Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, 77404-77457 [2022-27031]

Federal Register / Vol. 87, No. 241 / Friday, December 16, 2022 / Proposed Rules
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Part 1010
RIN 1506–AB59
RIN 1506–AB49
Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities
AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.
ACTION: Notice of proposed rulemaking (NPRM).
SUMMARY: FinCEN is promulgating proposed regulations regarding access by authorized recipients to beneficial ownership information (BOI) that will be reported to FinCEN pursuant to Section 6403 of the Corporate Transparency Act (CTA), enacted into law as part of the Anti-Money Laundering Act of 2020 (AML Act), which is itself part of the National Defense Authorization Act for Fiscal Year 2021 (NDAA). The proposed regulations would implement the strict protocols on security and confidentiality required by the CTA to protect sensitive personally identifiable information (PII) reported to FinCEN. The NPRM explains the circumstances in which specified recipients would have access to BOI and outlines data protection protocols and oversight mechanisms applicable to each recipient category. The disclosure of BOI to authorized recipients in accordance with appropriate protocols and oversight will help law enforcement and national security agencies prevent and combat money laundering, terrorist financing, tax fraud, and other illicit activity, as well as protect national security. FinCEN is also proposing regulations to specify when and how reporting companies can use FinCEN identifiers to report the BOI of entities.
DATES: Written comments on this proposed rule may be submitted on or before February 14, 2023.
ADDRESSES: Comments may be submitted by any of the following methods:
• Federal E-rulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments. Refer to Docket Number FINCEN–2021–0005 and RIN 1506–AB49/AB59.
• Mail: Policy Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN–2021–0005 and RIN 1506–AB49/AB59.
FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section at 1–800–767–2825 or electronically at frc@fincen.gov.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
These proposed regulations would implement the provisions in the CTA, codified at 31 U.S.C. 5336(c),1 that authorize certain recipients to receive disclosures of identifying information associated with reporting companies, their beneficial owners, and their company applicants (together, BOI). The CTA requires reporting companies to report BOI to FinCEN pursuant to 31 U.S.C. 5336(b). This NPRM reflects FinCEN’s careful consideration of public comments, including those received in response to an advance notice of proposed rulemaking (ANPRM) 2 on the implementation of the CTA, and in response to an NPRM regarding BOI reporting requirements (Reporting NPRM).3 This NPRM also reflects FinCEN’s understanding of the critical need for the highest standard of security and confidentiality protocols to maintain confidence in the U.S. government’s ability to protect sensitive information while achieving the objective of the CTA—establishing a database of beneficial ownership information (BOI) that will be highly useful in combatting illicit finance and the abuse of shell and front companies by criminals, corrupt officials, and other bad actors.
1 The CTA is Title LXIV of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116–283 (Jan. 1, 2021) (the NDAA). Division F of the NDAA is the Anti-Money Laundering Act of 2020 (AML Act), which includes the CTA. Section 6403 of the CTA, among other things, amends the Bank Secrecy Act (BSA) by adding a new Section 5336, Beneficial Ownership Information Reporting Requirements, to Subchapter II of Chapter 53 of Title 31, United States Code.
2 86 FR 17557 (Apr. 5, 2021).
3 86 FR 69920 (Dec. 8, 2021).
The proposed regulations aim to ensure that: (1) only authorized recipients have access to BOI; (2) authorized recipients use that access only for purposes permitted by the CTA; and (3) authorized recipients only redisclose BOI in ways that balance protection of the security and confidentiality of the BOI with furtherance of the CTA’s objective of making BOI available to a range of users for purposes specified in the CTA. The proposed regulations also provide a robust framework to ensure that BOI reported to FinCEN, and received by authorized recipients, is subject to strict cyber security controls, confidentiality protections and restrictions, and robust audit and oversight measures. Coincident with the protocols described in this NPRM, FinCEN is working to develop a secure, non-public database in which to store BOI, using rigorous information security methods and controls typically used in the Federal government to protect non-classified yet sensitive information systems at the highest security level.
Against this backdrop and consistent with the CTA, FinCEN will permit Federal, State, local, and Tribal officials, as well as certain foreign officials acting through a Federal agency, to obtain BOI for use in furtherance of statutorily authorized activities such as those related to national security, intelligence, and law enforcement.
Financial institutions (FIs) with customer due diligence (CDD) requirements under applicable law will have access to BOI to facilitate CDD compliance. Their regulators will likewise have access to BOI to make assessments of CDD compliance.
Additionally, FinCEN is proposing certain amendments to the BOI reporting regulations regarding the use of FinCEN identifiers.4 The proposed amendments would specify how reporting companies would be able to use an entity’s FinCEN identifier to fulfill their BOI reporting obligations under 31 CFR 1010.380.
4 Id., as defined in 31 CFR 1010.380(f)(2), a FinCEN identifier is a unique identifying number assigned by FinCEN to an individual or reporting company under 31 CFR 1010.380.
II. Background
A. Access to Beneficial Ownership Information
As Congress explained in the CTA, “malign actors seek to conceal their ownership of corporations, limited liability companies, or other similar entities in the United States to facilitate illicit activity, including money laundering, the financing of terrorism, proliferation financing, serious tax fraud, human and drug trafficking, counterfeiting, piracy, securities fraud, financial fraud, and acts of foreign corruption, harming the national security interests of the United States and allies of the United States.” 5 Access by authorized recipients to BOI reported under the CTA would significantly aid efforts to protect U.S. national security and safeguard the U.S. financial system from such illicit use. It would impede illicit actors’ ability to use legal entities to conceal proceeds from criminal acts that undermine U.S. national security and foreign policy interests, such as corruption, human smuggling, drug and arms trafficking, and terrorist financing. BOI can also add critical data to financial analyses in activities the CTA contemplates, including tax investigations. It can also provide essential information to the intelligence and national security professionals who work to prevent terrorists, proliferators, and those who seek to undermine our democratic institutions or threaten other core U.S. interests from raising, hiding, or moving money in the United States through anonymous shell or front companies.6
5 CTA, Section 6402(3).
6 A front company generates legitimate business proceeds to commingle with illicit earnings. See U.S. Department of the Treasury, National Money Laundering Risk Assessment (2018), p. 29, available at https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf.
The United States currently does not have a centralized or complete store of information about who owns and operates legal entities within the United States. The beneficial ownership data available to law enforcement and national security agencies are generally limited to the information collected by financial institutions on legal entity accounts pursuant to their CDD or broader Customer Identification Program (CIP) obligations, some of which has been included in Suspicious Activity Reports (SARs) or provided to law enforcement in response to judicial process.7 As set out in detail in the Reporting NPRM 8 and the BOI reporting final rule,9 U.S. law enforcement officials and the Financial Action Task Force (FATF),10 among others, have for years noted how the lack of timely access to accurate and adequate BOI by law enforcement and other authorized recipients remained a significant gap in the United States’ anti-money-laundering/countering-the-financing-of-terrorism (AML/CFT) and countering the financing of proliferation (CFP) framework. Broadly, and critically, BOI can identify linkages between potential illicit actors and opaque business entities, including shell companies. Furthermore, comparing BOI reported pursuant to the CTA against data collected under the Bank Secrecy Act (BSA) and other relevant government data is expected to significantly further efforts to identify illicit actors and combat their financial activities.
7 31 CFR 1010.230. Even then, any BOI a financial institution collects is not systematically reported to any central repository.
8 Supra note 3.
9 87 FR 59498 (Sept. 30, 2022).
10 The FATF, of which the United States is a founding member, is an international, intergovernmental task force whose purpose is the development and promotion of international standards and the effective implementation of legal, regulatory, and operational measures to combat money laundering, terrorist financing, the financing of weapons proliferation, and other related threats to the integrity of the international financial system. The FATF assesses over 200 jurisdictions against its minimum standards for beneficial ownership transparency. Among other things, it has established standards on transparency and beneficial ownership of legal persons, to deter and prevent the misuse of corporate vehicles. See FATF Recommendation 24, Transparency and Beneficial Ownership of Legal Persons, The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation (updated Oct. 2020), available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatfrecommendations.html; FATF Guidance, Transparency and Beneficial Ownership, Part III (Oct. 2014), available at https://www.fatf-gafi.org/media/fatf/documents/reports/Guidancetransparency-beneficial-ownership.pdf.
As law enforcement and other U.S. government officials have noted, investigations into, and prosecutions of, money laundering, corruption, and other illicit financial activities are often prolonged or stymied by those officials’ inability to rapidly access BOI in a centralized database. Kenneth A. Blanco, then-Director of FinCEN and a former State and Federal prosecutor, observed in 2019 testimony to the U.S. Senate Committee on Banking, Housing and Urban Affairs that based on his experience as a former State and Federal prosecutor, identifying the ultimate beneficial owner of a shell or front company in the United States “often requires human source information, grand jury subpoenas, surveillance operations, witness interviews, search warrants, and foreign legal assistance requests to get behind the outward facing structure of these shell companies. This takes an enormous amount of time—time that could be used to further other important and necessary aspects of an investigation—and wastes resources, or prevents investigators from getting to other equally important investigations.” 11 The FBI’s Steven M. D’Antuono elaborated on these difficulties, testifying before the Senate Banking Housing and Urban Affairs Committee in 2019 that “[t]he process for the production of records can be lengthy, anywhere from a few weeks to many years, and . . . can be extended drastically when it is necessary to obtain information from other countries . . . . [I]f an investigator obtains the ownership records, either from a domestic or foreign entity, the investigator may discover that the owner of the identified corporate entity is an additional corporate entity, necessitating the same process for the newly discovered corporate entity. Many professional launderers and others involved in illicit finance intentionally layer ownership and financial transactions in order to reduce transparency of transactions. As it stands, it is a facially effective way to delay an investigation.” 12 D’Antuono acknowledged that these challenges may be even starker for State, local, and Tribal law enforcement agencies that may not have the same resources as their Federal counterparts to undertake long and costly investigations to identify the beneficial owners of these entities.13 During the testimony, he noted that requiring the disclosure of BOI by legal entities and the creation of a central BOI repository available to law enforcement and regulators could address these challenges.14
11 FinCEN, Testimony for the Record, Kenneth A. Blanco, Director, U.S. Senate Committee on Banking, Housing and Urban Affairs (May 21, 2019), available at https://www.banking.senate.gov/imo/media/doc/Blanco%20Testimony%205-2119.pdf.
The process of obtaining BOI through grand jury subpoenas and other means can be time-consuming and of limited utility in some cases. Grand jury subpoenas, for example, require an underlying grand jury investigation into a possible violation of law. In addition, the law enforcement officer or investigator must work with a prosecutor’s office, such as a U.S. Attorney’s Office, to open a grand jury investigation, obtain the grand jury subpoena, and issue it on behalf of the grand jury. The investigator also needs to determine the proper recipient of the subpoena and coordinate service, which raises additional complications in cases where there is excessive layering of corporate structures to hide the identity of the ultimate beneficial owners. In some cases, however, BOI still may not be attainable via grand jury subpoena because it is not recorded. For example, because most states do not require the disclosure of BOI when forming or registering an entity, BOI cannot be obtained from the secretary of state or similar office.
Furthermore, many states permit corporations to acquire property without disclosing BOI, and therefore BOI cannot be obtained from property records.
12 Federal Bureau of Investigation (FBI), Testimony of Steven M. D’Antuono, Section Chief, Criminal Investigative Division, “Combatting Illicit Financing by Anonymous Shell Companies” (May 21, 2019), available at https://www.fbi.gov/news/testimony/combating-illicit-financing-byanonymous-shell-companies.
13 Id.
14 Id.
FinCEN’s existing regulatory tools also have significant limitations. The 2016 CDD Rule,15 for example, requires that certain types of U.S. financial institutions identify and verify the beneficial owners of legal entity customers at the time those financial institutions open a new account for a legal entity customer,16 but the rule provides only a partial solution.17 The information provided to U.S. financial institutions about beneficial owners of certain U.S. entities is generally not comprehensive and not reported to the U.S. government (nor to State, local, or Tribal governments), except when filed in SARs or in response to judicial process. It is therefore not immediately available to law enforcement, intelligence, and national security agencies. Moreover, the CDD rule applies only to legal entities that open accounts at certain U.S. financial institutions. Other FinCEN authorities—geographic targeting orders 18 and the so-called “311 measures” (i.e., special measures imposed on jurisdictions, financial institutions, or international transactions of primary money laundering concern) 19—offer temporary and targeted tools. Neither provides law enforcement the ability to reliably, efficiently, and consistently follow investigatory leads.
15 81 FR 29397 (May 11, 2016).
16 The CDD Rule NPRM contained a requirement that covered financial institutions conduct ongoing monitoring to maintain and update customer information on a risk basis, specifying that customer information includes the beneficial owners of legal entity customers. As noted in the supplementary material to the final rule, FinCEN did not construe this obligation as imposing a categorical, retroactive requirement to identify and verify BOI for existing legal entity customers. Rather, these provisions reflect the conclusion that a financial institution should obtain BOI from existing legal entity customers when, in the course of its normal monitoring, the financial institution detects information relevant to assessing or reevaluating the risk of such customer. Final Rule, Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398, 29404 (May 11, 2016).
17 See U.S. Money Laundering Threat Assessment Working Group, U.S. Money Laundering Threat Assessment (2005), pp. 48–49, available at https://www.treasury.gov/resource-center/terrorist-illicitfinance/documents/mlta.pdf. See also Congressional Research Service, Miller, Rena S. and Rosen, Liana W., Beneficial Ownership Transparency in Corporate Formation, Shell Companies, Real Estate, and Financial Transactions (Jul. 8, 2019), available at https://crsreports.congress.gov/product/pdf/R/R45798.
18 31 U.S.C. 5326(a); 31 CFR 1010.370.
19 31 U.S.C. 5318A, as added by section 311 of the USA PATRIOT Act (Pub. L. 107–56).
The utility and value of BOI reported to FinCEN, therefore, rests in large part on the bureau’s ability to provide authorized recipients predictable and efficient access to reported BOI while protecting the confidentiality and integrity of the information. As Congress noted, “[f]ederal legislation providing for the collection of beneficial ownership information for corporations, limited liability companies, or other similar entities formed under the laws of the States is needed” to protect vital U.S. “national security interests . . . [and] better enable critical national security, intelligence, and law enforcement efforts to counter money laundering, the financing of terrorism, and other illicit activity.” 20 Furthermore, providing authorized recipients in FIs access to BOI reported to FinCEN, as the CTA requires, will assist FIs in complying with AML/CFT and CDD requirements.
20 CTA, Section 6402(5)(B),(D).
B. The Corporate Transparency Act
The CTA is part of the AML Act, which is itself a part of the 2021 NDAA. The CTA added a new section, 31 U.S.C. 5336, to the BSA to address the broader objectives of enhancing beneficial ownership transparency while minimizing the burden on the regulated community. In brief, 31 U.S.C. 5336 requires certain types of domestic and foreign entities, called “reporting companies,” to submit specified BOI to FinCEN. FinCEN is authorized to share this BOI with certain Government agencies, financial institutions, and regulators, subject to appropriate protocols.21 The requirement for reporting companies to submit BOI takes effect “on the effective date of the regulations prescribed by the Secretary of the Treasury under [31 U.S.C. 5336].” 22 Reporting companies formed or registered after the effective date will need to submit the requisite BOI to FinCEN at the time of formation, while preexisting reporting companies will have a specified period to comply and report.23 The CTA reporting requirements generally exempt entities that are otherwise subject to significant regulatory regimes—e.g., banks—where Congress presumably expected primary regulators to have visibility into the identities of the owners and ownership structures of the entities. The exemptions thus avoid imposing duplicative requirements in these cases.
The provision at 31 U.S.C. 5336 requires reporting companies to submit to FinCEN, for each beneficial owner and company applicant, either the individual’s full legal name, date of birth, current residential or business street address, and a unique identifying number from an acceptable identification document (e.g., a nonexpired passport)—four readily accessible pieces of information that should not be unduly burdensome for individuals to produce, or for reporting companies to collect and submit to FinCEN—or a FinCEN identifier.24 A FinCEN identifier is a unique identifying number that FinCEN will issue to individuals or entities upon request.25 In certain instances, the FinCEN identifier may be reported in lieu of an individual’s name, birth date, address, and unique identification number.26 As noted in Section II.E. below, FinCEN addressed the regulatory requirements related to BOI reporting pursuant to the CTA through the recent issuance of a final BOI reporting rule.27
21 See generally 31 U.S.C. 5336(b), (c).
22 31 U.S.C. 5336(b)(5).
23 See 31 U.S.C. 5336(b)(1)(B), (C).
24 See 31 U.S.C. 5336(b)(2).
Given the sensitivity of the reportable BOI, the CTA imposes strict confidentiality and security restrictions on the storage, access, and use of BOI. Congress authorized FinCEN to disclose BOI to a statutorily defined group of governmental authorities and financial institutions, in limited circumstances. The CTA establishes that BOI is “sensitive information,” 28 and provides that the Secretary of the Treasury (Secretary) shall “maintain [it] in a secure, nonpublic database, using information security methods and techniques that are appropriate to protect nonclassified information systems at the highest security level.” 29 The statute further provides that BOI is only to be used by specified parties for specified purposes.30 Access to and disclosure of BOI is the focus of this NPRM.
25 See 31 U.S.C. 5336(b)(3)(A)(i).
26 See 31 U.S.C. 5336(b)(3)(B).
27 Supra note 7.
28 CTA, Section 6402(6).
29 CTA, Section 6402(7)(A). While the statutory language seems to include a typo that refers to another provision, it also seems clear that the object of protection in this case is BOI.
30 CTA, Section 6402(6).
31 CTA, Section 6403(d)(1), (2). The CTA orders the rescission of paragraphs (b) through (j) directly (“the Secretary of the Treasury shall rescind paragraphs (b) through (j)”) and orders the retention of paragraph (a) by a negative rule of construction (“nothing in this section may be construed to authorize the Secretary of the Treasury to repeal ... [31 CFR] 1010.230(a)[.]”).
In addition to setting out requirements and restrictions related to BOI reporting and access, the CTA requires that FinCEN revise the current CDD Rule within one year of January 1, 2024, the effective date of the final BOI reporting rule, by rescinding paragraphs (b) through (j) of 31 CFR 1010.230.31 The CTA identifies three purposes for this revision: (1) to bring the rule into conformity with the AML Act as a whole, including the CTA; (2) to account for financial institutions’ access to BOI reported to FinCEN “in order to confirm the beneficial ownership information provided directly to the financial institutions” for AML/CFT and customer due diligence purposes; and (3) to reduce unnecessary or duplicative burdens on financial institutions and legal entity customers.32 FinCEN intends to satisfy the requirements related to the revision of the CDD Rule through a future rulemaking process that will provide the public with an opportunity to comment on the proposal.
FinCEN anticipates that this rulemaking to revise the CDD Rule will touch on the issue of the interplay between financial institutions’ CDD efforts and the beneficial ownership IT system that FinCEN is developing to receive, store, and maintain BOI.
32 CTA, Section 6403(d)(1)(A)–(C).
C. The Advance Notice of Proposed Rulemaking
On April 5, 2021, FinCEN published the ANPRM related to implementing the CTA.33 The ANPRM sought input on five open-ended categories of questions, including on clarifying key definitions and on FinCEN’s implementation of the related provisions of the CTA that govern the bureau’s maintenance and disclosure of BOI subject to appropriate access protocols. In response to the ANPRM, FinCEN received 220 comments from parties that included businesses, civil society organizations, trade associations, law firms, secretaries of state and other State officials, Indian Tribes, members of Congress, and private citizens. Some comments focused on issues that pertain to this access rulemaking, such as the structure of the BOI database, certain users’ need for access, the importance of ensuring the security of the database, specific technological decisions that FinCEN could make, and the desirability of a FinCEN commitment to verifying the information in the database. FinCEN has considered all of the comments that it received in response to the ANPRM in drafting this proposed rule.
33 Supra note 2.
D. The Reporting Notice of Proposed Rulemaking
FinCEN followed the ANPRM with the December 8, 2021, publication of the Reporting NPRM, the first of the three CTA-related rulemakings.34 In the Reporting NPRM, FinCEN described in detail Treasury’s efforts to address the lack of transparency in certain legal entity ownership, the value of BOI, the national security and law enforcement implications of legal entities with anonymous beneficial owners, and the need for centralized BOI collection.35 The Reporting NPRM acknowledged the current environment in which criminals and other bad actors can exploit the creation and use of legal entities in the United States. The Reporting NPRM proposed regulations specifying what BOI must be reported to FinCEN pursuant to CTA requirements, by whom, and when. In particular, it proposed that domestic and foreign reporting companies report to FinCEN four pieces of BOI for each of their beneficial owners and company applicants: full legal name, birthdate, current residential or business street address, and a unique identifying number from an acceptable identification document (e.g., a nonexpired passport or driver’s license). In the alternative, the proposed rule would permit a reporting company to report a FinCEN identifier for an individual or entity in certain circumstances.36 These regulations also proposed processes for obtaining, updating, and using FinCEN identifiers. The Reporting NPRM included a 60-day comment period, which closed on February 7, 2022, and FinCEN received over 240 comments on the NPRM.
34 86 FR 69920 (Dec. 8, 2021).
35 Id. at 69921–69928.
E. The Final Reporting Rule
On September 30, 2022, FinCEN published a final rule implementing the CTA’s BOI reporting requirements and addressing the comments submitted on the NPRM. The final regulations require certain legal entities to file with FinCEN reports that identify the beneficial owners of the entity, and individuals who filed (or who are primarily responsible for directing or controlling the filing of) an application with specified governmental authorities to create the entity or register it to do business. Further, the regulations describe who must file a report, what information must be provided, and when a report is due. These reporting requirements are intended to help prevent and combat money laundering, terrorist financing, corruption, tax fraud, and other illicit activity, while minimizing the burden on reporting companies.
36 See 31 U.S.C. 5336(b).
In addition, as the final BOI reporting rule noted, providing authorized users in the law enforcement, national security, and regulatory communities, and in FIs, access to the reported BOI will diminish the ability of illicit actors to obfuscate their activities through the use of anonymous shell and front companies. FinCEN also recognized in the final BOI reporting rule the vital importance of protecting the reported BOI and ensuring, through the issuance of regulations governing access to the reported BOI, that the BOI is subject to stringent use and security protocols. The BOI final reporting regulations become effective on January 1, 2024. Furthermore, the final BOI reporting rule reserved certain provisions concerning the use of FinCEN identifiers for entities for further consideration. This Access NPRM includes proposed amendments to the reporting regulations that would finalize these remaining provisions.
F. Beneficial Ownership Information Infrastructure
i. Beneficial Ownership Information IT System Development
The CTA directs the Secretary to maintain BOI “in a secure, nonpublic database, using information security methods and techniques that are appropriate to protect non-classified information security systems at the highest security level . . . .” 37 To implement this requirement, FinCEN has been developing a secure information technology (IT) system to receive, store, and maintain BOI. FinCEN has gathered requirements and completed initial system engineering, architectures, and program planning activities. The initial build of the cloud infrastructure is complete and the development of the first set of system products is in progress. The target date for the system to begin accepting BOI reports is January 1, 2024, the same day the reporting rule takes effect.
37 CTA, Section 6402(7).
FinCEN is taking a very deliberative approach to designing and building the system, factoring in the requirements set out in the CTA as well as guidance from Congress. As Senator Sherrod Brown, the then-Ranking Member of the Senate Committee on Banking, Housing, and Urban Affairs and one of the primary authors of the CTA, noted in his December 9, 2020, floor statement accompanying the CTA, “[i]n designing the [system], FinCEN should survey other beneficial ownership databases to determine their best features and design, and create a structure that secures the data as required by law.” 38 Among other actions FinCEN has undertaken in the development of the system, FinCEN met not only with future stakeholders to better understand their need to access BOI and how they currently safeguard sensitive information (see Section II.H. “Outreach” below), but also with other government entities that had developed beneficial ownership databases, such as the District of Columbia’s (DC’s) Superintendent of Corporations (within DC’s Department of Consumer and Regulatory Affairs Corporations), and the United Kingdom’s Companies House. Senator Brown also encouraged FinCEN to “ensure that [F]ederal, [S]tate, local and tribal law enforcement can access the beneficial ownership database without excessive delays or red tape in a manner modeled after its existing systems providing law enforcement access to databases containing currency transaction and suspicious activity report information.” 39
38 Senator Sherrod Brown, National Defense Authorization Act, Congressional Record 166:208 (Dec. 9, 2020), p. S7312, available at https://www.govinfo.gov/content/pkg/CREC-2020-12-09/pdf/CREC-2020-12-09.pdf.
Keeping BOI secure and confidential is one of FinCEN’s highest priorities in building the system.
Serving that interest requires not only designing and implementing appropriate technical controls around BOI security and storage, but also thoroughly understanding the ways in which prospective authorized BOI recipients intend to access, handle, and use BOI. This knowledge in turn informs the policies, procedures, and processes that will govern how authorized recipients treat BOI when they access it. This balance is reflected in the ongoing development of the system. Consistent with the CTA’s requirement,40 the system will be cloud-based and is being implemented to meet the highest Federal Information Security Management Act (FISMA) 41 level (FISMA High).42 A FISMA High rating indicates that losing the confidentiality, integrity, or availability of information within a system would have a severe or catastrophic adverse effect on the organization maintaining the system, including on organizational assets or individuals.43 The rating carries with it a requirement to implement certain baseline controls to protect the relevant information.44

39 Id.
40 31 U.S.C. 5336(c)(8).
41 44 U.S.C. 3541 et seq.
42 See U.S. Department of Commerce, Federal Information Processing Standards Publication: Standards for Security Categorization of Federal Information and Information Systems (‘‘FIPS Pub 199’’) (Feb. 2004), available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf.
43 Id. at 3.
44 Id.

FinCEN recognizes that BOI is highly sensitive information. FinCEN therefore views it as critical to mitigate the risk of unauthorized disclosure of BOI as much as possible. To that end, system functionality will vary by recipient category consistent with statutory requirements and limitations on BOI disclosure—for example, financial institutions will have a different level of access to BOI than law enforcement agencies.
The regulations proposed in this Access NPRM complement this functionality by clarifying and codifying those requirements and limitations, including through recipient-specific access protocols designed to protect BOI security and confidentiality.

ii. CTA Implementation Efforts

FinCEN continues to face resource constraints in developing and deploying the Beneficial Ownership IT System and efforts to put in place processes to support the collection and use of BOI. There are a myriad of areas that need additional investment, including additional personnel to support efforts beyond the initial build of the Beneficial Ownership IT System. These include efforts to provide clear and transparent guidance to reporting companies and authorized users of BOI, negotiating and implementing memoranda of understanding (MOUs) with domestic government agencies, reviewing requests for BOI and accompanying court authorizations from State, local, or tribal law enforcement agencies, auditing the handling and use of BOI, and enforcement activities. FinCEN is particularly focused on providing adequate customer service resources for reporting companies in the first year and beyond as they file their BOI. FinCEN currently fields approximately 13,000 inquiries a year through its Regulatory Support Section, and approximately 70,000 external technical inquiries a year through the IT Systems Helpdesk. FinCEN has estimated that there will be approximately 32 million reporting companies in Year 1 of the reporting requirement and approximately 5 million new reporting companies each year thereafter.45 If 10 percent of those reporting companies have questions about the reporting requirement or the form, or technical issues when filing, that could result in upwards of 3 million inquiries in Year 1, and 500,000 per year after that.
Without the availability of additional appropriated funds to support this project and other mission-critical services, FinCEN may need to identify trade-offs, including with respect to guidance and outreach activities, and the staged access by different authorized users to the database. FinCEN is currently identifying the range of considerations implicated by potential budget shortfalls and the trade-offs that are available and appropriate.

45 87 FR 59498, 59549 (Sept. 30, 2022).

G. Verification

FinCEN continues to evaluate options for verifying reported BOI.46 ‘‘Verification,’’ as that term is used here, means confirming that the reported BOI submitted to FinCEN is actually associated with a particular individual. A number of commenters to the ANPRM and Reporting NPRM have affirmed the importance of verifying BOI to support authorized activities that rely on the information. FinCEN continues to review the options available to verify BOI within the legal constraints in the CTA.

H. Outreach

FinCEN has conducted more than 30 outreach sessions to solicit input on how best to implement the statutory authorizations and limitations regarding BOI disclosure. Participants included representatives from Federal agencies, State courts, State and local prosecutors’ offices, Tribal governments, FIs, financial self-regulatory organizations (SROs), and, as noted previously, government offices that had established BOI databases. Topics discussed included how stakeholders might use BOI, potential information technology (IT) system features, circumstances in which potential stakeholders might need to re-disseminate BOI, and how different approaches might help further the purposes of the CTA. These conversations helped FinCEN refine its thinking about how to create a useful database for stakeholders while protecting BOI and individual privacy.

III. Overview of Access Framework and Protocols

A. Statutory Framework

The CTA authorizes FinCEN to disclose BOI to five categories of recipients.47 The first category consists of recipients in Federal, State, local and Tribal government agencies. Within this category, FinCEN may disclose BOI to Federal agencies engaged in national security, intelligence, or law enforcement activity if the requested BOI is for use in furtherance of such activity.48 Note that Federal agency access is activity-based. Thus, an agency such as a Federal functional regulator, while perhaps not a ‘‘law enforcement agency’’ in the conventional sense, may still be engaged in ‘‘law enforcement activity’’ such as civil law enforcement, and can therefore still request BOI from FinCEN for use in furtherance of that activity.

46 Pursuant to Sections 6502(b)(1)(C) and (D) of the AML Act, the Secretary, in consultation with the Attorney General, will conduct a study no later than two years after the effective date of the BOI reporting final rule, to evaluate the costs associated with imposing any new verification requirements on FinCEN and the resources necessary to implement any such changes.
47 31 U.S.C. 5336(c)(2)(B) and 31 U.S.C. 5336(c)(5).
48 31 U.S.C. 5336(c)(2)(B)(i)(I).
FinCEN may also disclose BOI to State, local, and Tribal law enforcement agencies if ‘‘a court of competent jurisdiction’’ has authorized the law enforcement agency to seek the information in a criminal or civil investigation.49 The second category consists of foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (‘‘foreign requesters’’), provided their requests come through an intermediary Federal agency, meet certain additional criteria, and are made either (1) under an international treaty, agreement, or convention, or (2) via a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country (when no international treaty, agreement, or convention is available).50 The third authorized recipient category is FIs using BOI to facilitate compliance with CDD requirements under applicable law, provided the FI requesting the BOI has the relevant reporting company’s consent for such disclosure.51 The fourth category is Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing FIs for compliance with CDD requirements.52 These agencies may access the BOI information that FIs they supervise received from FinCEN. The fifth and final category of authorized BOI recipients is the U.S. 
Department of the Treasury (Treasury) itself, for which the CTA provides relatively unique access to BOI tied to an officer or employee’s official duties requiring BOI inspection or disclosure, including for tax administration.53 The CTA directs the Secretary to ‘‘take all steps, including regular auditing, to ensure that government authorities accessing [BOI] do so only for authorized purposes consistent with [the CTA].’’ 54 The CTA also requires the Secretary to establish protocols governing access by authorized recipients to BOI and protecting the information’s security and confidentiality.55 Specifically, the statute provides that the Secretary shall establish protocols requiring: (1) the heads of requesting agencies to approve standards and procedures for protecting BOI, and make related certifications; 56 (2) requesting agencies to ‘‘establish and maintain, to the satisfaction of the Secretary, a secure system in which [BOI] provided directly by the Secretary shall be stored’’; 57 (3) requesting agencies to ‘‘furnish a report to the Secretary, at such time and containing such information as the Secretary may prescribe, that describes the procedures established and utilized by such agency to ensure the confidentiality of [BOI] provided directly by the Secretary’’; 58 (4) certain requesting agencies to provide a written certification that the requirements for access to BOI have been met; 59 (5) requesting agencies to ‘‘limit, to the greatest extent practicable, the scope of information sought, consistent with the purposes for seeking [BOI];’’ 60 (6) requesting agencies to ‘‘establish and maintain, to the satisfaction of the Secretary, a permanent system of standardized records with respect to an auditable trail of each request for [BOI] submitted to the Secretary by the agency, including the reason for the request, the name of the individual who made the request, the date of the request, any disclosure of [BOI] made by or to the agency, and any other 
information the Secretary of the Treasury determines is appropriate’’; 61 and (7) requesting agencies to ‘‘conduct an annual audit to verify that the [BOI] received from the Secretary has been accessed and used appropriately, and in a manner consistent with this paragraph and provide the results of that audit to the Secretary upon request.’’ 62 The Secretary is likewise required to ‘‘conduct an annual audit of the adherence of the agencies to the protocols established under this paragraph to ensure that agencies are requesting and using beneficial ownership information appropriately.’’ 63

49 31 U.S.C. 5336(c)(2)(B)(i)(II).
50 See 31 U.S.C. 5336(c)(2)(B)(ii).
51 31 U.S.C. 5336(c)(2)(B)(iii).
52 31 U.S.C. 5336(c)(2)(B)(iv).
53 31 U.S.C. 5336(c)(5).
54 CTA, Section 6402(7)(B).
55 See generally 31 U.S.C. 5336(c)(3).
56 31 U.S.C. 5336(c)(3)(B).
57 31 U.S.C. 5336(c)(3)(C).
58 31 U.S.C. 5336(c)(3)(D).
59 31 U.S.C. 5336(c)(3)(E).
60 31 U.S.C. 5336(c)(3)(F).
61 31 U.S.C. 5336(c)(3)(H).
62 See 31 U.S.C. 5336(c)(3)(I).
63 See 31 U.S.C. 5336(c)(3)(J).

The CTA expressly restricts access to BOI to only those authorized users at a requesting agency: (1) who are directly engaged in an authorized investigation or activity; (2) whose duties or responsibilities require access to BOI; (3) who have undergone appropriate training or use staff to access the system who have undergone appropriate training; (4) who use appropriate identity verification to obtain access to the information; and (5) who are authorized by agreement with the Secretary to access BOI.64 The statute further provides the Secretary with discretionary authority to prescribe by regulation such other safeguards as she deems necessary and appropriate to protect BOI confidentiality.65 The Secretary has delegated the authority to prescribe appropriate protocols to protect the security and confidentiality of BOI pursuant to 31 U.S.C.
5336(c)(3) to FinCEN.66

B. Disclosure to Authorized Domestic Government Agency Users for Non-Supervisory Purposes

Under the first category of BOI recipients, FinCEN expects three types of domestic agency users to be able to access and query the beneficial ownership IT system directly: (1) Federal agencies engaged in national security, intelligence, and law enforcement activity; (2) Treasury officers and employees who require access to BOI to perform their official duties or for tax administration; and (3) State, local, and Tribal law enforcement agencies. This type of access would permit authorized individuals within an authorized recipient agency to log in, run queries using multiple search fields, and review one or more results returned immediately. These agencies often lack comprehensive information about a subject or other relevant individuals or entities when conducting investigations. The ability to query the database directly and iteratively is therefore necessary to enable them to use BOI effectively. Nevertheless, to protect against potential abuse, Federal-agency users engaged in national security, intelligence, or law enforcement activity would have to submit brief justifications to FinCEN for their searches, explaining how their searches further a particular qualifying activity, and these justifications would be subject to oversight and audit by FinCEN. FinCEN will develop guidance for agencies on submitting the required justifications. Consistent with the CTA’s restrictions, authorized users from State, local, and Tribal law enforcement agencies would be required to upload the document issued by a court of competent jurisdiction authorizing the agency to seek BOI from FinCEN.67 After FinCEN has reviewed the relevant authorization for sufficiency and approved the request, an agency could then conduct searches using multiple search fields consistent in scope with the court authorization and subject to audit by FinCEN. These searches would return results immediately.

64 31 U.S.C. 5336(c)(3)(G).
65 See 31 U.S.C. 5336(c)(3)(K).
66 Treasury Order 180–01 (Jan. 14, 2020).

Such broad search capabilities within the beneficial ownership IT system require domestic agencies to clearly understand the scope of their authorization and their responsibilities under it. That is why the proposed rule establishes protocols for requirements, limitations, and expectations with respect to searches by domestic agencies of the beneficial ownership IT system. As part of these protocols, each domestic agency would first need to enter into a memorandum of understanding (MOU) with FinCEN before being allowed access to the system. FinCEN is developing draft MOUs based on similar agreements it uses to share BSA data. FinCEN will also provide training for agency personnel and exercise oversight and audit functions discussed in more detail in Section IV below. None of the remaining authorized recipient categories will have access to the broad search capabilities within the system.

C. Disclosure to Authorized Foreign Requesters

Foreign requesters—foreign law enforcement agencies, judges, prosecutors, central authorities, or competent authorities (or a like designation)—will not have direct access to the beneficial ownership IT system. They will instead submit their requests for BOI to Federal intermediary agencies as the CTA requires.68 If the foreign request meets the applicable criteria of the CTA 69 and the proposed rule, then the Federal agency intermediary will retrieve the BOI from the system and transmit it to the foreign requester.

67 See 31 U.S.C. 5336(c)(2)(B)(i)(II).
68 31 U.S.C. 5336(c)(2)(B)(ii).
69 Section 6403 of the CTA requires that the foreign request be made by a Federal agency on behalf of a law enforcement agency, foreign central authority or competent authority (or like designation), under an international treaty, agreement, convention, or official request made by law enforcement, judicial, or prosecutorial authorities in trusted foreign countries when no treaty, agreement, or convention is available. The CTA goes on to state that the foreign request must (1) be issued in response to a request for assistance in an investigation or prosecution by such foreign country; and (2) either (a) require compliance with the disclosure and use provisions of the treaty, agreement, or convention publicly disclosing any BOI received; or (b) limit the use of the information for any purpose other than the authorized investigation or national security or intelligence activity. See 31 U.S.C. 5336(c)(2)(B)(ii).

FinCEN intends to work with Federal agencies to identify agencies that are well positioned to serve as intermediaries between FinCEN and foreign requesters. FinCEN expects that these possible intermediary Federal agencies will have regular engagement and familiarity with foreign law enforcement agencies, judges, prosecutors, central authorities, or competent authorities on matters related to law enforcement, national security, or intelligence activity, and will have established policies, procedures, and communication channels for sharing information with those foreign parties. Other factors would include whether a prospective intermediary Federal agency represents the U.S.
government in relevant international treaties, agreements, or conventions, the expected number of requests that the agency could receive, and the ability of the agency to efficiently process requests while managing risks of unauthorized disclosure. Once identified, FinCEN will then work with intermediary Federal agencies to: (1) ensure that they have secure systems for BOI storage; (2) enter into MOUs outlining expectations and responsibilities; (3) translate the CTA foreign sharing requirements into evaluation criteria against which intermediaries can compare requests from foreign requesters; (4) integrate the evaluation criteria into the intermediaries’ existing information-sharing policies and procedures; (5) develop additional security protocols and systems as required under the CTA and this rule; and (6) ensure that intermediary agency personnel have sufficient training on the requirements of the CTA and the proposed rule. FinCEN would exercise oversight and audit functions to ensure that Federal intermediary agencies adhere to requirements and take appropriate measures to mitigate the risk of foreign requesters abusing the information. Given its longstanding relationships and relevant experience as the financial intelligence unit of the United States, FinCEN proposes to directly receive, evaluate, and respond to requests for BOI from foreign financial intelligence units.

D. Disclosure to FIs and Regulatory Agencies for CDD Compliance

Unlike foreign requesters, both FIs and their regulators (Federal functional regulators and other appropriate regulatory agencies, when assessing FIs’ compliance with CDD requirements) would both have direct access to BOI contained in the beneficial ownership IT system, albeit in more limited form than Federal agencies engaged in national security, intelligence, or law enforcement activity, or State, local, and Tribal law enforcement agencies.
The CTA authorizes FinCEN to disclose a reporting company’s BOI to an FI only to the extent that such disclosure facilitates the FI’s compliance with CDD requirements under applicable law, and only if the reporting company first consents.70 FinCEN takes these constraints seriously given the sensitive nature of BOI and the potential number of FI employees who could have access to it. FinCEN is therefore not planning to permit FIs to run broad or open-ended queries in the beneficial ownership IT system or to receive multiple search results. Rather, FinCEN anticipates that a FI, with a reporting company’s consent, would submit to the system identifying information specific to that reporting company, and receive in return an electronic transcript with that entity’s BOI. To the extent the FI makes a trivial data-entry error in its request for BOI, the FI could still obtain the requested BOI, provided the errors do not compromise BOI security and confidentiality and result in the FI retrieving information on the wrong reporting company. This more limited information-retrieval process would reduce the overall risk of inappropriate use or unauthorized disclosures of BOI. The CTA permits similarly narrow access for Federal functional regulators and other appropriate regulatory agencies exercising supervisory functions. The statute allows these agencies to request from FinCEN BOI that the FIs they supervise have already obtained from the bureau, but only for assessing an FI’s compliance with CDD requirements under applicable law.71 Consequently, Federal functional regulators and other appropriate regulatory agencies will generally have limited access to the beneficial ownership IT system if requesting BOI for the purpose of ascertaining CDD compliance. 
FinCEN is still developing this access model and accompanying functionality, but expects regulators to be able to retrieve any BOI that the FIs they supervise received from FinCEN during a particular period, as opposed to data that might reflect subsequent updates. This would both satisfy CTA requirements and facilitate smoother examinations by ensuring regulators receive the same BOI that FIs received for purposes of their CDD reviews.

70 31 U.S.C. 5336(c)(2)(B)(iii).
71 See 31 U.S.C. 5336(c)(2)(C), providing that BOI FinCEN discloses to a financial institution ‘‘shall also be available to a Federal functional regulator or other appropriate regulatory agency, as determined by the Secretary . . . .’’

FinCEN expects that Federal functional regulators responsible for bringing civil enforcement actions will be able to avail themselves of the Federal law enforcement access provision and functionality described in Section III.B. above.72 State, local, and Tribal agencies with both a qualifying, CDD-focused regulatory function and a law enforcement function could similarly avail themselves of the access provisions applicable to those distinct BOI recipient categories. Each agency would be responsible for ensuring unauthorized disclosure does not occur between its various components. In addition, FinCEN is required under the CTA to perform annual audits to ensure agencies are requesting and using BOI appropriately and consistently with their internal protocols.73 As with other Federal agencies, MOUs will further specify the expectations with respect to the handling and sharing of BOI by components of the same agency that may access BOI under different circumstances. FIs, meanwhile, would have to agree to terms of use that would be a condition of access to the beneficial ownership IT system.
This distinction reflects the more limited, less flexible functionality FIs will enjoy relative to government agencies with multi-field search capabilities within the beneficial ownership IT system.

72 Federal functional regulators engaged in national security activity would similarly be able to make use of the search functionality associated with the ‘‘national security activity’’ access provision.
73 See 31 U.S.C. 5336(c)(3)(J).

IV. Section-by-Section Analysis

As described below in Section IV.A., this proposed rule would add new access-to-information rules in a new § 1010.955 (‘‘Availability of information reported pursuant to 31 CFR 1010.380’’) in subpart J (‘‘Miscellaneous’’) of part 1010 (‘‘General Provisions’’) of chapter X (‘‘Financial Crimes Enforcement Network’’) of title 31, Code of Federal Regulations. To avoid confusion, it would also rename and clarify the scope of the existing 31 CFR 1010.950 (‘‘Availability of information—general’’). The following sections describe the elements of the proposed rule: (i) availability of information—general; (ii) prohibition on disclosure; (iii) disclosure of information by FinCEN; (iv) use of information; (v) security and confidentiality requirements; (vi) administration of requests for information reported pursuant to 31 CFR 1010.380; and (vii) violations and penalties. Additionally, Section IV.B. below describes the FinCEN identifier provisions of the proposed rule.

A. Beneficial Ownership Information Retention and Disclosure Requirements

i. Availability of Information—General

FinCEN proposes to amend 31 CFR 1010.950(a) to clarify that the disclosure of BOI would be governed by proposed 31 CFR 1010.955, rather than 31 CFR 1010.950(a), which governs disclosure of other BSA information.
Currently 31 CFR 1010.950(a) authorizes the disclosure of all BSA information received by FinCEN and states that ‘‘[t]he Secretary may within his discretion disclose information reported under this chapter for any reason consistent with the purposes of the Bank Secrecy Act, including those set forth in paragraphs (b) through (d) of this section.’’ The CTA authorizes FinCEN to disclose such information only in limited and specified circumstances that are separate and distinct from provisions authorizing disclosure of other BSA information.74 Accordingly, FinCEN is proposing to amend 31 CFR 1010.950(a) to clarify that the disclosure of BOI would instead be governed by proposed 31 CFR 1010.955.

ii. Prohibition on Disclosure

The CTA provides that, except as authorized by 31 U.S.C. 5336(c) and the protocols promulgated under that subsection, BOI reported pursuant to 31 U.S.C. 5336 ‘‘shall be confidential and may not be disclosed by . . . (i) an officer or employee of the United States; (ii) an officer or employee of any State, local, or Tribal agency, or (iii) an officer or employee of any [FI] or regulatory agency receiving information under [31 U.S.C. 5336(c)].’’ 75

74 See 31 U.S.C. 5336(c)(2), (5).
75 See 31 U.S.C. 5336(c)(2)(A).

Proposed 31 CFR 1010.955(a) would incorporate this prohibition, with two clarifications. First, it would clarify that any individual authorized to receive BOI pursuant to proposed 31 CFR 1010.955(b) is prohibited from disclosing it except as expressly authorized by FinCEN. Critically, this provision would extend the prohibition on disclosure to any individual who receives BOI regardless of whether they continue to serve in the position through which they were authorized to receive BOI. Otherwise, the regulations could be read to permit disclosure of sensitive BOI after an individual leaves the relevant position. Second, it would
also extend the prohibition on disclosure to any individual who receives BOI as a contractor or agent of the United States; a contractor or agent of a State, local, or Tribal agency; or a member of the board of directors, contractor, or agent of an FI. FinCEN believes that this clarification is needed to ensure that agents acting on behalf of an authorized BOI recipient agency or other entity are subject to the same prohibition on the disclosure of BOI as officers and employees of an authorized BOI recipient agency or other entity. Such an approach is necessary to avoid the different treatment of employees and officers in relation to contractors and agents. Although the CTA does not expressly refer to agents, contractors, or directors, FinCEN would extend the prohibition on disclosure to such individuals pursuant to 31 U.S.C. 5336(c)(3)(K), which provides that ‘‘the Secretary of the Treasury shall establish by regulation protocols described in [31 U.S.C. 5336(2)(A)] that . . . provide such other safeguards which the Secretary determines (and which the Secretary prescribes in regulations) to be necessary or appropriate to protect the confidentiality of the beneficial ownership information.’’ 76 FinCEN also believes this approach is consistent with the CTA’s overall focus on preventing unauthorized disclosure 77 and the broad scope of the provisions penalizing unauthorized disclosure by ‘‘any person.’’ 78 FinCEN invites comments on this approach.

iii. Disclosure of Information to Authorized Recipients

The CTA authorizes FinCEN to disclose BOI to five categories of recipients in specified circumstances.79 The statutory authorization is generally permissive: with one exception, the CTA provides that FinCEN ‘‘may disclose’’ BOI to authorized recipients in qualifying circumstances.80 This language affords FinCEN discretion to ensure that BOI is disclosed only to authorized recipients that are able to keep the information confidential and secure. FinCEN intends to foster a culture of responsibility around BOI that treats security and confidentiality as a paramount objective.

76 Section 6003(1) of the AML Act defines the BSA as comprising Section 21 of the Federal Deposit Insurance Act (12 U.S.C. 1829b), Chapter 2 of Title I of Public Law 91–508 (12 U.S.C. 1951 et seq.), and Subchapter II of Chapter 53 of Title 31, United States Code, which includes 31 U.S.C. 5336. Congress has authorized the Secretary to administer the BSA. The Secretary has delegated to the Director of FinCEN the authority to implement, administer, and enforce compliance with the BSA and associated regulations (Treasury Order 180–01 (Jan. 14, 2020)).
77 See generally 31 U.S.C. 5336(c).
78 See generally 31 U.S.C. 5336(h)(2), (3).
79 See 31 U.S.C. 5336(c)(2)(B).
80 31 U.S.C. 5336(c)(2)(B). Under 5336(c)(2)(C), BOI that a reporting company consents to share with a financial institution ‘‘shall’’ be available to a Federal functional regulator to supervise compliance with customer due diligence requirements under applicable law.

a. Federal Agencies Engaged in National Security, Intelligence, or Law Enforcement Activity

Section 6403 of the CTA authorizes FinCEN to disclose BOI upon receipt of a request, through appropriate protocols, from a Federal agency engaged in national security, intelligence, or law enforcement activity for use in furtherance of one of those activities.81 Federal agency access is to be based upon the type of activity an agency is conducting rather than the identity of the agency or how it might be categorized. The key consideration is the scope of the types of activities described in the CTA for which the agency may seek BOI: national security activities, intelligence activities, and law enforcement activities. The CTA does not specify what agency activities fall within those three categories, and FinCEN proposes to do so consistent with the text, structure, and purpose of the CTA. Proposed 31 CFR 1010.955(b)(1)(i) would define ‘‘national security activity’’ as any ‘‘activity pertaining to the national defense or foreign relations of the United States, as well as activity to protect against threats to the security or economy of the United States.’’ This approach draws, in large part, from 8 U.S.C. 1189(d)(2), which defines ‘‘national security’’ for purposes of designating foreign terrorist organizations (FTOs) that threaten U.S. national security. FinCEN believes this definition is appropriate for several reasons. First, the FTO statute covers a broad range of national security threats to the United States, including those with an economic dimension. That scope is consonant with the CTA’s goal to combat national security threats that are financial in nature, such as money laundering, terrorist financing, counterfeiting, fraud, and foreign corruption.82 Second, the FTO statute arises in a related context insofar as it involves efforts to hinder illicit actors’ economic activities.

81 See 31 U.S.C. 5336(c)(2)(B)(i)(I).
82 See CTA, Section 6402(3).

Proposed 31 CFR 1010.955(b)(1)(ii) would define ‘‘intelligence activity’’ based upon Executive Order 12333 of
VerDate Sep<11>2014 22:00 Dec 15, 2022 Jkt 259001 December 4, 1981, as amended.83 Executive Order 12333 remains ‘‘a foundational document for the United States’ foreign intelligence efforts.’’ 84 It establishes ‘‘a framework that applies broadly to the government’s collection, analysis, and use of foreign intelligence and counterintelligence—from human sources, by interception of communications, by cameras and other sensors on satellites and aerial systems, and through relationships with intelligence services of other governments.’’ 85 FinCEN believes that relying on Executive Order 12333 would be consistent with existing agency understanding and would provide flexibility to accommodate Intelligence Community missions and activities.86 Proposed 31 CFR 1010.955(b)(1)(ii) would therefore define intelligence activity to include ‘‘all activities conducted by elements of the United States Intelligence Community that are authorized pursuant to Executive Order 12333, as amended, or any succeeding executive order.’’ Finally, proposed 31 CFR 1010.955(b)(1)(iii) would define ‘‘law enforcement activity’’ to include ‘‘investigative and enforcement activities relating to civil or criminal violations of law.’’ Proposed 31 CFR 1010.955(b)(1)(iii) is intended broadly to cover the types of functions in which Federal agencies engage when they work to enforce the laws of the United States. FinCEN believes that it is consistent with the CTA to authorize Federal agencies to access BOI at all stages of the law enforcement process. Additionally, the proposed rule would make clear that law enforcement activity can include both criminal and civil investigations and actions, such as actions to impose or enforce civil penalties, civil forfeiture actions, and civil enforcement through administrative proceedings. The CTA is concerned with combating all manner of illicit activity,87 and many laws that prohibit such activity are enforced by Federal agencies in both civil and criminal actions. 
The CTA does not limit ‘‘law enforcement activity’’ to criminal investigations or actions. Moreover, FinCEN’s clarification in the proposed rule would place Federal agencies on the same footing as State, local, and Tribal law enforcement agencies, for which the CTA authorizes use of BOI in a ‘‘criminal or civil investigation.’’ Nothing in the CTA suggests that Federal agencies should have more limited access to BOI than their State, local, and Tribal counterparts engaged in civil investigations, and FinCEN does not believe it would be appropriate to limit Federal agencies’ access in this manner.
83 Exec. Order No. 12333, 46 FR 59941 (Dec. 4, 1981) (‘‘United States Intelligence Activities’’).
84 5 Privacy and Civil Liberties Oversight Board, Executive Order 12333 (accessed Apr. 28, 2022), https://documents.pclob.gov/prod/Documents/OversightReport/4f1d0d87-233b-4555-9b8779089ad9845e/12333%20Public%20Capstone.pdf.
85 Id.
86 By ‘‘Intelligence Community,’’ FinCEN means the agencies identified in paragraph 3.4(f) of Executive Order 12333.
87 See CTA, Section 6402(3).
The proposed rule would also facilitate law enforcement cooperation by providing access to BOI in both civil and criminal investigations, as both types of investigations often proceed in parallel.88 Among the Federal agencies with access to BOI for law enforcement purposes would be Federal functional regulators that investigate civil violations of law.89 Although the CTA separately authorizes Federal functional regulators to access BOI for the purpose of supervising compliance with CDD requirements, this access does not preclude Federal functional regulators from accessing BOI when engaging in law enforcement activity.90 The CTA specifically references ‘‘securities fraud, financial fraud, and acts of foreign corruption’’ as types of illicit activity that the statute is intended to help combat.91 These are areas in which a significant amount of law enforcement activity is conducted by Federal functional regulators such as the Securities and Exchange Commission (SEC), which brings hundreds of civil enforcement actions, including administrative proceedings, each year against individuals and entities engaged in market manipulation, Ponzi schemes, offering fraud, insider trading, and other violations of the Federal securities laws.92 Under the proposed rule, the SEC and other Federal functional regulators would be able to obtain BOI directly from the beneficial ownership IT system for use in furtherance of this critical law enforcement activity. The proposed rule would also place the SEC and other Federal functional regulators on equal footing with other Federal agencies that lack a regulatory or supervisory function, but that are engaged in civil and criminal law enforcement activity, like the U.S. Department of Justice (DOJ).
For all three types of activities—national security, intelligence, and law enforcement—FinCEN considered proposing more restrictive definitions involving exhaustive lists of activities. The bureau believes these approaches would risk being either under- or overinclusive and could arbitrarily limit access to BOI for activities that the regulations may fail to specify. The CTA, among other things, was enacted to ‘‘protect vital United States national security interests,’’ ‘‘protect interstate and foreign commerce,’’ and ‘‘better enable critical national security, intelligence, and law enforcement efforts to counter . . . illicit activity.’’ 93 The statute targets a wide array of illicit actors who use opaque corporate structures to conceal their illicit activities. FinCEN believes the risk of unintentionally hindering a Federal agency’s important national security, intelligence, or law enforcement activities supports the flexible approach the bureau has proposed. This approach will also have more flexibility to develop alongside the evolving threats facing the United States. FinCEN invites comments on its proposed definitions of national security, intelligence, and law enforcement activities.
88 See 31 U.S.C. 5336(c)(2)(B)(i)(II).
89 See 31 U.S.C. 5336(c)(2)(B)(i)(II).
90 The two provisions contemplate different processes depending on the purpose for which access is sought. Under Section 5336(c)(2)(B)(i)(I), FinCEN ‘‘may’’ disclose BOI upon request from a Federal agency engaged in law enforcement activity. In contrast, under 5336(c)(2)(C), BOI that a reporting company consents to share with a financial institution ‘‘shall’’ be available to a Federal functional regulator to supervise compliance with customer due diligence requirements pursuant to an agreement with the regulator.
91 CTA, Section 6402(3).
92 See, e.g., https://www.sec.gov/news/pressrelease/2021-238.
93 CTA, Section 6402(5)(B), (D).
b. State, Local, and Tribal Law Enforcement Agencies
The CTA permits FinCEN to disclose BOI upon receipt of a request, through appropriate protocols, ‘‘from a State, local, or Tribal law enforcement agency, if a court of competent jurisdiction, including any officer of such a court, has authorized the law enforcement agency to seek the information in a criminal or civil investigation.’’ 94 Proposed 31 CFR 1010.955(b)(2) similarly would allow FinCEN to disclose BOI to a State,95 local, or Tribal law enforcement agency ‘‘if a court of competent jurisdiction has authorized the agency to seek the information in a criminal or civil investigation.’’ FinCEN recognizes that State practices are likely to be varied with respect to how law enforcement agencies may be authorized by a court to seek information in connection with an investigation or prosecution.96 FinCEN has not sought to define what it means for a court to ‘‘authorize’’ the law enforcement agency to seek BOI, but aims to ensure that BOI access at the State, local, and Tribal level is highly useful to law enforcement and has consistent application across jurisdictions.
94 31 U.S.C. 5336(c)(2)(B)(i)(II).
95 FinCEN will interpret the term ‘‘State’’ consistent with the definition of that term in the final Beneficial Ownership Information Reporting Requirements rule at 87 FR 59498 (Sep. 30, 2022) (which defines the term ‘‘State’’ to mean ‘‘any [S]tate of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, American Samoa, Guam, the United States Virgin Islands, and any other commonwealth, territory, or possession of the United States.’’)
At a minimum, the proposed rule would allow a State, local, or Tribal law enforcement agency (including a prosecutor) to access BOI where a court specifically authorizes access in the context of a criminal or civil proceeding, for example, through a court’s issuance of an order or approval of a subpoena. Other circumstances, however, are less clear. For example, depending on State, local, or Tribal practices, grand jury subpoenas may or may not satisfy the CTA’s court authorization requirement. Grand juries have traditionally played a central role in criminal discovery and may help determine whether sufficient evidence exists to indict an individual.97 The State and local law enforcement agencies, prosecutors, and court officials with whom FinCEN consulted emphasized the importance of ensuring that BOI could be obtained in connection with grand jury investigations. FinCEN agrees that providing BOI at the investigative stage may further the CTA’s statutory objectives by helping State, local, and Tribal authorities uncover links between criminals and entities they may be using to conceal illicit activities.98
Ultimately, however, FinCEN determined that it needs more information about State, local, and Tribal practices in order to determine whether they would involve court authorization, as required by the CTA. State practices can vary, and grand jury subpoenas may be issued by the grand jury in some jurisdictions or signed by a prosecutor seeking information to present to a grand jury in others. Neither courts nor grand juries always play a meaningful role in authorizing subpoenas,99 and a majority of states no longer use grand juries to screen criminal cases.100 FinCEN requests comments on this subject. In particular, commenters should explain the mechanisms State, local, and Tribal authorities use to gather evidence in criminal and civil cases. With respect to these particular mechanisms, commenters should describe the extent to which court authorization is involved.
96 31 U.S.C. 5336(c)(2)(B)(i)(II) authorizes FinCEN to disclose BOI to a State, local, or Tribal law enforcement agency in the context of ‘‘a criminal or civil investigation.’’ FinCEN believes this provision permits the agency to disclose BOI to a State, local, or Tribal law enforcement agency, with the required court authorization, for use in a civil or criminal law enforcement action that follows the investigation. FinCEN believes this is a reasonable interpretation of the statutory language given that disclosure provisions for Federal agencies engaged in law enforcement, and foreign requests pertaining to an ‘‘investigation or prosecution,’’ under the CTA would cover the disclosure to those recipients in the context of a prosecution. See 31 U.S.C. 5336(c)(2)(B)(i)(I), (c)(2)(B)(ii)(I). FinCEN does not believe Congress intended to allow Federal and foreign law enforcement agencies to obtain BOI for use in prosecutions while prohibiting State, local, and Tribal law enforcement agencies from doing so. A more restrictive interpretation would severely limit the utility of BOI for State, local, and Tribal law enforcement agencies and run counter to the purposes of the CTA. See CTA, Section 6402(8)(C) (directing FinCEN to create a database of BOI that is ‘‘highly useful to national security, intelligence, and law enforcement agencies . . . ’’).
97 See generally Sara Sun Beale et al., Investigative Grand Jury and Indicting Grand Jury, Grand Jury Law and Practice § 1:7 (2d ed. rev. Dec. 2021).
More generally, commenters should also explain what role courts or court officers play in authorizing evidence-gathering activities, what existing practices involve court authorization, and the extent to which new court processes could be developed and integrated into existing practices to satisfy the CTA’s authorization requirement. Commenters should also address the need for access to BOI at different stages of an investigation, as well as the privacy interests that may be implicated by such access.
Proposed 31 CFR 1010.955(b)(2) would clarify that the authorized recipient of BOI under this provision would be the State, local, or Tribal agency that makes a proper request for BOI consistent with the proposed rule. The proposed rule would also define ‘‘law enforcement agency’’ in a manner similar to the definition of ‘‘law enforcement activity’’ used to define the scope of access for Federal agencies engaged in law enforcement activity. This approach is intended to ensure consistency regardless of whether law enforcement activity occurs at the local, State, Tribal, or Federal level, including in circumstances involving cooperation among and across jurisdictions, such as through task forces.
Proposed 31 CFR 1010.955(b)(2) would clarify that ‘‘a court of competent jurisdiction’’ is any court with jurisdiction over the criminal or civil investigation for which a State, local, or Tribal law enforcement agency requests BOI.
98 See CTA, Section 6402(3), (4), (5)(D).
99 See Sara Sun Beale et al., Role of Prosecutor and Grand Jurors in Subpoenaing Evidence, Grand Jury Law and Practice § 6:2 (2d ed. rev. Dec. 2021). For example, Massachusetts permits district attorneys to ‘‘issue subpoenas under their hands for witnesses to appear and testify on behalf of the commonwealth.’’ Mass. Gen. Laws Ann. ch. 277, § 68.
100 See id.
The proposed rule does not specify which officials qualify as officers of the court because courts have varying practices. FinCEN expects, however, that individuals who may exercise a court’s authority and issue authorizations on its behalf would qualify. FinCEN invites comment on whether it should more specifically identify officers of the court for purposes of the rule, and if so, what the potential qualifying criteria might be. FinCEN does not believe that individual attorneys acting alone would fall within the definition of ‘‘court officer’’ for purposes of this provision. Though lawyers are sometimes referred to as ‘‘officers of the court’’ to emphasize their professional obligations to the legal system, they are not all ‘‘officers of the court’’ in the sense of exercising the court’s authority. FinCEN does not believe the CTA—which includes numerous provisions limiting who may access BOI—intended to empower any individual admitted to practice law to authorize the disclosure of BOI.
c. Foreign Requesters
The CTA provides that FinCEN may disclose BOI upon receipt of a request ‘‘from a Federal agency on behalf of a law enforcement agency, prosecutor, or judge of another country, including a foreign central authority or competent authority (or like designation), under an international treaty, agreement, convention, or official request made by law enforcement, judicial, or prosecutorial authorities in trusted foreign countries when no treaty, agreement, or convention is available.’’ 101 Such a request from a Federal agency must be ‘‘issued in response to a request for assistance in an investigation or prosecution by such foreign country,’’ 102 and must ‘‘require[e] compliance with the disclosure and use provisions of the treaty, agreement, or convention, publicly disclosing [sic] any beneficial ownership information received,’’ 103 or limit BOI use ‘‘for any purpose other than the authorized investigation or national security or intelligence activity.’’ 104
101 31 U.S.C. 5336(c)(2)(B)(ii).
102 31 U.S.C. 5336(c)(2)(B)(ii)(I).
103 31 U.S.C. 5336(c)(2)(B)(ii)(II)(aa).
104 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
Proposed 31 CFR 1010.955(b)(3) clarifies that a request for BOI from a foreign requester would have to derive from a law enforcement investigation or prosecution, or from national security or intelligence activity, authorized under the foreign country’s laws. This would permit foreign requesters to obtain BOI for, and use it in, the full range of activities contemplated by 31 U.S.C. 5336(c)(2)(B)(ii) (i.e., law enforcement, national security, and intelligence activities), thereby giving effect to all of the language in that subparagraph. The proposed rule also resolves ambiguities arising from inconsistent statutory language. Specifically, one part of the CTA’s foreign-access provision appears to require a request to flow from a foreign ‘‘investigation or prosecution,’’ 105 while another appears to allow a foreign requester to use BOI to further any ‘‘authorized investigation or national security or intelligence activity.’’ 106 FinCEN believes the proposed rule best resolves this discrepancy by clarifying that authorized national security and intelligence activities could be a basis for a BOI request, in addition to a law enforcement investigation or prosecution. FinCEN would view the scope of the phrase ‘‘law enforcement investigation or prosecution’’ similarly to how it interprets the term ‘‘law enforcement activity’’ under proposed 31 CFR 1010.955(b)(3): such activity can include both criminal and civil investigations and actions, including actions to impose civil penalties, civil forfeiture actions, and civil enforcement through administrative proceedings.
The proposed rule next makes clear that the relevant ‘‘foreign central authority or foreign competent authority’’ would be the agency identified in the international treaty, agreement, or convention under which a foreign request is made. FinCEN understands that ‘‘foreign central authority’’ and ‘‘foreign competent authority’’ are terms of art typically defined within the context of a particular agreement. This proposed regulatory clarification should therefore remove any ambiguity around the terms without unduly excluding appropriate foreign requesters from access to BOI.
Third, the proposed rule explains that, consistent with the CTA, foreign requests would need to fall into one of two categories in order for the foreign requester to receive BOI. The first category is requests made pursuant to an international treaty, agreement, or convention. The second category is official requests by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country where there is no international treaty, agreement, or convention that governs.107 The security and confidentiality requirements applicable to each of these two categories are different.
105 31 U.S.C. 5336(c)(2)(B)(ii)(I).
106 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
Under the proposed rule, an intermediary Federal agency responding to a foreign request under an international treaty, agreement, or convention would first need to ensure that the request is consistent with the requirements of the relevant treaty, agreement, or convention, and the requirements of proposed 31 CFR 1010.955(b)(3). FinCEN understands that an ‘‘international treaty, agreement, or convention’’ is a legally binding agreement governed by international law. FinCEN would appreciate views on whether there are other types of international arrangements under which the sharing of beneficial ownership information would be important to achieve the goals of the CTA (such as information sharing arrangements with foreign law enforcement agencies that do not have legal force) and whether there are means to do so consistent with the CTA. The intermediary Federal agency would provide basic information to FinCEN about who is requesting the information and the treaty, agreement, or convention under which the request is being made. The intermediary Federal agency would then search for and retrieve the requested BOI from the system and respond to the request in a manner consistent with the treaty, agreement, or convention. The intermediary Federal agency would be subject to certain recordkeeping requirements to ensure that FinCEN is able to perform appropriate audit and oversight functions in accordance with an MOU to be agreed between the intermediary Federal agency and FinCEN.
The intermediary Federal agency would also be subject to the security and confidentiality protocols applicable to other domestic agencies that receive and handle BOI at proposed 31 CFR 1010.955(d)(1). Where a request for BOI includes a request that the information be authenticated for use in a legal proceeding in the foreign country making the request, FinCEN may establish a process for providing such authentication via MOU with the relevant intermediary Federal agency. Such process may include an arrangement where FinCEN searches the beneficial ownership IT system and provides the information and related authentication to the intermediary Federal agency consistent with the terms of the relevant MOU.
With respect to an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country where no international treaty, agreement, or convention applies, FinCEN would establish a mechanism to address such requests either on a case-by-case basis or pursuant to alternative arrangements with intermediary Federal agencies where those intermediary Federal agencies have ongoing relationships with the foreign requester. The CTA does not provide criteria for determining whether a particular foreign country is ‘‘trusted,’’ but rather, provides FinCEN with considerable discretion to make this determination. FinCEN considered identifying particular countries or groups of countries as ‘‘trusted’’ for the purposes of receiving BOI.
107 The regulatory text here uses ‘‘judicial or prosecutorial authority’’ instead of the earlier ‘‘judge or prosecutor’’ to mirror an identical language shift in the corresponding statutory provision. See 31 U.S.C. 5336(c)(2)(B)(ii). FinCEN does not view this difference as significant or having practical effect.
Ultimately, however, FinCEN determined that such a restrictive approach could arbitrarily exclude foreign requesters with whom sharing BOI might be appropriate in some cases but not others. The United States participates in many formal and informal international relationships through which data are sometimes shared. FinCEN does not believe any of these relationships, or any combination of them, sets appropriate potential boundaries for BOI disclosure given the purposes of the CTA. The bureau, in consultation with relevant U.S. government agencies, will therefore look to U.S. interests and priorities in determining whether to disclose BOI to foreign requesters when no international treaty, agreement, or convention applies. In making these determinations, FinCEN will also consider the ability of a foreign requester to maintain the security and confidentiality of requested BOI. Once FinCEN makes the determination to disclose BOI to a foreign requester, the intermediary Federal agency would be permitted to retrieve and disseminate BOI to the foreign requester, subject to applicable security and confidentiality protocols.
FinCEN considered an alternative structure under which intermediary Federal agencies would relay foreign requester requests under an international treaty, agreement, or convention to FinCEN, which would then assess the requests, retrieve requested BOI, and transmit it either directly to the requester or indirectly via the intermediary Federal agency for subsequent dissemination to the requester. While neither of these approaches presents the security risks associated with the other two potential approaches FinCEN rejected, both are likely to be much less efficient. For example, intermediary Federal agencies are likely to have ongoing relationships with foreign requesters, including established points of contact.
They are also likely more familiar than FinCEN with existing treaty obligations and information exchange channels and processes. Finally, FinCEN believes its proposed approach aligns best with the text of the CTA, which assumes Federal agencies will serve as the intermediary on behalf of foreign requesters.108 FinCEN invites comment on this proposal and on any other alternatives.
108 See 31 U.S.C. 5336(c)(2)(B)(ii) (providing that ‘‘FinCEN may disclose [BOI] only upon receipt of . . . a request from a Federal agency on behalf of’’ a qualified foreign requester (emphasis added)).
d. FIs Subject to CDD Requirements
The CTA authorizes FinCEN to disclose BOI upon receipt of a request ‘‘made by a[n] [FI] subject to customer due diligence requirements, with the consent of the reporting company, to facilitate the compliance of the [FI] with customer due diligence requirements under applicable law.’’ 109 This statutory language leaves unspecified both the mechanism by which consent should be registered and the meaning of the term ‘‘customer due diligence requirements under applicable law.’’
Proposed 31 CFR 1010.955(b)(4) would address both issues. Under the proposed rule, an FI would be responsible for obtaining a reporting company’s consent. This reflects FinCEN’s assessment that FIs are best positioned to obtain and manage consent through existing processes and by virtue of having direct contact with the reporting company as a customer. Additionally, the proposed rule would define ‘‘customer due diligence requirements under applicable law’’ to mean FinCEN’s customer due diligence (CDD) regulations at 31 CFR 1010.230, which require covered FIs to identify and verify beneficial owners of legal entity customers. FinCEN considered interpreting the phrase ‘‘customer due diligence requirements under applicable law’’ more broadly to cover a range of activities beyond compliance with legal obligations in FinCEN’s regulations to identify and verify beneficial owners of legal entity customers. FinCEN’s separate Customer Identification Program regulations, for example, could be considered customer due diligence requirements.110 FinCEN decided not to propose this broader approach, however. The bureau believes a more tailored approach will be easier to administer, reduce uncertainty about what FIs may access BOI under this provision, and better protect the security and confidentiality of sensitive BOI by limiting the circumstances under which FIs may access BOI.111 That said, FinCEN solicits comments on whether a broader reading of the phrase ‘‘customer due diligence requirements’’ is warranted under the framework of the CTA, and, if so, how customer due diligence requirements should be defined in order to provide regulatory clarity, protect the security and confidentiality of BOI, and minimize the risk of abuse.
FinCEN also considered including State, local, and Tribal customer due diligence requirements comparable in substance to FinCEN’s own CDD regulations in the proposed definition of ‘‘customer due diligence requirements under applicable law.’’ However, the bureau has not identified any such requirements. FinCEN invites comments identifying any specific State, local, or Tribal customer due diligence requirements that are substantially similar to the bureau’s CDD regulations—i.e., requirements related to FIs in a State, local, or Tribal jurisdiction identifying and verifying beneficial owners of legal entity customers—for potential inclusion in the proposed definition.
109 See 31 U.S.C. 5336(c)(2)(B)(iii).
110 See, e.g., 31 CFR 1020.220 (requiring banks to implement a Customer Identification Program).
111 The CTA requires FinCEN to revise the 2016 CDD Rule within a year of the effective date of the final Reporting Rule. See CTA, Section 6403(d)(1). One purpose of this revision is to account for FIs’ access to BOI, which the Sense of Congress portion of the CTA states may be used to facilitate the FI’s ‘‘compliance with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.’’ Id. 6403(d)(1)(B) (emphasis added). That the CTA identifies ‘‘[CDD] requirements under applicable law’’ as distinct from broader AML/CFT requirements suggests that Congress intended that phrase not to include other AML/CFT obligations.
e. Federal Functional Regulators or Other Appropriate Regulatory Agencies
The CTA authorizes FinCEN to disclose BOI to ‘‘Federal functional regulator[s] and other appropriate regulatory agenc[ies] consistent with’’ certain requirements.112 This access is subject to three statutory conditions. First, a ‘‘Federal functional regulator or other appropriate regulatory agency’’ must be ‘‘authorized by law to assess, supervise, enforce, or otherwise determine the compliance of [a particular FI] with’’ its CDD requirements.113 Second, such regulator may use the BOI only ‘‘for the purpose of conducting [an] assessment, supervision, or authorized investigation or activity’’ related to the CDD requirements the regulator is responsible for overseeing.114 Finally, the regulator must ‘‘[enter] into an agreement with the Secretary providing for appropriate protocols governing the safekeeping of the information.’’ 115 FinCEN’s proposed rule at 31 CFR 1010.955(b)(4) tracks these conditions.
112 See 31 U.S.C. 5336(c)(2)(B)(iv).
In order to obtain BOI from FinCEN, a regulator would need to be authorized by law to assess, supervise, enforce, or otherwise determine an FI’s compliance with its CDD requirements, and it would have to enter into an agreement with FinCEN that describes appropriate protocols to obtain BOI. FinCEN would only disclose to the regulator the BOI that a relevant FI has already received. This is in keeping with the CTA requirement that BOI disclosed to an FI under 31 U.S.C. 5336(c)(2)(B)(iii) ‘‘also be available to [regulators]’’ that meet specified criteria.116
FinCEN does not believe this CDD-specific provision is the exclusive means through which a financial regulator can access BOI from the beneficial ownership IT system. The access provisions for Federal agencies engaged in national security, intelligence, or law enforcement activities, and for State, local, and Tribal law enforcement agencies, focus on activity categories, not agency types. To the extent a Federal functional regulator engages in civil law enforcement activities, those activities would be covered by the law-enforcement access provisions. For example, the SEC—which supervises broker-dealers and other securities market participants, including for compliance with the CDD regulations—also investigates and litigates civil violations of Federal securities laws. Consequently, consistent with the CTA, the SEC would be able to broadly search the beneficial ownership IT system for BOI for use in furtherance of its law enforcement activity. Separately, the SEC would also be able to receive BOI subject to the constraints at proposed 31 CFR 1010.955(b)(4) for use in supervising broker-dealers and other regulated entities for CDD compliance.
113 31 U.S.C. 5336(c)(2)(C)(i).
114 31 U.S.C. 5336(c)(2)(C)(ii).
115 31 U.S.C. 5336(c)(2)(C)(iii).
116 31 U.S.C. 5336(c)(2)(C) (emphasis added).
Regarding who qualifies for access under this proposed provision, the CTA refers to Federal functional regulators and ‘‘other appropriate regulatory agencies.’’ The AML Act defines ‘‘Federal functional regulator’’ to include six financial regulatory authorities 117 as well as ‘‘any Federal regulator that examines a financial institution for compliance with the Bank Secrecy Act.’’ 118 The proposed rule would adopt FinCEN’s existing regulatory definition, which the bureau believes will minimize the risk of confusion. FinCEN’s regulations already define the term ‘‘Federal functional regulator’’ to include the six agencies identified in the AML Act’s definition as well as the Commodity Futures Trading Commission (CFTC).119 Because the CFTC has been delegated authority to examine certain FIs for compliance with the BSA,120 it also falls within the AML Act’s definition.
FinCEN does not propose to define ‘‘other appropriate regulatory agencies’’ at this time. FinCEN believes the requirement in 31 U.S.C. 5336(c)(2)(C)(i) that such an agency be ‘‘authorized by law to assess, supervise, enforce, or otherwise determine the compliance of such FIs with customer due diligence requirements under applicable law’’ sufficiently defines the category (e.g., it could include State banking regulators). However, FinCEN invites comment on this proposed approach.
FinCEN considered whether financial self-regulatory organizations that are registered with or designated by a Federal functional regulator pursuant to Federal statute 121 (‘‘qualifying SROs’’)—like the Financial Industry Regulatory Authority (FINRA) or the National Futures Association (NFA)—qualify as ‘‘other appropriate regulatory agencies.’’ These organizations, though authorized by Federal law, are not traditionally understood to be agencies of the government,122 but they do exercise self-regulatory authority within the framework of Federal law and work under the supervision of Federal functional regulators to assess, supervise, and enforce FI compliance with, among other things, CDD requirements.123 Qualifying SROs are subject to extensive oversight by Federal agencies.124 Although it may be unclear whether SROs are ‘‘regulatory agencies’’ to which direct access to BOI shall be provided, FinCEN believes that their unique position,125 and the critical role they play in overseeing participants in the financial services sector, justify providing SROs with a limited and derivative form of access.
117 The six Federal functional regulators that supervise financial institutions with CDD obligations are the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the SEC, and the Commodity Futures Trading Commission (CFTC).
118 AML Act, Section 6003(3).
119 31 CFR 1010.100(r).
120 See 31 CFR 1010.810(b)(9).
121 See, e.g., 7 U.S.C. 21; 15 U.S.C. 78o–3.
122 See, e.g., In re William H. Murphy & Co., SEC Release No. 34–90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that FINRA ‘‘is not a part of the government or otherwise a [S]tate actor’’ to which constitutional requirements apply).
The CTA provides FinCEN broad discretion to specify the conditions under which authorized recipients of BOI may redisclose that information to others. Therefore, the proposed rule would permit FIs to re-disclose to qualifying SROs the BOI they have obtained from FinCEN for use in complying with CDD requirements under applicable law. A qualifying SRO would need to satisfy the same three conditions applicable to Federal functional regulators and other appropriate regulatory agencies, and a qualifying SRO that receives BOI from an FI it supervises may in turn use the information for the limited purpose of examining compliance with those same CDD obligations. Without this level of access, these organizations would not be able to effectively evaluate an FI’s CDD compliance. FinCEN invites comments on this proposed approach.
123 See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2–9(c)(5).
124 See, e.g., Scottsdale Cap. Advisors Corp. v. FINRA, 844 F.3d 414, 418 (4th Cir. 2016) (‘‘Before any FINRA rule goes into effect, the SEC must approve the rule and specifically determine that it is consistent with the purposes of the Exchange Act. The SEC may also amend any existing rule to ensure it comports with the purposes and requirements of the Exchange Act.’’ (citations omitted)); Birkelbach v. SEC, 751 F.3d 472, 475 (7th Cir. 2014) (‘‘A [FINRA] member can appeal the disposition of a FINRA disciplinary proceeding to the SEC, which performs a de novo review of the record and issues a decision of its own.’’).
125 See NASD v. SEC, 431 F.3d 803, 804 (D.C. Cir. 2005) (explaining that FINRA’s predecessor’s ‘‘authority to discipline its members for violations of Federal securities law is entirely derivative. The authority it exercises ultimately belongs to the SEC’’); see also Turbeville v. FINRA, 874 F.3d 1268, 1276 (11th Cir. 2017) (‘‘When exercising [their regulatory and enforcement] functions, SROs act under color of [F]ederal law as deputies of the [F]ederal [G]overnment.’’); In re Series 7 Broker Qualification Exam Scoring Litig., 548 F.3d 110, 114 (D.C. Cir. 2008) (‘‘When an SRO acts under the aegis of the Exchange Act’s delegated authority, it is absolutely immune from suit for the improper performance of regulatory, adjudicatory, or prosecutorial duties delegated by the SEC.’’).
f. Department of the Treasury Access
The CTA includes separate, Treasury-specific provisions for accessing BOI. One of those provisions makes BOI ‘‘accessible for inspection or disclosure to officers and employees of the Department of the Treasury whose official duties require such inspection or disclosure subject to procedures and safeguards prescribed by the Secretary of the Treasury.’’ 126 The other grants officers and employees of Treasury ‘‘access to [BOI] for tax administration purposes.’’ 127 Proposed 31 CFR 1010.955(b)(5) tracks these authorizations and would provide that Treasury officers and employees may receive BOI where their official duties require such access, or for tax administration, consistent with procedures and safeguards established by the Secretary. The proposed rule clarifies the term ‘‘tax administration purposes’’ by adding a reference to the definition of ‘‘tax administration’’ in the Internal Revenue Code.128 FinCEN believes adopting this definition is appropriate because Treasury officers and employees who administer tax laws are already familiar with it and have a clear understanding of the activity it covers. Furthermore, FinCEN believes the definition is broad enough to avoid inadvertently excluding a tax administration-related activity that would be undermined by lack of access to BOI.
FinCEN welcomes comments on the proposed scope of the term ‘‘tax administration.’’
FinCEN envisions Treasury components using BOI for appropriate purposes, such as tax administration, enforcement actions, intelligence and analytical purposes, use in sanctions designation investigations, and identifying property blocked pursuant to sanctions, as well as for administration of the BOI framework, such as for audits, enforcement, and oversight. FinCEN will work with other Treasury components to establish internal policies and procedures governing Treasury officer and employee access to BOI. These policies and procedures will ensure that FinCEN discloses BOI only to Treasury officers or employees with official duties requiring BOI access, or for tax administration. FinCEN anticipates that the security and confidentiality protocols in those policies and procedures will include elements of the protocols described in proposed 31 CFR 1010.955(d)(1) as applicable to Treasury activities and organization. Officers and employees identified as having duties potentially requiring access to BOI would receive training on, among other topics, determining when their duties require access to BOI, what they can do with the information, and how to handle and safeguard it. Their activities would also be subject to the same audit.
126 31 U.S.C. 5336(c)(5)(A).
127 See 31 U.S.C. 5336(c)(5)(B).
128 26 U.S.C. 6103(b)(4).
iv. Use of Information
a. Use of Information by Authorized Recipients
The CTA includes numerous provisions limiting how BOI may be used.
Federal agencies engaged in national security, intelligence, or law enforcement activity may use BOI only ‘‘in furtherance of such activity’’ 129 and must provide written certifications to FinCEN that ‘‘at a minimum, se[t] forth the specific reason or reasons why [BOI] is relevant to’’ an authorized activity.130 State, local, and Tribal law enforcement agencies must obtain authorization from a court of competent jurisdiction to obtain BOI in criminal or civil investigations.131 Federal agencies requesting BOI on behalf of foreign law enforcement agencies, judges, or prosecutors may do so only pursuant to an international treaty, agreement, or convention or pursuant to an official request from a trusted foreign country for assistance in an official investigation, prosecution, or authorized national security or intelligence activity.132 FIs must have a reporting company’s consent to request its BOI from FinCEN as part of CDD compliance activities,133 and a financial regulator assessing an FI’s compliance with CDD requirements may request and receive only the BOI that the FI previously requested when conducting such an assessment.134 Each of these requirements reflects a general expectation that authorized recipients not obtain BOI for one authorized activity and then use it for another unrelated purpose. The statute also requires authorized recipients of BOI to narrowly tailor their requests as much as possible. For example, the CTA instructs the Secretary to require requesting agencies ‘‘to limit, to the greatest extent practicable, the scope of information sought, consistent with the purposes for seeking BOI.’’ 135 Proposed 31 CFR 1010.955(c)(1) would implement these provisions by clarifying that, unless otherwise authorized by FinCEN, any person who receives information disclosed by FinCEN under proposed 31 CFR 1010.955(b) would be authorized to use it only for the particular purpose or activity for which it was disclosed. 
Thus, for example, a Federal agency employee, contractor, or agent who obtains BOI from FinCEN for use in furtherance of national security activity would be authorized to use the BOI only for the particular national security activity for which the request was made. FinCEN believes this limitation is necessary to ensure that BOI is used only for proper purposes and only to the extent necessary. Proposed 31 CFR 1010.955(c)(1) further clarifies that a Federal agency receiving BOI pursuant to the foreign access provision at proposed 31 CFR 1010.955(b)(3), i.e., an intermediate Federal agency, can use the BOI only to facilitate a response to the relevant foreign requester. This limitation ensures that Federal intermediary agencies handling BOI in this context would do so only for the permissible use of transmitting it to a foreign requester. Authorized recipients that fail to follow applicable use limitations would risk losing the ability to receive BOI.
129 31 U.S.C. 5336(c)(2)(B)(i)(I).
130 31 U.S.C. 5336(c)(3)(E)(ii).
131 See 31 U.S.C. 5336(c)(2)(B)(i)(II).
132 See 31 U.S.C. 5336(c)(2)(B)(ii).
133 See 31 U.S.C. 5336(c)(2)(B)(iii).
134 See 31 U.S.C. 5336(c)(2)(B)(iv) and 31 U.S.C. 5336(c)(2)(C).
135 31 U.S.C. 5336(c)(3)(F).
b. Limitations on Re-Disclosure of Information by Authorized Recipients
Although the CTA expressly limits the circumstances under which FinCEN may initially disclose BOI to other agencies or FIs, the CTA does not specify the circumstances under which an authorized recipient of BOI may redisclose the BOI to another person or organization.
The CTA instead prohibits re-disclosure except as authorized in the protocols promulgated by regulation, thereby leaving it to FinCEN to establish the appropriate re-disclosure rules in the protocols.136 The proposed rule would permit the disclosure by authorized recipients of BOI in limited circumstances that would further the core underlying national security, intelligence, and law enforcement objectives of the CTA while at the same time ensuring that BOI is disclosed only where appropriate for those purposes. Generally, authorized re-disclosures would be subject to protocols designed, as with those applicable to initial disclosures of BOI from the beneficial ownership IT system, to protect the security and confidentiality of BOI.
136 31 U.S.C. 5336(c)(2)(A). The CTA appears to presume that some re-disclosure will be permitted when it requires requesting agencies to keep records related to their requests, including of ‘‘any disclosure of beneficial information made by . . . the agency.’’ 31 U.S.C. 5336(c)(3)(H).
First, proposed 31 CFR 1010.955(c)(2)(i) would authorize a Federal, State, local or Tribal agency that receives BOI from FinCEN to redisclose it to others within the same organization, if the re-disclosure is consistent with the security and confidentiality requirements of 31 CFR 1010.955(d)(1)(i)(F), (d)(2), or applicable internal Treasury policies, procedures, orders or directives; and is in furtherance of the same purpose for which the BOI was requested. Without this authorization, the statutory prohibitions at 31 U.S.C. 5336(c)(2)(A) and corresponding regulatory prohibitions at proposed 31 CFR 1010.955(a) could be viewed to constrain officers, employees, contractors, and agents within the same authorized requesting agency from efficiently sharing BOI in a manner consistent with the objectives of the CTA. FinCEN recognizes that authorized individuals that receive BOI within authorized recipient organizations may need limited flexibility to disclose BOI to others in their organization to the extent those other individuals need the BOI to further the original purpose for which the BOI request was made to FinCEN. An employee working on a law enforcement case within a Federal agency, for example, might need to disclose BOI obtained from FinCEN to another employee working on the same law enforcement matter.
FinCEN envisions that there are circumstances in which FI employees may have a similar need to share BOI with counterparts, e.g., if they are working together to onboard a new customer. Proposed 31 CFR 1010.955(c)(2)(ii) therefore extends a comparable authority to FIs. One difference should be noted: FinCEN proposes to expressly limit FIs to redisclosing BOI to other officers, employees, contractors, and agents of the FI physically present in the United States. FinCEN believes this limitation is necessary to provide appropriate protection to BOI against disclosures to foreign governments outside of the framework established by the CTA. The CTA confirms, among other things, that foreign government agencies should only obtain the BOI of reporting companies for limited purposes and through intermediary Federal agencies. Allowing U.S. FIs to re-disclose BOI outside of the United States creates the potential for a foreign government agency to obtain such BOI by serving a judicial or administrative warrant, summons, or subpoena directly on the foreign entity or location where the BOI is stored.
Prohibiting FIs from moving BOI outside the United States reinforces and complements the requirements associated with the requirements through which foreign governments can obtain BOI under the proposed rule.
Next, proposed 31 CFR 1010.955(c)(2)(iii) would allow an FI, subject to certain conditions, to share BOI that it obtains from FinCEN for use in fulfilling its CDD obligations with (1) the FI’s Federal functional regulator, (2) a qualifying SRO, or (3) any other appropriate regulatory agency. The CTA specifies that BOI provided to an FI ‘‘shall also be available’’ to a Federal functional regulator or other appropriate regulatory agency, under certain conditions, and proposed 31 CFR 1010.955(b)(4)(ii) would authorize the agency to obtain the BOI directly from FinCEN. Proposed 31 CFR 1010.955(c)(2)(ii) would complement that authorization by also allowing the agency to obtain the BOI from the FI. FinCEN believes this may be a more efficient means of access for agencies conducting assessments of an FI’s compliance with CDD requirements under applicable law. Such redisclosure would more easily provide regulators with a complete picture of how FIs are obtaining and using BOI for CDD compliance, thereby supporting the aims and purposes of the CTA, and would also help them detect compliance failures.
Proposed 31 CFR 1010.955(c)(2)(ii) would also authorize re-disclosure to qualifying SROs. SROs perform important supervisory and regulatory functions under the oversight of Federal functional regulators to assess FI compliance with CDD requirements among their member firms. Given that SROs can perform these supervisory functions, FinCEN believes that access to BOI would be as helpful to qualifying SROs as to Federal functional regulators in ensuring a complete and accurate assessment of CDD compliance.
Qualifying SROs, like any supervisory agency, would need to enter into an MOU with FinCEN, and agree to implement security and confidentiality protocols, including audit requirements, prior to receiving BOI from their regulated institutions.
Fourth, proposed 31 CFR 1010.955(c)(2)(iv) would allow a Federal functional regulator to disclose information to a qualifying SRO. Consistent with the purposes of the CTA, the proposed rule makes clear that BOI may be accessed, used, and redisclosed for examinations for compliance with CDD requirements under applicable law.
Fifth, proposed 31 CFR 1010.955(c)(2)(v), consistent with the CTA, would allow an intermediary Federal agency to disclose BOI to the foreign person for whom the intermediary Federal agency requested the information in accordance with proposed 31 CFR 1010.955(b)(3). Without an express regulatory provision to effectuate the CTA’s provisions relating to BOI access by a foreign law enforcement agency, prosecutor, or judge, questions could arise as to whether the intermediary Federal agency would be able to then share with a foreign requester the information obtained on its behalf.
Sixth, proposed 31 CFR 1010.955(c)(2)(vi) would allow a Federal, State, local, or Tribal law enforcement agency to disclose BOI to a court of competent jurisdiction or parties to a civil or criminal proceeding. This authorization would only apply to civil or criminal proceedings involving U.S. Federal, State, local, and Tribal laws. FinCEN envisions agencies relying on this provision when, for example, a prosecutor must provide a criminal defendant with BOI in discovery or use it as evidence in a court proceeding or trial.137
FinCEN considered requiring Federal, State, local, or Tribal law enforcement agencies to request permission to disclose BOI on a case-by-case basis. The bureau decided against that approach for the sake of efficiency and the administration of justice.
FinCEN would be unlikely to oppose disclosing BOI for use by law enforcement agencies in a civil or criminal proceeding; the CTA explicitly contemplates using BOI in this scenario.138 Additionally, manual review of individual disclosure requests in this context could also delay the relevant legal proceeding. FinCEN invites comment on this proposed approach.
137 See CTA, Section 6402(5)(D).
138 See id.
Seventh, proposed 31 CFR 1010.955(c)(2)(vii) would allow a Federal agency that receives BOI from FinCEN pursuant to proposed 31 CFR 1010.955(b)(1), (b)(4)(ii), or (b)(5) to disclose that BOI to DOJ in a case referral. While DOJ would also be able to request the relevant BOI from FinCEN in furtherance of law enforcement activity, allowing the requesting Federal agency to share that BOI with DOJ would allow for more efficient investigation and law enforcement activity. The proposed provision would also make clear that the requesting agency can disclose BOI to DOJ for use in litigation related to the activity for which the BOI is requested. Such authorization will allow DOJ to have a complete record—including BOI—when fulfilling its responsibilities to represent the requesting agency in litigation.
Eighth, proposed 31 CFR 1010.955(c)(2)(viii) would allow a foreign requester that receives BOI pursuant to a request made under an international treaty, agreement, or convention to disclose and use that BOI in accordance with the requirements of the relevant agreement. This approach harmonizes 31 U.S.C. 5336(c)(2)(B)(ii)(II)(aa) 139 with the process described in the introductory paragraph in 31 U.S.C. 5336(c)(2)(B)(ii), which establishes a preference for disclosing BOI to foreign requesters under international agreements.
For foreign requests that are not governed by an international treaty, agreement, or convention, FinCEN would review redisclosure requests from foreign requesters either on a case-by-case basis or pursuant to alternative arrangements with intermediary Federal agencies where those intermediary Federal agencies have ongoing relationships with the particular foreign requesters.
Finally, proposed 31 CFR 1010.955(c)(2)(ix) would make clear that re-disclosing BOI obtained under 31 CFR 1010.955(b) in any circumstances other than those defined in proposed 31 CFR 1010.955(c)(2) would be prohibited unless FinCEN provided prior authorization for the re-disclosure in writing, or such re-disclosure were made in accordance with applicable protocols, guidance, and regulations as FinCEN may issue. This provision would give FinCEN the ability to authorize, either on a case-by-case basis or categorically through written protocols, guidance, or regulations, the re-disclosure of BOI in limited cases to further the purposes of the CTA.140 FinCEN welcomes comments on any of the proposed provisions permitting the re-disclosure of BOI for activities consistent with the purposes of the CTA.
139 Requiring requests for BOI from foreign requesters to ‘‘[comply] with the disclosure and use provisions of the treaty, agreement, or convention, publicly disclosing [sic] any beneficial ownership information received . . . .’’
140 For example, FinCEN could authorize the supervisory component of a Federal functional regulator that identifies a CDD-related deficiency at an FI to share BOI with its enforcement component as part of a referral in which the BOI would be used in furtherance of law enforcement activity.
Proposed 31 CFR 1010.955(c)(2)(ix) would also enable FinCEN to authorize the re-disclosure of BOI in appropriate circumstances. For example, FinCEN envisions instances when it might be necessary for one law enforcement agency to disclose BOI obtained from FinCEN to another agency for an authorized purpose. The ability to share BOI in such circumstances would ensure that authorized recipients are able to further the goals of the CTA of protecting U.S. national security and combatting illicit activity, including corruption, money laundering, tax fraud, and terrorist financing, while at the same time, ensuring that appropriate security and confidentiality are maintained in a way that ensures appropriate audit and oversight. For example, a Federal agency to which FinCEN disclosed BOI in furtherance of that agency’s national security activities may identify a possible criminal violation and need to provide the information to a Federal law enforcement agency for investigation, and prosecution, if appropriate. Federal agencies that are a part of a task force to target specific criminal activity, such as drug trafficking or corruption, may also need to share BOI within the task force. In such cases, it would be more efficient for the agencies involved to share BOI directly among themselves instead of each agency having to separately request the same BOI from FinCEN. The requirements that an agency would need to satisfy to obtain BOI through re-disclosure are the same as those an agency would need to satisfy to obtain BOI from FinCEN directly under this proposed rule. FinCEN also envisions including re-disclosure limitations in the BOI disclosure MOUs it enters into with recipient agencies.
These provisions would make clear that it would be the responsibility of a recipient agency to take necessary steps to ensure that BOI is made available for purposes specifically authorized by the CTA, and not for the general purposes of the agency. Such agency-to-agency agreements can be effective at creating and enforcing standards on use, reuse, and redistribution of sensitive information. However, FinCEN solicits comments from the public as to whether other mechanisms, such as the imposition of redistribution standards by regulation, mandatory redistribution logs, regular audit requirements, or other techniques, may be more appropriate in this context.
v. Security and Confidentiality Requirements
The CTA directs the Secretary to establish by regulation protocols to protect the security and confidentiality of any BOI provided directly by FinCEN.141 FinCEN views safeguarding BOI to be a top priority. The security and confidentiality of BOI would be protected through several protocols to prevent unauthorized disclosure and to ensure that BOI is used solely for the purposes described in the CTA. These include high standard security protocols in the implementation of the beneficial ownership IT system, robust MOUs that will impose security requirements on agencies that have access to BOI, such as current background checks on personnel accessing the information and controls to ensure appropriate use, regular training, and robust audit and oversight at the agency level and by FinCEN. In addition, FinCEN is committed to regularly reviewing protocols and information security practices to ensure they protect BOI from unauthorized use or disclosure.
141 31 U.S.C. 5336(c)(3)(A).
While the CTA enumerates specific requirements applicable to ‘‘requesting agencies,’’ FinCEN believes it is necessary and appropriate to impose comparable requirements on FIs and foreign requesters, taking into account considerations unique to those recipient categories.142 Clear expectations for all recipients and comparable data management requirements across different categories of authorized recipients will facilitate high standard information security and confidentiality practices and will contribute to more effective audits and oversight. This subsection discusses requirements applicable to both ‘‘requesting agencies’’ and other authorized requesters.
a. Security and Confidentiality Requirements for Domestic Agencies
The CTA prescribes with specificity a number of requirements that the Secretary must impose on requesting agencies and their heads. These requirements affirm the importance of the security and confidentiality protocols and the need for a high degree of accountability for the protection of BOI.
Specifically, the statute provides that the Secretary shall require requesting agencies to (1) ‘‘establish and maintain, to the satisfaction of the Secretary, a secure system in which [BOI] provided directly by the Secretary shall be stored;’’ 143 (2) ‘‘furnish a report to the Secretary, at such time and containing such information as the Secretary may prescribe, that describes the procedures established and utilized by such agency to ensure the confidentiality of [BOI] provided directly by the Secretary;’’ 144 (3) ‘‘limit, to the greatest extent practicable, the scope of information sought, consistent with the purposes for seeking [BOI];’’ 145 and (4) ‘‘establish and maintain, to the satisfaction of the Secretary, a permanent system of standardized records with respect to an auditable trail of each request for [BOI] submitted to the Secretary by the agency, including the reason for the request, the name of the individual who made the request, the date of the request, any disclosure of [BOI] made by or to the agency, and any other information the Secretary of the Treasury determines is appropriate.’’ 146
The CTA also instructs the Secretary to establish by regulation protocols: (1) ‘‘requir[ing] the head of any requesting agency, on a non-delegable basis, to approve the standards and procedures utilized by the requesting agency and certify to the Secretary semi-annually that such standards and procedures are in compliance with the requirements of [31 U.S.C. 5336(c)(3)];’’ 147 (2) ‘‘requir[ing] a written certification for each authorized investigation or other activity [giving rise to an authorized BOI disclosure] from the head of [a Federal agency acting in furtherance of national security, intelligence, or law enforcement activity, or a State, local, or Tribal law enforcement agency], or their designees, that (a) states that applicable requirements have been met, in such form and manner as the Secretary may prescribe; and (b) at a minimum, sets forth the specific reason or reasons why the [BOI] is relevant to [the] authorized investigation or other activity . . .’’; and (3) ‘‘restrict[ing], to the satisfaction of the Secretary, access to [BOI] to whom disclosure may be made under the [CTA disclosure provisions] to only users at the requesting agency (a) who are directly engaged in the authorized investigation [for which BOI disclosure is authorized]; (b) whose duties or responsibilities require such access; (c) who have undergone appropriate training, or use staff to access the database who have undergone appropriate training; (d) who use appropriate identity verification mechanisms to obtain access to the information; and (e) who are authorized by agreement with the Secretary to access the information.’’ 148
Finally, the CTA instructs the Secretary to require requesting agencies receiving BOI from FinCEN to ‘‘conduct an annual audit to verify that the [BOI] received from the Secretary has been accessed and used appropriately, and in a manner consistent with this paragraph and provide the results of that audit to the Secretary upon request.’’ 149 The statute imposes a corresponding requirement on the Secretary to ‘‘conduct an annual audit of the adherence of the agencies to the protocols established under [31 U.S.C. 5336(c)(3)] to ensure that agencies are requesting and using [BOI] appropriately.’’ 150
The proposed regulation would organize these requirements into two subsections. The first, proposed 31 CFR 1010.955(d)(1)(i), would address general requirements applicable to Federal, State, local, and Tribal requesting agencies, including intermediary Federal agencies acting on behalf of authorized foreign requesters, Federal functional regulators, and other appropriate regulatory agencies. This proposed subsection would require each requesting agency, before it could obtain BOI, to enter into an MOU with FinCEN specifying the standards, procedures, and systems that the agency would be required to maintain to protect BOI.151 These MOUs would, among other things, memorialize and implement requirements contained in proposed 31 CFR 1010.955(d)(1)(i), including those regarding reports and certifications, periodic training of individual recipients of BOI, personnel access restrictions, re-disclosure limitations, and access to audit and oversight mechanisms. The MOUs would also include security plans covering topics related to personnel security (e.g., eligibility limitations, screening standards, certification and notification requirements); physical security (system connections and use, conditions of access, data maintenance); computer security (use and access policies, standards related to passwords, transmission, storage, and encryption); and inspections and compliance. Agencies may rely on existing databases and related IT infrastructure to satisfy the requirement to ‘‘establish and maintain’’ secure systems in which to store BOI where those systems have appropriate security and confidentiality protocols, and FinCEN will engage with recipient agencies on this issue during the development of an MOU on BOI sharing.
Because security protocol details may vary based on each agency’s particular circumstances and capabilities, FinCEN believes individual MOUs are preferable to a ‘‘one-size-fits-all’’ approach of specifying particular requirements by regulation. FinCEN invites comment on this MOU-based approach, and on whether additional requirements should be incorporated into the regulations or into FinCEN’s MOUs.
142 31 U.S.C. 5336(c)(3)(K).
143 31 U.S.C. 5336(c)(3)(C).
144 31 U.S.C. 5336(c)(3)(D).
145 31 U.S.C. 5336(c)(3)(F).
146 31 U.S.C. 5336(c)(3)(H).
147 31 U.S.C. 5336(c)(3)(B).
148 31 U.S.C. 5336(c)(3)(G).
149 31 U.S.C. 5336(c)(3)(I).
150 31 U.S.C. 5336(c)(3)(J).
151 31 CFR 1010.955(d)(1)(i)(A).
The second subsection would apply to each request for BOI. It includes specific requirements with which each individual request for BOI must comply, as described in the CTA, as well as additional requirements that FinCEN believes are necessary to ensure that BOI is subject to security and confidentiality requirements of a sufficiently high standard.152
Proposed 31 CFR 1010.955(d)(1)(ii)(A) (referred to as a ‘‘minimization’’ requirement) would require all requesting agencies to limit, to the greatest extent practicable, the amount of BOI they seek, consistent with the agency’s purpose for seeking it. The provision mirrors the CTA requirement at 31 U.S.C. 5336(c)(3)(F) and would enhance information security and confidentiality by limiting disclosure of BOI only to those situations in which BOI is necessary for a particular purpose.
Proposed 31 CFR 1010.955(d)(1)(ii)(B)(1) would incorporate the requirement of 31 U.S.C. 5336(c)(3)(E) that the head of a requesting Federal agency acting in furtherance of national security, intelligence, or law enforcement activity, or their designees, certify in writing, for each request made by the agency to FinCEN, that (1) the agency was engaged in a national security, intelligence, or law enforcement activity, and (2) the BOI requested was for use in furthering that activity, setting forth specific reasons why the requested BOI was relevant.
FinCEN expects that the certification and justification would be made by the individual at the authorized Federal agency at the time of the BOI request. Similarly, proposed 31 CFR 1010.955(d)(1)(ii)(B)(2) would require the head of a requesting State, local, or Tribal law enforcement agency, or their designee, to submit to FinCEN a copy of the court authorization required under proposed 31 CFR 1010.955(b)(2), as well as a written justification setting forth specific reasons why the requested information was relevant to the investigation. FinCEN believes that collecting the underlying court authorizations will help to ensure compliance with 31 U.S.C. 5336(c)(2)(B)(i)(II) and facilitate audit and oversight of such requests. Moreover, the submission of brief justification narratives will make it easier for FinCEN personnel to identify the relevant information in a court authorization, thereby allowing for faster reviews and more focused audits. FinCEN considered not requiring State, local, and Tribal law enforcement agencies to submit corresponding justifications in addition to the court authorizations, but in some cases the relationship between a court authorization and the search in question might not be apparent on the face of the court authorization.

152 The additional measures are being proposed pursuant to the authority delegated to FinCEN under 31 U.S.C. 5336(c)(3)(K).

Proposed 31 CFR 1010.955(d)(1)(ii)(B)(3) and (4) would identify the information that an intermediary Federal agency would need to obtain, and in some cases, submit to FinCEN, when making a request for BOI on behalf of foreign law enforcement, prosecutors, or judges.
The information that would need to be submitted to FinCEN pursuant to these provisions is dependent on whether the foreign request at issue is pursuant to an international treaty, agreement, or convention. Regardless of whether an international treaty, agreement, or convention applies, the head of an intermediary Federal agency acting on behalf of a foreign requester, or their designee, would always need to: (1) identify to FinCEN both the individual within the intermediary Federal agency making the request; (2) identify to FinCEN the individual affiliated with the foreign requester on whose behalf the request is being made; and (3) either identify to FinCEN the international treaty, agreement, or convention under which the request was being made or provide a statement that no such instrument governs. When an international treaty, agreement, or convention applies, the head of an intermediary Federal agency acting on behalf of a foreign requester, or their designee, would need to retain the request for information under the relevant international treaty, agreement, or convention, and would also have to certify to FinCEN that the requested BOI is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country. This certification would apply to the intermediary Federal agency head or designee’s understanding of the intended use for the BOI, and would not constitute a guarantee from the intermediary Federal agency that the foreign requester would not use the information for other activities without authorization. In circumstances in which an international treaty, agreement, or convention does not apply, the head of an intermediary Federal agency acting on behalf of a foreign requester, or their designee, would need to submit to FinCEN a written explanation of the specific purpose for which the foreign requester is requesting BOI. 
The intermediary Federal agency would also need to provide FinCEN with a certification that requested BOI: (1) will be used in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity that is authorized under the laws of the relevant foreign country; (2) will only be used for the particular purpose or activity for which it is requested; and (3) will be handled in accordance with applicable security and confidentiality requirements as discussed in detail in Section IV.A.v.c. below with respect to proposed 31 CFR 1010.955(d)(3). Again, this certification would apply to the intermediary Federal agency head or designee’s understanding of the intended use for the BOI, and would not constitute a guarantee from the intermediary Federal agency that the foreign requester would not use the information for other activities without authorization.

The proposed rule further specifies that FinCEN may request additional information to support its evaluation of whether to disclose BOI to a foreign requester when a request is not pursuant to an international treaty, agreement, or convention. FinCEN anticipates the implementation of a case management function in the beneficial ownership IT system to manage this information and certification submission process.

Finally, proposed 31 CFR 1010.955(d)(1)(ii)(B)(5) would require the head of Federal functional regulators and other appropriate regulatory agencies, or their designee, to certify to FinCEN when requesting BOI that the agency (1) is authorized by law to assess, supervise, enforce, or otherwise determine the relevant FI’s compliance with CDD requirements under applicable law, and (2) will use the information solely for the purpose of conducting the assessment, supervision, or authorized investigation or activity described in proposed 31 CFR 1010.955(b)(4)(ii)(A).

b. Security and Confidentiality Requirements for FIs

Although the CTA does not specifically address the safeguards FIs must implement as a precondition to requesting BOI, the CTA authorizes FinCEN to prescribe by regulation any other safeguards determined to be necessary or appropriate to protect the confidentiality of BOI.153 Proposed 31 CFR 1010.955(d)(2) contains the safeguards applicable to FIs, including security standards for managing the BOI data.

Any security standards FinCEN imposes should keep BOI reasonably secure and confidential, but not be so stringent as to make the information practically inaccessible or useless to FIs. Such overly burdensome requirements would frustrate the CTA’s objective of facilitating FI compliance with CDD requirements under applicable law.

153 31 U.S.C. 5336(c)(3)(K).

To strike an appropriate balance, proposed 31 CFR 1010.955(d)(2)(i) would take a principles-based approach by requiring FIs to develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI as a precondition for receiving BOI. Although proposed 31 CFR 1010.955(d)(2)(i) would not prescribe any specific safeguards, it would establish that the security and information handling procedures necessary to comply with section 501 of the Gramm-Leach-Bliley Act (Gramm-Leach-Bliley) 154 and applicable regulations issued under it to protect non-public customer personal information, if applied to BOI under the control of the FI, would satisfy this requirement. This would be true for any FI, regardless of whether that FI was subject to section 501, so long as the FI actually applied procedures at the appropriate level of protection. The safe harbor in proposed 31 CFR 1010.955(d)(2)(i) would therefore establish baseline security and confidentiality standards that are the same for all FIs.
The approach of establishing a baseline standard would be consistent with other provisions in FinCEN’s regulations that impose standards for handling sensitive information.155

154 Public Law 106–102, 113 Stat. 1338, 1436–37 (1999).
155 See, e.g., 31 CFR 1010.520(b)(3)(iv)(C), 31 CFR 1010.540(b)(4)(ii).

Section 501 of Gramm-Leach-Bliley, codified at 15 U.S.C. 6801(b) and 6805, requires each Federal functional regulator to establish appropriate standards for the FIs subject to its jurisdiction relating to administrative, technical, and physical safeguards to (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

The Federal functional regulators have implemented these requirements in different ways. The OCC, FRB, FDIC, and NCUA incorporated into their regulations the Interagency Guidelines Establishing Interagency Security Standards (Interagency Guidelines).156 The Interagency Guidelines add detail to the more general Gramm-Leach-Bliley requirements, covering specific subjects related to identifying, managing, and controlling risk (e.g., physical and electronic access controls, encryption and training requirements, and testing).
The CFTC has incorporated the Gramm-Leach-Bliley expectations of FIs into its regulations 157 and recommended best practices for meeting them that are ‘‘designed to be generally consistent with’’ the Interagency Guidelines.158 The SEC has also incorporated the Gramm-Leach-Bliley expectations of FIs into its regulations,159 but evaluates the reasonableness of Gramm-Leach-Bliley compliance policies and procedures on a case-by-case basis and communicates findings of insufficiency through supervision and enforcement actions.160

156 See Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness, 66 FR 8616 (Feb. 1, 2001). The agencies’ implementing regulations are at 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D–2 and part 225, app. F (FRB); 12 CFR part 364, app. B (FDIC); and 12 CFR part 748, apps. A & B (NCUA).
157 See 17 CFR 160.
158 See CFTC Staff Advisory No. 14–21 (February 16, 2014).
159 See 17 CFR 248.30(a).
160 See, e.g., Morgan Stanley Smith Barney, SEC Administrative Proceeding File No. 3–21112 (Sept. 20, 2022).

This blended approach for complying with the Gramm-Leach-Bliley requirements is well-suited to protecting sensitive information generally and BOI in particular. Gramm-Leach-Bliley provides general baseline expectations for keeping data secure and confidential, while each agency’s implementing regulations take into account factors unique to the FIs they supervise. Allowing FIs to meet the requirement to safeguard BOI by extending to it the same processes they use to comply with regulations issued pursuant to section 501 of Gramm-Leach-Bliley would avoid duplicative or inconsistent requirements for information security and protocols and would be less burdensome for FIs to administer without sacrificing a high level of protection.

In order to ensure that security and confidentiality standards are consistent across the entire financial industry, even FIs not subject to regulations issued pursuant to section 501 of Gramm-Leach-Bliley would be held to these same substantive standards. For FIs not subject to section 501, the Interagency Guidelines might serve as a useful checklist against which such FIs could evaluate their existing security and confidentiality practices, and a useful guide to possible modifications to bring the FI to the level of security and confidentiality necessary to justify obtaining BOI.

Proposed 31 CFR 1010.955(d)(2)(ii) would require FIs to obtain and document a reporting company’s consent before requesting that reporting company’s BOI from FinCEN. FIs are well-positioned to obtain consent—and to track any revocation of such consent—given that they maintain direct customer relationships and are able to leverage existing onboarding and account maintenance processes to obtain reporting company consent. FinCEN considered the alternative approach of FinCEN obtaining consent directly from the reporting company, but rejected the approach given potential delays and the lack of any direct relationship with the reporting company.

Finally, proposed 31 CFR 1010.955(d)(2)(iii) would require the FI to certify in writing for each BOI request that it: (1) is requesting the information to facilitate its compliance with CDD requirements under applicable law, (2) obtained the reporting company’s written consent to request its BOI, and (3) fulfilled the other requirements of the section. FinCEN anticipates that an FI would be able to make the certification via a checkbox when requesting BOI via the beneficial ownership IT system. FinCEN expects that FIs will establish protocols to direct authorized staff to ensure that the requirements are satisfied and that appropriate records are maintained for the purposes of audit and oversight.
FinCEN further expects FIs to provide training on these protocols and to require system users from FIs to complete FinCEN-provided online training about the system and related responsibilities as a condition for creating and maintaining system accounts.

Under the proposed rule, FinCEN would not require FIs to submit proof of reporting company consent at the time of the request for BOI. FinCEN would not have the capacity to review, verify, and store consent forms and additional FinCEN involvement would create undue delays for the ability of FIs to onboard customers. In addition, FinCEN expects that FI compliance with these requirements would be assessed by Federal functional regulators in the ordinary course during safety and soundness examinations or by the SROs during their routine BSA examinations.161 FIs therefore have a strong incentive to retain evidence of a reporting company’s consent for the purposes of supervisory examinations and compliance and for use in cases involving suspected or alleged violations of the requirement. Together with potential civil and criminal penalties under the CTA, such examinations would create a robust control and oversight mechanism.

FinCEN invites comments on this proposed approach to FI security and confidentiality requirements, including any views regarding how consent should be obtained from reporting companies and on the applicability of auditing requirements to FIs.

c. Security and Confidentiality Requirements for Foreign Requesters

It is critical that all authorized BOI recipients—including foreign requesters—take steps to keep BOI confidential and secure and to prevent misuse. To that end, proposed 31 CFR 1010.955(d)(3)(i) would require foreign requesters to handle, disclose, and use BOI consistent with the requirements of the applicable treaty, agreement or convention under which it was requested.
31 CFR 1010.955(d)(3)(ii), meanwhile, would impose on foreign BOI requesters certain general requirements the CTA imposes on all requesting agencies. FinCEN believes these measures are necessary to protect the security and confidentiality of BOI provided to foreign requesters.162 Requirements applicable to foreign requesters when no treaty, agreement, or convention applies include having security standards and procedures, maintaining a secure storage system that complies with whatever security standards the foreign requester applies to the most sensitive unclassified information it handles, minimizing the amount of information requested, and restricting personnel access to it. Foreign requesters that request and receive BOI under an applicable international treaty, agreement, or convention would not have these requirements under the proposed rule, given that such requesters would be governed by standards and procedures under the applicable international treaty, agreement, or convention.

161 The CTA requirements FIs must satisfy to qualify for BOI disclosure from FinCEN are part of the BSA, a statute enacted in pertinent part in Chapter X of the Code of Federal Regulations. FinCEN has delegated its authority to examine FIs for compliance with Chapter X to the Federal functional regulators. See 31 CFR 1010.810. See also, e.g., 12 U.S.C. 1818(s)(2), 12 U.S.C. 1786(q)(2).
162 See 31 U.S.C. 5336(c)(3)(A), (K).

FinCEN considered proposing a requirement that foreign requesters enter into MOUs comparable to domestic requesting agencies for situations in which an international treaty, agreement, or convention applies.
The bureau decided not to propose such an approach because foreign requesters will not have direct access to the beneficial ownership IT system and because FinCEN anticipates a significantly lower volume of foreign requests in general relative to other stakeholders. FinCEN believes MOUs are appropriate with domestic agencies to account for the risks inherent in repeated, detailed interaction with the beneficial ownership IT system. Foreign BOI requesters, by contrast, would only receive BOI through intermediary Federal agencies that would themselves be subject to detailed MOUs. Those intermediary Federal agencies would in turn work with foreign requesters to safeguard BOI in accordance with applicable treaties, agreements, or conventions when applicable, and under governing protocols in other circumstances. FinCEN considered imposing audit requirements on foreign requesters as part of these security and confidentiality protocols, but determined that it would not be feasible. First, in situations involving international treaties, agreements, or conventions, such audits would only be permissible if allowed by the international agreement. In situations in which no such international agreement applied, it would nevertheless be practically challenging for FinCEN to conduct meaningful audits of a foreign requester’s BOI handling systems and practices given that it would involve extensive negotiations and the commitment of substantial FinCEN personnel to considerable document review (potentially involving translation) and travel. Foreign governments under any circumstances are also unlikely to grant FinCEN access to their secure IT systems to the degree that a comprehensive audit demands. While FinCEN considered whether to refrain from sharing information with a foreign requester that refused to be subject to audit requirements, such an approach would result in reduced information sharing and cooperation overall. 
The United States regularly collaborates bilaterally and in global task forces, for example, to combat terrorism, transnational criminal organizations, and other threats to national security. The success of these initiatives depends upon effective international cooperation and robust efforts by foreign counterparts. Those foreign counterparts might decide not to request BOI at all, depriving our partners of information that would support these efforts, with potentially negative direct consequences for the United States.

FinCEN invites comments on its proposal with respect to security and confidentiality requirements applicable to foreign requesters.

vi. Administration of Requests for Information Reported Pursuant to 31 CFR 1010.380

The CTA includes several provisions regarding how FinCEN should administer requests for BOI. Proposed 31 CFR 1010.955(e) would implement these CTA provisions.

Proposed 31 CFR 1010.955(e)(1) would require agencies and FIs to submit requests for BOI to FinCEN in the form and manner FinCEN shall prescribe.163 The bureau intends to provide additional detail regarding the form and manner of BOI requests for all categories of authorized users through specific instructions and guidance as it continues developing the beneficial ownership IT system. To the extent required by the Paperwork Reduction Act (PRA), FinCEN would publish for notice and comment any proposed information collection associated with BOI requests.

Proposed 31 CFR 1010.955(e)(2) would implement 31 U.S.C. 5336(c)(6)(B), which describes the circumstances under which the Secretary ‘‘may decline to provide’’ requested BOI.
The CTA describes three permissible reasons for declining to provide BOI: (1) a ‘‘requesting agency’’ failing to meet applicable requirements; (2) ‘‘the information is being requested for an unlawful purpose;’’ or (3) ‘‘other good cause exists to deny the request.’’ 164 Proposed 31 CFR 1010.955(e)(2) would make minor changes to the statutory text to clarify its scope and to provide appropriate cross references. While 31 U.S.C. 5336(c)(6)(B)(i) speaks directly to requests made by a ‘‘requesting agency,’’ FinCEN believes the CTA also permits the bureau to deny requests from any authorized recipient, including FIs, that fail to comply with any requirements to receive BOI (e.g., refusing to obtain consent from reporting companies before making BOI requests or failing to fully comply with the proposed security and confidentiality requirements).165 FinCEN’s ability to decline requests in these circumstances is necessary to ‘‘protect the security and confidentiality of [BOI]’’ that the agency provides to authorized recipients.166 Moreover, FinCEN would consider an FI’s failure to comply with any requirements to constitute ‘‘good cause’’ sufficient to justify denying a request for BOI.167

Proposed 31 CFR 1010.955(e)(3) would specify that the reasons for rejecting a request are also bases for suspension or debarment. The CTA permits the Secretary to suspend or debar a ‘‘requesting agency’’ from access to BOI for any of the reasons for rejection in the preceding paragraph, including for ‘‘repeated or serious violations’’ of any requirement established as a precondition for receiving BOI.168 FinCEN would again extend the availability of the suspension or debarment authority to FIs to ensure the integrity of BOI, ensure the security of the beneficial ownership IT system, and implement the confidentiality requirements imposed by the CTA. Under the proposed rule, suspension of access to BOI would be a temporary measure, while debarment would be permanent.
The proposed rule would also permit FinCEN to determine in its sole discretion the length of any suspension. Additionally, the proposed rule would clarify that FinCEN may reinstate suspended or debarred requesters upon satisfaction of any terms or conditions FinCEN in its sole discretion believes are appropriate. As with the authority to reject requests, FinCEN views suspension and debarment as important tools for protecting sensitive information from potential misuse.

vii. Violations; Penalties

The CTA makes it unlawful for any person to knowingly disclose or knowingly use BOI obtained by the person through a report submitted to, or an authorized disclosure made by, FinCEN, unless such disclosure is authorized under the CTA.169 Proposed 31 CFR 1010.955(f)(1) tracks this prohibition, and further clarifies that such disclosure authorized under the CTA includes disclosure authorized under the regulations issued pursuant to the CTA. Proposed 31 CFR 1010.955(f)(2) then explains that for purposes of paragraph (f)(1), unauthorized use would include any unauthorized accessing of information submitted to FinCEN under 31 CFR 1010.380, including any activity in which an employee, officer, director, contractor, or agent of a Federal, State, local, or Tribal agency or FI knowingly violates applicable security and confidentiality requirements in connection with accessing such information.170 This reflects FinCEN’s view that the security and confidentiality requirements under the CTA and this proposed rule circumscribe the ways in which authorized recipients can use BOI, consistent with the statute’s emphasis on keeping BOI secure and confidential.

Proposed 31 CFR 1010.955(f)(3) lists the CTA’s enumerated civil and criminal penalties for knowingly disclosing or using BOI without authorization. The CTA provides civil penalties in the amount of $500 for each day a violation continues or has not been remedied. Criminal penalties are a fine of not more than $250,000 or imprisonment for not more than 5 years, or both.171 The CTA also provides for enhanced criminal penalties, including a fine of up to $500,000, imprisonment of not more than 10 years, or both, if a person commits a violation while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period.172

163 31 U.S.C. 5336(c)(2)(C).
164 Id.
165 See 31 U.S.C. 5336(c)(3)(A).
166 Id.; see also 31 U.S.C. 5336(c)(3)(K).
167 31 U.S.C. 5663(c)(6)(B)(iii).
168 31 U.S.C. 5336(c)(7).
169 See 31 U.S.C. 5336(h)(2).
170 31 U.S.C. 5336(c)(4) explicitly applies civil and criminal penalties to employees and officers of ‘‘requesting agencies’’ who violate applicable security and confidentiality protocols, including through unauthorized disclosure or use. FinCEN views this as a self-executing reinforcement provision to support 31 U.S.C. 5336(h)(3)(B), which focuses on unlawful disclosure or use by any person.
171 31 U.S.C. 5336(h)(3)(B).
172 See 31 U.S.C. 5336(h)(3)(B)(ii)(II).

B. Use of FinCEN Identifiers for Entities

A FinCEN identifier is a unique identifying number that FinCEN will issue to individuals who have provided FinCEN with their BOI and to reporting companies that have filed initial BOI reports.173 Consistent with the CTA, the final BOI reporting rule describes the manner in which FinCEN will issue a FinCEN identifier to individuals and to entities.174 It also describes circumstances in which a reporting company may report an individual beneficial owner’s FinCEN identifier to FinCEN in lieu of providing the individual’s BOI.175 The CTA also provides for the use of a reporting company’s FinCEN identifier, specifying that if an individual ‘‘is or may be a beneficial owner of a reporting company by an interest held by the individual in an entity that, directly or indirectly, holds an interest in the reporting company,’’ the reporting company may report the entity’s FinCEN identifier in lieu of providing the individual’s BOI.176

173 31 U.S.C. 5336(b)(3).
174 See 31 CFR 1010.380(b)(4).
175 See 31 CFR 1010.380(b)(4)(ii)(B).

The Reporting NPRM proposed to incorporate this language without significant clarification. Some commenters, however, expressed concerns that the use of FinCEN identifiers could obscure the identities of beneficial owners in a manner that might result in greater secrecy or incomplete or misleading disclosures.
Several commenters noted that the proposed language may be confusing and pose problems when a reporting company’s ownership structure involves multiple beneficial owners and intermediate entities. In light of this feedback, the final BOI reporting rule did not adopt the proposed language, and FinCEN is now proposing different language to implement the CTA in a manner that better clarifies when a company may report an intermediate entity’s FinCEN identifier in lieu of an individual’s BOI.

Proposed 31 CFR 1010.380(b)(4)(ii)(B) would permit a reporting company to report an intermediate entity’s FinCEN identifier in lieu of a beneficial owner’s BOI only when: (1) the intermediate entity has obtained a FinCEN identifier and provided that FinCEN identifier to the reporting company; (2) an individual is or may be a beneficial owner of the reporting company by virtue of an interest in the reporting company that the individual holds through the entity; and (3) only the individuals that are beneficial owners of the intermediate entity are beneficial owners of the reporting company, and vice versa. The first and second requirements are straightforward clarifications, while the third requirement reflects an implicit assumption in the statutory language.

It is straightforward to allow a reporting company to use an intermediate entity’s FinCEN identifier where a single individual is the sole beneficial owner of a reporting company through a single intermediate entity. In this simple scenario, the same individual would be the beneficial owner of both the reporting company and the intermediate entity. Reporting the intermediate entity’s FinCEN identifier in lieu of the individual’s BOI would thus accurately indicate that the individual is a beneficial owner of both entities, and the intermediate entity would have already reported the individual’s BOI when it filed its initial report and obtained a FinCEN identifier.

176 31 U.S.C. 5336(b)(3)(C).
However, the use of an intermediate company’s FinCEN identifier beyond this simple scenario encounters significant problems when a reporting company’s ownership structure involves multiple beneficial owners and/or intermediate entities. For instance, if the intermediate entity has any beneficial owners who are not also beneficial owners of the reporting company, the reporting company’s use of the intermediate entity’s FinCEN identifier would identify multiple individuals as beneficial owners of the reporting company, when in fact they are only beneficial owners of the intermediate entity. Additionally, if an individual is a beneficial owner of a reporting company through multiple intermediate entities but is not a beneficial owner of one of those entities, the reporting company’s use of that entity’s FinCEN identifier could obscure the identity of that beneficial owner. In this case, the reporting company’s use of an intermediate entity’s FinCEN identifier would fail to identify an individual as a beneficial owner of the reporting company, when in fact the individual is such a beneficial owner.

In light of the core objective of the CTA to establish a comprehensive beneficial ownership database and to ensure that the information it contains is accurate and highly useful, FinCEN does not believe the FinCEN identifier provision was intended to enable reporting companies to misidentify beneficial owners. As explained in the prior paragraph, there are some scenarios in which FinCEN would be unable to accurately identify which reported beneficial owners are extraneous, or which BOI reports are incomplete, thereby making it more difficult for FinCEN and authorized recipients of BOI to identify the true beneficial owners of each reporting company. This would make the beneficial ownership database less accurate and undermine the fundamental goals of the CTA.
Moreover, FIs that obtain BOI reports that are either under- or over-inclusive may have difficulty reconciling this BOI with other information they receive during the CDD process, impeding another goal of the CTA. Furthermore, over-inclusive BOI would require FinCEN to disclose more BOI than necessary in response to authorized requests. Instead of only disclosing BOI for individuals who are beneficial owners of the reporting company that is the subject of a request, FinCEN would have to also disclose BOI for other individuals who are beneficial owners of a different company that may not be the subject of the request. This overdisclosure would be in significant conflict with the confidentiality and privacy protections the CTA instructs FinCEN to implement, including the requirement to ‘‘limit, to the greatest extent practicable, the scope of the information sought.’’ 177
For all of these reasons, permitting a reporting company to use an intermediate entity’s FinCEN identifier would appear consistent with the CTA’s overall statutory scheme only if the two entities have the same beneficial owners. In this case, as in the simple scenario previously described, reporting the intermediate entity’s FinCEN identifier would be equivalent to reporting the BOI of the reporting company’s beneficial owners. There would be no mismatch.
Accordingly, proposed 31 CFR 1010.380(b)(4)(ii)(B) makes this requirement explicit by permitting a reporting company to report an intermediate entity’s FinCEN identifier only when the intermediate entity and the reporting company have the same beneficial owners. FinCEN believes this requirement is implicit in the CTA, and is necessary for FinCEN to avoid collection of potentially incomplete information and to prevent disclosure of inaccurate reports that contain extraneous sensitive information or that lack relevant BOI.
FinCEN solicits comment on this proposal.
177 31 U.S.C. 5336(c)(3)(F).
V. Final Rule Effective Date
FinCEN is proposing an effective date of January 1, 2024, to align with the date on which the final BOI reporting rule at 31 CFR 1010.380 becomes effective. A January 1, 2024, effective date is intended to provide the public and authorized users of BOI with sufficient time to review and prepare for implementation of the rule. FinCEN solicits comment on the proposed effective date for this rule.
VI. Request for Comment
FinCEN seeks comment from all parts of the public, as well as Federal, State, local, and Tribal government entities, with respect to the proposed rule as a whole and specific provisions discussed above in Section IV. FinCEN invites comment on any and all aspects of the proposed rule, and specifically seeks comments on the following questions:
Understanding the Rule
1. Can the organization of the rule text be improved? If so, how?
2. Can the language of the rule text be improved? If so, how?
3. Does the proposed rule provide sufficient guidance to stakeholders and the public regarding the scope and requirements for access to BOI?
Disclosure of Information
4. The CTA prohibits officers and employees of (1) the United States, (2) State, local, and Tribal agencies, and (3) FIs and regulatory agencies from disclosing BOI reported under the statute. FinCEN proposes to extend the prohibition to agents, contractors, and, in the case of FIs, directors as well. FinCEN invites comments on the proposed scope.
5. Are FinCEN’s proposed interpretations of ‘‘national security,’’ ‘‘intelligence,’’ and ‘‘law enforcement’’ clear enough to be useful without being overly prescriptive? If not, what should be different? Commenters are invited to suggest alternative interpretations or sources for reference.
6. Should FinCEN add any specific activities or elements to the proposed interpretations of ‘‘national security,’’ ‘‘intelligence,’’ and ‘‘law enforcement’’ that do not seem to be covered already? If so, what?
7. FinCEN requests comments discussing how State, local, and Tribal law enforcement agencies are authorized by courts to seek information in criminal and civil investigations. Among the particular issues that FinCEN is interested in are: how State, local, and Tribal authorities gather evidence in criminal and civil cases; what role a court plays in each of these mechanisms, and whether in the commenter’s opinion it rises to the level of court ‘‘authorization’’; what role court officers (holders of specific offices, not attorneys as general-purpose officers of the court) play in these mechanisms; how grand jury subpoenas are issued and how the court officers issuing them are ‘‘authorized’’ by a court; whether courts of competent jurisdiction, or officers thereof, regularly authorize subpoenas or other investigative steps via court order; and whether there are any evidence-gathering mechanisms through which State, local, or Tribal law enforcement agencies should be able to request BOI from FinCEN, but that do not require any kind of court?
8. Is requiring a foreign central authority or foreign competent authority to be identified as such in an applicable international treaty, agreement, or convention overly restrictive? If so, what is a more appropriate means of identification?
9. Are there alternative approaches to managing the foreign access provision of the CTA that FinCEN should consider?
10. Should FinCEN define the term ‘‘trusted foreign country’’ in the rule, and if so, what considerations should be included in such a definition?
11. FinCEN proposes that FIs be required to obtain the reporting company’s consent in order to request the reporting company’s BOI from FinCEN.
FinCEN invites commenters to indicate what barriers or challenges FIs may face in fulfilling such a requirement, as well as any other considerations.
12. FinCEN proposes to define ‘‘customer due diligence requirements under applicable law’’ to mean the bureau’s 2016 CDD Rule, as it may be amended or superseded pursuant to the AML Act. The 2016 CDD Rule requires FIs to identify and verify beneficial owners of legal entity customers. Should FinCEN expressly define ‘‘customer due diligence requirements under applicable law’’ as a larger category of requirements that includes more than identifying and verifying beneficial owners of legal entity customers? If so, what other requirements should the phrase encompass? How should the broader definition be worded? It appears to FinCEN that the consequences of a broader definition of this phrase would include making BOI available to more FIs for a wider range of specific compliance purposes, possibly making BOI available to more regulatory agencies for a wider range of specific examination and oversight purposes, and putting greater pressure on the demand for the security and confidentiality of BOI. How does the new balance of those consequences created by a broader definition fulfill the purpose of the CTA?
13. If FinCEN wants to limit the phrase ‘‘customer due diligence requirements under applicable law’’ to apply only to requirements like those imposed under its 2016 CDD Rule related to FIs identifying and verifying beneficial owners of legal entity customers, are there any other comparable requirements under Federal, State, local, or Tribal law? If so, please specifically identify these requirements and the regulatory bodies that supervise for compliance with or enforce them.
14. Are there any State, local, or Tribal government agencies that supervise FIs for compliance with FinCEN’s 2016 CDD Rule? If so, please identify them.
15. FinCEN does not propose to disclose BOI to SROs as ‘‘other appropriate regulatory agencies,’’ but does propose to authorize FIs that receive BOI from FinCEN to disclose it to SROs that meet specified qualifying criteria. Is this sufficient to allow SROs to perform duties delegated to them by Federal functional regulators and other appropriate regulatory agencies? Are there reasons why SROs could be included as ‘‘other appropriate regulatory agencies’’ and obtain BOI directly from FinCEN?
16. Are there additional circumstances under which FinCEN is authorized to disclose BOI that are not reflected in this proposed rule?
Use of Information
17. FinCEN proposes to permit U.S. agencies to disclose BOI received under 31 CFR 1010.955(b)(1) or (2) to courts of competent jurisdiction or parties to civil or criminal proceedings. Is this authorization appropriately scoped to allow for the use of BOI in civil or criminal proceedings?
18. In proposed 31 CFR 1010.955(c)(2)(v), FinCEN proposes to establish a mechanism to authorize, either on a case-by-case basis or categorically through written protocols, guidance, or regulations, the redisclosure of BOI in cases not otherwise covered under 31 CFR 1010.955(c)(2) and in which the inability to share the information would frustrate the purposes of the CTA because of the categorical prohibitions against disclosures at 31 U.S.C. 5336(c)(2)(A). Are there other categories of redisclosures that FinCEN should consider authorizing? Are there particular handling or security protocols that FinCEN should consider imposing with respect to such re-disclosures of BOI?
19. Could a State regulatory agency qualify as a ‘‘State, local, or Tribal law enforcement agency’’ under the definition in proposed 31 CFR 1010.955(b)(2)(ii)?
If so, please describe the investigation or enforcement activities involving potential civil or criminal violations of law that such agencies may undertake that would require access to BOI.
Security and Confidentiality Requirements
20. Should FinCEN impose any additional security or confidentiality requirements on authorized recipients of any type? If so, what requirements and why?
21. The minimization component of the security and confidentiality requirements requires limiting the ‘‘scope of information sought’’ to the greatest extent possible. FinCEN understands this phrase, drawn from the language of the CTA, to mean that requesters should tailor their requests for information as narrowly as possible, consistent with their needs for BOI. Such narrow tailoring should minimize the likelihood that a request will return BOI that is irrelevant to the purpose of the request or unhelpful to the requester. Does the phrase used in the regulation convey this meaning sufficiently clearly, or should it be expanded, and if so how?
22. Because security protocol details may vary based on each agency’s particular circumstances and capabilities, FinCEN believes individual MOUs are preferable to a one-size-fits-all approach of specifying particular requirements by regulation. FinCEN invites comment on this MOU-based approach, and on whether additional requirements should be incorporated into the regulations or into FinCEN’s MOUs.
23. FinCEN proposes to require FIs to limit BOI disclosure to FI directors, officers, employees, contractors, and agents within the United States. Would this restriction impose undue hardship on FIs? What are the practical implications and potential costs of this limitation?
24. Are the procedures FIs use to protect non-public customer personal information in compliance with section 501 of Gramm-Leach-Bliley sufficient for the purpose of securing BOI disclosed by FinCEN under the CTA?
If not, is there another set of security standards FinCEN should require FIs to apply to BOI?
25. Are the standards established by section 501 of Gramm-Leach-Bliley, its implementing regulations, and interagency guidance sufficiently clear such that FIs not directly subject to that statute will know how to comply with FinCEN’s requirements with respect to establishing and implementing security and confidentiality standards?
26. Do any states impose, and supervise for compliance on, security and confidentiality requirements comparable to those that FFRs are required to impose on FIs under section 501 of Gramm-Leach-Bliley? Please provide examples of such requirements.
Outreach
29. What specific issues should FinCEN address via public guidance or FAQs? Are there specific recommendations on engagement with stakeholders to ensure that the authorized recipients, and in particular, State, local, and Tribal authorities and small and mid-sized FIs, are aware of requirements for access to the beneficial ownership IT system?
FinCEN Identifiers
30. Does FinCEN’s proposal with respect to an entity’s use of a FinCEN identifier adequately address the potential under- or over-reporting issues discussed in the preamble?
VI. Regulatory Analysis
This regulatory impact analysis (RIA) assesses the anticipated impact, both in terms of costs and benefits, of the proposed rule, in accordance with Executive Order 12866. This analysis also includes an assessment of the impact on small entities pursuant to the Regulatory Flexibility Act (RFA), reporting and recordkeeping burdens under the Paperwork Reduction Act (PRA); and an assessment as required by the Unfunded Mandates Reform Act of 1995 (UMRA).178 Regarding the proposed regulations related to BOI access, the analysis assumes a baseline scenario of no access granted to the BOI system maintained by FinCEN, which is the current regulatory environment, and uses a time horizon of 10 years.
The analysis estimates that the overall quantifiable impact associated with the proposed rule, which would affect U.S. Federal agencies including FinCEN, as well as State, local, and Tribal agencies, foreign requesters, certain financial institutions, and self-regulatory organizations, would be between $108.7 million in net savings and $840.7 million in net costs in the first year of implementation of the rule, and then a net impact between $186.5 million in net savings and $672.0 million in net costs on an ongoing annual basis.179 This proposed rule has been determined to be a significant rule for purposes of Executive Order 12866. Furthermore, the proposed rule would have a significant economic impact on a substantial number of small entities. Last, the proposed rule would result in an estimated 5-year average PRA annual cost of $642.5 million to certain State, local, and Tribal agencies, self-regulatory organizations, and financial institutions.
178 The U.S. Bureau of Economic Analysis reports the annual value of the gross domestic product (GDP) deflator in 1995 (the year in which UMRA was enacted) as 71.823, and as 118.895 in 2021. See U.S. Bureau of Economic Analysis, Table 1.1.9. Implicit Price Deflators for Gross Domestic Product, available at https://apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&categories=survey#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ. Thus, the inflation adjusted estimate for $100 million is 118.895/71.823 × 100 = $166 million.
179 All aggregate figures are approximate and not precise estimates unless otherwise specified.
Because accessing BOI under the proposed rule is not mandated for State, local, and Tribal governments or the private sector, FinCEN does not assess any expenditures pursuant to UMRA. As FinCEN identified in the final BOI reporting rule’s RIA, FinCEN will incur costs for administering the regulation and access to BOI.180 These costs include development and ongoing annual maintenance of the beneficial ownership IT system. In particular, developing and maintaining the methods of access to the beneficial ownership IT system described in this NPRM has impacted FinCEN’s IT cost estimates. FinCEN estimated that the initial IT development costs associated with the final BOI reporting rule are approximately $72 million with an additional $25.6 million per year required to maintain the new BOI system and the underlying FinCEN IT that is needed to support the new capabilities. These estimates do not include certain potential additional costs, such as for IT personnel or information verification. The final BOI reporting rule’s RIA also estimated $10 million per year in FinCEN personnel costs in order to ensure successful implementation of and compliance with the BOI reporting requirements. Given that these costs to FinCEN are already accounted for in the RIA of the final BOI reporting rule, these costs are not included in the RIA. The costs to FinCEN in this RIA are in addition to those included in the final BOI reporting rule’s RIA. FinCEN also considers in the RIA what costs or benefits may be associated with the proposed rule regarding reporting companies’ use of FinCEN identifiers for entities. The final BOI reporting rule’s RIA contains a regulatory analysis that accounts for the impact associated with obtaining, updating, and using FinCEN identifiers, including a summary of NPRM comments related to the associated estimated costs and benefits. Regarding entities’ use of FinCEN identifiers, FinCEN proposes to rely upon the analysis in the final BOI reporting rule’s RIA. 
That analysis states that the costs associated with reporting companies’ use of FinCEN identifiers are captured in that RIA’s cost estimates associated with BOI reports. This analysis is explained in more detail in Section VI.A.ii. below.
180 87 FR 59578 (Sept. 30, 2022).
A. Executive Orders 12866 and 13563
Executive Orders 12866 and 13563 direct agencies to assess costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, and public health and safety effects, as well as distributive impacts and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, reducing costs, harmonizing rules, and promoting flexibility. FinCEN conducted an assessment of the costs and benefits of the proposed rule, as well as the costs and benefits of available regulatory alternatives. This proposed rule is necessary in order to implement Section 6403 of the CTA. Consistent with the cost-benefit analysis in Section VI.A.i. below, this proposed rule has been designated a ‘‘significant regulatory action’’ and economically significant under section 3(f) of Executive Order 12866. Accordingly, the proposed rule has been reviewed by the Office of Management and Budget (OMB).
i. Section of Proposed Rule Regarding BOI Access
a. Alternative Scenarios
FinCEN considered alternatives to the proposed rule. However, for the reasons described within this section, FinCEN decided not to propose these alternatives.
1. Reduce Training Burden
The first alternative would be to reduce the training requirement for BOI authorized recipients, which includes appropriate training for authorized recipients of BOI as well as annual training for access to BOI.
In its analysis, FinCEN assumes that each authorized recipient that would access the BOI would be required to undergo one hour of training per year.181 Here, FinCEN considers the scenario where authorized recipients would instead be required to undergo one hour of training every two years, in alignment with the current BSA data access requirements. This scenario could result in savings every other year of $108 to $172,800 per Federal agency, $76 to $5,168 per State, local, and Tribal agency, $95 to $6,460 per SRO,182 $108 per foreign requester, and $146 to $241 per financial institution. The aggregate savings could be as much as $3.7 million to $5.2 million ($1.3 million total for domestic agencies and SROs + $2.4 to $3.9 million for financial institutions) every other year. This alternative scenario could result in savings every other year of approximately $95 to $190 per small financial institution. The aggregate savings could be as much as approximately $1.3 million to $2.7 million (($95 × 14,051 small financial institutions = $1,334,845) and ($190 × 14,051 small financial institutions = $2,669,690)) every other year. Given the sensitive nature of the BOI,183 FinCEN believes that maintaining an annual training requirement for BOI authorized recipients and access to BOI is necessary to protect the security and confidentiality of the BOI.
181 The assumption of one training hour is in alignment with the current training requirement for accessing BSA data. However, one notable difference is that the proposed BOI training requirement is annual, not biennial.
182 To calculate costs to SROs, FinCEN calculated a ratio that applied the estimated costs to State regulators (which would have access requirements similar to SROs) to the wage rate estimated herein for financial institutions, since SROs are private organizations. FinCEN requests comment on this assessment.
183 As noted in the preamble, the CTA establishes that BOI is ‘‘sensitive information’’ and it imposes strict confidentiality and security restrictions on the storage, access, and use of BOI. See CTA, Section 6402(6), (7).
2. Change Customer Consent Requirement
The second alternative that FinCEN considered is altering the customer consent requirement for FIs. Under the proposed rule, financial institutions would be required to obtain and document customer consent once for a given customer. FinCEN considered an alternative approach in which FinCEN would directly obtain the reporting company’s consent. Under this scenario, financial institutions would not need to spend time and resources on the one-time implementation costs of approximately 10 hours in year 1 to create consent forms and processes. Using an hourly wage estimate of $95 per hour for financial institutions, FinCEN estimates this would result in a one-time savings per financial institution of approximately $950. To estimate aggregate savings under this scenario, FinCEN multiplies this value by 16,252 financial institutions resulting in a total savings of approximately $15.4 million ($950 per institution × 16,252 financial institutions = $15,439,400). The cost savings for small financial institutions under this scenario would be approximately $13.3 million ($950 per institution × 14,051 small financial institutions = $13,348,450). Though this alternative results in a savings to financial institutions, including small entities, FinCEN believes that financial institutions are better positioned to obtain consent—and to track consent revocation—given their direct customer relationships and ability to leverage existing onboarding and account maintenance processes. Therefore, FinCEN decided not to propose this alternative.
3. Impose Court Authorization Requirement on Federal Agencies
The third alternative would extend the requirement that State, local, and Tribal law enforcement agencies provide a court authorization with each BOI request to 202 Federal agencies. FinCEN expects that requests submitted by State, local, and Tribal law enforcement agencies have an additional 20 to 30 hours of burden owing to an additional requirement that a court of competent jurisdiction, including any officer of such a court, authorizes the agency to seek the information in a criminal or civil investigation. Therefore, FinCEN applies this additional 20 to 30 hours of burden per BOI request to the estimated BOI requests submitted by Federal agencies and by State regulators. Using FinCEN’s internal BSA request data as a proxy, FinCEN anticipates that Federal agencies could submit as many as approximately 2 million total BOI requests annually.184 Using an hourly wage estimate of $108 per hour for Federal employees results in additional aggregate annual costs between approximately $4.3 billion and $6.5 billion ((2 million Federal requests × 20 hours × $108 per hour = $4,320,000,000) and (2 million Federal requests × 30 hours × $108 per hour = $6,480,000,000)). This alternative could minimize the potential for broad or non-specific searches by any agency not currently subject to the requirement because of the higher initial barrier to accessing the data. However, FinCEN believes that imposing this requirement on authorized recipients, for whom such a requirement is not statutorily mandated, is overly burdensome and would make it too difficult to obtain BOI in a timely fashion for active investigations. For these reasons, FinCEN decided not to propose this alternative.
b. Affected Entities
In order to analyze cost and benefits, the number of entities affected by the proposed rule must first be estimated.
Authorized recipients of BOI would be affected by this proposed rulemaking if they elect to access BOI, because they are required to meet certain criteria in order to receive that BOI. The criteria vary depending on the type of authorized recipient.
Federal agencies engaged in national security, intelligence, and law enforcement activity would have access to BOI in furtherance of such activities if they establish the appropriate protocols prescribed for them in the proposed rule. Additionally, Treasury officers and employees who require access to BOI to perform their official duties or for tax administration would have access. The number of agencies that could qualify under these categories is large and difficult to quantify. FinCEN proposes using the number of Federal agencies that are active entities 185 with BSA data access 186 as a proxy for the number of Federal agencies that may elect to access BOI. FinCEN believes this proxy is apt. While the criteria for access to BSA data are somewhat different outside of the CTA context, Federal agencies that have access to BSA data would generally also meet the criteria for access to BOI under the CTA. FinCEN believes that Federal agencies that have access to BSA data will most likely want access to BOI as well, and will generally be able to access it under the parameters specified by the proposed rule. FinCEN includes offices within the Department of the Treasury, such as FinCEN itself,187 in this proxy count. As of January 2022, 202 Federal agencies and agency subcomponents are active entities with BSA data access.
184 While FinCEN does not estimate growth of requests throughout the 10-year time horizon of this analysis, the number of BOI requests could increase significantly after the first years of implementation of the BOI reporting requirements as awareness of the ability to access and the utility of BOI increases.
State, local, and Tribal law enforcement agencies would have access to BOI for use in criminal and civil investigations if they follow the process prescribed for them in the proposed rule. FinCEN proposes using the number of State and local law enforcement agencies that are active entities with BSA data access as a proxy for the number of State, local, and Tribal law enforcement agencies that may access BOI, for the reasons discussed in the Federal agency context. As of January 2022, 153 State and local law enforcement agencies and agency subcomponents are active entities with access to BSA data.188 The process that the proposed rule sets forth involves these agencies obtaining a court authorization for each BOI request.
185 For purposes of this analysis, an agency has active access to BSA data if the official duties of any agency employee or contractor include authorized access to the FinCEN Query system, a web-based application that provides access to BSA reports maintained by FinCEN.
186 For purposes of this analysis, BSA data consists of all of the reports submitted to FinCEN by financial institutions and individuals pursuant to obligations that currently arise under the BSA, 31 U.S.C. 5311 et seq., and its implementing regulations. These include reports of cash transactions over $10,000, reports of suspicious transactions by persons obtaining services from financial institutions, reports of the transportation of currency and other monetary instruments in amounts over $10,000 into or out of the United States, and reports of U.S. persons’ foreign financial accounts. In fiscal year 2019, more than 20 million BSA reports were filed. See Financial Crimes Enforcement Network, ‘‘What is the BSA data?,’’ available at https://www.fincen.gov/what-bsa-data.
187 In addition to incurring costs as an authorized recipient of BOI, FinCEN expects to incur costs from administering data to other authorized recipients.
Courts of competent jurisdiction that would issue such authorizations may therefore also be affected by the proposed rule; FinCEN has not estimated the burden that may be imposed on such entities, but is interested in comments on the subject.
Foreign government entities, such as law enforcement, prosecutors, judges or other competent or central authorities, would potentially be able to access BOI after submitting a request as described in the proposed rule. FinCEN does not estimate the number of different foreign requesters that may request BOI, but instead estimates a range of the total number of annual requests for BOI that FinCEN may receive from all foreign requesters. FinCEN requests comment on this proposal and the estimate of foreign requests. The proposed rule requires that foreign requests be made through an intermediary Federal agency. Therefore, Federal agencies would also be affected by foreign requests.
The six Federal functional regulators that supervise financial institutions with CDD obligations—the FRB, the OCC, the FDIC, the NCUA, the SEC, and the CFTC—may access BOI for purposes of supervising a financial institution’s compliance with those obligations. Additionally, other appropriate regulatory agencies may access BOI under the proposed rule. FinCEN proposes primarily using the number of regulators that both supervise entities with requirements under FinCEN’s CDD Rule and are active entities with access to BSA data as a proxy for the number of regulatory agencies that may access BOI. As of January 2022, 62 regulatory agencies satisfy both criteria.189 FinCEN adds two self-regulatory organizations (SROs) to this count, which totals to 64 regulatory agencies. Although SROs are not government agencies and they would not have direct access to the beneficial ownership IT system under the proposed rule, they may receive BOI through re-disclosure and would be subject to the same security and confidentiality requirements as other regulatory agencies under the proposed rule.
Financial institutions with CDD requirements under applicable law would be able to access BOI with the consent of the reporting company. Assuming that all financial institutions that are subject to FinCEN’s CDD Rule would access BOI, FinCEN estimates the number of affected financial institutions in Table 1.
188 No Tribal law enforcement agencies currently have access to BSA data through the FinCEN Query system. FinCEN requests comment on how many Tribal law enforcement agencies may access BOI.
189 This includes the six Federal functional regulators. The remaining 56 entities are State regulators that supervise banks, securities dealers, and other entities that currently have CDD obligations under FinCEN regulations. FinCEN did not include State regulatory agencies that have active access to BSA data but do not regulate entities with FinCEN CDD obligations, such as State gaming authorities or State tax authorities.
Table 1—Affected Financial Institutions
Financial Institution Type | Count | Small Count
Banks, savings associations, thrifts, trust companies 1 | 5,128 | 3,661
Credit unions 2 | 4,957 | 4,432
Brokers or dealers in securities 3 | 3,527 | 3,439
Mutual funds 4 | 1,591 | 1,548
Futures commission merchants and introducing brokers in commodities 5 | 1,049 | 971
Total | 16,252 | 14,051
1 All counts are from Q2 2022 Federal Financial Institutions Examination Council (FFIEC) Call Report data, available at https://cdr.ffiec.gov/public/pws/downloadbulkdata.aspx.
Data for institutions that are not insured, are insured under non-FDIC deposit insurance regimes, or do not have a Federal functional regulator are from the FDIC's Research Information System, available at https://www.fdic.gov/foia/ris/ 2 Credit union data are from the NCUA for Q2 2022, available at https://www.ncua.gov/analysis/credit-unioncorporate-call-report-data. 3 According to the SEC, the number of brokers or dealers in securities for the fiscal year 2021 is 3,527. See Securities and Exchange Commission, Fiscal Year 2023 Congressional Budget Justification, p. 33, https://www.sec.gov/files/FY%202023%20Congressional%20Budget%20Justification%20Annual%20Perfor mance%20Plan_FINAL.pdf. 4 Based on estimates provided for the 2018 notice to renew 0MB control number 1506-0033, 83 FR 46011 (Sept. 11, 2018). 5 As of September 30, 2022, the CFTC stated there are 60 futures commission merchants and 989 introducing brokers in commodities, totaling 1,049. 190 The SBA currently defines small entity size standards for affected financial institutions as follows: less than $750 million in total assets for commercial banks, savings institutions, and credit unions; less than $41.5 million in total assets for trust companies; less than $41.5 million in annual receipts for broker-dealers; less than $41.5 million in annual receipts for portfolio management; less than $35 million in annual receipts for open-end investment funds; and less than $41.5 million in annual receipts for futures commission merchants and introducing brokers in commodities. See U.S. Small Business Administration’s Table of Size VerDate Sep<11>2014 22:00 Dec 15, 2022 Jkt 259001 U.S. Census Bureau’s publicly available 2017 Statistics of U.S. 
Businesses survey data (Census survey data).191 FinCEN applies SBA size standards to the corresponding industry’s receipts in the 2017 Census survey data and determines what proportion of a given industry is deemed small, on Standards, https://www.sba.gov/sites/default/files/ 2022-07/Table%20of%20Size%20Standards_ Effective%20July%2014%202022_Final-508.pdf. 191 See U.S. Census Bureau, U.S. & states, NAICS, detailed employment sizes (U.S., 6-digit and states, NAICS sectors) (2017), available at https:// www.census.gov/data/tables/2017/econ/susb/2017susb-annual.html. The Census survey documents the number of firms and establishments, employment numbers, and annual payroll by State, industry, and enterprise every year. Receipts data, which FinCEN uses as a proxy for revenues, is available only once every five years, with 2017 being the most recent survey year with receipt data. PO 00000 Frm 00027 Fmt 4701 Sfmt 4702 average.192 193 FinCEN considers a 192 FinCEN does not apply population proportions to banks or credit unions. Because data accessed through FFIEC and NCUA Call Report data provides information about asset size for banks, trusts, savings and loans, credit unions, etc., FinCEN is able to directly determine how many banks and credit unions are small by SBA size standards. Because the Call Report data does not include institutions that are not insured, are insured under non-FDIC deposit insurance regimes, or that do not have a Federal financial regulator, FinCEN assumes that all such entities listed in the FDIC’s Research Information System data are small, unless they are controlled by a holding company that does not meet the SBA’s definition of a small entity, and includes them in the count of small banks. 
193 Consistent with the SBA’s General Principles of Affiliation, 13 CFR 121.103(a), FinCEN aggregates the assets of affiliated financial institutions using FFIEC financial data reported by bank holding companies on forms Y–9C, Y–9LP, and Y–9SP (available at https://www.ffiec.gov/npw/ E:\FR\FM\16DEP4.SGM Continued 16DEP4 EP16DE22.020</GPH> lotter on DSK11XQN23PROD with PROPOSALS4 Totaling these estimates results in 16,252 financial institutions that may access BOI pursuant to the proposed rule. Of these financial institutions, 14,051 are small entities. To identify whether a financial institution is small, FinCEN uses the Small Business Administration’s (SBA) latest annual size standards for small entities in a given industry.190 FinCEN also uses the 77430 Federal Register / Vol. 87, No. 241 / Friday, December 16, 2022 / Proposed Rules financial institution to be small if it has total annual receipts less than the annual SBA small entity size standard for the financial institution’s industry. FinCEN applies these estimated proportions to FinCEN’s current financial institution counts for brokers or dealers in securities, mutual funds, and futures commission merchants and introducing brokers in commodities to determine the proportion of current small financial institutions in those industries. Using this methodology and data from the FFIEC and the NCUA, approximately 14,051 small financial institutions could be affected by the proposed rule, as summarized in Table 1. Table 2 summarizes the counts of entities by category that would have access to BOI data. Table 2—Affected Entities ederal agencies engaged in national security, ·ntelligence, or law enforcement activities, and Treasury offices 1 State, local, and Tribal law enforcement agencies 153 0 NIA NIA egulatory agencies2 64 0 inancial institutions 3 16,252 14,051 16,671 14,051 oreign requesters Total 1 This includes 186 active Federal agencies and 16 offices within the U.S. 
Department of the Treasury ·ncluding FinCEN. includes both State and Federal regulators of institutions subject to CDD requirements, as well as SROs. 3 This includes all financial institutions subject to CDD requirements, as summarized in Table 1. c. Potential Costs and Benefits Ideally, a cost-benefit analysis would identify and monetize, with certainty, all costs and benefits of a regulation; this would enable policymakers to evaluate different regulatory options by comparing dollar amounts of costs and benefits, and pursuing those options with the greatest net benefits. However, regulatory impact analyses often include both cost and benefit components that cannot be expressed in monetary units with any degree of certainty. As explained by OMB in relevant costbenefit guidance, simple cost-benefit comparisons can be misleading when the analysis cannot express important benefits and costs in dollar terms ‘‘because the calculation of net benefits in such cases does not provide a full evaluation of all relevant benefits and costs.’’ 195 FinCEN follows OMB’s recommendation in such instances and provides an evaluation of nonquantifiable benefits and costs in addition to quantified benefits and costs. This RIA estimates costs to the authorized recipients for following the proposed rule’s security and confidentiality requirements, costs to FinCEN for administering access to BOI, and benefits that authorized recipients would gain from accessing BOI. The quantified estimates provided in this RIA include a range of possible costs and benefits for each type of authorized recipient. The quantified benefits are limited to cost savings that agencies may obtain through accessing BOI; there are other, non-quantified benefits that would also be included in the agencies’ decision to request BOI. 
For the purposes of estimating the overall impact of the proposed rule, FinCEN assumes that Federal, State, or local agencies that access BOI would do so only if the quantified and nonquantified benefits at least equal the costs, since these entities would obtain access to BOI only if they voluntarily request it. Therefore, FinCEN expects that in reality the minimum net impact to these entities would be zero, meaning that the costs equal the benefits. However, because many of benefits to FinancialReport/FinancialDataDownload) and ownership data (available at https://www.ffiec.gov/ npw/FinancialReport/DataDownload) when determining if an institution should be classified as small. FinCEN uses four quarters of data reported by holding companies, banks, and credit unions because a ‘‘financial institution’s assets are determined by averaging the assets reported on its four quarterly financial statements for the preceding year.’’ See U.S. Small Business Administration’s Table of Size Standards, p. 44 n.8, https:// www.sba.gov/sites/default/files/2022-07/Table %20of%20Size%20Standards_ Effective%20July%2014%202022_Final-508.pdf. FinCEN recognizes that using SBA size standards to identify small credit unions differs from the size standards applied by the NCUA. However, for consistency in this analysis, FinCEN applies the SBA-defined size standards. 194 FinCEN considered whether other entities would be considered small entities pursuant to the Regulatory Flexibility Act. The Regulatory Flexibility Act’s definition of a small governmental jurisdiction is a government of a city, county, town, township, village, school district, or special district with a population of less than 50,000. While State, local, and Tribal government agencies may be affected by the proposed rule, FinCEN does not believe that government agencies of jurisdictions with a population of less than 50,000 would be included in such agencies. However, FinCEN requests comment on this assumption. 
195 Office of Management and Budget, Circular A– 4:10 (Sept. 17, 2003), available at https:// obamawhitehouse.archives.gov/omb/circulars_ a004_a-4. lotter on DSK11XQN23PROD with PROPOSALS4 As evidenced in Table 2, FinCEN anticipates that as many as 16,671 different domestic agencies and financial institutions could elect to access BOI. Of these, FinCEN believes the only entity category that would have small entities affected is financial institutions.194 VerDate Sep<11>2014 22:00 Dec 15, 2022 Jkt 259001 PO 00000 Frm 00028 Fmt 4701 Sfmt 4702 E:\FR\FM\16DEP4.SGM 16DEP4 EP16DE22.021</GPH> 2 This Federal Register / Vol. 87, No. 241 / Friday, December 16, 2022 / Proposed Rules such agencies are not quantifiable, FinCEN presents in the analysis an impact estimate that incorporates the range of quantified costs and benefits that FinCEN expects based in part on outreach to agencies that are authorized recipients of BOI. FinCEN does not attempt to estimate a dollar value of benefits that will accrue to financial institutions, State regulators or SROs as a result of the proposed rule. In order to estimate financial institutions’ benefits, it would be necessary to know how access to BOI under the proposed rule would apply to CDD obligations, which will not be known until FinCEN revises the 2016 CDD Rule, as the CTA requires. FinCEN estimates a dollar value of benefits that would accrue to Federal financial regulatory agencies on the assumption that these agencies would access BOI for law enforcement activity.196 However, FinCEN does not estimate a dollar value of benefits accruing to State regulators and SROs because FinCEN assumes that their primary use of BOI would be for examinations of financial institutions for compliance with CDD requirements, rather than for law enforcement activity. In addition, FinCEN assumes that no quantifiable benefits will accrue to FinCEN itself as a result of administering BOI access. 
The costs in the first and subsequent years are distributed unevenly among the different types of Federal, State, and local agencies. The estimated average year 1 net impact per Federal agency is between $8,967,600 in costs and $2,157,165 in savings,197 per State regulator is between $1,995 and $0.5 million in costs, per State, local and Tribal law enforcement agency is between $52,977,200 in costs and $1,516,485 in savings,198 per SRO is between $2,494 and $0.6 million in costs, and per financial institution is between $12,206 and $17,695 in costs. From year 2 and onward, the estimated average annual net impact per Federal agency is between $8,867,600 in costs and $2,158,785 in savings,199 per State regulator is between $855 and $0.4 million in costs, per State, local and Tribal law enforcement agency is between $52,877,200 in costs and $1,517,625 in savings,200 per SRO is between $1,069 and $0.5 million in costs, and per financial institution is between $7,456 and $9,145 in costs. Overall, FinCEN estimates the potential overall impact associated with the proposed rule would be between $108.7 million in net savings and $840.7 million in net costs in the first year of implementation of the rule, and then from $186.5 million in net savings to $672.0 million in net costs on an ongoing annual basis.201 These estimates, along with any non-quantifiable costs and benefits, are described in further detail within this section.202
In the analysis, FinCEN uses an estimated compensation rate of approximately $108 per hour for Federal agencies and foreign requesters, approximately $76 per hour for State, local, and Tribal agencies, and approximately $95 per hour for financial institutions. This is based on occupational wage data from the U.S. Bureau of Labor Statistics (BLS).203 The most recent occupational wage data from the BLS corresponds to May 2021, released in May 2022. To obtain these three wage rates, FinCEN calculated the average reported hourly wages of six specific occupation codes assessed to be likely authorized recipients at Federal agencies, State, local, and Tribal agencies, and financial institutions.204 205 Included financial industries were identified at the most granular North American Industry Classification System (NAICS) code available and are the types of financial institutions that are subject to regulation under the BSA, even if these financial institutions are not entities that are affected by the proposed rule, including: banks (as defined in 31 CFR 1010.100(d)); casinos; money service businesses; broker-dealers; mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; and loan or finance companies. This results in a Federal agency hourly wage estimate of $66.78; a State, local, and Tribal agency hourly wage estimate of $46.70; 206 and a financial institution hourly wage estimate of $67.23. Multiplying these hourly wage estimates by their corresponding benefits factor (1.62 207 for government agencies and 1.42 208 for private industry) produces fully loaded hourly compensation amounts of approximately $108 for Federal agencies, $76 for State, local, and Tribal agencies, and $95 per hour for financial institutions. These wage estimates are summarized in Table 3:

Table 3—Fully Loaded Wage Estimates

| Entity | Hourly Wage Estimate | Benefits Factor | Fully Loaded Hourly Compensation |
|---|---|---|---|
| Federal government agency 1 | $66.78 | 1.62 | $108 |
| State government agency | $46.02 | 1.62 | $75 |
| Local government agency | $47.37 | 1.62 | $77 |
| Equal weighted average for State, local, and Tribal agencies 2,3 | $46.70 | 1.62 | $76 |
| Financial institution | $67.23 | 1.42 | $95 |

1 FinCEN assumes the same hourly wage estimate for foreign requesters as for Federal agencies.
2 This estimate does not include Tribal wages, as BLS does not provide any estimates for Tribal agencies. FinCEN welcomes comment on this estimate.
3 FinCEN calculates a simple average of the hourly wage estimate of State and local agencies. Estimating the average State and local agency hourly wage using a value-weighted approach based on the likely proportion of State versus local agency participants using internal FinCEN BSA data produced a similar hourly wage estimate.

1. Costs
Each of the affected entities would have costs associated with the proposed rule if it elects to access FinCEN’s BOI database. The costs would vary based on the access procedures for the authorized recipients.209 The proposed rule would require different access procedures for domestic agencies, foreign requesters, and financial institutions. FinCEN would also incur costs for administering access to authorized recipients.
A. Domestic Agencies
Domestic agencies must meet multiple requirements to receive BOI. Whether the costs of these requirements would be one-time, ongoing, or recurring, and whether the costs accrue on a per-recipient or per-request basis varies from requirement to requirement. Additionally, some requirements are administrative and involve the creation of documents, while others involve IT. To estimate the costs for meeting these requirements, FinCEN consulted with multiple Federal agencies and utilized statistics regarding active entities with BSA data access. Requirements are summarized in Table 4, which is followed by more detailed analysis. Costs associated with each requirement are summarized in Table 5, at the end of this section.

Table 4—Requirements for Domestic Agencies 1

| # | Requirement | Timing | Type |
|---|---|---|---|
| 1 | Enter into an agreement with FinCEN and establish standards and procedures | One-time | Administrative |
| 2 | Establish and maintain a secure system to store BOI | Ongoing | IT |
| 3 | Establish and maintain an auditable system of standardized records for requests | Ongoing | IT |
| 4 | Restrict access to appropriate persons within the agency, all of whom must undergo training 2 | Ongoing (Training cost is per recipient) | Administrative |
| 5 | Conduct an annual audit and cooperate with FinCEN’s annual audit | Annual | Administrative |
| 6 | Obtain certification of standards and procedures initially and then semi-annually, by the head of the agency | Semi-annual | Administrative |
| 7 | Provide initial and then an annual report on procedures | Annual | Administrative |
| 8 | Submit written certification for each request that it meets certain agency requirements | Ongoing (Cost is per request) | Administrative |

1 In addition to the requirements in this table, the proposed rule requires that a domestic agency shall limit, to the greatest extent practicable, the scope of BOI it seeks. However, there is no associated cost estimated for this requirement, and it is not included within the table.
2 While FinCEN does not assess a cost for restricting access, FinCEN assesses a cost related to the training requirement included under this provision.

Enter into an agreement with FinCEN and establish standards and procedures. For requirement #1, FinCEN assumes that domestic agencies would incur costs during the first year of implementation. FinCEN received the following feedback from different agencies on the amount of time needed for these requirements. Agencies described the types of activities expected to meet these requirements in their responses, but the feedback applies to estimated burden for requirement #1:
• Approximately 15 to 20 hours to formalize policies and procedures.
• Approximately 40 hours to review, analyze and implement any unique standards and procedures of FinCEN’s database into the agency’s current secure systems.
• Approximately 300 hours to draft and shepherd standards and procedures.
Therefore, in alignment with the feedback FinCEN received during outreach efforts, FinCEN assumes it would take a domestic agency, on average, between 15 and 300 business hours to complete this one-time task. Using an hourly wage estimate of $108 per hour for Federal agencies results in a one-time cost between approximately $1,620 and $32,400 per Federal agency ((15 hours × $108 per hour = $1,620) and (300 hours × $108 per hour = $32,400)). Using an hourly wage estimate of $76 per hour for State, local, and Tribal agencies results in a one-time cost between approximately $1,140 and $22,800 per State, local, and Tribal agency ((15 hours × $76 per hour = $1,140) and (300 hours × $76 per hour = $22,800)). To estimate aggregate costs, FinCEN multiplies these ranges by 208 total Federal agencies 210 and 209 State, local, and Tribal agencies,211 resulting in a total one-time cost between approximately $0.6 million and $11.5 million ((208 Federal agencies × $1,620 per Federal agency + 209 State, local, and Tribal agencies × $1,140 per State, local, and Tribal agency = $575,220) and (208 Federal agencies × $32,400 per Federal agency + 209 State, local, and Tribal agencies × $22,800 per State, local, and Tribal agency = $11,504,400)).
Establish and maintain a secure system to store BOI. The cost of requirement #2 would vary depending on the existing IT infrastructure of the domestic agency. Some agencies may be able to build upon existing systems that generally meet the security and confidentiality requirements. Other agencies may need to create new systems. FinCEN received the following feedback from outreach on this subject. Agencies described the types of activities expected to meet these requirements in their responses, but the feedback applies to estimated burden for requirement #2:
• Approximately 60 hours to establish a secure system for BOI, based on the method of access. That agency further suggested that maintaining the secure storage system would require a periodic review of about 4 hours to assure system integrity.
• Approximately 300 hours to incorporate BOI into existing information systems. Once the system is established, maintenance would be a minimal additional ongoing cost.
• Approximately no cost, assuming that the BOI would be accessed similarly to BSA data (i.e., in a web-based system maintained by FinCEN). This was the conclusion of multiple agencies. One agency further noted that this overall process would have little to no financial impact on the agency, as FinCEN would establish the web-based portal, maintain the secure storage system of the data, and develop mechanisms to safeguard the information contained therein from unauthorized access.

196 See 31 U.S.C. 5336(c)(2)(B)(i)(I).
197 The maximum estimated costs in Year 1 are $9 million per Federal agency, and the minimum estimated benefits in Year 1 per Federal agency are $32,400, so the maximum net cost per Federal agency is $8,967,600 ($9,000,000 − $32,400). The maximum estimated benefits in Year 1 per Federal agency are $2,160,000, and the minimum estimated costs in Year 1 per Federal agency are $2,835, so the maximum estimated net benefit per Federal agency is $2,157,165 ($2,160,000 − $2,835).
198 The maximum estimated costs in Year 1 are $53 million per State, local, and Tribal law enforcement agency, and the minimum estimated benefits in Year 1 are $22,800 per State, local and Tribal law enforcement agency, so the maximum net cost per State, local, and Tribal law enforcement agency is $52,977,200 ($53,000,000 − $22,800). The maximum estimated benefits in Year 1 per State, local, and Tribal law enforcement agency are $1,520,000, and the minimum estimated cost per State, local, and Tribal law enforcement agency is $3,515, so the maximum estimated net benefit in Year 1 per State, local, and Tribal law enforcement agency is $1,516,485 ($1,520,000 − $3,515).
199 The maximum estimated costs in year 2 and onward are $8.9 million per Federal agency, and the minimum estimated benefits in year 2 and onward are $32,400 per Federal agency, so the maximum estimated net costs are $8,867,600 ($8,900,000 − $32,400). The maximum estimated benefits in year 2 and onward per Federal agency are $2,160,000, and the minimum estimated cost per Federal agency is $1,215, so the maximum estimated net benefits per Federal agency are $2,158,785 ($2,160,000 − $1,215).
200 The maximum estimated costs in year 2 and onward are $52.9 million per State, local, and Tribal law enforcement agency, and the minimum estimated benefits in year 2 and onward per State, local, and Tribal law enforcement agency are $22,800, so the maximum estimated net costs in years 2 and onward per State, local, and Tribal law enforcement agency are $52,877,200 ($52,900,000 − $22,800). The maximum estimated benefits in years 2 and onward per State, local, and Tribal law enforcement agency are $1,520,000, and the minimum estimated costs in years 2 and onward per State, local, and Tribal law enforcement agency are $2,375, so the maximum estimated net benefits in years 2 and onward per State, local, and Tribal law enforcement agency are $1,517,625 ($1,520,000 − $2,375).
201 Both here and throughout the analysis, FinCEN estimates a range of both costs and benefits. These ranges reflect heterogeneity across agencies and financial institutions in terms of requirements to access BOI, entity size, resources, existing IT infrastructure, and investigative caseload, among other factors. FinCEN does not know exactly what every authorized recipient’s unique costs and benefits would be and instead provides ranges of the expected minimum and maximum. FinCEN believes that providing ranges with minimums and maximums, rather than a point estimate, such as the median, throughout this analysis is more appropriate given the number of factors that could contribute to the actual cost or benefits an authorized recipient incurs due to the proposed rule.
202 Throughout the analysis, FinCEN rounds each step of the calculation to the nearest whole dollar value for smaller estimates and to the first significant figure after the decimal for larger estimates (in the hundreds of thousands, millions, and billions). Performing a sensitivity analysis where rounding is only performed in the final step of the whole impact calculation confirms that FinCEN’s rounding method produces a difference of less than 0.7 percent in the magnitude of FinCEN’s estimates, which FinCEN does not consider to be sufficient to affect its analysis or conclusions regarding the impact of the proposed rule.
203 See U.S. Bureau of Labor Statistics, National Occupational Employment and Wage Estimates (May 2021), available at https://www.bls.gov/oes/current/oessrci.htm.
204 To estimate government hourly wages, FinCEN modifies the burden analysis in FinCEN’s publication “Renewal without Change of Anti-Money Laundering Programs for Certain Financial Institutions.” See 85 FR 49418 (Aug. 13, 2020). Specifically, FinCEN uses hourly wage data from the following six occupations to estimate an average hourly government employee wage: chief executives (i.e., agency heads), first-line supervisors of law enforcement workers, law enforcement workers, financial examiners, lawyers and judicial clerks, and computer and information systems managers.
205 FinCEN uses hourly wage data for the following occupations to estimate an average hourly financial institution employee wage: chief executives, financial managers, compliance officers, and financial clerks. FinCEN also includes the hourly wages for lawyers and judicial clerks, as well as for computer and information systems managers.
206 To estimate a single hourly wage estimate for State, local, and Tribal agencies, FinCEN calculated an average of the May 2021 mean hourly wage estimates for State government agencies and for local government agencies (($46.02 + $47.37)/2 = $46.70), as wages are available for both of these types of government workers in the BLS occupational wage data. BLS data does not include an estimate for Tribal government workers and thus FinCEN does not include a Tribal government worker wage estimate in this average. FinCEN welcomes comment on how to obtain wage estimates for Tribal government workers.
207 The ratio between benefits and wages for State and local government workers is $21.15 (hourly benefits)/$34.32 (hourly wages) = 0.62, as of March 2022. The benefit factor is 1 plus the benefit/wages ratio, or 1.62. See U.S. Bureau of Labor Statistics, Employer Costs for Employee Compensation Historical Listing, available at https://www.bls.gov/web/ecec/ececqrtn.pdf. The State and local government workers series data for March 2022 is available at https://www.bls.gov/web/ecec/ecec-government-dataset.xlsx. FinCEN applies the same benefits factor to Federal workers.
208 The ratio between benefits and wages for private industry workers is $11.42 (hourly benefits)/$27.19 (hourly wages) = 0.42, as of March 2022. The benefit factor is 1 plus the benefit/wages ratio, or 1.42. See U.S. Bureau of Labor Statistics, Employer Costs for Employee Compensation: Private industry dataset (March 2022), available at https://www.bls.gov/web/ecec/ecec-private-dataset.xlsx.
209 The costs would also vary by institution size and investigation caseload, but for simplicity, FinCEN estimates an average impact by category of authorized recipient throughout the analysis.
210 This is derived from 202 Federal law enforcement, national security and intelligence agencies and agency subcomponents plus six Federal regulators.
211 This is derived from 153 State and local law enforcement agencies plus 56 State regulators that supervise entities with CDD obligations.
Consistent with feedback from agencies, FinCEN expects that certain agencies (in particular, Federal agencies) would bear de minimis IT costs because Federal agencies already have secure systems and networks in place as well as sufficient storage capacity in accordance with Federal Information Security Management Act (FISMA) standards.212 Therefore, FinCEN assumes a range of burden for requirement #2 in year 1 of de minimis to 300 hours, and an ongoing burden of de minimis to 4 hours. Using an hourly wage estimate of $108 per hour for Federal agencies results in an initial cost between approximately de minimis costs and $32,400 (300 hours × $108 per hour = $32,400), and $432 annually thereafter (4 hours × $108 per hour = $432) per Federal agency. Using an hourly wage estimate of $76 per hour for State, local, and Tribal agencies results in an initial cost between approximately de minimis costs and $22,800 (300 hours × $76 per hour = $22,800), and $304 annually thereafter (4 hours × $76 per hour = $304) per State, local, and Tribal agency. To estimate aggregate costs, FinCEN multiplies these ranges by 208 total Federal agencies, and 209 State, local, and Tribal agencies, resulting in a total year 1 cost between approximately de minimis and $11.5 million (208 Federal agencies × $32,400 per Federal agency + 209 State, local, and Tribal agencies × $22,800 per State, local, and Tribal agency = $11,504,400).
212 Under FISMA, Federal agencies need to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by an agency. Federal agencies also need to comply with the information security standards and guidelines developed by NIST. 44 U.S.C. 3553.
The ongoing annual cost would be between approximately de minimis and $0.2 million (208 Federal agencies × $432 per Federal agency + 209 State, local, and Tribal agencies × $304 per State, local, and Tribal agency = $153,392).
Establish and maintain an auditable system of standardized records for requests. As with requirement #2, the ongoing IT costs from requirement #3 would vary depending on the existing IT infrastructure of the domestic agency. FinCEN received the following feedback from outreach on this subject. Agencies described the types of activities expected to meet these requirements in their responses, but the feedback applies to estimated burden for requirement #3:
• Approximately 60 hours would be required to establish a storage system for record requests that is in compliance with both FinCEN and the agency’s applicable policies and procedures. This estimate includes a review of the agency’s Memorandum of Understanding (MOU) with FinCEN and consultation with appropriate personnel responsible for access to and disclosure of such records. Additionally, the agency suggested that maintenance of BOI requests would require an estimated 20 hours on an ongoing basis.
• Approximately 200 hours would be needed to incorporate BOI into record storage systems and minimal ongoing cost.
• Approximately no additional costs, as another agency noted that the cost would already be included in the estimate for establishing standards and procedures, and that if BOI is treated similarly to BSA data, there would not be ongoing costs.
FinCEN expects that certain agencies (in particular, Federal agencies) would bear de minimis IT costs because Federal agencies already have secure systems and networks in place as well as sufficient storage capacity in accordance with FISMA standards. Therefore, based on agency feedback, FinCEN assumes a range of burden for requirement #3 in year 1 of de minimis to 200 hours, and an ongoing burden of de minimis to 20 hours.
Using an hourly wage estimate of $108 per hour for Federal agencies results in an initial cost between approximately de minimis costs and $21,600 (200 hours × $108 per hour = $21,600), and $2,160 annually thereafter (20 hours × $108 per hour = $2,160) per Federal agency. Using an hourly wage estimate of $76 per hour for State, local, and Tribal agencies results in an initial cost between approximately de minimis costs and $15,200 (200 hours × $76 per hour = $15,200), and $1,520 annually thereafter (20 hours × $76 per hour = $1,520) per State, local, and Tribal agency. To estimate aggregate costs, FinCEN multiplies these ranges by 208 total Federal agencies, and 209 State, local, and Tribal agencies, resulting in a total year 1 cost between approximately de minimis and $7.7 million (208 Federal agencies × $21,600 per Federal agency + 209 State, local, and Tribal agencies × $15,200 per State, local, and Tribal agency = $7,669,600). The ongoing annual cost would be between approximately de minimis and $0.8 million (208 Federal agencies × $2,160 per Federal agency + 209 State, local, and Tribal agencies × $1,520 per State, local, and Tribal agency = $766,960).

Restrict access to appropriate persons within the agency, all of whom must undergo training. Requirement #4 notes that employees that receive BOI access would be required to undergo training. The number of authorized recipients that would have BOI access at a given agency would vary.
Using the active entities with access to BSA data as of January 2022 as a proxy, and consistent with information provided by a number of agencies, FinCEN anticipates that each Federal agency could have anywhere between approximately 1 and 1,600 recipients of BOI data while each State, local, and Tribal agency could have anywhere between 1 and 68 recipients of BOI.213 To estimate the cost of this training, FinCEN assumes that each employee that would access the BOI data would be required to undergo 1 hour of training per year.214 Using an hourly wage estimate of $108 per hour for Federal agencies results in an annual cost between approximately $108 and $172,800 ((1 employee × 1 hour × $108 per hour = $108) and (1,600 employees × 1 hour × $108 per hour)) per Federal agency. Using an hourly wage estimate of $76 per hour for State, local, and Tribal agencies results in an annual cost between approximately $76 and $5,168 ((1 employee × 1 hour × $76 per hour = $76) and (68 employees × 1 hour × $76 per hour = $5,168)) per State, local, and Tribal agency. To estimate the aggregate annual costs, FinCEN uses aggregate user counts of active BSA data users based on internal FinCEN data from January 2022, which provides a more reasonable estimate of the likely number of authorized recipients than assuming the previously estimated ranges would apply to each domestic agency.

213 The range provided is an estimate of the lowest and highest number of users for Federal agencies and for State and local agencies respectively as of a given date in January 2022 with access to BSA data through FinCEN’s database.

214 The assumption of one training hour is in alignment with the current training requirement for accessing BSA data. However, one notable difference is that the proposed BOI training requirement is annual, not biennial.
Therefore, based on internal data, FinCEN expects that approximately 11,000 Federal employees and 1,800 employees of State, local, and Tribal agencies would require annual training to access BOI data.215 This translates into an aggregate annual training cost of approximately $1.3 million (11,000 Federal employees × 1 hour × $108 per hour + 1,800 State, local, and Tribal employees × 1 hour × $76 per hour = $1,324,800).

215 These estimates are based on the number of users that directly access BSA data through FinCEN’s internal system; there are a limited number of other ways that users may access BSA data, which are not accounted for here. Furthermore, FinCEN does not estimate growth of BOI authorized recipients throughout the 10-year time horizon of this analysis. However, FinCEN acknowledges that the number of BOI authorized recipients could increase significantly after the first year of implementation of the BOI reporting requirements as awareness of the ability to access and utility of BOI increases.

Conduct an annual audit and cooperate with FinCEN’s annual audit; initially and then semi-annually certify standards and procedures by the head of the agency; annually provide a report on procedures. Requirements #5–7 are administrative costs that a domestic agency would incur on an annual or semi-annual basis. Specifically, they require an agency to: (1) conduct an annual audit and cooperate with FinCEN’s annual audit; (2) certify standards and procedures by the head of the agency semi-annually; and (3) provide an annual report on procedures to FinCEN. Based on feedback from outreach, FinCEN assumes it would take a given agency between 10 hours and 160 hours per year to meet these three requirements. FinCEN received the following feedback from domestic agencies regarding the estimated costs of these requirements. Agencies described the types of activities expected to meet these requirements in their responses, but the feedback applies to estimated burden for requirements #5–7:

• Approximately 40 hours would be needed to perform an annual audit related to compliance of standards, procedures and storage of data. Once acceptable and verifiable procedures are in place, annual reporting to FinCEN would require approximately 20 hours and an annual outlay of 30 hours to review and proceed with internal processes that would result in the agency head’s semi-annual certification. Thus, the aggregate annual estimate of compliance burden would be approximately 120 hours (40 hours for audit + (2 × 30 hours for agency head certification) + 20 hours for reporting).
• Approximately 100 hours to conduct an annual audit by internal auditors, 40 hours to prepare an annual report, and 20 hours to prepare for review and certification, totaling 160 hours.
• Approximately 0 hours to conduct an annual audit given the assumption that FinCEN would maintain the database, and 10 to 20 hours for the annual report and agency head review.216
• Approximately 120 to 160 hours. One agency’s liaison to FinCEN is responsible for, among other duties, reviewing the results of an annual audit conducted by FinCEN relating to system usage, and ensuring personnel are in compliance with the policies and procedures set forth by FinCEN.217 The liaison spends anywhere from 120 to 160 hours each year on these duties relating to BSA data. One agency anticipates that a similar number of the liaison’s hours would be attributed to BOI, and the administrative, procedural, or legal requirements that may come with it.

Using an hourly wage estimate of $108 per hour for Federal agencies results in annual costs between approximately $1,080 and $17,280 per Federal agency ((10 hours × $108 per hour = $1,080) and (160 hours × $108 per hour = $17,280)).
Using an hourly wage estimate of $76 per hour for State, local, and Tribal agencies results in annual costs between approximately $760 and $12,160 per State, local, and Tribal agency ((10 hours × $76 per hour = $760) and (160 hours × $76 per hour = $12,160)). To estimate annual aggregate costs, FinCEN multiplies these ranges by 208 total Federal agencies and 209 State, local, and Tribal agencies, resulting in a total annual cost between approximately $0.4 million and $6.1 million ((208 Federal agencies × $1,080 per Federal agency + 209 State, local, and Tribal agencies × $760 per State, local, and Tribal agency = $383,480) and (208 Federal agencies × $17,280 per Federal agency + 209 State, local, and Tribal agencies × $12,160 per State, local, and Tribal agency = $6,135,680)).

216 This estimate assumes that FinCEN would have audit responsibilities, and the tracking of auditable activity would be maintained by FinCEN’s system. This is similar to the current BSA data structure. Therefore, the agency assumes that it would not independently bear costs related to this audit function.

217 Additionally, the liaison disseminates protocols to authorized personnel relating to requesting and maintaining access to BSA data.

Submit written certification for each request that it meets certain agency requirements. Finally, for requirement #8, domestic agencies are required to submit a written certification for each request for BOI. The written certification would be in the form and manner prescribed by FinCEN. FinCEN anticipates that this certification would be submitted to FinCEN via an electronic form. The number of requests for BOI that would be submitted to FinCEN by domestic agencies in any given year would vary. FinCEN assumes that submitting a request to FinCEN for BOI would take one employee approximately 15 minutes, or 0.25 hours, per request.
This is based on FinCEN’s experience with submitting requests for BSA data in FinCEN Query, which similarly require a written justification for a search request. Certification requirements vary by authorized recipient type under the proposed rule.218 FinCEN expects that requests submitted by State, local, and Tribal law enforcement agencies would have 20 to 30 hours of burden in addition to the 0.25 hours of burden per request owing to an additional requirement that a court of competent jurisdiction, including any officer of such a court, issue a court authorization for the agency to seek the information in a criminal or civil investigation.219 For purposes of estimating the cost of these additional hours of burden, FinCEN applies the hourly wage estimate for State, local, and Tribal employees and assumes that this cost would be incurred by the State, local or Tribal agency. In practice, employees within the court system may also incur costs related to this requirement. FinCEN welcomes comment on the appropriate wage rate and burden for such an estimation.

218 While Federal and regulatory agencies must certify that their request is related to specific activities, State, local, and Tribal law enforcement agencies must certify that a court of competent jurisdiction, including any officer of such a court, has authorized the agency to seek the information in a criminal or civil investigation.

219 FinCEN believes a 20 to 30 hour burden estimate for the additional requirement of obtaining court authorization for a BOI request would reflect the time needed for activities associated with obtaining a court authorization. FinCEN requests comment on whether this understanding is accurate.

Using an hourly wage estimate of $108 per hour for Federal employees results in a per request cost of approximately $27 per Federal agency (0.25 hours × $108 per hour = $27).
Using an hourly wage estimate of $76 per hour for State, local, and Tribal employees results in a per request cost of approximately $19 per State and local regulator (0.25 hours × $76 per hour = $19) and between approximately $1,539 and $2,299 per State, local, and Tribal law enforcement agency ((20.25 hours × $76 per hour = $1,539) and (30.25 hours × $76 per hour = $2,299)). To estimate a per agency annual cost, FinCEN uses BSA data request statistics from Fiscal Year 2021 as a proxy. Using these data, FinCEN estimates that each Federal agency could submit between 1 and 323,000 requests for BOI annually while each State, local, and Tribal agency could submit between 1 and 23,000 requests for BOI annually.220 Therefore, the estimated annual cost is between $27 and $8.7 million (($27 per request × 1 request) and ($27 per request × 323,000 requests = $8,721,000)) per Federal agency. The annual cost is between $19 and $0.4 million (($19 per request × 1 request) and ($19 per request × 23,000 requests = $437,000)) per State and local regulator. The annual cost is between $1,539 and $52.9 million (($1,539 per request × 1 request = $1,539) and ($2,299 per request × 23,000 requests = $52,877,000)) per State, local, and Tribal law enforcement agency.

220 The range is an estimate of the lowest and highest number of BSA data requests received through FinCEN’s database from Federal agencies and for State and local agencies respectively during Fiscal Year 2021.

FinCEN acknowledges that there is burden associated with the requirement to obtain a court authorization. As a result, State, local, or Tribal law enforcement agencies may submit fewer requests for BOI information than requests for BSA information, which do not impose similar requirements.
FinCEN requests comment from such authorities on whether this requirement would make it less likely that they would submit BOI requests, when compared with BSA requests. Using FinCEN’s internal BSA request data as a proxy, FinCEN anticipates that Federal agencies could submit as many as 2 million total BOI requests annually and that State, local, and Tribal agencies could submit as many as 230,000 total BOI requests annually.221 222 The internal number of BSA requests provides a more reasonable estimate of the likely number of aggregate requests than assuming the previously estimated ranges would apply to each domestic agency. This translates into aggregate annual costs between $362.4 million and $514.4 million ((2 million Federal requests × $27 per request + 30,000 State and local regulatory requests × $19 per request + 200,000 State, local, and Tribal law enforcement requests × $1,539 per request = $362,370,000) and (2 million Federal requests × $27 per request + 30,000 State and local regulatory requests × $19 per request + 200,000 State, local, and Tribal law enforcement requests × $2,299 per request = $514,370,000)). Table 5 presents the estimated costs to domestic agencies, as well as SROs, for requirements #1–8. Table 5 includes both the per agency cost and the aggregate costs for each requirement. The estimated average per agency cost in year 1 is between $2,835 and $9.0 million per Federal agency, between $1,995 and $0.5 million per State and local regulator, between $3,515 and $53 million per State, local, and Tribal law enforcement agency, and between $2,494 to $0.6 million per SRO.223 The estimated average per agency cost each year after the first year of implementation is between $1,215 and $8.9 million per Federal agency, between $855 and $0.4 million per State and local regulator, between $2,375 and $52.9 million per State, local, and Tribal law enforcement agency, and between $1,069 to $0.5 million per SRO. 
The total estimated aggregate cost to domestic agencies in year 1 is between $364.7 million and $553.1 million, and then between $364.1 million and $523.3 million each year thereafter.

221 Of the 230,000 anticipated total annual State, local, and Tribal BOI requests, approximately 30,000 are expected from State regulators and approximately 200,000 from State, local, and Tribal law enforcement agencies.

222 While FinCEN does not estimate growth of requests throughout the 10-year time horizon of this analysis, the number of BOI requests could increase significantly after the first years of implementation of the BOI reporting requirements as awareness of the ability to access and utility of BOI increases.

223 To calculate total costs to SROs, FinCEN calculated a ratio that applied the estimated costs to State regulators (which would have access requirements similar to SROs) to the wage rate estimated herein for financial institutions, since SROs are private organizations. FinCEN requests comment on this assessment. As noted previously, SROs would not have direct access to the beneficial ownership IT system, but rather may receive BOI through re-disclosure.

Table 5—Costs to Domestic Agencies

| | Requirement | Year 1 Cost Per Agency | Years 2+ Cost Per Agency | Aggregate Costs Year 1 | Aggregate Costs Years 2+ |
|---|---|---|---|---|---|
| 1 | Enter into an agreement with FinCEN and establish standards and procedures | $1,620 to $32,400 per Federal agency; $1,140 to $22,800 per State, local, and Tribal agency | $0 | $0.6 million to $11.5 million | $0 |
| 2 | Establish and maintain a secure system to store BOI | de minimis to $32,400 per Federal agency; de minimis to $22,800 per State, local, and Tribal agency | de minimis to $432 per Federal agency; de minimis to $304 per State, local, and Tribal agency | de minimis to $11.5 million | de minimis to $0.2 million |
| 3 | Establish and maintain an auditable system of standardized records for requests | de minimis to $21,600 per Federal agency; de minimis to $15,200 per State, local, and Tribal agency | de minimis to $2,160 per Federal agency; de minimis to $1,520 per State, local, and Tribal agency | de minimis to $7.7 million | de minimis to $0.8 million |
| 4 | Restrict access to appropriate persons within the agency, which specifies that each appropriate person will undergo training 1 | $108 to $172,800 per Federal agency; $76 to $5,168 per State, local, and Tribal agency | $108 to $172,800 per Federal agency; $76 to $5,168 per State, local, and Tribal agency | $1.3 million | $1.3 million |
| 5, 6, 7 | Conduct an annual audit and cooperate with FinCEN's annual audit; obtain certification of standards and procedures initially and then semi-annually, by the head of the agency; provide initial and then an annual report on procedures | $1,080 to $17,280 per Federal agency; $760 to $12,160 per State, local, and Tribal agency | $1,080 to $17,280 per Federal agency; $760 to $12,160 per State, local, and Tribal agency | $0.4 million to $6.1 million | $0.4 million to $6.1 million |
| 8 | Submit written certification for each request that it meets certain agency requirements 2 | $27 to $8.7 million per Federal agency; $19 to $0.4 million per State and local regulator; $1,539 to $52.9 million per State, local, and Tribal law enforcement agency | $27 to $8.7 million per Federal agency; $19 to $0.4 million per State and local regulator; $1,539 to $52.9 million per State, local, and Tribal law enforcement agency | $362.4 million to $514.4 million | $362.4 million to $514.4 million |
| | Total | $2,835 to $9.0 million per Federal agency; $1,995 to $0.5 million per State and local regulator; $3,515 to $53 million per State, local, and Tribal law enforcement agency; $2,494 to $0.6 million per SRO | $1,215 to $8.9 million per Federal agency; $855 to $0.4 million per State and local regulator; $2,375 to $52.9 million per State, local, and Tribal law enforcement agency; $1,069 to $0.5 million per SRO | $364.7 million to $553.1 million | $364.1 million to $523.3 million |

1 The per agency annual cost is estimated using a range of the minimum and maximum number of Federal employees and of State, local, and Tribal employees of any agency that access BSA data. The aggregate costs are estimated using the total number of Federal employees and of State, local, and Tribal employees that directly access BSA data.

2 The per agency annual cost is estimated using a range of the minimum and maximum number of requests of any agency that access BSA data. The aggregate costs are estimated using the total number of BSA data requests from Fiscal Year 2021 for Federal agencies, State and local regulators, and State, local, and Tribal law enforcement agencies.

In addition to the costs listed in Table 5, Federal agencies may incur costs related to submitting requests on behalf of foreign requesters. These costs are estimated in the next section. Federal agencies may also bear costs related to enforcement in cases of unauthorized disclosure and use of BOI; however, these costs have not been estimated in this analysis, as the level of compliance with the proposed rule is unknown.

B. Foreign Requesters

Foreign requesters must meet multiple requirements to receive BOI. FinCEN does not have an estimate of the number of foreign requesters that may elect to request and access BOI, or which requesters would do so under an applicable international treaty, agreement, or convention, or through another channel available under the proposed rule, and welcomes public comment on how to estimate this number. Foreign requesters that request and receive BOI under an applicable international treaty, agreement, or convention would not have certain requirements under the proposed rule, given that such requesters would be governed by standards and procedures under the applicable international treaty, agreement, or convention. However, FinCEN does not differentiate between types of foreign requesters in this analysis, given the lack of data. Though FinCEN is unable to estimate aggregate costs on foreign requesters at this time given the lack of data on the number of foreign requesters that may access BOI, FinCEN provides partial cost estimates of the requirements on a given foreign requester. Requirements are summarized in Table 6, which is followed by a more detailed analysis. Costs associated with each requirement are summarized in Table 7 at the end of this section.
Table 6—Requirements for Foreign Requesters 1

| 1 | Establish standards and procedures | One-time | Administrative |
| 2 | Establish a secure system to store BOI | Ongoing | IT |
| 3 | Restrict access to appropriate persons within the entity, which specifies that appropriate persons will undergo training | Ongoing per requester | Administrative |
| 4 | Provide information for each request to an intermediary Federal agency | Ongoing per request | Administrative |

1 In addition to the requirements in this table, the proposed rule requires that a foreign requester shall limit, to the greatest extent practicable, the scope of BOI it seeks. However, there is no associated cost estimated for this requirement, and it is not included within the table.

Establish standards and procedures. For requirement #1, FinCEN assumes that foreign requesters would incur costs during the first year of implementation. FinCEN assumes it would take a foreign requester, on average, between one and two full business weeks (or, between 40 and 80 business hours) to establish standards and procedures. This estimate is a FinCEN assumption based on its experience coordinating with foreign partners. FinCEN requests comment on the accuracy of this estimate. Using an hourly wage estimate of $108 per hour for Federal agencies, which FinCEN assumes is a comparable hourly wage estimate for foreign requesters, FinCEN estimates this one-time cost would be between approximately $4,320 and $8,640 per foreign requester ((40 hours × $108 per hour) and (80 hours × $108 per hour)). Foreign requesters that request and receive BOI under an applicable international treaty, agreement, or convention would not have this requirement under the proposed rule, given that such requesters would be governed by standards and procedures under the applicable international treaty, agreement, or convention. However, FinCEN does not differentiate between types of foreign requesters in this analysis, given the lack of data.

Establish a secure system to store BOI. For requirement #2, the cost of the ongoing IT requirement would vary depending on the existing infrastructure of the foreign requester. FinCEN believes that foreign requesters already have secure systems and networks in place as well as sufficient storage capacity, given their ongoing coordination with the U.S. Government on a variety of matters, which likely adhere to applicable data security standards. Therefore, FinCEN assumes de minimis IT costs. FinCEN welcomes comment on this assumption. Foreign requesters that request and receive BOI under an applicable international treaty, agreement, or convention would not have this requirement under the proposed rule, given that such requesters would be governed by security standards under the applicable international treaty, agreement, or convention. However, FinCEN does not differentiate between types of foreign requesters in this analysis, given the lack of data.

Restrict access to appropriate persons within the agency, which specifies that appropriate persons will undergo training. For requirement #3, FinCEN assumes that each foreign requester that would access the BOI data would be required to undergo 1 hour of training per year. Using an estimated hourly wage amount of $108, this results in an annual training cost of approximately $108 per foreign requester.

Provide information for each request to an intermediary Federal agency. For requirement #4, FinCEN assumes that providing information for a BOI request to a Federal intermediary agency would take one foreign requester approximately 45 minutes, or 0.75 hours, per request. This estimate is based on FinCEN’s assumption that a request for BOI submitted directly by a Federal agency on its own behalf would take approximately 15 minutes; given the additional information required for a foreign-initiated request, FinCEN proposes tripling that estimate for foreign requests. Using an hourly wage estimate of $108 per hour, this would result in a per request cost of approximately $81 per foreign requester (0.75 hours × $108 per hour = $81). Based on feedback from agencies, FinCEN believes that the total number of foreign requests could range between approximately 200 and 900 per year.224 This would result in an aggregate annual cost to foreign requesters between approximately $16,200 and $72,900 ((200 requests × $81 per request = $16,200) and (900 requests × $81 per request = $72,900)). FinCEN also assumes that Federal agencies that submit requests on behalf of foreign requesters to FinCEN would incur additional costs; FinCEN itself expects to incur costs from the submission of such requests. Therefore, FinCEN estimates that BOI requests on behalf of foreign requesters would require approximately two hours of one Federal employee’s time, resulting in a cost per request of approximately $216 (2 hours × $108 per hour). This would result in a total annual cost to Federal agencies between approximately $43,200 and $194,400 ((200 requests × 2 hours × $108 per hour = $43,200) and (900 requests × 2 hours × $108 per hour = $194,400)). Table 7 presents the estimated costs to foreign requesters for each of requirements #1–4.

224 FinCEN recognizes that the number of BOI requests from foreign requesters may be higher in reality, as no such U.S. beneficial ownership IT system currently exists. The existence of a centralized U.S. BOI source may in fact result in a higher number of annual requests by foreign requesters. FinCEN welcomes comment on this estimate.

Table 7—Costs to Foreign Requesters 1

| 1 | Establish standards and procedures | $4,320 to $8,640 | $0 | Unknown | Unknown |
| 2 | Establish a secure system to store BOI | de minimis | de minimis | de minimis | de minimis |
| 3 | Restrict access to appropriate persons within the entity, which specifies that each appropriate person will undergo training 2 | $108 per requester | $108 per requester | Unknown | Unknown |
| 4 | Provide information for each request to an intermediary Federal agency 3 | $81 per request | $81 per request | $16,200 to $72,900 | $16,200 to $72,900 |
| | Total | $4,509 to $8,829 | $189 | $16,200 to $72,900 | $16,200 to $72,900 |

1 Due to a lack of data on the number of potential foreign requesters that may elect to access BOI, it is not possible to estimate the aggregate foreign requester costs from requirements #1 and #4. The per requester and aggregate cost estimates for foreign requesters are partial, given that aggregate costs for two of the four requirements are unknown, since FinCEN does not have an estimate of the number of foreign requesters. FinCEN requests comment on an estimate of the number of potential foreign requesters that may request BOI.

2 While FinCEN does not assess a cost for restricting access, FinCEN assesses a cost related to the training requirement included under this provision. Since FinCEN does not have an estimate of the number of foreign requesters, FinCEN does not estimate an aggregate cost associated with this requirement.

3 In addition to imposing costs on foreign requesters, BOI requests from foreign requesters would impose a burden on Federal agencies, as Federal agencies would submit such BOI requests to FinCEN on behalf of the foreign requester. FinCEN expects Federal agencies' efforts and coordination to result in two hours of burden, or approximately $216 per request.

C. Financial Institutions

Financial institutions must meet multiple requirements to access BOI. Requirements are summarized in Table 8, which is followed by a more detailed analysis. Costs associated with each requirement are summarized in Table 9, at the end of this section.

Table 8—Requirements for Financial Institutions 1

| 1 | Establish administrative and physical safeguards | One-time | Administrative |
| 2 | Establish technical safeguards | Ongoing | IT |
| 3 | Obtain and document customer consent | One-time | Administrative |
| 4 | Submit written certification for each request that it meets certain requirements | Ongoing per request | Administrative |
| 5 | Undergo training 2 | Ongoing per recipient | Administrative |

1 In addition to the requirements in this table, the proposed rule requires that financial institutions shall restrict access to BOI. However, FinCEN does not estimate a cost for this requirement, and it is not included within the table.

2 While the proposed rule does not explicitly require training, FinCEN believes that the safeguards in the proposed rule would require authorized recipients of BOI at these institutions to undergo training. Additionally, FinCEN anticipates that access to the beneficial ownership IT system would be conditioned on recipients of BOI undergoing training.

Establish administrative and physical safeguards. For requirement #1, FinCEN assumes that financial institutions would incur costs during the first year of implementation. FinCEN assumes it would take a financial institution, on average, between one and two full business weeks (or, between 40 and 80 business hours) to establish administrative and physical safeguards. This estimate is a FinCEN assumption based on its experience with the financial services industry. FinCEN requests comment on the accuracy of this estimate. Using an hourly wage estimate of $95 per hour for financial institutions, FinCEN estimates this one-time cost would be between approximately $3,800 and $7,600 per financial institution. To estimate aggregate costs, FinCEN multiplies this range by 16,252 total financial institutions resulting in a total cost between approximately $61.8 million and $123.5 million (($3,800 per institution × 16,252 financial institutions = $61,757,600) and ($7,600 per institution × 16,252 financial institutions = $123,515,200), respectively).

Establish technical safeguards. For requirement #2, the cost of the ongoing IT requirement would vary depending on the existing infrastructure of the financial institution. FinCEN believes that most financial institutions already have secure systems and networks in place as well as sufficient storage capacity, given existing requirements with regard to protection of customers’ nonpublic personal information.225 Therefore, FinCEN assumes de minimis IT costs. FinCEN requests comment on this assumption.

225 As noted in the proposed rule, financial institutions may have established information procedures to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act, and applicable regulations issued thereunder, with regard to the protection of customers’ nonpublic personal information. If a financial institution is not subject to section 501 of the Gramm-Leach-Bliley Act, such institutions may be required, recommended, or authorized under applicable Federal or State law to have similar information procedures with regard to protection of customer information.

Obtain and document customer consent. For requirement #3, FinCEN assumes that financial institutions would incur costs during the first year of implementation due to updating customer consent forms and processes. Specifically, FinCEN assumes it would take a financial institution, on average, approximately 10 hours in year 1 to conduct these activities. This number is based on FinCEN’s underlying assumption that such implementation would involve relatively minimal resources to update forms and workflows. From year 2 and onward, FinCEN believes costs associated with obtaining and documenting customers’ consent would be negligible because consent forms and processes have already been established and because this requirement is a one-time and not a periodic requirement for a given customer. FinCEN requests comments from financial institutions in particular on these assumptions. Using an hourly wage estimate of $95 per hour for financial institutions, FinCEN estimates this one-time cost would be approximately $950 per financial institution. To estimate aggregate costs, FinCEN multiplies this estimate by 16,252 total financial institutions, resulting in a total cost of approximately $15.8 million ($950 per institution × 16,252 financial institutions = $15,439,400).

Submit written certification for each request that it meets certain requirements. For requirement #4, the written certifications would be submitted in the form and manner prescribed by FinCEN. FinCEN anticipates that this certification would be submitted to FinCEN via an electronic form. FinCEN assumes that submitting a request to FinCEN for BOI would take one employee approximately 15 minutes, or 0.25 hours, per request. For purposes of this analysis, FinCEN assumes a range of approximately 5 million to 6.1 million total requests from financial institutions per year.
The minimum amount assumes that the number of BOI requests from financial institutions each year would equal the number of new entities that qualify as a “reporting company” required to submit BOI. As estimated in the final BOI reporting rule’s RIA, this is approximately 5 million entities annually.226 The maximum amount assumes that financial institutions would request BOI for each new legal entity customer at the time of account opening, in alignment with the 2016 CDD Rule,227 resulting in approximately 6.1 million entities.228 For purposes of this analysis, FinCEN assumes that financial institutions would submit BOI requests related to newly open legal entity customer accounts in alignment with the 2016 CDD Rule. FinCEN requests comment, in particular from financial institutions, on whether this range is accurate. Therefore, the estimated aggregate annual cost of this requirement is between approximately $118.8 million and $144.7 million ((5 million total requests × 0.25 hours per request × $95 per hour = $118,750,000) and (6.1 million total requests × 0.25 hours per request × $95 per hour = $144,700,000), respectively). The per institution annual cost of requirement #3 is between approximately $7,310 and $8,904 (($118.8 million/16,252 financial institutions) and ($144.7 million/16,252 financial institutions), respectively).

226 In the final BOI reporting rule’s RIA, the analysis assumes 13.1 percent growth in new entities from 2020 through 2024, and then a stable same number of approximately 5 million new entities each year thereafter through 2033. FinCEN included an alternative estimate which assumed that the rate of new entities created will grow at a rate of approximately 13.1 percent per year from 2020 through 2033. This resulted in a new entity annual formation estimate of 5 million in the year of the effective date of the final BOI reporting rule which increases to approximately 5.6 million ten years after the effective date of the final BOI reporting rule (2033). See 87 FR 59582 (Sept. 30, 2022).
227 The CTA requires that the 2016 CDD Rule be revised given FinCEN’s BOI reporting and access requirements. Therefore, this estimate and assumption may change after that revision.
228 The 2016 CDD Rule estimated that each financial institution with CDD requirements will open, on average, 1.5 new legal entity accounts per business day. The rule also assumed there are 250 business days per year, which is in alignment with the number of business days in 2022. Therefore, FinCEN estimates that financial institutions would need to conduct CDD requirements for a minimum of approximately 6.1 million legal entities per year (16,252 financial institutions × 1.5 accounts per day × 250 business days per year = 6,094,500 new legal entity accounts opened per year).

Undergo training. Last, requirement #5 pertains to training for individuals that access BOI. To estimate the cost of this training, FinCEN assumes a range of authorized recipients per financial institution. FinCEN believes a range is appropriate given the variation in institution size, complexity, and business models across the 16,252 financial institutions. Based on feedback from Federal agency outreach, FinCEN assumes a minimum of one financial institution employee and a maximum of six financial institution employees would undergo annual BOI training. Using an hourly wage rate of $95 per hour, and assuming each authorized recipient would need to undergo one hour of training each year, FinCEN estimates a per institution annual training cost between approximately $95 and $570 ((1 employee × 1 hour × $95 per hour = $95) and (6 employees × 1 hour × $95 per hour = $570)).
To estimate aggregate costs, FinCEN uses SBA size standards and identifies approximately 14,051 small financial institutions and 2,201 large financial institutions (16,252 total financial institutions − 14,051 small financial institutions). Furthermore, FinCEN assumes one to two employees per small financial institution and five to six employees per large financial institution.229 This results in an estimated minimum average hourly cost of $146 ((14,051 small institutions × 1 employee × $95 per hour + 2,201 large institutions × 5 employees × $95 per hour)/16,252 total financial institutions) and a maximum average hourly cost of $241 ((14,051 small institutions × 2 employees × $95 per hour + 2,201 large institutions × 6 employees × $95 per hour)/16,252 total financial institutions). The estimated aggregate training cost is between approximately $2.4 million and $3.9 million per year ((14,051 small institutions × 1 employee × 1 training hour per person × $95 per hour + 2,201 large institutions × 5 employees × 1 hour × $95 per hour = $2,380,320) and (14,051 small institutions × 2 employees × 1 hour × $95 per hour + 2,201 large institutions × 6 employees × 1 hour × $95 per hour = $3,924,260)).

229 FinCEN acknowledges this number could significantly vary across financial institutions. FinCEN requests comment on these assumptions.

Table 9 presents the estimated costs to financial institutions for each of requirements #1–5. Table 9 illustrates both the financial institution cost and the aggregate cost for each requirement. The estimated average cost per financial institution in year 1 is between approximately $12,206 and $17,854 and between approximately $7,456 and $9,304 each year thereafter. The estimated aggregate costs from requirements #1–5 for financial institutions are between approximately $198.4 million and $290.1 million in the first year of implementation, and then between approximately $121.2 million and $151.2 million each year thereafter.

Table 9—Costs to Financial Institutions

| # | Requirement | Cost per institution, year 1 | Cost per institution, each year thereafter | Aggregate cost, year 1 | Aggregate cost, each year thereafter |
|---|---|---|---|---|---|
| 1 | Establish administrative and physical safeguards | $3,800 to $7,600 | $0 | $61.8 million to $123.5 million | $0 |
| 2 | Establish technical safeguards | de minimis | de minimis | de minimis | de minimis |
| 3 | Obtain and document customer consent | $950 | $0 | $15.4 million | $0 |
| 4 | Submit written certification for each request that it meets certain requirements | $7,310 to $8,904 | $7,310 to $8,904 | $118.8 million to $144.7 million | $118.8 million to $144.7 million |
| 5 | Undergo training | $146 to $241 | $146 to $241 | $2.4 million to $3.9 million | $2.4 million to $3.9 million |
| | Total | $12,206 to $17,695 | $7,456 to $9,145 | $198.4 million to $287.5 million | $121.2 million to $148.6 million |

D. FinCEN

In addition to the costs of accessing BOI data as a domestic agency, FinCEN would incur costs from managing the access of other authorized recipients. To administer BOI access, FinCEN would need to: develop training materials and agreements with domestic agencies; conduct ongoing outreach with authorized recipients on the access requirements and respond to inquiries from authorized recipients; conduct audits of authorized responsibilities; develop procedures to review authorized recipients’ standards and procedures, and requests as needed; and potentially reject requests or suspend access if requirements are not met. FinCEN currently administers access to the FinCEN Query system, which involves similar considerations; therefore, FinCEN would build on its experience to administer BOI access. FinCEN would also incur an initial cost in setting up internal processes and procedures for administering BOI access.230 FinCEN does not have a cost estimate for these specific activities, but notes that the final BOI reporting rule’s RIA included an estimated annual personnel cost of approximately $10 million associated with the reporting requirements.231 FinCEN assumes that personnel costs associated with the access requirements would be of a similar magnitude, and therefore includes a $10 million annual FinCEN cost in its total cost estimates for this proposed rule.

230 FinCEN would also develop the beneficial ownership IT system that allows for the varying types of access. The costs associated with developing and maintaining this IT system are addressed in the final BOI reporting rule’s RIA.
231 87 FR 59578 (Sept. 30, 2022).

2. Benefits

The proposed rule would result in benefits for authorized recipients. Currently, authorized recipients may obtain BOI through a variety of means; however, the proposed rule would put in place a system of direct and cost-saving access to the information. FinCEN has quantitatively estimated such benefits in this analysis. However, the proposed rule would also have nonquantifiable benefits to authorized recipients of BOI and to society more widely.

This proposed rule would facilitate U.S. national security, intelligence, and law enforcement activity by providing access to BOI which, as noted in the final BOI reporting rule’s RIA, would make these activities more effective and efficient. These activities would be more effective and efficient because the improved ownership transparency would enhance Federal agencies’ ability to investigate, prosecute, and disrupt the financing of terrorism, other transnational security threats, and other types of domestic and transnational financial crimes. Additionally, Treasury would gain efficiencies in its efforts to identify the ownership of legal entities, resulting in improved analysis, investigations, and policy decisions on a variety of subjects. The Internal Revenue Service could obtain access to BOI for tax administration purposes, which may provide benefits for tax compliance. Federal regulators may also obtain benefits by accessing BOI in civil law enforcement matters. Similarly, the proposed rule would facilitate and make more efficient investigations by State, local, and Tribal law enforcement agencies. Access to BOI through FinCEN would prevent such agencies from spending time and resources to identify BOI. Foreign requesters would also reap similar benefits. Financial institutions could gain access to key information, including potentially additional beneficial owners, for their CDD processes, and State regulatory agencies and SROs could use BOI to supervise financial institutions’ compliance with CDD requirements. However, FinCEN is not estimating benefits related to these types of entities at this time, given the pending revisions to the CDD Rule. FinCEN anticipates that the benefits to financial institutions in meeting their CDD obligations, and the benefits to regulatory agencies in supervising financial institutions for compliance with CDD requirements, would be discussed in that rulemaking.

These stated benefits are in alignment with feedback FinCEN has received from a number of agencies as part of the outreach efforts FinCEN conducted in formulating the proposed rule.
One agency noted that BOI would serve as an additional resource to investigators because having access to BOI would enable them to immediately identify a subject who owns a company, which would save time conducting additional investigations to develop subject identity information. A second agency also stated access to BOI could save time and resources. One agency noted that the vital data would further investigations and result in more successful and impactful investigations. Another agency provided similar feedback and noted that having access to BOI would significantly enhance investigations and bolster any analytical product that is prepared for the agency’s cases; and that a central repository of BOI would save a multitude of hours that would otherwise be spent researching secretary of State records, conducting law enforcement database queries, and/or conducting open-source intelligence research to identify a company’s ownership. One agency noted that the benefit would depend upon the scope of access.

To quantify the potential benefits to various stakeholders of being able to access BOI, FinCEN asked for input from numerous agencies about cost savings that would result from such access; cost savings are one, but not the sole, benefit of BOI access. One agency estimated that, contingent upon the nature and complexity of each individual case’s specific need for BOI resources, access to BOI would save as much as approximately 300 hours annually.232 Another agency suggested that, with higher caseloads, having access to BOI could save investigations as much as thousands of hours annually; another noted that several hours per case would be saved by not having to search multiple databases for company information. A fourth agency suggested that having access to BOI could save investigations as much as 20,000 hours annually that could be repurposed toward other tasks.

232 Per the agency’s feedback, this would comprise a range between 50 and 100 investigations utilizing BOI.

Therefore, based on this feedback, FinCEN assumes a potential quantifiable benefit range of cost savings between 300 and 20,000 hours annually, per domestic agency.233 234 This is equivalent to a per Federal agency dollar savings between $32,400 and $2.2 million (300 hours × $108 per hour = $32,400 and 20,000 hours × $108 per hour = $2,160,000) and a per State, local, and Tribal agency dollar savings between $22,800 and $1.5 million (300 hours × $76 per hour = $22,800 and 20,000 hours × $76 per hour = $1,520,000), depending on the number and complexity of the investigations. The minimum dollar value of the benefits of the proposed rule implied by these assumptions in Year 1 is $10.2 million ((208 Federal agencies × 300 hours per agency × $108 per hour) + (153 State, local, and Tribal law enforcement agencies × 300 hours per agency × $76 per hour) = $10,227,600). The maximum estimated aggregate annual savings is $681.8 million ((208 Federal agencies × 20,000 hours per agency × $108 per hour) + (153 State, local, and Tribal law enforcement agencies × 20,000 hours per agency × $76 per hour) = $681,840,000). These estimates only pertain to cost savings benefits; agencies could also gain other benefits from accessing BOI, such as investigative law enforcement value, that are not quantified in this analysis. Therefore, FinCEN believes the benefits could be greater than the cost savings estimated here. As stated previously in the RIA, FinCEN assumes that no Federal agency or State, local or Tribal law enforcement agency will access BOI unless the benefits of doing so are at least equal to the costs, given that BOI access is optional. Non-quantifiable benefits would be included in this consideration, as well as the quantifiable benefits estimated in the analysis.

233 Regarding regulators, FinCEN assumes that the benefit would relate to civil law enforcement activities rather than examination activities.
234 The estimated amount of direct benefits from reduced investigation time and resources does not account for any potential savings to financial institutions that access BOI. Any potential benefits to financial institutions for accessing BOI will be accounted for in the forthcoming CDD Rule revision.

In addition to the direct benefits of saving agencies time and money, accessing BOI would lead to other secondary benefits, as discussed in the final BOI reporting rule’s RIA.235 BOI would also further the missions of the agencies to combat crime, as well as contribute to national security, intelligence, and law enforcement, and other activities. Therefore, the benefits to agencies of accessing BOI would be more than saving costs, as it would lead to more effective and efficient investigations. Enabling effective and efficient investigations would have additional secondary benefits of making it more difficult to launder money through shell companies and other entities, in turn strengthening national security and enhancing financial system transparency and integrity. Barriers to money laundering encourage a more secure economy and more economic activity, as businesses would have more trust in the legitimacy of new business partners. Finally, the sharing of BOI with foreign partners, subject to appropriate protocols consistent with the CTA, may further transnational investigations, tax enforcement, and the identification of national and international security threats. These secondary benefits are not accounted for in this analysis since they are accounted for in the final BOI reporting rule RIA. However, these benefits cannot come to fruition without authorized recipients gaining access to BOI, as considered in this proposed rulemaking.
Therefore, the benefits between the final BOI reporting rule and this proposed rule are inextricably linked.

235 See 87 FR 59579–59580 (Sept. 30, 2022).

3. Overall Impact

Overall, FinCEN estimates the potential quantifiable impact of the proposed rule could be between $108.7 million in net savings and $840.7 million in net costs in the first year of implementation of the rule, and then from $186.5 million in net savings to $672.0 million in net costs on an ongoing annual basis. Table 10 summarizes the estimated aggregate yearly impact of the proposed rule.

Table 10—Aggregate Yearly Impact of the Proposed Rule (Dollars in millions)

| Item | Year 1 | Each year thereafter |
|---|---|---|
| Foreign requester costs | $0.02 to $0.07 | $0.02 to $0.07 |
| Financial institution costs | $198.4 to $287.5 | $121.2 to $148.6 |
| FinCEN costs | $10 | $10 |
| Total costs | $573.1 to $850.9 | $495.3 to $682.2 |
| Total benefits | -[$10.2 to $681.8] | -[$10.2 to $681.8] |
| Total net cost | -$108.7 to $840.7 | -$186.5 to $672.0 |

Notes to Table 10:
1 This estimate includes aggregate annual costs to Federal agencies engaged in law enforcement, national security and intelligence activities, offices of the U.S. Department of the Treasury including FinCEN, State, local, and Tribal law enforcement agencies, and both Federal and State regulators. Costs to SROs are also included in this aggregation.
This estimate includes the additional aggregate annual costs between approximately $43,200 and $194,400 to Federal agencies from submitting and coordinating BOI requests on behalf of foreign partners.
This includes only costs to FinCEN associated with managing the BOI database. Costs to FinCEN as an authorized recipient of BOI are included in the domestic agencies estimates.

The estimated, quantifiable, aggregate annual benefits of the rule, which only reflect potential cost savings to agencies, would be between approximately $10.2 and $681.8 million. Likewise, FinCEN expects that the aggregate annual quantifiable costs of the rule would be somewhere between approximately $573.1 and $850.9 million in year 1, and between approximately $495.3 and $682.2 million each year thereafter. FinCEN believes that, in practice, entities may choose to access BOI only if the benefits to their operational needs, which include cost savings and other nonquantifiable benefits, outweigh the costs associated with the requirements for accessing BOI. Using the maximum net cost impact estimates from Table 10 as an upper bound of the potential impact of this proposed rule, FinCEN determines the present value over a 10-year horizon of approximately $5.9 billion at the three percent discount rate and approximately $4.9 billion at the seven percent discount rate.

ii. Section of Proposed Rule Regarding FinCEN Identifier Use by Entities

The proposed rule would establish a process through which a reporting company may report another reporting company’s FinCEN identifier and full legal name in lieu of the information otherwise required under 31 CFR 1010.380(b)(1), subject to certain limitations. This proposed rule would affect reporting companies that choose to report FinCEN identifiers of another reporting company in their BOI report. It may also affect reporting companies’ decision on whether or not to request a FinCEN identifier.

FinCEN considered whether the proposed rule would result in any additional cost to reporting companies beyond what is estimated in the final BOI reporting rule’s RIA.236 FinCEN assesses that the proposed rule is consistent with the assumption in the final BOI reporting rule’s RIA that the cost associated with using entities’ FinCEN identifiers is accounted for in the BOI report cost estimates. The proposed rule could reduce burden for reporting companies that choose to report another reporting company’s FinCEN identifier because the reporting company would provide fewer pieces of information on the BOI report. However, FinCEN assesses such burden reduction is likely to be minimal relative to the total cost of filling out and submitting the report. Additionally, it is unknown by FinCEN how many entities may choose to utilize the proposed rule. Therefore, FinCEN does not estimate costs or benefits associated with the proposed rule beyond what is separately stated in the final BOI reporting rule RIA. Similarly, FinCEN does not include alternatives regarding this proposed rule beyond what is included in the final BOI reporting rule RIA.

236 The final BOI reporting rule’s RIA did not estimate the number of reporting companies that will obtain FinCEN identifiers. The mechanism for reporting companies to obtain a FinCEN identifier will be to either check a box on its initial BOI report or submit an updated BOI report with the box checked. Therefore, FinCEN assumed that the cost of reporting companies obtaining FinCEN identifiers was included in the initial BOI report cost estimates in the final BOI reporting rule RIA. See 87 FR 59578 (Sept. 30, 2022).

B. Regulatory Flexibility Act

The Regulatory Flexibility Act 237 (RFA) requires an agency either to provide an initial regulatory flexibility analysis (IRFA) with a proposed rule or certify that the proposed rule would not have a significant economic impact on a substantial number of small entities. The section of the proposed rule regarding BOI access would apply to a substantial number of small entities. FinCEN has attempted to minimize the burden to the greatest extent practicable, but the proposed rule may nevertheless have a significant economic impact on small entities. Accordingly, FinCEN has prepared an IRFA. FinCEN welcomes comments on all aspects of the IRFA.

237 See 5 U.S.C. 601 et seq.
A final regulatory flexibility analysis will be conducted after consideration of comments received.

The IRFA addresses the BOI access sections of the proposed rule. With respect to the sections of the proposed rule addressing the use of FinCEN identifiers, FinCEN does not assess any additional costs associated with the proposed rule beyond the costs separately considered in the final BOI reporting rule’s RIA.238 Therefore, FinCEN does not consider the proposed rule’s FinCEN identifier provisions in the following RFA calculations or conclusions.

238 See 87 FR 59577–59578 (Sept. 30, 2022).

i. Statement of the Need for, and Objectives of, the Proposed Rule

As previously noted, the proposed rule is necessary to implement Section 6403 of the CTA. The purpose of the proposed rule is to implement the retention and disclosure requirements of Section 6403 and to establish appropriate protocols to protect the security and confidentiality of the BOI.

ii. Small Entities Affected by the Proposed Rule

To assess the number of small entities affected by the proposed rule, FinCEN separately considered whether any small businesses, small organizations, or small governmental jurisdictions, as defined by the RFA, would be affected. FinCEN concludes that small businesses would be substantially affected by the proposed rule. Each of these three categories is discussed below within this section.

In defining “small business,” the RFA relies on the definition of “small business concern” from the Small Business Act.239 This definition is based on size standards (either average annual receipts or number of employees) matched to industries.240 Assuming maximum non-mandated participation by small financial institutions, the proposed rule would affect approximately all 14,051 small financial institutions. All of these small financial institutions would have a significant economic impact in the first year of implementation, which FinCEN believes meets the threshold for a substantial number. Therefore, FinCEN concludes the proposed rule would have a significant economic impact on a substantial number of small entities.

239 See 5 U.S.C. 601(3).
240 See U.S. Small Business Administration, Table of Small Business Size Standards Matched to North American Industry Classification System Codes (Jul. 14, 2022), available at https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.

FinCEN assumes the economic impact on an individual small entity is significant if the total estimated impact in a given year is greater than 1 percent of the small entity’s total receipts for that year. FinCEN estimates the cost for small financial institutions to comply with the sections of the proposed rule addressing BOI access would be between approximately $12,155 and $17,644 in year 1, and approximately $7,405 and $9,094 annually in subsequent years, as indicated in Table 9.241 FinCEN then compares these per financial institution cost estimates to the average total receipts for the smallest size category for each type of financial institution from the 2017 Census survey data, adjusted for inflation.242 The analysis indicates that, even when considering the minimum year 1 impact of $12,155, the smallest entities of all types of financial institutions would incur an economic impact that exceeds 1 percent of receipts for that industry. Therefore, FinCEN expects that the proposed rule would have a significant economic impact on a substantial number of small entities.
241 The minimum and maximum costs for small entities can be determined by using $95 (1 employee × $95 per hour) as the minimum cost for training in Table 9 and using $190 (2 employees × $95 per hour) as the maximum cost for training.
242 FinCEN inflation adjusted the 2017 Census survey data using Implicit Price Deflators for Gross Domestic Product quarterly data from the U.S. Bureau of Economic Analysis, available at https://apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&categories=survey#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ. FinCEN estimated an inflation factor of approximately 1.14 (the gross domestic product deflator in the first quarter of 2017 is 107.038, while in the fourth quarter of 2021 it was 121.708; hence the inflation factor is 121.708/107.038 = 1.14). FinCEN then applied this inflation adjustment factor of 1.14 to the 1 percent of average annual receipts in the 2017 Census survey data for each financial industry affected by this proposed rule to estimate the latest inflation-adjusted dollar value threshold of 1 percent of annual receipts.

In defining “small organization,” the RFA generally defines it as any not-for-profit enterprise that is independently owned and operated and is not dominant in its field.243 FinCEN anticipates that the proposed rule would not affect “small organizations,” as defined by the RFA.

243 5 U.S.C. 601(4).
The RFA generally defines ‘‘small governmental jurisdiction[s]’’ as governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than 50,000.244 While State, local, and Tribal government agencies may be affected by the proposed rule, FinCEN does not believe that government agencies of jurisdictions with a population of less than 50,000 would be included in such agencies. Therefore, no ‘‘small governmental jurisdictions’’ are expected to be affected. iii. Compliance Requirements Under the proposed rule accessing BOI is not mandatory; therefore, the proposed rule would not impose requirements in the strictest sense. However, the proposed rule would require those that wish to access BOI to establish standards and procedures or safeguards, and to comply with other requirements. In particular, financial institutions would develop and implement administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of BOI. Financial institutions would also be required to obtain and document customer consent, as well as maintain a record of such consent for five years after it was last relied upon, which may require updates to existing policies and procedures. The proposed rule would also require those that wish to access BOI provide a written certification for each BOI request, in the form and manner prescribed by FinCEN. FinCEN intends to provide additional detail regarding the form and manner of BOI requests for all categories of authorized recipients through specific instructions and guidance as it continues developing the beneficial ownership IT system. To the extent required by the PRA, FinCEN would publish for notice and comment any proposed information collection associated with BOI requests. 
Small entities affected by the proposed rule, which FinCEN assesses to be small financial institutions, would be required to comply with these requirements if they access BOI. FinCEN assumes that the professional expertise needed to comply with such requirements already exists at small financial institutions with CDD obligations.

244 5 U.S.C. 601(5).

iv. Duplicative, Overlapping, or Conflicting Federal Rules

There are no Federal rules that directly duplicate, overlap, or conflict with the proposed rule. The proposed rule is closely related to FinCEN’s recent publication of the final BOI reporting rule.245 The final BOI reporting rule finalizes regulations to implement the CTA’s BOI reporting requirements, which describe who must file a report, what information must be provided, and when a report is due. In contrast, this NPRM proposes appropriate protocols for access to and disclosure of BOI. The final BOI reporting rule’s RIA estimated the cost to the public of reporting and updating BOI and information related to FinCEN identifiers. The final BOI reporting rule’s RIA also estimated the cost to FinCEN of developing and maintaining this reporting mechanism, costs to other government agencies as a result of reporting requirements, and the benefits of the requirements. FinCEN has aimed to not duplicate costs and benefits covered in the final BOI reporting rule herein.

245 See 87 FR 59498 (Sept. 30, 2022).

v. Significant Alternatives That Reduce Burden on Small Entities

In considering significant alternatives that would alter burdens on small entities, FinCEN applies two of the previously described alternative scenarios to small financial institutions.

a. Reduce Training Burden

The first alternative would be to reduce the training requirement for BOI authorized recipients, which includes appropriate training for authorized recipients of BOI as well as annual training for access to the beneficial ownership IT system. In its analysis, FinCEN assumes that each authorized recipient that would access BOI would be required to undergo one hour of training per year.246 Here, FinCEN considers the scenario where authorized recipients would instead be required to undergo one hour of training every two years, in alignment with the current BSA data access requirements. This scenario could result in savings every other year of $108 to $172,800 per Federal agency, $76 to $5,168 per State, local, and Tribal agency, $95 to $6,460 per SRO,247 $108 per foreign requester, and $146 to $241 per financial institution. The aggregate savings could be as much as $3.7 million to $5.2 million ($1.3 million total for domestic agencies and SROs + $2.4 to $3.9 million for financial institutions) every other year. This alternative scenario could result in savings every other year of approximately $95 to $190 per small financial institution. The aggregate savings could be as much as approximately $1.3 million to $2.7 million (($95 × 14,051 small financial institutions = $1,334,845) and ($190 × 14,051 small financial institutions = $2,669,690)) every other year.

Given the sensitive nature of the BOI data,248 FinCEN believes that maintaining an annual training requirement for BOI authorized recipients and access to the beneficial ownership IT system is necessary to protect the security and confidentiality of the BOI.

246 The assumption of one training hour is in alignment with the current training requirement for accessing BSA data. However, one notable difference is that the proposed BOI training requirement is annual, not biennial.

247 To calculate total costs to SROs, FinCEN calculated a ratio that applied the estimated costs to State regulators (which would have access requirements similar to SROs) to the wage rate estimated herein for financial institutions, since SROs are private organizations. FinCEN requests comment on this assessment.

248 As noted in the preamble, the CTA establishes that BOI is “sensitive information” and it imposes strict confidentiality and security restrictions on the storage, access, and use of BOI. See CTA, Section 6402(6), (7).

b. Change Customer Consent Requirement

Another alternative that FinCEN considered is altering the customer consent requirement for financial institutions. Under the proposed rule, financial institutions would be required to obtain and document customer consent once for a given customer. FinCEN considered an alternative approach in which FinCEN would directly obtain the reporting company’s consent. Under this scenario, financial institutions would not need to spend time and resources on the one-time implementation costs of approximately 10 hours in year 1 to create consent forms and processes. Using an hourly wage estimate of $95 per hour for financial institutions, FinCEN estimates this would result in a one-time savings per financial institution of approximately $950. To estimate aggregate savings under this scenario, FinCEN multiplies this value by 16,252 financial institutions resulting in a total savings of approximately $15.4 million ($950 per institution × 16,252 financial institutions = $15,439,400). The cost savings for small financial institutions under this scenario would be approximately $13.3 million ($950 per institution × 14,051 small financial institutions = $13,348,450). Though this alternative results in a savings to financial institutions, including small entities, FinCEN believes that financial institutions are better positioned to obtain consent—and to track consent revocation—given their direct customer relationships and ability to leverage existing onboarding and account maintenance processes. Therefore, FinCEN decided not to propose this alternative.

C. Paperwork Reduction Act

The reporting requirements in the proposed rule are being submitted to OMB for review in accordance with the Paperwork Reduction Act of 1995 (PRA).249 Under the PRA, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid control number assigned by OMB. Written comments and recommendations for the proposed information collection can be submitted by visiting www.reginfo.gov/public/do/PRAMain. This particular document may be found by selecting “Currently Under Review—Open for Public Comments” or by using the search function. Comments are welcome and must be received by February 14, 2023. In accordance with requirements of the PRA, 44 U.S.C. 3506(c)(2)(A), and its implementing regulations, 5 CFR 1320, the following information concerns the collection of information as it relates to the proposed rule and is presented to assist those persons wishing to comment on the information collection. The PRA analysis included herein is for the sections of the proposed rule relating to BOI access.
It does not include the sections of the proposed rule addressing the use of FinCEN identifiers for entities because FinCEN does not assess any additional burden or costs associated with the proposed rule beyond the costs and burden separately considered in the final BOI reporting rule’s PRA analysis for BOI reports.250

249 See 44 U.S.C. 3506(c)(2)(A).

250 See 87 FR 59589–59591 (Sept. 30, 2022).

Reporting and Recordkeeping Requirements: The proposed rule would require State, local, and Tribal agencies and financial institutions that wish to access BOI to conduct the following activities: establish standards and procedures or safeguards and undergo annual training. Financial institutions would also be required to obtain and document customer consent, maintaining a record of such consent for five years after it was last relied upon, which may require updates to existing processes and creation of consent forms. The proposed rule would also require State, local, and Tribal agencies and financial institutions that wish to access BOI to provide a written certification for each BOI request. FinCEN intends to provide additional detail regarding the form and manner of BOI requests for all categories of authorized users through specific instructions and guidance as it continues developing the beneficial ownership IT system. To the extent required by the PRA, FinCEN would publish for notice and comment any proposed information collection associated with BOI requests. In addition, the proposed rule would require State, local, and Tribal agencies to establish and maintain a secure system to store BOI, as well as an auditable system of standardized records for requests, conduct an annual audit, certify standards and procedures by the agency head semi-annually, and provide an annual report on procedures, resulting in additional recordkeeping and reporting requirements.
Finally, the proposed rule would require that SROs follow the same security and confidentiality requirements outlined herein for State, local, and Tribal agencies, if they obtain BOI through redisclosure by a Federal functional regulator or financial institution.

OMB Control Numbers: 1506–XXXX.

Frequency: As required; varies depending on the requirement.

Description of Affected Public: State, local and Tribal agencies, SROs, and financial institutions with CDD obligations, as defined in the proposed rule. While others from Federal and foreign requesters are able to access BOI after meeting specific requirements, FinCEN does not include them in the PRA analysis because the regulations implementing the PRA define “person” as an individual, partnership, association, corporation (including operations of government-owned contractor-operated facilities), business trust, or legal representative, an organized group of individuals, a State, territorial, tribal, or local government or branch thereof, or a political subdivision of a State, territory, Tribal, or local government or a branch of a political subdivision.251 For foreign requesters in particular, FinCEN assumes that such requests would be made at the national level.

251 See 5 CFR 1320.3(k).

Estimated Number of Respondents: 16,463 entities. This total is composed of an estimated 209 State, local, and Tribal agencies, of which 153 are State, local, and Tribal law enforcement agencies and 56 are State regulatory agencies, 2 SROs, and 16,252 financial institutions.252 While the requirements in the proposed rule are only imposed on those that optionally access BOI, for purposes of PRA burden analysis, FinCEN assumes maximum participation from State, local, and Tribal agencies, SROs, and financial institutions.
Estimated Total Annual Reporting and Recordkeeping Burden:253 FinCEN estimates that during year 1 the annual hourly burden would be 9,289,604 hours. In year 2 and onward, FinCEN estimates that the annual hourly burden would be 7,663,188 hours. The annual estimated burden hours for State, local, and Tribal entities as well as SROs is 6,261,856 hours in the first year, and 6,098,120 hours in year 2 and onward. As shown in Table 11, the hourly burden in year 1 for State, local, and Tribal entities and SROs includes the hourly burden associated with the following requirements in the NPRM: enter into an agreement with FinCEN and establish standards and procedures (Action B); establish a secure system to store BOI (Action D); establish and maintain an auditable system of standardized records for requests (Action E); submit written certification for each request that it meets certain requirements (Action G); restrict access to appropriate persons within the entity (Action H); conduct an annual audit and cooperate with FinCEN’s annual audit (Action I); obtain certification of standards and procedures, initially and then semi-annually, by the head of the entity (Action J); and provide annual reports on procedures (Action K). The hourly burden in year 2 and onward for State, local, and Tribal entities and SROs is associated with the same requirements as year 1, with the exception of Action B because FinCEN expects this action will result in costs for these entities in year 1 only.

252 See Table 1 for the types of financial institutions covered by this notice.

253 As previously noted, this is a partial amount of the maximum overall burden associated with the proposed rule given that the PRA analysis does not include the potential burden on Federal and foreign agencies. The full burden and cost are assessed in the RIA cost analysis.
The annual estimated hourly burden for financial institutions is 3,027,748 hours in the first year and 1,565,068 hours in year 2 and onward. The hourly burden for financial institutions in year 1 is associated with the following: establish administrative and physical safeguards (Action A); establish technical safeguards (Action C); obtain and document customer consent (Action F); submit written certification for each request that it meets certain requirements (Action G); and undergo training (Action H). The hourly burden in year 2 and onward for financial institutions is associated only with the requirements for Actions G and H because FinCEN expects the other actions will result in costs for these entities in year 1 only. Annual estimated burden declines in year 2 and onward because State, local, and Tribal agencies, SROs, and financial institutions no longer need to complete Actions A, B, and F, and have a lower hourly burden for Action E.

Table 11 lists the type of entity, the number of entities, the hours per entity, and the total hourly burden by action. For Actions A, B, C, D, E, F, I, J, and K, the hours per entity are the maximum of the range estimated in the cost analysis of the RIA. For Actions G and H, the hours per entity calculations are specified in footnotes to Table 11. Total annual hourly burden is calculated by multiplying the number of entities by the hours per entity for each action. In each subsequent year after initial implementation, FinCEN estimates that the total hourly annual burden is 7,663,188 due to Actions A, B, and F only imposing burdens in year 1 and Actions D and E having lower annual per entity burdens.
This results in a 5-year average burden estimate of approximately 7,988,471 hours.254

254 The 5-year average equals the sum of (Year 1 burden hours of 9,289,604 + Year 2 burden hours of 7,663,188 + Year 3 burden hours of 7,663,188 + Year 4 burden hours of 7,663,188 + Year 5 burden hours of 7,663,188) divided by 5.

Table 11—Annual Hourly Burden Associated With Proposed Rule Requirements

| Action | Type of entity | Number of entities | Hours per entity | Total annual hourly burden |
|---|---|---|---|---|
| A. Establish administrative and physical safeguards | Financial institutions | 16,252 | 80 in Year 1; 0 in Years 2+ | 1,300,160 in Year 1; 0 in Years 2+ |
| B. Enter into an agreement with FinCEN and establish standards and procedures | State, local, and Tribal agencies and SROs | 211 | 300 in Year 1; 0 in Years 2+ | 63,300 in Year 1; 0 in Years 2+ |
| C. Establish technical safeguards | Financial institutions | 16,252 | 0 in Year 1; 0 in Years 2+ | 0 in Year 1; 0 in Years 2+ |
| D. Establish a secure system to store BOI | State, local, and Tribal agencies and SROs | 211 | 300 in Year 1; 4 in Years 2+ | 63,300 in Year 1; 844 in Years 2+ |
| E. Establish and maintain an auditable system of standardized records for requests | State, local, and Tribal agencies and SROs | 211 | 200 in Year 1; 20 in Years 2+ | 42,200 in Year 1; 4,220 in Years 2+ |
| F. Obtain and document customer consent | Financial institutions | 16,252 | 10 in Year 1; 0 in Years 2+ | 162,520 in Year 1; 0 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements¹ | Financial institutions | 16,252 | 93.8 in Year 1; 93.8 in Years 2+ | 1,524,438 in Year 1; 1,524,438 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements, including court authorization | State, local, and Tribal law enforcement | 153 | 39,542.5 in Year 1; 39,542.5 in Years 2+ | 6,050,003 in Year 1; 6,050,003 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements | State regulatory agencies and SROs | 58 | 129.3 in Year 1; 129.3 in Years 2+ | 7,499 in Year 1; 7,499 in Years 2+ |
| H. Undergo training² | Financial institutions | 16,252 | 2.5 in Year 1; 2.5 in Years 2+ | 40,630 in Year 1; 40,630 in Years 2+ |
| H. Restrict access to appropriate persons within the entity, which specifies that appropriate persons will undergo training³ | State, local, and Tribal agencies and SROs | 211 | 8.5 in Year 1; 8.5 in Years 2+ | 1,794 in Year 1; 1,794 in Years 2+ |
| I. Conduct an annual audit and cooperate with FinCEN’s annual audit | State, local, and Tribal agencies and SROs | 211 | 160 in Year 1; 160 in Years 2+ | 33,760 in Year 1; 33,760 in Years 2+ |
| J. Obtain certification of standards and procedures initially and then semi-annually, by the head of the entity | State, local, and Tribal agencies and SROs | 211 | Included in I. | Included in I. |
| K. Provide initial and then an annual report on procedures | State, local, and Tribal agencies and SROs | 211 | Included in I. | Included in I. |
| Total Annual Hourly Burden | | | | 9,289,604 in Year 1; 7,663,188 in Years 2+ |

¹ For all types of entity, the hours per entity for Action G is the per entity share of the aggregate burden estimated in the RIA.

² For financial institutions, the hours per entity for Action H equals the weighted average of the large and small financial institutions’ maximum burden estimated in the RIA.

³ For State, local, and Tribal agencies and SROs, the hours per entity for Action H equals the per entity share of the aggregate burden.

Estimated Total Annual Reporting and Recordkeeping Cost:255 As described in Table 3, FinCEN calculated the fully loaded hourly wage for each type of affected entity. Using these estimated wages, the total cost of the annual burden in year 1 would be $763,745,736. In year 2 and onward, FinCEN estimates that the total cost of the annual burden is $612,199,760, owing to Actions A, B, and F only imposing burdens in year 1 and Actions D and E having lower annual per entity burdens. The annual estimated cost for State, local, and Tribal agencies and SROs is $476,109,676 in the first year and $463,518,300 in year 2 and onward. The annual estimated cost for financial institutions is $287,636,060 in the first year and $148,681,460 in year 2 and onward. The 5-year average annual cost estimate is $642,508,955.256

255 As previously noted, this is a partial amount of the maximum overall cost associated with the proposed rule because the PRA analysis does not include the potential cost to Federal and foreign agencies. The full burden and cost of the rule are assessed in the RIA analysis.

256 The 5-year average equals the sum of (Year 1 costs of $763,745,736 + Year 2 costs of $612,199,760 + Year 3 costs of $612,199,760 + Year 4 costs of $612,199,760 + Year 5 costs of $612,199,760) divided by 5.

Table 12—Annual Cost Associated With Proposed Rule Requirements

| Action | Type of entity | Hourly wage | Total annual hourly burden | Total annual cost |
|---|---|---|---|---|
| A. Establish administrative and physical safeguards | Financial institutions | $95 | 1,300,160 in Year 1; 0 in Years 2+ | $123,515,200 in Year 1; $0 in Years 2+ |
| B. Enter into an agreement with FinCEN and establish standards and procedures | State, local, and Tribal agencies | $76 | 63,300 in Year 1; 0 in Years 2+ | $4,810,800 in Year 1; $0 in Years 2+ |
| C. Establish technical safeguards | Financial institutions | $95 | 0 in Year 1; 0 in Years 2+ | $0 in Year 1; $0 in Years 2+ |
| D. Establish a secure system to store BOI | State, local, and Tribal agencies | $76 | 63,300 in Year 1; 844 in Years 2+ | $4,810,800 in Year 1; $64,144 in Years 2+ |
| E. Establish and maintain an auditable system of standardized records for requests | State, local, and Tribal agencies | $76 | 42,200 in Year 1; 4,220 in Years 2+ | $3,207,200 in Year 1; $320,720 in Years 2+ |
| F. Obtain and document customer consent | Financial institutions | $95 | 162,520 in Year 1; 0 in Years 2+ | $15,439,400 in Year 1; $0 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements | Financial institutions | $95 | 1,524,438 in Year 1; 1,524,438 in Years 2+ | $144,821,610 in Year 1; $144,821,610 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements, including court authorization | State, local, and Tribal law enforcement | $76 | 6,050,003 in Year 1; 6,050,003 in Years 2+ | $459,800,228 in Year 1; $459,800,228 in Years 2+ |
| G. Submit written certification for each request that it meets certain requirements | State regulatory agencies | $76 | 7,499 in Year 1; 7,499 in Years 2+ | $569,924 in Year 1; $569,924 in Years 2+ |
| H. Undergo training | Financial institutions | $95 | 40,630 in Year 1; 40,630 in Years 2+ | $3,859,850 in Year 1; $3,859,850 in Years 2+ |
| H. Restrict access to appropriate persons within the agency, which specifies that appropriate persons will undergo training | State, local, and Tribal agencies | $76 | 1,794 in Year 1; 1,794 in Years 2+ | $136,344 in Year 1; $136,344 in Years 2+ |
| I. Conduct an annual audit and cooperate with FinCEN’s annual audit | State, local, and Tribal agencies | $76 | 33,760 in Year 1; 33,760 in Years 2+ | $2,565,760 in Year 1; $2,565,760 in Years 2+ |
| J. Obtain certification of standards and procedures initially and then semi-annually, by the head of the entity | State, local, and Tribal agencies | $76 | Included in I. | Included in I. |
| K. Provide initial and then an annual report on procedures | State, local, and Tribal agencies | $76 | Included in I. | Included in I. |
| Actions B, D, E, G, H, I–K | SRO | $95 | 2,196 in Year 1; 644 in Years 2+ | $208,620 in Year 1; $61,180 in Years 2+ |
| Total Annual Cost | | | | $763,745,736 in Year 1; $612,199,760 in Years 2+ |

D. Unfunded Mandates Reform Act

Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (UMRA) requires that an agency assess anticipated costs and benefits and take certain other actions before promulgating a rule that includes a Federal mandate that may result in expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year, adjusted for inflation. The proposed regulations regarding access by authorized recipients to BOI do not include any Federal mandate for State, local, and Tribal governments or the private sector.257 Similarly, the proposed regulations that address how reporting companies would be able to use an entity’s FinCEN identifier to fulfill their obligations under FinCEN’s BOI reporting requirements do not contain a Federal mandate.

E. Questions for Comment

General Request for Comments under the Paperwork Reduction Act: Comments submitted in response to this notice will be summarized and included in the request for OMB approval. All comments will become a matter of public record. Comments are invited on: (a) whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (b) the accuracy of the agency’s estimate of the burden of the collection of information; (c) ways to enhance the quality, utility, and clarity of the information to be collected; (d) ways to minimize the burden of the collection of information on respondents, including through the use of technology; and (e) estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services required to provide information.

Other Requests for Comment: In addition, FinCEN generally invites comment on the accuracy of FinCEN’s regulatory analysis. FinCEN specifically requests comment on the following, which are mentioned in the preceding text.
State, local, and Tribal agencies’ BOI access estimates:

1. How many Tribal law enforcement agencies, and how many authorized recipients at such agencies, may access BOI on an annual basis?
2. What is an appropriate wage estimate for a Tribal government worker?
3. Should the burden estimate for court authorizations include the burden on court employees? If so, what would be the occupation code, wage, and estimated time burden of such employees?
4. Given the requirement to obtain court authorization to access BOI, are State, local, and Tribal agencies less likely to access BOI at the rate by which they access BSA information? If so, what is a reasonable estimate for the annual requests for BOI from these agencies?

SROs’ BOI access estimates:

5. Is FinCEN’s assessment of costs to SROs reasonable?

Foreign requesters’ BOI access estimates:

6. How many foreign requesters may access BOI on an annual basis, and which requesters would do so under an applicable international treaty, agreement, or convention, or through another channel available under the proposed rule?
7. Is FinCEN’s approximation that it would take a foreign requester, on average, between one and two full business weeks (or, between 40 and 80 business hours) to establish standards and procedures accurate?
8. Is the assumption that foreign requesters would have a de minimis IT cost to comply with the requirements in the proposed rule accurate?
9. Is the annual estimate of foreign requests for BOI reasonable?

Financial institutions’ BOI access estimates:

10. Is FinCEN’s approximation that it would take a financial institution, on average, between one and two full business weeks (or, between 40 and 80 business hours) to establish administrative and physical safeguards accurate?
11. Is the assumption that financial institutions would have a de minimis IT cost to comply with the requirements in the proposed rule accurate?
12. Is the burden estimate for obtaining and documenting customer consent reasonable? If not, what would be a reasonable estimate?
13. Are the assumptions that one to two employees per small financial institution and five to six employees per large institution would access BOI reasonable? If not, what would be reasonable estimates?
14. Is the estimated range of annual requests from financial institutions reasonable?
15. Are there additional categories of burden that FinCEN should consider in its burden estimates? If so, what are they, and what is the estimated burden per financial institution? Conversely, if any of the categories of burden in the estimates should not be included, identify those and explain why.

Small entities’ estimates:

16. Are FinCEN’s estimates of burden on small entities accurate, as calculated in the IRFA? If not, why, and on what basis should they be updated? Provide specific sources and data for alternative cost estimates for each category of burden per entity.
17. Is FinCEN’s assumption that small governmental jurisdictions are unlikely to access BOI accurate?

FinCEN identifier analysis:

18. Is FinCEN correct in assuming that the proposed rule would not result in additional burden or cost to reporting companies beyond what is estimated in the final BOI reporting rule’s RIA?
19. How many reporting companies are likely to use entities’ FinCEN identifiers to comply with the BOI reporting requirements?

257 FinCEN expects that requirements regarding private sector access will be clarified in the forthcoming revision of the CDD Rule.
List of Subjects in 31 CFR Part 1010

Administrative practice and procedure, Aliens, Authority delegations (Government agencies), Banks and banking, Brokers, Business and industry, Commodity futures, Currency, Citizenship and naturalization, Electronic filing, Federal savings associations, Federal-States relations, Federally recognized tribes, Foreign persons, Holding companies, Indian law, Indians, Insurance companies, Investment advisers, Investment companies, Investigations, Law enforcement, Penalties, Reporting and recordkeeping requirements, Small businesses, Securities, Terrorism, Tribal government, Time.

Authority and Issuance

For the reasons set forth in the Supplementary Information, FinCEN proposes to amend part 1010 of chapter X of title 31 of the Code of Federal Regulations, as amended September 30, 2022, at 87 FR 59498, effective January 1, 2024, as follows:

PART 1010—GENERAL PROVISIONS

■ 1. The authority citation for part 1010 continues to read as follows:

Authority: 12 U.S.C. 1829b and 1951–1959; 31 U.S.C. 5311–5314 and 5316–5336; title III, sec. 314, Pub. L. 107–56, 115 Stat. 307; sec. 2006, Pub. L. 114–41, 129 Stat. 458–459; sec. 701, Pub. L. 114–74, 129 Stat. 599.

■ 2. In § 1010.380, add paragraph (b)(4)(ii)(B) to read as follows:

§ 1010.380 Reports of beneficial ownership information.

* * * * *
(b) * * *
(4) * * *
(ii) * * *
(B) A reporting company may report another entity’s FinCEN identifier and full legal name in lieu of the information required under paragraph (b)(1) of this section with respect to the beneficial owners of the reporting company only if:
(1) The entity has obtained a FinCEN identifier and provided that FinCEN identifier to the reporting company;
(2) An individual is or may be a beneficial owner of the reporting company by virtue of an interest in the reporting company that the individual holds through the entity; and
(3) The beneficial owners of the entity and of the reporting company are the same individuals.
* * * * *

■ 4. In § 1010.950, revise the section heading and paragraph (a) to read as follows:

§ 1010.950 Availability of information—general.

(a) The Secretary has the discretion to disclose information reported under this chapter, other than information reported pursuant to § 1010.380, for any reason consistent with the purposes of the Bank Secrecy Act, including those set forth in paragraphs (b) through (d) of this section. FinCEN may disclose information reported pursuant to § 1010.380 only as set forth in § 1010.955, and paragraphs (b) through (f) of this section shall not apply to the disclosure of such information.
* * * * *

■ 5. Add § 1010.955 to read as follows:

§ 1010.955 Availability of beneficial ownership information reported under this part.

(a) Prohibition on disclosure. Except as authorized in paragraphs (b), (c), and (d) of this section, information reported to FinCEN pursuant to § 1010.380 is confidential and shall not be disclosed by any individual who receives such information as—
(1) An officer, employee, contractor, or agent of the United States;
(2) An officer, employee, contractor, or agent of any State, local, or Tribal agency; or
(3) A director, officer, employee, contractor, or agent of any financial institution.
(b) Disclosure of information by FinCEN—(1) Disclosure to Federal agencies for use in furtherance of national security, intelligence, or law enforcement activity. Upon receipt of a request from a Federal agency engaged in national security, intelligence, or law enforcement activity for information to be used in furtherance of such activity, FinCEN may disclose information reported pursuant to § 1010.380 to such agency. For purposes of this section—
(i) National security activity includes activity pertaining to the national defense or foreign relations of the United States, as well as activity to protect against threats to the safety and security of the United States;
(ii) Intelligence activity includes all activities conducted by elements of the United States Intelligence Community that are authorized pursuant to Executive Order 12333, as amended, or any succeeding executive order; and
(iii) Law enforcement activity includes investigative and enforcement activities relating to civil or criminal violations of law. Such activity does not include the routine supervision or examination of a financial institution by a Federal regulatory agency with authority described in (b)(4)(ii)(A) of this section.
(2) Disclosure to State, local, and Tribal law enforcement agencies for use in criminal or civil investigations. Upon receipt of a request from a State, local, or Tribal law enforcement agency for information to be used in a criminal or civil investigation, FinCEN may disclose information reported pursuant to § 1010.380 to such agency if a court of competent jurisdiction has authorized the agency to seek the information in a criminal or civil investigation. For purposes of this section—
(i) A court of competent jurisdiction is any court with jurisdiction over the investigation for which a State, local, or Tribal law enforcement agency requests information under this paragraph.
(ii) A State, local, or Tribal law enforcement agency is an agency of a State, local, or Tribal government that is authorized by law to engage in the investigation or enforcement of civil or criminal violations of law.
(3) Disclosure for use in furtherance of foreign national security, intelligence, or law enforcement activity. Upon receipt of a request from a Federal agency on behalf of a law enforcement agency, prosecutor, or judge of another country, or on behalf of a foreign central authority or foreign competent authority (or like designation) under an applicable international treaty, agreement, or convention, FinCEN may disclose information reported pursuant to § 1010.380 to such Federal agency for transmission to the foreign law enforcement agency, prosecutor, judge, foreign central authority, or foreign competent authority who initiated the request, provided that:
(i) The request is for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the foreign country; and
(ii) The request is:
(A) Made under an international treaty, agreement, or convention, or;
(B) When no such treaty, agreement, or convention is available, is an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country.
(4) Disclosure to facilitate compliance with customer due diligence requirements—(i) Financial institutions. Upon receipt of a request from a financial institution subject to customer due diligence requirements under applicable law for information to be used in facilitating such compliance, FinCEN may disclose information reported pursuant to § 1010.380 to such financial institution, provided each reporting company that reported such information consents to such disclosure.
For purposes of this section, customer due diligence requirements under applicable law are the beneficial ownership requirements for legal entity customers at § 1010.230, as those requirements may be amended or superseded.
(ii) Regulatory agencies. Upon receipt of a request by a Federal functional regulator or other appropriate regulatory agency, FinCEN shall disclose to such agency any information disclosed to a financial institution pursuant to paragraph (b)(4)(i) of this section if the agency—
(A) Is authorized by law to assess, supervise, enforce, or otherwise determine the compliance of such financial institution with customer due diligence requirements under applicable law;
(B) Will use the information solely for the purpose of conducting the assessment, supervision, or authorized investigation or activity described in paragraph (b)(4)(ii)(A) of this section; and
(C) Has entered into an agreement with FinCEN providing for appropriate protocols governing the safekeeping of the information.
(5) Disclosure to officers or employees of the Department of the Treasury. Consistent with procedures and safeguards established by the Secretary—
(i) Information reported pursuant to § 1010.380 shall be accessible for inspection or disclosure to officers and employees of the Department of the Treasury whose official duties the Secretary determines require such inspection or disclosure.
(ii) Officers and employees of the Department of the Treasury may obtain information reported pursuant to § 1010.380 for tax administration as defined in 26 U.S.C. 6103(b)(4).
(c) Use of information—(1) Use of information by authorized recipients.
Unless otherwise authorized by FinCEN, any person who receives information disclosed by FinCEN under paragraph (b) of this section shall use such information only for the particular purpose or activity for which such information was disclosed. A Federal agency that receives information pursuant to paragraph (b)(3) of this section shall only use it to facilitate a response to a request for assistance pursuant to that paragraph.
(2) Disclosure of information by authorized recipients. (i) Any officer, employee, contractor, or agent of a requesting agency who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(1) or (2) or (b)(4)(ii) of this section may disclose such information to another officer, employee, contractor, or agent of the same requesting agency for the particular purpose or activity for which such information was requested, consistent with the requirements of paragraph (d)(1)(i)(F) of this section, as applicable. Any officer, employee, contractor, or agent of the U.S. Department of the Treasury who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(5) of this section may disclose such information to another Treasury officer, employee, contractor, or agent for the particular purpose or activity for which such information was requested consistent with internal Treasury policies, procedures, orders or directives.
(ii) Any director, officer, employee, contractor, or agent of a financial institution who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(4)(i) of this section may disclose such information to another director, officer, employee, contractor, or agent within the United States of the same financial institution for the particular purpose or activity for which such information was requested, consistent with the requirements of paragraph (d)(2) of this section.
(iii) Any director, officer, employee, contractor, or agent of a financial institution that receives information disclosed by FinCEN pursuant to paragraph (b)(4)(i) of this section may disclose such information to the financial institution’s Federal functional regulator, a self-regulatory organization that is registered with or designated by a Federal functional regulator pursuant to Federal statute, or other appropriate regulatory agency, provided that the Federal functional regulator, self-regulatory organization, or other appropriate regulatory agency meets the requirements identified in paragraphs (b)(4)(ii)(A) through (C) of this section. A financial institution may rely on a Federal functional regulator, self-regulatory organization, or other appropriate regulatory agency’s representation that it meets the requirements.
(iv) Any officer, employee, contractor, or agent of a Federal functional regulator that receives information disclosed by FinCEN pursuant to paragraph (b)(4)(ii) of this section may disclose such information to a self-regulatory organization that is registered with or designated by the Federal functional regulator, provided that the self-regulatory organization meets the requirements of paragraphs (b)(4)(ii)(A) through (C) of this section.
(v) Any officer, employee, contractor, or agent of a Federal agency that receives information from FinCEN pursuant to a request made under paragraph (b)(3) of this section may disclose such information to the foreign person on whose behalf the Federal agency made the request.
(vi) Any officer, employee, contractor, or agent of a Federal agency engaged in a national security, intelligence, or law enforcement activity, or any officer, employee, contractor, or agent of a State, local, or Tribal law enforcement agency, may disclose information reported pursuant to § 1010.380 that it has obtained directly from FinCEN pursuant to a request under paragraph (b)(1) or (2) of this section to a court of competent jurisdiction or parties to a civil or criminal proceeding.
(vii) Any officer, employee, contractor, or agent of a requesting agency who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(1), (b)(4)(ii), or (b)(5) of this section may disclose such information to any officer, employee, contractor, or agent of the United States Department of Justice for purposes of making a referral to the Department of Justice or for use in litigation related to the activity for which the requesting agency requested the information.
(viii) A law enforcement agency, prosecutor, judge, foreign central authority, or foreign competent authority of another country that receives information from a Federal agency pursuant to a request under paragraph (b)(3)(ii)(A) of this section may disclose and use such information consistent with the international treaty, agreement, or convention under which the request was made.
(ix) Except as described in this paragraph (c)(2), any information disclosed by FinCEN under paragraph (b) of this section shall not be further disclosed to any other person for any purpose without the prior written consent of FinCEN, or as authorized by applicable protocols or guidance that FinCEN may issue. FinCEN may authorize persons to disclose information obtained pursuant to paragraph (b) of this section in furtherance of a purpose or activity described in that paragraph.
(d) Security and confidentiality requirements—(1) Security and confidentiality requirements for domestic agencies—(i) General requirements. To receive information under paragraph (b)(1), (2), or (3) or (b)(4)(ii) of this section, a Federal, State, local, or Tribal agency shall satisfy the following requirements:
(A) Agreement. The agency shall enter into an agreement with FinCEN specifying the standards, procedures, and systems to be maintained by the agency, and any other requirements FinCEN may specify, to protect the security and confidentiality of such information. Agreements shall include, at a minimum, descriptions of the information to which an agency will have access, specific limitations on electronic access to that information, discretionary conditions of access, requirements and limitations related to re-disclosure, audit and inspection requirements, and security plans outlining requirements and standards for personnel security, physical security, and computer security.
(B) Standards and procedures. The agency shall establish standards and procedures to protect the security and confidentiality of such information, including procedures for training agency personnel on the appropriate handling and safeguarding of such information. The head of the agency, on a non-delegable basis, shall approve these standards and procedures.
(C) Initial report and certification. The agency shall provide FinCEN a report that describes the standards and procedures established pursuant to paragraph (d)(1)(i)(B) of this section and that includes a certification by the head of the agency, on a non-delegable basis, that the standards and procedures implement the requirements of this paragraph (d)(1).
(D) Secure system for beneficial ownership information storage. The agency shall establish and maintain a secure system in which such information shall be stored, that complies with information security standards prescribed by FinCEN.
(E) Auditability. The agency shall establish and maintain a permanent, auditable system of standardized records for requests pursuant to paragraph (b) of this section, including, for each request, the date of the request, the name of the individual who makes the request, the reason for the request, any disclosure of such information made by or to the requesting agency, and information or references to such information sufficient to reconstruct the justification for the request.
(F) Restrictions on personnel access to information. The agency shall restrict access to information obtained from FinCEN pursuant to this section to personnel—
(1) Who are directly engaged in the activity for which the information was requested;
(2) Whose duties or responsibilities require such access;
(3) Who have received training pursuant to paragraph (d)(1)(i)(B) of this section or have obtained the information requested directly from persons who both received such training and received the information directly from FinCEN;
(4) Who use appropriate identity verification mechanisms to obtain access to the information; and
(5) Who are authorized by agreement between the agency and FinCEN to access the information.
(G) Audit requirements.
The agency shall:
(1) Conduct an annual audit to verify that information obtained from FinCEN pursuant to this section has been accessed and used appropriately and in accordance with the standards and procedures established pursuant to paragraph (d)(1)(i)(B) of this section;
(2) Provide the results of that audit to FinCEN upon request; and
(3) Cooperate with FinCEN’s annual audit of the adherence of agencies to the requirements established under this paragraph to ensure that agencies are requesting and using the information obtained under this section appropriately, including by promptly providing any information FinCEN requests in support of its annual audit.
(H) Semi-annual certification. The head of the agency, on a non-delegable basis, shall certify to FinCEN semiannually that the agency’s standards and procedures established pursuant to paragraph (d)(1)(i)(B) of this section are in compliance with the requirements of this paragraph (d)(1). One of the semiannual certifications may be included in the annual report required under paragraph (d)(1)(i)(I) of this section.
(I) Annual report on procedures. The agency shall provide FinCEN a report annually that describes the standards and procedures that the agency uses to ensure the security and confidentiality of any information received pursuant to paragraph (b) of this section.
(ii) Requirements for requests for disclosure. A Federal, State, local, or Tribal agency that makes a request under paragraph (b)(1), (2), or (3) or (b)(4)(ii) of this section shall satisfy the following requirements in connection with each request that it makes and in connection with all such information it receives.
(A) Minimization. The requesting agency shall limit, to the greatest extent practicable, the scope of such information it seeks, consistent with the agency’s purposes for seeking such information.
(B) Certifications and other requirements.
(1) The head of a Federal agency that makes a request under paragraph (b)(1) of this section or their designee shall make a written certification to FinCEN, in the form and manner as FinCEN shall prescribe, that:
(i) The agency is engaged in a national security, intelligence, or law enforcement activity; and
(ii) The information requested is for use in furtherance of such activity, setting forth specific reasons why the requested information is relevant to the activity.
(2) The head of a State, local, or Tribal agency, or their designee, who makes a request under paragraph (b)(2) of this section shall submit to FinCEN, in the form and manner as FinCEN shall prescribe:
(i) A copy of a court order from a court of competent jurisdiction authorizing the agency to seek the information in a criminal or civil investigation; and
(ii) A written justification that sets forth specific reasons why the requested information is relevant to the criminal or civil investigation.
(3) The head of a Federal agency, or their designee, who makes a request under paragraph (b)(3)(ii)(A) of this section shall:
(i) Retain for its records the request for information under the applicable international treaty, agreement, or convention;
(ii) Submit to FinCEN, in the form and manner as FinCEN shall prescribe: the name, title, email address, and telephone number for the individual from the Federal agency making the request; the name, title, agency, and country of the foreign person on whose behalf the Federal agency is making the request; the title and date of the international treaty, agreement, or convention under which the request is being made; and a certification that the information is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country.
(4) The head of a Federal agency, or their designee, who makes a request under paragraph (b)(3)(ii)(B) of this section shall submit to FinCEN, in the form and manner as FinCEN shall prescribe:
(i) A written explanation of the specific purpose for which the foreign person is seeking information under paragraph (b)(3)(ii)(B) of this section, along with an accompanying certification that the information is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country; will be used only for the particular purpose or activity for which it is requested; and will be handled consistent with the requirements of paragraph (d)(3) of this section;
(ii) The name, title, email address, and telephone number for the individual from the Federal agency making the request;
(iii) The name, title, agency, and country of the foreign person on whose behalf the Federal agency is making the request; and
(iv) Any other information that FinCEN requests in order to evaluate the request.
(5) The head of a Federal functional regulator or other appropriate regulatory agency, or their designee, who makes a request under paragraph (b)(4)(ii) of this section shall make a written certification to FinCEN, in the form and manner as FinCEN shall prescribe, that:
(i) The agency is authorized by law to assess, supervise, enforce, or otherwise determine the compliance of a relevant financial institution with customer due diligence requirements under applicable law; and
(ii) The agency will use the information solely for the purpose of conducting the assessment, supervision, or authorized investigation or activity described in paragraph (b)(4)(ii)(A) of this section.
(2) Security and confidentiality requirements for financial institutions.
To receive information under paragraph (b)(4)(i) of this section, a financial institution shall satisfy the following requirements:
(i) Restrictions on personnel access to information. The financial institution shall restrict access to information obtained from FinCEN under paragraph (b)(4)(i) of this section to directors, officers, employees, contractors, and agents within the United States.
(ii) Safeguards. The financial institution shall develop and implement administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of such information. The requirements of this paragraph (d)(2)(i) of this section shall be deemed satisfied to the extent that a financial institution:
(A) Applies such information procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), and applicable regulations issued thereunder, with regard to the protection of its customers’ nonpublic personal information, modified as needed to account for any unique requirements imposed under this section; or
(B) If it is not subject to section 501 of the Gramm-Leach-Bliley Act, applies such information procedures with regard to the protection of its customers’ nonpublic personal information that are required, recommended, or authorized under applicable Federal or State law and are at least as protective of the security and confidentiality of customer information as procedures that satisfy the standards of section 501 of the Gramm-Leach-Bliley Act.
(iii) Consent to obtain information.
Before making a request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall obtain and document the consent of the reporting company to request such information. The documentation of the reporting company’s consent shall be maintained for 5 years after it is last relied upon in connection with a request for information under paragraph (b)(4)(i) of this section.
(iv) Certification. For each request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall make a written certification to FinCEN that it:
(A) Is requesting the information to facilitate its compliance with customer due diligence requirements under applicable law;
(B) Has obtained the written consent of the reporting company to request the information from FinCEN; and
(C) Has fulfilled all other requirements of paragraph (d)(2) of this section.
(3) Security and confidentiality requirements for foreign recipients of information. (i) To receive information under paragraph (b)(3)(ii)(A) of this section, a foreign person on whose behalf a Federal agency made the request under that paragraph shall comply with all applicable handling, disclosure, and use requirements of the international treaty, agreement, or convention under which the request was made.
(i) To receive information under paragraph (b)(3)(ii)(B) of this section, a foreign person on whose behalf a Federal agency made the request under that paragraph shall ensure that the following requirements are satisfied:
(A) Standards and procedures. A foreign person who receives information pursuant to paragraph (b)(3)(ii)(B) of this section shall establish standards and procedures to protect the security and confidentiality of such information, including procedures for training personnel who will have access to it on the appropriate handling and safeguarding of such information.
(B) Secure system for beneficial ownership information storage. Such information shall be maintained in a secure system that complies with the security standards the foreign person applies to the most sensitive unclassified information it handles.
(C) Minimization. To the greatest extent practicable, the scope of information sought shall be limited, consistent with the purposes for seeking such information.
(D) Restrictions on personnel access to information. Access to such information shall be limited to persons—
(1) Who are directly engaged in the activity described in paragraph (b)(3) of this section for which the information was requested;
(2) Whose duties or responsibilities require such access; and
(3) Who have undergone training on the appropriate handling and safeguarding of information obtained pursuant to this section.
(e) Administration of requests—(1) Form and manner of requests. Requests for information under paragraph (b) of this section shall be submitted to FinCEN in such form and manner as FinCEN shall prescribe.
(2) Rejection of requests. (i) FinCEN will reject a request under paragraph (b)(4) of this section, and may reject any other request made pursuant to this section, if such request is not submitted in the form and manner prescribed by FinCEN.
(ii) FinCEN may reject any request, or otherwise decline to disclose any information in response to a request made under this section, if FinCEN, in its sole discretion, finds that, with respect to the request:
(A) The requester has failed to meet any requirement of this section;
(B) The information is being requested for an unlawful purpose; or
(C) Other good cause exists to deny the request.
(3) Suspension of access.
(i) FinCEN may permanently debar or temporarily suspend, for any period of time, any requesting party from receiving or accessing information under paragraph (b) of this section if FinCEN, in its sole discretion, finds that:
(A) The requesting party has failed to meet any requirement of this section;
(B) The requesting party has requested information for an unlawful purpose; or
(C) Other good cause exists for such debarment or suspension.
(ii) FinCEN may reinstate the access of any requester that has been suspended or debarred under this paragraph (e)(3) upon satisfaction of any terms or conditions that FinCEN deems appropriate.
(f) Violations—(1) Unauthorized disclosure or use. Except as authorized by this section, it shall be unlawful for any person to knowingly disclose, or knowingly use, the beneficial ownership information obtained by the person, directly or indirectly, through:
(i) A report submitted to FinCEN under § 1010.380; or
(ii) A disclosure made by FinCEN pursuant to paragraph (b) of this section.
(2) For purposes of paragraph (f)(1) of this section, unauthorized use shall include accessing information without authorization, and shall include any violation of the requirements described in paragraph (d) of this section in connection with any access.
Himamauli Das, Acting Director, Financial Crimes Enforcement Network.
[FR Doc. 2022–27031 Filed 12–15–22; 8:45 am]
BILLING CODE 4810–02–P


[Federal Register Volume 87, Number 241 (Friday, December 16, 2022)]
[Proposed Rules]
[Pages 77404-77457]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-27031]



[[Page 77403]]

Vol. 87, No. 241
Friday, December 16, 2022

Part VI

Department of the Treasury
Financial Crimes Enforcement Network

31 CFR Part 1010

Beneficial Ownership Information Access and Safeguards, and Use of 
FinCEN Identifiers for Entities; Proposed Rule


[[Page 77404]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network

31 CFR Part 1010

RIN 1506-AB59
RIN 1506-AB49


Beneficial Ownership Information Access and Safeguards, and Use 
of FinCEN Identifiers for Entities

AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION: Notice of proposed rulemaking (NPRM).

-----------------------------------------------------------------------

SUMMARY: FinCEN is promulgating proposed regulations regarding access 
by authorized recipients to beneficial ownership information (BOI) that 
will be reported to FinCEN pursuant to Section 6403 of the Corporate 
Transparency Act (CTA), enacted into law as part of the Anti-Money 
Laundering Act of 2020 (AML Act), which is itself part of the National 
Defense Authorization Act for Fiscal Year 2021 (NDAA). The proposed 
regulations would implement the strict protocols on security and 
confidentiality required by the CTA to protect sensitive personally 
identifiable information (PII) reported to FinCEN. The NPRM explains 
the circumstances in which specified recipients would have access to 
BOI and outlines data protection protocols and oversight mechanisms 
applicable to each recipient category. The disclosure of BOI to 
authorized recipients in accordance with appropriate protocols and 
oversight will help law enforcement and national security agencies 
prevent and combat money laundering, terrorist financing, tax fraud, 
and other illicit activity, as well as protect national security. 
FinCEN is also proposing regulations to specify when and how reporting 
companies can use FinCEN identifiers to report the BOI of entities.

DATES: Written comments on this proposed rule may be submitted on or 
before February 14, 2023.

ADDRESSES: Comments may be submitted by any of the following methods:
     Federal E-rulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments. Refer to Docket Number 
FINCEN-2021-0005 and RIN 1506-AB49/AB59.
     Mail: Policy Division, Financial Crimes Enforcement 
Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-
2021-0005 and RIN 1506-AB49/AB59.

FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section 
at 1-800-767-2825 or electronically at [email protected].

SUPPLEMENTARY INFORMATION: 

I. Executive Summary

    These proposed regulations would implement the provisions in the 
CTA, codified at 31 U.S.C. 5336(c),\1\ that authorize certain 
recipients to receive disclosures of identifying information associated 
with reporting companies, their beneficial owners, and their company 
applicants (together, BOI). The CTA requires reporting companies to 
report BOI to FinCEN pursuant to 31 U.S.C. 5336(b). This NPRM reflects 
FinCEN's careful consideration of public comments, including those 
received in response to an advance notice of proposed rulemaking 
(ANPRM) \2\ on the implementation of the CTA, and in response to an 
NPRM regarding BOI reporting requirements (Reporting NPRM).\3\ This 
NPRM also reflects FinCEN's understanding of the critical need for the 
highest standard of security and confidentiality protocols to maintain 
confidence in the U.S. government's ability to protect sensitive 
information while achieving the objective of the CTA--establishing a 
database of beneficial ownership information (BOI) that will be highly 
useful in combatting illicit finance and the abuse of shell and front 
companies by criminals, corrupt officials, and other bad actors.
---------------------------------------------------------------------------

    \1\ The CTA is Title LXIV of the William M. (Mac) Thornberry 
National Defense Authorization Act for Fiscal Year 2021, Public Law 
116-283 (Jan. 1, 2021) (the NDAA). Division F of the NDAA is the 
Anti-Money Laundering Act of 2020 (AML Act), which includes the CTA. 
Section 6403 of the CTA, among other things, amends the Bank Secrecy 
Act (BSA) by adding a new Section 5336, Beneficial Ownership 
Information Reporting Requirements, to Subchapter II of Chapter 53 
of Title 31, United States Code.
    \2\ 86 FR 17557 (Apr. 5, 2021).
    \3\ 86 FR 69920 (Dec. 8, 2021).
---------------------------------------------------------------------------

    The proposed regulations aim to ensure that: (1) only authorized 
recipients have access to BOI; (2) authorized recipients use that 
access only for purposes permitted by the CTA; and (3) authorized 
recipients only re-disclose BOI in ways that balance protection of the 
security and confidentiality of the BOI with furtherance of the CTA's 
objective of making BOI available to a range of users for purposes 
specified in the CTA. The proposed regulations also provide a robust 
framework to ensure that BOI reported to FinCEN, and received by 
authorized recipients, is subject to strict cyber security controls, 
confidentiality protections and restrictions, and robust audit and 
oversight measures. Coincident with the protocols described in this 
NPRM, FinCEN is working to develop a secure, non-public database in 
which to store BOI, using rigorous information security methods and 
controls typically used in the Federal government to protect non-
classified yet sensitive information systems at the highest security 
level. Against this backdrop and consistent with the CTA, FinCEN will 
permit Federal, State, local, and Tribal officials, as well as certain 
foreign officials acting through a Federal agency, to obtain BOI for 
use in furtherance of statutorily authorized activities such as those 
related to national security, intelligence, and law enforcement. 
Financial institutions (FIs) with customer due diligence (CDD) 
requirements under applicable law will have access to BOI to facilitate 
CDD compliance. Their regulators will likewise have access to BOI to 
make assessments of CDD compliance.
    Additionally, FinCEN is proposing certain amendments to the BOI 
reporting regulations regarding the use of FinCEN identifiers.\4\ The 
proposed amendments would specify how reporting companies would be able 
to use an entity's FinCEN identifier to fulfill their BOI reporting 
obligations under 31 CFR 1010.380.
---------------------------------------------------------------------------

    \4\ Id. As defined in 31 CFR 1010.380(f)(2), a FinCEN 
identifier is a unique identifying number assigned by FinCEN to an 
individual or reporting company under 31 CFR 1010.380.
---------------------------------------------------------------------------

II. Background

A. Access to Beneficial Ownership Information

    As Congress explained in the CTA, ``malign actors seek to conceal 
their ownership of corporations, limited liability companies, or other 
similar entities in the United States to facilitate illicit activity, 
including money laundering, the financing of terrorism, proliferation 
financing, serious tax fraud, human and drug trafficking, 
counterfeiting, piracy, securities fraud, financial fraud, and acts of 
foreign corruption, harming the national security interests of the 
United States and allies of the United States.'' \5\ Access by 
authorized recipients to BOI reported under the CTA would significantly 
aid efforts to protect U.S. national security and safeguard the U.S. 
financial system from such illicit use. It would impede illicit actors' 
ability to use legal entities to conceal proceeds from criminal acts 
that undermine U.S. national security and foreign policy interests, 
such as corruption, human smuggling, drug and arms trafficking, and 
terrorist financing. BOI can also add critical data to financial 
analyses in activities the CTA 
contemplates, including tax investigations. It can also provide 
essential information to the intelligence and national security 
professionals who work to prevent terrorists, proliferators, and those 
who seek to undermine our democratic institutions or threaten other 
core U.S. interests from raising, hiding, or moving money in the United 
States through anonymous shell or front companies.\6\
---------------------------------------------------------------------------

    \5\ CTA, Section 6402(3).
    \6\ A front company generates legitimate business proceeds to 
commingle with illicit earnings. See U.S. Department of the 
Treasury, National Money Laundering Risk Assessment (2018), p. 29, 
available at https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf.
---------------------------------------------------------------------------

    The United States currently does not have a centralized or complete 
store of information about who owns and operates legal entities within 
the United States. The beneficial ownership data available to law 
enforcement and national security agencies are generally limited to the 
information collected by financial institutions on legal entity 
accounts pursuant to their CDD or broader Customer Identification 
Program (CIP) obligations, some of which has been included in 
Suspicious Activity Reports (SARs) or provided to law enforcement in 
response to judicial process.\7\ As set out in detail in the Reporting 
NPRM \8\ and the BOI reporting final rule,\9\ U.S. law enforcement 
officials and the Financial Action Task Force (FATF),\10\ among others, 
have for years noted how the lack of timely access to accurate and 
adequate BOI by law enforcement and other authorized recipients 
remained a significant gap in the United States' anti-money-laundering/
countering-the-financing-of-terrorism (AML/CFT) and countering the 
financing of proliferation (CFP) framework. Broadly, and critically, 
BOI can identify linkages between potential illicit actors and opaque 
business entities, including shell companies. Furthermore, comparing 
BOI reported pursuant to the CTA against data collected under the Bank 
Secrecy Act (BSA) and other relevant government data is expected to 
significantly further efforts to identify illicit actors and combat 
their financial activities.
---------------------------------------------------------------------------

    \7\ 31 CFR 1010.230. Even then, any BOI a financial institution 
collects is not systematically reported to any central repository.
    \8\ Supra note 3.
    \9\ 87 FR 59498 (Sept. 30, 2022).
    \10\ The FATF, of which the United States is a founding member, 
is an international, inter-governmental task force whose purpose is 
the development and promotion of international standards and the 
effective implementation of legal, regulatory, and operational 
measures to combat money laundering, terrorist financing, the 
financing of weapons proliferation, and other related threats to the 
integrity of the international financial system. The FATF assesses 
over 200 jurisdictions against its minimum standards for beneficial 
ownership transparency. Among other things, it has established 
standards on transparency and beneficial ownership of legal persons, 
to deter and prevent the misuse of corporate vehicles. See FATF 
Recommendation 24, Transparency and Beneficial Ownership of Legal 
Persons, The FATF Recommendations: International Standards on 
Combating Money Laundering and the Financing of Terrorism and 
Proliferation (updated Oct. 2020), available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html; FATF Guidance, Transparency and Beneficial 
Ownership, Part III (Oct. 2014), available at https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf.
---------------------------------------------------------------------------

    As law enforcement and other U.S. government officials have noted, 
investigations into, and prosecutions of, money laundering, corruption, 
and other illicit financial activities are often prolonged or stymied 
by those officials' inability to rapidly access BOI in a centralized 
database. Kenneth A. Blanco, then-Director of FinCEN and a former State 
and Federal prosecutor, observed in 2019 testimony to the U.S. Senate 
Committee on Banking, Housing and Urban Affairs that, based on that 
experience, identifying the 
ultimate beneficial owner of a shell or front company in the United 
States ``often requires human source information, grand jury subpoenas, 
surveillance operations, witness interviews, search warrants, and 
foreign legal assistance requests to get behind the outward facing 
structure of these shell companies. This takes an enormous amount of 
time--time that could be used to further other important and necessary 
aspects of an investigation--and wastes resources, or prevents 
investigators from getting to other equally important investigations.'' 
\11\
---------------------------------------------------------------------------

    \11\ FinCEN, Testimony for the Record, Kenneth A. Blanco, 
Director, U.S. Senate Committee on Banking, Housing and Urban 
Affairs (May 21, 2019), available at https://www.banking.senate.gov/imo/media/doc/Blanco%20Testimony%205-21-19.pdf.
---------------------------------------------------------------------------

    The FBI's Steven M. D'Antuono elaborated on these difficulties, 
testifying before the Senate Banking, Housing, and Urban Affairs 
Committee in 2019 that ``[t]he process for the production of records 
can be lengthy, anywhere from a few weeks to many years, and . . . can 
be extended drastically when it is necessary to obtain information from 
other countries . . . . [I]f an investigator obtains the ownership 
records, either from a domestic or foreign entity, the investigator may 
discover that the owner of the identified corporate entity is an 
additional corporate entity, necessitating the same process for the 
newly discovered corporate entity. Many professional launderers and 
others involved in illicit finance intentionally layer ownership and 
financial transactions in order to reduce transparency of transactions. 
As it stands, it is a facially effective way to delay an 
investigation.'' \12\ D'Antuono acknowledged that these challenges may 
be even starker for State, local, and Tribal law enforcement agencies 
that may not have the same resources as their Federal counterparts to 
undertake long and costly investigations to identify the beneficial 
owners of these entities.\13\ During the testimony, he noted that 
requiring the disclosure of BOI by legal entities and the creation of a 
central BOI repository available to law enforcement and regulators 
could address these challenges.\14\
---------------------------------------------------------------------------

    \12\ Federal Bureau of Investigation (FBI), Testimony of Steven 
M. D'Antuono, Section Chief, Criminal Investigative Division, 
``Combatting Illicit Financing by Anonymous Shell Companies'' (May 
21, 2019), available at https://www.fbi.gov/news/testimony/combating-illicit-financing-by-anonymous-shell-companies.
    \13\ Id.
    \14\ Id.
---------------------------------------------------------------------------

    The process of obtaining BOI through grand jury subpoenas and other 
means can be time-consuming and of limited utility in some cases. Grand 
jury subpoenas, for example, require an underlying grand jury 
investigation into a possible violation of law. In addition, the law 
enforcement officer or investigator must work with a prosecutor's 
office, such as a U.S. Attorney's Office, to open a grand jury 
investigation, obtain the grand jury subpoena, and issue it on behalf 
of the grand jury. The investigator also needs to determine the proper 
recipient of the subpoena and coordinate service, which raises 
additional complications in cases where there is excessive layering of 
corporate structures to hide the identity of the ultimate beneficial 
owners. In some cases, however, BOI still may not be attainable via 
grand jury subpoena because it is not recorded. For example, because 
most states do not require the disclosure of BOI when forming or 
registering an entity, BOI cannot be obtained from the secretary of 
state or similar office. Furthermore, many states permit corporations 
to acquire property without disclosing BOI, and therefore BOI cannot be 
obtained from property records.
    FinCEN's existing regulatory tools also have significant 
limitations. The 2016 CDD Rule,\15\ for example, requires that certain 
types of U.S. financial institutions identify and verify the beneficial 
owners of legal entity customers at the time those financial 
institutions open a new account for a 
legal entity customer,\16\ but the rule provides only a partial 
solution.\17\ The information provided to U.S. financial institutions 
about beneficial owners of certain U.S. entities is generally not 
comprehensive and not reported to the U.S. government (nor to State, 
local, or Tribal governments), except when filed in SARs or in response 
to judicial process. It is therefore not immediately available to law 
enforcement, intelligence, and national security agencies. Moreover, 
the CDD rule applies only to legal entities that open accounts at 
certain U.S. financial institutions. Other FinCEN authorities--
geographic targeting orders \18\ and the so-called ``311 measures'' 
(i.e., special measures imposed on jurisdictions, financial 
institutions, or international transactions of primary money laundering 
concern) \19\--offer temporary and targeted tools. Neither provides law 
enforcement the ability to reliably, efficiently, and consistently 
follow investigatory leads.
---------------------------------------------------------------------------

    \15\ 81 FR 29397 (May 11, 2016).
    \16\ The CDD Rule NPRM contained a requirement that covered 
financial institutions conduct ongoing monitoring to maintain and 
update customer information on a risk basis, specifying that 
customer information includes the beneficial owners of legal entity 
customers. As noted in the supplementary material to the final rule, 
FinCEN did not construe this obligation as imposing a categorical, 
retroactive requirement to identify and verify BOI for existing 
legal entity customers. Rather, these provisions reflect the 
conclusion that a financial institution should obtain BOI from 
existing legal entity customers when, in the course of its normal 
monitoring, the financial institution detects information relevant 
to assessing or reevaluating the risk of such customer. Final Rule, 
Customer Due Diligence Requirements for Financial Institutions, 81 
FR 29398, 29404 (May 11, 2016).
    \17\ See U.S. Money Laundering Threat Assessment Working Group, 
U.S. Money Laundering Threat Assessment (2005), pp. 48-49, available 
at https://www.treasury.gov/resource-center/terrorist-illicit-finance/documents/mlta.pdf. See also Congressional Research Service, 
Miller, Rena S. and Rosen, Liana W., Beneficial Ownership 
Transparency in Corporate Formation, Shell Companies, Real Estate, 
and Financial Transactions (Jul. 8, 2019), available at https://crsreports.congress.gov/product/pdf/R/R45798.
    \18\ 31 U.S.C. 5326(a); 31 CFR 1010.370.
    \19\ 31 U.S.C. 5318A, as added by section 311 of the USA PATRIOT 
Act (Pub. L. 107-56).
---------------------------------------------------------------------------

    The utility and value of BOI reported to FinCEN, therefore, rests 
in large part on the bureau's ability to provide authorized recipients 
predictable and efficient access to reported BOI while protecting the 
confidentiality and integrity of the information. As Congress noted, 
``[f]ederal legislation providing for the collection of beneficial 
ownership information for corporations, limited liability companies, or 
other similar entities formed under the laws of the States is needed'' 
to protect vital U.S. ``national security interests . . . [and] better 
enable critical national security, intelligence, and law enforcement 
efforts to counter money laundering, the financing of terrorism, and 
other illicit activity.'' \20\ Furthermore, providing authorized 
recipients in FIs access to BOI reported to FinCEN, as the CTA 
requires, will assist FIs in complying with AML/CFT and CDD 
requirements.
---------------------------------------------------------------------------

    \20\ CTA, Section 6402(5)(B), (D).
---------------------------------------------------------------------------

B. The Corporate Transparency Act

    The CTA is part of the AML Act, which is itself a part of the 2021 
NDAA. The CTA added a new section, 31 U.S.C. 5336, to the BSA to 
address the broader objectives of enhancing beneficial ownership 
transparency while minimizing the burden on the regulated community. In 
brief, 31 U.S.C. 5336 requires certain types of domestic and foreign 
entities, called ``reporting companies,'' to submit specified BOI to 
FinCEN. FinCEN is authorized to share this BOI with certain Government 
agencies, financial institutions, and regulators, subject to 
appropriate protocols.\21\ The requirement for reporting companies to 
submit BOI takes effect ``on the effective date of the regulations 
prescribed by the Secretary of the Treasury under [31 U.S.C. 5336].'' 
\22\ Reporting companies formed or registered after the effective date 
will need to submit the requisite BOI to FinCEN at the time of 
formation, while preexisting reporting companies will have a specified 
period to comply and report.\23\
---------------------------------------------------------------------------

    \21\ See generally 31 U.S.C. 5336(b), (c).
    \22\ 31 U.S.C. 5336(b)(5).
    \23\ See 31 U.S.C. 5336(b)(1)(B), (C).
---------------------------------------------------------------------------

    The CTA reporting requirements generally exempt entities that are 
otherwise subject to significant regulatory regimes--e.g., banks--where 
Congress presumably expected primary regulators to have visibility into 
the identities of the owners and ownership structures of the entities. 
The exemptions thus avoid imposing duplicative requirements in these 
cases.
    The provision at 31 U.S.C. 5336 requires reporting companies to 
submit to FinCEN, for each beneficial owner and company applicant, 
either the individual's full legal name, date of birth, current 
residential or business street address, and a unique identifying number 
from an acceptable identification document (e.g., a nonexpired 
passport)--four readily accessible pieces of information that should 
not be unduly burdensome for individuals to produce, or for reporting 
companies to collect and submit to FinCEN--or a FinCEN identifier.\24\ 
A FinCEN identifier is a unique identifying number that FinCEN will 
issue to individuals or entities upon request.\25\ In certain 
instances, the FinCEN identifier may be reported in lieu of an 
individual's name, birth date, address, and unique identification 
number.\26\ As noted in Section II.E. below, FinCEN addressed the 
regulatory requirements related to BOI reporting pursuant to the CTA 
through the recent issuance of a final BOI reporting rule.\27\
---------------------------------------------------------------------------

    \24\ See 31 U.S.C. 5336(b)(2).
    \25\ See 31 U.S.C. 5336(b)(3)(A)(i).
    \26\ See 31 U.S.C. 5336(b)(3)(B).
    \27\ Supra note 7.
---------------------------------------------------------------------------

    Given the sensitivity of the reportable BOI, the CTA imposes strict 
confidentiality and security restrictions on the storage, access, and 
use of BOI. Congress authorized FinCEN to disclose BOI to a statutorily 
defined group of governmental authorities and financial institutions, 
in limited circumstances. The CTA establishes that BOI is ``sensitive 
information,'' \28\ and provides that the Secretary of the Treasury 
(Secretary) shall ``maintain [it] in a secure, nonpublic database, 
using information security methods and techniques that are appropriate 
to protect nonclassified information systems at the highest security 
level.'' \29\ The statute further provides that BOI is only to be used 
by specified parties for specified purposes.\30\ Access to and 
disclosure of BOI is the focus of this NPRM.
---------------------------------------------------------------------------

    \28\ CTA, Section 6402(6).
    \29\ CTA, Section 6402(7)(A). While the statutory language seems 
to include a typo that refers to another provision, it also seems 
clear that the object of protection in this case is BOI.
    \30\ CTA, Section 6402(6).
---------------------------------------------------------------------------

    In addition to setting out requirements and restrictions related to 
BOI reporting and access, the CTA requires that FinCEN revise the 
current CDD Rule within one year of January 1, 2024, the effective date 
of the final BOI reporting rule, by rescinding paragraphs (b) through 
(j) of 31 CFR 1010.230.\31\ The CTA identifies three purposes for this 
revision: (1) to bring the rule into conformity with the AML Act as a 
whole, including the CTA; (2) to account for financial institutions' 
access to BOI reported to FinCEN ``in order to confirm the beneficial 
ownership information provided directly to the financial institutions'' 
for AML/CFT and customer due diligence purposes; and (3) to reduce 
unnecessary or duplicative 
burdens on financial institutions and legal entity customers.\32\
---------------------------------------------------------------------------

    \31\ CTA, Section 6403(d)(1), (2). The CTA orders the rescission 
of paragraphs (b) through (j) directly (``the Secretary of the 
Treasury shall rescind paragraphs (b) through (j)'') and orders the 
retention of paragraph (a) by a negative rule of construction 
(``nothing in this section may be construed to authorize the 
Secretary of the Treasury to repeal ... [31 CFR] 1010.230(a)[.]'').
    \32\ CTA, Section 6403(d)(1)(A)-(C).
---------------------------------------------------------------------------

    FinCEN intends to satisfy the requirements related to the revision 
of the CDD Rule through a future rulemaking process that will provide 
the public with an opportunity to comment on the proposal. FinCEN 
anticipates that this rulemaking to revise the CDD Rule will touch on 
the issue of the interplay between financial institutions' CDD efforts 
and the beneficial ownership IT system that FinCEN is developing to 
receive, store, and maintain BOI.

C. The Advance Notice of Proposed Rulemaking

    On April 5, 2021, FinCEN published the ANPRM related to 
implementing the CTA.\33\ The ANPRM sought input on five open-ended 
categories of questions, including on clarifying key definitions and on 
FinCEN's implementation of the related provisions of the CTA that 
govern the bureau's maintenance and disclosure of BOI subject to 
appropriate access protocols.
---------------------------------------------------------------------------

    \33\ Supra note 2.
---------------------------------------------------------------------------

    In response to the ANPRM, FinCEN received 220 comments from parties 
that included businesses, civil society organizations, trade 
associations, law firms, secretaries of state and other State 
officials, Indian Tribes, members of Congress, and private citizens. 
Some comments focused on issues that pertain to this access rulemaking, 
such as the structure of the BOI database, certain users' need for 
access, the importance of ensuring the security of the database, 
specific technological decisions that FinCEN could make, and the 
desirability of a FinCEN commitment to verifying the information in the 
database.
    FinCEN has considered all of the comments that it received in 
response to the ANPRM in drafting this proposed rule.

D. The Reporting Notice of Proposed Rulemaking

    FinCEN followed the ANPRM with the December 8, 2021, publication of 
the Reporting NPRM, the first of the three CTA-related rulemakings.\34\ 
In the Reporting NPRM, FinCEN described in detail Treasury's efforts to 
address the lack of transparency in certain legal entity ownership, the 
value of BOI, the national security and law enforcement implications of 
legal entities with anonymous beneficial owners, and the need for 
centralized BOI collection.\35\ The Reporting NPRM acknowledged the 
current environment in which criminals and other bad actors can exploit 
the creation and use of legal entities in the United States.
---------------------------------------------------------------------------

    \34\ 86 FR 69920 (Dec. 8, 2021).
    \35\ Id. at 69921-69928.
---------------------------------------------------------------------------

    The Reporting NPRM proposed regulations specifying what BOI must be 
reported to FinCEN pursuant to CTA requirements, by whom, and when. In 
particular, it proposed that domestic and foreign reporting companies 
report to FinCEN four pieces of BOI for each of their beneficial owners 
and company applicants: full legal name, birthdate, current residential 
or business street address, and a unique identifying number from an 
acceptable identification document (e.g., a nonexpired passport or 
driver's license). In the alternative, the proposed rule would permit a 
reporting company to report a FinCEN identifier for an individual or 
entity in certain circumstances.\36\ These regulations also proposed 
processes for obtaining, updating, and using FinCEN identifiers. The 
Reporting NPRM included a 60-day comment period, which closed on 
February 7, 2022, and FinCEN received over 240 comments on the NPRM.
---------------------------------------------------------------------------

    \36\ See 31 U.S.C. 5336(b).
---------------------------------------------------------------------------

E. The Final Reporting Rule

    On September 30, 2022, FinCEN published a final rule implementing 
the CTA's BOI reporting requirements and addressing the comments 
submitted on the NPRM. The final regulations require certain legal 
entities to file with FinCEN reports that identify the beneficial 
owners of the entity, and individuals who filed (or who are primarily 
responsible for directing or controlling the filing of) an application 
with specified governmental authorities to create the entity or 
register it to do business. Further, the regulations describe who must 
file a report, what information must be provided, and when a report is 
due. These reporting requirements are intended to help prevent and 
combat money laundering, terrorist financing, corruption, tax fraud, 
and other illicit activity, while minimizing the burden on reporting 
companies.
    In addition, as the final BOI reporting rule noted, providing 
authorized users in the law enforcement, national security, and 
regulatory communities, and in FIs, access to the reported BOI will 
diminish the ability of illicit actors to obfuscate their activities 
through the use of anonymous shell and front companies. FinCEN also 
recognized in the final BOI reporting rule the vital importance of 
protecting the reported BOI and ensuring, through the issuance of 
regulations governing access to the reported BOI, that the BOI is 
subject to stringent use and security protocols. The BOI final 
reporting regulations become effective on January 1, 2024.
    Furthermore, the final BOI reporting rule reserved certain 
provisions concerning the use of FinCEN identifiers for entities for 
further consideration. This Access NPRM includes proposed amendments to 
the reporting regulations that would finalize these remaining 
provisions.

F. Beneficial Ownership Information Infrastructure

i. Beneficial Ownership Information IT System Development
    The CTA directs the Secretary to maintain BOI ``in a secure, 
nonpublic database, using information security methods and techniques 
that are appropriate to protect non-classified information security 
systems at the highest security level . . . .'' \37\ To implement this 
requirement, FinCEN has been developing a secure information technology 
(IT) system to receive, store, and maintain BOI. FinCEN has gathered 
requirements and completed initial system engineering, architectures, 
and program planning activities. The initial build of the cloud 
infrastructure is complete and the development of the first set of 
system products is in progress. The target date for the system to begin 
accepting BOI reports is January 1, 2024, the same day the reporting 
rule takes effect.
---------------------------------------------------------------------------

    \37\ CTA, Section 6402(7).
---------------------------------------------------------------------------

    FinCEN is taking a very deliberative approach to designing and 
building the system, factoring in the requirements set out in the CTA 
as well as guidance from Congress. As Senator Sherrod Brown, the then-
Ranking Member of the Senate Committee on Banking, Housing, and Urban 
Affairs and one of the primary authors of the CTA, noted in his 
December 9, 2020, floor statement accompanying the CTA, ``[i]n 
designing the [system], FinCEN should survey other beneficial ownership 
databases to determine their best features and design, and create a 
structure that secures the data as required by law.'' \38\ Among other 
actions FinCEN has undertaken in the development of the system, FinCEN 
met not only with future stakeholders to better understand their need 
to access BOI and how they currently safeguard sensitive information 
(see Section II.H. ``Outreach'' below), but also with other government 
entities that had developed 
beneficial ownership databases, such as the District of Columbia's 
(DC's) Superintendent of Corporations (within DC's Department of 
Consumer and Regulatory Affairs Corporations), and the United Kingdom's 
Companies House.
---------------------------------------------------------------------------

    \38\ Senator Sherrod Brown, National Defense Authorization Act, 
Congressional Record 166:208 (Dec. 9, 2020), p. S7312, available at 
https://www.govinfo.gov/content/pkg/CREC-2020-12-09/pdf/CREC-2020-12-09.pdf.
---------------------------------------------------------------------------

    Senator Brown also encouraged FinCEN to ``ensure that [F]ederal, 
[S]tate, local and tribal law enforcement can access the beneficial 
ownership database without excessive delays or red tape in a manner 
modeled after its existing systems providing law enforcement access to 
databases containing currency transaction and suspicious activity 
report information.'' \39\ Keeping BOI secure and confidential is one 
of FinCEN's highest priorities in building the system. Serving that 
interest requires not only designing and implementing appropriate 
technical controls around BOI security and storage, but also thoroughly 
understanding the ways in which prospective authorized BOI recipients 
intend to access, handle, and use BOI. This knowledge in turn informs 
the policies, procedures, and processes that will govern how authorized 
recipients treat BOI when they access it.
---------------------------------------------------------------------------

    \39\ Id.
---------------------------------------------------------------------------

    This balance is reflected in the ongoing development of the system. 
Consistent with the CTA's requirement,\40\ the system will be cloud-
based and is being implemented to meet the highest Federal Information 
Security Management Act (FISMA) \41\ level (FISMA High).\42\ A FISMA 
High rating indicates that losing the confidentiality, integrity, or 
availability of information within a system would have a severe or 
catastrophic adverse effect on the organization maintaining the system, 
including on organizational assets or individuals.\43\ The rating 
carries with it a requirement to implement certain baseline controls to 
protect the relevant information.\44\
---------------------------------------------------------------------------

    \40\ 31 U.S.C. 5336(c)(8).
    \41\ 44 U.S.C. 3541 et seq.
    \42\ See U.S. Department of Commerce, Federal Information 
Processing Standards Publication: Standards for Security 
Categorization of Federal Information and Information Systems 
(``FIPS Pub 199'') (Feb. 2004), available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf.
    \43\ Id. at 3.
    \44\ Id.
---------------------------------------------------------------------------

    FinCEN recognizes that BOI is highly sensitive information. FinCEN 
therefore views it as critical to mitigate the risk of unauthorized 
disclosure of BOI as much as possible. To that end, system 
functionality will vary by recipient category consistent with statutory 
requirements and limitations on BOI disclosure--for example, financial 
institutions will have a different level of access to BOI than law 
enforcement agencies. The regulations proposed in this Access NPRM 
complement this functionality by clarifying and codifying those 
requirements and limitations, including through recipient-specific 
access protocols designed to protect BOI security and confidentiality.
ii. CTA Implementation Efforts
    FinCEN continues to face resource constraints in developing and 
deploying the Beneficial Ownership IT System and efforts to put in 
place processes to support the collection and use of BOI. There are a 
myriad of areas that need additional investment, including additional 
personnel to support efforts beyond the initial build of the Beneficial 
Ownership IT System. These include efforts to provide clear and 
transparent guidance to reporting companies and authorized users of 
BOI, negotiating and implementing memoranda of understanding (MOUs) 
with domestic government agencies, reviewing requests for BOI and 
accompanying court authorizations from State, local, or tribal law 
enforcement agencies, auditing the handling and use of BOI, and 
enforcement activities.
    FinCEN is particularly focused on providing adequate customer 
service resources for reporting companies in the first year and beyond 
as they file their BOI. FinCEN currently fields approximately 13,000 
inquiries a year through its Regulatory Support Section, and 
approximately 70,000 external technical inquiries a year through the IT 
Systems Helpdesk. FinCEN has estimated that there will be approximately 
32 million reporting companies in Year 1 of the reporting requirement 
and approximately 5 million new reporting companies each year 
thereafter.\45\ If 10 percent of those reporting companies have 
questions about the reporting requirement or the form, or technical 
issues when filing, that could result in upwards of 3 million inquiries 
in Year 1, and 500,000 per year after that.
---------------------------------------------------------------------------

    \45\ 87 FR 59498, 59549 (Sept. 30, 2022).
---------------------------------------------------------------------------

    Without the availability of additional appropriated funds to 
support this project and other mission-critical services, FinCEN may 
need to identify trade-offs, including with respect to guidance and 
outreach activities, and the staged access by different authorized 
users to the database. FinCEN is currently identifying the range of 
considerations implicated by potential budget shortfalls and the trade-
offs that are available and appropriate.

G. Verification

    FinCEN continues to evaluate options for verifying reported 
BOI.\46\ ``Verification,'' as that term is used here, means confirming 
that the reported BOI submitted to FinCEN is actually associated with a 
particular individual. A number of commenters to the ANPRM and 
Reporting NPRM have affirmed the importance of verifying BOI to support 
authorized activities that rely on the information. FinCEN continues to 
review the options available to verify BOI within the legal constraints 
in the CTA.
---------------------------------------------------------------------------

    \46\ Pursuant to Sections 6502(b)(1)(C) and (D) of the AML Act, 
the Secretary, in consultation with the Attorney General, will 
conduct a study no later than two years after the effective date of 
the BOI reporting final rule, to evaluate the costs associated with 
imposing any new verification requirements on FinCEN and the 
resources necessary to implement any such changes.
---------------------------------------------------------------------------

H. Outreach

    FinCEN has conducted more than 30 outreach sessions to solicit 
input on how best to implement the statutory authorizations and 
limitations regarding BOI disclosure. Participants included 
representatives from Federal agencies, State courts, State and local 
prosecutors' offices, Tribal governments, FIs, financial self-
regulatory organizations (SROs), and, as noted previously, government 
offices that had established BOI databases. Topics discussed included 
how stakeholders might use BOI, potential information technology (IT) 
system features, circumstances in which potential stakeholders might 
need to re-disseminate BOI, and how different approaches might help 
further the purposes of the CTA. These conversations helped FinCEN 
refine its thinking about how to create a useful database for 
stakeholders while protecting BOI and individual privacy.

III. Overview of Access Framework and Protocols

A. Statutory Framework

    The CTA authorizes FinCEN to disclose BOI to five categories of 
recipients.\47\ The first category consists of recipients in Federal, 
State, local and Tribal government agencies. Within this category, 
FinCEN may disclose BOI to Federal agencies engaged in national 
security, intelligence, or law enforcement activity if the requested 
BOI is for use in furtherance of such activity.\48\ Note that Federal 
agency access is activity-based. Thus, an agency such as a Federal 
functional regulator, while perhaps not a ``law enforcement
agency'' in the conventional sense, may still be engaged in ``law 
enforcement activity'' such as civil law enforcement, and can therefore 
still request BOI from FinCEN for use in furtherance of that activity. 
FinCEN may also disclose BOI to State, local, and Tribal law 
enforcement agencies if ``a court of competent jurisdiction'' has 
authorized the law enforcement agency to seek the information in a 
criminal or civil investigation.\49\
---------------------------------------------------------------------------

    \47\ 31 U.S.C. 5336(c)(2)(B) and 31 U.S.C. 5336(c)(5).
    \48\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
    \49\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    The second category consists of foreign law enforcement agencies, 
judges, prosecutors, central authorities, and competent authorities 
(``foreign requesters''), provided their requests come through an 
intermediary Federal agency, meet certain additional criteria, and are 
made either (1) under an international treaty, agreement, or 
convention, or (2) via a request made by law enforcement, judicial, or 
prosecutorial authorities in a trusted foreign country (when no 
international treaty, agreement, or convention is available).\50\
---------------------------------------------------------------------------

    \50\ See 31 U.S.C. 5336(c)(2)(B)(ii).
---------------------------------------------------------------------------

    The third authorized recipient category is FIs using BOI to 
facilitate compliance with CDD requirements under applicable law, 
provided the FI requesting the BOI has the relevant reporting company's 
consent for such disclosure.\51\
---------------------------------------------------------------------------

    \51\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------

    The fourth category is Federal functional regulators and other 
appropriate regulatory agencies acting in a supervisory capacity 
assessing FIs for compliance with CDD requirements.\52\ These agencies 
may access the BOI information that FIs they supervise received from 
FinCEN.
---------------------------------------------------------------------------

    \52\ 31 U.S.C. 5336(c)(2)(B)(iv).
---------------------------------------------------------------------------

    The fifth and final category of authorized BOI recipients is the 
U.S. Department of the Treasury (Treasury) itself, for which the CTA 
provides relatively unique access to BOI tied to an officer or 
employee's official duties requiring BOI inspection or disclosure, 
including for tax administration.\53\
---------------------------------------------------------------------------

    \53\ 31 U.S.C. 5336(c)(5).
---------------------------------------------------------------------------

    The CTA directs the Secretary to ``take all steps, including 
regular auditing, to ensure that government authorities accessing [BOI] 
do so only for authorized purposes consistent with [the CTA].'' \54\ 
The CTA also requires the Secretary to establish protocols governing 
access by authorized recipients to BOI and protecting the information's 
security and confidentiality.\55\
---------------------------------------------------------------------------

    \54\ CTA, Section 6402(7)(B).
    \55\ See generally 31 U.S.C. 5336(c)(3).
---------------------------------------------------------------------------

    Specifically, the statute provides that the Secretary shall 
establish protocols requiring: (1) the heads of requesting agencies to 
approve standards and procedures for protecting BOI, and make related 
certifications; \56\ (2) requesting agencies to ``establish and 
maintain, to the satisfaction of the Secretary, a secure system in 
which [BOI] provided directly by the Secretary shall be stored''; \57\ 
(3) requesting agencies to ``furnish a report to the Secretary, at such 
time and containing such information as the Secretary may prescribe, 
that describes the procedures established and utilized by such agency 
to ensure the confidentiality of [BOI] provided directly by the 
Secretary''; \58\ (4) certain requesting agencies to provide a written 
certification that the requirements for access to BOI have been met; 
\59\ (5) requesting agencies to ``limit, to the greatest extent 
practicable, the scope of information sought, consistent with the 
purposes for seeking [BOI];'' \60\ (6) requesting agencies to 
``establish and maintain, to the satisfaction of the Secretary, a 
permanent system of standardized records with respect to an auditable 
trail of each request for [BOI] submitted to the Secretary by the 
agency, including the reason for the request, the name of the 
individual who made the request, the date of the request, any 
disclosure of [BOI] made by or to the agency, and any other information 
the Secretary of the Treasury determines is appropriate''; \61\ and (7) 
requesting agencies to ``conduct an annual audit to verify that the 
[BOI] received from the Secretary has been accessed and used 
appropriately, and in a manner consistent with this paragraph and 
provide the results of that audit to the Secretary upon request.'' \62\ 
The Secretary is likewise required to ``conduct an annual audit of the 
adherence of the agencies to the protocols established under this 
paragraph to ensure that agencies are requesting and using beneficial 
ownership information appropriately.'' \63\
---------------------------------------------------------------------------

    \56\ 31 U.S.C. 5336(c)(3)(B).
    \57\ 31 U.S.C. 5336(c)(3)(C).
    \58\ 31 U.S.C. 5336(c)(3)(D).
    \59\ 31 U.S.C. 5336(c)(3)(E).
    \60\ 31 U.S.C. 5336(c)(3)(F).
    \61\ 31 U.S.C. 5336(c)(3)(H).
    \62\ See 31 U.S.C. 5336(c)(3)(I).
    \63\ See 31 U.S.C. 5336(c)(3)(J).
---------------------------------------------------------------------------

    The CTA expressly restricts access to BOI to only those authorized 
users at a requesting agency: (1) who are directly engaged in an 
authorized investigation or activity; (2) whose duties or 
responsibilities require access to BOI; (3) who have undergone 
appropriate training or use staff to access the system who have 
undergone appropriate training; (4) who use appropriate identity 
verification to obtain access to the information; and (5) who are 
authorized by agreement with the Secretary to access BOI.\64\
---------------------------------------------------------------------------

    \64\ 31 U.S.C. 5336(c)(3)(G).
---------------------------------------------------------------------------

    The statute further provides the Secretary with discretionary 
authority to prescribe by regulation such other safeguards as she deems 
necessary and appropriate to protect BOI confidentiality.\65\ The 
Secretary has delegated the authority to prescribe appropriate 
protocols to protect the security and confidentiality of BOI pursuant 
to 31 U.S.C. 5336(c)(3) to FinCEN.\66\
---------------------------------------------------------------------------

    \65\ See 31 U.S.C. 5336(c)(3)(K).
    \66\ Treasury Order 180-01 (Jan. 14, 2020).
---------------------------------------------------------------------------

B. Disclosure to Authorized Domestic Government Agency Users for Non-
Supervisory Purposes

    Under the first category of BOI recipients, FinCEN expects three 
types of domestic agency users to be able to access and query the 
beneficial ownership IT system directly: (1) Federal agencies engaged 
in national security, intelligence, and law enforcement activity; (2) 
Treasury officers and employees who require access to BOI to perform 
their official duties or for tax administration; and (3) State, local, 
and Tribal law enforcement agencies. This type of access would permit 
authorized individuals within an authorized recipient agency to log in, 
run queries using multiple search fields, and review one or more 
results returned immediately.
    These agencies often lack comprehensive information about a subject 
or other relevant individuals or entities when conducting 
investigations. The ability to query the database directly and 
iteratively is therefore necessary to enable them to use BOI 
effectively. Nevertheless, to protect against potential abuse, Federal-
agency users engaged in national security, intelligence, or law 
enforcement activity would have to submit brief justifications to 
FinCEN for their searches, explaining how their searches further a 
particular qualifying activity, and these justifications would be 
subject to oversight and audit by FinCEN. FinCEN will develop guidance 
for agencies on submitting the required justifications.
    Consistent with the CTA's restrictions, authorized users from 
State, local, and Tribal law enforcement agencies would be required to 
upload the document issued by a court of competent jurisdiction 
authorizing the
agency to seek BOI from FinCEN.\67\ After FinCEN has reviewed the 
relevant authorization for sufficiency and approved the request, an 
agency could then conduct searches using multiple search fields 
consistent in scope with the court authorization and subject to audit 
by FinCEN. These searches would return results immediately.
---------------------------------------------------------------------------

    \67\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    Such broad search capabilities within the beneficial ownership IT 
system require domestic agencies to clearly understand the scope of 
their authorization and their responsibilities under it. That is why 
the proposed rule establishes protocols for requirements, limitations, 
and expectations with respect to searches by domestic agencies of the 
beneficial ownership IT system. As part of these protocols, each 
domestic agency would first need to enter into a memorandum of 
understanding (MOU) with FinCEN before being allowed access to the 
system. FinCEN is developing draft MOUs based on similar agreements it 
uses to share BSA data. FinCEN will also provide training for agency 
personnel and exercise oversight and audit functions discussed in more 
detail in Section IV below.
    None of the remaining authorized recipient categories will have 
access to the broad search capabilities within the system.

C. Disclosure to Authorized Foreign Requesters

    Foreign requesters--foreign law enforcement agencies, judges, 
prosecutors, central authorities, or competent authorities (or a like 
designation)--will not have direct access to the beneficial ownership 
IT system. They will instead submit their requests for BOI to Federal 
intermediary agencies as the CTA requires.\68\ If the foreign request 
meets the applicable criteria of the CTA \69\ and the proposed rule, 
then the Federal agency intermediary will retrieve the BOI from the 
system and transmit it to the foreign requester.
---------------------------------------------------------------------------

    \68\ 31 U.S.C. 5336(c)(2)(B)(ii).
    \69\ Section 6403 of the CTA requires that the foreign request 
be made by a Federal agency on behalf of a law enforcement agency, 
foreign central authority or competent authority (or like 
designation), under an international treaty, agreement, convention, 
or official request made by law enforcement, judicial, or 
prosecutorial authorities in trusted foreign countries when no 
treaty, agreement, or convention is available. The CTA goes on to 
state that the foreign request must (1) be issued in response to a 
request for assistance in an investigation or prosecution by such 
foreign country; and (2) either (a) require compliance with the 
disclosure and use provisions of the treaty, agreement, or 
convention publicly disclosing any BOI received; or (b) limit the 
use of the information for any purpose other than the authorized 
investigation or national security or intelligence activity. See 31 
U.S.C. 5336(c)(2)(B)(ii).
---------------------------------------------------------------------------

    FinCEN intends to work with Federal agencies to identify agencies 
that are well positioned to serve as intermediaries between FinCEN and 
foreign requesters. FinCEN expects that these possible intermediary 
Federal agencies will have regular engagement and familiarity with 
foreign law enforcement agencies, judges, prosecutors, central 
authorities, or competent authorities on matters related to law 
enforcement, national security, or intelligence activity, and will have 
established policies, procedures, and communication channels for 
sharing information with those foreign parties. Other factors would 
include whether a prospective intermediary Federal agency represents 
the U.S. government in relevant international treaties, agreements, or 
conventions, the expected number of requests that the agency could 
receive, and the ability of the agency to efficiently process requests 
while managing risks of unauthorized disclosure.
    Once intermediary Federal agencies are identified, FinCEN will work 
with them to: (1) ensure that they have secure systems for BOI storage; 
(2) enter into MOUs outlining expectations and responsibilities; (3) 
translate the CTA foreign sharing requirements into evaluation criteria 
against which intermediaries can compare requests from foreign 
requesters; (4) integrate the evaluation criteria into the 
intermediaries' existing information-sharing policies and procedures; 
(5) develop additional security protocols and systems as required under 
the CTA and this rule; and (6) ensure that intermediary agency 
personnel have sufficient training on the requirements of the CTA and 
the proposed rule. FinCEN would exercise oversight and audit functions 
to ensure that Federal intermediary agencies adhere to requirements and 
take appropriate measures to mitigate the risk of foreign requesters 
abusing the information.
    Given its longstanding relationships and relevant experience as the 
financial intelligence unit of the United States, FinCEN proposes to 
directly receive, evaluate, and respond to requests for BOI from 
foreign financial intelligence units.

D. Disclosure to FIs and Regulatory Agencies for CDD Compliance

    Unlike foreign requesters, both FIs and their regulators (Federal 
functional regulators and other appropriate regulatory agencies, when 
assessing FIs' compliance with CDD requirements) would have direct 
access to BOI contained in the beneficial ownership IT system, albeit 
in more limited form than Federal agencies engaged in national 
security, intelligence, or law enforcement activity, or State, local, 
and Tribal law enforcement agencies.
    The CTA authorizes FinCEN to disclose a reporting company's BOI to 
an FI only to the extent that such disclosure facilitates the FI's 
compliance with CDD requirements under applicable law, and only if the 
reporting company first consents.\70\ FinCEN takes these constraints 
seriously given the sensitive nature of BOI and the potential number of 
FI employees who could have access to it. FinCEN is therefore not 
planning to permit FIs to run broad or open-ended queries in the 
beneficial ownership IT system or to receive multiple search results. 
Rather, FinCEN anticipates that an FI, with a reporting company's 
consent, would submit to the system identifying information specific to 
that reporting company, and receive in return an electronic transcript 
with that entity's BOI. To the extent the FI makes a trivial data-entry 
error in its request for BOI, the FI could still obtain the requested 
BOI, provided the errors do not compromise BOI security and 
confidentiality or result in the FI retrieving information on the 
wrong reporting company. This more limited information-retrieval 
process would reduce the overall risk of inappropriate use or 
unauthorized disclosures of BOI.
---------------------------------------------------------------------------

    \70\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------

    The CTA permits similarly narrow access for Federal functional 
regulators and other appropriate regulatory agencies exercising 
supervisory functions. The statute allows these agencies to request 
from FinCEN BOI that the FIs they supervise have already obtained from 
the bureau, but only for assessing an FI's compliance with CDD 
requirements under applicable law.\71\ Consequently, Federal functional 
regulators and other appropriate regulatory agencies will generally 
have limited access to the beneficial ownership IT system if requesting 
BOI for the purpose of ascertaining CDD compliance. FinCEN is still 
developing this access model and accompanying functionality, but 
expects regulators to be able to retrieve any BOI that the FIs they 
supervise received from FinCEN during a particular period, as opposed 
to data that might reflect subsequent updates. This would both satisfy 
CTA requirements and facilitate smoother
examinations by ensuring regulators receive the same BOI that FIs 
received for purposes of their CDD reviews.
---------------------------------------------------------------------------

    \71\ See 31 U.S.C. 5336(c)(2)(C), providing that BOI FinCEN 
discloses to a financial institution ``shall also be available to a 
Federal functional regulator or other appropriate regulatory agency, 
as determined by the Secretary . . . .''
---------------------------------------------------------------------------

    FinCEN expects that Federal functional regulators responsible for 
bringing civil enforcement actions will be able to avail themselves of 
the Federal law enforcement access provision and functionality 
described in Section III.B. above.\72\ State, local, and Tribal 
agencies with both a qualifying, CDD-focused regulatory function and a 
law enforcement function could similarly avail themselves of the access 
provisions applicable to those distinct BOI recipient categories. Each 
agency would be responsible for ensuring unauthorized disclosure does 
not occur between its various components. In addition, FinCEN is 
required under the CTA to perform annual audits to ensure agencies are 
requesting and using BOI appropriately and consistently with their 
internal protocols.\73\ As with other Federal agencies, MOUs will 
further specify the expectations with respect to the handling and 
sharing of BOI by components of the same agency that may access BOI 
under different circumstances. FIs, meanwhile, would have to agree to 
terms of use that would be a condition of access to the beneficial 
ownership IT system. This distinction reflects the more limited, less 
flexible functionality FIs will enjoy relative to government agencies 
with multi-field search capabilities within the beneficial ownership IT 
system.
---------------------------------------------------------------------------

    \72\ Federal functional regulators engaged in national security 
activity would similarly be able to make use of the search 
functionality associated with the ``national security activity'' 
access provision.
    \73\ See 31 U.S.C. 5336(c)(3)(J).
---------------------------------------------------------------------------

IV. Section-by-Section Analysis

    As described below in Section IV.A., this proposed rule would add 
new access-to-information rules in a new Sec.  1010.955 (``Availability 
of information reported pursuant to 31 CFR 1010.380'') in subpart J 
(``Miscellaneous'') of part 1010 (``General Provisions'') of chapter X 
(``Financial Crimes Enforcement Network'') of title 31, Code of Federal 
Regulations. To avoid confusion, it would also rename and clarify the 
scope of the existing 31 CFR 1010.950 (``Availability of information--
general'').
    The following sections describe the elements of the proposed rule: 
(i) availability of information--general; (ii) prohibition on 
disclosure; (iii) disclosure of information by FinCEN; (iv) use of 
information; (v) security and confidentiality requirements; (vi) 
administration of requests for information reported pursuant to 31 CFR 
1010.380; and (vii) violations and penalties.
    Additionally, Section IV.B. below describes the FinCEN identifier 
provisions of the proposed rule.

A. Beneficial Ownership Information Retention and Disclosure 
Requirements

i. Availability of Information--General
    FinCEN proposes to amend 31 CFR 1010.950(a) to clarify that the 
disclosure of BOI would be governed by proposed 31 CFR 1010.955, rather 
than 31 CFR 1010.950(a), which governs disclosure of other BSA 
information. Currently 31 CFR 1010.950(a) authorizes the disclosure of 
all BSA information received by FinCEN and states that ``[t]he 
Secretary may within his discretion disclose information reported under 
this chapter for any reason consistent with the purposes of the Bank 
Secrecy Act, including those set forth in paragraphs (b) through (d) of 
this section.'' The CTA authorizes FinCEN to disclose such information 
only in limited and specified circumstances that are separate and 
distinct from provisions authorizing disclosure of other BSA 
information.\74\ Accordingly, FinCEN is proposing to amend 31 CFR 
1010.950(a) to clarify that the disclosure of BOI would instead be 
governed by proposed 31 CFR 1010.955.
---------------------------------------------------------------------------

    \74\ See 31 U.S.C. 5336(c)(2), (5).
---------------------------------------------------------------------------

ii. Prohibition on Disclosure
    The CTA provides that, except as authorized by 31 U.S.C. 5336(c) 
and the protocols promulgated under that subsection, BOI reported 
pursuant to 31 U.S.C. 5336 ``shall be confidential and may not be 
disclosed by . . . (i) an officer or employee of the United States; 
(ii) an officer or employee of any State, local, or Tribal agency, or 
(iii) an officer or employee of any [FI] or regulatory agency receiving 
information under [31 U.S.C. 5336(c)].'' \75\
---------------------------------------------------------------------------

    \75\ See 31 U.S.C. 5336(c)(2)(A).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(a) would incorporate this prohibition, 
with two clarifications. First, it would clarify that any individual 
authorized to receive BOI pursuant to proposed 31 CFR 1010.955(b) is 
prohibited from disclosing it except as expressly authorized by FinCEN. 
Critically, this provision would extend the prohibition on disclosure 
to any individual who receives BOI regardless of whether they continue 
to serve in the position through which they were authorized to receive 
BOI. Otherwise, the regulations could be read to permit disclosure of 
sensitive BOI after an individual leaves the relevant position. Second, 
it would also extend the prohibition on disclosure to any individual 
who receives BOI as a contractor or agent of the United States; a 
contractor or agent of a State, local, or Tribal agency; or a member of 
the board of directors, contractor, or agent of an FI. FinCEN believes 
that this clarification is needed to ensure that agents acting on 
behalf of an authorized BOI recipient agency or other entity are 
subject to the same prohibition on the disclosure of BOI as officers 
and employees of an authorized BOI recipient agency or other entity. 
Such an approach is necessary to avoid the different treatment of 
employees and officers in relation to contractors and agents.
    Although the CTA does not expressly refer to agents, contractors, 
or directors, FinCEN would extend the prohibition on disclosure to such 
individuals pursuant to 31 U.S.C. 5336(c)(3)(K), which provides that 
``the Secretary of the Treasury shall establish by regulation protocols 
described in [31 U.S.C. 5336(2)(A)] that . . . provide such other 
safeguards which the Secretary determines (and which the Secretary 
prescribes in regulations) to be necessary or appropriate to protect 
the confidentiality of the beneficial ownership information.'' \76\ 
FinCEN also believes this approach is consistent with the CTA's overall 
focus on preventing unauthorized disclosure \77\ and the broad scope of 
the provisions penalizing unauthorized disclosure by ``any person.'' 
\78\ FinCEN invites comments on this approach.
---------------------------------------------------------------------------

    \76\ Section 6003(1) of the AML Act defines the BSA as 
comprising Section 21 of the Federal Deposit Insurance Act (12 
U.S.C. 1829b), Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. 
1951 et seq.), and Subchapter II of Chapter 53 of Title 31, United 
States Code, which includes 31 U.S.C. 5336. Congress has authorized 
the Secretary to administer the BSA. The Secretary has delegated to 
the Director of FinCEN the authority to implement, administer, and 
enforce compliance with the BSA and associated regulations (Treasury 
Order 180-01 (Jan. 14, 2020)).
    \77\ See generally 31 U.S.C. 5336(c).
    \78\ See generally 31 U.S.C. 5336(h)(2), (3).
---------------------------------------------------------------------------

iii. Disclosure of Information to Authorized Recipients
    The CTA authorizes FinCEN to disclose BOI to five categories of 
recipients in specified circumstances.\79\ The statutory authorization 
is generally permissive: with one exception, the CTA provides that 
FinCEN ``may disclose'' BOI to authorized recipients in qualifying 
circumstances.\80\ This
language affords FinCEN discretion to ensure that BOI is disclosed only 
to authorized recipients that are able to keep the information 
confidential and secure. FinCEN intends to foster a culture of 
responsibility around BOI that treats security and confidentiality as a 
paramount objective.
---------------------------------------------------------------------------

    \79\ See 31 U.S.C. 5336(c)(2)(B).
    \80\ 31 U.S.C. 5336(c)(2)(B). Under 5336(c)(2)(C), BOI that a 
reporting company consents to share with a financial institution 
``shall'' be available to a Federal functional regulator to 
supervise compliance with customer due diligence requirements under 
applicable law.
---------------------------------------------------------------------------

a. Federal Agencies Engaged in National Security, Intelligence, or Law 
Enforcement Activity
    Section 6403 of the CTA authorizes FinCEN to disclose BOI upon 
receipt of a request, through appropriate protocols, from a Federal 
agency engaged in national security, intelligence, or law enforcement 
activity for use in furtherance of one of those activities.\81\ Federal 
agency access is to be based upon the type of activity an agency is 
conducting rather than the identity of the agency or how it might be 
categorized. The key consideration is the scope of the types of 
activities described in the CTA for which the agency may seek BOI: 
national security activities, intelligence activities, and law 
enforcement activities.
---------------------------------------------------------------------------

    \81\ See 31 U.S.C. 5336(c)(2)(B)(i)(I).
---------------------------------------------------------------------------

    The CTA does not specify what agency activities fall within those 
three categories, and FinCEN proposes to do so consistent with the 
text, structure, and purpose of the CTA. Proposed 31 CFR 
1010.955(b)(1)(i) would define ``national security activity'' as any 
``activity pertaining to the national defense or foreign relations of 
the United States, as well as activity to protect against threats to 
the security or economy of the United States.'' This approach draws, in 
large part, from 8 U.S.C. 1189(d)(2), which defines ``national 
security'' for purposes of designating foreign terrorist organizations 
(FTOs) that threaten U.S. national security. FinCEN believes this 
definition is appropriate for several reasons. First, the FTO statute 
covers a broad range of national security threats to the United States, 
including those with an economic dimension. That scope is consonant 
with the CTA's goal to combat national security threats that are 
financial in nature, such as money laundering, terrorist financing, 
counterfeiting, fraud, and foreign corruption.\82\ Second, the FTO 
statute arises in a related context insofar as it involves efforts to 
hinder illicit actors' economic activities.
---------------------------------------------------------------------------

    \82\ See CTA, Section 6402(3).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(b)(1)(ii) would define ``intelligence 
activity'' based upon Executive Order 12333 of December 4, 1981, as 
amended.\83\ Executive Order 12333 remains ``a foundational document 
for the United States' foreign intelligence efforts.'' \84\ It 
establishes ``a framework that applies broadly to the government's 
collection, analysis, and use of foreign intelligence and 
counterintelligence--from human sources, by interception of 
communications, by cameras and other sensors on satellites and aerial 
systems, and through relationships with intelligence services of other 
governments.'' \85\ FinCEN believes that relying on Executive Order 
12333 would be consistent with existing agency understanding and would 
provide flexibility to accommodate Intelligence Community missions and 
activities.\86\ Proposed 31 CFR 1010.955(b)(1)(ii) would therefore 
define intelligence activity to include ``all activities conducted by 
elements of the United States Intelligence Community that are 
authorized pursuant to Executive Order 12333, as amended, or any 
succeeding executive order.''
---------------------------------------------------------------------------

    \83\ Exec. Order No. 12333, 46 FR 59941 (Dec. 4, 1981) (``United 
States Intelligence Activities'').
    \84\ 5 Privacy and Civil Liberties Oversight Board, Executive 
Order 12333 (accessed Apr. 28, 2022), https://documents.pclob.gov/prod/Documents/OversightReport/4f1d0d87-233b-4555-9b87-79089ad9845e/12333%20Public%20Capstone.pdf.
    \85\ Id.
    \86\ By ``Intelligence Community,'' FinCEN means the agencies 
identified in paragraph 3.4(f) of Executive Order 12333.
---------------------------------------------------------------------------

    Finally, proposed 31 CFR 1010.955(b)(1)(iii) would define ``law 
enforcement activity'' to include ``investigative and enforcement 
activities relating to civil or criminal violations of law.'' Proposed 
31 CFR 1010.955(b)(1)(iii) is intended broadly to cover the types of 
functions in which Federal agencies engage when they work to enforce 
the laws of the United States. FinCEN believes that it is consistent 
with the CTA to authorize Federal agencies to access BOI at all stages 
of the law enforcement process.
    Additionally, the proposed rule would make clear that law 
enforcement activity can include both criminal and civil investigations 
and actions, such as actions to impose or enforce civil penalties, 
civil forfeiture actions, and civil enforcement through administrative 
proceedings. The CTA is concerned with combating all manner of illicit 
activity,\87\ and many laws that prohibit such activity are enforced by 
Federal agencies in both civil and criminal actions. The CTA does not 
limit ``law enforcement activity'' to criminal investigations or 
actions. Moreover, FinCEN's clarification in the proposed rule would 
place Federal agencies on the same footing as State, local, and Tribal 
law enforcement agencies, for which the CTA authorizes use of BOI in a 
``criminal or civil investigation.'' Nothing in the CTA suggests that 
Federal agencies should have more limited access to BOI than their 
State, local, and Tribal counterparts engaged in civil investigations, 
and FinCEN does not believe it would be appropriate to limit Federal 
agencies' access in this manner. The proposed rule would also 
facilitate law enforcement cooperation by providing access to BOI in 
both civil and criminal investigations, as both types of investigations 
often proceed in parallel.\88\
---------------------------------------------------------------------------

    \87\ See CTA, Section 6402(3).
    \88\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    Among the Federal agencies with access to BOI for law enforcement 
purposes would be Federal functional regulators that investigate civil 
violations of law.\89\ Although the CTA separately authorizes Federal 
functional regulators to access BOI for the purpose of supervising 
compliance with CDD requirements, this access does not preclude Federal 
functional regulators from accessing BOI when engaging in law 
enforcement activity.\90\ The CTA specifically references ``securities 
fraud, financial fraud, and acts of foreign corruption'' as types of 
illicit activity that the statute is intended to help combat.\91\ These 
are areas in which a significant amount of law enforcement activity is 
conducted by Federal functional regulators such as the Securities and 
Exchange Commission (SEC), which brings hundreds of civil enforcement 
actions, including administrative proceedings, each year against 
individuals and entities engaged in market manipulation, Ponzi schemes, 
offering fraud, insider trading, and other violations of the Federal 
securities laws.\92\ Under the proposed rule, the SEC and other Federal 
functional regulators would be able to obtain BOI directly from the 
beneficial ownership IT system for use in furtherance of this critical 
law enforcement activity. The proposed rule would also place the SEC 
and other Federal functional regulators
on equal footing with other Federal agencies that lack a regulatory or 
supervisory function, but that are engaged in civil and criminal law 
enforcement activity, like the U.S. Department of Justice (DOJ).
---------------------------------------------------------------------------

    \89\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
    \90\ The two provisions contemplate different processes 
depending on the purpose for which access is sought. Under Section 
5336(c)(2)(B)(i)(I), FinCEN ``may'' disclose BOI upon request from a 
Federal agency engaged in law enforcement activity. In contrast, 
under 5336(c)(2)(C), BOI that a reporting company consents to share 
with a financial institution ``shall'' be available to a Federal 
functional regulator to supervise compliance with customer due 
diligence requirements pursuant to an agreement with the regulator.
    \91\ CTA, Section 6402(3).
    \92\ See, e.g., https://www.sec.gov/news/press-release/2021-238.
---------------------------------------------------------------------------

    For all three types of activities--national security, intelligence, 
and law enforcement--FinCEN considered proposing more restrictive 
definitions involving exhaustive lists of activities. The bureau 
believes these approaches would risk being either under- or over-
inclusive and could arbitrarily limit access to BOI for activities that 
the regulations may fail to specify. The CTA, among other things, was 
enacted to ``protect vital United States national security interests,'' 
``protect interstate and foreign commerce,'' and ``better enable 
critical national security, intelligence, and law enforcement efforts 
to counter . . . illicit activity.'' \93\ The statute targets a wide 
array of illicit actors who use opaque corporate structures to conceal 
their illicit activities. FinCEN believes the risk of unintentionally 
hindering a Federal agency's important national security, intelligence, 
or law enforcement activities supports the flexible approach the bureau 
has proposed. This approach will also have more flexibility to develop 
alongside the evolving threats facing the United States.
---------------------------------------------------------------------------

    \93\ CTA, Section 6402(5)(B), (D).
---------------------------------------------------------------------------

    FinCEN invites comments on its proposed definitions of national 
security, intelligence, and law enforcement activities.
b. State, Local, and Tribal Law Enforcement Agencies
    The CTA permits FinCEN to disclose BOI upon receipt of a request, 
through appropriate protocols, ``from a State, local, or Tribal law 
enforcement agency, if a court of competent jurisdiction, including any 
officer of such a court, has authorized the law enforcement agency to 
seek the information in a criminal or civil investigation.'' \94\
---------------------------------------------------------------------------

    \94\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(b)(2) similarly would allow FinCEN to 
disclose BOI to a State,\95\ local, or Tribal law enforcement agency 
``if a court of competent jurisdiction has authorized the agency to 
seek the information in a criminal or civil investigation.'' FinCEN 
recognizes that State practices are likely to be varied with respect to 
how law enforcement agencies may be authorized by a court to seek 
information in connection with an investigation or prosecution.\96\ 
FinCEN has not sought to define what it means for a court to 
``authorize'' the law enforcement agency to seek BOI, but aims to 
ensure that BOI access at the State, local, and Tribal level is highly 
useful to law enforcement and has consistent application across 
jurisdictions.
---------------------------------------------------------------------------

    \95\ FinCEN will interpret the term ``State'' consistent with 
the definition of that term in the final Beneficial Ownership 
Information Reporting Requirements rule at 87 FR 59498 (Sep. 30, 
2022) (which defines the term ``State'' to mean ``any [S]tate of the 
United States, the District of Columbia, the Commonwealth of Puerto 
Rico, the Commonwealth of the Northern Mariana Islands, American 
Samoa, Guam, the United States Virgin Islands, and any other 
commonwealth, territory, or possession of the United States.'')
    \96\ 31 U.S.C. 5336(c)(2)(B)(i)(II) authorizes FinCEN to 
disclose BOI to a State, local, or Tribal law enforcement agency in 
the context of ``a criminal or civil investigation.'' FinCEN 
believes this provision permits the agency to disclose BOI to a 
State, local, or Tribal law enforcement agency, with the required 
court authorization, for use in a civil or criminal law enforcement 
action that follows the investigation. FinCEN believes this is a 
reasonable interpretation of the statutory language given that 
disclosure provisions for Federal agencies engaged in law 
enforcement, and foreign requests pertaining to an ``investigation 
or prosecution,'' under the CTA would cover the disclosure to those 
recipients in the context of a prosecution. See 31 U.S.C. 
5336(c)(2)(B)(i)(I), (c)(2)(B)(ii)(I). FinCEN does not believe 
Congress intended to allow Federal and foreign law enforcement 
agencies to obtain BOI for use in prosecutions while prohibiting 
State, local, and Tribal law enforcement agencies from doing so. A more 
restrictive interpretation would severely limit the utility of BOI 
for State, local, and Tribal law enforcement agencies and run 
counter to the purposes of the CTA. See CTA, Section 6402(8)(C) 
(directing FinCEN to create a database of BOI that is ``highly 
useful to national security, intelligence, and law enforcement 
agencies . . . '').
---------------------------------------------------------------------------

    At a minimum, the proposed rule would allow a State, local, or 
Tribal law enforcement agency (including a prosecutor) to access BOI 
where a court specifically authorizes access in the context of a 
criminal or civil proceeding, for example, through a court's issuance 
of an order or approval of a subpoena. Other circumstances, however, 
are less clear. For example, depending on State, local, or Tribal 
practices, grand jury subpoenas may or may not satisfy the CTA's court 
authorization requirement. Grand juries have traditionally played a 
central role in criminal discovery and may help determine whether 
sufficient evidence exists to indict an individual.\97\ The State and 
local law enforcement agencies, prosecutors, and court officials with 
whom FinCEN consulted emphasized the importance of ensuring that BOI 
could be obtained in connection with grand jury investigations. FinCEN 
agrees that providing BOI at the investigative stage may further the 
CTA's statutory objectives by helping State, local, and Tribal 
authorities uncover links between criminals and entities they may be 
using to conceal illicit activities.\98\ Ultimately, however, FinCEN 
determined that it needs more information about State, local, and 
Tribal practices in order to determine whether they would involve court 
authorization, as required by the CTA. State practices can vary, and 
grand jury subpoenas may be issued by the grand jury in some 
jurisdictions or signed by a prosecutor seeking information to present 
to a grand jury in others. Neither courts nor grand juries always play 
a meaningful role in authorizing subpoenas,\99\ and a majority of 
states no longer use grand juries to screen criminal cases.\100\
---------------------------------------------------------------------------

    \97\ See generally Sara Sun Beale et al., Investigative Grand 
Jury and Indicting Grand Jury, Grand Jury Law and Practice Sec.  1:7 
(2d ed. rev. Dec. 2021).
    \98\ See CTA, Section 6402(3), (4), (5)(D).
    \99\ See Sara Sun Beale et al., Role of Prosecutor and Grand 
Jurors in Subpoenaing Evidence, Grand Jury Law and Practice Sec.  
6:2 (2d ed. rev. Dec. 2021). For example, Massachusetts permits 
district attorneys to ``issue subpoenas under their hands for 
witnesses to appear and testify on behalf of the commonwealth.'' 
Mass. Gen. Laws Ann. ch. 277, Sec.  68.
    \100\ See id.
---------------------------------------------------------------------------

    FinCEN requests comments on this subject. In particular, commenters 
should explain the mechanisms State, local, and Tribal authorities use 
to gather evidence in criminal and civil cases. With respect to these 
particular mechanisms, commenters should describe the extent to which 
court authorization is involved. More generally, commenters should also 
explain what role courts or court officers play in authorizing 
evidence-gathering activities, what existing practices involve court 
authorization, and the extent to which new court processes could be 
developed and integrated into existing practices to satisfy the CTA's 
authorization requirement. Commenters should also address the need for 
access to BOI at different stages of an investigation, as well as the 
privacy interests that may be implicated by such access.
    Proposed 31 CFR 1010.955(b)(2) would clarify that the authorized 
recipient of BOI under this provision would be the State, local, or 
Tribal agency that makes a proper request for BOI consistent with the 
proposed rule. The proposed rule would also define ``law enforcement 
agency'' in a manner similar to the definition of ``law enforcement 
activity'' used to define the scope of access for Federal agencies 
engaged in law enforcement activity. This approach is intended to 
ensure consistency regardless of whether law enforcement activity 
occurs at the local, State, Tribal, or Federal level, including in 
circumstances involving cooperation among and across jurisdictions, 
such as through task forces.

    Proposed 31 CFR 1010.955(b)(2) would clarify that ``a court of 
competent jurisdiction'' is any court with jurisdiction over the 
criminal or civil investigation for which a State, local, or Tribal law 
enforcement agency requests BOI. The proposed rule does not specify 
which officials qualify as officers of the court because courts have 
varying practices. FinCEN expects, however, that individuals who may 
exercise a court's authority and issue authorizations on its behalf 
would qualify. FinCEN invites comment on whether it should more 
specifically identify officers of the court for purposes of the rule, 
and if so, what the potential qualifying criteria might be.
    FinCEN does not believe that individual attorneys acting alone 
would fall within the definition of ``court officer'' for purposes of 
this provision. Though lawyers are sometimes referred to as ``officers 
of the court'' to emphasize their professional obligations to the legal 
system, they are not all ``officers of the court'' in the sense of 
exercising the court's authority. FinCEN does not believe the CTA--
which includes numerous provisions limiting who may access BOI--
intended to empower any individual admitted to practice law to 
authorize the disclosure of BOI.
c. Foreign Requesters
    The CTA provides that FinCEN may disclose BOI upon receipt of a 
request ``from a Federal agency on behalf of a law enforcement agency, 
prosecutor, or judge of another country, including a foreign central 
authority or competent authority (or like designation), under an 
international treaty, agreement, convention, or official request made 
by law enforcement, judicial, or prosecutorial authorities in trusted 
foreign countries when no treaty, agreement, or convention is 
available.'' \101\ Such a request from a Federal agency must be 
``issued in response to a request for assistance in an investigation or 
prosecution by such foreign country,'' \102\ and must ``requir[e] 
compliance with the disclosure and use provisions of the treaty, 
agreement, or convention, publicly disclosing [sic] any beneficial 
ownership information received,'' \103\ or limit BOI use ``for any 
purpose other than the authorized investigation or national security or 
intelligence activity.'' \104\
---------------------------------------------------------------------------

    \101\ 31 U.S.C. 5336(c)(2)(B)(ii).
    \102\ 31 U.S.C. 5336(c)(2)(B)(ii)(I).
    \103\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(aa).
    \104\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(b)(3) clarifies that a request for BOI 
from a foreign requester would have to derive from a law enforcement 
investigation or prosecution, or from national security or intelligence 
activity, authorized under the foreign country's laws. This would 
permit foreign requesters to obtain BOI for, and use it in, the full 
range of activities contemplated by 31 U.S.C. 5336(c)(2)(B)(ii) (i.e., 
law enforcement, national security, and intelligence activities), 
thereby giving effect to all of the language in that subparagraph. The 
proposed rule also resolves ambiguities arising from inconsistent 
statutory language. Specifically, one part of the CTA's foreign-access 
provision appears to require a request to flow from a foreign 
``investigation or prosecution,'' \105\ while another appears to allow 
a foreign requester to use BOI to further any ``authorized 
investigation or national security or intelligence activity.'' \106\ 
FinCEN believes the proposed rule best resolves this discrepancy by 
clarifying that authorized national security and intelligence 
activities could be a basis for a BOI request, in addition to a law 
enforcement investigation or prosecution. FinCEN would view the scope 
of the phrase ``law enforcement investigation or prosecution'' 
similarly to how it interprets the term ``law enforcement activity'' 
under proposed 31 CFR 1010.955(b)(3): such activity can include both 
criminal and civil investigations and actions, including actions to 
impose civil penalties, civil forfeiture actions, and civil enforcement 
through administrative proceedings.
---------------------------------------------------------------------------

    \105\ 31 U.S.C. 5336(c)(2)(B)(ii)(I).
    \106\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
---------------------------------------------------------------------------

    The proposed rule next makes clear that the relevant ``foreign 
central authority or foreign competent authority'' would be the agency 
identified in the international treaty, agreement, or convention under 
which a foreign request is made. FinCEN understands that ``foreign 
central authority'' and ``foreign competent authority'' are terms of 
art typically defined within the context of a particular agreement. 
This proposed regulatory clarification should therefore remove any 
ambiguity around the terms without unduly excluding appropriate foreign 
requesters from access to BOI.
    Third, the proposed rule explains that, consistent with the CTA, 
foreign requests would need to fall into one of two categories in order 
for the foreign requester to receive BOI. The first category is 
requests made pursuant to an international treaty, agreement, or 
convention. The second category is official requests by a law 
enforcement, judicial, or prosecutorial authority of a trusted foreign 
country where there is no international treaty, agreement, or 
convention that governs.\107\ The security and confidentiality 
requirements applicable to each of these two categories are different.
---------------------------------------------------------------------------

    \107\ The regulatory text here uses ``judicial or prosecutorial 
authority'' instead of the earlier ``judge or prosecutor'' to mirror 
an identical language shift in the corresponding statutory 
provision. See 31 U.S.C. 5336(c)(2)(B)(ii). FinCEN does not view 
this difference as significant or having practical effect.
---------------------------------------------------------------------------

    Under the proposed rule, an intermediary Federal agency responding 
to a foreign request under an international treaty, agreement, or 
convention would first need to ensure that the request is consistent 
with the requirements of the relevant treaty, agreement, or convention, 
and the requirements of proposed 31 CFR 1010.955(b)(3). FinCEN 
understands that an ``international treaty, agreement, or convention'' 
is a legally binding agreement governed by international law. FinCEN 
would appreciate views on whether there are other types of 
international arrangements under which the sharing of beneficial 
ownership information would be important to achieve the goals of the 
CTA (such as information sharing arrangements with foreign law 
enforcement agencies that do not have legal force) and whether there 
are means to do so consistent with the CTA. The intermediary Federal 
agency would provide basic information to FinCEN about who is 
requesting the information and the treaty, agreement, or convention 
under which the request is being made. The intermediary Federal agency 
would then search for and retrieve the requested BOI from the system 
and respond to the request in a manner consistent with the treaty, 
agreement, or convention. The intermediary Federal agency would be 
subject to certain recordkeeping requirements to ensure that FinCEN is 
able to perform appropriate audit and oversight functions in accordance 
with an MOU to be agreed between the intermediary Federal agency and 
FinCEN. The intermediary Federal agency would also be subject to the 
security and confidentiality protocols applicable to other domestic 
agencies that receive and handle BOI at proposed 31 CFR 1010.955(d)(1).
    Where a request for BOI includes a request that the information be 
authenticated for use in a legal proceeding in the foreign country 
making the request, FinCEN may establish a process for providing such 
authentication via MOU with the
relevant intermediary Federal agency. Such process may include an 
arrangement where FinCEN searches the beneficial ownership IT system 
and provides the information and related authentication to the 
intermediary Federal agency consistent with the terms of the relevant 
MOU.
    With respect to an official request by a law enforcement, judicial, 
or prosecutorial authority of a trusted foreign country where no 
international treaty, agreement, or convention applies, FinCEN would 
establish a mechanism to address such requests either on a case-by-case 
basis or pursuant to alternative arrangements with intermediary Federal 
agencies where those intermediary Federal agencies have ongoing 
relationships with the foreign requester. The CTA does not provide 
criteria for determining whether a particular foreign country is 
``trusted,'' but rather, provides FinCEN with considerable discretion 
to make this determination.
    FinCEN considered identifying particular countries or groups of 
countries as ``trusted'' for the purposes of receiving BOI. Ultimately, 
however, FinCEN determined that such a restrictive approach could 
arbitrarily exclude foreign requesters with whom sharing BOI might be 
appropriate in some cases but not others. The United States 
participates in many formal and informal international relationships 
through which data are sometimes shared. FinCEN does not believe any of 
these relationships, or any combination of them, sets appropriate 
potential boundaries for BOI disclosure given the purposes of the CTA. 
The bureau, in consultation with relevant U.S. government agencies, 
will therefore look to U.S. interests and priorities in determining 
whether to disclose BOI to foreign requesters when no international 
treaty, agreement, or convention applies. In making these 
determinations, FinCEN will also consider the ability of a foreign 
requester to maintain the security and confidentiality of requested 
BOI. Once FinCEN makes the determination to disclose BOI to a foreign 
requester, the intermediary Federal agency would be permitted to 
retrieve and disseminate BOI to the foreign requester, subject to 
applicable security and confidentiality protocols.
    FinCEN considered an alternative structure under which intermediary 
Federal agencies would relay foreign requester requests under an 
international treaty, agreement, or convention to FinCEN, which would 
then assess the requests, retrieve requested BOI, and transmit it 
either directly to the requester or indirectly via the intermediary 
Federal agency for subsequent dissemination to the requester. While 
neither of these approaches presents the security risks associated with 
the other two potential approaches FinCEN rejected, both are likely to 
be much less efficient. For example, intermediary Federal agencies are 
likely to have ongoing relationships with foreign requesters, including 
established points of contact. They are also likely more familiar than 
FinCEN with existing treaty obligations and information exchange 
channels and processes. Finally, FinCEN believes its proposed approach 
aligns best with the text of the CTA, which assumes Federal agencies 
will serve as the intermediary on behalf of foreign requesters.\108\ 
FinCEN invites comment on this proposal and on any other alternatives.
---------------------------------------------------------------------------

    \108\ See 31 U.S.C. 5336(c)(2)(B)(ii) (providing that ``FinCEN 
may disclose [BOI] only upon receipt of . . . a request from a 
Federal agency on behalf of'' a qualified foreign requester 
(emphasis added)).
---------------------------------------------------------------------------

d. FIs Subject to CDD Requirements
    The CTA authorizes FinCEN to disclose BOI upon receipt of a request 
``made by a[n] [FI] subject to customer due diligence requirements, 
with the consent of the reporting company, to facilitate the compliance 
of the [FI] with customer due diligence requirements under applicable 
law.'' \109\ This statutory language leaves unspecified both the 
mechanism by which consent should be registered and the meaning of the 
term ``customer due diligence requirements under applicable law.''
---------------------------------------------------------------------------

    \109\ See 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(b)(4) would address both issues. Under the 
proposed rule, an FI would be responsible for obtaining a reporting 
company's consent. This reflects FinCEN's assessment that FIs are best 
positioned to obtain and manage consent through existing processes and 
by virtue of having direct contact with the reporting company as a 
customer. Additionally, the proposed rule would define ``customer due 
diligence requirements under applicable law'' to mean FinCEN's customer 
due diligence (CDD) regulations at 31 CFR 1010.230, which require 
covered FIs to identify and verify beneficial owners of legal entity 
customers. FinCEN considered interpreting the phrase ``customer due 
diligence requirements under applicable law'' more broadly to cover a 
range of activities beyond compliance with legal obligations in 
FinCEN's regulations to identify and verify beneficial owners of legal 
entity customers. FinCEN's separate Customer Identification Program 
regulations, for example, could be considered customer due diligence 
requirements.\110\ FinCEN decided not to propose this broader approach, 
however. The bureau believes a more tailored approach will be easier to 
administer, reduce uncertainty about what FIs may access BOI under this 
provision, and better protect the security and confidentiality of 
sensitive BOI by limiting the circumstances under which FIs may access 
BOI.\111\ That said, FinCEN solicits comments on whether a broader 
reading of the phrase ``customer due diligence requirements'' is 
warranted under the framework of the CTA, and, if so, how customer due 
diligence requirements should be defined in order to provide regulatory 
clarity, protect the security and confidentiality of BOI, and minimize 
the risk of abuse.
---------------------------------------------------------------------------

    \110\ See, e.g., 31 CFR 1020.220 (requiring banks to implement a 
Customer Identification Program).
    \111\ The CTA requires FinCEN to revise the 2016 CDD Rule within 
a year of the effective date of the final Reporting Rule. See CTA, 
Section 6403(d)(1). One purpose of this revision is to account for 
FIs' access to BOI, which the Sense of Congress portion of the CTA 
states may be used to facilitate the FI's compliance ``with anti-
money laundering, countering the financing of terrorism, and 
customer due diligence requirements under applicable law.'' Id. 
6403(d)(1)(B) (emphasis added). That the CTA identifies ``[CDD] 
requirements under applicable law'' as distinct from broader AML/CFT 
requirements suggests that Congress intended that phrase not to 
include other AML/CFT obligations.
---------------------------------------------------------------------------

    FinCEN also considered including State, local, and Tribal customer 
due diligence requirements comparable in substance to FinCEN's own CDD 
regulations in the proposed definition of ``customer due diligence 
requirements under applicable law.'' However, the bureau has not 
identified any such requirements. FinCEN invites comments identifying 
any specific State, local, or Tribal customer due diligence 
requirements that are substantially similar to the bureau's CDD 
regulations--i.e., requirements related to FIs in a State, local, or 
Tribal jurisdiction identifying and verifying beneficial owners of 
legal entity customers--for potential inclusion in the proposed 
definition.
e. Federal Functional Regulators or Other Appropriate Regulatory 
Agencies
    The CTA authorizes FinCEN to disclose BOI to ``Federal functional 
regulator[s] and other appropriate regulatory agenc[ies] consistent 
with'' certain requirements.\112\ This access is subject to three 
statutory conditions. First, a ``Federal functional regulator or other 
appropriate regulatory agency'' must be ``authorized by law to assess, 
supervise, enforce, or otherwise determine the compliance of [a 
particular FI] with'' its CDD

[[Page 77416]]

requirements.\113\ Second, such regulator may use the BOI only ``for 
the purpose of conducting [an] assessment, supervision, or authorized 
investigation or activity'' related to the CDD requirements the 
regulator is responsible for overseeing.\114\ Finally, the regulator 
must ``[enter] into an agreement with the Secretary providing for 
appropriate protocols governing the safekeeping of the information.'' 
\115\
---------------------------------------------------------------------------

    \112\ See 31 U.S.C. 5336(c)(2)(B)(iv).
    \113\ 31 U.S.C. 5336(c)(2)(C)(i).
    \114\ 31 U.S.C. 5336(c)(2)(C)(ii).
    \115\ 31 U.S.C. 5336(c)(2)(C)(iii).
---------------------------------------------------------------------------

    FinCEN's proposed rule at 31 CFR 1010.955(b)(4) tracks these 
conditions. In order to obtain BOI from FinCEN, a regulator would need 
to be authorized by law to assess, supervise, enforce, or otherwise 
determine a FI's compliance with its CDD requirements, and it would 
have to enter into an agreement with FinCEN that describes appropriate 
protocols to obtain BOI. FinCEN would only disclose to the regulator 
the BOI that a relevant FI has already received. This is in keeping 
with the CTA requirement that BOI disclosed to an FI under 31 U.S.C. 
5336(c)(2)(B)(iii) ``also be available to [regulators]'' that meet 
specified criteria.\116\
---------------------------------------------------------------------------

    \116\ 31 U.S.C. 5336(c)(2)(C) (emphasis added).
---------------------------------------------------------------------------

    FinCEN does not believe this CDD-specific provision is the 
exclusive means through which a financial regulator can access BOI from 
the beneficial ownership IT system. The access provisions for Federal 
agencies engaged in national security, intelligence, or law enforcement 
activities, and for State, local, and Tribal law enforcement agencies, 
focus on activity categories, not agency types. To the extent a Federal 
functional regulator engages in civil law enforcement activities, those 
activities would be covered by the law-enforcement access provisions. 
For example, the SEC--which supervises broker-dealers and other 
securities market participants, including for compliance with the CDD 
regulations--also investigates and litigates civil violations of 
Federal securities laws. Consequently, consistent with the CTA, the SEC 
would be able to broadly search the beneficial ownership IT system for 
BOI for use in furtherance of its law enforcement activity. Separately, 
the SEC would also be able to receive BOI subject to the constraints at 
proposed 31 CFR 1010.955(b)(4) for use in supervising broker-dealers 
and other regulated entities for CDD compliance.
    Regarding who qualifies for access under this proposed provision, 
the CTA refers to Federal functional regulators and ``other appropriate 
regulatory agencies.'' The AML Act defines ``Federal functional 
regulator'' to include six financial regulatory authorities \117\ as 
well as ``any Federal regulator that examines a financial institution 
for compliance with the Bank Secrecy Act.'' \118\ The proposed rule 
would adopt FinCEN's existing regulatory definition, which the bureau 
believes will minimize the risk of confusion. FinCEN's regulations 
already define the term ``Federal functional regulator'' to include the 
six agencies identified in the AML Act's definition as well as the 
Commodity Futures Trading Commission (CFTC).\119\ Because the CFTC has 
been delegated authority to examine certain FIs for compliance with the 
BSA,\120\ it also falls within the AML Act's definition. FinCEN does 
not propose to define ``other appropriate regulatory agencies'' at this 
time. FinCEN believes the requirement in 31 U.S.C. 5336(c)(2)(C)(i) 
that such an agency be ``authorized by law to assess, supervise, 
enforce, or otherwise determine the compliance of such FIs with 
customer due diligence requirements under applicable law'' sufficiently 
defines the category (e.g., it could include State banking regulators). 
However, FinCEN invites comment on this proposed approach.
---------------------------------------------------------------------------

    \117\ The six Federal functional regulators that supervise 
financial institutions with CDD obligations are the Board of 
Governors of the Federal Reserve System (FRB), the Office of the 
Comptroller of the Currency (OCC), the Federal Deposit Insurance 
Corporation (FDIC), the National Credit Union Administration (NCUA), 
the SEC, and the Commodity Futures Trading Commission (CFTC).
    \118\ AML Act, Section 6003(3).
    \119\ 31 CFR 1010.100(r).
    \120\ See 31 CFR 1010.810(b)(9).
---------------------------------------------------------------------------

    FinCEN considered whether financial self-regulatory organizations 
that are registered with or designated by a Federal functional 
regulator pursuant to Federal statute \121\ (``qualifying SROs'')--like 
the Financial Industry Regulatory Authority (FINRA) or the National 
Futures Association (NFA)--qualify as ``other appropriate regulatory 
agencies.'' These organizations, though authorized by Federal law, are 
not traditionally understood to be agencies of the government,\122\ but 
they do exercise self-regulatory authority within the framework of 
Federal law and work under the supervision of Federal functional 
regulators to assess, supervise, and enforce FI compliance with, among 
other things, CDD requirements.\123\ Qualifying SROs are subject to 
extensive oversight by Federal agencies.\124\
---------------------------------------------------------------------------

    \121\ See, e.g., 7 U.S.C. 21; 15 U.S.C. 78o-3.
    \122\ See, e.g., In re William H. Murphy & Co., SEC Release No. 
34-90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that 
FINRA ``is not a part of the government or otherwise a [S]tate 
actor'' to which constitutional requirements apply).
    \123\ See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2-
9(c)(5).
    \124\ See, e.g., Scottsdale Cap. Advisors Corp. v. FINRA, 844 
F.3d 414, 418 (4th Cir. 2016) (``Before any FINRA rule goes into 
effect, the SEC must approve the rule and specifically determine 
that it is consistent with the purposes of the Exchange Act. The SEC 
may also amend any existing rule to ensure it comports with the 
purposes and requirements of the Exchange Act.'' (citations 
omitted)); Birkelbach v. SEC, 751 F.3d 472, 475 (7th Cir. 2014) (``A 
[FINRA] member can appeal the disposition of a FINRA disciplinary 
proceeding to the SEC, which performs a de novo review of the record 
and issues a decision of its own.'').
---------------------------------------------------------------------------

    Although it may be unclear whether SROs are ``regulatory agencies'' 
to which direct access to BOI shall be provided, FinCEN believes that 
their unique position,\125\ and the critical role they play in 
overseeing participants in the financial services sector, justify 
providing SROs with a limited and derivative form of access. The CTA 
provides FinCEN broad discretion to specify the conditions under which 
authorized recipients of BOI may re-disclose that information to 
others. Therefore, the proposed rule would permit FIs to re-disclose to 
qualifying SROs the BOI they have obtained from FinCEN for use in 
complying with CDD requirements under applicable law. A qualifying SRO 
would need to satisfy the same three conditions applicable to Federal 
functional regulators and other appropriate regulatory agencies, and a 
qualifying SRO that receives BOI from an FI it supervises may in turn 
use the information for the limited purpose of examining compliance 
with those same CDD obligations. Without this level of access, these 
organizations would not be able to effectively evaluate an FI's CDD 
compliance. FinCEN invites comments on this proposed approach.
---------------------------------------------------------------------------

    \125\ See NASD v. SEC, 431 F.3d 803, 804 (D.C. Cir. 2005) 
(explaining that FINRA's predecessor's ``authority to discipline its 
members for violations of Federal securities law is entirely 
derivative. The authority it exercises ultimately belongs to the 
SEC''); see also Turbeville v. FINRA, 874 F.3d 1268, 1276 (11th Cir. 
2017) (``When exercising [their regulatory and enforcement] 
functions, SROs act under color of [F]ederal law as deputies of the 
[F]ederal [G]overnment.''); In re Series 7 Broker Qualification Exam 
Scoring Litig., 548 F.3d 110, 114 (D.C. Cir. 2008) (``When an SRO 
acts under the aegis of the Exchange Act's delegated authority, it 
is absolutely immune from suit for the improper performance of 
regulatory, adjudicatory, or prosecutorial duties delegated by the 
SEC.'').
---------------------------------------------------------------------------

f. Department of the Treasury Access
    The CTA includes separate, Treasury-specific provisions for 
accessing BOI. One of those provisions makes BOI ``accessible for 
inspection or disclosure to officers and employees of the Department of 
the Treasury whose official duties require such inspection or

[[Page 77417]]

disclosure subject to procedures and safeguards prescribed by the 
Secretary of the Treasury.'' \126\ The other grants officers and 
employees of Treasury ``access to [BOI] for tax administration 
purposes.'' \127\
---------------------------------------------------------------------------

    \126\ 31 U.S.C. 5336(c)(5)(A).
    \127\ See 31 U.S.C. 5336(c)(5)(B).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(b)(5) tracks these authorizations and 
would provide that Treasury officers and employees may receive BOI 
where their official duties require such access, or for tax 
administration, consistent with procedures and safeguards established 
by the Secretary. The proposed rule clarifies the term ``tax 
administration purposes'' by adding a reference to the definition of 
``tax administration'' in the Internal Revenue Code.\128\ FinCEN 
believes adopting this definition is appropriate because Treasury 
officers and employees who administer tax laws are already familiar 
with it and have a clear understanding of the activity it covers. 
Furthermore, FinCEN believes the definition is broad enough to avoid 
inadvertently excluding a tax administration-related activity that 
would be undermined by lack of access to BOI. FinCEN welcomes comments 
on the proposed scope of the term ``tax administration.''
---------------------------------------------------------------------------

    \128\ 26 U.S.C. 6103(b)(4).
---------------------------------------------------------------------------

    FinCEN envisions Treasury components using BOI for appropriate 
purposes, such as tax administration, enforcement actions, intelligence 
and analytical purposes, use in sanctions designation investigations, 
and identifying property blocked pursuant to sanctions, as well as for 
administration of the BOI framework, such as for audits, enforcement, 
and oversight. FinCEN will work with other Treasury components to 
establish internal policies and procedures governing Treasury officer 
and employee access to BOI. These policies and procedures will ensure 
that FinCEN discloses BOI only to Treasury officers or employees with 
official duties requiring BOI access, or for tax administration. FinCEN 
anticipates that the security and confidentiality protocols in those 
policies and procedures will include elements of the protocols 
described in proposed 31 CFR 1010.955(d)(1) as applicable to Treasury 
activities and organization. Officers and employees identified as 
having duties potentially requiring access to BOI would receive 
training on, among other topics, determining when their duties require 
access to BOI, what they can do with the information, and how to handle 
and safeguard it. Their activities would also be subject to the same 
audit.
iv. Use of Information
a. Use of Information by Authorized Recipients
    The CTA includes numerous provisions limiting how BOI may be used. 
Federal agencies engaged in national security, intelligence, or law 
enforcement activity may use BOI only ``in furtherance of such 
activity'' \129\ and must provide written certifications to FinCEN that 
``at a minimum, se[t] forth the specific reason or reasons why [BOI] is 
relevant to'' an authorized activity.\130\ State, local, and Tribal law 
enforcement agencies must obtain authorization from a court of 
competent jurisdiction to obtain BOI in criminal or civil 
investigations.\131\ Federal agencies requesting BOI on behalf of 
foreign law enforcement agencies, judges, or prosecutors may do so only 
pursuant to an international treaty, agreement, or convention or 
pursuant to an official request from a trusted foreign country for 
assistance in an official investigation, prosecution, or authorized 
national security or intelligence activity.\132\ FIs must have a 
reporting company's consent to request its BOI from FinCEN as part of 
CDD compliance activities,\133\ and a financial regulator assessing an 
FI's compliance with CDD requirements may request and receive only the 
BOI that the FI previously requested when conducting such an 
assessment.\134\ Each of these requirements reflects a general 
expectation that authorized recipients not obtain BOI for one 
authorized activity and then use it for another unrelated purpose. The 
statute also requires authorized recipients of BOI to narrowly tailor 
their requests as much as possible. For example, the CTA instructs the 
Secretary to require requesting agencies ``to limit, to the greatest 
extent practicable, the scope of information sought, consistent with 
the purposes for seeking BOI.'' \135\
---------------------------------------------------------------------------

    \129\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
    \130\ 31 U.S.C. 5336(c)(3)(E)(ii).
    \131\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
    \132\ See 31 U.S.C. 5336(c)(2)(B)(ii).
    \133\ See 31 U.S.C. 5336(c)(2)(B)(iii).
    \134\ See 31 U.S.C. 5336(c)(2)(B)(iv) and 31 U.S.C. 
5336(c)(2)(C).
    \135\ 31 U.S.C. 5336(c)(3)(F).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(c)(1) would implement these provisions by 
clarifying that, unless otherwise authorized by FinCEN, any person who 
receives information disclosed by FinCEN under proposed 31 CFR 
1010.955(b) would be authorized to use it only for the particular 
purpose or activity for which it was disclosed. Thus, for example, a 
Federal agency employee, contractor, or agent who obtains BOI from 
FinCEN for use in furtherance of national security activity would be 
authorized to use the BOI only for the particular national security 
activity for which the request was made. FinCEN believes this 
limitation is necessary to ensure that BOI is used only for proper 
purposes and only to the extent necessary.
    Proposed 31 CFR 1010.955(c)(1) further clarifies that a Federal 
agency receiving BOI pursuant to the foreign access provision at 
proposed 31 CFR 1010.955(b)(3), i.e., an intermediate Federal agency, 
can use the BOI only to facilitate a response to the relevant foreign 
requester. This limitation ensures that Federal intermediary agencies 
handling BOI in this context would do so only for the permissible use 
of transmitting it to a foreign requester.
    Authorized recipients that fail to follow applicable use 
limitations would risk losing the ability to receive BOI.
b. Limitations on Re-Disclosure of Information by Authorized Recipients
    Although the CTA expressly limits the circumstances under which 
FinCEN may initially disclose BOI to other agencies or FIs, the CTA 
does not specify the circumstances under which an authorized recipient 
of BOI may re-disclose the BOI to another person or organization. The 
CTA instead prohibits re-disclosure except as authorized in the 
protocols promulgated by regulation, thereby leaving it to FinCEN to 
establish the appropriate re-disclosure rules in the protocols.\136\ 
The proposed rule would permit the disclosure by authorized recipients 
of BOI in limited circumstances that would further the core underlying 
national security, intelligence, and law enforcement objectives of the 
CTA while at the same time ensuring that BOI is disclosed only where 
appropriate for those purposes. Generally, authorized re-disclosures 
would be subject to protocols designed, as with those applicable to 
initial disclosures of BOI from the beneficial ownership IT system, to 
protect the security and confidentiality of BOI.
---------------------------------------------------------------------------

    \136\ 31 U.S.C. 5336(c)(2)(A). The CTA appears to presume that 
some re-disclosure will be permitted when it requires requesting 
agencies to keep records related to their requests, including of 
``any disclosure of beneficial information made by . . . the 
agency.'' 31 U.S.C. 5336(c)(3)(H).
---------------------------------------------------------------------------

    First, proposed 31 CFR 1010.955(c)(2)(i) would authorize a Federal, 
State, local or Tribal agency that receives BOI from FinCEN to re-
disclose it to others within the same organization, if the re-
disclosure is consistent with the security and confidentiality 
requirements of 31 CFR

[[Page 77418]]

1010.955(d)(1)(i)(F), (d)(2), or applicable internal Treasury policies, 
procedures, orders or directives; and is in furtherance of the same 
purpose for which the BOI was requested. Without this authorization, 
the statutory prohibitions at 31 U.S.C. 5336(c)(2)(A) and corresponding 
regulatory prohibitions at proposed 31 CFR 1010.955(a) could be viewed 
to constrain officers, employees, contractors, and agents within the 
same authorized requesting agency from efficiently sharing BOI in a 
manner consistent with the objectives of the CTA. FinCEN recognizes 
that authorized individuals that receive BOI within authorized 
recipient organizations may need limited flexibility to disclose BOI to 
others in their organization to the extent those other individuals need 
the BOI to further the original purpose for which the BOI request was 
made to FinCEN. An employee working on a law enforcement case within a 
Federal agency, for example, might need to disclose BOI obtained from 
FinCEN to another employee working on the same law enforcement matter.
    FinCEN envisions that there are circumstances in which FI employees 
may have a similar need to share BOI with counterparts, e.g., if they 
are working together to onboard a new customer. Proposed 31 CFR 
1010.955(c)(2)(ii) therefore extends a comparable authority to FIs. One 
difference should be noted: FinCEN proposes to expressly limit FIs to 
redisclosing BOI to other officers, employees, contractors, and agents 
of the FI physically present in the United States. FinCEN believes this 
limitation is necessary to provide appropriate protection to BOI 
against disclosures to foreign governments outside of the framework 
established by the CTA. The CTA confirms, among other things, that foreign 
government agencies should only obtain the BOI of reporting companies 
for limited purposes and through intermediary Federal agencies. 
Allowing U.S. FIs to re-disclose BOI outside of the United States 
creates the potential for a foreign government agency to obtain such 
BOI by serving a judicial or administrative warrant, summons, or 
subpoena directly on the foreign entity or location where the BOI is 
stored. Prohibiting FIs from moving BOI outside the United States 
reinforces and complements the requirements through which foreign 
governments can obtain BOI under the 
proposed rule.
    Next, proposed 31 CFR 1010.955(c)(2)(iii) would allow an FI, 
subject to certain conditions, to share BOI that it obtains from FinCEN 
for use in fulfilling its CDD obligations with (1) the FI's Federal 
functional regulator, (2) a qualifying SRO, or (3) any other 
appropriate regulatory agency. The CTA specifies that BOI provided to 
an FI ``shall also be available'' to a Federal functional regulator or 
other appropriate regulatory agency, under certain conditions, and 
proposed 31 CFR 1010.955(b)(4)(ii) would authorize the agency to obtain 
the BOI directly from FinCEN. Proposed 31 CFR 1010.955(c)(2)(ii) would 
complement that authorization by also allowing the agency to obtain the 
BOI from the FI. FinCEN believes this may be a more efficient means of 
access for agencies conducting assessments of an FI's compliance with 
CDD requirements under applicable law. Such re-disclosure would more 
easily provide regulators with a complete picture of how FIs are 
obtaining and using BOI for CDD compliance, thereby supporting the aims 
and purposes of the CTA, and would also help them detect compliance 
failures. Proposed 31 CFR 1010.955(c)(2)(ii) would also authorize re-
disclosure to qualifying SROs. SROs perform important supervisory and 
regulatory functions under the oversight of Federal functional 
regulators to assess FI compliance with CDD requirements among their 
member firms. Given that SROs can perform these supervisory functions, 
FinCEN believes that access to BOI would be as helpful to qualifying 
SROs as to Federal functional regulators in ensuring a complete and 
accurate assessment of CDD compliance. Qualifying SROs, like any 
supervisory agency, would need to enter into an MOU with FinCEN, and 
agree to implement security and confidentiality protocols, including 
audit requirements, prior to receiving BOI from their regulated 
institutions.
    Fourth, proposed 31 CFR 1010.955(c)(2)(iv) would allow a Federal 
functional regulator to disclose information to a qualifying SRO. 
Consistent with the purposes of the CTA, the proposed rule makes clear 
that BOI may be accessed, used, and re-disclosed for examinations for 
compliance with CDD requirements under applicable law.
    Fifth, proposed 31 CFR 1010.955(c)(2)(v), consistent with the CTA, 
would allow an intermediary Federal agency to disclose BOI to the 
foreign person for whom the intermediary Federal agency requested the 
information in accordance with proposed 31 CFR 1010.955(b)(3). Without 
an express regulatory provision to effectuate the CTA's provisions 
relating to BOI access by a foreign law enforcement agency, prosecutor, 
or judge, questions could arise as to whether the intermediary Federal 
agency would be able to then share with a foreign requester the 
information obtained on its behalf.
    Sixth, proposed 31 CFR 1010.955(c)(2)(vi) would allow a Federal, 
State, local, or Tribal law enforcement agency to disclose BOI to a 
court of competent jurisdiction or parties to a civil or criminal 
proceeding. This authorization would only apply to civil or criminal 
proceedings involving U.S. Federal, State, local, and Tribal laws. 
FinCEN envisions agencies relying on this provision when, for example, 
a prosecutor must provide a criminal defendant with BOI in discovery or 
use it as evidence in a court proceeding or trial.\137\
---------------------------------------------------------------------------

    \137\ See CTA, Section 6402(5)(D).
---------------------------------------------------------------------------

    FinCEN considered requiring Federal, State, local, or Tribal law 
enforcement agencies to request permission to disclose BOI on a case-
by-case basis. The bureau decided against that approach for the sake of 
efficiency and the administration of justice. FinCEN would be unlikely 
to oppose disclosing BOI for use by law enforcement agencies in a civil 
or criminal proceeding; the CTA explicitly contemplates using BOI in 
this scenario.\138\ Additionally, manual review of individual 
disclosure requests in this context could also delay the relevant legal 
proceeding. FinCEN invites comment on this proposed approach.
---------------------------------------------------------------------------

    \138\ See id.
---------------------------------------------------------------------------

    Seventh, proposed 31 CFR 1010.955(c)(2)(vii) would allow a Federal 
agency that receives BOI from FinCEN pursuant to proposed 31 CFR 
1010.955(b)(1), (b)(4)(ii), or (b)(5) to disclose that BOI to DOJ in a 
case referral. While DOJ would also be able to request the relevant BOI 
from FinCEN in furtherance of law enforcement activity, allowing the 
requesting Federal agency to share that BOI with DOJ would allow for 
more efficient investigation and law enforcement activity. The proposed 
provision would also make clear that the requesting agency can disclose 
BOI to DOJ for use in litigation related to the activity for which the 
BOI is requested. Such authorization will allow DOJ to have a complete 
record--including BOI--when fulfilling its responsibilities to 
represent the requesting agency in litigation.
    Eighth, proposed 31 CFR 1010.955(c)(2)(viii) would allow a foreign 
requester that receives BOI pursuant to a request made under an 
international treaty, agreement, or convention to disclose and use that 
BOI in accordance with the requirements of

[[Page 77419]]

the relevant agreement. This approach harmonizes 31 U.S.C. 
5336(c)(2)(B)(ii)(II)(aa) \139\ with the process described in the 
introductory paragraph in 31 U.S.C. 5336(c)(2)(B)(ii), which 
establishes a preference for disclosing BOI to foreign requesters under 
international agreements. For foreign requests that are not governed by 
an international treaty, agreement, or convention, FinCEN would review 
re-disclosure requests from foreign requesters either on a case-by-case 
basis or pursuant to alternative arrangements with intermediary Federal 
agencies where those intermediary Federal agencies have ongoing 
relationships with the particular foreign requesters.
---------------------------------------------------------------------------

    \139\ Requiring requests for BOI from foreign requesters to 
``[comply] with the disclosure and use provisions of the treaty, 
agreement, or convention, publicly disclosing [sic] any beneficial 
ownership information received . . . .''
---------------------------------------------------------------------------

    Finally, proposed 31 CFR 1010.955(c)(2)(ix) would make clear that 
re-disclosing BOI obtained under 31 CFR 1010.955(b) in any 
circumstances other than those defined in proposed 31 CFR 
1010.955(c)(2) would be prohibited unless FinCEN provided prior 
authorization for the re-disclosure in writing, or such re-disclosure 
were made in accordance with applicable protocols, guidance, and 
regulations as FinCEN may issue. This provision would give FinCEN the 
ability to authorize, either on a case-by-case basis or categorically 
through written protocols, guidance, or regulations, the re-disclosure 
of BOI in limited cases to further the purposes of the CTA.\140\ FinCEN 
welcomes comments on any of the proposed provisions permitting the re-
disclosure of BOI for activities consistent with the purposes of the 
CTA.
---------------------------------------------------------------------------

    \140\ For example, FinCEN could authorize the supervisory 
component of a Federal functional regulator that identifies a CDD-
related deficiency at an FI to share BOI with its enforcement 
component as part of a referral in which the BOI would be used in 
furtherance of law enforcement activity.
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(c)(2)(ix) would also enable FinCEN to 
authorize the re-disclosure of BOI in appropriate circumstances. For 
example, FinCEN envisions instances when it might be necessary for one 
law enforcement agency to disclose BOI obtained from FinCEN to another 
agency for an authorized purpose. The ability to share BOI in such 
circumstances would ensure that authorized recipients are able to 
further the goals of the CTA of protecting U.S. national security and 
combatting illicit activity, including corruption, money laundering, 
tax fraud, and terrorist financing, while at the same time, ensuring 
that appropriate security and confidentiality are maintained in a way 
that ensures appropriate audit and oversight.
    For example, a Federal agency to which FinCEN disclosed BOI in 
furtherance of that agency's national security activities may identify 
a possible criminal violation and need to provide the information to a 
Federal law enforcement agency for investigation, and prosecution, if 
appropriate. Federal agencies that are a part of a task force to target 
specific criminal activity, such as drug trafficking or corruption, may 
also need to share BOI within the task force. In such cases, it would 
be more efficient for the agencies involved to share BOI directly among 
themselves instead of each agency having to separately request the same 
BOI from FinCEN.
    The requirements that an agency would need to satisfy to obtain BOI 
through re-disclosure are the same as those an agency would need to 
satisfy to obtain BOI from FinCEN directly under this proposed rule. 
FinCEN also envisions including re-disclosure limitations in the BOI 
disclosure MOUs it enters into with recipient agencies. These 
provisions would make clear that it would be the responsibility of a 
recipient agency to take necessary steps to ensure that BOI is made 
available for purposes specifically authorized by the CTA, and not for 
the general purposes of the agency. Such agency-to-agency agreements 
can be effective at creating and enforcing standards on use, reuse, and 
redistribution of sensitive information. However, FinCEN solicits 
comments from the public as to whether other mechanisms, such as the 
imposition of redistribution standards by regulation, mandatory 
redistribution logs, regular audit requirements, or other techniques, 
may be more appropriate in this context.
v. Security and Confidentiality Requirements
    The CTA directs the Secretary to establish by regulation protocols 
to protect the security and confidentiality of any BOI provided 
directly by FinCEN.\141\ FinCEN views safeguarding BOI to be a top 
priority. The security and confidentiality of BOI would be protected 
through several protocols to prevent unauthorized disclosure and to 
ensure that BOI is used solely for the purposes described in the CTA. 
These include high standard security protocols in the implementation of 
the beneficial ownership IT system, robust MOUs that will impose 
security requirements on agencies that have access to BOI, such as 
current background checks on personnel accessing the information and 
controls to ensure appropriate use, regular training, and robust audit 
and oversight at the agency level and by FinCEN. In addition, FinCEN is 
committed to regularly reviewing protocols and information security 
practices to ensure they protect BOI from unauthorized use or 
disclosure.
---------------------------------------------------------------------------

    \141\ 31 U.S.C. 5336(c)(3)(A).
---------------------------------------------------------------------------

    While the CTA enumerates specific requirements applicable to 
``requesting agencies,'' FinCEN believes it is necessary and 
appropriate to impose comparable requirements on FIs and foreign 
requesters, taking into account considerations unique to those 
recipient categories.\142\ Clear expectations for all recipients and 
comparable data management requirements across different categories of 
authorized recipients will facilitate high standard information 
security and confidentiality practices and will contribute to more 
effective audits and oversight. This subsection discusses requirements 
applicable to both ``requesting agencies'' and other authorized 
requesters.
---------------------------------------------------------------------------

    \142\ 31 U.S.C. 5336(c)(3)(K).
---------------------------------------------------------------------------

a. Security and Confidentiality Requirements for Domestic Agencies
    The CTA prescribes with specificity a number of requirements that 
the Secretary must impose on requesting agencies and their heads. These 
requirements affirm the importance of the security and confidentiality 
protocols and the need for a high degree of accountability for the 
protection of BOI.
    Specifically, the statute provides that the Secretary shall require 
requesting agencies to (1) ``establish and maintain, to the 
satisfaction of the Secretary, a secure system in which [BOI] provided 
directly by the Secretary shall be stored;'' \143\ (2) ``furnish a 
report to the Secretary, at such time and containing such information 
as the Secretary may prescribe, that describes the procedures 
established and utilized by such agency to ensure the confidentiality 
of [BOI] provided directly by the Secretary;'' \144\ (3) ``limit, to 
the greatest extent practicable, the scope of information sought, 
consistent with the purposes for seeking [BOI];'' \145\ and (4) 
``establish and maintain, to the satisfaction of the Secretary, a 
permanent system of standardized records with respect to an auditable 
trail of each request for [BOI] submitted to the Secretary by the 
agency, including the reason for the request, the name of the 
individual who made the request, the date of the

[[Page 77420]]

request, any disclosure of [BOI] made by or to the agency, and any 
other information the Secretary of the Treasury determines is 
appropriate.'' \146\
---------------------------------------------------------------------------

    \143\ 31 U.S.C. 5336(c)(3)(C).
    \144\ 31 U.S.C. 5336(c)(3)(D).
    \145\ 31 U.S.C. 5336(c)(3)(F).
    \146\ 31 U.S.C. 5336(c)(3)(H).
---------------------------------------------------------------------------

    The CTA also instructs the Secretary to establish by regulation 
protocols: (1) ``requir[ing] the head of any requesting agency, on a 
non-delegable basis, to approve the standards and procedures utilized 
by the requesting agency and certify to the Secretary semi-annually 
that such standards and procedures are in compliance with the 
requirements of [31 U.S.C. 5336(c)(3)];'' \147\ (2) ``requir[ing] a 
written certification for each authorized investigation or other 
activity [giving rise to an authorized BOI disclosure] from the head of 
[a Federal agency acting in furtherance of national security, 
intelligence, or law enforcement activity, or a State, local, or Tribal 
law enforcement agency], or their designees, that (a) states that 
applicable requirements have been met, in such form and manner as the 
Secretary may prescribe; and (b) at a minimum, sets forth the specific 
reason or reasons why the [BOI] is relevant to [the] authorized 
investigation or other activity . . .''; and (3) ``restrict[ing], to 
the satisfaction of the Secretary, access to [BOI] to whom disclosure 
may be made under the [CTA disclosure provisions] to only users at the 
requesting agency (a) who are directly engaged in the authorized 
investigation [for which BOI disclosure is authorized]; (b) whose 
duties or responsibilities require such access; (c) who have undergone 
appropriate training, or use staff to access the database who have 
undergone appropriate training; (d) who use appropriate identity 
verification mechanisms to obtain access to the information; and (e) 
who are authorized by agreement with the Secretary to access the 
information.'' \148\
---------------------------------------------------------------------------

    \147\ 31 U.S.C. 5336(c)(3)(B).
    \148\ 31 U.S.C. 5336(c)(3)(G).
---------------------------------------------------------------------------

    Finally, the CTA instructs the Secretary to require requesting 
agencies receiving BOI from FinCEN to ``conduct an annual audit to 
verify that the [BOI] received from the Secretary has been accessed and 
used appropriately, and in a manner consistent with this paragraph and 
provide the results of that audit to the Secretary upon request.'' 
\149\ The statute imposes a corresponding requirement on the Secretary 
to ``conduct an annual audit of the adherence of the agencies to the 
protocols established under [31 U.S.C. 5336(c)(3)] to ensure that 
agencies are requesting and using [BOI] appropriately.'' \150\
---------------------------------------------------------------------------

    \149\ 31 U.S.C. 5336(c)(3)(I).
    \150\ 31 U.S.C. 5336(c)(3)(J).
---------------------------------------------------------------------------

    The proposed regulation would organize these requirements into two 
subsections. The first, proposed 31 CFR 1010.955(d)(1)(i), would 
address general requirements applicable to Federal, State, local, and 
Tribal requesting agencies, including intermediary Federal agencies 
acting on behalf of authorized foreign requesters, Federal functional 
regulators, and other appropriate regulatory agencies. This proposed 
subsection would require each requesting agency, before it could obtain 
BOI, to enter into an MOU with FinCEN specifying the standards, 
procedures, and systems that the agency would be required to maintain 
to protect BOI.\151\ These MOUs would, among other things, memorialize 
and implement requirements contained in proposed 31 CFR 
1010.955(d)(1)(i), including those regarding reports and 
certifications, periodic training of individual recipients of BOI, 
personnel access restrictions, re-disclosure limitations, and access to 
audit and oversight mechanisms. The MOUs would also include security 
plans covering topics related to personnel security (e.g., eligibility 
limitations, screening standards, certification and notification 
requirements); physical security (system connections and use, 
conditions of access, data maintenance); computer security (use and 
access policies, standards related to passwords, transmission, storage, 
and encryption); and inspections and compliance. Agencies may rely on 
existing databases and related IT infrastructure to satisfy the 
requirement to ``establish and maintain'' secure systems in which to 
store BOI where those systems have appropriate security and 
confidentiality protocols, and FinCEN will engage with recipient 
agencies on this issue during the development of an MOU on BOI sharing.
---------------------------------------------------------------------------

    \151\ 31 CFR 1010.955(d)(1)(i)(A).
---------------------------------------------------------------------------

    Because security protocol details may vary based on each agency's 
particular circumstances and capabilities, FinCEN believes individual 
MOUs are preferable to a ``one-size-fits-all'' approach of specifying 
particular requirements by regulation. FinCEN invites comment on this 
MOU-based approach, and on whether additional requirements should be 
incorporated into the regulations or into FinCEN's MOUs.
    The second subsection would apply to each request for BOI. It 
includes specific requirements with which each individual request for 
BOI must comply, as described in the CTA, as well as additional 
requirements that FinCEN believes are necessary to ensure that BOI is 
subject to security and confidentiality requirements of a sufficiently 
high standard.\152\
---------------------------------------------------------------------------

    \152\ The additional measures are being proposed pursuant to the 
authority delegated to FinCEN under 31 U.S.C. 5336(c)(3)(K).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(d)(1)(ii)(A) (referred to as a 
``minimization'' requirement) would require all requesting agencies to 
limit, to the greatest extent practicable, the amount of BOI they seek, 
consistent with the agency's purpose for seeking it. The provision 
mirrors the CTA requirement at 31 U.S.C. 5336(c)(3)(F) and would 
enhance information security and confidentiality by limiting disclosure 
of BOI only to those situations in which BOI is necessary for a 
particular purpose.
    Proposed 31 CFR 1010.955(d)(1)(ii)(B)(1) would incorporate the 
requirement of 31 U.S.C. 5336(c)(3)(E) that the head of a requesting 
Federal agency acting in furtherance of national security, 
intelligence, or law enforcement activity, or their designees, certify 
in writing, for each request made by the agency to FinCEN, that (1) the 
agency was engaged in a national security, intelligence, or law 
enforcement activity, and (2) the BOI requested was for use in 
furthering that activity, setting forth specific reasons why the 
requested BOI was relevant. FinCEN expects that the certification and 
justification would be made by the individual at the authorized Federal 
agency at the time of the BOI request. Similarly, proposed 31 CFR 
1010.955(d)(1)(ii)(B)(2) would require the head of a requesting State, 
local, or Tribal law enforcement agency, or their designee, to submit 
to FinCEN a copy of the court authorization required under proposed 31 
CFR 1010.955(b)(2), as well as a written justification setting forth 
specific reasons why the requested information was relevant to the 
investigation. FinCEN believes that collecting the underlying court 
authorizations will help to ensure compliance with 31 U.S.C. 
5336(c)(2)(B)(i)(II) and facilitate audit and oversight of such 
requests. Moreover, the submission of brief justification narratives 
will make it easier for FinCEN personnel to identify the relevant 
information in a court authorization, thereby allowing for faster 
reviews and more focused audits. FinCEN considered not requiring State, 
local, and Tribal law enforcement agencies to submit corresponding 
justifications in addition to the court authorizations, but in some 
cases the

[[Page 77421]]

relationship between a court authorization and the search in question 
might not be apparent on the face of the court authorization.
    Proposed 31 CFR 1010.955(d)(1)(ii)(B)(3) and (4) would identify the 
information that an intermediary Federal agency would need to obtain, 
and in some cases, submit to FinCEN, when making a request for BOI on 
behalf of foreign law enforcement, prosecutors, or judges. The 
information that would need to be submitted to FinCEN pursuant to these 
provisions is dependent on whether the foreign request at issue is 
pursuant to an international treaty, agreement, or convention.
    Regardless of whether an international treaty, agreement, or 
convention applies, the head of an intermediary Federal agency acting 
on behalf of a foreign requester, or their designee, would always need 
to: (1) identify to FinCEN the individual within the intermediary 
Federal agency making the request; (2) identify to FinCEN the 
individual affiliated with the foreign requester on whose behalf the 
request is being made; and (3) either identify to FinCEN the 
international treaty, agreement, or convention under which the request 
was being made or provide a statement that no such instrument governs. 
When an international treaty, agreement, or convention applies, the 
head of an intermediary Federal agency acting on behalf of a foreign 
requester, or their designee, would need to retain the request for 
information under the relevant international treaty, agreement, or 
convention, and would also have to certify to FinCEN that the requested 
BOI is for use in furtherance of a law enforcement investigation or 
prosecution, or for a national security or intelligence activity, that 
is authorized under the laws of the relevant foreign country. This 
certification would apply to the intermediary Federal agency head or 
designee's understanding of the intended use for the BOI, and would not 
constitute a guarantee from the intermediary Federal agency that the 
foreign requester would not use the information for other activities 
without authorization.
    In circumstances in which an international treaty, agreement, or 
convention does not apply, the head of an intermediary Federal agency 
acting on behalf of a foreign requester, or their designee, would need 
to submit to FinCEN a written explanation of the specific purpose for 
which the foreign requester is requesting BOI. The intermediary Federal 
agency would also need to provide FinCEN with a certification that 
requested BOI: (1) will be used in furtherance of a law enforcement 
investigation or prosecution, or for a national security or 
intelligence activity that is authorized under the laws of the relevant 
foreign country; (2) will only be used for the particular purpose or 
activity for which it is requested; and (3) will be handled in 
accordance with applicable security and confidentiality requirements as 
discussed in detail in Section IV.A.v.c. below with respect to proposed 
31 CFR 1010.955(d)(3). Again, this certification would apply to the 
intermediary Federal agency head or designee's understanding of the 
intended use for the BOI, and would not constitute a guarantee from the 
intermediary Federal agency that the foreign requester would not use 
the information for other activities without authorization. The 
proposed rule further specifies that FinCEN may request additional 
information to support its evaluation of whether to disclose BOI to a 
foreign requester when a request is not pursuant to an international 
treaty, agreement, or convention. FinCEN anticipates the implementation 
of a case management function in the beneficial ownership IT system to 
manage this information and certification submission process.
    Finally, proposed 31 CFR 1010.955(d)(1)(ii)(B)(5) would require the 
head of Federal functional regulators and other appropriate regulatory 
agencies, or their designee, to certify to FinCEN when requesting BOI 
that the agency (1) is authorized by law to assess, supervise, enforce, 
or otherwise determine the relevant FI's compliance with CDD 
requirements under applicable law, and (2) will use the information 
solely for the purpose of conducting the assessment, supervision, or 
authorized investigation or activity described in proposed 31 CFR 
1010.955(b)(4)(ii)(A).
b. Security and Confidentiality Requirements for FIs
    Although the CTA does not specifically address the safeguards FIs 
must implement as a precondition to requesting BOI, the CTA authorizes 
FinCEN to prescribe by regulation any other safeguards determined to be 
necessary or appropriate to protect the confidentiality of BOI.\153\ 
Proposed 31 CFR 1010.955(d)(2) contains the safeguards applicable to 
FIs, including security standards for managing the BOI data.
---------------------------------------------------------------------------

    \153\ 31 U.S.C. 5336(c)(3)(K).
---------------------------------------------------------------------------

    Any security standards FinCEN imposes should keep BOI reasonably 
secure and confidential, but not be so stringent as to make the 
information practically inaccessible or useless to FIs. Such overly 
burdensome requirements would frustrate the CTA's objective of 
facilitating FI compliance with CDD requirements under applicable law. 
To strike an appropriate balance, proposed 31 CFR 1010.955(d)(2)(i) 
would take a principles-based approach by requiring FIs to develop and 
implement administrative, technical, and physical safeguards reasonably 
designed to protect BOI as a precondition for receiving BOI. Although 
proposed 31 CFR 1010.955(d)(2)(i) would not prescribe any specific 
safeguards, it would establish that the security and information 
handling procedures necessary to comply with section 501 of the Gramm-
Leach-Bliley Act (Gramm-Leach-Bliley) \154\ and applicable regulations 
issued under it to protect non-public customer personal information, if 
applied to BOI under the control of the FI, would satisfy this 
requirement. This would be true for any FI, regardless of whether that 
FI was subject to section 501, so long as the FI actually applied 
procedures at the appropriate level of protection. The safe harbor in 
proposed 31 CFR 1010.955(d)(2)(i) would therefore establish baseline 
security and confidentiality standards that are the same for all FIs. 
The approach of establishing a baseline standard would be consistent 
with other provisions in FinCEN's regulations that impose standards for 
handling sensitive information.\155\
---------------------------------------------------------------------------

    \154\ Public Law 106-102, 113 Stat. 1338, 1436-37 (1999).
    \155\ See, e.g., 31 CFR 1010.520(b)(3)(iv)(C), 31 CFR 
1010.540(b)(4)(ii).
---------------------------------------------------------------------------

    Section 501 of Gramm-Leach-Bliley, codified at 15 U.S.C. 6801(b) 
and 6805, requires each Federal functional regulator to establish 
appropriate standards for the FIs subject to its jurisdiction relating 
to administrative, technical, and physical safeguards to (1) ensure the 
security and confidentiality of customer records and information; (2) 
protect against any anticipated threats or hazards to the security or 
integrity of such records; and (3) protect against unauthorized access 
to or use of such records or information which could result in 
substantial harm or inconvenience to any customer. The Federal 
functional regulators have implemented these requirements in different 
ways. The OCC, FRB, FDIC, and NCUA incorporated into their regulations 
the Interagency Guidelines Establishing Interagency Security

[[Page 77422]]

Standards (Interagency Guidelines).\156\ The Interagency Guidelines add 
detail to the more general Gramm-Leach-Bliley requirements, covering 
specific subjects related to identifying, managing, and controlling 
risk (e.g., physical and electronic access controls, encryption and 
training requirements, and testing). The CFTC has incorporated the 
Gramm-Leach-Bliley expectations of FIs into its regulations \157\ and 
recommended best practices for meeting them that are ``designed to be 
generally consistent with'' the Interagency Guidelines.\158\ The SEC 
has also incorporated the Gramm-Leach-Bliley expectations of FIs into 
its regulations,\159\ but evaluates the reasonableness of Gramm-Leach-
Bliley compliance policies and procedures on a case-by-case basis and 
communicates findings of insufficiency through supervision and 
enforcement actions.\160\
---------------------------------------------------------------------------

    \156\ See Interagency Guidelines Establishing Standards for 
Safeguarding Customer Information and Rescission of Year 2000 
Standards for Safety and Soundness, 66 FR 8616 (Feb. 1, 2001). The 
agencies' implementing regulations are at 12 CFR part 30, app. B 
(OCC); 12 CFR part 208, app. D-2 and part 225, app. F (FRB); 12 CFR 
part 364, app. B (FDIC); and 12 CFR part 748, apps. A & B (NCUA).
    \157\ See 17 CFR 160.
    \158\ See CFTC Staff Advisory No. 14-21 (February 16, 2014).
    \159\ See 17 CFR 248.30(a).
    \160\ See, e.g., Morgan Stanley Smith Barney, SEC Administrative 
Proceeding File No. 3-21112 (Sept. 20, 2022).
---------------------------------------------------------------------------

    This blended approach for complying with the Gramm-Leach-Bliley 
requirements is well-suited to protecting sensitive information 
generally and BOI in particular. Gramm-Leach-Bliley provides general 
baseline expectations for keeping data secure and confidential, while 
each agency's implementing regulations take into account factors unique 
to the FIs they supervise. Allowing FIs to meet the requirement to 
safeguard BOI by extending to it the same processes they use to comply 
with regulations issued pursuant to section 501 of Gramm-Leach-Bliley 
would avoid duplicative or inconsistent requirements for information 
security and protocols and would be less burdensome for FIs to 
administer without sacrificing a high level of protection.
    In order to ensure that security and confidentiality standards are 
consistent across the entire financial industry, even FIs not subject 
to regulations issued pursuant to section 501 of Gramm-Leach-Bliley 
would be held to these same substantive standards. For FIs not subject 
to section 501, the Interagency Guidelines might serve as a useful 
checklist against which such FIs could evaluate their existing security 
and confidentiality practices, and a useful guide to possible 
modifications to bring the FI to the level of security and 
confidentiality necessary to justify obtaining BOI.
    Proposed 31 CFR 1010.955(d)(2)(ii) would require FIs to obtain and 
document a reporting company's consent before requesting that reporting 
company's BOI from FinCEN. FIs are well-positioned to obtain consent--
and to track any revocation of such consent--given that they maintain 
direct customer relationships and are able to leverage existing 
onboarding and account maintenance processes to obtain reporting 
company consent. FinCEN considered the alternative approach of FinCEN 
obtaining consent directly from the reporting company, but rejected the 
approach given potential delays and the lack of any direct relationship 
with the reporting company.
    Finally, proposed 31 CFR 1010.955(d)(2)(iii) would require the FI 
to certify in writing for each BOI request that it: (1) is requesting 
the information to facilitate its compliance with CDD requirements 
under applicable law, (2) obtained the reporting company's written 
consent to request its BOI, and (3) fulfilled the other requirements of 
the section. FinCEN anticipates that an FI would be able to make the 
certification via a checkbox when requesting BOI via the beneficial 
ownership IT system. FinCEN expects that FIs will establish protocols 
to direct authorized staff to ensure that the requirements are 
satisfied and that appropriate records are maintained for the purposes 
of audit and oversight. FinCEN further expects FIs to provide training 
on these protocols and to require system users from FIs to complete 
FinCEN-provided online training about the system and related 
responsibilities as a condition for creating and maintaining system 
accounts.
    Under the proposed rule, FinCEN would not require FIs to submit 
proof of reporting company consent at the time of the request for BOI. 
FinCEN would not have the capacity to review, verify, and store consent 
forms and additional FinCEN involvement would create undue delays for 
the ability of FIs to onboard customers. In addition, FinCEN expects 
that FI compliance with these requirements would be assessed by Federal 
functional regulators in the ordinary course during safety and 
soundness examinations or by the SROs during their routine BSA 
examinations.\161\ FIs therefore have a strong incentive to retain 
evidence of a reporting company's consent for the purposes of 
supervisory examinations and compliance and for use in cases involving 
suspected or alleged violations of the requirement. Together with 
potential civil and criminal penalties under the CTA, such examinations 
would create a robust control and oversight mechanism. FinCEN invites 
comments on this proposed approach to FI security and confidentiality 
requirements, including any views regarding how consent should be 
obtained from reporting companies and on the applicability of auditing 
requirements to FIs.
---------------------------------------------------------------------------

    \161\ The CTA requirements FIs must satisfy to qualify for BOI 
disclosure from FinCEN are part of the BSA, a statute enacted in 
pertinent part in Chapter X of the Code of Federal Regulations. 
FinCEN has delegated its authority to examine FIs for compliance 
with Chapter X to the Federal functional regulators. See 31 CFR 
1010.810. See also, e.g., 12 U.S.C. 1818(s)(2), 12 U.S.C. 
1786(q)(2).
---------------------------------------------------------------------------

c. Security and Confidentiality Requirements for Foreign Requesters
    It is critical that all authorized BOI recipients--including 
foreign requesters--take steps to keep BOI confidential and secure and 
to prevent misuse. To that end, proposed 31 CFR 1010.955(d)(3)(i) would 
require foreign requesters to handle, disclose, and use BOI consistent 
with the requirements of the applicable treaty, agreement or convention 
under which it was requested. 31 CFR 1010.955(d)(3)(ii), meanwhile, 
would impose on foreign BOI requesters certain general requirements the 
CTA imposes on all requesting agencies. FinCEN believes these measures 
are necessary to protect the security and confidentiality of BOI 
provided to foreign requesters.\162\ Requirements applicable to foreign 
requesters when no treaty, agreement, or convention applies include 
having security standards and procedures, maintaining a secure storage 
system that complies with whatever security standards the foreign 
requester applies to the most sensitive unclassified information it 
handles, minimizing the amount of information requested, and 
restricting personnel access to it. Foreign requesters that request and 
receive BOI under an applicable international treaty, agreement, or 
convention would not have these requirements under the proposed rule, 
given that such requesters would be governed by standards and 
procedures under the applicable international treaty, agreement, or 
convention.
---------------------------------------------------------------------------

    \162\ See 31 U.S.C. 5336(c)(3)(A), (K).

---------------------------------------------------------------------------

[[Page 77423]]

    FinCEN considered proposing a requirement that foreign requesters 
enter into MOUs comparable to domestic requesting agencies for 
situations in which an international treaty, agreement, or convention 
applies. The bureau decided not to propose such an approach because 
foreign requesters will not have direct access to the beneficial 
ownership IT system and because FinCEN anticipates a significantly 
lower volume of foreign requests in general relative to other 
stakeholders. FinCEN believes MOUs are appropriate with domestic 
agencies to account for the risks inherent in repeated, detailed 
interaction with the beneficial ownership IT system. Foreign BOI 
requesters, by contrast, would only receive BOI through intermediary 
Federal agencies that would themselves be subject to detailed MOUs. 
Those intermediary Federal agencies would in turn work with foreign 
requesters to safeguard BOI in accordance with applicable treaties, 
agreements, or conventions when applicable, and under governing 
protocols in other circumstances.
    FinCEN considered imposing audit requirements on foreign requesters 
as part of these security and confidentiality protocols, but determined 
that it would not be feasible. First, in situations involving 
international treaties, agreements, or conventions, such audits would 
only be permissible if allowed by the international agreement. In 
situations in which no such international agreement applied, it would 
nevertheless be practically challenging for FinCEN to conduct 
meaningful audits of a foreign requester's BOI handling systems and 
practices given that it would involve extensive negotiations and the 
commitment of substantial FinCEN personnel to considerable document 
review (potentially involving translation) and travel. Foreign 
governments under any circumstances are also unlikely to grant FinCEN 
access to their secure IT systems to the degree that a comprehensive 
audit demands. While FinCEN considered whether to refrain from sharing 
information with a foreign requester that refused to be subject to 
audit requirements, such an approach would result in reduced 
information sharing and cooperation overall. The United States 
regularly collaborates bilaterally and in global task forces, for 
example, to combat terrorism, transnational criminal organizations, and 
other threats to national security. The success of these initiatives 
depends upon effective international cooperation and robust efforts by 
foreign counterparts. Those foreign counterparts might decide not to 
request BOI at all, depriving our partners of information that would 
support these efforts, with potentially negative direct consequences 
for the United States.
    FinCEN invites comments on its proposal with respect to security 
and confidentiality requirements applicable to foreign requesters.
vi. Administration of Requests for Information Reported Pursuant to 31 
CFR 1010.380
    The CTA includes several provisions regarding how FinCEN should 
administer requests for BOI. Proposed 31 CFR 1010.955(e) would 
implement these CTA provisions.
    Proposed 31 CFR 1010.955(e)(1) would require agencies and FIs to 
submit requests for BOI to FinCEN in the form and manner FinCEN shall 
prescribe.\163\ The bureau intends to provide additional detail 
regarding the form and manner of BOI requests for all categories of 
authorized users through specific instructions and guidance as it 
continues developing the beneficial ownership IT system. To the extent 
required by the Paperwork Reduction Act (PRA), FinCEN would publish for 
notice and comment any proposed information collection associated with 
BOI requests.
---------------------------------------------------------------------------

    \163\ 31 U.S.C. 5336(c)(2)(C).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(e)(2) would implement 31 U.S.C. 
5336(c)(6)(B), which describes the circumstances under which the 
Secretary ``may decline to provide'' requested BOI. The CTA describes 
three permissible reasons for declining to provide BOI: (1) a 
``requesting agency'' failing to meet applicable requirements; (2) 
``the information is being requested for an unlawful purpose;'' or (3) 
``other good cause exists to deny the request.'' \164\ Proposed 31 CFR 
1010.955(e)(2) would make minor changes to the statutory text to 
clarify its scope and to provide appropriate cross references. While 31 
U.S.C. 5336(c)(6)(B)(i) speaks directly to requests made by a 
``requesting agency,'' FinCEN believes the CTA also permits the bureau 
to deny requests from any authorized recipient, including FIs, that 
fail to comply with any requirements to receive BOI (e.g., refusing to 
obtain consent from reporting companies before making BOI requests or 
failing to fully comply with the proposed security and confidentiality 
requirements).\165\ FinCEN's ability to decline requests in these 
circumstances is necessary to ``protect the security and 
confidentiality of [BOI]'' that the agency provides to authorized 
recipients.\166\ Moreover, FinCEN would consider an FI's failure to 
comply with any requirements to constitute ``good cause'' sufficient to 
justify denying a request for BOI.\167\
---------------------------------------------------------------------------

    \164\ Id.
    \165\ See 31 U.S.C. 5336(c)(3)(A).
    \166\ Id.; see also 31 U.S.C. 5336(c)(3)(K).
    \167\ 31 U.S.C. 5336(c)(6)(B)(iii).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(e)(3) would specify that the reasons for 
rejecting a request are also bases for suspension or debarment. The CTA 
permits the Secretary to suspend or debar a ``requesting agency'' from 
access to BOI for any of the reasons for rejection in the preceding 
paragraph, including for ``repeated or serious violations'' of any 
requirement established as a precondition for receiving BOI.\168\ 
FinCEN would again extend the availability of the suspension or 
debarment authority to FIs to ensure the integrity of BOI, ensure the 
security of the beneficial ownership IT system, and implement the 
confidentiality requirements imposed by the CTA. Under the proposed 
rule, suspension of access to BOI would be a temporary measure, while 
debarment would be permanent. The proposed rule would also permit 
FinCEN to determine in its sole discretion the length of any 
suspension. Additionally, the proposed rule would clarify that FinCEN 
may reinstate suspended or debarred requesters upon satisfaction of any 
terms or conditions FinCEN in its sole discretion believes are 
appropriate. As with the authority to reject requests, FinCEN views 
suspension and debarment as important tools for protecting sensitive 
information from potential misuse.
---------------------------------------------------------------------------

    \168\ 31 U.S.C. 5336(c)(7).
---------------------------------------------------------------------------

vii. Violations; Penalties
    The CTA makes it unlawful for any person to knowingly disclose or 
knowingly use BOI obtained by the person through a report submitted to, 
or an authorized disclosure made by, FinCEN, unless such disclosure is 
authorized under the CTA.\169\ Proposed 31 CFR 1010.955(f)(1) tracks 
this prohibition, and further clarifies that such disclosure authorized 
under the CTA includes disclosure authorized under the regulations 
issued pursuant to the CTA. Proposed 31 CFR 1010.955(f)(2) then 
explains that for purposes of paragraph (f)(1), unauthorized use would 
include any unauthorized accessing of information submitted to FinCEN 
under 31 CFR 1010.380, including any activity in 
which an employee, officer, director, contractor, or agent of a 
Federal, State, local, or Tribal agency or FI knowingly violates 
applicable security and confidentiality requirements in connection with 
accessing such information.\170\ This reflects FinCEN's view that the 
security and confidentiality requirements under the CTA and this 
proposed rule circumscribe the ways in which authorized recipients can 
use BOI, consistent with the statute's emphasis on keeping BOI secure 
and confidential.
---------------------------------------------------------------------------

    \169\ See 31 U.S.C. 5336(h)(2).
    \170\ 31 U.S.C. 5336(c)(4) explicitly applies civil and criminal 
penalties to employees and officers of ``requesting agencies'' who 
violate applicable security and confidentiality protocols, including 
through unauthorized disclosure or use. FinCEN views this as a self-
executing reinforcement provision to support 31 U.S.C. 
5336(h)(3)(B), which focuses on unlawful disclosure or use by any 
person.
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.955(f)(3) lists the CTA's enumerated civil and 
criminal penalties for knowingly disclosing or using BOI without 
authorization. The CTA provides civil penalties in the amount of $500 
for each day a violation continues or has not been remedied. Criminal 
penalties are a fine of not more than $250,000 or imprisonment for not 
more than 5 years, or both.\171\ The CTA also provides for enhanced 
criminal penalties, including a fine of up to $500,000, imprisonment of 
not more than 10 years, or both, if a person commits a violation while 
violating another law of the United States or as part of a pattern of 
any illegal activity involving more than $100,000 in a 12-month 
period.\172\
---------------------------------------------------------------------------

    \171\ 31 U.S.C. 5336(h)(3)(B).
    \172\ See 31 U.S.C. 5336(h)(3)(B)(ii)(II).
---------------------------------------------------------------------------

B. Use of FinCEN Identifiers for Entities

    A FinCEN identifier is a unique identifying number that FinCEN will 
issue to individuals who have provided FinCEN with their BOI and to 
reporting companies that have filed initial BOI reports.\173\ 
Consistent with the CTA, the final BOI reporting rule describes the 
manner in which FinCEN will issue a FinCEN identifier to individuals 
and to entities.\174\ It also describes circumstances in which a 
reporting company may report an individual beneficial owner's FinCEN 
identifier to FinCEN in lieu of providing the individual's BOI.\175\
---------------------------------------------------------------------------

    \173\ 31 U.S.C. 5336(b)(3).
    \174\ See 31 CFR 1010.380(b)(4).
    \175\ See 31 CFR 1010.380(b)(4)(ii)(B).
---------------------------------------------------------------------------

    The CTA also provides for the use of a reporting company's FinCEN 
identifier, specifying that if an individual ``is or may be a 
beneficial owner of a reporting company by an interest held by the 
individual in an entity that, directly or indirectly, holds an interest 
in the reporting company,'' the reporting company may report the 
entity's FinCEN identifier in lieu of providing the individual's 
BOI.\176\ The Reporting NPRM proposed to incorporate this language 
without significant clarification. Some commenters, however, expressed 
concerns that the use of FinCEN identifiers could obscure the 
identities of beneficial owners in a manner that might result in 
greater secrecy or incomplete or misleading disclosures. Several 
commenters noted that the proposed language may be confusing and pose 
problems when a reporting company's ownership structure involves 
multiple beneficial owners and intermediate entities. In light of this 
feedback, the final BOI reporting rule did not adopt the proposed 
language, and FinCEN is now proposing different language to implement 
the CTA in a manner that better clarifies when a company may report an 
intermediate entity's FinCEN identifier in lieu of an individual's BOI.
---------------------------------------------------------------------------

    \176\ 31 U.S.C. 5336(b)(3)(C).
---------------------------------------------------------------------------

    Proposed 31 CFR 1010.380(b)(4)(ii)(B) would permit a reporting 
company to report an intermediate entity's FinCEN identifier in lieu of 
a beneficial owner's BOI only when: (1) the intermediate entity has 
obtained a FinCEN identifier and provided that FinCEN identifier to the 
reporting company; (2) an individual is or may be a beneficial owner of 
the reporting company by virtue of an interest in the reporting company 
that the individual holds through the entity; and (3) only the 
individuals that are beneficial owners of the intermediate entity are 
beneficial owners of the reporting company, and vice versa. The first 
and second requirements are straightforward clarifications, while the 
third requirement reflects an implicit assumption in the statutory 
language.
    It is straightforward to allow a reporting company to use an 
intermediate entity's FinCEN identifier where a single individual is 
the sole beneficial owner of a reporting company through a single 
intermediate entity. In this simple scenario, the same individual would 
be the beneficial owner of both the reporting company and the 
intermediate entity. Reporting the intermediate entity's FinCEN 
identifier in lieu of the individual's BOI would thus accurately 
indicate that the individual is a beneficial owner of both entities, 
and the intermediate entity would have already reported the 
individual's BOI when it filed its initial report and obtained a FinCEN 
identifier. However, the use of an intermediate company's FinCEN 
identifier beyond this simple scenario encounters significant problems 
when a reporting company's ownership structure involves multiple 
beneficial owners and/or intermediate entities. For instance, if the 
intermediate entity has any beneficial owners who are not also 
beneficial owners of the reporting company, the reporting company's use 
of the intermediate entity's FinCEN identifier would identify multiple 
individuals as beneficial owners of the reporting company, when in fact 
they are only beneficial owners of the intermediate entity. 
Additionally, if an individual is a beneficial owner of a reporting 
company through multiple intermediate entities but is not a beneficial 
owner of one of those entities, the reporting company's use of that 
entity's FinCEN identifier could obscure the identity of that 
beneficial owner. In this case, the reporting company's use of an 
intermediate entity's FinCEN identifier would fail to identify an 
individual as a beneficial owner of the reporting company, when in fact 
the individual is such a beneficial owner.
    In light of the core objective of the CTA to establish a 
comprehensive beneficial ownership database and to ensure that the 
information it contains is accurate and highly useful, FinCEN does not 
believe the FinCEN identifier provision was intended to enable 
reporting companies to misidentify beneficial owners. As explained in 
the prior paragraph, there are some scenarios in which FinCEN would be 
unable to accurately identify which reported beneficial owners are 
extraneous, or which BOI reports are incomplete, thereby making it more 
difficult for FinCEN and authorized recipients of BOI to identify the 
true beneficial owners of each reporting company. This would make the 
beneficial ownership database less accurate and undermine the 
fundamental goals of the CTA. Moreover, FIs that obtain BOI reports 
that are either under- or over-inclusive may have difficulty 
reconciling this BOI with other information they receive during the CDD 
process, impeding another goal of the CTA. Furthermore, over-inclusive 
BOI would require FinCEN to disclose more BOI than necessary in 
response to authorized requests. Instead of only disclosing BOI for 
individuals who are beneficial owners of the reporting company that is 
the subject of a request, FinCEN would have to also disclose BOI for 
other individuals who are beneficial owners of a different company that 
may not be 
the subject of the request. This over-disclosure would be in 
significant conflict with the confidentiality and privacy protections 
the CTA instructs FinCEN to implement, including the requirement to 
``limit, to the greatest extent practicable, the scope of the 
information sought.'' \177\
---------------------------------------------------------------------------

    \177\ 31 U.S.C. 5336(c)(3)(F).
---------------------------------------------------------------------------

    For all of these reasons, permitting a reporting company to use an 
intermediate entity's FinCEN identifier would appear consistent with 
the CTA's overall statutory scheme only if the two entities have the 
same beneficial owners. In this case, as in the simple scenario 
previously described, reporting the intermediate entity's FinCEN 
identifier would be equivalent to reporting the BOI of the reporting 
company's beneficial owners. There would be no mismatch. Accordingly, 
proposed 31 CFR 1010.380(b)(4)(ii)(B) makes this requirement explicit 
by permitting a reporting company to report an intermediate entity's 
FinCEN identifier only when the intermediate entity and the reporting 
company have the same beneficial owners. FinCEN believes this 
requirement is implicit in the CTA, and is necessary for FinCEN to 
avoid collection of potentially incomplete information and to prevent 
disclosure of inaccurate reports that contain extraneous sensitive 
information or that lack relevant BOI. FinCEN solicits comment on this 
proposal.

V. Final Rule Effective Date

    FinCEN is proposing an effective date of January 1, 2024, to align 
with the date on which the final BOI reporting rule at 31 CFR 1010.380 
becomes effective. A January 1, 2024, effective date is intended to 
provide the public and authorized users of BOI with sufficient time to 
review and prepare for implementation of the rule. FinCEN solicits 
comment on the proposed effective date for this rule.

VI. Request for Comment

    FinCEN seeks comment from all parts of the public, as well as 
Federal, State, local, and Tribal government entities, with respect to 
the proposed rule as a whole and specific provisions discussed above in 
Section IV. FinCEN invites comment on any and all aspects of the 
proposed rule, and specifically seeks comments on the following 
questions:

Understanding the Rule

    1. Can the organization of the rule text be improved? If so, how?
    2. Can the language of the rule text be improved? If so, how?
    3. Does the proposed rule provide sufficient guidance to 
stakeholders and the public regarding the scope and requirements for 
access to BOI?

Disclosure of Information

    4. The CTA prohibits officers and employees of (1) the United 
States, (2) State, local, and Tribal agencies, and (3) FIs and 
regulatory agencies from disclosing BOI reported under the statute. 
FinCEN proposes to extend the prohibition to agents, contractors, and, 
in the case of FIs, directors as well. FinCEN invites comments on the 
proposed scope.
    5. Are FinCEN's proposed interpretations of ``national security,'' 
``intelligence,'' and ``law enforcement'' clear enough to be useful 
without being overly prescriptive? If not, what should be different? 
Commenters are invited to suggest alternative interpretations or 
sources for reference.
    6. Should FinCEN add any specific activities or elements to the 
proposed interpretations of ``national security,'' ``intelligence,'' 
and ``law enforcement'' that do not seem to be covered already? If so, 
what?
    7. FinCEN requests comments discussing how State, local, and Tribal 
law enforcement agencies are authorized by courts to seek information 
in criminal and civil investigations. Among the particular issues that 
FinCEN is interested in are: how State, local, and Tribal authorities 
gather evidence in criminal and civil cases; what role a court plays in 
each of these mechanisms, and whether in the commenter's opinion it 
rises to the level of court ``authorization''; what role court officers 
(holders of specific offices, not attorneys as general-purpose officers 
of the court) play in these mechanisms; how grand jury subpoenas are 
issued and how the court officers issuing them are ``authorized'' by a 
court; whether courts of competent jurisdiction, or officers thereof, 
regularly authorize subpoenas or other investigative steps via court 
order; and whether there are any evidence-gathering mechanisms through 
which State, local, or Tribal law enforcement agencies should be able 
to request BOI from FinCEN, but that do not require any kind of court?
    8. Is requiring a foreign central authority or foreign competent 
authority to be identified as such in an applicable international 
treaty, agreement, or convention overly restrictive? If so, what is a 
more appropriate means of identification?
    9. Are there alternative approaches to managing the foreign access 
provision of the CTA that FinCEN should consider?
    10. Should FinCEN define the term ``trusted foreign country'' in 
the rule, and if so, what considerations should be included in such a 
definition?
    11. FinCEN proposes that FIs be required to obtain the reporting 
company's consent in order to request the reporting company's BOI from 
FinCEN. FinCEN invites commenters to indicate what barriers or 
challenges FIs may face in fulfilling such a requirement, as well as 
any other considerations.
    12. FinCEN proposes to define ``customer due diligence requirements 
under applicable law'' to mean the bureau's 2016 CDD Rule, as it may be 
amended or superseded pursuant to the AML Act. The 2016 CDD Rule 
requires FIs to identify and verify beneficial owners of legal entity 
customers. Should FinCEN expressly define ``customer due diligence 
requirements under applicable law'' as a larger category of 
requirements that includes more than identifying and verifying 
beneficial owners of legal entity customers? If so, what other 
requirements should the phrase encompass? How should the broader 
definition be worded? It appears to FinCEN that the consequences of a 
broader definition of this phrase would include making BOI available to 
more FIs for a wider range of specific compliance purposes, possibly 
making BOI available to more regulatory agencies for a wider range of 
specific examination and oversight purposes, and putting greater 
pressure on the demand for the security and confidentiality of BOI. How 
does the new balance of those consequences created by a broader 
definition fulfill the purpose of the CTA?
    13. If FinCEN wants to limit the phrase ``customer due diligence 
requirements under applicable law'' to apply only to requirements like 
those imposed under its 2016 CDD Rule related to FIs identifying and 
verifying beneficial owners of legal entity customers, are there any 
other comparable requirements under Federal, State, local, or Tribal 
law? If so, please specifically identify these requirements and the 
regulatory bodies that supervise for compliance with or enforce them.
    14. Are there any State, local, or Tribal government agencies that 
supervise FIs for compliance with FinCEN's 2016 CDD Rule? If so, please 
identify them.
    15. FinCEN does not propose to disclose BOI to SROs as ``other 
appropriate regulatory agencies,'' but does propose to authorize FIs 
that receive BOI from FinCEN to disclose it to SROs that meet specified 
qualifying 
criteria. Is this sufficient to allow SROs to perform duties delegated 
to them by Federal functional regulators and other appropriate 
regulatory agencies? Are there reasons why SROs could be included as 
``other appropriate regulatory agencies'' and obtain BOI directly from 
FinCEN?
    16. Are there additional circumstances under which FinCEN is 
authorized to disclose BOI that are not reflected in this proposed 
rule?

Use of Information

    17. FinCEN proposes to permit U.S. agencies to disclose BOI 
received under 31 CFR 1010.955(b)(1) or (2) to courts of competent 
jurisdiction or parties to civil or criminal proceedings. Is this 
authorization appropriately scoped to allow for the use of BOI in civil 
or criminal proceedings?
    18. In proposed 31 CFR 1010.955(c)(2)(v), FinCEN proposes to 
establish a mechanism to authorize, either on a case-by-case basis or 
categorically through written protocols, guidance, or regulations, the 
re-disclosure of BOI in cases not otherwise covered under 31 CFR 
1010.955(c)(2) and in which the inability to share the information 
would frustrate the purposes of the CTA because of the categorical 
prohibitions against disclosures at 31 U.S.C. 5336(c)(2)(A). Are there 
other categories of redisclosures that FinCEN should consider 
authorizing? Are there particular handling or security protocols that 
FinCEN should consider imposing with respect to such re-disclosures of 
BOI?
    19. Could a State regulatory agency qualify as a ``State, local, or 
Tribal law enforcement agency'' under the definition in proposed 31 CFR 
1010.955(b)(2)(ii)? If so, please describe the investigation or 
enforcement activities involving potential civil or criminal violations 
of law that such agencies may undertake that would require access to 
BOI.

Security and Confidentiality Requirements

    20. Should FinCEN impose any additional security or confidentiality 
requirements on authorized recipients of any type? If so, what 
requirements and why?
    21. The minimization component of the security and confidentiality 
requirements requires limiting the ``scope of information sought'' to 
the greatest extent possible. FinCEN understands this phrase, drawn 
from the language of the CTA, to mean that requesters should tailor 
their requests for information as narrowly as possible, consistent with 
their needs for BOI. Such narrow tailoring should minimize the 
likelihood that a request will return BOI that is irrelevant to the 
purpose of the request or unhelpful to the requester. Does the phrase 
used in the regulation convey this meaning sufficiently clearly, or 
should it be expanded, and if so how?
    22. Because security protocol details may vary based on each 
agency's particular circumstances and capabilities, FinCEN believes 
individual MOUs are preferable to a one-size-fits-all approach of 
specifying particular requirements by regulation. FinCEN invites 
comment on this MOU-based approach, and on whether additional 
requirements should be incorporated into the regulations or into 
FinCEN's MOUs.
    23. FinCEN proposes to require FIs to limit BOI disclosure to FI 
directors, officers, employees, contractors, and agents within the 
United States. Would this restriction impose undue hardship on FIs? 
What are the practical implications and potential costs of this 
limitation?
    24. Are the procedures FIs use to protect non-public customer 
personal information in compliance with section 501 of Gramm-Leach-
Bliley sufficient for the purpose of securing BOI disclosed by FinCEN 
under the CTA? If not, is there another set of security standards 
FinCEN should require FIs to apply to BOI?
    25. Are the standards established by section 501 of Gramm-Leach-
Bliley, its implementing regulations, and interagency guidance 
sufficiently clear such that FIs not directly subject to that statute 
will know how to comply with FinCEN's requirements with respect to 
establishing and implementing security and confidentiality standards?
    26. Do any states impose, and supervise for compliance with, security 
and confidentiality requirements comparable to those that FFRs are 
required to impose on FIs under section 501 of Gramm-Leach-Bliley? 
Please provide examples of such requirements.

Outreach

    29. What specific issues should FinCEN address via public guidance 
or FAQs? Are there specific recommendations on engagement with 
stakeholders to ensure that the authorized recipients, and in 
particular, State, local, and Tribal authorities and small and mid-
sized FIs, are aware of requirements for access to the beneficial 
ownership IT system?

FinCEN Identifiers

    30. Does FinCEN's proposal with respect to an entity's use of a 
FinCEN identifier adequately address the potential under- or over-
reporting issues discussed in the preamble?

VI. Regulatory Analysis

    This regulatory impact analysis (RIA) assesses the anticipated 
impact, both in terms of costs and benefits, of the proposed rule, in 
accordance with Executive Order 12866. This analysis also includes an 
assessment of the impact on small entities pursuant to the Regulatory 
Flexibility Act (RFA), reporting and recordkeeping burdens under the 
Paperwork Reduction Act (PRA), and an assessment as required by the 
Unfunded Mandates Reform Act of 1995 (UMRA).\178\
---------------------------------------------------------------------------

    \178\ The U.S. Bureau of Economic Analysis reports the annual 
value of the gross domestic product (GDP) deflator in 1995 (the year 
in which UMRA was enacted) as 71.823, and as 118.895 in 2021. See 
U.S. Bureau of Economic Analysis, Table 1.1.9. Implicit Price 
Deflators for Gross Domestic Product, available at https://apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&categories=survey#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ. Thus, the 
inflation adjusted estimate for $100 million is 118.895/71.823 x 100 
= $166 million.
---------------------------------------------------------------------------

    Regarding the proposed regulations related to BOI access, the 
analysis assumes a baseline scenario of no access granted to the BOI 
system maintained by FinCEN, which is the current regulatory 
environment, and uses a time horizon of 10 years. The analysis 
estimates that the overall quantifiable impact associated with the 
proposed rule, which would affect U.S. Federal agencies including 
FinCEN, as well as State, local, and Tribal agencies, foreign 
requesters, certain financial institutions, and self-regulatory 
organizations, would be between $108.7 million in net savings and 
$840.7 million in net costs in the first year of implementation of the 
rule, and then a net impact between $186.5 million in net savings and 
$672.0 million in net costs on an ongoing annual basis.\179\ This 
proposed rule has been determined to be a significant rule for purposes 
of Executive Order 12866. Furthermore, the proposed rule would have a 
significant economic impact on a substantial number of small entities. 
Last, the proposed rule would result in an estimated 5-year average PRA 
annual cost of $642.5 million to certain State, local, and Tribal 
agencies, self-regulatory organizations, and financial 
institutions. Because accessing BOI under the proposed rule is not 
mandated for State, local, and Tribal governments or the private 
sector, FinCEN does not assess any expenditures pursuant to UMRA.
---------------------------------------------------------------------------

    \179\ All aggregate figures are approximate and not precise 
estimates unless otherwise specified.
---------------------------------------------------------------------------

    As FinCEN identified in the final BOI reporting rule's RIA, FinCEN 
will incur costs for administering the regulation and access to 
BOI.\180\ These costs include development and ongoing annual 
maintenance of the beneficial ownership IT system. In particular, 
developing and maintaining the methods of access to the beneficial 
ownership IT system described in this NPRM has impacted FinCEN's IT 
cost estimates. FinCEN estimated that the initial IT development costs 
associated with the final BOI reporting rule are approximately $72 
million with an additional $25.6 million per year required to maintain 
the new BOI system and the underlying FinCEN IT that is needed to 
support the new capabilities. These estimates do not include certain 
potential additional costs, such as for IT personnel or information 
verification. The final BOI reporting rule's RIA also estimated $10 
million per year in FinCEN personnel costs in order to ensure 
successful implementation of and compliance with the BOI reporting 
requirements. Given that these costs to FinCEN are already accounted 
for in the RIA of the final BOI reporting rule, these costs are not 
included in this RIA. The costs to FinCEN in this RIA are in addition to 
those included in the final BOI reporting rule's RIA.
---------------------------------------------------------------------------

    \180\ 87 FR 59578 (Sept. 30, 2022).
---------------------------------------------------------------------------

    FinCEN also considers in the RIA what costs or benefits may be 
associated with the proposed rule regarding reporting companies' use of 
FinCEN identifiers for entities. The final BOI reporting rule's RIA 
contains a regulatory analysis that accounts for the impact associated 
with obtaining, updating, and using FinCEN identifiers, including a 
summary of NPRM comments related to the associated estimated costs and 
benefits. Regarding entities' use of FinCEN identifiers, FinCEN 
proposes to rely upon the analysis in the final BOI reporting rule's 
RIA. That analysis states that the costs associated with reporting 
companies' use of FinCEN identifiers are captured in that RIA's cost 
estimates associated with BOI reports. This analysis is explained in 
more detail in Section VI.A.ii. below.

A. Executive Orders 12866 and 13563

    Executive Orders 12866 and 13563 direct agencies to assess costs 
and benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, and public health and 
safety effects, as well as distributive impacts and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, reducing costs, harmonizing rules, and promoting flexibility. 
FinCEN conducted an assessment of the costs and benefits of the 
proposed rule, as well as the costs and benefits of available 
regulatory alternatives. This proposed rule is necessary in order to 
implement Section 6403 of the CTA. Consistent with the cost-benefit 
analysis in Section VI.A.i. below, this proposed rule has been 
designated a ``significant regulatory action'' and economically 
significant under section 3(f) of Executive Order 12866. Accordingly, 
the proposed rule has been reviewed by the Office of Management and 
Budget (OMB).
i. Section of Proposed Rule Regarding BOI Access
a. Alternative Scenarios
    FinCEN considered alternatives to the proposed rule. However, for 
the reasons described within this section, FinCEN decided not to 
propose these alternatives.
1. Reduce Training Burden
    The first alternative would be to reduce the training requirement 
for BOI authorized recipients, which includes appropriate training for 
authorized recipients of BOI as well as annual training for access to 
BOI. In its analysis, FinCEN assumes that each authorized recipient 
that would access the BOI would be required to undergo one hour of 
training per year.\181\ Here, FinCEN considers the scenario where 
authorized recipients would instead be required to undergo one hour of 
training every two years, in alignment with the current BSA data access 
requirements. This scenario could result in savings every other year of 
$108 to $172,800 per Federal agency, $76 to $5,168 per State, local, 
and Tribal agency, $95 to $6,460 per SRO,\182\ $108 per foreign 
requester, and $146 to $241 per financial institution. The aggregate 
savings could be as much as $3.7 million to $5.2 million ($1.3 million 
total for domestic agencies and SROs + $2.4 to $3.9 million for 
financial institutions) every other year. This alternative scenario 
could result in savings every other year of approximately $95 to $190 
per small financial institution. The aggregate savings could be as much 
as approximately $1.3 million to $2.7 million (($95 x 14,051 small 
financial institutions = $1,334,845) and ($190 x 14,051 small financial 
institutions = $2,669,690)) every other year. Given the sensitive 
nature of the BOI,\183\ FinCEN believes that maintaining an annual 
training requirement for BOI authorized recipients and access to BOI is 
necessary to protect the security and confidentiality of the BOI.
---------------------------------------------------------------------------

    \181\ The assumption of one training hour is in alignment with 
the current training requirement for accessing BSA data. However, 
one notable difference is that the proposed BOI training requirement 
is annual, not biennial.
    \182\ To calculate costs to SROs, FinCEN calculated a ratio that 
applied the estimated costs to State regulators (which would have 
access requirements similar to SROs) to the wage rate estimated 
herein for financial institutions, since SROs are private 
organizations. FinCEN requests comment on this assessment.
    \183\ As noted in the preamble, the CTA establishes that BOI is 
``sensitive information'' and it imposes strict confidentiality and 
security restrictions on the storage, access, and use of BOI. See 
CTA, Section 6402(6), (7).
---------------------------------------------------------------------------

2. Change Customer Consent Requirement
    The second alternative that FinCEN considered is altering the 
customer consent requirement for FIs. Under the proposed rule, 
financial institutions would be required to obtain and document 
customer consent once for a given customer. FinCEN considered an 
alternative approach in which FinCEN would directly obtain the 
reporting company's consent. Under this scenario, financial 
institutions would not need to spend time and resources on the one-time 
implementation costs of approximately 10 hours in year 1 to create 
consent forms and processes. Using an hourly wage estimate of $95 per 
hour for financial institutions, FinCEN estimates this would result in 
a one-time savings per financial institution of approximately $950. To 
estimate aggregate savings under this scenario, FinCEN multiplies this 
value by 16,252 financial institutions resulting in a total savings of 
approximately $15.4 million ($950 per institution x 16,252 financial 
institutions = $15,439,400). The cost savings for small financial 
institutions under this scenario would be approximately $13.3 million 
($950 per institution x 14,051 small financial institutions = 
$13,348,450). Though this alternative results in a savings to financial 
institutions, including small entities, FinCEN believes that financial 
institutions are better positioned to obtain consent--and to track 
consent revocation--given their direct customer relationships and 
ability to leverage existing onboarding and account

[[Page 77428]]

maintenance processes. Therefore, FinCEN decided not to propose this 
alternative.
3. Impose Court Authorization Requirement on Federal Agencies
    The third alternative would extend the requirement that State, 
local, and Tribal law enforcement agencies provide a court 
authorization with each BOI request to 202 Federal agencies. FinCEN 
expects that requests submitted by State, local, and Tribal law 
enforcement agencies have an additional 20 to 30 hours of burden owing 
to an additional requirement that a court of competent jurisdiction, 
including any officer of such a court, authorizes the agency to seek 
the information in a criminal or civil investigation. Therefore, FinCEN 
applies this additional 20 to 30 hours of burden per BOI request to the 
estimated BOI requests submitted by Federal agencies and by State 
regulators. Using FinCEN's internal BSA request data as a proxy, FinCEN 
anticipates that Federal agencies could submit as many as approximately 
2 million total BOI requests annually.\184\ Using an hourly wage 
estimate of $108 per hour for Federal employees results in additional 
aggregate annual costs between approximately $4.3 billion and $6.5 
billion ((2 million Federal requests x 20 hours x $108 per hour = 
$4,320,000,000) and (2 million Federal requests x 30 hours x $108 per 
hour = $6,480,000,000)).
---------------------------------------------------------------------------

    \184\ While FinCEN does not estimate growth of requests 
throughout the 10-year time horizon of this analysis, the number of 
BOI requests could increase significantly after the first years of 
implementation of the BOI reporting requirements as awareness of the 
ability to access and the utility of BOI increases.
---------------------------------------------------------------------------

    This alternative could minimize the potential for broad or non-
specific searches by any agency not currently subject to the 
requirement because of the higher initial barrier to accessing the 
data. However, FinCEN believes that imposing this requirement on 
authorized recipients, for whom such a requirement is not statutorily 
mandated, is overly burdensome and would make it too difficult to 
obtain BOI in a timely fashion for active investigations. For these 
reasons, FinCEN decided not to propose this alternative.
b. Affected Entities
    In order to analyze cost and benefits, the number of entities 
affected by the proposed rule must first be estimated. Authorized 
recipients of BOI would be affected by this proposed rulemaking if they 
elect to access BOI, because they are required to meet certain criteria 
in order to receive that BOI. The criteria vary depending on the type 
of authorized recipient.
    Federal agencies engaged in national security, intelligence, and 
law enforcement activity would have access to BOI in furtherance of 
such activities if they establish the appropriate protocols prescribed 
for them in the proposed rule. Additionally, Treasury officers and 
employees who require access to BOI to perform their official duties or 
for tax administration would have access. The number of agencies that 
could qualify under these categories is large and difficult to 
quantify. FinCEN proposes using the number of Federal agencies that are 
active entities \185\ with BSA data access \186\ as a proxy for the 
number of Federal agencies that may elect to access BOI. FinCEN 
believes this proxy is apt. While the criteria for access to BSA data 
are somewhat different outside of the CTA context, Federal agencies 
that have access to BSA data would generally also meet the criteria for 
access to BOI under the CTA. FinCEN believes that Federal agencies that 
have access to BSA data will most likely want access to BOI as well, 
and will generally be able to access it under the parameters specified 
by the proposed rule. FinCEN includes offices within the Department of 
the Treasury, such as FinCEN itself,\187\ in this proxy count. As of 
January 2022, 202 Federal agencies and agency subcomponents are active 
entities with BSA data access.
---------------------------------------------------------------------------

    \185\ For purposes of this analysis, an agency has active access 
to BSA data if the official duties of any agency employee or 
contractor includes authorized access to the FinCEN Query system, a 
web-based application that provides access to BSA reports maintained 
by FinCEN.
    \186\ For purposes of this analysis, BSA data consists of all of 
the reports submitted to FinCEN by financial institutions and 
individuals pursuant to obligations that currently arise under the 
BSA, 31 U.S.C. 5311 et seq., and its implementing regulations. These 
include reports of cash transactions over $10,000, reports of 
suspicious transactions by persons obtaining services from financial 
institutions, reports of the transportation of currency and other 
monetary instruments in amounts over $10,000 into or out of the 
United States, and reports of U.S. persons' foreign financial 
accounts. In fiscal year 2019, more than 20 million BSA reports were 
filed. See Financial Crimes Enforcement Network, ``What is the BSA 
data?,'' available at https://www.fincen.gov/what-bsa-data.
    \187\ In addition to incurring costs as an authorized recipient 
of BOI, FinCEN expects to incur costs from administering data to 
other authorized recipients.
---------------------------------------------------------------------------

    State, local, and Tribal law enforcement agencies would have access 
to BOI for use in criminal and civil investigations if they follow the 
process prescribed for them in the proposed rule. FinCEN proposes using 
the number of State and local law enforcement agencies that are active 
entities with BSA data access as a proxy for the number of State, 
local, and Tribal law enforcement agencies that may access BOI, for the 
reasons discussed in the Federal agency context. As of January 2022, 
153 State and local law enforcement agencies and agency subcomponents 
are active entities with access to BSA data.\188\ The process that the 
proposed rule sets forth involves these agencies obtaining a court 
authorization for each BOI request. Courts of competent jurisdiction 
that would issue such authorizations may therefore also be affected by 
the proposed rule; FinCEN has not estimated the burden that may be 
imposed on such entities, but is interested in comments on the subject.
---------------------------------------------------------------------------

    \188\ No Tribal law enforcement agencies currently have access 
to BSA data through the FinCEN Query system. FinCEN requests comment 
on how many Tribal law enforcement agencies may access BOI.
---------------------------------------------------------------------------

    Foreign government entities, such as law enforcement, prosecutors, 
judges or other competent or central authorities, would potentially be 
able to access BOI after submitting a request as described in the 
proposed rule. FinCEN does not estimate the number of different foreign 
requesters that may request BOI, but instead estimates a range of the 
total number of annual requests for BOI that FinCEN may receive from 
all foreign requesters. FinCEN requests comment on this proposal and 
the estimate of foreign requests. The proposed rule requires that 
foreign requests be made through an intermediary Federal agency. 
Therefore, Federal agencies would also be affected by foreign requests.
    The six Federal functional regulators that supervise financial 
institutions with CDD obligations--the FRB, the OCC, the FDIC, the 
NCUA, the SEC, and the CFTC--may access BOI for purposes of supervising 
a financial institution's compliance with those obligations. 
Additionally, other appropriate regulatory agencies may access BOI 
under the proposed rule. FinCEN proposes primarily using the number of 
regulators that both supervise entities with requirements under 
FinCEN's CDD Rule and are active entities with access to BSA data as a 
proxy for the number of regulatory agencies that may access BOI. As of 
January 2022, 62 regulatory agencies satisfy both criteria.\189\ FinCEN 
adds two self-regulatory organizations (SROs) to this count, which 
totals to 64 regulatory agencies. Although SROs are

[[Page 77429]]

not government agencies and they would not have direct access to the 
beneficial ownership IT system under the proposed rule, they may 
receive BOI through re-disclosure and would be subject to the same 
security and confidentiality requirements as other regulatory agencies 
under the proposed rule.
---------------------------------------------------------------------------

    \189\ This includes the six Federal functional regulators. The 
remaining 56 entities are State regulators that supervise banks, 
securities dealers, and other entities that currently have CDD 
obligations under FinCEN regulations. FinCEN did not include State 
regulatory agencies that have active access to BSA data but do not 
regulate entities with FinCEN CDD obligations, such as State gaming 
authorities or State tax authorities.
---------------------------------------------------------------------------

    Financial institutions with CDD requirements under applicable law 
would be able to access BOI with the consent of the reporting company. 
Assuming that all financial institutions that are subject to FinCEN's 
CDD Rule would access BOI, FinCEN estimates the number of affected 
financial institutions in Table 1.

Table 1--Affected Financial Institutions
[GRAPHIC] [TIFF OMITTED] TP16DE22.020

    Totaling these estimates results in 16,252 financial institutions 
that may access BOI pursuant to the proposed rule. Of these financial 
institutions, 14,051 are small entities. To identify whether a 
financial institution is small, FinCEN uses the Small Business 
Administration's (SBA) latest annual size standards for small entities 
in a given industry.\190\ FinCEN also uses the U.S. Census Bureau's 
publicly available 2017 Statistics of U.S. Businesses survey data 
(Census survey data).\191\ FinCEN applies SBA size standards to the 
corresponding industry's receipts in the 2017 Census survey data and 
determines what proportion of a given industry is deemed small, on 
average.\192\ \193\ FinCEN considers a

[[Page 77430]]

financial institution to be small if it has total annual receipts less 
than the annual SBA small entity size standard for the financial 
institution's industry. FinCEN applies these estimated proportions to 
FinCEN's current financial institution counts for brokers or dealers in 
securities, mutual funds, and futures commission merchants and 
introducing brokers in commodities to determine the proportion of 
current small financial institutions in those industries. Using this 
methodology and data from the FFIEC and the NCUA, approximately 14,051 
small financial institutions could be affected by the proposed rule, as 
summarized in Table 1.
---------------------------------------------------------------------------

    \190\ The SBA currently defines small entity size standards for 
affected financial institutions as follows: less than $750 million 
in total assets for commercial banks, savings institutions, and 
credit unions; less than $41.5 million in total assets for trust 
companies; less than $41.5 million in annual receipts for broker-
dealers; less than $41.5 million in annual receipts for portfolio 
management; less than $35 million in annual receipts for open-end 
investment funds; and less than $41.5 million in annual receipts for 
futures commission merchants and introducing brokers in commodities. 
See U.S. Small Business Administration's Table of Size Standards, 
https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.
    \191\ See U.S. Census Bureau, U.S. & states, NAICS, detailed 
employment sizes (U.S., 6-digit and states, NAICS sectors) (2017), 
available at https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html. The Census survey documents the number of firms 
and establishments, employment numbers, and annual payroll by State, 
industry, and enterprise every year. Receipts data, which FinCEN 
uses as a proxy for revenues, is available only once every five 
years, with 2017 being the most recent survey year with receipt 
data.
    \192\ FinCEN does not apply population proportions to banks or 
credit unions. Because data accessed through FFIEC and NCUA Call 
Report data provides information about asset size for banks, trusts, 
savings and loans, credit unions, etc., FinCEN is able to directly 
determine how many banks and credit unions are small by SBA size 
standards. Because the Call Report data does not include 
institutions that are not insured, are insured under non-FDIC 
deposit insurance regimes, or that do not have a Federal financial 
regulator, FinCEN assumes that all such entities listed in the 
FDIC's Research Information System data are small, unless they are 
controlled by a holding company that does not meet the SBA's 
definition of a small entity, and includes them in the count of 
small banks.
    \193\ Consistent with the SBA's General Principles of 
Affiliation, 13 CFR 121.103(a), FinCEN aggregates the assets of 
affiliated financial institutions using FFIEC financial data 
reported by bank holding companies on forms Y-9C, Y-9LP, and Y-9SP 
(available at https://www.ffiec.gov/npw/FinancialReport/FinancialDataDownload) and ownership data (available at https://www.ffiec.gov/npw/FinancialReport/DataDownload) when determining if 
an institution should be classified as small. FinCEN uses four 
quarters of data reported by holding companies, banks, and credit 
unions because a ``financial institution's assets are determined by 
averaging the assets reported on its four quarterly financial 
statements for the preceding year.'' See U.S. Small Business 
Administration's Table of Size Standards, p. 44 n.8, https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf. FinCEN recognizes that using SBA size standards to identify 
small credit unions differs from the size standards applied by the 
NCUA. However, for consistency in this analysis, FinCEN applies the 
SBA-defined size standards.
---------------------------------------------------------------------------

    Table 2 summarizes the counts of entities by category that would 
have access to BOI data.

Table 2--Affected Entities
[GRAPHIC] [TIFF OMITTED] TP16DE22.021

    As evidenced in Table 2, FinCEN anticipates that as many as 16,671 
different domestic agencies and financial institutions could elect to 
access BOI. Of these, FinCEN believes the only entity category that 
would have small entities affected is financial institutions.\194\
---------------------------------------------------------------------------

    \194\ FinCEN considered whether other entities would be 
considered small entities pursuant to the Regulatory Flexibility 
Act. The Regulatory Flexibility Act's definition of a small 
governmental jurisdiction is a government of a city, county, town, 
township, village, school district, or special district with a 
population of less than 50,000. While State, local, and Tribal 
government agencies may be affected by the proposed rule, FinCEN 
does not believe that government agencies of jurisdictions with a 
population of less than 50,000 would be included in such agencies. 
However, FinCEN requests comment on this assumption.
---------------------------------------------------------------------------

c. Potential Costs and Benefits
    Ideally, a cost-benefit analysis would identify and monetize, with 
certainty, all costs and benefits of a regulation; this would enable 
policymakers to evaluate different regulatory options by comparing 
dollar amounts of costs and benefits, and pursuing those options with 
the greatest net benefits. However, regulatory impact analyses often 
include both cost and benefit components that cannot be expressed in 
monetary units with any degree of certainty. As explained by OMB in 
relevant cost-benefit guidance, simple cost-benefit comparisons can be 
misleading when the analysis cannot express important benefits and 
costs in dollar terms ``because the calculation of net benefits in such 
cases does not provide a full evaluation of all relevant benefits and 
costs.'' \195\ FinCEN follows OMB's recommendation in such instances 
and provides an evaluation of non-quantifiable benefits and costs in 
addition to quantified benefits and costs.
---------------------------------------------------------------------------

    \195\ Office of Management and Budget, Circular A-4:10 (Sept. 
17, 2003), available at https://obamawhitehouse.archives.gov/omb/circulars_a004_a-4.
---------------------------------------------------------------------------

    This RIA estimates costs to the authorized recipients for following 
the proposed rule's security and confidentiality requirements, costs to 
FinCEN for administering access to BOI, and benefits that authorized 
recipients would gain from accessing BOI. The quantified estimates 
provided in this RIA include a range of possible costs and benefits for 
each type of authorized recipient. The quantified benefits are limited 
to cost savings that agencies may obtain through accessing BOI; there 
are other, non-quantified benefits that would also be included in the 
agencies' decision to request BOI. For the purposes of estimating the 
overall impact of the proposed rule, FinCEN assumes that Federal, 
State, or local agencies that access BOI would do so only if the 
quantified and non-quantified benefits at least equal the costs, since 
these entities would obtain access to BOI only if they voluntarily 
request it. Therefore, FinCEN expects that in reality the minimum net 
impact to these entities would be zero, meaning that the costs equal 
the benefits. However, because many of the benefits to

[[Page 77431]]

such agencies are not quantifiable, FinCEN presents in the analysis an 
impact estimate that incorporates the range of quantified costs and 
benefits that FinCEN expects based in part on outreach to agencies that 
are authorized recipients of BOI.
    FinCEN does not attempt to estimate a dollar value of benefits that 
will accrue to financial institutions, State regulators or SROs as a 
result of the proposed rule. In order to estimate financial 
institutions' benefits, it would be necessary to know how access to BOI 
under the proposed rule would apply to CDD obligations, which will not 
be known until FinCEN revises the 2016 CDD Rule, as the CTA requires. 
FinCEN estimates a dollar value of benefits that would accrue to 
Federal financial regulatory agencies on the assumption that these 
agencies would access BOI for law enforcement activity.\196\ However, 
FinCEN does not estimate a dollar value of benefits accruing to State 
regulators and SROs because FinCEN assumes that their primary use of 
BOI would be for examinations of financial institutions for compliance 
with CDD requirements, rather than for law enforcement activity. In 
addition, FinCEN assumes that no quantifiable benefits will accrue to 
FinCEN itself as a result of administering BOI access.
---------------------------------------------------------------------------

    \196\ See 31 U.S.C. 5336(c)(2)(B)(i)(I).
---------------------------------------------------------------------------

    The costs in the first and subsequent years are distributed 
unevenly among the different types of Federal, State, and local 
agencies. The estimated average year 1 net impact per Federal agency is 
between $8,967,600 in costs and $2,157,165 in savings,\197\ per State 
regulator is between $1,995 and $0.5 million in costs, per State, local 
and Tribal law enforcement agency is between $52,977,200 in costs and 
$1,516,485 in savings,\198\ per SRO is between $2,494 and $0.6 million 
in costs, and per financial institution is between $12,206 and $17,695 
in costs. From year 2 and onward, the estimated average annual net 
impact per Federal agency is between $8,867,600 in costs and $2,158,785 
in savings,\199\ per State regulator is between $855 and $0.4 million 
in costs, per State, local and Tribal law enforcement agency is between 
$52,877,200 in costs and $1,517,625 in savings,\200\ per SRO is between 
$1,069 and $0.5 million in costs, and per financial institution is 
between $7,456 and $9,145 in costs. Overall, FinCEN estimates the 
potential overall impact associated with the proposed rule would be 
between $108.7 million in net savings and $840.7 million in net costs 
in the first year of implementation of the rule, and then from $186.5 
million in net savings to $672.0 million in net costs on an ongoing 
annual basis.\201\ These estimates, along with any non-quantifiable 
costs and benefits, are described in further detail within this 
section.\202\
---------------------------------------------------------------------------

    \197\ The maximum estimated costs in Year 1 are $9 million per 
Federal agency, and the minimum estimated benefits in Year 1 per 
Federal agency are $32,400, so the maximum net cost per Federal 
agency is $8,967,600 ($9,000,000-$32,400). The maximum estimated 
benefits in Year 1 per Federal agency are $2,160,000, and the 
minimum estimated costs in Year 1 per Federal agency are $2,835, so 
the maximum estimated net benefit per Federal agency is $2,157,165 
($2,160,000-$2,835).
    \198\ The maximum estimated costs in Year 1 are $53 million per 
State, local, and Tribal law enforcement agency, and the minimum 
estimated benefits in Year 1 are $22,800 per State, local and Tribal 
law enforcement agency, so the maximum net cost per State, local, and 
Tribal law enforcement agency is $52,977,200 ($53,000,000-$22,800). 
The maximum estimated benefits in Year 1 per State, local, and 
Tribal law enforcement agency are $1,520,000, and the minimum 
estimated cost per State, local, and Tribal law enforcement agency 
is $3,515, so the maximum estimated net benefit in Year 1 per State, 
local, and Tribal law enforcement agency is $1,516,485 ($1,520,000-
$3,515).
    \199\ The maximum estimated costs in year 2 and onward are $8.9 
million per Federal agency, and the minimum estimated benefits in 
year 2 and onward are $32,400 per Federal agency, so the maximum 
estimated net costs are $8,867,600 ($8,900,000-$32,400). The maximum 
estimated benefits in year 2 and onward per Federal agency are 
$2,160,000, and the minimum estimated cost per Federal agency is 
$1,215, so the maximum estimated net benefits per Federal agency are 
$2,158,785 ($2,160,000-$1,215).
    \200\ The maximum estimated costs in year 2 and onward are $52.9 
million per State, local, and Tribal law enforcement agency, and the 
minimum estimated benefits in year 2 and onward per State, local, and 
Tribal law enforcement agency are $22,800, so the maximum estimated 
net costs in years 2 and onward per State, local, and Tribal law 
enforcement agency are $52,877,200 ($52,900,000-$22,800). The 
maximum estimated benefits in years 2 and onward per State, local, 
and Tribal law enforcement agency are $1,520,000, and the minimum 
estimated costs in years 2 and onward per State, local, and Tribal 
law enforcement agency are $2,375, so the maximum estimated net 
benefits in years 2 and onward per State, local, and Tribal law 
enforcement agency are $1,517,625 ($1,520,000-$2,375).
    \201\ Both here and throughout the analysis, FinCEN estimates a 
range of both costs and benefits. These ranges reflect heterogeneity 
across agencies and financial institutions in terms of requirements 
to access BOI, entity size, resources, existing IT infrastructure, 
and investigative caseload, among other factors. FinCEN does not 
know exactly what every authorized recipient's unique costs and 
benefits would be and instead provides ranges of the expected 
minimum and maximum. FinCEN believes that providing ranges with 
minimums and maximums, rather than a point estimate, such as the 
median, throughout this analysis is more appropriate given the 
number of factors that could contribute to the actual cost or 
benefits an authorized recipient incurs due to the proposed rule.
    \202\ Throughout the analysis, FinCEN rounds each step of the 
calculation to the nearest whole dollar value for smaller estimates 
and to the first significant figure after the decimal for larger 
estimates (in the hundreds of thousands, millions, and billions). 
Performing a sensitivity analysis where rounding is only performed 
in the final step of the whole impact calculation confirms that 
FinCEN's rounding method produces a difference of less than 0.7 
percent in the magnitude of FinCEN's estimates, which FinCEN does 
not consider to be sufficient to affect its analysis or conclusions 
regarding the impact of the proposed rule.
---------------------------------------------------------------------------

    In the analysis, FinCEN uses an estimated compensation rate of 
approximately $108 per hour for Federal agencies and foreign 
requesters, approximately $76 per hour for State, local, and Tribal 
agencies, and approximately $95 per hour for financial institutions. 
This is based on occupational wage data from the U.S. Bureau of Labor 
Statistics (BLS).\203\ The most recent occupational wage data from the 
BLS corresponds to May 2021, released in May 2022. To obtain these 
three wage rates, FinCEN calculated the average reported hourly wages 
of six specific occupation codes assessed to be likely authorized 
recipients at Federal agencies, State, local, and Tribal agencies, and 
financial institutions.\204\ \205\ Included financial industries were 
identified at the most granular North American Industry Classification 
System (NAICS) code available and are the types of financial 
institutions that are subject to regulation under the BSA, even if 
these financial institutions are not entities that are affected by the 
proposed rule, including: banks (as defined in 31 CFR 1010.100(d)); 
casinos; money service businesses; broker-dealers; mutual funds; 
insurance companies; futures commission merchants and introducing 
brokers in commodities; dealers in precious metals, precious stones, or 
jewels; operators of credit card systems; and loan or finance 
companies. This results in a Federal agency hourly wage estimate of 
$66.78; a State, local, and Tribal agency hourly wage estimate of

[[Page 77432]]

$46.70; \206\ and a financial institution hourly wage estimate of 
$67.23. Multiplying these hourly wage estimates by their corresponding 
benefits factor (1.62 \207\ for government agencies and 1.42 \208\ for 
private industry) produces fully loaded hourly compensation amounts 
of approximately $108 for Federal agencies, $76 for State, local, and 
Tribal agencies, and $95 per hour for financial institutions. These 
wage estimates are summarized in Table 3:
---------------------------------------------------------------------------

    \203\ See U.S. Bureau of Labor Statistics, National Occupational 
Employment and Wage Estimates (May 2021), available at https://www.bls.gov/oes/current/oessrci.htm.
    \204\ To estimate government hourly wages, FinCEN modifies the 
burden analysis in FinCEN's publication ``Renewal without Change of 
Anti-Money Laundering Programs for Certain Financial Institutions.'' 
See 85 FR 49418 (Aug. 13, 2020). Specifically, FinCEN uses hourly 
wage data from the following six occupations to estimate an average 
hourly government employee wage: chief executives (i.e., agency 
heads), first-line supervisors of law enforcement workers, law 
enforcement workers, financial examiners, lawyers and judicial 
clerks, and computer and information systems managers.
    \205\ FinCEN uses hourly wage data for the following occupations 
to estimate an average hourly financial institution employee wage: 
chief executives, financial managers, compliance officers, and 
financial clerks. FinCEN also includes the hourly wages for lawyers 
and judicial clerks, as well as for computer and information systems 
managers.
    \206\ To estimate a single hourly wage estimate for State, 
local, and Tribal agencies, FinCEN calculated an average of the May 
2021 mean hourly wage estimates for State government agencies and 
for local government agencies (($46.02 + $47.37)/2 = $46.70), as 
wages are available for both of these types of government workers in 
the BLS occupational wage data. BLS data does not include an 
estimate for Tribal government workers and thus FinCEN does not 
include a Tribal government worker wage estimate in this average. 
FinCEN welcomes comment on how to obtain wage estimates for Tribal 
government workers.
    \207\ The ratio between benefits and wages for State and local 
government workers is $21.15 (hourly benefits)/$34.32 (hourly wages) 
= 0.62, as of March 2022. The benefit factor is 1 plus the benefit/
wages ratio, or 1.62. See U.S. Bureau of Labor Statistics, Employer 
Costs for Employee Compensation Historical Listing, available at 
https://www.bls.gov/web/ecec/ececqrtn.pdf. The State and local 
government workers series data for March 2022 is available at 
https://www.bls.gov/web/ecec/ecec-government-dataset.xlsx. FinCEN 
applies the same benefits factor to Federal workers.
    \208\ The ratio between benefits and wages for private industry 
workers is $11.42 (hourly benefits)/$27.19 (hourly wages) = 0.42, as 
of March 2022. The benefit factor is 1 plus the benefit/wages ratio, 
or 1.42. See U.S. Bureau of Labor Statistics, Employer Costs for 
Employee Compensation: Private industry dataset (March 2022), 
available at https://www.bls.gov/web/ecec/ecec-private-dataset.xlsx.
---------------------------------------------------------------------------

Table 3--Fully Loaded Wage Estimates
[GRAPHIC] [TIFF OMITTED] TP16DE22.022

1. Costs
    Each of the affected entities would have costs associated with the 
proposed rule if it elects to access FinCEN's BOI database. The costs 
would vary based on the access procedures for the authorized 
recipients.\209\ The proposed rule would require different access 
procedures for domestic agencies, foreign requesters, and financial 
institutions. FinCEN would also incur costs for administering access to 
authorized recipients.
---------------------------------------------------------------------------

    \209\ The costs would also vary by institution size and 
investigation caseload, but for simplicity, FinCEN estimates an 
average impact by category of authorized recipient throughout the 
analysis.
---------------------------------------------------------------------------

A. Domestic Agencies
    Domestic agencies must meet multiple requirements to receive BOI. 
Whether the costs of these requirements would be one-time, ongoing, or 
recurring, and whether the costs accrue on a per-recipient or per-
request basis varies from requirement to requirement. Additionally, 
some requirements are administrative and involve the creation of 
documents, while others involve IT. To estimate the costs for meeting 
these requirements, FinCEN consulted with multiple Federal agencies and 
utilized statistics regarding active entities with BSA data access. 
Requirements are summarized in Table 4, which is followed by more 
detailed analysis. Costs associated with each requirement are 
summarized in Table 5, at the end of this section.

Table 4--Requirements for Domestic Agencies
[GRAPHIC] [TIFF OMITTED] TP16DE22.023

    Enter into an agreement with FinCEN and establish standards and 
procedures. For requirement #1, FinCEN assumes that domestic agencies 
would incur costs during the first year of implementation. FinCEN 
received the following feedback from different agencies on the amount 
of time needed for these requirements. Agencies described the types of 
activities expected to meet these requirements in their responses, but 
the feedback applies to estimated burden for requirement #1:
     • Approximately 15 to 20 hours to formalize policies and 
procedures.
     • Approximately 40 hours to review, analyze and implement 
any unique standards and procedures of FinCEN's database into the 
agency's current secure systems.
     • Approximately 300 hours to draft and shepherd standards 
and procedures.
    Therefore, in alignment with the feedback FinCEN received during 
outreach efforts, FinCEN assumes it would take a domestic agency, on 
average, between 15 and 300 business hours to complete this one-time 
task. Using an hourly wage estimate of $108 per hour for Federal 
agencies results in a one-time cost between approximately $1,620 and 
$32,400 per Federal agency ((15 hours x $108 per hour = $1,620) and 
(300 hours x $108 per hour = $32,400)). Using an hourly wage estimate 
of $76 per hour for State, local, and Tribal agencies results in a one-
time cost between approximately $1,140 and $22,800 per State, local, 
and Tribal agency ((15 hours x $76 per hour = $1,140) and (300 hours x 
$76 per hour = $22,800)). To estimate aggregate costs, FinCEN 
multiplies these ranges by 208 total Federal agencies \210\ and 209 
State, local, and Tribal agencies,\211\ resulting in a total one-time 
cost between approximately $0.6 million and $11.5 million ((208 Federal 
agencies x $1,620 per Federal agency + 209 State, local, and Tribal 
agencies x $1,140 per State, local, and Tribal agency = $575,220) and 
(208 Federal agencies x $32,400 per Federal agency + 209 State, local, 
and Tribal agencies x $22,800 per State, local, and Tribal agency = 
$11,504,400)).
---------------------------------------------------------------------------

    \210\ This is derived from 202 Federal law enforcement, national 
security and intelligence agencies and agency subcomponents plus six 
Federal regulators.
    \211\ This is derived from 153 State and local law enforcement 
agencies plus 56 State regulators that supervise entities with CDD 
obligations.
---------------------------------------------------------------------------

    Establish and maintain a secure system to store BOI. The cost of 
requirement #2 would vary depending on the existing IT infrastructure 
of the domestic agency. Some agencies may be able to build upon 
existing systems that generally meet the security and confidentiality 
requirements. Other agencies may need to create new systems. FinCEN 
received the following feedback from outreach on this subject.
Agencies described the types of activities expected to meet these 
requirements in their responses, but the feedback applies to estimated 
burden for requirement #2:
     • Approximately 60 hours to establish a secure system for 
BOI, based on the method of access. That agency further suggested that 
maintaining the secure storage system would require a periodic review 
of about 4 hours to assure system integrity.
     • Approximately 300 hours to incorporate BOI into existing 
information systems. Once the system is established, maintenance would 
be a minimal additional ongoing cost.
     • Approximately no cost, assuming that the BOI would be 
accessed similarly to BSA data (i.e., in a web-based system maintained 
by FinCEN). This was the conclusion of multiple agencies. One agency 
further noted that this overall process would have little to no 
financial impact on the agency, as FinCEN would establish the web-based 
portal, maintain the secure storage system of the data, and develop 
mechanisms to safeguard the information contained therein from 
unauthorized access.
    Consistent with feedback from agencies, FinCEN expects that certain 
agencies (in particular, Federal agencies) would bear de minimis IT 
costs because Federal agencies already have secure systems and networks 
in place as well as sufficient storage capacity in accordance with 
Federal Information Security Management Act (FISMA) standards.\212\ 
Therefore, FinCEN assumes a range of burden for requirement #2 in year 
1 of de minimis to 300 hours, and an ongoing burden of de minimis to 4 
hours.
---------------------------------------------------------------------------

    \212\ Under FISMA, Federal agencies need to provide information 
security protections commensurate with the risk and magnitude of the 
harm resulting from unauthorized access, use, disclosure, 
disruption, modification, or destruction of information collected or 
maintained by an agency. Federal agencies also need to comply with 
the information security standards and guidelines developed by NIST. 
44 U.S.C. 3553.
---------------------------------------------------------------------------

    Using an hourly wage estimate of $108 per hour for Federal agencies 
results in an initial cost between approximately de minimis costs and 
$32,400 (300 hours x $108 per hour = $32,400), and $432 annually 
thereafter (4 hours x $108 per hour = $432) per Federal agency. Using 
an hourly wage estimate of $76 per hour for State, local, and Tribal 
agencies results in an initial cost between approximately de minimis 
costs and $22,800 (300 hours x $76 per hour = $22,800), and $304 
annually thereafter (4 hours x $76 per hour = $304) per State, local, 
and Tribal agency. To estimate aggregate costs, FinCEN multiplies these 
ranges by 208 total Federal agencies, and 209 State, local, and Tribal 
agencies, resulting in a total year 1 cost between approximately de 
minimis and $11.5 million (208 Federal agencies x $32,400 per Federal 
agency + 209 State, local, and Tribal agencies x $22,800 per State, 
local, and Tribal agency = $11,504,400). The ongoing annual cost would 
be between approximately de minimis and $0.2 million (208 Federal 
agencies x $432 per Federal agency + 209 State, local, and Tribal 
agencies x $304 per State, local, and Tribal agency = $153,392).
    Establish and maintain an auditable system of standardized records 
for requests. As with requirement #2, the ongoing IT costs from 
requirement #3 would vary depending on the existing IT infrastructure 
of the domestic agency. FinCEN received the following feedback from 
outreach on this subject. Agencies described the types of activities 
expected to meet these requirements in their responses, but the 
feedback applies to estimated burden for requirement #3:
     • Approximately 60 hours would be required to establish a 
storage system for record requests that is in compliance with both 
FinCEN and the agency's applicable policies and procedures. This 
estimate includes a review of the agency's Memorandum of Understanding 
(MOU) with FinCEN and consultation with appropriate personnel 
responsible for access to and disclosure of such records. Additionally, 
the agency suggested that maintenance of BOI requests would require an 
estimated 20 hours on an ongoing basis.
     • Approximately 200 hours would be needed to incorporate BOI 
into record storage systems and minimal ongoing cost.
     • Approximately no additional costs, as another agency noted 
that the cost would already be included in the estimate for 
establishing standards and procedures, and that if BOI is treated 
similarly to BSA data, there would not be ongoing costs.
    FinCEN expects that certain agencies (in particular, Federal 
agencies) would bear de minimis IT costs because Federal agencies 
already have secure systems and networks in place as well as sufficient 
storage capacity in accordance with FISMA standards. Therefore, based 
on agency feedback, FinCEN assumes a range of burden for requirement #3 
in year 1 of de minimis to 200 hours, and an ongoing burden of de 
minimis to 20 hours.
    Using an hourly wage estimate of $108 per hour for Federal agencies 
results in an initial cost between approximately de minimis costs and 
$21,600 (200 hours x $108 per hour = $21,600), and $2,160 annually 
thereafter (20 hours x $108 per hour = $2,160) per Federal agency. 
Using an hourly wage estimate of $76 per hour for State, local, and 
Tribal agencies results in an initial cost between approximately de 
minimis costs and $15,200 (200 hours x $76 per hour = $15,200), and 
$1,520 annually thereafter (20 hours x $76 per hour = $1,520) per 
State, local, and Tribal agency. To estimate aggregate costs, FinCEN 
multiplies these ranges by 208 total Federal agencies, and 209 State, 
local, and Tribal agencies, resulting in a total year 1 cost between 
approximately de minimis and $7.7 million (208 Federal agencies x 
$21,600 per Federal agency + 209 State, local, and Tribal agencies x 
$15,200 per State, local, and Tribal agency = $7,669,600). The ongoing 
annual cost would be between approximately de minimis and $0.8 million 
(208 Federal agencies x $2,160 per Federal agency + 209 State, local, 
and Tribal agencies x $1,520 per State, local, and Tribal agency = 
$766,960).
    Restrict access to appropriate persons within the agency, all of 
whom must undergo training. Requirement #4 notes that employees that 
receive BOI access would be required to undergo training. The number of 
authorized recipients that would have BOI access at a given agency 
would vary. Using the active entities with access to BSA data as of 
January 2022 as a proxy, and consistent with information provided by a 
number of agencies, FinCEN anticipates that each Federal agency could 
have anywhere between approximately 1 and 1,600 recipients of BOI data 
while each State, local, and Tribal agency could have anywhere between 
1 and 68 recipients of BOI.\213\
---------------------------------------------------------------------------

    \213\ The range provided is an estimate of the lowest and 
highest number of users for Federal agencies and for State and local 
agencies respectively as of a given date in January 2022 with access 
to BSA data through FinCEN's database.
---------------------------------------------------------------------------

    To estimate the cost of this training, FinCEN assumes that each 
employee that would access the BOI data would be required to undergo 1 
hour of training per year.\214\ Using an hourly wage estimate of $108 
per hour for Federal agencies results in an annual cost between 
approximately $108 and $172,800 ((1 employee x 1 hour x $108 per hour = 
$108) and (1,600 employees x 1 hour x $108 per hour)) per Federal 
agency. Using an hourly wage estimate of $76 per hour for State, local, 
and Tribal agencies results in an annual cost between approximately $76 
and $5,168 ((1 employee x 1 hour x $76 per hour = $76) and (68 employees 
x 1 hour x $76 per hour = $5,168)) per State, local, and Tribal agency.
---------------------------------------------------------------------------

    \214\ The assumption of one training hour is in alignment with 
the current training requirement for accessing BSA data. However, 
one notable difference is that the proposed BOI training requirement 
is annual, not biennial.
---------------------------------------------------------------------------

    To estimate the aggregate annual costs, FinCEN uses aggregate user 
counts of active BSA data users based on internal FinCEN data from 
January 2022, which provides a more reasonable estimate of the likely 
number of authorized recipients than assuming the previously estimated 
ranges would apply to each domestic agency. Therefore, based on 
internal data, FinCEN expects that approximately 11,000 Federal 
employees and 1,800 employees of State, local, and Tribal agencies 
would require annual training to access BOI data.\215\ This translates 
into an aggregate annual training cost of approximately $1.3 million 
(11,000 Federal employees x 1 hour x $108 per hour + 1,800 State, 
local, and Tribal employees x 1 hour x $76 per hour = $1,324,800).
---------------------------------------------------------------------------

    \215\ These estimates are based on the number of users that 
directly access BSA data through FinCEN's internal system; there are 
a limited number of other ways that users may access BSA data, which 
are not accounted for here. Furthermore, FinCEN does not estimate 
growth of BOI authorized recipients throughout the 10-year time 
horizon of this analysis. However, FinCEN acknowledges that the 
number of BOI authorized recipients could increase significantly 
after the first year of implementation of the BOI reporting 
requirements as awareness of the ability to access and utility of 
BOI increases.
---------------------------------------------------------------------------

    Conduct an annual audit and cooperate with FinCEN's annual audit; 
initially and then semi-annually certify standards and procedures by 
the head of the agency; annually provide a report on procedures. 
Requirements #5-7 are administrative costs that a domestic agency would 
incur on an annual or semi-annual basis. Specifically, they require an 
agency to: (1) conduct an annual audit and cooperate with FinCEN's 
annual audit; (2) certify standards and procedures by the head of the 
agency semi-annually; and (3) provide an annual report on procedures to 
FinCEN. Based on feedback from outreach, FinCEN assumes it would take a 
given agency between 10 hours and 160 hours per year to meet these 
three requirements.
    FinCEN received the following feedback from domestic agencies 
regarding the estimated costs of these requirements. Agencies described 
the types of activities expected to meet these requirements in their 
responses, but the feedback applies to estimated burden for 
requirements #5-7:
     • Approximately 40 hours would be needed to perform an 
annual audit related to compliance of standards, procedures and storage 
of data. Once acceptable and verifiable procedures are in place, annual 
reporting to FinCEN would require approximately 20 hours and an annual 
outlay of 30 hours to review and proceed with internal processes that 
would result in the agency head's semi-annual certification. Thus, the 
aggregate annual estimate of compliance burden would be approximately 
120 hours (40 hours for audit + (2 x 30 hours for agency head 
certification) + 20 hours for reporting).
     • Approximately 100 hours to conduct an annual audit by 
internal auditors, 40 hours to prepare an annual report, and 20 hours 
to prepare for review and certification, totaling 160 hours.
     • Approximately 0 hours to conduct an annual audit given the 
assumption that FinCEN would maintain the database, and 10 to 20 hours 
for the annual report and agency head review.\216\
---------------------------------------------------------------------------

    \216\ This estimate assumes that FinCEN would have audit 
responsibilities, and the tracking of auditable activity would be 
maintained by FinCEN's system. This is similar to the current BSA 
data structure. Therefore, the agency assumes that it would not 
independently bear costs related to this audit function.
---------------------------------------------------------------------------

     • Approximately 120 to 160 hours. One agency's liaison to 
FinCEN is responsible for, among other duties, reviewing the results of 
an annual audit conducted by FinCEN relating to system usage, and 
ensuring personnel are in compliance with the policies and procedures 
set forth by FinCEN.\217\ The liaison spends anywhere from 120 to 160 
hours each year on these duties relating to BSA data. One agency 
anticipates that a similar number of the liaison's hours would be 
attributed to BOI, and the administrative, procedural, or legal 
requirements that may come with it.
---------------------------------------------------------------------------

    \217\ Additionally, the liaison disseminates protocols to 
authorized personnel relating to requesting and maintaining access 
to BSA data.
---------------------------------------------------------------------------

    Using an hourly wage estimate of $108 per hour for Federal agencies 
results in annual costs between approximately $1,080 and $17,280 per 
Federal agency ((10 hours x $108 per hour = $1,080) and (160 hours x 
$108 per hour = $17,280)). Using an hourly wage estimate of $76 per 
hour for State, local, and Tribal agencies results in annual costs 
between approximately $760 and $12,160 per State, local, and Tribal 
agency ((10 hours x $76 per hour = $760) and (160 hours x $76 per hour 
= $12,160)). To estimate annual aggregate costs, FinCEN multiplies 
these ranges by 208 total Federal agencies and 209 State, local, and 
Tribal agencies, resulting in a total annual cost between approximately 
$0.4 million and $6.1 million ((208 Federal agencies x $1,080 per 
Federal agency + 209 State, local, and Tribal agencies x $760 per 
State, local, and Tribal agency = $383,480) and (208 Federal agencies x 
$17,280 per Federal agency + 209 State, local, and Tribal agencies x 
$12,160 per State, local, and Tribal agency = $6,135,680)).
    Submit written certification for each request that it meets certain 
agency requirements. Finally, for requirement #8, domestic agencies are 
required to submit a written certification for each request for BOI. 
The written certification would be in the form and manner prescribed by 
FinCEN. FinCEN anticipates that this certification would be submitted 
to FinCEN via an electronic form. The number of requests for BOI that 
would be submitted to FinCEN by domestic agencies in any given year 
would vary.
    FinCEN assumes that submitting a request to FinCEN for BOI would 
take one employee approximately 15 minutes, or 0.25 hours, per request. 
This is based on FinCEN's experience with submitting requests for BSA 
data in FinCEN Query, which similarly require a written justification 
for a search request. Certification requirements vary by authorized 
recipient type under the proposed rule.\218\ FinCEN expects that 
requests submitted by State, local, and Tribal law enforcement agencies 
would have 20 to 30 hours of burden in addition to the 0.25 hours of 
burden per request owing to an additional requirement that a court of 
competent jurisdiction, including any officer of such a court, issue a 
court authorization for the agency to seek the information in a 
criminal or civil investigation.\219\ For purposes of estimating the 
cost of these additional hours of burden, FinCEN applies the hourly 
wage estimate for State, local, and Tribal employees and assumes that 
this cost would be incurred by the State, local or Tribal agency. In 
practice, employees within the court system may also incur costs 
related to this requirement. FinCEN welcomes comment on the appropriate
wage rate and burden for such an estimation.
---------------------------------------------------------------------------

    \218\ While Federal and regulatory agencies must certify that 
their request is related to specific activities, State, local, and 
Tribal law enforcement agencies must certify that a court of 
competent jurisdiction, including any officer of such a court, has 
authorized the agency to seek the information in a criminal or civil 
investigation.
    \219\ FinCEN believes a 20 to 30 hour burden estimate for the 
additional requirement of obtaining court authorization for a BOI 
request would reflect the time needed for activities associated with 
obtaining a court authorization. FinCEN requests comment on whether 
this understanding is accurate.
---------------------------------------------------------------------------

    Using an hourly wage estimate of $108 per hour for Federal 
employees results in a per request cost of approximately $27 per 
Federal agency (0.25 hours x $108 per hour = $27). Using an hourly wage 
estimate of $76 per hour for State, local, and Tribal employees results 
in a per request cost of approximately $19 per State and local 
regulator (0.25 hours x $76 per hour = $19) and between approximately 
$1,539 and $2,299 per State, local, and Tribal law enforcement agency 
((20.25 hours x $76 per hour = $1,539) and (30.25 hours x $76 per hour 
= $2,299)).
    To estimate a per agency annual cost, FinCEN uses BSA data request 
statistics from Fiscal Year 2021 as a proxy. Using these data, FinCEN 
estimates that each Federal agency could submit between 1 and 323,000 
requests for BOI annually while each State, local, and Tribal agency 
could submit between 1 and 23,000 requests for BOI annually.\220\ 
Therefore, the estimated annual cost is between $27 and $8.7 million 
(($27 per request x 1 request) and ($27 per request x 323,000 requests 
= $8,721,000)) per Federal agency. The annual cost is between $19 and 
$0.4 million (($19 per request x 1 request) and ($19 per request x 
23,000 requests = $437,000)) per State and local regulator. The annual 
cost is between $1,539 and $52.9 million (($1,539 per request x 1 
request = $1,539) and ($2,299 per request x 23,000 requests = 
$52,877,000)) per State, local, and Tribal law enforcement agency. 
FinCEN acknowledges that there is burden associated with the 
requirement to obtain a court authorization. As a result, State, local, 
or Tribal law enforcement agencies may submit fewer requests for BOI 
information than requests for BSA information, which do not impose 
similar requirements. FinCEN requests comment from such authorities on 
whether this requirement would make it less likely that they would 
submit BOI requests, when compared with BSA requests.
---------------------------------------------------------------------------

    \220\ The range is an estimate of the lowest and highest number 
of BSA data requests received through FinCEN's database from Federal 
agencies and for State and local agencies respectively during Fiscal 
Year 2021.
---------------------------------------------------------------------------

    Using FinCEN's internal BSA request data as a proxy, FinCEN 
anticipates that Federal agencies could submit as many as 2 million 
total BOI requests annually and that State, local, and Tribal agencies 
could submit as many as 230,000 total BOI requests 
annually.\221\ \222\ The internal number of BSA requests 
provides a more reasonable estimate of the likely number of aggregate 
requests than assuming the previously estimated ranges would apply to 
each domestic agency. This translates into aggregate annual costs 
between $362.4 million and $514.4 million ((2 million Federal requests 
x $27 per request + 30,000 State and local regulatory requests x $19 
per request + 200,000 State, local, and Tribal law enforcement requests 
x $1,539 per request = $362,370,000) and (2 million Federal requests x 
$27 per request + 30,000 State and local regulatory requests x $19 per 
request + 200,000 State, local, and Tribal law enforcement requests x 
$2,299 per request = $514,370,000)).
---------------------------------------------------------------------------

    \221\ Of the 230,000 anticipated total annual State, local, and 
Tribal BOI requests, approximately 30,000 are expected from State 
regulators and approximately 200,000 from State, local, and Tribal 
law enforcement agencies.
    \222\ While FinCEN does not estimate growth of requests 
throughout the 10-year time horizon of this analysis, the number of 
BOI requests could increase significantly after the first years of 
implementation of the BOI reporting requirements as awareness of the 
ability to access and utility of BOI increases.
---------------------------------------------------------------------------

    Table 5 presents the estimated costs to domestic agencies, as well 
as SROs, for requirements #1-8. Table 5 includes both the per agency 
cost and the aggregate costs for each requirement. The estimated 
average per agency cost in year 1 is between $2,835 and $9.0 million 
per Federal agency, between $1,995 and $0.5 million per State and local 
regulator, between $3,515 and $53 million per State, local, and Tribal 
law enforcement agency, and between $2,494 and $0.6 million per 
SRO.\223\ The estimated average per agency cost each year after the 
first year of implementation is between $1,215 and $8.9 million per 
Federal agency, between $855 and $0.4 million per State and local 
regulator, between $2,375 and $52.9 million per State, local, and 
Tribal law enforcement agency, and between $1,069 and $0.5 million per 
SRO. The total estimated aggregate cost to domestic agencies in year 1 
is between $364.7 million and $553.1 million, and then between $364.1 
million and $523.3 million each year thereafter.
---------------------------------------------------------------------------

    \223\ To calculate total costs to SROs, FinCEN calculated a 
ratio that applied the estimated costs to State regulators (which 
would have access requirements similar to SROs) to the wage rate 
estimated herein for financial institutions, since SROs are private 
organizations. FinCEN requests comment on this assessment. As noted 
previously, SROs would not have direct access to the beneficial 
ownership IT system, but rather may receive BOI through re-
disclosure.
---------------------------------------------------------------------------

Table 5--Costs to Domestic Agencies
[GRAPHIC] [TIFF OMITTED] TP16DE22.024

    In addition to the costs listed in Table 5, Federal agencies may 
incur costs related to submitting requests on behalf of foreign 
requesters. These costs are
estimated in the next section. Federal agencies may also bear costs 
related to enforcement in cases of unauthorized disclosure and use of 
BOI; however, these costs have not been estimated in this analysis, as 
the level of compliance with the proposed rule is unknown.
B. Foreign Requesters
    Foreign requesters must meet multiple requirements to receive BOI. 
FinCEN does not have an estimate of the number of foreign requesters 
that may elect to request and access BOI, or which requesters would do 
so under an applicable international treaty, agreement, or convention, 
or through another channel available under the proposed rule, and 
welcomes public comment on how to estimate this number. Foreign 
requesters that request and receive BOI under an applicable 
international treaty, agreement, or convention would not have certain 
requirements under the proposed rule, given that such requesters would 
be governed by standards and procedures under the applicable 
international treaty, agreement, or convention. However, FinCEN does 
not differentiate between types of foreign requesters in this analysis, 
given the lack of data. Though FinCEN is unable to estimate aggregate 
costs on foreign requesters at this time given the lack of data on the 
number of foreign requesters that may access BOI, FinCEN provides 
partial cost estimates of the requirements on a given foreign 
requester. Requirements are summarized in Table 6, which is followed by 
a more detailed analysis. Costs associated with each requirement are 
summarized in Table 7 at the end of this section.

Table 6--Requirements for Foreign Requesters
[GRAPHIC] [TIFF OMITTED] TP16DE22.026

    Establish standards and procedures. For requirement #1, FinCEN 
assumes that foreign requesters would incur costs during the first year 
of implementation. FinCEN assumes it would take a foreign requester, on 
average, between one and two full business weeks (or, between 40 and 80 
business hours) to establish standards and procedures. This estimate is 
a FinCEN assumption based on its experience coordinating with foreign 
partners. FinCEN requests comment on the accuracy of this estimate. 
Using an hourly wage estimate of $108 per hour for Federal agencies, 
which FinCEN assumes is a comparable hourly wage estimate for foreign 
requesters, FinCEN estimates this one-time cost would be between 
approximately $4,320 and $8,640 per foreign requester ((40 hours x $108 
per hour) and (80 hours x $108 per hour)). Foreign requesters that 
request and receive BOI under an applicable international treaty, 
agreement, or convention would not have this requirement under the 
proposed rule, given that such requesters would be governed by 
standards and procedures under the applicable international treaty, 
agreement, or convention. However, FinCEN does not differentiate 
between types of foreign requesters in this analysis, given the lack of 
data.
    Establish a secure system to store BOI. For requirement #2, the 
cost of the ongoing IT requirement would vary depending on the existing 
infrastructure of the foreign requester. FinCEN believes that foreign 
requesters already have secure systems and networks in place as well as 
sufficient storage capacity, given their ongoing coordination with the 
U.S. Government on a variety of matters, which likely adhere to 
applicable data security standards. Therefore, FinCEN assumes de 
minimis IT costs. FinCEN welcomes comment on this assumption. Foreign 
requesters that request and receive BOI under an applicable 
international treaty, agreement, or convention would not have this 
requirement under the proposed rule, given that such requesters would 
be governed by security standards under the applicable international 
treaty, agreement, or convention. However, FinCEN does not 
differentiate between types of foreign requesters in this analysis, 
given the lack of data.
    Restrict access to appropriate persons within the agency, which 
specifies that appropriate persons will undergo training. For 
requirement #3, FinCEN assumes that each foreign requester that would 
access the BOI data would be required to undergo 1 hour of training per 
year. Using an estimated hourly wage amount of $108, this results in an 
annual training cost of approximately $108 per foreign requester.
    Provide information for each request to an intermediary Federal 
agency. For requirement #4, FinCEN assumes that providing information 
for a BOI request to a Federal intermediary agency would take one 
foreign requester approximately 45 minutes, or 0.75 hours, per request. 
This estimate is based on FinCEN's assumption that a request for BOI 
submitted directly by a Federal agency on its own behalf would
take approximately 15 minutes; given the additional information 
required for a foreign-initiated request, FinCEN proposes tripling that 
estimate for foreign requests. Using an hourly wage estimate of $108 
per hour, this would result in a per request cost of approximately $81 
per foreign requester (0.75 hours x $108 per hour = $81). Based on 
feedback from agencies, FinCEN believes that the total number of 
foreign requests could range between approximately 200 and 900 per 
year.\224\ This would result in an aggregate annual cost to foreign 
requesters between approximately $16,200 and $72,900 ((200 requests x 
$81 per request = $16,200) and (900 requests x $81 per request = 
$72,900)).
---------------------------------------------------------------------------

    \224\ FinCEN recognizes that the number of BOI requests from 
foreign requesters may be higher in reality, as no such U.S. 
beneficial ownership IT system currently exists. The existence of a 
centralized U.S. BOI source may in fact result in a higher number of 
annual requests by foreign requesters. FinCEN welcomes comment on 
this estimate.
---------------------------------------------------------------------------

    FinCEN also assumes that Federal agencies that submit requests on 
behalf of foreign requesters to FinCEN would incur additional costs; 
FinCEN itself expects to incur costs from the submission of such 
requests. Therefore, FinCEN estimates that BOI requests on behalf of 
foreign requesters would require approximately two hours of one Federal 
employee's time, resulting in a cost per request of approximately $216 
(2 hours x $108 per hour). This would result in a total annual cost to 
Federal agencies between approximately $43,200 and $194,400 ((200 
requests x 2 hours x $108 per hour = $43,200) and (900 requests x 2 
hours x $108 per hour = $194,400)).
    Table 7 presents the estimated costs to foreign requesters for each 
of requirements #1-4.

Table 7--Costs to Foreign Requesters
[GRAPHIC] [TIFF OMITTED] TP16DE22.027

C. Financial Institutions
    Financial institutions must meet multiple requirements to access 
BOI. Requirements are summarized in Table 8, which is followed by a 
more detailed analysis. Costs associated with each requirement are 
summarized in Table 9, at the end of this section.

Table 8--Requirements for Financial Institutions
[GRAPHIC] [TIFF OMITTED] TP16DE22.028

    Establish administrative and physical safeguards. For requirement 
#1, FinCEN assumes that financial institutions would incur costs during 
the first year of implementation. FinCEN assumes it would take a 
financial institution, on average, between one and two full business 
weeks (or, between 40 and 80 business hours) to establish 
administrative and physical safeguards. This estimate is a FinCEN 
assumption based on its experience with the financial services 
industry. FinCEN requests comment on the accuracy of this estimate. 
Using an hourly wage estimate of $95 per hour for financial 
institutions, FinCEN estimates this one-time cost would be between 
approximately $3,800 and $7,600 per financial institution. To estimate 
aggregate costs, FinCEN multiplies this range by 16,252 total financial 
institutions resulting in a total cost between approximately $61.8 
million and $123.5 million (($3,800 per institution x 16,252 financial 
institutions = $61,757,600) and ($7,600 per institution x 16,252 
financial institutions = $123,515,200), respectively).
    Establish technical safeguards. For requirement #2, the cost of the 
ongoing IT requirement would vary depending on the existing 
infrastructure of the financial institution. FinCEN believes that most 
financial institutions already have secure systems and networks in 
place as well as sufficient storage capacity, given existing 
requirements with regard to protection of customers' nonpublic personal 
information.\225\ Therefore, FinCEN assumes de minimis IT costs. FinCEN 
requests comment on this assumption.
---------------------------------------------------------------------------

    \225\ As noted in the proposed rule, financial institutions may 
have established information procedures to satisfy the requirements 
of section 501 of the Gramm-Leach-Bliley Act, and applicable 
regulations issued thereunder, with regard to the protection of 
customers' nonpublic personal information. If a financial 
institution is not subject to section 501 of the Gramm-Leach-Bliley 
Act, such institutions may be required, recommended, or authorized 
under applicable Federal or State law to have similar information 
procedures with regard to protection of customer information.
---------------------------------------------------------------------------

    Obtain and document customer consent. For requirement #3, FinCEN 
assumes that financial institutions would incur costs during the first 
year of implementation due to updating customer consent forms and 
processes. Specifically, FinCEN assumes it would take a financial 
institution, on average, approximately 10 hours in year 1 to conduct 
these activities. This number is based on FinCEN's underlying 
assumption that such implementation would involve relatively minimal 
resources to update forms and workflows. From year 2 and onward, FinCEN 
believes costs associated with obtaining and documenting customers' 
consent would be negligible because consent forms and processes have 
already been established and because this requirement is a one-time and 
not a periodic requirement for a given customer. FinCEN requests 
comments from financial institutions in particular on these 
assumptions. Using an hourly wage estimate of $95 per hour for 
financial institutions, FinCEN estimates this one-time cost would be 
approximately $950 per financial institution. To estimate aggregate 
costs, FinCEN multiplies this estimate by 16,252 total financial 
institutions, resulting in a total cost of approximately $15.8 million 
($950 per institution x 16,252 financial institutions = $15,439,400).
    Submit written certification for each request that it meets certain 
requirements. For requirement #4, the written certifications would be 
submitted in the form and manner prescribed by FinCEN. FinCEN 
anticipates that this certification would be submitted to FinCEN via an 
electronic form. FinCEN assumes that submitting a request to FinCEN for 
BOI would take one employee approximately 15 minutes, or 0.25 hours, 
per request. For purposes of this analysis, FinCEN assumes a range of
approximately 5 million to 6.1 million total requests from financial
institutions per year. The minimum amount assumes that the number of 
BOI requests from financial institutions each year would equal the 
number of new entities that qualify as a ``reporting company'' required 
to submit BOI. As estimated in the final BOI reporting rule's RIA, this 
is approximately 5 million entities annually.\226\ The maximum amount 
assumes that financial institutions would request BOI for each new 
legal entity customer at the time of account opening, in alignment with 
the 2016 CDD Rule,\227\ resulting in approximately 6.1 million 
entities.\228\ For purposes of this analysis, FinCEN assumes that 
financial institutions would submit BOI requests related to newly opened
legal entity customer accounts in alignment with the 2016 CDD Rule. 
FinCEN requests comment, in particular from financial institutions, on 
whether this range is accurate. Therefore, the estimated aggregate 
annual cost of this requirement is between approximately $118.8 million 
and $144.7 million ((5 million total requests x 0.25 hours per request 
x $95 per hour = $118,750,000) and (6.1 million total requests x 0.25 
hours per request x $95 per hour = $144,700,000), respectively). The 
per institution annual cost of requirement #3 is between approximately 
$7,310 and $8,904 (($118.8 million/16,252 financial institutions) and 
($144.7 million/16,252 financial institutions), respectively).
---------------------------------------------------------------------------

    \226\ In the final BOI reporting rule's RIA, the analysis 
assumes 13.1 percent growth in new entities from 2020 through 2024, 
and then a stable same number of approximately 5 million new 
entities each year thereafter through 2033. FinCEN included an 
alternative estimate which assumed that the rate of new entities 
created will grow at a rate of approximately 13.1 percent per year 
from 2020 through 2033. This resulted in a new entity annual 
formation estimate of 5 million in the year of the effective date of 
the final BOI reporting rule which increases to approximately 5.6 
million ten years after the effective date of the final BOI 
reporting rule (2033). See 87 FR 59582 (Sept. 30, 2022).
    \227\ The CTA requires that the 2016 CDD Rule be revised given 
FinCEN's BOI reporting and access requirements. Therefore, this 
estimate and assumption may change after that revision.
    \228\ The 2016 CDD Rule estimated that each financial 
institution with CDD requirements will open, on average, 1.5 new 
legal entity accounts per business day. The rule also assumed there 
are 250 business days per year, which is in alignment with the 
number of business days in 2022. Therefore, FinCEN estimates that 
financial institutions would need to conduct CDD requirements for a 
minimum of approximately 6.1 million legal entities per year (16,252 
financial institutions x 1.5 accounts per day x 250 business days 
per year = 6,094,500 new legal entity accounts opened per year).
---------------------------------------------------------------------------

    Undergo training. Last, requirement #5 pertains to training for 
individuals that access BOI. To estimate the cost of this training, 
FinCEN assumes a range of authorized recipients per financial 
institution. FinCEN believes a range is appropriate given the variation 
in institution size, complexity, and business models across the 16,252 
financial institutions. Based on feedback from Federal agency outreach, 
FinCEN assumes a minimum of one financial institution employee and a 
maximum of six financial institution employees would undergo annual BOI 
training. Using an hourly wage rate of $95 per hour, and assuming each 
authorized recipient would need to undergo one hour of training each 
year, FinCEN estimates a per institution annual training cost between 
approximately $95 and $570 ((1 employee x 1 hour x $95 per hour = $95) 
and (6 employees x 1 hour x $95 per hour = $570)). To estimate 
aggregate costs, FinCEN uses SBA size standards and identifies 
approximately 14,051 small financial institutions and 2,201 large 
financial institutions (16,252 total financial institutions - 14,051
small financial institutions). Furthermore, FinCEN assumes one to two 
employees per small financial institution and five to six employees per 
large financial institution.\229\ This results in an estimated minimum 
average hourly cost of $146 ((14,051 small institutions x 1 employee x 
$95 per hour + 2,201 large institutions x 5 employees x $95 per hour)/
16,252 total financial institutions) and a maximum average hourly cost 
of $241 ((14,051 small institutions x 2 employees x $95 per hour + 
2,201 large institutions x 6 employees x $95 per hour)/16,252 total 
financial institutions). The estimated aggregate training cost is 
between approximately $2.4 million and $3.9 million per year ((14,051 
small institutions x 1 employee x 1 training hour per person x $95 per 
hour + 2,201 large institutions x 5 employees x 1 hour x $95 per hour = 
$2,380,320) and (14,051 small institutions x 2 employees x 1 hour x $95 
per hour + 2,201 large institutions x 6 employees x 1 hour x $95 per 
hour = $3,924,260)).
---------------------------------------------------------------------------

    \229\ FinCEN acknowledges this number could significantly vary 
across financial institutions. FinCEN requests comment on these 
assumptions.
---------------------------------------------------------------------------

    Table 9 presents the estimated costs to financial institutions for 
each of requirements #1-5. Table 9 illustrates both the financial 
institution cost and the aggregate cost for each requirement. The 
estimated average cost per financial institution in year 1 is between 
approximately $12,206 and $17,854 and between approximately $7,456 and 
$9,304 each year thereafter. The estimated aggregate costs from 
requirements #1-5 for financial institutions are between approximately 
$198.4 million and $290.1 million in the first year of implementation, 
and then between approximately $121.2 million and $151.2 million each 
year thereafter.

Table 9--Costs to Financial Institutions
[GRAPHIC] [TIFF OMITTED] TP16DE22.029

D. FinCEN
    In addition to the costs of accessing BOI data as a domestic 
agency, FinCEN would incur costs from managing the access of other 
authorized recipients. To administer BOI access, FinCEN would need to: 
develop training materials and agreements with domestic agencies; 
conduct ongoing outreach with authorized recipients on the access 
requirements and respond to inquiries from authorized recipients; 
conduct audits of authorized responsibilities; develop procedures to 
review authorized recipients' standards and procedures, and requests as 
needed; and potentially reject requests or suspend access if 
requirements are not met. FinCEN currently administers access to the 
FinCEN Query system, which involves similar considerations; therefore, 
FinCEN would build on its experience to administer BOI access. FinCEN 
would also incur an initial cost in setting up internal processes and 
procedures for administering BOI access.\230\ FinCEN does not have a 
cost estimate for these specific activities, but notes that the final 
BOI reporting rule's RIA included an estimated annual personnel cost of 
approximately $10 million associated with the reporting 
requirements.\231\ FinCEN assumes that personnel costs associated with 
the access requirements would be of a similar magnitude, and therefore 
includes a $10 million annual FinCEN cost in its total cost estimates 
for this proposed rule.
---------------------------------------------------------------------------

    \230\ FinCEN would also develop the beneficial ownership IT 
system that allows for the varying types of access. The costs 
associated with developing and maintaining this IT system are 
addressed in the final BOI reporting rule's RIA.
    \231\ 87 FR 59578 (Sept. 30, 2022).
---------------------------------------------------------------------------

2. Benefits
    The proposed rule would result in benefits for authorized 
recipients. Currently, authorized recipients may obtain BOI through a 
variety of means; however, the proposed rule would put in place a 
system of direct and cost-saving access to the information. FinCEN has 
quantitatively estimated such benefits in this analysis. However, the 
proposed rule would also have non-quantifiable benefits to authorized 
recipients of BOI and to society more widely. This proposed rule would 
facilitate U.S. national security, intelligence, and law enforcement 
activity by providing access to BOI which, as noted in the final BOI 
reporting rule's RIA, would make these activities more effective and 
efficient. These activities would be more effective and efficient 
because the improved ownership transparency would enhance Federal 
agencies' ability to investigate, prosecute, and disrupt the financing 
of terrorism, other transnational security threats, and other types of 
domestic and transnational financial crimes. Additionally, Treasury 
would gain efficiencies in its efforts to identify the ownership of 
legal entities, resulting in improved analysis, investigations, and 
policy decisions on a variety of subjects. The Internal Revenue Service 
could obtain access to BOI for tax administration purposes, which may 
provide benefits for tax compliance. Federal regulators may also obtain 
benefits by accessing BOI in civil law enforcement matters.
    Similarly, the proposed rule would facilitate and make more 
efficient investigations by State, local, and Tribal law enforcement 
agencies. Access to BOI through FinCEN would prevent such agencies from 
spending time and resources to identify BOI. Foreign requesters would 
also reap similar benefits.
    Financial institutions could gain access to key information, 
including potentially additional beneficial owners, for their CDD 
processes, and State regulatory agencies and SROs could use BOI to 
supervise financial institutions' compliance with CDD requirements. 
However, FinCEN is not estimating benefits related to these types of 
entities at this time, given the pending revisions to the CDD Rule. 
FinCEN anticipates
that the benefits to financial institutions in meeting their CDD
obligations, and the benefits to regulatory agencies in supervising 
financial institutions for compliance with CDD requirements, would be 
discussed in that rulemaking.
    These stated benefits are in alignment with feedback FinCEN has 
received from a number of agencies as part of the outreach efforts 
FinCEN conducted in formulating the proposed rule. One agency noted 
that BOI would serve as an additional resource to investigators because 
having access to BOI would enable them to immediately identify a 
subject who owns a company, which would save time conducting additional 
investigations to develop subject identity information. A second agency 
also stated access to BOI could save time and resources. One agency 
noted that the vital data would further investigations and result in 
more successful and impactful investigations. Another agency provided 
similar feedback and noted that having access to BOI would 
significantly enhance investigations and bolster any analytical product 
that is prepared for the agency's cases; and that a central repository 
of BOI would save a multitude of hours that would otherwise be spent 
researching secretary of State records, conducting law enforcement 
database queries, and/or conducting open-source intelligence research 
to identify a company's ownership. One agency noted that the benefit 
would depend upon the scope of access.
    To quantify the potential benefits to various stakeholders of being 
able to access BOI, FinCEN asked for input from numerous agencies about 
cost savings that would result from such access; cost savings are one, 
but not the sole, benefit of BOI access. One agency estimated that, 
contingent upon the nature and complexity of each individual case's 
specific need for BOI resources, access to BOI would save as much as
approximately 300 hours annually.\232\ Another agency suggested that,
with higher caseloads, having access to BOI could save investigations 
as much as thousands of hours annually; another noted that several 
hours per case would be saved by not having to search multiple 
databases for company information. A fourth agency suggested that 
having access to BOI could save investigations as much as 20,000 hours 
annually that could be repurposed toward other tasks.
---------------------------------------------------------------------------

    \232\ Per the agency's feedback, this would comprise a range 
between 50 and 100 investigations utilizing BOI.
---------------------------------------------------------------------------

    Therefore, based on this feedback, FinCEN assumes a potential 
quantifiable benefit range of cost savings between 300 and 20,000 hours 
annually, per domestic agency.\233\ \234\ This is equivalent to
a per Federal agency dollar savings between $32,400 and $2.2 million 
(300 hours x $108 per hour = $32,400) and (20,000 hours x $108 per hour 
= $2,160,000) and a per State, local, and Tribal agency dollar savings 
between $22,800 and $1.5 million (300 hours x $76 per hour = $22,800 
and 20,000 hours x $76 per hour = $1,520,000), depending on the number 
and complexity of the investigations.
---------------------------------------------------------------------------

    \233\ Regarding regulators, FinCEN assumes that the benefit 
would relate to civil law enforcement activities rather than 
examination activities.
    \234\ The estimated amount of direct benefits from reduced 
investigation time and resources does not account for any potential 
savings to financial institutions that access BOI. Any potential 
benefits to financial institutions for accessing BOI will be 
accounted for in the forthcoming CDD Rule revision.
---------------------------------------------------------------------------

    The minimum dollar value of the benefits of the proposed rule 
implied by these assumptions in Year 1 is $10.2 million ((208 Federal 
agencies x 300 hours per agency x $108 per hour) + (153 State, local, 
and Tribal law enforcement agencies x 300 hours per agency x $76 per 
hour) = $10,227,600). The maximum estimated aggregate annual savings is 
$681.8 million ((208 Federal agencies x 20,000 hours per agency x $108 
per hour) + (153 State, local, and Tribal law enforcement agencies x 
20,000 hours per agency x $76 per hour) = $681,840,000). These 
estimates only pertain to cost savings benefits; agencies could also 
gain other benefits from accessing BOI, such as investigative law 
enforcement value, that are not quantified in this analysis. Therefore, 
FinCEN believes the benefits could be greater than the cost savings 
estimated here.
    As stated previously in the RIA, FinCEN assumes that no Federal 
agency or State, local or Tribal law enforcement agency will access BOI 
unless the benefits of doing so are at least equal to the costs, given 
that BOI access is optional. Non-quantifiable benefits would be 
included in this consideration, as well as the quantifiable benefits 
estimated in the analysis. In addition to the direct benefits of saving 
agencies time and money, accessing BOI would lead to other secondary 
benefits, as discussed in the final BOI reporting rule's RIA.\235\ BOI 
would also further the missions of the agencies to combat crime, as 
well as contribute to national security, intelligence, and law 
enforcement, and other activities. Therefore, the benefits to agencies 
of accessing BOI would be more than saving costs, as it would lead to 
more effective and efficient investigations. Enabling effective and 
efficient investigations would have additional secondary benefits of 
making it more difficult to launder money through shell companies and 
other entities, in turn strengthening national security and enhancing 
financial system transparency and integrity. Barriers to money 
laundering encourage a more secure economy and more economic activity, 
as businesses would have more trust in the legitimacy of new business 
partners. Finally, the sharing of BOI with foreign partners, subject to 
appropriate protocols consistent with the CTA, may further 
transnational investigations, tax enforcement, and the identification 
of national and international security threats. These secondary 
benefits are not accounted for in this analysis since they are 
accounted for in the final BOI reporting rule RIA. However, these 
benefits cannot come to fruition without authorized recipients gaining 
access to BOI, as considered in this proposed rulemaking. Therefore, 
the benefits between the final BOI reporting rule and this proposed 
rule are inextricably linked.
---------------------------------------------------------------------------

    \235\ See 87 FR 59579-59580 (Sept. 30, 2022).
---------------------------------------------------------------------------

3. Overall Impact
    Overall, FinCEN estimates the potential quantifiable impact of the 
proposed rule could be between $108.7 million in net savings and $840.7 
million in net costs in the first year of implementation of the rule, 
and then from $186.5 million in net savings to $672.0 million in net 
costs on an ongoing annual basis. Table 10 summarizes the estimated 
aggregate yearly impact of the proposed rule.

Table 10--Aggregate Yearly Impact of the Proposed Rule (Dollars in 
millions)
[GRAPHIC] [TIFF OMITTED] TP16DE22.030

    The estimated, quantifiable, aggregate annual benefits of the rule, 
which only reflect potential cost savings to agencies, would be
between approximately $10.2 and $681.8 million. Likewise, FinCEN 
expects that the aggregate annual quantifiable costs of the rule would 
be somewhere between approximately $573.1 and $850.9 million in year 1, 
and between approximately $495.3 and $682.2 million each year 
thereafter. FinCEN believes that, in practice, entities may choose to 
access BOI only if the benefits to their operational needs, which 
include cost savings and other non-quantifiable benefits, outweigh the
costs associated with the requirements for accessing BOI.
    Using the maximum net cost impact estimates from Table 10 as an 
upper bound of the potential impact of this proposed rule, FinCEN 
determines the present value over a 10-year horizon of approximately 
$5.9 billion at the three percent discount rate and approximately $4.9 
billion at the seven percent discount rate.
ii. Section of Proposed Rule Regarding FinCEN Identifier Use by 
Entities
    The proposed rule would establish a process through which a 
reporting company may report another reporting company's FinCEN 
identifier and full legal name in lieu of the information otherwise 
required under 31 CFR 1010.380(b)(1), subject to certain limitations. 
This proposed rule would affect reporting companies that choose to 
report FinCEN identifiers of another reporting company in their BOI 
report. It may also affect reporting companies' decision on whether or 
not to request a FinCEN identifier.
    FinCEN considered whether the proposed rule would result in any 
additional cost to reporting companies beyond what is estimated in the 
final BOI reporting rule's RIA.\236\ FinCEN assesses that the proposed 
rule is consistent with the assumption in the final BOI reporting 
rule's RIA that the cost associated with using entities' FinCEN 
identifiers is accounted for in the BOI report cost estimates. The 
proposed rule could reduce burden for reporting companies that choose 
to report another reporting company's FinCEN identifier because the 
reporting company would provide fewer pieces of information on the BOI 
report. However, FinCEN assesses such burden reduction is likely to be 
minimal relative to the total cost of filling out and submitting the 
report. Additionally, FinCEN does not know how many entities may
choose to utilize the proposed rule. Therefore, FinCEN does not
estimate costs or benefits associated with the proposed rule beyond 
what is separately stated in the final BOI reporting rule RIA. 
Similarly, FinCEN does not include alternatives regarding this proposed 
rule beyond what is included in the final BOI reporting rule RIA.
---------------------------------------------------------------------------

    \236\ The final BOI reporting rule's RIA did not estimate the 
number of reporting companies that will obtain FinCEN identifiers. 
The mechanism for reporting companies to obtain a FinCEN identifier 
will be to either check a box on its initial BOI report or submit an 
updated BOI report with the box checked. Therefore, FinCEN assumed 
that the cost of reporting companies obtaining FinCEN identifiers 
was included in the initial BOI report cost estimates in the final 
BOI reporting rule RIA. See 87 FR 59578 (Sept. 30, 2022).
---------------------------------------------------------------------------

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act \237\ (RFA) requires an agency 
either to provide an initial regulatory flexibility analysis (IRFA) 
with a proposed rule or certify that the proposed rule would not have a 
significant economic impact on a substantial number of small entities. 
The section of the proposed rule regarding BOI access would apply to a
substantial number of small entities. FinCEN has attempted to minimize
the burden to the greatest extent practicable, but the proposed rule 
may nevertheless have a significant economic impact on small entities.
---------------------------------------------------------------------------

    \237\ See 5 U.S.C. 601 et seq.
---------------------------------------------------------------------------

    Accordingly, FinCEN has prepared an IRFA. FinCEN welcomes comments 
on all aspects of the IRFA. A final regulatory flexibility analysis 
will be conducted after consideration of comments received. The IRFA 
addresses the BOI access sections of the proposed rule. With respect to 
the sections of the proposed rule addressing the use of FinCEN 
identifiers, FinCEN does not assess any additional costs associated 
with the proposed rule beyond the costs separately considered in the 
final BOI reporting rule's RIA.\238\ Therefore, FinCEN does not 
consider the proposed rule's FinCEN identifier provisions in the 
following RFA calculations or conclusions.
---------------------------------------------------------------------------

    \238\ See 87 FR 59577-59578 (Sept. 30, 2022).
---------------------------------------------------------------------------

i. Statement of the Need for, and Objectives of, the Proposed Rule
    As previously noted, the proposed rule is necessary to implement 
Section 6403 of the CTA. The purpose of the proposed rule is to 
implement the retention and disclosure requirements of Section 6403 and 
to establish appropriate protocols to protect the security and 
confidentiality of the BOI.
ii. Small Entities Affected by the Proposed Rule
    To assess the number of small entities affected by the proposed 
rule, FinCEN separately considered whether any small businesses, small 
organizations, or small governmental jurisdictions, as defined by the 
RFA, would be affected. FinCEN concludes that small businesses would be 
substantially affected by the proposed rule. Each of these three 
categories is discussed below within this section.
    In defining ``small business,'' the RFA relies on the definition of 
``small business concern'' from the Small Business Act.\239\ This 
definition is based on size standards (either average annual receipts 
or number of employees) matched to industries.\240\ Assuming maximum 
non-mandated participation by small financial institutions, the 
proposed rule would affect approximately all 14,051 small financial 
institutions. All of these small financial institutions would have a 
significant economic impact in the first year of implementation, which 
FinCEN believes meets the threshold for a substantial number. 
Therefore, FinCEN concludes the proposed rule would have a significant 
economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \239\ See 5 U.S.C. 601(3).
    \240\ See U.S. Small Business Administration, Table of Small 
Business Size Standards Matched to North American Industry 
Classification System Codes (Jul. 14, 2022), available at https://www.sba.gov/sites/default/files/2022-07/Table%20of%20Size%20Standards_Effective%20July%2014%202022_Final-508.pdf.
---------------------------------------------------------------------------

    FinCEN assumes the economic impact on an individual small entity is 
significant if the total estimated impact in a given year is greater 
than 1 percent of the small entity's total receipts for that year. 
FinCEN estimates the cost for small financial institutions to comply 
with the sections of the proposed rule addressing BOI access would be 
between approximately $12,155 and $17,644 in year 1, and approximately 
$7,405 and $9,094 annually in subsequent years, as indicated in Table 
9.\241\ FinCEN then compares these per financial institution cost 
estimates to the average total receipts for the smallest size category 
for each type of financial institution from the 2017 Census survey 
data, adjusted for inflation.\242\ The analysis indicates that, even 
when considering the minimum year 1 impact of $12,155, the smallest 
entities of all types of financial institutions would incur an economic 
impact that exceeds 1 percent of receipts for that industry. Therefore, 
FinCEN expects that the proposed rule would have a significant economic 
impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \241\ The minimum and maximum costs for small entities can be 
determined by using $95 (1 employee x $95 per hour) as the minimum 
cost for training in Table 9 and using $190 (2 employees x $95 per 
hour) as the maximum cost for training.
    \242\ FinCEN inflation adjusted the 2017 Census survey data 
using Implicit Price Deflators for Gross Domestic Product quarterly 
data from the U.S. Bureau of Economic Analysis, available at https://apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&categories=survey#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMSJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ. FinCEN estimated 
an inflation factor of approximately 1.14 (the gross domestic 
product deflator in the first quarter of 2017 is 107.038, while in 
the fourth quarter of 2021 it was 121.708; hence the inflation 
factor is 121.708/107.038 = 1.14). FinCEN then applied this 
inflation adjustment factor of 1.14 to the 1 percent of average 
annual receipts in the 2017 Census survey data for each financial 
industry affected by this proposed rule to estimate the latest 
inflation-adjusted dollar value threshold of 1 percent of annual 
receipts.
---------------------------------------------------------------------------

    In defining ``small organization,'' the RFA generally defines it as 
any not-for-profit enterprise that is independently owned and operated 
and is not dominant in its field.\243\ FinCEN anticipates that the 
proposed rule would not affect ``small organizations,'' as defined by 
the RFA.
---------------------------------------------------------------------------

    \243\ 5 U.S.C. 601(4).
---------------------------------------------------------------------------

    The RFA generally defines ``small governmental jurisdiction[s]'' as 
governments of cities, counties, towns, townships, villages, school 
districts, or special districts, with a population of less than 
50,000.\244\ While State, local, and Tribal government agencies may be 
affected by the proposed rule, FinCEN does not believe that government 
agencies of jurisdictions with a population of less than 50,000 would 
be included in such agencies. Therefore, no ``small governmental 
jurisdictions'' are expected to be affected.
---------------------------------------------------------------------------

    \244\ 5 U.S.C. 601(5).
---------------------------------------------------------------------------

iii. Compliance Requirements
    Under the proposed rule accessing BOI is not mandatory; therefore, 
the proposed rule would not impose requirements in the strictest sense. 
However, the proposed rule would require those that wish to access BOI 
to establish standards and procedures or safeguards, and to comply with 
other requirements. In particular, financial institutions would develop 
and implement administrative, technical, and physical safeguards 
reasonably designed to protect the security, confidentiality, and 
integrity of BOI. Financial institutions would also be required to 
obtain and document customer consent, as well as maintain a record of 
such consent for five years after it was last relied upon, which may 
require updates to existing policies and procedures. The proposed rule 
would also require those that wish to access BOI to provide a written 
certification for each BOI request, in the form and manner prescribed 
by FinCEN. FinCEN intends to provide additional detail regarding the 
form and manner of BOI requests for all categories of authorized 
recipients through specific instructions and guidance as it continues 
developing the beneficial ownership IT system. To the extent required 
by the PRA, FinCEN would publish for notice and comment any proposed 
information collection associated with BOI requests.
    Small entities affected by the proposed rule, which FinCEN assesses 
to be small financial institutions, would be required to comply with 
these requirements if they access BOI. FinCEN assumes that the 
professional expertise needed to comply with such requirements already 
exists at small financial institutions with CDD obligations.


iv. Duplicative, Overlapping, or Conflicting Federal Rules
    There are no Federal rules that directly duplicate, overlap, or 
conflict with the proposed rule. The proposed rule is closely related 
to FinCEN's recent publication of the final BOI reporting rule.\245\ 
The final BOI reporting rule finalizes regulations to implement the 
CTA's BOI reporting requirements, which describe who must file a 
report, what information must be provided, and when a report is due. In 
contrast, this NPRM proposes appropriate protocols for access to and 
disclosure of BOI. The final BOI reporting rule's RIA estimated the 
cost to the public of reporting and updating BOI and information 
related to FinCEN identifiers. The final BOI reporting rule's RIA also 
estimated the cost to FinCEN of developing and maintaining this 
reporting mechanism, costs to other government agencies as a result of 
reporting requirements, and the benefits of the requirements. FinCEN 
has aimed to not duplicate costs and benefits covered in the final BOI 
reporting rule herein.
---------------------------------------------------------------------------

    \245\ See 87 FR 59498 (Sept. 30, 2022).
---------------------------------------------------------------------------

v. Significant Alternatives That Reduce Burden on Small Entities
    In considering significant alternatives that would alter burdens on 
small entities, FinCEN applies two of the previously described 
alternative scenarios to small financial institutions.
a. Reduce Training Burden
    The first alternative would be to reduce the training requirement 
for BOI authorized recipients, which includes appropriate training for 
authorized recipients of BOI as well as annual training for access to 
the beneficial ownership IT system. In its analysis, FinCEN assumes 
that each authorized recipient that would access BOI would be required 
to undergo one hour of training per year.\246\ Here, FinCEN considers 
the scenario where authorized recipients would instead be required to 
undergo one hour of training every two years, in alignment with the 
current BSA data access requirements. This scenario could result in 
savings every other year of $108 to $172,800 per Federal agency, $76 to 
$5,168 per State, local, and Tribal agency, $95 to $6,460 per SRO,\247\ 
$108 per foreign requester, and $146 to $241 per financial institution. 
The aggregate savings could be as much as $3.7 million to $5.2 million 
($1.3 million total for domestic agencies and SROs + $2.4 to $3.9 
million for financial institutions) every other year. This alternative 
scenario could result in savings every other year of approximately $95 
to $190 per small financial institution. The aggregate savings could be 
as much as approximately $1.3 million to $2.7 million (($95 x 14,051 
small financial institutions = $1,334,845) and ($190 x 14,051 small 
financial institutions = $2,669,690)) every other year. Given the 
sensitive nature of the BOI data,\248\ FinCEN believes that maintaining 
an annual training requirement for BOI authorized recipients and access 
to the beneficial ownership IT system is necessary to protect the 
security and confidentiality of the BOI.
---------------------------------------------------------------------------

    \246\ The assumption of one training hour is in alignment with 
the current training requirement for accessing BSA data. However, 
one notable difference is that the proposed BOI training requirement 
is annual, not biennial.
    \247\ To calculate total costs to SROs, FinCEN calculated a 
ratio that applied the estimated costs to State regulators (which 
would have access requirements similar to SROs) to the wage rate 
estimated herein for financial institutions, since SROs are private 
organizations. FinCEN requests comment on this assessment.
    \248\ As noted in the preamble, the CTA establishes that BOI is 
``sensitive information'' and it imposes strict confidentiality and 
security restrictions on the storage, access, and use of BOI. See 
CTA, Section 6402(6), (7).
---------------------------------------------------------------------------

b. Change Customer Consent Requirement
    Another alternative that FinCEN considered is altering the customer 
consent requirement for financial institutions. Under the proposed 
rule, financial institutions would be required to obtain and document 
customer consent once for a given customer. FinCEN considered an 
alternative approach in which FinCEN would directly obtain the 
reporting company's consent. Under this scenario, financial 
institutions would not need to spend time and resources on the one-time 
implementation costs of approximately 10 hours in year 1 to create 
consent forms and processes. Using an hourly wage estimate of $95 per 
hour for financial institutions, FinCEN estimates this would result in 
a one-time savings per financial institution of approximately $950. To 
estimate aggregate savings under this scenario, FinCEN multiplies this 
value by 16,252 financial institutions resulting in a total savings of 
approximately $15.4 million ($950 per institution x 16,252 financial 
institutions = $15,439,400). The cost savings for small financial 
institutions under this scenario would be approximately $13.3 million 
($950 per institution x 14,051 small financial institutions = 
$13,348,450). Though this alternative results in a savings to financial 
institutions, including small entities, FinCEN believes that financial 
institutions are better positioned to obtain consent--and to track 
consent revocation--given their direct customer relationships and 
ability to leverage existing onboarding and account maintenance 
processes. Therefore, FinCEN decided not to propose this alternative.

C. Paperwork Reduction Act

    The reporting requirements in the proposed rule are being submitted 
to OMB for review in accordance with the Paperwork Reduction Act of 
1995 (PRA).\249\ Under the PRA, an agency may not conduct or sponsor, 
and a person is not required to respond to, a collection of information 
unless it displays a valid control number assigned by OMB. Written 
comments and recommendations for the proposed information collection 
can be submitted by visiting www.reginfo.gov/public/do/PRAMain. This 
particular document may be found by selecting ``Currently Under 
Review--Open for Public Comments'' or by using the search function. 
Comments are welcome and must be received by February 14, 2023. In 
accordance with requirements of the PRA, 44 U.S.C. 3506(c)(2)(A), and 
its implementing regulations, 5 CFR 1320, the following information 
concerns the collection of information as it relates to the proposed 
rule and is presented to assist those persons wishing to comment on the 
information collection.
---------------------------------------------------------------------------

    \249\ See 44 U.S.C. 3506(c)(2)(A).
---------------------------------------------------------------------------

    The PRA analysis included herein is for the sections of the 
proposed rule relating to BOI access. It does not include the sections 
of the proposed rule addressing the use of FinCEN identifiers for 
entities because FinCEN does not assess any additional burden or costs 
associated with the proposed rule beyond the costs and burden 
separately considered in the final BOI reporting rule's PRA analysis 
for BOI reports.\250\
---------------------------------------------------------------------------

    \250\ See 87 FR 59589-59591 (Sept. 30, 2022).
---------------------------------------------------------------------------

    Reporting and Recordkeeping Requirements: The proposed rule would 
require State, local, and Tribal agencies and financial institutions 
that wish to access BOI to conduct the following activities: establish 
standards and procedures or safeguards and undergo annual training. 
Financial institutions would also be required to obtain and document 
customer consent, maintaining a record of such consent for five years 
after it was last relied upon, which may require updates to existing 
processes and creation of consent forms. The proposed rule would also 
require State, local, and Tribal agencies and financial institutions 
that wish to access BOI to provide a written certification for each BOI request. FinCEN 
intends to provide additional detail regarding the form and manner of 
BOI requests for all categories of authorized users through specific 
instructions and guidance as it continues developing the beneficial 
ownership IT system. To the extent required by the PRA, FinCEN would 
publish for notice and comment any proposed information collection 
associated with BOI requests. In addition, the proposed rule would 
require State, local, and Tribal agencies to establish and maintain a 
secure system to store BOI, as well as an auditable system of 
standardized records for requests, conduct an annual audit, certify 
standards and procedures by the agency head semi-annually, and provide 
an annual report on procedures, resulting in additional recordkeeping 
and reporting requirements. Finally, the proposed rule would require 
that SROs follow the same security and confidentiality requirements 
outlined herein for State, local, and Tribal agencies, if they obtain 
BOI through re-disclosure by a Federal functional regulator or 
financial institution.
    OMB Control Numbers: 1506-XXXX.
    Frequency: As required; varies depending on the requirement.
    Description of Affected Public: State, local and Tribal agencies, 
SROs, and financial institutions with CDD obligations, as defined in 
the proposed rule. While Federal and foreign requesters are 
able to access BOI after meeting specific requirements, FinCEN does not 
include them in the PRA analysis because the regulations implementing 
the PRA define ``person'' as an individual, partnership, association, 
corporation (including operations of government-owned contractor-
operated facilities), business trust, or legal representative, an 
organized group of individuals, a State, territorial, tribal, or local 
government or branch thereof, or a political subdivision of a State, 
territory, Tribal, or local government or a branch of a political 
subdivision.\251\ For foreign requesters in particular, FinCEN assumes 
that such requests would be made at the national level.
---------------------------------------------------------------------------

    \251\ See 5 CFR 1320.3(k).
---------------------------------------------------------------------------

    Estimated Number of Respondents: 16,463 entities. This total is 
composed of an estimated 209 State, local, and Tribal agencies, of 
which 153 are State, local, and Tribal law enforcement agencies and 56 
are State regulatory agencies, 2 SROs, and 16,252 financial 
institutions.\252\ While the requirements in the proposed rule are only 
imposed on those that optionally access BOI, for purposes of PRA burden 
analysis, FinCEN assumes maximum participation from State, local, and 
Tribal agencies, SROs, and financial institutions.
---------------------------------------------------------------------------

    \252\ See Table 1 for the types of financial institutions 
covered by this notice.
---------------------------------------------------------------------------

    Estimated Total Annual Reporting and Recordkeeping Burden: \253\ 
FinCEN estimates that during year 1 the annual hourly burden would be 
9,289,604 hours. In year 2 and onward, FinCEN estimates that the annual 
hourly burden would be 7,663,188 hours. The annual estimated burden 
hours for State, local, and Tribal entities as well as SROs is 
6,261,856 hours in the first year, and 6,098,120 hours in year 2 and 
onward. As shown in Table 11, the hourly burden in year 1 for State, 
local, and Tribal entities and SROs includes the hourly burden 
associated with the following requirements in the NPRM: enter into an 
agreement with FinCEN and establish standards and procedures (Action 
B); establish a secure system to store BOI (Action D); establish and 
maintain an auditable system of standardized records for requests 
(Action E); submit written certification for each request that it meets 
certain requirements (Action G); restrict access to appropriate persons 
within the entity (Action H); conduct an annual audit and cooperate 
with FinCEN's annual audit (Action I); obtain certification of 
standards and procedures, initially and then semi-annually, by the head 
of the entity (Action J); and provide annual reports on procedures 
(Action K). The hourly burden in year 2 and onward for State, local, 
and Tribal entities and SROs is associated with the same requirements 
as year 1, with the exception of Action B because FinCEN expects this 
action will result in costs for these entities in year 1 only.
---------------------------------------------------------------------------

    \253\ As previously noted, this is a partial amount of the 
maximum overall burden associated with the proposed rule given that 
the PRA analysis does not include the potential burden on Federal 
and foreign agencies. The full burden and cost are assessed in the 
RIA cost analysis.
---------------------------------------------------------------------------

    The annual estimated hourly burden for financial institutions is 
3,027,748 hours in the first year and 1,565,068 hours in year 2 and 
onward. The hourly burden for financial institutions in year 1 is 
associated with the following: establish administrative and physical 
safeguards (Action A); establish technical safeguards (Action C); 
obtain and document customer consent (Action F); submit written 
certification for each request that it meets certain requirements 
(Action G); and undergo training (Action H). The hourly burden in year 
2 and onward for financial institutions is associated only with the 
requirements for Actions G and H because FinCEN expects the other 
actions will result in costs for these entities in year 1 only.
    Annual estimated burden declines in year 2 and onward because 
State, local, and Tribal agencies, SROs, and financial institutions no 
longer need to complete Actions A, B, and F, and have a lower hourly 
burden for Action E. Table 11 lists the type of entity, the number of 
entities, the hours per entity, and the total hourly burden by action. 
For Actions A, B, C, D, E, F, I, J, and K, the hours per entity are the 
maximum of the range estimated in the cost analysis of the RIA. For 
Actions G and H, the hours per entity calculations are specified in 
footnotes to Table 11. Total annual hourly burden is calculated by 
multiplying the number of entities by the hours per entity for each 
action. In each subsequent year after initial implementation, FinCEN 
estimates that the total hourly annual burden is 7,663,188 due to 
Actions A, B, and F only imposing burdens in year 1 and Actions D and E 
having lower annual per entity burdens. This results in a 5-year 
average burden estimate of approximately 7,988,471 hours.\254\
---------------------------------------------------------------------------

    \254\ The 5-year average equals the sum of (Year 1 burden hours 
of 9,289,604 + Year 2 burden hours of 7,663,188 + Year 3 burden 
hours of 7,663,188 + Year 4 burden hours of 7,663,188 + Year 5 
burden hours of 7,663,188) divided by 5.
---------------------------------------------------------------------------

Table 11--Annual Hourly Burden Associated With Proposed Rule Requirements
[GRAPHIC] [TIFF OMITTED]

    Estimated Total Annual Reporting and Recordkeeping Cost: \255\ As 
described in Table 3, FinCEN calculated the fully loaded hourly wage 
for each type of affected entity. Using these estimated wages, the 
total cost of the annual burden in year 1 would be $763,745,736. In year 
2 and onward, FinCEN estimates that the total cost of the annual burden 
is $612,199,760, owing to Actions A, B, and F only imposing burdens in 
year 1 and Actions D and E having lower annual per entity burdens. The 
annual estimated cost for State, local, and Tribal agencies and SROs is 
$476,109,676 in the first year and $463,518,300 in year 2 and onward. 
The annual estimated cost for financial institutions is $287,636,060 in 
the first year and $148,681,460 in year 2 and onward. The 5-year average 
annual cost estimate is $642,508,955.\256\
---------------------------------------------------------------------------

    \255\ As previously noted, this is a partial amount of the 
maximum overall cost associated with the proposed rule because the 
PRA analysis does not include the potential cost to Federal and 
foreign agencies. The full burden and cost of the rule are assessed 
in the RIA analysis.
    \256\ The 5-year average equals the sum of (Year 1 costs of 
$763,745,736 + Year 2 costs of $612,199,760 + Year 3 costs of 
$612,199,760 + Year 4 costs of $612,199,760 + Year 5 costs of 
$612,199,760) divided by 5.
---------------------------------------------------------------------------

Table 12--Annual Cost Associated With Proposed Rule Requirements
[GRAPHIC] [TIFF OMITTED]

D. Unfunded Mandates Reform Act

    Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 
104-4 (UMRA) requires that an agency assess anticipated costs and 
benefits and take certain other actions before promulgating a rule that 
includes a Federal mandate that may result in expenditure by State, 
local, and Tribal governments, in the aggregate, or by the private 
sector, of $100 million or more in any one year, adjusted for 
inflation. The proposed regulations regarding access by authorized 
recipients to BOI do not include any Federal mandate for State, local, 
and Tribal governments or the private sector.\257\ Similarly, the 
proposed regulations that address how reporting companies would be able 
to use an entity's FinCEN identifier to fulfill their obligations under 
FinCEN's BOI reporting requirements do not contain a Federal mandate.
---------------------------------------------------------------------------

    \257\ FinCEN expects that requirements regarding private sector 
access will be clarified in the forthcoming revision of the CDD 
Rule.
---------------------------------------------------------------------------

E. Questions for Comment

    General Request for Comments under the Paperwork Reduction Act: 
Comments submitted in response to this notice will be summarized and 
included in the request for OMB approval. All comments will become a 
matter of public record. Comments are invited on: (a) whether the 
collection of information is necessary for the proper performance of 
the functions of the agency, including whether the information shall 
have practical utility; (b) the accuracy of the agency's estimate of 
the burden of the collection of information; (c) ways to enhance the 
quality, utility, and clarity of the information to be collected; (d) 
ways to minimize the burden of the collection of information on 
respondents, including through the use of technology; and (e) estimates 
of capital or start-up costs and costs of operation, maintenance, and 
purchase of services required to provide information.
    Other Requests for Comment: In addition, FinCEN generally invites 
comment on the accuracy of FinCEN's regulatory analysis. FinCEN 
specifically requests comment on the following, which are mentioned in 
the preceding text.
    State, local, and Tribal agencies' BOI access estimates:
    1. How many Tribal law enforcement agencies, and how many 
authorized recipients at such agencies, may access BOI on an annual 
basis?
    2. What is an appropriate wage estimate for a Tribal government 
worker?
    3. Should the burden estimate for court authorizations include the 
burden on court employees? If so, what would be the occupation code, 
wage, and estimated time burden of such employees?
    4. Given the requirement to obtain court authorization to access 
BOI, are State, local, and Tribal agencies less likely to access BOI at 
the rate by which they access BSA information? If so, what is a 
reasonable estimate for the annual requests for BOI from these 
agencies?
    SROs' BOI access estimates:
    5. Is FinCEN's assessment of costs to SROs reasonable?
    Foreign requesters' BOI access estimates:
    6. How many foreign requesters may access BOI on an annual basis, 
and which requesters would do so under an applicable international 
treaty, agreement, or convention, or through another channel available 
under the proposed rule?
    7. Is FinCEN's approximation that it would take a foreign 
requester, on average, between one and two full business weeks (or, 
between 40 and 80 business hours) to establish standards and procedures 
accurate?
    8. Is the assumption that foreign requesters would have a de 
minimis IT cost to comply with the requirements in the proposed rule 
accurate?
    9. Is the annual estimate of foreign requests for BOI reasonable?
    Financial institutions' BOI access estimates:
    10. Is FinCEN's approximation that it would take a financial 
institution, on average, between one and two full business weeks (or, 
between 40 and 80 business hours) to establish administrative and 
physical safeguards accurate?
    11. Is the assumption that financial institutions would have a de 
minimis IT cost to comply with the requirements in the proposed rule 
accurate?
    12. Is the burden estimate for obtaining and documenting customer 
consent reasonable? If not, what would be a reasonable estimate?
    13. Are the assumptions that one to two employees per small 
financial institution and five to six employees per large institution 
would access BOI reasonable? If not, what would be reasonable 
estimates?
    14. Is the estimated range of annual requests from financial 
institutions reasonable?
    15. Are there additional categories of burden that FinCEN should 
consider in its burden estimates? If so, what are they, and what is the 
estimated burden per financial institution? Conversely, if any of the 
categories of burden in the estimates should not be included, identify 
those and explain why.
    Small entities' estimates:
    16. Are FinCEN's estimates of burden on small entities accurate, as 
calculated in the IRFA? If not, why, and on what basis should they be 
updated? Provide specific sources and data for alternative cost 
estimates for each category of burden per entity.
    17. Is FinCEN's assumption that small governmental jurisdictions 
are unlikely to access BOI accurate?
    FinCEN identifier analysis:
    18. Is FinCEN correct in assuming that the proposed rule would not 
result in additional burden or cost to reporting companies beyond what 
is estimated in the final BOI reporting rule's RIA?
    19. How many reporting companies are likely to use entities' FinCEN 
identifiers to comply with the BOI reporting requirements?

List of Subjects in 31 CFR Part 1010

    Administrative practice and procedure, Aliens, Authority 
delegations (Government agencies), Banks and banking, Brokers, Business 
and industry, Commodity futures, Currency, Citizenship and 
naturalization, Electronic filing, Federal savings associations, 
Federal-States relations, Federally recognized tribes, Foreign persons, 
Holding companies, Indian law, Indians, Insurance companies, Investment 
advisers, Investment companies, Investigations, Law enforcement, 
Penalties, Reporting and recordkeeping requirements, Small businesses, 
Securities, Terrorism, Tribal government, Time.

Authority and Issuance

    For the reasons set forth in the Supplementary Information, FinCEN 
proposes to amend part 1010 of chapter X of title 31 of the Code of 
Federal Regulations, as amended September 30, 2022, at 87 FR 59498, 
effective January 1, 2024, as follows:

PART 1010--GENERAL PROVISIONS

1. The authority citation for part 1010 continues to read as follows:

    Authority:  12 U.S.C. 1829b and 1951-1959; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; 
sec. 2006, Pub. L. 114-41, 129 Stat. 458-459; sec. 701, Pub. L. 114-74, 
129 Stat. 599.

2. In Sec.  1010.380, add paragraph (b)(4)(ii)(B) to read as follows:


Sec.  1010.380   Reports of beneficial ownership information.

* * * * *
    (b) * * *
    (4) * * *
    (ii) * * *
    (B) A reporting company may report another entity's FinCEN 
identifier and full legal name in lieu of the information required 
under paragraph (b)(1) of this section with respect to the beneficial 
owners of the reporting company only if:
    (1) The entity has obtained a FinCEN identifier and provided that 
FinCEN identifier to the reporting company;
    (2) An individual is or may be a beneficial owner of the reporting 
company by virtue of an interest in the reporting company that the 
individual holds through the entity; and
    (3) The beneficial owners of the entity and of the reporting 
company are the same individuals.
* * * * *
4. In Sec.  1010.950, revise the section heading and paragraph (a) to 
read as follows:


Sec.  1010.950   Availability of information--general.

    (a) The Secretary has the discretion to disclose information 
reported under this chapter, other than information reported pursuant 
to Sec.  1010.380, for any reason consistent with the purposes of the 
Bank Secrecy Act, including those set forth in paragraphs (b) through 
(d) of this section. FinCEN may disclose information reported pursuant 
to Sec.  1010.380 only as set forth in Sec.  1010.955, and paragraphs 
(b) through (f) of this section shall not apply to the disclosure of 
such information.
* * * * *
5. Add Sec.  1010.955 to read as follows:


Sec.  1010.955   Availability of beneficial ownership information 
reported under this part.

    (a) Prohibition on disclosure. Except as authorized in paragraphs 
(b), (c), and (d) of this section, information reported to FinCEN 
pursuant to Sec.  1010.380 is confidential and shall not be disclosed 
by any individual who receives such information as--
    (1) An officer, employee, contractor, or agent of the United 
States;
    (2) An officer, employee, contractor, or agent of any State, local, 
or Tribal agency; or
    (3) A director, officer, employee, contractor, or agent of any 
financial institution.
    (b) Disclosure of information by FinCEN--(1) Disclosure to Federal 
agencies for use in furtherance of national security, intelligence, or 
law enforcement activity. Upon receipt of a request from a Federal 
agency engaged in national security, intelligence, or law enforcement 
activity for information to be used in furtherance of such activity, 
FinCEN may disclose information reported pursuant to Sec.  1010.380 to 
such agency. For purposes of this section--
    (i) National security activity includes activity pertaining to the 
national defense or foreign relations of the United States, as well as 
activity to protect against threats to the safety and security of the 
United States;
    (ii) Intelligence activity includes all activities conducted by 
elements of the United States Intelligence Community that are 
authorized pursuant to Executive Order 12333, as amended, or any 
succeeding executive order; and
    (iii) Law enforcement activity includes investigative and 
enforcement activities relating to civil or criminal violations of law. 
Such activity does not include the routine supervision or examination 
of a financial institution by a Federal regulatory agency with 
authority described in (b)(4)(ii)(A) of this section.
    (2) Disclosure to State, local, and Tribal law enforcement agencies 
for use in criminal or civil investigations. Upon receipt of a request 
from a State, local, or Tribal law enforcement agency for information 
to be used in a criminal or civil investigation, FinCEN may disclose 
information reported pursuant to Sec.  1010.380 to such agency if a 
court of competent jurisdiction has authorized the agency to seek the 
information in a criminal or civil investigation. For purposes of this 
section--
    (i) A court of competent jurisdiction is any court with 
jurisdiction over the investigation for which a State, local, or Tribal 
law enforcement agency requests information under this paragraph.
    (ii) A State, local, or Tribal law enforcement agency is an agency 
of a State, local, or Tribal government that is authorized by law to 
engage in the investigation or enforcement of civil or criminal 
violations of law.
    (3) Disclosure for use in furtherance of foreign national security, 
intelligence, or law enforcement activity. Upon receipt of a request 
from a Federal agency on behalf of a law enforcement agency, 
prosecutor, or judge of another country, or on behalf of a foreign 
central authority or foreign competent authority (or like designation) 
under an applicable international treaty, agreement, or convention, 
FinCEN may disclose information reported pursuant to Sec.  1010.380 to 
such Federal agency for transmission to the foreign law enforcement 
agency, prosecutor, judge, foreign central authority, or foreign 
competent authority who initiated the request, provided that:
    (i) The request is for assistance in a law enforcement 
investigation or prosecution, or for a national security or 
intelligence activity, that is authorized under the laws of the foreign 
country; and
    (ii) The request is:
    (A) Made under an international treaty, agreement, or convention, 
or;
    (B) When no such treaty, agreement, or convention is available, is 
an official request by a law enforcement, judicial, or prosecutorial 
authority of a trusted foreign country.
    (4) Disclosure to facilitate compliance with customer due diligence 
requirements--(i) Financial institutions. Upon receipt of a request 
from a financial institution subject to customer due diligence 
requirements under applicable law for information to be used in 
facilitating such compliance, FinCEN may disclose information reported 
pursuant to Sec.  1010.380 to such financial institution, provided each 
reporting company that reported such information consents to such 
disclosure. For purposes of this section, customer due diligence 
requirements under applicable law are the beneficial ownership 
requirements for legal entity customers at Sec.  1010.230, as those 
requirements may be amended or superseded.
    (ii) Regulatory agencies. Upon receipt of a request by a Federal 
functional regulator or other appropriate regulatory agency, FinCEN 
shall disclose to such agency any information disclosed to a financial 
institution pursuant to paragraph (b)(4)(i) of this section if the 
agency--
    (A) Is authorized by law to assess, supervise, enforce, or 
otherwise determine the compliance of such financial institution with 
customer due diligence requirements under applicable law;
    (B) Will use the information solely for the purpose of conducting 
the assessment, supervision, or authorized investigation or activity 
described in paragraph (b)(4)(ii)(A) of this section; and
    (C) Has entered into an agreement with FinCEN providing for 
appropriate protocols governing the safekeeping of the information.
    (5) Disclosure to officers or employees of the Department of the 
Treasury. Consistent with procedures and safeguards established by the 
Secretary--
    (i) Information reported pursuant to Sec.  1010.380 shall be 
accessible for inspection or disclosure to officers and employees of 
the Department of the Treasury whose official duties the Secretary 
determines require such inspection or disclosure.
    (ii) Officers and employees of the Department of the Treasury may 
obtain information reported pursuant to Sec.  1010.380 for tax 
administration as defined in 26 U.S.C. 6103(b)(4).
    (c) Use of information--(1) Use of information by authorized 
recipients. Unless otherwise authorized by FinCEN, any person who 
receives information disclosed by FinCEN under paragraph (b) of this 
section shall use such information only for the particular purpose or 
activity for which such information was disclosed. A Federal agency 
that receives information pursuant to paragraph (b)(3) of this section 
shall only use it to facilitate a response to a request for assistance 
pursuant to that paragraph.
    (2) Disclosure of information by authorized recipients. (i) Any 
officer, employee, contractor, or agent of a requesting agency who 
receives information disclosed by FinCEN pursuant to a request under 
paragraph (b)(1) or (2) or (b)(4)(ii) of this section may disclose such 
information to another officer, employee, contractor, or agent of the 
same requesting agency for the particular purpose or activity for which 
such information was requested, consistent with the requirements of 
paragraph (d)(1)(i)(F) of this section, as applicable. Any officer, 
employee, contractor, or agent of the U.S. Department of the Treasury 
who receives information disclosed by FinCEN pursuant to a request 
under paragraph (b)(5) of this section may disclose such information to 
another Treasury officer, employee, contractor, or agent for the 
particular purpose or activity for which such information was requested 
consistent with internal Treasury policies, procedures, orders or 
directives.
    (ii) Any director, officer, employee, contractor, or agent of a 
financial institution who receives information disclosed by FinCEN 
pursuant to a request under paragraph (b)(4)(i) of this section may 
disclose such information to another director, officer, employee, 
contractor, or agent within the United States of the same financial 
institution for the particular purpose or activity for which such 
information was requested, consistent with the requirements of 
paragraph (d)(2) of this section.
    (iii) Any director, officer, employee, contractor, or agent of a 
financial institution that receives information disclosed by FinCEN 
pursuant to paragraph (b)(4)(i) of this section may disclose such 
information to the financial institution's Federal functional 
regulator, a self-regulatory organization that is registered with or 
designated by a Federal functional regulator pursuant to Federal 
statute, or other appropriate regulatory agency, provided that the 
Federal functional regulator, self-regulatory organization, or other 
appropriate regulatory agency meets the requirements identified in 
paragraphs (b)(4)(ii)(A) through (C) of this section. A financial 
institution may rely on a Federal functional regulator, self-regulatory 
organization, or other appropriate regulatory agency's representation 
that it meets the requirements.
    (iv) Any officer, employee, contractor, or agent of a Federal 
functional regulator that receives information disclosed by FinCEN 
pursuant to paragraph (b)(4)(ii) of this section may disclose such 
information to a self-regulatory organization that is registered with 
or designated by the Federal functional regulator, provided that the 
self-regulatory organization meets the requirements of paragraphs 
(b)(4)(ii)(A) through (C) of this section.
    (v) Any officer, employee, contractor, or agent of a Federal agency 
that receives information from FinCEN pursuant to a request made under 
paragraph (b)(3) of this section may disclose such information to the 
foreign person on whose behalf the Federal agency made the request.
    (vi) Any officer, employee, contractor, or agent of a Federal 
agency engaged in a national security, intelligence, or law enforcement 
activity, or any officer, employee, contractor, or agent of a State, 
local, or Tribal law enforcement agency, may disclose information 
reported pursuant to Sec.  1010.380 that it has obtained directly from 
FinCEN pursuant to a request under paragraph (b)(1) or (2) of this 
section to a court of competent jurisdiction or parties to a civil or 
criminal proceeding.
    (vii) Any officer, employee, contractor, or agent of a requesting 
agency who receives information disclosed by FinCEN pursuant to a 
request under paragraph (b)(1), (b)(4)(ii), or (b)(5) of this section 
may disclose such information to any officer, employee, contractor, or 
agent of the United States Department of Justice for purposes of making 
a referral to the Department of Justice or for use in litigation 
related to the activity for which the requesting agency requested the 
information.
    (viii) A law enforcement agency, prosecutor, judge, foreign central 
authority, or foreign competent authority of another country that 
receives information from a Federal agency pursuant to a request under 
paragraph (b)(3)(ii)(A) of this section may disclose and use such 
information consistent with the international treaty, agreement, or 
convention under which the request was made.
    (ix) Except as described in this paragraph (c)(2), any information 
disclosed by FinCEN under paragraph (b) of this section shall not be 
further disclosed to any other person for any purpose without the prior 
written consent of FinCEN, or as authorized by applicable protocols or 
guidance that FinCEN may issue. FinCEN may authorize persons to 
disclose information obtained pursuant to paragraph (b) of this section 
in furtherance of a purpose or activity described in that paragraph.
    (d) Security and confidentiality requirements--(1) Security and 
confidentiality requirements for domestic agencies--(i) General 
requirements. To receive information under paragraph (b)(1), (2), or 
(3) or (b)(4)(ii) of this section, a Federal, State, local, or Tribal 
agency shall satisfy the following requirements:
    (A) Agreement. The agency shall enter into an agreement with FinCEN 
specifying the standards, procedures, and systems to be maintained by 
the agency, and any other requirements FinCEN may specify, to protect 
the security and confidentiality of such information. Agreements shall 
include, at a minimum, descriptions of the information to which an 
agency will have access, specific limitations on electronic access to 
that information, discretionary conditions of access, requirements and 
limitations related to re-disclosure, audit and inspection 
requirements, and security plans outlining requirements and standards 
for personnel security, physical security, and computer security.
    (B) Standards and procedures. The agency shall establish standards 
and procedures to protect the security and confidentiality of such 
information, including procedures for training agency personnel on the 
appropriate handling and safeguarding of such information. The head of 
the agency, on a non-delegable basis, shall approve these standards and 
procedures.
    (C) Initial report and certification. The agency shall provide 
FinCEN a report that describes the standards and procedures established 
pursuant to paragraph (d)(1)(i)(B) of this section and that includes a 
certification by the head of the agency, on a non-delegable basis, that 
the standards and procedures implement the requirements of this 
paragraph (d)(1).
    (D) Secure system for beneficial ownership information storage. The 
agency shall establish and maintain a secure system in which such 
information shall be stored, that complies with information security 
standards prescribed by FinCEN.
    (E) Auditability. The agency shall establish and maintain a 
permanent, auditable system of standardized records for requests 
pursuant to paragraph (b) of this section, including, for each request, 
the date of the request, the name of the individual who makes the 
request, the reason for the request, any disclosure of such information 
made by or to the requesting agency, and information or references to 
such information sufficient to reconstruct the justification for the 
request.
    (F) Restrictions on personnel access to information. The agency 
shall restrict access to information obtained from FinCEN pursuant to 
this section to personnel--
    (1) Who are directly engaged in the activity for which the 
information was requested;
    (2) Whose duties or responsibilities require such access;
    (3) Who have received training pursuant to paragraph (d)(1)(i)(B) 
of this section or have obtained the information requested directly 
from persons who both received such training and received the 
information directly from FinCEN;
    (4) Who use appropriate identity verification mechanisms to obtain 
access to the information; and
    (5) Who are authorized by agreement between the agency and FinCEN 
to access the information.
    (G) Audit requirements. The agency shall:
    (1) Conduct an annual audit to verify that information obtained 
from FinCEN pursuant to this section has been accessed and used 
appropriately and in accordance with the standards and procedures 
established pursuant to paragraph (d)(1)(i)(B) of this section;
    (2) Provide the results of that audit to FinCEN upon request; and
    (3) Cooperate with FinCEN's annual audit of the adherence of 
agencies to the requirements established under this paragraph to ensure 
that agencies are requesting and using the information obtained under 
this section appropriately, including by promptly providing any 
information FinCEN requests in support of its annual audit.
    (H) Semi-annual certification. The head of the agency, on a non-
delegable basis, shall certify to FinCEN semi-annually that the 
agency's standards and procedures established pursuant to paragraph 
(d)(1)(i)(B) of this section are in compliance with the requirements of 
this paragraph (d)(1). One of the semi-annual certifications may be 
included in the annual report required under paragraph (d)(1)(i)(I) of 
this section.
    (I) Annual report on procedures. The agency shall provide FinCEN a 
report annually that describes the standards and procedures that the 
agency uses to ensure the security and confidentiality of any 
information received pursuant to paragraph (b) of this section.
    (ii) Requirements for requests for disclosure. A Federal, State, 
local, or Tribal agency that makes a request under paragraph (b)(1), 
(2), or (3) or (b)(4)(ii) of this section shall satisfy the following 
requirements in connection with each request that it makes and in 
connection with all such information it receives.
    (A) Minimization. The requesting agency shall limit, to the 
greatest extent practicable, the scope of such information it seeks, 
consistent with the agency's purposes for seeking such information.
    (B) Certifications and other requirements. (1) The head of a 
Federal agency that makes a request under paragraph (b)(1) of this 
section or their designee shall make a written certification to FinCEN, 
in the form and manner as FinCEN shall prescribe, that:
    (i) The agency is engaged in a national security, intelligence, or 
law enforcement activity; and
    (ii) The information requested is for use in furtherance of such 
activity, setting forth specific reasons why the requested information 
is relevant to the activity.
    (2) The head of a State, local, or Tribal agency, or their 
designee, who makes a request under paragraph (b)(2) of this section 
shall submit to FinCEN, in the form and manner as FinCEN shall 
prescribe:
    (i) A copy of a court order from a court of competent jurisdiction 
authorizing the agency to seek the information in a criminal or civil 
investigation; and
    (ii) A written justification that sets forth specific reasons why 
the requested information is relevant to the criminal or civil 
investigation.
    (3) The head of a Federal agency, or their designee, who makes a 
request under paragraph (b)(3)(ii)(A) of this section shall:
    (i) Retain for its records the request for information under the 
applicable international treaty, agreement, or convention;
    (ii) Submit to FinCEN, in the form and manner as FinCEN shall 
prescribe: the name, title, email address, and telephone number for the 
individual from the Federal agency making the request; the name, title, 
agency, and country of the foreign person on whose behalf the Federal 
agency is making the request; the title and date of the international 
treaty, agreement, or convention under which the request is being made; 
and a certification that the information is for use in furtherance of a 
law enforcement investigation or prosecution, or for a national 
security or intelligence activity, that is authorized under the laws of 
the relevant foreign country.
    (4) The head of a Federal agency, or their designee, who makes a 
request under paragraph (b)(3)(ii)(B) of this section shall submit to 
FinCEN, in the form and manner as FinCEN shall prescribe:
    (i) A written explanation of the specific purpose for which the 
foreign person is seeking information under paragraph (b)(3)(ii)(B) of 
this section, along with an accompanying certification that the 
information is for use in furtherance of a law enforcement 
investigation or prosecution, or for a national security or 
intelligence activity, that is authorized under the laws of the 
relevant foreign country; will be used only for the particular purpose 
or activity for which it is requested; and will be handled consistent 
with the requirements of paragraph (d)(3) of this section;
    (ii) The name, title, email address, and telephone number for the 
individual from the Federal agency making the request;
    (iii) The name, title, agency, and country of the foreign person on 
whose behalf the Federal agency is making the request; and
    (iv) Any other information that FinCEN requests in order to 
evaluate the request.
    (5) The head of a Federal functional regulator or other appropriate 
regulatory agency, or their designee, who makes a request under 
paragraph (b)(4)(ii) of this section shall make a written certification 
to FinCEN, in the form and manner as FinCEN shall prescribe, that:
    (i) The agency is authorized by law to assess, supervise, enforce, 
or otherwise determine the compliance of a relevant financial 
institution with customer due diligence requirements under applicable 
law; and
    (ii) The agency will use the information solely for the purpose of 
conducting the assessment, supervision, or authorized investigation or 
activity described in paragraph (b)(4)(ii)(A) of this section.
    (2) Security and confidentiality requirements for financial 
institutions. To receive information under paragraph (b)(4)(i) of this 
section, a financial institution shall satisfy the following 
requirements:
    (i) Restrictions on personnel access to information. The financial 
institution shall restrict access to information obtained from FinCEN under 
paragraph (b)(4)(i) of this section to directors, officers, employees, 
contractors, and agents within the United States.
    (ii) Safeguards. The financial institution shall develop and 
implement administrative, technical, and physical safeguards reasonably 
designed to protect the security, confidentiality, and integrity of 
such information. The requirements of this paragraph (d)(2)(i) of this 
section shall be deemed satisfied to the extent that a financial 
institution:
    (A) Applies such information procedures that the institution has 
established to satisfy the requirements of section 501 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801 et seq.), and applicable regulations 
issued thereunder, with regard to the protection of its customers' 
nonpublic personal information, modified as needed to account for any 
unique requirements imposed under this section; or
    (B) If it is not subject to section 501 of the Gramm-Leach-Bliley 
Act, applies such information procedures with regard to the protection 
of its customers' nonpublic personal information that are required, 
recommended, or authorized under applicable Federal or State law and 
are at least as protective of the security and confidentiality of 
customer information as procedures that satisfy the standards of 
section 501 of the Gramm-Leach-Bliley Act.
    (iii) Consent to obtain information. Before making a request for 
information regarding a reporting company under paragraph (b)(4)(i) of 
this section, the financial institution shall obtain and document the 
consent of the reporting company to request such information. The 
documentation of the reporting company's consent shall be maintained 
for 5 years after it is last relied upon in connection with a request 
for information under paragraph (b)(4)(i) of this section.
    (iv) Certification. For each request for information regarding a 
reporting company under paragraph (b)(4)(i) of this section, the 
financial institution shall make a written certification to FinCEN that 
it:
    (A) Is requesting the information to facilitate its compliance with 
customer due diligence requirements under applicable law;
    (B) Has obtained the written consent of the reporting company to 
request the information from FinCEN; and
    (C) Has fulfilled all other requirements of paragraph (d)(2) of 
this section.
    (3) Security and confidentiality requirements for foreign 
recipients of information. (i) To receive information under paragraph 
(b)(3)(ii)(A) of this section, a foreign person on whose behalf a 
Federal agency made the request under that paragraph shall comply with 
all applicable handling, disclosure, and use requirements of the 
international treaty, agreement, or convention under which the request 
was made.
    (i) To receive information under paragraph (b)(3)(ii)(B) of this 
section, a foreign person on whose behalf a Federal agency made the 
request under that paragraph shall ensure that the following 
requirements are satisfied:
    (A) Standards and procedures. A foreign person who receives 
information pursuant to paragraph (b)(3)(ii)(B) of this section shall 
establish standards and procedures to protect the security and 
confidentiality of such information, including procedures for training 
personnel who will have access to it on the appropriate handling and 
safeguarding of such information.
    (B) Secure system for beneficial ownership information storage. 
Such information shall be maintained in a secure system that complies 
with the security standards the foreign person applies to the most 
sensitive unclassified information it handles.
    (C) Minimization. To the greatest extent practicable, the scope of 
information sought shall be limited, consistent with the purposes for 
seeking such information.
    (D) Restrictions on personnel access to information. Access to such 
information shall be limited to persons--
    (1) Who are directly engaged in the activity described in paragraph 
(b)(3) of this section for which the information was requested;
    (2) Whose duties or responsibilities require such access; and
    (3) Who have undergone training on the appropriate handling and 
safeguarding of information obtained pursuant to this section.
    (e) Administration of requests--(1) Form and manner of requests. 
Requests for information under paragraph (b) of this section shall be 
submitted to FinCEN in such form and manner as FinCEN shall prescribe.
    (2) Rejection of requests. (i) FinCEN will reject a request under 
paragraph (b)(4) of this section, and may reject any other request made 
pursuant to this section, if such request is not submitted in the form 
and manner prescribed by FinCEN.
    (ii) FinCEN may reject any request, or otherwise decline to 
disclose any information in response to a request made under this 
section, if FinCEN, in its sole discretion, finds that, with respect to 
the request:
    (A) The requester has failed to meet any requirement of this 
section;
    (B) The information is being requested for an unlawful purpose; or
    (C) Other good cause exists to deny the request.
    (3) Suspension of access. (i) FinCEN may permanently debar or 
temporarily suspend, for any period of time, any requesting party from 
receiving or accessing information under paragraph (b) of this section 
if FinCEN, in its sole discretion, finds that:
    (A) The requesting party has failed to meet any requirement of this 
section;
    (B) The requesting party has requested information for an unlawful 
purpose; or
    (C) Other good cause exists for such debarment or suspension.
    (ii) FinCEN may reinstate the access of any requester that has been 
suspended or debarred under this paragraph (e)(3) upon satisfaction of 
any terms or conditions that FinCEN deems appropriate.
    (f) Violations--(1) Unauthorized disclosure or use. Except as 
authorized by this section, it shall be unlawful for any person to 
knowingly disclose, or knowingly use, the beneficial ownership 
information obtained by the person, directly or indirectly, through:
    (i) A report submitted to FinCEN under Sec.  1010.380; or
    (ii) A disclosure made by FinCEN pursuant to paragraph (b) of this 
section.
    (2) For purposes of paragraph (f)(1) of this section, unauthorized 
use shall include accessing information without authorization, and 
shall include any violation of the requirements described in paragraph 
(d) of this section in connection with any access.

Himamauli Das,
Acting Director, Financial Crimes Enforcement Network.
[FR Doc. 2022-27031 Filed 12-15-22; 8:45 am]
BILLING CODE 4810-02-P

