have an estimate of the number of foreign requesters.
FinCEN requests comment on an estimate of the number of potential foreign requesters that may request BOI.
2 While FinCEN does not assess a cost for restricting access, FinCEN assesses a cost related to the training
requirement included under this provision. Since FinCEN does not have an estimate of the number of foreign
requesters, FinCEN does not estimate an aggregate cost associated with this requirement.
3 In addition to imposing costs on foreign requesters, BOI requests from foreign requesters would impose a
burden on Federal agencies, as Federal agencies would submit such BOI requests to FinCEN on behalf of the
foreign requester. FinCEN expects Federal agencies' efforts and coordination to result in two hours of burden, or
a roximatel $216 er re uest
Table 8—Requirements for Financial Institutions 1
1 | Establish administrative and physical safeguards | One-time | Administrative
2 | Establish technical safeguards | Ongoing | IT
3 | Obtain and document customer consent | One-time | Administrative
4 | Submit written certification for each request that it meets certain requirements | Ongoing per request | Administrative
5 | Undergo training 2 | Ongoing per recipient | Administrative
1 In addition to the requirements in this table, the proposed rule requires that financial institutions shall
restrict access to BOI. However, FinCEN does not estimate a cost for this requirement, and it is not included
within the table.
2 While the proposed rule does not explicitly require training, FinCEN believes that the safeguards in the
proposed rule would require authorized recipients of BOI at these institutions to undergo training.
Additionally, FinCEN anticipates that access to the beneficial ownership IT system would be conditioned on
recipients of BOI undergoing training.
Establish administrative and physical
safeguards. For requirement #1, FinCEN
assumes that financial institutions
would incur costs during the first year
of implementation. FinCEN assumes it
would take a financial institution, on
average, between one and two full
business weeks (or, between 40 and 80
business hours) to establish
administrative and physical safeguards.
This estimate is a FinCEN assumption
based on its experience with the
financial services industry. FinCEN
requests comment on the accuracy of
this estimate. Using an hourly wage
estimate of $95 per hour for financial
institutions, FinCEN estimates this
one-time cost would be between
approximately $3,800 and $7,600 per
financial institution. To estimate
aggregate costs, FinCEN multiplies this
range by 16,252 total financial
institutions resulting in a total cost
between approximately $61.8 million
and $123.5 million (($3,800 per
institution × 16,252 financial
institutions = $61,757,600) and ($7,600
per institution × 16,252 financial
institutions = $123,515,200),
respectively)).
Establish technical safeguards. For
requirement #2, the cost of the ongoing
IT requirement would vary depending
on the existing infrastructure of the
financial institution. FinCEN believes
that most financial institutions already
have secure systems and networks in
place as well as sufficient storage
capacity, given existing requirements
with regard to protection of customers’
nonpublic personal information.225
Therefore, FinCEN assumes de minimis
IT costs. FinCEN requests comment on
this assumption.
225 As noted in the proposed rule, financial
institutions may have established information
procedures to satisfy the requirements of section
501 of the Gramm-Leach-Bliley Act, and applicable
regulations issued thereunder, with regard to the
protection of customers’ nonpublic personal
information. If a financial institution is not subject
to section 501 of the Gramm-Leach-Bliley Act, such
institutions may be required, recommended, or
authorized under applicable Federal or State law to
have similar information procedures with regard to
protection of customer information.
Obtain and document customer
consent. For requirement #3, FinCEN
assumes that financial institutions
would incur costs during the first year
of implementation due to updating
customer consent forms and processes.
Specifically, FinCEN assumes it would
take a financial institution, on average,
approximately 10 hours in year 1 to
conduct these activities. This number is
based on FinCEN’s underlying
assumption that such implementation
would involve relatively minimal
resources to update forms and
workflows. From year 2 and onward,
FinCEN believes costs associated with
obtaining and documenting customers’
consent would be negligible because
consent forms and processes have
already been established and because
this requirement is a one-time and not
a periodic requirement for a given
customer. FinCEN requests comments
from financial institutions in particular
on these assumptions. Using an hourly
wage estimate of $95 per hour for
financial institutions, FinCEN estimates
this one-time cost would be
approximately $950 per financial
institution. To estimate aggregate costs,
FinCEN multiplies this estimate by
16,252 total financial institutions,
resulting in a total cost of approximately
$15.8 million ($950 per institution ×
16,252 financial institutions =
$15,439,400).
Submit written certification for each
request that it meets certain
requirements. For requirement #4, the
written certifications would be
submitted in the form and manner
prescribed by FinCEN. FinCEN
anticipates that this certification would
be submitted to FinCEN via an
electronic form. FinCEN assumes that
submitting a request to FinCEN for BOI
would take one employee
approximately 15 minutes, or 0.25
hours, per request. For purposes of this
analysis, FinCEN assumes a range of
approximately 5 million to 6.1 million
total requests from financial institutions
per year. The minimum amount
assumes that the number of BOI
requests from financial institutions each
year would equal the number of new
entities that qualify as a ‘‘reporting
company’’ required to submit BOI. As
estimated in the final BOI reporting
rule’s RIA, this is approximately 5
million entities annually.226 The
maximum amount assumes that
financial institutions would request BOI
for each new legal entity customer at the
time of account opening, in alignment
with the 2016 CDD Rule,227 resulting in
approximately 6.1 million entities.228
For purposes of this analysis, FinCEN
assumes that financial institutions
would submit BOI requests related to
newly opened legal entity customer
accounts in alignment with the 2016
226 In the final BOI reporting rule’s RIA, the
analysis assumes 13.1 percent growth in new
entities from 2020 through 2024, and then a stable
same number of approximately 5 million new
entities each year thereafter through 2033. FinCEN
included an alternative estimate which assumed
that the rate of new entities created will grow at a
rate of approximately 13.1 percent per year from
2020 through 2033. This resulted in a new entity
annual formation estimate of 5 million in the year
of the effective date of the final BOI reporting rule
which increases to approximately 5.6 million ten
years after the effective date of the final BOI
reporting rule (2033). See 87 FR 59582 (Sept. 30,
2022).
227 The CTA requires that the 2016 CDD Rule be
revised given FinCEN’s BOI reporting and access
requirements. Therefore, this estimate and
assumption may change after that revision.
228 The 2016 CDD Rule estimated that each
financial institution with CDD requirements will
open, on average, 1.5 new legal entity accounts per
business day. The rule also assumed there are 250
business days per year, which is in alignment with
the number of business days in 2022. Therefore,
FinCEN estimates that financial institutions would
need to conduct CDD requirements for a minimum
of approximately 6.1 million legal entities per year
(16,252 financial institutions × 1.5 accounts per day
× 250 business days per year = 6,094,500 new legal
entity accounts opened per year).
CDD Rule. FinCEN requests comment,
in particular from financial institutions,
on whether this range is accurate.
Therefore, the estimated aggregate
annual cost of this requirement is
between approximately $118.8 million
and $144.7 million ((5 million total
requests × 0.25 hours per request × $95
per hour = $118,750,000) and (6.1
million total requests × 0.25 hours per
request × $95 per hour = $144,700,000),
respectively). The per institution annual
cost of requirement #3 is between
approximately $7,310 and $8,904
(($118.8 million/16,252 financial
institutions) and ($144.7 million/16,252
financial institutions), respectively).
Undergo training. Last, requirement
#5 pertains to training for individuals
that access BOI. To estimate the cost of
this training, FinCEN assumes a range of
authorized recipients per financial
institution. FinCEN believes a range is
appropriate given the variation in
institution size, complexity, and
business models across the 16,252
financial institutions. Based on feedback
from Federal agency outreach, FinCEN
assumes a minimum of one financial
institution employee and a maximum of
six financial institution employees
would undergo annual BOI training.
Using an hourly wage rate of $95 per
hour, and assuming each authorized
recipient would need to undergo one
hour of training each year, FinCEN
estimates a per institution annual
training cost between approximately
$95 and $570 ((1 employee × 1 hour ×
$95 per hour = $95) and (6 employees
× 1 hour × $95 per hour = $570)). To
estimate aggregate costs, FinCEN uses
SBA size standards and identifies
approximately 14,051 small financial
institutions and 2,201 large financial
institutions (16,252 total financial
institutions − 14,051 small financial
institutions). Furthermore, FinCEN
assumes one to two employees per small
financial institution and five to six
employees per large financial
institution.229 This results in an
estimated minimum average hourly cost
of $146 ((14,051 small institutions × 1
employee × $95 per hour + 2,201 large
institutions × 5 employees × $95 per
hour)/16,252 total financial institutions)
and a maximum average hourly cost of
$241 ((14,051 small institutions × 2
employees × $95 per hour + 2,201 large
institutions × 6 employees × $95 per
hour)/16,252 total financial
institutions). The estimated aggregate
training cost is between approximately
$2.4 million and $3.9 million per year
((14,051 small institutions × 1 employee
× 1 training hour per person × $95 per
hour + 2,201 large institutions × 5
employees × 1 hour × $95 per hour =
$2,380,320) and (14,051 small
institutions × 2 employees × 1 hour ×
$95 per hour + 2,201 large institutions
× 6 employees × 1 hour × $95 per hour
= $3,924,260)).
Table 9 presents the estimated costs to
financial institutions for each of
requirements #1–5. Table 9 illustrates
both the financial institution cost and
the aggregate cost for each requirement.
The estimated average cost per financial
institution in year 1 is between
approximately $12,206 and $17,854 and
between approximately $7,456 and
$9,304 each year thereafter. The
estimated aggregate costs from
requirements #1–5 for financial
institutions are between approximately
$198.4 million and $290.1 million in the
first year of implementation, and then
between approximately $121.2 million
and $151.2 million each year thereafter.
229 FinCEN acknowledges this number could
significantly vary across financial institutions.
FinCEN requests comment on these assumptions.
Table 9—Costs to Financial Institutions
# | Requirement | Year 1 cost per institution | Years 2+ cost per institution | Year 1 aggregate cost | Years 2+ aggregate cost
1 | Establish administrative and physical safeguards | $3,800 to $7,600 | $0 | $61.8 million to $123.5 million | $0
2 | Establish technical safeguards | de minimis | de minimis | de minimis | de minimis
3 | Obtain and document customer consent | $950 | $0 | $15.4 million | $0
4 | Submit written certification for each request that it meets certain requirements | $7,310 to $8,904 | $7,310 to $8,904 | $118.8 million to $144.7 million | $118.8 million to $144.7 million
5 | Undergo training | $146 to $241 | $146 to $241 | $2.4 million to $3.9 million | $2.4 million to $3.9 million
Total | | $12,206 to $17,695 | $7,456 to $9,145 | $198.4 million to $287.5 million | $121.2 million to $148.6 million
D. FinCEN
In addition to the costs of accessing
BOI data as a domestic agency, FinCEN
would incur costs from managing the
access of other authorized recipients. To
administer BOI access, FinCEN would
need to: develop training materials and
agreements with domestic agencies;
conduct ongoing outreach with
authorized recipients on the access
requirements and respond to inquiries
from authorized recipients; conduct
audits of authorized responsibilities;
develop procedures to review
authorized recipients’ standards and
procedures, and requests as needed; and
potentially reject requests or suspend
access if requirements are not met.
FinCEN currently administers access to
the FinCEN Query system, which
involves similar considerations;
therefore, FinCEN would build on its
experience to administer BOI access.
FinCEN would also incur an initial cost
in setting up internal processes and
procedures for administering BOI
access.230 FinCEN does not have a cost
estimate for these specific activities, but
notes that the final BOI reporting rule’s
RIA included an estimated annual
personnel cost of approximately $10
million associated with the reporting
requirements.231 FinCEN assumes that
personnel costs associated with the
access requirements would be of a
similar magnitude, and therefore
includes a $10 million annual FinCEN
cost in its total cost estimates for this
proposed rule.
230 FinCEN would also develop the beneficial
ownership IT system that allows for the varying
types of access. The costs associated with
developing and maintaining this IT system are
addressed in the final BOI reporting rule’s RIA.
231 87 FR 59578 (Sept. 30, 2022).
2. Benefits
The proposed rule would result in
benefits for authorized recipients.
Currently, authorized recipients may
obtain BOI through a variety of means;
however, the proposed rule would put
in place a system of direct and
cost-saving access to the information.
FinCEN has quantitatively estimated
such benefits in this analysis. However,
the proposed rule would also have
non-quantifiable benefits to authorized
recipients of BOI and to society more
widely. This proposed rule would
facilitate U.S. national security,
intelligence, and law enforcement
activity by providing access to BOI
which, as noted in the final BOI
reporting rule’s RIA, would make these
activities more effective and efficient.
These activities would be more effective
and efficient because the improved
ownership transparency would enhance
Federal agencies’ ability to investigate,
prosecute, and disrupt the financing of
terrorism, other transnational security
threats, and other types of domestic and
transnational financial crimes.
Additionally, Treasury would gain
efficiencies in its efforts to identify the
ownership of legal entities, resulting in
improved analysis, investigations, and
policy decisions on a variety of subjects.
The Internal Revenue Service could
obtain access to BOI for tax
administration purposes, which may
provide benefits for tax compliance.
Federal regulators may also obtain
benefits by accessing BOI in civil law
enforcement matters.
Similarly, the proposed rule would
facilitate and make more efficient
investigations by State, local, and Tribal
law enforcement agencies. Access to
BOI through FinCEN would prevent
such agencies from spending time and
resources to identify BOI. Foreign
requesters would also reap similar
benefits.
Financial institutions could gain
access to key information, including
potentially additional beneficial owners,
for their CDD processes, and State
regulatory agencies and SROs could use
BOI to supervise financial institutions’
compliance with CDD requirements.
However, FinCEN is not estimating
benefits related to these types of entities
at this time, given the pending revisions
to the CDD Rule. FinCEN anticipates
that the benefits to financial institutions
in meeting their CDD obligations, and
the benefits to regulatory agencies in
supervising financial institutions for
compliance with CDD requirements,
would be discussed in that rulemaking.
These stated benefits are in alignment
with feedback FinCEN has received
from a number of agencies as part of the
outreach efforts FinCEN conducted in
formulating the proposed rule. One
agency noted that BOI would serve as an
additional resource to investigators
because having access to BOI would
enable them to immediately identify a
subject who owns a company, which
would save time conducting additional
investigations to develop subject
identity information. A second agency
also stated access to BOI could save
time and resources. One agency noted
that the vital data would further
investigations and result in more
successful and impactful investigations.
Another agency provided similar
feedback and noted that having access
to BOI would significantly enhance
investigations and bolster any analytical
product that is prepared for the agency’s
cases; and that a central repository of
BOI would save a multitude of hours
that would otherwise be spent
researching secretary of State records,
conducting law enforcement database
queries, and/or conducting open-source
intelligence research to identify a
company’s ownership. One agency
noted that the benefit would depend
upon the scope of access.
To quantify the potential benefits to
various stakeholders of being able to
access BOI, FinCEN asked for input
from numerous agencies about cost
savings that would result from such
access; cost savings are one, but not the
sole, benefit of BOI access. One agency
estimated that, contingent upon the
nature and complexity of each
individual case’s specific need for BOI
resources, access to BOI would save as
much as approximately 300 hours
annually.232 Another agency suggested
that, with higher caseloads, having
access to BOI could save investigations
as much as thousands of hours
annually; another noted that several
hours per case would be saved by not
232 Per the agency’s feedback, this would
comprise a range between 50 and 100 investigations
utilizing BOI.
having to search multiple databases for
company information. A fourth agency
suggested that having access to BOI
could save investigations as much as
20,000 hours annually that could be
repurposed toward other tasks.
Therefore, based on this feedback,
FinCEN assumes a potential quantifiable
benefit range of cost savings between
300 and 20,000 hours annually, per
domestic agency.233 234 This is
equivalent to a per Federal agency
dollar savings between $32,400 and $2.2
million (300 hours × $108 per hour =
$32,400) and (20,000 hours × $108 per
hour = $2,160,000) and a per State,
local, and Tribal agency dollar savings
between $22,800 and $1.5 million (300
hours × $76 per hour = $22,800 and
20,000 hours × $76 per hour =
$1,520,000), depending on the number
and complexity of the investigations.
The minimum dollar value of the
benefits of the proposed rule implied by
these assumptions in Year 1 is $10.2
million ((208 Federal agencies × 300
hours per agency × $108 per hour) +
(153 State, local, and Tribal law
enforcement agencies × 300 hours per
agency × $76 per hour) = $10,227,600).
The maximum estimated aggregate
annual savings is $681.8 million ((208
Federal agencies × 20,000 hours per
agency × $108 per hour) + (153 State,
local, and Tribal law enforcement
agencies × 20,000 hours per agency ×
$76 per hour) = $681,840,000). These
estimates only pertain to cost savings
benefits; agencies could also gain other
benefits from accessing BOI, such as
investigative law enforcement value,
that are not quantified in this analysis.
Therefore, FinCEN believes the benefits
could be greater than the cost savings
estimated here.
As stated previously in the RIA,
FinCEN assumes that no Federal agency
or State, local or Tribal law enforcement
agency will access BOI unless the
benefits of doing so are at least equal to
the costs, given that BOI access is
optional. Non-quantifiable benefits
233 Regarding regulators, FinCEN assumes that the
benefit would relate to civil law enforcement
activities rather than examination activities.
234 The estimated amount of direct benefits from
reduced investigation time and resources does not
account for any potential savings to financial
institutions that access BOI. Any potential benefits
to financial institutions for accessing BOI will be
accounted for in the forthcoming CDD Rule
revision.
would be included in this
consideration, as well as the
quantifiable benefits estimated in the
analysis. In addition to the direct
benefits of saving agencies time and
money, accessing BOI would lead to
other secondary benefits, as discussed
in the final BOI reporting rule’s RIA.235
BOI would also further the missions of
the agencies to combat crime, as well as
contribute to national security,
intelligence, and law enforcement, and
other activities. Therefore, the benefits
to agencies of accessing BOI would be
more than saving costs, as it would lead
to more effective and efficient
investigations. Enabling effective and
efficient investigations would have
additional secondary benefits of making
it more difficult to launder money
through shell companies and other
entities, in turn strengthening national
security and enhancing financial system
transparency and integrity. Barriers to
money laundering encourage a more
secure economy and more economic
activity, as businesses would have more
trust in the legitimacy of new business
partners. Finally, the sharing of BOI
with foreign partners, subject to
appropriate protocols consistent with
the CTA, may further transnational
investigations, tax enforcement, and the
identification of national and
international security threats. These
secondary benefits are not accounted for
in this analysis since they are accounted
for in the final BOI reporting rule RIA.
However, these benefits cannot come to
fruition without authorized recipients
gaining access to BOI, as considered in
this proposed rulemaking. Therefore,
the benefits between the final BOI
reporting rule and this proposed rule are
inextricably linked.
3. Overall Impact
Overall, FinCEN estimates the
potential quantifiable impact of the
proposed rule could be between $108.7
million in net savings and $840.7
million in net costs in the first year of
implementation of the rule, and then
from $186.5 million in net savings to
$672.0 million in net costs on an
ongoing annual basis. Table 10
summarizes the estimated aggregate
yearly impact of the proposed rule.
235 See 87 FR 59579–59580 (Sept. 30, 2022).
Table 10—Aggregate Yearly Impact of the Proposed Rule (Dollars in millions)
Foreign requester costs
Financial institution costs
Total net cost
$0.02 to $0.07
$0.02 to $0.07
$198.4 to $287.5
$121.2 to $148.6
$10
$10
$573.1 to $850.9
$495.3 to $682.2
-($10.2 to $681.8)
-($10.2 to $681.8)
-$108.7 to $840.7
-$186.5 to $672.0
1 This estimate includes aggregate annual costs to Federal agencies engaged in law enforcement, national
security and intelligence activities, offices of the U.S. Department of the Treasury including FinCEN, State,
local, and Tribal law enforcement agencies, and both Federal and State regulators. Costs to SROs are also
included in this aggregation.
2 This estimate includes the additional aggregate annual costs between approximately $43,200 and $194,400 to
Federal agencies from submitting and coordinating BOI requests on behalf of foreign partners.
3 This includes only costs to FinCEN associated with managing the BOI database. Costs to FinCEN as an
authorized recipient of BOI are included in the domestic agencies estimates.
The estimated, quantifiable, aggregate
annual benefits of the rule, which only
reflects potential cost savings to
agencies, would be between
approximately $10.2 and $681.8
million. Likewise, FinCEN expects that
the aggregate annual quantifiable costs
of the rule would be somewhere
between approximately $573.1 and
$850.9 million in year 1, and between
approximately $495.3 and $682.2
million each year thereafter. FinCEN
believes that, in practice, entities may
choose to access BOI only if the benefits
to their operational needs, which
includes cost savings and other
non-quantifiable benefits, outweigh the costs
associated with the requirements for
accessing BOI.
Using the maximum net cost impact
estimates from Table 10 as an upper
bound of the potential impact of this
proposed rule, FinCEN determines the
present value over a 10-year horizon of
approximately $5.9 billion at the three
percent discount rate and approximately
$4.9 billion at the seven percent
discount rate.
ii. Section of Proposed Rule Regarding
FinCEN Identifier Use by Entities
The proposed rule would establish a
process through which a reporting
company may report another reporting
company’s FinCEN identifier and full
legal name in lieu of the information
otherwise required under 31 CFR
1010.380(b)(1), subject to certain
limitations. This proposed rule would
affect reporting companies that choose
to report FinCEN identifiers of another
reporting company in their BOI report.
It may also affect reporting companies’
decision on whether or not to request a
FinCEN identifier.
FinCEN considered whether the
proposed rule would result in any
additional cost to reporting companies
beyond what is estimated in the final
BOI reporting rule’s RIA.236 FinCEN
assesses that the proposed rule is
consistent with the assumption in the
final BOI reporting rule’s RIA that the
cost associated with using entities’
FinCEN identifiers is accounted for in
the BOI report cost estimates. The
proposed rule could reduce burden for
reporting companies that choose to
report another reporting company’s
FinCEN identifier because the reporting
company would provide fewer pieces of
information on the BOI report. However,
FinCEN assesses such burden reduction
is likely to be minimal relative to the
total cost of filling out and submitting
the report. Additionally, it is unknown
by FinCEN how many entities may
choose to utilize the proposed rule.
Therefore, FinCEN does not estimate
costs or benefits associated with the
proposed rule beyond what is separately
stated in the final BOI reporting rule
RIA. Similarly, FinCEN does not
include alternatives regarding this
proposed rule beyond what is included
in the final BOI reporting rule RIA.
236 The final BOI reporting rule’s RIA did not
estimate the number of reporting companies that
will obtain FinCEN identifiers. The mechanism for
reporting companies to obtain a FinCEN identifier
will be to either check a box on its initial BOI report
or submit an updated BOI report with the box
checked. Therefore, FinCEN assumed that the cost
of reporting companies obtaining FinCEN
identifiers was included in the initial BOI report
cost estimates in the final BOI reporting rule RIA.
See 87 FR 59578 (Sept. 30, 2022).
B. Regulatory Flexibility Act
The Regulatory Flexibility Act 237
(RFA) requires an agency either to
provide an initial regulatory flexibility
analysis (IRFA) with a proposed rule or
certify that the proposed rule would not
have a significant economic impact on
a substantial number of small entities.
The section of the proposed rule
regarding BOI access would apply to a
substantial number of small entities.
FinCEN has attempted to minimize the
burden to the greatest extent practicable,
but the proposed rule may nevertheless
have a significant economic impact on
small entities.
237 See 5 U.S.C. 601 et seq.
Accordingly, FinCEN has prepared an
IRFA. FinCEN welcomes comments on
all aspects of the IRFA. A final
regulatory flexibility analysis will be
conducted after consideration of
comments received. The IRFA addresses
the BOI access sections of the proposed
rule. With respect to the sections of the
proposed rule addressing the use of
FinCEN identifiers, FinCEN does not
assess any additional costs associated
with the proposed rule beyond the costs
separately considered in the final BOI
reporting rule’s RIA.238 Therefore,
FinCEN does not consider the proposed
rule’s FinCEN identifier provisions in
the following RFA calculations or
conclusions.
i. Statement of the Need for, and
Objectives of, the Proposed Rule
As previously noted, the proposed
rule is necessary to implement Section
6403 of the CTA. The purpose of the
proposed rule is to implement the
retention and disclosure requirements of
Section 6403 and to establish
appropriate protocols to protect the
security and confidentiality of the BOI.
ii. Small Entities Affected by the
Proposed Rule
To assess the number of small entities
affected by the proposed rule, FinCEN
separately considered whether any
small businesses, small organizations, or
small governmental jurisdictions, as
defined by the RFA, would be affected.
FinCEN concludes that small businesses
would be substantially affected by the
proposed rule. Each of these three
categories is discussed below within
this section.
In defining ‘‘small business,’’ the RFA
relies on the definition of ‘‘small
business concern’’ from the Small
Business Act.239 This definition is based
on size standards (either average annual
receipts or number of employees)
matched to industries.240 Assuming
maximum non-mandated participation
by small financial institutions, the
proposed rule would affect
approximately all 14,051 small financial
238 See 87 FR 59577–59578 (Sept. 30, 2022).
239 See 5 U.S.C. 601(3).
240 See U.S. Small Business Administration, Table of Small Business Size Standards Matched to North American Industry Classification System Codes (Jul. 14, 2022), available at https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.
institutions. All of these small financial
institutions would have a significant
economic impact in the first year of
implementation, which FinCEN believes
meets the threshold for a substantial
number. Therefore, FinCEN concludes
the proposed rule would have a
significant economic impact on a
substantial number of small entities.
FinCEN assumes the economic impact
on an individual small entity is
significant if the total estimated impact
in a given year is greater than 1 percent
of the small entity’s total receipts for
that year. FinCEN estimates the cost for
small financial institutions to comply
with the sections of the proposed rule
addressing BOI access would be
between approximately $12,155 and
$17,644 in year 1, and approximately
$7,405 and $9,094 annually in
subsequent years, as indicated in Table
9.241 FinCEN then compares these per
financial institution cost estimates to
the average total receipts for the
smallest size category for each type of
financial institution from the 2017
Census survey data, adjusted for
inflation.242 The analysis indicates that,
even when considering the minimum
year 1 impact of $12,155, the smallest
entities of all types of financial
institutions would incur an economic
impact that exceeds 1 percent of
receipts for that industry. Therefore,
FinCEN expects that the proposed rule
would have a significant economic
impact on a substantial number of small
entities.
In defining ‘‘small organization,’’ the
RFA generally defines it as any not-for-profit enterprise that is independently
owned and operated and is not
dominant in its field.243 FinCEN
241 The minimum and maximum costs for small
entities can be determined by using $95 (1
employee × $95 per hour) as the minimum cost for
training in Table 9 and using $190 (2 employees ×
$95 per hour) as the maximum cost for training.
242 FinCEN inflation adjusted the 2017 Census
survey data using Implicit Price Deflators for Gross
Domestic Product quarterly data from the U.S.
Bureau of Economic Analysis, available at https://
apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&
categories=survey#eyJhcHBpZCI6
MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOl
tbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5
JUEFfVGFibGVfTGlzdCIsIjEzIl0s
WyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9
ZZWFyIiwiMjAyMSJdLFsiU2NhbGUiLCIwI
l0sWyJTZXJpZXMiLCJBIl1dfQ. FinCEN estimated
an inflation factor of approximately 1.14 (the gross
domestic product deflator in the first quarter of
2017 is 107.038, while in the fourth quarter of 2021
it was 121.708; hence the inflation factor is
121.708/107.038 = 1.14). FinCEN then applied this
inflation adjustment factor of 1.14 to the 1 percent
of average annual receipts in the 2017 Census
survey data for each financial industry affected by
this proposed rule to estimate the latest inflation-adjusted dollar value threshold of 1 percent of
annual receipts.
243 5 U.S.C. 601(4).
anticipates that the proposed rule would
not affect ‘‘small organizations,’’ as
defined by the RFA.
The RFA generally defines ‘‘small
governmental jurisdiction[s]’’ as
governments of cities, counties, towns,
townships, villages, school districts, or
special districts, with a population of
less than 50,000.244 While State, local,
and Tribal government agencies may be
affected by the proposed rule, FinCEN
does not believe that government
agencies of jurisdictions with a
population of less than 50,000 would be
included in such agencies. Therefore, no
‘‘small governmental jurisdictions’’ are
expected to be affected.
iii. Compliance Requirements
Under the proposed rule, accessing
BOI is not mandatory; therefore, the
proposed rule would not impose
requirements in the strictest sense.
However, the proposed rule would
require those that wish to access BOI to
establish standards and procedures or
safeguards, and to comply with other
requirements. In particular, financial
institutions would develop and
implement administrative, technical,
and physical safeguards reasonably
designed to protect the security,
confidentiality, and integrity of BOI.
Financial institutions would also be
required to obtain and document
customer consent, as well as maintain a
record of such consent for five years
after it was last relied upon, which may
require updates to existing policies and
procedures. The proposed rule would
also require those that wish to access
BOI provide a written certification for
each BOI request, in the form and
manner prescribed by FinCEN. FinCEN
intends to provide additional detail
regarding the form and manner of BOI
requests for all categories of authorized
recipients through specific instructions
and guidance as it continues developing
the beneficial ownership IT system. To
the extent required by the PRA, FinCEN
would publish for notice and comment
any proposed information collection
associated with BOI requests.
Small entities affected by the
proposed rule, which FinCEN assesses
to be small financial institutions, would
be required to comply with these
requirements if they access BOI. FinCEN
assumes that the professional expertise
needed to comply with such
requirements already exists at small
financial institutions with CDD
obligations.
244 5 U.S.C. 601(5).
iv. Duplicative, Overlapping, or
Conflicting Federal Rules
There are no Federal rules that
directly duplicate, overlap, or conflict
with the proposed rule. The proposed
rule is closely related to FinCEN’s
recent publication of the final BOI
reporting rule.245 The final BOI
reporting rule finalizes regulations to
implement the CTA’s BOI reporting
requirements, which describe who must
file a report, what information must be
provided, and when a report is due. In
contrast, this NPRM proposes
appropriate protocols for access to and
disclosure of BOI. The final BOI
reporting rule’s RIA estimated the cost
to the public of reporting and updating
BOI and information related to FinCEN
identifiers. The final BOI reporting
rule’s RIA also estimated the cost to
FinCEN of developing and maintaining
this reporting mechanism, costs to other
government agencies as a result of
reporting requirements, and the benefits
of the requirements. FinCEN has aimed
to not duplicate costs and benefits
covered in the final BOI reporting rule
herein.
v. Significant Alternatives That Reduce
Burden on Small Entities
In considering significant alternatives
that would alter burdens on small
entities, FinCEN applies two of the
previously described alternative
scenarios to small financial institutions.
a. Reduce Training Burden
The first alternative would be to
reduce the training requirement for BOI
authorized recipients, which includes
appropriate training for authorized
recipients of BOI as well as annual
training for access to the beneficial
ownership IT system. In its analysis,
FinCEN assumes that each authorized
recipient that would access BOI would
be required to undergo one hour of
training per year.246 Here, FinCEN
considers the scenario where authorized
recipients would instead be required to
undergo one hour of training every two
years, in alignment with the current
BSA data access requirements. This
scenario could result in savings every
other year of $108 to $172,800 per
Federal agency, $76 to $5,168 per State,
local, and Tribal agency, $95 to $6,460
per SRO,247 $108 per foreign requester,
245 See 87 FR 59498 (Sept. 30, 2022).
246 The assumption of one training hour is in
alignment with the current training requirement for
accessing BSA data. However, one notable
difference is that the proposed BOI training
requirement is annual, not biennial.
247 To calculate total costs to SROs, FinCEN
calculated a ratio that applied the estimated costs
to State regulators (which would have access
and $146 to $241 per financial
institution. The aggregate savings could
be as much as $3.7 million to $5.2
million ($1.3 million total for domestic
agencies and SROs + $2.4 to $3.9
million for financial institutions) every
other year. This alternative scenario
could result in savings every other year
of approximately $95 to $190 per small
financial institution. The aggregate
savings could be as much as
approximately $1.3 million to $2.7
million (($95 × 14,051 small financial
institutions = $1,334,845) and ($190 ×
14,051 small financial institutions =
$2,669,690)) every other year. Given the
sensitive nature of the BOI data,248
FinCEN believes that maintaining an
annual training requirement for BOI
authorized recipients and access to the
beneficial ownership IT system is
necessary to protect the security and
confidentiality of the BOI.
b. Change Customer Consent
Requirement
Another alternative that FinCEN
considered is altering the customer
consent requirement for financial
institutions. Under the proposed rule,
financial institutions would be required
to obtain and document customer
consent once for a given customer.
FinCEN considered an alternative
approach in which FinCEN would
directly obtain the reporting company’s
consent. Under this scenario, financial
institutions would not need to spend
time and resources on the one-time
implementation costs of approximately
10 hours in year 1 to create consent
forms and processes. Using an hourly
wage estimate of $95 per hour for
financial institutions, FinCEN estimates
this would result in a one-time savings
per financial institution of
approximately $950. To estimate
aggregate savings under this scenario,
FinCEN multiplies this value by 16,252
financial institutions resulting in a total
savings of approximately $15.4 million
($950 per institution × 16,252 financial
institutions = $15,439,400). The cost
savings for small financial institutions
under this scenario would be
approximately $13.3 million ($950 per
institution × 14,051 small financial
institutions = $13,348,450). Though this
alternative results in a savings to
financial institutions, including small
requirements similar to SROs) to the wage rate
estimated herein for financial institutions, since
SROs are private organizations. FinCEN requests
comment on this assessment.
248 As noted in the preamble, the CTA establishes
that BOI is ‘‘sensitive information’’ and it imposes
strict confidentiality and security restrictions on the
storage, access, and use of BOI. See CTA, Section
6402(6), (7).
entities, FinCEN believes that financial
institutions are better positioned to
obtain consent—and to track consent
revocation—given their direct customer
relationships and ability to leverage
existing onboarding and account
maintenance processes. Therefore,
FinCEN decided not to propose this
alternative.
C. Paperwork Reduction Act
The reporting requirements in the
proposed rule are being submitted to
OMB for review in accordance with the
Paperwork Reduction Act of 1995
(PRA).249 Under the PRA, an agency
may not conduct or sponsor, and a
person is not required to respond to, a
collection of information unless it
displays a valid control number
assigned by OMB. Written comments
and recommendations for the proposed
information collection can be submitted
by visiting www.reginfo.gov/public/do/
PRAMain. This particular document
may be found by selecting ‘‘Currently
Under Review—Open for Public
Comments’’ or by using the search
function. Comments are welcome and
must be received by February 14, 2023.
In accordance with requirements of the
PRA, 44 U.S.C. 3506(c)(2)(A), and its
implementing regulations, 5 CFR 1320,
the following information concerns the
collection of information as it relates to
the proposed rule and is presented to
assist those persons wishing to
comment on the information collection.
The PRA analysis included herein is
for the sections of the proposed rule
relating to BOI access. It does not
include the sections of the proposed
rule addressing the use of FinCEN
identifiers for entities because FinCEN
does not assess any additional burden or
costs associated with the proposed rule
beyond the costs and burden separately
considered in the final BOI reporting
rule’s PRA analysis for BOI reports.250
Reporting and Recordkeeping
Requirements: The proposed rule would
require State, local, and Tribal agencies
and financial institutions that wish to
access BOI to conduct the following
activities: establish standards and
procedures or safeguards and undergo
annual training. Financial institutions
would also be required to obtain and
document customer consent,
maintaining a record of such consent for
five years after it was last relied upon,
which may require updates to existing
processes and creation of consent forms.
The proposed rule would also require
State, local, and Tribal agencies and
financial institutions that wish to access
249 See 44 U.S.C. 3506(c)(2)(A).
250 See 87 FR 59589–59591 (Sept. 30, 2022).
BOI to provide a written certification for
each BOI request. FinCEN intends to
provide additional detail regarding the
form and manner of BOI requests for all
categories of authorized users through
specific instructions and guidance as it
continues developing the beneficial
ownership IT system. To the extent
required by the PRA, FinCEN would
publish for notice and comment any
proposed information collection
associated with BOI requests. In
addition, the proposed rule would
require State, local, and Tribal agencies
to establish and maintain a secure
system to store BOI, as well as an
auditable system of standardized
records for requests, conduct an annual
audit, certify standards and procedures
by the agency head semi-annually, and
provide an annual report on procedures,
resulting in additional recordkeeping
and reporting requirements. Finally, the
proposed rule would require that SROs
follow the same security and
confidentiality requirements outlined
herein for State, local, and Tribal
agencies, if they obtain BOI through re-disclosure by a Federal functional
regulator or financial institution.
OMB Control Numbers: 1506–XXXX.
Frequency: As required; varies
depending on the requirement.
Description of Affected Public: State,
local and Tribal agencies, SROs, and
financial institutions with CDD
obligations, as defined in the proposed
rule. While others from Federal and
foreign requesters are able to access BOI
after meeting specific requirements,
FinCEN does not include them in the
PRA analysis because the regulations
implementing the PRA define ‘‘person’’
as an individual, partnership,
association, corporation (including
operations of government-owned
contractor-operated facilities), business
trust, or legal representative, an
organized group of individuals, a State,
territorial, tribal, or local government or
branch thereof, or a political
subdivision of a State, territory, Tribal,
or local government or a branch of a
political subdivision.251 For foreign
requesters in particular, FinCEN
251 See 5 CFR 1320.3(k).
assumes that such requests would be
made at the national level.
Estimated Number of Respondents:
16,463 entities. This total is composed
of an estimated 209 State, local, and
Tribal agencies, of which 153 are State,
local, and Tribal law enforcement
agencies and 56 are State regulatory
agencies, 2 SROs, and 16,252 financial
institutions.252 While the requirements
in the proposed rule are only imposed
on those that optionally access BOI, for
purposes of PRA burden analysis,
FinCEN assumes maximum
participation from State, local, and
Tribal agencies, SROs, and financial
institutions.
Estimated Total Annual Reporting
and Recordkeeping Burden: 253 FinCEN
estimates that during year 1 the annual
hourly burden would be 9,289,604
hours. In year 2 and onward, FinCEN
estimates that the annual hourly burden
would be 7,663,188 hours. The annual
estimated burden hours for State, local,
and Tribal entities as well as SROs is
6,261,856 hours in the first year, and
6,098,120 hours in year 2 and onward.
As shown in Table 11, the hourly
burden in year 1 for State, local, and
Tribal entities and SROs includes the
hourly burden associated with the
following requirements in the NPRM:
enter into an agreement with FinCEN
and establish standards and procedures
(Action B); establish a secure system to
store BOI (Action D); establish and
maintain an auditable system of
standardized records for requests
(Action E); submit written certification
for each request that it meets certain
requirements (Action G); restrict access
to appropriate persons within the entity
(Action H); conduct an annual audit and
cooperate with FinCEN’s annual audit
(Action I); obtain certification of
standards and procedures, initially and
then semi-annually, by the head of the
entity (Action J); and provide annual
reports on procedures (Action K). The
hourly burden in year 2 and onward for
State, local, and Tribal entities and
252 See Table 1 for the types of financial
institutions covered by this notice.
253 As previously noted, this is a partial amount
of the maximum overall burden associated with the
proposed rule given that the PRA analysis does not
include the potential burden on Federal and foreign
agencies. The full burden and cost are assessed in
the RIA cost analysis.
SROs is associated with the same
requirements as year 1, with the
exception of Action B because FinCEN
expects this action will result in costs
for these entities in year 1 only.
The annual estimated hourly burden
for financial institutions is 3,027,748
hours in the first year and 1,565,068
hours in year 2 and onward. The hourly
burden for financial institutions in year
1 is associated with the following:
establish administrative and physical
safeguards (Action A); establish
technical safeguards (Action C); obtain
and document customer consent (Action
F); submit written certification for each
request that it meets certain
requirements (Action G); and undergo
training (Action H). The hourly burden
in year 2 and onward for financial
institutions is associated only with the
requirements for Actions G and H
because FinCEN expects the other
actions will result in costs for these
entities in year 1 only.
Annual estimated burden declines in
year 2 and onward because State, local,
and Tribal agencies, SROs, and financial
institutions no longer need to complete
Actions A, B, and F, and have a lower
hourly burden for Action E. Table 11
lists the type of entity, the number of
entities, the hours per entity, and the
total hourly burden by action. For
Actions A, B, C, D, E, F, I, J, and K, the
hours per entity are the maximum of the
range estimated in the cost analysis of
the RIA. For Action G and H, the hours
per entity calculations are specified in
footnotes to Table 11. Total annual
hourly burden is calculated by
multiplying the number of entities by
the hours per entity for each action. In
each subsequent year after initial
implementation, FinCEN estimates that
the total hourly annual burden is
7,663,188 due to Actions A, B, and F
only imposing burdens in year 1 and
Actions D and E having lower annual
per entity burdens. This results in a 5-year average burden estimate of
approximately 7,988,471 hours.254
254 The 5-year average equals the sum of (Year 1
burden hours of 9,289,604 + Year 2 burden hours
of 7,663,188 + Year 3 burden hours of 7,663,188 +
Year 4 burden hours of 7,663,188 + Year 5 burden
hours of 7,663,188) divided by 5.
Table 11—Annual Hourly Burden Associated With Proposed Rule Requirements

| Action | Type of entity | Number of entities | Hours per entity | Total hourly burden |
|---|---|---|---|---|
| A. Establish administrative and physical safeguards | Financial institutions | 16,252 | 80 in Year 1; 0 in Years 2+ | 1,300,160 in Year 1; 0 in Years 2+ |
| B. Enter into an agreement with FinCEN and establish standards and procedures | State, local, and Tribal agencies and SROs | 211 | 300 in Year 1; 0 in Years 2+ | 63,300 in Year 1; 0 in Years 2+ |
| C. Establish technical safeguards | Financial institutions | 16,252 | 0 in Year 1; 0 in Years 2+ | 0 in Year 1; 0 in Years 2+ |
| D. Establish a secure system to store BOI | State, local, and Tribal agencies and SROs | 211 | 300 in Year 1; 4 in Years 2+ | 63,300 in Year 1; 844 in Years 2+ |
| E. Establish and maintain an auditable system of standardized records for requests | State, local, and Tribal agencies and SROs | 211 | 200 in Year 1; 20 in Years 2+ | 42,200 in Year 1; 4,220 in Years 2+ |
| F. Obtain and document customer consent | Financial institutions | 16,252 | 10 in Year 1; 0 in Years 2+ | 162,520 in Year 1; 0 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements¹ | Financial institutions | 16,252 | 93.8 in Year 1; 93.8 in Years 2+ | 1,524,438 in Year 1; 1,524,438 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements, including court authorization | State, local, and Tribal law enforcement | 153 | 39,542.5 in Year 1; 39,542.5 in Years 2+ | 6,050,003 in Year 1; 6,050,003 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements | State regulatory agencies and SROs | 58 | 129.3 in Year 1; 129.3 in Years 2+ | 7,499 in Year 1; 7,499 in Years 2+ |
| H. Undergo training² | Financial institutions | 16,252 | 2.5 in Year 1; 2.5 in Years 2+ | 40,630 in Year 1; 40,630 in Years 2+ |
| H. Restrict access to appropriate persons within the entity, which specifies that appropriate persons will undergo training³ | State, local, and Tribal agencies and SROs | 211 | 8.5 in Year 1; 8.5 in Years 2+ | 1,794 in Year 1; 1,794 in Years 2+ |
| I. Conduct an annual audit and cooperate with FinCEN's annual audit | State, local, and Tribal agencies and SROs | 211 | 160 in Year 1; 160 in Years 2+ | 33,760 in Year 1; 33,760 in Years 2+ |
| J. Obtain certification of standards and procedures initially and then semi-annually, by the head of the entity | State, local, and Tribal agencies and SROs | 211 | Included in I. | Included in I. |
| K. Provide initial and then an annual report on procedures | State, local, and Tribal agencies and SROs | 211 | Included in I. | Included in I. |
| Total Annual Hourly Burden | | | | 9,289,604 in Year 1; 7,663,188 in Years 2+ |

Estimated Total Annual Reporting
and Recordkeeping Cost: 255 As
described in Table 3, FinCEN calculated
the fully loaded hourly wage for each
255 As previously noted, this is a partial amount
of the maximum overall cost associated with the
proposed rule because the PRA analysis does not
include the potential cost to Federal and foreign
agencies. The full burden and cost of the rule are
assessed in the RIA analysis.
type of affected entity. Using these
estimated wages, the total cost of the
annual burden in year 1 would be
$763,745,736. In year 2 and onward,
FinCEN estimates that the total cost of
the annual burden is $612,199,760,
owing to Actions A, B, and F only
imposing burdens in year 1 and Actions
D and E having lower annual per entity
burdens. The annual estimated cost for
State, local, and Tribal agencies and
SROs is $476,109,676 in the first year
and $463,518,300 in year 2 and onward.
The annual estimated cost for financial
institutions is $287,636,060 in the first
year and $148,681,460 in year 2 and
1 For all types of entity, the hours per entity for Action G is the per entity share of the aggregate burden estimated in the RIA.
2 For financial institutions, the hours per entity for Action H equals the weighted average of the large and small financial institutions' maximum burden estimated in the RIA.
3 For State, local, and Tribal agencies and SROs, the hours per entity for Action H equals the per entity share of the aggregate burden.
Table 12—Annual Cost Associated With Proposed Rule Requirements

| Action | Type of entity | Hourly wage | Total hourly burden | Total annual cost |
|---|---|---|---|---|
| A. Establish administrative and physical safeguards | Financial institutions | $95 | 1,300,160 in Year 1; 0 in Years 2+ | $123,515,200 in Year 1; $0 in Years 2+ |
| B. Enter into an agreement with FinCEN and establish standards and procedures | State, local, and Tribal agencies | $76 | 63,300 in Year 1; 0 in Years 2+ | $4,810,800 in Year 1; $0 in Years 2+ |
| C. Establish technical safeguards | Financial institutions | $95 | 0 in Year 1; 0 in Years 2+ | $0 in Year 1; $0 in Years 2+ |
| D. Establish a secure system to store BOI | State, local, and Tribal agencies | $76 | 63,300 in Year 1; 844 in Years 2+ | $4,810,800 in Year 1; $64,144 in Years 2+ |
| E. Establish and maintain an auditable system of standardized records for requests | State, local, and Tribal agencies | $76 | 42,200 in Year 1; 4,220 in Years 2+ | $3,207,200 in Year 1; $320,720 in Years 2+ |
| F. Obtain and document customer consent | Financial institutions | $95 | 162,520 in Year 1; 0 in Years 2+ | $15,439,400 in Year 1; $0 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements | Financial institutions | $95 | 1,524,438 in Year 1; 1,524,438 in Years 2+ | $144,821,610 in Year 1; $144,821,610 in Years 2+ |

onward. The 5-year average annual cost
estimate is $642,508,955.256
256 The 5-year average equals the sum of (Year 1
costs of $763,745,736 + Year 2 costs of
$612,199,760 + Year 3 costs of $612,199,760 + Year
4 costs of $612,199,760 + Year 5 costs of
$612,199,760) divided by 5.
Table 12—Annual Cost Associated With Proposed Rule Requirements—Continued

| Action | Type of entity | Hourly wage | Total hourly burden | Total annual cost |
|---|---|---|---|---|
| G. Submit written certification for each request that it meets certain requirements, including court authorization | State, local, and Tribal law enforcement | $76 | 6,050,003 in Year 1; 6,050,003 in Years 2+ | $459,800,228 in Year 1; $459,800,228 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements | State regulatory agencies | $76 | 7,499 in Year 1; 7,499 in Years 2+ | $569,924 in Year 1; $569,924 in Years 2+ |
| H. Undergo training | Financial institutions | $95 | 40,630 in Year 1; 40,630 in Years 2+ | $3,859,850 in Year 1; $3,859,850 in Years 2+ |
| H. Restrict access to appropriate persons within the agency, which specifies that appropriate persons will undergo training | State, local, and Tribal agencies | $76 | 1,794 in Year 1; 1,794 in Years 2+ | $136,344 in Year 1; $136,344 in Years 2+ |
| I. Conduct an annual audit and cooperate with FinCEN's annual audit | State, local, and Tribal agencies | $76 | 33,760 in Year 1; 33,760 in Years 2+ | $2,565,760 in Year 1; $2,565,760 in Years 2+ |
| J. Obtain certification of standards and procedures initially and then semi-annually, by the head of the entity | State, local, and Tribal agencies | $76 | Included in I. | Included in I. |
| K. Provide initial and then an annual report on procedures | State, local, and Tribal agencies | $76 | Included in I. | Included in I. |
| Actions B, D, E, G, H, I-K | SRO | $95 | 2,196 in Year 1; 644 in Years 2+ | $208,620 in Year 1; $61,180 in Years 2+ |
| Total Annual Cost | | | | $763,745,736 in Year 1; $612,199,760 in Years 2+ |

D. Unfunded Mandates Reform Act
Section 202 of the Unfunded
Mandates Reform Act of 1995, Public
Law 104–4 (UMRA) requires that an
agency assess anticipated costs and
benefits and take certain other actions
before promulgating a rule that includes
a Federal mandate that may result in
expenditure by State, local, and Tribal
governments, in the aggregate, or by the
private sector, of $100 million or more
in any one year, adjusted for inflation.
The proposed regulations regarding
access by authorized recipients to BOI
do not include any Federal mandate for
State, local, and Tribal governments or
the private sector.257 Similarly, the
proposed regulations that address how
reporting companies would be able to
use an entity’s FinCEN identifier to
fulfill their obligations under FinCEN’s
BOI reporting requirements do not
contain a Federal mandate.
E. Questions for Comment
General Request for Comments under
the Paperwork Reduction Act:
Comments submitted in response to this
notice will be summarized and included
in the request for OMB approval. All
comments will become a matter of
public record. Comments are invited on:
(a) whether the collection of information
is necessary for the proper performance
of the functions of the agency, including
whether the information shall have
practical utility; (b) the accuracy of the
agency’s estimate of the burden of the
collection of information; (c) ways to
enhance the quality, utility, and clarity
of the information to be collected; (d)
ways to minimize the burden of the
collection of information on
respondents, including through the use
of technology; and (e) estimates of
capital or start-up costs and costs of
operation, maintenance, and purchase
of services required to provide
information.
Other Requests for Comment: In
addition, FinCEN generally invites
comment on the accuracy of FinCEN’s
regulatory analysis. FinCEN specifically
requests comment on the following,
which are mentioned in the preceding
text.
State, local, and Tribal agencies’ BOI
access estimates:
1. How many Tribal law enforcement
agencies, and how many authorized
recipients at such agencies, may access
BOI on an annual basis?
2. What is an appropriate wage
estimate for a Tribal government
worker?
257 FinCEN expects that requirements regarding
private sector access will be clarified in the
forthcoming revision of the CDD Rule.
3. Should the burden estimate for
court authorizations include the burden
on court employees? If so, what would
be the occupation code, wage, and
estimated time burden of such
employees?
4. Given the requirement to obtain
court authorization to access BOI, are
State, local, and Tribal agencies less
likely to access BOI at the rate by which
they access BSA information? If so,
what is a reasonable estimate for the
annual requests for BOI from these
agencies?
SROs’ BOI access estimates:
5. Is FinCEN’s assessment of costs to
SROs reasonable?
Foreign requesters’ BOI access
estimates:
6. How many foreign requesters may
access BOI on an annual basis, and
which requesters would do so under an
applicable international treaty,
agreement, or convention, or through
another channel available under the
proposed rule?
7. Is FinCEN’s approximation that it
would take a foreign requester, on
average, between one and two full
business weeks (or, between 40 and 80
business hours) to establish standards
and procedures accurate?
8. Is the assumption that foreign
requesters would have a de minimis IT
cost to comply with the requirements in
the proposed rule accurate?
9. Is the annual estimate of foreign
requests for BOI reasonable?
Financial institutions’ BOI access
estimates:
10. Is FinCEN’s approximation that it
would take a financial institution, on
average, between one and two full
business weeks (or, between 40 and 80
business hours) to establish
administrative and physical safeguards
accurate?
11. Is the assumption that financial
institutions would have a de minimis IT
cost to comply with the requirements in
the proposed rule accurate?
12. Is the burden estimate for
obtaining and documenting customer
consent reasonable? If not, what would
be a reasonable estimate?
13. Are the assumptions that one to
two employees per small financial
institution and five to six employees per
large institution would access BOI
reasonable? If not, what would be
reasonable estimates?
14. Is the estimated range of annual
requests from financial institutions
reasonable?
15. Are there additional categories of
burden that FinCEN should consider in
its burden estimates? If so, what are
they, and what is the estimated burden
per financial institution? Conversely, if
any of the categories of burden in the
estimates should not be included,
identify those and explain why.
Small entities’ estimates:
16. Are FinCEN’s estimates of burden
on small entities accurate, as calculated
in the IRFA? If not, why, and on what
basis should they be updated? Provide
specific sources and data for alternative
cost estimates for each category of
burden per entity.
17. Is FinCEN’s assumption that small
governmental jurisdictions are unlikely
to access BOI accurate?
FinCEN identifier analysis:
18. Is FinCEN correct in assuming that
the proposed rule would not result in
additional burden or cost to reporting
companies beyond what is estimated in
the final BOI reporting rule’s RIA?
19. How many reporting companies
are likely to use entities’ FinCEN
identifiers to comply with the BOI
reporting requirements?
List of Subjects in 31 CFR Part 1010
Administrative practice and
procedure, Aliens, Authority
delegations (Government agencies),
Banks and banking, Brokers, Business
and industry, Commodity futures,
Currency, Citizenship and
naturalization, Electronic filing, Federal
savings associations, Federal-States
relations, Federally recognized tribes,
Foreign persons, Holding companies,
Indian law, Indians, Insurance
companies, Investment advisers,
Investment companies, Investigations,
Law enforcement, Penalties, Reporting
and recordkeeping requirements, Small
businesses, Securities, Terrorism, Tribal
government, Time.
Authority and Issuance
For the reasons set forth in the
Supplementary Information, FinCEN
proposes to amend part 1010 of chapter
X of title 31 of the Code of Federal
Regulations, as amended September 30,
2022, at 87 FR 59498, effective January
1, 2024, as follows:
PART 1010—GENERAL PROVISIONS
■ 1. The authority citation for part 1010
continues to read as follows:
Authority: 12 U.S.C. 1829b and 1951–
1959; 31 U.S.C. 5311–5314 and 5316–5336;
title III, sec. 314, Pub. L. 107–56, 115 Stat.
307; sec. 2006, Pub. L. 114–41, 129 Stat. 458–
459; sec. 701, Pub. L. 114–74, 129 Stat. 599.
■ 2. In § 1010.380, add paragraph
(b)(4)(ii)(B) to read as follows:
§ 1010.380 Reports of beneficial
ownership information.
* * * * *
(b) * * *
(4) * * *
(ii) * * *
(B) A reporting company may report
another entity’s FinCEN identifier and
full legal name in lieu of the
information required under paragraph
(b)(1) of this section with respect to the
beneficial owners of the reporting
company only if:
(1) The entity has obtained a FinCEN
identifier and provided that FinCEN
identifier to the reporting company;
(2) An individual is or may be a
beneficial owner of the reporting
company by virtue of an interest in the
reporting company that the individual
holds through the entity; and
(3) The beneficial owners of the entity
and of the reporting company are the
same individuals.
* * * * *
■ 4. In § 1010.950, revise the section
heading and paragraph (a) to read as
follows:
§ 1010.950 Availability of information—general.
(a) The Secretary has the discretion to
disclose information reported under this
chapter, other than information reported
pursuant to § 1010.380, for any reason
consistent with the purposes of the
Bank Secrecy Act, including those set
forth in paragraphs (b) through (d) of
this section. FinCEN may disclose
information reported pursuant to
§ 1010.380 only as set forth in
§ 1010.955, and paragraphs (b) through
(f) of this section shall not apply to the
disclosure of such information.
* * * * *
■ 5. Add § 1010.955 to read as follows:
§ 1010.955 Availability of beneficial
ownership information reported under this
part.
(a) Prohibition on disclosure. Except
as authorized in paragraphs (b), (c), and
(d) of this section, information reported
to FinCEN pursuant to § 1010.380 is
confidential and shall not be disclosed
by any individual who receives such
information as—
(1) An officer, employee, contractor,
or agent of the United States;
(2) An officer, employee, contractor,
or agent of any State, local, or Tribal
agency; or
(3) A director, officer, employee,
contractor, or agent of any financial
institution.
(b) Disclosure of information by
FinCEN—(1) Disclosure to Federal
agencies for use in furtherance of
national security, intelligence, or law
enforcement activity. Upon receipt of a
request from a Federal agency engaged
in national security, intelligence, or law
enforcement activity for information to
be used in furtherance of such activity,
FinCEN may disclose information
reported pursuant to § 1010.380 to such
agency. For purposes of this section—
(i) National security activity includes
activity pertaining to the national
defense or foreign relations of the
United States, as well as activity to
protect against threats to the safety and
security of the United States;
(ii) Intelligence activity includes all
activities conducted by elements of the
United States Intelligence Community
that are authorized pursuant to
Executive Order 12333, as amended, or
any succeeding executive order; and
(iii) Law enforcement activity
includes investigative and enforcement
activities relating to civil or criminal
violations of law. Such activity does not
include the routine supervision or
examination of a financial institution by
a Federal regulatory agency with
authority described in (b)(4)(ii)(A) of
this section.
(2) Disclosure to State, local, and
Tribal law enforcement agencies for use
in criminal or civil investigations. Upon
receipt of a request from a State, local,
or Tribal law enforcement agency for
information to be used in a criminal or
civil investigation, FinCEN may disclose
information reported pursuant to
§ 1010.380 to such agency if a court of
competent jurisdiction has authorized
the agency to seek the information in a
criminal or civil investigation. For
purposes of this section—
(i) A court of competent jurisdiction
is any court with jurisdiction over the
investigation for which a State, local, or
Tribal law enforcement agency requests
information under this paragraph.
(ii) A State, local, or Tribal law
enforcement agency is an agency of a
State, local, or Tribal government that is
authorized by law to engage in the
investigation or enforcement of civil or
criminal violations of law.
(3) Disclosure for use in furtherance of
foreign national security, intelligence, or
law enforcement activity. Upon receipt
of a request from a Federal agency on
behalf of a law enforcement agency,
prosecutor, or judge of another country,
or on behalf of a foreign central
authority or foreign competent authority
(or like designation) under an applicable
international treaty, agreement, or
convention, FinCEN may disclose
information reported pursuant to
§ 1010.380 to such Federal agency for
transmission to the foreign law
enforcement agency, prosecutor, judge,
foreign central authority, or foreign
competent authority who initiated the
request, provided that:
(i) The request is for assistance in a
law enforcement investigation or
prosecution, or for a national security or
intelligence activity, that is authorized
under the laws of the foreign country;
and
(ii) The request is:
(A) Made under an international
treaty, agreement, or convention, or;
(B) When no such treaty, agreement,
or convention is available, is an official
request by a law enforcement, judicial,
or prosecutorial authority of a trusted
foreign country.
(4) Disclosure to facilitate compliance
with customer due diligence
requirements—(i) Financial institutions.
Upon receipt of a request from a
financial institution subject to customer
due diligence requirements under
applicable law for information to be
used in facilitating such compliance,
FinCEN may disclose information
reported pursuant to § 1010.380 to such
financial institution, provided each
reporting company that reported such
information consents to such disclosure.
For purposes of this section, customer
due diligence requirements under
applicable law are the beneficial
ownership requirements for legal entity
customers at § 1010.230, as those
requirements may be amended or
superseded.
(ii) Regulatory agencies. Upon receipt
of a request by a Federal functional
regulator or other appropriate regulatory
agency, FinCEN shall disclose to such
agency any information disclosed to a
financial institution pursuant to
paragraph (b)(4)(i) of this section if the
agency—
(A) Is authorized by law to assess,
supervise, enforce, or otherwise
determine the compliance of such
financial institution with customer due
diligence requirements under applicable
law;
(B) Will use the information solely for
the purpose of conducting the
assessment, supervision, or authorized
investigation or activity described in
paragraph (b)(4)(ii)(A) of this section;
and
(C) Has entered into an agreement
with FinCEN providing for appropriate
protocols governing the safekeeping of
the information.
(5) Disclosure to officers or employees
of the Department of the Treasury.
Consistent with procedures and
safeguards established by the
Secretary—
(i) Information reported pursuant to
§ 1010.380 shall be accessible for
inspection or disclosure to officers and
employees of the Department of the
Treasury whose official duties the
Secretary determines require such
inspection or disclosure.
(ii) Officers and employees of the
Department of the Treasury may obtain
information reported pursuant to
§ 1010.380 for tax administration as
defined in 26 U.S.C. 6103(b)(4).
(c) Use of information—(1) Use of
information by authorized recipients.
Unless otherwise authorized by FinCEN,
any person who receives information
disclosed by FinCEN under paragraph
(b) of this section shall use such
information only for the particular
purpose or activity for which such
information was disclosed. A Federal
agency that receives information
pursuant to paragraph (b)(3) of this
section shall only use it to facilitate a
response to a request for assistance
pursuant to that paragraph.
(2) Disclosure of information by
authorized recipients. (i) Any officer,
employee, contractor, or agent of a
requesting agency who receives
information disclosed by FinCEN
pursuant to a request under paragraph
(b)(1) or (2) or (b)(4)(ii) of this section
may disclose such information to
another officer, employee, contractor, or
agent of the same requesting agency for
the particular purpose or activity for
which such information was requested,
consistent with the requirements of
paragraph (d)(1)(i)(F) of this section, as
applicable. Any officer, employee,
contractor, or agent of the U.S.
Department of the Treasury who
receives information disclosed by
FinCEN pursuant to a request under
paragraph (b)(5) of this section may
disclose such information to another
Treasury officer, employee, contractor,
or agent for the particular purpose or
activity for which such information was
requested consistent with internal
Treasury policies, procedures, orders or
directives.
(ii) Any director, officer, employee,
contractor, or agent of a financial
institution who receives information
disclosed by FinCEN pursuant to a
request under paragraph (b)(4)(i) of this
section may disclose such information
to another director, officer, employee,
contractor, or agent within the United
States of the same financial institution
for the particular purpose or activity for
which such information was requested,
consistent with the requirements of
paragraph (d)(2) of this section.
(iii) Any director, officer, employee,
contractor, or agent of a financial
institution that receives information
disclosed by FinCEN pursuant to
paragraph (b)(4)(i) of this section may
disclose such information to the
financial institution’s Federal functional
regulator, a self-regulatory organization
that is registered with or designated by
a Federal functional regulator pursuant
to Federal statute, or other appropriate
regulatory agency, provided that the
Federal functional regulator, self-regulatory organization, or other
appropriate regulatory agency meets the
requirements identified in paragraphs
(b)(4)(ii)(A) through (C) of this section.
A financial institution may rely on a
Federal functional regulator, self-regulatory organization, or other
appropriate regulatory agency’s
representation that it meets the
requirements.
(iv) Any officer, employee, contractor,
or agent of a Federal functional
regulator that receives information
disclosed by FinCEN pursuant to
paragraph (b)(4)(ii) of this section may
disclose such information to a self-regulatory organization that is registered
with or designated by the Federal
functional regulator, provided that the
self-regulatory organization meets the
requirements of paragraphs (b)(4)(ii)(A)
through (C) of this section.
(v) Any officer, employee, contractor,
or agent of a Federal agency that
receives information from FinCEN
pursuant to a request made under
paragraph (b)(3) of this section may
disclose such information to the foreign
person on whose behalf the Federal
agency made the request.
(vi) Any officer, employee, contractor,
or agent of a Federal agency engaged in
a national security, intelligence, or law
enforcement activity, or any officer,
employee, contractor, or agent of a State,
local, or Tribal law enforcement agency,
may disclose information reported
pursuant to § 1010.380 that it has
obtained directly from FinCEN pursuant
to a request under paragraph (b)(1) or (2)
of this section to a court of competent
jurisdiction or parties to a civil or
criminal proceeding.
(vii) Any officer, employee,
contractor, or agent of a requesting
agency who receives information
disclosed by FinCEN pursuant to a
request under paragraph (b)(1), (b)(4)(ii),
or (b)(5) of this section may disclose
such information to any officer,
employee, contractor, or agent of the
United States Department of Justice for
purposes of making a referral to the
Department of Justice or for use in
litigation related to the activity for
which the requesting agency requested
the information.
(viii) A law enforcement agency,
prosecutor, judge, foreign central
authority, or foreign competent
authority of another country that
receives information from a Federal
agency pursuant to a request under
paragraph (b)(3)(ii)(A) of this section
may disclose and use such information
consistent with the international treaty,
agreement, or convention under which
the request was made.
(ix) Except as described in this
paragraph (c)(2), any information
disclosed by FinCEN under paragraph
(b) of this section shall not be further
disclosed to any other person for any
purpose without the prior written
consent of FinCEN, or as authorized by
applicable protocols or guidance that
FinCEN may issue. FinCEN may
authorize persons to disclose
information obtained pursuant to
paragraph (b) of this section in
furtherance of a purpose or activity
described in that paragraph.
(d) Security and confidentiality
requirements—(1) Security and
confidentiality requirements for
domestic agencies—(i) General
requirements. To receive information
under paragraph (b)(1), (2), or (3) or
(b)(4)(ii) of this section, a Federal, State,
local, or Tribal agency shall satisfy the
following requirements:
(A) Agreement. The agency shall enter
into an agreement with FinCEN
specifying the standards, procedures,
and systems to be maintained by the
agency, and any other requirements
FinCEN may specify, to protect the
security and confidentiality of such
information. Agreements shall include,
at a minimum, descriptions of the
information to which an agency will
have access, specific limitations on
electronic access to that information,
discretionary conditions of access,
requirements and limitations related to
re-disclosure, audit and inspection
requirements, and security plans
outlining requirements and standards
for personnel security, physical
security, and computer security.
(B) Standards and procedures. The
agency shall establish standards and
procedures to protect the security and
confidentiality of such information,
including procedures for training
agency personnel on the appropriate
handling and safeguarding of such
information. The head of the agency, on
a non-delegable basis, shall approve
these standards and procedures.
(C) Initial report and certification. The
agency shall provide FinCEN a report
that describes the standards and
procedures established pursuant to
paragraph (d)(1)(i)(B) of this section and
that includes a certification by the head
of the agency, on a non-delegable basis,
that the standards and procedures
implement the requirements of this
paragraph (d)(1).
(D) Secure system for beneficial
ownership information storage. The
agency shall establish and maintain a
secure system in which such
information shall be stored, that
complies with information security
standards prescribed by FinCEN.
(E) Auditability. The agency shall
establish and maintain a permanent,
auditable system of standardized
records for requests pursuant to
paragraph (b) of this section, including,
for each request, the date of the request,
the name of the individual who makes
the request, the reason for the request,
any disclosure of such information
made by or to the requesting agency,
and information or references to such
information sufficient to reconstruct the
justification for the request.
(F) Restrictions on personnel access to
information. The agency shall restrict
access to information obtained from
FinCEN pursuant to this section to
personnel—
(1) Who are directly engaged in the
activity for which the information was
requested;
(2) Whose duties or responsibilities
require such access;
(3) Who have received training
pursuant to paragraph (d)(1)(i)(B) of this
section or have obtained the information
requested directly from persons who
both received such training and
received the information directly from
FinCEN;
(4) Who use appropriate identity
verification mechanisms to obtain
access to the information; and
(5) Who are authorized by agreement
between the agency and FinCEN to
access the information.
(G) Audit requirements. The agency
shall:
(1) Conduct an annual audit to verify
that information obtained from FinCEN
pursuant to this section has been
accessed and used appropriately and in
accordance with the standards and
procedures established pursuant to
paragraph (d)(1)(i)(B) of this section;
(2) Provide the results of that audit to
FinCEN upon request; and
(3) Cooperate with FinCEN’s annual
audit of the adherence of agencies to the
requirements established under this
paragraph to ensure that agencies are
requesting and using the information
obtained under this section
appropriately, including by promptly
providing any information FinCEN
requests in support of its annual audit.
(H) Semi-annual certification. The
head of the agency, on a non-delegable
basis, shall certify to FinCEN semi-annually that the agency’s standards
and procedures established pursuant to
paragraph (d)(1)(i)(B) of this section are
in compliance with the requirements of
this paragraph (d)(1). One of the semi-annual certifications may be included in
the annual report required under
paragraph (d)(1)(i)(I) of this section.
(I) Annual report on procedures. The
agency shall provide FinCEN a report
annually that describes the standards
and procedures that the agency uses to
ensure the security and confidentiality
of any information received pursuant to
paragraph (b) of this section.
(ii) Requirements for requests for
disclosure. A Federal, State, local, or
Tribal agency that makes a request
under paragraph (b)(1), (2), or (3) or
(b)(4)(ii) of this section shall satisfy the
following requirements in connection
with each request that it makes and in
connection with all such information it
receives.
(A) Minimization. The requesting
agency shall limit, to the greatest extent
practicable, the scope of such
information it seeks, consistent with the
agency’s purposes for seeking such
information.
(B) Certifications and other
requirements. (1) The head of a Federal
agency that makes a request under
paragraph (b)(1) of this section or their
designee shall make a written
certification to FinCEN, in the form and
manner as FinCEN shall prescribe, that:
(i) The agency is engaged in a national
security, intelligence, or law
enforcement activity; and
(ii) The information requested is for
use in furtherance of such activity,
setting forth specific reasons why the
requested information is relevant to the
activity.
(2) The head of a State, local, or Tribal
agency, or their designee, who makes a
request under paragraph (b)(2) of this
section shall submit to FinCEN, in the
form and manner as FinCEN shall
prescribe:
(i) A copy of a court order from a
court of competent jurisdiction
authorizing the agency to seek the
information in a criminal or civil
investigation; and
(ii) A written justification that sets
forth specific reasons why the requested
information is relevant to the criminal
or civil investigation.
(3) The head of a Federal agency, or
their designee, who makes a request
under paragraph (b)(3)(ii)(A) of this
section shall:
(i) Retain for its records the request for
information under the applicable
international treaty, agreement, or
convention;
(ii) Submit to FinCEN, in the form and
manner as FinCEN shall prescribe: the
name, title, email address, and
telephone number for the individual
from the Federal agency making the
request; the name, title, agency, and
country of the foreign person on whose
behalf the Federal agency is making the
request; the title and date of the
international treaty, agreement, or
convention under which the request is
being made; and a certification that the
information is for use in furtherance of
a law enforcement investigation or
prosecution, or for a national security or
intelligence activity, that is authorized
under the laws of the relevant foreign
country.
(4) The head of a Federal agency, or
their designee, who makes a request
under paragraph (b)(3)(ii)(B) of this
section shall submit to FinCEN, in the
form and manner as FinCEN shall
prescribe:
(i) A written explanation of the
specific purpose for which the foreign
person is seeking information under
paragraph (b)(3)(ii)(B) of this section,
along with an accompanying
certification that the information is for
use in furtherance of a law enforcement
investigation or prosecution, or for a
national security or intelligence activity,
that is authorized under the laws of the
relevant foreign country; will be used
only for the particular purpose or
activity for which it is requested; and
will be handled consistent with the
requirements of paragraph (d)(3) of this
section;
(ii) The name, title, email address, and
telephone number for the individual
from the Federal agency making the
request;
(iii) The name, title, agency, and
country of the foreign person on whose
behalf the Federal agency is making the
request; and
(iv) Any other information that
FinCEN requests in order to evaluate the
request.
(5) The head of a Federal functional
regulator or other appropriate regulatory
agency, or their designee, who makes a
request under paragraph (b)(4)(ii) of this
section shall make a written
certification to FinCEN, in the form and
manner as FinCEN shall prescribe, that:
(i) The agency is authorized by law to
assess, supervise, enforce, or otherwise
determine the compliance of a relevant
financial institution with customer due
diligence requirements under applicable
law; and
(ii) The agency will use the
information solely for the purpose of
conducting the assessment, supervision,
or authorized investigation or activity
described in paragraph (b)(4)(ii)(A) of
this section.
(2) Security and confidentiality
requirements for financial institutions.
To receive information under paragraph
(b)(4)(i) of this section, a financial
institution shall satisfy the following
requirements:
(i) Restrictions on personnel access to
information. The financial institution
shall restrict access to information
obtained from FinCEN under paragraph
(b)(4)(i) of this section to directors,
officers, employees, contractors, and
agents within the United States.
(ii) Safeguards. The financial
institution shall develop and implement
administrative, technical, and physical
safeguards reasonably designed to
protect the security, confidentiality, and
integrity of such information. The
requirements of this paragraph (d)(2)(i)
of this section shall be deemed satisfied
to the extent that a financial institution:
(A) Applies such information
procedures that the institution has
established to satisfy the requirements
of section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), and
applicable regulations issued
thereunder, with regard to the
protection of its customers’ nonpublic
personal information, modified as
needed to account for any unique
requirements imposed under this
section; or
(B) If it is not subject to section 501
of the Gramm-Leach-Bliley Act, applies
such information procedures with
regard to the protection of its customers’
nonpublic personal information that are
required, recommended, or authorized
under applicable Federal or State law
and are at least as protective of the
security and confidentiality of customer
information as procedures that satisfy
the standards of section 501 of the
Gramm-Leach-Bliley Act.
(iii) Consent to obtain information.
Before making a request for information
regarding a reporting company under
paragraph (b)(4)(i) of this section, the
financial institution shall obtain and
document the consent of the reporting
company to request such information.
The documentation of the reporting
company’s consent shall be maintained
for 5 years after it is last relied upon in
connection with a request for
information under paragraph (b)(4)(i) of
this section.
(iv) Certification. For each request for
information regarding a reporting
company under paragraph (b)(4)(i) of
this section, the financial institution
shall make a written certification to
FinCEN that it:
(A) Is requesting the information to
facilitate its compliance with customer
due diligence requirements under
applicable law;
(B) Has obtained the written consent
of the reporting company to request the
information from FinCEN; and
(C) Has fulfilled all other
requirements of paragraph (d)(2) of this
section.
(3) Security and confidentiality
requirements for foreign recipients of
information. (i) To receive information
under paragraph (b)(3)(ii)(A) of this
section, a foreign person on whose
behalf a Federal agency made the
request under that paragraph shall
comply with all applicable handling,
disclosure, and use requirements of the
international treaty, agreement, or
convention under which the request
was made.
(i) To receive information under
paragraph (b)(3)(ii)(B) of this section, a
foreign person on whose behalf a
Federal agency made the request under
that paragraph shall ensure that the
following requirements are satisfied:
(A) Standards and procedures. A
foreign person who receives information
pursuant to paragraph (b)(3)(ii)(B) of
this section shall establish standards
and procedures to protect the security
and confidentiality of such information,
including procedures for training
personnel who will have access to it on
the appropriate handling and
safeguarding of such information.
(B) Secure system for beneficial
ownership information storage. Such
information shall be maintained in a
secure system that complies with the
security standards the foreign person
applies to the most sensitive
unclassified information it handles.
(C) Minimization. To the greatest
extent practicable, the scope of
information sought shall be limited,
consistent with the purposes for seeking
such information.
(D) Restrictions on personnel access
to information. Access to such
information shall be limited to
persons—
(1) Who are directly engaged in the
activity described in paragraph (b)(3) of
this section for which the information
was requested;
(2) Whose duties or responsibilities
require such access; and
(3) Who have undergone training on
the appropriate handling and
safeguarding of information obtained
pursuant to this section.
(e) Administration of requests—(1)
Form and manner of requests. Requests
for information under paragraph (b) of
this section shall be submitted to
FinCEN in such form and manner as
FinCEN shall prescribe.
(2) Rejection of requests. (i) FinCEN
will reject a request under paragraph
(b)(4) of this section, and may reject any
other request made pursuant to this
section, if such request is not submitted
in the form and manner prescribed by
FinCEN.
(ii) FinCEN may reject any request, or
otherwise decline to disclose any
information in response to a request
made under this section, if FinCEN, in
its sole discretion, finds that, with
respect to the request:
(A) The requester has failed to meet
any requirement of this section;
(B) The information is being requested
for an unlawful purpose; or
(C) Other good cause exists to deny
the request.
(3) Suspension of access. (i) FinCEN
may permanently debar or temporarily
suspend, for any period of time, any
requesting party from receiving or
accessing information under paragraph
(b) of this section if FinCEN, in its sole
discretion, finds that:
(A) The requesting party has failed to
meet any requirement of this section;
(B) The requesting party has requested
information for an unlawful purpose; or
(C) Other good cause exists for such
debarment or suspension.
(ii) FinCEN may reinstate the access
of any requester that has been
suspended or debarred under this
paragraph (e)(3) upon satisfaction of any
terms or conditions that FinCEN deems
appropriate.
(f) Violations—(1) Unauthorized
disclosure or use. Except as authorized
by this section, it shall be unlawful for
any person to knowingly disclose, or
knowingly use, the beneficial ownership
information obtained by the person,
directly or indirectly, through:
(i) A report submitted to FinCEN
under § 1010.380; or
(ii) A disclosure made by FinCEN
pursuant to paragraph (b) of this section.
(2) For purposes of paragraph (f)(1) of
this section, unauthorized use shall
include accessing information without
authorization, and shall include any
violation of the requirements described
in paragraph (d) of this section in
connection with any access.
Himamauli Das,
Acting Director, Financial Crimes
Enforcement Network.
[FR Doc. 2022–27031 Filed 12–15–22; 8:45 am]
BILLING CODE 4810–02–P
[Federal Register Volume 87, Number 241 (Friday, December 16, 2022)]
[Proposed Rules]
[Pages 77404-77457]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-27031]
Part VI
Department of the Treasury
-----------------------------------------------------------------------
Financial Crimes Enforcement Network
-----------------------------------------------------------------------
31 CFR Part 1010
Beneficial Ownership Information Access and Safeguards, and Use of
FinCEN Identifiers for Entities; Proposed Rule
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Part 1010
RIN 1506-AB59
RIN 1506-AB49
Beneficial Ownership Information Access and Safeguards, and Use
of FinCEN Identifiers for Entities
AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.
ACTION: Notice of proposed rulemaking (NPRM).
-----------------------------------------------------------------------
SUMMARY: FinCEN is promulgating proposed regulations regarding access
by authorized recipients to beneficial ownership information (BOI) that
will be reported to FinCEN pursuant to Section 6403 of the Corporate
Transparency Act (CTA), enacted into law as part of the Anti-Money
Laundering Act of 2020 (AML Act), which is itself part of the National
Defense Authorization Act for Fiscal Year 2021 (NDAA). The proposed
regulations would implement the strict protocols on security and
confidentiality required by the CTA to protect sensitive personally
identifiable information (PII) reported to FinCEN. The NPRM explains
the circumstances in which specified recipients would have access to
BOI and outlines data protection protocols and oversight mechanisms
applicable to each recipient category. The disclosure of BOI to
authorized recipients in accordance with appropriate protocols and
oversight will help law enforcement and national security agencies
prevent and combat money laundering, terrorist financing, tax fraud,
and other illicit activity, as well as protect national security.
FinCEN is also proposing regulations to specify when and how reporting
companies can use FinCEN identifiers to report the BOI of entities.
DATES: Written comments on this proposed rule may be submitted on or
before February 14, 2023.
ADDRESSES: Comments may be submitted by any of the following methods:
• Federal E-rulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments. Refer to Docket Number
FINCEN-2021-0005 and RIN 1506-AB49/AB59.
• Mail: Policy Division, Financial Crimes Enforcement
Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number
FINCEN-2021-0005 and RIN 1506-AB49/AB59.
FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section
at 1-800-767-2825 or electronically at [email protected].
SUPPLEMENTARY INFORMATION:
I. Executive Summary
These proposed regulations would implement the provisions in the
CTA, codified at 31 U.S.C. 5336(c),\1\ that authorize certain
recipients to receive disclosures of identifying information associated
with reporting companies, their beneficial owners, and their company
applicants (together, BOI). The CTA requires reporting companies to
report BOI to FinCEN pursuant to 31 U.S.C. 5336(b). This NPRM reflects
FinCEN's careful consideration of public comments, including those
received in response to an advance notice of proposed rulemaking
(ANPRM) \2\ on the implementation of the CTA, and in response to an
NPRM regarding BOI reporting requirements (Reporting NPRM).\3\ This
NPRM also reflects FinCEN's understanding of the critical need for the
highest standard of security and confidentiality protocols to maintain
confidence in the U.S. government's ability to protect sensitive
information while achieving the objective of the CTA--establishing a
database of beneficial ownership information (BOI) that will be highly
useful in combatting illicit finance and the abuse of shell and front
companies by criminals, corrupt officials, and other bad actors.
---------------------------------------------------------------------------
\1\ The CTA is Title LXIV of the William M. (Mac) Thornberry
National Defense Authorization Act for Fiscal Year 2021, Public Law
116-283 (Jan. 1, 2021) (the NDAA). Division F of the NDAA is the
Anti-Money Laundering Act of 2020 (AML Act), which includes the CTA.
Section 6403 of the CTA, among other things, amends the Bank Secrecy
Act (BSA) by adding a new Section 5336, Beneficial Ownership
Information Reporting Requirements, to Subchapter II of Chapter 53
of Title 31, United States Code.
\2\ 86 FR 17557 (Apr. 5, 2021).
\3\ 86 FR 69920 (Dec. 8, 2021).
---------------------------------------------------------------------------
The proposed regulations aim to ensure that: (1) only authorized
recipients have access to BOI; (2) authorized recipients use that
access only for purposes permitted by the CTA; and (3) authorized
recipients only re-disclose BOI in ways that balance protection of the
security and confidentiality of the BOI with furtherance of the CTA's
objective of making BOI available to a range of users for purposes
specified in the CTA. The proposed regulations also provide a robust
framework to ensure that BOI reported to FinCEN, and received by
authorized recipients, is subject to strict cyber security controls,
confidentiality protections and restrictions, and robust audit and
oversight measures. Coincident with the protocols described in this
NPRM, FinCEN is working to develop a secure, non-public database in
which to store BOI, using rigorous information security methods and
controls typically used in the Federal government to protect
non-classified yet sensitive information systems at the highest security
level. Against this backdrop and consistent with the CTA, FinCEN will
permit Federal, State, local, and Tribal officials, as well as certain
foreign officials acting through a Federal agency, to obtain BOI for
use in furtherance of statutorily authorized activities such as those
related to national security, intelligence, and law enforcement.
Financial institutions (FIs) with customer due diligence (CDD)
requirements under applicable law will have access to BOI to facilitate
CDD compliance. Their regulators will likewise have access to BOI to
make assessments of CDD compliance.
Additionally, FinCEN is proposing certain amendments to the BOI
reporting regulations regarding the use of FinCEN identifiers.\4\ The
proposed amendments would specify how reporting companies would be able
to use an entity's FinCEN identifier to fulfill their BOI reporting
obligations under 31 CFR 1010.380.
---------------------------------------------------------------------------
\4\ Id., as defined in 31 CFR 1010.380(f)(2), a FinCEN
identifier is a unique identifying number assigned by FinCEN to an
individual or reporting company under 31 CFR 1010.380.
---------------------------------------------------------------------------
II. Background
A. Access to Beneficial Ownership Information
As Congress explained in the CTA, ``malign actors seek to conceal
their ownership of corporations, limited liability companies, or other
similar entities in the United States to facilitate illicit activity,
including money laundering, the financing of terrorism, proliferation
financing, serious tax fraud, human and drug trafficking,
counterfeiting, piracy, securities fraud, financial fraud, and acts of
foreign corruption, harming the national security interests of the
United States and allies of the United States.'' \5\ Access by
authorized recipients to BOI reported under the CTA would significantly
aid efforts to protect U.S. national security and safeguard the U.S.
financial system from such illicit use. It would impede illicit actors'
ability to use legal entities to conceal proceeds from criminal acts
that undermine U.S. national security and foreign policy interests,
such as corruption, human smuggling, drug and arms trafficking, and
terrorist financing. BOI can also add critical data to financial
analyses in activities the CTA
contemplates, including tax investigations. It can also provide
essential information to the intelligence and national security
professionals who work to prevent terrorists, proliferators, and those
who seek to undermine our democratic institutions or threaten other
core U.S. interests from raising, hiding, or moving money in the United
States through anonymous shell or front companies.\6\
---------------------------------------------------------------------------
\5\ CTA, Section 6402(3).
\6\ A front company generates legitimate business proceeds to
commingle with illicit earnings. See U.S. Department of the
Treasury, National Money Laundering Risk Assessment (2018), p. 29,
available at https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf.
---------------------------------------------------------------------------
The United States currently does not have a centralized or complete
store of information about who owns and operates legal entities within
the United States. The beneficial ownership data available to law
enforcement and national security agencies are generally limited to the
information collected by financial institutions on legal entity
accounts pursuant to their CDD or broader Customer Identification
Program (CIP) obligations, some of which has been included in
Suspicious Activity Reports (SARs) or provided to law enforcement in
response to judicial process.\7\ As set out in detail in the Reporting
NPRM \8\ and the BOI reporting final rule,\9\ U.S. law enforcement
officials and the Financial Action Task Force (FATF),\10\ among others,
have for years noted how the lack of timely access to accurate and
adequate BOI by law enforcement and other authorized recipients
remained a significant gap in the United States'
anti-money-laundering/countering-the-financing-of-terrorism (AML/CFT) and countering the
financing of proliferation (CFP) framework. Broadly, and critically,
BOI can identify linkages between potential illicit actors and opaque
business entities, including shell companies. Furthermore, comparing
BOI reported pursuant to the CTA against data collected under the Bank
Secrecy Act (BSA) and other relevant government data is expected to
significantly further efforts to identify illicit actors and combat
their financial activities.
---------------------------------------------------------------------------
\7\ 31 CFR 1010.230. Even then, any BOI a financial institution
collects is not systematically reported to any central repository.
\8\ Supra note 3.
\9\ 87 FR 59498 (Sept. 30, 2022).
\10\ The FATF, of which the United States is a founding member,
is an international, inter-governmental task force whose purpose is
the development and promotion of international standards and the
effective implementation of legal, regulatory, and operational
measures to combat money laundering, terrorist financing, the
financing of weapons proliferation, and other related threats to the
integrity of the international financial system. The FATF assesses
over 200 jurisdictions against its minimum standards for beneficial
ownership transparency. Among other things, it has established
standards on transparency and beneficial ownership of legal persons,
to deter and prevent the misuse of corporate vehicles. See FATF
Recommendation 24, Transparency and Beneficial Ownership of Legal
Persons, The FATF Recommendations: International Standards on
Combating Money Laundering and the Financing of Terrorism and
Proliferation (updated Oct. 2020), available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html; FATF Guidance, Transparency and Beneficial
Ownership, Part III (Oct. 2014), available at https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf.
---------------------------------------------------------------------------
As law enforcement and other U.S. government officials have noted,
investigations into, and prosecutions of, money laundering, corruption,
and other illicit financial activities are often prolonged or stymied
by those officials' inability to rapidly access BOI in a centralized
database. Kenneth A. Blanco, then-Director of FinCEN and a former State
and Federal prosecutor, observed in 2019 testimony to the U.S. Senate
Committee on Banking, Housing and Urban Affairs that based on his
experience as a former State and Federal prosecutor, identifying the
ultimate beneficial owner of a shell or front company in the United
States ``often requires human source information, grand jury subpoenas,
surveillance operations, witness interviews, search warrants, and
foreign legal assistance requests to get behind the outward facing
structure of these shell companies. This takes an enormous amount of
time--time that could be used to further other important and necessary
aspects of an investigation--and wastes resources, or prevents
investigators from getting to other equally important investigations.''
\11\
---------------------------------------------------------------------------
\11\ FinCEN, Testimony for the Record, Kenneth A. Blanco,
Director, U.S. Senate Committee on Banking, Housing and Urban
Affairs (May 21, 2019), available at https://www.banking.senate.gov/imo/media/doc/Blanco%20Testimony%205-21-19.pdf.
---------------------------------------------------------------------------
The FBI's Steven M. D'Antuono elaborated on these difficulties,
testifying before the Senate Banking Housing and Urban Affairs
Committee in 2019 that ``[t]he process for the production of records
can be lengthy, anywhere from a few weeks to many years, and . . . can
be extended drastically when it is necessary to obtain information from
other countries . . . . [I]f an investigator obtains the ownership
records, either from a domestic or foreign entity, the investigator may
discover that the owner of the identified corporate entity is an
additional corporate entity, necessitating the same process for the
newly discovered corporate entity. Many professional launderers and
others involved in illicit finance intentionally layer ownership and
financial transactions in order to reduce transparency of transactions.
As it stands, it is a facially effective way to delay an
investigation.'' \12\ D'Antuono acknowledged that these challenges may
be even starker for State, local, and Tribal law enforcement agencies
that may not have the same resources as their Federal counterparts to
undertake long and costly investigations to identify the beneficial
owners of these entities.\13\ During the testimony, he noted that
requiring the disclosure of BOI by legal entities and the creation of a
central BOI repository available to law enforcement and regulators
could address these challenges.\14\
---------------------------------------------------------------------------
\12\ Federal Bureau of Investigation (FBI), Testimony of Steven
M. D'Antuono, Section Chief, Criminal Investigative Division,
``Combatting Illicit Financing by Anonymous Shell Companies'' (May
21, 2019), available at https://www.fbi.gov/news/testimony/combating-illicit-financing-by-anonymous-shell-companies.
\13\ Id.
\14\ Id.
---------------------------------------------------------------------------
The process of obtaining BOI through grand jury subpoenas and other
means can be time-consuming and of limited utility in some cases. Grand
jury subpoenas, for example, require an underlying grand jury
investigation into a possible violation of law. In addition, the law
enforcement officer or investigator must work with a prosecutor's
office, such as a U.S. Attorney's Office, to open a grand jury
investigation, obtain the grand jury subpoena, and issue it on behalf
of the grand jury. The investigator also needs to determine the proper
recipient of the subpoena and coordinate service, which raises
additional complications in cases where there is excessive layering of
corporate structures to hide the identity of the ultimate beneficial
owners. In some cases, however, BOI still may not be attainable via
grand jury subpoena because it is not recorded. For example, because
most states do not require the disclosure of BOI when forming or
registering an entity, BOI cannot be obtained from the secretary of
state or similar office. Furthermore, many states permit corporations
to acquire property without disclosing BOI, and therefore BOI cannot be
obtained from property records.
FinCEN's existing regulatory tools also have significant
limitations. The 2016 CDD Rule,\15\ for example, requires that certain
types of U.S. financial institutions identify and verify the beneficial
owners of legal entity customers at the time those financial
institutions open a new account for a
legal entity customer,\16\ but the rule provides only a partial
solution.\17\ The information provided to U.S. financial institutions
about beneficial owners of certain U.S. entities is generally not
comprehensive and not reported to the U.S. government (nor to State,
local, or Tribal governments), except when filed in SARs or in response
to judicial process. It is therefore not immediately available to law
enforcement, intelligence, and national security agencies. Moreover,
the CDD rule applies only to legal entities that open accounts at
certain U.S. financial institutions. Other FinCEN authorities--
geographic targeting orders \18\ and the so-called ``311 measures''
(i.e., special measures imposed on jurisdictions, financial
institutions, or international transactions of primary money laundering
concern) \19\--offer temporary and targeted tools. Neither provides law
enforcement the ability to reliably, efficiently, and consistently
follow investigatory leads.
---------------------------------------------------------------------------
\15\ 81 FR 29397 (May 11, 2016).
\16\ The CDD Rule NPRM contained a requirement that covered
financial institutions conduct ongoing monitoring to maintain and
update customer information on a risk basis, specifying that
customer information includes the beneficial owners of legal entity
customers. As noted in the supplementary material to the final rule,
FinCEN did not construe this obligation as imposing a categorical,
retroactive requirement to identify and verify BOI for existing
legal entity customers. Rather, these provisions reflect the
conclusion that a financial institution should obtain BOI from
existing legal entity customers when, in the course of its normal
monitoring, the financial institution detects information relevant
to assessing or reevaluating the risk of such customer. Final Rule,
Customer Due Diligence Requirements for Financial Institutions, 81
FR 29398, 29404 (May 11, 2016).
\17\ See U.S. Money Laundering Threat Assessment Working Group,
U.S. Money Laundering Threat Assessment (2005), pp. 48-49, available
at https://www.treasury.gov/resource-center/terrorist-illicit-finance/documents/mlta.pdf. See also Congressional Research Service,
Miller, Rena S. and Rosen, Liana W., Beneficial Ownership
Transparency in Corporate Formation, Shell Companies, Real Estate,
and Financial Transactions (Jul. 8, 2019), available at https://crsreports.congress.gov/product/pdf/R/R45798.
\18\ 31 U.S.C. 5326(a); 31 CFR 1010.370.
\19\ 31 U.S.C. 5318A, as added by section 311 of the USA PATRIOT
Act (Pub. L. 107-56).
---------------------------------------------------------------------------
The utility and value of BOI reported to FinCEN, therefore, rests
in large part on the bureau's ability to provide authorized recipients
predictable and efficient access to reported BOI while protecting the
confidentiality and integrity of the information. As Congress noted,
``[f]ederal legislation providing for the collection of beneficial
ownership information for corporations, limited liability companies, or
other similar entities formed under the laws of the States is needed''
to protect vital U.S. ``national security interests . . . [and] better
enable critical national security, intelligence, and law enforcement
efforts to counter money laundering, the financing of terrorism, and
other illicit activity.'' \20\ Furthermore, providing authorized
recipients in FIs access to BOI reported to FinCEN, as the CTA
requires, will assist FIs in complying with AML/CFT and CDD
requirements.
---------------------------------------------------------------------------
\20\ CTA, Section 6402(5)(B),(D).
---------------------------------------------------------------------------
B. The Corporate Transparency Act
The CTA is part of the AML Act, which is itself a part of the 2021
NDAA. The CTA added a new section, 31 U.S.C. 5336, to the BSA to
address the broader objectives of enhancing beneficial ownership
transparency while minimizing the burden on the regulated community. In
brief, 31 U.S.C. 5336 requires certain types of domestic and foreign
entities, called ``reporting companies,'' to submit specified BOI to
FinCEN. FinCEN is authorized to share this BOI with certain Government
agencies, financial institutions, and regulators, subject to
appropriate protocols.\21\ The requirement for reporting companies to
submit BOI takes effect ``on the effective date of the regulations
prescribed by the Secretary of the Treasury under [31 U.S.C. 5336].''
\22\ Reporting companies formed or registered after the effective date
will need to submit the requisite BOI to FinCEN at the time of
formation, while preexisting reporting companies will have a specified
period to comply and report.\23\
---------------------------------------------------------------------------
\21\ See generally 31 U.S.C. 5336(b), (c).
\22\ 31 U.S.C. 5336(b)(5).
\23\ See 31 U.S.C. 5336(b)(1)(B), (C).
---------------------------------------------------------------------------
The CTA reporting requirements generally exempt entities that are
otherwise subject to significant regulatory regimes--e.g., banks--where
Congress presumably expected primary regulators to have visibility into
the identities of the owners and ownership structures of the entities.
The exemptions thus avoid imposing duplicative requirements in these
cases.
The provision at 31 U.S.C. 5336 requires reporting companies to
submit to FinCEN, for each beneficial owner and company applicant,
either the individual's full legal name, date of birth, current
residential or business street address, and a unique identifying number
from an acceptable identification document (e.g., a nonexpired
passport)--four readily accessible pieces of information that should
not be unduly burdensome for individuals to produce, or for reporting
companies to collect and submit to FinCEN--or a FinCEN identifier.\24\
A FinCEN identifier is a unique identifying number that FinCEN will
issue to individuals or entities upon request.\25\ In certain
instances, the FinCEN identifier may be reported in lieu of an
individual's name, birth date, address, and unique identification
number.\26\ As noted in Section II.E. below, FinCEN addressed the
regulatory requirements related to BOI reporting pursuant to the CTA
through the recent issuance of a final BOI reporting rule.\27\
---------------------------------------------------------------------------
\24\ See 31 U.S.C. 5336(b)(2).
\25\ See 31 U.S.C. 5336(b)(3)(A)(i).
\26\ See 31 U.S.C. 5336(b)(3)(B).
\27\ Supra note 7.
---------------------------------------------------------------------------
Given the sensitivity of the reportable BOI, the CTA imposes strict
confidentiality and security restrictions on the storage, access, and
use of BOI. Congress authorized FinCEN to disclose BOI to a statutorily
defined group of governmental authorities and financial institutions,
in limited circumstances. The CTA establishes that BOI is ``sensitive
information,'' \28\ and provides that the Secretary of the Treasury
(Secretary) shall ``maintain [it] in a secure, nonpublic database,
using information security methods and techniques that are appropriate
to protect nonclassified information systems at the highest security
level.'' \29\ The statute further provides that BOI is only to be used
by specified parties for specified purposes.\30\ Access to and
disclosure of BOI is the focus of this NPRM.
---------------------------------------------------------------------------
\28\ CTA, Section 6402(6).
\29\ CTA, Section 6402(7)(A). While the statutory language seems
to include a typo that refers to another provision, it also seems
clear that the object of protection in this case is BOI.
\30\ CTA, Section 6402(6).
---------------------------------------------------------------------------
In addition to setting out requirements and restrictions related to
BOI reporting and access, the CTA requires that FinCEN revise the
current CDD Rule within one year of January 1, 2024, the effective date
of the final BOI reporting rule, by rescinding paragraphs (b) through
(j) of 31 CFR 1010.230.\31\ The CTA identifies three purposes for this
revision: (1) to bring the rule into conformity with the AML Act as a
whole, including the CTA; (2) to account for financial institutions'
access to BOI reported to FinCEN ``in order to confirm the beneficial
ownership information provided directly to the financial institutions''
for AML/CFT and customer due diligence purposes; and (3) to reduce
unnecessary or duplicative
burdens on financial institutions and legal entity customers.\32\
---------------------------------------------------------------------------
\31\ CTA, Section 6403(d)(1), (2). The CTA orders the rescission
of paragraphs (b) through (j) directly (``the Secretary of the
Treasury shall rescind paragraphs (b) through (j)'') and orders the
retention of paragraph (a) by a negative rule of construction
(``nothing in this section may be construed to authorize the
Secretary of the Treasury to repeal ... [31 CFR] 1010.230(a)[.]'').
\32\ CTA, Section 6403(d)(1)(A)-(C).
---------------------------------------------------------------------------
FinCEN intends to satisfy the requirements related to the revision
of the CDD Rule through a future rulemaking process that will provide
the public with an opportunity to comment on the proposal. FinCEN
anticipates that this rulemaking to revise the CDD Rule will touch on
the issue of the interplay between financial institutions' CDD efforts
and the beneficial ownership IT system that FinCEN is developing to
receive, store, and maintain BOI.
C. The Advance Notice of Proposed Rulemaking
On April 5, 2021, FinCEN published the ANPRM related to
implementing the CTA.\33\ The ANPRM sought input on five open-ended
categories of questions, including on clarifying key definitions and on
FinCEN's implementation of the related provisions of the CTA that
govern the bureau's maintenance and disclosure of BOI subject to
appropriate access protocols.
---------------------------------------------------------------------------
\33\ Supra note 2.
---------------------------------------------------------------------------
In response to the ANPRM, FinCEN received 220 comments from parties
that included businesses, civil society organizations, trade
associations, law firms, secretaries of state and other State
officials, Indian Tribes, members of Congress, and private citizens.
Some comments focused on issues that pertain to this access rulemaking,
such as the structure of the BOI database, certain users' need for
access, the importance of ensuring the security of the database,
specific technological decisions that FinCEN could make, and the
desirability of a FinCEN commitment to verifying the information in the
database.
FinCEN has considered all of the comments that it received in
response to the ANPRM in drafting this proposed rule.
D. The Reporting Notice of Proposed Rulemaking
FinCEN followed the ANPRM with the December 8, 2021, publication of
the Reporting NPRM, the first of the three CTA-related rulemakings.\34\
In the Reporting NPRM, FinCEN described in detail Treasury's efforts to
address the lack of transparency in certain legal entity ownership, the
value of BOI, the national security and law enforcement implications of
legal entities with anonymous beneficial owners, and the need for
centralized BOI collection.\35\ The Reporting NPRM acknowledged the
current environment in which criminals and other bad actors can exploit
the creation and use of legal entities in the United States.
---------------------------------------------------------------------------
\34\ 86 FR 69920 (Dec. 8, 2021).
\35\ Id. at 69921-69928.
---------------------------------------------------------------------------
The Reporting NPRM proposed regulations specifying what BOI must be
reported to FinCEN pursuant to CTA requirements, by whom, and when. In
particular, it proposed that domestic and foreign reporting companies
report to FinCEN four pieces of BOI for each of their beneficial owners
and company applicants: full legal name, birthdate, current residential
or business street address, and a unique identifying number from an
acceptable identification document (e.g., a nonexpired passport or
driver's license). In the alternative, the proposed rule would permit a
reporting company to report a FinCEN identifier for an individual or
entity in certain circumstances.\36\ These regulations also proposed
processes for obtaining, updating, and using FinCEN identifiers. The
Reporting NPRM included a 60-day comment period, which closed on
February 7, 2022, and FinCEN received over 240 comments on the NPRM.
---------------------------------------------------------------------------
\36\ See 31 U.S.C. 5336(b).
---------------------------------------------------------------------------
E. The Final Reporting Rule
On September 30, 2022, FinCEN published a final rule implementing
the CTA's BOI reporting requirements and addressing the comments
submitted on the NPRM. The final regulations require certain legal
entities to file with FinCEN reports that identify the beneficial
owners of the entity, and individuals who filed (or who are primarily
responsible for directing or controlling the filing of) an application
with specified governmental authorities to create the entity or
register it to do business. Further, the regulations describe who must
file a report, what information must be provided, and when a report is
due. These reporting requirements are intended to help prevent and
combat money laundering, terrorist financing, corruption, tax fraud,
and other illicit activity, while minimizing the burden on reporting
companies.
In addition, as the final BOI reporting rule noted, providing
authorized users in the law enforcement, national security, and
regulatory communities, and in FIs, access to the reported BOI will
diminish the ability of illicit actors to obfuscate their activities
through the use of anonymous shell and front companies. FinCEN also
recognized in the final BOI reporting rule the vital importance of
protecting the reported BOI and ensuring, through the issuance of
regulations governing access to the reported BOI, that the BOI is
subject to stringent use and security protocols. The BOI final
reporting regulations become effective on January 1, 2024.
Furthermore, the final BOI reporting rule reserved certain
provisions concerning the use of FinCEN identifiers for entities for
further consideration. This Access NPRM includes proposed amendments to
the reporting regulations that would finalize these remaining
provisions.
F. Beneficial Ownership Information Infrastructure
i. Beneficial Ownership Information IT System Development
The CTA directs the Secretary to maintain BOI ``in a secure,
nonpublic database, using information security methods and techniques
that are appropriate to protect non-classified information security
systems at the highest security level . . . .'' \37\ To implement this
requirement, FinCEN has been developing a secure information technology
(IT) system to receive, store, and maintain BOI. FinCEN has gathered
requirements and completed initial system engineering, architectures,
and program planning activities. The initial build of the cloud
infrastructure is complete and the development of the first set of
system products is in progress. The target date for the system to begin
accepting BOI reports is January 1, 2024, the same day the reporting
rule takes effect.
---------------------------------------------------------------------------
\37\ CTA, Section 6402(7).
---------------------------------------------------------------------------
FinCEN is taking a very deliberative approach to designing and
building the system, factoring in the requirements set out in the CTA
as well as guidance from Congress. As Senator Sherrod Brown, the
then-Ranking Member of the Senate Committee on Banking, Housing, and Urban
Affairs and one of the primary authors of the CTA, noted in his
December 9, 2020, floor statement accompanying the CTA, ``[i]n
designing the [system], FinCEN should survey other beneficial ownership
databases to determine their best features and design, and create a
structure that secures the data as required by law.'' \38\ Among other
actions FinCEN has undertaken in the development of the system, FinCEN
met not only with future stakeholders to better understand their need
to access BOI and how they currently safeguard sensitive information
(see Section II.H. ``Outreach'' below), but also with other government
entities that had developed
beneficial ownership databases, such as the District of Columbia's
(DC's) Superintendent of Corporations (within DC's Department of
Consumer and Regulatory Affairs Corporations), and the United Kingdom's
Companies House.
---------------------------------------------------------------------------
\38\ Senator Sherrod Brown, National Defense Authorization Act,
Congressional Record 166:208 (Dec. 9, 2020), p. S7312, available at
https://www.govinfo.gov/content/pkg/CREC-2020-12-09/pdf/CREC-2020-12-09.pdf.
---------------------------------------------------------------------------
Senator Brown also encouraged FinCEN to ``ensure that [F]ederal,
[S]tate, local and tribal law enforcement can access the beneficial
ownership database without excessive delays or red tape in a manner
modeled after its existing systems providing law enforcement access to
databases containing currency transaction and suspicious activity
report information.'' \39\ Keeping BOI secure and confidential is one
of FinCEN's highest priorities in building the system. Serving that
interest requires not only designing and implementing appropriate
technical controls around BOI security and storage, but also thoroughly
understanding the ways in which prospective authorized BOI recipients
intend to access, handle, and use BOI. This knowledge in turn informs
the policies, procedures, and processes that will govern how authorized
recipients treat BOI when they access it.
---------------------------------------------------------------------------
\39\ Id.
---------------------------------------------------------------------------
This balance is reflected in the ongoing development of the system.
Consistent with the CTA's requirement,\40\ the system will be
cloud-based and is being implemented to meet the highest Federal Information
Security Management Act (FISMA) \41\ level (FISMA High).\42\ A FISMA
High rating indicates that losing the confidentiality, integrity, or
availability of information within a system would have a severe or
catastrophic adverse effect on the organization maintaining the system,
including on organizational assets or individuals.\43\ The rating
carries with it a requirement to implement certain baseline controls to
protect the relevant information.\44\
---------------------------------------------------------------------------
\40\ 31 U.S.C. 5336(c)(8).
\41\ 44 U.S.C. 3541 et seq.
\42\ See U.S. Department of Commerce, Federal Information
Processing Standards Publication: Standards for Security
Categorization of Federal Information and Information Systems
(``FIPS Pub 199'') (Feb. 2004), available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf.
\43\ Id. at 3.
\44\ Id.
---------------------------------------------------------------------------
FinCEN recognizes that BOI is highly sensitive information. FinCEN
therefore views it as critical to mitigate the risk of unauthorized
disclosure of BOI as much as possible. To that end, system
functionality will vary by recipient category consistent with statutory
requirements and limitations on BOI disclosure--for example, financial
institutions will have a different level of access to BOI than law
enforcement agencies. The regulations proposed in this Access NPRM
complement this functionality by clarifying and codifying those
requirements and limitations, including through recipient-specific
access protocols designed to protect BOI security and confidentiality.
ii. CTA Implementation Efforts
FinCEN continues to face resource constraints in developing and
deploying the Beneficial Ownership IT System and efforts to put in
place processes to support the collection and use of BOI. There are a
myriad of areas that need additional investment, including additional
personnel to support efforts beyond the initial build of the Beneficial
Ownership IT System. These include efforts to provide clear and
transparent guidance to reporting companies and authorized users of
BOI, negotiating and implementing memoranda of understanding (MOUs)
with domestic government agencies, reviewing requests for BOI and
accompanying court authorizations from State, local, or tribal law
enforcement agencies, auditing the handling and use of BOI, and
enforcement activities.
FinCEN is particularly focused on providing adequate customer
service resources for reporting companies in the first year and beyond
as they file their BOI. FinCEN currently fields approximately 13,000
inquiries a year through its Regulatory Support Section, and
approximately 70,000 external technical inquiries a year through the IT
Systems Helpdesk. FinCEN has estimated that there will be approximately
32 million reporting companies in Year 1 of the reporting requirement
and approximately 5 million new reporting companies each year
thereafter.\45\ If 10 percent of those reporting companies have
questions about the reporting requirement or the form, or technical
issues when filing, that could result in upwards of 3 million inquiries
in Year 1, and 500,000 per year after that.
---------------------------------------------------------------------------
\45\ 87 FR 59498, 59549 (Sept. 30, 2022).
---------------------------------------------------------------------------
Without the availability of additional appropriated funds to
support this project and other mission-critical services, FinCEN may
need to identify trade-offs, including with respect to guidance and
outreach activities, and the staged access by different authorized
users to the database. FinCEN is currently identifying the range of
considerations implicated by potential budget shortfalls and the
trade-offs that are available and appropriate.
G. Verification
FinCEN continues to evaluate options for verifying reported
BOI.\46\ ``Verification,'' as that term is used here, means confirming
that the reported BOI submitted to FinCEN is actually associated with a
particular individual. A number of commenters to the ANPRM and
Reporting NPRM have affirmed the importance of verifying BOI to support
authorized activities that rely on the information. FinCEN continues to
review the options available to verify BOI within the legal constraints
in the CTA.
---------------------------------------------------------------------------
\46\ Pursuant to Sections 6502(b)(1)(C) and (D) of the AML Act,
the Secretary, in consultation with the Attorney General, will
conduct a study no later than two years after the effective date of
the BOI reporting final rule, to evaluate the costs associated with
imposing any new verification requirements on FinCEN and the
resources necessary to implement any such changes.
---------------------------------------------------------------------------
H. Outreach
FinCEN has conducted more than 30 outreach sessions to solicit
input on how best to implement the statutory authorizations and
limitations regarding BOI disclosure. Participants included
representatives from Federal agencies, State courts, State and local
prosecutors' offices, Tribal governments, FIs, financial
self-regulatory organizations (SROs), and, as noted previously, government
offices that had established BOI databases. Topics discussed included
how stakeholders might use BOI, potential information technology (IT)
system features, circumstances in which potential stakeholders might
need to re-disseminate BOI, and how different approaches might help
further the purposes of the CTA. These conversations helped FinCEN
refine its thinking about how to create a useful database for
stakeholders while protecting BOI and individual privacy.
III. Overview of Access Framework and Protocols
A. Statutory Framework
The CTA authorizes FinCEN to disclose BOI to five categories of
recipients.\47\ The first category consists of recipients in Federal,
State, local and Tribal government agencies. Within this category,
FinCEN may disclose BOI to Federal agencies engaged in national
security, intelligence, or law enforcement activity if the requested
BOI is for use in furtherance of such activity.\48\ Note that Federal
agency access is activity-based. Thus, an agency such as a Federal
functional regulator, while perhaps not a ``law enforcement
agency'' in the conventional sense, may still be engaged in ``law
enforcement activity'' such as civil law enforcement, and can therefore
still request BOI from FinCEN for use in furtherance of that activity.
FinCEN may also disclose BOI to State, local, and Tribal law
enforcement agencies if ``a court of competent jurisdiction'' has
authorized the law enforcement agency to seek the information in a
criminal or civil investigation.\49\
---------------------------------------------------------------------------
\47\ 31 U.S.C. 5336(c)(2)(B) and 31 U.S.C. 5336(c)(5).
\48\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
\49\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
The second category consists of foreign law enforcement agencies,
judges, prosecutors, central authorities, and competent authorities
(``foreign requesters''), provided their requests come through an
intermediary Federal agency, meet certain additional criteria, and are
made either (1) under an international treaty, agreement, or
convention, or (2) via a request made by law enforcement, judicial, or
prosecutorial authorities in a trusted foreign country (when no
international treaty, agreement, or convention is available).\50\
---------------------------------------------------------------------------
\50\ See 31 U.S.C. 5336(c)(2)(B)(ii).
---------------------------------------------------------------------------
The third authorized recipient category is FIs using BOI to
facilitate compliance with CDD requirements under applicable law,
provided the FI requesting the BOI has the relevant reporting company's
consent for such disclosure.\51\
---------------------------------------------------------------------------
\51\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------
The fourth category is Federal functional regulators and other
appropriate regulatory agencies acting in a supervisory capacity
assessing FIs for compliance with CDD requirements.\52\ These agencies
may access the BOI information that FIs they supervise received from
FinCEN.
---------------------------------------------------------------------------
\52\ 31 U.S.C. 5336(c)(2)(B)(iv).
---------------------------------------------------------------------------
The fifth and final category of authorized BOI recipients is the
U.S. Department of the Treasury (Treasury) itself, for which the CTA
provides relatively unique access to BOI tied to an officer or
employee's official duties requiring BOI inspection or disclosure,
including for tax administration.\53\
---------------------------------------------------------------------------
\53\ 31 U.S.C. 5336(c)(5).
---------------------------------------------------------------------------
The CTA directs the Secretary to ``take all steps, including
regular auditing, to ensure that government authorities accessing [BOI]
do so only for authorized purposes consistent with [the CTA].'' \54\
The CTA also requires the Secretary to establish protocols governing
access by authorized recipients to BOI and protecting the information's
security and confidentiality.\55\
---------------------------------------------------------------------------
\54\ CTA, Section 6402(7)(B).
\55\ See generally 31 U.S.C. 5336(c)(3).
---------------------------------------------------------------------------
Specifically, the statute provides that the Secretary shall
establish protocols requiring: (1) the heads of requesting agencies to
approve standards and procedures for protecting BOI, and make related
certifications; \56\ (2) requesting agencies to ``establish and
maintain, to the satisfaction of the Secretary, a secure system in
which [BOI] provided directly by the Secretary shall be stored''; \57\
(3) requesting agencies to ``furnish a report to the Secretary, at such
time and containing such information as the Secretary may prescribe,
that describes the procedures established and utilized by such agency
to ensure the confidentiality of [BOI] provided directly by the
Secretary''; \58\ (4) certain requesting agencies to provide a written
certification that the requirements for access to BOI have been met;
\59\ (5) requesting agencies to ``limit, to the greatest extent
practicable, the scope of information sought, consistent with the
purposes for seeking [BOI];'' \60\ (6) requesting agencies to
``establish and maintain, to the satisfaction of the Secretary, a
permanent system of standardized records with respect to an auditable
trail of each request for [BOI] submitted to the Secretary by the
agency, including the reason for the request, the name of the
individual who made the request, the date of the request, any
disclosure of [BOI] made by or to the agency, and any other information
the Secretary of the Treasury determines is appropriate''; \61\ and (7)
requesting agencies to ``conduct an annual audit to verify that the
[BOI] received from the Secretary has been accessed and used
appropriately, and in a manner consistent with this paragraph and
provide the results of that audit to the Secretary upon request.'' \62\
The Secretary is likewise required to ``conduct an annual audit of the
adherence of the agencies to the protocols established under this
paragraph to ensure that agencies are requesting and using beneficial
ownership information appropriately.'' \63\
---------------------------------------------------------------------------
\56\ 31 U.S.C. 5336(c)(3)(B).
\57\ 31 U.S.C. 5336(c)(3)(C).
\58\ 31 U.S.C. 5336(c)(3)(D).
\59\ 31 U.S.C. 5336(c)(3)(E).
\60\ 31 U.S.C. 5336(c)(3)(F).
\61\ 31 U.S.C. 5336(c)(3)(H).
\62\ See 31 U.S.C. 5336(c)(3)(I).
\63\ See 31 U.S.C. 5336(c)(3)(J).
---------------------------------------------------------------------------
The CTA expressly restricts access to BOI to only those authorized
users at a requesting agency: (1) who are directly engaged in an
authorized investigation or activity; (2) whose duties or
responsibilities require access to BOI; (3) who have undergone
appropriate training or use staff to access the system who have
undergone appropriate training; (4) who use appropriate identity
verification to obtain access to the information; and (5) who are
authorized by agreement with the Secretary to access BOI.\64\
---------------------------------------------------------------------------
\64\ 31 U.S.C. 5336(c)(3)(G).
---------------------------------------------------------------------------
The statute further provides the Secretary with discretionary
authority to prescribe by regulation such other safeguards as she deems
necessary and appropriate to protect BOI confidentiality.\65\ The
Secretary has delegated the authority to prescribe appropriate
protocols to protect the security and confidentiality of BOI pursuant
to 31 U.S.C. 5336(c)(3) to FinCEN.\66\
---------------------------------------------------------------------------
\65\ See 31 U.S.C. 5336(c)(3)(K).
\66\ Treasury Order 180-01 (Jan. 14, 2020).
---------------------------------------------------------------------------
B. Disclosure to Authorized Domestic Government Agency Users for
Non-Supervisory Purposes
Under the first category of BOI recipients, FinCEN expects three
types of domestic agency users to be able to access and query the
beneficial ownership IT system directly: (1) Federal agencies engaged
in national security, intelligence, and law enforcement activity; (2)
Treasury officers and employees who require access to BOI to perform
their official duties or for tax administration; and (3) State, local,
and Tribal law enforcement agencies. This type of access would permit
authorized individuals within an authorized recipient agency to log in,
run queries using multiple search fields, and review one or more
results returned immediately.
These agencies often lack comprehensive information about a subject
or other relevant individuals or entities when conducting
investigations. The ability to query the database directly and
iteratively is therefore necessary to enable them to use BOI
effectively. Nevertheless, to protect against potential abuse,
Federal-agency users engaged in national security, intelligence, or law
enforcement activity would have to submit brief justifications to
FinCEN for their searches, explaining how their searches further a
particular qualifying activity, and these justifications would be
subject to oversight and audit by FinCEN. FinCEN will develop guidance
for agencies on submitting the required justifications.
Consistent with the CTA's restrictions, authorized users from
State, local, and Tribal law enforcement agencies would be required to
upload the document issued by a court of competent jurisdiction
authorizing the
agency to seek BOI from FinCEN.\67\ After FinCEN has reviewed the
relevant authorization for sufficiency and approved the request, an
agency could then conduct searches using multiple search fields
consistent in scope with the court authorization and subject to audit
by FinCEN. These searches would return results immediately.
---------------------------------------------------------------------------
\67\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
Such broad search capabilities within the beneficial ownership IT
system require domestic agencies to clearly understand the scope of
their authorization and their responsibilities under it. That is why
the proposed rule establishes protocols for requirements, limitations,
and expectations with respect to searches by domestic agencies of the
beneficial ownership IT system. As part of these protocols, each
domestic agency would first need to enter into a memorandum of
understanding (MOU) with FinCEN before being allowed access to the
system. FinCEN is developing draft MOUs based on similar agreements it
uses to share BSA data. FinCEN will also provide training for agency
personnel and exercise oversight and audit functions discussed in more
detail in Section IV below.
None of the remaining authorized recipient categories will have
access to the broad search capabilities within the system.
C. Disclosure to Authorized Foreign Requesters
Foreign requesters--foreign law enforcement agencies, judges,
prosecutors, central authorities, or competent authorities (or a like
designation)--will not have direct access to the beneficial ownership
IT system. They will instead submit their requests for BOI to Federal
intermediary agencies as the CTA requires.\68\ If the foreign request
meets the applicable criteria of the CTA \69\ and the proposed rule,
then the Federal agency intermediary will retrieve the BOI from the
system and transmit it to the foreign requester.
---------------------------------------------------------------------------
\68\ 31 U.S.C. 5336(c)(2)(B)(ii).
\69\ Section 6403 of the CTA requires that the foreign request
be made by a Federal agency on behalf of a law enforcement agency,
foreign central authority or competent authority (or like
designation), under an international treaty, agreement, convention,
or official request made by law enforcement, judicial, or
prosecutorial authorities in trusted foreign countries when no
treaty, agreement, or convention is available. The CTA goes on to
state that the foreign request must (1) be issued in response to a
request for assistance in an investigation or prosecution by such
foreign country; and (2) either (a) require compliance with the
disclosure and use provisions of the treaty, agreement, or
convention publicly disclosing any BOI received; or (b) limit the
use of the information for any purpose other than the authorized
investigation or national security or intelligence activity. See 31
U.S.C. 5336(c)(2)(B)(ii).
---------------------------------------------------------------------------
FinCEN intends to work with Federal agencies to identify agencies
that are well positioned to serve as intermediaries between FinCEN and
foreign requesters. FinCEN expects that these possible intermediary
Federal agencies will have regular engagement and familiarity with
foreign law enforcement agencies, judges, prosecutors, central
authorities, or competent authorities on matters related to law
enforcement, national security, or intelligence activity, and will have
established policies, procedures, and communication channels for
sharing information with those foreign parties. Other factors would
include whether a prospective intermediary Federal agency represents
the U.S. government in relevant international treaties, agreements, or
conventions, the expected number of requests that the agency could
receive, and the ability of the agency to efficiently process requests
while managing risks of unauthorized disclosure.
Once these agencies are identified, FinCEN will work with the
intermediary Federal agencies to: (1) ensure that they have secure
systems for BOI storage;
(2) enter into MOUs outlining expectations and responsibilities; (3)
translate the CTA foreign sharing requirements into evaluation criteria
against which intermediaries can compare requests from foreign
requesters; (4) integrate the evaluation criteria into the
intermediaries' existing information-sharing policies and procedures;
(5) develop additional security protocols and systems as required under
the CTA and this rule; and (6) ensure that intermediary agency
personnel have sufficient training on the requirements of the CTA and
the proposed rule. FinCEN would exercise oversight and audit functions
to ensure that Federal intermediary agencies adhere to requirements and
take appropriate measures to mitigate the risk of foreign requesters
abusing the information.
Given its longstanding relationships and relevant experience as the
financial intelligence unit of the United States, FinCEN proposes to
directly receive, evaluate, and respond to requests for BOI from
foreign financial intelligence units.
D. Disclosure to FIs and Regulatory Agencies for CDD Compliance
Unlike foreign requesters, FIs and their regulators (Federal
functional regulators and other appropriate regulatory agencies, when
assessing FIs' compliance with CDD requirements) would both have direct
access to BOI contained in the beneficial ownership IT system, albeit
in more limited form than Federal agencies engaged in national
security, intelligence, or law enforcement activity, or State, local,
and Tribal law enforcement agencies.
The CTA authorizes FinCEN to disclose a reporting company's BOI to
an FI only to the extent that such disclosure facilitates the FI's
compliance with CDD requirements under applicable law, and only if the
reporting company first consents.\70\ FinCEN takes these constraints
seriously given the sensitive nature of BOI and the potential number of
FI employees who could have access to it. FinCEN is therefore not
planning to permit FIs to run broad or open-ended queries in the
beneficial ownership IT system or to receive multiple search results.
Rather, FinCEN anticipates that an FI, with a reporting company's
consent, would submit to the system identifying information specific to
that reporting company, and receive in return an electronic transcript
with that entity's BOI. To the extent the FI makes a trivial data-entry
error in its request for BOI, the FI could still obtain the requested
BOI, provided the errors do not compromise BOI security and
confidentiality or result in the FI retrieving information on the
wrong reporting company. This more limited information-retrieval
process would reduce the overall risk of inappropriate use or
unauthorized disclosures of BOI.
---------------------------------------------------------------------------
\70\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------
The CTA permits similarly narrow access for Federal functional
regulators and other appropriate regulatory agencies exercising
supervisory functions. The statute allows these agencies to request
from FinCEN BOI that the FIs they supervise have already obtained from
the bureau, but only for assessing an FI's compliance with CDD
requirements under applicable law.\71\ Consequently, Federal functional
regulators and other appropriate regulatory agencies will generally
have limited access to the beneficial ownership IT system if requesting
BOI for the purpose of ascertaining CDD compliance. FinCEN is still
developing this access model and accompanying functionality, but
expects regulators to be able to retrieve any BOI that the FIs they
supervise received from FinCEN during a particular period, as opposed
to data that might reflect subsequent updates. This would both satisfy
CTA requirements and facilitate smoother
examinations by ensuring regulators receive the same BOI that FIs
received for purposes of their CDD reviews.
---------------------------------------------------------------------------
\71\ See 31 U.S.C. 5336(c)(2)(C), providing that BOI FinCEN
discloses to a financial institution ``shall also be available to a
Federal functional regulator or other appropriate regulatory agency,
as determined by the Secretary . . . .''
---------------------------------------------------------------------------
FinCEN expects that Federal functional regulators responsible for
bringing civil enforcement actions will be able to avail themselves of
the Federal law enforcement access provision and functionality
described in Section III.B. above.\72\ State, local, and Tribal
agencies with both a qualifying, CDD-focused regulatory function and a
law enforcement function could similarly avail themselves of the access
provisions applicable to those distinct BOI recipient categories. Each
agency would be responsible for ensuring unauthorized disclosure does
not occur between its various components. In addition, FinCEN is
required under the CTA to perform annual audits to ensure agencies are
requesting and using BOI appropriately and consistently with their
internal protocols.\73\ As with other Federal agencies, MOUs will
further specify the expectations with respect to the handling and
sharing of BOI by components of the same agency that may access BOI
under different circumstances. FIs, meanwhile, would have to agree to
terms of use that would be a condition of access to the beneficial
ownership IT system. This distinction reflects the more limited, less
flexible functionality FIs will enjoy relative to government agencies
with multi-field search capabilities within the beneficial ownership IT
system.
---------------------------------------------------------------------------
\72\ Federal functional regulators engaged in national security
activity would similarly be able to make use of the search
functionality associated with the ``national security activity''
access provision.
\73\ See 31 U.S.C. 5336(c)(3)(J).
---------------------------------------------------------------------------
IV. Section-by-Section Analysis
As described below in Section IV.A., this proposed rule would add
new access-to-information rules in a new Sec. 1010.955 (``Availability
of information reported pursuant to 31 CFR 1010.380'') in subpart J
(``Miscellaneous'') of part 1010 (``General Provisions'') of chapter X
(``Financial Crimes Enforcement Network'') of title 31, Code of Federal
Regulations. To avoid confusion, it would also rename and clarify the
scope of the existing 31 CFR 1010.950 (``Availability of information--
general'').
The following sections describe the elements of the proposed rule:
(i) availability of information--general; (ii) prohibition on
disclosure; (iii) disclosure of information by FinCEN; (iv) use of
information; (v) security and confidentiality requirements; (vi)
administration of requests for information reported pursuant to 31 CFR
1010.380; and (vii) violations and penalties.
Additionally, Section IV.B. below describes the FinCEN identifier
provisions of the proposed rule.
A. Beneficial Ownership Information Retention and Disclosure
Requirements
i. Availability of Information--General
FinCEN proposes to amend 31 CFR 1010.950(a) to clarify that the
disclosure of BOI would be governed by proposed 31 CFR 1010.955, rather
than 31 CFR 1010.950(a), which governs disclosure of other BSA
information. Currently 31 CFR 1010.950(a) authorizes the disclosure of
all BSA information received by FinCEN and states that ``[t]he
Secretary may within his discretion disclose information reported under
this chapter for any reason consistent with the purposes of the Bank
Secrecy Act, including those set forth in paragraphs (b) through (d) of
this section.'' The CTA authorizes FinCEN to disclose such information
only in limited and specified circumstances that are separate and
distinct from provisions authorizing disclosure of other BSA
information.\74\ Accordingly, FinCEN is proposing to amend 31 CFR
1010.950(a) to clarify that the disclosure of BOI would instead be
governed by proposed 31 CFR 1010.955.
---------------------------------------------------------------------------
\74\ See 31 U.S.C. 5336(c)(2), (5).
---------------------------------------------------------------------------
ii. Prohibition on Disclosure
The CTA provides that, except as authorized by 31 U.S.C. 5336(c)
and the protocols promulgated under that subsection, BOI reported
pursuant to 31 U.S.C. 5336 ``shall be confidential and may not be
disclosed by . . . (i) an officer or employee of the United States;
(ii) an officer or employee of any State, local, or Tribal agency, or
(iii) an officer or employee of any [FI] or regulatory agency receiving
information under [31 U.S.C. 5336(c)].'' \75\
---------------------------------------------------------------------------
\75\ See 31 U.S.C. 5336(c)(2)(A).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(a) would incorporate this prohibition,
with two clarifications. First, it would clarify that any individual
authorized to receive BOI pursuant to proposed 31 CFR 1010.955(b) is
prohibited from disclosing it except as expressly authorized by FinCEN.
Critically, this provision would extend the prohibition on disclosure
to any individual who receives BOI regardless of whether they continue
to serve in the position through which they were authorized to receive
BOI. Otherwise, the regulations could be read to permit disclosure of
sensitive BOI after an individual leaves the relevant position. Second,
it would also extend the prohibition on disclosure to any individual
who receives BOI as a contractor or agent of the United States; a
contractor or agent of a State, local, or Tribal agency; or a member of
the board of directors, contractor, or agent of an FI. FinCEN believes
that this clarification is needed to ensure that agents acting on
behalf of an authorized BOI recipient agency or other entity are
subject to the same prohibition on the disclosure of BOI as officers
and employees of an authorized BOI recipient agency or other entity.
Such an approach is necessary to avoid the different treatment of
employees and officers in relation to contractors and agents.
Although the CTA does not expressly refer to agents, contractors,
or directors, FinCEN would extend the prohibition on disclosure to such
individuals pursuant to 31 U.S.C. 5336(c)(3)(K), which provides that
``the Secretary of the Treasury shall establish by regulation protocols
described in [31 U.S.C. 5336(2)(A)] that . . . provide such other
safeguards which the Secretary determines (and which the Secretary
prescribes in regulations) to be necessary or appropriate to protect
the confidentiality of the beneficial ownership information.'' \76\
FinCEN also believes this approach is consistent with the CTA's overall
focus on preventing unauthorized disclosure \77\ and the broad scope of
the provisions penalizing unauthorized disclosure by ``any person.''
\78\ FinCEN invites comments on this approach.
---------------------------------------------------------------------------
\76\ Section 6003(1) of the AML Act defines the BSA as
comprising Section 21 of the Federal Deposit Insurance Act (12
U.S.C. 1829b), Chapter 2 of Title I of Public Law 91-508 (12 U.S.C.
1951 et seq.), and Subchapter II of Chapter 53 of Title 31, United
States Code, which includes 31 U.S.C. 5336. Congress has authorized
the Secretary to administer the BSA. The Secretary has delegated to
the Director of FinCEN the authority to implement, administer, and
enforce compliance with the BSA and associated regulations (Treasury
Order 180-01 (Jan. 14, 2020)).
\77\ See generally 31 U.S.C. 5336(c).
\78\ See generally 31 U.S.C. 5336(h)(2), (3).
---------------------------------------------------------------------------
iii. Disclosure of Information to Authorized Recipients
The CTA authorizes FinCEN to disclose BOI to five categories of
recipients in specified circumstances.\79\ The statutory authorization
is generally permissive: with one exception, the CTA provides that
FinCEN ``may disclose'' BOI to authorized recipients in qualifying
circumstances.\80\ This
language affords FinCEN discretion to ensure that BOI is disclosed only
to authorized recipients that are able to keep the information
confidential and secure. FinCEN intends to foster a culture of
responsibility around BOI that treats security and confidentiality as a
paramount objective.
---------------------------------------------------------------------------
\79\ See 31 U.S.C. 5336(c)(2)(B).
\80\ 31 U.S.C. 5336(c)(2)(B). Under 5336(c)(2)(C), BOI that a
reporting company consents to share with a financial institution
``shall'' be available to a Federal functional regulator to
supervise compliance with customer due diligence requirements under
applicable law.
---------------------------------------------------------------------------
a. Federal Agencies Engaged in National Security, Intelligence, or Law
Enforcement Activity
Section 6403 of the CTA authorizes FinCEN to disclose BOI upon
receipt of a request, through appropriate protocols, from a Federal
agency engaged in national security, intelligence, or law enforcement
activity for use in furtherance of one of those activities.\81\ Federal
agency access is to be based upon the type of activity an agency is
conducting rather than the identity of the agency or how it might be
categorized. The key consideration is the scope of the types of
activities described in the CTA for which the agency may seek BOI:
national security activities, intelligence activities, and law
enforcement activities.
---------------------------------------------------------------------------
\81\ See 31 U.S.C. 5336(c)(2)(B)(i)(I).
---------------------------------------------------------------------------
The CTA does not specify what agency activities fall within those
three categories, and FinCEN proposes to do so consistent with the
text, structure, and purpose of the CTA. Proposed 31 CFR
1010.955(b)(1)(i) would define ``national security activity'' as any
``activity pertaining to the national defense or foreign relations of
the United States, as well as activity to protect against threats to
the security or economy of the United States.'' This approach draws, in
large part, from 8 U.S.C. 1189(d)(2), which defines ``national
security'' for purposes of designating foreign terrorist organizations
(FTOs) that threaten U.S. national security. FinCEN believes this
definition is appropriate for several reasons. First, the FTO statute
covers a broad range of national security threats to the United States,
including those with an economic dimension. That scope is consonant
with the CTA's goal to combat national security threats that are
financial in nature, such as money laundering, terrorist financing,
counterfeiting, fraud, and foreign corruption.\82\ Second, the FTO
statute arises in a related context insofar as it involves efforts to
hinder illicit actors' economic activities.
---------------------------------------------------------------------------
\82\ See CTA, Section 6402(3).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(b)(1)(ii) would define ``intelligence
activity'' based upon Executive Order 12333 of December 4, 1981, as
amended.\83\ Executive Order 12333 remains ``a foundational document
for the United States' foreign intelligence efforts.'' \84\ It
establishes ``a framework that applies broadly to the government's
collection, analysis, and use of foreign intelligence and
counterintelligence--from human sources, by interception of
communications, by cameras and other sensors on satellites and aerial
systems, and through relationships with intelligence services of other
governments.'' \85\ FinCEN believes that relying on Executive Order
12333 would be consistent with existing agency understanding and would
provide flexibility to accommodate Intelligence Community missions and
activities.\86\ Proposed 31 CFR 1010.955(b)(1)(ii) would therefore
define intelligence activity to include ``all activities conducted by
elements of the United States Intelligence Community that are
authorized pursuant to Executive Order 12333, as amended, or any
succeeding executive order.''
---------------------------------------------------------------------------
\83\ Exec. Order No. 12333, 46 FR 59941 (Dec. 4, 1981) (``United
States Intelligence Activities'').
\84\ 5 Privacy and Civil Liberties Oversight Board, Executive
Order 12333 (accessed Apr. 28, 2022), https://documents.pclob.gov/prod/Documents/OversightReport/4f1d0d87-233b-4555-9b87-79089ad9845e/12333%20Public%20Capstone.pdf.
\85\ Id.
\86\ By ``Intelligence Community,'' FinCEN means the agencies
identified in paragraph 3.4(f) of Executive Order 12333.
---------------------------------------------------------------------------
Finally, proposed 31 CFR 1010.955(b)(1)(iii) would define ``law
enforcement activity'' to include ``investigative and enforcement
activities relating to civil or criminal violations of law.'' Proposed
31 CFR 1010.955(b)(1)(iii) is intended broadly to cover the types of
functions in which Federal agencies engage when they work to enforce
the laws of the United States. FinCEN believes that it is consistent
with the CTA to authorize Federal agencies to access BOI at all stages
of the law enforcement process.
Additionally, the proposed rule would make clear that law
enforcement activity can include both criminal and civil investigations
and actions, such as actions to impose or enforce civil penalties,
civil forfeiture actions, and civil enforcement through administrative
proceedings. The CTA is concerned with combating all manner of illicit
activity,\87\ and many laws that prohibit such activity are enforced by
Federal agencies in both civil and criminal actions. The CTA does not
limit ``law enforcement activity'' to criminal investigations or
actions. Moreover, FinCEN's clarification in the proposed rule would
place Federal agencies on the same footing as State, local, and Tribal
law enforcement agencies, for which the CTA authorizes use of BOI in a
``criminal or civil investigation.'' Nothing in the CTA suggests that
Federal agencies should have more limited access to BOI than their
State, local, and Tribal counterparts engaged in civil investigations,
and FinCEN does not believe it would be appropriate to limit Federal
agencies' access in this manner. The proposed rule would also
facilitate law enforcement cooperation by providing access to BOI in
both civil and criminal investigations, as both types of investigations
often proceed in parallel.\88\
---------------------------------------------------------------------------
\87\ See CTA, Section 6402(3).
\88\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
Among the Federal agencies with access to BOI for law enforcement
purposes would be Federal functional regulators that investigate civil
violations of law.\89\ Although the CTA separately authorizes Federal
functional regulators to access BOI for the purpose of supervising
compliance with CDD requirements, this access does not preclude Federal
functional regulators from accessing BOI when engaging in law
enforcement activity.\90\ The CTA specifically references ``securities
fraud, financial fraud, and acts of foreign corruption'' as types of
illicit activity that the statute is intended to help combat.\91\ These
are areas in which a significant amount of law enforcement activity is
conducted by Federal functional regulators such as the Securities and
Exchange Commission (SEC), which brings hundreds of civil enforcement
actions, including administrative proceedings, each year against
individuals and entities engaged in market manipulation, Ponzi schemes,
offering fraud, insider trading, and other violations of the Federal
securities laws.\92\ Under the proposed rule, the SEC and other Federal
functional regulators would be able to obtain BOI directly from the
beneficial ownership IT system for use in furtherance of this critical
law enforcement activity. The proposed rule would also place the SEC
and other Federal functional regulators
on equal footing with other Federal agencies that lack a regulatory or
supervisory function, but that are engaged in civil and criminal law
enforcement activity, like the U.S. Department of Justice (DOJ).
---------------------------------------------------------------------------
\89\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
\90\ The two provisions contemplate different processes
depending on the purpose for which access is sought. Under Section
5336(c)(2)(B)(i)(I), FinCEN ``may'' disclose BOI upon request from a
Federal agency engaged in law enforcement activity. In contrast,
under 5336(c)(2)(C), BOI that a reporting company consents to share
with a financial institution ``shall'' be available to a Federal
functional regulator to supervise compliance with customer due
diligence requirements pursuant to an agreement with the regulator.
\91\ CTA, Section 6402(3).
\92\ See, e.g., https://www.sec.gov/news/press-release/2021-238.
---------------------------------------------------------------------------
For all three types of activities--national security, intelligence,
and law enforcement--FinCEN considered proposing more restrictive
definitions involving exhaustive lists of activities. The bureau
believes these approaches would risk being either under- or over-
inclusive and could arbitrarily limit access to BOI for activities that
the regulations may fail to specify. The CTA, among other things, was
enacted to ``protect vital United States national security interests,''
``protect interstate and foreign commerce,'' and ``better enable
critical national security, intelligence, and law enforcement efforts
to counter . . . illicit activity.'' \93\ The statute targets a wide
array of illicit actors who use opaque corporate structures to conceal
their illicit activities. FinCEN believes the risk of unintentionally
hindering a Federal agency's important national security, intelligence,
or law enforcement activities supports the flexible approach the bureau
has proposed. This approach will also have more flexibility to develop
alongside the evolving threats facing the United States.
---------------------------------------------------------------------------
\93\ CTA, Section 6402(5)(B), (D).
---------------------------------------------------------------------------
FinCEN invites comments on its proposed definitions of national
security, intelligence, and law enforcement activities.
b. State, Local, and Tribal Law Enforcement Agencies
The CTA permits FinCEN to disclose BOI upon receipt of a request,
through appropriate protocols, ``from a State, local, or Tribal law
enforcement agency, if a court of competent jurisdiction, including any
officer of such a court, has authorized the law enforcement agency to
seek the information in a criminal or civil investigation.'' \94\
---------------------------------------------------------------------------
\94\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(b)(2) similarly would allow FinCEN to
disclose BOI to a State,\95\ local, or Tribal law enforcement agency
``if a court of competent jurisdiction has authorized the agency to
seek the information in a criminal or civil investigation.'' FinCEN
recognizes that State practices are likely to be varied with respect to
how law enforcement agencies may be authorized by a court to seek
information in connection with an investigation or prosecution.\96\
FinCEN has not sought to define what it means for a court to
``authorize'' the law enforcement agency to seek BOI, but aims to
ensure that BOI access at the State, local, and Tribal level is highly
useful to law enforcement and has consistent application across
jurisdictions.
---------------------------------------------------------------------------
\95\ FinCEN will interpret the term ``State'' consistent with
the definition of that term in the final Beneficial Ownership
Information Reporting Requirements rule at 87 FR 59498 (Sep. 30,
2022) (which defines the term ``State'' to mean ``any [S]tate of the
United States, the District of Columbia, the Commonwealth of Puerto
Rico, the Commonwealth of the Northern Mariana Islands, American
Samoa, Guam, the United States Virgin Islands, and any other
commonwealth, territory, or possession of the United States.'')
\96\ 31 U.S.C. 5336(c)(2)(B)(i)(II) authorizes FinCEN to
disclose BOI to a State, local, or Tribal law enforcement agency in
the context of ``a criminal or civil investigation.'' FinCEN
believes this provision permits the agency to disclose BOI to a
State, local, or Tribal law enforcement agency, with the required
court authorization, for use in a civil or criminal law enforcement
action that follows the investigation. FinCEN believes this is a
reasonable interpretation of the statutory language given that
disclosure provisions for Federal agencies engaged in law
enforcement, and foreign requests pertaining to an ``investigation
or prosecution,'' under the CTA would cover the disclosure to those
recipients in the context of a prosecution. See 31 U.S.C.
5336(c)(2)(B)(i)(I), (c)(2)(B)(ii)(I). FinCEN does not believe
Congress intended to allow Federal and foreign law enforcement
agencies to obtain BOI for use in prosecutions while prohibiting
State, local, and Tribal law enforcement agencies from doing so. A more
restrictive interpretation would severely limit the utility of BOI
for State, local, and Tribal law enforcement agencies and run
counter to the purposes of the CTA. See CTA, Section 6402(8)(C)
(directing FinCEN to create a database of BOI that is ``highly
useful to national security, intelligence, and law enforcement
agencies . . . '').
---------------------------------------------------------------------------
At a minimum, the proposed rule would allow a State, local, or
Tribal law enforcement agency (including a prosecutor) to access BOI
where a court specifically authorizes access in the context of a
criminal or civil proceeding, for example, through a court's issuance
of an order or approval of a subpoena. Other circumstances, however,
are less clear. For example, depending on State, local, or Tribal
practices, grand jury subpoenas may or may not satisfy the CTA's court
authorization requirement. Grand juries have traditionally played a
central role in criminal discovery and may help determine whether
sufficient evidence exists to indict an individual.\97\ The State and
local law enforcement agencies, prosecutors, and court officials with
whom FinCEN consulted emphasized the importance of ensuring that BOI
could be obtained in connection with grand jury investigations. FinCEN
agrees that providing BOI at the investigative stage may further the
CTA's statutory objectives by helping State, local, and Tribal
authorities uncover links between criminals and entities they may be
using to conceal illicit activities.\98\ Ultimately, however, FinCEN
determined that it needs more information about State, local, and
Tribal practices in order to determine whether they would involve court
authorization, as required by the CTA. State practices can vary, and
grand jury subpoenas may be issued by the grand jury in some
jurisdictions or signed by a prosecutor seeking information to present
to a grand jury in others. Neither courts nor grand juries always play
a meaningful role in authorizing subpoenas,\99\ and a majority of
states no longer use grand juries to screen criminal cases.\100\
---------------------------------------------------------------------------
\97\ See generally Sara Sun Beale et al., Investigative Grand
Jury and Indicting Grand Jury, Grand Jury Law and Practice Sec. 1:7
(2d ed. rev. Dec. 2021).
\98\ See CTA, Section 6402(3), (4), (5)(D).
\99\ See Sara Sun Beale et al., Role of Prosecutor and Grand
Jurors in Subpoenaing Evidence, Grand Jury Law and Practice Sec.
6:2 (2d ed. rev. Dec. 2021). For example, Massachusetts permits
district attorneys to ``issue subpoenas under their hands for
witnesses to appear and testify on behalf of the commonwealth.''
Mass. Gen. Laws Ann. ch. 277, Sec. 68.
\100\ See id.
---------------------------------------------------------------------------
FinCEN requests comments on this subject. In particular, commenters
should explain the mechanisms State, local, and Tribal authorities use
to gather evidence in criminal and civil cases. With respect to these
particular mechanisms, commenters should describe the extent to which
court authorization is involved. More generally, commenters should also
explain what role courts or court officers play in authorizing
evidence-gathering activities, what existing practices involve court
authorization, and the extent to which new court processes could be
developed and integrated into existing practices to satisfy the CTA's
authorization requirement. Commenters should also address the need for
access to BOI at different stages of an investigation, as well as the
privacy interests that may be implicated by such access.
Proposed 31 CFR 1010.955(b)(2) would clarify that the authorized
recipient of BOI under this provision would be the State, local, or
Tribal agency that makes a proper request for BOI consistent with the
proposed rule. The proposed rule would also define ``law enforcement
agency'' in a manner similar to the definition of ``law enforcement
activity'' used to define the scope of access for Federal agencies
engaged in law enforcement activity. This approach is intended to
ensure consistency regardless of whether law enforcement activity
occurs at the local, State, Tribal, or Federal level, including in
circumstances involving cooperation among and across jurisdictions,
such as through task forces.
Proposed 31 CFR 1010.955(b)(2) would clarify that ``a court of
competent jurisdiction'' is any court with jurisdiction over the
criminal or civil investigation for which a State, local, or Tribal law
enforcement agency requests BOI. The proposed rule does not specify
which officials qualify as officers of the court because courts have
varying practices. FinCEN expects, however, that individuals who may
exercise a court's authority and issue authorizations on its behalf
would qualify. FinCEN invites comment on whether it should more
specifically identify officers of the court for purposes of the rule,
and if so, what the potential qualifying criteria might be.
FinCEN does not believe that individual attorneys acting alone
would fall within the definition of ``court officer'' for purposes of
this provision. Though lawyers are sometimes referred to as ``officers
of the court'' to emphasize their professional obligations to the legal
system, they are not all ``officers of the court'' in the sense of
exercising the court's authority. FinCEN does not believe the CTA--
which includes numerous provisions limiting who may access BOI--
intended to empower any individual admitted to practice law to
authorize the disclosure of BOI.
c. Foreign Requesters
The CTA provides that FinCEN may disclose BOI upon receipt of a
request ``from a Federal agency on behalf of a law enforcement agency,
prosecutor, or judge of another country, including a foreign central
authority or competent authority (or like designation), under an
international treaty, agreement, convention, or official request made
by law enforcement, judicial, or prosecutorial authorities in trusted
foreign countries when no treaty, agreement, or convention is
available.'' \101\ Such a request from a Federal agency must be
``issued in response to a request for assistance in an investigation or
prosecution by such foreign country,'' \102\ and must ``require[e]
compliance with the disclosure and use provisions of the treaty,
agreement, or convention, publicly disclosing [sic] any beneficial
ownership information received,'' \103\ or limit BOI use ``for any
purpose other than the authorized investigation or national security or
intelligence activity.'' \104\
---------------------------------------------------------------------------
\101\ 31 U.S.C. 5336(c)(2)(B)(ii).
\102\ 31 U.S.C. 5336(c)(2)(B)(ii)(I).
\103\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(aa).
\104\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(b)(3) clarifies that a request for BOI
from a foreign requester would have to derive from a law enforcement
investigation or prosecution, or from national security or intelligence
activity, authorized under the foreign country's laws. This would
permit foreign requesters to obtain BOI for, and use it in, the full
range of activities contemplated by 31 U.S.C. 5336(c)(2)(B)(ii) (i.e.,
law enforcement, national security, and intelligence activities),
thereby giving effect to all of the language in that subparagraph. The
proposed rule also resolves ambiguities arising from inconsistent
statutory language. Specifically, one part of the CTA's foreign-access
provision appears to require a request to flow from a foreign
``investigation or prosecution,'' \105\ while another appears to allow
a foreign requester to use BOI to further any ``authorized
investigation or national security or intelligence activity.'' \106\
FinCEN believes the proposed rule best resolves this discrepancy by
clarifying that authorized national security and intelligence
activities could be a basis for a BOI request, in addition to a law
enforcement investigation or prosecution. FinCEN would view the scope
of the phrase ``law enforcement investigation or prosecution''
similarly to how it interprets the term ``law enforcement activity''
under proposed 31 CFR 1010.955(b)(3): such activity can include both
criminal and civil investigations and actions, including actions to
impose civil penalties, civil forfeiture actions, and civil enforcement
through administrative proceedings.
---------------------------------------------------------------------------
\105\ 31 U.S.C. 5336(c)(2)(B)(ii)(I).
\106\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
---------------------------------------------------------------------------
The proposed rule next makes clear that the relevant ``foreign
central authority or foreign competent authority'' would be the agency
identified in the international treaty, agreement, or convention under
which a foreign request is made. FinCEN understands that ``foreign
central authority'' and ``foreign competent authority'' are terms of
art typically defined within the context of a particular agreement.
This proposed regulatory clarification should therefore remove any
ambiguity around the terms without unduly excluding appropriate foreign
requesters from access to BOI.
Third, the proposed rule explains that, consistent with the CTA,
foreign requests would need to fall into one of two categories in order
for the foreign requester to receive BOI. The first category is
requests made pursuant to an international treaty, agreement, or
convention. The second category is official requests by a law
enforcement, judicial, or prosecutorial authority of a trusted foreign
country where there is no international treaty, agreement, or
convention that governs.\107\ The security and confidentiality
requirements applicable to each of these two categories are different.
---------------------------------------------------------------------------
\107\ The regulatory text here uses ``judicial or prosecutorial
authority'' instead of the earlier ``judge or prosecutor'' to mirror
an identical language shift in the corresponding statutory
provision. See 31 U.S.C. 5336(c)(2)(B)(ii). FinCEN does not view
this difference as significant or having practical effect.
---------------------------------------------------------------------------
Under the proposed rule, an intermediary Federal agency responding
to a foreign request under an international treaty, agreement, or
convention would first need to ensure that the request is consistent
with the requirements of the relevant treaty, agreement, or convention,
and the requirements of proposed 31 CFR 1010.955(b)(3). FinCEN
understands that an ``international treaty, agreement, or convention''
is a legally binding agreement governed by international law. FinCEN
would appreciate views on whether there are other types of
international arrangements under which the sharing of beneficial
ownership information would be important to achieve the goals of the
CTA (such as information sharing arrangements with foreign law
enforcement agencies that do not have legal force) and whether there
are means to do so consistent with the CTA. The intermediary Federal
agency would provide basic information to FinCEN about who is
requesting the information and the treaty, agreement, or convention
under which the request is being made. The intermediary Federal agency
would then search for and retrieve the requested BOI from the system
and respond to the request in a manner consistent with the treaty,
agreement, or convention. The intermediary Federal agency would be
subject to certain recordkeeping requirements to ensure that FinCEN is
able to perform appropriate audit and oversight functions in accordance
with an MOU to be agreed between the intermediary Federal agency and
FinCEN. The intermediary Federal agency would also be subject to the
security and confidentiality protocols applicable to other domestic
agencies that receive and handle BOI at proposed 31 CFR 1010.955(d)(1).
Where a request for BOI includes a request that the information be
authenticated for use in a legal proceeding in the foreign country
making the request, FinCEN may establish a process for providing such
authentication via MOU with the
relevant intermediary Federal agency. Such process may include an
arrangement where FinCEN searches the beneficial ownership IT system
and provides the information and related authentication to the
intermediary Federal agency consistent with the terms of the relevant
MOU.
With respect to an official request by a law enforcement, judicial,
or prosecutorial authority of a trusted foreign country where no
international treaty, agreement, or convention applies, FinCEN would
establish a mechanism to address such requests either on a case-by-case
basis or pursuant to alternative arrangements with intermediary Federal
agencies where those intermediary Federal agencies have ongoing
relationships with the foreign requester. The CTA does not provide
criteria for determining whether a particular foreign country is
``trusted,'' but rather, provides FinCEN with considerable discretion
to make this determination.
FinCEN considered identifying particular countries or groups of
countries as ``trusted'' for the purposes of receiving BOI. Ultimately,
however, FinCEN determined that such a restrictive approach could
arbitrarily exclude foreign requesters with whom sharing BOI might be
appropriate in some cases but not others. The United States
participates in many formal and informal international relationships
through which data are sometimes shared. FinCEN does not believe any of
these relationships, or any combination of them, sets appropriate
potential boundaries for BOI disclosure given the purposes of the CTA.
The bureau, in consultation with relevant U.S. government agencies,
will therefore look to U.S. interests and priorities in determining
whether to disclose BOI to foreign requesters when no international
treaty, agreement, or convention applies. In making these
determinations, FinCEN will also consider the ability of a foreign
requester to maintain the security and confidentiality of requested
BOI. Once FinCEN makes the determination to disclose BOI to a foreign
requester, the intermediary Federal agency would be permitted to
retrieve and disseminate BOI to the foreign requester, subject to
applicable security and confidentiality protocols.
FinCEN considered an alternative structure under which intermediary
Federal agencies would relay foreign requester requests under an
international treaty, agreement, or convention to FinCEN, which would
then assess the requests, retrieve requested BOI, and transmit it
either directly to the requester or indirectly via the intermediary
Federal agency for subsequent dissemination to the requester. While
neither of these approaches presents the security risks associated with
the other two potential approaches FinCEN rejected, both are likely to
be much less efficient. For example, intermediary Federal agencies are
likely to have ongoing relationships with foreign requesters, including
established points of contact. They are also likely more familiar than
FinCEN with existing treaty obligations and information exchange
channels and processes. Finally, FinCEN believes its proposed approach
aligns best with the text of the CTA, which assumes Federal agencies
will serve as the intermediary on behalf of foreign requesters.\108\
FinCEN invites comment on this proposal and on any other alternatives.
---------------------------------------------------------------------------
\108\ See 31 U.S.C. 5336(c)(2)(B)(ii) (providing that ``FinCEN
may disclose [BOI] only upon receipt of . . . a request from a
Federal agency on behalf of'' a qualified foreign requester
(emphasis added)).
---------------------------------------------------------------------------
d. FIs Subject to CDD Requirements
The CTA authorizes FinCEN to disclose BOI upon receipt of a request
``made by a[n] [FI] subject to customer due diligence requirements,
with the consent of the reporting company, to facilitate the compliance
of the [FI] with customer due diligence requirements under applicable
law.'' \109\ This statutory language leaves unspecified both the
mechanism by which consent should be registered and the meaning of the
term ``customer due diligence requirements under applicable law.''
---------------------------------------------------------------------------
\109\ See 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(b)(4) would address both issues. Under the
proposed rule, an FI would be responsible for obtaining a reporting
company's consent. This reflects FinCEN's assessment that FIs are best
positioned to obtain and manage consent through existing processes and
by virtue of having direct contact with the reporting company as a
customer. Additionally, the proposed rule would define ``customer due
diligence requirements under applicable law'' to mean FinCEN's customer
due diligence (CDD) regulations at 31 CFR 1010.230, which require
covered FIs to identify and verify beneficial owners of legal entity
customers. FinCEN considered interpreting the phrase ``customer due
diligence requirements under applicable law'' more broadly to cover a
range of activities beyond compliance with legal obligations in
FinCEN's regulations to identify and verify beneficial owners of legal
entity customers. FinCEN's separate Customer Identification Program
regulations, for example, could be considered customer due diligence
requirements.\110\ FinCEN decided not to propose this broader approach,
however. The bureau believes a more tailored approach will be easier to
administer, reduce uncertainty about what FIs may access BOI under this
provision, and better protect the security and confidentiality of
sensitive BOI by limiting the circumstances under which FIs may access
BOI.\111\ That said, FinCEN solicits comments on whether a broader
reading of the phrase ``customer due diligence requirements'' is
warranted under the framework of the CTA, and, if so, how customer due
diligence requirements should be defined in order to provide regulatory
clarity, protect the security and confidentiality of BOI, and minimize
the risk of abuse.
---------------------------------------------------------------------------
\110\ See, e.g., 31 CFR 1020.220 (requiring banks to implement a
Customer Identification Program).
\111\ The CTA requires FinCEN to revise the 2016 CDD Rule within
a year of the effective date of the final Reporting Rule. See CTA,
Section 6403(d)(1). One purpose of this revision is to account for
FIs' access to BOI, which the Sense of Congress portion of the CTA
states may be used to facilitate the FI's compliance ``with anti-
money laundering, countering the financing of terrorism, and
customer due diligence requirements under applicable law.'' Id.
6403(d)(1)(B) (emphasis added). That the CTA identifies ``[CDD]
requirements under applicable law'' as distinct from broader AML/CFT
requirements suggests that Congress intended that phrase not to
include other AML/CFT obligations.
---------------------------------------------------------------------------
FinCEN also considered including State, local, and Tribal customer
due diligence requirements comparable in substance to FinCEN's own CDD
regulations in the proposed definition of ``customer due diligence
requirements under applicable law.'' However, the bureau has not
identified any such requirements. FinCEN invites comments identifying
any specific State, local, or Tribal customer due diligence
requirements that are substantially similar to the bureau's CDD
regulations--i.e., requirements related to FIs in a State, local, or
Tribal jurisdiction identifying and verifying beneficial owners of
legal entity customers--for potential inclusion in the proposed
definition.
e. Federal Functional Regulators or Other Appropriate Regulatory
Agencies
The CTA authorizes FinCEN to disclose BOI to ``Federal functional
regulator[s] and other appropriate regulatory agenc[ies] consistent
with'' certain requirements.\112\ This access is subject to three
statutory conditions. First, a ``Federal functional regulator or other
appropriate regulatory agency'' must be ``authorized by law to assess,
supervise, enforce, or otherwise determine the compliance of [a
particular FI] with'' its CDD
requirements.\113\ Second, such regulator may use the BOI only ``for
the purpose of conducting [an] assessment, supervision, or authorized
investigation or activity'' related to the CDD requirements the
regulator is responsible for overseeing.\114\ Finally, the regulator
must ``[enter] into an agreement with the Secretary providing for
appropriate protocols governing the safekeeping of the information.''
\115\
---------------------------------------------------------------------------
\112\ See 31 U.S.C. 5336(c)(2)(B)(iv).
\113\ 31 U.S.C. 5336(c)(2)(C)(i).
\114\ 31 U.S.C. 5336(c)(2)(C)(ii).
\115\ 31 U.S.C. 5336(c)(2)(C)(iii).
---------------------------------------------------------------------------
FinCEN's proposed rule at 31 CFR 1010.955(b)(4) tracks these
conditions. In order to obtain BOI from FinCEN, a regulator would need
to be authorized by law to assess, supervise, enforce, or otherwise
determine a FI's compliance with its CDD requirements, and it would
have to enter into an agreement with FinCEN that describes appropriate
protocols to obtain BOI. FinCEN would only disclose to the regulator
the BOI that a relevant FI has already received. This is in keeping
with the CTA requirement that BOI disclosed to an FI under 31 U.S.C.
5336(c)(2)(B)(iii) ``also be available to [regulators]'' that meet
specified criteria.\116\
---------------------------------------------------------------------------
\116\ 31 U.S.C. 5336(c)(2)(C) (emphasis added).
---------------------------------------------------------------------------
FinCEN does not believe this CDD-specific provision is the
exclusive means through which a financial regulator can access BOI from
the beneficial ownership IT system. The access provisions for Federal
agencies engaged in national security, intelligence, or law enforcement
activities, and for State, local, and Tribal law enforcement agencies,
focus on activity categories, not agency types. To the extent a Federal
functional regulator engages in civil law enforcement activities, those
activities would be covered by the law-enforcement access provisions.
For example, the SEC--which supervises broker-dealers and other
securities market participants, including for compliance with the CDD
regulations--also investigates and litigates civil violations of
Federal securities laws. Consequently, consistent with the CTA, the SEC
would be able to broadly search the beneficial ownership IT system for
BOI for use in furtherance of its law enforcement activity. Separately,
the SEC would also be able to receive BOI subject to the constraints at
proposed 31 CFR 1010.955(b)(4) for use in supervising broker-dealers
and other regulated entities for CDD compliance.
Regarding who qualifies for access under this proposed provision,
the CTA refers to Federal functional regulators and ``other appropriate
regulatory agencies.'' The AML Act defines ``Federal functional
regulator'' to include six financial regulatory authorities \117\ as
well as ``any Federal regulator that examines a financial institution
for compliance with the Bank Secrecy Act.'' \118\ The proposed rule
would adopt FinCEN's existing regulatory definition, which the bureau
believes will minimize the risk of confusion. FinCEN's regulations
already define the term ``Federal functional regulator'' to include the
six agencies identified in the AML Act's definition as well as the
Commodity Futures Trading Commission (CFTC).\119\ Because the CFTC has
been delegated authority to examine certain FIs for compliance with the
BSA,\120\ it also falls within the AML Act's definition. FinCEN does
not propose to define ``other appropriate regulatory agencies'' at this
time. FinCEN believes the requirement in 31 U.S.C. 5336(c)(2)(C)(i)
that such an agency be ``authorized by law to assess, supervise,
enforce, or otherwise determine the compliance of such FIs with
customer due diligence requirements under applicable law'' sufficiently
defines the category (e.g., it could include State banking regulators).
However, FinCEN invites comment on this proposed approach.
---------------------------------------------------------------------------
\117\ The six Federal functional regulators that supervise
financial institutions with CDD obligations are the Board of
Governors of the Federal Reserve System (FRB), the Office of the
Comptroller of the Currency (OCC), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA),
the SEC, and the Commodity Futures Trading Commission (CFTC).
\118\ AML Act, Section 6003(3).
\119\ 31 CFR 1010.100(r).
\120\ See 31 CFR 1010.810(b)(9).
---------------------------------------------------------------------------
FinCEN considered whether financial self-regulatory organizations
that are registered with or designated by a Federal functional
regulator pursuant to Federal statute \121\ (``qualifying SROs'')--like
the Financial Industry Regulatory Authority (FINRA) or the National
Futures Association (NFA)--qualify as ``other appropriate regulatory
agencies.'' These organizations, though authorized by Federal law, are
not traditionally understood to be agencies of the government,\122\ but
they do exercise self-regulatory authority within the framework of
Federal law and work under the supervision of Federal functional
regulators to assess, supervise, and enforce FI compliance with, among
other things, CDD requirements.\123\ Qualifying SROs are subject to
extensive oversight by Federal agencies.\124\
---------------------------------------------------------------------------
\121\ See, e.g., 7 U.S.C. 21; 15 U.S.C. 78o-3.
\122\ See, e.g., In re William H. Murphy & Co., SEC Release No.
34-90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that
FINRA ``is not a part of the government or otherwise a [S]tate
actor'' to which constitutional requirements apply).
\123\ See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2-
9(c)(5).
\124\ See, e.g., Scottsdale Cap. Advisors Corp. v. FINRA, 844
F.3d 414, 418 (4th Cir. 2016) (``Before any FINRA rule goes into
effect, the SEC must approve the rule and specifically determine
that it is consistent with the purposes of the Exchange Act. The SEC
may also amend any existing rule to ensure it comports with the
purposes and requirements of the Exchange Act.'' (citations
omitted)); Birkelbach v. SEC, 751 F.3d 472, 475 (7th Cir. 2014) (``A
[FINRA] member can appeal the disposition of a FINRA disciplinary
proceeding to the SEC, which performs a de novo review of the record
and issues a decision of its own.'').
---------------------------------------------------------------------------
Although it may be unclear whether SROs are ``regulatory agencies''
to which direct access to BOI shall be provided, FinCEN believes that
their unique position,\125\ and the critical role they play in
overseeing participants in the financial services sector, justify
providing SROs with a limited and derivative form of access. The CTA
provides FinCEN broad discretion to specify the conditions under which
authorized recipients of BOI may re-disclose that information to
others. Therefore, the proposed rule would permit FIs to re-disclose to
qualifying SROs the BOI they have obtained from FinCEN for use in
complying with CDD requirements under applicable law. A qualifying SRO
would need to satisfy the same three conditions applicable to Federal
functional regulators and other appropriate regulatory agencies, and a
qualifying SRO that receives BOI from an FI it supervises may in turn
use the information for the limited purpose of examining compliance
with those same CDD obligations. Without this level of access, these
organizations would not be able to effectively evaluate an FI's CDD
compliance. FinCEN invites comments on this proposed approach.
---------------------------------------------------------------------------
\125\ See NASD v. SEC, 431 F.3d 803, 804 (D.C. Cir. 2005)
(explaining that FINRA's predecessor's ``authority to discipline its
members for violations of Federal securities law is entirely
derivative. The authority it exercises ultimately belongs to the
SEC''); see also Turbeville v. FINRA, 874 F.3d 1268, 1276 (11th Cir.
2017) (``When exercising [their regulatory and enforcement]
functions, SROs act under color of [F]ederal law as deputies of the
[F]ederal [G]overnment.''); In re Series 7 Broker Qualification Exam
Scoring Litig., 548 F.3d 110, 114 (D.C. Cir. 2008) (``When an SRO
acts under the aegis of the Exchange Act's delegated authority, it
is absolutely immune from suit for the improper performance of
regulatory, adjudicatory, or prosecutorial duties delegated by the
SEC.'').
---------------------------------------------------------------------------
f. Department of the Treasury Access
The CTA includes separate, Treasury-specific provisions for
accessing BOI. One of those provisions makes BOI ``accessible for
inspection or disclosure to officers and employees of the Department of
the Treasury whose official duties require such inspection or
disclosure subject to procedures and safeguards prescribed by the
Secretary of the Treasury.'' \126\ The other grants officers and
employees of Treasury ``access to [BOI] for tax administration
purposes.'' \127\
---------------------------------------------------------------------------
\126\ 31 U.S.C. 5336(c)(5)(A).
\127\ See 31 U.S.C. 5336(c)(5)(B).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(b)(5) tracks these authorizations and
would provide that Treasury officers and employees may receive BOI
where their official duties require such access, or for tax
administration, consistent with procedures and safeguards established
by the Secretary. The proposed rule clarifies the term ``tax
administration purposes'' by adding a reference to the definition of
``tax administration'' in the Internal Revenue Code.\128\ FinCEN
believes adopting this definition is appropriate because Treasury
officers and employees who administer tax laws are already familiar
with it and have a clear understanding of the activity it covers.
Furthermore, FinCEN believes the definition is broad enough to avoid
inadvertently excluding a tax administration-related activity that
would be undermined by lack of access to BOI. FinCEN welcomes comments
on the proposed scope of the term ``tax administration.''
---------------------------------------------------------------------------
\128\ 26 U.S.C. 6103(b)(4).
---------------------------------------------------------------------------
FinCEN envisions Treasury components using BOI for appropriate
purposes, such as tax administration, enforcement actions, intelligence
and analytical purposes, use in sanctions designation investigations,
and identifying property blocked pursuant to sanctions, as well as for
administration of the BOI framework, such as for audits, enforcement,
and oversight. FinCEN will work with other Treasury components to
establish internal policies and procedures governing Treasury officer
and employee access to BOI. These policies and procedures will ensure
that FinCEN discloses BOI only to Treasury officers or employees with
official duties requiring BOI access, or for tax administration. FinCEN
anticipates that the security and confidentiality protocols in those
policies and procedures will include elements of the protocols
described in proposed 31 CFR 1010.955(d)(1) as applicable to Treasury
activities and organization. Officers and employees identified as
having duties potentially requiring access to BOI would receive
training on, among other topics, determining when their duties require
access to BOI, what they can do with the information, and how to handle
and safeguard it. Their activities would also be subject to the same
audit.
iv. Use of Information
a. Use of Information by Authorized Recipients
The CTA includes numerous provisions limiting how BOI may be used.
Federal agencies engaged in national security, intelligence, or law
enforcement activity may use BOI only ``in furtherance of such
activity'' \129\ and must provide written certifications to FinCEN that
``at a minimum, se[t] forth the specific reason or reasons why [BOI] is
relevant to'' an authorized activity.\130\ State, local, and Tribal law
enforcement agencies must obtain authorization from a court of
competent jurisdiction to obtain BOI in criminal or civil
investigations.\131\ Federal agencies requesting BOI on behalf of
foreign law enforcement agencies, judges, or prosecutors may do so only
pursuant to an international treaty, agreement, or convention or
pursuant to an official request from a trusted foreign country for
assistance in an official investigation, prosecution, or authorized
national security or intelligence activity.\132\ FIs must have a
reporting company's consent to request its BOI from FinCEN as part of
CDD compliance activities,\133\ and a financial regulator assessing an
FI's compliance with CDD requirements may request and receive only the
BOI that the FI previously requested when conducting such an
assessment.\134\ Each of these requirements reflects a general
expectation that authorized recipients not obtain BOI for one
authorized activity and then use it for another unrelated purpose. The
statute also requires authorized recipients of BOI to narrowly tailor
their requests as much as possible. For example, the CTA instructs the
Secretary to require requesting agencies ``to limit, to the greatest
extent practicable, the scope of information sought, consistent with
the purposes for seeking BOI.'' \135\
---------------------------------------------------------------------------
\129\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
\130\ 31 U.S.C. 5336(c)(3)(E)(ii).
\131\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
\132\ See 31 U.S.C. 5336(c)(2)(B)(ii).
\133\ See 31 U.S.C. 5336(c)(2)(B)(iii).
\134\ See 31 U.S.C. 5336(c)(2)(B)(iv) and 31 U.S.C.
5336(c)(2)(C).
\135\ 31 U.S.C. 5336(c)(3)(F).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(c)(1) would implement these provisions by
clarifying that, unless otherwise authorized by FinCEN, any person who
receives information disclosed by FinCEN under proposed 31 CFR
1010.955(b) would be authorized to use it only for the particular
purpose or activity for which it was disclosed. Thus, for example, a
Federal agency employee, contractor, or agent who obtains BOI from
FinCEN for use in furtherance of national security activity would be
authorized to use the BOI only for the particular national security
activity for which the request was made. FinCEN believes this
limitation is necessary to ensure that BOI is used only for proper
purposes and only to the extent necessary.
Proposed 31 CFR 1010.955(c)(1) further clarifies that a Federal
agency receiving BOI pursuant to the foreign access provision at
proposed 31 CFR 1010.955(b)(3), i.e., an intermediary Federal agency,
can use the BOI only to facilitate a response to the relevant foreign
requester. This limitation ensures that Federal intermediary agencies
handling BOI in this context would do so only for the permissible use
of transmitting it to a foreign requester.
Authorized recipients that fail to follow applicable use
limitations would risk losing the ability to receive BOI.
b. Limitations on Re-Disclosure of Information by Authorized Recipients
Although the CTA expressly limits the circumstances under which
FinCEN may initially disclose BOI to other agencies or FIs, the CTA
does not specify the circumstances under which an authorized recipient
of BOI may re-disclose the BOI to another person or organization. The
CTA instead prohibits re-disclosure except as authorized in the
protocols promulgated by regulation, thereby leaving it to FinCEN to
establish the appropriate re-disclosure rules in the protocols.\136\
The proposed rule would permit the disclosure by authorized recipients
of BOI in limited circumstances that would further the core underlying
national security, intelligence, and law enforcement objectives of the
CTA while at the same time ensuring that BOI is disclosed only where
appropriate for those purposes. Generally, authorized re-disclosures
would be subject to protocols designed, as with those applicable to
initial disclosures of BOI from the beneficial ownership IT system, to
protect the security and confidentiality of BOI.
---------------------------------------------------------------------------
\136\ 31 U.S.C. 5336(c)(2)(A). The CTA appears to presume that
some re-disclosure will be permitted when it requires requesting
agencies to keep records related to their requests, including of
``any disclosure of beneficial information made by . . . the
agency.'' 31 U.S.C. 5336(c)(3)(H).
---------------------------------------------------------------------------
First, proposed 31 CFR 1010.955(c)(2)(i) would authorize a Federal,
State, local or Tribal agency that receives BOI from FinCEN to re-
disclose it to others within the same organization, if the re-
disclosure is consistent with the security and confidentiality
requirements of 31 CFR
1010.955(d)(1)(i)(F), (d)(2), or applicable internal Treasury policies,
procedures, orders or directives; and is in furtherance of the same
purpose for which the BOI was requested. Without this authorization,
the statutory prohibitions at 31 U.S.C. 5336(c)(2)(A) and corresponding
regulatory prohibitions at proposed 31 CFR 1010.955(a) could be viewed
to constrain officers, employees, contractors, and agents within the
same authorized requesting agency from efficiently sharing BOI in a
manner consistent with the objectives of the CTA. FinCEN recognizes
that authorized individuals that receive BOI within authorized
recipient organizations may need limited flexibility to disclose BOI to
others in their organization to the extent those other individuals need
the BOI to further the original purpose for which the BOI request was
made to FinCEN. An employee working on a law enforcement case within a
Federal agency, for example, might need to disclose BOI obtained from
FinCEN to another employee working on the same law enforcement matter.
FinCEN envisions that there are circumstances in which FI employees
may have a similar need to share BOI with counterparts, e.g., if they
are working together to onboard a new customer. Proposed 31 CFR
1010.955(c)(2)(ii) therefore extends a comparable authority to FIs. One
difference should be noted: FinCEN proposes to expressly limit FIs to
redisclosing BOI to other officers, employees, contractors, and agents
of the FI physically present in the United States. FinCEN believes this
limitation is necessary to provide appropriate protection to BOI
against disclosures to foreign governments outside of the framework
established by the CTA. The CTA confirms, among other things, that
foreign government agencies should only obtain the BOI of reporting companies
for limited purposes and through intermediary Federal agencies.
Allowing U.S. FIs to re-disclose BOI outside of the United States
creates the potential for a foreign government agency to obtain such
BOI by serving a judicial or administrative warrant, summons, or
subpoena directly on the foreign entity or location where the BOI is
stored. Prohibiting FIs from moving BOI outside the United States
reinforces and complements the requirements through which foreign
governments can obtain BOI under the proposed rule.
Next, proposed 31 CFR 1010.955(c)(2)(iii) would allow an FI,
subject to certain conditions, to share BOI that it obtains from FinCEN
for use in fulfilling its CDD obligations with (1) the FI's Federal
functional regulator, (2) a qualifying SRO, or (3) any other
appropriate regulatory agency. The CTA specifies that BOI provided to
an FI ``shall also be available'' to a Federal functional regulator or
other appropriate regulatory agency, under certain conditions, and
proposed 31 CFR 1010.955(b)(4)(ii) would authorize the agency to obtain
the BOI directly from FinCEN. Proposed 31 CFR 1010.955(c)(2)(ii) would
complement that authorization by also allowing the agency to obtain the
BOI from the FI. FinCEN believes this may be a more efficient means of
access for agencies conducting assessments of an FI's compliance with
CDD requirements under applicable law. Such re-disclosure would more
easily provide regulators with a complete picture of how FIs are
obtaining and using BOI for CDD compliance, thereby supporting the aims
and purposes of the CTA, and would also help them detect compliance
failures. Proposed 31 CFR 1010.955(c)(2)(ii) would also authorize re-
disclosure to qualifying SROs. SROs perform important supervisory and
regulatory functions under the oversight of Federal functional
regulators to assess FI compliance with CDD requirements among their
member firms. Given that SROs can perform these supervisory functions,
FinCEN believes that access to BOI would be as helpful to qualifying
SROs as to Federal functional regulators in ensuring a complete and
accurate assessment of CDD compliance. Qualifying SROs, like any
supervisory agency, would need to enter into an MOU with FinCEN, and
agree to implement security and confidentiality protocols, including
audit requirements, prior to receiving BOI from their regulated
institutions.
Fourth, proposed 31 CFR 1010.955(c)(2)(iv) would allow a Federal
functional regulator to disclose information to a qualifying SRO.
Consistent with the purposes of the CTA, the proposed rule makes clear
that BOI may be accessed, used, and re-disclosed for examinations for
compliance with CDD requirements under applicable law.
Fifth, proposed 31 CFR 1010.955(c)(2)(v), consistent with the CTA,
would allow an intermediary Federal agency to disclose BOI to the
foreign person for whom the intermediary Federal agency requested the
information in accordance with proposed 31 CFR 1010.955(b)(3). Without
an express regulatory provision to effectuate the CTA's provisions
relating to BOI access by a foreign law enforcement agency, prosecutor,
or judge, questions could arise as to whether the intermediary Federal
agency would be able to then share with a foreign requester the
information obtained on its behalf.
Sixth, proposed 31 CFR 1010.955(c)(2)(vi) would allow a Federal,
State, local, or Tribal law enforcement agency to disclose BOI to a
court of competent jurisdiction or parties to a civil or criminal
proceeding. This authorization would only apply to civil or criminal
proceedings involving U.S. Federal, State, local, and Tribal laws.
FinCEN envisions agencies relying on this provision when, for example,
a prosecutor must provide a criminal defendant with BOI in discovery or
use it as evidence in a court proceeding or trial.\137\
---------------------------------------------------------------------------
\137\ See CTA, Section 6402(5)(D).
---------------------------------------------------------------------------
FinCEN considered requiring Federal, State, local, or Tribal law
enforcement agencies to request permission to disclose BOI on a case-
by-case basis. The bureau decided against that approach for the sake of
efficiency and the administration of justice. FinCEN would be unlikely
to oppose disclosing BOI for use by law enforcement agencies in a civil
or criminal proceeding; the CTA explicitly contemplates using BOI in
this scenario.\138\ Additionally, manual review of individual
disclosure requests in this context could also delay the relevant legal
proceeding. FinCEN invites comment on this proposed approach.
---------------------------------------------------------------------------
\138\ See id.
---------------------------------------------------------------------------
Seventh, proposed 31 CFR 1010.955(c)(2)(vii) would allow a Federal
agency that receives BOI from FinCEN pursuant to proposed 31 CFR
1010.955(b)(1), (b)(4)(ii), or (b)(5) to disclose that BOI to DOJ in a
case referral. While DOJ would also be able to request the relevant BOI
from FinCEN in furtherance of law enforcement activity, allowing the
requesting Federal agency to share that BOI with DOJ would allow for
more efficient investigation and law enforcement activity. The proposed
provision would also make clear that the requesting agency can disclose
BOI to DOJ for use in litigation related to the activity for which the
BOI is requested. Such authorization will allow DOJ to have a complete
record--including BOI--when fulfilling its responsibilities to
represent the requesting agency in litigation.
Eighth, proposed 31 CFR 1010.955(c)(2)(viii) would allow a foreign
requester that receives BOI pursuant to a request made under an
international treaty, agreement, or convention to disclose and use that
BOI in accordance with the requirements of
the relevant agreement. This approach harmonizes 31 U.S.C.
5336(c)(2)(B)(ii)(II)(aa) \139\ with the process described in the
introductory paragraph in 31 U.S.C. 5336(c)(2)(B)(ii), which
establishes a preference for disclosing BOI to foreign requesters under
international agreements. For foreign requests that are not governed by
an international treaty, agreement, or convention, FinCEN would review
re-disclosure requests from foreign requesters either on a case-by-case
basis or pursuant to alternative arrangements with intermediary Federal
agencies where those intermediary Federal agencies have ongoing
relationships with the particular foreign requesters.
---------------------------------------------------------------------------
\139\ Requiring requests for BOI from foreign requesters to
``[comply] with the disclosure and use provisions of the treaty,
agreement, or convention, publicly disclosing [sic] any beneficial
ownership information received . . . .''
---------------------------------------------------------------------------
Finally, proposed 31 CFR 1010.955(c)(2)(ix) would make clear that
re-disclosing BOI obtained under 31 CFR 1010.955(b) in any
circumstances other than those defined in proposed 31 CFR
1010.955(c)(2) would be prohibited unless FinCEN provided prior
authorization for the re-disclosure in writing, or such re-disclosure
were made in accordance with applicable protocols, guidance, and
regulations as FinCEN may issue. This provision would give FinCEN the
ability to authorize, either on a case-by-case basis or categorically
through written protocols, guidance, or regulations, the re-disclosure
of BOI in limited cases to further the purposes of the CTA.\140\ FinCEN
welcomes comments on any of the proposed provisions permitting the re-
disclosure of BOI for activities consistent with the purposes of the
CTA.
---------------------------------------------------------------------------
\140\ For example, FinCEN could authorize the supervisory
component of a Federal functional regulator that identifies a CDD-
related deficiency at an FI to share BOI with its enforcement
component as part of a referral in which the BOI would be used in
furtherance of law enforcement activity.
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(c)(2)(ix) would also enable FinCEN to
authorize the re-disclosure of BOI in appropriate circumstances. For
example, FinCEN envisions instances when it might be necessary for one
law enforcement agency to disclose BOI obtained from FinCEN to another
agency for an authorized purpose. The ability to share BOI in such
circumstances would ensure that authorized recipients are able to
further the goals of the CTA of protecting U.S. national security and
combatting illicit activity, including corruption, money laundering,
tax fraud, and terrorist financing, while at the same time, ensuring
that appropriate security and confidentiality are maintained in a way
that ensures appropriate audit and oversight.
For example, a Federal agency to which FinCEN disclosed BOI in
furtherance of that agency's national security activities may identify
a possible criminal violation and need to provide the information to a
Federal law enforcement agency for investigation, and prosecution, if
appropriate. Federal agencies that are a part of a task force to target
specific criminal activity, such as drug trafficking or corruption, may
also need to share BOI within the task force. In such cases, it would
be more efficient for the agencies involved to share BOI directly among
themselves instead of each agency having to separately request the same
BOI from FinCEN.
The requirements that an agency would need to satisfy to obtain BOI
through re-disclosure are the same as those an agency would need to
satisfy to obtain BOI from FinCEN directly under this proposed rule.
FinCEN also envisions including re-disclosure limitations in the BOI
disclosure MOUs it enters into with recipient agencies. These
provisions would make clear that it would be the responsibility of a
recipient agency to take necessary steps to ensure that BOI is made
available for purposes specifically authorized by the CTA, and not for
the general purposes of the agency. Such agency-to-agency agreements
can be effective at creating and enforcing standards on use, reuse, and
redistribution of sensitive information. However, FinCEN solicits
comments from the public as to whether other mechanisms, such as the
imposition of redistribution standards by regulation, mandatory
redistribution logs, regular audit requirements, or other techniques,
may be more appropriate in this context.
v. Security and Confidentiality Requirements
The CTA directs the Secretary to establish by regulation protocols
to protect the security and confidentiality of any BOI provided
directly by FinCEN.\141\ FinCEN views safeguarding BOI to be a top
priority. The security and confidentiality of BOI would be protected
through several protocols to prevent unauthorized disclosure and to
ensure that BOI is used solely for the purposes described in the CTA.
These include high standard security protocols in the implementation of
the beneficial ownership IT system, robust MOUs that will impose
security requirements on agencies that have access to BOI, such as
current background checks on personnel accessing the information and
controls to ensure appropriate use, regular training, and robust audit
and oversight at the agency level and by FinCEN. In addition, FinCEN is
committed to regularly reviewing protocols and information security
practices to ensure they protect BOI from unauthorized use or
disclosure.
---------------------------------------------------------------------------
\141\ 31 U.S.C. 5336(c)(3)(A).
---------------------------------------------------------------------------
While the CTA enumerates specific requirements applicable to
``requesting agencies,'' FinCEN believes it is necessary and
appropriate to impose comparable requirements on FIs and foreign
requesters, taking into account considerations unique to those
recipient categories.\142\ Clear expectations for all recipients and
comparable data management requirements across different categories of
authorized recipients will facilitate high standard information
security and confidentiality practices and will contribute to more
effective audits and oversight. This subsection discusses requirements
applicable to both ``requesting agencies'' and other authorized
requesters.
---------------------------------------------------------------------------
\142\ 31 U.S.C. 5336(c)(3)(K).
---------------------------------------------------------------------------
a. Security and Confidentiality Requirements for Domestic Agencies
The CTA prescribes with specificity a number of requirements that
the Secretary must impose on requesting agencies and their heads. These
requirements affirm the importance of the security and confidentiality
protocols and the need for a high degree of accountability for the
protection of BOI.
Specifically, the statute provides that the Secretary shall require
requesting agencies to (1) ``establish and maintain, to the
satisfaction of the Secretary, a secure system in which [BOI] provided
directly by the Secretary shall be stored;'' \143\ (2) ``furnish a
report to the Secretary, at such time and containing such information
as the Secretary may prescribe, that describes the procedures
established and utilized by such agency to ensure the confidentiality
of [BOI] provided directly by the Secretary;'' \144\ (3) ``limit, to
the greatest extent practicable, the scope of information sought,
consistent with the purposes for seeking [BOI];'' \145\ and (4)
``establish and maintain, to the satisfaction of the Secretary, a
permanent system of standardized records with respect to an auditable
trail of each request for [BOI] submitted to the Secretary by the
agency, including the reason for the request, the name of the
individual who made the request, the date of the
[[Page 77420]]
request, any disclosure of [BOI] made by or to the agency, and any
other information the Secretary of the Treasury determines is
appropriate.'' \146\
---------------------------------------------------------------------------
\143\ 31 U.S.C. 5336(c)(3)(C).
\144\ 31 U.S.C. 5336(c)(3)(D).
\145\ 31 U.S.C. 5336(c)(3)(F).
\146\ 31 U.S.C. 5336(c)(3)(H).
---------------------------------------------------------------------------
The CTA also instructs the Secretary to establish by regulation
protocols: (1) ``requir[ing] the head of any requesting agency, on a
non-delegable basis, to approve the standards and procedures utilized
by the requesting agency and certify to the Secretary semi-annually
that such standards and procedures are in compliance with the
requirements of [31 U.S.C. 5336(c)(3)];'' \147\ (2) ``requir[ing] a
written certification for each authorized investigation or other
activity [giving rise to an authorized BOI disclosure] from the head of
[a Federal agency acting in furtherance of national security,
intelligence, or law enforcement activity, or a State, local, or Tribal
law enforcement agency], or their designees, that (a) states that
applicable requirements have been met, in such form and manner as the
Secretary may prescribe; and (b) at a minimum, sets forth the specific
reason or reasons why the [BOI] is relevant to [the] authorized
investigation or other activity . . .''; and (3) ``restrict[ing], to
the satisfaction of the Secretary, access to [BOI] to whom disclosure
may be made under the [CTA disclosure provisions] to only users at the
requesting agency (a) who are directly engaged in the authorized
investigation [for which BOI disclosure is authorized]; (b) whose
duties or responsibilities require such access; (c) who have undergone
appropriate training, or use staff to access the database who have
undergone appropriate training; (d) who use appropriate identity
verification mechanisms to obtain access to the information; and (e)
who are authorized by agreement with the Secretary to access the
information.'' \148\
---------------------------------------------------------------------------
\147\ 31 U.S.C. 5336(c)(3)(B).
\148\ 31 U.S.C. 5336(c)(3)(G).
---------------------------------------------------------------------------
Finally, the CTA instructs the Secretary to require requesting
agencies receiving BOI from FinCEN to ``conduct an annual audit to
verify that the [BOI] received from the Secretary has been accessed and
used appropriately, and in a manner consistent with this paragraph and
provide the results of that audit to the Secretary upon request.''
\149\ The statute imposes a corresponding requirement on the Secretary
to ``conduct an annual audit of the adherence of the agencies to the
protocols established under [31 U.S.C. 5336(c)(3)] to ensure that
agencies are requesting and using [BOI] appropriately.'' \150\
---------------------------------------------------------------------------
\149\ 31 U.S.C. 5336(c)(3)(I).
\150\ 31 U.S.C. 5336(c)(3)(J).
---------------------------------------------------------------------------
The proposed regulation would organize these requirements into two
subsections. The first, proposed 31 CFR 1010.955(d)(1)(i), would
address general requirements applicable to Federal, State, local, and
Tribal requesting agencies, including intermediary Federal agencies
acting on behalf of authorized foreign requesters, Federal functional
regulators, and other appropriate regulatory agencies. This proposed
subsection would require each requesting agency, before it could obtain
BOI, to enter into a MOU with FinCEN specifying the standards,
procedures, and systems that the agency would be required to maintain
to protect BOI.\151\ These MOUs would, among other things, memorialize
and implement requirements contained in proposed 31 CFR
1010.955(d)(1)(i), including those regarding reports and
certifications, periodic training of individual recipients of BOI,
personnel access restrictions, re-disclosure limitations, and access to
audit and oversight mechanisms. The MOUs would also include security
plans covering topics related to personnel security (e.g., eligibility
limitations, screening standards, certification and notification
requirements); physical security (system connections and use,
conditions of access, data maintenance); computer security (use and
access policies, standards related to passwords, transmission, storage,
and encryption); and inspections and compliance. Agencies may rely on
existing databases and related IT infrastructure to satisfy the
requirement to ``establish and maintain'' secure systems in which to
store BOI where those systems have appropriate security and
confidentiality protocols, and FinCEN will engage with recipient
agencies on this issue during the development of an MOU on BOI sharing.
---------------------------------------------------------------------------
\151\ 31 CFR 1010.955(d)(1)(i)(A).
---------------------------------------------------------------------------
Because security protocol details may vary based on each agency's
particular circumstances and capabilities, FinCEN believes individual
MOUs are preferable to a ``one-size-fits-all'' approach of specifying
particular requirements by regulation. FinCEN invites comment on this
MOU-based approach, and on whether additional requirements should be
incorporated into the regulations or into FinCEN's MOUs.
The second subsection would apply to each request for BOI. It
includes specific requirements with which each individual request for
BOI must comply, as described in the CTA, as well as additional
requirements that FinCEN believes are necessary to ensure that BOI is
subject to security and confidentiality requirements of a sufficiently
high standard.\152\
---------------------------------------------------------------------------
\152\ The additional measures are being proposed pursuant to the
authority delegated to FinCEN under 31 U.S.C. 5336(c)(3)(K).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(d)(1)(ii)(A) (referred to as a
``minimization'' requirement) would require all requesting agencies to
limit, to the greatest extent practicable, the amount of BOI they seek,
consistent with the agency's purpose for seeking it. The provision
mirrors the CTA requirement at 31 U.S.C. 5336(c)(3)(F) and would
enhance information security and confidentiality by limiting disclosure
of BOI only to those situations in which BOI is necessary for a
particular purpose.
Proposed 31 CFR 1010.955(d)(1)(ii)(B)(1) would incorporate the
requirement of 31 U.S.C. 5336(c)(3)(E) that the head of a requesting
Federal agency acting in furtherance of national security,
intelligence, or law enforcement activity, or their designees, certify
in writing, for each request made by the agency to FinCEN, that (1) the
agency was engaged in a national security, intelligence, or law
enforcement activity, and (2) the BOI requested was for use in
furthering that activity, setting forth specific reasons why the
requested BOI was relevant. FinCEN expects that the certification and
justification would be made by the individual at the authorized Federal
agency at the time of the BOI request. Similarly, proposed 31 CFR
1010.955(d)(1)(ii)(B)(2) would require the head of a requesting State,
local, or Tribal law enforcement agency, or their designee, to submit
to FinCEN a copy of the court authorization required under proposed 31
CFR 1010.955(b)(2), as well as a written justification setting forth
specific reasons why the requested information was relevant to the
investigation. FinCEN believes that collecting the underlying court
authorizations will help to ensure compliance with 31 U.S.C.
5336(c)(2)(B)(i)(II) and facilitate audit and oversight of such
requests. Moreover, the submission of brief justification narratives
will make it easier for FinCEN personnel to identify the relevant
information in a court authorization, thereby allowing for faster
reviews and more focused audits. FinCEN considered not requiring State,
local, and Tribal law enforcement agencies to submit corresponding
justifications in addition to the court authorizations, but in some
cases the
[[Page 77421]]
relationship between a court authorization and the search in question
might not be apparent on the face of the court authorization.
Proposed 31 CFR 1010.955(d)(1)(ii)(B)(3) and (4) would identify the
information that an intermediary Federal agency would need to obtain,
and in some cases, submit to FinCEN, when making a request for BOI on
behalf of foreign law enforcement, prosecutors, or judges. The
information that would need to be submitted to FinCEN pursuant to these
provisions is dependent on whether the foreign request at issue is
pursuant to an international treaty, agreement, or convention.
Regardless of whether an international treaty, agreement, or
convention applies, the head of an intermediary Federal agency acting
on behalf of a foreign requester, or their designee, would always need
to: (1) identify to FinCEN the individual within the intermediary
Federal agency making the request; (2) identify to FinCEN the
individual affiliated with the foreign requester on whose behalf the
request is being made; and (3) either identify to FinCEN the
international treaty, agreement, or convention under which the request
was being made or provide a statement that no such instrument governs.
When an international treaty, agreement, or convention applies, the
head of an intermediary Federal agency acting on behalf of a foreign
requester, or their designee, would need to retain the request for
information under the relevant international treaty, agreement, or
convention, and would also have to certify to FinCEN that the requested
BOI is for use in furtherance of a law enforcement investigation or
prosecution, or for a national security or intelligence activity, that
is authorized under the laws of the relevant foreign country. This
certification would apply to the intermediary Federal agency head or
designee's understanding of the intended use for the BOI, and would not
constitute a guarantee from the intermediary Federal agency that the
foreign requester would not use the information for other activities
without authorization.
In circumstances in which an international treaty, agreement, or
convention does not apply, the head of an intermediary Federal agency
acting on behalf of a foreign requester, or their designee, would need
to submit to FinCEN a written explanation of the specific purpose for
which the foreign requester is requesting BOI. The intermediary Federal
agency would also need to provide FinCEN with a certification that
requested BOI: (1) will be used in furtherance of a law enforcement
investigation or prosecution, or for a national security or
intelligence activity that is authorized under the laws of the relevant
foreign country; (2) will only be used for the particular purpose or
activity for which it is requested; and (3) will be handled in
accordance with applicable security and confidentiality requirements as
discussed in detail in Section IV.A.v.c. below with respect to proposed
31 CFR 1010.955(d)(3). Again, this certification would apply to the
intermediary Federal agency head or designee's understanding of the
intended use for the BOI, and would not constitute a guarantee from the
intermediary Federal agency that the foreign requester would not use
the information for other activities without authorization. The
proposed rule further specifies that FinCEN may request additional
information to support its evaluation of whether to disclose BOI to a
foreign requester when a request is not pursuant to an international
treaty, agreement, or convention. FinCEN anticipates the implementation
of a case management function in the beneficial ownership IT system to
manage this information and certification submission process.
Finally, proposed 31 CFR 1010.955(d)(1)(ii)(B)(5) would require the
head of Federal functional regulators and other appropriate regulatory
agencies, or their designee, to certify to FinCEN when requesting BOI
that the agency (1) is authorized by law to assess, supervise, enforce,
or otherwise determine the relevant FI's compliance with CDD
requirements under applicable law, and (2) will use the information
solely for the purpose of conducting the assessment, supervision, or
authorized investigation or activity described in proposed 31 CFR
1010.955(b)(4)(ii)(A).
b. Security and Confidentiality Requirements for FIs
Although the CTA does not specifically address the safeguards FIs
must implement as a precondition to requesting BOI, the CTA authorizes
FinCEN to prescribe by regulation any other safeguards determined to be
necessary or appropriate to protect the confidentiality of BOI.\153\
Proposed 31 CFR 1010.955(d)(2) contains the safeguards applicable to
FIs, including security standards for managing the BOI data.
---------------------------------------------------------------------------
\153\ 31 U.S.C. 5336(c)(3)(K).
---------------------------------------------------------------------------
Any security standards FinCEN imposes should keep BOI reasonably
secure and confidential, but not be so stringent as to make the
information practically inaccessible or useless to FIs. Such overly
burdensome requirements would frustrate the CTA's objective of
facilitating FI compliance with CDD requirements under applicable law.
To strike an appropriate balance, proposed 31 CFR 1010.955(d)(2)(i)
would take a principles-based approach by requiring FIs to develop and
implement administrative, technical, and physical safeguards reasonably
designed to protect BOI as a precondition for receiving BOI. Although
proposed 31 CFR 1010.955(d)(2)(i) would not prescribe any specific
safeguards, it would establish that the security and information
handling procedures necessary to comply with section 501 of the Gramm-
Leach-Bliley Act (Gramm-Leach-Bliley) \154\ and applicable regulations
issued under it to protect non-public customer personal information, if
applied to BOI under the control of the FI, would satisfy this
requirement. This would be true for any FI, regardless of whether that
FI was subject to section 501, so long as the FI actually applied
procedures at the appropriate level of protection. The safe harbor in
proposed 31 CFR 1010.955(d)(2)(i) would therefore establish baseline
security and confidentiality standards that are the same for all FIs.
The approach of establishing a baseline standard would be consistent
with other provisions in FinCEN's regulations that impose standards for
handling sensitive information.\155\
---------------------------------------------------------------------------
\154\ Public Law 106-102, 113 Stat. 1338, 1436-37 (1999).
\155\ See, e.g., 31 CFR 1010.520(b)(3)(iv)(C), 31 CFR
1010.540(b)(4)(ii).
---------------------------------------------------------------------------
Section 501 of Gramm-Leach-Bliley, codified at 15 U.S.C. 6801(b)
and 6805, requires each Federal functional regulator to establish
appropriate standards for the FIs subject to its jurisdiction relating
to administrative, technical, and physical safeguards to (1) ensure the
security and confidentiality of customer records and information; (2)
protect against any anticipated threats or hazards to the security or
integrity of such records; and (3) protect against unauthorized access
to or use of such records or information which could result in
substantial harm or inconvenience to any customer. The Federal
functional regulators have implemented these requirements in different
ways. The OCC, FRB, FDIC, and NCUA incorporated into their regulations
the Interagency Guidelines Establishing Interagency Security
[[Page 77422]]
Standards (Interagency Guidelines).\156\ The Interagency Guidelines add
detail to the more general Gramm-Leach-Bliley requirements, covering
specific subjects related to identifying, managing, and controlling
risk (e.g., physical and electronic access controls, encryption and
training requirements, and testing). The CFTC has incorporated the
Gramm-Leach-Bliley expectations of FIs into its regulations \157\ and
recommended best practices for meeting them that are ``designed to be
generally consistent with'' the Interagency Guidelines.\158\ The SEC
has also incorporated the Gramm-Leach-Bliley expectations of FIs into
its regulations,\159\ but evaluates the reasonableness of Gramm-Leach-
Bliley compliance policies and procedures on a case-by-case basis and
communicates findings of insufficiency through supervision and
enforcement actions.\160\
---------------------------------------------------------------------------
\156\ See Interagency Guidelines Establishing Standards for
Safeguarding Customer Information and Rescission of Year 2000
Standards for Safety and Soundness, 66 FR 8616 (Feb. 1, 2001). The
agencies' implementing regulations are at 12 CFR part 30, app. B
(OCC); 12 CFR part 208, app. D-2 and part 225, app. F (FRB); 12 CFR
part 364, app. B (FDIC); and 12 CFR part 748, apps. A & B (NCUA).
\157\ See 17 CFR 160.
\158\ See CFTC Staff Advisory No. 14-21 (February 16, 2014).
\159\ See 17 CFR 248.30(a).
\160\ See, e.g., Morgan Stanley Smith Barney, SEC Administrative
Proceeding File No. 3-21112 (Sept. 20, 2022).
---------------------------------------------------------------------------
This blended approach for complying with the Gramm-Leach-Bliley
requirements is well-suited to protecting sensitive information
generally and BOI in particular. Gramm-Leach-Bliley provides general
baseline expectations for keeping data secure and confidential, while
each agency's implementing regulations take into account factors unique
to the FIs they supervise. Allowing FIs to meet the requirement to
safeguard BOI by extending to it the same processes they use to comply
with regulations issued pursuant to section 501 of Gramm-Leach-Bliley
would avoid duplicative or inconsistent requirements for information
security and protocols and would be less burdensome for FIs to
administer without sacrificing a high level of protection.
In order to ensure that security and confidentiality standards are
consistent across the entire financial industry, even FIs not subject
to regulations issued pursuant to section 501 of Gramm-Leach-Bliley
would be held to these same substantive standards. For FIs not subject
to section 501, the Interagency Guidelines might serve as a useful
checklist against which such FIs could evaluate their existing security
and confidentiality practices, and a useful guide to possible
modifications to bring the FI to the level of security and
confidentiality necessary to justify obtaining BOI.
Proposed 31 CFR 1010.955(d)(2)(ii) would require FIs to obtain and
document a reporting company's consent before requesting that reporting
company's BOI from FinCEN. FIs are well-positioned to obtain consent--
and to track any revocation of such consent--given that they maintain
direct customer relationships and are able to leverage existing
onboarding and account maintenance processes to obtain reporting
company consent. FinCEN considered the alternative approach of FinCEN
obtaining consent directly from the reporting company, but rejected the
approach given potential delays and the lack of any direct relationship
with the reporting company.
Finally, proposed 31 CFR 1010.955(d)(2)(iii) would require the FI
to certify in writing for each BOI request that it: (1) is requesting
the information to facilitate its compliance with CDD requirements
under applicable law, (2) obtained the reporting company's written
consent to request its BOI, and (3) fulfilled the other requirements of
the section. FinCEN anticipates that an FI would be able to make the
certification via a checkbox when requesting BOI via the beneficial
ownership IT system. FinCEN expects that FIs will establish protocols
to direct authorized staff to ensure that the requirements are
satisfied and that appropriate records are maintained for the purposes
of audit and oversight. FinCEN further expects FIs to provide training
on these protocols and to require system users from FIs to complete
FinCEN-provided online training about the system and related
responsibilities as a condition for creating and maintaining system
accounts.
Under the proposed rule, FinCEN would not require FIs to submit
proof of reporting company consent at the time of the request for BOI.
FinCEN would not have the capacity to review, verify, and store consent
forms and additional FinCEN involvement would create undue delays for
the ability of FIs to onboard customers. In addition, FinCEN expects
that FI compliance with these requirements would be assessed by Federal
functional regulators in the ordinary course during safety and
soundness examinations or by the SROs during their routine BSA
examinations.\161\ FIs therefore have a strong incentive to retain
evidence of a reporting company's consent for the purposes of
supervisory examinations and compliance and for use in cases involving
suspected or alleged violations of the requirement. Together with
potential civil and criminal penalties under the CTA, such examinations
would create a robust control and oversight mechanism. FinCEN invites
comments on this proposed approach to FI security and confidentiality
requirements, including any views regarding how consent should be
obtained from reporting companies and on the applicability of auditing
requirements to FIs.
---------------------------------------------------------------------------
\161\ The CTA requirements FIs must satisfy to qualify for BOI
disclosure from FinCEN are part of the BSA, a statute enacted in
pertinent part in Chapter X of the Code of Federal Regulations.
FinCEN has delegated its authority to examine FIs for compliance
with Chapter X to the Federal functional regulators. See 31 CFR
1010.810. See also, e.g., 12 U.S.C. 1818(s)(2), 12 U.S.C.
1786(q)(2).
---------------------------------------------------------------------------
c. Security and Confidentiality Requirements for Foreign Requesters
It is critical that all authorized BOI recipients--including
foreign requesters--take steps to keep BOI confidential and secure and
to prevent misuse. To that end, proposed 31 CFR 1010.955(d)(3)(i) would
require foreign requesters to handle, disclose, and use BOI consistent
with the requirements of the applicable treaty, agreement or convention
under which it was requested. 31 CFR 1010.955(d)(3)(ii), meanwhile,
would impose on foreign BOI requesters certain general requirements the
CTA imposes on all requesting agencies. FinCEN believes these measures
are necessary to protect the security and confidentiality of BOI
provided to foreign requesters.\162\ Requirements applicable to foreign
requesters when no treaty, agreement, or convention applies include
having security standards and procedures, maintaining a secure storage
system that complies with whatever security standards the foreign
requester applies to the most sensitive unclassified information it
handles, minimizing the amount of information requested, and
restricting personnel access to it. Foreign requesters that request and
receive BOI under an applicable international treaty, agreement, or
convention would not have these requirements under the proposed rule,
given that such requesters would be governed by standards and
procedures under the applicable international treaty, agreement, or
convention.
---------------------------------------------------------------------------
\162\ See 31 U.S.C. 5336(c)(3)(A), (K).
---------------------------------------------------------------------------
[[Page 77423]]
FinCEN considered proposing a requirement that foreign requesters
enter into MOUs comparable to domestic requesting agencies for
situations in which an international treaty, agreement, or convention
applies. The bureau decided not to propose such an approach because
foreign requesters will not have direct access to the beneficial
ownership IT system and because FinCEN anticipates a significantly
lower volume of foreign requests in general relative to other
stakeholders. FinCEN believes MOUs are appropriate with domestic
agencies to account for the risks inherent in repeated, detailed
interaction with the beneficial ownership IT system. Foreign BOI
requesters, by contrast, would only receive BOI through intermediary
Federal agencies that would themselves be subject to detailed MOUs.
Those intermediary Federal agencies would in turn work with foreign
requesters to safeguard BOI in accordance with applicable treaties,
agreements, or conventions when applicable, and under governing
protocols in other circumstances.
FinCEN considered imposing audit requirements on foreign requesters
as part of these security and confidentiality protocols, but determined
that it would not be feasible. First, in situations involving
international treaties, agreements, or conventions, such audits would
only be permissible if allowed by the international agreement. In
situations in which no such international agreement applied, it would
nevertheless be practically challenging for FinCEN to conduct
meaningful audits of a foreign requester's BOI handling systems and
practices given that it would involve extensive negotiations and the
commitment of substantial FinCEN personnel to considerable document
review (potentially involving translation) and travel. Foreign
governments under any circumstances are also unlikely to grant FinCEN
access to their secure IT systems to the degree that a comprehensive
audit demands. While FinCEN considered whether to refrain from sharing
information with a foreign requester that refused to be subject to
audit requirements, such an approach would result in reduced
information sharing and cooperation overall. The United States
regularly collaborates bilaterally and in global task forces, for
example, to combat terrorism, transnational criminal organizations, and
other threats to national security. The success of these initiatives
depends upon effective international cooperation and robust efforts by
foreign counterparts. Those foreign counterparts might decide not to
request BOI at all, depriving our partners of information that would
support these efforts, with potentially negative direct consequences
for the United States.
FinCEN invites comments on its proposal with respect to security
and confidentiality requirements applicable to foreign requesters.
vi. Administration of Requests for Information Reported Pursuant to 31
CFR 1010.380
The CTA includes several provisions regarding how FinCEN should
administer requests for BOI. Proposed 31 CFR 1010.955(e) would
implement these CTA provisions.
Proposed 31 CFR 1010.955(e)(1) would require agencies and FIs to
submit requests for BOI to FinCEN in the form and manner FinCEN shall
prescribe.\163\ The bureau intends to provide additional detail
regarding the form and manner of BOI requests for all categories of
authorized users through specific instructions and guidance as it
continues developing the beneficial ownership IT system. To the extent
required by the Paperwork Reduction Act (PRA), FinCEN would publish for
notice and comment any proposed information collection associated with
BOI requests.
---------------------------------------------------------------------------
\163\ 31 U.S.C. 5336(c)(2)(C).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(e)(2) would implement 31 U.S.C.
5336(c)(6)(B), which describes the circumstances under which the
Secretary ``may decline to provide'' requested BOI. The CTA describes
three permissible reasons for declining to provide BOI: (1) a
``requesting agency'' failing to meet applicable requirements; (2)
``the information is being requested for an unlawful purpose;'' or (3)
``other good cause exists to deny the request.'' \164\ Proposed 31 CFR
1010.955(e)(2) would make minor changes to the statutory text to
clarify its scope and to provide appropriate cross references. While 31
U.S.C. 5336(c)(6)(B)(i) speaks directly to requests made by a
``requesting agency,'' FinCEN believes the CTA also permits the bureau
to deny requests from any authorized recipient, including FIs, that
fail to comply with any requirements to receive BOI (e.g., refusing to
obtain consent from reporting companies before making BOI requests or
failing to fully comply with the proposed security and confidentiality
requirements).\165\ FinCEN's ability to decline requests in these
circumstances is necessary to ``protect the security and
confidentiality of [BOI]'' that the agency provides to authorized
recipients.\166\ Moreover, FinCEN would consider an FI's failure to
comply with any requirements to constitute ``good cause'' sufficient to
justify denying a request for BOI.\167\
---------------------------------------------------------------------------
\164\ Id.
\165\ See 31 U.S.C. 5336(c)(3)(A).
\166\ Id.; see also 31 U.S.C. 5336(c)(3)(K).
\167\ 31 U.S.C. 5663(c)(6)(B)(iii).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(e)(3) would specify that the reasons for
rejecting a request are also bases for suspension or debarment. The CTA
permits the Secretary to suspend or debar a ``requesting agency'' from
access to BOI for any of the reasons for rejection in the preceding
paragraph, including for ``repeated or serious violations'' of any
requirement established as a precondition for receiving BOI.\168\
FinCEN would again extend the availability of the suspension or
debarment authority to FIs to ensure the integrity of BOI, ensure the
security of the beneficial ownership IT system, and implement the
confidentiality requirements imposed by the CTA. Under the proposed
rule, suspension of access to BOI would be a temporary measure, while
debarment would be permanent. The proposed rule would also permit
FinCEN to determine in its sole discretion the length of any
suspension. Additionally, the proposed rule would clarify that FinCEN
may reinstate suspended or debarred requesters upon satisfaction of any
terms or conditions FinCEN in its sole discretion believes are
appropriate. As with the authority to reject requests, FinCEN views
suspension and debarment as important tools for protecting sensitive
information from potential misuse.
---------------------------------------------------------------------------
\168\ 31 U.S.C. 5336(c)(7).
---------------------------------------------------------------------------
vii. Violations; Penalties
The CTA makes it unlawful for any person to knowingly disclose or
knowingly use BOI obtained by the person through a report submitted to,
or an authorized disclosure made by, FinCEN, unless such disclosure is
authorized under the CTA.\169\ Proposed 31 CFR 1010.955(f)(1) tracks
this prohibition, and further clarifies that such disclosure authorized
under the CTA includes disclosure authorized under the regulations
issued pursuant to the CTA. Proposed 31 CFR 1010.955(f)(2) then
explains that for purposes of paragraph (f)(1), unauthorized use would
include any unauthorized accessing of information submitted to FinCEN
under 31 CFR 1010.380, including any activity in
which an employee, officer, director, contractor, or agent of a
Federal, State, local, or Tribal agency or FI knowingly violates
applicable security and confidentiality requirements in connection with
accessing such information.\170\ This reflects FinCEN's view that the
security and confidentiality requirements under the CTA and this
proposed rule circumscribe the ways in which authorized recipients can
use BOI, consistent with the statute's emphasis on keeping BOI secure
and confidential.
---------------------------------------------------------------------------
\169\ See 31 U.S.C. 5336(h)(2).
\170\ 31 U.S.C. 5336(c)(4) explicitly applies civil and criminal
penalties to employees and officers of ``requesting agencies'' who
violate applicable security and confidentiality protocols, including
through unauthorized disclosure or use. FinCEN views this as a self-
executing reinforcement provision to support 31 U.S.C.
5336(h)(3)(B), which focuses on unlawful disclosure or use by any
person.
---------------------------------------------------------------------------
Proposed 31 CFR 1010.955(f)(3) lists the CTA's enumerated civil and
criminal penalties for knowingly disclosing or using BOI without
authorization. The CTA provides civil penalties in the amount of $500
for each day a violation continues or has not been remedied. Criminal
penalties are a fine of not more than $250,000 or imprisonment for not
more than 5 years, or both.\171\ The CTA also provides for enhanced
criminal penalties, including a fine of up to $500,000, imprisonment of
not more than 10 years, or both, if a person commits a violation while
violating another law of the United States or as part of a pattern of
any illegal activity involving more than $100,000 in a 12-month
period.\172\
---------------------------------------------------------------------------
\171\ 31 U.S.C. 5336(h)(3)(B).
\172\ See 31 U.S.C. 5336(h)(3)(B)(ii)(II).
---------------------------------------------------------------------------
B. Use of FinCEN Identifiers for Entities
A FinCEN identifier is a unique identifying number that FinCEN will
issue to individuals who have provided FinCEN with their BOI and to
reporting companies that have filed initial BOI reports.\173\
Consistent with the CTA, the final BOI reporting rule describes the
manner in which FinCEN will issue a FinCEN identifier to individuals
and to entities.\174\ It also describes circumstances in which a
reporting company may report an individual beneficial owner's FinCEN
identifier to FinCEN in lieu of providing the individual's BOI.\175\
---------------------------------------------------------------------------
\173\ 31 U.S.C. 5336(b)(3).
\174\ See 31 CFR 1010.380(b)(4).
\175\ See 31 CFR 1010.380(b)(4)(ii)(B).
---------------------------------------------------------------------------
The CTA also provides for the use of a reporting company's FinCEN
identifier, specifying that if an individual ``is or may be a
beneficial owner of a reporting company by an interest held by the
individual in an entity that, directly or indirectly, holds an interest
in the reporting company,'' the reporting company may report the
entity's FinCEN identifier in lieu of providing the individual's
BOI.\176\ The Reporting NPRM proposed to incorporate this language
without significant clarification. Some commenters, however, expressed
concerns that the use of FinCEN identifiers could obscure the
identities of beneficial owners in a manner that might result in
greater secrecy or incomplete or misleading disclosures. Several
commenters noted that the proposed language may be confusing and pose
problems when a reporting company's ownership structure involves
multiple beneficial owners and intermediate entities. In light of this
feedback, the final BOI reporting rule did not adopt the proposed
language, and FinCEN is now proposing different language to implement
the CTA in a manner that better clarifies when a company may report an
intermediate entity's FinCEN identifier in lieu of an individual's BOI.
---------------------------------------------------------------------------
\176\ 31 U.S.C. 5336(b)(3)(C).
---------------------------------------------------------------------------
Proposed 31 CFR 1010.380(b)(4)(ii)(B) would permit a reporting
company to report an intermediate entity's FinCEN identifier in lieu of
a beneficial owner's BOI only when: (1) the intermediate entity has
obtained a FinCEN identifier and provided that FinCEN identifier to the
reporting company; (2) an individual is or may be a beneficial owner of
the reporting company by virtue of an interest in the reporting company
that the individual holds through the entity; and (3) only the
individuals that are beneficial owners of the intermediate entity are
beneficial owners of the reporting company, and vice versa. The first
and second requirements are straightforward clarifications, while the
third requirement reflects an implicit assumption in the statutory
language.
It is straightforward to allow a reporting company to use an
intermediate entity's FinCEN identifier where a single individual is
the sole beneficial owner of a reporting company through a single
intermediate entity. In this simple scenario, the same individual would
be the beneficial owner of both the reporting company and the
intermediate entity. Reporting the intermediate entity's FinCEN
identifier in lieu of the individual's BOI would thus accurately
indicate that the individual is a beneficial owner of both entities,
and the intermediate entity would have already reported the
individual's BOI when it filed its initial report and obtained a FinCEN
identifier. However, the use of an intermediate company's FinCEN
identifier beyond this simple scenario encounters significant problems
when a reporting company's ownership structure involves multiple
beneficial owners and/or intermediate entities. For instance, if the
intermediate entity has any beneficial owners who are not also
beneficial owners of the reporting company, the reporting company's use
of the intermediate entity's FinCEN identifier would identify multiple
individuals as beneficial owners of the reporting company, when in fact
they are only beneficial owners of the intermediate entity.
Additionally, if an individual is a beneficial owner of a reporting
company through multiple intermediate entities but is not a beneficial
owner of one of those entities, the reporting company's use of that
entity's FinCEN identifier could obscure the identity of that
beneficial owner. In this case, the reporting company's use of an
intermediate entity's FinCEN identifier would fail to identify an
individual as a beneficial owner of the reporting company, when in fact
the individual is such a beneficial owner.
In light of the core objective of the CTA to establish a
comprehensive beneficial ownership database and to ensure that the
information it contains is accurate and highly useful, FinCEN does not
believe the FinCEN identifier provision was intended to enable
reporting companies to misidentify beneficial owners. As explained in
the prior paragraph, there are some scenarios in which FinCEN would be
unable to accurately identify which reported beneficial owners are
extraneous, or which BOI reports are incomplete, thereby making it more
difficult for FinCEN and authorized recipients of BOI to identify the
true beneficial owners of each reporting company. This would make the
beneficial ownership database less accurate and undermine the
fundamental goals of the CTA. Moreover, FIs that obtain BOI reports
that are either under- or over-inclusive may have difficulty
reconciling this BOI with other information they receive during the CDD
process, impeding another goal of the CTA. Furthermore, over-inclusive
BOI would require FinCEN to disclose more BOI than necessary in
response to authorized requests. Instead of only disclosing BOI for
individuals who are beneficial owners of the reporting company that is
the subject of a request, FinCEN would have to also disclose BOI for
other individuals who are beneficial owners of a different company that
may not be
the subject of the request. This over-disclosure would be in
significant conflict with the confidentiality and privacy protections
the CTA instructs FinCEN to implement, including the requirement to
``limit, to the greatest extent practicable, the scope of the
information sought.'' \177\
---------------------------------------------------------------------------
\177\ 31 U.S.C. 5336(c)(3)(F).
---------------------------------------------------------------------------
For all of these reasons, permitting a reporting company to use an
intermediate entity's FinCEN identifier would appear consistent with
the CTA's overall statutory scheme only if the two entities have the
same beneficial owners. In this case, as in the simple scenario
previously described, reporting the intermediate entity's FinCEN
identifier would be equivalent to reporting the BOI of the reporting
company's beneficial owners. There would be no mismatch. Accordingly,
proposed 31 CFR 1010.380(b)(4)(ii)(B) makes this requirement explicit
by permitting a reporting company to report an intermediate entity's
FinCEN identifier only when the intermediate entity and the reporting
company have the same beneficial owners. FinCEN believes this
requirement is implicit in the CTA, and is necessary for FinCEN to
avoid collection of potentially incomplete information and to prevent
disclosure of inaccurate reports that contain extraneous sensitive
information or that lack relevant BOI. FinCEN solicits comment on this
proposal.
V. Final Rule Effective Date
FinCEN is proposing an effective date of January 1, 2024, to align
with the date on which the final BOI reporting rule at 31 CFR 1010.380
becomes effective. A January 1, 2024, effective date is intended to
provide the public and authorized users of BOI with sufficient time to
review and prepare for implementation of the rule. FinCEN solicits
comment on the proposed effective date for this rule.
VI. Request for Comment
FinCEN seeks comment from all parts of the public, as well as
Federal, State, local, and Tribal government entities, with respect to
the proposed rule as a whole and specific provisions discussed above in
Section IV. FinCEN invites comment on any and all aspects of the
proposed rule, and specifically seeks comments on the following
questions:
Understanding the Rule
1. Can the organization of the rule text be improved? If so, how?
2. Can the language of the rule text be improved? If so, how?
3. Does the proposed rule provide sufficient guidance to
stakeholders and the public regarding the scope and requirements for
access to BOI?
Disclosure of Information
4. The CTA prohibits officers and employees of (1) the United
States, (2) State, local, and Tribal agencies, and (3) FIs and
regulatory agencies from disclosing BOI reported under the statute.
FinCEN proposes to extend the prohibition to agents, contractors, and,
in the case of FIs, directors as well. FinCEN invites comments on the
proposed scope.
5. Are FinCEN's proposed interpretations of ``national security,''
``intelligence,'' and ``law enforcement'' clear enough to be useful
without being overly prescriptive? If not, what should be different?
Commenters are invited to suggest alternative interpretations or
sources for reference.
6. Should FinCEN add any specific activities or elements to the
proposed interpretations of ``national security,'' ``intelligence,''
and ``law enforcement'' that do not seem to be covered already? If so,
what?
7. FinCEN requests comments discussing how State, local, and Tribal
law enforcement agencies are authorized by courts to seek information
in criminal and civil investigations. Among the particular issues that
FinCEN is interested in are: how State, local, and Tribal authorities
gather evidence in criminal and civil cases; what role a court plays in
each of these mechanisms, and whether in the commenter's opinion it
rises to the level of court ``authorization''; what role court officers
(holders of specific offices, not attorneys as general-purpose officers
of the court) play in these mechanisms; how grand jury subpoenas are
issued and how the court officers issuing them are ``authorized'' by a
court; whether courts of competent jurisdiction, or officers thereof,
regularly authorize subpoenas or other investigative steps via court
order; and whether there are any evidence-gathering mechanisms through
which State, local, or Tribal law enforcement agencies should be able
to request BOI from FinCEN, but that do not require any kind of court?
8. Is requiring a foreign central authority or foreign competent
authority to be identified as such in an applicable international
treaty, agreement, or convention overly restrictive? If so, what is a
more appropriate means of identification?
9. Are there alternative approaches to managing the foreign access
provision of the CTA that FinCEN should consider?
10. Should FinCEN define the term ``trusted foreign country'' in
the rule, and if so, what considerations should be included in such a
definition?
11. FinCEN proposes that FIs be required to obtain the reporting
company's consent in order to request the reporting company's BOI from
FinCEN. FinCEN invites commenters to indicate what barriers or
challenges FIs may face in fulfilling such a requirement, as well as
any other considerations.
12. FinCEN proposes to define ``customer due diligence requirements
under applicable law'' to mean the bureau's 2016 CDD Rule, as it may be
amended or superseded pursuant to the AML Act. The 2016 CDD Rule
requires FIs to identify and verify beneficial owners of legal entity
customers. Should FinCEN expressly define ``customer due diligence
requirements under applicable law'' as a larger category of
requirements that includes more than identifying and verifying
beneficial owners of legal entity customers? If so, what other
requirements should the phrase encompass? How should the broader
definition be worded? It appears to FinCEN that the consequences of a
broader definition of this phrase would include making BOI available to
more FIs for a wider range of specific compliance purposes, possibly
making BOI available to more regulatory agencies for a wider range of
specific examination and oversight purposes, and putting greater
pressure on the demand for the security and confidentiality of BOI. How
does the new balance of those consequences created by a broader
definition fulfill the purpose of the CTA?
13. If FinCEN wants to limit the phrase ``customer due diligence
requirements under applicable law'' to apply only to requirements like
those imposed under its 2016 CDD Rule related to FIs identifying and
verifying beneficial owners of legal entity customers, are there any
other comparable requirements under Federal, State, local, or Tribal
law? If so, please specifically identify these requirements and the
regulatory bodies that supervise for compliance with or enforce them.
14. Are there any State, local, or Tribal government agencies that
supervise FIs for compliance with FinCEN's 2016 CDD Rule? If so, please
identify them.
15. FinCEN does not propose to disclose BOI to SROs as ``other
appropriate regulatory agencies,'' but does propose to authorize FIs
that receive BOI from FinCEN to disclose it to SROs that meet specified
qualifying
criteria. Is this sufficient to allow SROs to perform duties delegated
to them by Federal functional regulators and other appropriate
regulatory agencies? Are there reasons why SROs could be included as
``other appropriate regulatory agencies'' and obtain BOI directly from
FinCEN?
16. Are there additional circumstances under which FinCEN is
authorized to disclose BOI that are not reflected in this proposed
rule?
Use of Information
17. FinCEN proposes to permit U.S. agencies to disclose BOI
received under 31 CFR 1010.955(b)(1) or (2) to courts of competent
jurisdiction or parties to civil or criminal proceedings. Is this
authorization appropriately scoped to allow for the use of BOI in civil
or criminal proceedings?
18. In proposed 31 CFR 1010.955(c)(2)(v), FinCEN proposes to
establish a mechanism to authorize, either on a case-by-case basis or
categorically through written protocols, guidance, or regulations, the
re-disclosure of BOI in cases not otherwise covered under 31 CFR
1010.955(c)(2) and in which the inability to share the information
would frustrate the purposes of the CTA because of the categorical
prohibitions against disclosures at 31 U.S.C. 5336(c)(2)(A). Are there
other categories of redisclosures that FinCEN should consider
authorizing? Are there particular handling or security protocols that
FinCEN should consider imposing with respect to such re-disclosures of
BOI?
19. Could a State regulatory agency qualify as a ``State, local, or
Tribal law enforcement agency'' under the definition in proposed 31 CFR
1010.955(b)(2)(ii)? If so, please describe the investigation or
enforcement activities involving potential civil or criminal violations
of law that such agencies may undertake that would require access to
BOI.
Security and Confidentiality Requirements
20. Should FinCEN impose any additional security or confidentiality
requirements on authorized recipients of any type? If so, what
requirements and why?
21. The minimization component of the security and confidentiality
requirements requires limiting the ``scope of information sought'' to
the greatest extent possible. FinCEN understands this phrase, drawn
from the language of the CTA, to mean that requesters should tailor
their requests for information as narrowly as possible, consistent with
their needs for BOI. Such narrow tailoring should minimize the
likelihood that a request will return BOI that is irrelevant to the
purpose of the request or unhelpful to the requester. Does the phrase
used in the regulation convey this meaning sufficiently clearly, or
should it be expanded, and if so how?
22. Because security protocol details may vary based on each
agency's particular circumstances and capabilities, FinCEN believes
individual MOUs are preferable to a one-size-fits-all approach of
specifying particular requirements by regulation. FinCEN invites
comment on this MOU-based approach, and on whether additional
requirements should be incorporated into the regulations or into
FinCEN's MOUs.
23. FinCEN proposes to require FIs to limit BOI disclosure to FI
directors, officers, employees, contractors, and agents within the
United States. Would this restriction impose undue hardship on FIs?
What are the practical implications and potential costs of this
limitation?
24. Are the procedures FIs use to protect non-public customer
personal information in compliance with section 501 of Gramm-Leach-
Bliley sufficient for the purpose of securing BOI disclosed by FinCEN
under the CTA? If not, is there another set of security standards
FinCEN should require FIs to apply to BOI?
25. Are the standards established by section 501 of Gramm-Leach-
Bliley, its implementing regulations, and interagency guidance
sufficiently clear such that FIs not directly subject to that statute
will know how to comply with FinCEN's requirements with respect to
establishing and implementing security and confidentiality standards?
26. Do any states impose, and supervise for compliance on, security
and confidentiality requirements comparable to those that FFRs are
required to impose on FIs under section 501 of Gramm-Leach-Bliley?
Please provide examples of such requirements.
Outreach
29. What specific issues should FinCEN address via public guidance
or FAQs? Are there specific recommendations on engagement with
stakeholders to ensure that the authorized recipients, and in
particular, State, local, and Tribal authorities and small and mid-
sized FIs, are aware of requirements for access to the beneficial
ownership IT system?
FinCEN Identifiers
30. Does FinCEN's proposal with respect to an entity's use of a
FinCEN identifier adequately address the potential under- or over-
reporting issues discussed in the preamble?
VI. Regulatory Analysis
This regulatory impact analysis (RIA) assesses the anticipated
impact, both in terms of costs and benefits, of the proposed rule, in
accordance with Executive Order 12866. This analysis also includes an
assessment of the impact on small entities pursuant to the Regulatory
Flexibility Act (RFA), reporting and recordkeeping burdens under the
Paperwork Reduction Act (PRA); and an assessment as required by the
Unfunded Mandates Reform Act of 1995 (UMRA).\178\
---------------------------------------------------------------------------
\178\ The U.S. Bureau of Economic Analysis reports the annual
value of the gross domestic product (GDP) deflator in 1995 (the year
in which UMRA was enacted) as 71.823, and as 118.895 in 2021. See
U.S. Bureau of Economic Analysis, Table 1.1.9. Implicit Price
Deflators for Gross Domestic Product, available at https://apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&categories=survey#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ. Thus, the
inflation adjusted estimate for $100 million is 118.895/71.823 x 100
= $166 million.
---------------------------------------------------------------------------
Regarding the proposed regulations related to BOI access, the
analysis assumes a baseline scenario of no access granted to the BOI
system maintained by FinCEN, which is the current regulatory
environment, and uses a time horizon of 10 years. The analysis
estimates that the overall quantifiable impact associated with the
proposed rule, which would affect U.S. Federal agencies including
FinCEN, as well as State, local, and Tribal agencies, foreign
requesters, certain financial institutions, and self-regulatory
organizations, would be between $108.7 million in net savings and
$840.7 million in net costs in the first year of implementation of the
rule, and then a net impact between $186.5 million in net savings and
$672.0 million in net costs on an ongoing annual basis.\179\ This
proposed rule has been determined to be a significant rule for purposes
of Executive Order 12866. Furthermore, the proposed rule would have a
significant economic impact on a substantial number of small entities.
Last, the proposed rule would result in an estimated 5-year average PRA
annual cost of $642.5 million to certain State, local, and Tribal
agencies, self-regulatory organizations, and financial
institutions. Because accessing BOI under the proposed rule is not
mandated for State, local, and Tribal governments or the private
sector, FinCEN does not assess any expenditures pursuant to UMRA.
---------------------------------------------------------------------------
\179\ All aggregate figures are approximate and not precise
estimates unless otherwise specified.
---------------------------------------------------------------------------
As FinCEN identified in the final BOI reporting rule's RIA, FinCEN
will incur costs for administering the regulation and access to
BOI.\180\ These costs include development and ongoing annual
maintenance of the beneficial ownership IT system. In particular,
developing and maintaining the methods of access to the beneficial
ownership IT system described in this NPRM has impacted FinCEN's IT
cost estimates. FinCEN estimated that the initial IT development costs
associated with the final BOI reporting rule are approximately $72
million with an additional $25.6 million per year required to maintain
the new BOI system and the underlying FinCEN IT that is needed to
support the new capabilities. These estimates do not include certain
potential additional costs, such as for IT personnel or information
verification. The final BOI reporting rule's RIA also estimated $10
million per year in FinCEN personnel costs in order to ensure
successful implementation of and compliance with the BOI reporting
requirements. Given that these costs to FinCEN are already accounted
for in the RIA of the final BOI reporting rule, these costs are not
included in the RIA. The costs to FinCEN in this RIA are in addition to
those included in the final BOI reporting rule's RIA.
---------------------------------------------------------------------------
\180\ 87 FR 59578 (Sept. 30, 2022).
---------------------------------------------------------------------------
FinCEN also considers in the RIA what costs or benefits may be
associated with the proposed rule regarding reporting companies' use of
FinCEN identifiers for entities. The final BOI reporting rule's RIA
contains a regulatory analysis that accounts for the impact associated
with obtaining, updating, and using FinCEN identifiers, including a
summary of NPRM comments related to the associated estimated costs and
benefits. Regarding entities' use of FinCEN identifiers, FinCEN
proposes to rely upon the analysis in the final BOI reporting rule's
RIA. That analysis states that the costs associated with reporting
companies' use of FinCEN identifiers are captured in that RIA's cost
estimates associated with BOI reports. This analysis is explained in
more detail in Section VI.A.ii. below.
A. Executive Orders 12866 and 13563
Executive Orders 12866 and 13563 direct agencies to assess costs
and benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, and public health and
safety effects, as well as distributive impacts and equity). Executive
Order 13563 emphasizes the importance of quantifying both costs and
benefits, reducing costs, harmonizing rules, and promoting flexibility.
FinCEN conducted an assessment of the costs and benefits of the
proposed rule, as well as the costs and benefits of available
regulatory alternatives. This proposed rule is necessary in order to
implement Section 6403 of the CTA. Consistent with the cost-benefit
analysis in Section VI.A.i. below, this proposed rule has been
designated a ``significant regulatory action'' and economically
significant under section 3(f) of Executive Order 12866. Accordingly,
the proposed rule has been reviewed by the Office of Management and
Budget (OMB).
i. Section of Proposed Rule Regarding BOI Access
a. Alternative Scenarios
FinCEN considered alternatives to the proposed rule. However, for
the reasons described within this section, FinCEN decided not to
propose these alternatives.
1. Reduce Training Burden
The first alternative would be to reduce the training requirement
for BOI authorized recipients, which includes appropriate training for
authorized recipients of BOI as well as annual training for access to
BOI. In its analysis, FinCEN assumes that each authorized recipient
that would access the BOI would be required to undergo one hour of
training per year.\181\ Here, FinCEN considers the scenario where
authorized recipients would instead be required to undergo one hour of
training every two years, in alignment with the current BSA data access
requirements. This scenario could result in savings every other year of
$108 to $172,800 per Federal agency, $76 to $5,168 per State, local,
and Tribal agency, $95 to $6,460 per SRO,\182\ $108 per foreign
requester, and $146 to $241 per financial institution. The aggregate
savings could be as much as $3.7 million to $5.2 million ($1.3 million
total for domestic agencies and SROs + $2.4 to $3.9 million for
financial institutions) every other year. This alternative scenario
could result in savings every other year of approximately $95 to $190
per small financial institution. The aggregate savings could be as much
as approximately $1.3 million to $2.7 million (($95 x 14,051 small
financial institutions = $1,334,845) and ($190 x 14,051 small financial
institutions = $2,669,690)) every other year. Given the sensitive
nature of the BOI,\183\ FinCEN believes that maintaining an annual
training requirement for BOI authorized recipients and access to BOI is
necessary to protect the security and confidentiality of the BOI.
---------------------------------------------------------------------------
\181\ The assumption of one training hour is in alignment with
the current training requirement for accessing BSA data. However,
one notable difference is that the proposed BOI training requirement
is annual, not biennial.
\182\ To calculate costs to SROs, FinCEN calculated a ratio that
applied the estimated costs to State regulators (which would have
access requirements similar to SROs) to the wage rate estimated
herein for financial institutions, since SROs are private
organizations. FinCEN requests comment on this assessment.
\183\ As noted in the preamble, the CTA establishes that BOI is
``sensitive information'' and it imposes strict confidentiality and
security restrictions on the storage, access, and use of BOI. See
CTA, Section 6402(6), (7).
---------------------------------------------------------------------------
2. Change Customer Consent Requirement
The second alternative that FinCEN considered is altering the
customer consent requirement for FIs. Under the proposed rule,
financial institutions would be required to obtain and document
customer consent once for a given customer. FinCEN considered an
alternative approach in which FinCEN would directly obtain the
reporting company's consent. Under this scenario, financial
institutions would not need to spend time and resources on the one-time
implementation costs of approximately 10 hours in year 1 to create
consent forms and processes. Using an hourly wage estimate of $95 per
hour for financial institutions, FinCEN estimates this would result in
a one-time savings per financial institution of approximately $950. To
estimate aggregate savings under this scenario, FinCEN multiplies this
value by 16,252 financial institutions resulting in a total savings of
approximately $15.4 million ($950 per institution x 16,252 financial
institutions = $15,439,400). The cost savings for small financial
institutions under this scenario would be approximately $13.3 million
($950 per institution x 14,051 small financial institutions =
$13,348,450). Though this alternative results in a savings to financial
institutions, including small entities, FinCEN believes that financial
institutions are better positioned to obtain consent--and to track
consent revocation--given their direct customer relationships and
ability to leverage existing onboarding and account
[[Page 77428]]
maintenance processes. Therefore, FinCEN decided not to propose this
alternative.
3. Impose Court Authorization Requirement on Federal Agencies
The third alternative would extend the requirement that State,
local, and Tribal law enforcement agencies provide a court
authorization with each BOI request to 202 Federal agencies. FinCEN
expects that requests submitted by State, local, and Tribal law
enforcement agencies have an additional 20 to 30 hours of burden owing
to an additional requirement that a court of competent jurisdiction,
including any officer of such a court, authorizes the agency to seek
the information in a criminal or civil investigation. Therefore, FinCEN
applies this additional 20 to 30 hours of burden per BOI request to the
estimated BOI requests submitted by Federal agencies and by State
regulators. Using FinCEN's internal BSA request data as a proxy, FinCEN
anticipates that Federal agencies could submit as many as approximately
2 million total BOI requests annually.\184\ Using an hourly wage
estimate of $108 per hour for Federal employees results in additional
aggregate annual costs between approximately $4.3 billion and $6.5
billion ((2 million Federal requests x 20 hours x $108 per hour =
$4,320,000,000) and (2 million Federal requests x 30 hours x $108 per
hour = $6,480,000,000)).
---------------------------------------------------------------------------
\184\ While FinCEN does not estimate growth of requests
throughout the 10-year time horizon of this analysis, the number of
BOI requests could increase significantly after the first years of
implementation of the BOI reporting requirements as awareness of the
ability to access and the utility of BOI increases.
---------------------------------------------------------------------------
This alternative could minimize the potential for broad or non-
specific searches by any agency not currently subject to the
requirement because of the higher initial barrier to accessing the
data. However, FinCEN believes that imposing this requirement on
authorized recipients, for whom such a requirement is not statutorily
mandated, is overly burdensome and would make it too difficult to
obtain BOI in a timely fashion for active investigations. For these
reasons, FinCEN decided not to propose this alternative.
b. Affected Entities
In order to analyze cost and benefits, the number of entities
affected by the proposed rule must first be estimated. Authorized
recipients of BOI would be affected by this proposed rulemaking if they
elect to access BOI, because they are required to meet certain criteria
in order to receive that BOI. The criteria vary depending on the type
of authorized recipient.
Federal agencies engaged in national security, intelligence, and
law enforcement activity would have access to BOI in furtherance of
such activities if they establish the appropriate protocols prescribed
for them in the proposed rule. Additionally, Treasury officers and
employees who require access to BOI to perform their official duties or
for tax administration would have access. The number of agencies that
could qualify under these categories is large and difficult to
quantify. FinCEN proposes using the number of Federal agencies that are
active entities \185\ with BSA data access \186\ as a proxy for the
number of Federal agencies that may elect to access BOI. FinCEN
believes this proxy is apt. While the criteria for access to BSA data
are somewhat different outside of the CTA context, Federal agencies
that have access to BSA data would generally also meet the criteria for
access to BOI under the CTA. FinCEN believes that Federal agencies that
have access to BSA data will most likely want access to BOI as well,
and will generally be able to access it under the parameters specified
by the proposed rule. FinCEN includes offices within the Department of
the Treasury, such as FinCEN itself,\187\ in this proxy count. As of
January 2022, 202 Federal agencies and agency subcomponents are active
entities with BSA data access.
---------------------------------------------------------------------------
\185\ For purposes of this analysis, an agency has active access
to BSA data if the official duties of any agency employee or
contractor includes authorized access to the FinCEN Query system, a
web-based application that provides access to BSA reports maintained
by FinCEN.
\186\ For purposes of this analysis, BSA data consists of all of
the reports submitted to FinCEN by financial institutions and
individuals pursuant to obligations that currently arise under the
BSA, 31 U.S.C. 5311 et seq., and its implementing regulations. These
include reports of cash transactions over $10,000, reports of
suspicious transactions by persons obtaining services from financial
institutions, reports of the transportation of currency and other
monetary instruments in amounts over $10,000 into or out of the
United States, and reports of U.S. persons' foreign financial
accounts. In fiscal year 2019, more than 20 million BSA reports were
filed. See Financial Crimes Enforcement Network, ``What is the BSA
data?,'' available at https://www.fincen.gov/what-bsa-data.
\187\ In addition to incurring costs as an authorized recipient
of BOI, FinCEN expects to incur costs from administering data to
other authorized recipients.
---------------------------------------------------------------------------
State, local, and Tribal law enforcement agencies would have access
to BOI for use in criminal and civil investigations if they follow the
process prescribed for them in the proposed rule. FinCEN proposes using
the number of State and local law enforcement agencies that are active
entities with BSA data access as a proxy for the number of State,
local, and Tribal law enforcement agencies that may access BOI, for the
reasons discussed in the Federal agency context. As of January 2022,
153 State and local law enforcement agencies and agency subcomponents
are active entities with access to BSA data.\188\ The process that the
proposed rule sets forth involves these agencies obtaining a court
authorization for each BOI request. Courts of competent jurisdiction
that would issue such authorizations may therefore also be affected by
the proposed rule; FinCEN has not estimated the burden that may be
imposed on such entities, but is interested in comments on the subject.
---------------------------------------------------------------------------
\188\ No Tribal law enforcement agencies currently have access
to BSA data through the FinCEN Query system. FinCEN requests comment
on how many Tribal law enforcement agencies may access BOI.
---------------------------------------------------------------------------
Foreign government entities, such as law enforcement, prosecutors,
judges or other competent or central authorities, would potentially be
able to access BOI after submitting a request as described in the
proposed rule. FinCEN does not estimate the number of different foreign
requesters that may request BOI, but instead estimates a range of the
total number of annual requests for BOI that FinCEN may receive from
all foreign requesters. FinCEN requests comment on this proposal and
the estimate of foreign requests. The proposed rule requires that
foreign requests be made through an intermediary Federal agency.
Therefore, Federal agencies would also be affected by foreign requests.
The six Federal functional regulators that supervise financial
institutions with CDD obligations--the FRB, the OCC, the FDIC, the
NCUA, the SEC, and the CFTC--may access BOI for purposes of supervising
a financial institution's compliance with those obligations.
Additionally, other appropriate regulatory agencies may access BOI
under the proposed rule. FinCEN proposes primarily using the number of
regulators that both supervise entities with requirements under
FinCEN's CDD Rule and are active entities with access to BSA data as a
proxy for the number of regulatory agencies that may access BOI. As of
January 2022, 62 regulatory agencies satisfy both criteria.\189\ FinCEN
adds two self-regulatory organizations (SROs) to this count, which
totals to 64 regulatory agencies. Although SROs are
[[Page 77429]]
not government agencies and they would not have direct access to the
beneficial ownership IT system under the proposed rule, they may
receive BOI through re-disclosure and would be subject to the same
security and confidentiality requirements as other regulatory agencies
under the proposed rule.
---------------------------------------------------------------------------
\189\ This includes the six Federal functional regulators. The
remaining 56 entities are State regulators that supervise banks,
securities dealers, and other entities that currently have CDD
obligations under FinCEN regulations. FinCEN did not include State
regulatory agencies that have active access to BSA data but do not
regulate entities with FinCEN CDD obligations, such as State gaming
authorities or State tax authorities.
---------------------------------------------------------------------------
Financial institutions with CDD requirements under applicable law
would be able to access BOI with the consent of the reporting company.
Assuming that all financial institutions that are subject to FinCEN's
CDD Rule would access BOI, FinCEN estimates the number of affected
financial institutions in Table 1.
Table 1--Affected Financial Institutions
[GRAPHIC] [TIFF OMITTED] TP16DE22.020
Totaling these estimates results in 16,252 financial institutions
that may access BOI pursuant to the proposed rule. Of these financial
institutions, 14,051 are small entities. To identify whether a
financial institution is small, FinCEN uses the Small Business
Administration's (SBA) latest annual size standards for small entities
in a given industry.\190\ FinCEN also uses the U.S. Census Bureau's
publicly available 2017 Statistics of U.S. Businesses survey data
(Census survey data).\191\ FinCEN applies SBA size standards to the
corresponding industry's receipts in the 2017 Census survey data and
determines what proportion of a given industry is deemed small, on
average.\192\ \193\ FinCEN considers a
[[Page 77430]]
financial institution to be small if it has total annual receipts less
than the annual SBA small entity size standard for the financial
institution's industry. FinCEN applies these estimated proportions to
FinCEN's current financial institution counts for brokers or dealers in
securities, mutual funds, and futures commission merchants and
introducing brokers in commodities to determine the proportion of
current small financial institutions in those industries. Using this
methodology and data from the FFIEC and the NCUA, approximately 14,051
small financial institutions could be affected by the proposed rule, as
summarized in Table 1.
---------------------------------------------------------------------------
\190\ The SBA currently defines small entity size standards for
affected financial institutions as follows: less than $750 million
in total assets for commercial banks, savings institutions, and
credit unions; less than $41.5 million in total assets for trust
companies; less than $41.5 million in annual receipts for broker-
dealers; less than $41.5 million in annual receipts for portfolio
management; less than $35 million in annual receipts for open-end
investment funds; and less than $41.5 million in annual receipts for
futures commission merchants and introducing brokers in commodities.
See U.S. Small Business Administration's Table of Size Standards,
https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.
\191\ See U.S. Census Bureau, U.S. & states, NAICS, detailed
employment sizes (U.S., 6-digit and states, NAICS sectors) (2017),
available at https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html. The Census survey documents the number of firms
and establishments, employment numbers, and annual payroll by State,
industry, and enterprise every year. Receipts data, which FinCEN
uses as a proxy for revenues, is available only once every five
years, with 2017 being the most recent survey year with receipt
data.
\192\ FinCEN does not apply population proportions to banks or
credit unions. Because data accessed through FFIEC and NCUA Call
Report data provides information about asset size for banks, trusts,
savings and loans, credit unions, etc., FinCEN is able to directly
determine how many banks and credit unions are small by SBA size
standards. Because the Call Report data does not include
institutions that are not insured, are insured under non-FDIC
deposit insurance regimes, or that do not have a Federal financial
regulator, FinCEN assumes that all such entities listed in the
FDIC's Research Information System data are small, unless they are
controlled by a holding company that does not meet the SBA's
definition of a small entity, and includes them in the count of
small banks.
\193\ Consistent with the SBA's General Principles of
Affiliation, 13 CFR 121.103(a), FinCEN aggregates the assets of
affiliated financial institutions using FFIEC financial data
reported by bank holding companies on forms Y-9C, Y-9LP, and Y-9SP
(available at https://www.ffiec.gov/npw/FinancialReport/FinancialDataDownload) and ownership data (available at https://www.ffiec.gov/npw/FinancialReport/DataDownload) when determining if
an institution should be classified as small. FinCEN uses four
quarters of data reported by holding companies, banks, and credit
unions because a ``financial institution's assets are determined by
averaging the assets reported on its four quarterly financial
statements for the preceding year.'' See U.S. Small Business
Administration's Table of Size Standards, p. 44 n.8, https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf. FinCEN recognizes that using SBA size standards to identify
small credit unions differs from the size standards applied by the
NCUA. However, for consistency in this analysis, FinCEN applies the
SBA-defined size standards.
---------------------------------------------------------------------------
Table 2 summarizes the counts of entities by category that would
have access to BOI data.
Table 2--Affected Entities
[GRAPHIC] [TIFF OMITTED] TP16DE22.021
As evidenced in Table 2, FinCEN anticipates that as many as 16,671
different domestic agencies and financial institutions could elect to
access BOI. Of these, FinCEN believes the only entity category that
would have small entities affected is financial institutions.\194\
---------------------------------------------------------------------------
\194\ FinCEN considered whether other entities would be
considered small entities pursuant to the Regulatory Flexibility
Act. The Regulatory Flexibility Act's definition of a small
governmental jurisdiction is a government of a city, county, town,
township, village, school district, or special district with a
population of less than 50,000. While State, local, and Tribal
government agencies may be affected by the proposed rule, FinCEN
does not believe that government agencies of jurisdictions with a
population of less than 50,000 would be included in such agencies.
However, FinCEN requests comment on this assumption.
---------------------------------------------------------------------------
c. Potential Costs and Benefits
Ideally, a cost-benefit analysis would identify and monetize, with
certainty, all costs and benefits of a regulation; this would enable
policymakers to evaluate different regulatory options by comparing
dollar amounts of costs and benefits, and pursuing those options with
the greatest net benefits. However, regulatory impact analyses often
include both cost and benefit components that cannot be expressed in
monetary units with any degree of certainty. As explained by OMB in
relevant cost-benefit guidance, simple cost-benefit comparisons can be
misleading when the analysis cannot express important benefits and
costs in dollar terms ``because the calculation of net benefits in such
cases does not provide a full evaluation of all relevant benefits and
costs.'' \195\ FinCEN follows OMB's recommendation in such instances
and provides an evaluation of non-quantifiable benefits and costs in
addition to quantified benefits and costs.
---------------------------------------------------------------------------
\195\ Office of Management and Budget, Circular A-4:10 (Sept.
17, 2003), available at https://obamawhitehouse.archives.gov/omb/circulars_a004_a-4.
---------------------------------------------------------------------------
This RIA estimates costs to the authorized recipients for following
the proposed rule's security and confidentiality requirements, costs to
FinCEN for administering access to BOI, and benefits that authorized
recipients would gain from accessing BOI. The quantified estimates
provided in this RIA include a range of possible costs and benefits for
each type of authorized recipient. The quantified benefits are limited
to cost savings that agencies may obtain through accessing BOI; there
are other, non-quantified benefits that would also be included in the
agencies' decision to request BOI. For the purposes of estimating the
overall impact of the proposed rule, FinCEN assumes that Federal,
State, or local agencies that access BOI would do so only if the
quantified and non-quantified benefits at least equal the costs, since
these entities would obtain access to BOI only if they voluntarily
request it. Therefore, FinCEN expects that in reality the minimum net
impact to these entities would be zero, meaning that the costs equal
the benefits. However, because many of the benefits to
[[Page 77431]]
such agencies are not quantifiable, FinCEN presents in the analysis an
impact estimate that incorporates the range of quantified costs and
benefits that FinCEN expects based in part on outreach to agencies that
are authorized recipients of BOI.
FinCEN does not attempt to estimate a dollar value of benefits that
will accrue to financial institutions, State regulators or SROs as a
result of the proposed rule. In order to estimate financial
institutions' benefits, it would be necessary to know how access to BOI
under the proposed rule would apply to CDD obligations, which will not
be known until FinCEN revises the 2016 CDD Rule, as the CTA requires.
FinCEN estimates a dollar value of benefits that would accrue to
Federal financial regulatory agencies on the assumption that these
agencies would access BOI for law enforcement activity.\196\ However,
FinCEN does not estimate a dollar value of benefits accruing to State
regulators and SROs because FinCEN assumes that their primary use of
BOI would be for examinations of financial institutions for compliance
with CDD requirements, rather than for law enforcement activity. In
addition, FinCEN assumes that no quantifiable benefits will accrue to
FinCEN itself as a result of administering BOI access.
---------------------------------------------------------------------------
\196\ See 31 U.S.C. 5336(c)(2)(B)(i)(I).
---------------------------------------------------------------------------
The costs in the first and subsequent years are distributed
unevenly among the different types of Federal, State, and local
agencies. The estimated average year 1 net impact per Federal agency is
between $8,967,600 in costs and $2,157,165 in savings,\197\ per State
regulator is between $1,995 and $0.5 million in costs, per State, local
and Tribal law enforcement agency is between $52,977,200 in costs and
$1,516,485 in savings,\198\ per SRO is between $2,494 and $0.6 million
in costs, and per financial institution is between $12,206 and $17,695
in costs. From year 2 and onward, the estimated average annual net
impact per Federal agency is between $8,867,600 in costs and $2,158,785
in savings,\199\ per State regulator is between $855 and $0.4 million
in costs, per State, local and Tribal law enforcement agency is between
$52,877,200 in costs and $1,517,625 in savings,\200\ per SRO is between
$1,069 and $0.5 million in costs, and per financial institution is
between $7,456 and $9,145 in costs. Overall, FinCEN estimates the
potential overall impact associated with the proposed rule would be
between $108.7 million in net savings and $840.7 million in net costs
in the first year of implementation of the rule, and then from $186.5
million in net savings to $672.0 million in net costs on an ongoing
annual basis.\201\ These estimates, along with any non-quantifiable
costs and benefits, are described in further detail within this
section.\202\
---------------------------------------------------------------------------
\197\ The maximum estimated costs in Year 1 are $9 million per
Federal agency, and the minimum estimated benefits in Year 1 per
Federal agency are $32,400, so the maximum net cost per Federal
agency is $8,967,600 ($9,000,000-$32,400). The maximum estimated
benefits in Year 1 per Federal agency are $2,160,000, and the
minimum estimated costs in Year 1 per Federal agency are $2,835, so
the maximum estimated net benefit per Federal agency is $2,157,165
($2,160,000-$2,835).
\198\ The maximum estimated costs in Year 1 are $53 million per
State, local, and Tribal law enforcement agency, and the minimum
estimated benefits in Year 1 are $22,800 per State, local and Tribal
law enforcement agency, so the maximum net cost per State, local, and
Tribal law enforcement agency is $52,977,200 ($53,000,000-$22,800).
The maximum estimated benefits in Year 1 per State, local, and
Tribal law enforcement agency are $1,520,000, and the minimum
estimated cost per State, local, and Tribal law enforcement agency
is $3,515, so the maximum estimated net benefit in Year 1 per State,
local, and Tribal law enforcement agency is $1,516,485 ($1,520,000-
$3,515).
\199\ The maximum estimated costs in year 2 and onward are $8.9
million per Federal agency, and the minimum estimated benefits in
year 2 and onward are $32,400 per Federal agency, so the maximum
estimated net costs are $8,867,600 ($8,900,000-$32,400). The maximum
estimated benefits in year 2 and onward per Federal agency are
$2,160,000, and the minimum estimated cost per Federal agency is
$1,215, so the maximum estimated net benefits per Federal agency are
$2,158,785 ($2,160,000-$1,215).
\200\ The maximum estimated costs in year 2 and onward are $52.9
million per State, local, and Tribal law enforcement agency, and the
minimum estimated benefits in year 2 and onward per State, local, and
Tribal law enforcement agency are $22,800, so the maximum estimated
net costs in years 2 and onward per State, local, and Tribal law
enforcement agency are $52,877,200 ($52,900,000-$22,800). The
maximum estimated benefits in years 2 and onward per State, local,
and Tribal law enforcement agency are $1,520,000, and the minimum
estimated costs in years 2 and onward per State, local, and Tribal
law enforcement agency are $2,375, so the maximum estimated net
benefits in years 2 and onward per State, local, and Tribal law
enforcement agency are $1,517,625 ($1,520,000-$2,375).
\201\ Both here and throughout the analysis, FinCEN estimates a
range of both costs and benefits. These ranges reflect heterogeneity
across agencies and financial institutions in terms of requirements
to access BOI, entity size, resources, existing IT infrastructure,
and investigative caseload, among other factors. FinCEN does not
know exactly what every authorized recipient's unique costs and
benefits would be and instead provides ranges of the expected
minimum and maximum. FinCEN believes that providing ranges with
minimums and maximums, rather than a point estimate, such as the
median, throughout this analysis is more appropriate given the
number of factors that could contribute to the actual cost or
benefits an authorized recipient incurs due to the proposed rule.
\202\ Throughout the analysis, FinCEN rounds each step of the
calculation to the nearest whole dollar value for smaller estimates
and to the first significant figure after the decimal for larger
estimates (in the hundreds of thousands, millions, and billions).
Performing a sensitivity analysis where rounding is only performed
in the final step of the whole impact calculation confirms that
FinCEN's rounding method produces a difference of less than 0.7
percent in the magnitude of FinCEN's estimates, which FinCEN does
not consider to be sufficient to affect its analysis or conclusions
regarding the impact of the proposed rule.
---------------------------------------------------------------------------
In the analysis, FinCEN uses an estimated compensation rate of
approximately $108 per hour for Federal agencies and foreign
requesters, approximately $76 per hour for State, local, and Tribal
agencies, and approximately $95 per hour for financial institutions.
This is based on occupational wage data from the U.S. Bureau of Labor
Statistics (BLS).\203\ The most recent occupational wage data from the
BLS corresponds to May 2021, released in May 2022. To obtain these
three wage rates, FinCEN calculated the average reported hourly wages
of six specific occupation codes assessed to be likely authorized
recipients at Federal agencies, State, local, and Tribal agencies, and
financial institutions.\204\ \205\ Included financial industries were
identified at the most granular North American Industry Classification
System (NAICS) code available and are the types of financial
institutions that are subject to regulation under the BSA, even if
these financial institutions are not entities that are affected by the
proposed rule, including: banks (as defined in 31 CFR 1010.100(d));
casinos; money service businesses; broker-dealers; mutual funds;
insurance companies; futures commission merchants and introducing
brokers in commodities; dealers in precious metals, precious stones, or
jewels; operators of credit card systems; and loan or finance
companies. This results in a Federal agency hourly wage estimate of
$66.78; a State, local, and Tribal agency hourly wage estimate of
[[Page 77432]]
$46.70; \206\ and a financial institution hourly wage estimate of
$67.23. Multiplying these hourly wage estimates by their corresponding
benefits factor (1.62 \207\ for government agencies and 1.42 \208\ for
private industry) produces fully loaded hourly compensation amounts
of approximately $108 for Federal agencies, $76 for State, local, and
Tribal agencies, and $95 per hour for financial institutions. These
wage estimates are summarized in Table 3:
---------------------------------------------------------------------------
\203\ See U.S. Bureau of Labor Statistics, National Occupational
Employment and Wage Estimates (May 2021), available at https://www.bls.gov/oes/current/oessrci.htm.
\204\ To estimate government hourly wages, FinCEN modifies the
burden analysis in FinCEN's publication ``Renewal without Change of
Anti-Money Laundering Programs for Certain Financial Institutions.''
See 85 FR 49418 (Aug. 13, 2020). Specifically, FinCEN uses hourly
wage data from the following six occupations to estimate an average
hourly government employee wage: chief executives (i.e., agency
heads), first-line supervisors of law enforcement workers, law
enforcement workers, financial examiners, lawyers and judicial
clerks, and computer and information systems managers.
\205\ FinCEN uses hourly wage data for the following occupations
to estimate an average hourly financial institution employee wage:
chief executives, financial managers, compliance officers, and
financial clerks. FinCEN also includes the hourly wages for lawyers
and judicial clerks, as well as for computer and information systems
managers.
\206\ To estimate a single hourly wage estimate for State,
local, and Tribal agencies, FinCEN calculated an average of the May
2021 mean hourly wage estimates for State government agencies and
for local government agencies (($46.02 + $47.37)/2 = $46.70), as
wages are available for both of these types of government workers in
the BLS occupational wage data. BLS data does not include an
estimate for Tribal government workers and thus FinCEN does not
include a Tribal government worker wage estimate in this average.
FinCEN welcomes comment on how to obtain wage estimates for Tribal
government workers.
\207\ The ratio between benefits and wages for State and local
government workers is $21.15 (hourly benefits)/$34.32 (hourly wages)
= 0.62, as of March 2022. The benefit factor is 1 plus the benefit/
wages ratio, or 1.62. See U.S. Bureau of Labor Statistics, Employer
Costs for Employee Compensation Historical Listing, available at
https://www.bls.gov/web/ecec/ececqrtn.pdf. The State and local
government workers series data for March 2022 is available at
https://www.bls.gov/web/ecec/ecec-government-dataset.xlsx. FinCEN
applies the same benefits factor to Federal workers.
\208\ The ratio between benefits and wages for private industry
workers is $11.42 (hourly benefits)/$27.19 (hourly wages) = 0.42, as
of March 2022. The benefit factor is 1 plus the benefit/wages ratio,
or 1.42. See U.S. Bureau of Labor Statistics, Employer Costs for
Employee Compensation: Private industry dataset (March 2022),
available at https://www.bls.gov/web/ecec/ecec-private-dataset.xlsx.
---------------------------------------------------------------------------
Table 3--Fully Loaded Wage Estimates
[GRAPHIC] [TIFF OMITTED] TP16DE22.022
1. Costs
Each of the affected entities would have costs associated with the
proposed rule if it elects to access FinCEN's BOI database. The costs
would vary based on the access procedures for the authorized
recipients.\209\ The proposed rule would require different access
procedures for domestic agencies, foreign requesters, and financial
institutions. FinCEN would also incur costs for administering access to
authorized recipients.
---------------------------------------------------------------------------
\209\ The costs would also vary by institution size and
investigation caseload, but for simplicity, FinCEN estimates an
average impact by category of authorized recipient throughout the
analysis.
---------------------------------------------------------------------------
A. Domestic Agencies
Domestic agencies must meet multiple requirements to receive BOI.
Whether the costs of these requirements would be one-time, ongoing, or
recurring, and whether the costs accrue on a per-recipient or per-
request basis varies from requirement to requirement. Additionally,
some requirements are administrative and involve the creation of
documents, while others involve IT. To estimate the costs for meeting
these requirements, FinCEN consulted with multiple Federal agencies and
utilized statistics regarding active entities with BSA data access.
Requirements are summarized in Table 4, which is followed by more
detailed analysis. Costs associated with each requirement are
summarized in Table 5, at the end of this section.
[[Page 77433]]
Table 4--Requirements for Domestic Agencies 1
[GRAPHIC] [TIFF OMITTED] TP16DE22.023
Enter into an agreement with FinCEN and establish standards and
procedures. For requirement #1, FinCEN assumes that domestic agencies
would incur costs during the first year of implementation. FinCEN
received the following feedback from different agencies on the amount
of time needed for these requirements. Agencies described the types of
activities expected to meet these requirements in their responses, but
the feedback applies to estimated burden for requirement #1:
• Approximately 15 to 20 hours to formalize policies and
procedures.
• Approximately 40 hours to review, analyze and implement
any unique standards and procedures of FinCEN's database into the
agency's current secure systems.
• Approximately 300 hours to draft and shepherd standards
and procedures.
Therefore, in alignment with the feedback FinCEN received during
outreach efforts, FinCEN assumes it would take a domestic agency, on
average, between 15 and 300 business hours to complete this one-time
task. Using an hourly wage estimate of $108 per hour for Federal
agencies results in a one-time cost between approximately $1,620 and
$32,400 per Federal agency ((15 hours x $108 per hour = $1,620) and
(300 hours x $108 per hour = $32,400)). Using an hourly wage estimate
of $76 per hour for State, local, and Tribal agencies results in a one-
time cost between approximately $1,140 and $22,800 per State, local,
and Tribal agency ((15 hours x $76 per hour = $1,140) and (300 hours x
$76 per hour = $22,800)). To estimate aggregate costs, FinCEN
multiplies these ranges by 208 total Federal agencies \210\ and 209
State, local, and Tribal agencies,\211\ resulting in a total one-time
cost between approximately $0.6 million and $11.5 million ((208 Federal
agencies x $1,620 per Federal agency + 209 State, local, and Tribal
agencies x $1,140 per State, local, and Tribal agency = $575,220) and
(208 Federal agencies x $32,400 per Federal agency + 209 State, local,
and Tribal agencies x $22,800 per State, local, and Tribal agency =
$11,504,400)).
---------------------------------------------------------------------------
\210\ This is derived from 202 Federal law enforcement, national
security and intelligence agencies and agency subcomponents plus six
Federal regulators.
\211\ This is derived from 153 State and local law enforcement
agencies plus 56 State regulators that supervise entities with CDD
obligations.
---------------------------------------------------------------------------
Establish and maintain a secure system to store BOI. The cost of
requirement #2 would vary depending on the existing IT infrastructure
of the domestic agency. Some agencies may be able to build upon
existing systems that generally meet the security and confidentiality
requirements. Other agencies may need to create new systems. FinCEN
received the following feedback from outreach on this subject.
[[Page 77434]]
Agencies described the types of activities expected to meet these
requirements in their responses, but the feedback applies to estimated
burden for requirement #2:
• Approximately 60 hours to establish a secure system for
BOI, based on the method of access. That agency further suggested that
maintaining the secure storage system would require a periodic review
of about 4 hours to assure system integrity.
• Approximately 300 hours to incorporate BOI into existing
information systems. Once the system is established, maintenance would
be a minimal additional ongoing cost.
• Approximately no cost, assuming that the BOI would be
accessed similarly to BSA data (i.e., in a web-based system maintained
by FinCEN). This was the conclusion of multiple agencies. One agency
further noted that this overall process would have little to no
financial impact on the agency, as FinCEN would establish the web-based
portal, maintain the secure storage system of the data, and develop
mechanisms to safeguard the information contained therein from
unauthorized access.
Consistent with feedback from agencies, FinCEN expects that certain
agencies (in particular, Federal agencies) would bear de minimis IT
costs because Federal agencies already have secure systems and networks
in place as well as sufficient storage capacity in accordance with
Federal Information Security Management Act (FISMA) standards.\212\
Therefore, FinCEN assumes a range of burden for requirement #2 in year
1 of de minimis to 300 hours, and an ongoing burden of de minimis to 4
hours.
---------------------------------------------------------------------------
\212\ Under FISMA, Federal agencies need to provide information
security protections commensurate with the risk and magnitude of the
harm resulting from unauthorized access, use, disclosure,
disruption, modification, or destruction of information collected or
maintained by an agency. Federal agencies also need to comply with
the information security standards and guidelines developed by NIST.
44 U.S.C. 3553.
---------------------------------------------------------------------------
Using an hourly wage estimate of $108 per hour for Federal agencies
results in an initial cost between approximately de minimis costs and
$32,400 (300 hours x $108 per hour = $32,400), and $432 annually
thereafter (4 hours x $108 per hour = $432) per Federal agency. Using
an hourly wage estimate of $76 per hour for State, local, and Tribal
agencies results in an initial cost between approximately de minimis
costs and $22,800 (300 hours x $76 per hour = $22,800), and $304
annually thereafter (4 hours x $76 per hour = $304) per State, local,
and Tribal agency. To estimate aggregate costs, FinCEN multiplies these
ranges by 208 total Federal agencies, and 209 State, local, and Tribal
agencies, resulting in a total year 1 cost between approximately de
minimis and $11.5 million (208 Federal agencies x $32,400 per Federal
agency + 209 State, local, and Tribal agencies x $22,800 per State,
local, and Tribal agency = $11,504,400). The ongoing annual cost would
be between approximately de minimis and $0.2 million (208 Federal
agencies x $432 per Federal agency + 209 State, local, and Tribal
agencies x $304 per State, local, and Tribal agency = $153,392).
Establish and maintain an auditable system of standardized records
for requests. As with requirement #2, the ongoing IT costs from
requirement #3 would vary depending on the existing IT infrastructure
of the domestic agency. FinCEN received the following feedback from
outreach on this subject. Agencies described the types of activities
expected to meet these requirements in their responses, but the
feedback applies to estimated burden for requirement #3:
• Approximately 60 hours would be required to establish a
storage system for record requests that is in compliance with both
FinCEN and the agency's applicable policies and procedures. This
estimate includes a review of the agency's Memorandum of Understanding
(MOU) with FinCEN and consultation with appropriate personnel
responsible for access to and disclosure of such records. Additionally,
the agency suggested that maintenance of BOI requests would require an
estimated 20 hours on an ongoing basis.
• Approximately 200 hours would be needed to incorporate BOI
into record storage systems and minimal ongoing cost.
• Approximately no additional costs, as another agency noted
that the cost would already be included in the estimate for
establishing standards and procedures, and that if BOI is treated
similarly to BSA data, there would not be ongoing costs.
FinCEN expects that certain agencies (in particular, Federal
agencies) would bear de minimis IT costs because Federal agencies
already have secure systems and networks in place as well as sufficient
storage capacity in accordance with FISMA standards. Therefore, based
on agency feedback, FinCEN assumes a range of burden for requirement #3
in year 1 of de minimis to 200 hours, and an ongoing burden of de
minimis to 20 hours.
Using an hourly wage estimate of $108 per hour for Federal agencies
results in an initial cost between approximately de minimis costs and
$21,600 (200 hours x $108 per hour = $21,600), and $2,160 annually
thereafter (20 hours x $108 per hour = $2,160) per Federal agency.
Using an hourly wage estimate of $76 per hour for State, local, and
Tribal agencies results in an initial cost between approximately de
minimis costs and $15,200 (200 hours x $76 per hour = $15,200), and
$1,520 annually thereafter (20 hours x $76 per hour = $1,520) per
State, local, and Tribal agency. To estimate aggregate costs, FinCEN
multiplies these ranges by 208 total Federal agencies, and 209 State,
local, and Tribal agencies, resulting in a total year 1 cost between
approximately de minimis and $7.7 million (208 Federal agencies x
$21,600 per Federal agency + 209 State, local, and Tribal agencies x
$15,200 per State, local, and Tribal agency = $7,669,600). The ongoing
annual cost would be between approximately de minimis and $0.8 million
(208 Federal agencies x $2,160 per Federal agency + 209 State, local,
and Tribal agencies x $1,520 per State, local, and Tribal agency =
$766,960).
Restrict access to appropriate persons within the agency, all of
whom must undergo training. Requirement #4 notes that employees that
receive BOI access would be required to undergo training. The number of
authorized recipients that would have BOI access at a given agency
would vary. Using the active entities with access to BSA data as of
January 2022 as a proxy, and consistent with information provided by a
number of agencies, FinCEN anticipates that each Federal agency could
have anywhere between approximately 1 and 1,600 recipients of BOI data
while each State, local, and Tribal agency could have anywhere between
1 and 68 recipients of BOI.\213\
---------------------------------------------------------------------------
\213\ The range provided is an estimate of the lowest and
highest number of users for Federal agencies and for State and local
agencies respectively as of a given date in January 2022 with access
to BSA data through FinCEN's database.
---------------------------------------------------------------------------
To estimate the cost of this training, FinCEN assumes that each
employee that would access the BOI data would be required to undergo 1
hour of training per year.\214\ Using an hourly wage estimate of $108
per hour for Federal agencies results in an annual cost between
approximately $108 and $172,800 ((1 employee x 1 hour x $108 per hour =
$108) and (1,600 employees x 1 hour x $108 per hour)) per Federal
agency. Using an hourly wage estimate of $76 per hour for State, local,
and Tribal agencies results in an annual cost
[[Page 77435]]
between approximately $76 and $5,168 ((1 employee x 1 hour x $76 per
hour = $76) and (68 employees x 1 hour x $76 per hour = $5,168)) per
State, local, and Tribal agency.
---------------------------------------------------------------------------
\214\ The assumption of one training hour is in alignment with
the current training requirement for accessing BSA data. However,
one notable difference is that the proposed BOI training requirement
is annual, not biennial.
---------------------------------------------------------------------------
To estimate the aggregate annual costs, FinCEN uses aggregate user
counts of active BSA data users based on internal FinCEN data from
January 2022, which provides a more reasonable estimate of the likely
number of authorized recipients than assuming the previously estimated
ranges would apply to each domestic agency. Therefore, based on
internal data, FinCEN expects that approximately 11,000 Federal
employees and 1,800 employees of State, local, and Tribal agencies
would require annual training to access BOI data.\215\ This translates
into an aggregate annual training cost of approximately $1.3 million
(11,000 Federal employees x 1 hour x $108 per hour + 1,800 State,
local, and Tribal employees x 1 hour x $76 per hour = $1,324,800).
---------------------------------------------------------------------------
\215\ These estimates are based on the number of users that
directly access BSA data through FinCEN's internal system; there are
a limited number of other ways that users may access BSA data, which
are not accounted for here. Furthermore, FinCEN does not estimate
growth of BOI authorized recipients throughout the 10-year time
horizon of this analysis. However, FinCEN acknowledges that the
number of BOI authorized recipients could increase significantly
after the first year of implementation of the BOI reporting
requirements as awareness of the ability to access and utility of
BOI increases.
---------------------------------------------------------------------------
Conduct an annual audit and cooperate with FinCEN's annual audit;
initially and then semi-annually certify standards and procedures by
the head of the agency; annually provide a report on procedures.
Requirements #5-7 are administrative costs that a domestic agency would
incur on an annual or semi-annual basis. Specifically, they require an
agency to: (1) conduct an annual audit and cooperate with FinCEN's
annual audit; (2) certify standards and procedures by the head of the
agency semi-annually; and (3) provide an annual report on procedures to
FinCEN. Based on feedback from outreach, FinCEN assumes it would take a
given agency between 10 hours and 160 hours per year to meet these
three requirements.
FinCEN received the following feedback from domestic agencies
regarding the estimated costs of these requirements. Agencies described
the types of activities expected to meet these requirements in their
responses, but the feedback applies to estimated burden for
requirements #5-7:
• Approximately 40 hours would be needed to perform an
annual audit related to compliance of standards, procedures and storage
of data. Once acceptable and verifiable procedures are in place, annual
reporting to FinCEN would require approximately 20 hours and an annual
outlay of 30 hours to review and proceed with internal processes that
would result in the agency head's semi-annual certification. Thus, the
aggregate annual estimate of compliance burden would be approximately
120 hours (40 hours for audit + (2 x 30 hours for agency head
certification) + 20 hours for reporting).
• Approximately 100 hours to conduct an annual audit by
internal auditors, 40 hours to prepare an annual report, and 20 hours
to prepare for review and certification, totaling 160 hours.
• Approximately 0 hours to conduct an annual audit given the
assumption that FinCEN would maintain the database, and 10 to 20 hours
for the annual report and agency head review.\216\
---------------------------------------------------------------------------
\216\ This estimate assumes that FinCEN would have audit
responsibilities, and the tracking of auditable activity would be
maintained by FinCEN's system. This is similar to the current BSA
data structure. Therefore, the agency assumes that it would not
independently bear costs related to this audit function.
---------------------------------------------------------------------------
• Approximately 120 to 160 hours. One agency's liaison to
FinCEN is responsible for, among other duties, reviewing the results of
an annual audit conducted by FinCEN relating to system usage, and
ensuring personnel are in compliance with the policies and procedures
set forth by FinCEN.\217\ The liaison spends anywhere from 120 to 160
hours each year on these duties relating to BSA data. One agency
anticipates that a similar number of the liaison's hours would be
attributed to BOI, and the administrative, procedural, or legal
requirements that may come with it.
---------------------------------------------------------------------------
\217\ Additionally, the liaison disseminates protocols to
authorized personnel relating to requesting and maintaining access
to BSA data.
---------------------------------------------------------------------------
Using an hourly wage estimate of $108 per hour for Federal agencies
results in annual costs between approximately $1,080 and $17,280 per
Federal agency ((10 hours x $108 per hour = $1,080) and (160 hours x
$108 per hour = $17,280)). Using an hourly wage estimate of $76 per
hour for State, local, and Tribal agencies results in annual costs
between approximately $760 and $12,160 per State, local, and Tribal
agency ((10 hours x $76 per hour = $760) and (160 hours x $76 per hour
= $12,160)). To estimate annual aggregate costs, FinCEN multiplies
these ranges by 208 total Federal agencies and 209 State, local, and
Tribal agencies, resulting in a total annual cost between approximately
$0.4 million and $6.1 million ((208 Federal agencies x $1,080 per
Federal agency + 209 State, local, and Tribal agencies x $760 per
State, local, and Tribal agency = $383,480) and (208 Federal agencies x
$17,280 per Federal agency + 209 State, local, and Tribal agencies x
$12,160 per State, local, and Tribal agency = $6,135,680)).
Submit written certification for each request that it meets certain
agency requirements. Finally, for requirement #8, domestic agencies are
required to submit a written certification for each request for BOI.
The written certification would be in the form and manner prescribed by
FinCEN. FinCEN anticipates that this certification would be submitted
to FinCEN via an electronic form. The number of requests for BOI that
would be submitted to FinCEN by domestic agencies in any given year
would vary.
FinCEN assumes that submitting a request to FinCEN for BOI would
take one employee approximately 15 minutes, or 0.25 hours, per request.
This is based on FinCEN's experience with submitting requests for BSA
data in FinCEN Query, which similarly require a written justification
for a search request. Certification requirements vary by authorized
recipient type under the proposed rule.\218\ FinCEN expects that
requests submitted by State, local, and Tribal law enforcement agencies
would have 20 to 30 hours of burden in addition to the 0.25 hours of
burden per request owing to an additional requirement that a court of
competent jurisdiction, including any officer of such a court, issue a
court authorization for the agency to seek the information in a
criminal or civil investigation.\219\ For purposes of estimating the
cost of these additional hours of burden, FinCEN applies the hourly
wage estimate for State, local, and Tribal employees and assumes that
this cost would be incurred by the State, local or Tribal agency. In
practice, employees within the court system may also incur costs
related to this requirement. FinCEN welcomes comment on the appropriate
[[Page 77436]]
wage rate and burden for such an estimation.
---------------------------------------------------------------------------
\218\ While Federal and regulatory agencies must certify that
their request is related to specific activities, State, local, and
Tribal law enforcement agencies must certify that a court of
competent jurisdiction, including any officer of such a court, has
authorized the agency to seek the information in a criminal or civil
investigation.
\219\ FinCEN believes a 20 to 30 hour burden estimate for the
additional requirement of obtaining court authorization for a BOI
request would reflect the time needed for activities associated with
obtaining a court authorization. FinCEN requests comment on whether
this understanding is accurate.
---------------------------------------------------------------------------
Using an hourly wage estimate of $108 per hour for Federal
employees results in a per request cost of approximately $27 per
Federal agency (0.25 hours x $108 per hour = $27). Using an hourly wage
estimate of $76 per hour for State, local, and Tribal employees results
in a per request cost of approximately $19 per State and local
regulator (0.25 hours x $76 per hour = $19) and between approximately
$1,539 and $2,299 per State, local, and Tribal law enforcement agency
((20.25 hours x $76 per hour = $1,539) and (30.25 hours x $76 per hour
= $2,299)).
To estimate a per agency annual cost, FinCEN uses BSA data request
statistics from Fiscal Year 2021 as a proxy. Using these data, FinCEN
estimates that each Federal agency could submit between 1 and 323,000
requests for BOI annually while each State, local, and Tribal agency
could submit between 1 and 23,000 requests for BOI annually.\220\
Therefore, the estimated annual cost is between $27 and $8.7 million
(($27 per request x 1 request) and ($27 per request x 323,000 requests
= $8,721,000)) per Federal agency. The annual cost is between $19 and
$0.4 million (($19 per request x 1 request) and ($19 per request x
23,000 requests = $437,000)) per State and local regulator. The annual
cost is between $1,539 and $52.9 million (($1,539 per request x 1
request = $1,539) and ($2,299 per request x 23,000 requests =
$52,877,000)) per State, local, and Tribal law enforcement agency.
FinCEN acknowledges that there is burden associated with the
requirement to obtain a court authorization. As a result, State, local,
or Tribal law enforcement agencies may submit fewer requests for BOI
information than requests for BSA information, which do not impose
similar requirements. FinCEN requests comment from such authorities on
whether this requirement would make it less likely that they would
submit BOI requests, when compared with BSA requests.
---------------------------------------------------------------------------
\220\ The range is an estimate of the lowest and highest number
of BSA data requests received through FinCEN's database from Federal
agencies and for State and local agencies respectively during Fiscal
Year 2021.
---------------------------------------------------------------------------
Using FinCEN's internal BSA request data as a proxy, FinCEN
anticipates that Federal agencies could submit as many as 2 million
total BOI requests annually and that State, local, and Tribal agencies
could submit as many as 230,000 total BOI requests
annually.\221\ \222\ The internal number of BSA requests
provides a more reasonable estimate of the likely number of aggregate
requests than assuming the previously estimated ranges would apply to
each domestic agency. This translates into aggregate annual costs
between $362.4 million and $514.4 million ((2 million Federal requests
x $27 per request + 30,000 State and local regulatory requests x $19
per request + 200,000 State, local, and Tribal law enforcement requests
x $1,539 per request = $362,370,000) and (2 million Federal requests x
$27 per request + 30,000 State and local regulatory requests x $19 per
request + 200,000 State, local, and Tribal law enforcement requests x
$2,299 per request = $514,370,000)).
---------------------------------------------------------------------------
\221\ Of the 230,000 anticipated total annual State, local, and
Tribal BOI requests, approximately 30,000 are expected from State
regulators and approximately 200,000 from State, local, and Tribal
law enforcement agencies.
\222\ While FinCEN does not estimate growth of requests
throughout the 10-year time horizon of this analysis, the number of
BOI requests could increase significantly after the first years of
implementation of the BOI reporting requirements as awareness of the
ability to access and utility of BOI increases.
---------------------------------------------------------------------------
Table 5 presents the estimated costs to domestic agencies, as well
as SROs, for requirements #1-8. Table 5 includes both the per agency
cost and the aggregate costs for each requirement. The estimated
average per agency cost in year 1 is between $2,835 and $9.0 million
per Federal agency, between $1,995 and $0.5 million per State and local
regulator, between $3,515 and $53 million per State, local, and Tribal
law enforcement agency, and between $2,494 and $0.6 million per
SRO.\223\ The estimated average per agency cost each year after the
first year of implementation is between $1,215 and $8.9 million per
Federal agency, between $855 and $0.4 million per State and local
regulator, between $2,375 and $52.9 million per State, local, and
Tribal law enforcement agency, and between $1,069 and $0.5 million per
SRO. The total estimated aggregate cost to domestic agencies in year 1
is between $364.7 million and $553.1 million, and then between $364.1
million and $523.3 million each year thereafter.
---------------------------------------------------------------------------
\223\ To calculate total costs to SROs, FinCEN calculated a
ratio that applied the estimated costs to State regulators (which
would have access requirements similar to SROs) to the wage rate
estimated herein for financial institutions, since SROs are private
organizations. FinCEN requests comment on this assessment. As noted
previously, SROs would not have direct access to the beneficial
ownership IT system, but rather may receive BOI through re-
disclosure.
---------------------------------------------------------------------------
[[Page 77437]]
Table 5--Costs to Domestic Agencies
[GRAPHIC] [TIFF OMITTED] TP16DE22.024
[[Page 77438]]
[GRAPHIC] [TIFF OMITTED] TP16DE22.025
In addition to the costs listed in Table 5, Federal agencies may
incur costs related to submitting requests on behalf of foreign
requesters. These costs are
[[Page 77439]]
estimated in the next section. Federal agencies may also bear costs
related to enforcement in cases of unauthorized disclosure and use of
BOI; however, these costs have not been estimated in this analysis, as
the level of compliance with the proposed rule is unknown.
B. Foreign Requesters
Foreign requesters must meet multiple requirements to receive BOI.
FinCEN does not have an estimate of the number of foreign requesters
that may elect to request and access BOI, or which requesters would do
so under an applicable international treaty, agreement, or convention,
or through another channel available under the proposed rule, and
welcomes public comment on how to estimate this number. Foreign
requesters that request and receive BOI under an applicable
international treaty, agreement, or convention would not have certain
requirements under the proposed rule, given that such requesters would
be governed by standards and procedures under the applicable
international treaty, agreement, or convention. However, FinCEN does
not differentiate between types of foreign requesters in this analysis,
given the lack of data. Though FinCEN is unable to estimate aggregate
costs on foreign requesters at this time given the lack of data on the
number of foreign requesters that may access BOI, FinCEN provides
partial cost estimates of the requirements on a given foreign
requester. Requirements are summarized in Table 6, which is followed by
a more detailed analysis. Costs associated with each requirement are
summarized in Table 7 at the end of this section.
Table 6--Requirements for Foreign Requesters 1
[GRAPHIC] [TIFF OMITTED] TP16DE22.026
Establish standards and procedures. For requirement #1, FinCEN
assumes that foreign requesters would incur costs during the first year
of implementation. FinCEN assumes it would take a foreign requester, on
average, between one and two full business weeks (or, between 40 and 80
business hours) to establish standards and procedures. This estimate is
a FinCEN assumption based on its experience coordinating with foreign
partners. FinCEN requests comment on the accuracy of this estimate.
Using an hourly wage estimate of $108 per hour for Federal agencies,
which FinCEN assumes is a comparable hourly wage estimate for foreign
requesters, FinCEN estimates this one-time cost would be between
approximately $4,320 and $8,640 per foreign requester ((40 hours x $108
per hour) and (80 hours x $108 per hour)). Foreign requesters that
request and receive BOI under an applicable international treaty,
agreement, or convention would not have this requirement under the
proposed rule, given that such requesters would be governed by
standards and procedures under the applicable international treaty,
agreement, or convention. However, FinCEN does not differentiate
between types of foreign requesters in this analysis, given the lack of
data.
Establish a secure system to store BOI. For requirement #2, the
cost of the ongoing IT requirement would vary depending on the existing
infrastructure of the foreign requester. FinCEN believes that foreign
requesters already have secure systems and networks in place as well as
sufficient storage capacity, given their ongoing coordination with the
U.S. Government on a variety of matters, which likely adhere to
applicable data security standards. Therefore, FinCEN assumes de
minimis IT costs. FinCEN welcomes comment on this assumption. Foreign
requesters that request and receive BOI under an applicable
international treaty, agreement, or convention would not have this
requirement under the proposed rule, given that such requesters would
be governed by security standards under the applicable international
treaty, agreement, or convention. However, FinCEN does not
differentiate between types of foreign requesters in this analysis,
given the lack of data.
Restrict access to appropriate persons within the agency, which
specifies that appropriate persons will undergo training. For
requirement #3, FinCEN assumes that each foreign requester that would
access the BOI data would be required to undergo 1 hour of training per
year. Using an estimated hourly wage amount of $108, this results in an
annual training cost of approximately $108 per foreign requester.
Provide information for each request to an intermediary Federal
agency. For requirement #4, FinCEN assumes that providing information
for a BOI request to a Federal intermediary agency would take one
foreign requester approximately 45 minutes, or 0.75 hours, per request.
This estimate is based on FinCEN's assumption that a request for BOI
submitted directly by a Federal agency on its own behalf would
take approximately 15 minutes; given the additional information
required for a foreign-initiated request, FinCEN proposes tripling that
estimate for foreign requests. Using an hourly wage estimate of $108
per hour, this would result in a per request cost of approximately $81
per foreign requester (0.75 hours x $108 per hour = $81). Based on
feedback from agencies, FinCEN believes that the total number of
foreign requests could range between approximately 200 and 900 per
year.\224\ This would result in an aggregate annual cost to foreign
requesters between approximately $16,200 and $72,900 ((200 requests x
$81 per request = $16,200) and (900 requests x $81 per request =
$72,900)).
---------------------------------------------------------------------------
\224\ FinCEN recognizes that the number of BOI requests from
foreign requesters may be higher in reality, as no such U.S.
beneficial ownership IT system currently exists. The existence of a
centralized U.S. BOI source may in fact result in a higher number of
annual requests by foreign requesters. FinCEN welcomes comment on
this estimate.
---------------------------------------------------------------------------
FinCEN also assumes that Federal agencies that submit requests on
behalf of foreign requesters to FinCEN would incur additional costs;
FinCEN itself expects to incur costs from the submission of such
requests. Therefore, FinCEN estimates that BOI requests on behalf of
foreign requesters would require approximately two hours of one Federal
employee's time, resulting in a cost per request of approximately $216
(2 hours x $108 per hour). This would result in a total annual cost to
Federal agencies between approximately $43,200 and $194,400 ((200
requests x 2 hours x $108 per hour = $43,200) and (900 requests x 2
hours x $108 per hour = $194,400)).
Table 7 presents the estimated costs to foreign requesters for each
of requirements #1-4.
Table 7--Costs to Foreign Requesters
[Table image omitted in source.]
C. Financial Institutions
Financial institutions must meet multiple requirements to access
BOI. Requirements are summarized in Table 8, which is followed by a
more detailed analysis. Costs associated with each requirement are
summarized in Table 9, at the end of this section.
Table 8--Requirements for Financial Institutions
[Table image omitted in source.]
Establish administrative and physical safeguards. For requirement
#1, FinCEN assumes that financial institutions would incur costs during
the first year of implementation. FinCEN assumes it would take a
financial institution, on average, between one and two full business
weeks (or, between 40 and 80 business hours) to establish
administrative and physical safeguards. This estimate is a FinCEN
assumption based on its experience with the financial services
industry. FinCEN requests comment on the accuracy of this estimate.
Using an hourly wage estimate of $95 per hour for financial
institutions, FinCEN estimates this one-time cost would be between
approximately $3,800 and $7,600 per financial institution. To estimate
aggregate costs, FinCEN multiplies this range by 16,252 total financial
institutions resulting in a total cost between approximately $61.8
million and $123.5 million (($3,800 per institution x 16,252 financial
institutions = $61,757,600) and ($7,600 per institution x 16,252
financial institutions = $123,515,200), respectively).
Establish technical safeguards. For requirement #2, the cost of the
ongoing IT requirement would vary depending on the existing
infrastructure of the financial institution. FinCEN believes that most
financial institutions already have secure systems and networks in
place as well as sufficient storage capacity, given existing
requirements with regard to protection of customers' nonpublic personal
information.\225\ Therefore, FinCEN assumes de minimis IT costs. FinCEN
requests comment on this assumption.
---------------------------------------------------------------------------
\225\ As noted in the proposed rule, financial institutions may
have established information procedures to satisfy the requirements
of section 501 of the Gramm-Leach-Bliley Act, and applicable
regulations issued thereunder, with regard to the protection of
customers' nonpublic personal information. If a financial
institution is not subject to section 501 of the Gramm-Leach-Bliley
Act, such institutions may be required, recommended, or authorized
under applicable Federal or State law to have similar information
procedures with regard to protection of customer information.
---------------------------------------------------------------------------
Obtain and document customer consent. For requirement #3, FinCEN
assumes that financial institutions would incur costs during the first
year of implementation due to updating customer consent forms and
processes. Specifically, FinCEN assumes it would take a financial
institution, on average, approximately 10 hours in year 1 to conduct
these activities. This number is based on FinCEN's underlying
assumption that such implementation would involve relatively minimal
resources to update forms and workflows. From year 2 and onward, FinCEN
believes costs associated with obtaining and documenting customers'
consent would be negligible because consent forms and processes have
already been established and because this requirement is a one-time and
not a periodic requirement for a given customer. FinCEN requests
comments from financial institutions in particular on these
assumptions. Using an hourly wage estimate of $95 per hour for
financial institutions, FinCEN estimates this one-time cost would be
approximately $950 per financial institution. To estimate aggregate
costs, FinCEN multiplies this estimate by 16,252 total financial
institutions, resulting in a total cost of approximately $15.8 million
($950 per institution x 16,252 financial institutions = $15,439,400).
Submit written certification for each request that it meets certain
requirements. For requirement #4, the written certifications would be
submitted in the form and manner prescribed by FinCEN. FinCEN
anticipates that this certification would be submitted to FinCEN via an
electronic form. FinCEN assumes that submitting a request to FinCEN for
BOI would take one employee approximately 15 minutes, or 0.25 hours,
per request. For purposes of this analysis, FinCEN assumes a range of
approximately 5 million to 6.1 million total requests from financial
institutions per year. The minimum amount assumes that the number of
BOI requests from financial institutions each year would equal the
number of new entities that qualify as a ``reporting company'' required
to submit BOI. As estimated in the final BOI reporting rule's RIA, this
is approximately 5 million entities annually.\226\ The maximum amount
assumes that financial institutions would request BOI for each new
legal entity customer at the time of account opening, in alignment with
the 2016 CDD Rule,\227\ resulting in approximately 6.1 million
entities.\228\ For purposes of this analysis, FinCEN assumes that
financial institutions would submit BOI requests related to newly opened
legal entity customer accounts in alignment with the 2016 CDD Rule.
FinCEN requests comment, in particular from financial institutions, on
whether this range is accurate. Therefore, the estimated aggregate
annual cost of this requirement is between approximately $118.8 million
and $144.7 million ((5 million total requests x 0.25 hours per request
x $95 per hour = $118,750,000) and (6.1 million total requests x 0.25
hours per request x $95 per hour = $144,700,000), respectively). The
per institution annual cost of requirement #3 is between approximately
$7,310 and $8,904 (($118.8 million/16,252 financial institutions) and
($144.7 million/16,252 financial institutions), respectively).
---------------------------------------------------------------------------
\226\ In the final BOI reporting rule's RIA, the analysis
assumes 13.1 percent growth in new entities from 2020 through 2024,
and then a stable number of approximately 5 million new
entities each year thereafter through 2033. FinCEN included an
alternative estimate which assumed that the rate of new entities
created will grow at a rate of approximately 13.1 percent per year
from 2020 through 2033. This resulted in a new entity annual
formation estimate of 5 million in the year of the effective date of
the final BOI reporting rule which increases to approximately 5.6
million ten years after the effective date of the final BOI
reporting rule (2033). See 87 FR 59582 (Sept. 30, 2022).
\227\ The CTA requires that the 2016 CDD Rule be revised given
FinCEN's BOI reporting and access requirements. Therefore, this
estimate and assumption may change after that revision.
\228\ The 2016 CDD Rule estimated that each financial
institution with CDD requirements will open, on average, 1.5 new
legal entity accounts per business day. The rule also assumed there
are 250 business days per year, which is in alignment with the
number of business days in 2022. Therefore, FinCEN estimates that
financial institutions would need to conduct CDD requirements for a
minimum of approximately 6.1 million legal entities per year (16,252
financial institutions x 1.5 accounts per day x 250 business days
per year = 6,094,500 new legal entity accounts opened per year).
---------------------------------------------------------------------------
Undergo training. Last, requirement #5 pertains to training for
individuals that access BOI. To estimate the cost of this training,
FinCEN assumes a range of authorized recipients per financial
institution. FinCEN believes a range is appropriate given the variation
in institution size, complexity, and business models across the 16,252
financial institutions. Based on feedback from Federal agency outreach,
FinCEN assumes a minimum of one financial institution employee and a
maximum of six financial institution employees would undergo annual BOI
training. Using an hourly wage rate of $95 per hour, and assuming each
authorized recipient would need to undergo one hour of training each
year, FinCEN estimates a per institution annual training cost between
approximately $95 and $570 ((1 employee x 1 hour x $95 per hour = $95)
and (6 employees x 1 hour x $95 per hour = $570)). To estimate
aggregate costs, FinCEN uses SBA size standards and identifies
approximately 14,051 small financial institutions and 2,201 large
financial institutions (16,252 total financial institutions - 14,051
small financial institutions). Furthermore, FinCEN assumes one to two
employees per small financial institution and five to six employees per
large financial institution.\229\ This results in an estimated minimum
average hourly cost of $146 ((14,051 small institutions x 1 employee x
$95 per hour + 2,201 large institutions x 5 employees x $95 per hour)/
16,252 total financial institutions) and a maximum average hourly cost
of $241 ((14,051 small institutions x 2 employees x $95 per hour +
2,201 large institutions x 6 employees x $95 per hour)/16,252 total
financial institutions). The estimated aggregate training cost is
between approximately $2.4 million and $3.9 million per year ((14,051
small institutions x 1 employee x 1 training hour per person x $95 per
hour + 2,201 large institutions x 5 employees x 1 hour x $95 per hour =
$2,380,320) and (14,051 small institutions x 2 employees x 1 hour x $95
per hour + 2,201 large institutions x 6 employees x 1 hour x $95 per
hour = $3,924,260)).
---------------------------------------------------------------------------
\229\ FinCEN acknowledges this number could significantly vary
across financial institutions. FinCEN requests comment on these
assumptions.
---------------------------------------------------------------------------
Table 9 presents the estimated costs to financial institutions for
each of requirements #1-5. Table 9 illustrates both the financial
institution cost and the aggregate cost for each requirement. The
estimated average cost per financial institution in year 1 is between
approximately $12,206 and $17,854 and between approximately $7,456 and
$9,304 each year thereafter. The estimated aggregate costs from
requirements #1-5 for financial institutions are between approximately
$198.4 million and $290.1 million in the first year of implementation,
and then between approximately $121.2 million and $151.2 million each
year thereafter.
Table 9--Costs to Financial Institutions
[Table image omitted in source.]
D. FinCEN
In addition to the costs of accessing BOI data as a domestic
agency, FinCEN would incur costs from managing the access of other
authorized recipients. To administer BOI access, FinCEN would need to:
develop training materials and agreements with domestic agencies;
conduct ongoing outreach with authorized recipients on the access
requirements and respond to inquiries from authorized recipients;
conduct audits of authorized responsibilities; develop procedures to
review authorized recipients' standards and procedures, and requests as
needed; and potentially reject requests or suspend access if
requirements are not met. FinCEN currently administers access to the
FinCEN Query system, which involves similar considerations; therefore,
FinCEN would build on its experience to administer BOI access. FinCEN
would also incur an initial cost in setting up internal processes and
procedures for administering BOI access.\230\ FinCEN does not have a
cost estimate for these specific activities, but notes that the final
BOI reporting rule's RIA included an estimated annual personnel cost of
approximately $10 million associated with the reporting
requirements.\231\ FinCEN assumes that personnel costs associated with
the access requirements would be of a similar magnitude, and therefore
includes a $10 million annual FinCEN cost in its total cost estimates
for this proposed rule.
---------------------------------------------------------------------------
\230\ FinCEN would also develop the beneficial ownership IT
system that allows for the varying types of access. The costs
associated with developing and maintaining this IT system are
addressed in the final BOI reporting rule's RIA.
\231\ 87 FR 59578 (Sept. 30, 2022).
---------------------------------------------------------------------------
2. Benefits
The proposed rule would result in benefits for authorized
recipients. Currently, authorized recipients may obtain BOI through a
variety of means; however, the proposed rule would put in place a
system of direct and cost-saving access to the information. FinCEN has
quantitatively estimated such benefits in this analysis. However, the
proposed rule would also have non-quantifiable benefits to authorized
recipients of BOI and to society more widely. This proposed rule would
facilitate U.S. national security, intelligence, and law enforcement
activity by providing access to BOI which, as noted in the final BOI
reporting rule's RIA, would make these activities more effective and
efficient. These activities would be more effective and efficient
because the improved ownership transparency would enhance Federal
agencies' ability to investigate, prosecute, and disrupt the financing
of terrorism, other transnational security threats, and other types of
domestic and transnational financial crimes. Additionally, Treasury
would gain efficiencies in its efforts to identify the ownership of
legal entities, resulting in improved analysis, investigations, and
policy decisions on a variety of subjects. The Internal Revenue Service
could obtain access to BOI for tax administration purposes, which may
provide benefits for tax compliance. Federal regulators may also obtain
benefits by accessing BOI in civil law enforcement matters.
Similarly, the proposed rule would facilitate and make more
efficient investigations by State, local, and Tribal law enforcement
agencies. Access to BOI through FinCEN would prevent such agencies from
spending time and resources to identify BOI. Foreign requesters would
also reap similar benefits.
Financial institutions could gain access to key information,
including potentially additional beneficial owners, for their CDD
processes, and State regulatory agencies and SROs could use BOI to
supervise financial institutions' compliance with CDD requirements.
However, FinCEN is not estimating benefits related to these types of
entities at this time, given the pending revisions to the CDD Rule.
FinCEN anticipates
that the benefits to financial institutions in meeting their CDD
obligations, and the benefits to regulatory agencies in supervising
financial institutions for compliance with CDD requirements, would be
discussed in that rulemaking.
These stated benefits are in alignment with feedback FinCEN has
received from a number of agencies as part of the outreach efforts
FinCEN conducted in formulating the proposed rule. One agency noted
that BOI would serve as an additional resource to investigators because
having access to BOI would enable them to immediately identify a
subject who owns a company, which would save time conducting additional
investigations to develop subject identity information. A second agency
also stated access to BOI could save time and resources. One agency
noted that the vital data would further investigations and result in
more successful and impactful investigations. Another agency provided
similar feedback and noted that having access to BOI would
significantly enhance investigations and bolster any analytical product
that is prepared for the agency's cases; and that a central repository
of BOI would save a multitude of hours that would otherwise be spent
researching secretary of State records, conducting law enforcement
database queries, and/or conducting open-source intelligence research
to identify a company's ownership. One agency noted that the benefit
would depend upon the scope of access.
To quantify the potential benefits to various stakeholders of being
able to access BOI, FinCEN asked for input from numerous agencies about
cost savings that would result from such access; cost savings are one,
but not the sole, benefit of BOI access. One agency estimated that,
contingent upon the nature and complexity of each individual case's
specific need for BOI resources, access to BOI would save as much as
approximately 300 hours annually.\232\ Another agency suggested that,
with higher caseloads, having access to BOI could save investigations
as much as thousands of hours annually; another noted that several
hours per case would be saved by not having to search multiple
databases for company information. A fourth agency suggested that
having access to BOI could save investigations as much as 20,000 hours
annually that could be repurposed toward other tasks.
---------------------------------------------------------------------------
\232\ Per the agency's feedback, this would comprise a range
between 50 and 100 investigations utilizing BOI.
---------------------------------------------------------------------------
Therefore, based on this feedback, FinCEN assumes a potential
quantifiable benefit range of cost savings between 300 and 20,000 hours
annually, per domestic agency.\233\ \234\ This is equivalent to
a per Federal agency dollar savings between $32,400 and $2.2 million
(300 hours x $108 per hour = $32,400) and (20,000 hours x $108 per hour
= $2,160,000) and a per State, local, and Tribal agency dollar savings
between $22,800 and $1.5 million (300 hours x $76 per hour = $22,800
and 20,000 hours x $76 per hour = $1,520,000), depending on the number
and complexity of the investigations.
---------------------------------------------------------------------------
\233\ Regarding regulators, FinCEN assumes that the benefit
would relate to civil law enforcement activities rather than
examination activities.
\234\ The estimated amount of direct benefits from reduced
investigation time and resources does not account for any potential
savings to financial institutions that access BOI. Any potential
benefits to financial institutions for accessing BOI will be
accounted for in the forthcoming CDD Rule revision.
---------------------------------------------------------------------------
The minimum dollar value of the benefits of the proposed rule
implied by these assumptions in Year 1 is $10.2 million ((208 Federal
agencies x 300 hours per agency x $108 per hour) + (153 State, local,
and Tribal law enforcement agencies x 300 hours per agency x $76 per
hour) = $10,227,600). The maximum estimated aggregate annual savings is
$681.8 million ((208 Federal agencies x 20,000 hours per agency x $108
per hour) + (153 State, local, and Tribal law enforcement agencies x
20,000 hours per agency x $76 per hour) = $681,840,000). These
estimates only pertain to cost savings benefits; agencies could also
gain other benefits from accessing BOI, such as investigative law
enforcement value, that are not quantified in this analysis. Therefore,
FinCEN believes the benefits could be greater than the cost savings
estimated here.
As stated previously in the RIA, FinCEN assumes that no Federal
agency or State, local or Tribal law enforcement agency will access BOI
unless the benefits of doing so are at least equal to the costs, given
that BOI access is optional. Non-quantifiable benefits would be
included in this consideration, as well as the quantifiable benefits
estimated in the analysis. In addition to the direct benefits of saving
agencies time and money, accessing BOI would lead to other secondary
benefits, as discussed in the final BOI reporting rule's RIA.\235\ BOI
would also further the missions of the agencies to combat crime, as
well as contribute to national security, intelligence, and law
enforcement, and other activities. Therefore, the benefits to agencies
of accessing BOI would be more than saving costs, as it would lead to
more effective and efficient investigations. Enabling effective and
efficient investigations would have additional secondary benefits of
making it more difficult to launder money through shell companies and
other entities, in turn strengthening national security and enhancing
financial system transparency and integrity. Barriers to money
laundering encourage a more secure economy and more economic activity,
as businesses would have more trust in the legitimacy of new business
partners. Finally, the sharing of BOI with foreign partners, subject to
appropriate protocols consistent with the CTA, may further
transnational investigations, tax enforcement, and the identification
of national and international security threats. These secondary
benefits are not accounted for in this analysis since they are
accounted for in the final BOI reporting rule RIA. However, these
benefits cannot come to fruition without authorized recipients gaining
access to BOI, as considered in this proposed rulemaking. Therefore,
the benefits between the final BOI reporting rule and this proposed
rule are inextricably linked.
---------------------------------------------------------------------------
\235\ See 87 FR 59579-59580 (Sept. 30, 2022).
---------------------------------------------------------------------------
3. Overall Impact
Overall, FinCEN estimates the potential quantifiable impact of the
proposed rule could be between $108.7 million in net savings and $840.7
million in net costs in the first year of implementation of the rule,
and then from $186.5 million in net savings to $672.0 million in net
costs on an ongoing annual basis. Table 10 summarizes the estimated
aggregate yearly impact of the proposed rule.
Table 10--Aggregate Yearly Impact of the Proposed Rule (Dollars in millions)
[Table image omitted in source.]
The estimated, quantifiable, aggregate annual benefits of the rule,
which only reflect potential cost savings to agencies, would be
between approximately $10.2 and $681.8 million. Likewise, FinCEN
expects that the aggregate annual quantifiable costs of the rule would
be somewhere between approximately $573.1 and $850.9 million in year 1,
and between approximately $495.3 and $682.2 million each year
thereafter. FinCEN believes that, in practice, entities may choose to
access BOI only if the benefits to their operational needs, which
include cost savings and other non-quantifiable benefits, outweigh the
costs associated with the requirements for accessing BOI.
Using the maximum net cost impact estimates from Table 10 as an
upper bound of the potential impact of this proposed rule, FinCEN
determines the present value over a 10-year horizon of approximately
$5.9 billion at the three percent discount rate and approximately $4.9
billion at the seven percent discount rate.
ii. Section of Proposed Rule Regarding FinCEN Identifier Use by
Entities
The proposed rule would establish a process through which a
reporting company may report another reporting company's FinCEN
identifier and full legal name in lieu of the information otherwise
required under 31 CFR 1010.380(b)(1), subject to certain limitations.
This proposed rule would affect reporting companies that choose to
report FinCEN identifiers of another reporting company in their BOI
report. It may also affect reporting companies' decision on whether or
not to request a FinCEN identifier.
FinCEN considered whether the proposed rule would result in any
additional cost to reporting companies beyond what is estimated in the
final BOI reporting rule's RIA.\236\ FinCEN assesses that the proposed
rule is consistent with the assumption in the final BOI reporting
rule's RIA that the cost associated with using entities' FinCEN
identifiers is accounted for in the BOI report cost estimates. The
proposed rule could reduce burden for reporting companies that choose
to report another reporting company's FinCEN identifier because the
reporting company would provide fewer pieces of information on the BOI
report. However, FinCEN assesses such burden reduction is likely to be
minimal relative to the total cost of filling out and submitting the
report. Additionally, it is unknown by FinCEN how many entities may
choose to utilize the proposed rule. Therefore, FinCEN does not
estimate costs or benefits associated with the proposed rule beyond
what is separately stated in the final BOI reporting rule RIA.
Similarly, FinCEN does not include alternatives regarding this proposed
rule beyond what is included in the final BOI reporting rule RIA.
---------------------------------------------------------------------------
\236\ The final BOI reporting rule's RIA did not estimate the
number of reporting companies that will obtain FinCEN identifiers.
The mechanism for reporting companies to obtain a FinCEN identifier
will be to either check a box on its initial BOI report or submit an
updated BOI report with the box checked. Therefore, FinCEN assumed
that the cost of reporting companies obtaining FinCEN identifiers
was included in the initial BOI report cost estimates in the final
BOI reporting rule RIA. See 87 FR 59578 (Sept. 30, 2022).
---------------------------------------------------------------------------
B. Regulatory Flexibility Act
The Regulatory Flexibility Act \237\ (RFA) requires an agency
either to provide an initial regulatory flexibility analysis (IRFA)
with a proposed rule or certify that the proposed rule would not have a
significant economic impact on a substantial number of small entities.
The section of the proposed rule regarding BOI access would apply to a
substantial number of small entities. FinCEN has attempted to minimize
the burden to the greatest extent practicable, but the proposed rule
may nevertheless have a significant economic impact on small entities.
---------------------------------------------------------------------------
\237\ See 5 U.S.C. 601 et seq.
---------------------------------------------------------------------------
Accordingly, FinCEN has prepared an IRFA. FinCEN welcomes comments
on all aspects of the IRFA. A final regulatory flexibility analysis
will be conducted after consideration of comments received. The IRFA
addresses the BOI access sections of the proposed rule. With respect to
the sections of the proposed rule addressing the use of FinCEN
identifiers, FinCEN does not assess any additional costs associated
with the proposed rule beyond the costs separately considered in the
final BOI reporting rule's RIA.\238\ Therefore, FinCEN does not
consider the proposed rule's FinCEN identifier provisions in the
following RFA calculations or conclusions.
---------------------------------------------------------------------------
\238\ See 87 FR 59577-59578 (Sept. 30, 2022).
---------------------------------------------------------------------------
i. Statement of the Need for, and Objectives of, the Proposed Rule
As previously noted, the proposed rule is necessary to implement
Section 6403 of the CTA. The purpose of the proposed rule is to
implement the retention and disclosure requirements of Section 6403 and
to establish appropriate protocols to protect the security and
confidentiality of the BOI.
ii. Small Entities Affected by the Proposed Rule
To assess the number of small entities affected by the proposed
rule, FinCEN separately considered whether any small businesses, small
organizations, or small governmental jurisdictions, as defined by the
RFA, would be affected. FinCEN concludes that small businesses would be
substantially affected by the proposed rule. Each of these three
categories is discussed below within this section.
In defining ``small business,'' the RFA relies on the definition of
``small business concern'' from the Small Business Act.\239\ This
definition is based on size standards (either average annual receipts
or number of employees) matched to industries.\240\ Assuming maximum
non-mandated participation by small financial institutions, the
proposed rule would affect approximately all 14,051 small financial
institutions. All of these small financial institutions would experience a
significant economic impact in the first year of implementation, which
FinCEN believes meets the threshold for a substantial number.
Therefore, FinCEN concludes the proposed rule would have a significant
economic impact on a substantial number of small entities.
---------------------------------------------------------------------------
\239\ See 5 U.S.C. 601(3).
\240\ See U.S. Small Business Administration, Table of Small
Business Size Standards Matched to North American Industry
Classification System Codes (Jul. 14, 2022), available at https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.
---------------------------------------------------------------------------
FinCEN assumes the economic impact on an individual small entity is
significant if the total estimated impact in a given year is greater
than 1 percent of the small entity's total receipts for that year.
FinCEN estimates the cost for small financial institutions to comply
with the sections of the proposed rule addressing BOI access would be
between approximately $12,155 and $17,644 in year 1, and approximately
$7,405 and $9,094 annually in subsequent years, as indicated in Table
9.\241\ FinCEN then compares these per financial institution cost
estimates to the average total receipts for the smallest size category
for each type of financial institution from the 2017 Census survey
data, adjusted for inflation.\242\ The analysis indicates that, even
when considering the minimum year 1 impact of $12,155, the smallest
entities of all types of financial institutions would incur an economic
impact that exceeds 1 percent of receipts for that industry. Therefore,
FinCEN expects that the proposed rule would have a significant economic
impact on a substantial number of small entities.
---------------------------------------------------------------------------
\241\ The minimum and maximum costs for small entities can be
determined by using $95 (1 employee x $95 per hour) as the minimum
cost for training in Table 9 and using $190 (2 employees x $95 per
hour) as the maximum cost for training.
\242\ FinCEN inflation adjusted the 2017 Census survey data
using Implicit Price Deflators for Gross Domestic Product quarterly
data from the U.S. Bureau of Economic Analysis, available at https://apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&categories=survey#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ. FinCEN estimated
an inflation factor of approximately 1.14 (the gross domestic
product deflator in the first quarter of 2017 is 107.038, while in
the fourth quarter of 2021 it was 121.708; hence the inflation
factor is 121.708/107.038 = 1.14). FinCEN then applied this
inflation adjustment factor of 1.14 to the 1 percent of average
annual receipts in the 2017 Census survey data for each financial
industry affected by this proposed rule to estimate the latest
inflation-adjusted dollar value threshold of 1 percent of annual
receipts.
---------------------------------------------------------------------------
In defining ``small organization,'' the RFA generally defines it as
any not-for-profit enterprise that is independently owned and operated
and is not dominant in its field.\243\ FinCEN anticipates that the
proposed rule would not affect ``small organizations,'' as defined by
the RFA.
---------------------------------------------------------------------------
\243\ 5 U.S.C. 601(4).
---------------------------------------------------------------------------
The RFA generally defines ``small governmental jurisdiction[s]'' as
governments of cities, counties, towns, townships, villages, school
districts, or special districts, with a population of less than
50,000.\244\ While State, local, and Tribal government agencies may be
affected by the proposed rule, FinCEN does not believe that government
agencies of jurisdictions with a population of less than 50,000 would
be included in such agencies. Therefore, no ``small governmental
jurisdictions'' are expected to be affected.
---------------------------------------------------------------------------
\244\ 5 U.S.C. 601(5).
---------------------------------------------------------------------------
iii. Compliance Requirements
Under the proposed rule, accessing BOI is not mandatory; therefore,
the proposed rule would not impose requirements in the strictest sense.
However, the proposed rule would require those that wish to access BOI
to establish standards and procedures or safeguards, and to comply with
other requirements. In particular, financial institutions would develop
and implement administrative, technical, and physical safeguards
reasonably designed to protect the security, confidentiality, and
integrity of BOI. Financial institutions would also be required to
obtain and document customer consent, as well as maintain a record of
such consent for five years after it was last relied upon, which may
require updates to existing policies and procedures. The proposed rule
would also require those that wish to access BOI to provide a written
certification for each BOI request, in the form and manner prescribed
by FinCEN. FinCEN intends to provide additional detail regarding the
form and manner of BOI requests for all categories of authorized
recipients through specific instructions and guidance as it continues
developing the beneficial ownership IT system. To the extent required
by the PRA, FinCEN would publish for notice and comment any proposed
information collection associated with BOI requests.
Small entities affected by the proposed rule, which FinCEN assesses
to be small financial institutions, would be required to comply with
these requirements if they access BOI. FinCEN assumes that the
professional expertise needed to comply with such requirements already
exists at small financial institutions with CDD obligations.
iv. Duplicative, Overlapping, or Conflicting Federal Rules
There are no Federal rules that directly duplicate, overlap, or
conflict with the proposed rule. The proposed rule is closely related
to FinCEN's recent publication of the final BOI reporting rule.\245\
The final BOI reporting rule finalizes regulations to implement the
CTA's BOI reporting requirements, which describe who must file a
report, what information must be provided, and when a report is due. In
contrast, this NPRM proposes appropriate protocols for access to and
disclosure of BOI. The final BOI reporting rule's RIA estimated the
cost to the public of reporting and updating BOI and information
related to FinCEN identifiers. The final BOI reporting rule's RIA also
estimated the cost to FinCEN of developing and maintaining this
reporting mechanism, costs to other government agencies as a result of
reporting requirements, and the benefits of the requirements. FinCEN
has aimed to not duplicate costs and benefits covered in the final BOI
reporting rule herein.
---------------------------------------------------------------------------
\245\ See 87 FR 59498 (Sept. 30, 2022).
---------------------------------------------------------------------------
v. Significant Alternatives That Reduce Burden on Small Entities
In considering significant alternatives that would alter burdens on
small entities, FinCEN applies two of the previously described
alternative scenarios to small financial institutions.
a. Reduce Training Burden
The first alternative would be to reduce the training requirement
for BOI authorized recipients, which includes appropriate training for
authorized recipients of BOI as well as annual training for access to
the beneficial ownership IT system. In its analysis, FinCEN assumes
that each authorized recipient that would access BOI would be required
to undergo one hour of training per year.\246\ Here, FinCEN considers
the scenario where authorized recipients would instead be required to
undergo one hour of training every two years, in alignment with the
current BSA data access requirements. This scenario could result in
savings every other year of $108 to $172,800 per Federal agency, $76 to
$5,168 per State, local, and Tribal agency, $95 to $6,460 per SRO,\247\
$108 per foreign requester, and $146 to $241 per financial institution.
The aggregate savings could be as much as $3.7 million to $5.2 million
($1.3 million total for domestic agencies and SROs + $2.4 to $3.9
million for financial institutions) every other year. This alternative
scenario could result in savings every other year of approximately $95
to $190 per small financial institution. The aggregate savings could be
as much as approximately $1.3 million to $2.7 million (($95 x 14,051
small financial institutions = $1,334,845) and ($190 x 14,051 small
financial institutions = $2,669,690)) every other year. Given the
sensitive nature of the BOI data,\248\ FinCEN believes that maintaining
an annual training requirement for BOI authorized recipients and access
to the beneficial ownership IT system is necessary to protect the
security and confidentiality of the BOI.
---------------------------------------------------------------------------
\246\ The assumption of one training hour is in alignment with
the current training requirement for accessing BSA data. However,
one notable difference is that the proposed BOI training requirement
is annual, not biennial.
\247\ To calculate total costs to SROs, FinCEN calculated a
ratio that applied the estimated costs to State regulators (which
would have access requirements similar to SROs) to the wage rate
estimated herein for financial institutions, since SROs are private
organizations. FinCEN requests comment on this assessment.
\248\ As noted in the preamble, the CTA establishes that BOI is
``sensitive information'' and it imposes strict confidentiality and
security restrictions on the storage, access, and use of BOI. See
CTA, Section 6402(6), (7).
---------------------------------------------------------------------------
b. Change Customer Consent Requirement
Another alternative that FinCEN considered is altering the customer
consent requirement for financial institutions. Under the proposed
rule, financial institutions would be required to obtain and document
customer consent once for a given customer. FinCEN considered an
alternative approach in which FinCEN would directly obtain the
reporting company's consent. Under this scenario, financial
institutions would not need to spend time and resources on the one-time
implementation costs of approximately 10 hours in year 1 to create
consent forms and processes. Using an hourly wage estimate of $95 per
hour for financial institutions, FinCEN estimates this would result in
a one-time savings per financial institution of approximately $950. To
estimate aggregate savings under this scenario, FinCEN multiplies this
value by 16,252 financial institutions resulting in a total savings of
approximately $15.4 million ($950 per institution x 16,252 financial
institutions = $15,439,400). The cost savings for small financial
institutions under this scenario would be approximately $13.3 million
($950 per institution x 14,051 small financial institutions =
$13,348,450). Though this alternative results in a savings to financial
institutions, including small entities, FinCEN believes that financial
institutions are better positioned to obtain consent--and to track
consent revocation--given their direct customer relationships and
ability to leverage existing onboarding and account maintenance
processes. Therefore, FinCEN decided not to propose this alternative.
C. Paperwork Reduction Act
The reporting requirements in the proposed rule are being submitted
to OMB for review in accordance with the Paperwork Reduction Act of
1995 (PRA).\249\ Under the PRA, an agency may not conduct or sponsor,
and a person is not required to respond to, a collection of information
unless it displays a valid control number assigned by OMB. Written
comments and recommendations for the proposed information collection
can be submitted by visiting www.reginfo.gov/public/do/PRAMain. This
particular document may be found by selecting ``Currently Under
Review--Open for Public Comments'' or by using the search function.
Comments are welcome and must be received by February 14, 2023. In
accordance with requirements of the PRA, 44 U.S.C. 3506(c)(2)(A), and
its implementing regulations, 5 CFR 1320, the following information
concerns the collection of information as it relates to the proposed
rule and is presented to assist those persons wishing to comment on the
information collection.
---------------------------------------------------------------------------
\249\ See 44 U.S.C. 3506(c)(2)(A).
---------------------------------------------------------------------------
The PRA analysis included herein is for the sections of the
proposed rule relating to BOI access. It does not include the sections
of the proposed rule addressing the use of FinCEN identifiers for
entities because FinCEN does not assess any additional burden or costs
associated with the proposed rule beyond the costs and burden
separately considered in the final BOI reporting rule's PRA analysis
for BOI reports.\250\
---------------------------------------------------------------------------
\250\ See 87 FR 59589-59591 (Sept. 30, 2022).
---------------------------------------------------------------------------
Reporting and Recordkeeping Requirements: The proposed rule would
require State, local, and Tribal agencies and financial institutions
that wish to access BOI to conduct the following activities: establish
standards and procedures or safeguards and undergo annual training.
Financial institutions would also be required to obtain and document
customer consent, maintaining a record of such consent for five years
after it was last relied upon, which may require updates to existing
processes and creation of consent forms. The proposed rule would also
require State, local, and Tribal agencies and financial institutions
that wish to access
BOI to provide a written certification for each BOI request. FinCEN
intends to provide additional detail regarding the form and manner of
BOI requests for all categories of authorized users through specific
instructions and guidance as it continues developing the beneficial
ownership IT system. To the extent required by the PRA, FinCEN would
publish for notice and comment any proposed information collection
associated with BOI requests. In addition, the proposed rule would
require State, local, and Tribal agencies to establish and maintain a
secure system to store BOI, as well as an auditable system of
standardized records for requests, conduct an annual audit, certify
standards and procedures by the agency head semi-annually, and provide
an annual report on procedures, resulting in additional recordkeeping
and reporting requirements. Finally, the proposed rule would require
that SROs follow the same security and confidentiality requirements
outlined herein for State, local, and Tribal agencies, if they obtain
BOI through re-disclosure by a Federal functional regulator or
financial institution.
OMB Control Numbers: 1506-XXXX.
Frequency: As required; varies depending on the requirement.
Description of Affected Public: State, local and Tribal agencies,
SROs, and financial institutions with CDD obligations, as defined in
the proposed rule. While others, such as Federal and foreign requesters, are
able to access BOI after meeting specific requirements, FinCEN does not
include them in the PRA analysis because the regulations implementing
the PRA define ``person'' as an individual, partnership, association,
corporation (including operations of government-owned contractor-
operated facilities), business trust, or legal representative, an
organized group of individuals, a State, territorial, tribal, or local
government or branch thereof, or a political subdivision of a State,
territory, Tribal, or local government or a branch of a political
subdivision.\251\ For foreign requesters in particular, FinCEN assumes
that such requests would be made at the national level.
---------------------------------------------------------------------------
\251\ See 5 CFR 1320.3(k).
---------------------------------------------------------------------------
Estimated Number of Respondents: 16,463 entities. This total is
composed of an estimated 209 State, local, and Tribal agencies, of
which 153 are State, local, and Tribal law enforcement agencies and 56
are State regulatory agencies, 2 SROs, and 16,252 financial
institutions.\252\ While the requirements in the proposed rule are only
imposed on those that optionally access BOI, for purposes of PRA burden
analysis, FinCEN assumes maximum participation from State, local, and
Tribal agencies, SROs, and financial institutions.
---------------------------------------------------------------------------
\252\ See Table 1 for the types of financial institutions
covered by this notice.
---------------------------------------------------------------------------
Estimated Total Annual Reporting and Recordkeeping Burden: \253\
FinCEN estimates that during year 1 the annual hourly burden would be
9,289,604 hours. In year 2 and onward, FinCEN estimates that the annual
hourly burden would be 7,663,188 hours. The annual estimated burden
hours for State, local, and Tribal entities as well as SROs is
6,261,856 hours in the first year, and 6,098,120 hours in year 2 and
onward. As shown in Table 11, the hourly burden in year 1 for State,
local, and Tribal entities and SROs includes the hourly burden
associated with the following requirements in the NPRM: enter into an
agreement with FinCEN and establish standards and procedures (Action
B); establish a secure system to store BOI (Action D); establish and
maintain an auditable system of standardized records for requests
(Action E); submit written certification for each request that it meets
certain requirements (Action G); restrict access to appropriate persons
within the entity (Action H); conduct an annual audit and cooperate
with FinCEN's annual audit (Action I); obtain certification of
standards and procedures, initially and then semi-annually, by the head
of the entity (Action J); and provide annual reports on procedures
(Action K). The hourly burden in year 2 and onward for State, local,
and Tribal entities and SROs is associated with the same requirements
as year 1, with the exception of Action B because FinCEN expects this
action will result in costs for these entities in year 1 only.
---------------------------------------------------------------------------
\253\ As previously noted, this is a partial amount of the
maximum overall burden associated with the proposed rule given that
the PRA analysis does not include the potential burden on Federal
and foreign agencies. The full burden and cost are assessed in the
RIA cost analysis.
---------------------------------------------------------------------------
The annual estimated hourly burden for financial institutions is
3,027,748 hours in the first year and 1,565,068 hours in year 2 and
onward. The hourly burden for financial institutions in year 1 is
associated with the following: establish administrative and physical
safeguards (Action A); establish technical safeguards (Action C);
obtain and document customer consent (Action F); submit written
certification for each request that it meets certain requirements
(Action G); and undergo training (Action H). The hourly burden in year
2 and onward for financial institutions is associated only with the
requirements for Actions G and H because FinCEN expects the other
actions will result in costs for these entities in year 1 only.
Annual estimated burden declines in year 2 and onward because
State, local, and Tribal agencies, SROs, and financial institutions no
longer need to complete Actions A, B, and F, and have a lower hourly
burden for Action E. Table 11 lists the type of entity, the number of
entities, the hours per entity, and the total hourly burden by action.
For Actions A, B, C, D, E, F, I, J, and K, the hours per entity are the
maximum of the range estimated in the cost analysis of the RIA. For
Actions G and H, the hours per entity calculations are specified in
footnotes to Table 11. Total annual hourly burden is calculated by
multiplying the number of entities by the hours per entity for each
action. In each subsequent year after initial implementation, FinCEN
estimates that the total hourly annual burden is 7,663,188 due to
Actions A, B, and F only imposing burdens in year 1 and Actions D and E
having lower annual per entity burdens. This results in a 5-year
average burden estimate of approximately 7,988,471 hours.\254\
---------------------------------------------------------------------------
\254\ The 5-year average equals the sum of (Year 1 burden hours
of 9,289,604 + Year 2 burden hours of 7,663,188 + Year 3 burden
hours of 7,663,188 + Year 4 burden hours of 7,663,188 + Year 5
burden hours of 7,663,188) divided by 5.
---------------------------------------------------------------------------
Table 11--Annual Hourly Burden Associated With Proposed Rule
Requirements
[GRAPHIC] [TIFF OMITTED] TP16DE22.031
[GRAPHIC] [TIFF OMITTED] TP16DE22.032
Estimated Total Annual Reporting and Recordkeeping Cost: \255\ As
described in Table 3, FinCEN calculated the fully loaded hourly wage
for each type of affected entity. Using these estimated wages, the
total cost of the annual burden in year 1 would be $763,745,736. In year
2 and onward, FinCEN estimates that the total cost of the annual burden
is $612,199,760, owing to Actions A, B, and F only imposing burdens in
year 1 and Actions D and E having lower annual per entity burdens. The
annual estimated cost for State, local, and Tribal agencies and SROs is
$476,109,676 in the first year and $463,518,300 in year 2 and onward.
The annual estimated cost for financial institutions is $287,636,060 in
the first year and $148,681,460 in year 2 and
onward. The 5-year average annual cost estimate is $642,508,955.\256\
---------------------------------------------------------------------------
\255\ As previously noted, this is a partial amount of the
maximum overall cost associated with the proposed rule because the
PRA analysis does not include the potential cost to Federal and
foreign agencies. The full burden and cost of the rule are assessed
in the RIA analysis.
\256\ The 5-year average equals the sum of (Year 1 costs of
$763,745,736 + Year 2 costs of $612,199,760 + Year 3 costs of
$612,199,760 + Year 4 costs of $612,199,760 + Year 5 costs of
$612,199,760) divided by 5.
---------------------------------------------------------------------------
Table 12--Annual Cost Associated With Proposed Rule Requirements
[GRAPHIC] [TIFF OMITTED] TP16DE22.033
[GRAPHIC] [TIFF OMITTED] TP16DE22.034
D. Unfunded Mandates Reform Act
Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law
104-4 (UMRA) requires that an agency assess anticipated costs and
benefits and take certain other actions before promulgating a rule that
includes a Federal mandate that may result in expenditure by State,
local, and Tribal governments, in the aggregate, or by the private
sector, of $100 million or more in any one year, adjusted for
inflation. The proposed regulations regarding access by authorized
recipients to BOI do not include any Federal mandate for State, local,
and Tribal governments or the private sector.\257\ Similarly, the
proposed regulations that address how reporting companies would be able
to use an entity's FinCEN identifier to fulfill their obligations under
FinCEN's BOI reporting requirements do not contain a Federal mandate.
---------------------------------------------------------------------------
\257\ FinCEN expects that requirements regarding private sector
access will be clarified in the forthcoming revision of the CDD
Rule.
---------------------------------------------------------------------------
E. Questions for Comment
General Request for Comments under the Paperwork Reduction Act:
Comments submitted in response to this notice will be summarized and
included in the request for OMB approval. All comments will become a
matter of public record. Comments are invited on: (a) whether the
collection of information is necessary for the proper performance of
the functions of the agency, including whether the information shall
have practical utility; (b) the accuracy of the agency's estimate of
the burden of the collection of information; (c) ways to enhance the
quality, utility, and clarity of the information to be collected; (d)
ways to minimize the burden of the collection of information on
respondents, including through the use of technology; and (e) estimates
of capital or start-up costs and costs of operation, maintenance, and
purchase of services required to provide information.
Other Requests for Comment: In addition, FinCEN generally invites
comment on the accuracy of FinCEN's regulatory analysis. FinCEN
specifically requests comment on the following, which are mentioned in
the preceding text.
State, local, and Tribal agencies' BOI access estimates:
1. How many Tribal law enforcement agencies, and how many
authorized recipients at such agencies, may access BOI on an annual
basis?
2. What is an appropriate wage estimate for a Tribal government
worker?
3. Should the burden estimate for court authorizations include the
burden on court employees? If so, what would be the occupation code,
wage, and estimated time burden of such employees?
4. Given the requirement to obtain court authorization to access
BOI, are State, local, and Tribal agencies less likely to access BOI at
the rate by which they access BSA information? If so, what is a
reasonable estimate for the annual requests for BOI from these
agencies?
SROs' BOI access estimates:
5. Is FinCEN's assessment of costs to SROs reasonable?
Foreign requesters' BOI access estimates:
6. How many foreign requesters may access BOI on an annual basis,
and which requesters would do so under an applicable international
treaty, agreement, or convention, or through another channel available
under the proposed rule?
7. Is FinCEN's approximation that it would take a foreign
requester, on average, between one and two full business weeks (or,
between 40 and 80 business hours) to establish standards and procedures
accurate?
8. Is the assumption that foreign requesters would have a de
minimis IT cost to comply with the requirements in the proposed rule
accurate?
9. Is the annual estimate of foreign requests for BOI reasonable?
Financial institutions' BOI access estimates:
10. Is FinCEN's approximation that it would take a financial
institution, on average, between one and two full business weeks (or,
between 40 and 80 business hours) to establish administrative and
physical safeguards accurate?
11. Is the assumption that financial institutions would have a de
minimis IT cost to comply with the requirements in the proposed rule
accurate?
12. Is the burden estimate for obtaining and documenting customer
consent reasonable? If not, what would be a reasonable estimate?
13. Are the assumptions that one to two employees per small
financial institution and five to six employees per large institution
would access BOI reasonable? If not, what would be reasonable
estimates?
14. Is the estimated range of annual requests from financial
institutions reasonable?
15. Are there additional categories of burden that FinCEN should
consider in its burden estimates? If so, what are they, and what is the
estimated burden per financial institution? Conversely, if any of the
categories of burden in the estimates should not be included, identify
those and explain why.
Small entities' estimates:
16. Are FinCEN's estimates of burden on small entities accurate, as
calculated in the IRFA? If not, why, and on what basis should they be
updated? Provide specific sources and data for alternative cost
estimates for each category of burden per entity.
17. Is FinCEN's assumption that small governmental jurisdictions
are unlikely to access BOI accurate?
FinCEN identifier analysis:
18. Is FinCEN correct in assuming that the proposed rule would not
result in additional burden or cost to reporting companies beyond what
is estimated in the final BOI reporting rule's RIA?
19. How many reporting companies are likely to use entities' FinCEN
identifiers to comply with the BOI reporting requirements?
List of Subjects in 31 CFR Part 1010
Administrative practice and procedure, Aliens, Authority
delegations (Government agencies), Banks and banking, Brokers, Business
and industry, Commodity futures, Currency, Citizenship and
naturalization, Electronic filing, Federal savings associations,
Federal-States relations, Federally recognized tribes, Foreign persons,
Holding companies, Indian law, Indians, Insurance companies, Investment
advisers, Investment companies, Investigations, Law enforcement,
Penalties, Reporting and recordkeeping requirements, Small businesses,
Securities, Terrorism, Tribal government, Time.
Authority and Issuance
For the reasons set forth in the Supplementary Information, FinCEN
proposes to amend part 1010 of chapter X of title 31 of the Code of
Federal Regulations, as amended September 30, 2022, at 87 FR 59498,
effective January 1, 2024, as follows:
PART 1010--GENERAL PROVISIONS
1. The authority citation for part 1010 continues to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1959; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307;
sec. 2006, Pub. L. 114-41, 129 Stat. 458-459; sec. 701, Pub. L. 114-
74, 129 Stat. 599.
2. In Sec. 1010.380, add paragraph (b)(4)(ii)(B) to read as follows:
Sec. 1010.380 Reports of beneficial ownership information.
* * * * *
(b) * * *
(4) * * *
(ii) * * *
(B) A reporting company may report another entity's FinCEN
identifier and full legal name in lieu of the information required
under paragraph (b)(1) of this section with respect to the beneficial
owners of the reporting company only if:
(1) The entity has obtained a FinCEN identifier and provided that
FinCEN identifier to the reporting company;
(2) An individual is or may be a beneficial owner of the reporting
company by virtue of an interest in the reporting company that the
individual holds through the entity; and
(3) The beneficial owners of the entity and of the reporting
company are the same individuals.
* * * * *
4. In Sec. 1010.950, revise the section heading and paragraph (a) to
read as follows:
Sec. 1010.950 Availability of information--general.
(a) The Secretary has the discretion to disclose information
reported under this chapter, other than information reported pursuant
to Sec. 1010.380, for any reason consistent with the purposes of the
Bank Secrecy Act, including those set forth in paragraphs (b) through
(d) of this section. FinCEN may disclose information reported pursuant
to Sec. 1010.380 only as set forth in Sec. 1010.955, and paragraphs
(b) through (f) of this section shall not apply to the disclosure of
such information.
* * * * *
5. Add Sec. 1010.955 to read as follows:
Sec. 1010.955 Availability of beneficial ownership information
reported under this part.
(a) Prohibition on disclosure. Except as authorized in paragraphs
(b), (c), and (d) of this section, information reported to FinCEN
pursuant to Sec. 1010.380 is confidential and shall not be disclosed
by any individual who receives such information as--
(1) An officer, employee, contractor, or agent of the United
States;
(2) An officer, employee, contractor, or agent of any State, local,
or Tribal agency; or
(3) A director, officer, employee, contractor, or agent of any
financial institution.
(b) Disclosure of information by FinCEN--(1) Disclosure to Federal
agencies for use in furtherance of national security, intelligence, or
law enforcement activity. Upon receipt of a request from a Federal
agency engaged in national security, intelligence, or law enforcement
activity for information to be used in furtherance of such activity,
FinCEN may disclose information reported pursuant to Sec. 1010.380 to
such agency. For purposes of this section--
(i) National security activity includes activity pertaining to the
national defense or foreign relations of the United States, as well as
activity to protect against threats to the safety and security of the
United States;
(ii) Intelligence activity includes all activities conducted by
elements of the United States Intelligence Community that are
authorized pursuant to Executive Order 12333, as amended, or any
succeeding executive order; and
(iii) Law enforcement activity includes investigative and
enforcement activities relating to civil or criminal violations of law.
Such activity does not include the routine supervision or examination
of a financial institution by a Federal regulatory agency with
authority described in (b)(4)(ii)(A) of this section.
(2) Disclosure to State, local, and Tribal law enforcement agencies
for use in criminal or civil investigations. Upon receipt of a request
from a State, local, or Tribal law enforcement agency for information
to be used in a criminal or civil investigation, FinCEN may disclose
information reported pursuant to Sec. 1010.380 to such agency if a
court of competent jurisdiction has authorized the agency to seek the
information in a criminal or civil investigation. For purposes of this
section--
(i) A court of competent jurisdiction is any court with
jurisdiction over the investigation for which a State, local, or Tribal
law enforcement agency requests information under this paragraph.
(ii) A State, local, or Tribal law enforcement agency is an agency
of a State, local, or Tribal government that is authorized by law to
engage in the investigation or enforcement of civil or criminal
violations of law.
(3) Disclosure for use in furtherance of foreign national security,
intelligence, or law enforcement activity. Upon receipt of a request
from a Federal agency on behalf of a law enforcement agency,
prosecutor, or judge of another country, or on behalf of a foreign
central authority or foreign competent authority (or like designation)
under an applicable international treaty, agreement, or convention,
FinCEN may disclose information reported pursuant to Sec. 1010.380 to
such Federal agency for transmission to the foreign law enforcement
agency, prosecutor, judge, foreign central authority, or foreign
competent authority who initiated the request, provided that:
(i) The request is for assistance in a law enforcement
investigation or prosecution, or for a national security or
intelligence activity, that is authorized under the laws of the foreign
country; and
(ii) The request is:
(A) Made under an international treaty, agreement, or convention,
or;
(B) When no such treaty, agreement, or convention is available, is
an official request by a law enforcement, judicial, or prosecutorial
authority of a trusted foreign country.
(4) Disclosure to facilitate compliance with customer due diligence
requirements--(i) Financial institutions. Upon receipt of a request
from a financial institution subject to customer due diligence
requirements under applicable law for information to be used in
facilitating such compliance, FinCEN may disclose information reported
pursuant to Sec. 1010.380 to such financial institution, provided each
reporting company that reported such information consents to such
disclosure. For purposes of this section, customer due diligence
requirements under applicable law are the beneficial ownership
requirements for legal entity customers at Sec. 1010.230, as those
requirements may be amended or superseded.
(ii) Regulatory agencies. Upon receipt of a request by a Federal
functional regulator or other appropriate regulatory agency, FinCEN
shall disclose to such agency any information disclosed to a financial
institution pursuant to paragraph (b)(4)(i) of this section if the
agency--
(A) Is authorized by law to assess, supervise, enforce, or
otherwise determine the compliance of such financial institution with
customer due diligence requirements under applicable law;
(B) Will use the information solely for the purpose of conducting
the assessment, supervision, or authorized investigation or activity
described in paragraph (b)(4)(ii)(A) of this section; and
(C) Has entered into an agreement with FinCEN providing for
appropriate protocols governing the safekeeping of the information.
(5) Disclosure to officers or employees of the Department of the
Treasury. Consistent with procedures and safeguards established by the
Secretary--
(i) Information reported pursuant to Sec. 1010.380 shall be
accessible for inspection or disclosure to officers and employees of
the Department of the Treasury whose official duties the Secretary
determines require such inspection or disclosure.
(ii) Officers and employees of the Department of the Treasury may
obtain information reported pursuant to Sec. 1010.380 for tax
administration as defined in 26 U.S.C. 6103(b)(4).
(c) Use of information--(1) Use of information by authorized
recipients. Unless otherwise authorized by FinCEN, any person who
receives information disclosed by FinCEN under paragraph (b) of this
section shall use such information only for the particular purpose or
activity for which such information was disclosed. A Federal agency
that receives information pursuant to paragraph (b)(3) of this section
shall only use it to facilitate a response to a request for assistance
pursuant to that paragraph.
(2) Disclosure of information by authorized recipients. (i) Any
officer, employee, contractor, or agent of a requesting agency who
receives information disclosed by FinCEN pursuant to a request under
paragraph (b)(1) or (2) or (b)(4)(ii) of this section may disclose such
information to another officer, employee, contractor, or agent of the
same requesting agency for the particular purpose or activity for which
such information was requested, consistent with the requirements of
paragraph (d)(1)(i)(F) of this section, as applicable. Any officer,
employee, contractor, or agent of the U.S. Department of the Treasury
who receives information disclosed by FinCEN pursuant to a request
under paragraph (b)(5) of this section may disclose such information to
another Treasury officer, employee, contractor, or agent for the
particular purpose or activity for which such information was requested
consistent with internal Treasury policies, procedures, orders or
directives.
(ii) Any director, officer, employee, contractor, or agent of a
financial institution who receives information disclosed by FinCEN
pursuant to a request under paragraph (b)(4)(i) of this section may
disclose such information to another director, officer, employee,
contractor, or agent within the United States of the same financial
institution for the particular purpose or activity for which such
information was requested, consistent with the requirements of
paragraph (d)(2) of this section.
(iii) Any director, officer, employee, contractor, or agent of a
financial institution that receives information disclosed by FinCEN
pursuant to paragraph (b)(4)(i) of this section may disclose such
information to the financial institution's Federal functional
regulator, a self-regulatory organization that is registered with or
designated by a Federal functional regulator pursuant to Federal
statute, or other appropriate regulatory agency, provided that the
Federal functional regulator, self-regulatory organization, or other
appropriate regulatory agency meets the requirements identified in
paragraphs (b)(4)(ii)(A) through (C) of this section. A financial
institution may rely on a Federal functional regulator, self-regulatory
organization, or other appropriate regulatory agency's representation
that it meets the requirements.
(iv) Any officer, employee, contractor, or agent of a Federal
functional regulator that receives information disclosed by FinCEN
pursuant to paragraph (b)(4)(ii) of this section may disclose such
information to a self-regulatory organization that is registered with
or designated by the Federal functional regulator, provided that the
self-regulatory organization meets the requirements of paragraphs
(b)(4)(ii)(A) through (C) of this section.
(v) Any officer, employee, contractor, or agent of a Federal agency
that receives information from FinCEN pursuant to a request made under
paragraph (b)(3) of this section may disclose such information to the
foreign person on whose behalf the Federal agency made the request.
(vi) Any officer, employee, contractor, or agent of a Federal
agency engaged in a national security, intelligence, or law enforcement
activity, or any officer, employee, contractor, or agent of a State,
local, or Tribal law enforcement agency, may disclose information
reported pursuant to Sec. 1010.380 that it has obtained directly from
FinCEN pursuant to a request under paragraph (b)(1) or (2) of this
section to a court of competent jurisdiction or parties to a civil or
criminal proceeding.
(vii) Any officer, employee, contractor, or agent of a requesting
agency who receives information disclosed by FinCEN pursuant to a
request under paragraph (b)(1), (b)(4)(ii), or (b)(5) of this section
may disclose such information to any officer, employee, contractor, or
agent of the United States Department of Justice for purposes of making
a referral to the Department of Justice or for use in litigation
related to the activity for which the requesting agency requested the
information.
(viii) A law enforcement agency, prosecutor, judge, foreign central
authority, or foreign competent authority of another country that
receives information from a Federal agency pursuant to a request under
paragraph (b)(3)(ii)(A) of this section may disclose and use such
information consistent with the international treaty, agreement, or
convention under which the request was made.
(ix) Except as described in this paragraph (c)(2), any information
disclosed by FinCEN under paragraph (b) of this section shall not be
further disclosed to any other person for any purpose without the prior
written consent of FinCEN, or as authorized by applicable protocols or
guidance that FinCEN may issue. FinCEN may authorize persons to
disclose information obtained pursuant to paragraph (b) of this section
in furtherance of a purpose or activity described in that paragraph.
(d) Security and confidentiality requirements--(1) Security and
confidentiality requirements for domestic agencies--(i) General
requirements. To receive information under paragraph (b)(1), (2), or
(3) or (b)(4)(ii) of this section, a Federal, State, local, or Tribal
agency shall satisfy the following requirements:
(A) Agreement. The agency shall enter into an agreement with FinCEN
specifying the standards, procedures, and systems to be maintained by
the agency, and any other requirements FinCEN may specify, to protect
the security and confidentiality of such information. Agreements shall
include, at a minimum, descriptions of the information to which an
agency will have access, specific limitations on electronic access to
that information, discretionary conditions of access, requirements and
limitations related to re-disclosure, audit and inspection
requirements, and security plans outlining requirements and standards
for personnel security, physical security, and computer security.
(B) Standards and procedures. The agency shall establish standards
and procedures to protect the security and confidentiality of such
information, including procedures for training agency personnel on the
appropriate handling and safeguarding of such information. The head of
the agency, on a non-delegable basis, shall approve these standards and
procedures.
(C) Initial report and certification. The agency shall provide
FinCEN a report that describes the standards and procedures established
pursuant to paragraph (d)(1)(i)(B) of this section and that includes a
certification by the head of the agency, on a non-delegable basis, that
the standards and procedures implement the requirements of this
paragraph (d)(1).
(D) Secure system for beneficial ownership information storage. The
agency shall establish and maintain a secure system in which such
information shall be stored, that
complies with information security standards prescribed by FinCEN.
(E) Auditability. The agency shall establish and maintain a
permanent, auditable system of standardized records for requests
pursuant to paragraph (b) of this section, including, for each request,
the date of the request, the name of the individual who makes the
request, the reason for the request, any disclosure of such information
made by or to the requesting agency, and information or references to
such information sufficient to reconstruct the justification for the
request.
(F) Restrictions on personnel access to information. The agency
shall restrict access to information obtained from FinCEN pursuant to
this section to personnel--
(1) Who are directly engaged in the activity for which the
information was requested;
(2) Whose duties or responsibilities require such access;
(3) Who have received training pursuant to paragraph (d)(1)(i)(B)
of this section or have obtained the information requested directly
from persons who both received such training and received the
information directly from FinCEN;
(4) Who use appropriate identity verification mechanisms to obtain
access to the information; and
(5) Who are authorized by agreement between the agency and FinCEN
to access the information.
(G) Audit requirements. The agency shall:
(1) Conduct an annual audit to verify that information obtained
from FinCEN pursuant to this section has been accessed and used
appropriately and in accordance with the standards and procedures
established pursuant to paragraph (d)(1)(i)(B) of this section;
(2) Provide the results of that audit to FinCEN upon request; and
(3) Cooperate with FinCEN's annual audit of the adherence of
agencies to the requirements established under this paragraph to ensure
that agencies are requesting and using the information obtained under
this section appropriately, including by promptly providing any
information FinCEN requests in support of its annual audit.
(H) Semi-annual certification. The head of the agency, on a non-
delegable basis, shall certify to FinCEN semi-annually that the
agency's standards and procedures established pursuant to paragraph
(d)(1)(i)(B) of this section are in compliance with the requirements of
this paragraph (d)(1). One of the semi-annual certifications may be
included in the annual report required under paragraph (d)(1)(i)(I) of
this section.
(I) Annual report on procedures. The agency shall provide FinCEN a
report annually that describes the standards and procedures that the
agency uses to ensure the security and confidentiality of any
information received pursuant to paragraph (b) of this section.
(ii) Requirements for requests for disclosure. A Federal, State,
local, or Tribal agency that makes a request under paragraph (b)(1),
(2), or (3) or (b)(4)(ii) of this section shall satisfy the following
requirements in connection with each request that it makes and in
connection with all such information it receives.
(A) Minimization. The requesting agency shall limit, to the
greatest extent practicable, the scope of such information it seeks,
consistent with the agency's purposes for seeking such information.
(B) Certifications and other requirements. (1) The head of a
Federal agency that makes a request under paragraph (b)(1) of this
section or their designee shall make a written certification to FinCEN,
in the form and manner as FinCEN shall prescribe, that:
(i) The agency is engaged in a national security, intelligence, or
law enforcement activity; and
(ii) The information requested is for use in furtherance of such
activity, setting forth specific reasons why the requested information
is relevant to the activity.
(2) The head of a State, local, or Tribal agency, or their
designee, who makes a request under paragraph (b)(2) of this section
shall submit to FinCEN, in the form and manner as FinCEN shall
prescribe:
(i) A copy of a court order from a court of competent jurisdiction
authorizing the agency to seek the information in a criminal or civil
investigation; and
(ii) A written justification that sets forth specific reasons why
the requested information is relevant to the criminal or civil
investigation.
(3) The head of a Federal agency, or their designee, who makes a
request under paragraph (b)(3)(ii)(A) of this section shall:
(i) Retain for its records the request for information under the
applicable international treaty, agreement, or convention;
(ii) Submit to FinCEN, in the form and manner as FinCEN shall
prescribe: the name, title, email address, and telephone number for the
individual from the Federal agency making the request; the name, title,
agency, and country of the foreign person on whose behalf the Federal
agency is making the request; the title and date of the international
treaty, agreement, or convention under which the request is being made;
and a certification that the information is for use in furtherance of a
law enforcement investigation or prosecution, or for a national
security or intelligence activity, that is authorized under the laws of
the relevant foreign country.
(4) The head of a Federal agency, or their designee, who makes a
request under paragraph (b)(3)(ii)(B) of this section shall submit to
FinCEN, in the form and manner as FinCEN shall prescribe:
(i) A written explanation of the specific purpose for which the
foreign person is seeking information under paragraph (b)(3)(ii)(B) of
this section, along with an accompanying certification that the
information is for use in furtherance of a law enforcement
investigation or prosecution, or for a national security or
intelligence activity, that is authorized under the laws of the
relevant foreign country; will be used only for the particular purpose
or activity for which it is requested; and will be handled consistent
with the requirements of paragraph (d)(3) of this section;
(ii) The name, title, email address, and telephone number for the
individual from the Federal agency making the request;
(iii) The name, title, agency, and country of the foreign person on
whose behalf the Federal agency is making the request; and
(iv) Any other information that FinCEN requests in order to
evaluate the request.
(5) The head of a Federal functional regulator or other appropriate
regulatory agency, or their designee, who makes a request under
paragraph (b)(4)(ii) of this section shall make a written certification
to FinCEN, in the form and manner as FinCEN shall prescribe, that:
(i) The agency is authorized by law to assess, supervise, enforce,
or otherwise determine the compliance of a relevant financial
institution with customer due diligence requirements under applicable
law; and
(ii) The agency will use the information solely for the purpose of
conducting the assessment, supervision, or authorized investigation or
activity described in paragraph (b)(4)(ii)(A) of this section.
(2) Security and confidentiality requirements for financial
institutions. To receive information under paragraph (b)(4)(i) of this
section, a financial institution shall satisfy the following
requirements:
(i) Restrictions on personnel access to information. The financial
institution
shall restrict access to information obtained from FinCEN under
paragraph (b)(4)(i) of this section to directors, officers, employees,
contractors, and agents within the United States.
(ii) Safeguards. The financial institution shall develop and
implement administrative, technical, and physical safeguards reasonably
designed to protect the security, confidentiality, and integrity of
such information. The requirements of this paragraph (d)(2)(i) of this
section shall be deemed satisfied to the extent that a financial
institution:
(A) Applies such information procedures that the institution has
established to satisfy the requirements of section 501 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801 et seq.), and applicable regulations
issued thereunder, with regard to the protection of its customers'
nonpublic personal information, modified as needed to account for any
unique requirements imposed under this section; or
(B) If it is not subject to section 501 of the Gramm-Leach-Bliley
Act, applies such information procedures with regard to the protection
of its customers' nonpublic personal information that are required,
recommended, or authorized under applicable Federal or State law and
are at least as protective of the security and confidentiality of
customer information as procedures that satisfy the standards of
section 501 of the Gramm-Leach-Bliley Act.
(iii) Consent to obtain information. Before making a request for
information regarding a reporting company under paragraph (b)(4)(i) of
this section, the financial institution shall obtain and document the
consent of the reporting company to request such information. The
documentation of the reporting company's consent shall be maintained
for 5 years after it is last relied upon in connection with a request
for information under paragraph (b)(4)(i) of this section.
(iv) Certification. For each request for information regarding a
reporting company under paragraph (b)(4)(i) of this section, the
financial institution shall make a written certification to FinCEN that
it:
(A) Is requesting the information to facilitate its compliance with
customer due diligence requirements under applicable law;
(B) Has obtained the written consent of the reporting company to
request the information from FinCEN; and
(C) Has fulfilled all other requirements of paragraph (d)(2) of
this section.
(3) Security and confidentiality requirements for foreign
recipients of information. (i) To receive information under paragraph
(b)(3)(ii)(A) of this section, a foreign person on whose behalf a
Federal agency made the request under that paragraph shall comply with
all applicable handling, disclosure, and use requirements of the
international treaty, agreement, or convention under which the request
was made.
(i) To receive information under paragraph (b)(3)(ii)(B) of this
section, a foreign person on whose behalf a Federal agency made the
request under that paragraph shall ensure that the following
requirements are satisfied:
(A) Standards and procedures. A foreign person who receives
information pursuant to paragraph (b)(3)(ii)(B) of this section shall
establish standards and procedures to protect the security and
confidentiality of such information, including procedures for training
personnel who will have access to it on the appropriate handling and
safeguarding of such information.
(B) Secure system for beneficial ownership information storage.
Such information shall be maintained in a secure system that complies
with the security standards the foreign person applies to the most
sensitive unclassified information it handles.
(C) Minimization. To the greatest extent practicable, the scope of
information sought shall be limited, consistent with the purposes for
seeking such information.
(D) Restrictions on personnel access to information. Access to such
information shall be limited to persons--
(1) Who are directly engaged in the activity described in paragraph
(b)(3) of this section for which the information was requested;
(2) Whose duties or responsibilities require such access; and
(3) Who have undergone training on the appropriate handling and
safeguarding of information obtained pursuant to this section.
(e) Administration of requests--(1) Form and manner of requests.
Requests for information under paragraph (b) of this section shall be
submitted to FinCEN in such form and manner as FinCEN shall prescribe.
(2) Rejection of requests. (i) FinCEN will reject a request under
paragraph (b)(4) of this section, and may reject any other request made
pursuant to this section, if such request is not submitted in the form
and manner prescribed by FinCEN.
(ii) FinCEN may reject any request, or otherwise decline to
disclose any information in response to a request made under this
section, if FinCEN, in its sole discretion, finds that, with respect to
the request:
(A) The requester has failed to meet any requirement of this
section;
(B) The information is being requested for an unlawful purpose; or
(C) Other good cause exists to deny the request.
(3) Suspension of access. (i) FinCEN may permanently debar or
temporarily suspend, for any period of time, any requesting party from
receiving or accessing information under paragraph (b) of this section
if FinCEN, in its sole discretion, finds that:
(A) The requesting party has failed to meet any requirement of this
section;
(B) The requesting party has requested information for an unlawful
purpose; or
(C) Other good cause exists for such debarment or suspension.
(ii) FinCEN may reinstate the access of any requester that has been
suspended or debarred under this paragraph (e)(3) upon satisfaction of
any terms or conditions that FinCEN deems appropriate.
(f) Violations--(1) Unauthorized disclosure or use. Except as
authorized by this section, it shall be unlawful for any person to
knowingly disclose, or knowingly use, the beneficial ownership
information obtained by the person, directly or indirectly, through:
(i) A report submitted to FinCEN under Sec. 1010.380; or
(ii) A disclosure made by FinCEN pursuant to paragraph (b) of this
section.
(2) For purposes of paragraph (f)(1) of this section, unauthorized
use shall include accessing information without authorization, and
shall include any violation of the requirements described in paragraph
(d) of this section in connection with any access.
Himamauli Das,
Acting Director, Financial Crimes Enforcement Network.
[FR Doc. 2022-27031 Filed 12-15-22; 8:45 am]