Beneficial Ownership Information Access and Safeguards, 88732-88813 [2023-27973]
Download as PDF
88732
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Part 1010
RIN 1506–AB59
Beneficial Ownership Information
Access and Safeguards
Financial Crimes Enforcement
Network (FinCEN), Treasury.
ACTION: Final rule.
AGENCY:
FinCEN is promulgating
regulations regarding access by
authorized recipients to beneficial
ownership information (BOI) that will
be reported to FinCEN pursuant to
section 6403 of the Corporate
Transparency Act (CTA), enacted into
law as part of the Anti-Money
Laundering Act of 2020 (AML Act),
which is itself part of the National
Defense Authorization Act for Fiscal
Year 2021 (NDAA). The regulations
implement the strict protocols required
by the CTA to protect sensitive
personally identifiable information (PII)
reported to FinCEN and establish the
circumstances in which specified
recipients have access to BOI, along
with data protection protocols and
oversight mechanisms applicable to
each recipient category. The disclosure
of BOI to authorized recipients in
accordance with appropriate protocols
and oversight will help law enforcement
and national security agencies prevent
and combat money laundering, terrorist
financing, tax fraud, and other illicit
activity, as well as protect national
security.
SUMMARY:
These rules are effective
February 20, 2024.
DATES:
The
FinCEN Regulatory Support Section at
1–800–767–2825 or electronically at
frc@fincen.gov.
SUPPLEMENTARY INFORMATION:
FOR FURTHER INFORMATION CONTACT:
I. Introduction
ddrumheller on DSK120RN23PROD with RULES3
This final rule implements the
beneficial ownership information (BOI)
access and safeguard provisions in the
Corporate Transparency Act (CTA).1
The rule balances the statutory
requirement to create a database of BOI
1 The CTA is Title LXIV of the William M. (Mac)
Thornberry National Defense Authorization Act for
Fiscal Year 2021, Public Law 116–283 (Jan. 1, 2021)
(the NDAA). Division F of the NDAA is the AntiMoney Laundering Act of 2020 (AML Act), which
includes the CTA. Section 6403 of the CTA, among
other things, amends the Bank Secrecy Act (BSA)
by adding a new section 5336, Beneficial
Ownership Information Reporting Requirements, to
Subchapter II of Chapter 53 of Title 31, United
States Code.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
that is highly useful to authorized BOI
recipients, with the requirement to
safeguard BOI from unauthorized use.
This final rule reflects FinCEN’s
understanding of the critical need for
the highest standard of security and
confidentiality protocols to maintain
confidence in the U.S. Government’s
ability to protect sensitive information
while achieving the objective of the
CTA noted above—establishing a
database of BOI that will be highly
useful in combatting illicit finance and
the abuse of shell and front companies
by criminals, corrupt officials, and other
bad actors.
Specifically, this final rule
implements the provisions in the CTA,
codified at 31 U.S.C. 5336(c), that
authorize certain recipients to receive
disclosures of identifying information
associated with reporting companies,
their beneficial owners, and their
company applicants (together, BOI). The
CTA requires reporting companies to
report BOI to FinCEN pursuant to 31
U.S.C. 5336(b). This rule reflects
FinCEN’s careful consideration of
public comments, including those
received in response to (1) an advance
notice of proposed rulemaking
(ANPRM) 2 on the implementation of
the CTA, (2) an NPRM regarding BOI
reporting requirements (Reporting
NPRM),3 and (3) an NPRM regarding
BOI access and safeguards (Access
NPRM).4
As Congress explained in the CTA,
‘‘malign actors seek to conceal their
ownership of corporations, limited
liability companies, or other similar
entities in the United States to facilitate
illicit activity, including money
laundering, the financing of terrorism,
proliferation financing, serious tax
fraud, human and drug trafficking,
counterfeiting, piracy, securities fraud,
financial fraud, and acts of foreign
corruption, harming the national
security interests of the United States
and allies of the United States.’’ 5 Access
by authorized recipients to BOI reported
under the CTA would significantly aid
efforts to protect U.S. national security
and safeguard the U.S. financial system
from such illicit use. It would impede
illicit actors’ ability to use legal entities
to conceal proceeds from criminal acts
that undermine U.S. national security
and foreign policy interests, such as
corruption, human trafficking, drug and
arms trafficking, and terrorist financing.
BOI can also add critical data to
financial analyses in activities the CTA
2 86
FR 17557 (Apr. 5, 2021).
FR 69920 (Dec. 8, 2021).
4 87 FR 77404 (Dec. 16, 2022).
5 CTA, section 6402(3).
3 86
PO 00000
Frm 00002
Fmt 4701
Sfmt 4700
contemplates, including tax
investigations. It can also provide
essential information to the intelligence
and national security professionals who
work to prevent terrorists, proliferators,
and those who seek to undermine our
democratic institutions or threaten other
core U.S. interests from raising, hiding,
or moving money in the United States
through anonymous shell or front
companies.6
The United States currently does not
have a centralized or complete store of
information about who owns and
operates legal entities within the United
States. The beneficial ownership data
available to law enforcement and
national security agencies are generally
limited to certain commercial databases
and the information collected by
financial institutions on legal entity
accounts pursuant to their Customer
Due Diligence (CDD) or broader
Customer Identification Program (CIP)
obligations, some of which has been
included in Suspicious Activity Reports
(SARs) or provided to law enforcement
in response to judicial process.7 As set
out in detail in the Notice of Proposed
Rulemaking regarding BOI reporting
requirements 8 and the BOI reporting
final rule,9 U.S. law enforcement
officials and the Financial Action Task
Force (FATF),10 among others, have for
years noted how the lack of timely
access to accurate and adequate BOI by
law enforcement and other authorized
6 A front company generates legitimate business
proceeds to commingle with illicit earnings. See
U.S. Department of the Treasury, National Money
Laundering Risk Assessment (2018), p. 29, available
at https://home.treasury.gov/system/files/136/
2018NMLRA_12-18.pdf.
7 See, e.g., 31 CFR 1010.230. Even then, any BOI
a financial institution collects is not systematically
reported to any central repository.
8 Supra note 3, 86 FR at 69923–69924.
9 87 FR 59498, 59506 (Sept. 30, 2022).
10 The FATF, of which the United States is a
founding member, is an international, intergovernmental task force whose purpose is the
development and promotion of international
standards and the effective implementation of legal,
regulatory, and operational measures to combat
money laundering, terrorist financing, the financing
of weapons proliferation, and other related threats
to the integrity of the international financial system.
The FATF assesses over 200 jurisdictions against its
minimum standards for beneficial ownership
transparency. Among other things, it has
established standards on transparency and
beneficial ownership of legal persons, to deter and
prevent the misuse of corporate vehicles. See FATF
Recommendation 24, Transparency and Beneficial
Ownership of Legal Persons, The FATF
Recommendations: International Standards on
Combating Money Laundering and the Financing of
Terrorism and Proliferation (updated Oct. 2020),
available at https://www.fatf-gafi.org/publications/
fatfrecommendations/documents/fatfrecommendations.html; FATF Guidance,
Transparency and Beneficial Ownership, Part III
(Oct. 2014), available at https://www.fatf-gafi.org/
media/fatf/documents/reports/Guidancetransparency-beneficial-ownership.pdf.
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
recipients remained a significant gap in
the United States’ anti-money
laundering/countering the financing of
terrorism (AML/CFT) and countering
the financing of proliferation (CFP)
framework. Broadly, and critically, BOI
can identify linkages between potential
illicit actors and opaque business
entities, including shell companies.
Furthermore, comparing BOI reported
pursuant to the CTA against data
collected under the Bank Secrecy Act
(BSA) and other relevant government
data is expected to significantly further
efforts to identify illicit actors and
combat their financial activities.
At the same time, however, FinCEN
recognizes that BOI is sensitive
information. This final rule reflects
FinCEN’s commitment to creating a
highly useful database for authorized
BOI recipients while protecting this
sensitive information from unauthorized
disclosure. To this end, the final rule
aims to ensure that: (1) only authorized
recipients have access to BOI; (2)
authorized recipients use that BOI only
for purposes permitted by the CTA; and
(3) authorized recipients re-disclose BOI
only in ways that balance protection of
the security and confidentiality of the
BOI with furtherance of the CTA’s
objective of making BOI available to a
range of users for purposes specified in
the CTA. The final rule also provides a
robust framework to ensure that BOI
reported to FinCEN, and received by
authorized recipients, is subject to strict
cybersecurity controls, confidentiality
protections and restrictions, and robust
audit and oversight measures.
Coincident with the protocols described
in this final rule, FinCEN continues to
work to develop a secure, nonpublic
database in which to store BOI, using
rigorous information security methods
and controls typically used in the
Federal government to protect
nonclassified yet sensitive information
systems at the highest security level.
Against this backdrop and consistent
with the CTA, FinCEN will permit
certain Federal, State,11 local, and Tribal
officials, as well as foreign officials
acting through a Federal agency, to
obtain BOI for use in furtherance of
statutorily authorized activities such as
those related to national security,
intelligence, and law enforcement.
11 FinCEN will interpret the term ‘‘State’’
consistent with the definition of that term in the
final Beneficial Ownership Information Reporting
Requirements rule at 87 FR 59498 (Sep. 30, 2022)
(which defines the term ‘‘State’’ to mean ‘‘any state
of the United States, the District of Columbia, the
Commonwealth of Puerto Rico, the Commonwealth
of the Northern Mariana Islands, American Samoa,
Guam, the United States Virgin Islands, and any
other commonwealth, territory, or possession of the
United States.’’).
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
Financial institutions with customer
due diligence requirements under
applicable law will have access to BOI
to facilitate compliance with those
requirements, as will the Federal
functional regulators or other
appropriate regulatory agencies that
supervise or assess those financial
institutions’ compliance with such
requirements.
II. Background
A. Access to Beneficial Ownership
Information
For more than two decades, the U.S.
government has been raising awareness
about the misuse of legal entities by
criminal actors for illicit ends.12
Recently, Secretary of the Treasury Janet
L. Yellen affirmed that:
‘‘The United States has a unique obligation
to tackle corruption. Corrupt actors from
around the world continually attempt to
exploit the vulnerabilities in the U.S.
framework—for countering money
laundering, terrorist financing, and other
forms of illicit finance. . . . Just like
legitimate investors, corrupt actors move
their money through the United States to take
advantage of the world’s largest and most
dynamic economy. They incorporate
companies to benefit from our strong legal
system, buy assets like real estate, and invest
in our deep and liquid markets. . . .
Unmasking shell corporations is the single
most significant thing we can do to make our
financial system inhospitable to corrupt
actors. . . . The beneficial ownership
database will deter dirty money from
entering the U.S.—and give law enforcement
and other partners the tools they need to
follow the money when it does.’’ 13
The Department of the Treasury
(Treasury) has previously observed in
its 2020 National Strategy for Combating
Terrorist and other Illicit Financing (the
2020 Illicit Financing Strategy) that
‘‘[m]isuse of legal entities to hide a
criminal beneficial owner or illegal
source of funds continues to be a
common, if not the dominant, feature of
illicit finance schemes, especially those
involving money laundering, predicate
offences, tax evasion, and proliferation
financing. . . .’’ 14 The 2020 Illicit
12 See
87 FR 59501–59503 (Sept. 30, 2022).
13 U.S. Department of the Treasury (Treasury),
‘‘Remarks by Secretary Janet L. Yellen on AntiCorruption as a Cornerstone of a Fair, Accountable,
and Democratic Economy at the Summit for
Democracy,’’ (Mar. 28, 2023), available at https://
home.treasury.gov/news/press-releases/jy1371.
14 Treasury, National Strategy for Combating
Terrorist and Other Illicit Financing (2020), p. 13,
available at https://home.treasury.gov/system/files/
136/National-Strategy-to-Counter-IllicitFinancev2.pdf. The 2022 National Strategy for
Combating Terrorist and Other Illicit Financing
noted that ‘‘[t]he passage of the CTA was a critical
step forward in closing a long-standing gap and
strengthening the U.S. AML/CFT regime’’ and that
‘‘[a]ddressing the gap in collection at the time of
PO 00000
Frm 00003
Fmt 4701
Sfmt 4700
88733
Financing Strategy further noted a
Treasury finding that, between 2016 and
2019, legal entities were used in a
substantial proportion of adjudicated
Internal Revenue Service (IRS) cases to
perpetrate tax evasion and fraud.15 In a
separate report, the Drug Enforcement
Administration highlighted that drug
trafficking organizations frequently use
shell and front companies to commingle
illicit drug proceeds with legitimate
front company revenue to launder the
illicit drug proceeds.16
As Treasury stressed in its 2022 Illicit
Financing Strategy, law enforcement’s
lack of access to uniform BOI hinders its
ability to swiftly investigate those
entities created and used to hide
ownership for illicit purposes.17
Consequently, authorized recipients’
access to BOI reported under the CTA
will significantly aid efforts to protect
U.S. national security; safeguard the
U.S. financial system; and support U.S.
foreign policy and other interests by
providing a tool to counter corruption,
human smuggling, drug and arms
trafficking, terrorist financing, and other
criminal acts. BOI can also add critical
data to financial analyses in activities
the CTA contemplates, including tax
investigations. BOI can also provide
essential information to the intelligence
and national security professionals who
work to prevent terrorists, proliferators,
and those who seek to undermine our
democratic institutions or threaten other
core U.S. interests from raising, hiding,
or moving money in the United States
through anonymous shell or front
companies.
Entity formation and registration in
the United States happen at the state
and Tribal levels. Although state- and
Tribal-level entity formation laws vary,
most jurisdictions do not require the
party forming an entity to identify its
individual beneficial owners at or after
the time of formation. Additionally, the
vast majority of states require little to no
contact information or other information
about an entity’s officers or others who
entity formation is the most important AML/CFT
regulatory action for the U.S. government.’’
Treasury, National Strategy for Combating Terrorist
and Other Illicit Financing (May 2022), p. 8,
available at https://home.treasury.gov/system/files/
136/2022-National-Strategy-for-CombatingTerrorist-and-Other-Illicit-Financing.pdf (‘‘2022
Illicit Financing Strategy’’).
15 Id. at 14.
16 Drug Enforcement Administration, 2020 Drug
Enforcement Administration National Drug Threat
Assessment (‘‘DEA 2020 NDTA’’) (2020), pp. 87–88,
available at https://www.dea.gov/sites/default/files/
2021-02/DIR-008-21%202020%20
National%20Drug%20Threat%20Assessment_
WEB.pdf.
17 See Treasury, 2022 Illicit Financing Strategy,
supra note 3, p. 12.
E:\FR\FM\22DER3.SGM
22DER3
88734
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
control it.18 Furthermore, although
many financial institutions are required
to collect certain beneficial ownership
information pursuant to FinCEN’s 2016
Customer Due Diligence Rule (2016
CDD Rule),19 and broader Customer
Identification Program (CIP)
obligations,20 that information is not
systematically reported to a central
repository.
Identifying individual beneficial
owners of legal entities in the United
States therefore is often a significant
challenge for law enforcement,21 and it
represents a significant weakness in the
United States’ AML/CFT and CFP
frameworks, as Treasury 22 and the
FATF 23 have noted for some time.
18 See CTA, section 6402(2) (‘‘[M]ost or all States
do not require information about the beneficial
owners of corporations, limited liability companies,
or other similar entities formed under the laws of
the State’’); U.S. Government Accountability Office,
Company Formations: Minimal Ownership
Information Is Collected and Available (Apr. 2006),
available at https://www.gao.gov/assets/gao-06376.pdf; see also, e.g., The National Association of
Secretaries of State (NASS), NASS Summary of
Information Collected by States (Jun. 2019),
available at https://www.nass.org/sites/default/files/
company%20formation/nass-business-entity-infocollected-june2019.pdf.
19 Final Rule, Customer Due Diligence
Requirements for Financial Institutions, 81 FR
29398–29402 (May 11, 2016); 31 CFR 1010.230.
20 See e.g., 31 CFR 1020.220.
21 In 2019, for example, Steven M. D’Antuono,
Acting Deputy Assistant Director of the FBI’s
Criminal Investigative Division testified before
Congress that ‘‘[t]he process for the production of
[beneficial ownership] records can be lengthy,
anywhere from a few weeks to many years, and . . .
can be extended drastically when it is necessary to
obtain information from other countries . . . . [I]f
an investigator obtains the ownership records,
either from a domestic or foreign entity, the
investigator may discover that the owner of the
identified corporate entity is an additional
corporate entity, necessitating the same process for
the newly discovered corporate entity. Many
professional launderers and others involved in
illicit finance intentionally layer ownership and
financial transactions in order to reduce
transparency of transactions. As it stands, it is a
facially effective way to delay an investigation.’’
D’Antuono further acknowledged that these
challenges may be even greater for State, local, and
Tribal law enforcement agencies that may not have
the same resources as their Federal counterparts to
undertake long and costly investigations to identify
beneficial owners. D’Antuono noted that requiring
the disclosure of BOI by legal entities and the
creation of a central BOI repository available to law
enforcement and regulators could address these
challenges. Federal Bureau of Investigation (FBI),
Testimony of Steven M. D’Antuono, Section Chief,
Criminal Investigative Division, ‘‘Combatting Illicit
Financing by Anonymous Shell Companies’’ (May
21, 2019), available at https://www.fbi.gov/news/
testimony/combating-illicit-financing-byanonymous-shell-companies.
22 Treasury, Treasury Announces Key Regulations
and Legislation to Counter Money Laundering and
Corruption, Combat Tax Evasion, May 5, 2016,
available at https://home.treasury.gov/news/pressreleases/jl0451.
23 See FATF Recommendation 24, Transparency
and Beneficial Ownership of Legal Persons, The
FATF Recommendations: International Standards
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
Currently, obtaining BOI through grand
jury subpoenas and other means can
involve considerable effort. Grand jury
subpoenas, for example, require an
underlying grand jury investigation into
a possible violation of law. Furthermore,
the law enforcement officer or
investigator must work with a
prosecutor’s office, such as a U.S.
Attorney’s Office, to open a grand jury
investigation, obtain the grand jury
subpoena, and issue it on behalf of the
grand jury. The investigator also needs
to determine who should receive the
subpoena and coordinate service, which
creates additional complications in
cases involving complicated corporate
structuring. Sometimes this work is all
for naught because the investigation
involves an entity formed or registered
in a jurisdiction that does not require
BOI for formation or registration.
FinCEN’s existing regulatory tools
help, but they provide only partial
solutions. The 2016 CDD Rule, for
example, requires that certain types of
U.S. financial institutions identify and
verify the beneficial owners of legal
entity customers at the time of account
opening.24 The information financial
institutions must collect under the 2016
CDD Rule, however, is generally neither
comprehensive nor reported to the U.S.
government (nor to State, local, or Tribal
governments), except when filed in
suspicious activity reports (SARs) or in
response to judicial process. Moreover,
the 2016 CDD Rule applies only to legal
entities that open accounts at certain
U.S. financial institutions. Other
FinCEN authorities—geographic
targeting orders 25 and the so-called
‘‘311 measures’’ (i.e., special measures
imposed on foreign jurisdictions,
foreign financial institutions, or
international transactions of primary
money laundering concern) 26—offer
temporary and targeted tools. Neither
provides law enforcement the ability to
reliably, efficiently, and consistently
identify new entities for investigation or
follow investigatory leads.
This Final Rule will help to fill in
these gaps while creating a framework
to keep BOI secure and confidential.
B. The CTA
The CTA is part of the AML Act,
which is a part of the 2021 NDAA. The
CTA added a new section, 31 U.S.C.
on Combating Money Laundering and the Financing
of Terrorism and Proliferation (updated Oct. 2020),
available at https://www.fatf-gafi.org/publications/
fatfrecommendations/documents/fatfrecommendations.html.
24 31 CFR 1010.230(b)(1).
25 31 U.S.C. 5326(a); 31 CFR 1010.370.
26 31 U.S.C. 5318A, as added by section 311 of the
USA PATRIOT Act (Pub. L. 107–56).
PO 00000
Frm 00004
Fmt 4701
Sfmt 4700
5336, to the BSA to enhance beneficial
ownership transparency while
minimizing the burden on the regulated
community.27 This new section requires
certain types of domestic and foreign
entities, called ‘‘reporting companies,’’
to submit BOI to FinCEN.28 Specifically,
reporting companies must submit to
FinCEN, for each beneficial owner and
each individual who files an application
to form a domestic entity or register a
foreign entity to do business in the
United States (the ‘‘company
applicant’’), four pieces of information:
the individual’s full legal name, date of
birth, current residential or business
street address, and either a unique
identifying number from an acceptable
identification document (e.g., a
passport) or the individual’s ‘‘FinCEN
identifier.’’ 29
The CTA establishes that BOI is
‘‘sensitive information.’’ 30 The statute
treats it as such by limiting its access
and use to specified parties for
particular purposes.31 In particular,
Congress authorized FinCEN to disclose
BOI only to a statutorily defined group
of governmental authorities and
financial institutions, and only in
defined circumstances. The CTA further
provides that the Secretary of the
Treasury (Secretary) must ‘‘maintain
[BOI] in a secure, nonpublic database,
using information security methods and
techniques that are appropriate to
protect nonclassified information
systems at the highest security level.’’ 32
As discussed in detail in section II.E,
FinCEN is currently building the secure
information technology (IT) system into
which reporting companies will submit,
and from which authorized recipients
will generally obtain, BOI.
In addition to setting out
requirements and restrictions related to
BOI reporting and access, the CTA
requires that FinCEN revise the 2016
CDD Rule within one year of the BOI
reporting requirements taking effect. In
particular, the CTA directs FinCEN to
revise the 2016 CDD Rule to: (1) bring
it into conformity with the AML Act as
a whole, including the CTA; (2) account
for financial institutions’ access to BOI
27 CTA,
section 6403.
U.S.C. 5336(b)(1), (2). The CTA generally
exempts from the reporting requirements banks and
other entities that are already subject to significant
regulatory regimes meant to expose their beneficial
owners, among other purposes. See id. at
5336(a)(11)(B).
29 Id. at 5336(b)(2).
30 CTA, section 6402(6).
31 Id.
32 CTA, section 6402(7)(A). While the statutory
language seems to include a typographical error that
refers to another provision (not related to BOI), it
also seems clear that the object of protection in this
case is BOI.
28 31
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
reported to FinCEN ‘‘in order to confirm
the beneficial ownership information
provided directly to the financial
institutions’’ for AML/CFT and
customer due diligence purposes; and
(3) reduce unnecessary or duplicative
burdens on financial institutions and
legal entity customers.33 In carrying out
these provisions, the CTA further
requires FinCEN to rescind paragraphs
(b) through (j) of 31 CFR 1010.230.34
FinCEN began implementing the CTA
by publishing an ANPRM on April 5,
2021.35 The ANPRM sought input on
five open-ended categories of questions,
including questions on clarifying key
CTA definitions and on how FinCEN
should implement CTA provisions
governing FinCEN’s maintenance and
disclosure of BOI subject to appropriate
access protocols. In response to the
ANPRM, FinCEN received and
considered 220 comments from parties
that included businesses, civil society
organizations, trade associations, law
firms, secretaries of state and other state
officials, Indian Tribes, members of
Congress, and private citizens.
FinCEN next published the Reporting
NPRM on December 8, 2021.36 The
Reporting NPRM described Treasury’s
efforts to address the lack of
transparency in the ownership of certain
legal entities, and proposed regulations
specifying what BOI must be reported to
FinCEN pursuant to CTA requirements,
by whom, and when. These regulations
also proposed processes for obtaining,
updating, and using FinCEN identifiers.
The Reporting NPRM included a 60-day
comment period, which closed on
February 7, 2022. FinCEN received over
240 comments on the Reporting NPRM.
After considering those comments,
FinCEN published a final rule
implementing the CTA’s BOI reporting
requirements on September 30, 2022
(Reporting Rule).37 The Reporting Rule
takes effect on January 1, 2024, and is
the first of three rulemakings required
by the CTA. Under the Reporting Rule,
reporting companies in existence before
the effective date will have until January
1, 2025, to report.38 The Reporting Rule
33 CTA,
section 6403(d)(1)(A)–(C).
section 6403(d)(1)–(2). The CTA orders
the rescission of paragraphs (b) through (j) directly
(‘‘the Secretary of the Treasury shall rescind
paragraphs (b) through (j)’’) and orders the retention
of paragraph (a) by a negative rule of construction
(‘‘nothing in this section may be construed to
authorize the Secretary of the Treasury to repeal
. . . [31 CFR] 1010.230(a)[.]’’). The statute also
provides a list of considerations to take into account
when revising the 2016 CDD Rule. See generally
CTA, section 6403(d)(3).
35 86 FR 17557 (Apr. 5, 2021).
36 86 FR 69920 (Dec. 8, 2021).
37 87 FR 59498 (Sept. 30, 2022).
38 Reporting Rule, 31 CFR 1010.380(a)(1)(i)-(ii).
ddrumheller on DSK120RN23PROD with RULES3
34 CTA,
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
also provided that reporting companies
created or registered to do business on
or after January 1, 2024 would need to
submit BOI to FinCEN within 30 days
of receiving notice of a company’s
creation or registration.39 However, on
November 30, 2023, FinCEN published
a final rule to extend the timeframe for
reporting companies created or
registered on or after January 1, 2024,
and before January 1, 2025, to submit
their initial BOI reports to FinCEN.
Under this amendment to the Reporting
Rule, reporting companies created or
registered on or after January 1, 2024,
and before January 1, 2025, will have 90
days to submit their initial BOI reports,
instead of 30 days. Reporting companies
formed on or after January 1, 2025, will
continue to be required to submit their
initial BOI reports within 30 days.
The Reporting Rule also reserved for
further consideration certain provisions
concerning the use of FinCEN
identifiers for entities.
FinCEN next published the Access
NPRM regarding the CTA’s BOI access
and safeguard provisions on December
16, 2022.40 The proposed regulations
reflected information gleaned from over
30 outreach sessions with
representatives from Federal agencies,
state courts, state and local prosecutors’
offices, Tribal governments, financial
institutions, financial self-regulatory
organizations (SROs), and government
offices that had established beneficial
ownership databases, as well as from
comments to the prior CTA-related
publications. The Access NPRM also
included proposed amendments to the
reporting regulations that would finalize
the remaining Reporting Rule provisions
concerning the use of FinCEN
identifiers for entities. The comment
period for the Access NPRM closed on
February 14, 2023.
This final rule adopts, with
modifications, the proposed regulations
in the Access NPRM and is the second
rulemaking required by the CTA. These
final access and safeguard regulations
(‘‘Access Rule’’) aim to ensure that: (1)
only authorized recipients have access
to BOI; (2) authorized recipients use that
access only for purposes permitted by
the CTA; and (3) authorized recipients
only re-disclose BOI in ways that
balance protecting its security and
confidentiality with the CTA objective
of making BOI available to a range of
users for authorized purposes. The
regulations also provide a robust
framework to ensure that BOI reported
to FinCEN, and received by authorized
recipients, is subject to strict
39 Id.
40 87
PO 00000
at 1010.380(a)(iii).
FR 77404 (Dec. 16, 2022).
Frm 00005
Fmt 4701
Sfmt 4700
88735
cybersecurity controls, confidentiality
protections and restrictions, and robust
audit and oversight measures.
FinCEN will implement the CTA
requirement to revise the 2016 CDD
Rule through a future rulemaking
process. That process will provide the
public with an opportunity to comment
on the effect of the final provisions of
the BOI reporting and access rules on
financial institutions’ customer due
diligence obligations.
Finally, the CTA requires the
Inspector General of the Department of
the Treasury to provide public contact
information to receive external
comments or complaints regarding the
BOI notification and collection process
or regarding the accuracy, completeness,
or timeliness of such information.41
Treasury’s Office of Inspector General
(‘‘Treasury OIG’’) has established the
following email inbox to receive such
comments or complaints:
CorporateTransparency@oig.treas.gov.
C. The Access NPRM
As noted above in section II.B,
FinCEN published the Access NPRM on
December 16, 2022. The NPRM had a
60-day comment period that closed on
February 14, 2023. FinCEN received
over 80 comments. The NPRM
described who would be authorized to
access BOI reported to FinCEN, how
those parties could use the information,
and how they would be required to
safeguard it.
The proposed regulations would
amend 31 CFR 1010.950(a) to clarify
that the disclosure of BOI would be
governed by proposed 31 CFR 1010.955,
rather than 31 CFR 1010.950(a), which
governs disclosure of other BSA
information. The CTA specifies
disclosure rules applicable to BOI that
are distinct from BSA provisions
authorizing disclosure of other BSA
information.42
The Access NPRM proposed to
incorporate the CTA’s general
prohibition on the disclosure of BOI by
individual recipients to others unless
authorized to do so under the statute or
its implementing regulations, with
certain clarifications regarding the
applicability and duration of that
prohibition. The proposed regulations
would authorize the disclosure and use
of BOI to facilitate the purposes of the
CTA, with FinCEN further proposing to
retain the authority to permit in writing
the re-disclosure of BOI in other
circumstances.
The proposed regulations included
provisions that would address a range of
41 See
42 See
E:\FR\FM\22DER3.SGM
31 U.S.C. 5336(h)(4).
31 U.S.C. 5336(c)(2), (5).
22DER3
88736
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
administrative matters, e.g.,
circumstances under which FinCEN
could decline to provide requested BOI
or debar or suspend an authorized
recipient, and would incorporate CTA
provisions that impose civil and
criminal penalties for knowingly
disclosing or knowingly using BOI in
ways that were not authorized by the
CTA. The proposed rule also would
reinforce the security and
confidentiality requirements of the CTA
by making clear the range of actions that
could constitute unauthorized
disclosure and use.
Finally, the Access NPRM made a
new proposal regarding the use of
FinCEN identifiers for entities, which
was initially addressed in the Reporting
NPRM and then deferred in the Final
Reporting Rule. Specifically, the
proposed regulations would clarify that
a reporting company would be
permitted to report the FinCEN
identifier of an intermediate entity (i.e.,
an entity through which an individual
beneficial owner exercises substantial
control or owns ownership interests in
a reporting company) in lieu of a
beneficial owner’s PII only when three
criteria are met. Taken together, these
requirements sought to avoid the use of
FinCEN identifiers to obscure beneficial
ownership in a reporting company
when the entity’s ownership structure
involves multiple beneficial owners and
intermediate entities. FinCEN published
a final rule to implement these
provisions regarding the use of FinCEN
identifiers for entities on November 8,
2023.43
The Access NPRM, however,
primarily focused on the scope of and
requirements for access to and
protection of BOI reported to FinCEN.
The following subsections outline how
the proposed regulations would apply to
five categories of authorized recipients
for which the CTA prescribes specific
requirements with respect to access to
and use of BOI.
i. Domestic Agencies
The first category of BOI recipients
authorized by the CTA consists of (1)
Federal agencies engaged in national
security, intelligence, or law
enforcement activity if the requested
BOI is for use in furtherance of such
activity; 44 and (2) State, local, and
Tribal law enforcement agencies if ‘‘a
court of competent jurisdiction’’
authorizes the law enforcement agency
to seek the information in a criminal or
civil investigation.45 Federal agency
43 88
FR 76995 (Nov. 8, 2023).
U.S.C. 5336(c)(2)(B)(i)(I).
45 31 U.S.C. 5336(c)(2)(B)(i)(II).
44 31
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
access to BOI would be contingent on
the type of activity an agency engages in.
In contrast, State, local, and Tribal
access would be contingent on two
conditions; (1) whether the recipient is
a law enforcement agency, i.e., the type
of agency; and (2) whether a State, local,
or Tribal law enforcement agency
receives authorization from a court of
competent jurisdiction to request BOI
from FinCEN.
The Access NPRM proposed
definitions for ‘‘national security,’’
‘‘intelligence,’’ and ‘‘law enforcement’’
activities in a manner consistent with
the CTA. In particular, the Access
NPRM proposed that ‘‘law enforcement’’
include both criminal and civil
investigations and actions, including
actions to impose civil penalties, civil
forfeiture actions, and civil enforcement
through administrative proceedings. For
access by State, local and Tribal law
enforcement, the Access NPRM
proposed to define ‘‘court of competent
jurisdiction’’ as any court with
jurisdiction over the criminal or civil
investigation for which the State, local,
or Tribal law enforcement agency
requested BOI. The Access NPRM
further proposed that the requisite court
authorization would have to be in the
form of a court order, with the
understanding that the term ‘‘order’’
could encompass many authorization
types issued by a range of court officers
(i.e., individuals empowered to exercise
a court’s authority and issue
authorizations on its behalf, excluding
individual attorneys). The NPRM
specifically sought feedback on the
scope of this definition.
The proposed regulations would also
require all Federal agencies engaged in
national security, intelligence, or law
enforcement activity to provide a brief
justification for each search for BOI in
the FinCEN IT system and certify
compliance with the applicable
regulatory requirements. State, local,
and Tribal law enforcement agencies
would also have had to provide a brief
justification for each search for BOI and
submit copies of their court orders for
FinCEN review. Upon meeting these
requirements, both Federal agencies
engaged in national security,
intelligence, or law enforcement activity
and State, local, and Tribal law
enforcement agencies would have the
ability to conduct searches for BOI in
the beneficial ownership IT system (the
‘‘BO IT system’’) relevant to their
investigation. The BO IT system would
provide these users with both a
reporting company’s BOI at the time of
the request as well as any previously
submitted BOI.
PO 00000
Frm 00006
Fmt 4701
Sfmt 4700
Furthermore, the Access NPRM
proposed that Federal agencies engaged
in a national security, intelligence, or
law enforcement activity, as well as
State, local, and Tribal law enforcement
agencies, would be authorized to
disclose BOI obtained directly from
FinCEN to courts of competent
jurisdiction or parties to a civil or
criminal proceeding. This authorization
would only apply to civil or criminal
proceedings involving U.S. Federal,
State, local, and Tribal laws. In the
preamble to the Access NPRM, FinCEN
explained that it envisioned agencies
relying on this provision when, for
example, a prosecutor would need to
provide a criminal defendant with BOI
in discovery or use it as evidence in a
court proceeding or trial.46
The CTA prescribes a number of
security and confidentiality
requirements that the Secretary must
impose on requesting Federal, State,
local, and Tribal agencies and their
heads. These include requirements for
secure storage systems and access
policies and procedures; personnel
access controls; recordkeeping,
reporting, and audit requirements; and
written certifications. These
requirements affirm the importance of
the security and confidentiality
protocols and the need for a high degree
of accountability for the protection of
BOI. The proposed regulations
described how each requesting agency,
before it could obtain BOI from FinCEN,
would be required to enter into a
memorandum of understanding (MOU)
with FinCEN specifying the standards,
procedures, and systems that the agency
would be required to maintain to protect
BOI, including security plans. FinCEN
explained in the preamble to the Access
NPRM that these requirements are
extensive by necessity given the broad
search functionality within the BO IT
system that would be available to this
category of authorized recipients.
ii. Foreign Requesters
The second category consists of
foreign law enforcement agencies,
judges, prosecutors, central authorities,
and competent authorities (‘‘foreign
requesters’’), provided their requests
come through an intermediary Federal
agency, meet additional criteria, and are
made either (1) under an international
treaty, agreement, or convention; or (2)
via a request made by law enforcement,
judicial, or prosecutorial authorities in a
trusted foreign country (when no
international treaty, agreement, or
convention is available).47
46 See
47 See
E:\FR\FM\22DER3.SGM
CTA, section 6402(5)(D).
31 U.S.C. 5336(c)(2)(B)(ii).
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
FinCEN generally did not propose to
identify in the Access NPRM any
specific Federal agencies that would
serve as intermediaries with foreign
governments.48 FinCEN instead
indicated that it would work with
Federal agencies to identify those that
are well positioned to be intermediaries,
based on several factors, including: the
level of engagement with foreign law
enforcement agencies, judges,
prosecutors, central authorities, or
competent authorities; responsibility
under international treaties, agreements,
or conventions; and capacity to process
requests for BOI while managing risks of
unauthorized disclosure. The Access
NPRM proposed to permit intermediary
Federal agencies to use BOI obtained
from FinCEN at the behest of a foreign
requester only to facilitate a response to
that foreign requester.
With respect to the requirement that
a foreign request be made under an
‘‘international treaty, agreement, or
convention,’’ FinCEN explained that it
understood those terms to cover a
legally binding agreement governed by
international law. FinCEN did not
propose to identify specific countries it
would treat as ‘‘trusted’’ in situations
when no international treaty, agreement,
or convention applied. The Access
NPRM explained that to define ‘‘trusted
foreign country’’ would have risked
arbitrarily excluding foreign requesters
with whom sharing BOI might be
appropriate in some cases but not
others. FinCEN instead proposed to
conduct case-by-case assessments in
consultation with relevant U.S.
government agencies to determine
whether to disclose BOI to a foreign
requester in a particular instance.
In the Access NPRM, FinCEN
explained that it did not expect foreign
requesters to have direct access to the
BO IT system, but rather that
intermediary Federal agencies would
perform BOI searches in the system on
a foreign requester’s behalf. Before
acting as intermediaries, Federal
agencies would first have to fulfill
several requirements, including: (1)
ensuring that they have secure systems
for BOI storage; (2) entering into MOUs
with FinCEN outlining expectations and
responsibilities; (3) incorporating the
CTA foreign sharing requirements into
evaluation criteria with which to review
BOI requests from foreign requesters; (4)
integrating the evaluation criteria into
their existing information-sharing
policies and procedures; (5) developing
48 Given its longstanding relationships and
relevant experience as the financial intelligence
unit of the United States, FinCEN proposed to
directly receive, evaluate, and respond to requests
for BOI from foreign financial intelligence units.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
additional security protocols and
systems as required under the CTA and
this rule; and (6) ensuring that their
personnel have sufficient training on
BOI security and use requirements and
restrictions.
Under the Access NPRM, an
intermediary Federal agency would be
authorized to submit foreign requests for
BOI to FinCEN only after meeting these
requirements. Such requests would
need to include certain information,
including: (1) the names of both the
individual within the intermediary
Federal agency making the request and
the individual affiliated with the foreign
requester on whose behalf the request
was being made; and (2) either the
international treaty, agreement, or
convention under which the request
was being made, or a statement that no
such instrument governs along with an
explanation of the information’s
intended use. Intermediary Federal
agencies would also need to certify that
a request meets applicable eligibility
criteria. After doing so, an intermediary
Federal agency could then search for
and retrieve requested BOI from the
system and respond to the foreign
requester in a manner consistent with
either the international treaty,
agreement, or convention, or the request
from the trusted foreign country.
Intermediary Federal agencies would be
required to maintain records
documenting specified elements of each
search, both for the agency’s own
internal auditing and for FinCEN audits
as required under the CTA.
Recognizing the importance that all
authorized BOI recipients—including
foreign requesters—take appropriate
steps to keep BOI confidential and
secure and to prevent misuse, FinCEN
also proposed requiring foreign
requesters to handle, disclose, and use
BOI consistent with the requirements of
the applicable international treaty,
agreement, or convention under which
it is requested. When no treaty,
agreement, or convention applies, the
Access NPRM proposed that the head of
an intermediary Federal agency, acting
on behalf of a foreign requester, or their
designee, would need to submit to
FinCEN a written explanation of the
specific purpose for which the foreign
requester is requesting BOI. The
intermediary Federal agency in such
cases would have also needed to
provide FinCEN with a certification that
the requested BOI would be: (1) used in
furtherance of a law enforcement
investigation or prosecution, or for a
national security or intelligence activity
that is authorized under the laws of the
relevant foreign country; (2) only used
for the particular purpose or activity for
PO 00000
Frm 00007
Fmt 4701
Sfmt 4700
88737
which it was requested; and (3) handled
in accordance with specified security
and confidentiality requirements. Under
the proposed rule, the certification
would reflect what the head of the
intermediary Federal agency head or
their designee understands to be the
intended use for the BOI, rather than a
guarantee from the intermediary Federal
agency that the foreign requester would
not use the information for
unauthorized purposes. The Access
NPRM further specified that FinCEN
could request additional information
from the requester to support FinCEN’s
evaluation of whether to disclose BOI to
a foreign requester when the request is
not pursuant to an international treaty,
agreement, or convention.
iii. Financial Institutions With Customer
Due Diligence Compliance Obligations
Under Applicable Law
The third authorized recipient
category under the CTA is financial
institutions that use BOI ‘‘to facilitate
compliance with customer due
diligence requirements under applicable
law.’’ 49 FinCEN proposed to define the
term ‘‘customer due diligence
requirements under applicable law’’ to
mean FinCEN’s customer due diligence
regulations at 31 CFR 1010.230, which
require covered financial institutions to
identify and verify beneficial owners of
legal entity customers. FinCEN
considered other approaches, but
concluded that focusing on its 2016
CDD Rule alone would make this access
category easier to administer, reduce
uncertainty about which financial
institutions could access BOI under the
proposed rule, and better protect the
security and confidentiality of sensitive
BOI by limiting the circumstances under
which financial institutions could
access the information. There also did
not appear to be any State, local, or
Tribal customer due diligence
requirements comparable in substance
to FinCEN’s 2016 CDD Rule.50
The CTA further requires that a
reporting company’s consent is
necessary in order for a financial
institution to obtain BOI from FinCEN.
FinCEN proposed to make financial
institutions responsible for obtaining
this consent. That proposal reflected
FinCEN’s assessment that financial
institutions are best positioned to obtain
and manage consent through existing
49 31
U.S.C. 5336(c)(2)(B)(iii).
the Access NPRM, FinCEN specifically asked
commenters to identify any Federal, State, local, or
Tribal law requirements comparable to the 2016
CDD Rule regarding financial institutions
identifying and verifying beneficial owners of legal
entity customers. FinCEN received no responses to
that request.
50 In
E:\FR\FM\22DER3.SGM
22DER3
88738
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
processes and by virtue of having direct
relationship with reporting companies
as customers. Although certain
certifications would be required, the
Access NPRM did not propose that
financial institutions submit proof of a
reporting company’s consent. FinCEN
recognized that it would not have the
capacity to review, verify, and store
consent forms, and additional FinCEN
involvement would create undue delays
for the ability of financial institutions to
onboard customers. FinCEN also
explained that a financial institution’s
compliance with these requirements
would be assessed by Federal functional
regulators in the ordinary course during
examinations, or by financial SROs
during their routine BSA
examinations.51
FinCEN described in the Access
NPRM its plan to establish for financial
institutions a more circumscribed BO IT
system interface than would be
available to most Federal agencies and
State, local, and Tribal law enforcement
agencies. This would be based on the
defined purposes for which financial
institutions can use BOI under the CTA
and the proposed requirement that they
obtain reporting company consent
before requesting the information from
FinCEN. The interface would require
financial institutions to submit
identifying information specific to a
particular reporting company (for
example, the company name and tax
identification number). In return, the
financial institution would receive an
electronic transcript with that reporting
company’s BOI at the time of the
request. The transcript would not
include any previously submitted BOI
for the reporting company.
Although the CTA does not
specifically address the safeguards that
financial institutions must implement as
a condition for requesting BOI, the CTA
authorizes FinCEN to prescribe by
regulation any other safeguards
determined to be necessary or
appropriate to protect the
confidentiality of BOI.52 In exercising
this authority, FinCEN proposed a
principles-based approach by requiring
that financial institutions develop and
implement administrative, technical,
and physical safeguards reasonably
51 The CTA requirements financial institutions
must satisfy to qualify for BOI disclosure from
FinCEN are part of the BSA, a statute enacted in
pertinent part in Chapter X of the Code of Federal
Regulations. FinCEN has delegated its authority to
examine financial institutions for compliance with
Chapter X to the Federal functional regulators. See
31 CFR 1010.810. Separately, the FBAs have their
own authority to examine the financial institutions
that they supervise for compliance with the BSA.
See 12 U.S.C. 1786(q)(2), 1818(s)(2).
52 31 U.S.C. 5336(c)(3)(K).
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
designed to protect BOI as a
precondition for receiving the
information. The proposed regulations
would establish that the security and
information handling procedures
necessary to comply with section 501 of
the Gramm-Leach-Bliley Act (GrammLeach-Bliley) 53 and related regulations
to protect nonpublic customer personal
information, if applied to BOI under the
control of the financial institution,
would satisfy this requirement.
Financial institutions not subject to
regulations issued pursuant to section
501 of Gramm-Leach-Bliley would be
held to these same substantive
standards under the proposed rules.
Subject to certain conditions, the
Access NPRM proposed to authorize
financial institutions to share BOI that
they obtained from FinCEN for use in
fulfilling customer due diligence
obligations with: (1) their Federal
functional regulators, (2) qualifying
SROs, or (3) any other appropriate
regulatory agency. FinCEN proposed
this authorization for the sake of
efficiency and to more easily provide
regulators with a complete picture of
how financial institutions are obtaining
and using BOI for customer due
diligence compliance, thereby
supporting the aims and purposes of the
CTA, as well as helping them detect
compliance failures.
iv. Regulatory Agencies
The fourth category of authorized
recipient under the proposed
regulations is Federal functional
regulators and other appropriate
regulatory agencies that (1) are
authorized to assess, supervise, enforce,
or otherwise determine financial
institution compliance with customer
due diligence requirements under
applicable law; (2) use BOI solely to
conduct an assessment, supervision, or
authorized investigation or activity
under 31 U.S.C. 5336(c)(2)(C)(i); and (3)
enter into an agreement with FinCEN
describing appropriate protocols for
obtaining BOI.
The proposed regulations also
incorporated the CTA’s limitation on
the scope of access by these agencies.
The CTA states that BOI that FinCEN
discloses to financial institutions should
‘‘also be available to [their qualifying
regulators].’’ 54 The Access NPRM
therefore proposed to allow only
qualifying regulators to obtain from
FinCEN BOI that financial institutions
that they supervise for customer due
diligence compliance had already
53 Public Law 106–102, 113 Stat. 1338, 1436–37
(1999).
54 31 U.S.C. 5336(c)(2)(C) (emphasis added).
PO 00000
Frm 00008
Fmt 4701
Sfmt 4700
obtained under the CTA and its
implementing regulations. Obtaining
BOI from FinCEN would require Federal
functional regulators and other
appropriate regulatory agencies to
certify to FinCEN when requesting BOI
that the agency (1) is authorized by law
to assess, supervise, enforce, or
otherwise determine the relevant
financial institution’s compliance with
customer due diligence requirements
under applicable law, and (2) would use
the information solely for that activity.
FinCEN made clear in the Access
NPRM that it did not believe this
customer due diligence-specific
authorization was the exclusive means
through which one of these regulators
could obtain BOI. The access provision
for Federal agencies engaged in national
security, intelligence, or law
enforcement activities focuses on
activity categories, not agency types. To
the extent that a Federal functional
regulator, like the Securities and
Exchange Commission (SEC), engages in
civil law enforcement activities, agency
officers, employees, contractors, and
agents responsible for those activities
could obtain BOI under the access
provision for Federal law enforcement
activity. The same principle applies to
other agencies with both supervisory
responsibility and authority to engage in
other covered activity, including,
potentially, State, local, and Tribal law
enforcement agencies.
In the Access NPRM, FinCEN clarified
that it would adopt its existing
regulatory definition of ‘‘Federal
functional regulators’’ to minimize the
risk of confusion.55 FinCEN did not
propose to define ‘‘other appropriate
regulatory agencies,’’ because it assessed
that the requirement that an agency be
authorized by law to supervise financial
institutions for customer due diligence
compliance sufficiently circumscribed
the category.
In the Access NPRM, FinCEN
considered whether SROs registered
with or designated by a Federal
functional regulator pursuant to Federal
statute 56 (‘‘qualifying SROs’’) should
qualify as ‘‘other appropriate regulatory
agencies.’’ These organizations—like the
Financial Industry Regulatory Authority
(FINRA) or the National Futures
Association (NFA)—are not traditionally
55 Under this definition, the six Federal
functional regulators that supervise financial
institutions with customer due diligence obligations
are the Board of Governors of the Federal Reserve
System (FRB), the Office of the Comptroller of the
Currency (OCC), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union
Administration (NCUA), the SEC, and the
Commodity Futures Trading Commission (CFTC).
See 31 CFR 1010.100(r).
56 See, e.g., 7 U.S.C. 21; 15 U.S.C. 78o–3.
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
understood to be agencies of the U.S.
government,57 but they do exercise selfregulatory authority within the
framework of Federal law, and work
under the supervision of Federal
functional regulators to assess,
supervise, and enforce financial
institution compliance with, among
other things, customer due diligence
requirements.58 These qualifying SROs
also are subject to extensive oversight by
Federal agencies.59
FinCEN believed that qualifying SROs
fulfill a critical role in overseeing
participants in the financial services
sector which justified their limited and
derivative access to BOI: Without this
level of access, qualifying SROs would
not be able to effectively evaluate a
financial institution’s customer due
diligence compliance. The CTA
provides FinCEN broad discretion to
specify the conditions under which
authorized recipients of BOI may redisclose that information to others.
Consequently, the Access NPRM
proposed to permit both financial
institutions and Federal functional
regulators to re-disclose to qualifying
SROs any BOI they obtained from
FinCEN for use in complying with
customer due diligence requirements
under applicable law. A qualifying SRO
would (1) need to satisfy the same three
conditions applicable to Federal
functional regulators and other
appropriate regulatory agencies, and (2)
be permitted to use the information for
the limited purpose of examining
compliance with applicable customer
due diligence obligations.
The Access NPRM further proposed
that Federal functional regulators would
also be permitted to disclose BOI to DOJ
for purposes of making a referral to DOJ
or for use in litigation related to the
activity for which the requesting agency
requested the information.
ddrumheller on DSK120RN23PROD with RULES3
v. Department of the Treasury Access
The CTA includes separate, Treasuryspecific provisions for accessing BOI,
57 See, e.g., In re William H. Murphy & Co., SEC
Release No. 34–90759, 2020 WL 7496228, *17 (Dec.
21, 2020) (explaining that FINRA ‘‘is not a part of
the government or otherwise a [S]tate actor’’ to
which constitutional requirements apply).
58 See, e.g., FINRA Rule 3310(f); NFA Compliance
Rule 2–9(c)(5).
59 See, e.g., Scottsdale Cap. Advisors Corp. v.
FINRA, 844 F.3d 414, 418 (4th Cir. 2016) (‘‘Before
any FINRA rule goes into effect, the SEC must
approve the rule and specifically determine that it
is consistent with the purposes of the Exchange Act.
The SEC may also amend any existing rule to
ensure it comports with the purposes and
requirements of the Exchange Act.’’ (citations
omitted); Birkelbach v. SEC, 751 F.3d 472, 475 (7th
Cir. 2014) (‘‘A [FINRA] member can appeal the
disposition of a FINRA disciplinary proceeding to
the SEC, which performs a de novo review of the
record and issues a decision of its own.’’).
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
tying the access to a Treasury officer’s
or employee’s official duties requiring
BOI inspection or disclosure,60
including for tax administration
purposes.61 Proposed 31 CFR
1010.955(b)(5) tracked these
authorizations, and provided that
Treasury officers and employees may
receive BOI where their official duties
require such access, or for tax
administration, consistent with
procedures and safeguards established
by the Director of FinCEN. The
proposed regulations also clarified the
term ‘‘tax administration purposes’’ by
adding a reference to the definition of
‘‘tax administration’’ in the Internal
Revenue Code.62
The Access NPRM explained that
FinCEN envisioned Treasury
components having broad search
functionality comparable to that of
Federal agencies engaged in national
security, intelligence, or law
enforcement activity. This would
include using BOI for enforcement
actions, intelligence and analytical
purposes, sanctions-related
investigations, and identifying property
blocked pursuant to sanctions, as well
as for activities unique to Treasury, such
as for tax administration and
administration of the BOI framework,
including audits, enforcement, and
oversight. As with other Federal
agencies requesting BOI for their own
use, Treasury would also be permitted
to disclose BOI for purposes of making
a referral to DOJ or for use in litigation
related to the activity for which
Treasury officers, employees,
contractors, or agents requested the
information.
The Access NPRM further explained
that FinCEN expected to work with
other Treasury components to establish
internal policies and procedures
governing Treasury access to BOI.
FinCEN noted that it anticipated that
the security and confidentiality
protocols in those policies and
procedures would include elements of
the protocols described in proposed 31
CFR 1010.955(d)(1) as applicable to
Treasury activities and organization.
Furthermore, officers and employees
identified as having duties potentially
requiring access to BOI would receive
training on, among other topics,
determining when their duties require
access to BOI, what they can do with the
information, and how to handle and
safeguard it. Their activities would also
be subject to audit.
60 See
31 U.S.C. 5336(c)(5)(A).
31 U.S.C. 5336(c)(5)(B).
62 26 U.S.C. 6103(b)(4).
61 See
PO 00000
Frm 00009
Fmt 4701
Sfmt 4700
88739
D. CTA Implementation Efforts
i. Beneficial Ownership IT System
The CTA directs the Secretary to
maintain BOI ‘‘in a secure, nonpublic
database, using information security
methods and techniques that are
appropriate to protect nonclassified
information security systems at the
highest security level . . . .’’ 63 FinCEN
is implementing this requirement by
developing a secure BO IT system to
receive, store, and maintain BOI.
Consistent with the CTA’s
requirement 64 and FinCEN’s
recognition that BOI is sensitive
information warranting stringent
security, the system will be cloud-based
and will meet the highest Federal
Information Security Management Act
(FISMA) 65 level (FISMA High).66 A
FISMA High rating indicates that losing
the confidentiality, integrity, or
availability of information within a
system would have a severe or
catastrophic adverse effect on the
organization maintaining the system,
including on organizational assets or
individuals.67 The rating carries with it
a requirement to implement certain
baseline controls to protect the relevant
information.68 System functionality will
vary by recipient category consistent
with statutory requirements, limitations
on BOI disclosure, and FinCEN’s
objective of minimizing access to the
data as much as practicable to minimize
the risk of unauthorized disclosure. The
target date for the system to begin
accepting BOI reports is January 1, 2024,
the same day on which the Reporting
Rule takes effect.
ii. Additional CTA Implementation
Efforts
In addition to continuing
development of the BO IT system,
FinCEN is working across several other
CTA implementation efforts. First, it is
working intensively to develop
guidance and other educational
materials to ensure that small
businesses have the information they
need to comply and that reporting
beneficial ownership information is as
streamlined and straightforward as
possible. On March 24, 2023, for
example, FinCEN published its first set
63 CTA,
section 6402(7).
U.S.C. 5336(c)(8).
65 44 U.S.C. 3541 et seq.
66 See U.S. Department of Commerce, Federal
Information Processing Standards Publication:
Standards for Security Categorization of Federal
Information and Information Systems (‘‘FIPS Pub
199’’) (Feb. 2004), available at https://nvlpubs.nist.
gov/nistpubs/fips/nist.fips.199.pdf.
67 Id. at 3.
68 Id.
64 31
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88740
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
of guidance materials to aid the public,
and in particular the small business
community, in understanding the BOI
reporting requirements taking effect on
January 1, 2024.69 That guidance,
available on FinCEN’s website, includes
Frequently Asked Questions (FAQs),
guidance on BOI filing dates, and
informational videos.70 FinCEN
published a Small Entity Compliance
Guide on September 18, 2023, as well as
additional guidance to address more
complex topics around BOI reporting.
FinCEN is also developing the
infrastructure to respond to queries,
conduct audit and oversight, and
provide partner agencies and financial
institutions with access to BOI.
FinCEN is particularly focused on
providing helpful customer service to
reporting companies in the first year
and beyond as they file their BOI.
FinCEN currently fields approximately
13,000 inquiries a year through its
Regulatory Support Section, and
approximately 70,000 external technical
inquiries a year through the IT Systems
Helpdesk. FinCEN has estimated that
there will be approximately 32 million
reporting companies in Year 1 of the
reporting requirement and
approximately 5 million new reporting
companies each year thereafter.71 Given
the expected increase in incoming
inquiries, FinCEN is working to stand
up a dedicated beneficial ownership
contact center to respond to inquiries
about the beneficial ownership
reporting requirements, and to provide
assistance to users encountering
technical issues with the BO IT system.
FinCEN expects the contact center to
begin operations prior to January 1,
2024.
FinCEN is also working to establish
internal policies and procedures
governing Treasury officer and
employee access to BOI, as well as to
draft and negotiate MOUs for access to
BOI and related materials. In keeping
with protocols described in this final
rule, Federal, State, local and Tribal
agencies outside of Treasury will be
required to enter into MOUs with
FinCEN specifying the standards,
procedures, and systems they will be
required to maintain to protect BOI.
Agency MOUs will, among other things,
memorialize and implement
requirements regarding reports and
certifications, periodic training of
69 FinCEN, FinCEN Issues Initial Beneficial
Ownership Information Reporting Guidance (Mar.
24, 2023), available at https://www.fincen.gov/
news/news-releases/fincen-issues-initial-beneficialownership-information-reporting-guidance.
70 FinCEN, Beneficial Ownership Information
Reporting, available at https://www.fincen.gov/boi.
71 87 FR 59498, 59549 (Sept. 30, 2022).
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
individual recipients of BOI, personnel
access restrictions, re-disclosure
limitations, and access to audit and
oversight mechanisms. MOUs will also
include security plans covering topics
related to personnel security (e.g.,
eligibility limitations, screening
standards, and certification and
notification requirements); physical
security (i.e., system connections and
use, conditions of access, and data
maintenance); computer security (i.e.,
use and access policies, standards
related to passwords, transmission,
storage, and encryption); and
inspections and compliance. Agencies
will be able to rely on existing databases
and related IT infrastructure to satisfy
the requirement to ‘‘establish and
maintain’’ secure systems in which to
store BOI where those systems have
appropriate security and confidentiality
protocols, and FinCEN will engage with
recipient agencies on these protocols
during the MOU development process.
iii. Administration of Access to BOI
For any given user agency, the
administrative steps described in the
preceding section will need to be
completed before authorized users
obtain access to the BO IT system. These
steps will require resources to complete.
Every Federal, State, local, and tribal
user agency will need to enter into an
MOU with FinCEN for access to the BO
IT system and put in place the policies
and procedures required under the final
Access Rule and the MOU. FinCEN will
also need to establish BO IT system
individual user accounts for all
personnel who are authorized to access
the system at agencies and financial
institutions.
To smoothly manage the draw on
resources that this process will demand,
FinCEN will take a phased approach to
providing access to the BO IT system.
The first stage will be a pilot program
for a handful of key Federal agency
users starting in 2024, as required
MOUs and policies and procedures are
completed. The second stage will
extend access to Treasury Department
offices and certain Federal agencies
engaged in law enforcement and
national security activities that already
have Bank Secrecy Act MOUs (e.g., FBI,
IRS–CI, HSI, DEA, Federal banking
agencies (FBAs)). Subsequent stages will
extend access to additional Federal
agencies engaged in law enforcement,
national security, and intelligence
activities, as well as key State, local, and
Tribal law enforcement partners; to
additional State, local, and Tribal law
enforcement partners; in connection
with foreign government requests; and
PO 00000
Frm 00010
Fmt 4701
Sfmt 4700
finally, to financial institutions and
their supervisors.
FinCEN believes that starting with a
small pilot program of users in 2024
will help test the system and ensure that
any issues can be addressed before
expanding access to other users. Making
access more broadly available in the
four subsequent stages outlined above
will help ensure the orderly onboarding
of authorized users and will space out
the timing of the annual audits of
agency users that FinCEN is required to
conduct under the CTA. Additionally,
there is a good reason for FinCEN’s
sequencing of access, making financial
institutions and their supervisors the
last category of users that will receive
access to the BO IT system: FinCEN
expects that the timing of their access
will roughly coincide with the
upcoming revision of FinCEN’s 2016
CDD Rule. This will allow financial
institutions to enjoy certain
administrative efficiencies by bundling
system and compliance changes.
FinCEN anticipates providing additional
information on the timing and details
regarding this phased implementation
approach in early 2024.
E. Comments Received
In response to the NPRM, FinCEN
received over 80 comments.
Submissions came from a broad array of
individuals and organizations,
including members of Congress, the
financial industry and related trade
associations, groups representing small
business interests, corporate
transparency advocacy groups, law
enforcement representatives, regulatory
associations, legal associations, and
other interested groups and individuals.
In general, many commenters
expressed support for the proposed
regulations. These commenters agreed
that the proposed regulations were a
significant step forward in improving
the ability of law enforcement and
national security agencies to identify
illicit actors hiding behind anonymous
shell and front companies. One of the
commenters stated that the proposed
regulations would confer benefits to
both the United States and its overseas
partners and bring the United States in
line with emerging global practices
relating to beneficial ownership
information reporting. These
commenters viewed the proposed
regulations as being consistent with the
statutory text. They supported the
approach taken to provide access to BOI
to authorized recipients and were
encouraged by the proposed limitations
and security provisions to protect the
BOI and prevent unauthorized
disclosure. These commenters were
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
particularly supportive of the proposed
regulations with respect to U.S. Federal
agencies’ access to the BOI database.
Supportive commenters agreed that U.S.
Federal agencies accessing the database
for law enforcement, intelligence, and
national security purposes should have
broad access, and that foreign requesters
should be able to request BOI for similar
purposes.
Other commenters expressed general
opposition to the proposed regulations,
arguing that the proposed regulations
deviate from the CTA and congressional
intent. These commenters argued that
the proposed regulations, if finalized
without significant changes, would
impose unnecessary requirements,
limitations, and burdens with respect to
certain types of access. Commenters also
argued that the proposed regulations
would be too costly and burdensome for
small businesses. In particular,
commenters expressed concern over the
access provisions relating to State, local,
and Tribal law enforcement authorities
and financial institutions. Some
commenters stated that certain
requirements for law enforcement
access to BOI, such as the requirement
to submit ‘‘a copy of a court order’’ and
‘‘written justification’’ in proposed 31
CFR 1010.955(d)(1)(ii)(B)(2), would
create undue barriers for State, local and
Tribal law enforcement and contradict
the statutory text. Other commenters
argued that the proposed restrictions on
access by financial institutions and their
regulators would significantly limit the
utility of the database. These
commenters argued that proposed
regulations interpreted ‘‘customer due
diligence requirements under applicable
law’’ in 31 U.S.C. 5336(c)(2)(B)(iii) too
narrowly and objected to the
requirement that individuals with
access to BOI be located in the United
States (31 CFR 1010.955(c)(2)(ii)). These
commenters suggested that FinCEN
adopt a broader approach to financial
institutions’ access to BOI and asked for
clarification on a number of related
provisions, including, for example,
expectations around customer consent,
database usage, and discrepancy
reporting. One commenter suggested
that FinCEN withdraw the proposed
regulations and engage with the
financial services industry and small
businesses to develop a new proposal to
better achieve the objectives of the CTA
and the AML Act.
Many commenters, regardless of their
overarching views, suggested specific
modifications to the proposed
regulations to enhance clarity, refine
policy expectations, ensure technical
accuracy, and improve implementation
more broadly. Commenters sought
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
clarification on specific definitions, use
cases, technical requirements and
processes, and database functionality,
among other things. Several commenters
advocated for providing certain
additional categories of users access to
BOI, while others shared views on the
sensitivity of BOI. Several commenters
emphasized their view that BOI needed
to be verified and suggested ways to
improve the quality of the database.
Commenters also shared views on
future revisions to the 2016 CDD Rule,
highlighting the ways in which they
anticipated the proposed regulations
with respect to access would interact
with the 2016 CDD Rule. Among other
things, these commenters expressed
concerns about potential inconsistencies
between BOI in the database and the
customer information that financial
institutions maintain pursuant to
customer due diligence obligations.
Many of these commenters urged
FinCEN to address these concerns
before 2016 CDD Rule revisions are
finalized; some suggested that these
concerns be addressed as part of the
final Access Rule. Several commenters
expressed frustration over the
sequencing of the CTA rulemakings,
stating, for example, that it is difficult
to provide meaningful comments on the
proposed regulations given
uncertainties about revisions to the 2016
CDD Rule.
Commenters shared views on the
proposed regulations on FinCEN
identifiers for reporting companies.
While some commenters were
supportive of FinCEN’s approach, others
found the proposal complex and
confusing. Whether or not generally
supportive, commenters suggested
specific modifications to the proposal
and asked for clarification on the
availability of the information
underlying FinCEN identifiers. One
commenter expressed generalized
concern about the availability of
FinCEN identifiers and their potential
misuse.
FinCEN also received comments on
topics not directly related to the
proposed regulations. Some of these
comments focused on elements of the
Reporting Rule, e.g., information to be
reported, company applicants,
enforcement mechanism, and the
proposed BOI report form. Others
identified typographical errors, offered
specific recommendations with respect
to MSBs and mutual funds, and urged
FinCEN to take steps to prevent the
creation of fraudulent FinCEN websites.
One commenter suggested that FinCEN
should be designated as part of the
intelligence community, while another
suggested that Congress should repeal
PO 00000
Frm 00011
Fmt 4701
Sfmt 4700
88741
the USA PATRIOT Act. Finally, one
commenter highlighted that some
individuals may feel discouraged from
submitting comments on proposed
regulations if their views do not align
with those of their employer.
FinCEN carefully reviewed and
considered each comment submitted.
Many specific proposals will be
discussed in more detail in section III
below. FinCEN’s analysis and approach
has been guided by the statutory text,
including the statutory obligations to
disclose BOI to authorized users for
specified purposes while following
strict security and confidentiality
protocols and minimizing burdens on
stakeholders.
In implementing this final rule,
FinCEN took into account the many
comments and suggestions intended to
clarify and refine the scope of the rule
and to reduce burdens on authorized
users to the greatest extent practicable.
FinCEN further notes that
implementation of the final rule will
require additional engagement with
stakeholders to ensure a clear
understanding of the rule’s
requirements, including through
additional guidance, FAQs, and help
lines. FinCEN intends to work within
Treasury and with interagency partners
to inform these specific efforts and the
broader implementation of this final
rule.
III. Discussion of Final Rule
This final rule builds on the Access
NPRM and is the next step after the
Reporting Rule in FinCEN’s
implementation of the CTA. The final
rule aims to ensure that: (1) only
authorized recipients have access to
BOI; (2) authorized recipients use that
access only for purposes permitted by
the CTA; and (3) authorized recipients
only re-disclose BOI in ways that
balance protecting its security and
confidentiality with the CTA objective
of making BOI available to users for a
range of authorized purposes. The
regulations also provide a robust
framework to ensure that BOI reported
to FinCEN, and received by authorized
recipients, is subject to strict
cybersecurity controls, confidentiality
protections and restrictions, and robust
audit and oversight measures.
FinCEN is adopting the proposed rule
largely as proposed, but with certain
modifications that are responsive to
comments received and intended to
reduce barriers to the effective use of
BOI, while maintaining appropriate
protections for the information. Among
other things, the final rule broadens the
purposes for which financial
institutions may use BOI, and
E:\FR\FM\22DER3.SGM
22DER3
88742
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
streamlines the requirements for State,
local, and Tribal law enforcement access
to BOI. FinCEN believes that these
changes will help to ensure that the
database is highly useful to relevant
stakeholders who are authorized to
access BOI. FinCEN has made certain
other clarifying and technical revisions
throughout the rule. We discuss specific
comments, modifications, revisions, and
the shape of the final rule section by
section here.
We discuss the elements of the final
rule under seven headings: (A)
availability of information—general; (B)
prohibition on disclosure; (C) disclosure
of information by FinCEN; (D) use of
information; (E) security and
confidentiality requirements; (F)
administration of requests for
information reported pursuant to 31
CFR 1010.380; and (G) violations. In
addition, this section discusses general
implementation efforts as they apply to
the development of the IT system.
ddrumheller on DSK120RN23PROD with RULES3
A. Availability of Information—General
Proposed Rule. FinCEN proposed to
amend 31 CFR 1010.950(a) to clarify
that the disclosure of BOI would not be
governed by § 1010.950(a) but instead
by proposed 31 CFR 1010.955.
Comments Received. FinCEN did not
receive comments on this proposal.
Final Rule. The final rule adopts the
amendments to 31 CFR 1010.950(a) as
proposed. The amendments clarify that
the disclosure of BOI is governed by a
new provision, 31 CFR 1010.955, rather
than 31 CFR 1010.950(a). Section
1010.950(a) governs disclosure of other
BSA information by Treasury and states
that ‘‘[t]he Secretary may within his
discretion disclose information reported
under this chapter for any reason
consistent with the purposes of the
Bank Secrecy Act, including those set
forth in paragraphs (b) through (d) of
this section.’’ In contrast, the CTA
authorizes FinCEN to disclose BOI only
in limited and specified
circumstances.72 As these CTA
provisions are separate and distinct
from provisions authorizing disclosure
of other BSA information, distinct
regulatory treatment is warranted.73
B. Prohibition on Disclosure
Proposed Rule. Proposed 31 CFR
1010.955(a) would implement the broad
prohibition in the CTA on the
disclosure of information reported to
FinCEN pursuant to 31 CFR 1010.380,
except as authorized under the
proposed rule. Specifically, the CTA
provides that, except as authorized by
72 See
31 U.S.C. 5336(c)(2), (5).
e.g., 31 U.S.C. 5319.
73 See,
VerDate Sep<11>2014
19:01 Dec 21, 2023
31 U.S.C. 5336(c) and the protocols
promulgated thereunder, BOI reported
to FinCEN by reporting companies is
confidential and shall not be disclosed
by (1) an officer or employee of the
United States, (2) an officer or employee
of any State, local, or Tribal agency, or
(3) an officer or employee of any
financial institution or regulatory
agency receiving information under this
subsection of the CTA.74 The proposed
rule adopted this broad prohibition on
disclosure but extended it in two ways.
First, it extended the prohibition to any
of the officers or employees described in
(1) through (3) above regardless of
whether they continue to serve in the
position through which they were
authorized to receive BOI. Second, it
extended the prohibition on disclosure
to any individual who receives BOI as
a contractor or agent of the United
States; as a contractor or agent of a State,
local, or Tribal agency; or as a member
of the board of directors, contractor, or
agent of a financial institution.
Comments Received. One commenter
supported the proposed extension of the
prohibition on disclosure of BOI to
contractors or agents of the United
States and State, local or Tribal law
enforcement agencies, and to
contractors, agents, and directors of
financial institutions. The commenter
noted that this extension furthers the
purpose of the CTA and would close
potential loopholes around prohibited
disclosures of BOI. Several commenters
requested greater clarity on the
prohibition on disclosure or further
extension of the prohibition to
additional individuals. One commenter
opposed extending the prohibition to
agents, contractors, and, in the case of
financial institutions, directors, arguing
that the existing prohibition in the
statute was already overly protective of
BOI. One commenter did not believe
that the proposed rule adequately
clarifies that the prohibition on
disclosure covers individuals who
receive BOI even after they leave the
position in which they were authorized
to receive the BOI. This commenter
suggested that the rule should include
language that explicitly addresses this
scenario. This commenter also asked
that the prohibition on disclosure
explicitly extend to an officer,
employee, contactor, or agent of foreign
law enforcement agencies, foreign law
enforcement agencies, foreign judges,
foreign prosecutors, or other foreign
authorities. Another commenter
suggested adding a provision to prohibit
disclosure by attorneys or parties who
may receive BOI in the context of a civil
74 See
Jkt 262001
PO 00000
31 U.S.C. 5336(c)(2)(A).
Frm 00012
Fmt 4701
Sfmt 4700
or criminal proceeding. Another
commenter suggested extending access
requirements (which would include the
prohibition on disclosure of BOI) to any
individual under contract or under the
remit of an entity authorized to access
BOI (non-employee agents), such as
consultants, auditors, and third-party
service providers.
Final Rule. The final rule adopts 31
CFR 1010.955(a) as proposed. FinCEN
believes that the proposed rule,
including the extension of the
disclosure prohibition to certain
specified individuals, is necessary to
fully carry out the CTA’s intent to
protect sensitive BOI and prevent
unauthorized disclosure of this
information. FinCEN proposed these
extensions pursuant to 31 U.S.C.
5336(c)(3)(K), which provides that ‘‘the
Secretary of the Treasury shall establish
by regulation protocols described in [31
U.S.C. 5336(2)(A)] that . . . provide
such other safeguards which the
Secretary determines (and which the
Secretary prescribes in regulations) to be
necessary or appropriate to protect the
confidentiality of the beneficial
ownership information.’’ Further, after
considering the comments to this
provision, FinCEN has concluded that
this provision is sufficiently clear, in
terms of the prohibition on disclosure
applying to those individuals who leave
a position in which they were
previously authorized to receive BOI.
The proposed rule stated that, except as
authorized, BOI is confidential and
‘‘shall not be disclosed by any
individual who receives such
information as’’ an officer, employee,
contractor, agent, or director. This
prohibition means that individuals who
receive BOI when acting in these
specified roles cannot disclose BOI
(except as authorized in the rule)
regardless of whether they continue in
or leave these roles.
FinCEN has also determined not to
add language extending the prohibition
on disclosure to an officer, employee,
contactor, or agent of foreign law
enforcement agencies, foreign law
enforcement agencies, foreign judges,
foreign prosecutors, or other foreign
authorities. FinCEN believes there are
existing mechanisms in place under the
CTA that would appropriately protect
BOI in these circumstances. For
example, in the context of foreign access
to BOI through a request made under an
international treaty, agreement, or
convention, the handling and use of BOI
would be governed by the disclosure
and use provisions of the relevant
international treaty, agreement, or
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
convention.75 As for trusted foreign
countries, the CTA explicitly limits the
use of BOI ‘‘for any purpose other than
the authorized investigation or national
security or intelligence activity’’ 76 and
proposed 31 CFR 1010.955(c)(2)(ix)
(now renumbered as 31 CFR
1010.955(c)(2)(x)) provided that ‘‘any
information disclosed by FinCEN under
paragraph (b) of this section shall not be
further disclosed to any other person for
any purpose without the prior written
consent of FinCEN, or as authorized by
applicable protocols or guidance that
FinCEN may issue.’’ In the event of
improper disclosure of BOI by a trusted
foreign country, FinCEN would consider
all available remedies including
FinCEN’s authority to reject a request
for BOI or suspend a requesting party’s
access to such information.77
FinCEN has also decided not to
specifically extend the prohibition on
disclosure to parties in a civil and
criminal proceeding because it views
this scenario as being covered by the
regulations, specifically by the
provision prohibiting redisclosure
without the prior consent of FinCEN.78
FinCEN will consider, however,
whether to issue guidance or FAQs to
further address issues relating to public
disclosure of BOI in civil or criminal
proceedings. With respect to the
commenter suggesting that FinCEN add
language to specify that individuals
under contract or under the remit of an
entity authorized to access BOI
(including consultants, auditors, and
third-party service providers) are
covered by the prohibition on
disclosure, FinCEN believes that
proposed 31 CFR 1010.955(a)
sufficiently covers these individuals as
contractors or agents.
C. Disclosure of Information by FinCEN
As discussed in the proposed rule, the
CTA authorizes FinCEN to disclose BOI
to five categories of recipients. The first
category consists of recipients in
Federal, State, local and Tribal
government agencies.79 Within this
category, FinCEN may disclose BOI to
Federal agencies engaged in national
security, intelligence, or law
enforcement activity if the requested
BOI is for use in furtherance of such
activity.80 FinCEN may also disclose
BOI to State, local, and Tribal law
enforcement agencies if ‘‘a court of
competent jurisdiction’’ has authorized
75 See
31 U.S.C. 5336(c)(2)(B)(ii)(I)(aa).
U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
77 See proposed 31 CFR 1010.955(e)(3).
78 31 CFR 1010.955(c)(2)(ix).
79 31 U.S.C. 5336(c)(2)(B) and 31 U.S.C.
5336(c)(5).
80 31 U.S.C. 5336(c)(2)(B)(i)(I).
the law enforcement agency to seek the
information in a criminal or civil
investigation.81
The second category consists of
foreign law enforcement agencies,
judges, prosecutors, central authorities,
and competent authorities (‘‘foreign
requesters’’), provided their requests
come through an intermediary Federal
agency, meet certain additional criteria,
and are made either (1) under an
international treaty, agreement, or
convention, or (2) via a request made by
law enforcement, judicial, or
prosecutorial authorities in a trusted
foreign country (when no international
treaty, agreement, or convention is
available).82
The third authorized recipient
category are financial institutions using
BOI to facilitate compliance with
customer due diligence requirements
under applicable law, provided the
financial institution requesting the BOI
has the relevant reporting company’s
consent for such disclosure.83
The fourth category is Federal
functional regulators and other
appropriate regulatory agencies acting
in a supervisory capacity assessing
financial institutions for compliance
with customer due diligence
requirements.84 These agencies may
access the BOI information that
financial institutions they supervise
received from FinCEN.
The fifth and final category of
authorized BOI recipients is the
Treasury itself, for which the CTA
provides access to BOI tied to an officer
or employee’s official duties requiring
BOI inspection or disclosure, including
for tax administration.85
i. Disclosure to Federal Agencies for Use
in Furtherance of National Security,
Intelligence, or Law Enforcement
Activity
a. Definition of National Security
Activity
Proposed Rule. Proposed 31 CFR
1010.955(b)(1)(i) specified that national
security activity includes activity
pertaining to the national defense or
foreign relations of the United States, as
well as activity to protect against threats
to the safety and security of the United
States.
Comments Received. Commenters
generally provided broad support for the
definition of national security activity in
proposed 31 CFR 1010.955(b)(1)(i),
stating that the activity-based approach
76 31
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
81 31
U.S.C. 5336(c)(2)(B)(i)(II).
U.S.C. 5336(c)(2)(B)(ii).
83 31 U.S.C. 5336(c)(2)(B)(iii).
84 31 U.S.C. 5336(c)(2)(B)(iv).
85 31 U.S.C. 5336(c)(5).
82 31
PO 00000
Frm 00013
Fmt 4701
Sfmt 4700
88743
is reasonable, clear, and adequately
justified. Some commenters expressed
the view that the definition should not
be further delimited or narrowed, as this
may impede the intent of the CTA. One
recommended that FinCEN clarify that
the proposed definition is not meant to
limit Congress’s language identifying
specific national security threats in the
CTA’s Sense-of-Congress provision.86
Another commenter suggested adding a
reference in the preamble to the illicit
finance strategy, as defined in the 2021
Memorandum on Establishing the Fight
Against Corruption as a Core United
States National Security Interest. One
commenter urged FinCEN to include the
words ‘‘threats to’’ before ‘‘national
defense or foreign relations,’’ and two
commenters suggested substituting the
word ‘‘means’’ for ‘‘includes’’ to clarify
that the definition is finite. In particular,
one of those two commenters noted that
replacing ‘‘includes’’ with ‘‘means’’
would be consistent with the statute
cited in support of the proposed
regulation, 8 U.S.C. 1189(d)(2), which
provides that national security ‘‘means’’
the national defense, foreign relations,
or economic interests of the United
States.
Final Rule. The final rule largely
adopts the proposed rule, but
substitutes ‘‘means’’ for ‘‘includes’’ in
definition in the final rule. FinCEN
agrees that changing ‘‘includes’’ to
‘‘means’’ will provide additional clarity
while still retaining the approach
described by the proposed rule that
draws, in large part, from 8 U.S.C.
1189(d)(2). Section 1189(d)(2) defines
‘‘national security’’ for purposes of
designating foreign terrorist
organizations (FTOs) that threaten U.S.
national security. As stated in the
proposed rule, FinCEN believes this
definition is appropriate for several
reasons. First, the FTO statute covers a
broad range of national security threats
to the United States, including those
with an economic dimension. That
scope is consonant with the CTA’s goal
to combat national security threats that
are financial in nature, such as money
laundering, terrorist financing,
counterfeiting, fraud, and foreign
corruption.87 Second, the FTO statute
arises in a related context insofar as it
involves efforts to hinder illicit actors’
economic activities. FinCEN does not
intend this definition to exclude any
national security threats that Congress
identified in the CTA. FinCEN also
notes that it will determine whether an
agency’s activities are ‘‘national security
activities’’ that qualify the agency for
86 See
87 See
E:\FR\FM\22DER3.SGM
CTA, section 6402(3).
CTA, section 6402(3)–(6).
22DER3
88744
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
access to BOI during the process to
establish a MOU governing access
between the agency and FinCEN. Some
undertakings, such as vetting potential
recipients of foreign assistance and
procurement contract awards, might
constitute ‘‘national security activities’’
depending on the particular facts and
circumstances, and therefore may be
evaluated as part of that process.
FinCEN declines to incorporate into the
final rule reference to specific strategies
to counter corruption or other types of
specific national security threats. Acts
of foreign corruption are specifically
mentioned in the CTA as acts that harm
the national security interests of the
United States, and as discussed above,
are already contemplated by the final
rule. Referencing specific strategy
documents is therefore unnecessary and
could cause confusion.
b. Definition of Intelligence Activity
Proposed Rule. Proposed 31 CFR
1010.955(b)(1)(ii) defines intelligence
activity to include ‘‘all activities
conducted by elements of the United
States Intelligence Community that are
authorized pursuant to Executive Order
12333 (‘‘E.O. 12333’’), as amended, or
any succeeding executive order.’’
Comments Received. A number of
commenters supported the proposed
rule’s definition of ‘‘intelligence
activity,’’ and noted the approach taken
by FinCEN is reasonable. Some
commenters expressed that the
definition should not be further
delimited or narrowed, as this may
impede the intent of the CTA. Three
commenters suggested that the use of
the word ‘‘includes’’ was too broad, and
it should be replaced with ‘‘means’’ to
clarify that the definition is finite. One
commenter argued that ‘‘includes’’
implies that the proposed rule might
allow sharing BOI under the intelligence
activity provisions of 31 U.S.C. 5336,
outside of the authorization provided by
E.O. 12333. This commenter also argued
that the definition of ‘‘intelligence
activity’’ in proposed 31 CFR
1010.955(b)(1)(ii) conflicts with
proposed 31 CFR 1010.955(b)(3)(i),
which refers to disclosures of BOI by
FinCEN to an intermediary Federal
agency for transmission to a foreign
agency for assistance in intelligence
activity authorized under the laws of a
foreign country. The commenter
suggested that FinCEN should revise
§ 1010.955(b)(1)(ii) to read ‘‘(ii)
intelligence activity, when used in this
section in reference to an activity of the
United States, means all activities that
elements of the United States
intelligence community are authorized
to conduct pursuant to E.O. 12333, as
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
amended, or any successor [E]xecutive
order.’’ A different commenter
recommended that FinCEN make clear
that E.O. 12333’s limitation on the use
of United States person information by
the Intelligence Community would not
constrain use of BOI, if the use was
otherwise permitted by the CTA. One
commenter, while concurring with the
proposed rule as sensible and workable,
suggested it should include a reference
to the 2021 U.S. Strategy on Countering
Corruption and its calls for increasing
intelligence activity on corrupt actors
and bolstering information sharing
between the Intelligence Community
and law enforcement.
Final Rule. The final rule adopts the
proposed rule with two clarifying edits.
First, FinCEN adopts the
recommendation to substitute ‘‘means’’
for ‘‘includes’’ within the definition, in
order to clarify that ‘‘intelligence
activity’’ covers only those activities
conducted by elements of the United
States Intelligence Community that are
authorized pursuant to E.O. 12333, as
amended, or any succeeding executive
order. Second, FinCEN agrees that the
definition of ‘‘intelligence activity’’ in
proposed 31 CFR 1010.955(b)(1)(ii) was
incompatible with the authorization for
sharing of BOI with foreign requesters in
proposed 31 CFR 1010.955(b)(3)(i), as it
proposed to define intelligence
activities throughout the rule
exclusively by reference to U.S. legal
authorities. The final rule corrects this
mistake by inserting new 31 CFR
1010.955(b)(3)(iv), a definition of the
term ‘‘intelligence activity authorized
under the laws of a foreign country’’
that clearly relates such activity to
foreign legal authorities that establish
what constitute legally acceptable
intelligence activities under the laws of
another country, as E.O. 12333 does for
U.S. law.88
FinCEN does not believe that
additional clarifications are necessary
regarding the scope of access to BOI by
Federal agencies engaged in intelligence
activity, to the extent the activity relates
to United States persons. E.O. 12333
sets out the scope of authorized activity
and, among other things, provides that
agencies shall, consistent with the
provisions of the Order, prepare and
provide intelligence in a manner that
‘‘allows the full and free exchange of
information, consistent with applicable
law and presidential guidance.’’ Internal
procedures established pursuant to the
88 FinCEN has addressed an analogous drafting
problem in proposed 31 CFR 1010.955(b)(1)(i) with
reference to the term ‘‘national security activity’’ by
defining the term ‘‘national security activity
authorized under the laws of a foreign country’’ in
new 31 CFR 1010.955(b)(3)(iii).
PO 00000
Frm 00014
Fmt 4701
Sfmt 4700
Order further govern the handling of
information relating to U.S. persons.
Finally, FinCEN declines to incorporate
into the final rule reference to specific
strategies to counter corruption or other
national security threats, while noting
that acts of foreign corruption are
specifically mentioned in the CTA as
acts that harm the national security
interests of the United States.
c. Definition of Law Enforcement
Activity
Proposed Rule. Proposed 31 CFR
1010.955(b)(1)(iii) defined ‘‘law
enforcement activity’’ to include
‘‘investigative and enforcement
activities relating to civil or criminal
violations of law.’’ The proposed rule
specified that such activity does not
include routine supervision or
examination of a financial institution by
a Federal regulatory agency with
authority described in 31 CFR
1010.955(b)(4)(ii)(A). The inclusion of
both investigation and enforcement as
‘‘law enforcement activity’’ was based
on FinCEN’s view that it is consistent
with the CTA to authorize Federal
agencies to access BOI at all stages of
the law enforcement process.
Comments Received. Commenters
generally agreed with the definition in
31 CFR 1010.955(b)(1)(iii), stating that
the proposed rule is reasonable and
workable. One commenter emphasized
the need for law enforcement to have
access to BOI during all stages of
criminal or civil investigations. Two
commenters suggested that the use of
the word ‘‘includes’’ was too broad, and
it should be replaced with ‘‘means’’ to
clarify that the definition is finite. Some
commenters expressed that the
definition should not be further
delimited or narrowed, as this may
impede the intent of the CTA. One
commenter concurred with the
exclusion of routine supervision and
examination by Federal regulator
agencies, as these activities are covered
by a separate section of the CTA, and
the proposed rule also recognizes that
Federal functional regulators engage in
law enforcement activities that will
enable them to request BOI. However,
two commenters took an opposite view,
arguing that the proposed rule should be
modified either at 31 CFR
1010.955(b)(1) or 31 CFR
1010.955(b)(1)(iii) to explicitly include
disclosure to Federal regulatory
agencies for law enforcement purposes
as a disclosure governed by
1010.955(b)(1). Another commenter
supported the broad definition of law
enforcement activity but sought an
explicit extension of the definition to
State, local, and Tribal authorities, as
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
well as the inclusion of specific
exemplar criminal violations related to
taxes, wages, theft, forgery, insurance
fraud, and human trafficking.
Final Rule. The final rule adopts the
proposed rule with the exception of one
clarifying edit. Specifically, FinCEN
adopts the recommendation to
substitute ‘‘means’’ for ‘‘includes’’
within the definition to further clarify
the definition, while retaining the
approach from the proposed rule.
FinCEN also notes that it will determine
whether an agency’s activities are ‘‘law
enforcement activities’’ qualifying it for
access to BOI during the process to
establish a MOU between the agency
and FinCEN governing such access.
FinCEN declines to incorporate into the
final rule reference to specific criminal
violations, as this is redundant
considering the existing language
regarding civil or criminal violations of
law.
Regarding the role of Federal
regulatory agencies, FinCEN does not
believe that a change to the proposed
language is warranted. As stated in the
proposed rule, the access provision for
Federal agencies engaged in national
security, intelligence, or law
enforcement activities focuses on
activity categories, not agency types. To
the extent a Federal functional regulator
engages in civil law enforcement
activities, those activities would be
covered by the law enforcement access
provision.
ii. Disclosure to State, local, and Tribal
Law Enforcement Agencies for Use in
Criminal or Civil Investigations
ddrumheller on DSK120RN23PROD with RULES3
a. A Court of Competent Jurisdiction
Proposed Rule. The CTA permits
FinCEN to disclose BOI upon receipt of
a request, through appropriate
protocols, ‘‘from a State, local, or Tribal
law enforcement agency, if a court of
competent jurisdiction, including any
officer of such a court, has authorized
the law enforcement agency to seek the
information in a criminal or civil
investigation.’’ 89 Proposed 31 CFR
1010.955(b)(2) implements this
provision and would allow FinCEN to
disclose BOI to a State, local, or Tribal
law enforcement agency that requests
this information if a court of competent
jurisdiction has authorized the agency’s
request for the BOI for use in a criminal
or civil investigation. Proposed 31 CFR
1010.955(b)(2)(i) further provided that a
court of competent jurisdiction is ‘‘any
court’’ with jurisdiction over the
criminal or civil investigation for which
89 31
U.S.C. 5336(c)(2)(B)(i)(II).
VerDate Sep<11>2014
19:01 Dec 21, 2023
a State, local, or Tribal agency requests
BOI.
Comments Received. Commenters
were generally supportive of the
definition of the phrase ‘‘court of
competent jurisdiction’’ in proposed 31
CFR 1010.955(b)(2)(i). These
commenters noted that the proposed
definition is flexible enough to
encompass a wide variety of courts and
will facilitate the ability of State, local,
or Tribal law enforcement agencies to
seek court authorization for the purpose
of requesting BOI from FinCEN. Several
commenters requested that FinCEN
explicitly include administrative courts
and adjudicatory bodies such as boards
and commissions. One commenter
noted that state and local governments
allow civil law enforcement proceedings
to occur in hearings before adjudicators
that are independent of law
enforcement, such as administrative law
judges. Some commenters also
recommended that ‘‘court of competent
jurisdiction’’ should explicitly account
for jurisdiction over an investigation or
a ‘‘case’’ because BOI may be relevant to
both.
Final Rule. The final rule adopts 31
CFR 1010.955(b)(2)(i) as proposed.
FinCEN agrees with the commenters
who thought the level of clarity
provided by this provision is sufficient
to encompass the various types of courts
and adjudicatory bodies that exist in
State, local, and Tribal jurisdictions,
including those which some
commenters suggested that FinCEN
explicitly reference. The reference in
this provision to ‘‘any court’’ that has
jurisdiction over an investigation
provides broad and, in FinCEN’s view,
sufficiently clear applicability. As such,
FinCEN believes it is unnecessary to list
specific types of adjudicatory bodies
that would qualify as a court of
competent jurisdiction. Further, in
response to the comments that
requested that FinCEN clarify that a
court of competent jurisdiction includes
an adjudicative body with jurisdiction
over both investigations and ‘‘cases’’
(understood as ongoing civil or criminal
court proceedings), FinCEN has
followed the formulation in the CTA,
which uses the term ‘‘criminal or civil
investigation.’’ 90 However, FinCEN
does not believe that this clause
excludes State, local, or Tribal agencies
from seeking a request for BOI as part
of an ongoing ‘‘case,’’ whether that be a
civil proceeding or a criminal
prosecution following an initial
investigation.
90 See
Jkt 262001
PO 00000
31 U.S.C. 5336(c)(2)(B)(i)(II).
Frm 00015
Fmt 4701
Sfmt 4700
88745
b. State, Local, or Tribal Law
Enforcement Agencies
Proposed Rule. Proposed 31 CFR
1010.955(b)(2)(ii) defined a ‘‘State, local,
or Tribal law enforcement agency’’ as
‘‘an agency of a State, local, or Tribal
government that is authorized by law to
engage in the investigation or
enforcement of civil or criminal
violations of law.’’ The proposed rule
defined this term in a manner similar to
the proposed definition of ‘‘law
enforcement activity’’ for Federal
agencies to ensure consistency
regardless of whether law enforcement
activity occurs at the Federal, State,
local, or Tribal, level.
Comments Received. Several
commenters argued that FinCEN should
clarify in the final rule that State, local,
and Tribal law enforcement agencies
include various types of administrative
and regulatory bodies covering a range
of subject areas such as labor and
employment, contracting, tax,
unemployment insurance, and workers’
compensation, among others. One
commenter recommended that FinCEN
amend 31 CFR 1010.955(b)(2)(ii) to state
that a State, local or Tribal law
enforcement agency is one that is
authorized by law to investigate or
enforce civil, criminal, ‘‘or
administrative’’ violations of law. Some
commenters noted that many State,
local, and Tribal regulatory agencies
also have law enforcement functions
insofar as they have the authority to
both issue regulations and enforce
compliance with regulations. One of
these commenters believed that
proposed 31 CFR 1010.955(b)(2)(ii)
already covers these regulatory agencies.
Finally, one commenter suggested that
FinCEN clarify that local enforcement
agencies include non-Federal agencies
within the government of the District of
Columbia.
Final Rule. FinCEN is adopting 31
CFR 1010.955(b)(2)(ii) as proposed.
FinCEN believes that this provision is
adequately clear and sufficiently
flexible to encompass the many varieties
of State, local, and Tribal law
enforcement agencies that engage in the
investigation or enforcement of civil or
criminal violations of law, including
regulatory violations. As a result, it is
not necessary, in FinCEN’s view, to
specifically list examples of State, local,
and Tribal law enforcement agencies, as
some commenters requested.
Furthermore, in response to the
commenter’s request that the final rule
explicitly include non-Federal agencies
within the District of Columbia, FinCEN
believes this is unnecessary because the
E:\FR\FM\22DER3.SGM
22DER3
88746
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
definition of ‘‘State’’ in the CTA
includes the District of Columbia.91
c. Court Authorization and Written
Certification
Proposed Rule. The CTA provides
that FinCEN may disclose BOI to a
State, local, or Tribal law enforcement
agency ‘‘if a court of competent
jurisdiction, including any officer of
such a court, has authorized the law
enforcement agency to seek the
information in a criminal or civil
investigation.’’ 92 Proposed 31 CFR
1010.955(b)(2) would implement this
provision of the CTA by allowing
FinCEN to disclose BOI to a State, local,
or Tribal law enforcement agency that
requests this information if a court of
competent jurisdiction authorizes the
agency’s request for the BOI for use in
a criminal or civil investigation. FinCEN
did not propose to identify every kind
of court authorization that would satisfy
the CTA, and it did not propose to
specify which officers of a court may
provide authorization. That is because
FinCEN recognized that State, local, and
Tribal practices are likely to be varied
with respect to how law enforcement
agencies may be authorized by a court
to seek information in connection with
an investigation or prosecution.
In addition, the proposed rule
included safeguards designed to protect
the confidentiality of BOI and ensure it
is not misused. These requirements
were also meant to ensure that FinCEN
could properly audit requests for BOI
from State, local, and Tribal law
enforcement agencies, consistent with
the CTA’s audit requirements.93 As a
result, proposed 31 CFR
1010.955(d)(1)(ii)(B)(2) required that
when a State, local, or Tribal law
enforcement agency requests BOI from
FinCEN, the head of such an agency or
their designee would have to submit to
FinCEN, ‘‘in the form and manner as
FinCEN shall prescribe:’’ (i) a copy of a
court order from a court of competent
jurisdiction authorizing the agency to
seek the BOI in a criminal or civil
investigation, and (ii) a written
justification explaining why the request
for BOI is relevant to the civil or
criminal investigation. The proposed
rule further explained that after FinCEN
reviewed the relevant authorization for
sufficiency and approved the request, an
agency could then conduct searches
using multiple search fields consistent
in scope with the court authorization
and subject to audit by FinCEN.94 Thus,
91 31
U.S.C. 5336(a)(12); see also supra note 5.
31 U.S.C. 5336(c)(2)(B)(i)(II).
93 See 31 U.S.C. 5336(c)(3)(J).
94 87 FR at 77409–10.
92 See
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
the court order and written justification
requirements in the proposed rule were
meant to serve multiple purposes—i.e.,
to ensure that a court of competent
jurisdiction has authorized an agency’s
request for the BOI, protect the security
of confidential BOI, and enable FinCEN
to conduct required audits of searches
by State, local, or Tribal law
enforcement agencies.
These requirements were proposed
alongside other security and
confidentiality requirements applicable
to all domestic government requesters of
BOI. For example, the proposed rule
explained that Federal agency users of
FinCEN’s BOI database would be
required to submit brief justifications to
FinCEN for their searches, explaining
how their searches further a particular
qualifying activity, and these
justifications would be subject to
oversight and audit by FinCEN.
Additionally, the proposed rule
required a Federal, State, local, or Tribal
agency requesting BOI to minimize to
the greatest practicable extent the scope
of BOI it seeks, consistent with the
agency’s purpose in requesting BOI.
Comments Received. Commenters
generally opposed the requirements in
proposed 31 CFR
1010.955(d)(1)(ii)(B)(2)(i) that the head
of a State, local, or Tribal law
enforcement agency, or their designee,
must obtain and submit a copy of a
court order to FinCEN authorizing the
agency to seek BOI in a criminal or civil
investigation. Commenters opposed the
court order requirements for two broad
reasons: they argued that, first, these
requirements conflict with the plain
language of the CTA as well as with
congressional intent; and second, these
requirements would create burdens on
State, local, and Tribal agencies that
would impede their ability to access
BOI in a timely manner, which would
be contrary to the goals of the CTA. In
general, commenters encouraged
FinCEN to take a more flexible approach
in specifying the manner in which a
court authorizes a request for BOI,
which court personnel can provide that
authorization, and at what stage in an
investigation or proceeding agencies
may seek the BOI from FinCEN. In sum,
these commenters argued that the final
rule should adopt the broader concept
of court authorization from the CTA.
Commenters also generally opposed
for largely the same reasons the
requirement in proposed 31 CFR
1010.955(d)(1)(ii)(B)(2)(i) that the
agency head must also submit a written
justification to FinCEN explaining the
relevance of the BOI for the
investigation. Specifically, some
commenters noted that the CTA does
PO 00000
Frm 00016
Fmt 4701
Sfmt 4700
not contain such a requirement,
expressed concerns that this
requirement would unduly delay
requests by agencies for BOI, and
highlighted the challenges involved in
FinCEN reviewing each justification
provided by an agency that requests
BOI.
In the first category of objections to
the court order requirement, several
commenters argued that the proposed
rule conflicts with the plain language of
the CTA which does not require a court
order for State, local, or Tribal law
enforcement agencies seeking access to
BOI. Instead, these commenters pointed
out that the CTA uses the general
concept of court authorization, which
could also include other kinds of
authorization. Commenters also cited
the legislative history of the CTA in
arguing that Congress intended to create
a less formal and more flexible process.
These commenters noted that Congress
had considered and rejected a narrower
concept than court authorization when
debating the CTA’s provision
concerning State, local, and Tribal law
enforcement agency access to BOI.
In the second category of objections to
the proposed court order requirement,
commenters argued that a court order
requirement would place unnecessary
burdens on State, local, and Tribal law
enforcement agencies as well as the
courts involved because of the need to
take additional efforts to obtain a court
order. These burdens would be
exacerbated because these agencies
often face greater resource constraints
compared to their Federal counterparts.
The result would be delays in
investigations. One commenter noted
that the requirement could give some
courts the impression that formal
pleadings, evidence-based standards, or
a hearing is necessary to authorize a
request for BOI.
Furthermore, commenters argued that
a court order requirement would
effectively restrict agencies to working
only with a narrow category of court
officers, most likely a judge, rather than
‘‘any officer of such court’’ as the CTA
permits. These commenters also argued
that, as a result, the court order
requirement conflicts with the CTA.
One commenter recommended that the
final rule should clearly state that a
court officer includes any individual
who exercises court authority, including
a judge, magistrate, clerk, bailiff, sheriff,
prosecutor, clerk assistant, or other
personnel that the court designates to
authorize a request for BOI. A few
commenters argued that since an
attorney is commonly considered a
‘‘court officer,’’ and many jurisdictions
allow attorneys to issue subpoenas,
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
attorneys should be able to authorize a
request for BOI. However, one
commenter disagreed with this view,
arguing that only court personnel
should be allowed to authorize an
agency’s request for BOI. In addition,
one commenter requested that FinCEN
provide guidance to court officials who
are involved in authorizing an agency’s
request for BOI, setting forth the proper
procedures for reviewing these requests
as well as potentially providing an
authorization form for agencies and
courts to use. Commenters also
recommended that FinCEN provide
flexibility in how the court order was
reported to FinCEN.
Several commenters also highlighted
the need for flexibility regarding when
in the course of a civil or criminal
investigation courts may authorize a
State, local, or Tribal law enforcement
agency to seek BOI. For example, some
commenters requested that FinCEN
clarify in the final rule that a grand jury
subpoena qualifies as court
authorization under the CTA. Some
commenters also argued that the final
rule should provide more clarity
regarding how prosecutors can draft
grand jury subpoenas to ensure that they
would satisfy the court authorization
requirement. Commenters also
requested that the final rule clarify that
courts should be permitted to authorize
BOI requests throughout the full life
cycle of an investigation, including after
the initiation of a civil or criminal
proceeding.
As for the written justification
requirement in the proposed rule,
commenters argued that it could limit
the ability of State, local, and Tribal law
enforcement agencies to access BOI, and
commenters noted that there is no such
requirement in the text of the CTA.
Several commenters argued that the
written justification requirement would
create a double review process in which
these agencies would first have to obtain
approval from a court for their request
for BOI, and then they would need to
gain a second level of approval from
FinCEN. According to these
commenters, FinCEN would compare
the written justification to the court
order, and based on its review, could
reject the court’s decision to authorize
an agency’s request for BOI. Some
commenters argued that such case-bycase review of justifications by FinCEN
would overwhelm FinCEN’s resources
and cause significant delays in the
ability of State, local, and Tribal law
enforcement agencies to access BOI.95
95 Commenters made several other arguments
against the written justification requirement. For
example, another commenter argued that it would
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
The result, according to several
commenters, is that the written
justification requirement would
undermine the CTA’s policy goal that
the database be ‘‘highly useful’’ to law
enforcement.96
Finally, some commenters focused on
alternative approaches to State, local,
and Tribal law enforcement access to
BOI. One commenter argued that the
final rule should require that State,
local, and Tribal law enforcement
agencies obtain a grand jury subpoena
in order to request BOI, and this
commenter also supported the written
justification requirement. One
commenter raised concerns about
whether courts could adequately protect
the privacy of BOI and argued that a
separate government agency should be
responsible for managing BOI access
requests on behalf of State, local, and
Tribal agencies. Further, one commenter
noted that the CTA itself had imposed
stricter requirements on State, local, and
Tribal agencies than it imposed upon
their Federal counterparts since the
CTA imposed a court authorization
requirement on the former agencies.
This commenter believed that statutory
changes would be necessary to remove
the court authorization requirement in
order to make it simpler for State, local,
and Tribal agencies to access the BOI
database.
Final Rule. The final rule adopts the
requirements for State, local, and Tribal
law enforcement agencies’ access to BOI
in proposed 31 CFR 1010.955(b)(2)
without change. However, FinCEN was
persuaded by comments that were
critical of the requirements in proposed
31 CFR 1010.955(d)(1)(ii)(B)(2) that
State, local, and Tribal law enforcement
agencies submit a copy of a court order
and written justification for FinCEN
review prior to searching for BOI.
Accordingly, FinCEN has made several
changes to that provision in the final
rule. These revisions are intended to
streamline State, local, and Tribal law
enforcement agency access to BOI and
reduce burdens on these agencies and
courts as well as on FinCEN, while at
the same time maintaining robust
confidentiality and security
requirements for these agencies and
be inappropriate for FinCEN to require
‘‘justification’’ from State, local, or Tribal law
enforcement agencies because the CTA only
required ‘‘certifications’’ from Federal agency
heads; that FinCEN does not have the required
subject matter expertise to evaluate justifications;
and that the term ‘‘justification’’ implied a level of
persuasiveness that would be required in the
written statements that State, local, or Tribal law
enforcement agencies provide when they request
BOI.
96 See CTA, section 6402(8)(C).
PO 00000
Frm 00017
Fmt 4701
Sfmt 4700
88747
FinCEN oversight and audit of these
requests.
First, § 1010.955(d)(1)(ii)(B)(2)(i) will
no longer require that these agencies
obtain a specific form of court
authorization, such as a court order.
Instead, the final rule requires only that
State, local, and Tribal law enforcement
agencies obtain ‘‘court authorization’’ to
seek BOI from FinCEN as part of a civil
or criminal investigation. As the
preamble to the proposed rule noted,
FinCEN requested comment on the
various types of relevant court
authorization that exist at the State,
local, and Tribal level, and requested
that commenters explain what role
courts or court officers play in
authorizing evidence-gathering
activities, what existing practices
involve court authorization, and the
extent to which new court processes
could be developed and integrated into
existing practices to satisfy the CTA’s
authorization requirement. FinCEN also
requested comment on the need for
access to BOI at different stages of an
investigation, as well as the privacy
interests that may be implicated by such
access. In requesting comment on these
topics, FinCEN sought greater clarity on
the various mechanisms in which courts
might satisfy the CTA standard of ‘‘court
authorization.’’ The comments that
FinCEN received provided greater
clarity on how State, local, and Tribal
law enforcement agencies could satisfy
the CTA’s court authorization
requirement while also meeting
FinCEN’s obligations under the CTA to
protect the confidentiality of BOI and
prevent potential misuse, including by
being able to audit requests by agencies
for BOI.
FinCEN agrees that requiring State,
local, and Tribal law enforcement
agencies to obtain a court order may
create unnecessary burdens. FinCEN
further agrees that the statutory
language concerning court authorization
would maintain sufficient flexibility
and facilitate access to BOI by State,
local, and Tribal law enforcement
agencies while still protecting against
unauthorized use or disclosure. FinCEN
intends the final rule to provide enough
flexibility so that a variety of court
officers—such as a judge, clerk of the
court, or magistrate—could provide
authorization at appropriate stages of
the investigation process. FinCEN may
issue guidance or FAQs on this subject
in the future if needed, including, for
example, on how the court
authorization requirement would apply
to grand jury proceedings. Such
guidance may also further address
questions about court personnel, stages
of the investigation, court procedures
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88748
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
for reviewing requests for BOI, and
other topics concerning court
authorization in the context of specific
factual circumstances.
However, FinCEN agrees with those
commenters who argued that being an
attorney, by itself, is not sufficient to
empower an individual to grant the
required court authorization under the
CTA. As discussed in the proposed rule,
FinCEN does not believe the CTA,
which includes numerous provisions
limiting who may access BOI, permits
any individual with a license to practice
law to authorize the disclosure of BOI,
even if they are sometimes referred to as
‘‘officers of the court’’ in other contexts.
FinCEN further does not agree with the
commenter that suggested that a
separate government agency, apart from
a court of competent jurisdiction,
should handle BOI requests from State,
local, or Tribal law enforcement
agencies. The CTA is clear that these
agencies must seek court authorization
in order to request BOI from FinCEN,
and FinCEN believes that the security
and confidentiality requirements
reflected in the final rule will be
sufficient to protect against
unauthorized use or disclosure.
Second, rather than submit a copy of
the authorization (such as a copy of a
court order) to FinCEN,
§ 1010.955(d)(1)(ii)(B)(2) now only
requires that State, local, and Tribal law
enforcement agencies (1) certify that
they have received authorization to seek
BOI from a court of competent
jurisdiction and that the BOI is relevant
to a civil or criminal investigation, and
(2) provide a description of the
information the court has authorized the
agency to seek.97 FinCEN is persuaded
by comments stating that the
requirement in the proposed rule would
have set more stringent requirements for
State, local, and Tribal law enforcement
agencies than would apply to their
Federal counterparts. FinCEN is further
persuaded by comments that FinCEN
should instead allow these agencies to
certify that they have obtained
appropriate authorization from a court
of competent jurisdiction.
FinCEN does not intend to look
behind these certifications to assess the
sufficiency of a court’s authorization at
the time a request is submitted. Instead,
the final rule clearly reflects FinCEN’s
role in auditing requesting agencies’ BOI
requests, which requires a process to
ensure that a request for BOI by a State,
local, or Tribal law enforcement agency
remains within the terms of the court
authorization. FinCEN believes that the
97 FinCEN will specify the precise method of
certification at a later date.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
certification requirement, along with the
requirement to provide a description of
the information the court has authorized
the agency to seek, will provide FinCEN
with a sufficiently robust means to
effectively conduct oversight and audit
of such access.
Third, in response to commenters’
concerns, the final rule eliminates the
written justification requirement in
proposed 31 CFR
1010.955(d)(1)(ii)(B)(2)(ii). Moreover,
after considering commenters’ concerns
about potential delays associated with a
case-by-case review of written
justifications from these agencies in
connection with BOI requests, and
taking into account available resources,
FinCEN has determined that, as a policy
matter, it will not conduct individual
reviews of each request for BOI by State,
local, or Tribal law enforcement
agencies when they are submitted.
Rather, consistent with requirements of
the CTA, FinCEN will conduct robust
audit and oversight of State, local, and
Tribal law enforcement agency searches
for BOI to ensure that BOI is requested
for authorized purposes by authorized
recipients. Finally, by adopting the
broad notion of court authorization that
the CTA uses, FinCEN is also choosing
not to further specify in the rule the
particular stages of an investigation
during which courts could authorize a
request for BOI by State, local, or Tribal
agencies.
iii. Disclosure for Use in Furtherance of
Foreign National Security, Intelligence,
or Law Enforcement Activity
a. General
Proposed Rule. Proposed 31 CFR
1010.955(b)(3) authorized FinCEN to
disclose BOI to foreign requesters when
certain criteria were satisfied. The
criteria were that the foreign request for
BOI must (1) come to FinCEN through
an intermediary Federal agency; (2) be
for assistance in a law enforcement
investigation or prosecution, or for a
national security or intelligence activity,
authorized under the laws of the foreign
country; and (3) either be made under
an international treaty, agreement, or
convention, or, when no such
instrument was available, be an official
request by a law enforcement, judicial,
or prosecutorial authority of a trusted
foreign country.
Comments Received. A few
commenters supported both foreign
requester access to BOI and the
threshold requirements for that access.
Another commenter stated that the
proposed rule should specify timelines
for processing and responding to foreign
requests. One commenter stated that
PO 00000
Frm 00018
Fmt 4701
Sfmt 4700
BOI should not be shared with foreign
requesters at all.
Final Rule. FinCEN adopts the
proposed rule without changes. The
final rule is consistent with the letter,
spirit, and purposes of the CTA by
permitting foreign requesters to obtain
BOI for, and use it in, the full range of
activities contemplated by 31 U.S.C.
5336(c)(2)(B)(ii) (i.e., law enforcement,
national security, and intelligence
activities). The rule also resolves
ambiguities arising from inconsistent
statutory language. Specifically, one
part of the CTA’s foreign access
provision appears to require a request to
arise from a foreign ‘‘investigation or
prosecution,’’ 98 while another appears
to allow a foreign requester to use BOI
to further any ‘‘authorized investigation
or national security or intelligence
activity.’’ 99 The final rule resolves this
discrepancy by clarifying that
authorized national security and
intelligence activities, as well as law
enforcement investigations or
prosecutions, could be a basis for a BOI
request.
FinCEN declines to specify timelines
for processing and responding to foreign
requests. At this juncture, FinCEN does
not have sufficient data to support a
prediction about the average amount of
time it will take to issue a response to
a foreign request. Average response
times for requests from foreign countries
when no international treaty, agreement,
or convention applies are particularly
hard to predict. These may often require
highly fact-intensive assessments of
both the requester and the request,
require broad analysis of U.S. interests
and priorities, and involve consultation
with other relevant U.S. government
agencies. Such assessments could take a
matter of days or significantly longer.
While sharing under international
treaties, conventions, or agreements
might follow more predictable
timelines, unforeseeable procedural,
legal, or inter-governmental
impediments hurdles could create
delays. FinCEN commits to processing
requests as quickly as practicable with
available resources rather than establish
deadlines based on limited data.
b. Intermediary Federal Agency
Proposed Rule. Proposed 31 CFR
1010.955(b)(3) authorized FinCEN to
disclose BOI to foreign requesters when
certain criteria were satisfied. One
criterion identified by the CTA and the
proposed regulation was that requests
for BOI must come to FinCEN through
an intermediary Federal agency.
98 31
99 31
E:\FR\FM\22DER3.SGM
U.S.C. 5336(c)(2)(B)(ii)(I).
U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
The CTA did not identify particular
intermediary Federal agencies, and
FinCEN did not propose to identify any
by regulation. FinCEN instead stated its
intention to work with Federal agencies
to identify agencies suited to serving as
intermediaries between FinCEN and
foreign requesters. For example, one
indicator of potential suitability
identified by FinCEN in the Access
NPRM was a Federal agency having
regular engagement and familiarity with
foreign law enforcement agencies,
judges, prosecutors, central authorities,
or competent authorities on matters
related to law enforcement, national
security, or intelligence activity. Other
factors would include whether a
prospective intermediary Federal
agency has established policies,
procedures, and communication
channels for sharing information with
those foreign parties, and whether the
prospective intermediary Federal
agency represents the U.S. government
in relevant international treaties,
agreements, or conventions; other
factors include the expected number of
requests that the agency could receive,
and the ability of the agency to
efficiently process requests while
managing risks of unauthorized
disclosure.
In the Access NPRM, FinCEN stated
that it would work with potential
intermediary Federal agencies to: (1)
ensure that they have secure systems for
BOI storage; (2) enter into MOUs
outlining expectations and
responsibilities; (3) translate the CTA
foreign sharing requirements into
evaluation criteria against which
intermediary Federal agencies could
review requests from foreign requesters;
(4) integrate the evaluation criteria into
the intermediary Federal agencies’
existing information-sharing policies
and procedures; (5) develop additional
security protocols and systems as
required under the CTA and its
implementing regulations; and (6)
ensure that intermediary Federal agency
personnel have sufficient training on
applicable requirements under the CTA
and its implementing regulations. Under
the proposal, FinCEN would exercise
oversight and audit functions to ensure
that intermediary Federal agencies
adhere to requirements and take
appropriate measures to mitigate the
risk of foreign requesters abusing the
information.
Given its longstanding relationships
and relevant experience as the financial
intelligence unit (FIU) of the United
States, FinCEN proposed to directly
receive, evaluate, and respond to
requests for BOI from foreign FIUs.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
Comments Received. One commenter
expressed surprise that the proposed
rule did not include examples of
intermediary Federal agencies, while
another commenter supported the
potential for any Federal agency to
become an intermediary Federal agency.
There were varying perspectives on the
proposal that FinCEN should act as an
intermediary Federal agency for BOI
requests from foreign FIUs. One
commenter stated that foreign requesters
might funnel all requests for BOI
through their FIUs if FinCEN served as
an intermediary Federal agency for
foreign FIU requests, which would
significantly increase FinCEN’s
workload. That commenter also said
that exchanges through FIUs were not
admissible in court. In contrast, one
commenter indicated that FinCEN’s role
should be broadened to include
receiving, reviewing, and evaluating all
foreign requests, not just those from
foreign FIUs. Another commenter asked
FinCEN to clarify that, when reviewing
and responding to requests for BOI from
foreign FIUs, FinCEN would adhere to
the proposed requirements applicable to
other intermediary Federal agencies.
Final Rule. FinCEN adopts the
proposed rule without any changes.
FinCEN is still in the early stages of
working to identify intermediary
Federal agencies, and therefore is not in
a position to list those agencies in a
regulation. FinCEN can anticipate
several Federal agencies that likely
could serve as intermediary Federal
agencies given that (1) the rule
contemplates FinCEN taking indirect
requests for BOI from foreign requesters;
(2) requests will be for assistance in law
enforcement investigations or
prosecutions, or for a national security
or intelligence activity, authorized
under the laws of the relevant foreign
country; and (3) many requests for BOI
will come under international treaties,
agreements, and conventions. Federal
agencies that are likely to meet these
criteria include the U.S. Departments of
State and Justice, the Federal Bureau of
Investigation, U.S. Customs and Border
Protection, the IRS, and member
agencies of the Intelligence Community.
This list only provides examples of
Federal agencies whose activities seem
to align with the functions of an
intermediary Federal agency and is not
intended to create expectations
regarding possible intermediary Federal
agencies.
FinCEN itself will very likely act as
the intermediary Federal agency for
requests for BOI from foreign FIUs. As
the FIU for the United States, FinCEN
already has policies and procedures for,
and extensive experience in, sharing
PO 00000
Frm 00019
Fmt 4701
Sfmt 4700
88749
information related to national security,
intelligence, and law enforcement
activities with foreign FIUs through the
Egmont Group. Accordingly, FinCEN
could leverage existing processes and
relationships to fulfill the requirements
of the CTA and its implementing
regulations.
FinCEN does not expect that foreign
requesters will funnel all requests for
BOI through their FIUs and overwhelm
FinCEN. The rule permits foreign FIUs
to request BOI in two scenarios. The
first scenario is when two conditions
apply: (1) the request is for assistance in
a law enforcement investigation or
prosecution, or for a national security or
intelligence activity, authorized under
the laws of the foreign country, and (2)
a governing international treaty,
agreement, or convention identifies the
foreign FIU as the central or competent
authority in the matter or otherwise
dictates that the foreign FIU should
request BOI from FinCEN. The second
scenario in which a foreign FIU may
request BOI is when there is no
international treaty, agreement, or
convention available. In this scenario,
the foreign FIU may request BOI from
FinCEN when (1) the request is for
assistance in a law enforcement
investigation or prosecution, or for a
national security or intelligence activity,
authorized under the laws of the foreign
country, and (2) the FIU qualifies as a
law enforcement (i.e., authorized by law
to engage in the investigation or
enforcement of civil or criminal
violations of law), judicial, or
prosecutorial authority of a trusted
foreign country. Both scenarios involve
multiple requirements that a foreign FIU
must satisfy to request BOI from FinCEN
and are unlikely to result in a large
number of potential requests from
foreign FIUs.
On the question of BOI admissibility,
FinCEN does not agree with the claim
by one commenter that information
exchanges through FIUs necessarily
render the disclosed information
inadmissible in courts around the world
with enough frequency to warrant
concern. Furthermore, if information
exchanges between FIUs do render
information inadmissible in some
foreign courts, the CTA and this final
rule provide means other than FIU
exchanges by which foreign requesters
may obtain BOI, namely through foreign
judges, prosecutors, law enforcement
agencies, and other central and
competent authorities.100 FinCEN is
confident that foreign requesters that
require admissible BOI, that are
100 See 31 U.S.C. 5336(c)(2)(B)(ii); 31 CFR
1010.955(b)(3).
E:\FR\FM\22DER3.SGM
22DER3
88750
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
authorized to receive BOI under the
terms set forth in the CTA and this final
rule, and that satisfy all applicable
criteria for BOI disclosure will be able
to obtain the information they need in
an admissible form through an
intermediary Federal agency.
Nonetheless, FinCEN believes it
should act as an intermediary Federal
agency for BOI requests from foreign
FIUs. Receiving, reviewing, and
responding to requests for BOI from all
foreign requesters would not be feasible,
given FinCEN’s resource limitations.
c. Foreign Central or Competent
Authority
Proposed Rule. Proposed 31 CFR
1010.955(b)(3) authorized FinCEN to
disclose BOI to foreign requesters when
certain criteria were satisfied. The CTA
did not define central or competent
authorities, and so FinCEN proposed to
make clear that ‘‘[a] relevant ‘foreign
central authority or foreign competent
authority’ would be the agency
identified in an international treaty,
agreement, or convention under which
a foreign request is made’’ (emphasis
added.) This decision was based on
FinCEN’s understanding that ‘‘foreign
central authority’’ and ‘‘foreign
competent authority’’ are terms of art
typically defined within the context of
a particular agreement. FinCEN’s goal
was to remove any ambiguity around
the terms without unduly excluding
appropriate foreign requesters from
access to BOI.
Comments Received. One commenter
pointed to the FATF and the Egmont
Group as potential means of identifying
foreign central and competent
authorities. Specifically, the commenter
stated that, because the United States is
a member of both organizations, either
body’s method of designating foreign
central or competent authorities (with
appropriate safeguards) should allow an
agency designated through that method
to qualify as a foreign central or
competent authority for the purposes of
the CTA.
Another commenter stated that
requiring foreign central and competent
authorities to be identified as such in a
governing international treaty,
agreement, or convention was overly
restrictive. The commenter’s concern
stems from the word ‘‘in.’’ To support
its position, the commenter points to the
Hague Convention for Service Abroad of
Judicial and Extrajudicial Documents in
Civil or Commercial Matters and the
Hague Convention on the Taking of
Evidence Abroad in Civil or Commercial
Matters. The commenter states that both
agreements provide for the use of a
central authority for the receipt of
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
requests for service or evidence by
requiring a contracting state to designate
a central authority and organize the
central authority in accordance with its
own law. Requiring designation of that
central authority upfront in the treaty
itself, the commenter claims, would
remove some level of flexibility, and
would require cumbersome treaty
amendment processes were a party to
change the specified central authority.
As an alternative, this same
commenter suggested looking to the
service provisions of the Foreign
Sovereign Immunities Act, and in
particular 28 U.S.C. 1608, to allow for
largely undefined ‘‘special
arrangements’’ to govern BOI disclosure
through agencies other than central
authorities. The commenter again
pointed to the difficulty of changing
treaties to reflect new central
authorities, and viewed ‘‘special
arrangements’’ as possibly providing
‘‘an approach to better manage the
foreign access provisions of the CTA on
a case-by-case basis.’’
Final Rule. FinCEN adopts the
proposed rule, but with a clarification
about its meaning.
In the course of drafting the Access
NPRM, FinCEN conducted extensive
outreach to the Department of State, the
Department of Justice, and other Federal
agencies that participate in international
affairs on behalf of the United States. As
a result, Treasury understands that
‘‘central authority’’ and ‘‘competent
authority’’ are referents that may be
reliant on international treaties,
agreements, and conventions for context
and meaning. If an institution derives its
status as a central and competent
authority pursuant to an international
treaty, agreement, or convention, then
by definition requiring foreign central
and competent authorities to be
identified as such under governing
international treaties, agreements, or
conventions is not overly restrictive. In
contrast, FATF and the Egmont Group
are not international bodies established
by treaty, agreement, or convention, nor
do they issue, implement, or administer
any of the international treaties,
agreements, or conventions that make
an institution a central or competent
authority. That said, information from
both bodies could be useful in
determining whether foreign countries
are ‘‘trusted’’ in situations when no
international treaty, agreement, or
convention is available.
When such an agreement is available,
a commenter makes a reasonable point
that the instrument might not
specifically identify particular central or
competent authorities, but might instead
direct contracting states to identify them
PO 00000
Frm 00020
Fmt 4701
Sfmt 4700
through other means. The Hague
conventions, which the commenter
points to as examples, are instructive.
As the commenter notes, both
conventions require contracting states to
identify central authorities to administer
convention obligations, but do not
themselves identify specific institutions
of any particular governments as central
authorities. That work is left to
implementing statutes and regulations
in contracting states. FinCEN
understands that this is a common
arrangement in international
agreements. Consequently, for purposes
of 31 CFR 1010.955(b)(3), a foreign
central or competent authority may be
identified as such either directly by a
governing treaty, agreement, or
convention, or by the statutes,
regulations, or other legal means by
which the relevant foreign requester
country has implemented the
agreement.
With this clarification, FinCEN sees
no need to resort to ‘‘special
arrangements’’ under 28 U.S.C. 1608 of
the Foreign Sovereign Immunities Act to
disclose BOI to foreign requesters. The
CTA is clear about which foreign
requesters may obtain BOI from
FinCEN, as well as the criteria they
must satisfy and the general process
they must follow to obtain it. The
resulting framework reflects the
requirements of the CTA but remains
flexible enough to accomplish the stated
aims and purposes of the CTA without
need for supplemental measures.
d. Trusted Foreign Country
Proposed Rule. Proposed 31 CFR
1010.955(b)(3)(ii)(B) authorized FinCEN
to disclose BOI in response to official
requests by law enforcement, judicial, or
prosecutorial authorities of ‘‘trusted’’
foreign countries when other criteria are
satisfied. The other criteria were that the
request for BOI must (1) come to
FinCEN through an intermediary
Federal agency; and (2) be for assistance
in a law enforcement investigation or
prosecution, or for a national security or
intelligence activity, authorized under
the laws of the foreign country. In
keeping with the CTA, the ‘‘trusted
foreign country’’ requirement would
come into play when there is no
international treaty, agreement, or
convention available under which the
relevant foreign country could make the
request.
The CTA does not provide criteria for
determining whether a particular
foreign country is ‘‘trusted,’’ leaving
FinCEN with flexibility to make the
determination. FinCEN considered
identifying particular countries or
groups of countries as ‘‘trusted’’ for the
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
purposes of receiving BOI, but
determined that such a restrictive
approach could arbitrarily exclude
foreign requesters with whom sharing
BOI might be appropriate in some cases
but not others. FinCEN proposed in the
Access NPRM to instead consult with
relevant U.S. government agencies on a
case-by-case basis to determine whether
to disclose BOI to foreign requesters
when no international treaty, agreement,
or convention applies. In making these
determinations, FinCEN and the
consulting agencies would consider U.S.
priorities and interests, as well as the
ability of a foreign requester to maintain
the security and confidentiality of
requested BOI.
Comments Received. Commenters
generally wanted to know either which
foreign countries would be ‘‘trusted’’ or
the criteria by which FinCEN would
identify trusted foreign countries. One
commenter wanted a searchable list of
trusted foreign countries. Multiple
commenters suggested that FinCEN
publicly define its trust criteria, with
some arguing that a non-transparent
case-by-case determination process
could yield unjustifiably disparate
treatment. One commenter suggested
either defining ‘‘trusted’’ or dropping
the term entirely and relying solely on
treaties, agreements, and conventions.
Another commenter noted a FinCEN
definition would promote consistency
of access.
A few commenters argued that
FinCEN should not have sole discretion
to determine which countries are
trusted, as such decisions have
implications for national security and
foreign relations. One commenter
supported FinCEN’s decision not to
develop a prior list of trusted foreign
countries because such a list would
inevitably change over time. That same
commenter further argued, however,
that FinCEN should define the ‘‘relevant
U.S. government agencies’’ with which
it would consult to make trust
determinations as including the
Departments of State and Justice, and
should announce that, at a minimum,
FinCEN will treat members of NATO,
the EU, and the G7 group of nations as
trusted foreign countries absent special
circumstances. Another commenter
stated that FinCEN had taken a sensible
approach regarding the trusted foreign
country requirements, but might
consider giving advance notice to
countries that would explicitly not be
trusted.
Final Rule. FinCEN adopts the
proposed rule with limited
clarifications. FinCEN agrees with the
commenter that the rule would benefit
from identifying particular agencies
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
with which FinCEN is likely to consult
when no international treaty, agreement,
or convention applies to a foreign
request for BOI and FinCEN needs to
determine whether the country at issue
is ‘‘trusted.’’ FinCEN is therefore
specifying in the rule that, in
determining whether a request is from a
‘‘trusted foreign country,’’ FinCEN will
make such determination with the
concurrence of the Department of State,
and in consultation with the
Department of Justice or other agencies
as necessary and appropriate.
Specifying that FinCEN will seek the
Department of State’s concurrence on
these determinations reflects the
Department of State’s central role in
conducting U.S. foreign policy and
foreign relations. FinCEN has also
explicitly identified the Department of
Justice to reflect the major role that the
Department Justice plays in U.S.
relations with other countries in law
enforcement, national security, and
intelligence activities, and the
commensurate likelihood that FinCEN
will regularly consult it when making
trust determinations. However,
identifying these two agencies within
the regulation does not mean that
FinCEN will only consult them when
making trust determinations, or that
FinCEN is delegating its authority to
make those determinations. Indeed,
FinCEN will consult with agencies other
than the Departments of State and
Justice when appropriate, e.g., when
those agencies have relevant equities,
expertise, or relationships with foreign
governments.
While FinCEN is choosing to clarify
the interagency coordination element of
its trust determination process, it is not
defining ‘‘trusted’’ or enumerating
criteria it will use to assess requests for
BOI when no international treaty,
agreement, or convention applies. There
are likely too many situations in which
providing other countries with BOI
might be in the best interest of the
United States to reduce that complexity
to a single definition or list. That same
variability also weighs against
preemptively identifying certain
countries as either wholly trusted or
not. Particular facts and circumstances
are relevant to the determination and
may result in different outcomes where
the same foreign requester is involved.
These are dynamic situations to which
FinCEN must be able to respond
flexibly, in consultation with relevant
Federal agencies. At this time, FinCEN
believes that it is important to retain
appropriate discretion in making
determinations regarding ‘‘trusted’’
foreign countries in particular
PO 00000
Frm 00021
Fmt 4701
Sfmt 4700
88751
circumstances, and declines to adopt
restrictive definitions or criteria that
could be detrimental to broader U.S.
interests.
e. Training
Proposed Rule. Proposed 31 CFR
1010.955(d)(3)(i) required foreign
requesters to handle, disclose, and use
BOI consistent with the requirements of
the applicable treaty, agreement, or
convention under which it was
requested. 31 CFR 1010.955(d)(3)(ii),
meanwhile, applied to situations in
which there was no applicable treaty,
agreement, or convention, and would
have imposed on foreign BOI requesters
certain general requirements that the
CTA imposes on all requesting
agencies.101 FinCEN believed these
measures were necessary to protect the
security and confidentiality of BOI
provided to foreign requesters.102
Proposed requirements applicable to
foreign requesters when no treaty,
agreement, or convention applies
included having security standards and
procedures, maintaining a secure
storage system that complies with the
security standards that the foreign
requester applies to the most sensitive
unclassified information it handles,
minimizing the amount of information
requested, and restricting personnel
access to BOI to persons ‘‘[w]ho have
undergone training on the appropriate
handling and safeguarding [BOI].’’
Foreign requesters that request and
receive BOI under an applicable
international treaty, agreement, or
convention would not have these
requirements under the proposed rule,
given that such requesters would be
governed by standards and procedures
prescribed by the applicable
international treaty, agreement, or
convention.
Comments Received. Several
commenters indicated that FinCEN
should revise the requirement that
foreign requesters limit access to BOI to
persons ‘‘[w]ho have undergone training
on the appropriate handling and
safeguarding of [BOI].’’ One commenter
expressed the view that the training
requirement was stricter than the one
proposed for domestic agencies, under
which personnel with access to BOI
either had to receive training on its
handling and safeguarding or received
the information from someone who had
undergone such training. Another
commenter suggested that FinCEN
adopt this domestic agency standard for
101 In the Access NPRM, FinCEN misnumbered
this provision as a duplicate 31 CFR
1010.955(d)(3)(i).
102 See 31 U.S.C. 5336(c)(3)(A), (K).
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88752
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
foreign requesters. Other commenters
variously stated that training in this
context is superfluous given the other
requirements applicable to foreign
requesters, that training requirements
would exceed reciprocal standards
imposed by foreign partners when U.S.
government agencies obtained beneficial
ownership information from foreign BOI
databases, and that FinCEN should
define with greater precision the
requirements for foreign requester
training.
Final Rule. FinCEN adopts the
proposed rule with changes. First,
FinCEN fixed the typographical error in
31 CFR 1010.955(d)(3)(ii) to reflect the
provision’s correct numbering. Second,
FinCEN has removed the proposed
rule’s requirement that an individual
from an intermediary Federal agency
submit personal details when making
each request on behalf of a foreign
requester. That is because the individual
will submit identifying information to
FinCEN at the time they create an
account to access FinCEN’s BO IT
system, which will be necessary to make
requests on behalf of foreign
governments. FinCEN will provide
guidance to intermediary Federal
agencies at a later time on how users of
the BO IT system will set up these
accounts.
The third change to the proposed
provision pertains to certification
requirements in situations involving
‘‘trusted’’ foreign countries. FinCEN
originally proposed to require each
intermediary Federal agency requesting
BOI on behalf of a foreign requester
under proposed 31 CFR
1010.955(b)(3)(ii)(B) to submit to
FinCEN ‘‘[a] written explanation of the
specific purpose for which the foreign
person is seeking information . . . along
with an accompanying certification that
the information is for use in furtherance
of a law enforcement investigation or
prosecution, or for a national security or
intelligence activity, that is authorized
under the laws of the relevant foreign
country; will be used only for the
particular purpose or activity for which
it is requested; and will be handled
consistent with [applicable security and
confidentiality requirements].’’ FinCEN
is modifying the certification
requirement to avoid unintentionally
imposing on intermediary Federal
agencies a requirement to certify to a
foreign requester’s future behavior with
respect to the BOI obtained, which the
agency could not know with certainty.
Under the final rule, such agencies must
still certify to FinCEN that the
information is for use in furtherance of
a law enforcement investigation or
prosecution, or for a national security or
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
intelligence activity, that is authorized
under the laws of the relevant foreign
country. However, the remainder of the
original certification has been modified
to require only that the intermediary
Federal agency certify that the foreign
requester has been informed that BOI
disclosed to it may only be used for the
particular purpose or activity for which
it was requested and must be handled
consistent with applicable
requirements. This modified
certification better reflects what an
intermediary Federal agency can know
and practically control. FinCEN’s
expectation that foreign requesters will
handle BOI in accordance with
applicable requirements and protect it
to the best of their ability remains
unchanged, as does FinCEN’s
willingness to withhold BOI from
requesters that fail to meet that
expectation.
FinCEN declines to make additional
revisions suggested by comments. The
requirement that foreign requesters
apply appropriate standards and
procedures to protect BOI and limit BOI
dissemination to trained individuals is
reasonable under the circumstances and
unlikely to place undue burden on
foreign requesters. It is critical that all
authorized BOI recipients–including
foreign requesters–take steps to keep
BOI confidential and secure and to
prevent its misuse given the sensitivity
of the personal information to be
reported to the BO IT system. The
application of BOI security standards
and procedures, including the training
requirement, effectuates these
underlying objectives, including by
requiring individual foreign recipients
to have knowledge of those
requirements. FinCEN also declines to
prescribe specific requirements on the
structure and content of any training.
FinCEN recognizes that standards and
procedures will vary by foreign
requester to reflect organizational and
resource differences. At root, every
individual with access to BOI should
understand the purposes for which BOI
can be used, the persons with whom
they can share BOI with and for what
purpose, and the manner in which they
must secure it.
The differences between the
application of BOI security standards
and procedures for domestic and foreign
requesters reflect legal and practical
considerations. First, the CTA
specifically prescribes certain standards
for domestic agencies that have access
to BOI, but not for foreign requesters.
Second, the Access NPRM proposed
standards and procedures that are
tailored to particular circumstances and
challenges involving foreign requesters,
PO 00000
Frm 00022
Fmt 4701
Sfmt 4700
and are arguably less burdensome that
those required of domestic agencies. For
example, FinCEN decided not to
propose an MOU requirement for
foreign requesters because (1) foreign
requesters will not have direct access to
the BO IT system, and (2) FinCEN
anticipates a significantly lower volume
of foreign requests in general relative to
other stakeholders. In contrast, the
MOUs with domestic agencies are
appropriate to mitigate the risks
inherent in the expected volume and
frequency of searches in the BO IT
system. FinCEN anticipates that these
MOUs will, among other things,
memorialize and implement
requirements regarding reports and
certifications, periodic training of
individual recipients of BOI, personnel
access restrictions, re-disclosure
limitations, and access to audit and
oversight mechanisms. The MOUs will
also include security plans covering
topics related to personnel security (e.g.,
eligibility limitations, screening
standards, certifications and notification
requirements); physical security (system
connections and use, conditions of
access, data maintenance); computer
security (use and access policies,
standards related to passwords,
transmission, storage, and encryption);
and inspections and compliance.
Foreign BOI requesters will only
receive BOI through intermediary
Federal agencies that will themselves be
subject to the detailed MOUs described
above. Those intermediary Federal
agencies will in turn work with foreign
requesters either in accordance with
applicable international treaties,
conventions, or agreements or under
standards and protocols that ‘‘trusted’’
foreign countries would be required to
develop and implement.
FinCEN also decided against the
imposition of audit requirements on
foreign requesters because of practical
considerations. First, for the sharing of
BOI governed by international treaties,
agreements, or conventions, the relevant
treaty, agreement, or convention would
govern whether audits would be
permissible. If no treaty, agreement, or
convention applied, practical challenges
would limit FinCEN’s ability to conduct
audits of a foreign requester’s BOI
systems and practices. In order to
conduct such an audit, FinCEN would
need to negotiate appropriate audit
mechanisms, likely on a reciprocal
basis, given that foreign governments
will likely be reluctant to allow FinCEN
extensive access to comprehensively
audit their secure IT systems and
records. FinCEN would also likely need
to commit substantial staff and
personnel to conduct either remote or
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
in-person audits in foreign countries.
While FinCEN could refrain from
sharing BOI with foreign requesters that
refuse to be subject to audits, it would
likely degrade international cooperation
on law enforcement and national
security efforts and constrain the United
States’ ability to combat cross-border
illicit finance and criminal activity,
including fentanyl trafficking, fraud,
and sanctions evasion, among other
crimes.
f. Re-Disclosure of BOI in the Context of
Foreign Requests
Proposed Rule. The Access NPRM
proposed rules that effectuated the
foreign government access provisions in
a series of steps that, first, would have
authorized FinCEN to disclose BOI to
intermediary Federal agencies; would
have then authorized those agencies to
redisclose BOI to the foreign requester;
and would have authorized the foreign
requester to use the BOI, including
through re-disclosure, consistent with
the applicable treaty.
Specifically, proposed 31 CFR
1010.955(b)(3) authorized FinCEN to
disclose BOI to intermediary Federal
agencies for transmission to the foreign
requester where (1) an intermediary
Federal agency provides FinCEN with
the foreign request; (2) the requested
BOI is for assistance in a law
enforcement investigation or
prosecution, or for a national security or
intelligence activity, authorized under
the laws of the foreign country; and (3)
the request is made under an
international treaty, agreement, or
convention, or, when no such
instrument is available, is an official
request by a law enforcement, judicial,
or prosecutorial authority of a trusted
foreign country. Proposed 31 CFR
1010.955(c)(2)(v) would further
authorize the intermediary Federal
agency to disclose the BOI to the foreign
requester, consistent with the CTA’s
foreign government provisions.
Lastly, proposed 31 CFR
1010.955(c)(2)(viii) allowed a foreign
requester that receives BOI pursuant to
a request made under an international
treaty, agreement, or convention to redisclose and use that BOI in accordance
with the requirements of the relevant
agreement. This approach accords with
the CTA’s preference for disclosing BOI
to foreign requesters under international
agreements and allowing the agreements
to govern how the information is used,
as indicated in the introductory
paragraph in 31 U.S.C. 5336(c)(2)(B)(ii).
For foreign requests that are not
governed by an international treaty,
agreement, or convention, FinCEN
proposed reviewing re-disclosure
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
requests from foreign requesters either
on a case-by-case basis or pursuant to
alternative arrangements with
intermediary Federal agencies where
those intermediary Federal agencies
have ongoing relationships with the
particular foreign requester. This would
occur under former 31 CFR
1010.955(c)(2)(ix), now 31 CFR
1010.955(c)(2)(x), discussed in section
III.D.ii.
Comments Received. Commenters
noted several concerns regarding the redisclosure of BOI by intermediary
Federal agencies to foreign requesters.
One commenter indicated that the
proposed rule conflicted with section
2.3 of E.O. 12333 of December 4, 1981,
as amended, by authorizing U.S.
intelligence agencies to share
information about U.S. persons with
other countries’ intelligence agencies
without regard to the Executive Order’s
restrictions on collecting, retaining, and
disseminating U.S. person
information.103 Another commenter
criticized the proposed rule as unduly
vague about the foreign recipient of BOI,
the scope of application of the proposed
31 CFR 1010.955(c)(2)(viii), and
whether re-disclosure would be
consistent with the CTA where no
international treaty, agreement, or
convention is available. A third
commenter observed that FinCEN could
broaden § 1010.955(c)(2)(v) to allow
intermediary Federal agencies to share
BOI with ‘‘relevant countries’’ without
first obtaining FinCEN’s permission,
while a fourth warned FinCEN to ensure
that foreign countries do not use their
tax authorities to obtain BOI for non-tax
related reasons under the pretense of tax
administration.
Final Rule. FinCEN views the
proposed rules to be sufficiently clear
and adopts the provisions as proposed,
though the related provision at new 31
CFR 1010.955(c)(2)(x) is revised as
discussed in section III.D.ii. Proposed
31 CFR 1010.955(c)(2)(v) makes clear
that an intermediary Federal agency
may disclose BOI only ‘‘to the foreign
person on whose behalf the Federal
agency made the request’’ to FinCEN
(emphasis added). The provision is
sufficiently specific as to the foreign
recipient that receives BOI. The rule
also is not in conflict with E.O. 12333,
section 2.3 and, in particular, the
requirement that elements of the
Intelligence Community disseminate
information concerning U.S. persons
only in accordance with certain
established procedures. FinCEN expects
that intermediary Federal agency
103 E.O. 12333, 46 FR 59941 (Dec. 4, 1981)
(‘‘United States Intelligence Activities’’).
PO 00000
Frm 00023
Fmt 4701
Sfmt 4700
88753
requests, and transmission of BOI to
foreign requesters will be in accordance
with any legal requirements, and
internal protocols, applicable to the
intermediary Federal agency. For
instance, the guidelines of the Office of
the Director of National Intelligence
require that, for dissemination of
information regarding U.S. persons to
foreign governments, those entities must
agree to restrictions on the use and
dissemination of that information as
necessary.104 Furthermore, consistent
with the rule, an agency’s internal
protocols might place certain process
requirements on the agency in making
the request to FinCEN for BOI or on the
re-disclosure of the information to the
foreign requester.
Former 31 CFR 1010.955(c)(2)(viii)—
now renumbered as 31 CFR
1010.955(c)(2)(ix)—permits foreign
requesters to re-disclose BOI consistent
with the terms of the applicable
international treaty, agreement, or
convention, but does not authorize
disclosure in any other contexts.
Relying on the general authority in 31
CFR 1010.955(c)(2)(x) for FinCEN to
authorize by prior written authorization,
protocols, or guidance redisclosures in
furtherance of an authorized purpose or
activity, FinCEN will review
redisclosure requests from foreign
requesters that did not request BOI
pursuant to an international treaty,
agreement, or convention.
FinCEN also declines to permit
intermediary Federal agencies to redisclose BOI to a defined list of
countries, without either a governing
international treaty, agreement, or
convention or separate FinCEN
authorization. The scenario the proposal
seems to contemplate involves an
intermediary Federal agency requesting
BOI from FinCEN on behalf of one
foreign requester, storing the
information in the intermediary Federal
agency’s own database, and then later
re-disclosing that same BOI to a
different foreign requester that wants
the information and satisfies the
eligibility criteria that would qualify it
to have the intermediary Federal agency
request the information from FinCEN on
its behalf. In this case, however, the
intermediary Federal agency would not
need to retrieve the BOI from FinCEN’s
BO IT system or involve FinCEN at all
because it would already have the
relevant BOI in its own system.
104 See Office of the Direct of National
Intelligence, Attorney General (AG) Guidelines,
Approved December 23, 2020, available at https://
www.intel.gov/assets/documents/
702%20Documents/declassified/AGGs/
ODNI%20guidelines%20as%20approved
%20by%20AG%2012.23.20_OCR.pdf.
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88754
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
FinCEN views this proposal as
infeasible for a number of reasons. First,
a reporting company might update its
reported BOI in the interim between the
times when two foreign requesters want
the information. The intermediary
Federal agency’s stored BOI would not
reflect those updates and would be out
of date and potentially useless or
confounding in an investigation or
prosecution if passed to a foreign
requester. Having foreign requesters
receive outdated BOI would undercut
the CTA’s objective of providing useful
information to authorized BOI
recipients.
The second consideration weighing
against the proposal has to do with
auditing. FinCEN has extensive audit
requirements with respect to Federal
agencies that receive BOI under the
CTA. While an intermediary Federal
agency will not need FinCEN’s explicit
and case-specific ‘‘permission’’ to
retrieve BOI from the BO IT system on
a foreign requester’s behalf, the
intermediary will need to submit to
FinCEN certain information about itself,
the request, and the requester. FinCEN
will in turn rely on this information to
satisfy those audit requirements. The act
of an intermediary Federal agency
retrieving BOI from the BO IT system
will also serve as information upon
which FinCEN will rely as a proxy
record indicating that a corresponding
disclosure to a foreign requester
occurred. Were FinCEN to authorize
intermediary Federal agencies to store
and disseminate FinCEN-derived BOI
from their own databases instead of
responding to foreign requests for BOI
with information retrieved from
FinCEN’s BO IT system on a one-for-one
basis, all of that information would be
lost, more difficult to collect, or more
subject to tampering. All of these
considerations lead FinCEN to reject
this proposal.
Finally, FinCEN takes seriously
concerns about foreign requesters and
other authorized BOI recipients
requesting BOI for one purpose and
using it for other purposes the CTA does
not permit. This includes concerns
about pretextual requests made under
the guise of activities related to the
enforcement of tax laws, a relatively
narrow aspect of ‘‘tax administration,’’
as defined in 26 U.S.C. 6103(b)(4), for
which the CTA authorizes BOI
disclosure to foreign requesters.105
105 The CTA does not authorize FinCEN to
provide BOI to foreign requestors for any and all tax
administration purposes. Some foreign tax-related
activities, however, including enforcement of tax
laws, may qualify as law enforcement, national
security, or intelligence activities under the CTA,
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
These concerns are why FinCEN is
requiring intermediary Federal agencies
to certify that requests for BOI from
foreign requesters satisfy applicable
CTA requirements, including the
requirement that requests be for use in
furtherance of a law enforcement
investigation or prosecution, or for a
national security or intelligence activity,
that is authorized under the laws of the
relevant foreign country.
That said, a foreign requester that
originally obtained BOI for use in
furtherance of an authorized law
enforcement investigation or
prosecution (including those related to
tax laws), or for an authorized national
security or intelligence activity, would
not necessarily be prohibited from also
using that BOI for other purposes when
the BOI was obtained pursuant to a
treaty, agreement, or convention. As
explained previously, if a foreign
requester obtains BOI pursuant to a
treaty, agreement, or convention for use
in an activity authorized by the CTA,
then the requester is authorized to
subsequently use or re-disclose the
information in any way permitted by
that treaty, agreement, or convention.
This allowance reflects the general
deference to treaties, agreements, and
conventions exhibited by the CTA’s
foreign sharing provision. In all cases,
FinCEN will work with intermediary
Federal agencies to ensure that foreign
requesters understand and agree to
abide by the restrictions and
requirements associated with BOI, as
well as the potential consequences for
failing to honor those commitments.
iv. Disclosure To Facilitate Compliance
With Customer Due Diligence
Requirements
The Access NPRM proposed to
authorize disclosure of BOI to facilitate
compliance with ‘‘customer due
diligence requirements under applicable
law’’ 106 to: (1) ‘‘financial institutions’’
subject to such customer due diligence
requirements, and (2) ‘‘Federal
functional regulator[s] or other
appropriate regulatory agenc[ies] . . .
authorized by law to assess, supervise,
enforce, or otherwise determine the
compliance’’ of financial institutions
with such requirements.107 FinCEN
therefore discusses the proposed terms
of financial institution and regulator
access to BOI separately.
31 U.S.C. 5336(c)(2)(B)(ii), permitting BOI to be
disclosed under appropriate circumstances.
106 31 U.S.C. 5336(c)(2)(B)(iii); proposed 31 CFR
1010.955(b)(4).
107 Id.; 31 U.S.C. 5336(c)(2)(B)(iii), (C)(i).
PO 00000
Frm 00024
Fmt 4701
Sfmt 4700
a. Financial Institutions
The Access NPRM proposed
provisions specifying which financial
institutions 108 could access BOI, the
uses to which they could put BOI, and
the prerequisites for their access and
terms of use. The NPRM’s treatment of
financial institution access was the
focus of many comments. Numerous
comments focused both on FinCEN’s
proposal to limit the financial
institutions authorized to obtain BOI to
those with responsibilities under
FinCEN’s 2016 CDD Rule and on
FinCEN’s proposal to limit those
financial institutions’ use of BOI to
facilitating compliance with 31 CFR
1010.230 of the 2016 CDD Rule. Both of
those subjects are discussed here. Other
issues raised by commenters on
financial institution access and use of
BOI were tied to larger systemic
concerns and less closely associated
with financial institutions per se,
including the consent requirement,
confidentiality and security protocols,
and redisclosure of BOI. These more
systemic comments are addressed
elsewhere in this document.
Proposed Rule. The CTA authorizes
FinCEN to disclose BOI upon receipt of
a request ‘‘made by a financial
institution subject to customer due
diligence requirements, with the
consent of the reporting company, to
facilitate the compliance of the financial
institution with customer due diligence
requirements under applicable law.’’ 109
The CTA neither defines ‘‘financial
institution subject to customer due
diligence requirements’’ nor ‘‘customer
due diligence requirements under
applicable law.’’ Proposed 31 CFR
1010.955(b)(4)(i) described both the
types of financial institutions entitled to
request BOI and the purposes for which
those financial institutions could use
that BOI. Under the rule, FinCEN would
disclose BOI to financial institutions
‘‘subject to customer due diligence
requirements under applicable law,’’
and that BOI could be used ‘‘in
facilitating . . . compliance’’ with those
customer due diligence requirements.
Section 1010.955(b)(4)(i) further
defined the phrase ‘‘customer due
diligence requirements under applicable
law’’ to mean the requirement imposed
on ‘‘covered financial institutions’’
under 31 CFR 1010.230 to identify and
108 FinCEN regulations generally define ‘‘financial
institution,’’ including for the purposes of this rule,
at 31 CFR 1010.100(t). This general definition is
distinct from that of ‘‘covered financial institution,’’
as used in the 2016 CDD Rule and this preamble.
Under the 2016 CDD Rule (specifically, 31 CFR
1010.230(f)), ‘‘covered financial institution’’ has the
meaning set forth in 31 CFR 1010.605(e)(1).
109 31 U.S.C. 5336(c)(2)(B)(iii).
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
verify beneficial owners of their ‘‘legal
entity customers,’’ primarily at account
opening.110 These ‘‘covered financial
institutions’’ are limited to: banks
(including credit unions); brokers or
dealers in securities registered, or
required to be registered, with the SEC;
futures commission merchants and
introducing brokers in commodities
registered, or required to be registered,
with the CFTC; and mutual funds.111 In
contrast, other types of financial
institutions, such as money services
businesses (MSBs) and insurance
companies, would not be able to access
BOI from FinCEN in light of the 2016
CDD Rule definition. Additionally,
under the proposed rule, these financial
institutions would be able to use BOI
only to comply with 31 CFR 1010.230,
but not for other purposes. This
approach was designed to enhance
security and confidentiality, and
facilitate audit and oversight, of the BOI
database by describing a defined set of
financial institutions and limiting
opportunities for unauthorized use or
intentional or inadvertent breaches.
FinCEN also considered a broader
approach that would permit financial
institutions with CIP obligations 112 to
access the database. A broader approach
would have permitted more financial
institutions to use BOI for a wider range
of compliance activities, such as
compliance with CIP regulations.
FinCEN specifically requested
comments on the interpretation of the
phrase ‘‘customer due diligence
requirements under applicable law,’’
including whether FinCEN should
adopt a broader definition, how to best
provide regulatory clarity, and how to
maintain the security and
confidentiality of BOI if a broader
definition were adopted.113
110 31 CFR 1010.230(b). Under the 2016 CDD
Rule, ‘‘legal entity customer means a corporation,
limited liability company, or other entity that is
created by the filing of a public document with a
Secretary of State or similar office, a general
partnership, and any similar entity formed under
the laws of a foreign jurisdiction that opens an
account,’’ with certain exceptions. Id. 1010.230(e).
This definition of ‘‘legal entity customer’’ overlaps
with, but is distinct from, the definition of
‘‘reporting company’’ in 31 CFR 1010.380(c) of the
Reporting Rule.
111 31 CFR 1010.230(f) (cross-referencing the
definition of ‘‘covered financial institutions’’ in 31
CFR 1010.605(e)(1)).
112 See 31 CFR 1020.220, 1023.220, 1024.220,
1026.220.
113 The preamble to the proposed rule noted that
FinCEN also had considered defining ‘‘customer
due diligence requirements under applicable law’’
to include State, local, and Tribal customer due
diligence requirements similar in substance to the
2016 CDD Rule. However, FinCEN chose not to do
so, noting that it was unaware of any such
requirements. FinCEN invited comments about any
State, local, or Tribal laws or regulations that
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
Comments Received. FinCEN received
many comments that were critical of
FinCEN’s proposed approach. First,
commenters asserted that FinCEN’s
interpretation ran counter to the plain
text of the CTA. Several commenters
pointed to the CTA provision directing
the Secretary to promulgate regulations
that ‘‘facilitate the compliance of []
financial institutions with anti-money
laundering, countering the financing of
terrorism, and customer due diligence
requirements under applicable law.’’ 114
In order to implement this provision,
one commenter noted that FinCEN
should allow financial institutions to
access BOI for more uses than
compliance with 31 CFR 1010.230, and
pointed to contrasting references in the
CTA to 31 CFR 1010.230 and ‘‘customer
due diligence requirements under
applicable law’’ as indicative of
Congressional intent.115 Another
commenter stated that FinCEN erred
when it pointed to the Sense of
Congress as evidence that Congress
understood ‘‘customer due diligence
requirements under applicable law’’ did
not include ‘‘anti-money laundering,
[and] countering the financing of
terrorism.’’ 116
Second, commenters argued that the
proposed rule’s approach would be
burdensome for financial institutions
and undermine the usefulness of the
BOI database. In particular, commenters
claimed that the proposed approach
conflicted with the core CTA objectives
that the BOI database be ‘‘highly useful’’
to financial institutions,117 and that
burdens on financial institutions should
be minimized.118 In this respect, one
commenter listed the variety of AML/
CFT compliance and sanctions-related
tasks for which banks relied on the BOI
obtained from legal entity customers
under the 2016 CDD Rule, including, for
example, compliance with CIP
requirements, customer risk ratings,
require financial institutions to identify and verify
the beneficial owners of legal entity customers. One
commenter noted that some states, such as New
York, require financial institutions operating in the
state to implement AML programs that include
general customer identification and customer due
diligence requirements. However, this commenter
did not cite to any requirements to identify and
verify beneficial owners of legal entities, as
FinCEN’s 2016 CDD Rule requires.
114 31 U.S.C. 5336(b)(1)(F)(iv)(II).
115 CTA, section 6403(d)(1) (directing the
Secretary of the Treasury to revise the 2016 CDD
Rule).
116 CTA, section 6402(6)(B).
117 See 31 U.S.C. 5336(b)(1)(F)(iv).
118 See CTA, section 6403(d)(1)(C) (directing that
the 2016 CDD Rule be revised to ‘‘reduce any
burdens on financial institutions and legal entity
customers that are, in light of the enactment of this
division and the amendments made by this
division, unnecessary or duplicative’’).
PO 00000
Frm 00025
Fmt 4701
Sfmt 4700
88755
transaction monitoring, sanctions
screening, identifying politically
exposed persons, and filing SARs or
sanctions-related reports.119 The
commenter reiterated that the proposed
rule would not provide financial
institutions with any additional AML/
CFT compliance value if financial
institutions could use FinCEN-collected
BOI only as described in the proposed
rule; in fact, the commenter confirmed
that financial institutions would be
unlikely to use the database at all. Other
commenters pointed to likely
implementation burdens and
duplicative requirements, such as the
likely need to create a firewall and
systems to separate FinCEN-obtained
BOI from BOI obtained under the 2016
CDD Rule, given the different purposes
for which those two types of BOI could
be used. This, in turn, would also
impose duplicative requirements on
reporting companies, given their need to
provide BOI to both FinCEN and to
financial institutions.
Third, commenters maintained that
the proposed approach conflicts with
the broader AML/CFT regulatory
framework, including supervisory
expectations and FinCEN guidance on
the role of customer due diligence in a
financial institution’s AML program.
Several commenters stated squarely that
the phrase ‘‘customer due diligence
requirements under applicable law’’
clearly encompassed AML/CFT
requirements beyond the identification
and verification requirements of the
2016 CDD Rule. For example,
commenters noted that the 2016 CDD
Rule itself interprets ‘‘customer due
diligence’’ broadly to encompass
ongoing monitoring for reporting
suspicious transactions,120 and amends
AML program rules to require financial
institutions to implement risk-based
119 The commenter noted, and FinCEN agrees,
that the 2016 CDD Rule itself imposed no specific
limits on how financial institutions could use the
BOI collected under that rule, including for AML/
CFT compliance purposes.
120 See 2016 CDD Rule, 81 FR at 29398 (‘‘FinCEN
believes that there are four core elements of
customer due diligence, and that they should be
explicit requirements in the anti-money laundering
(AML) program for all covered financial
institutions, in order to ensure clarity and
consistency across sectors: (1) Customer
identification and verification; (2) beneficial
ownership identification and verification; (3)
understanding the nature and purpose of customer
relationships to develop a customer risk profile; and
(4) ongoing monitoring for reporting suspicious
transactions and, on a risk-basis, maintaining and
updating customer information.’’).
E:\FR\FM\22DER3.SGM
22DER3
88756
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
procedures for doing so.121 122 Other
commenters invoked supervisory
expectations around the use of BOI,
noting that the Federal Financial
Institutions Examination Council
(FFIEC) BSA/AML Examination
Manual123 states that banks should
specify in their policies, procedures,
and processes how BOI will be used to
meet other regulatory obligations, such
as identifying suspicious activity and
identifying parties sanctioned by
Treasury’s Office of Foreign Asset
Control (OFAC).124 Commenters also
provided specific suggestions to
broaden the scope of use of BOI, for
example, including CIP requirements
under 31 CFR 1010.220 and the ongoing
customer due diligence requirements
under 31 CFR 1010.210 to facilitate the
compliance with AML/CFT and
customer due diligence requirements
under applicable law.125 Finally, some
commenters claimed that the proposed
approach would make it challenging for
financial institutions to comply with
other legal or regulatory requirements,
such as sanctions screening, and urged
FinCEN to broaden the permitted uses
of BOI.
Fourth, commenters also expressed
concerns about the policy reasons for
choosing a narrower interpretation of
‘‘customer due diligence requirements
under applicable law,’’ for example,
easing administration of the BOI
database and protecting BOI security
and confidentiality. One commenter
stated that ease of administration is not
a sufficient justification to limit the
ways financial institutions can use BOI
to combat illicit finance. Several
commenters noted that both the CTA,
and laws requiring banks to protect the
vast amounts of PII for which they are
responsible, such as Gramm-LeachBliley, provide multiple safeguards to
ensure the confidentiality and security
of BOI, including substantial protocols
121 See 2016 CDD Rule, 81 FR at 29457–29458,
codified, as amended, at 31 CFR 1020.210(a)(2)(v),
1023.21(b)(5), 1024.210(b)(5), 1026.210(b)(5).
122 One commenter also noted that banks have
built their compliance systems to be consistent with
the preamble to the 2016 CDD Rule. The commenter
indicated that limiting the purposes for which BOI
obtained from the database can be used thus would
hurt such compliance efforts.
123 FFIEC BSA/AML Examination Manual,
available at https://bsaaml.ffiec.gov/manual.
124 Relatedly, another commenter urged FinCEN
to consider allowing broad BOI access for purely
practical reasons, taking into account the value that
BOI provides for financial institutions in meeting
their regulatory obligations beyond the 2016 CDD
Rule, such as fraud detection, customer
identification and verification, and OFAC sanctions
screening.
125 In contrast, another commenter asked that
FinCEN itemize exactly how financial institutions
can use BOI, rather than cross-referencing 31 CFR
1010.230 or any other regulatory provision.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
that financial institutions must follow to
access the BOI database.
Fifth, while a few commenters
expressed support for the limitation on
the types of financial institutions with
access to BOI, many commenters argued
that certain types of financial
institutions not subject to the 2016 CDD
Rule—in particular, MSBs—would
benefit from access to the BOI and that
FinCEN’s definition of ‘‘customer due
diligence requirements under applicable
law’’ thus should be changed to allow
these other financial institutions to
access FinCEN-collected BOI.126 One
commenter noted that MSBs—which are
required to implement AML compliance
programs with ‘‘policies, procedures,
and internal controls reasonably
designed’’ to ensure compliance with
the BSA127—may be required by those
programs to identify and verify the
beneficial owners of legal entity
customers and authorized agents during
onboarding. In this context, the
commenter identified FinCEN’s 2016
guidance to MSBs concerning agent
monitoring that required MSB
principals to identify the owners of an
MSB’s agents as a reason for interpreting
the term ‘‘customer due diligence
requirements under applicable law’’ to
include such MSB requirements.128
Lastly, one commenter urged FinCEN to
allow any financial institution that has
AML program obligations to have access
to the BOI database, subject to
appropriate security requirements and
other access protocols, in order to
enhance overall transparency in the U.S.
financial system and to effectively fight
illicit finance.
Final Rule. In light of the comments
received, FinCEN has revised its
proposed approach towards the
financial institutions that will have
access to the BOI database and the
purposes for which that BOI may be
used. The revised regulation now
specifies that the clause ‘‘customer due
diligence requirements under applicable
law’’ includes ‘‘any legal requirement or
prohibition designed to counter money
laundering or the financing of terrorism,
126 Additionally, two commenters agreed with
FinCEN’s proposed definition of ‘‘customer due
diligence under applicable law’’ but claimed that
this did not lead to the limitations that FinCEN
proposed to place on the use of BOI by financial
institutions. These commenters asserted that
FinCEN’s proposed definition was consistent with
a broader authorization for financial institutions to
use BOI for any purpose consistent with a financial
institution’s anti-financial crimes program,
including (but not limited to) AML, sanctions, antibribery, and anti-corruption procedures.
127 See 31 CFR 1022.210(d)(1)(i).
128 FIN–2016–G001, Guidance on Existing AML
Program Rule Compliance Obligations for MSB
Principals with Respect to Agent Monitoring (Mar.
11, 2016).
PO 00000
Frm 00026
Fmt 4701
Sfmt 4700
or to safeguard the national security of
the United States, to comply with which
it is reasonably necessary for a financial
institution to obtain or verify beneficial
ownership information of a legal entity
customer.’’ Accordingly, the final
regulations would permit a broader
range of financial institutions to access
BOI from the FinCEN database for a
broader range of purposes than
described in the proposed rule should
FinCEN choose to afford such access. As
discussed below in this section,
however, FinCEN, in the exercise of its
discretion, intends to permit only
financial institutions with obligations
under the 2016 CDD Rule to have access
to the BOI database at this time.
Under this approach, a financial
institution can use BOI obtained from
FinCEN to help discharge its AML/CFT
obligations under the BSA, including its
AML program, customer identification,
SAR filing, and enhanced due diligence
requirements. It can also use BOI to
satisfy other requirements, so long as
those requirements are designed to
counter money laundering or the
financing of terrorism or safeguard U.S.
national security, and so long as it is
reasonably necessary to obtain or verify
BOI of legal entity customers to satisfy
those requirements. For example, a
financial institution may use BOI
obtained from FinCEN (with the consent
of the reporting company) to facilitate
compliance with sanctions imposed by
OFAC on individuals and legal entities
under the International Emergency
Economic Powers Act129 and other legal
authorities, such as the Foreign
Narcotics Kingpin Designation Act130
and the Global Magnitsky Human Rights
Accountability Act.131 These sanctions
can have national security and antimoney laundering purposes. Financial
institutions regularly use BOI to comply
with these sanctions, often through
OFAC sanctions screening, including in
ascertaining whether sanctions are
applicable to persons by virtue of the socalled ‘‘50-percent’’ rule.132
At the same time, there are bounds to
the uses of BOI by financial institutions
under the final rule. As a threshold
matter, the use of BOI should be directly
129 50
U.S.C. 1701–1706.
U.S.C. 1901–1908.
131 22 U.S.C. 10101–10103.
132 The ‘‘50 percent rule’’ subjects to U.S.
sanctions any entity that is 50 percent owned by a
blocked person is itself blocked, and U.S. persons,
including domestic financial institutions, are
prohibited from transacting business with such an
entity. See, e.g., OFAC, Addition of General
Licenses for the Official Business of the United
States Government and Certain International
Organizations and Entities and Updates to the 50
Percent Rule Interpretive in OFAC Sanctions
Regulations, 87 FR 78470 (Dec. 21, 2022).
130 21
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
related to a financial institution’s
compliance with a legal obligation that
is designed to counter money
laundering or the financing of terrorism,
or to safeguard the national security of
the United States. For example, the final
rule does not permit financial
institutions to use BOI from FinCEN in
assessing whether to extend credit to a
legal entity, or in establishing the price
of that credit, when credit decisions are
unrelated to AML/CFT or national
security purposes. Moreover, FinCEN
does not consider general business or
commercial uses of BOI, such as client
development, to be consistent with
AML/CFT or national security purposes.
The broader approach taken in the
final rule is motivated by both legal and
policy considerations. First, FinCEN is
persuaded that both the statutory
framework and congressional intent are
properly read to encompass uses
broader than compliance with the 2016
CDD Rule. The CTA provision
governing the 2016 CDD Rule revisions
directs that the revised rule needs to
take into account financial institution
access to BOI ‘‘to facilitate the
compliance of those financial
institutions with anti-money
laundering, countering the financing of
terrorism, and customer due diligence
requirements under applicable law.’’ 133
The Sense of Congress similarly states
that BOI should be available to
‘‘facilitate the compliance of the
financial institutions with anti-money
laundering, countering the financing of
terrorism, and customer due diligence
requirements under applicable law.’’ 134
This terminology is broader than a
reference to the 2016 CDD Rule.
Moreover, commenters correctly point
out that the CTA’s specific references to
the 2016 CDD Rule contrast with those
more general references to customer due
diligence requirements elsewhere in the
CTA.135
Second, as noted by many
commenters, the revised approach will
further the overarching purposes of the
CTA to combat illicit activity by
enabling financial institutions to use
BOI for AML/CFT and national security
purposes. The revised approach will
allow a financial institution to integrate
and leverage BOI obtained from FinCEN
with other information that the financial
institution uses for their full range of
customer due diligence activities. It will
also reduce the burdens on financial
institutions in handling and using BOI,
and correspondingly, increase its
practical value.
133 CTA,
section 6402(d)(1)(B).
section 6402(6).
135 CTA, section 6403(d)(1).
The final rule also authorizes FinCEN
to disclose BOI to a broader range of
financial institutions consistent with the
revised approach taken with respect to
the meaning of ‘‘customer due diligence
requirements under applicable law.’’
Accordingly, MSBs and other financial
institutions with AML program
requirements, such as casinos, along
with ‘‘covered financial institutions’’ as
defined in the 2016 CDD Rule, would be
eligible under the final rule to access the
database subject to appropriate security
and confidentiality protocols. The final
rule, however, accords FinCEN with
discretion regarding the scope and
timing of access by financial
institutions. The CTA does not direct
FinCEN to provide access to financial
institutions, but rather states that
FinCEN ‘‘may disclose’’ BOI to
qualifying financial institutions,
consistent with the CTA’s security,
confidentiality, and provisions
regarding the usefulness of the
database.136 The final rule, 31 CFR
1010.955(b)(4)(i), likewise preserves this
discretion accorded to FinCEN.
In the exercise of this discretion,
FinCEN intends to provide access as an
initial matter to financial institutions
that are covered financial institutions
under the 2016 CDD Rule. The initial
focus on covered financial institutions
under the 2016 CDD Rule will allow
FinCEN to work towards timely access
for those institutions with
comprehensive security and
confidentiality protocols and
compliance and supervisory frameworks
regarding the use of that information,
while working to further evaluate
whether it is appropriate and feasible to
expand access to other financial
institutions, such as MSBs or casinos,
after an initial implementation period.
Against the backdrop of the comments
received on this provision, FinCEN
notes that two core considerations
motivate access: the importance of BOI
access for effective AML/CFT
compliance and the need for security
and confidentiality in the handing and
use of such BOI. There are estimated to
be over 300,000 financial institutions
regulated under the BSA that are diverse
in size, business types, complexity, and
supervisory and regulatory frameworks,
in particular, with differences in
security and confidentiality
requirements. Covered financial
institutions under the 2016 CDD Rule
are subject to the Gramm-Leach-Bliley
security requirements and a national
supervisory framework with respect to
implementation of those requirements.
In contrast, other financial institutions
134 CTA,
VerDate Sep<11>2014
19:01 Dec 21, 2023
that are not subject to the 2016 CDD
Rule, such as casinos, MSBs, and
dealers in precious metals, precious
stones, or jewels, are subject to more
fragmented security standards that
require additional time to evaluate and
determine the extent to which standards
and oversight mechanisms are required.
Along with the development of new,
and additional, standards, FinCEN will
need to identify and implement
additional outreach, help desk training,
audit, oversight and other resources to
ensure that this larger group of financial
institutions complies with the security,
confidentiality, and use requirements
under the final rule. Lastly, FinCEN will
continue to evaluate the usefulness of
BOI access to particular industry sectors
based on a range of factors, e.g., which
financial institutions with AML
program requirements have legal entity
customers,137 the size of this customer
base, and the related illicit finance risks,
as it considers further expanding access
to additional financial institutions.
b. Regulatory Agencies
1. Scope of Regulatory Agency Access to
BOI
Proposed Rule. The CTA authorizes
Federal functional regulators and ‘‘other
appropriate regulatory agencies’’ to
access ‘‘the information’’ previously
made available to financial institutions
subject to customer due diligence
requirements under applicable law.138
Consistent with this provision,
proposed 31 CFR 1010.955(b)(4)(ii)
would allow FinCEN to disclose BOI
that has been previously provided to a
financial institution to a ‘‘Federal
functional regulator or other appropriate
regulatory agency’’ if the regulator
requests it, is authorized by law to
assess, supervise, enforce, or otherwise
determine the compliance of such
financial institution with ‘‘customer due
diligence requirements under applicable
law’’ (proposed § 1010.955(b)(4)(ii)(A));
will use the BOI solely for that purpose
(proposed § 1010.955(b)(4)(ii)(B)); and
has entered into an agreement with
FinCEN to properly safeguard BOI
(proposed § 1010.955(b)(4)(ii)(C)). As
discussed in the preceding section
(III.C.iv.a), in view of the proposed
rule’s approach towards the phrase
‘‘customer due diligence requirements
under applicable law,’’ Federal
functional regulators and other
regulatory agencies would have been
authorized to access BOI only to assess,
supervise, enforce, or otherwise
137 As
136 31
Jkt 262001
PO 00000
U.S.C. 5336(c)(2)(B).
Frm 00027
Fmt 4701
Sfmt 4700
88757
138 31
E:\FR\FM\22DER3.SGM
defined at 31 CFR 1010.230(e).
U.S.C. 5336(c)(2)(C).
22DER3
88758
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
determine a financial institution’s
compliance with 31 CFR 1010.230.
Comments Received. Two
commenters raised concerns that the
limitations on access for regulators were
overly restrictive. The comments argued
that the proposed rule did not
adequately justify why supervisory
access should be limited for the sole
purpose of determining financial
institution compliance with the
requirements of 31 CFR 1010.230, and
that regulators should have access to the
database to assess a financial
institution’s compliance with customer
due diligence obligations over which
regulators broadly have regulatory
authority.139
In contrast, one commenter noted
skepticism as to whether Federal or
state regulators even needed to access
the BOI database if financial institutions
would not be subject to a requirement
to use the database. Absent such a
requirement, the commenter noted that
financial institutions would likely
obtain beneficial ownership information
directly from their customers under the
2016 CDD Rule. The commenter further
stated that financial institutions should
not be responsible for resolving any
discrepancies between the BOI reported
to FinCEN and the BOI that financial
institutions received from their
customers.
Final Rule. FinCEN retains proposed
31 CFR 1010.955(b)(4)(ii) in the final
rule, but the scope of this provision has
changed. In light of the revised
approach to the phrase ‘‘customer due
diligence requirements under applicable
law’’ in 31 CFR 1010.955(b)(4)(i),
§ 1010.955(b)(4)(ii)(A) now provides
access to BOI obtained from FinCEN to
those regulatory agencies that ‘‘assess,
supervise, enforce, or otherwise
determine’’ compliance of financial
institutions with AML/CFT- or national
security-related legal requirements for
which BOI access is reasonably
necessary. Relatedly, final rule
§ 1010.955(b)(4)(ii)(B)—which also
remains identical to the proposed rule—
prescribes that regulatory agencies can
now use that BOI obtained from FinCEN
to conduct ‘‘the assessment,
supervision, or authorized
investigation’’ in connection with a
financial institution’s use of BOI
obtained from FinCEN to comply with
139 This
commenter supported FinCEN’s separate
statement in the NPRM, 87 FR at 77411, that
regulators engaged in national security or law
enforcement activities would be able to access BOI
under proposed 31 CFR 1010.955(b)(1) in addition
to proposed 31 CFR 1010.955(b)(4)(ii), subject to
specific conditions and limitations. The commenter
viewed this position as partly correcting the
limitation of regulatory access to supervising
compliance with § 1010.230.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
legal requirements to counter money
laundering or the financing of terrorism,
or to safeguard the national security of
the United States. FinCEN does not
expect the number of regulatory
agencies with access to BOI under this
provision to change significantly under
the final rule’s approach, but believes
that the supervisory scope will be better
matched to effectively supervise
financial institutions for AML program
implementation. Supervisory agencies
that seek to retrieve BOI under
§ 1010.955(b)(4)(ii)(A) and (B) will
continue to be required to enter into an
agreement with FinCEN for such access
under final rule § 1010.955(b)(4)(ii)(C).
FinCEN adopts this provision without
change, consistent with the CTA
itself.140
FinCEN regards the comment which
stated that regulatory access to the BOI
database under these provisions will
have no value if financial institution use
of BOI obtained from FinCEN is not
mandatory as incorrect in its
understanding. First, the CTA expressly
requires FinCEN to provide Federal
functional regulators or other
appropriate regulatory agencies with
access to BOI provided to a financial
institution.141 It is true that if financial
institutions in fact do not access BOI,
regulatory access will be
commensurately limited. But less access
does not mean no utility: at the very
least, regulatory agencies will be able to
use their access to gauge the intensity of
financial institution use of BOI, and
therefore regulatory agency access will
aid their understanding of financial
institution activity. Likewise, as a policy
matter, if financial institutions were to
access BOI, supervisory agencies should
have access to the same BOI for
supervisory purposes to better
understand the use and handling of BOI
obtained from by financial institutions.
FinCEN notes, however, that neither
the CTA nor the final rule requires
financial institutions to access the BOI
database. Under the final rule, the
decision whether to access the database
is left to the discretion of financial
institutions, with the understanding that
financial institutions that choose to
access the BOI database will make use
of such access subject to the use
limitations and security and
confidentiality requirements of the final
rule itself. Accordingly, FinCEN notes
that the final rule neither creates nor
establishes supervisory expectations
with respect to whether and the extent
to which financial institutions access
the BOI database, or report
140 31
141 31
PO 00000
U.S.C. 5336(c)(2)(C)(iii).
U.S.C 5336(c)(2)(C).
Frm 00028
Fmt 4701
Sfmt 4700
discrepancies between the BOI obtained
from the database and BOI the financial
institution may collect through other
channels, including, for example,
directly from its customers under the
2016 CDD Rule. In summary, the final
rule does not create a new regulatory
requirement for financial institutions to
access BOI from the BO IT System or a
supervisory expectation that they do so.
The final rule also does not make any
changes to the requirements of the 2016
CDD Rule. As such, the Access Rule
does not necessitate changes to BSA/
AML compliance programs designed to
comply with the (unchanged) 2016 CDD
Rule, and other existing BSA
requirements, such as customer
identification program requirements,142
and suspicious activity reporting.143
However, any access to and use of BOI
obtained from the BO IT System must
comply with the requirements of the
CTA and the Access Rule. FinCEN will
address whether, and if so how,
financial institutions should access BOI
for CDD Rule compliance purposes in
its revision of the 2016 CDD Rule.
2. Meaning of ‘‘Other Appropriate
Regulatory Agencies’’
Proposed Rule. Proposed 31 CFR
1010.955(b)(4)(ii) would permit FinCEN
to disclose BOI to either a ‘‘Federal
functional regulator’’ or an ‘‘other
appropriate regulatory agency . . . [that]
assessed, supervised, enforced, or
otherwise determined the compliance of
such financial institution with customer
due diligence requirements under
applicable law.’’ While ‘‘Federal
functional regulator’’ is a defined
term,144 the proposed rule did not
define ‘‘other appropriate regulatory
agency.’’ 145 The preamble, however,
provided illustrative examples, and
invited comment. For example, the
preamble noted that ‘‘other appropriate
regulatory agencies’’ could ‘‘include
State banking regulators,’’ 146 but that it
was ‘‘unclear’’ whether SROs registered
with or designated by a Federal
functional regulator (i.e., qualifying
SROs) should be considered ‘‘other
appropriate regulatory agencies’’.
Comments Received. Several
comments requested that FinCEN define
‘‘other appropriate regulatory agency’’ to
142 31
CFR 1010.220.
CFR 1010.320.
144 31 CFR 1010.100(r). Under this definition, the
Federal functional regulators are the Board of
Governors of the Federal Reserve System (FRB), the
Office of the Comptroller of the Currency (OCC), the
Federal Deposit Insurance Corporation (FDIC), the
Office of Thrift Supervision, the NCUA, the SEC,
and the CFTC.
145 87 FR at 77416.
146 Id.
143 31
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
include specified entities. Three
commenters suggested that state
regulatory agencies be expressly
included. These commenters variously
recommended that the term ‘‘State bank
supervisor,’’ as used in the AML Act,147
state credit union regulators, and other
state supervisory authorities should be
expressly incorporated into the meaning
of ‘‘other appropriate regulatory agency’’
in order to ensure consistent database
access for state regulators supervising
customer due diligence compliance and
to avoid confusion. Another commenter
argued that some SROs, including
FINRA, should be considered to be
‘‘other appropriate regulatory agencies,’’
given that those SROs have broad AML/
CFT oversight and that limiting SRO
access to BOI would undermine the
CTA’s objectives.
Final Rule. The final rule does not
provide the specificity in the regulatory
definition of ‘‘other appropriate
regulatory agencies’’ requested by
commenters given that the rule provides
sufficient clarity regarding the agencies
that are entitled to BOI access under
§ 1010.955(b)(4)(ii).148 FinCEN notes
that ‘‘State bank supervisors,’’ as
defined in the AML Act, as well as state
credit union regulators and other state
supervisory authorities that meet the
criteria of the final rule may have access
to the BOI database. Moreover, the term
‘‘other appropriate regulatory agency’’
does not include SROs because the term
‘‘agency’’ is generally understood to
mean a governmental entity, rather than
a private organization regardless of
whether it performs governmental
functions.149 150 FinCEN recognizes that
SROs perform critical oversight
functions with respect to AML/CFT
compliance. The final rule retains the
ability for qualifying SROs to receive
BOI redisclosed to them from a financial
institution or Federal functional
regulator under § 1010.955(c)(2)(iii) and
(iv).
3. Redisclosure of BOI to SROs
Proposed Rule. Proposed
§ 1010.955(c)(2)(iii) and (iv) 151 would
ddrumheller on DSK120RN23PROD with RULES3
147 See
AML Act, section 6003(8), 6304 (crossreferencing 12 U.S.C. 1813); 12 U.S.C. 1813(r)(1)
(‘‘The term ‘State bank supervisor’ means any
officer, agency, or other entity of any State which
has primary regulatory authority over State banks
or State savings associations in such State.’’).
148 31 U.S.C. 5336(c)(2)(C).
149 See, e.g., 5 U.S.C. 551(1) (‘‘ ‘agency’ means
each authority of the Government of the United
States . . .’’).
150 See, e.g., In re William H. Murphy & Co., SEC
Release No. 34–90759, 2020 WL 7496228, *17 (Dec.
21, 2020) (explaining that FINRA ‘‘is not a part of
the government or otherwise a [S]tate actor’’ to
which constitutional requirements apply).
151 These provisions are discussed in greater
depth in section III.D.ii.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
allow financial institutions and Federal
functional regulators to re-disclose BOI
obtained from the BOI database to a
qualifying SRO provided that it meets
the requirements of proposed
§ 1010.955(b)(4)(ii). Under this
provision, the qualifying SRO would
have had to be authorized by law to
determine compliance with customer
due diligence requirements under
appliable law; it would have been able
to use BOI obtained from FinCEN only
to determine such compliance; and it
would have had to enter into an
agreement with FinCEN to safeguard the
information. The proposed rule noted
that qualifying SROs play an important
role, working under oversight of Federal
functional regulators, in assessing,
supervising, and enforcing compliance
with customer due diligence
requirements under applicable law,
among other requirements.152
Comments Received. One commenter
agreed that it is sufficient for qualifying
SROs to receive BOI obtained from
FinCEN through the re-disclosure
provisions given the limited purposes
for which that BOI could be used by
regulators. However, the commenter
noted that those limitations were too
narrow and could interfere with other
SRO oversight responsibilities,
including investigations of fraud and
other illicit activity.153 Another
commenter suggested that any SRO with
market regulation functions, regardless
of whether registered with or designated
by a Federal functional regulator—
beyond the two qualifying SROs (FINRA
and NFA) specifically named in the
NPRM—be permitted to receive BOI
obtained from the BO IT system by
financial institutions.154
Final Rule. FinCEN is adopting
§ 1010.955(c)(2)(iii) and (iv) as
proposed.155 In light of the revised
152 87
FR at 77416.
SRO also expressed concern that the
proposed rule could be interpreted to prohibit
financial institutions from collecting BOI or similar
information from any source other than the BOI
database. FinCEN does not believe that this is a
reasonable reading of the regulatory text and thus
does not believe the text needs revision. Regardless,
to avoid any confusion, FinCEN clarifies that this
rule does not restrict SROs’ ability to acquire BOI
from other sources.
154 This commenter cited the CME Group as one
example of an SRO that should have such access.
CME Group, however, is an SRO that has been
designated by a Federal functional regulator (CFTC)
pursuant to Federal statute, i.e., a qualifying SRO.
See, e.g., CFTC, Final Rule, Financial Surveillance
Examination Program Requirements for SelfRegulatory Organizations, 84 FR 12882, 12884 n. 22
(Apr. 3, 2019). Thus, these provisions would not
prohibit financial institutions or Federal functional
regulators from redisclosing BOI to the CME Group
if the provisions’ other requirements were met.
155 Comments regarding re-disclosure under
§ 1010.955(c)(2) more broadly are discussed in
153 The
PO 00000
Frm 00029
Fmt 4701
Sfmt 4700
88759
approach to the scope of ‘‘customer due
diligence requirements under applicable
law,’’ however, qualifying SROs would
be able to use BOI redisclosed to them
to conduct ‘‘the assessment,
supervision, or authorized
investigation’’ in connection with a
financial institution’s use of BOI
obtained from FinCEN to comply with
legal requirements to counter money
laundering or the financing of terrorism,
or to safeguard the national security of
the United States. Even if the CTA could
be read to permit qualifying SROs to use
BOI for purposes beyond these under
the re-disclosure provision, however,
such an approach would be inconsistent
with the use limitations imposed on
Federal functional regulators and other
appropriate regulatory agencies and the
CTA’s emphasis on safeguarding BOI.
FinCEN also is not extending the redisclosure provisions to SROs that have
not registered with or been designated
by a Federal functional regulator.
Qualifying SROs exercise unique
regulatory authority within the
framework of Federal law and under the
oversight of Federal functional
regulators to assess, supervise, and
enforce financial institution compliance
with customer due diligence and other
requirements.156 157 In light of their
unique role, and the oversight provided
by the Federal functional regulators, in
particular, with respect to security and
confidentiality requirements, FinCEN
determined that qualifying SROs are
appropriate authorized recipients for
BOI re-disclosures under FinCEN’s
discretionary authority. In contrast, nonqualifying SROs do not play the same
unique role within the Federal
regulatory framework and are not
subject to the same extensive
government oversight as qualifying
SROs.
v. Department of the Treasury Access
a. Disclosure to Officers or Employees of
the Department of the Treasury
Proposed Rule. Proposed 31 CFR
1010.955(b)(5)(i) permits officers or
section III.D.ii FinCEN has made several changes to
proposed § 1010.955(c)(2) in response to these
comments, but these changes do not include any
alterations to § 1010.955(c)(2)(iii) or (iv).
156 See, e.g., FINRA Rule 3310(f); NFA
Compliance Rule 2–9(c)(5).
157 See, e.g., Scottsdale Cap. Advisors Corp., 844
F.3d at 418 (‘‘Before any FINRA rule goes into
effect, the SEC must approve the rule and
specifically determine that it is consistent with the
purposes of the Exchange Act. The SEC may also
amend any existing rule to ensure it comports with
the purposes and requirements of the Exchange
Act.’’ (citations omitted); Birkelbach, 751 F.3d at
475 (‘‘A [FINRA] member can appeal the
disposition of a FINRA disciplinary proceeding to
the SEC, which performs a de novo review of the
record and issues a decision of its own.’’).
E:\FR\FM\22DER3.SGM
22DER3
88760
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
employees of the U.S. Department of the
Treasury to access BOI when official
duties require such inspection or
disclosure, subject to internal
procedures and safeguards.
Comments Received. Multiple
comments supported the proposed
access for Treasury officers and
employees. Commenters suggested a few
clarifications, e.g., listing the official
duties that justify access such as
Treasury’s role in auditing and reporting
on BOI. Other comments suggested that
FinCEN should apprise the public of, or
clarify, the internal Treasury procedures
to ensure the confidentiality and
security of BOI. Some commenters
proposed that BOI be treated as ‘‘return
information’’ subject to the same
protections as tax information under 26
U.S.C. 6103, particularly when it is
obtained by IRS. One commenter stated
that there should be coordinating
regulations issued to ensure that BOI
disclosed to Treasury’s officers and
employees, including those at the IRS,
is ‘‘protected to at least the same
degree’’ as BOI that is disclosed to other
agencies and that these regulations
should be coordinated with 26 U.S.C.
6103.158
Final Rule. FinCEN adopts the
proposed rule. FinCEN declines to add
to the rule a list of official duties that
would require access to BOI because
those duties may change over time, and
because, consistent with the CTA,
Treasury access to BOI will be governed
by internal procedures and safeguards.
As noted in the proposed rule, however,
FinCEN expects that Treasury officers
and employees will access and use BOI
for a range of appropriate purposes,
including: tax administration,
enforcement actions, intelligence and
analytical purposes, use in sanctions
-related investigations, and identifying
property blocked pursuant to sanctions,
as well as for administration of the BOI
framework, such as for audits,
enforcement, and oversight. This will
include access to BOI necessary to
complete the reports required by section
6502 of the AML Act and audit and
158 The commenter also requested clarification on
the sharing of BOI by Treasury with state or foreign
requesters for tax administration purposes, as well
as how FinCEN would ensure that any BOI shared
is adequately protected. FinCEN notes that statelevel and foreign requesters will obtain BOI
pursuant to other provisions of 31 CFR
1010.955(b)—specifically, 31 CFR 1010.955(b)(2)
and (b)(3). In contrast, 31 CFR 1010.955(b)(5) is
specific to access by officers or employees of the
Department of the Treasury; 1010.955(b)(5) does not
itself authorize these Treasury officers or employees
to share BOI with state or foreign requestors for tax
administration purposes. 31 CFR 1010.955(d)
provides security and confidentiality requirements
for BOI shared with state or foreign requestors
pursuant to (b)(2) and (b)(3).
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
oversight activities, including access by
the Treasury OIG. FinCEN will work
with other Treasury components to
establish internal policies and
procedures governing Treasury officer
and employee access to BOI. These
policies and procedures will ensure that
FinCEN discloses BOI only to Treasury
officers or employees with official
duties requiring BOI access, or for tax
administration.
Furthermore, FinCEN does not believe
that BOI reported to it is ‘‘return
information’’ subject to the disclosure
limitations on tax-related information
under the Internal Revenue Code (26
U.S.C. 6103). Since BOI is information
reported to FinCEN to fulfill a reporting
requirement under Title 31 of the
United States Code, it does not fall
within the definition of ‘‘return
information’’ at 26 U.S.C. 6103(b)(2),
which is defined to include information
received by the Secretary in connection
with determining ‘‘a person’s liability
(or the amount thereof) . . . under this
title’’—i.e., Title 26 containing the
Internal Revenue Code. The CTA
instead provides particular security and
confidentiality requirements to govern
the protection and disclosure of BOI,
which this final rule implements.
In accordance with the detailed
security and confidentiality
requirements in the CTA, the final rule
expressly imposes robust requirements
on ‘‘requesting agencies’’ outside of the
Treasury Department. Similarly,
Treasury access to BOI will be governed
by internal procedures and safeguards
consistent with the CTA. FinCEN
anticipates that these internal
procedures and safeguards will be
comparable to, and include elements of,
the security and confidentiality
requirements in 31 CFR 1010.955(d)(1)
taking into account Treasury’s unique
role in administering the BO IT system
and framework. Officers and employees
identified as having duties potentially
requiring access to BOI would receive
training on, among other topics,
determining when their duties require
access to BOI, what they can do with the
information, and how to handle and
safeguard it. Their activities would also
be subject to audit.
b. Disclosure for Tax Administration
Purposes
Proposed Rule. Proposed 31 CFR
1010.955(b)(5)(ii) permits disclosure of
BOI to officers or employees of the
Department of the Treasury for tax
administration as defined in 26 U.S.C.
6103(b)(4), subject to internal
procedures and safeguards.
Comments Received. Several
commenters suggested that use of BOI
PO 00000
Frm 00030
Fmt 4701
Sfmt 4700
for tax administration purposes should
be further clarified. Comments asked for
greater specificity on tax administration
uses, and one commenter requested
clarification on the ‘‘analytical’’ use of
BOI referenced in the NPRM, as applied
to tax administration. Another
commenter stated that use by Treasury
should be limited to the purposes of the
CTA.
Final Rule. FinCEN adopts the
proposed rule. As explained in the
NPRM, FinCEN interprets the term ‘‘tax
administration,’’ as employed in the
CTA, to have the meaning provided for
in 26 U.S.C. 6103(b)(4). Accordingly, in
the context of tax administration, use of
BOI in an ‘‘analytical’’ capacity would
be delimited by this definition. Further,
as explained in the NPRM, FinCEN
believes that adopting the 26 U.S.C.
6103(b)(4) definition of tax
administration is appropriate because
Treasury officers and employees who
administer tax laws are already familiar
with it and have a clear understanding
of the activity it covers. FinCEN also
believes the definition is broad enough
to avoid inadvertently excluding a tax
administration-related activity that
would be undermined by lack of access
to BOI. In response to the proposal that
FinCEN limit access to matters within
the scope of the CTA, FinCEN declines
to make this proposed amendment and
notes that the CTA specifically provides
that officers and employees of the
Treasury may obtain access to beneficial
ownership information for ‘‘tax
administration purposes’’ generally.
vi. Other Disclosures and Related Issues
Proposed Rule. Consistent with the
CTA, proposed 31 CFR 1010.955(b)
limits disclosure of BOI by FinCEN, and
corresponding access to BOI, to certain
categories of recipients. The NPRM
included a question for comment about
whether there are additional
circumstances not reflected in this
proposed rule when the CTA would
authorize FinCEN to disclose BOI.
Comments Received. Commenters
suggested additional categories of
authorized recipients and additional
recipients within categories already
proposed in the NPRM. Within
government channels, commenters
proposed that FinCEN should make BOI
available to public authorities involved
in public procurement at both the
Federal and state level and to those with
audit authority over BOI—the
Government Accountability Office
(GAO) and Treasury OIG. Commenters
also stated that additional financial
institutions should have access to BOI,
including money services businesses
(MSBs). Another commenter, however,
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
asked for confirmation that financial
institutions with access to BOI will be
limited to ‘‘covered financial
institutions’’ as defined in 31 CFR
1010.230(f). Several commenters stated
that real estate professionals, such as
land title agencies and real estate
settlement agents, should be permitted
to access BOI. These commenters stated
such access would facilitate compliance
with laws regarding foreign ownership
of agricultural land and FinCEN’s real
estate geographic targeting orders
(GTOs), among other common business
practices. Commenters also stated that
entities that assist financial institutions
with customer due diligence and
beneficial ownership data analysis, such
as regulatory technology (RegTech)
firms and beneficial ownership data
service providers, should be able to
access and request BOI from FinCEN on
behalf of a financial institution. One
commenter noted that such entities are
‘‘contractors’’ or ‘‘agents’’ of financial
institutions. Another commenter noted
that access should be broadened to
include non-governmental
organizations, journalists, and
eventually the public, to align with
global standards.
Several commenters asked whether
and how BOI would be authenticated
before disclosure for purposes of a
proceeding governed by rules of
evidence. Two commenters focused
their concern on authentication in
foreign courts, focusing on a statement
in the preamble to the NPRM regarding
the authentication of BOI in
international sharing arrangements.
That statement indicated that ‘‘[w]here
a request for BOI includes a request that
the information be authenticated for use
in a legal proceeding in the foreign
country making the request, FinCEN
may establish a process for providing
such authentication via MOU with the
relevant intermediary Federal agency.’’
These commenters conveyed that
FinCEN should issue a blanket rule
authorizing all Federal agencies that
transmit BOI to authenticate such
records, rather than doing so through ad
hoc agreements.
One of the same commenters asked
that the rule be clarified to allow
Federal, State, local, and Tribal agencies
to themselves authenticate BOI obtained
from FinCEN, rather than requiring
FinCEN to authenticate the records in
each case. The commenter was
concerned that if FinCEN must certify
the authenticity of these records in
every case, then it could create an
administrative chokepoint that could
impede civil and criminal actions.
Final Rule. FinCEN declines to make
further changes to the categories of
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
recipients to which BOI may be
disclosed. The proposed rule aligns
with the CTA in limiting disclosure to
the categories of recipients FinCEN has
already identified. The CTA does not
provide for FinCEN to disclose BOI to
non-governmental organizations,
journalists, or the public.
FinCEN notes, however, that the CTA
and the final rule permit disclosure to
some of the specific recipients
commenters suggested within those
categories. Regarding additional
disclosures for government users,
FinCEN reiterates that authorities with
audit requirements such as the GAO and
Treasury OIG will have the ability to
complete these statutorily mandated
activities. FinCEN anticipates working
with the GAO to ensure access to BOI
as required by the CTA,159 and as
permitted by 31 U.S.C. 716(a).160
Treasury OIG will have access to BOI
under the specific CTA and final rule
provision for employees and officers of
the Department of the Treasury.161
Regarding access for procurementrelated purposes, FinCEN expects that it
will be able to disclose BOI to
government agencies for such purposes
when the procurement or the review of
the procurement is an activity for which
FinCEN is otherwise authorized to
disclose BOI, e.g., a national security,
law enforcement, or intelligence
activity.
Discussion about which types of
financial institutions will have access to
BOI is included in section III.C.iv.a.
With respect to the question of whether
FinCEN may disclose BOI to RegTech
firms, beneficial ownership data service
providers, due diligence vendors, or
other third-party service providers to
financial institutions, FinCEN believes
that the final rule authorizes the
disclosure of FinCEN BOI to such
services providers provided that they
and their employees are ‘‘agents’’ or
‘‘contractors’’ of a financial institution
with access to BOI and are performing
a function on behalf of the financial
institution that requires direct access to
it. If a financial institution relies on a
service provider or other contractor to
159 See 31 U.S.C. 5336(c)(10); see also AntiMoney Laundering Act of 2020, section 6502.
160 31 U.S.C. 716(a) entitles GAO to ‘‘obtain such
agency records as . . . require[d] to discharge [its]
duties . . . .’’ Only certain foreign intelligence
records and agency records ‘‘specifically exempted
from disclosure to the Comptroller General by a
statute’’ fall outside this requirement. Id. at
716(d)(1). Indeed, 31 U.S.C. 716 expressly
contemplates agencies’ disclosure of confidential
information to GAO, requiring GAO to ‘‘maintain
the same level of confidentiality’’ over records
disclosed to it as is required of the agency
responsible for the record. Id. at 716(e)(1).
161 See 31 U.S.C. 5336(c)(5).
PO 00000
Frm 00031
Fmt 4701
Sfmt 4700
88761
request, obtain, and access BOI, the
financial institution will ultimately be
responsible for the activity of any
service provider or contractor accessing
BOI on its behalf. Service providers that
are agents or contractors of a financial
institution authorized to access BOI will
be able to request and access BOI
through accounts associated with that
financial institution. It will be the
financial institution’s responsibility to
ensure that its service providers or other
such contractors comply with all
applicable obligations, including
requirements to protect and store BOI in
compliance with the rule, and ensuring
that BOI is used for appropriate
purposes. Additionally, service
providers and other contractors will not
be permitted to use the BOI accessed on
behalf of a financial institution for any
purpose not authorized by the CTA or
FinCEN’s regulations. For example, BOI
requested by a service provider on a
financial institution’s behalf cannot be
integrated into downstream services that
the service provider makes accessible to
other financial institutions. When
requesting BOI for a financial
institution, a service provider or
contractor is acting for or on behalf of
this specific financial institution; it
cannot repurpose BOI for the
contractor’s own use, such as data
aggregation, or for the use of other
financial institutions.
Regarding authentication of BOI,
FinCEN declines to add a specific
regulatory provision to address this
issue. With respect to foreign countries,
foreign laws will govern what
constitutes an authenticated record in a
particular legal proceeding. Many
foreign countries have developed
information sharing arrangements for
criminal, civil, or other investigations or
proceedings. These arrangements
include Mutual Legal Assistance
Treaties (MLATs), multilateral
conventions, and other agreements that
are typically consistent with a foreign
country’s rules concerning
authentication. In most such
international arrangements, the U.S.
Department of Justice’s Office of
International Affairs (DOJ/OIA) is the
intermediary Federal agency that would
receive information from FinCEN and
transmit it to the requesting foreign
authority.
In some cases, a foreign country’s
laws may require FinCEN, as the records
custodian of BOI, to certify the
information’s authenticity. Some foreign
countries may require that DOJ/OIA
certify the authenticity of the BOI, while
others still might require that both
agencies provide a certification. The
preamble to the NPRM explained:
E:\FR\FM\22DER3.SGM
22DER3
88762
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
Where a request for BOI includes a request
that the information be authenticated for use
in a legal proceeding in the foreign country
making the request, FinCEN may establish a
process for providing such authentication via
MOU with the relevant intermediary Federal
agency. Such process may include an
arrangement where FinCEN searches the
beneficial ownership IT system and provides
the information and related authentication to
the intermediary Federal agency consistent
with the terms of the relevant MOU.162
This approach allows for variations in
the requests for authentication that may
come from foreign countries. All
government agencies obtaining BOI
from FinCEN, including those
transmitting BOI to foreign countries,
will be required to enter into an MOU
with FinCEN in order to ensure that all
domestic agencies have appropriate
protocols in place to ensure the proper
handling and use of BOI. FinCEN will
take into consideration the question of
authentication in crafting its MOUs with
intermediary Federal agencies such as
OIA.
FinCEN did not accept the proposal
that the regulation should be altered to
allow State, local, and Tribal agencies to
themselves authenticate BOI they obtain
from FinCEN, that is, without obtaining
a certificate of authenticity or other form
of evidentiary authentication from
FinCEN. The authentication of evidence
depends on the operation of applicable
law. For example, state-level rules of
evidence often require documents
maintained by Federal agencies to be
authenticated by the affixing of the
official seal of the agency, a statement
or testimony by a designated custodian
of those records by the agency, or some
other certification of authenticity by the
agency.163 Each jurisdiction has its own
applicable rules of evidence, however,
and may not require certification by a
Federal agency. FinCEN declines to
issue a blanket rule on authentication,
as such a rule would be hard to craft
given the variation in State, local, and
Tribal procedures and would invite
needless confusion on the interaction
between State, local, or Tribal rules of
evidence and FinCEN’s rule. FinCEN
believes that existing laws will suffice to
provide for authentication of BOI.
ddrumheller on DSK120RN23PROD with RULES3
D. Use of Information
i. Use of Information by Authorized
Recipients
Proposed Rule. Proposed 31 CFR
1010.955(c)(1) provided generally that
authorized recipients shall use BOI
received from FinCEN ‘‘only for the
particular purpose or activity for which
162 87
FR at 77414–15.
e.g., Fed. R. Evid. 902(1)–(2), (4).
163 See,
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
such information was disclosed,’’ unless
otherwise authorized by FinCEN. In the
unique case of a Federal agency that
receives information pursuant to 31 CFR
1010.955(b)(3) (Disclosure for Use in
Furtherance of Foreign National
Security, Intelligence, or Law
Enforcement Activity), the rule more
specifically provided that the Federal
agency shall only use it to facilitate a
response to that foreign request for
assistance. In other words, the proposed
rule limits the use of BOI by an
intermediary Federal agency to
facilitating a response to a proper
request for BOI from a foreign requester.
Comments Received. One commenter
suggested deleting the word ‘‘only’’
from proposed 31 CFR 1010.955(c)(1)
and adding language that would allow
BOI to be used for any CTA-authorized
purpose for that agency once FinCEN
disclosed it. This commenter raised
practical concerns about the restriction
that BOI obtained from FinCEN only be
used for the particular purpose or
activity for which the information was
disclosed, noting that this could lead to
multiple requests to FinCEN for the
same information by the same agency.
They then provided the example of a
Federal functional regulator obtaining
BOI, and then realizing it would be
critical for a legal action.
Final Rule. FinCEN adopts the
proposed rule with two revisions to the
first sentence of 31 CFR 1010.955(c)(1).
First, FinCEN amends this sentence to
begin ‘‘[e]xcept as permitted under
paragraph (c)(2) of this section,’’ instead
of ‘‘[u]nless otherwise authorized by
FinCEN.’’ Second, FinCEN has added
the phrase ‘‘shall not further disclose
such information to any other person’’
to this sentence, so that the first
sentence of 31 CFR 1010.955(c)(1) of the
final rule reads: ‘‘Except as permitted
under paragraph (c)(2) of this section,
any person who receives information
disclosed by FinCEN under paragraph
(b) of this section shall not further
disclose such information to any other
person, and shall use such information
only for the particular purpose or
activity for which such information was
disclosed.’’
Both of these newly added phrases
were (with minor, non-substantive
differences) previously contained in
proposed 31 CFR 1010.955(c)(2)(ix), the
last provision of proposed § 1010.955(c),
and establish that recipients of BOI
under § 1010.955(b) may only redisclose that BOI when authorized
under § 1010.955(c)(2). Given the
importance of this limitation to BOI use
generally, FinCEN determined that this
text should be given greater prominence
at the beginning, rather than placed at
PO 00000
Frm 00032
Fmt 4701
Sfmt 4700
the end, of § 1010.955(c)’s provisions
governing the use of BOI.164 FinCEN
also continues to believe that limiting
the use of BOI by authorized recipients
to the ‘‘particular purpose or activity for
which such information was disclosed’’
is necessary to reflect the general
expectation in the CTA that authorized
recipients should not obtain BOI for one
authorized activity and then use it for
another, unrelated purpose. Thus, for
example, a Federal agency officer,
employee, contractor, or agent who
obtains BOI from FinCEN for use in
furtherance of national security activity
would be authorized to use that BOI
only for the particular national security
activity for which the request was made.
With respect to the commenter’s
suggestion to delete the word ‘‘only’’
from this paragraph, FinCEN believes
such a change is unnecessary. With
respect to the commenter’s suggestion to
add language to allow BOI to be used for
any CTA-authorized purpose for that
agency, FinCEN declines to adopt this
suggestion. FinCEN believes that such
an authorization would be overbroad
and would run counter to the disclosure
framework and oversight, audit, and
access protocols of the CTA and the
proposed rule. Further, as described in
proposed 31 CFR 1010.955(c)(2),
FinCEN has proposed to allow the redisclosure of BOI in certain specified
circumstances to further the goals of the
CTA, subject to applicable security and
confidentiality requirements.
ii. Disclosure of Information by
Authorized Recipients
Proposed Rule. Proposed 31 CFR
1010.955(c)(1) would establish a blanket
prohibition on the ‘‘re-disclosure’’ of
BOI by an authorized recipient unless
such disclosure is authorized by
FinCEN. However, provided that the
authorized recipient abides by
applicable security and confidentiality
requirements, the proposed rule would
permit authorized recipients to redisclose BOI in eight circumstances, as
summarized here:
1. Officers, employees, contractors, or
agents of a Federal, State, local or Tribal
agency may disclose BOI to other
officers, employees, contractors, or
agents within the same organization for
the particular purpose or activity for
which the BOI was requested (proposed
§ 1010.955(c)(2)(i)).
2. Officers, employees, contractors, or
agents of a financial institution may
164 As discussed below in section III.D.ii.e. (ReDisclosure with Written Consent of FinCEN),
FinCEN’s decision to move this language to 31 CFR
1010.955(c)(1) was also based in part on FinCEN’s
consideration of a commenter recommending an
alteration to proposed 1010.955(c)(2)(ix).
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
disclose BOI to other officers,
employees, contractors, or agents within
the United States of the same financial
institution for the particular purpose or
activity for which the BOI was
requested (proposed
§ 1010.955(c)(2)(ii)).
3. Officers, employees, contractors, or
agents of a financial institution may
disclose BOI to the financial
institution’s Federal functional
regulator, a self-regulatory organization
that is registered with or designated by
a Federal functional regulator pursuant
to Federal statute, or other appropriate
regulatory agency, that meets the
requirements identified in proposed 31
CFR 1010.955(b)(4)(ii)(A) through (C)
(proposed § 1010.955(c)(2)(iii)).165
4. Any officer, employee, contractor,
or agent of a Federal functional
regulator may disclose BOI to a selfregulatory organization that is registered
with or designated by the Federal
functional regulator, provided that the
self-regulatory organization meets the
requirements of proposed 31 CFR
1010.955(b)(4)(ii)(A) through (C)
(proposed § 1010.955(c)(2)(iv)).
5. Any officer, employee, contractor,
or agent of a Federal agency that
receives BOI from FinCEN after
requesting it on behalf of a foreign
authority pursuant to proposed
§ 1010.955(b)(3) may disclose the BOI to
the foreign person on whose behalf the
Federal agency made the request
(proposed § 1010.955(c)(2)(v)).
6. Any officer, employee, contractor,
or agent of a Federal agency engaged in
a national security, intelligence, or law
enforcement activity, or any officer,
employee, contractor, or agent of a State,
local, or Tribal law enforcement agency
may disclose BOI to a court of
competent jurisdiction or parties to a
civil or criminal proceeding (proposed
§ 1010.955(c)(2)(vi)).
7. Any officer, employee, contractor,
or agent of a Federal agency that
receives BOI from FinCEN pursuant to
31 CFR 1010.955(b)(1) (Federal agencies
engaged in national security,
intelligence, or law enforcement
activity), (b)(4)(ii) (Federal functional
regulators or other appropriate
regulatory agencies), or (b)(5) (The
165 Proposed 31 CFR 1010.955(b)(4)(ii)(A) through
(C) provide that the agency—
‘‘(A) [i]s authorized by law to assess, supervise,
enforce, or otherwise determine the compliance of
such financial institution with customer due
diligence requirements under applicable law; (B)
[w]ill use the information solely for the purpose of
conducting the assessment, supervision, or
authorized investigation or activity described in
paragraph (b)(4)(ii)(A) of this section; and (C) [h]as
entered into an agreement with FinCEN providing
for appropriate protocols governing the safekeeping
of the information.’’
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
Department of the Treasury) may
disclose BOI to the United States
Department of Justice for purposes of
making a referral to the Department of
Justice or for use in litigation related to
the activity for which the requesting
agency requested the information
(proposed § 1010.955(c)(2)(vii)).
8. A foreign authority specified in
proposed § 1010.955(b)(3) may disclose
and use BOI consistent with the
international treaty, agreement, or
convention under which the request for
BOI was made (proposed
§ 1010.955(c)(2)(viii)).
In addition to these eight
circumstances, the proposed rule
contains a catch-all, proposed 31 CFR
1010.955(c)(2)(ix), that would permit
FinCEN to authorize the re-disclosure of
BOI by an authorized recipient, so long
as the re-disclosure is for an authorized
purpose. To this end, proposed 31 CFR
1010.955(c)(2)(ix) specified that, except
as described above, any information
disclosed by FinCEN under proposed 31
CFR 1010.955(b) shall not be further
disclosed to any other person for any
purpose without the prior written
consent of FinCEN, or as authorized by
applicable protocols or guidance that
FinCEN may issue.
In sum, the proposed rule would
permit the re-disclosure of BOI by
authorized recipients in limited
circumstances that further the core
underlying national security,
intelligence, and law enforcement
objectives of the CTA while at the same
time ensuring that BOI is disclosed only
where appropriate for those purposes.
Generally, authorized re-disclosures
would be subject to protocols designed,
as with those applicable to initial
disclosures of BOI from the BO IT
system, to protect the security and
confidentiality of BOI.
a. Re-Disclosure—In General
Comments Received. Several
commenters approved of the approach
in the proposed rule permitting certain
broad categories of re-disclosure, and
not requiring a case-by-case
determination by FinCEN. On the other
hand, several commenters felt that, as
written, the scope of the authorized redisclosure of BOI was too limiting. One
commenter proposed that FinCEN
consider creating a special ‘‘amended
request’’ form for situations in which an
agency or a financial institution requests
BOI and then comes back to FinCEN to
request authorization to re-disclose that
BOI, rather than requiring separate
requests for the BOI and subsequent redisclosure authorization.
Several commenters felt that the
proposed re-disclosure provisions
PO 00000
Frm 00033
Fmt 4701
Sfmt 4700
88763
would unduly restrict the use of the
BOI. They raised concerns about
repeatedly needing to return to FinCEN
for requests to use the same BOI for one
purpose, then another, in the course of,
for example, a regulatory examination.
Two commenters expressed concern
that the proposed rule might not permit
re-disclosure in open court.
Commenters raised several other,
more specific issues related to redisclosure that are discussed elsewhere
in this preamble.166
Final Rule. FinCEN adopts the
proposed rule with several
modifications described in subsections
below. Specifically, FinCEN inserted a
new 31 CFR 1010.955(c)(2)(viii) to allow
a re-disclosure of BOI by State, local,
and Tribal law enforcement agencies to
State, local, and Tribal agencies for the
purpose of making a referral for possible
prosecution by that agency, or for use in
litigation related to the activity for
which the requesting agency requested
the information (discussed in greater
detail below). FinCEN also renumbered
31 CFR 1010.955(c)(2)(ix) as 31 CFR
1010.955(c)(2)(x) to account for the
insertion of the new paragraph
(c)(2)(viii) and revised the text of that
paragraph.
Concerning comments that the
proposed rule might not permit redisclosure in open court, proposed 31
CFR 1010.955(c)(2)(vi) would permit redisclosure ‘‘to a court of competent
jurisdiction or parties to a civil or
criminal proceeding,’’ including, in the
appropriate circumstance, in open
court. Further, this rule would also
permit re-disclosure to a court of
competent jurisdiction in broader
settings such as in an application for a
search warrant or a warrant pursuant to
the Foreign Intelligence Surveillance
Act. Thus, no changes to the proposed
rule are needed to allow for the
disclosure of BOI in these
circumstances.
As to the comment that FinCEN
consider an ‘‘amended request’’ form,
FinCEN will consider the appropriate
process for requesting authorization to
re-disclose BOI and will issue guidance
for such requests when implementing
the final rule.
b. Re-Disclosure—Law Enforcement
Proposed Rule. As described above,
the proposed rule would permit re166 Such topics include re-disclosure to outside
contractors and agents, re-disclosure to state
examiners, re-disclosure within a financial
institution to persons and directors responsible for
monitoring compliance with customer due
diligence rules, re-disclosure related to 314(b)
sharing, and geographic limitations on redisclosure.
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88764
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
disclosure of BOI for law enforcement
purposes by Federal, State, local, or
Tribal agencies in several contexts. As
relevant here, under the proposed rule,
Federal, State, local, or Tribal agencies
that receive BOI from FinCEN pursuant
to a request under 31 CFR
1010.955(b)(1) or (2) would be permitted
to re-disclose BOI to a court of
competent jurisdiction or parties to a
civil or criminal proceeding (proposed
§ 1010.955(c)(2)(vi)); and agencies that
receive BOI under 31 CFR
1010.955(b)(1) (Federal agencies
engaged in national security,
intelligence, or law enforcement
activities), (b)(4)(ii) (Federal functional
regulators or other appropriate
regulatory agencies), or (b)(5) (the
Department of the Treasury) would be
permitted to re-disclose BOI to the
United States Department of Justice
(DOJ) for purposes of making a referral
to DOJ or for use in litigation related to
the activity for which the requesting
agency requested the information
(proposed § 1010.955(c)(2)(vii)).
Comments Received. One commenter
noted that State, local, and Tribal law
enforcement agencies did not have a
rule analogous to § 1010.955(c)(2)(vii)
that would permit re-disclosure of BOI
to State, local, or Tribal prosecutors for
purposes of making a case referral, and
recommended the addition of such a
rule. The commenter suggested
amending proposed 31 CFR
1010.955(c)(2)(vi) to insert ‘‘to any
officer, employee, contractor, or agent of
an attorney general, district attorney’’
after the word ‘‘jurisdiction,’’ in order to
enable such re-disclosure.
Another commenter noted that, at
times, law enforcement and regulatory
agencies engage in joint investigations—
that is, multiple agencies investigate a
single fact pattern, sharing information
among themselves. The commenter
proposed that FinCEN clarify that
authorization from FinCEN is not
needed for re-disclosure within a joint
investigation.
Commenters expressed concern that
the re-disclosure rules would prevent
effective use of BOI by law enforcement.
For example, authorized recipients
outside of law enforcement would be
prohibited from providing the
information to law enforcement without
first going to FinCEN to obtain
permission to re-disclose that
information. One commenter suggested
an edit to proposed 31 CFR
1010.955(c)(2)(ix), the catch-all
provision permitting FinCEN to
authorize re-disclosure of BOI, to permit
an authorized recipient to disclose BOI
to a Federal agency engaged in national
security, intelligence, law enforcement
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
activities, or a Federal regulatory agency
when in the judgment of that person redisclosure would be in the public
interest and would assist in combatting
illicit finance.
Final Rule. FinCEN modifies the
proposed rule to include an additional
re-disclosure authorization for State,
local, and Tribal law enforcement
agencies, what is now 31 CFR
1010.955(c)(2)(viii), as noted above.
FinCEN agrees that State, local, and
Tribal law enforcement agencies should
be permitted to disclose BOI for the
purpose of making a referral to another
State, local, or Tribal agency for possible
prosecution. Although such disclosures
may be covered by proposed 31 CFR
1010.955(c)(2)(vi) in certain contexts,
FinCEN is electing to expand 31 CFR
1010.955(c)(2) to include a new
provision, 31 CFR 1010.955(c)(2)(viii),
to explicitly address such disclosures.
FinCEN declines the proposed edits to
31 CFR 1010.955(c)(2)(vi) as that
paragraph is intended to apply to active
litigation matters.
FinCEN recognizes that at times
agencies engage in joint investigations;
that is, multiple agencies work together
on a single investigation. Federal
agencies that are a part of a task force
to target specific criminal activity, such
as drug trafficking or corruption, may
also need to share BOI within the task
force. In such cases, it would be more
efficient for the agencies involved to
share BOI directly among themselves
instead of each agency having to
separately request the same BOI from
FinCEN.167 FinCEN did not include a
provision permitting re-disclosure in
joint investigations or task forces in the
proposed rule, but it did explicitly
address joint investigations and task
forces in the preamble to the proposed
rule. There, FinCEN indicated that it
would evaluate requests to share BOI in
the context of a joint investigation or
task force under its discretionary redisclosure authority under proposed 31
CFR 1010.955(c)(2)(ix).
FinCEN recognizes that sharing
between agencies in the context of joint
investigations or task forces is
consistent with the CTA’s direction that
BOI should be used to advance law
enforcement interests. However, joint
investigations and task forces come in
many potential permutations—for
example, multiple Federal agencies, a
mix of Federal and state agencies, state
and Tribal agencies, multiple state
agencies, etc. Each such permutation
raises unique issues. For example, in a
joint investigation between Federal and
state law enforcement agencies, do the
167 87
PO 00000
FR at 77419.
Frm 00034
Fmt 4701
Sfmt 4700
agencies have to provide FinCEN both a
request from Federal law enforcement
under 31 CFR 1010.955(b)(1) and a court
authorization under 31 CFR
1010.955(b)(2), or would one type of
process suffice? If a Federal law
enforcement agency obtained BOI for
the purpose of investigating Federal
crimes, could it re-disclose that
information to a state law enforcement
agency for its purpose in investigating
state crimes? Does a task force
consisting of both state and Tribal law
enforcement agencies need to obtain a
court authorization from multiple courts
of competent jurisdiction, or just one? It
would be difficult to establish a
regulation that would resolve all of
these issues, and even attempting to do
so in a regulation runs the risk of further
complicating the issue.
For these reasons, FinCEN is not
creating a specific re-disclosure
provision in 31 CFR 1010.955(c)(2) that
would address these scenarios. Instead,
FinCEN will address joint investigations
and task forces in future guidance, with
an eye toward issuing guidance that
captures the most common or
straightforward circumstances, and in
more unusual or complex situations
evaluating specific re-disclosure
requests on a case-by-case basis under
its 31 CFR 1010.955(c)(2)(x) authority to
approve in writing re-disclosure of BOI
in furtherance of an authorized purpose
or activity. This approach permits
FinCEN greater flexibility in crafting
appropriate rules for varied
circumstances.
As noted, one commenter stated that
FinCEN should permit an authorized
recipient to re-disclose BOI to a Federal
agency engaged in national security,
intelligence, law enforcement activities,
or a Federal regulatory agency, when in
the judgment of that person, redisclosure would be in the public
interest and would assist in combating
illicit finance. FinCEN finds such a
provision to be too vague and subjective
to be implementable. The CTA prohibits
re-disclosure of beneficial ownership
information except as authorized in the
protocols promulgated by regulation,
thereby leaving it to FinCEN to establish
the appropriate re-disclosure rules.168
FinCEN is promulgating rules to permit
the re-disclosure of beneficial
ownership information under certain,
limited circumstances that would
further the core underlying national
security, intelligence, and law
168 31 U.S.C. 5336(c)(2)(A). The CTA appears to
presume that some re-disclosure will be permitted
when it requires requesting agencies to keep records
related to their requests, including of ‘‘any
disclosure of beneficial information made by . . .
the agency.’’ 31 U.S.C. 5336(c)(3)(H).
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
enforcement objectives of the CTA
while at the same time ensuring that
BOI is disclosed only where appropriate
for those purposes. However, the
proposed change suggests
supplementing objective standards with
the subjective judgment of any person in
receipt of BOI. This proposal is beyond
the confines of the CTA’s disclosure
provisions. Although the number of
cases in which BOI would need to be
disclosed to law enforcement as a matter
of emergency is likely to be quite low,
FinCEN will consider future guidance
on this topic.
c. Re-Disclosure—Financial Institutions
Proposed Rule. Proposed 31 CFR
1010.955(c)(2)(ii) would authorize any
director, officer, employee, contractor,
or agent of a financial institution who
received BOI from FinCEN to re-disclose
the information to another director,
officer, employee, contractor, or agent
within the United States of the same
financial institution for the particular
purpose or activity for which the BOI
was requested, consistent with the
security and confidentiality
requirements of 31 CFR 1010.955(d)(2).
Proposed 31 CFR 1010.955(c)(2)(iii)
would further authorize financial
institutions to re-disclose BOI received
from FinCEN to regulators—specifically,
Federal functional regulators, specified
SROs, and other appropriate regulatory
agencies—that meet the requirements
identified in paragraphs (b)(4)(ii)(A)
through (C) of the proposed rule.
Financial institutions would be able to
rely on a Federal functional regulator,
SRO, or other appropriate regulatory
agency’s representation that it meets the
requirements.
Comments Received. Commenters
generally opposed the requirement in
proposed 31 CFR 1010.955(c)(2)(ii) and
31 CFR 1010.955(d)(2)(i) that financial
institutions limit disclosure of BOI
obtained from FinCEN under the CTA to
directors, officers, employees,
contractors, and agents physically
present within the United States. These
comments and FinCEN’s response to
them are consolidated in the discussion
of proposed 31 CFR 1010.955(d)(2)(i) in
section III.E.ii.a below.
Several comments interpreted these
proposed authorizations as prohibitions
against financial institutions disclosing
BOI to directors, officers, employees,
contractors, or agents. One commenter
asked FinCEN to include safe harbor
provisions to permit employees to share
BOI within their institutions according
to that institution’s policies and
procedures. Other comments asked
FinCEN to state explicitly that the
proposed rule would authorize BOI
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
disclosure ‘‘enterprise-wide,’’ as well as
to certain specific parties. These specific
parties were (1) internal and external
auditors; (2) legal and compliance
personnel; (3) state regulators; (4)
affiliated financial institutions and other
financial institutions involved in
syndicated loans; (5) other financial
institutions under USA PATRIOT Act
section 314(b); and (6) third-party
service providers, including RegTech
companies.
Final Rule. FinCEN adopts proposed
31 CFR1010.955(c)(2)(ii) and (iii)
without change, other than deletion of
the phrase ‘‘within the United States,’’
the reasons for which will be discussed
in section III.E.ii.a below. As indicated
above, 31 CFR 1010.955(c)(2)(ii) does
not prohibit financial institution
directors, officers, employees,
contractors, or agents from re-disclosing
BOI received from FinCEN to one
another, but rather authorizes them to
do so, provided re-disclosure is for the
particular purpose or activity for which
the BOI was requested. ‘‘Employees’’
might include, among others, a financial
institution’s internal legal and
compliance personnel. ‘‘Contractors’’
and ‘‘agents’’ might include any
individual or entity providing services
by contract, including, for example,
outside counsel, auditors, and providers
of data analysis software tools.
FinCEN views state regulators that
meet the requirements identified in
paragraphs (b)(4)(ii)(A) through (C) of
the final rule as ‘‘other appropriate
regulatory agencies’’ to which financial
institutions may re-disclose BOI from
FinCEN under 31 CFR
1010.955(c)(2)(iii).
FinCEN understands that financial
institutions might want or need to redisclose BOI from FinCEN to parties
that are not their directors, officers,
employees, contractors, agents, or
regulators. Examples provided in
comments include affiliated financial
institutions, other financial institutions
involved in syndicated loan agreements,
and other financial institutions eligible
to participate in section 314(b)
information sharing. Another example
might be an external compliance
monitor appointed as part of a civil or
criminal enforcement matter. These are
typically complex arrangements with
highly variable facts and circumstances
that do not lend themselves well to one
broad regulation. FinCEN will therefore
address these issues in future guidance,
with an eye toward evaluating specific
re-disclosure requests on a case-by-case
basis under its 31 CFR 1010.955(c)(2)(x)
authority to approve in writing redisclosure of BOI in furtherance of an
authorized purpose or activity.
PO 00000
Frm 00035
Fmt 4701
Sfmt 4700
88765
d. Re-Disclosure Required by Law
Proposed Rule. The proposed rule did
not provide for explicit directions for
responding to legal demands for BOI.
Comments Received. Several
commenters requested that the rule
contain specific processes for
responding to legal demands for BOI.
For example, a commenter asked how a
financial institution should respond to a
law enforcement subpoena for BOI
obtained from FinCEN. Another
commenter asked that FinCEN treat BOI
like SAR information and issue a
prohibition on re-disclosure of BOI by
financial institutions in response to
legal process.
Final Rule. FinCEN recognizes the
issues that may be raised when
compulsory legal process—such as a
court order or grand jury subpoena—
calls for the production of BOI obtained
from FinCEN. The resolution of these
issues is most appropriate for post-rule
guidance. FinCEN will seek to address
these issues in future guidance or
through specific re-disclosure requests
under its 31 CFR 1010.955(c)(2)(x)
authority to approve in writing redisclosure of BOI in furtherance of an
authorized purpose or activity.
e. Re-Disclosure With Written Consent
of FinCEN
Proposed Rule. Proposed 31 CFR
1010.955(c)(2)(ix) would prohibit the redisclosure of BOI obtained under
proposed 31 CFR 1010.955(b) other than
as permitted in proposed 31 CFR
1010.955(c)(2), and would permit
FinCEN to authorize the re-disclosure of
BOI in other circumstances via written
consent, or through applicable protocols
or guidance that FinCEN may issue.
Comments Received. One commenter
recommended removing the first
sentence of proposed
§ 1010.955(c)(2)(ix) as redundant given
proposed 31 CFR 1010.955(a), the
baseline prohibition on re-disclosure.
The language the commenter suggested
removing reads, ‘‘[e]xcept as described
in this paragraph (c)(2), any information
disclosed by FinCEN under paragraph
(b) of this section shall not be further
disclosed to any other person for any
purpose without the prior written
consent of FinCEN, or as authorized by
applicable protocols or guidance that
FinCEN may issue.’’
Final Rule. FinCEN adopts proposed
31 CFR 1010.955(c)(2)(ix) with technical
and organizational changes. First,
FinCEN made a minor technical update
to renumber 31 CFR 1010.955(c)(2)(ix)
as 31 CFR 1010.955(c)(2)(x) to reflect the
insertion of the new 31 CFR
1010.955(c)(2)(viii). Second, FinCEN
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88766
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
considered the comment which
suggested the removal of the first
sentence of proposed 31 CFR
1010.955(c)(2)(ix). Although there is
some overlap with 31 CFR 1010.955(a),
FinCEN believes that the first sentence
of this provision is important to clarify
the obligations of authorized recipients
of BOI with respect to the re-disclosure
of such information once they have
obtained it. However, as described
above in section III.D.i (Use of
Information by Authorized Recipients),
FinCEN concluded that language
describing this obligation was better
placed in 31 CFR 1010.955(c)(1) given
its importance and general applicability.
Accordingly, FinCEN removed the
portions of the first sentence of
proposed 31 CFR 1010.955(c)(2)(ix)
prohibiting re-disclosure of BOI, except
as permitted in § 1010.955(c)(2), and
inserted them into the first sentence of
31 CFR 1010.955(c)(1).
FinCEN retained the proposed
provision providing that FinCEN may
authorize further re-disclosures of BOI
not otherwise permitted under
§ 1010.955(c)(2) by prior written consent
or ‘‘by applicable protocols or guidance
that FinCEN may issue,’’ but moved this
limitation into the remaining sentence
in new 31 CFR 1010.955(c)(2)(x). This
part now reads, ‘‘FinCEN may by prior
written authorization, or by protocols or
guidance that FinCEN may issue,
authorize persons to disclose
information obtained pursuant to
paragraph (b) of this section in
furtherance of a purpose or activity
described in that paragraph.’’ This
provision gives FinCEN the ability to
authorize, either on a case-by-case basis
or categorically through written
protocols, guidance, or regulations, the
re-disclosure of BOI in limited cases to
further the purposes of the CTA.
As stated in the proposed rule, this
provision could be used to address
situations involving sharing of BOI by
government agencies as part of a joint
investigation or within a task force. The
requirements that an agency would need
to satisfy to obtain BOI through redisclosure are the same as those an
agency would need to satisfy to obtain
BOI from FinCEN directly under this
proposed rule. FinCEN also envisions
including re-disclosure limitations in
the BOI disclosure MOUs it enters into
with recipient agencies. These
provisions would make clear that it
would be the responsibility of a
recipient agency to take necessary steps
to ensure that BOI is made available for
purposes specifically authorized by the
CTA, and not for the general purposes
of the agency. Such agency-to-agency
agreements can be effective at creating
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
and enforcing standards on use, reuse,
and redistribution of sensitive
information.
E. Security and Confidentiality
Requirements
The CTA directs the Secretary to
establish by regulation protocols to
protect the security and confidentiality
of any BOI provided directly by
FinCEN.169 It then prescribes specific
security and confidentiality
requirements that FinCEN must impose
on ‘‘requesting agencies’’ and grants the
Secretary authority to ‘‘provide such
other safeguards which the Secretary
determines (and which the Secretary
prescribes in regulations) to be
necessary or appropriate to protect the
confidentiality of the beneficial
ownership information.’’ 170
i. Security and Confidentiality
Requirements for Domestic Agencies
a. General
Proposed Rule. Proposed 31 CFR
1010.955(d)(1)(i) addressed general
security and confidentiality
requirements applicable to Federal,
State, local, and Tribal requesting
agencies, including intermediary
Federal agencies acting on behalf of
authorized foreign requesters, Federal
functional regulators, and other
appropriate regulatory agencies
(collectively, ‘‘requesting agencies’’).
These general requirements would need
to be satisfied by a requesting agency for
it to be eligible to receive BOI from
FinCEN. Proposed 31 CFR
1010.955(d)(1)(i) required that each
requesting agency:
(1) Enter into an agreement with FinCEN
specifying the standards, procedures, and
systems to be maintained by the agency, and
any other requirements FinCEN might
specify, to protect the security and
confidentiality of such information;
(2) Establish standards and procedures,
approved by the head of the agency, to
protect the security and confidentiality of
BOI;
(3) Provide FinCEN with an initial report
that describes these standards and
procedures established and includes a
certification from the head of the agency that
the standards and procedures implement the
requirements of this paragraph;
(4) Establish and maintain a secure system
for storing BOI which complies with
information security standards prescribed by
FinCEN;
(5) Establish and maintain a permanent,
auditable system of standardized records of
the agency’s BOI requests;
(6) Restrict access to BOI to personnel
meeting specified criteria, which would
169 31
170 31
PO 00000
U.S.C. 5336(c)(3)(A).
U.S.C. 5336(c)(3)(B)–(K).
Frm 00036
Fmt 4701
Sfmt 4700
include meeting the training requirements of
the proposed rule;
(7) Conduct an annual audit to verify that
information obtained from FinCEN has been
accessed and used appropriately, provide
FinCEN with the results of the audit upon
FinCEN’s request, and cooperate with
FinCEN’s annual audit of requesting
agencies’ adherence to the requirements
established under this paragraph;
(8) Provide a semi-annual certification
from the head of the agency, on a nondelegable basis, that the agency’s standards
and procedures are in compliance with the
security and confidentiality requirements of
this provision; and
(9) Provide FinCEN an annual report that
describes the standards and procedures the
agency uses to ensure the security and
confidentiality of the BOI it receives from
FinCEN.
The preamble to the proposed rule
explained that the agreement required
by 31 CFR 1010.955(d)(1)(i)(A) would be
a MOU that each requesting agency
would enter into with FinCEN before
being able to request any BOI.
Comments Received. FinCEN received
several comments on security and
confidentiality requirements for all
authorized users, as well as comments
focused more specifically on security
and confidentiality requirements for
domestic requesting agencies. For all
authorized users, one commenter
expressed support for the proposed
rule’s general security and
confidentiality requirements, noting that
these align with the CTA. Several other
commenters expressed appreciation for
FinCEN’s efforts to balance the interests
of those requesting BOI against the
protections and restrictions mandated
by the CTA. One commenter viewed
these requirements as adequate and
argued that FinCEN should not add any
new requirements that were not
included in the CTA.
As for the requirements applicable to
requesting agencies, one commenter
argued that the proposed requirements
would be so strict that they could
hinder the agencies’ access to BOI.
However, this commenter recognized
that in proposing these requirements,
FinCEN was simply implementing
statutory requirements, and that any
change to these requirements would
have to come from Congress. With
respect to the requirement that agencies
establish and maintain secure systems
for BOI storage, one commenter
welcomed the clarification in the Access
NPRM preamble that agencies may rely
on existing databases and related IT
infrastructure to satisfy this
requirement. This commenter proposed
additional points of clarification with
respect to these systems—for example,
on how FinCEN would coordinate with
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
agencies to develop technology-enabled
access that ‘‘maximize[s] the utility of
access and minimize[s] additional
development costs,’’ and whether
agencies would be able to pool their
resources and collaborate to satisfy this
requirement.
There were several comments
requesting additional clarifications or
changes to proposed 31 CFR
1010.955(d)(1)(i). Two commenters
asked that FinCEN clarify in the final
rule that certain security and
confidentiality requirements for
requesting agencies apply to the entire
information-sharing relationship
between FinCEN and the requesting
agency, instead of applying on what one
commenter referred to as an ‘‘iterative’’
basis, which FinCEN understands to
mean case-by-case or request-by-request.
One commenter cited the provisions of
the CTA contained in sections
5336(c)(2)(C)(iii) and 5336(c)(3)(B)–(D),
(H), and (I), which 31 CFR
1010.955(d)(1)(i) implements, as
examples of provisions that should
apply at the relationship rather than the
case-by-case level. These commenters
argued that applying certain of these
requirements for each individual
request would be impractical and would
effectively undermine the usability of
the BOI database. These same
commenters asked FinCEN to further
clarify that it does not intend to review
access determinations on a case-by-case
basis prior to authorized users accessing
the BOI database.
There were also several comments
related to the proposed rule’s audit
requirements. One commenter suggested
that FinCEN should expand the audit
requirements in the final rule to require
that agencies verify that requests for BOI
are appropriate under proposed 31 CFR
1010.955(b) and that records of BOI
requests are kept in accordance with
proposed 31 CFR 1010.955(d)(1)(i)(E),
which requires agencies to maintain an
auditable record of requests. This
commenter also suggested that the final
rule should include audit requirements
specifically for Federal agencies that are
making requests on behalf of foreign
persons, i.e., for intermediary Federal
agencies. These requirements would
include ensuring that the information
required of intermediary Federal
agencies under 31 CFR
1010.955(d)(1)(ii)(B)(3) and (4) has been
maintained and that these agencies are
compliant with 31 CFR 1010.955(d)(3),
the security and confidentiality
requirements for foreign persons on
whose behalf an intermediary Federal
agency requests BOI. A different
commenter also requested that FinCEN
audit BOI requests from foreign
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
requesters. Another commenter
recommended that FinCEN modify the
audit and annual report requirements to
be completed by requesting agencies to
also include data relevant for evaluating
the accuracy, completeness, and
usefulness of the BOI database.
One commenter requested that
FinCEN provide for greater involvement
by the head of a requesting agency in
satisfying the agency’s security and
confidentiality requirements. For
example, this commenter suggested that
the final rule should specify that only
the head of an agency, on a nondelegable basis, could enter into the
agreement with FinCEN, or
acknowledge the final audit report
satisfying the requirements under
5336(c)(3)(B) and (H). In addition, one
commenter asked FinCEN to add a
provision requiring that agencies specify
which agency personnel can make
requests to FinCEN for BOI and access
BOI. Finally, one commenter suggested
that FinCEN could develop a series of
model MOUs for each agency type (local
law enforcement agency, state law
enforcement agency, etc.).
Final Rule. The final rule adopts
proposed 31 CFR 1010.955(d)(1)(i) with
only minor technical changes. FinCEN
agrees with the commenter that the
general security and confidentiality
requirements for domestic agencies are
statutory requirements, and any change
to these requirements would have to be
mandated by Congress. FinCEN believes
these requirements are reasonable given
the sensitive nature of BOI and expects
that once a requesting agency meets the
general security and confidentiality
requirements, it should be able to use
the BO IT system to access BOI in a
rapid and efficient manner. With respect
to requests for additional clarifications
on the requirement that agencies
establish and maintain a secure system
for BOI storage, FinCEN appreciates
these suggestions and will give them
due consideration in the context of
entering into MOUs with domestic
agencies. FinCEN believes that agencies
will likely be able to leverage existing
databases and related IT infrastructure
to meet this requirement, and has
included the statutory language ‘‘to the
satisfaction of the Secretary’’ in the
regulatory text to ensure sufficient
flexibility to implement this
approach.171 FinCEN may also choose to
171 With the addition of the statutory language ‘‘to
the satisfaction of the Secretary’’ to the regulatory
text, FinCEN also removed as unnecessary the
proposed language that would have required any
agency’s secure system for BOI storage to ‘‘compl[y]
with information security standards prescribed by
FinCEN.’’
PO 00000
Frm 00037
Fmt 4701
Sfmt 4700
88767
provide additional guidance on these
topics in the future.
As for the comments requesting
clarification that the requirements in
this provision apply generally and not
on a request-by-request basis, FinCEN
believes that the rule text, and the
heading ‘‘general requirements,’’ made
it sufficiently clear that these
requirements apply to requesting
agencies generally, and that the
requirements of 31 CFR
1010.955(d)(1)(ii), as the heading
‘‘requirements for requests for
disclosure’’ suggests, are request-byrequest requirements. Several of the
general requirements, such as the audit,
certification, and report requirements,
explicitly state that these requirements
apply on an annual or semi-annual
basis. Other requirements, such as the
requirement that requesting agencies
establish and maintain a secure system
to store BOI, would by their nature
apply on an ongoing basis.
FinCEN also considered comments
suggesting that additional audit
requirements are necessary. Regarding
the commenter suggesting that FinCEN
include audit requirements to ensure
that BOI requests are appropriate under
proposed 31 CFR 1010.955(b) and that
requesting agencies have properly
maintained an auditable record of
requests, FinCEN believes that the
proposed audit requirements
sufficiently cover these areas. FinCEN
also declines to accept this commenter’s
proposal to add specific requirements
concerning the audit of requests by
intermediary Federal agencies on behalf
of foreign persons. In FinCEN’s view,
when a request for BOI is made under
an international treaty, agreement, or
convention, the arrangements set forth
in (or authorized by) that treaty,
agreement, or convention would govern.
When no such treaty, agreement, or
convention is involved, and a trusted
foreign country is involved, FinCEN
will work closely with the intermediary
Federal agency and will take measures
to confirm compliance with proposed
31 CFR 1010.955(d)(3).
In response to the commenter
recommending that the audit and
reporting requirements for requesting
agencies should also address the
accuracy, completeness, and usefulness
of the BOI database, FinCEN does not
view these issues as relevant to the
security and confidentiality provisions
of the regulation, which FinCEN
adopted directly from the CTA. FinCEN
may consider these requirements in the
context of MOUs with relevant agencies
to establish feedback mechanisms to
facilitate evaluation of the quality of the
E:\FR\FM\22DER3.SGM
22DER3
88768
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
database with a view to improving
compliance and enforcement.
As for the commenter suggesting an
additional requirement for agencies to
specify which personnel may request
and access BOI, FinCEN does not
believe a rule change is necessary but
will consider this suggestion further and
potentially address it in future
guidance. In response to the commenter
suggesting an expanded role in the
security and confidentiality
requirements for agency heads, FinCEN
believes that the involvement of agency
heads in these requirements is already
significant, and that greater involvement
would create burdens on agencies
without clear benefits. Lastly,
concerning the comment regarding
MOUs, FinCEN appreciates this
feedback and will consider developing
template MOUs for different types of
BOI user agencies. FinCEN will also
consider further tailoring MOUs as
needed for specific agencies and will
work with agencies on MOUs when
appropriate.
b. Minimization and Requirements for
Individual Requests for BOI by
Domestic Agencies
Proposed Rule. Proposed 31 CFR
1010.955(d)(1)(ii) includes requirements
that would apply to each individual
request for BOI from requesting
agencies. This provision includes two
general requirements. First, agencies
must minimize, to the greatest
practicable extent, the scope of the BOI
they request consistent with the purpose
of the request (the NPRM referred to this
as the ‘‘minimization’’ requirement).
Second, the head of a Federal agency, or
their designee, must provide written
certifications to FinCEN, in the form
and manner that FinCEN prescribes, (1)
that the agency is engaged in a national
security, intelligence, or law
enforcement activity, and (2) that the
BOI requested is for use in such activity,
along with the specific reasons why the
BOI is relevant to the activity.
Comments Received. FinCEN did not
receive comments concerning the
minimization requirement. FinCEN
received several comments relating to
FinCEN’s review process for BOI
requests from authorized users
generally, and these comments also
apply to proposed 31 CFR
1010.955(d)(1)(ii)(B) on the
requirements for written certification by
Federal agencies. Commenters generally
requested that FinCEN clarify in the
final rule that FinCEN will not review
the agency requests for BOI on a caseby-case basis. One commenter claimed
that case-by-case review of the purpose
of an agency’s requests would not be
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
worth the costs given FinCEN’s resource
constraints. This commenter focused on
the general security and confidentiality
requirements that the CTA imposes on
requesting agencies and argued that
additional oversight on a case-by-case
basis would be unnecessary. Another
commenter argued that case-by-case
review would create administrative
hurdles for agencies in accessing BOI,
thereby undermining the usefulness of
the BOI database. This commenter also
argued that the CTA was not meant to
give FinCEN the authority to question
requesting agencies’ substantive reasons
for requesting BOI. Thus, this
commenter urged FinCEN to clarify in
the final rule that FinCEN will not
evaluate the purpose of agencies’
requests in deciding whether to grant
requests for BOI.
Separately, one commenter
recommended that FinCEN should
further strengthen the safeguards
concerning individual requests for BOI
by requiring senior-level review and
written approvals by requesting
agencies for each BOI request. While
this commenter did not specify which
provision of the rule text should be
changed, the commenter appeared to
suggest adding additional requirements
to proposed 31 CFR 1010.955(d)(1)(ii).
This commenter argued that because of
the highly sensitive nature of BOI and
the importance of securing it, FinCEN
should require senior-level officials of
agencies to provide written approval for
each BOI request to FinCEN by an
agency. These senior-level officials, the
commenter argued, should be Senateconfirmed Presidential appointees of
Federal agencies and chief executives or
their designees for State, local, or Tribal
agencies.
Final Rule. The final rule adopts 31
CFR 1010.955(d)(1)(ii) largely as
proposed. Although not specifically
suggested by comments, FinCEN is
removing the proposed requirement at
31 CFR 1010.955(d)(1)(ii)(B)(3)(ii) that
intermediary Federal agencies identify
the date of the international treaty,
agreement, or convention under which
a request for BOI is being made; FinCEN
believes that identification of the date is
unnecessary. Regarding the comments
expressing concerns that FinCEN will be
reviewing each agency’s requests for
BOI on a case-by-case basis, FinCEN
does not believe it is necessary to
change the rule to address this concern.
Instead, FinCEN reiterates here that it
has no intention of reviewing each
individual request for BOI from a
requesting agency. The requirement for
certifications from requesting agencies
is sufficient to establish a basis for
FinCEN to know which agencies are
PO 00000
Frm 00038
Fmt 4701
Sfmt 4700
accessing the BOI database, and the
basis on which they are doing so. This
is important for purposes of meeting
FinCEN’s audit requirements. FinCEN,
however, will not review each
individual request from these agencies
in real time. As for the commenter who
argued that FinCEN should add a
requirement that senior-level officials at
requesting agencies must approve each
BOI request, FinCEN declines to adopt
this recommendation. Such a
requirement would add an unwarranted
burden on requesting agencies and
would not be outweighed by sufficient
benefits.
ii. Security and Confidentiality
Requirements for Financial Institutions
a. Restriction on Personnel Access to
Information
Proposed Rule. FinCEN proposed to
require financial institutions to limit
access to BOI obtained from FinCEN to
the financial institutions’ directors,
officers, employees, contractors, and
agents within the United States.
Proposed 31 CFR 1010.955(d)(2)(i)
explicitly imposed this limitation, while
proposed 31 CFR 1010.955(c)(2)(ii)
made clear that it not only applied to
initial BOI recipients, but continued to
apply when directors, officers,
employees, contractors, and agents of a
financial institution wanted to redisclose BOI to directors, officers,
employees, contractors, and agents
within the same financial institution for
the particular purpose or activity for
which the financial institution
requested the information.
Comments Received. Commenters
generally opposed the requirement that
financial institutions limit disclosure of
BOI obtained from FinCEN to directors,
officers, employees, contractors, and
agents physically present within the
United States. One commenter
supported the limitation, but many
more did not. Comments stated that the
limitation would cause a disruption in
the financial industry and run counter
to current business practices.
Commenters indicated that contracting
with foreign workers is common for
AML/CFT purposes, and financial
institution personnel outside of the
United States (including contractors and
agents) routinely have access to
customer information.
Commenters further argued that the
limitation would decrease the utility of
BOI. Some stated that financial
institutions may choose to continue to
collect BOI from customers under the
2016 CDD Rule and forego accessing
FinCEN’s BO IT system altogether to
avoid the BOI handling requirements set
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
out in the NPRM. One commenter stated
that the limitation would result in less
effective risk management, while others
indicated that it would increase
compliance costs. One commenter
estimated that it will take years and
millions of dollars to ‘‘onshore’’ job
functions tasked with handling BOI
from FinCEN. Further, commenters
asserted that the limitation is not
included in the CTA and that it
contradicts other portions of the AML
Act. Commenters also claimed that the
proposed limitation is inconsistent with
U.S. and international regulatory
expectations for enterprise-wide risk
management. Comments pointed to
previous Treasury, FinCEN, and other
regulatory guidance about sharing
information across borders within
enterprises. A commenter stated that
FinCEN did not give a specific reason
for the limitation.
Some comments proposed
alternatives, such as allowing redisclosure to individuals outside of the
United States and relying on
technological safeguards and security
requirements to protect the information.
Another suggestion was to limit access
to the BO IT system to personnel within
the United States, but allow redisclosure to directors, officers,
employees, contractors, and agents in
other countries. A few comments
suggested those counterparts could be
limited to ‘‘trusted foreign countries’’ or
other specified destinations. Finally,
one commenter asked FinCEN to define
‘‘physically present in the United
States.’’
Final Rule. The final rule at 31 CFR
1010.955(d)(2)(i) and (ii) revises the
limitation on sending BOI outside the
United States so that it is less stringent
than the proposed rule. Under the final
rule, financial institutions do not need
to keep BOI confined to the United
States, but rather are prohibited from
sending BOI to certain foreign
jurisdictions and categories of
jurisdictions. As articulated in the
Access NPRM, the CTA describes a
framework for disclosures of BOI to
foreign governments, and the
regulations should seek to ensure
consistency with the broader CTA
framework. At the same time, FinCEN
takes seriously commenters’ argument
that a flat prohibition on sending BOI
abroad is too blunt a mechanism that
would impose significant costs.172
172 At least one commenter suggested that any
such limitation is in conflict with the FFIEC
manual’s recognition that ‘‘[a] bank may choose to
implement customer due diligence policies,
procedures and processes on an enterprise-wide
basis.’’ Such a choice, however, as the manual itself
acknowledges, is permissible only ‘‘to the extent
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
FinCEN has determined that it is not
necessary to prohibit all offshoring of
BOI in order to address the threat posed
by sending BOI to jurisdictions of
greatest concern. Instead, 31 CFR
1010.955(d)(2)(i) prohibits BOI from
being sent to Russia, China, any
jurisdiction designated as a state
sponsor of terrorism, and any
jurisdiction that is subject to
comprehensive sanctions under U.S.
law, which are the jurisdictions SARs
cannot be sent to pursuant to 31 U.S.C.
5318(g)(8)(C)(i). While the information
contained in SARs is clearly different
from BOI in many respects, FinCEN
considers the selection of these
jurisdictions to be a strong indicator of
a broader congressional perspective on
the acceptability of exposing sensitive
information filed with the U.S.
government to the legal processes of
these foreign jurisdictions. As the
selection of these jurisdictions
indicates, Congress clearly regards the
exposure of such sensitive information
as more acceptable when it involves
some jurisdictions than when it
involves others. FinCEN has used this
list of jurisdictions based on that
understanding of the general
congressional perspective on offshoring
of information. The Secretary is
authorized to add to this list to ensure
compliance with the CTA or for national
security reasons.
FinCEN acknowledges that allowing
BOI to be used and disseminated
offshore creates a risk of unauthorized
disclosure and misuse, and entails
translating U.S. legal requirements for
non-U.S. personnel and training them to
understand and comply with those
requirements. FinCEN weighed these
risks against the burden that limiting
BOI to directors, officers, employees,
contractors, and agents within the
United States would impose on some
financial institutions. Many financial
institutions operate global compliance
programs that apportion responsibilities
among different regions and reduce
compliance expenses. Relocating certain
compliance functions to the United
States simply to allow them to obtain
BOI from FinCEN could be very costly,
and in many cases might be financially
permitted by law.’’ FFIEC BSA/AML Examination
Manual, Assessing Compliance with BSA
Regulatory Requirements, Customer Due
Diligence—Overview (May 5, 2018), p. 4, https://
www.ffiec.gov/press/pdf/
Customer%20Due%20Diligence%20%20Overview%20and%20Exam%20ProceduresFINAL.pdf. Here, the CTA establishes the legal
parameters under which an institution can choose
its enterprise-wide policies by authorizing FinCEN
to prescribe by regulation any safeguards it
determines to be necessary or appropriate to protect
the confidentiality of BOI. 31 U.S.C. 5336(c)(3)(K).
PO 00000
Frm 00039
Fmt 4701
Sfmt 4700
88769
infeasible. FinCEN assesses that the cost
of the targeted offshoring limitation
should be de minimis: it is FinCEN’s
understanding that U.S financial
institutions currently do not send a
significant volume of customer
information to Russia, China, any
jurisdiction designated as a state
sponsor of terrorism, or any jurisdiction
that is subject to comprehensive
sanctions under U.S. law, and with
respect to jurisdictions that are state
sponsors of terrorism, sending such
information is already prohibited by
other law.
In addition, in order for FinCEN to
monitor foreign government interest in
obtaining BOI, the final rule requires
that financial institutions notify FinCEN
within three business days of receiving
a demand from a foreign government for
BOI obtained from FinCEN. FinCEN
assesses that this offshoring limitation
with notification requirement addresses
the legitimate issues regarding security
and conformity with the CTA raised by
sending BOI outside the United States,
without resorting to a blanket onshoring
requirement.
b. Safeguards and Security Standards
Proposed Rule. Proposed 31 CFR
1010.955(d)(2)(ii) described safeguards
applicable to financial institutions that
were designed to maintain the security
and confidentiality of BOI while
preserving accessibility and
usefulness.173 Proposed 31 CFR
1010.955(d)(2)(ii)(A) required financial
institutions to develop and implement
administrative, technical, and physical
safeguards reasonably designed to
protect BOI as a precondition for
receiving BOI. The provision did not
prescribe specific safeguards or security
requirements. Rather, proposed 31 CFR
1010.955(d)(2)(ii)(A) provided that the
application to BOI obtained from
FinCEN of security and information
handling procedures established by a
financial institution to comply with
section 501 of the Gramm-Leach-Bliley
Act (Gramm-Leach-Bliley) 174 and its
implementing regulations, with regard
to the protection of its customers’
nonpublic personal information, would
satisfy the requirement.
Gramm-Leach-Bliley provides general
baseline expectations for keeping data
secure and confidential, while each
agency’s implementing regulations take
into account factors unique to the
financial institutions the agency
supervises. Section 501 of GrammLeach-Bliley, codified at 15 U.S.C.
173 See
31 U.S.C. 5336(c)(3)(K).
Law 106–102, 113 Stat. 1338, 1436–37
174 Public
(1999).
E:\FR\FM\22DER3.SGM
22DER3
88770
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
6801(b) and 6805, requires each Federal
functional regulator to establish
appropriate standards relating to
administrative, technical, and physical
safeguards for financial institutions it
regulates to: (1) ensure the security and
confidentiality of customer records and
information; (2) protect against any
anticipated threats or hazards to the
security or integrity of such records; and
(3) protect against unauthorized access
to or use of such records or information
that could result in substantial harm or
inconvenience to any customer. The
Federal functional regulators have
implemented these requirements in
different ways. The OCC, FRB, FDIC,
and the NCUA incorporated into their
regulations the Interagency Guidelines
Establishing Interagency Security
Standards (Interagency Guidelines).175
The Interagency Guidelines add detail
to the more general Gramm-Leach-Bliley
requirements, covering specific subjects
related to identifying, managing, and
controlling risk (e.g., physical and
electronic access controls, encryption
and training requirements, and testing).
The CFTC has incorporated the GrammLeach-Bliley expectations of financial
institutions into its regulations 176 and
recommended best practices for meeting
them that are ‘‘designed to be generally
consistent with’’ the Interagency
Guidelines.177 The SEC has also
incorporated the Gramm-Leach-Bliley
expectations of financial institutions
into its regulations,178 and has
instituted enforcement actions for
violations of such regulations.179
Under proposed 31 CFR
1010.955(d)(2)(ii)(B), financial
institutions that were not subject to the
requirements of section 501 of GrammLeach-Bliley could apply security and
handling procedures that were ‘‘at least
as protective of the security and
confidentiality of customer
information’’ as procedures that satisfy
the standards set out in Gramm-LeachBliley. For these financial institutions,
the proposed rule suggested that the
Interagency Guidelines might serve as a
useful checklist against which to
175 See Interagency Guidelines Establishing
Standards for Safeguarding Customer Information
and Rescission of Year 2000 Standards for Safety
and Soundness, 66 FR 8616 (Feb. 1, 2001). The
agencies’ implementing regulations are at 12 CFR
part 30, app. B (OCC); 12 CFR part 208, app. D–2
and part 225, app. F (FRB); 12 CFR part 364, app.
B (FDIC); and 12 CFR part 748, apps. A & B
(NCUA).
176 See 17 CFR 160.
177 See CFTC Staff Advisory No. 14–21 (Feb. 16,
2014).
178 See 17 CFR 248.1–248.100.
179 See, e.g., Morgan Stanley Smith Barney LLC,
SEC Exchange Act Release No. 95832 (Sept. 20,
2022).
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
evaluate existing security and
confidentiality practices, as well as a
useful guide for possible information
security program modifications.
Comments Received. Commenters
generally concurred with the proposal
to anchor BOI security and
confidentiality requirements to GrammLeach-Bliley, noting that the
information security program
requirements under that statute and its
implementing regulations were
sufficient to secure BOI received by
financial institutions. Commenters
observed that these requirements are
already familiar to financial institutions
and integrated into business practices.
Commenters further encouraged
FinCEN not to impose additional
security and information handling
protocols on financial institutions that
could be duplicative of, inconsistent
with, or more burdensome than these
existing requirements. A commenter
requested that FinCEN create a safe
harbor provision for all employees of a
financial institution that is compliant
with Gramm-Leach-Bliley to further
minimize compliance burden.
Regarding information security
requirements generally, commenters
requested clarification on whether
background checks would be required
for any employees, and whether a
‘‘firewall’’ would be required to block
access to BOI by employees not
involved in opening accounts for new
customers.
Final Rule. The final rule adopts the
proposed rule without change. Allowing
financial institutions to satisfy the
requirement to safeguard BOI by
applying the security and information
handling procedures used to comply
with Gramm-Leach-Bliley and its
implementing regulations is intended to
avoid duplicative or inconsistent
requirements and reduce burdens, while
maintaining a high degree of security
and confidentiality. As commenters
pointed out, many financial institutions
are generally familiar with the GrammLeach-Bliley requirements and already
have policies, procedures, and
infrastructure in place to comply with
its requirements. In addition, Federal
functional regulators currently assess
financial institutions for compliance
with Gramm-Leach-Bliley, which
reduces burdens on supervisors while
ensuring continued predictability for
financial institutions. Lastly, for
financial institutions not subject to
Gramm-Leach-Bliley, the Interagency
Guidelines provide a blueprint for
establishing or benchmarking existing
compliance systems so that those
financial institutions can access the BO
IT system and manage BOI securely.
PO 00000
Frm 00040
Fmt 4701
Sfmt 4700
FinCEN is not extending a safe harbor
to employees of a financial institution
that is compliant with Gramm-LeachBliley standards. It is important for
FinCEN to retain discretion to evaluate
individual conduct by a director, officer,
employee, contractor, or agent and
related facts and circumstances on a
case-by-case basis where there are
unauthorized disclosures or uses by a
financial institution, and to consider
potential enforcement action.
On the question of background checks
and firewalls, the final rule does not
include additional safeguards or other
requirements. FinCEN views the
security and information handling
procedures implemented by financial
institutions to comply with GrammLeach-Bliley to be sufficient. Additional
requirements could create
inconsistencies with existing security
and information handling programs and
create unnecessary burdens on both
financial institutions and their
supervisors, without a clear security
benefit given the absence of specific
concerns from commenters on the
sufficiency of the Gramm-Leach-Bliley
requirements.
FinCEN also declines to impose
specific, additional safeguards on
financial institutions that are not subject
to Gramm-Leach-Bliley because such
requirements could result in unintended
consequences. These financial
institutions can vary significantly in
size, organizational structure, client
base, risk profile, resources, and other
characteristics. Many of these financial
institutions could face significant costs
and technical challenges in
implementing uniform, additional
standards, or FinCEN would need to
expend resources to consider case-bycase modifications to address the
diversity of unique circumstances.
c. Protocols and Training
Proposed Rule. For each BOI request,
proposed 31 CFR 1010.955(d)(2)(iii)
would require a financial institution to
certify in writing that it fulfilled
information security and other
requirements set out in that section. The
proposed rule explained that FinCEN
expected that financial institutions
would establish protocols to satisfy
these information security requirements,
including appropriate recordkeeping, to
enable FinCEN to fulfill its audit and
oversight responsibilities. The proposed
rule also indicated that financial
institutions would need to develop a
training program that would ensure that
BO IT system users at the financial
institution received training on the
protocols and completed FinCENprovided online training as a condition
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
for creating and maintaining system
accounts.
Comments Received. One commenter
was skeptical that financial institutions
would act in accordance with FinCEN’s
expectations for protocols and training
without specific regulatory
requirements. The commenter suggested
expressly setting out in the regulations
the expectations regarding protocols and
training. Another commenter expressed
appreciation that FinCEN planned to
provide training on the BO IT system
when it becomes available. A third
commenter asked FinCEN to confirm
that only financial institution
employees who will access the system
would need to take this training, and
not employees who may view and use
BOI retained on the financial
institution’s system in accordance with
applicable requirements.
Final Rule. FinCEN adopts the
proposed rule without change given that
the imposition of additional
requirements regarding protocols and
training would likely be duplicative and
potentially confusing. Financial
institutions can satisfy the requirements
of 31 CFR 1010.955(d)(2)(ii) by either
applying to BOI security and
information handling procedures
designed to comply with section 501 of
Gramm-Leach-Bliley Act or by
implementing procedures that are ‘‘at
least’’ as protective of customer
information as procedures that satisfy
Gramm-Leach-Bliley standards. The
different materials promulgated by the
Federal functional regulators to
implement Gramm-Leach-Bliley have in
common requirements to (1) establish
policies and procedures that govern
security; and (2) provide related
training.180 Additional requirements to
establish protocols and training could
create confusion and inconsistencies in
implementation, and likely impose
additional burdens on financial
institutions and FinCEN.
Moreover, the final rule imposes on
the director, officer, employee,
contractor, or agent of a financial
institution the individual responsibility
for ensuring compliance with BOI
security and information handling
requirements. Accordingly, FinCEN
believes that financial institutions have
appropriate incentives to develop
protocols and training programs that
adequately train relevant financial
institution staff on requirements for
handing BOI based on the nature, scope,
and risks presented in particular
circumstances.
180 See generally Interagency Guidelines, supra
note 168, p. 138.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
d. Consent To Obtain Information
Proposed Rule. The CTA authorizes
FinCEN to disclose a reporting
company’s BOI to a financial institution
only if the reporting company consents
to the disclosure.181 Proposed 31 CFR
1010.955(b)(4) would have allowed
FinCEN to disclose a reporting
company’s BOI to a financial institution
only if the reporting company consented
to the disclosure. In addition, proposed
31 CFR 1010.955(d)(2)(iii) would have
required a financial institution that
wanted a reporting company’s BOI to
obtain and document the company’s
consent to having its BOI disclosed
before requesting the BOI from FinCEN.
Comments Received. FinCEN received
comments for and against requiring
financial institutions to obtain consent
from reporting companies. It also
received comments addressing specific
aspects of how the consent process
should be managed.
Commenters in favor of imposing the
requirement on financial institutions to
obtain consent generally agreed with the
rationale articulated in the proposed
rule. In the preamble, the proposed rule
reasoned that financial institutions are
best positioned to obtain consent
because they have (1) direct customer
relationships with reporting companies,
and (2) existing policies and procedures
to obtain and document consent on
other matters. Commenters agreed that
financial institutions can leverage these
existing relationships and processes to
fulfill the consent requirement and did
not view the additional requirement to
be overly burdensome. Several
commenters noted concerns, however,
that a request by a financial institution
to a reporting company for consent
could be perceived to be ‘‘tipping off’’
reporting companies if the financial
institution was investigating the
company for suspicious activity. Two
commenters recommended that FinCEN
add provisions to prevent tipping off
reporting company prospects or
customers.
Other commenters argued that
FinCEN, rather than financial
institutions, should obtain a reporting
company’s consent. One commenter
stated that FinCEN’s role as the central
U.S. repository for BOI made FinCEN
the appropriate choice for collecting
consent and revocations of that consent.
Another noted that FinCEN would have
a direct relationship with reporting
companies through the collection of BOI
reports and could use the reporting
mechanism to obtain and document
consent. Commenters also suggested
181 31
PO 00000
U.S.C. 5336(c)(2)(B)(iii).
Frm 00041
Fmt 4701
Sfmt 4700
88771
ways that FinCEN could facilitate
reporting company consent at the time
the company submits a BOI report. For
example, FinCEN could generate a
blanket notice to a reporting company at
the time it submits a BOI report stating
that government agencies and financial
institutions can request the reporting
company’s information for specific
purposes. A related suggestion was to
allow reporting companies to preauthorize financial institutions to access
their BOI at the submission of the BOI
report, as a way to reduce burdens on
the reporting companies.
Commenters covered additional
subjects. One commenter noted that
financial institutions already collect BOI
from customers under existing
requirements and argued that requiring
explicit consent to retrieve the same
information from another source—in
this case FinCEN’s BO IT system—adds
unnecessary complexity. Another
commenter recommended delaying the
consent requirement until FinCEN
finalizes revisions to the 2016 CDD
Rule. Two commenters stated that
money launderers and other illicit
actors who deliberately form shell
companies to engage in criminal activity
will see the consent requirement as an
opportunity to further obscure their
identity, noting that it is difficult to
imagine a shell company providing
consent to retrieve its BOI.
Two commenters noted that the
consent requirement could have
unintended consequences on reporting
company access to financial services.
One commenter stated that reporting
companies risk losing financial services
if they do not provide consent. Another
commenter stated that the consent
requirement may push reporting
companies to seek out alternative
financing rather than provide financial
institutions with consent to retrieve
their BOI.
FinCEN also received numerous
comments about when and how
reporting company consent should be
obtained. Several commenters stated
that consent should be obtained at
account opening in a customeracknowledged agreement, not as a
standalone document. Commenters also
likewise requested that FinCEN
expressly allow financial institutions to
obtain consent in conjunction with
other required consents and
certifications, and through normal
account opening and customer
onboarding processes. Numerous
commenters requested that FinCEN
clarify that consent need only be
obtained once at account opening and
that it does not expire unless expressly
revoked. One commenter stated that
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88772
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
consent should remain valid for the
length of the customer relationship, and
that a financial institution should not
need to renew consent or notify a
reporting company each time the
financial institution retrieves its BOI.
One commenter asked whether a
reporting company changing its
structure would affect its consent. That
commenter also asked whether a new
consent is required each time a
reporting company customer opens a
new account. Several commenters
requested that FinCEN create
standardized consent language for
financial institutions to use to obtain a
reporting company’s consent. One
commenter requested that FinCEN
explicitly permit reporting companies to
grant consent on behalf of their parent
companies.
Several commenters proposed
alternatives to requiring a reporting
company to provide affirmative consent.
Two commenters suggested permitting a
reporting company to opt-out if it did
not want to consent to its BOI being
obtained by a financial institution. One
commenter suggested that financial
institutions be allowed to provide
disclosures of intent to obtain a
reporting company’s BOI from FinCEN
that would be acknowledged by the
reporting company, instead of requiring
affirmative consent.
Other commenters proposed
alternatives to written affirmative
consent, with one commenter suggesting
a checkbox and another commenter
suggesting replacing the term ‘‘written’’
with ‘‘documented’’ or defining
‘‘written’’ in a way that provides
financial institutions with flexibility
about how to implement the
requirement. Several commenters
suggested that any consent that satisfies
these requirements should benefit from
a safe harbor under which such consent
is deemed effective.
Two commenters stated that consent
should be in writing and financial
institutions should furnish a copy of
that written consent to FinCEN when
requesting the relevant BOI. Two other
commenters expressed the opposite
view that FinCEN should not require
financial institutions to submit proof of
consent.
A few commenters requested
clarification on how consent may be
provided and by whom. Several
commenters stated that FinCEN should
expressly permit a financial institution
to obtain consent from a reporting
company customer authorizing the
financial institution to use that
customer’s BOI for broader purposes.
Another commenter stated that financial
institutions should be able to rely on
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
their affiliates to obtain consent,
providing the example of futures
commission merchants often relying on
introducing brokers to engage with
customers as a way of arguing that the
former should be able to obtain a
reporting company’s BOI based on
consent obtained by the latter.
One commenter requested a clear
definition of what constitutes customer
consent and sought guidance on when
customer consent is deemed revoked.
Several commenters requested
clarification on how revocation should
be documented, while others
recommended that FinCEN issue
guidance to financial institutions on
what to do if a customer refuses to
provide consent.
Final Rule. FinCEN adopts the
proposed rule with the clarification that
reporting company consent must be
documented but need not specifically be
in writing. FinCEN cannot eliminate the
consent requirement as suggested by
commenters given that the CTA
authorizes FinCEN to disclose a
reporting company’s BOI to a financial
institution only if the reporting
company consents to the disclosure.182
Nor can FinCEN side-step the consent
requirement by notifying reporting
companies that financial institutions
can request their BOI for specific
purposes or treat the submission of a
BOI report as implied consent.
After carefully considering comments
and the relative burdens and options,
FinCEN continues to believe that
financial institutions are better
positioned to obtain and document a
reporting company’s consent. As
explained in the proposed rule,
financial institutions are wellpositioned to obtain consent—and to
track any revocation of such consent—
given that they maintain direct customer
relationships and are able to leverage
existing onboarding and account
maintenance processes to obtain
reporting company consent. By contrast,
considerable delay and burdens on
reporting companies could result if
FinCEN were to administer the consent
process. For example, it would be
impractical for FinCEN to administer a
process through which a reporting
company could consent to the
disclosure of BOI to some financial
institutions, but not others. It would
also be administratively complex for
FinCEN to establish a mechanism to
timely verify and respond to consent
requests, which could result in delays in
a reporting company’s ability to access
financial services.
182 31
PO 00000
U.S.C. 5336(c)(2)(B)(iii).
Frm 00042
Fmt 4701
Sfmt 4700
The final rule does not prescribe any
particular means by which a financial
institution must obtain a reporting
company’s consent. Rather, the final
rule affords financial institutions
substantial discretion in the manner in
which they obtain consent. FinCEN
recognizes that financial institutions
vary greatly in customer bases, risk
tolerance, and resources. All financial
institutions obtain customer consent on
a range of subjects and have existing
policies and procedures for doing so
that reflect their unique attributes.
Those policies and procedures also
reflect different legal requirements,
including those involving consent in the
data privacy context at the Federal and
state levels.
Additionally, in response to
comments that suggested replacing the
term ‘‘written’’ with ‘‘documented’’ to
provide financial institutions with more
flexibility in how to implement the
requirement (e.g., via a checkbox), the
final rule no longer requires consent to
be in writing; it only requires that the
consent be documented.
FinCEN also believes that providing
financial institutions with flexibility in
how they implement this requirement
will help minimize the burden
associated with obtaining consent from
reporting company customers. Financial
institutions may satisfy this requirement
through any lawful method of obtaining
meaningful consent from a customer. As
a consequence of offering this
flexibility, however, FinCEN cannot
offer a safe harbor for any particular
method used to obtain consent.
The final rule does not require a
financial institution to notify a reporting
company each time the financial
institution retrieves the reporting
company’s BOI from FinCEN, nor does
it require financial institutions to
submit proof of consent to FinCEN,
unless otherwise required by law. The
final rule only requires the financial
institution to obtain a reporting
company’s consent at a time prior to an
initial request for the reporting
company’s BOI from FinCEN, and it
may rely on that consent to retrieve the
same reporting company’s BOI on
subsequent occasions, including to open
additional accounts for that reporting
company, unless the consent is revoked.
The ability of financial institutions to
broadly obtain reporting company
consent is expected to alleviate
concerns regarding ‘‘tipping off’’
reporting companies about
investigations that require the retrieval
of BOI.
The final rule also does not address
either revocation or expiration of
consent. Rather, the final rule provides
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
flexibility to financial institutions to
develop appropriate procedures and
mechanisms with respect to the
revocation of consent or the expiration
of consent. This flexibility will allow
financial institutions to develop
processes appropriate to their size,
business lines, and customer types,
among other considerations, and
provide reporting companies greater
flexibility regarding the manner in
which they provide and revoke
consent—in contrast, a FinCEN
mechanism will likely provide less
flexibility and disadvantage both
financial institutions and reporting
companies. For example, if needed,
financial institution may set terms
through contract or otherwise to provide
for the expiration of consent or
revocation given that the final rule does
not specify any time frames for
expiration of consent.
The final rule also does not articulate
specific procedures or mechanisms
through which a reporting company can
provide or revoke consent, e.g., what
forms or mechanisms a financial
institution should use, which company
representatives may provide or revoke
consent, whether affiliates can consent
on behalf of one another, when
corporate changes would require
obtaining new consent, or how financial
institutions should handle customers
who refuse to provide consent. Rather,
FinCEN believes that it is appropriate to
provide flexibility to a financial
institution based on its practices and
circumstances, as well as its extensive
experience in implementing consent
procedures in other contexts and subject
to different legal requirements. FinCEN
will consider additional guidance or
FAQs if additional clarification is
required.
Lastly, FinCEN does not share
concerns that the consent requirement
could drive customers with legitimate
business away from financial
institutions. FinCEN’s 2016 CDD Rule
already requires financial institutions to
identify the beneficial owners of legal
entity customers, and financial
institutions regularly seek information
from reporting companies regarding
beneficial ownership information. As
such, FinCEN does not expect reporting
companies to systemically decline
financial services because of the consent
requirement and the availability of the
FinCEN database to confirm reporting
company BOI.
e. Certification
Proposed Rule. Proposed 31 CFR
1010.955(d)(2)(iv) would require a
financial institution to ‘‘make a written
certification to FinCEN’’ for each BOI
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
request that it: (1) is requesting the
information to facilitate its compliance
with customer due diligence
requirements under applicable law; (2)
obtained the reporting company’s
‘‘written consent’’ to request its BOI
from FinCEN; and (3) fulfilled the other
security and confidentiality
requirements financial institutions must
satisfy to receive BOI from FinCEN (as
reflected in other provisions of
§ 1010.955(d)(2)). The Access NPRM
indicated that a financial institution
would be able to make the certification
via a checkbox when requesting BOI via
the BO IT system.183
Comments Received. One commenter
suggested that the final rule should not
require a financial institution to obtain
a ‘‘written’’ certification from financial
institutions.
Final Rule. FinCEN is amending the
proposed rule to require that financial
institutions provide a certification to
FinCEN ‘‘in such form and manner as
FinCEN shall prescribe.’’ The revision
in the final rule will allow FinCEN to
take a flexible approach towards
implementation of the certification
requirement that takes into account a
range of considerations, such as
technological feasibility. Accordingly,
FinCEN intends to prescribe a
certification mechanism that seeks to
minimize burdens and provide
certainty, and may include checkboxes
or other forms. As it develops the BO IT
system, FinCEN anticipates that a
financial institution will be able to make
the certification via a simple checkbox
when requesting BOI via the BO IT
system.
Additionally, FinCEN amends
proposed § 1010.955(d)(2)(iv) to require
a financial institution to certify that it
has obtained and ‘‘documented’’ a
reporting company’s consent to request
the reporting company’s BOI from
FinCEN. The revised approach
eliminates the requirement for the
financial institution to obtain ‘‘written’’
consent from the reporting company,
requiring only that consent be
‘‘documented.’’
iii. Sensitivity of Beneficial Ownership
Information
Proposed Rule. Proposed 31 CFR
1010.955(a) states that information
reported to FinCEN pursuant to 31 CFR
1010.380 is confidential and may not be
disclosed except in certain enumerated
circumstances.184 The draft rule
identifies five categories of recipients
who may receive BOI, with each
category of disclosure limited to a
183 87
184 31
PO 00000
FR at 77422.
U.S.C. 5336(c)(2)(A).
Frm 00043
Fmt 4701
Sfmt 4700
88773
particular purpose or purposes, and an
additional eight categories of authorized
re-disclosure, plus a catch-all provision
permitting FinCEN to authorize redisclosure in other circumstances.185
Comments Received. Commenters
provided mixed views on the overall
sensitivity of BOI and the security and
confidentiality requirements that should
be applicable to protect BOI from
unauthorized use or disclosure and the
privacy interests of beneficial owners
and company applicants. Some
commenters felt that the CTA’s
confidentiality requirement was too
broad, and that individuals should have
little or no privacy interest in such
information. One commenter noted that
the CTA never identifies ‘‘privacy’’ as a
statutory objective, arguing that while
the CTA does direct FinCEN to build a
secure database, ensuring data security
is not equivalent to implementing
privacy protections for individuals or
entities. Another argued that
individuals should not have any
expectation of privacy over BOI because
an entity ‘‘exists only through the
public’s concession.’’ Others felt that
the CTA’s confidentiality requirements
were too narrow, highlighting the
impact on small businesses. One
commenter noted that the proposed rule
did not provide adequate reassurances
that the information would be protected;
others felt that the disclosure provisions
under proposed 31 CFR 1010.955(b)
rendered the idea of confidentiality or
privacy meaningless. Finally, as
discussed above in section III.D.v.a, one
commenter felt that the confidentiality
requirements for BOI should mirror
those for tax returns and tax return
information under 26 U.S.C. 6103 to
ensure that BOI is protected.
Final Rule. The final rule adopts
proposed 31 CFR 1010.955(a) as written.
FinCEN considered the comments and
is sensitive to concerns about data
security and privacy. As discussed
throughout this preamble, the CTA
establishes that BOI is ‘‘sensitive
information’’ and imposes strict security
and confidentiality requirements on
BOI. For example, 31 U.S.C.
5336(c)(2)(A) creates a baseline
presumption of confidentiality with a
provision on prohibition on disclosure
by any individual who receives it. Other
provisions reinforce the sensitivity of
BOI and further limit such disclosures.
For example, the CTA mandates
‘‘appropriate protocols’’ in order to
disclose BOI to recipients, and even
specifies procedural steps in certain
185 31
E:\FR\FM\22DER3.SGM
U.S.C. 5336(c)(2)(B).
22DER3
88774
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
cases,186 such as the requirement that a
State, local, or Tribal law enforcement
agency obtain authorization from a court
of competent jurisdiction to seek the
information in a criminal or civil
investigation. FinCEN is following the
statutory requirements prescribed by
Congress in the CTA in promulgating
the security and confidentiality
provisions in the final rule.
On the other hand, FinCEN agrees
with comments that the overarching
goal of the CTA is to make BOI available
to help law enforcement and agencies
engaged in national security activities
prevent and combat money laundering,
terrorist financing, tax fraud, and other
illicit activity, as well as protect
national security. As discussed above in
section III.D.v.a, FinCEN has declined to
adopt provisions that mirror those in 26
U.S.C. 6103. The CTA provides detailed
security and confidentiality
requirements tailored to the BO IT
system’s authorized uses and authorized
recipients, and the final rule adopts
these requirements to ensure the
protection of this sensitive information.
In addition, FinCEN believes that the
requirements of 26 U.S.C. 6103 would
impose a substantial burden on the
overall functionality of the BO IT
system and the requirement to establish
a BOI database highly useful to law
enforcement. For example, 26 U.S.C.
6103 at times requires Federal law
enforcement to obtain a court order to
access tax returns and tax return
information, while the CTA imposes no
such restriction.187 Further, the CTA
envisions that financial institutions
would have access to BOI for its
customers through access to FinCEN’s
database, while 26 U.S.C. 6103 has no
analogous provision. Ultimately,
FinCEN found this suggestion
unworkable in the context of the CTA.
to disclose BOI if FinCEN, in its sole
discretion, finds that, with respect to the
request, the requester has failed to meet
any requirements of the rule, the BOI is
being requested for an unlawful
purpose, or other good cause exists to
deny the request.
Comments Received. FinCEN received
several comments relating to the level of
discretion that FinCEN can exercise in
determining when to grant or deny a
request for access to BOI. One
commenter supported the proposed
rule’s provisions related to FinCEN’s
authority to reject requests for BOI as a
faithful implementation of the CTA. A
few commenters requested that FinCEN
remove the words ‘‘sole discretion’’
from proposed 31 CFR
1010.955(e)(2)(ii). One commenter
argued that there are significant
protocols under the CTA to adequately
protect the security and confidentiality
BOI, so it is not consistent with the CTA
for FinCEN to have unlimited discretion
to reject or grant access. The commenter
also noted that the CTA does not use the
term ‘‘sole discretion.’’
Final Rule. The final rule adopts 31
CFR 1010.955(e)(2) as proposed. In
FinCEN’s view, it is important to clearly
state in 31 CFR 1010.955(e)(2)(ii) that
FinCEN has the sole discretion to
approve or deny requests for access to
BOI because FinCEN has obligations
under the CTA to protect the security
and confidentiality of BOI, ensure that
BOI is used for authorized purposes by
authorized recipients, and to ensure
audit and oversight of the BO IT System.
The CTA does not require that FinCEN
consult with any other agency or with
those requesting access to BOI when it
decides to grant or reject access. FinCEN
believes it is within its authority under
the CTA to decide, based on its sole
discretion, whether to accept or reject a
request for access to BOI.
F. Administration of Requests
ii. Suspension of Access
Proposed Rule. In keeping with the
CTA,188 proposed 31 CFR
1010.955(e)(3)(i) specified that FinCEN
could suspend or debar a requesting
agency or financial institution (referred
to in the proposed provision as a
‘‘requesting party’’) from access to BOI
for (1) failing to meet applicable
regulatory requirements; (2) requesting
BOI for an unlawful purpose; or (3)
other good cause. Proposed 31 CFR
1010.955(e)(3)(ii) further specified that
FinCEN could reinstate a suspended or
debarred party’s access upon the latter
satisfying any terms or conditions that
FinCEN deems appropriate. The Access
NPRM explained that suspension of
ddrumheller on DSK120RN23PROD with RULES3
i. Rejection of Requests
Proposed Rule. Proposed 31 CFR
1010.955(e)(1) provided that requests for
BOI under 31 CFR 1010.955(b) shall be
submitted to FinCEN in such form and
manner as FinCEN shall prescribe.
Proposed 31 CFR 1010.955(e)(2)(i) states
that FinCEN will reject requests for BOI
made under 31 CFR 1010.955(b)(4)
(Disclosure to facilitate compliance with
customer due diligence requirements) if
such request is not submitted in the
form and manner prescribed by FinCEN.
Furthermore, proposed 31 CFR
1010.955(e)(2)(ii) provided that FinCEN
may reject requests or otherwise decline
186 31
187 26
U.S.C. 5336(c)(3).
U.S.C. 6013(i).
VerDate Sep<11>2014
19:01 Dec 21, 2023
188 31
Jkt 262001
PO 00000
U.S.C. 5336(c)(6)–(7).
Frm 00044
Fmt 4701
Sfmt 4700
access to BOI would be temporary while
debarment would be permanent.
FinCEN alone would determine
suspension periods.189
Comments Received. One commenter
asked for more information about how
FinCEN would evaluate whether to
suspend or debar a financial institution.
This commenter also asked whether
FinCEN or the financial institution’s
appropriate state or Federal functional
regulator would make the ultimate
suspension or debarment decision, and
whether a financial institution would
have an opportunity to rebut a claim
that it improperly used BOI. Several
commenters asked how financial
institutions should continue meeting
their customer due diligence obligations
if they lose access to BOI from FinCEN.
One commenter viewed the use of the
term ‘‘requesting party’’ in proposed
§ 1010.955(e)(3)(i) as limiting FinCEN to
permanently debarring or temporarily
suspending only entities rather than
individual users as well. This
commenter recommended that FinCEN
clarify that there may be times when
FinCEN wants to allow continued
access by an agency or financial
institution but disallow continued
access by an individual user from that
agency or financial institution.
Final Rule. FinCEN adopts 31 CFR
1010.955(e)(3)(i) and (ii) with minor
modifications. These final regulations as
a whole establish the requirements that
a financial institution must satisfy to
obtain BOI from FinCEN, what they may
do with the information, and how they
must safeguard it. Section
1010.955(e)(3)(i) makes clear that failing
to abide by these requirements and
restrictions, including by requesting BOI
for an unlawful purpose, can result in
suspension or debarment from access to
BOI. FinCEN further reserves the right
to suspend or debar a requesting party
for good cause involving other
circumstances. As stated in the Access
NPRM, the decision to suspend or debar
a financial institution from access to
BOI is subject to FinCEN’s sole
discretion. Imposing limitations on that
discretion as a regulatory matter, such
as by implementing a ‘‘three strikes’’
rule on certain conduct while
identifying other activity as grounds for
immediate debarment, are premature
and require further evaluation. FinCEN
will make determinations on a case-bycase basis after considering the available
facts and circumstances. FinCEN will
continue to consider whether additional
standards or limitations are needed to
foster predictability, provide fairness,
189 87
E:\FR\FM\22DER3.SGM
FR at 77423.
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
and enhance compliance after gaining
experience.
Questions about how a financial
institution temporarily or permanently
losing access to BOI from FinCEN might
affect the institution’s ability to meet its
customer due diligence obligations are
also premature because they implicate
the forthcoming 2016 CDD Rule
revisions. FinCEN may address those
issues in that future rulemaking.
FinCEN, however, has decided to
make modest changes to 31 CFR
1010.955(e)(3)—changing the term
‘‘requesting party’’ in 31 CFR
1010.955(e)(3)(i) and the term
‘‘requester’’ in 1010.955(e)(3)(ii) to
‘‘individual requester or requesting
entity’’—in order to clarify that FinCEN
may permanently debar or temporarily
suspend individual users at an agency
or financial institution in addition to the
entity itself.
G. Violations—Unauthorized Disclosure
or Use
Proposed Rule. Proposed rule 31 CFR
1010.955(f) tracks the CTA’s language
making it unlawful for any person to
knowingly disclose, or knowingly use,
BOI obtained by that person, except as
authorized by the CTA and these
regulations. The rule applies to BOI
whether the person obtained it directly
or indirectly, and whether this
information was contained in a report
submitted to FinCEN under 31 CFR
1010.380 or disclosed by FinCEN under
31 CFR 1010.955(b). The rule goes on to
broadly define ‘‘unauthorized use’’ to
include accessing information without
authorization, or ‘‘any violation’’ of the
security and confidentiality
requirements described in 31 CFR
1010.955(d) in connection with any
access.
Comments Received. Several
commenters stated that they approved
of the enforcement provisions of the
proposed rule, largely in the context of
providing comments to other parts of
the rule. Otherwise, FinCEN did not
receive substantive comments about the
enforcement provisions.
Final Rule. FinCEN adopts the rule as
written and notes that the CTA provides
civil penalties in the amount of $500 for
each day a violation continues or has
not been remedied. Criminal penalties
are a fine of not more than $250,000 or
imprisonment for not more than 5 years,
or both.190 The CTA also provides for
enhanced criminal penalties, including
a fine of up to $500,000, imprisonment
of not more than 10 years, or both, if a
person commits a violation while
violating another law of the United
190 31
U.S.C. 5336(h)(3)(B).
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
States or as part of a pattern of any
illegal activity involving more than
$100,000 in a 12-month period.191
H. Implementation Efforts
i. Implications for Revision of the 2016
CDD Rule
Proposed Rule. The preamble to the
proposed rule discussed the
requirement in section 6403(d) of the
CTA that FinCEN revise the 2016 CDD
Rule in order to (1) ensure that the rule
conforms with the CTA; (2) address how
financial institutions with customer due
diligence obligations will access the
database; and (3) reduce burdens on
financial institutions and legal entity
customers.192 The CTA requires that
FinCEN revise the 2016 CDD Rule
within one year of January 1, 2024, the
effective date of the final BOI Reporting
Rule, by rescinding paragraphs (b)
through (j) of 31 CFR 1010.230.193 The
preamble to the proposed rule noted
that FinCEN will revise the 2016 CDD
Rule at a later date instead of addressing
it in this rulemaking. The preamble
further stated that FinCEN expected that
the revision of the 2016 CDD Rule
would likely address the interaction of
financial institutions’ existing customer
due diligence efforts and the BOI
database. The proposed rule did not
otherwise address the required revision
to the 2016 CDD Rule.
Comments Received. Some
commenters expressed that it was
difficult to comment comprehensively
on the Access NPRM as FinCEN has not
yet issued a notice of proposed
rulemaking concerning revisions to the
2016 CDD Rule. Other commenters,
however, addressed the future
rulemaking despite FinCEN’s express
reservation of 2016 CDD Rule issues for
consideration at a later date. In
particular, these commenters identified
several issues that they believe a
revision of the 2016 CDD Rule should
address in light of financial institution
access to the BOI database. These issues
included (1) whether FinCEN should
mandate that financial institutions
access the BOI database; (2) the
verification and identification of
financial institutions customers’
beneficial owners; (3) how to address
discrepancies between the BOI database
and the BOI that financial institutions
191 31
U.S.C. 5336(h)(3)(B)(ii)(II).
CTA, section 6403(d)(1)(A)–(C).
193 CTA, section 6403(d)(1), (2). The CTA orders
the rescission of paragraphs (b) through (j) directly
(‘‘the Secretary of the Treasury shall rescind
paragraphs (b) through (j)’’) and orders the retention
of paragraph (a) by a negative rule of construction
(‘‘nothing in this section may be construed to
authorize the Secretary of the Treasury to repeal
. . . [31 CFR] 1010.230(a)[.]’’).
192 See
PO 00000
Frm 00045
Fmt 4701
Sfmt 4700
88775
receive directly from their customers;
(4) whether there should be a safe
harbor for financial institutions in case
of such discrepancies; and (5) regulatory
expectations related to financial
institutions’ use of the BOI database.
FinCEN also received comments on a
number of technical issues related to
specific provisions of the 2016 CDD
Rule, the desirability of changes to those
provisions, and the overall process of
revision.
Final Rule. FinCEN appreciates the
comments on the interaction of the
proposed rule with the forthcoming
revision to the 2016 CDD Rule but
declines to make modifications in this
final rule based on consideration of the
forthcoming revision. Furthermore,
comments that relate to how FinCEN
should revise the 2016 CDD Rule are not
addressed in this rule. However,
FinCEN will consider these comments
in its development of a notice of
proposed rulemaking on this topic in
the future. Covered financial
institutions will continue to be subject
to the existing 2016 CDD Rule until a
revision of that rule is effective. In
addition, FinCEN, in consultation with
the Federal functional regulators, will
issue guidance on this topic as
appropriate.
While FinCEN is reserving
consideration of certain issues for the
2016 CDD Rule revision, comments on
the Access NPRM are addressed here—
in particular those comments that are
relevant to the use of the BOI database
by financial institutions in the period
between the effective date of this final
rule and the revision to the 2016 CDD
Rule. FinCEN is also addressing
comments that requested specific
changes to this final rule in connection
with reporting discrepancies in BOI, as
well as those that requested a definitive
authorization to rely on BOI or a
definitive exemption from liability (a
safe harbor provision). FinCEN
addresses these matters as follows.
Some commenters requested that
FinCEN explicitly state in this final rule
that use of the BOI database by financial
institutions is not mandatory. As with
the proposed rule, the final rule outlines
who may access the BOI database and
for what purpose; however, it does not
require financial institutions to access
the BOI database, nor does it speak to
what financial institutions’ obligations
may be once the 2016 CDD Rule is
revised. FinCEN expects to more fully
address the question of the extent to
which, and how, financial institutions
should access the BOI database for the
purpose of fulfilling their customer due
diligence obligations when FinCEN
revises the 2016 CDD Rule. As
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88776
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
explained in section III.C.iv.b.1, the
final rule does not create a new
regulatory requirement for financial
institutions to access BOI from the BO
IT System or a supervisory expectation
that they do so. Thus, the Access Rule
does not necessitate changes to BSA/
AML compliance programs designed to
comply with existing BSA requirements,
such as the 2016 CDD Rule, customer
identification program requirements,194
and suspicious activity reporting.195
However, any access to and use of BOI
obtained from the BO IT System must
comply with the requirements of the
CTA and the Access Rule.
Similarly, on the issue of
discrepancies between the BOI that
financial institutions obtain from
FinCEN and the BOI that they obtain
directly from their customers, several
commenters asked FinCEN to clearly
state in the final rule that financial
institutions would not be required to
report discrepancies. This final rule
does not require financial institutions to
access the BOI database, nor does it
require them to report discrepancies
between information obtained from
customers and BOI obtained from
FinCEN, if any are discovered. This
final rule also does not change a
financial institution’s obligations under
other provisions of the BSA and
implementing regulations, including the
regulatory requirement for financial
institutions to maintain an anti-money
laundering program that involves,
among other things, the reporting of
suspicious transactions to FinCEN.196
FinCEN declines to follow suggestions
from commenters that the final rule
address this subject. If FinCEN finds
that additional guidance or regulatory
changes are necessary, it may issue
stand-alone guidance or take up the
subject in a later rulemaking such as the
revision of the 2016 CDD Rule.
The issues raised by commenters
relating to handling discrepancies and
the provision of a safe harbor are
connected to the issue, also raised by
commenters, of the extent to which
financial institutions may rely on BOI
obtained from FinCEN for the purpose
of fulfilling their regulatory customer
due diligence requirements. As
explained above, revisions to the 2016
CDD Rule and its requirements will be
the subject of a future rulemaking.
However, FinCEN appreciates the
consideration of these issues, as
reflected in the comments already
submitted, and FinCEN will take them
194 31
CFR 1010.220.
CFR 1010.320.
196 See 31 CFR 1020.320.
195 31
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
into account in the context of that future
rulemaking.
Finally, with respect to the comments
that raised concerns about regulatory
expectations, FinCEN continues to work
closely with Federal functional
regulators on how financial institutions
are examined with respect to their use
of the BOI database to facilitate
compliance with customer due
diligence requirements under applicable
law, including the 2016 CDD Rule and
its revision. As part of this effort,
FinCEN will continue consulting with
the Federal functional regulators on
whether to issue guidance in this area.
ii. Information Technology Systems
Issues
a. Access—In General
Comments Received. Several
commenters made general comments on
access to beneficial ownership
information reported to FinCEN. Two
commenters made statements that
access to BOI should be simple,
uncomplicated, and timely. One
commenter stated that the beneficial
ownership database should be built so
that it maximizes access to authorized
users with eventual public access in
mind. Another commenter stated that
the final rule should clarify that the
structure and nature of the access
protocols in the CTA are meant to
facilitate auditable and technologicallyenabled access to the BOI database, and
that access will generally not be
considered by FinCEN on a case-by-case
basis. One commenter stated that any
required certifications should be filed
electronically.
Another commenter stated that BOI
should be available in bulk, noting that
bulk data formats will allow users to
find patterns or red flags relating to
beneficial ownership, or to assess and
improve data quality. Another
commenter requested that financial
institutions have the ability to submit
required certifications and access BOI
on a bulk, automated basis. This
commenter noted that if access to the
BO IT system requires manual
submissions on a customer-by-customer
basis, this would be unnecessarily
cumbersome and would adversely
impact the ability of financial
institutions to use information from the
database effectively and efficiently for
illicit finance risk management.
Two commenters requested that
FinCEN clarify what information
authorized users will receive from the
BO IT system, and that such information
should include the chain of ownership
between the reporting company and the
beneficial owners. Several commenters
PO 00000
Frm 00046
Fmt 4701
Sfmt 4700
requested clarification as to whether
authorized users will have access to the
underlying BOI when a FinCEN
identifier is included in a beneficial
ownership information report in lieu of
the personal identifying information of
a beneficial owner or company
applicant. One commenter suggested
that this be explicit in the regulatory
text. Another commenter explained that
if a bank relies on a BOI report with
FinCEN identifiers in lieu of know-yourcustomer/customer identification
program information, it will be unable
to fully conduct customer due diligence
or enhanced due diligence.
Another commenter noted that
FinCEN should provide BOI in a
structured data format, and
recommended that FinCEN adopt the
Beneficial Ownership Data Standard
(BODS) as the common data standard
for BOI stored in the IT system so that
the data is compatible with other
jurisdictions’ BOI databases. One
commenter suggested that one
authorized access be assigned to each
entity, and that each entity should be
held responsible for controlling who
uses that access. Another commenter
stated that ensuring limited access to
beneficial ownership data is essential to
help with public confidence in the
system and for compliance purposes
and encouraged FinCEN to think about
how to prevent, mitigate, and manage
potential data breaches that could occur,
including how affected parties will be
notified and how remedies can be
implemented within reasonable
timelines. This commenter also
suggested that FinCEN should have the
highest protective protocols in place for
the database and that access to the
database should be tracked, so that
FinCEN is aware at all times of who has
access to the database and who is
making requests. Further, given the
sensitive nature of BOI and the limited
uses for which BOI obtained from
FinCEN might be used, one commenter
requested that FinCEN consider
providing financial institutions with
confirmation that BOI was obtained
from FinCEN.
Response. FinCEN appreciates the
need to provide automated, userfriendly access to the BO IT system, and
is developing the BO IT system against
those parameters and the requirements
set forth in the CTA. Notably, the CTA
does not provide for public access to
BOI, and the modalities for authorized
users to access BOI reflect that fact.
With respect to comments regarding
bulk access to BOI, FinCEN does not, at
this time, anticipate providing bulk data
exports of BOI to authorized users.
However, FinCEN expects that financial
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
institutions will use Application
Programming Interfaces (APIs) to access
BOI, and that the BO IT system will
accommodate the use of APIs for this
purpose (including the submission of
required certifications).
Regarding comments that FinCEN
should avoid engaging in case-by-case
reviews of BOI access requests, FinCEN
notes that this is generally consistent
with the proposed access modalities for
the six categories of authorized users.
Although FinCEN had initially
proposed a case-by-case review
mechanism for State, local, and Tribal
law enforcement agency requests for
BOI, it has eliminated that requirement
from the final rule. FinCEN will review
certain requests for BOI from a ‘‘trusted
foreign country’’ on a case-by-case basis,
but believes that the case-by-case
handling of those requests is warranted
given their nature (i.e., they are requests
from a foreign government that are not
governed by an existing treaty,
agreement, or convention) and the fact
that foreign governments, per the CTA,
must submit requests for BOI through an
intermediary Federal agency and will
not have direct access to the BO IT
system.
Two commenters requested that
FinCEN clarify what information
authorized users will receive from the
BO IT system, and that such information
should include the chain of ownership
between the reporting company and the
beneficial owners. Other commenters
requested clarification as to whether
authorized users will have access to the
underlying BOI when a FinCEN
identifier is included in beneficial
ownership information report in lieu of
the personal identifying information of
a beneficial owner or company
applicant.
FinCEN will disclose to authorized
users the information that reporting
companies are required to report under
31 CFR 1010.380(b). This means that
authorized users will receive
information about (1) the reporting
company, (2) its beneficial owners, and
(3) any company applicants. For the
reporting company, authorized users
will receive a transcript with (1) the full
legal name and any trade or ‘‘doing
business as’’ names of the reporting
company, (2) the complete current
address of the reporting company, (3)
the State, Tribal, or foreign jurisdiction
of formation of the reporting company,
(4) for a foreign reporting company, the
State or Tribal jurisdiction where the
foreign reporting company first
registers, and (5) the IRS Taxpayer
Identification Number or foreign tax
identification number of the reporting
company. For beneficial owners or
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
company applicants, authorized users
will receive a transcript with (1) the full
legal name of the individual, (2) the
individual’s date of birth, (3) a complete
current address, and (4) the unique
identifying number and the issuing
jurisdiction from an acceptable
identification document (i.e., a nonexpired U.S. passport, a non-expired
identification document issued to the
individual by a State, local government,
or Indian tribe for the purpose of
identifying the individual, a nonexpired driver’s license issued to the
individual by a state, or a non-expired
passport issued by a foreign government
to the individual). Images of
individuals’ identification documents
will be made available to Federal
agencies engaged in law enforcement,
national security, or intelligence
activities, or to State, local, or Tribal law
enforcement agencies. Information
associated with a FinCEN identifier that
has been reported in a beneficial
ownership information report will be
included in the BOI transcripts made
available to authorized users. Lastly,
FinCEN intends to mark BOI reports to
identify them as originating from
FinCEN’s BO IT system.
In respect of data format, FinCEN
evaluated existing data standards,
which includes Extensible Markup
Language (XML), and the Open
Ownership (OO) data standards when
developing its beneficial ownership data
standards. To the extent possible,
FinCEN did use those standards in the
OO data catalog that could be
incorporated consistent with the CTA.
The BO IT system will adhere to
FISMA (Federal Information Security
Management Act) ‘‘High’’ standards,
which require implementing the highest
level of security controls for a system at
the unclassified level, to help protect
against the loss of confidentiality,
integrity, or availability of information.
For the BO IT systems, FinCEN is
responsible for implementing Executive
Order 14028 (‘‘Improving the Nation’s
Cybersecurity’’), Treasury’s Zero Trust
mandates, Continuous Diagnostic
Mitigation Program, and other Federal
directives to protect systems and
information. In addition, Treasury has
established a Cyber Review Board,
which has established the Treasury
Incident Coordination Process (T–ICP)
to appropriately escalate any data
breaches and compromises.
b. IT System Search Capabilities
Comments Received. FinCEN received
comments both on how all authorized
users would conduct searches for BOI in
the IT system, and more specific
comments about how financial
PO 00000
Frm 00047
Fmt 4701
Sfmt 4700
88777
institutions would conduct searches.
Multiple commenters requested that all
users be able to search using a wide
range of search fields or that FinCEN
adopt a layered approach in which some
users would be able to conduct wider
ranging searches while others would be
more limited. One commenter also
requested that users be able to search for
historical BOI on a single reporting
company. Commenters also highlighted
the need for information on how
authorized users can access BOI and
requested that FinCEN provide guidance
for users in conducting searches in the
form of pre-populated forms, templates,
guidance documents, FAQs, or an
‘‘access toolkit.’’
With respect to financial institution
access, several commenters argued that
the proposed level of financial
institution searching capabilities is far
too restrictive and should mirror that of
law enforcement agencies so financial
institutions can conduct broad and
open-ended queries. One commenter
stated that financial institutions should
be able to broadly search throughout the
BOI database to learn more about a
specific customer’s beneficial owners
and their connections to other
companies in order to strengthen their
customer due diligence compliance.
Many commenters also requested that
FinCEN adopt technologies that would
facilitate immediate, on-demand access
to BOI that would be compatible with
financial institutions’ systems, and the
most common request was for FinCEN
to allow the use of APIs to access the IT
system. Some commenters asked
FinCEN to clarify that FinCEN would
not manually review and approve each
request to search the database, as this
could overwhelm FinCEN’s capabilities
considering the number of search
requests. Many commenters requested
an automated system for financial
institutions to certify their requests for
access and be approved by FinCEN so
that they could conduct bulk searches
instead of individual searches, and they
argued that the proposal in the NPRM
of a single ‘‘electronic transcript’’ per
BOI search would be costly and
inefficient. Commenters also requested
that FinCEN make changes to the
information FinCEN requires from
financial institutions to conduct
searches, and one commenter argued
that FinCEN should require that
financial institutions use a reporting
company’s FinCEN identifier as an
added security measure. Finally, related
to financial institution searches of the
database, a few commenters asked that,
prior to January 1, 2024, FinCEN clarify
how financial institutions would be
informed when their queries match or
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88778
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
fail to match data in the database, and
how FinCEN will handle query errors
and mismatches generally. One
commenter provided specific
suggestions for a matching system that
FinCEN could use.
Response. As explained in the
proposed rule, FinCEN expects that
there will be differing levels of access to
the BO IT system, depending on the
type of authorized BOI recipient.
Domestic agency users (i.e., Federal
agencies engaged in national security,
intelligence, and law enforcement
activity; Treasury officers and
employees who require access to BOI to
perform their official duties or for tax
administration; and State, local, and
Tribal law enforcement agencies) will be
able to access and query the BO IT
system directly. This type of access
would permit authorized individuals
within an authorized recipient agency to
log in, run queries using multiple search
fields, and review one or more results
returned immediately. This broad access
to the BO IT system will allow domestic
agency users to conduct a wide range of
searches using a variety of search fields.
FinCEN believes this broad, flexible
access for domestic agency users is
necessary to enable them to use BOI
effectively to facilitate investigations or
other activities for which they may
obtain BOI.
As discussed in the proposed rule,
such broad search capabilities within
the BO IT system require domestic
agencies to clearly understand the scope
of their authorization and their
responsibilities under it. That is why
the proposed rule establishes protocols
for requirements, limitations, and
expectations with respect to searches by
domestic agencies of the BO IT system.
As part of these protocols, each
domestic agency would first need to
enter into an MOU with FinCEN before
being allowed access to the system.
Several commenters also requested that
FinCEN provide guidance to users on
how to conduct searches. FinCEN
expects to offer guidance and training
for all authorized users on the use of the
BO IT system, similar to the trainings it
provides to law enforcement and others
on access to BSA data.
As noted in the proposed rule, other
categories of authorized BOI recipients
will have more limited search
capabilities. Foreign BOI recipients will
have no access to the BO IT system, as
their requests will flow through an
intermediary Federal agency. Financial
institutions and their regulators (Federal
functional regulators and other
appropriate regulatory agencies) would
both have direct access to the BO IT
system, albeit in more limited form than
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
domestic agency users. The difference
in access between domestic government
agencies and financial institutions is
explained by the provisions of the CTA,
which require the consent of the
reporting company before a financial
institution may obtain the company’s
BOI from FinCEN. FinCEN anticipates
that once a financial institution has
obtained that consent, the financial
institution would submit identifying
information specific to that reporting
company and receive in return an
electronic transcript with that entity’s
BOI. FinCEN anticipates that financial
institutions will be able to obtain a
transcript immediately after submitting
the search request; financial
institutions’ search requests will not be
subject to manual review. Because of the
need to limit financial institution access
to those BOI transcripts for which it has
reporting company consent, FinCEN
believes that it would not be consistent
with this statutory requirement to allow
financial institutions to broadly query
the BO IT system, which may result in
the financial institutions obtaining
information about other reporting
companies or beneficial owners for
which they do not have consent. One
commenter suggested that FinCEN
require financial institutions to use a
reporting company’s FinCEN identifier
for the search as an added security
measure. FinCEN notes, however, that
reporting companies are not required to
obtain FinCEN identifiers, and not all
reporting companies will request them.
With respect to Federal functional
regulators and other appropriate
regulatory agencies exercising
supervisory functions, the CTA allows
these agencies to request from FinCEN
BOI that the financial institutions they
supervise have already obtained from
FinCEN, but only for assessing a
financial institution’s compliance with
customer due diligence requirements
under applicable law. FinCEN expects
regulators acting in this supervisory
capacity to be able to retrieve any BOI
that the financial institutions they
supervise received from FinCEN during
a particular period, but they will not be
able to broadly search the BO IT system.
However, Federal functional regulators
and other appropriate regulatory
agencies responsible for bringing civil
enforcement actions will be able to avail
themselves of the broader search
functionality described above for
domestic agency users.
c. Notification of Updates or Changes to
BOI
Comments Received. Several
commenters argued that the final rule
should provide more clarity on whether
PO 00000
Frm 00048
Fmt 4701
Sfmt 4700
FinCEN will provide financial
institutions with the updates to BOI that
reporting companies provide when
there are changes to that company’s
BOI. These commenters specifically
asked that FinCEN create a mechanism
for automated updates of BOI to
financial institutions when reporting
companies change their BOI.
Commenters argued that such
automated updates would meet the
requirements of the CTA that BOI
provided to FinCEN is ‘‘highly useful’’
and assists financial institutions in
meeting their customer due diligence
and AML/CFT obligations. A few
commenters requested that FinCEN
develop a ‘‘push’’ notification system
for the automated updates, and others
requested a system in which financial
institutions could sign up for updates
when they first queried the database for
a reporting company’s BOI. Commenters
also suggested that financial institutions
could be given a choice to ‘‘opt out’’ at
any point, such as when a financial
institution’s customer withdraws
consent for searches of its BOI.
Response. FinCEN appreciates the
commenters’ suggestions regarding the
BO IT system functionality. FinCEN will
consider these suggestions as a possible
future enhancement to the BO IT
system.
d. Inability and Loss of Access
Comments Received. Several
commenters asked FinCEN how
financial institutions should continue
meeting their customer due diligence
obligations in the event of an
unexpected event that results in loss of
access to the BO IT system, such as a
system outage or cyberattack that causes
the system to be inaccessible. One
commenter asked for FinCEN to clarify
whether access to the system would be
limited to business days and whether
financial institutions would be
prohibited from opening accounts
during times of inaccessibility.
Response. FinCEN anticipates that the
BO IT system will be available for
access 24 hours a day and 7 days a
week. When there are planned system
outages for regular maintenance
activities or period of unexpected
system unavailability, FinCEN will
provide appropriate notification to
users. Questions pertaining to the use of
BOI for 2016 CDD rule compliance will
be addressed in FinCEN’s forthcoming
proposed rule to revise 31 CFR
1010.230.
e. Verification of Beneficial Ownership
Information
In the preamble to the proposed rule,
FinCEN stated that it continues to
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
review the options available to verify
BOI within the legal constraints in the
CTA. It also clarified that in the term
‘‘verification,’’ as FinCEN uses it in this
context, means confirming that the
reported BOI submitted to FinCEN is
actually associated with a particular
individual.
Comments Received. FinCEN received
several comments on the issue of
verification of the beneficial ownership
information it will receive under 31 CFR
1010.380. Commenters argued that
FinCEN is required by the CTA to verify
information in the BO IT system, and
that such verification is necessary to
ensure the BOI reported to FinCEN is
‘‘accurate, complete, and highly useful’’
consistent with the CTA. Some
commenters urged FinCEN itself to
verify data in the BOI database, while
others suggested that verification should
involve coordination with other
governmental agencies and that such
coordination is required by the CTA.
Suggested verification mechanisms
included checks against the Consular
Consolidated Database maintained by
the Department of State, the National
Law Enforcement Telecommunications
System, the U.S. Postal Service, and
Departments of Motor Vehicles. One
commenter noted that any verification
method should be efficient and not
burdensome to businesses.
Some commenters noted the
experience of other countries in
verifying information in their beneficial
ownership registers, and that FinCEN’s
proposal did not meet the verification
requirements set forth by FATF. Others
noted that FinCEN’s definition of
‘‘verification’’ was unduly narrow and
should be expanded to include verifying
both that identifying information
submitted is for an actual person and
that the BOI is related to the named
reporting company. Multiple
commenters argued that verification, by
ensuring BOI was accurate and
complete, would reduce burden for
financial institutions (or concomitantly,
that failing to verify BOI would increase
burden by imposing additional
compliance costs on financial
institutions). Commenters also argued
that BOI would not be useful for
financial institutions without
verification. Multiple commenters
suggested that FinCEN explore
verification using privacy-protected data
sharing mechanisms such as a ZeroKnowledge Proof which match certain
data elements without requiring any of
the parties to exchange or disclose the
underlying data.
With respect to the timing of
verification, one commenter suggested
that cross-checking information should
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
happen at the time an entity is formed
and that financial institutions should
therefore not have to collect the
information but instead access the
FinCEN database to assist in customer
due diligence. Other commenters
suggested that information should be
verified upon submission to FinCEN.
One commenter noted that FinCEN
could increase the usefulness of the
database by sanctions screening BOI
against OFAC’s Specially Designated
Nationals and Blocked Persons List and
alerting users who access such BOI.
Response. Although verification is not
addressed in this rule, FinCEN
appreciates the comments on this topic
and is carefully considering the
suggestions provided. FinCEN agrees
that verification is an important part of
its overall efforts to ensure that the BOI
reported to it is ‘‘accurate, complete,
and highly useful’’ and continues to
assess options to verify BOI taking into
consideration practical, legal, and
resource challenges.
f. Other IT System Issues
Comments Received. FinCEN received
additional comments pertaining to the
functionality or use of the BO IT system.
Two commenters suggested that FinCEN
should make the BO IT system
compatible with other countries’
databases. Others suggested that FinCEN
provide a proof of registration page
when a BOI report is successfully filed.
Another commenter noted that the
proposed rule does not address whether
authorized users may make copies of the
BOI reports they obtain from the BO IT
system. One commenter recommended
that FinCEN develop an interactive
database which discloses generic BOI
database query trends.
Response. FinCEN appreciates these
ideas and will take them into
consideration as it continues to
implement the CTA.
iii. The Proposed BOI Reporting Form
Comments Received. While not the
subject of this proposed rule, FinCEN
received several comments on the
proposed Beneficial Ownership
Information Report (BOIR), which is the
form that FinCEN will use to collect
beneficial ownership information from
reporting companies pursuant to 31 CFR
1010.380. Commenters were critical of
checkboxes on the proposed BOIR form
that would provide a mechanism for
reporting companies to indicate when
they are unable to obtain certain
information about the reporting
company’s beneficial owners and
company applicants. Several of these
commenters requested that FinCEN
remove all such checkboxes. Two
PO 00000
Frm 00049
Fmt 4701
Sfmt 4700
88779
commenters expressed concern with the
quality and reliability of BOI if reporting
companies are allowed to indicate that
they are unable to identify beneficial
owners entirely or provide only certain
information associated with beneficial
owners. One commenter stated that the
checkboxes would act as a roadblock to
banks’ compliance with customer due
diligence obligations and principles.
One commenter stated that inclusion of
the checkboxes supports financial
institutions’ voluntary use of BOI. One
commenter stated that submission of
declarations where the reporting
company does not know who its
beneficial owners are should not be
permitted outside exceptional
circumstances and that in such
circumstances, the reporting company
should submit supporting evidence and
an explanation why the person is
anonymous or their identity is
unknown.
Response. As part of its obligations
under the Paperwork Reduction Act of
1995 (PRA), FinCEN separately solicited
public comment on the proposed BOIR
form through a 60-day PRA notice,
issued on January 17, 2023.197 Given
that the BOIR form is outside the scope
of this rulemaking and was instead the
subject of the 60-day PRA notice,
FinCEN considered the comments it
received on the form as part of its
consideration of the comments received
in response to the 60-day PRA notice.
Pursuant to the PRA, on September 29,
2023, the Department of the Treasury,
on behalf of FinCEN, published a 30-day
PRA notice, which considered these
comments and proposed a revised
approach to the BOIR form.198 OMB
approved the proposed BOIR form on
November 27, 2023.
iv. Outreach and Guidance
Proposed Rule. FinCEN
acknowledged in the proposed rule that
implementation of the final rule will
require additional engagement with
stakeholders to ensure a clear
understanding of the Access Rule’s
requirements, including through
guidance and FAQs, help lines, and
other communications. In question 29 in
the Access NPRM, FinCEN asked what
specific issues FinCEN should address
via public guidance or FAQs as well as
whether there were specific
recommendations on engagement with
stakeholders to ensure that the
authorized recipients—in particular,
State, local, and Tribal authorities and
small and mid-sized financial
197 88
198 88
E:\FR\FM\22DER3.SGM
FR 2760 (Jan. 17, 2023).
FR 67443 (Sept. 29, 2023).
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88780
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
institutions—are aware of requirements
for access to the BO IT system.
Comments Received. FinCEN received
a variety of comments in response to the
outreach questions in the Access NPRM.
Commenters noted that a Small Entity
Compliance Guide and FAQs, available
well in advance of any effective date,
would be useful for authorized users of
the BO IT system. Training videos and
step-by-step guides for each type of
authorized recipient, including an
online tip platform, would also improve
CTA effectiveness. Commenters also
suggested the importance of having
educational materials for foreign
requesters available in as many
languages as feasible. Those
commenters stated that the guidance on
foreign access should include examples,
templates, forms, and other materials
that can streamline the process as much
as possible. Several commenters
suggested developing guidance and
educational materials for financial
institutions, Certified Public
Accountants, and Secretary of State
offices that could be provided to their
customers and constituents. One
commenter specifically highlighted a
variety of national law enforcement and
tribal association annual conferences
where FinCEN should present and be
available to educate participants on
access to, and the utility of, the BO IT
system. Regarding engagement with
potential foreign requesters, one
commenter suggested that FinCEN
consider discussing access requirements
with the key foreign partners of Federal
agencies. One commenter recommended
that FinCEN use clear font styles and
sizes, avoid small footnotes and
legalese, and use contrasting colors.
Final Rule. As with the Reporting
Rule published on September 30,
2022,199 FinCEN envisions committing
significant resources upon publication
of the final Access Rule to prepare for
and enable successful implementation.
FinCEN anticipates that these resources
will be used to conduct outreach, as
well as draft and issue guidance, user
guides, FAQs, and other educational
materials. FinCEN recognizes the need
to ensure that reporting companies,
authorized users, and other stakeholders
have a thorough understanding of the
beneficial ownership Reporting and
Access Rules and their requirements,
both before and after the effective date
of the rules. FinCEN also remains
mindful of the imperative to minimize
burdens on reporting companies,
financial institutions, and authorized
users while also fulfilling the CTA’s
directives for establishing an effective
199 87
FR at 59548.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
reporting and access framework.
FinCEN appreciates that outreach and
education is an important element of the
effort to reduce compliance burdens and
enhance the utility of the BO IT system.
In addition to its planned outreach and
educational efforts, FinCEN continues to
track inquiries coming into its
Regulatory Support Section and will
draw on those inquiries when planning
outreach and drafting future guidance
and educational materials.
FinCEN notes that 31 U.S.C. 5336(g)
requires the Director of FinCEN, in
promulgating regulations carrying out
the CTA, to reach out to the small
business community and other
appropriate parties to ensure efficiency
and effectiveness of the process for the
entities subject to the CTA’s
requirements. FinCEN has engaged in
such outreach throughout the Access
rulemaking processes. As noted in the
Access NPRM, FinCEN conducted more
than 30 outreach sessions to solicit
input on how best to implement the
statutory authorizations and limitations
regarding BOI disclosure. Participants
included representatives from Federal
agencies, state courts, state and local
prosecutors’ offices, Tribal governments,
financial institutions, financial SROs,
and government offices that had
established BOI databases. Topics
discussed included how stakeholders
might use BOI, potential IT system
features, circumstances in which
potential stakeholders might need to redisseminate BOI, and how different
approaches might help further the
purposes of the CTA. These
conversations helped FinCEN refine its
thinking about how to create a useful
database for stakeholders while
protecting BOI and individual privacy.
FinCEN intends to continue its
substantial outreach to stakeholders,
including Federal and state law
enforcement officials, Indian Tribes,
trade groups, and others, to ensure
coordinated efforts to provide notice
and sufficient guidance to all potential
authorized users. FinCEN will also
provide guidance materials and training
materials for authorized users of the BO
IT system.
FinCEN appreciates the suggestions
on how to minimize burden to State,
local, and Tribal authorities and make
the use of the BO IT system as effective
as possible. FinCEN currently
administers access to the FinCEN Query
system and would build on its
experience and contacts with law
enforcement agencies and others in
administering access to and providing
training on BOI access.
PO 00000
Frm 00050
Fmt 4701
Sfmt 4700
I. Other Access NPRM Comments
i. Inspector General Complaint Process
Comments received. One commenter
stated that the proposed rule lacked any
acknowledgement of the user complaint
process established in the CTA.200 The
CTA provides that the Inspector General
of the Department of the Treasury, in
coordination with the Secretary of the
Treasury, shall provide public contact
information to receive external
comments or complaints regarding the
beneficial ownership information
notification and collection process or
regarding the accuracy, completeness, or
timeliness of such information. The
CTA also requires the Inspector General
to make a periodic report to Congress on
user complaints and any resulting
recommendations to ensure the
beneficial ownership information
reported to FinCEN is accurate,
complete, and highly useful.201
Response. FinCEN is cognizant of the
CTA’s requirements with respect to the
user complaint process. FinCEN
acknowledged Treasury OIG’s role in
this process in the final beneficial
ownership Reporting Rule, noting that
the Treasury OIG had established an
email inbox (CorporateTransparency@
oig.treas.gov) to receive such
complaints.202 FinCEN expects that
officers and employees of OIG, as
officers and employees of the
Department of the Treasury, would have
access to BOI in the BO IT system for
any official duties that require access to
information in that system, including
for purposes of fulfilling the Treasury
OIG’s responsibilities under the user
complaint process as outlined in the
CTA.
ii. Effective Date
Proposed Rule. FinCEN proposed an
effective date for the Access Rule of
January 1, 2024, to align with the date
on which the Reporting Rule at 31 CFR
1010.380 becomes effective.203 FinCEN
explained in the proposed rule that a
January 1, 2024, effective date is
intended to provide the public and
authorized users of BOI with sufficient
time to review and prepare for
implementation of the rule.204
Comments Received. Several
commenters expressed concern about
the January 1, 2024, effective date. One
commenter stated that it is unlikely that
FinCEN will be able to promulgate a
final access rule by the end of 2023 or
200 31
U.S.C. 5336(h)(4).
201 Id.
202 87
203 87
FR 59498, 59508.
FR 77404, 77425.
204 Id.
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
that the related BO IT system will be
built, tested, and operational by the end
of 2023. The commenter noted that it is
unlikely that authorized users will have
met the regulatory obligations that are
prerequisites to their ability to access
BOI by that date. The commenter
suggested that FinCEN should set out a
manageable, realistic timeline extending
past January 1, 2024, and communicate
this timeline to all stakeholders.
Another commenter expressed concern
about a ‘‘go live’’ date of January 1,
2024,205 and the ability of FinCEN and
financial institutions to make the
necessary implementation preparations
by that date given resource constraints.
This commenter suggested that FinCEN
delay the effective date of the beneficial
ownership rules and consider a staged
implementation approach. Finally,
another commenter expressed concern
that the effective date of FinCEN’s
beneficial ownership rules will coincide
with a regulatory action by the
Consumer Financial Protection Bureau,
which would overwhelm financial
institution compliance staff.
Final Rule. This final rule will be
effective February 20, 2024. However,
the effective date of the Reporting Rule
remains January 1, 2024, and FinCEN
continues to target January 1, 2024, for
the release of the BO IT system. Given
the publication date of this final rule in
advance of January 1, 2024, and
FinCEN’s phased implementation
approach outlined in section II.D.iii,
FinCEN believes authorized users will
have sufficient advance notice of the
requirements of this rule. FinCEN
appreciates these comments and
pragmatic suggestions and will make
adjustments to its implementation plans
if circumstances warrant.
With respect to concerns about
potential overlap with another
significant regulatory action, FinCEN
notes that under the Reporting Rule,
existing reporting companies will have
one year (until January 1, 2025) to file
their initial beneficial ownership
reports. FinCEN also notes that there is
no requirement in the rule that
authorized users of the BO IT system
access the system immediately upon the
effective date of this rule. The final
CTA-related rulemaking to revise
FinCEN’s customer due diligence rule
must occur no later than one year after
the effective date of the Reporting Rule,
or January 1, 2025, and this process will
likely extend into 2024.206
205 The commenter actually referred to January 1,
2025, but FinCEN believes this was a typographical
error intended to refer to January 1, 2024.
206 CTA, section 6304(d).
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
iii. Budget and Staffing
Proposed Rule. The preamble of the
proposed rule included a discussion of
FinCEN’s resource constraints with
respect to implementation of the
CTA.207 FinCEN noted in that
discussion that without the availability
of additional appropriated funds to
support this project and other missioncritical services, FinCEN may need to
identify trade-offs, including with
respect to guidance and outreach
activities, and the staged access by
different authorized users to the
database.
Comments Received. One commenter
made note of this discussion in the
proposed rule and requested a fuller
explanation of the staged access
approach. This same commenter also
observed that FinCEN would likely
receive an exponentially greater number
of inquiries and requests for technical
support from filers and users of the BO
IT system than it currently handles and
that FinCEN will need to hire and train
hundreds of support personnel in the
next twelve months. Another asked
what ‘‘staged access’’ means and noted
that the final rule should address
specifics about this and how it will
impact community banks. Finally, one
commenter suggested that FinCEN
address its resource constraints by
considering a professional internship
program to address short term staffing
needs to support CTA implementation.
Response. As previewed in the
proposed rule, FinCEN has undertaken
efforts to identify options to implement
the requirements of the CTA within its
current resources. One of several
options to manage implementation in
the current resource-constrained
environment is to implement a phased
rollout of access to the BO IT system—
meaning that different groups of
authorized users would obtain access to
the system at different times in a set
timeframe. As discussed further in
section II.D.iii, to manage smoothly the
draw on resources that this process will
demand, FinCEN will take a phased
approach to providing access to the BO
IT system.
FinCEN continues to move
expeditiously to put in place the
necessary infrastructure to implement
the CTA and to provide adequate
guidance and support to reporting
companies and authorized users of the
BO IT system. To this end, FinCEN is
currently working to implement and
staff a dedicated beneficial ownership
contact center to field both substantive
and IT-related inquiries. FinCEN has
207 87
PO 00000
FR 77404, 77408.
Frm 00051
Fmt 4701
Sfmt 4700
88781
also hired additional full-time staff who
will be assigned to support the
beneficial ownership portfolio and has
procured additional contractor support
for FinCEN’s CTA implementation
efforts. Any changes to FinCEN’s plans
to implement the CTA will be clearly
communicated to the public and
stakeholders.
IV. Severability
If any of the provisions of this rule, or
the application thereof to any person or
circumstance, is held to be invalid, such
invalidity shall not affect other
provisions or application of such
provisions to other persons or
circumstances that can be given effect
without the invalid provision or
application.
V. Regulatory Analysis
This section contains the final
regulatory impact analysis (RIA) for this
final rule; it estimates the anticipated
cost of the BOI access requirements to
the public, among other items. The final
rule imposes requirements on domestic
agencies, foreign requesters, and
financial institutions when they elect to
access FinCEN’s BOI database. The
requirements and the associated costs
vary depending on whether the affected
entity is a domestic agency, foreign
requester, or financial institution. To
estimate costs associated with accessing
beneficial ownership information in
accordance with the final rule, FinCEN
assigns an hourly burden to each
requirement in the rule and uses an
estimated wage rate to determine a perentity expected cost of following that
requirement. Where appropriate,
FinCEN varies the hourly burden and
wage according to the entity type and
the size of the entity. To approximate an
upper bound of aggregate expected
costs, FinCEN multiplies the per entity
costs computed as described by the total
number of expected affected entities.
These expected costs do not represent
fees that affected entities need to pay to
access beneficial ownership
information, as no such fees are
imposed by the final rule. Instead, the
costs as estimated below reflect the
dollar value FinCEN assigned, where
possible, to the estimated time burden
associated with the rule’s requirements.
Many of the rule’s benefits are not as
readily quantifiable, in part because the
rule sets forth access requirements for
obtaining BOI that is not yet
available,208 and because expected use
(and hence benefits) by at least some
208 BOI will be collected pursuant to 31 CFR
1010.380, finalized under the Reporting Rule,
which will be effective January 1, 2024.
E:\FR\FM\22DER3.SGM
22DER3
88782
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
parties cannot be reliably estimated
before the CTA’s required revision to
the 2016 CDD Rule has been
finalized.209 Other important expected
benefits of the rule are not reliably
quantifiable because an attempt to
isolate the incremental benefits
uniquely attributable to this rule would
be inherently speculative, and even if
such discrete increments could be
identified, assigning a dollar value to
items such as national security or public
faith in the integrity of the U.S. financial
system is impracticable. The rule,
nevertheless, is generally expected to
improve investigations by law
enforcement and assist other authorized
users in a variety of activities. To the
extent that this increased efficiency in
information gathering can be proxied by
reduced search costs,210 FinCEN
quantified these expected benefits to
certain affected parties in the NPRM and
in the RIA below. The potential
improvements in the breadth, scope,
and efficiency of investigations and
other activities by authorized users
should in turn strengthen national
security, enhance financial system
transparency and integrity, and align the
United States more closely with
international AML/CFT standards. The
RIA includes a discussion of these
qualitative benefits and quantifiable
efficiency gains which may accrue to
domestic agencies alongside the
quantitative discussion of costs.
FinCEN has made efforts to assess the
expected costs and benefits of the rule
realistically, but notes that the rule
relates to access to newly required
information that is not yet available;
thus, the estimates are based on several
assumptions where FinCEN lacks
certain direct supporting data. FinCEN
further notes that the analysis of
expected costs and benefits, as
previewed in the NPRM and discussed
below, is performed over annual
increments that assume a fully
operational framework, one in which all
potentially affected parties access a
database that includes BOI reports from
all reporting companies that are in
existence as of the Reporting Rule’s
209 FinCEN would need to know how access to
BOI under the rule will impact financial
institutions’ customer due diligence obligations,
which FinCEN will not be able to assess until its
revises the 2016 CDD Rule. Thus, FinCEN will
instead assess the value that BOI access has to
financial institutions in the regulatory analysis of
FinCEN’s upcoming revisions to the 2016 CDD
Rule. Throughout the analysis, FinCEN notes issues
that may be affected by the required revision to the
CDD rule.
210 In this analysis, ‘‘search cost’’ refers to the cost
associated with obtaining beneficial ownership
information. See. discussion in section V.A.ii.g.
about monetizing the time component of search
costs.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
effective date.211 This framing is not
expected to specifically depict the costs
or benefits corresponding to the first, or
subsequent, calendar year(s) following
the adoption of the final rule, given the
phased nature of related regulatory
implementation.212 However, FinCEN is
utilizing this approach because it
imposes the fewest extraneous
assumptions about how phased
regulatory implementation impacts the
expected economic effects.
FinCEN acknowledges that during
initial implementation, while entities
begin to gain access to BOI and initial
BOI reports are populated in the
database, the anticipated aggregate costs
and benefits of the rule may be lower
that the estimates presented below.
FinCEN further acknowledges that
during this period, the balance of costs
to benefits may also differ such that the
relative economic value (benefits scaled
by costs) of the rule as discussed below
could be overestimated. However, as the
methodological approach of the RIA, in
the NPRM and below, conservatively
ascribes no quantifiable benefits to
financial institutions as a subgroup of
authorized users while nevertheless
incorporating an estimated full cost
burden of access to them, it is unlikely
that the aggregate net benefits in the RIA
are overstated because in practice the
benefit to participating financial
institutions is expected to be nonzero.
FinCEN has described its cost
estimates in detail to inform the public
about the rule and its impact and has
analyzed the final rule as required
under Executive Orders (E.O.s) 12866,
13563, and 14094, the Regulatory
Flexibility Act, the Unfunded Mandates
Reform Act, and the Paperwork
Reduction Act. FinCEN’s analysis
assumes the baseline scenario is the
current regulatory framework, in which
there is no general Federal beneficial
ownership information disclosure
requirement and therefore no access to
this information. Thus, any estimated
costs and benefits as a result of the rule
are new relative to maintaining the
current framework. It has been
determined that this regulation is a
‘‘significant regulatory action’’ under
section 3(f)(1) of E.O. 12866, as
amended. Pursuant to the Regulatory
Flexibility Act, FinCEN’s analysis
concluded that the rule will have a
significant economic impact on a
substantial number of small entities.
Furthermore, pursuant to the Unfunded
Mandates Reform Act, FinCEN
211 The Reporting Rule requires such entities to
report BOI within one year of the effective date.
212 The phased implementation is discussed in
section II.D.iii. of the preamble.
PO 00000
Frm 00052
Fmt 4701
Sfmt 4700
concluded that the rule will result in an
expenditure of $177 million or more
annually by State, local, and Tribal
governments or by the private sector.213
Because the rule is a significant
regulatory action under section 3(f)(1) of
E.O. 12866, FinCEN prepared and made
public a preliminary RIA, along with an
Initial Regulatory Flexibility Analysis
(IRFA) pursuant to the Regulatory
Flexibility Act, on December 16,
2022.214 FinCEN received multiple
comments about the RIA and the IRFA,
which are addressed in this section.
FinCEN has incorporated additional
data points, additional cost
considerations, and responses to other
points raised by commenters into the
final RIA, which is published in its
entirety following a narrative response
to the comments.
A. Executive Orders 12866, 13563, and
14094
E.O.s 12866, 13563, and 14094 direct
agencies to assess costs and benefits of
available regulatory alternatives and, if
regulation is necessary, to select
regulatory approaches that maximize
net benefits (including potential
economic, environmental, and public
health and safety effects; distributive
impacts; and equity). E.O. 13563
emphasizes the importance of
quantifying both costs and benefits,
reducing costs, harmonizing rules, and
promoting flexibility. It has been
determined that this regulation is a
significant regulatory action under
section 3(f)(1) of E.O. 12866, as
amended. Accordingly, this final rule
has been reviewed by the Office of
Management and Budget (OMB).
i. Discussion of Comments to the RIA
FinCEN received several comments
related to the Access NPRM RIA. The
majority of these comments focused on
the estimated costs for financial
institutions to comply with the
proposed access requirements. A
smaller group of comments raised
points on other aspects of the NPRM’s
RIA, primarily on the cost analysis.
213 The Unfunded Mandates Reform Act requires
an assessment of mandates that will result in an
annual expenditure of $100 million or more,
adjusted for inflation. The U.S. Bureau of Economic
Analysis reports the annual value of the gross
domestic product (GDP) deflator in 1995, the year
of the Unfunded Mandates Reform Act, as 71.823,
and as 127.224 in 2022. See U.S. Bureau of
Economic Analysis, ‘‘Table 1.1.9. Implicit Price
Deflators for Gross Domestic Product’’ (accessed
Friday, June 2, 2023). Thus, the inflation adjusted
estimate for $100 million is 127.224/71.823 × 100
= $177 million.
214 See 87 FR 77426–77454.
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
a. Comments Related to Costs to
Financial Institutions
Comments generally stated that the
access requirements will be burdensome
for financial institutions. Time and
resources will be required to adjust to
the rule’s requirements for financial
institutions to access BOI. In particular,
a comment noted that compliance costs
will include training relevant staff,
changing policies and procedures,
enhancing information security, and
educating senior management and
customers, and that these costs are
significant and should not be
overlooked or underestimated.
Comments also stated that banks would
need to hire or reallocate personnel if
the rule is implemented as proposed.
FinCEN generally agrees with comments
observing that time and resources that
will be required for financial
institutions to adjust to the rule’s
requirements. FinCEN aims in this
analysis to accurately estimate the
burden of implementing requirements to
access BOI.
Comments also discussed the
estimates in the NPRM for financial
institution costs. One comment stated
that the estimates were generally
inaccurate and were not reasonable.
Comments provided specific feedback
on the following financial institution
cost estimates:
Administrative, Technical, and
Physical Safeguards. A few commenters
stated that the NPRM’s estimate of the
costs for financial institutions to
establish administrative and physical
safeguards to protect accessed BOI was
far too low—one comment called it
‘‘exponentially off’’—and needed to be
revisited. One commenter stated that
financial institutions would need to
spend vastly more than estimated to
develop and implement new systems,
with ongoing costs that would include
training on how to treat BOI from
FinCEN differently than other BOI a
financial institution may collect. The
commenter estimated it would cost
between $1 million and $3 million to
develop new systems or adapt existing
systems to comply with the proposed
rule and to prevent BOI obtained from
FinCEN from ‘‘flowing’’ into other
financial institution monitoring systems
or to affiliates outside of the United
States. The commenter notes this cost
could double if financial institutions are
only able to access BOI on a manual,
and not automated, basis.
Relatedly, a commenter stated that
FinCEN significantly underestimates the
costs financial institutions will incur to
update processes and IT systems to
comply with the proposed rule. The
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
commenter stated that financial
institutions would need to ‘‘reengineer’’
their existing processes and technology
to comply with the limitations on
sharing outside of the United States and
to segregate BOI from FinCEN from
standard customer documentation. The
commenter did not provide a cost
estimate. A commenter reminded
FinCEN to be mindful that modifying
existing procedures to accommodate
requests and other related issues will
take time and resources and requested
FinCEN write the final rule in a clear
and straightforward manner.
Finally, a commenter expressed
concern that BOI reported to FinCEN
will not be accurate or reliable, forcing
banks to shoulder the majority of the
burden in implementing the CTA by
acting as ‘‘regulatory quality control.’’
Commenters stated that if financial
institutions are required to rely on BOI
reported to FinCEN, the quality and
reliability of customer risk profiles
would be undermined unless the
financial institutions maintain duplicate
systems of BOI financial institutions
receive directly from their customers
and identify discrepancies between the
two data sources.
In response to these comments,
FinCEN increased the burden estimate
of financial institutions establishing
administrative and physical safeguards.
FinCEN retains its estimate for IT costs.
As explained in section III.H.ii.e.
although this rule does not address the
verification of BOI reported to FinCEN,
FinCEN agrees that verification is an
important part of its overall efforts to
ensure that the BOI reported is
‘‘accurate, complete, and highly useful’’
and continues to assess options to verify
BOI taking into consideration practical,
legal, and resource challenges.
Regardless of exactly how FinCEN
ultimately addresses verification,
FinCEN does not anticipate that the
final rule will require financial
institutions to need to separate BOI
obtained from FinCEN and BOI obtained
from customers under their existing
customer due diligence processes, as
some commenters suggested would be
necessary if FinCEN retained a strict
prohibition on financial institutions
using or storing BOI obtained from
FinCEN outside the United States;
therefore, FinCEN is not estimating the
burden for financial institutions to
reallocate resources or create
duplicative systems to separately store
BOI obtained from FinCEN. FinCEN also
notes that financial institutions will
have the ability to submit multiple
search requests simultaneously through
an automated process, lessening costs
PO 00000
Frm 00053
Fmt 4701
Sfmt 4700
88783
associated with manual searches by
financial institutions.
Customer Consent. Under the rule,
financial institutions must obtain and
document the consent of a reporting
company customer prior to accessing
BOI about that customer. Multiple
commenters stated that FinCEN’s
estimate for the burden of obtaining this
customer consent was too low and not
reasonable; one comment called the
estimate ‘‘patently absurd.’’
Commenters noted that this process
would involve multiple steps, including
identifying all applicable forms, drafting
and reviewing appropriate consent
language, and updating or establishing
new processes and procedures. A
commenter noted that updating online
forms, which is the format that many
banks use for account opening
documents, requires technical
development work and testing, among
other tasks. The commenter stated that
small banks will require less than the
estimated 10 hours, but the majority of
institutions will require significantly
more time to implement the
requirement. Another commenter stated
that the NPRM estimate disregarded the
time and attention necessary to devote
on an ongoing basis to meeting this
requirement. Another commenter noted
that costs could also arise if a customer
does not give consent or revokes
consent, because the financial
institution would be required to expend
resources to monitor on an ongoing
basis which customers have consented.
A commenter estimated it would take
10,000 hours of personnel time, and
potentially 100,000 hours in the largest
institutions, to update account opening
policies, procedures, processes, and
forms to include the customer consent
requirement. A commenter noted that
large banks will be able to absorb these
costs but predicted small and mid-sized
banks will turn to service providers.
FinCEN changed the burden estimate
for obtaining customer consent based on
these comments. FinCEN increased the
initial burden for updating forms and
procedures to account for this
requirement and considered the
multiple steps this will require based on
comments. FinCEN also added an
ongoing maintenance cost for this
requirement to account for the necessity
to change or update procedures. FinCEN
assesses, however, that this ongoing
maintenance cost is relatively minimal.
FinCEN is not estimating costs related to
obtaining customer consent more than
once, but will assess if such a cost
should be considered in the future CDD
Rule revision. FinCEN is not assessing
a cost related to a customer not
providing or revoking consent. FinCEN
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88784
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
believes that the tracking of such
information would be included in the
existing cost estimates related to
customer consent. Additionally, FinCEN
expects that few customers will not
provide consent given that providing
BOI and general consent for financial
institutions to access information from
other sources are both routine
requirements that customers anticipate
and accept.
Customer consent was the focus of
one of the regulatory alternatives
analyzed in the NPRM. Under this
alternative, FinCEN, rather than
financial institutions, would have
obtained the required consent from
reporting companies before financial
institutions could access those
companies’ BOI.215 A commenter stated
that the cost savings to financial
institutions would be much larger in
practice than FinCEN estimated in the
NPRM’s alternative analysis, and that
FinCEN’s reason for rejecting this
alternative—that financial institutions
are better positioned to obtain consent
(and track consent revocation) given
their direct customer relationships and
ability to leverage existing onboarding
and account maintenance processes—
does not make sense. FinCEN retains
this alternative scenario but notes that
the related cost savings estimate has
changed given the changes to the
financial institution burden estimates
throughout the analysis.
FinCEN, however, rejects the
commenter’s claim that the NPRM’s
reasoning was nonsensical. As
explained in section III.E.ii.d above,
FinCEN remains convinced that
financial institutions are better situated
than FinCEN to obtain and document a
reporting company’s consent given
financial institutions’ direct customer
relationships. By contrast, FinCEN
believes considerable delay could result
if it were itself to take on direct
management of the consent process. For
this reason and as further explained in
section III.E.ii.d above, FinCEN declines
to adopt the alternative of FinCEN
collecting customer consent.
Training. A few commenters stated
that the estimated cost of training
financial institution employees who
will access BOI under the rule was
underestimated. A commenter stated
that the NPRM estimates did not
account for lost productivity to the
financial institution while employees
are attending training sessions.
However, FinCEN notes the use of a
wage rate for financial institution
employees implicitly accounts for lost
productivity to the institution of
215 See
87 FR 77427–77428.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
employees working on the rule’s
requirements rather than other items.
Commenters stated that in addition to
those directly accessing FinCEN’s BOI
database, all employees that interact
with BOI through account opening or
customer interactions would also need
to participate in training. This training
would most likely not be centralized
and would be spread over departments
and branches in financial institutions. A
commenter stated that the increased
cost due to training contradicts
Congress’ intent for the CTA to
minimize burden on financial
institutions. A commenter stated this
burden could be alleviated by keeping
the registration and requirements
simple. A commenter also stated that
training would be necessary to inform
financial institution employees on how
to treat BOI obtained from FinCEN
separately from BOI obtained through
other means.
FinCEN has concluded that these
comments overstate the burden imposed
by the rule. The final rule (31 CFR
1010.955(d)(2)(ii)) requires financial
institutions to develop and implement
administrative, technical, and physical
safeguards reasonably designed to
protect BOI as a precondition for
receiving BOI. But, as explained in
section III.E.ii.c, FinCEN is authorizing
financial institutions to satisfy this
requirement by applying security and
information handling procedures under
section 501 of Gramm-Leach-Bliley Act
and applicable regulations for
nonpublic customer personal
information to BOI. The Federal
functional regulators have implemented
the requirements of the Gramm-LeachBliley Act in different ways, but they all
generally reference providing related
training.216 Thus, FinCEN does not
expect BOI training to be unduly
burdensome because training to protect
nonpublic customer personal
information is already part of a financial
institutions’ Gramm-Leach-Bliley Act
requirements.217 As explained in
section III.E.ii.c, FinCEN thus
anticipates that financial institutions
will determine how best to train
personnel who will have access to BOI
but who will not interact with the BO
IT system.
Nonetheless, financial institutions
will need to provide some training to
216 See generally Interagency Guidelines, supra
note 91, p. 95.
217 As discussed, the final rule does not require
financial institutions to separate BOI obtained from
FinCEN and BOI obtained from customers under
their existing customer due diligence processes.
Thus, training on how to segregate BOI obtained
from different sources should not be necessary, and
FinCEN accordingly does not need to account for
the costs of such training.
PO 00000
Frm 00054
Fmt 4701
Sfmt 4700
ensure that relevant financial institution
personnel access BOI in a manner
consistent with this rule. As part of
estimating the cost of this training, the
NPRM included an estimate of the
number of employees that would access
BOI at both small and large financial
institutions. Commenters stated that
these estimates were too low and
depended on many assumptions,
including an assumption that the
connection to the BO IT system is fast
and easy for the user with minimal
manual intervention. Commenters
proposed alternative estimates. A
commenter assumed that banks would
have between 5 and 15 percent of
employees involved in customer due
diligence processes (the percentage
varied depending on financial
institution size), and used December
2021 FDIC bank data to estimate that
3,586 small banks will have between 1.5
to 10 people, and an average of 4 to 5
people, performing customer due
diligence, and 1,263 large banks will
have between 5 and 5,000 people, and
an average of 26 to 27 people,
performing customer due diligence.
Another comment from a bank industry
representative stated that a member
estimated it has hired 50 full-time
equivalent employees to address the
existing CDD Rule requirements, and
additional employees would be needed
for the proposed rule. Similarly, another
commenter estimated that some large
banks will need to hire up to 40 or 50
additional staff to manage the technical
process associated with BOI. A financial
institution comment stated that they
would like to have at least 20 or 25 staff
members (out of 40 full-time staff)
available to access this data, which
would be a minimum of 3 staff per
location.
FinCEN appreciates the estimates
provided by commenters and has
incorporated changes to the analysis
based on these comments. However,
FinCEN notes that the assumption that
connection to the BO IT system is fast
and easy for the user is in line with
FinCEN’s expectations. Financial
institutions will also not need to access
the BO IT system manually if they
access via API.
Requests for BOI and Related
Certification Costs. Commenters raised
questions about the assumptions related
to the NPRM’s estimate of the number
of annual requests for BOI from
financial institutions. The NPRM
included this estimate to calculate the
cost burden of the proposed rule’s
requirement that financial institutions
certify that each request for BOI meets
certain requirements. A commenter
stated that FinCEN’s reliance on
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
estimates of annual new entity accounts
from the 2016 CDD Rule was wrong
because: (1) the CDD Rule requires the
collection and verification of BOI for
every new customer and every existing
customer opening a new account; (2) the
definition of legal entity customer under
the CDD Rule is broader than the
definition of reporting company under
the CTA; and (3) the use of an average
for a diverse set of financial institutions
may not be appropriate. Another
commenter questioned the assumption
that financial institutions will seek to
access BOI every time a new legal entity
customer that qualifies as a reporting
company opens a new account because
another part of the NPRM stated that the
proposed rule would not impose an
obligation to access BOI. Another
commenter claimed that most banks
expect that the total annual costs of
certifying their compliance when
making BOI requests will be
significantly higher than FinCEN’s
estimate, but did not provide an
alternative cost estimate.
FinCEN retains the methodology used
in the NPRM, which results in an
estimated range of 5 million to 6 million
annual requests for BOI from financial
institutions. FinCEN proposed the
upper bound of 6 million based on the
2016 CDD Rule’s regulatory analysis.
The comments identified several
reasons why the actual number of
requests may differ, but FinCEN
maintains it is appropriate to provide an
upper bound estimate based on the CDD
Rule. FinCEN agrees with commenters
that this final rule does not impose an
obligation to access BOI. However,
FinCEN uses this upper bound estimate
to illustrate potential costs to financial
institutions if the financial institutions
access BOI at the rate estimated in the
current CDD Rule. FinCEN also
acknowledges the point raised by
another commenter regarding
differences between the CDD Rule and
Reporting Rule. If the future CDD Rule
revision includes a different estimate for
the number of annual requests for BOI
per year, FinCEN will note that change,
and its effect on financial institution
costs, in that revision.
Other Financial Institution Costs.
Commenters recommended that audit
and legal review costs to financial
institutions be incorporated into the
RIA. There are no audit requirements for
financial institutions in the rule;
however, FinCEN understands that in
practice financial institution audits will
include reviewing the safeguards
implemented to protect accessed BOI.
FinCEN clarifies in the analysis that the
administrative safeguards burden
estimate includes audit and legal review
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
of such safeguards, and increases the
burden estimate accordingly. A
commenter also stated that the costs to
financial institutions should be
presented on a per account basis, and
that the amount per account would be
a few hours of an operations specialist
work (at $50 per hour rate) to access
BOI, corroborate it, address any
remediation of errors in the BOI, and
supervise the process, totaling $100–
$200 per account opening in
maintenance fees. FinCEN believes that
the per institution cost estimate
methodology used in the NPRM is
appropriate and retains it here. The per
account cost estimate would not capture
fixed costs of establishing new
procedures, and other requirements,
that are necessary at the institutional
level to comply with the rule.
A commenter noted that complying
with the rule’s security and
confidentiality requirements for BOI
access will require significant time and
resources for small businesses
(presumably meaning small financial
institutions), and that this will put such
small businesses at a disadvantage
compared to large companies with more
resources. FinCEN considers the cost of
the rule to small financial institutions in
the Regulatory Flexibility Act section of
the analysis, below. A commenter
requested that FinCEN publish Small
Entity Compliance Guides and FAQs to
assist such entities with compliance.
FinCEN anticipates issuing a Small
Entity Compliance Guide pursuant to
section 212 of Small Business
Regulatory Enforcement Fairness Act
(SBREFA) to assist small entities in
complying with the BOI access
requirements.
b. Comments Related to Government
and Reporting Company Costs
A handful of commenters raised other
cost issues outside of those that
pertained specifically to financial
institutions. Regarding other estimates
in the NPRM’s RIA, one commenter
stated that the cost estimate for State,
local, and Tribal law enforcement
agencies failed to include the number of
hours such agencies would spend on the
proposed written justification
requirement. FinCEN did consider this
burden in the NPRM and estimated that
submitting a request to FinCEN for BOI
would take one employee
approximately 15 minutes, or 0.25
hours, per request. For State, local, and
Tribal agencies, FinCEN estimated an
additional 20 to 30 hours of burden per
request to obtain a court authorization
in the NPRM. Therefore, State, local,
and Tribal requests were estimated to
have 20.25 to 30.25 hours of burden per
PO 00000
Frm 00055
Fmt 4701
Sfmt 4700
88785
request because of the court
authorization and written certification
requirements.218 FinCEN changed this
estimate in the analysis given changes to
the final rule’s requirements.219
A commenter stated that the NPRM
RIA did not address significant burdens
on reporting companies that would have
to provide BOI to both financial
institutions and FinCEN. The
commenter stated that such a burden
would be duplicative and unnecessary.
FinCEN expects that consideration of
such burden will be included in the
future CDD Rule revision, which will
discuss the current requirements that
financial institutions identify and verify
the beneficial ownership information of
their legal entity customers. Finally, a
commenter agreed with the estimates of
FinCEN’s costs in the NPRM, noting the
estimates appeared reasonable.
c. Comments Related to Benefits
A few commenters stated that access
to BOI would not have a benefit for
financial institutions. These
commenters stated that the
requirements would impose additional
compliance costs without enhancing
customer due diligence processes and
could result in duplicative processes. A
commenter stated this would result in
an inefficient allocation of resources
across AML compliance programs.
Another commenter stated that
resources would be reallocated away
from risk-based activities that more
effectively mitigate illicit finance risks.
As in the NPRM, FinCEN is not
attempting to estimate the benefits of
this rule to financial institutions. To do
so, FinCEN would need to know how
access to BOI under the rule will impact
financial institutions’ customer due
diligence obligations, which FinCEN
will not be able to assess until its revises
the 2016 CDD Rule. Thus, FinCEN will
instead assess the value that BOI access
has to financial institutions in the
regulatory analysis of FinCEN’s
upcoming revisions to the 2016 CDD
Rule.220 As explained in section II.B,
mandatory revisions to the 2016 CDD
Rule include: (1) bringing the rule into
conformity with the AML Act as a
whole, including the CTA; (2)
accounting for financial institutions’
access to BOI reported to FinCEN ‘‘in
order to confirm the beneficial
ownership information provided
directly to’’ financial institutions for
AML/CFT and customer due diligence
purposes; and (3) reducing unnecessary
218 FinCEN clarifies that this requirement is a
certification and not a justification.
219 31 CFR 1010.955(d)(1)(ii)(B)(2).
220 CTA, Section 6403(d)(1).
E:\FR\FM\22DER3.SGM
22DER3
88786
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
or duplicative burdens on financial
institutions and legal entity
customers.221
d. Comments on Other Topics
A commenter recommended that
FinCEN require secretaries of state and
similar offices to incorporate collection
of BOI into their registration processes,
and then submit this information to
FinCEN. The commenter noted that
while this option was explored and
rejected in the Reporting Rule, it could
possibly be implemented in the long
term and would minimize burden. As
noted in the Reporting Rule, FinCEN
rejected this alternative in part due to
concerns raised by comments from
several State authorities.222 FinCEN will
continue to explore other avenues to
coordinate with secretaries of state and
similar offices on beneficial ownership
matters and to minimize burden.
ii. Final Regulatory Impact Analysis
ddrumheller on DSK120RN23PROD with RULES3
a. Overview of the RIA
The RIA begins with a summary of the
rationale for the final rule, three
regulatory alternatives to the final rule,
and findings from the cost and benefit
analysis (sections (b)–(d)). Section (e)
describes the type and number of
entities expected to be affected by the
rule. Section (f) provides a detailed cost
analysis (including discussions of each
requirement’s quantifiable costs) that
considers costs to domestic agencies
(including SROs), foreign requesters,
financial institutions, and FinCEN.
Section (g) is a detailed discussion of
benefits. Section (h) summarizes the
overall impact of the quantifiable
portions of the rule.
Changes to the analysis or
assumptions are clearly specified, as
well as references to comments that are
incorporated into the RIA. In the course
of this discussion, FinCEN describes its
estimates, along with any nonquantifiable costs and benefits.223 In
response to comments, FinCEN has
made the following changes to its
estimates: increased the number of
SROs that may access BOI; increased the
hourly burden for financial institutions
to establish administrative and physical
safeguards by 200 percent; increased the
hourly burden for financial institutions
to obtain and document customer
221 CTA,
Section 6403(d)(1)(A)–(C).
222 87 FR 59559 (Sept. 30, 2022).
223 Throughout the analysis, FinCEN rounds
estimates for entity counts to the nearest whole
number, and any wage and growth estimates to the
nearest 1 or 2 decimal places. Calculations may not
be precise due to rounding, but FinCEN expects this
rounding method produces no meaningful
difference in the magnitude of FinCEN’s estimates
or conclusions.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
consent by 400–600 percent in year 1 224
and an additional 10 to 20 hours in
subsequent years; 225 and increased the
expected number of financial institution
employees requiring training to 4 to 5
for small financial institutions and 25 to
30 for large financial institutions.
FinCEN also decreased the hourly
burden estimate for written certification
of requests by State, local, and Tribal
law enforcement agencies, and
described additional requirements for
financial institutions, consistent with
changes made to this requirement in the
final rule. FinCEN also made changes to
update data, underlying sources, and
estimates with more recent information,
if available.
b. Rationale for the Final Rule
This rule is necessary to comply with
and implement the CTA. As described
in section I, this rule is consistent with
the CTA’s statutory mandate that
FinCEN issue regulations regarding
access to beneficial ownership
information. Specifically, the final rule
implements the provisions in the CTA,
codified at 31 U.S.C. 5336(c), that
authorize FinCEN to disclose
identifying information associated with
reporting companies, their beneficial
owners, and their company applicants
(together, BOI) to certain recipients.
c. Discussion of Regulatory Alternatives
to the Final Rule
The rule is statutorily mandated, and
therefore FinCEN has limited ability to
implement alternatives. However,
FinCEN considered certain significant
alternatives in the NPRM that were
available under the statute. FinCEN
replicated some of those alternatives
here, with adjustments for clarity and
for incorporated changes to the RIA, and
added another alternative. The sources
and analysis underlying the burden and
cost estimates cited in these alternatives
are explained in the RIA.
1. Change Customer Consent
Requirement
FinCEN considered altering the
customer consent requirement for
financial institutions. Under the final
rule, financial institutions are required
to obtain and document customer
consent once for a given customer.
224 As discussed in section V above, Year 1 in this
analysis is the first year in which all potentially
affected parties access a database that includes BOI
reports from reporting companies that are in
existence as of the Reporting Rule’s effective date.
225 Subsequent years (sometimes referred to as
‘‘Years 2+’’) in this analysis are the years after the
first year in which all potentially affected parties
access a database that includes BOI reports from
reporting companies that are in existence as of the
Reporting Rule’s effective date.
PO 00000
Frm 00056
Fmt 4701
Sfmt 4700
FinCEN considered an alternative
approach in which FinCEN would
directly obtain the reporting company’s
consent. Under this scenario, financial
institutions would not need to spend
time and resources on drafting or
modifying customer consent forms,
ensuring legal compliance, and testing
the forms.226 Using an hourly wage
estimate of $106 per hour for financial
institutions, FinCEN estimates this
would result in a savings per financial
institution of approximately $5,300 to
$7,420 in year 1 and $1,060 to $2,120
in subsequent years. FinCEN estimates
an aggregate savings of $83.3 to $116.6
million in year 1 and $16.7 to $33.3
million in subsequent years. To estimate
the potential range of aggregate savings
under this scenario, FinCEN multiplies
the respective estimates of yearly
savings by the number of financial
institutions (e.g., $7,420 per institution
× 15,716 financial institutions =
$116,612,720, to estimate the upper
bound). The cost savings for small
financial institutions under this
scenario would be approximately $72.6
million ($5,300 per institution × 13,699
small financial institutions =
$72,604,700), assuming the lower bound
of the estimated time burden applies.
Though this alternative results in a
savings to financial institutions,
including small entities, FinCEN
believes that financial institutions are
better positioned to obtain consent—and
to track consent revocation—given their
direct customer relationships and ability
to leverage existing onboarding and
account maintenance processes, as also
discussed in sections III.E.ii.d and
V.A.i.a above. Therefore, FinCEN
decided not to adopt this alternative.
2. Impose Court Authorization
Requirement on Federal Agencies
Another alternative extends the
requirement that State, local, and Tribal
law enforcement agencies provide a
court authorization with each BOI
request to 201 Federal agencies. FinCEN
estimates that requests submitted by
State, local, and Tribal law enforcement
agencies have an additional 8 to 10
hours of burden owing to an additional
requirement that a court of competent
jurisdiction, including any officer of
such a court, authorizes the agency to
seek the information in a criminal or
civil investigation. Therefore, FinCEN
applies this additional 8 to 10 hours of
burden per BOI request to the estimated
BOI requests submitted by Federal
226 FinCEN expects this process to require
approximately 50 to 70 hours in year 1 and 10 to
20 hours in subsequent years for ongoing forms
maintenance.
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
agencies and by State regulators. Using
FinCEN’s internal BSA request data as
a proxy, FinCEN anticipates that Federal
agencies could submit as many as
approximately 2 million total BOI
requests annually.227 Using an hourly
wage estimate of $110 per hour for
Federal employees, this requirement
would result in additional aggregate
annual costs in the first year between
approximately $1.76 and $2.2 billion ((2
million Federal requests × 8 hours ×
$110 per hour = $1.76 billion) and (2
million Federal requests × 10 hours ×
$110 per hour = $2.2 billion)) and
between $1.32 billion and $1.76 billion
in subsequent years ((2 million Federal
requests × 6 hours × $110 per hour =
$1.32 billion) and (2 million Federal
requests × 8 hours × $110 per hour =
$1.76 billion)). This alternative could
minimize the potential for broad or nonspecific searches by any agency not
currently subject to the requirement
because of the higher initial barrier to
accessing the data. However, FinCEN
believes that imposing this requirement
on authorized recipients for whom such
a requirement is not statutorily
mandated could lead to unnecessary
delays for Federal agencies in obtaining
BOI and impose unjustified burdens.
For these reasons, FinCEN decided not
to adopt this alternative.
3. Require Court Order for State, Local,
and Tribal Law Enforcement Requests
This alternative would require State,
local, and Tribal law enforcement
agencies to provide a copy of a court
order for each BOI request, which was
required in the proposed rule. In the
NPRM RIA, FinCEN estimated that
State, local, and Tribal law enforcement
agencies would have a per request
hourly burden between 20 to 30 hours
to obtain a court order for each BOI
request. Considering comments
received, FinCEN changed this
requirement in the final rule. The final
rule requires that State, local, and Tribal
law enforcement agencies obtain
authorization from a court of competent
jurisdiction to request BOI. FinCEN
estimates that State, local, and Tribal
law enforcement agencies will have a
per request hourly burden of 8 to 10
hours in year 1 and 6 to 8 hours in
subsequent years to obtain a court
authorization. Thus, in rejecting the
alternative proposed in the NPRM,
227 While FinCEN’s estimates do not incorporate
an estimated growth rate in the number of requests
throughout the 10-year time horizon of this
analysis, it is nevertheless possible that the number
of BOI requests could increase significantly in the
years following initial implementation of the BOI
reporting requirements as awareness of the ability
to access and the utility of BOI increases.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
FinCEN estimates a reduction in hourly
burden per request between 12 to 20
hours in year 1 and 14 to 22 hours in
subsequent years. Using FinCEN’s
internal BSA request data as a proxy,
FinCEN anticipates that State, local, and
Tribal law enforcement agencies will
submit between 1 and 23,000 BOI
requests per agency and, in total, as
many as approximately 200,000 BOI
requests annually. Using an hourly wage
estimate of $80 per hour for State, local,
and Tribal agency employees, FinCEN
estimates adopting this alternative
would result in a range of additional
costs per State, local, and Tribal law
enforcement agency of approximately
$960 to $36.8 million in year 1 ((1
request × 12 hours × $80 per hour =
$960) and (23,000 × 20 hours × $80 per
hour = $36.8 million)) and $1,120 to
$40.48 million in subsequent years ((1
request × 14 hours × $80 per hour =
$1,120) and (23,000 × 22 hours × $80
per hour = $40.48 million)). In total,
adopting this alternative would have
resulted in additional aggregate annual
costs in the first year between
approximately $192 and $320 million
((200,000 requests × 12 hours × $80 per
hour = $192 million) and (200,000 × 20
hours × $80 per hour = $320 million))
and between $224 million and $352
million in subsequent years ((200,000
requests × 14 hours × $80 per hour =
$224 million) and (200,000 × 22 hours
× $80 per hour = $352 million)). Given
the concerns raised by commenters and
the reasons outlined in section III.C.ii,
FinCEN decided not to adopt this
alternative, which results in a burden
reduction to State, local, and Tribal law
enforcement agencies.
d. Summary of Findings
1. Costs
The cost analysis estimates costs to
domestic agencies (including SROs),
foreign requesters, financial institutions,
and FinCEN. Each of the affected
entities will have costs associated with
the rule if it elects to access FinCEN
BOI. The costs vary based on the access
procedures for the authorized
recipients. The rule requires different
access procedures for domestic
agencies, foreign requesters, and
financial institutions. Whether the costs
of these requirements are one-time,
ongoing, or recurring, and whether the
costs accrue on a per recipient or per
request basis varies from requirement to
requirement. Additionally, some
requirements are administrative and
involve the creation of documents,
while others involve IT.
The estimated average per agency cost
in year 1 is between $2,888 and $10.1
PO 00000
Frm 00057
Fmt 4701
Sfmt 4700
88787
million per Federal agency, between
$2,100 and $.5 million per State and
local regulator, between $2,740 and
$18.9 million per State, local, and Tribal
law enforcement agency, and between
$2,783 to $662,500 per SRO. The
estimated average per agency cost each
year after the first year is between
$1,238 and $10 million per Federal
agency, between $900 and $.5 million
per State and local regulator, between
$1,380 and $15.2 million per State,
local, and Tribal law enforcement
agency, and between $1,193 to $662,500
per SRO. The total estimated aggregate
cost to domestic agencies in year 1 is
between $190.1 million and $260.4
million, and then between $157.5
million and $197.4 million each year
thereafter.
FinCEN is unable to estimate
aggregate costs on foreign requesters
given the lack of data on the number of
foreign requesters that may access BOI,
but FinCEN provides partial cost
estimates of the requirements on a
foreign requester. FinCEN’s estimates
annual cost to foreign requesters as
between approximately $16,600 and
$74,700. FinCEN also assumes that
Federal agencies that submit BOI
requests on behalf of foreign requesters
to FinCEN will incur additional costs;
FinCEN itself expects to incur costs
from the submission of such requests.
Therefore, FinCEN estimates that BOI
requests on behalf of foreign requesters
result in a cost per request of
approximately $220 to Federal agencies,
and a total annual cost to Federal
agencies between approximately
$44,000 and $198,000.
The estimated average cost per
financial institution in year 1 is between
approximately $27,161 and $43,668 and
between approximately $10,201 and
$12,928 each year thereafter. The
estimated aggregate cost for financial
institutions is between approximately
$426.9 and $686.3 million in the first
year, and then between approximately
$160.4 and $203.2 million each year
thereafter.
In addition to the costs of accessing
BOI data as a domestic agency, FinCEN
will incur costs from managing the
access of other authorized recipients.
FinCEN’s estimated annual cost for such
activities is $13 million.
2. Benefits
The rule will result in benefits for
authorized recipients, including through
improving the effectiveness and
efficiency of U.S. national security,
intelligence, and law enforcement
activity by providing access to BOI.
FinCEN has quantitatively estimated a
portion of such benefits in this analysis.
E:\FR\FM\22DER3.SGM
22DER3
88788
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
The rule will also have non-quantifiable
benefits to authorized recipients of BOI
and to society more widely. FinCEN
estimates quantifiable benefits
attributable to enhanced BOI search
efficiency between $33,000 and $2.2
million per Federal agency and similar
benefits between $24,000 and $1.6
million per State, local, and Tribal
agency. In aggregate, FinCEN estimates
quantifiable benefits between $10.6
million and $708.2 million.
e. Affected Entities
In order to analyze cost and benefits,
the number of entities affected by the
rule must first be estimated. Authorized
recipients of BOI are affected by this
rulemaking if they elect to access BOI
because they are required to meet
certain criteria to receive that BOI. The
criteria vary depending on the type of
authorized recipient.
Federal agencies engaged in national
security, intelligence, and law
enforcement activity will have access to
BOI in furtherance of such activities if
they establish the appropriate protocols
prescribed for them in the rule.
Additionally, Treasury officers and
employees who require access to BOI to
perform their official duties or for tax
administration will have access. The
number of agencies that could qualify
under these categories is large and
difficult to quantify. FinCEN uses the
number of Federal agencies that are
active entities 228 with BSA data
access 229 as a proxy for the number of
Federal agencies that may access BOI.
FinCEN believes this proxy is apt. While
the criteria for access to BSA data are
somewhat different outside of the CTA
ddrumheller on DSK120RN23PROD with RULES3
228 For
purposes of this analysis, an agency has
active access to BSA data if the official duties of any
agency employee or contractor includes authorized
access to the FinCEN Query system, a web-based
application that provides access to BSA reports
maintained by FinCEN.
229 For purposes of this analysis, BSA data
consists of all of the reports submitted to FinCEN
by financial institutions and individuals pursuant
to obligations that currently arise under the BSA,
31 U.S.C. 5311 et seq., and its implementing
regulations. These include reports of cash
transactions over $10,000, reports of suspicious
transactions by persons obtaining services from
financial institutions, reports of the transportation
of currency and other monetary instruments in
amounts over $10,000 into or out of the United
States, and reports of U.S. persons’ foreign financial
accounts. In fiscal year 2019, more than 20 million
BSA reports were filed. See Financial Crimes
Enforcement Network, ‘‘What is the BSA data?,’’
available at https://www.fincen.gov/what-bsa-data.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
context, Federal agencies that have
access to BSA data will generally also
meet the criteria for access to BOI under
the CTA. FinCEN believes that Federal
agencies that have access to BSA data
will most likely want access to BOI as
well and will generally be able to access
it under the parameters specified by the
rule. FinCEN includes offices within the
U.S. Department of the Treasury, such
as FinCEN itself,230 in this proxy count.
As of June 2023, 201 Federal agencies
and agency subcomponents are active
entities with BSA data access.
State, local, and Tribal law
enforcement agencies will have access
to BOI for use in criminal and civil
investigations if they follow the process
prescribed for them in the rule. FinCEN
uses the number of State and local law
enforcement agencies that are active
entities with BSA data access as a proxy
for the number of State, local, and Tribal
law enforcement agencies that may
access BOI, for the reasons discussed in
the Federal agency context. As of June
2023, 158 State and local law
enforcement agencies and agency
subcomponents are active entities with
access to BSA data.231 The process that
the rule sets forth involves these
agencies obtaining a court authorization
for each BOI request. Courts of
competent jurisdiction that issue such
authorizations may therefore also be
affected by the rule; FinCEN has not
estimated the burden that may be
imposed on such entities because of a
lack of relevant data and because such
burden will depend on choices made by
courts in authorizing BOI requests that
they receive from agencies.
Foreign government entities, such as
law enforcement, prosecutors, judges or
other competent or central authorities,
will be able to access BOI after
submitting a request as described in the
rule. FinCEN does not estimate the
number of different foreign requesters
that may request BOI, but instead
estimates a range of the total number of
annual requests for BOI that FinCEN
may receive from all foreign requesters.
The rule requires that foreign requests
230 In addition to incurring costs as an authorized
recipient of BOI, FinCEN expects to incur costs
from administering data to other authorized
recipients.
231 No Tribal law enforcement agencies currently
have access to BSA data through the FinCEN Query
system.
PO 00000
Frm 00058
Fmt 4701
Sfmt 4700
be made through an intermediary
Federal agency. Therefore, Federal
agencies will also be affected by foreign
requests.
The six Federal functional regulators
that supervise financial institutions
with customer due diligence
obligations—the FRB, the OCC, the
FDIC, the NCUA, the SEC, and the
CFTC—may access BOI for purposes of
supervising a FI’s compliance with
those obligations. Additionally, other
appropriate regulatory agencies may
access BOI under the rule. FinCEN uses
the number of regulators that both
supervise entities with requirements
under FinCEN’s CDD Rule and are
active entities with access to BSA data
as a proxy for the number of regulatory
agencies that may access BOI. As of June
2023, 63 regulatory agencies satisfy both
criteria.232 FinCEN adds three SROs to
this count, 233 which totals to 66
regulatory agencies. Although SROs are
not government agencies and they will
not have direct access to the BO IT
system under the rule, they may receive
BOI through re-disclosure and will be
subject to the same security and
confidentiality requirements as other
regulatory agencies under the rule.
As discussed further in section
III.C.iv.a, FinCEN intends to provide
access to BOI as an initial matter only
to financial institutions that are
‘‘covered financial institutions’’ as
defined in 31 CFR 1010.230. Assuming
that all such financial institutions will
access BOI, FinCEN estimates the
number of affected financial institutions
in Table 1.234
BILLING CODE 4810–02–P
232 This includes the six Federal functional
regulators. The remaining 57 entities are State
regulators that supervise banks, securities dealers,
and other entities that currently have customer due
diligence obligations under FinCEN regulations.
FinCEN did not include State regulatory agencies
that have active access to BSA data but do not
regulate entities with FinCEN customer due
diligence obligations, such as State gaming
authorities or State tax authorities.
233 FinCEN included two SROs in the NPRM but
added an additional SRO based on a comment.
234 To reiterate a point made on this subject in
section III.C.iv.b.1 above, this rule does not create
an obligation for financial institutions to access
BOI. However, for FinCEN’s own regulatory
compliance purposes, it is necessary to make
assumptions about the number of financial
institutions that will choose to do so, and FinCEN
wishes to avoid inadvertently underestimating that
number.
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
88789
Table I-Affected Financial Institutions
Financial Institution Type
Banks, savings associations,
thrifts, trust companies 1
Credit unions2
Brokers or dealers in
securities3
Mutual funds 4
Futures commission
merchants and introducing
brokers in commodities5
Total
Count
Small Count
5,001
3,673
4,787
3,538
4,297 6
3,450 6
1,378
1,012
1,341 6
938 6
15,716
13,699
6
All counts are from Q2 2023 FFIEC Call Report data, available at
https://cdr.ffiec.gov/public/pws/downloadbulkdata.aspx. Data for institutions that are not insured, are insured
under non-FDIC deposit insurance regimes, or do not have a Federal functional regulator are from the FDIC's
Research Information System, available at https://www.fdic.gov/foia/ris/.
2 Credit union data are from the NCUA for Q2 2023, available at https://www.ncua.gov/analysis/credit-unioncorporate-call-report-data.
3 According to the SEC, the number of brokers or dealers in securities for the fiscal year 2022 is 3,538. See
Securities and Exchange Commission, Fiscal Year 2024 Congressional Budget Justification, p. 32,
https ://www.sec.gov/files/fy-2024-congressional-budget-justification_fmal-3-10.pdf. 4 According to the SEC, as
of December 2022 (including filings made through Jan 20, 2023) there are 1,378 open-end registered investment
companies that report on Form N-CEN.
5 There are 60 futures commission merchants as of July 31, 2023, according to the CFTC website. See
Commodity Futures Trading Commission, Financial Data for FCMs,
https://www.cftc.gov/MarketReports/fmancialfcmdata/index.htm. According to CFTC, there are 952 introducing
brokers in commodities as of October 5, 2023.
6 The source of all small counts in this table is a FinCEN analysis described in the text below Table 1.
1
ddrumheller on DSK120RN23PROD with RULES3
Totaling these estimates results in
15,716 financial institutions that may
access BOI pursuant to the rule. Of these
financial institutions, 13,699 are small
entities. To identify whether a financial
institution is small, FinCEN uses the
Small Business Administration’s (SBA)
latest annual size standards for small
entities in a given industry.235 FinCEN
also uses the U.S. Census Bureau’s
publicly available 2017 Statistics of U.S.
Businesses survey data (Census survey
235 The SBA currently defines small entity size
standards for affected financial institutions as
follows: less than $850 million in total assets for
commercial banks, savings institutions, and credit
unions; less than $47 million in annual receipts for
trust companies; less than $47 million in annual
receipts for broker-dealers; less than $47 million in
annual receipts for portfolio management; less than
$40 million in annual receipts for open-end
investment funds; and less than $47 million in
annual receipts for futures commission merchants
and introducing brokers in commodities. See U.S.
Small Business Administration’s Table of Size
Standards, available athttps://www.sba.gov/sites/
sbagov/files/2023-03/Table%20of%20
Size%20Standards_
Effective%20March%2017%2C%202023%20%281
%29%20%281%29_0.pdf.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
data).236 FinCEN applies SBA size
standards to the corresponding
industry’s receipts in the 2017 Census
survey data and determines what
proportion of a given industry is
deemed small, on average. FinCEN
considers a financial institution to be
small if it has total annual receipts less
than the annual SBA small entity size
standard for the FI’s industry. FinCEN
applies these estimated proportions to
FinCEN’s current financial institution
counts for brokers or dealers in
securities, mutual funds, and futures
commission merchants and introducing
brokers in commodities to determine the
proportion of current small financial
institutions in those industries. FinCEN
does not apply population proportions
to banks or credit unions. Because data
236 See U.S. Census Bureau, U.S. & states, NAICS,
detailed employment sizes (U.S., 6-digit and states,
NAICS sectors) (2017), available at https://
www.census.gov/data/tables/2017/econ/susb/2017susb-annual.html. The Census survey documents
the number of firms and establishments,
employment numbers, and annual payroll by State,
industry, and enterprise every year. Receipts data,
which FinCEN uses as a proxy for revenues, is
available only once every five years, with 2017
being the most recent survey year with receipt data.
PO 00000
Frm 00059
Fmt 4701
Sfmt 4700
accessed through FFIEC and NCUA Call
Report data provides information about
asset size for banks, trusts, savings and
loans, credit unions, etc., FinCEN is able
to directly determine how many banks
and credit unions are small by SBA size
standards. 237 Because the Call Report
data does not include institutions that
237 Consistent with the SBA’s General Principles
of Affiliation, 13 CFR 121.103(a), FinCEN aggregates
the assets of affiliated financial institutions using
FFIEC financial data reported by bank holding
companies on forms Y–9C, Y–9LP, and Y–9SP
(available at https://www.ffiec.gov/npw/Financial
Report/FinancialDataDownload) and ownership
data (available at https://www.ffiec.gov/npw/
FinancialReport/DataDownload) when determining
if an institution should be classified as small.
FinCEN uses four quarters of data reported by
holding companies, banks, and credit unions
because a ‘‘financial institution’s assets are
determined by averaging the assets reported on its
four quarterly financial statements for the preceding
year.’’ See U.S. Small Business Administration’s
Table of Size Standards, p. 38 n.8, available at
https://www.sba.gov/sites/sbagov/files/2023-03/
Table%20of%20Size%20Standards_
Effective%20March%2017%2C%202023%20%281
%29%20%281%29_0.pdf. FinCEN recognizes that
using SBA size standards to identify small credit
unions differs from the size standards applied by
the NCUA. However, for consistency in this
analysis, FinCEN applies the SBA-defined size
standards.
E:\FR\FM\22DER3.SGM
22DER3
ER22DE23.000
BILLING CODE 4810–02–C
88790
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
are not insured, are insured under nonFDIC deposit insurance regimes, or that
do not have a Federal financial
regulator, FinCEN assumes that all such
entities listed in the FDIC’s Research
Information System data are small,
unless they are controlled by a holding
proposed rule, as summarized in Table
1.
Table 2 summarizes the counts of
entities by category that will have access
to BOI data.
company that does not meet the SBA’s
definition of a small entity, and
includes them in the count of small
banks. Using this methodology and data
from the FFIEC and the NCUA,
approximately 13,699 small financial
institutions could be affected by the
Table 2-Affected Entities
ddrumheller on DSK120RN23PROD with RULES3
As shown in Table 2, FinCEN
anticipates that as many as 16,141
different domestic agencies and
financial institutions could elect to
access BOI. Of these, FinCEN believes
the only entity category that will have
small entities affected is financial
institutions.238
f. Detailed Discussion of Costs
The rule imposes requirements on
domestic agencies, foreign requesters,
and financial institutions. To estimate
costs, FinCEN assigns an hourly burden
to each requirement and uses an
estimated wage rate to determine the per
entity cost of that requirement. Where
appropriate, FinCEN varies the hourly
burden and wage according to the entity
type and the size of the entity. To
estimate total costs, FinCEN multiplies
the per entity costs by the number of
entities.
In this analysis, FinCEN uses an
estimated compensation rate of
approximately $110 per hour for Federal
agencies and foreign requesters,
approximately $80 per hour for State,
local, and Tribal agencies, and
approximately $106 per hour for
financial institutions. This is based on
occupational wage data from the U.S.
Bureau of Labor Statistics (BLS).239 The
238 FinCEN provides more detail about this
conclusion in the Regulatory Flexibility Act
analysis.
239 See U.S. Bureau of Labor Statistics, National
Occupational Employment and Wage Estimates
(May 2022), available at https://www.bls.gov/oes/
current/oessrci.htm.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
Count
Small Count
0
0
NIA
0
13,699
13,699
most recent occupational wage data
from the BLS corresponds to May 2022,
released in May 2023. To obtain these
three wage rates, FinCEN calculated the
average reported hourly wages of six
specific occupation codes assessed to be
likely authorized recipients at Federal
agencies, State, local, and Tribal
agencies, and financial institutions.240
Included financial industries were
identified at the most granular North
American Industry Classification
System (NAICS) code available and are
the types of financial institutions that
are subject to regulation under the BSA,
even if these financial institutions are
not entities that are affected by the rule,
including: banks; casinos; money
service businesses; brokers or dealers in
securities; mutual funds; insurance
companies; futures commission
merchants and introducing brokers in
commodities; dealers in precious
240 To estimate government hourly wages,
FinCEN modifies the burden analysis in FinCEN’s
publication ‘‘Renewal without Change of AntiMoney Laundering Programs for Certain Financial
Institutions.’’ See 85 FR 49418 (Aug. 13, 2020).
Specifically, FinCEN uses hourly wage data from
the following six occupations to estimate an average
hourly government employee wage: chief
executives (i.e., agency heads), first-line supervisors
of law enforcement workers, law enforcement
workers, financial examiners, lawyers and judicial
clerks, and computer and information systems
managers. FinCEN uses hourly wage data for the
following occupations to estimate an average hourly
financial institution employee wage: chief
executives, financial managers, compliance officers,
and financial clerks. FinCEN also includes the
hourly wages for lawyers and judicial clerks, as
well as for computer and information systems
managers.
PO 00000
Frm 00060
Fmt 4701
Sfmt 4700
metals, precious stones, or jewels;
operators of credit card systems; and
loan or finance companies. This results
in a Federal agency hourly wage
estimate of $68.34; a State, local, and
Tribal agency hourly wage estimate of
$49.61; 241 and a financial institution
hourly wage estimate of $74.86.
Multiplying these hourly wage estimates
by their corresponding benefits factor
(1.61 242 for government agencies and
1.42 243 for private industry) produces
fully loaded hourly compensation
amounts of approximately $110 for
241 To estimate a single hourly wage estimate for
State, local, and Tribal agencies, FinCEN calculated
an average of the May 2022 mean hourly wage
estimates for State government agencies and for
local government agencies (($47.55 + $51.66)/2 =
$49.61), as wages are available for both of these
types of government workers in the BLS
occupational wage data. BLS data does not include
an estimate for Tribal government worker and thus
FinCEN does not include a Tribal government
worker wage estimate in this average.
242 The ratio between benefits and wages for State
and local government workers is $21.91 (hourly
benefits)/$35.69 (hourly wages) = 0.61, as of March
2023. The benefit factor is 1 plus the benefit/wages
ratio, or 1.61. See U.S. Bureau of Labor Statistics,
Employer Costs for Employee Compensation
Historical Listing, available at https://www.bls.gov/
web/ecec/ececqrtn.pdf. The State and local
government workers series data for March 2023 is
available at https://www.bls.gov/web/ecec/ececgovernment-dataset.xlsx. FinCEN applies the same
benefits factor to Federal workers.
243 The ratio between benefits and wages for
private industry workers is $11.86 (hourly benefits)/
$28.37 (hourly wages) = 0.42, as of March 2023. The
benefit factor is 1 plus the benefit/wages ratio, or
1.42. See U.S. Bureau of Labor Statistics, Employer
Costs for Employee Compensation: Private industry
dataset (Mar. 2023), available at https://
www.bls.gov/web/ecec/ecec-private-dataset.xlsx.
E:\FR\FM\22DER3.SGM
22DER3
ER22DE23.001
Entity Type
Federal agencies engaged in
201
national security, intelligence,
or law enforcement activity,
and Treasury offices
State, local, and Tribal law
158
enforcement agencies
Foreign requesters
NIA
Regulatory agencies
66
Financial Institutions
15,716
Total
16,141
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
Federal agencies, $80 for State, local,
and Tribal agencies, and $106 per hour
88791
for financial institutions. These wage
estimates are summarized in Table 3:
Table 3-Fully Loaded Wage Estimates
Entity Type
Federal government agency 1
State government agency
Local government agency
Equal weighted average for
State, local, and Tribal
agencies2
FI
Mean Hourly
Wage
$68.34
$47.55
$51.66
$49.61
Benefits Factor Fully Loaded
Hourly Wage
1.61
$110
1.61
$77
1.61
$83
1.61
$80
$74.86
1.42
$106
1 FinCEN
assumes the same hourly wage estimate for foreign requesters as for Federal agencies.
2 FinCEN calculates a simple average of the hourly wage estimate of State and local agencies. (BLS does not
provide any estimates for Tribal agency wages.) Estimating the average State and local agency hourly wage
using a value-weighted approached based on the likely proportion of State versus local agency participants using
internal FinCEN BSA data resulted in a similar hourly wage estimate.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
administering access to authorized
recipients.
1. Domestic Agencies
Domestic agencies must meet
multiple requirements to receive BOI.
Whether the costs of these requirements
are one-time, ongoing, or recurring, and
whether the costs accrue on a perrecipient or per request basis varies
from requirement to requirement.
Additionally, some requirements are
administrative and involve the creation
of documents, while others involve IT.
To estimate the costs for meeting these
PO 00000
Frm 00061
Fmt 4701
Sfmt 4700
requirements, FinCEN consulted with
multiple Federal agencies and utilized
statistics regarding active entities with
BSA data access. Requirements are
summarized in Table 4, which is
followed by more detailed analysis and
cost estimates. Table 4 does not
specifically reflect the requirement that
domestic agencies shall limit, to the
greatest extent practicable, the scope of
BOI it seeks. However, FinCEN does not
anticipate this limitation to impose
meaningful costs, and thus there is no
associated cost estimated for this
requirement.
E:\FR\FM\22DER3.SGM
22DER3
ER22DE23.002
ddrumheller on DSK120RN23PROD with RULES3
Each of the affected entities will have
costs associated with the rule if it elects
to access FinCEN BOI. The costs vary
based on the access procedures for the
authorized recipients. The costs also
vary by institution size and
investigation caseload, but for
simplicity, FinCEN estimates an average
impact by category of authorized
recipient throughout the analysis. The
rule requires different access procedures
for domestic agencies, foreign
requesters, and financial institutions.
FinCEN will also incur costs for
88792
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
Table 4-Requirements for Domestic Agencies
1
2
3
4
5
6
7
ddrumheller on DSK120RN23PROD with RULES3
8
Requirement
Enter into an agreement with FinCEN
and establish standards and procedures
Establish and maintain a secure system to
store BOI
Establish and maintain an auditable
system of standardized records for
requests
Restrict access to appropriate persons
within the agency, some of whom must
undergo training
Conduct an annual audit and cooperate
with FinCEN' s annual audit
Obtain certification of standards and
procedures initially and then semiannually, by the head of the agency
Provide initial and then an annual report
on procedures
Submit written certification for each
request that it meets certain agency
requirements
Timin~ of Cost
One-time
Type of Cost
Administrative
Ongoing
IT
Ongoing
IT
Ongoing (Training
cost is per recipient)
Administrative
Annual
Administrative
Semi-annual
Administrative
Annual
Administrative
Ongoing (Cost is per
request)
Administrative
Enter Into an Agreement with FinCEN
and Establish Standards and
Procedures. For requirement #1, FinCEN
assumes that domestic agencies will
incur costs during the first year. In
alignment with the feedback FinCEN
received during outreach efforts, which
is detailed in the NPRM, FinCEN
assumes it will take a domestic agency,
on average, between 15 and 300
business hours to complete this onetime task. Using an hourly wage
estimate of $110 per hour for Federal
agencies results in a one-time cost
between approximately $1,650 and
$33,000 per Federal agency ((15 hours ×
$110 per hour = $1,650) and (300 hours
× $110 per hour = $33,000)). Using an
hourly wage estimate of $80 per hour for
State, local, and Tribal agencies results
in a one-time cost between
approximately $1,200 and $24,000 per
State, local, and Tribal agency ((15
hours × $80 per hour = $1,200) and (300
hours × $80 per hour = $24,000)). To
estimate aggregate costs, FinCEN
multiplies these ranges by 207 total
Federal agencies 244 and 215 State, local,
and Tribal agencies,245 resulting in a
total one-time cost between
approximately $0.6 and $12 million
((207 Federal agencies × $1,650 per
Federal agency + 215 State, local, and
Tribal agencies × $1,200 per State, local,
and Tribal agency = $599,550) and (207
Federal agencies × $33,000 per Federal
agency + 215 State, local, and Tribal
agencies × $24,000 per State, local, and
Tribal agency = $11,991,000)).
Establish and Maintain a Secure
System to Store BOI. The cost of
requirement #2 will vary depending on
the existing IT infrastructure of the
domestic agency. Some agencies will be
able to build upon existing systems that
generally meet the security and
confidentiality requirements. Other
agencies will need to create new
systems. Consistent with feedback from
agencies that is detailed in the NPRM,
FinCEN expects that certain agencies (in
particular, Federal agencies) will bear
de minimis IT costs because Federal
agencies already have secure systems
and networks in place as well as
sufficient storage capacity in accordance
with Federal Information Security
244 This is 201 Federal law enforcement, national
security, and intelligence agencies and agency
subcomponents and six Federal regulators.
245 This is 158 State and local law enforcement
agencies and 57 State regulators that supervise
entities with customer due diligence requirements.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
PO 00000
Frm 00062
Fmt 4701
Sfmt 4700
Management Act (FISMA) standards.246
Therefore, FinCEN assumes a range of
burden for requirement #2 in year 1 of
de minimis to 300 hours, and an
ongoing burden of de minimis to 4
hours.
Using an hourly wage estimate of
$110 per hour for Federal agencies
results in an initial cost between
approximately de minimis costs and
$33,000 (300 hours × $110 per hour =
$33,000), and $440 annually thereafter
(4 hours × $110 per hour = $440) per
Federal agency. Using an hourly wage
estimate of $80 per hour for State, local,
and Tribal agencies results in an initial
cost between approximately de minimis
costs and $24,000 (300 hours × $80 per
hour = $24,000), and $320 annually
thereafter (4 hours × $80 per hour =
$320) per State, local, and Tribal
agency. To estimate aggregate costs,
FinCEN multiplies these ranges by 207
total Federal agencies, and 215 State,
local, and Tribal agencies, resulting in a
total year 1 cost between approximately
246 Under FISMA, Federal agencies need to
provide information security protections
commensurate with the risk and magnitude of the
harm resulting from unauthorized access, use,
disclosure, disruption, modification, or destruction
of information collected or maintained by an
agency. Federal agencies also need to comply with
the information security standards and guidelines
developed by NIST. 44 U.S.C. 3553.
E:\FR\FM\22DER3.SGM
22DER3
ER22DE23.003
#
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
de minimis and $12.0 million (207
Federal agencies × $33,000 per Federal
agency + 215 State, local, and Tribal
agencies × $24,000 per State, local, and
Tribal agency = $11,991,000). The
ongoing annual cost will be between
approximately de minimis and $.2
million (207 Federal agencies × $440 per
Federal agency + 215 State, local, and
Tribal agencies × $320 per State, local,
and Tribal agency = $159,880).
Establish and Maintain an Auditable
System of Standardized Records for
Requests. As with requirement #2, the
ongoing IT costs from requirement #3
will vary depending on the existing IT
infrastructure of the domestic agency.
FinCEN again expects that certain
agencies (in particular, Federal
agencies) will bear de minimis IT costs
because Federal agencies already have
secure systems and networks in place as
well as sufficient storage capacity in
accordance with FISMA standards.
Based on this expectation and agency
feedback explained in the NPRM,
FinCEN assumes a range of burden for
requirement #3 in year 1 of de minimis
to 200 hours, and an ongoing burden of
de minimis to 20 hours.
Using an hourly wage estimate of
$110 per hour for Federal agencies
results in an initial cost between
approximately de minimis costs and
$22,000 (200 hours × $110 per hour =
$22,000), and $2,200 annually thereafter
(20 hours × $110 per hour = $2,200) per
Federal agency. Using an hourly wage
estimate of $80 per hour for State, local,
and Tribal agencies results in an initial
cost between approximately de minimis
costs and $16,000 (200 hours × $80 per
hour = $16,000), and $1,600 annually
thereafter (20 hours × $80 per hour =
$1,600) per State, local, and Tribal
agency. To estimate aggregate costs,
FinCEN multiplies these ranges by 207
total Federal agencies, and 215 State,
local, and Tribal agencies, resulting in a
total year 1 cost between approximately
de minimis and $8.0 million (207
Federal agencies × $22,000 per Federal
agency + 215 State, local, and Tribal
agencies × $16,000 per State, local, and
Tribal agency = $7,994,000). The
ongoing annual cost will between
approximately de minimis and $.8
million (207 Federal agencies × $2,200
per Federal agency + 215 State, local,
and Tribal agencies × $1,600 per State,
local, and Tribal agency = $799,400).
Restrict Access to Appropriate
Persons Within the Agency, Some of
Whom Must Undergo Training. FinCEN
assumes that to comply with this
requirement, agencies will provide
training to certain employees that
receive BOI access. The number of
authorized recipients that have BOI
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
access at a given agency will vary. Using
the active entities with access to BSA
data as of June 2023 as a proxy, and
consistent with information provided by
a number of agencies, FinCEN
anticipates that each Federal agency
could have anywhere between
approximately 1 and 1,900 recipients of
BOI data while each State, local, and
Tribal agency could have anywhere
between 1 and 80 recipients of BOI.247
To estimate the cost of this training,
FinCEN assumes that each employee
that accesses BOI data will undergo 1
hour of training per year. Using an
hourly wage estimate of $110 per hour
for Federal agencies results in an annual
cost between approximately $110 and
$209,000 (1 employee × 1 hour × $110
per hour = $110) and (1,900 employees
× 1 hour × $110 per hour = $209,000))
per Federal agency. Using an hourly
wage estimate of $80 per hour for State,
local, and Tribal agencies results in an
annual cost between approximately $80
and $6,400 (1 employee × 1 hour × $80
per hour = $80) and (80 employees × 1
hour × $80 per hour = $6,400)) per State,
local, and Tribal agency.
To estimate the aggregate annual
costs, FinCEN uses aggregate user
counts of active BSA data users based
on internal FinCEN data from June
2023, which provides a more reasonable
estimate of the likely number of
authorized recipients than assuming the
previously estimated ranges will apply
to each domestic agency. Therefore,
based on internal data, FinCEN expects
that approximately 12,000 Federal
employees and 2,000 employees of
State, local, and Tribal agencies will
undergo annual training to access BOI
data.248 This results in an aggregate
annual training cost of approximately
$1.5 million ((12,000 Federal employees
× 1 hour × $110 per hour) + (2,000 State,
local, and Tribal employees × 1 hour ×
$80 per hour) = $1,480,000).
Conduct an Annual Audit and
Cooperate with FinCEN’s Annual Audit;
Initially and then Semi-Annually Certify
Standards and Procedures by the Head
247 The range provided is an estimate of the
lowest and highest number of users for Federal
agencies and for State and local agencies
respectively as of a given date in June 2023 with
access to BSA data through FinCEN’s database.
248 These estimates are based on the number of
users that directly access BSA data through
FinCEN’s internal system; there are a limited
number of other ways that users may access BSA
data, which are not accounted for here.
Furthermore, while FinCEN does not incorporate an
anticipated growth rate into the estimate of BOI
authorized recipients throughout the 10-year time
horizon of this analysis, the number of BOI
authorized recipients could increase significantly
after the first fully operational year of the BOI
reporting requirements as awareness of the ability
to access and utility of accessing BOI increases.
PO 00000
Frm 00063
Fmt 4701
Sfmt 4700
88793
of the Agency; Annually Provide a
Report on Procedures. Requirements
#5–7 are administrative costs that a
domestic agency will incur on an
annual or semi-annual basis.
Specifically, they require an agency to:
(1) conduct an annual audit and
cooperate with FinCEN’s annual audit;
(2) certify standards and procedures by
the head of the agency semi-annually;
and (3) provide an annual report on
procedures to FinCEN. Based on
feedback from outreach as explained in
the NPRM, FinCEN assumes it will take
a given agency between 10 hours and
160 hours per year to meet these three
requirements.
Using an hourly wage estimate of
$110 per hour for Federal agencies
results in annual costs between
approximately $1,100 and $17,600 per
Federal agency ((10 hours × $110 per
hour = $1,100) and (160 hours × $110
per hour = $17,600)). Using an hourly
wage estimate of $80 per hour for State,
local, and Tribal agencies results in
annual costs between approximately
$800 and $12,800 per State, local, and
Tribal agency ((10 hours × $80 per hour
= $800) and (160 hours × $80 per hour
= $12,800)). To estimate annual
aggregate costs, FinCEN multiplies these
ranges by 207 total Federal agencies and
215 State, local, and Tribal agencies,
resulting in a total annual cost between
approximately $.4 million and $6.4
million ((207 Federal agencies × $1,100
per Federal agency + 215 State, local,
and Tribal agencies × $800 per State,
local, and Tribal agency = $399,700) and
(207 Federal agencies × $17,600 per
Federal agency + 215 State, local, and
Tribal agencies × $12,800 per State,
local, and Tribal agency = $6,395,200)).
Submit Written Certification for Each
Request that it Meets Certain Agency
Requirements. Finally, for requirement
#8, domestic agencies are required to
submit a written certification for each
request for BOI. The written
certification will be in the form and
manner prescribed by FinCEN. This
certification will be submitted to
FinCEN via an electronic form. The
number of requests for BOI submitted to
FinCEN by domestic agencies in any
given year will vary.
FinCEN assumes that submitting a
request to FinCEN for BOI will take one
employee approximately 15 minutes, or
0.25 hours, per request. This is based on
FinCEN’s experience with submitting
requests for BSA data in FinCEN Query,
which similarly require a written
description for a search request.
Certification requirements vary by
authorized recipient type under the
rule. Federal and regulatory agencies
must certify that their request is related
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88794
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
to specific activities. State, local, and
Tribal law enforcement agencies must
certify that a court of competent
jurisdiction, including any officer of
such a court, has authorized the agency
to seek the BOI in a criminal or civil
investigation. FinCEN expects that
requests submitted by State, local, and
Tribal law enforcement agencies will
take an additional 8 to 10 hours in year
1 and 6 to 8 hours in subsequent years
to the due to the additional court
authorization requirement. The hourly
burden decline in subsequent years
reflects FinCEN’s expectation that
agencies (and courts) will improve their
processes for meeting BOI request
requirements. FinCEN expects many
agencies will access BOI repeatedly year
after year as they do with BSA data. For
purposes of estimating the cost of these
additional hours of burden, FinCEN
applies the hourly wage estimate for
State, local, and Tribal employees and
assumes that this cost will be incurred
by the State, local or Tribal law
enforcement agency. In practice,
employees within the court system may
also incur costs related to this
requirement. However, FinCEN has not
estimated the burden that may be
imposed on such entities because of the
lack of relevant data and because such
burden will vary depending on how
courts choose to authorize BOI requests.
Using an hourly wage estimate of
$110 per hour for Federal employees
results in a per request cost of
approximately $28 per Federal agency
(0.25 hours × $110 per hour = $27.50).
Using an hourly wage estimate of $80
per hour for State, local, and Tribal
employees results in a per request cost
of approximately $20 per State and local
regulator (0.25 hours × $80 per hour =
$20), between approximately $660 and
$820 per State, local, and Tribal law
enforcement agency in year 1 ((8.25
hours × $80 per hour = $660) and (10.25
hours × $80 per hour = $820)) and $500
and $660 in subsequent years ((6.25
hours × $80 per hour = $500) and (8.25
hours × $80 per hour = $660)).
To estimate a per agency annual cost,
FinCEN uses BSA data request statistics
from recent years as a proxy. Using
these data, FinCEN estimates that each
Federal agency could submit between 1
and 350,000 requests for BOI annually
while each State, local, and Tribal
agency could submit between 1 and
23,000 requests for BOI annually.249
Therefore, the estimated annual cost is
between $28 and $9.8 million (($28 per
request × 1 request) and ($28 per request
× 350,000 requests = $9,800,000)) per
Federal agency. The annual cost is
between $20 and $.5 million (($20 per
request × 1 request) and ($20 per request
× 23,000 requests = $460,000)) per State
and local regulator. For State, local, and
Tribal law enforcement agencies, the
annual cost is between $660 and $18.9
million in year 1 (($660 per request × 1
request = $660) and ($820 per request ×
23,000 requests = $18,860,000)) and
$500 and $15.2 million in subsequent
years (($500 per request × 1 request =
$500) and ($660 per request × 23,000
requests = $15,180,000)).
Using FinCEN’s internal BSA request
data as a proxy, FinCEN anticipates that
Federal agencies could submit as many
as 2 million total BOI requests annually
and that State, local, and Tribal agencies
could submit as many as 230,000 total
BOI requests annually.250 The internal
number of BSA requests provides a
more reasonable estimate of the likely
number of aggregate requests than
assuming the previously estimated
ranges will apply to each domestic
agency. This results in aggregate costs in
year 1 between $187.6 and $219.6
million ((2 million Federal requests ×
$28 per request + 30,000 State and local
regulatory requests × $20 per request +
200,000 State, local, and Tribal law
enforcement requests × $660 per request
= $187,600,000) and (2 million Federal
requests × $28 per request + 30,000
State and local regulatory requests × $30
per request + 200,000 State, local, and
Tribal law enforcement requests × $820
per request = $219,600,000)). In
subsequent years, the aggregate annual
costs range between $155.6 million and
$187.6 million ((2 million Federal
requests × $28 per request + 30,000
State and local regulatory requests × $20
per request + 200,000 State, local, and
Tribal law enforcement requests × $500
per request = $155,600,000) and ((2
million Federal requests × $28 per
request + 30,000 State and local
regulatory requests × $20 per request +
200,000 State, local, and Tribal law
enforcement requests × $660 per request
= $187,600,000)).
Totaling the estimated costs for
requirements #1–8, the estimated
average per agency cost in year 1 is
between $2,888 and $10.1 million per
Federal agency, between $2,100 and $.5
million per State and local regulator,
between $2,740 and $18.9 million per
State, local, and Tribal law enforcement
agency, and between $2,783 to $662,500
249 The range is an estimate of the lowest and
highest number of BSA data requests received
through FinCEN’s database from Federal agencies
and for State and local agencies respectively during
recent years.
250 Of the 230,000 anticipated total annual State,
local, and Tribal BOI requests, approximately
30,000 are expected from State regulators and
approximately 200,000 from State, local, and Tribal
law enforcement agencies.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
PO 00000
Frm 00064
Fmt 4701
Sfmt 4700
per SRO.251 The estimated average per
agency cost each year after the first year
is between $1,238 and $10 million per
Federal agency, between $900 and $.5
million per State and local regulator,
between $1,380 and $15.2 million per
State, local, and Tribal law enforcement
agency, and between $1,193 to $662,500
per SRO. The total estimated aggregate
cost to domestic agencies in year 1 is
between $190.1 million and $260.2
million, and then between $157.5
million and $197.2 million each year
thereafter.
Federal agencies may incur costs
related to submitting requests on behalf
of foreign requesters. These costs are
estimated in the next section. Federal
agencies may also bear costs related to
enforcement in cases of unauthorized
disclosure and use of BOI; however,
these costs have not been estimated in
this analysis, as the level of compliance
with the rule is unknown.
2. Foreign Requesters
Foreign requesters must meet
multiple requirements to receive BOI.
FinCEN does not have an estimate of the
number of foreign requesters that may
elect to request and access BOI, or
which requesters will do so under an
applicable international treaty,
agreement, or convention, or through
another channel available under the
rule. Foreign requesters that request and
receive BOI under an applicable
international treaty, agreement, or
convention do not have certain
requirements under the rule, given that
such requesters are governed by
standards and procedures under the
applicable international treaty,
agreement, or convention. However,
FinCEN does not differentiate between
types of foreign requesters in this
analysis, given the lack of data. Though
FinCEN is unable to estimate aggregate
costs on foreign requesters given the
lack of data on the number of foreign
requesters that may access BOI, FinCEN
provides partial cost estimates of the
requirements on a foreign requester.
Requirements are summarized in Table
5, which is followed by a more detailed
analysis and cost estimates. Table 5
does not specifically reflect the
requirement that a foreign requester
shall limit, to the greatest extent
practicable, the scope of BOI it seeks.
However, FinCEN does not expect this
251 To calculate total costs to SROs, FinCEN
calculated a ratio that applied the estimated costs
to State regulators (which have access requirements
similar to SROs) to the wage rate estimated herein
for financial institutions, since SROs are private
organizations. As noted previously, SROs will not
have direct access to the BO IT system, but may
receive BOI through re-disclosure.
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
limitation to impose meaningful costs,
88795
and thus there is no associated cost
estimated for this requirement.
Table 5-Requirements for Foreign Requesters
1
2
3
ddrumheller on DSK120RN23PROD with RULES3
4
Requirement
Establish standards and procedures
Maintain a secure system to store BOI
Restrict access to appropriate persons, all
of whom must undergo training
Provide information for each request to
an intermediary Federal agency
Timin~ of Cost
One-time
Ongoing
Ongoing per
requester
Ongoing per request
Type of Cost
Administrative
IT
Administrative
Administrative
Establish Standards and Procedures.
For requirement #1, FinCEN assumes
that foreign requesters will incur costs
during the first year. FinCEN assumes it
will take a foreign requester, on average,
between one and two full business
weeks (or, between 40 and 80 business
hours) to establish standards and
procedures. This estimate is a FinCEN
assumption based on its experience
coordinating with foreign partners.
Using an hourly wage estimate of $110
per hour for Federal agencies, which
FinCEN assumes is a comparable hourly
wage estimate for foreign requesters,
FinCEN estimates this one-time cost
will be between approximately $4,400
and $8,800 per foreign requester ((40
hours × $110 per hour) and (80 hours ×
$110 per hour)). Foreign requesters that
request and receive BOI under an
applicable international treaty,
agreement, or convention do not have
this requirement under the rule, given
that such requesters are governed by
standards and procedures under the
applicable international treaty,
agreement, or convention. However,
FinCEN does not differentiate between
types of foreign requesters in this
analysis, given the lack of data.
Maintain a Secure System to Store
BOI. For requirement #2, the cost of the
ongoing IT requirement will vary
depending on the existing infrastructure
of the foreign requester. FinCEN
believes that foreign requesters already
have secure systems and networks in
place as well as sufficient storage
capacity, given their ongoing
coordination with the U.S. government
on a variety of matters, which likely
adhere to applicable data security
standards. Therefore, FinCEN assumes
de minimis IT costs. Foreign requesters
that request and receive BOI under an
applicable international treaty,
agreement, or convention do not have
this requirement under the rule, given
that such requesters are governed by
security standards under the applicable
international treaty, agreement, or
convention. However, FinCEN does not
differentiate between types of foreign
requesters in this analysis, given the
lack of data.
Restrict Access to Appropriate
Persons, Who Will Undergo Training.
For requirement #3, FinCEN assumes
that each foreign requester that accesses
BOI data will undergo 1 hour of training
per year; FinCEN does not impose
specific requirements on the content or
structure of this training. Using an
estimated hourly wage amount of $110,
this results in an annual training cost of
approximately $110 per foreign
requester.
Provide Information for Each Request
to an Intermediary Federal Agency. For
requirement #4, FinCEN assumes that
providing information for a BOI request
to an intermediary Federal agency will
take one foreign requester
approximately 45 minutes, or 0.75
hours, per request. This estimate is
based on FinCEN’s assumption that a
request for BOI submitted directly by a
Federal agency on its own behalf will
take approximately 15 minutes. Given
the additional information required for
a foreign-initiated request, FinCEN
triples that estimate for foreign requests.
Using an hourly wage estimate of $110
per hour, this will result in a per request
cost of approximately $83 per foreign
requester (0.75 hours × $110 per hour =
$83). Based on feedback from agencies,
FinCEN believes that the total number
of foreign requests will range between
approximately 200 and 900 per year.252
This results in an aggregate annual cost
to foreign requesters between
approximately $16,600 and $74,700
((200 requests × $83 per request =
$16,600) and (900 requests × $83 per
request = $74,700)).
FinCEN also assumes that Federal
agencies that submit requests on behalf
of foreign requesters to FinCEN will
incur additional costs; FinCEN itself
expects to incur costs from the
submission of such requests. Therefore,
FinCEN estimates that processing BOI
requests on behalf of foreign requesters
require approximately two hours of one
Federal employee’s time, resulting in a
cost per request of approximately $220
(2 hours × $110 per hour). This results
in a total annual cost to Federal agencies
between approximately $44,000 and
$198,000 ((200 requests × 2 hours ×
$110 per hour = $44,000) and (900
requests × 2 hours × $110 per hour =
$198,000)).
252 FinCEN recognizes that the number of BOI
requests from foreign requesters may be higher, as
no such U.S. beneficial ownership IT system
currently exists. The existence of a centralized U.S.
BOI source may in fact result in a higher number
of annual requests by foreign requesters.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
PO 00000
Frm 00065
Fmt 4701
Sfmt 4700
3. Financial Institutions
Financial institutions must meet
multiple requirements to access BOI.
Requirements are summarized in Table
6, which is followed by a more detailed
analysis and cost estimates. It should be
noted that Table 6 includes a training
requirement. FinCEN assumes
authorized recipients of BOI at financial
institutions will undergo training in
order to comply with the safeguards in
the rule. Additionally, FinCEN
anticipates that access to the BO IT
system will be conditioned on
recipients of BOI undergoing training.
E:\FR\FM\22DER3.SGM
22DER3
ER22DE23.004
#
88796
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
Table 6-Requirements for Financial Institutions
1
2
3
4
ddrumheller on DSK120RN23PROD with RULES3
5
6
7
Requirement
Develop and implement administrative
and physical safeguards
Develop and implement technical
safeguards
Obtain and document customer consent
Submit certification for each request that
it meets certain requirements
Undergo training
Geographic restrictions
Notification of information demand
Develop and Implement
Administrative and Physical
Safeguards. For requirement #1, FinCEN
estimates an average burden per
financial institution between 120 and
240 hours to develop and implement
administrative and physical safeguards.
This estimate increased from the NPRM
based on comments that stated that
estimate was too low, and those that
noted that audit and legal review will be
included in the burden for developing
and implementing these safeguards.
Using an hourly wage estimate of $106
per hour for financial institutions,
FinCEN estimates this one-time cost
will be between approximately $12,720
and $25,440 per financial institution. To
estimate aggregate costs, FinCEN
multiplies this range by 15,716 total
financial institutions resulting in a total
cost between approximately $199.9 and
$399.8. million (($12,720 per financial
institution × 15,716 financial
institutions = $199,907,520) and
($25,440 per financial institution ×
15,716 financial institutions =
$399,815,040)).
Develop and Implement Technical
Safeguards. For requirement #2, the cost
of the ongoing IT requirement will vary
depending on the existing infrastructure
of the financial institution. FinCEN
believes that most financial institutions
already have secure systems and
networks in place as well as sufficient
storage capacity, given existing
requirements with regard to protection
of customers’ nonpublic personal
information.253 Therefore, FinCEN
assumes de minimis IT costs.
253 As noted in the rule, financial institutions may
have established information procedures to satisfy
the requirements of section 501 of the GrammLeach-Bliley Act, and applicable regulations issued
thereunder, with regard to the protection of
customers’ nonpublic personal information. If a
financial institution is not subject to section 501 of
the Gramm-Leach-Bliley Act, such institutions may
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
Timing of Cost
One-time
Type of Cost
Administrative
Ongoing
IT
Ongoing
Ongoing per request
Administrative
Administrative
Ongoing per recipient Administrative
Ongoing
Administrative/IT
Ongoing per demand Administrative
Obtain and Document Customer
Consent. For requirement #3, FinCEN
estimates that establishing processes to
obtain and document customer consent
will require between 50 and 70 hours of
burden per financial institution. This
estimate includes burden of drafting
new language regarding customer
consent for inclusion in financial
institution documents, legal review of
the language, and testing to integrate
changes into IT systems. This estimate
incorporates feedback from commenters
that the NPRM estimate was too low and
that it does incorporate the full range of
activity necessary to complete this
requirement. In addition, based on
commenter feedback, FinCEN estimates
an ongoing annual burden between 10
and 20 hours per financial institution to
maintain records of customer consent.
Using an hourly wage estimate of $106
per hour for financial institutions,
FinCEN estimates the one-time cost is
between approximately $5,300 to $7,420
per financial institution in year 1 and
between $1,060 to $2,120 in ongoing
costs each year thereafter. To estimate
aggregate costs, FinCEN multiplies this
estimate by 15,716 total financial
institutions, resulting in a total cost
between approximately $83.3 and
$116.6 million in year 1 (($5,300 per
financial institution × 15,716 financial
institutions = $83,294,800) and ($7,420
per financial institution × 15,716
financial institutions = $116,612,720))
and $16.7 and $33.3 million in ongoing
years (($1,060 per financial institution ×
15,716 financial institutions =
$16,658,960) and ($2,120 per financial
institution × 15,716 financial
institutions = $33,317,920)).
be required, recommended, or authorized under
applicable Federal or State law to have similar
information procedures with regard to protection of
customer information.
PO 00000
Frm 00066
Fmt 4701
Sfmt 4700
Submit Certification for Each Request
that it Meets Certain Requirements. For
requirement #4, the certifications are
submitted in the form and manner
prescribed by FinCEN via an electronic
form. FinCEN estimates that submitting
a request to FinCEN for BOI will take
one employee approximately 15
minutes, or 0.25 hours, per request.254
For purposes of this analysis, FinCEN
assumes a range of approximately 5
million to 6 million total requests from
financial institutions per year. The
minimum amount assumes that the
number of BOI requests from financial
institutions each year equals the number
of new entities that qualify as ‘‘reporting
company’’ required to submit BOI. As
estimated in the Reporting Rule’s RIA,
this is approximately 5 million entities
annually.255 The maximum amount
assumes that financial institutions
request BOI for each new legal entity
customer at the time of account
opening, in alignment with the 2016
CDD Rule,256 resulting in approximately
6 million entities.257 Therefore, the
254 FinCEN anticipates that financial institutions
will also be able to request BOI through an
Application Programming Interface (API) which
will make this process less burdensome.
255 In the Reporting Rule’s RIA, the analysis
assumes 13.1 percent growth in new entities from
2020 through 2024, and then a stable same number
of approximately 5 million new entities each year
thereafter through 2033.
256 The CTA requires that the 2016 CDD Rule be
revised given FinCEN’s BOI reporting and access
requirements. Therefore, this estimate and
assumption may change after that revision.
257 The 2016 CDD Rule estimated that each
financial institution with customer due diligence
requirements will open, on average, 1.5 new legal
entity accounts per business day. The rule also
assumed there are 250 business days per year.
Therefore, FinCEN estimates that financial
institutions would need to conduct customer due
diligence requirements for a minimum of
approximately 6 million legal entities per year
(15,716 financial institutions × 1.5 accounts per day
× 250 business days per year = 5,893,500 new legal
entity accounts opened per year).
E:\FR\FM\22DER3.SGM
22DER3
ER22DE23.005
#
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
estimated aggregate annual cost of this
requirement is between approximately
$132.5 and $156.2 million ((5 million
total requests × 0.25 hours per request
× $106 per hour = $132,500,000) and
(5,893,500 total requests × 0.25 hours
per request × $106 per hour =
$156,177,750)). The per institution
annual cost of requirement #4 is
between approximately $8,431 and
$9,938 (($132,500,000/15,716 financial
institutions) and ($156,177,750/15,716
financial institutions)).
Undergo Training. Requirement #5
pertains to training for individuals that
access BOI. FinCEN assumes authorized
recipients of BOI at financial
institutions will undergo training in
order to comply with the safeguards in
the rule. To estimate the cost of this
training, FinCEN assumes a range of
authorized recipients per financial
institution. FinCEN believes a range is
appropriate given the variation in
institution size, complexity, and
business models across the 15,716
financial institutions. Based on
information provided by comments,
FinCEN assumes 4 to 5 employees per
small financial institution and 25 to 30
employees per large financial institution
will undergo annual BOI training. This
estimate differs from the NPRM because
FinCEN integrated feedback from
commenters that stated the NPRM
estimate was too low. Using an hourly
wage rate of $106 per hour, and
assuming each authorized recipient has
one hour of training each year, FinCEN
estimates a per institution annual
training cost between approximately
$424 and $3,180 ((4 employees × 1 hour
× $106 per hour = $424) and (30
employees × 1 hour × $106 per hour =
$3,180)). To estimate aggregate costs,
FinCEN uses SBA size standards and
identifies approximately 13,699 small
financial institutions and 2,017 large
financial institutions (15,716 total
financial institutions ¥13,699 small
financial institutions). This results in an
estimated minimum average annual perinstitution cost of $710 ((13,699 small
institutions × 4 employees × $106 per
hour + 2,017 large institutions × 25
employees × $106 per hour)/15,716 total
financial institutions) and a maximum
average annual cost of $870 ((13,699
small institutions × 5 employees × $106
per hour + 2,017 large institutions × 30
employees × $106 per hour)/15,716 total
financial institutions). The estimated
aggregate training cost is between
approximately $11.2 and $13.7 million
per year ((13,699 small institutions × 4
employees × 1 training hour per person
× $106 per hour + 2,017 large
institutions × 25 employees × 1 hour ×
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
$106 per hour = $11,153,426) and
(13,699 small institutions × 5 employees
× 1 hour × $106 per hour + 2,017 large
institutions × 30 employees × 1 hour ×
$106 per hour = $13,674,530)).
Geographic Restrictions. Requirement
#6 pertains to the final rule’s inclusion
of certain geographic restrictions for
financial institutions on the use and
storage of BOI. The proposed rule
restricted this use and storage to within
the United States; the final rule does not
include this limitation, but instead
states that BOI cannot be made available
or stored in specific jurisdictions.
Commenters expressed concern the
geographic restrictions in the proposed
rule would conflict with existing IT
systems and information handling
procedures but did not provide
quantitative feedback regarding
additional burden specific to the
geographic restriction.258 The final rule
allows greater flexibility regarding
geographic access in only requiring
financial institutions to restrict access
for select jurisdictions, lowering the
burden of this requirement. Because
financial institutions already face
restrictions to operating in those
jurisdictions, FinCEN expects this
limitation to impose de minimis costs.
Notification of Information Demand.
Requirement #7 obligates financial
institutions to notify FinCEN within
three business days if they receive a
subpoena or legal demand from a
foreign government for BOI obtained
from FinCEN. FinCEN expects financial
institutions to receive zero information
demand requests and thus assumes de
minimis costs. Foreign governments
should request BOI through the
available government channels rather
than by demanding information from
financial institutions; this requirement
intends to ensure that foreign
governments leverage the proper BOI
request channels.
Together, the estimated average cost
per financial institution for completing
the 7 requirements in Table 6 in year 1
is between approximately $27,161 and
$43,668, and between approximately
$10,201 and $12,928 each year
thereafter. The estimated aggregate costs
from requirements #1–7 for financial
institutions are between approximately
258 One commenter estimated it would cost
between $1 million and $3 million to develop new
systems or adapt existing systems to comply with
the various aspects of the proposed rule, including
preventing BOI obtained from FinCEN from
‘‘flowing’’ into other financial institution
monitoring systems and to affiliates outside of the
United States. This commenter, however, did not
indicate how much of this estimated $1–3 million
in costs was attributable to the geographic
restriction as opposed to other aspects of the
proposed rule.
PO 00000
Frm 00067
Fmt 4701
Sfmt 4700
88797
$426.9 and $686.3 million in the first
year, and then between approximately
$160.3 and $203.2 million each year
thereafter.
4. FinCEN
In addition to the costs of accessing
BOI data as a domestic agency, FinCEN
will incur costs from managing the
access of other authorized recipients. To
administer BOI access, FinCEN will
develop training materials and
agreements with domestic agencies;
conduct ongoing outreach with
authorized recipients on the access
requirements and respond to inquiries
and notifications from authorized
recipients; conduct audits of authorized
responsibilities; develop procedures to
review authorized recipients’ standards
and procedures, and requests as needed;
and potentially reject requests or
suspend access if requirements are not
met. FinCEN currently administers
access to the FinCEN Query system,
which involves similar considerations;
therefore, FinCEN will build on its
experience to administer BOI access.
FinCEN will also incur an initial cost in
setting up internal processes and
procedures for administering BOI
access.259 FinCEN retains its $10
million annual personnel cost estimate
from the NPRM. In addition, FinCEN
has determined the volume of activity
associated with managing access to BOI
requires contract staff to support this
new program, which FinCEN estimates
will cost approximately $3 million
annually. Therefore, FinCEN’s estimated
annual costs are $13 million.
g. Detailed Discussion of Benefits
The rule is expected to yield benefits
for authorized recipients. Currently,
authorized recipients may obtain BOI
through a variety of means; however,
the rule will put in place a centralized
system that, by virtue of providing more
direct access to the information, is
expected to reduce related search costs.
FinCEN has quantitatively estimated
some such benefits in this analysis. The
rule will also have non-quantifiable
benefits to authorized recipients of BOI
and to society more widely. This rule
will facilitate U.S. national security,
intelligence, and law enforcement
activity by providing access to BOI
which, as noted in the Reporting Rule’s
RIA, will make these activities more
effective and efficient. These activities
will be more effective and efficient
because the improved ownership
259 FinCEN also is developing the BO IT system
that will allow for the varying types of access. The
costs associated with developing and maintaining
this IT system are addressed in the Reporting Rule’s
RIA.
E:\FR\FM\22DER3.SGM
22DER3
88798
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
transparency will enhance Federal
agencies’ ability to investigate,
prosecute, and disrupt the financing of
terrorism, other transnational security
threats, and other types of domestic and
transnational financial crimes.
Additionally, Treasury anticipates that
it will gain efficiencies in its efforts to
identify the ownership of legal entities,
resulting in improved analysis,
investigations, and policy decisions on
a variety of subjects. The Internal
Revenue Service will be able to obtain
access to BOI for tax administration
purposes, which may provide benefits
for tax compliance. Federal regulators
may also obtain benefits by accessing
BOI in civil law enforcement matters.
Similarly, the rule is expected to
facilitate and make more efficient
investigations by State, local, and Tribal
law enforcement agencies. Access to
BOI through FinCEN is expected to
obviate the need for such agencies to
spend additional time and resources
identifying BOI using other, potentially
costlier, methods. Foreign requesters
may also reap similar benefits.
While FinCEN further expects that
financial institutions could also benefit
from gaining access to key information
(including potentially additional
beneficial owners, for their customer
due diligence processes), given the
pending revisions to the CDD Rule,
FinCEN is not quantifying expected
benefits for financial institutions at this
time. FinCEN anticipates that the
benefits to financial institutions in
meeting their customer due diligence
obligations will be discussed in that
rulemaking. Additionally, that
rulemaking will consider costs and
benefits to regulatory agencies that
supervise financial institutions’
compliance with customer due
diligence requirements.
This rule’s estimates of benefits to
domestic agencies are in alignment with
feedback FinCEN has received from a
number of agencies as part of the
outreach efforts FinCEN conducted in
formulating the rule. This feedback on
qualitative and quantitative benefits of
accessing BOI is summarized in the
NPRM. Based on this feedback, FinCEN
anticipates a potential quantifiable
benefit range attributable to efficiency
gains of between 300 and 20,000 hours
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
annually, per domestic agency.260 This
is equivalent to a per Federal agency
dollar savings between $33,000 and $2.2
million ((300 hours × $110 per hour =
$33,000) and (20,000 hours × $110 per
hour = $2,200,000)) and a per State,
local, and Tribal agency dollar savings
between $24,000 and $1.6 million ((300
hours × $80 per hour = $24,000 and
20,000 hours × $80 per hour =
$1,600,000)), depending on the number
and complexity of the investigations.
The minimum dollar value of the
benefits of the rule implied by these
assumptions in year 1 is $10.6 million
((207 Federal agencies × 300 hours per
agency × $110 per hour) + (158 State,
local, and Tribal law enforcement
agencies × 300 hours per agency × $80
per hour) = $10,623,000). The maximum
estimated aggregate annual quantified
benefit is $708.2 million ((207 Federal
agencies × 20,000 hours per agency ×
$110 per hour) + (158 State, local, and
Tribal law enforcement agencies ×
20,000 hours per agency × $80 per hour)
= 708,200,000). These estimates only
pertain to quantifiable benefits in the
form of enhanced BOI search efficiency;
agencies can also gain other benefits
from accessing BOI, such as
investigative law enforcement value,
that are not quantified in this analysis.
Therefore, FinCEN believes the benefits
can be greater than the cost savings
attributable to enhanced search
efficiency estimated here.
FinCEN assumes that no Federal
agency or State, local or Tribal law
enforcement agency will access BOI
unless the benefits of doing so are at
least equal to the costs, given that BOI
access is optional for these agencies. In
cases where quantifiable costs exceed
quantified benefits, but a Federal agency
or State, local or Tribal law enforcement
agency elects to access BOI, certain nonquantifiable benefits must exist that
outweigh the quantified net cost.
FinCEN takes these kinds of nonquantifiable benefits into consideration,
260 Regarding Federal regulators, FinCEN assumes
that the benefit would relate to civil law
enforcement activities rather than examination
activities. The estimated direct benefits from
reduced investigation time and resources does not
account for any potential benefits in the form of
efficiency gains to financial institutions that access
BOI. Any potential benefits to financial institutions
for accessing BOI will be accounted for in the
forthcoming CDD Rule revision.
PO 00000
Frm 00068
Fmt 4701
Sfmt 4700
as well as the quantifiable benefits
estimated in the analysis. In addition to
the direct benefits that will accrue to
agencies, such as saving time, accessing
BOI will lead to other secondary
benefits, as discussed in the Reporting
Rule’s RIA.261 BOI will also further the
missions of the agencies to combat
crime, as well as contribute to national
security, intelligence, and law
enforcement, and other activities.
Therefore, the expected benefits to
agencies of accessing BOI are more than
just the efficiency gains with respect to
search costs; FinCEN expects more
streamlined access to BOI will lead to
more effective and efficient
investigations. Enabling effective and
efficient investigations has the
additional secondary benefit of making
it more difficult to launder money
through shell companies and other
entities, in turn strengthening national
security and enhancing financial system
transparency and integrity. Barriers to
money laundering encourage a more
secure economy and can generate more
economic activity when businesses have
more trust in the legitimacy of new
business partners. Finally, the sharing of
BOI with foreign partners, subject to
appropriate protocols consistent with
the CTA, may further transnational
investigations, tax enforcement, and the
identification of national and
international security threats. These
secondary benefits are not accounted for
in this analysis since they are accounted
for in the Reporting Rule RIA. However,
these benefits cannot come to fruition
without authorized recipients gaining
access to BOI, as implemented by this
rule. Therefore, the benefits between the
Reporting Rule and this rule are
inextricably linked.
h. Overall Impact
Overall, FinCEN estimates the
potential quantifiable impact of the rule
will be between $78.2 million in
quantifiable net benefits and $949.2
million in net costs in the first year of
the rule, and then from $377.3 million
in quantifiable net benefits to $403.0
million in net costs on an ongoing
annual basis. Table 7 summarizes the
estimated aggregate yearly impact of the
rule.
261 See
E:\FR\FM\22DER3.SGM
87 FR 59579–59580 (Sept. 30, 2022).
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
88799
Table 7-Aggregate Yearly Impact of the Rule (Dollars in millions)
oreign requester costs
inancial institution costs
Total net cost
$0.02 to $0.07
$0.02 to $0.07
$426.9 to $686.3
$160.4 to $203.2
$13
$13
$630.0 to $959.8
$330.9 to $413.6
-[10.6 to $708.2]
-[$10.6 to $708.2]
- $78.2 to $949.2
- $377.3 to $403.0
This estimate includes aggregate annual costs to Federal agencies engaged in law enforcement, national
security, and intelligence activities, offices of the U.S. Department of the Treasury including FinCEN, State,
local, and Tribal law enforcement agencies, and both Federal and State regulators. Costs to SROs are also
included in this aggregation.
This estimate includes the additional aggregate annual costs between approximately $44,000 and $198,000 to
ederal agencies from submitting and coordinating BOI requests on behalf of foreign partners.
This includes only costs to FinCEN associated with managing BOI access. Costs to FinCEN as an authorized
ecipient of BOI are included in the domestic agencies estimates.
The estimated, quantifiable, aggregate
annual benefits of the rule, which only
reflect potential quantifiable benefits to
agencies, will be between approximately
$10.6 and $708.2 million. Likewise,
FinCEN expects that the aggregate
annual quantifiable costs of the rule will
be somewhere between approximately
$630.0 and $959.8 million in year 1, and
between approximately $330.9 and
$413.6 million each year thereafter.
FinCEN believes that, in practice,
entities will choose to access BOI only
if the benefits to the entity’s operational
needs, which includes both quantifiable
and non-quantifiable benefits, outweigh
the costs associated with the
requirements for accessing BOI. This
analysis assumes financial institutions
can choose whether or not to access
BOI. The question of whether financial
institutions are required to access BOI
as part of their CDD Rule obligations
will be addressed in FinCEN’s
forthcoming revisions to the 2016 CDD
Rule. For other users, there are and will
be no requirements to access BOI.
Using the maximum net cost impact
estimates from Table 7 as an upper
bound of the impact of this rule,
FinCEN determines the present value
over a 10-year horizon of approximately
$4 billion at the three percent discount
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
rate and approximately $3.3 billion at
the seven percent discount rate.
B. Final Regulatory Flexibility Act
Analysis
When an agency issues a rule
proposal, the Regulatory Flexibility Act
(RFA) requires the agency to either
provide an IRFA or, in lieu of preparing
an analysis, to certify that the proposed
rule is not expected to have a significant
economic impact on a substantial
number of small entities.262 When
FinCEN issued its NPRM, FinCEN
believed that the proposed rule would
have a significant economic impact on
a substantial number of small entities,
and provided an IRFA.263 FinCEN
received numerous comments related to
the RIA. Some of the comments related
to the RIA were from small entities and
associations representing small entities.
FinCEN has discussed those comments
relating to specific provisions in the
proposed rule in section III above, and
those relating to the RIA in section V.A.
above.
The RFA requires each Final
Regulatory Flexibility Analysis (FRFA)
to contain:
• A succinct statement of the need
for, and objectives of, the rule;
262 5
U.S.C. 601–612.
FR 77445–77447.
263 87
PO 00000
Frm 00069
Fmt 4701
• A summary of the significant issues
raised by the public comments in
response to the IRFA, a summary of the
assessment of the agency of such issues,
and a statement of any changes made in
the proposed rule as a result of such
comments;
• A description of and an estimate of
the number of small entities to which
the proposed rule would apply;
• A description of the projected
reporting, recordkeeping, and other
compliance requirements of the
proposed rule, including an estimate of
the classes of small entities which will
be subject to the requirement and the
type of professional skills necessary for
the preparation of the report or record;
and
• A description of the steps the
agency has taken to minimize the
significant economic impact on small
entities consistent with the stated
objectives of applicable statutes,
including a statement of the factual,
policy, and legal reasons for selecting
the alternative adopted in the final rule
and why each one of the other
significant alternatives to the rule
considered by the agency which affect
the impact on small entities was
rejected.264
264 5
Sfmt 4700
E:\FR\FM\22DER3.SGM
U.S.C. 604(a).
22DER3
ER22DE23.006
ddrumheller on DSK120RN23PROD with RULES3
1
88800
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
i. Statement of the Reasons for, and
Objectives of, the Rule
The rule is necessary to implement
section 6403 of the CTA. The purpose
of the rule is to implement the
disclosure requirements of section 6403
and to establish appropriate protocols to
protect the security and confidentiality
of the BOI.
ddrumheller on DSK120RN23PROD with RULES3
ii. A Summary of the Significant Issues
Raised by the Public Comments in
Response to the IRFA, a Summary of the
Assessment of the Agency of Such
Issues, and a Statement of Any Changes
Made in the Proposed Rule as a Result
of Such Comments
FinCEN has carefully considered the
comments received in response to the
NPRM. Section III provides a general
overview of the comments and
discusses the significant issues raised by
comments. In addition, section V.A
includes a discussion of the comments
received with respect to the preliminary
RIA and IRFA, including those with
respect to the estimated cost that the
rule will impose on financial
institutions, which will include small
entities. FinCEN has considered the
comments received from small entities
and from associations representing
them, regardless of whether the
comments referred to the IRFA.
Commenters expressed concern about
the costs that the rule’s requirements for
BOI access would impose on financial
institutions, which include small
entities. FinCEN considered the burden
and costs of the specific requirements
throughout the final rule and has
adjusted the analysis appropriately.
Many comments were critical of
FinCEN’s interpretation of ‘‘customer
due diligence requirements under
applicable law’’ in the proposed rule
and the limited use of BOI by financial
institutions that this definition would
require. Some comments argued that if
financial institutions could only use
BOI reported to FinCEN to comply with
the 31 CFR 1010.230 instead of the
broader purposes, this would add
burdens to financial institutions.
Commenters noted that financial
institutions already use BOI obtained
from their customers for broad
purposes. Commenters explained that if
an financial institution is limited to
using BOI obtained from FinCEN merely
for purposes of compliance with 31 CFR
1010.230, then the financial institution
would need to create a ‘‘firewall’’
between the BOI obtained from FinCEN
and the BOI that an financial institution
obtains directly from its legal entity
customers, so that the financial
institution could still use the BOI it
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
obtained directly from customers in the
range of ways to which it has become
accustomed. This firewalling would be
a significant additional burden,
according to these commenters. Several
commenters claimed that if banks can
only use BOI from FinCEN for
compliance with 31 CFR 1010.230, this
would create duplicative requirements
for financial institutions.
The final rule revises the proposed
rule’s definition of ‘‘customer due
diligence requirements under applicable
law,’’ which was limited to the
requirements under 31 CFR 1010.230, to
allow the use of BOI more broadly to
counter money laundering and the
financing of terrorism, as well as to
comply with certain other measures that
safeguard national security. This change
reflects FinCEN’s conclusion that the
phrase should encompass a financial
institution’s AML/CFT obligations
under the BSA, including suspicious
activity monitoring and SAR filing, as
well as related activities such as
sanctions screening, anti-fraud, and
anti-bribery controls and other activities
pursuant to the financial institution’s
legal requirements for AML/CFT.
FinCEN found persuasive comments
that argued that if BOI from FinCEN
could only be used for compliance with
31 CFR 1010.230 instead of the broader
purposes for which financial
institutions are already using BOI for,
this would add burdens to financial
institutions that would not be justified
by the potential gains in protecting the
security and confidentiality of BOI.
Commenters expressed concern that
the proposed rule’s geographic
restrictions limiting access to BOI to
within the United States would conflict
with existing IT systems and
information handling processes but did
not provide quantitative feedback
regarding additional burden.265 The
final rule allows greater flexibility
regarding geographic access in only
requiring financial institutions to
restrict access for select jurisdictions in
which financial institutions already face
restrictions, lowering the likelihood a
financial institution will be burdened by
this requirement.
Comments also suggested options to
decrease burden for financial
265 One commenter estimated it would cost
between $1 million and $3 million to develop new
systems or adapt existing systems to comply with
the various aspects of the proposed rule, including
preventing BOI obtained from FinCEN from
‘‘flowing’’ into other financial institution
monitoring systems and to affiliates outside of the
United States. This commenter, however, did not
indicate how much of this estimated $1–3 million
in costs was attributable to the geographic
restriction as opposed to other aspects of the
proposed rule.
PO 00000
Frm 00070
Fmt 4701
Sfmt 4700
institutions through technological
means. A commenter requested that
financial institutions submit required
certifications and access BOI on a bulk,
automated basis. This commenter noted
that if access to the BO IT system
requires manual submissions on a
customer-by-customer basis, this would
be unnecessarily cumbersome and
would adversely impact the ability of
financial institutions to use the
information effectively and efficiently
for illicit finance risk management.
FinCEN agrees with these comments
and notes that financial institutions will
have the ability to submit search
requests through an automated process,
lessening costs associated with manual
searches by financial institutions.
FinCEN expects that financial
institutions will use Application
Programming Interfaces (APIs) to access
BOI, and that the BO IT system will
accommodate the use of APIs for this
purpose (including the submission of
required certifications).
In addition, more specific information
regarding the estimated costs for small
entities resulting from the final rule is
set forth in section V.B.v below, and
other steps FinCEN has taken to
minimize the economic impact of the
rule on small entities are set forth in
section V.B.vi below.
iii. The Response of the Agency to a
Comment Filed by the Chief Counsel for
Advocacy of the Small Business
Administration in Response to the
Proposed Rule, and a Detailed
Statement of Any Change Made to the
Proposed Rule in the Final Rule as a
Result of the Comment
The Chief Counsel for Advocacy of
the Small Business Administration
(‘‘Advocacy’’) filed a comment to the
NPRM on February 14, 2023, that
acknowledges that the proposed rule
will be economically burdensome for
small businesses. Advocacy notes that
FinCEN prepared an IRFA for the
NPRM.
Advocacy urged FinCEN to clarify
certain provisions of the proposed rule
because small entities claimed the
proposed rule was unclear. For
example, the IRFA stated that the
proposed rule’s requirements to access
BOI would not be mandatory (because
accessing BOI reported to FinCEN is not
itself currently mandatory), but small
entity groups have stated that the rule
itself is unclear as to whether the
requirements of the rulemaking are
mandatory. Lack of clarity could lead to
small entities incurring unnecessary
costs in trying to comply with the
rulemaking. There are also concerns
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
about the scope of the proposed
rulemaking.
FinCEN clarified with Advocacy that
the phrase ‘‘scope of the proposed
rulemaking’’ refers to the scope of
authorized users that will be permitted
access to BOI and the permitted uses of
that information. Section III.C.iv.a.1
above clarifies that the types of financial
institutions that FinCEN will under its
discretionary authority permit to access
BOI will initially be those that are
‘‘covered financial institutions’’ under
the 2016 CDD Rule. Section III.C.iv.a.2
clarifies the scope of permitted uses for
BOI by those financial institutions.
Advocacy also encourages FinCEN to
provide a clear compliance guide for
this rulemaking, and references a
similar request in Advocacy’s February
4, 2022 comment letter to the Reporting
Rule. Section 212 of the Small Business
Regulatory Enforcement Fairness Act
(SBREFA) requires agencies to provide a
compliance guide for each rule (or
related series of rules) that requires a
final regulatory flexibility analysis.266
Agencies are required to publish the
guides with publication of the final rule,
post them to websites, distribute them
to industry contacts, and report
annually to Congress.267 FinCEN
anticipates issuing a Small Entity
Compliance Guide, pursuant to section
212 of SBREFA, in order to assist small
entities in complying with the BOI
access requirements.
ddrumheller on DSK120RN23PROD with RULES3
iv. Description and Estimate of the
Number of Small Entities to Which the
Rule Will Apply
To assess the number of small entities
affected by the rule, FinCEN separately
considered whether any small
businesses, small organizations, or small
governmental jurisdictions, as defined
by the RFA, will be impacted. FinCEN
concludes that a substantial number of
small businesses will be significantly
impacted by the rule, which is
consistent with the IRFA.
In defining ‘‘small business,’’ the RFA
points to the definition of ‘‘small
business concern’’ from the Small
Business Act.268 This small business
definition is based on size standards
(either average annual receipts or
number of employees) matched to
industries.269 Assuming maximum non266 Small Business Regulatory Enforcement
Fairness Act of 1996, Public Law 104–121, 212, 110
Stat. 857, 858 (1996).
267 The Small Business and Work Opportunity
Tax Act of 2007 added these additional
requirements for agency compliance to SBREFA.
See Small Business and Work Opportunity Tax Act
of 2007, Public Law 110–28, 121 Stat. 190 (2007).
268 5 U.S.C. 601(3).
269 See U.S. Small Business Administration, Table
of Small Business Size Standards Matched to North
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
mandated participation by small
financial institutions, the rule will affect
approximately all 13,699 small financial
institutions. All of these small financial
institutions will have a significant
economic impact in the first year of
implementation, which FinCEN believes
meets the threshold for a substantial
number. Therefore, FinCEN concludes
the rule will have a significant
economic impact on a substantial
number of small entities.
FinCEN assumes the economic impact
on an individual small entity is
significant if the total estimated impact
in a given year is greater than 1 percent
of the small entity’s total receipts for
that year. FinCEN estimates the cost for
small financial institutions to comply
with the sections of the rule addressing
BOI access will be between
approximately $26,875 and $43,328 in
year 1, and approximately $9,915 and
$12,588 annually in subsequent
years.270 FinCEN then compares these
per financial institution cost estimates
to the average total receipts for the
smallest size category for each type of
financial institution from the 2017
Census survey data, adjusted for
inflation.271 The analysis indicates that,
even when considering the minimum
year 1 impact of $26,875, the smallest
entities of all types of financial
institutions will incur an economic
impact that exceeds 1 percent of
receipts for that industry. Therefore,
FinCEN expects that the rule will have
American Industry Classification System Codes
(Mar. 17, 2023), available at https://www.sba.gov/
sites/sbagov/files/2023-03/
Table%20of%20Size%20Standards_
Effective%20March%2017%2C%202023
%20%281%29%20%281%29_0.pdf.
270 The minimum and maximum costs for small
entities can be determined by using $424 (4
employee × $106 per hour) as the minimum cost for
training and using $530 (5 employees × $106 per
hour) as the maximum cost for training.
271 FinCEN inflation adjusted the 2017 Census
survey data using Implicit Price Deflators for Gross
Domestic Product quarterly data from the U.S.
Bureau of Economic Analysis, available at https://
apps.bea.gov/iTable/?reqid=19&step=2&
isuri=1&categories=
survey#eyJhcHBpZCI6MTksInN0ZXBz
IjpbMSwyLDMsM10sImRhdGEiOltbIkNhd
GVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUE
FfVGFibGVfTGlzdCIsIjEzIl0s
WyJGaXJzdF9ZZWFyIiwi
MTk5NSJdLFsiTGFzdF9ZZW
FyIiwiMjAyMiJdLFsiU2Nhb
GUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ==. FinCEN
estimated an inflation factor of approximately 1.18
(the gross domestic product deflator in 2017 is
107.749, while in 2022 it was 127.224; hence, the
inflation factor is 127.224/107.749= 1.18). FinCEN
then applied this inflation adjustment factor of 1.18
to the 1 percent of average annual receipts in the
2017 Census survey data for each financial industry
affected by this proposed rule to estimate the latest
inflation-adjusted dollar value threshold of 1
percent of annual receipts.
PO 00000
Frm 00071
Fmt 4701
Sfmt 4700
88801
a significant economic impact on a
substantial number of small entities.
In defining ‘‘small organization,’’ the
RFA generally defines it as any not-forprofit enterprise that is independently
owned and operated and is not
dominant in its field.272 FinCEN
assesses that the rule will not affect
‘‘small organizations’’ as defined by the
RFA.
The RFA generally defines ‘‘small
governmental jurisdiction[s]’’ as
governments of cities, counties, towns,
townships, villages, school districts, or
special districts, with a population of
less than 50,000.273 While State, local,
and Tribal government agencies may be
affected by the rule, FinCEN does not
believe that government agencies of
jurisdictions with a population of less
than 50,000 will be included in such
agencies.274 Therefore, no ‘‘small
governmental jurisdictions’’ are
expected to be affected.
v. Description of the Projected
Reporting, Recordkeeping, and Other
Compliance Requirements of the Rule,
Including an Estimate of the Classes of
Small Entities Which Will Be Subject to
the Requirements and the Type of
Professional Skills Necessary for the
Preparation of the Report or Record
Under the rule, accessing BOI is not
currently mandatory; therefore, the rule
will not impose requirements in the
strictest sense.275 However, the rule will
require those that elect to access BOI to
establish standards and procedures or
safeguards, and to comply with other
requirements. In particular, financial
institutions will be required to develop
and implement administrative,
technical, and physical safeguards
reasonably designed to protect the
security, confidentiality, and integrity of
BOI. Financial institutions will also be
required to obtain and document
customer consent to access their BOI, as
well as maintain a record of such
consent for five years after it was last
relied upon, which may require updates
to existing policies and procedures.
Financial institutions will also be
required to comply with certain
geographic restrictions and notify
FinCEN if they receive an information
demand from a foreign government. The
rule will also require those that access
BOI provide a certification for each BOI
272 5
U.S.C. 601(4).
U.S.C. 601(5).
274 FinCEN made this assumption in the NPRM
and requested public comment; it did not receive
any comments that addressed this specific point.
275 FinCEN anticipates considering whether to
require financial institutions to access BOI reported
to FinCEN in the future, potentially as part of its
revisions to the 2016 CDD Rule.
273 5
E:\FR\FM\22DER3.SGM
22DER3
88802
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
request, in the form and manner
prescribed by FinCEN. FinCEN intends
to provide additional detail regarding
the form and manner of BOI requests for
all categories of authorized recipients
through specific instructions and
guidance as it continues developing the
BO IT system. To the extent required by
the PRA, FinCEN will publish for notice
and comment any proposed information
collection associated with BOI requests.
Small entities affected by the rule,
which FinCEN assesses to be small
financial institutions, will be required to
comply with these requirements if they
access BOI. FinCEN assumes that the
professional expertise needed to comply
with such requirements already exists at
small financial institutions with
customer due diligence obligations.
vi. Description of the Steps the Agency
Has Taken To Minimize the Significant
Economic Impact on Small Entities
Consistent With the Stated Objectives of
Applicable Statutes, Including a
Statement of the Factual, Policy, and
Legal Reasons for Selecting the
Alternative Adopted in the Final Rule
and Why Each One of the Other
Significant Alternatives to the Rule
Considered by the Agency Which Affect
the Impact on the Small Entities Was
Rejected
The steps FinCEN has taken to
minimize the significant economic
impact on small entities and the factual,
policy, and legal reasons for selecting
the final rule are described throughout
section III. This section of the FRFA
includes one of the alternative scenarios
considered in the RIA. The rule is
statutorily mandated, and therefore
FinCEN has limited ability to
implement alternatives. However,
FinCEN considered the following
significant alternative which affected
the impact on small entities. The
sources and analysis underlying the
burden and cost estimates cited in this
alternative are explained in the RIA.
FinCEN considered altering the
customer consent requirement for
financial institutions. Under the final
rule, financial institutions are required
to obtain and document customer
consent once for a given customer.
FinCEN considered an alternative
approach in which FinCEN would
directly obtain the reporting company’s
consent. Under this scenario, financial
institutions would not need to spend
time and resources on drafting or
modifying customer consent forms,
ensuring legal compliance, and testing
the forms which FinCEN expects to
require approximately 50 to 70 hours in
year 1 and 10 to 20 hours in subsequent
years for ongoing forms maintenance.
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
Using an hourly wage estimate of $106
per hour for financial institutions,
FinCEN estimates this would result in
an initial savings per financial
institution of approximately $5,300 to
$7,420 in year 1 and $1,060 to $2,120
in subsequent years. FinCEN estimates
an aggregate savings of $83.3 to $116.6
million in year 1 and $16.7 to $33.3
million in subsequent years. To estimate
aggregate savings under this scenario,
FinCEN multiplies the yearly savings by
the number of financial institutions
(e.g., $5,300 per financial institution ×
15,716 financial institutions =
$83,294,800). The cost savings for small
financial institutions under this
scenario would be approximately $72.6
million ($5,300 per financial institution
× 13,699 small financial institutions =
$72,604,700). Though this alternative
results in a savings to financial
institutions, including small entities,
FinCEN believes that financial
institutions are better positioned to
obtain consent—and to track consent
revocation—given their direct customer
relationships and ability to leverage
existing onboarding and account
maintenance processes, as also
discussed in sections III.E.ii.d and
V.A.i.a above. Therefore, FinCEN
decided not to adopt this alternative.
C. Unfunded Mandates Reform Act
Section 202 of the Unfunded
Mandates Reform Act of 1995, Public
Law 104–4 (Unfunded Mandates Reform
Act) requires that an agency prepare a
budgetary impact statement before
promulgating a rule that includes a
Federal mandate that may result in
expenditure by State, local, and Tribal
governments, in the aggregate, or by the
private sector, of $100 million or more
in any one year, adjusted for inflation.
FinCEN believes that the RIA provides
the analysis required by the Unfunded
Mandates Reform Act.
D. Paperwork Reduction Act
The new reporting and recordkeeping
requirements contained in this rule (31
CFR 1010.955) have been approved by
OMB in accordance with the Paperwork
Reduction Act of 1995 (PRA), 44 U.S.C.
3501 et seq., under control number
1506–0077. The PRA imposes certain
requirements on Federal agencies in
connection with their conducting or
sponsoring any collection of
information as defined by the PRA.
Under the PRA, an agency may not
conduct or sponsor, and a person is not
required to respond to, a collection of
information unless it displays a valid
OMB control number.
As discussed in the RIA, FinCEN
revised estimates for the requirements
PO 00000
Frm 00072
Fmt 4701
Sfmt 4700
based on comments received in the
NPRM and updates to the final rule and
underlying data sources. All revisions to
the estimates are explained in the RIA.
Reporting and Recordkeeping
Requirements: The rule requires State,
local, and Tribal agencies and financial
institutions that access BOI to conduct
the following activities: establish
standards and procedures, and develop
and implement safeguards. FinCEN
assumes authorized recipients of BOI at
financial institutions will undergo
annual training in order to comply with
the safeguards in the rule. Financial
institutions are also required to obtain
and document customer consent,
maintaining a record of such consent for
five years after it was last relied upon,
which may require updates to existing
processes and creation of consent forms.
The rule also requires State, local, and
Tribal agencies and financial
institutions that access BOI to provide a
certification for each BOI request.
FinCEN intends to provide additional
detail regarding the form and manner of
BOI requests for all categories of
authorized users through specific
instructions and guidance as it
continues developing the BO IT system.
To the extent required by the PRA,
FinCEN will publish for notice and
comment any proposed information
collection associated with BOI requests.
The rule also requires financial
institutions to comply with certain
geographic restrictions and notify
FinCEN if they receive an information
demand from a foreign government for
BOI. In addition, the rule requires State,
local, and Tribal agencies to establish
and maintain a secure system to store
BOI, as well as an auditable system of
standardized records for requests,
conduct an annual audit, certify
standards and procedures by the agency
head semi-annually, and provide an
annual report on procedures, resulting
in additional recordkeeping and
reporting requirements. Finally, the rule
requires that SROs follow the same
security and confidentiality
requirements outlined herein for State,
local, and Tribal agencies, if they obtain
BOI through re-disclosure by a Federal
functional regulator or financial
institution.
OMB Control Number: 1506–0077.
Frequency: As required; varies
depending on the requirement.
Description of Affected Public: State,
local and Tribal agencies, SROs, and
financial institutions with customer due
diligence obligations, as defined in the
rule. While others from Federal and
foreign requesters are able to access BOI
after meeting specific requirements,
FinCEN does not include them in the
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
PRA analysis because the regulations
implementing the PRA define ‘‘person’’
as an individual, partnership,
association, corporation (including
operations of government-owned
contractor-operated facilities), business
trust, or legal representative, an
organized group of individuals, a State,
territorial, tribal, or local government or
branch thereof, or a political
subdivision of a State, territory, Tribal,
or local government or a branch of a
political subdivision.276 For foreign
requesters in particular, FinCEN
assumes that such requests will be made
at the national level.
Estimated Number of Respondents:
15,934 entities. This total is composed
of an estimated 215 State, local, and
Tribal agencies, of which 158 are State,
local, and Tribal law enforcement
agencies and 57 are State regulatory
agencies, 3 SROs, and 15,716 financial
institutions.277 While the requirements
in the rule are only imposed on those
that optionally access BOI, for purposes
of PRA burden analysis FinCEN
assumes maximum participation from
State, local, and Tribal agencies, SROs,
and financial institutions.
Estimated Total Annual Reporting
and Recordkeeping Burden: FinCEN
estimates that during year 1 the annual
hourly burden will be 8,743,781 hours.
In year 2 and onward, FinCEN estimates
that the annual hourly burden will be
3,616,964 hours. The annual estimated
burden hours for State, local, and Tribal
entities as well as SROs is 2,268,789
hours in the first year, and 1,699,612
276 See
5 CFR 1320.3(k).
Table 1 for the types of financial
institutions covered by this notice.
ddrumheller on DSK120RN23PROD with RULES3
277 See
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
hours in year 2 and onward. As shown
in Table 8, the hourly burden in year 1
for State, local, and Tribal entities and
SROs includes the hourly burden
associated with the following
requirements in the rule: enter into an
agreement with FinCEN and establish
standards and procedures (Action B);
establish a secure system to store BOI
(Action D); establish and maintain an
auditable system of standardized
records for requests (Action E); submit
written certification for each request
that it meets certain requirements
(Action G); restrict access to appropriate
persons within the entity (Action H);
conduct an annual audit and cooperate
with FinCEN’s annual audit (Action I);
obtain certification of standards and
procedures, initially and then semiannually, by the head of the entity
(Action J); and provide annual reports
on procedures (Action K). The hourly
burden in year 2 and onward for State,
local, and Tribal entities and SROs is
associated with the same requirements
as year 1, with the exception of Action
B because FinCEN expects this action
will result in costs for these entities in
year 1 only.
The annual estimated hourly burden
for financial institutions is 6,474,992
hours in the first year and 1,917,352
hours in year 2 and onward. The hourly
burden for financial institutions in year
1 is associated with the following:
develop and implement administrative
and physical safeguards (Action A);
develop and implement technical
safeguards (Action C); obtain and
document customer consent (Action F);
submit certification for each request that
it meets certain requirements (Action
PO 00000
Frm 00073
Fmt 4701
Sfmt 4700
88803
G); undergo training (Action H); comply
with certain geographic restrictions
(Action L); and notify FinCEN if they
receive an information demand from a
foreign government (Action M). The
hourly burden in year 2 and onward for
financial institutions is associated only
with the requirements for Actions F, G
and H because FinCEN expects the other
actions will result in costs for these
entities in year 1 only.
Annual estimated burden declines in
year 2 and onward because State, local,
and Tribal agencies, SROs, and financial
institutions no longer need to complete
Actions A and B, and have a lower
hourly burden for Actions E and F.
State, local, and Tribal law enforcement
agencies have a lower hourly burden for
Action G. Table 8 lists the type of entity,
the number of entities, the hours per
entity, and the total hourly burden by
action. For Actions A, B, C, D, E, F, I,
J, K, L, and M the hours per entity are
the maximum of the range estimated in
the cost analysis of the RIA. For Action
G and H, the hours per entity
calculations are specified in footnotes to
Table 8. Total annual hourly burden is
calculated by multiplying the number of
entities by the hours per entity for each
action. In each subsequent year after
initial implementation, FinCEN
estimates that the total hourly annual
burden is 3,616,964. This results in a 5year average burden estimate of
approximately 4,642,327 hours.278
BILLING CODE 4810–02–P
278 The 5-year average equals the sum of (Year 1
burden hours of 8,743,781 + Year 2 burden hours
of 3,616,964 + Year 3 burden hours of 3,616,964 +
Year 4 burden hours of 3,616,964 + Year 5 burden
hours of 3,616,964) divided by 5.
E:\FR\FM\22DER3.SGM
22DER3
88804
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
Table 8-Annual Hourly Burden Associated with Rule Requirements
Financial
institutions
15,716
240 in Year
1; 0 in Years
2+
300 in Year
1; 0 in Years
2+
3,771,840 in Year 1;
0 in Years 2+
B. Enter into an agreement
with FinCEN and
establish standards and
procedures
State, local,
and Tribal
agencies and
SROs
218
C. Develop and implement
technical safeguards
Financial
institutions
15,716
0 in Year 1; 0
in Years 2+
0 in Year 1; 0 in
Years 2+
State, local,
and Tribal
agencies and
SROs
State, local,
and Tribal
agencies and
SROs
218
300 in Year
1; 4 in Years
2+
65,400 in Year 1;
872 in Years 2+
218
200 in Year
1; 20 in Years
2+
43,600 in Year 1;
4,360 in Years 2+
F. Obtain and document
customer consent
Financial
institutions
15,716
1,100,120 in Year 1;
314,320 in Years 2+
G. Submit certification for
each request that it
meets certain
requirements 1
Financial
institutions
15,716
70 in Year 1;
20 in Years
2+
94 in Year 1;
94 in Years
2+
D. Establish a secure
system to store BOI
ddrumheller on DSK120RN23PROD with RULES3
E. Establish and maintain
an auditable system of
standardized records for
requests
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
PO 00000
Frm 00074
Fmt 4701
Sfmt 4725
E:\FR\FM\22DER3.SGM
65,400 in Year 1; 0
in Years 2+
1,474,161 in Year 1;
1,474,161 in Years
2+
22DER3
ER22DE23.007
A. Develop and implement
administrative and
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
H. Restrict access to
appropriate persons
within the entity, which
specifies that appropriate
persons will undergo
trainin 3
I. Conduct an annual audit
and cooperate with
FinCEN' s annual audit
J. Obtain certification of
standards and
procedures initially and
then semi-annually, by
the head of the enti
K. Provide initial and then
an annual report on
procedures
158
12,975 in
Year l;
10,443 in
Years 2+
2,050,003 in Year 1;
1,649,994 in Years
2+
State
regulatory
agencies and
SROs
Financial
institutions
60
125 in Year
1; 125 in
Years 2+
7,500 in Year 1;
7,500 in Years 2+
15,716
8 in Year 1; 8
in Years 2+
128,871 in Year 1;
128,871 in Years 2+
State, local,
and Tribal
agencies and
SROs
218
9 in Year 1, 9
in Years 2+
2,006 in Year 1;
2,006 in Years 2+
State, local,
and Tribal
agencies and
SROs
State, local,
and Tribal
agencies and
SROs
218
160 in Year
1; 160 in
Years 2+
34,880 in Year 1;
34,880 in Years 2+
218
Included in I.
Included in I.
218
Included in I.
Included in I.
15,716
0 in Year 1; 0
in Years 2+
0 in Year 1; 0 in
Years 2+
15,716
0 in Year 1; 0
in Years 2+
0 in Year 1; 0 in
Years 2+
State, local,
and Tribal
agencies and
SROs
Financial
institutions
L. Comply with certain
eo ra hie restrictions
M. Notify FinCEN of
information demand
from foreign
overnment
ddrumheller on DSK120RN23PROD with RULES3
State, local,
and Tribal
law
enforcement
Financial
institutions
8,743,781 in Year 1;
3,616,964 in Years
2+
Total Annual Hourly Burden
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
PO 00000
Frm 00075
Fmt 4701
Sfmt 4725
E:\FR\FM\22DER3.SGM
22DER3
ER22DE23.008
G. Submit written
certification for each
request that it meets
certain requirements,
including court
authorization
G. Submit written
certification for each
request that it meets
certain re uirements
H. Undergo training2
88805
88806
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
1 For all types of entity, the hours per entity for Action G is the per entity share of the aggregate burden estimated in
the RIA.
2 For financial institutions, the hours per entity for Action H equals the weighted average of the large and small
financial institutions' maximum burden estimated in the RIA.
3 For State, local, and Tribal agencies and SROs, the hours per entity for Action H equals the per entity share of the
a e ate burden.
Estimated Total Annual Reporting
and Recordkeeping Cost: As describd in
Table 3, FinCEN calculated the fully
loaded hourly wage for each type of
affected entity type. Using these
estimated wages, the total cost of the
annual bureden in year 1 is
$868,200,270. In year 2 and onward,
FinCEN estimates that the total cost of
the annual burden is $339,309,502,
owing to Actions A and B only
imposing burens in year 1, Actions D
and E having lower annual per entity
burdens, and Actions G having lower
burden per request for State, local and
Tribal law enforcement agencies. The
annual estimated cost for State, local,
and Tribal agencies and SROs is
$181,851,118 in the first and
$13,070,190 in year 2 and onward. The
annual estimated cost for financial
institutions is $686,349,152 in the first
year and $203,239,312 in year 2 and
onward. The 5-year average annual cost
estimate is $445,087,656.279
279 The 5-year average equals the sum of (year 1
costs of $868,200,270 + Year 2 costs of
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
Financial
institutions
$106
3,771,840 in
Year 1; 0 in
Years 2+
$399,815,040
in Year 1; $0
in Years 2+
State, local,
and Tribal
agencies
$80
65,400 in Year
1; 0 in Years 2+
$5,232,000 in
Year 1; $0 in
Years 2+
$339,309,502 + Year 3 costs of $339,309,502 + Year
PO 00000
Frm 00076
Fmt 4701
Sfmt 4725
4 costs of $339,309,502 + Year 5 costs of
$339,309,502) divided by 5.
E:\FR\FM\22DER3.SGM
22DER3
ER22DE23.009
ddrumheller on DSK120RN23PROD with RULES3
A. Develop and
implement
administrative and
uards
B. Enter into an agreement
with FinCEN and
establish standards and
procedures
ER22DE23.010
Table 9 - Annual Cost Associated with Rule Requirements
C. Develop and
implement technical
safeguards
Financial
institutions
$106
0inYearl;0in
Years 2+
$0 in Year 1;
$0 in Years 2+
D. Establish a secure
system to store BOI
State, local,
and Tribal
agencies
$80
65,400 in Year
1; 872 in Years
2+
$5,232,000 in
Year 1;
$69,760 in
Years 2+
E. Establish and maintain
an auditable system of
standardized records
for requests
State, local,
and Tribal
agencies
$80
43,600 in Year
1; 4,360 in Years
2+
$3,488,000 in
Year 1;
$348,800 in
Years 2+
F. Obtain and document
customer consent
Financial
institutions
$106
1,100,120 in
Year 1; 314,320
in Years 2+
$116,612,720
in Year 1;
$33,317,920 in
Years 2+
G. Submit certification for
each request that it
meets certain
requirements
Financial
institutions
$106
1,474,161 in
Year 1;
1,474,161 in
Years 2+
$156,261,066
in Year 1;
$156,261,066
in Years 2+
G. Submit written
certification for each
request that it meets
certain requirements,
including court
authorization
G. Submit written
certification for each
request that it meets
certain requirements
State, local,
and Tribal
law
enforcement
$80
2,050,003 in
Year 1;
1,649,994 in
Years 2+
$164,000,240
in Year 1;
$131,999,520
in Years 2+
State
regulatory
agencies
$80
7,500 in Year 1;
7,500 in Years
2+
$600,000 in
Year 1;
$600,000 in
Years 2+
H. Undergo training
Financial
institutions
$106
128,871 in Year
1; 128,871 in
Years 2+
$13,660,326 in
Year 1;
$13,660,326 in
Years 2+
H. Restrict access to
appropriate persons
within the agency,
which specifies that
appropriate persons
will under o trainin
State, local,
and Tribal
agencies
$80
2,006 in Year 1;
2,006 in Years
2+
$160,480 in
Year 1;
$160,480 in
Years 2+
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
PO 00000
Frm 00077
Fmt 4701
Sfmt 4725
E:\FR\FM\22DER3.SGM
22DER3
88807
ER22DE23.011
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
88808
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
I.
Conduct an annual
audit and cooperate
with FinCEN' s annual
audit
J. Obtain certification of
standards and
procedures initially and
then semi-annually, by
the head of the enti
K. Provide initial and then
an annual report on
rocedures
L. Comply with certain
eo ra hie restrictions
M. Notify FinCEN of
information demand
from foreign
overnment
Actions B, D, E, G, H, I-K
State, local,
and Tribal
agencies
$80
34,880 in Year
1; 34,880 in
Years 2+
$2,790,400 in
Year 1;
$2,790,400 in
Years 2+
State, local,
and Tribal
agencies
$80
Included in I.
Included in I.
State, local,
and Tribal
a encies
Financial
institutions
Financial
institutions
$80
Included in I.
Included in I.
$106
0 in Year 1; 0 in
Years 2+
0 in Year 1; 0 in
Years 2+
$0 in Year 1;
$0 in Years 2+
$0 in Year 1;
$0 in Years 2+
SRO
$106
3,283 in Year 1;
955 in Years 2+
$347,998 in
Year 1;
$101,230 in
Years 2+
$106
$
868,200,270 in
Year 1;
$339,309,502
in Years 2+
Total Annual Cost
ddrumheller on DSK120RN23PROD with RULES3
E. Congressional Review Act
Pursuant to Subtitle E of the Small
Business Regulatory Enforcement and
Fairness Act of 1996 (also known as the
Congressional Review Act or CRA)),
OMB’s Office of Information and
Regulatory Affairs has determined that
this action meets the criteria set forth in
5 U.S.C. 804(2).280
List of Subjects in 31 CFR Part 1010
Administrative practice and
procedure, Aliens, Authority
delegations (Government agencies),
Banks and banking, Brokers, Business
and industry, Commodity futures,
Currency, Citizenship and
naturalization, Electronic filing, Federal
savings associations, Federal-States
relations, Federally recognized tribes,
280 5
U.S.C. 804(2) et seq.
VerDate Sep<11>2014
19:26 Dec 21, 2023
Jkt 262001
Foreign persons, Holding companies,
Indian law, Indians, Insurance
companies, Investment advisers,
Investment companies, Investigations,
Law enforcement, Penalties, Reporting
and recordkeeping requirements, Small
businesses, Securities, Terrorism, Tribal
government, Time.
Authority and Issuance
For the reasons set forth in the
preamble, the U.S. Department of the
Treasury and Financial Crimes
Enforcement Network amend 31 CFR
part 1010 as follows:
PART 1010—GENERAL PROVISIONS
1. The authority citation for part 1010
continues to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–
1959; 31 U.S.C. 5311–5314 and 5316–5336;
title III, sec. 314, Pub. L. 107–56, 115 Stat.
PO 00000
Frm 00078
Fmt 4701
Sfmt 4700
307; sec. 2006, Pub. L. 114–41, 129 Stat. 458–
459; sec. 701, Pub. L. 114–74, 129 Stat. 599.
2. In § 1010.950, revise the section
heading and paragraph (a) to read as
follows:
■
§ 1010.950
general.
Availability of information—
(a) The Secretary has the discretion to
disclose information reported under this
chapter, other than information reported
pursuant to § 1010.380, for any reason
consistent with the purposes of the
Bank Secrecy Act, including those set
forth in paragraphs (b) through (d) of
this section. FinCEN may disclose
information reported pursuant to
§ 1010.380 only as set forth in
§ 1010.955, and paragraphs (b) through
(f) of this section shall not apply to the
disclosure of such information.
*
*
*
*
*
■ 3. Add § 1010.955 to read as follows:
E:\FR\FM\22DER3.SGM
22DER3
ER22DE23.012
BILLING CODE 4810–02–C
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
§ 1010.955 Availability of beneficial
ownership information reported under this
part.
(a) Prohibition on disclosure. Except
as authorized in paragraphs (b), (c), and
(d) of this section, information reported
to FinCEN pursuant to § 1010.380 is
confidential and shall not be disclosed
by any individual who receives such
information as—
(1) An officer, employee, contractor,
or agent of the United States;
(2) An officer, employee, contractor,
or agent of any State, local, or Tribal
agency; or
(3) A director, officer, employee,
contractor, or agent of any financial
institution.
(b) Disclosure of information by
FinCEN—(1) Disclosure to Federal
agencies for use in furtherance of
national security, intelligence, or law
enforcement activity. Upon receipt of a
request from a Federal agency engaged
in national security, intelligence, or law
enforcement activity for information
reported pursuant to § 1010.380 to be
used in furtherance of such activity,
FinCEN may disclose such information
to such agency. For purposes of this
paragraph (b)(1)—
(i) National security activity means
activity pertaining to the national
defense or foreign relations of the
United States, as well as activity to
protect against threats to the safety and
security of the United States;
(ii) Intelligence activity means all
activities conducted by elements of the
United States Intelligence Community
that are authorized pursuant to
Executive Order 12333, as amended, or
any succeeding executive order; and
(iii) Law enforcement activity means
investigative and enforcement activities
relating to civil or criminal violations of
law. Such activity does not include the
routine supervision or examination of a
financial institution by a Federal
regulatory agency with authority
described in paragraph (b)(4)(ii)(A) of
this section.
(2) Disclosure to State, local, and
Tribal law enforcement agencies for use
in criminal or civil investigations. Upon
receipt of a request from a State, local,
or Tribal law enforcement agency for
information reported pursuant to
§ 1010.380 to be used in a criminal or
civil investigation, FinCEN may disclose
such information to such agency if a
court of competent jurisdiction has
authorized the agency to seek the
information in a criminal or civil
investigation. For purposes of this
section—
(i) A court of competent jurisdiction
is any court with jurisdiction over the
investigation for which a State, local, or
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
Tribal law enforcement agency requests
information under this paragraph.
(ii) A State, local, or Tribal law
enforcement agency is an agency of a
State, local, or Tribal government that is
authorized by law to engage in the
investigation or enforcement of civil or
criminal violations of law.
(3) Disclosure for use in furtherance of
foreign national security, intelligence, or
law enforcement activity. Upon receipt
of a request for information reported
pursuant to § 1010.380 from a Federal
agency on behalf of a law enforcement
agency, prosecutor, or judge of another
country, or on behalf of a foreign central
authority or foreign competent authority
(or like designation) under an applicable
international treaty, agreement, or
convention, FinCEN may disclose such
information to such Federal agency for
transmission to the foreign law
enforcement agency, prosecutor, judge,
foreign central authority, or foreign
competent authority who initiated the
request, provided that:
(i) The request is for assistance in a
law enforcement investigation or
prosecution, or for a national security or
intelligence activity, that is authorized
under the laws of the foreign country;
and
(ii) The request is:
(A) Made under an international
treaty, agreement, or convention; or
(B) Made, when no such treaty,
agreement, or convention is available, as
an official request by a law enforcement,
judicial, or prosecutorial authority of a
foreign country determined by FinCEN,
with the concurrence of the Secretary of
State and in consultation with the
Attorney General or other agencies as
necessary and appropriate, to be a
trusted foreign country.
(iii) For purposes of this paragraph
(b)(3), a national security activity
authorized under the laws of a foreign
country is an activity pertaining to the
national defense or foreign relations of
a country other than the United States,
as well as activity to protect against
threats to the safety and security of that
country.
(iv) For purposes of this paragraph
(b)(3), an intelligence activity
authorized under the laws of a foreign
country is an activity conducted by a
foreign government agency that is
authorized under a foreign legal
authority comparable to Executive
Order 12333 that is applicable to the
agency.
(4) Disclosure to facilitate compliance
with customer due diligence
requirements—(i) Financial institutions.
Upon receipt of a request from a
financial institution subject to customer
due diligence requirements under
PO 00000
Frm 00079
Fmt 4701
Sfmt 4700
88809
applicable law for information reported
pursuant to § 1010.380 to be used in
facilitating compliance with such
requirements, FinCEN may disclose the
information to the financial institution
for that use, provided that the reporting
company that reported the information
to FinCEN consents to such disclosure.
For purposes of this paragraph,
customer due diligence requirements
under applicable law mean any legal
requirement or prohibition designed to
counter money laundering or the
financing of terrorism, or to safeguard
the national security of the United
States, to comply with which it is
reasonably necessary for a financial
institution to obtain or verify beneficial
ownership information of a legal entity
customer.
(ii) Regulatory agencies. Upon receipt
of a request by a Federal functional
regulator or other appropriate regulatory
agency, FinCEN shall disclose to such
agency any information disclosed to a
financial institution pursuant to
paragraph (b)(4)(i) of this section if the
agency—
(A) Is authorized by law to assess,
supervise, enforce, or otherwise
determine the compliance of such
financial institution with customer due
diligence requirements under applicable
law;
(B) Will use the information solely for
the purpose of conducting the
assessment, supervision, or authorized
investigation or activity described in
paragraph (b)(4)(ii)(A) of this section;
and
(C) Has entered into an agreement
with FinCEN providing for appropriate
protocols governing the safekeeping of
the information.
(5) Disclosure to officers or employees
of the Department of the Treasury.
Consistent with procedures and
safeguards established by the
Secretary—
(i) Information reported pursuant to
§ 1010.380 shall be accessible for
inspection or disclosure to officers and
employees of the Department of the
Treasury whose official duties the
Secretary determines require such
inspection or disclosure.
(ii) Officers and employees of the
Department of the Treasury may obtain
information reported pursuant to
§ 1010.380 for tax administration as
defined in 26 U.S.C. 6103(b)(4).
(c) Use of information—(1) Use of
information by authorized recipients.
Except as permitted under paragraph
(c)(2) of this section, any person who
receives information disclosed by
FinCEN under paragraph (b) of this
section shall not further disclose such
information to any other person, and
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88810
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
shall use such information only for the
particular purpose or activity for which
such information was disclosed. A
Federal agency that receives information
pursuant to paragraph (b)(3) of this
section shall only use it to facilitate a
response to a request for assistance
pursuant to that paragraph.
(2) Disclosure of information by
authorized recipients. (i) Any officer,
employee, contractor, or agent of a
requesting agency who receives
information disclosed by FinCEN
pursuant to a request under paragraph
(b)(1) or (2) or (b)(4)(ii) of this section
may disclose such information to
another officer, employee, contractor, or
agent of the same requesting agency for
the particular purpose or activity for
which such information was requested,
consistent with the requirements of
paragraph (d)(1)(i)(F) of this section, as
applicable. Any officer, employee,
contractor, or agent of the U.S.
Department of the Treasury who
receives information disclosed by
FinCEN pursuant to a request under
paragraph (b)(5) of this section may
disclose such information to another
Treasury officer, employee, contractor,
or agent for the particular purpose or
activity for which such information was
requested consistent with internal
Treasury policies, procedures, orders or
directives.
(ii) Any director, officer, employee,
contractor, or agent of a financial
institution who receives information
disclosed by FinCEN pursuant to a
request under paragraph (b)(4)(i) of this
section may disclose such information
to another director, officer, employee,
contractor, or agent of the same
financial institution for the particular
purpose or activity for which such
information was requested, consistent
with the requirements of paragraph
(d)(2) of this section.
(iii) Any director, officer, employee,
contractor, or agent of a financial
institution that receives information
disclosed by FinCEN pursuant to
paragraph (b)(4)(i) of this section may
disclose such information to the
financial institution’s Federal functional
regulator, a self-regulatory organization
that is registered with or designated by
a Federal functional regulator pursuant
to Federal statute, or other appropriate
regulatory agency, provided that the
Federal functional regulator, selfregulatory organization, or other
appropriate regulatory agency meets the
requirements identified in paragraphs
(b)(4)(ii)(A) through (C) of this section.
A financial institution may rely on a
Federal functional regulator, selfregulatory organization, or other
appropriate regulatory agency’s
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
representation that it meets the
requirements.
(iv) Any officer, employee, contractor,
or agent of a Federal functional
regulator that receives information
disclosed by FinCEN pursuant to
paragraph (b)(4)(ii) of this section may
disclose such information to a selfregulatory organization that is registered
with or designated by the Federal
functional regulator, provided that the
self-regulatory organization meets the
requirements of paragraphs (b)(4)(ii)(A)
through (C) of this section.
(v) Any officer, employee, contractor,
or agent of a Federal agency that
receives information from FinCEN
pursuant to a request made under
paragraph (b)(3) of this section may
disclose such information to the foreign
person on whose behalf the Federal
agency made the request.
(vi) Any officer, employee, contractor,
or agent of a Federal agency engaged in
a national security, intelligence, or law
enforcement activity, or any officer,
employee, contractor, or agent of a State,
local, or Tribal law enforcement agency,
may disclose information reported
pursuant to § 1010.380 that it has
obtained directly from FinCEN pursuant
to a request under paragraph (b)(1) or (2)
of this section to a court of competent
jurisdiction or parties to a civil or
criminal proceeding.
(vii) Any officer, employee,
contractor, or agent of a requesting
agency who receives information
disclosed by FinCEN pursuant to a
request under paragraph (b)(1), (b)(4)(ii),
or (b)(5) of this section may disclose
such information to any officer,
employee, contractor, or agent of the
United States Department of Justice for
purposes of making a referral to the
Department of Justice or for use in
litigation related to the activity for
which the requesting agency requested
the information.
(viii) Any officer, employee,
contractor, or agent of a State, local, or
Tribal law enforcement agency who
receives information disclosed by
FinCEN pursuant to a request under
paragraph (b)(2) of this section may
disclose such information to any officer,
employee, contractor, or agent of
another State, local, or Tribal agency for
purposes of making a referral for
possible prosecution by that agency, or
for use in litigation related to the
activity for which the requesting agency
requested the information.
(ix) A law enforcement agency,
prosecutor, judge, foreign central
authority, or foreign competent
authority of another country that
receives information from a Federal
agency pursuant to a request under
PO 00000
Frm 00080
Fmt 4701
Sfmt 4700
paragraph (b)(3)(ii)(A) of this section
may disclose and use such information
consistent with the international treaty,
agreement, or convention under which
the request was made.
(x) FinCEN may by prior written
authorization, or by protocols or
guidance that FinCEN may issue,
authorize persons to disclose
information obtained pursuant to
paragraph (b) of this section in
furtherance of a purpose or activity
described in that paragraph.
(d) Security and confidentiality
requirements—(1) Security and
confidentiality requirements for
domestic agencies—(i) General
requirements. To receive information
under paragraph (b)(1), (2), or (3) or
(b)(4)(ii) of this section, a Federal, State,
local, or Tribal agency shall satisfy the
following requirements:
(A) Agreement. The agency shall enter
into an agreement with FinCEN
specifying the standards, procedures,
and systems to be maintained by the
agency, and any other requirements
FinCEN may specify, to protect the
security and confidentiality of such
information. Agreements shall include,
at a minimum, descriptions of the
information to which an agency will
have access, specific limitations on
electronic access to that information,
discretionary conditions of access,
requirements and limitations related to
re-disclosure, audit and inspection
requirements, and security plans
outlining requirements and standards
for personnel security, physical
security, and computer security.
(B) Standards and procedures. The
agency shall establish standards and
procedures to protect the security and
confidentiality of such information,
including procedures for training
agency personnel on the appropriate
handling and safeguarding of such
information. The head of the agency, on
a non-delegable basis, shall approve
these standards and procedures.
(C) Initial report and certification. The
agency shall provide FinCEN a report
that describes the standards and
procedures established pursuant to
paragraph (d)(1)(i)(B) of this section and
that includes a certification by the head
of the agency, on a non-delegable basis,
that the standards and procedures
implement the requirements of this
paragraph (d)(1).
(D) Secure system for beneficial
ownership information storage. The
agency shall, to the satisfaction of the
Secretary, establish and maintain a
secure system in which such
information shall be stored.
(E) Auditability. The agency shall
establish and maintain a permanent,
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
auditable system of standardized
records for requests pursuant to
paragraph (b) of this section, including,
for each request, the date of the request,
the name of the individual who makes
the request, the reason for the request,
any disclosure of such information
made by or to the requesting agency,
and information or references to such
information sufficient to reconstruct the
reasons for the request.
(F) Restrictions on personnel access to
information. The agency shall restrict
access to information obtained from
FinCEN pursuant to this section to
personnel—
(1) Who are directly engaged in the
activity for which the information was
requested;
(2) Whose duties or responsibilities
require such access;
(3) Who have received training
pursuant to paragraph (d)(1)(i)(B) of this
section or have obtained the information
requested directly from persons who
both received such training and
received the information directly from
FinCEN;
(4) Who use appropriate identity
verification mechanisms to obtain
access to the information; and
(5) Who are authorized by agreement
between the agency and FinCEN to
access the information.
(G) Audit requirements. The agency
shall:
(1) Conduct an annual audit to verify
that information obtained from FinCEN
pursuant to this section has been
accessed and used appropriately and in
accordance with the standards and
procedures established pursuant to
paragraph (d)(1)(i)(B) of this section;
(2) Provide the results of that audit to
FinCEN upon request; and
(3) Cooperate with FinCEN’s annual
audit of the adherence of agencies to the
requirements established under this
paragraph to ensure that agencies are
requesting and using the information
obtained under this section
appropriately, including by promptly
providing any information FinCEN
requests in support of its annual audit.
(H) Semi-annual certification. The
head of the agency, on a non-delegable
basis, shall certify to FinCEN semiannually that the agency’s standards
and procedures established pursuant to
paragraph (d)(1)(i)(B) of this section are
in compliance with the requirements of
this paragraph (d)(1). One of the semiannual certifications may be included in
the annual report required under
paragraph (d)(1)(i)(I) of this section.
(I) Annual report on procedures. The
agency shall provide FinCEN a report
annually that describes the standards
and procedures that the agency uses to
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
ensure the security and confidentiality
of any information received pursuant to
paragraph (b) of this section.
(ii) Requirements for requests for
disclosure. A Federal, State, local, or
Tribal agency that makes a request
under paragraph (b)(1), (2), or (3) or
(b)(4)(ii) of this section shall satisfy the
following requirements in connection
with each request that it makes and in
connection with all such information it
receives.
(A) Minimization. The requesting
agency shall limit, to the greatest extent
practicable, the scope of such
information it seeks, consistent with the
agency’s purposes for seeking such
information.
(B) Certifications and other
requirements. (1) The head of a Federal
agency that makes a request under
paragraph (b)(1) of this section or their
designee shall make a written
certification to FinCEN, in the form and
manner as FinCEN shall prescribe, that:
(i) The agency is engaged in a national
security, intelligence, or law
enforcement activity; and
(ii) The information requested is for
use in furtherance of such activity,
setting forth specific reasons why the
requested information is relevant to the
activity.
(2) The head of a State, local, or Tribal
agency, or their designee, who makes a
request under paragraph (b)(2) of this
section shall submit to FinCEN a written
certification, in the form and manner as
FinCEN shall prescribe, that:
(i) A court of competent jurisdiction
has authorized the agency to seek the
information in a criminal or civil
investigation; and
(ii) The requested information is
relevant to the criminal or civil
investigation, setting forth a description
of the information the court has
authorized the agency to seek.
(3) The head of a Federal agency, or
their designee, who makes a request
under paragraph (b)(3)(ii)(A) of this
section shall:
(i) Retain for the agency’s records the
request for information under the
applicable international treaty,
agreement, or convention;
(ii) Submit to FinCEN, in the form and
manner as FinCEN shall prescribe: the
name, title, agency, and country of the
foreign person on whose behalf the
Federal agency is making the request;
the title of the international treaty,
agreement, or convention under which
the request is being made; and a
certification that the requested
information is for use in furtherance of
a law enforcement investigation or
prosecution, or for a national security or
intelligence activity, that is authorized
PO 00000
Frm 00081
Fmt 4701
Sfmt 4700
88811
under the laws of the relevant foreign
country.
(4) The head of a Federal agency, or
their designee, who makes a request
under paragraph (b)(3)(ii)(B) of this
section shall submit to FinCEN, in the
form and manner as FinCEN shall
prescribe:
(i) A written explanation of the
specific purpose for which the foreign
person is seeking information under
paragraph (b)(3)(ii)(B) of this section,
along with an accompanying
certification that the information is for
use in furtherance of a law enforcement
investigation or prosecution, or for a
national security or intelligence activity,
that is authorized under the laws of the
relevant foreign country and that the
foreign person seeking information
under paragraph (b)(3)(ii)(B) has been
informed that the information may only
be used only for the particular purpose
or activity for which it is requested and
must be handled consistent with the
requirements of paragraph (d)(3) of this
section;
(ii) The name, title, agency, and
country of the foreign person on whose
behalf the Federal agency is making the
request; and
(iii) Any other information that
FinCEN requests in order to evaluate the
request.
(5) The head of a Federal functional
regulator or other appropriate regulatory
agency, or their designee, who makes a
request under paragraph (b)(4)(ii) of this
section shall make a written
certification to FinCEN, in the form and
manner as FinCEN shall prescribe, that:
(i) The agency is authorized by law to
assess, supervise, enforce, or otherwise
determine the compliance of a relevant
financial institution with customer due
diligence requirements under applicable
law; and
(ii) The agency will use the
information solely for the purpose of
conducting the assessment, supervision,
or authorized investigation or activity
described in paragraph (b)(4)(ii)(A) of
this section.
(2) Security and confidentiality
requirements for financial institutions.
To receive information under paragraph
(b)(4)(i) of this section, a financial
institution shall satisfy the following
requirements:
(i) Geographic restrictions on
information. The financial institution
shall not make information obtained
from FinCEN under paragraph (b)(4)(i)
of this section available to persons
physically located in, and shall not store
such information in, any of the
following jurisdictions:
(A) The People’s Republic of China;
(B) The Russian Federation; or
E:\FR\FM\22DER3.SGM
22DER3
ddrumheller on DSK120RN23PROD with RULES3
88812
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
(C) A jurisdiction:
(1) That is a state sponsor of terrorism,
as determined by the U.S. Department of
State;
(2) That is the subject of
comprehensive financial and economic
sanctions imposed by the Federal
Government, i.e., is a jurisdiction with
a government whose property and
interests in property within U.S.
jurisdiction are blocked pursuant to U.S.
sanctions authorities, or a jurisdiction
subject to broad-based prohibitions on
transactions by U.S. persons involving
that jurisdiction, such as prohibitions
on importing or exporting goods,
services, or technology to the
jurisdiction or dealing in goods or
services originating from the
jurisdiction, pursuant to U.S. sanctions
authorities; or
(3) To which the Secretary has
determined that allowing information
obtained from FinCEN under paragraph
(b)(4)(i) of this section to be made
available would undermine the
enforcement of the requirements of
paragraph (d)(2) of this section or the
national security of the United States.
(ii) Safeguards. The financial
institution shall develop and implement
administrative, technical, and physical
safeguards reasonably designed to
protect the security, confidentiality, and
integrity of such information. These
shall include:
(A) Information procedures. The
financial institution shall:
(1) Apply such information
procedures as the institution has
established to satisfy the requirements
of section 501 of the Gramm-LeachBliley Act (15 U.S.C. 6801 et seq.), and
applicable regulations issued
thereunder, with regard to the
protection of its customers’ nonpublic
personal information, modified as
needed to account for any unique
requirements imposed under this
section; or
(2) If the institution is not subject to
section 501 of the Gramm-Leach-Bliley
Act, apply such information procedures
with regard to the protection of its
customers’ nonpublic personal
information as are required,
recommended, or authorized under
applicable law and are at least as
protective of the security and
confidentiality of customer information
as procedures that satisfy the standards
of section 501 of the Gramm-LeachBliley Act.
(B) Notification of information
demand. The financial institution shall
notify FinCEN within three business
days of receipt of any foreign
government subpoena or legal demand
under which the financial institution
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
would have to disclose any information
the financial institution has received
pursuant to a request under paragraph
(b)(4)(i) of this section.
(iii) Consent to obtain information.
Before making a request for information
regarding a reporting company under
paragraph (b)(4)(i) of this section, the
financial institution shall obtain and
document the consent of the reporting
company to request such information.
The documentation of the reporting
company’s consent shall be maintained
for 5 years after it is last relied upon in
connection with a request for
information under paragraph (b)(4)(i) of
this section.
(iv) Certification. For each request for
information regarding a reporting
company under paragraph (b)(4)(i) of
this section, the financial institution
shall make a certification to FinCEN in
such form and manner as FinCEN shall
prescribe that the financial institution:
(A) Is requesting the information to
facilitate its compliance with customer
due diligence requirements under
applicable law;
(B) Has obtained and documented the
consent of the reporting company to
request the information from FinCEN;
and
(C) Has fulfilled all other
requirements of paragraph (d)(2) of this
section.
(3) Security and confidentiality
requirements for foreign recipients of
information. (i) To receive information
under paragraph (b)(3)(ii)(A) of this
section, a foreign person on whose
behalf a Federal agency made the
request under that paragraph shall
comply with all applicable handling,
disclosure, and use requirements of the
international treaty, agreement, or
convention under which the request
was made.
(ii) To receive information under
paragraph (b)(3)(ii)(B) of this section, a
foreign person on whose behalf a
Federal agency made the request under
that paragraph shall ensure that the
following requirements are satisfied:
(A) Standards and procedures. A
foreign person who receives information
pursuant to paragraph (b)(3)(ii)(B) of
this section shall establish standards
and procedures to protect the security
and confidentiality of such information,
including procedures for training
personnel who will have access to it on
the appropriate handling and
safeguarding of such information.
(B) Secure system for beneficial
ownership information storage. Such
information shall be maintained in a
secure system that complies with the
security standards the foreign person
PO 00000
Frm 00082
Fmt 4701
Sfmt 4700
applies to the most sensitive
unclassified information it handles.
(C) Minimization. To the greatest
extent practicable, the scope of
information sought shall be limited,
consistent with the purposes for seeking
such information.
(D) Restrictions on personnel access
to information. Access to such
information shall be limited to
persons—
(1) Who are directly engaged in the
activity described in paragraph (b)(3) of
this section for which the information
was requested;
(2) Whose duties or responsibilities
require such access; and
(3) Who have undergone training on
the appropriate handling and
safeguarding of information obtained
pursuant to this section.
(e) Administration of requests—(1)
Form and manner of requests. Requests
for information under paragraph (b) of
this section shall be submitted to
FinCEN in such form and manner as
FinCEN shall prescribe.
(2) Rejection of requests. (i) FinCEN
will reject a request under paragraph
(b)(4) of this section, and may reject any
other request made pursuant to this
section, if such request is not submitted
in the form and manner prescribed by
FinCEN.
(ii) FinCEN may reject any request, or
otherwise decline to disclose any
information in response to a request
made under this section, if FinCEN, in
its sole discretion, finds that, with
respect to the request:
(A) The requester has failed to meet
any requirement of this section;
(B) The information is being requested
for an unlawful purpose; or
(C) Other good cause exists to deny
the request.
(3) Suspension of access. (i) FinCEN
may permanently debar or temporarily
suspend, for any period of time, any
individual requester or requesting entity
from receiving or accessing information
under paragraph (b) of this section if
FinCEN, in its sole discretion, finds
that:
(A) The individual requester or
requesting entity has failed to meet any
requirement of this section;
(B) The individual requester or
requesting entity has requested
information for an unlawful purpose; or
(C) Other good cause exists for such
debarment or suspension.
(ii) FinCEN may reinstate the access
of any individual requester or
requesting entity that has been
suspended or debarred under this
paragraph (e)(3) upon satisfaction of any
terms or conditions that FinCEN deems
appropriate.
E:\FR\FM\22DER3.SGM
22DER3
Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations
ddrumheller on DSK120RN23PROD with RULES3
(f) Violations—(1) Unauthorized
disclosure or use. Except as authorized
by this section, it shall be unlawful for
any person to knowingly disclose, or
knowingly use, the beneficial ownership
information obtained by the person,
directly or indirectly, through:
VerDate Sep<11>2014
19:01 Dec 21, 2023
Jkt 262001
(i) A report submitted to FinCEN
under § 1010.380; or
(ii) A disclosure made by FinCEN
pursuant to paragraph (b) of this section.
(2) For purposes of paragraph (f)(1) of
this section, unauthorized use shall
include accessing information without
authorization, and shall include any
PO 00000
Frm 00083
Fmt 4701
Sfmt 9990
88813
violation of the requirements described
in paragraph (d) of this section in
connection with any access.
Andrea M. Gacki,
Director, Financial Crimes Enforcement
Network.
[FR Doc. 2023–27973 Filed 12–21–23; 8:45 am]
BILLING CODE 4810–02–P
E:\FR\FM\22DER3.SGM
22DER3
Agencies
[Federal Register Volume 88, Number 245 (Friday, December 22, 2023)]
[Rules and Regulations]
[Pages 88732-88813]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-27973]
[[Page 88731]]
Vol. 88
Friday,
No. 245
December 22, 2023
Part III
Department of the Treasury
-----------------------------------------------------------------------
Financial Crimes Enforcement Network
-----------------------------------------------------------------------
31 CFR Part 1010
Beneficial Ownership Information Access and Safeguards; Final Rule
Federal Register / Vol. 88 , No. 245 / Friday, December 22, 2023 /
Rules and Regulations
[[Page 88732]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Part 1010
RIN 1506-AB59
Beneficial Ownership Information Access and Safeguards
AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: FinCEN is promulgating regulations regarding access by
authorized recipients to beneficial ownership information (BOI) that
will be reported to FinCEN pursuant to section 6403 of the Corporate
Transparency Act (CTA), enacted into law as part of the Anti-Money
Laundering Act of 2020 (AML Act), which is itself part of the National
Defense Authorization Act for Fiscal Year 2021 (NDAA). The regulations
implement the strict protocols required by the CTA to protect sensitive
personally identifiable information (PII) reported to FinCEN and
establish the circumstances in which specified recipients have access
to BOI, along with data protection protocols and oversight mechanisms
applicable to each recipient category. The disclosure of BOI to
authorized recipients in accordance with appropriate protocols and
oversight will help law enforcement and national security agencies
prevent and combat money laundering, terrorist financing, tax fraud,
and other illicit activity, as well as protect national security.
DATES: These rules are effective February 20, 2024.
FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section
at 1-800-767-2825 or electronically at [email protected].
SUPPLEMENTARY INFORMATION:
I. Introduction
This final rule implements the beneficial ownership information
(BOI) access and safeguard provisions in the Corporate Transparency Act
(CTA).\1\ The rule balances the statutory requirement to create a
database of BOI that is highly useful to authorized BOI recipients,
with the requirement to safeguard BOI from unauthorized use. This final
rule reflects FinCEN's understanding of the critical need for the
highest standard of security and confidentiality protocols to maintain
confidence in the U.S. Government's ability to protect sensitive
information while achieving the objective of the CTA noted above--
establishing a database of BOI that will be highly useful in combatting
illicit finance and the abuse of shell and front companies by
criminals, corrupt officials, and other bad actors.
---------------------------------------------------------------------------
\1\ The CTA is Title LXIV of the William M. (Mac) Thornberry
National Defense Authorization Act for Fiscal Year 2021, Public Law
116-283 (Jan. 1, 2021) (the NDAA). Division F of the NDAA is the
Anti-Money Laundering Act of 2020 (AML Act), which includes the CTA.
Section 6403 of the CTA, among other things, amends the Bank Secrecy
Act (BSA) by adding a new section 5336, Beneficial Ownership
Information Reporting Requirements, to Subchapter II of Chapter 53
of Title 31, United States Code.
---------------------------------------------------------------------------
Specifically, this final rule implements the provisions in the CTA,
codified at 31 U.S.C. 5336(c), that authorize certain recipients to
receive disclosures of identifying information associated with
reporting companies, their beneficial owners, and their company
applicants (together, BOI). The CTA requires reporting companies to
report BOI to FinCEN pursuant to 31 U.S.C. 5336(b). This rule reflects
FinCEN's careful consideration of public comments, including those
received in response to (1) an advance notice of proposed rulemaking
(ANPRM) \2\ on the implementation of the CTA, (2) an NPRM regarding BOI
reporting requirements (Reporting NPRM),\3\ and (3) an NPRM regarding
BOI access and safeguards (Access NPRM).\4\
---------------------------------------------------------------------------
\2\ 86 FR 17557 (Apr. 5, 2021).
\3\ 86 FR 69920 (Dec. 8, 2021).
\4\ 87 FR 77404 (Dec. 16, 2022).
---------------------------------------------------------------------------
As Congress explained in the CTA, ``malign actors seek to conceal
their ownership of corporations, limited liability companies, or other
similar entities in the United States to facilitate illicit activity,
including money laundering, the financing of terrorism, proliferation
financing, serious tax fraud, human and drug trafficking,
counterfeiting, piracy, securities fraud, financial fraud, and acts of
foreign corruption, harming the national security interests of the
United States and allies of the United States.'' \5\ Access by
authorized recipients to BOI reported under the CTA would significantly
aid efforts to protect U.S. national security and safeguard the U.S.
financial system from such illicit use. It would impede illicit actors'
ability to use legal entities to conceal proceeds from criminal acts
that undermine U.S. national security and foreign policy interests,
such as corruption, human trafficking, drug and arms trafficking, and
terrorist financing. BOI can also add critical data to financial
analyses in activities the CTA contemplates, including tax
investigations. It can also provide essential information to the
intelligence and national security professionals who work to prevent
terrorists, proliferators, and those who seek to undermine our
democratic institutions or threaten other core U.S. interests from
raising, hiding, or moving money in the United States through anonymous
shell or front companies.\6\
---------------------------------------------------------------------------
\5\ CTA, section 6402(3).
\6\ A front company generates legitimate business proceeds to
commingle with illicit earnings. See U.S. Department of the
Treasury, National Money Laundering Risk Assessment (2018), p. 29,
available at https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf.
---------------------------------------------------------------------------
The United States currently does not have a centralized or complete
store of information about who owns and operates legal entities within
the United States. The beneficial ownership data available to law
enforcement and national security agencies are generally limited to
certain commercial databases and the information collected by financial
institutions on legal entity accounts pursuant to their Customer Due
Diligence (CDD) or broader Customer Identification Program (CIP)
obligations, some of which has been included in Suspicious Activity
Reports (SARs) or provided to law enforcement in response to judicial
process.\7\ As set out in detail in the Notice of Proposed Rulemaking
regarding BOI reporting requirements \8\ and the BOI reporting final
rule,\9\ U.S. law enforcement officials and the Financial Action Task
Force (FATF),\10\ among others, have for years noted how the lack of
timely access to accurate and adequate BOI by law enforcement and other
authorized
[[Page 88733]]
recipients remained a significant gap in the United States' anti-money
laundering/countering the financing of terrorism (AML/CFT) and
countering the financing of proliferation (CFP) framework. Broadly, and
critically, BOI can identify linkages between potential illicit actors
and opaque business entities, including shell companies. Furthermore,
comparing BOI reported pursuant to the CTA against data collected under
the Bank Secrecy Act (BSA) and other relevant government data is
expected to significantly further efforts to identify illicit actors
and combat their financial activities.
---------------------------------------------------------------------------
\7\ See, e.g., 31 CFR 1010.230. Even then, any BOI a financial
institution collects is not systematically reported to any central
repository.
\8\ Supra note 3, 86 FR at 69923-69924.
\9\ 87 FR 59498, 59506 (Sept. 30, 2022).
\10\ The FATF, of which the United States is a founding member,
is an international, inter-governmental task force whose purpose is
the development and promotion of international standards and the
effective implementation of legal, regulatory, and operational
measures to combat money laundering, terrorist financing, the
financing of weapons proliferation, and other related threats to the
integrity of the international financial system. The FATF assesses
over 200 jurisdictions against its minimum standards for beneficial
ownership transparency. Among other things, it has established
standards on transparency and beneficial ownership of legal persons,
to deter and prevent the misuse of corporate vehicles. See FATF
Recommendation 24, Transparency and Beneficial Ownership of Legal
Persons, The FATF Recommendations: International Standards on
Combating Money Laundering and the Financing of Terrorism and
Proliferation (updated Oct. 2020), available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html; FATF Guidance, Transparency and Beneficial
Ownership, Part III (Oct. 2014), available at https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf.
---------------------------------------------------------------------------
At the same time, however, FinCEN recognizes that BOI is sensitive
information. This final rule reflects FinCEN's commitment to creating a
highly useful database for authorized BOI recipients while protecting
this sensitive information from unauthorized disclosure. To this end,
the final rule aims to ensure that: (1) only authorized recipients have
access to BOI; (2) authorized recipients use that BOI only for purposes
permitted by the CTA; and (3) authorized recipients re-disclose BOI
only in ways that balance protection of the security and
confidentiality of the BOI with furtherance of the CTA's objective of
making BOI available to a range of users for purposes specified in the
CTA. The final rule also provides a robust framework to ensure that BOI
reported to FinCEN, and received by authorized recipients, is subject
to strict cybersecurity controls, confidentiality protections and
restrictions, and robust audit and oversight measures. Coincident with
the protocols described in this final rule, FinCEN continues to work to
develop a secure, nonpublic database in which to store BOI, using
rigorous information security methods and controls typically used in
the Federal government to protect nonclassified yet sensitive
information systems at the highest security level. Against this
backdrop and consistent with the CTA, FinCEN will permit certain
Federal, State,\11\ local, and Tribal officials, as well as foreign
officials acting through a Federal agency, to obtain BOI for use in
furtherance of statutorily authorized activities such as those related
to national security, intelligence, and law enforcement. Financial
institutions with customer due diligence requirements under applicable
law will have access to BOI to facilitate compliance with those
requirements, as will the Federal functional regulators or other
appropriate regulatory agencies that supervise or assess those
financial institutions' compliance with such requirements.
---------------------------------------------------------------------------
\11\ FinCEN will interpret the term ``State'' consistent with
the definition of that term in the final Beneficial Ownership
Information Reporting Requirements rule at 87 FR 59498 (Sep. 30,
2022) (which defines the term ``State'' to mean ``any state of the
United States, the District of Columbia, the Commonwealth of Puerto
Rico, the Commonwealth of the Northern Mariana Islands, American
Samoa, Guam, the United States Virgin Islands, and any other
commonwealth, territory, or possession of the United States.'').
---------------------------------------------------------------------------
II. Background
A. Access to Beneficial Ownership Information
For more than two decades, the U.S. government has been raising
awareness about the misuse of legal entities by criminal actors for
illicit ends.\12\ Recently, Secretary of the Treasury Janet L. Yellen
affirmed that:
---------------------------------------------------------------------------
\12\ See 87 FR 59501-59503 (Sept. 30, 2022).
``The United States has a unique obligation to tackle
corruption. Corrupt actors from around the world continually attempt
to exploit the vulnerabilities in the U.S. framework--for countering
money laundering, terrorist financing, and other forms of illicit
finance. . . . Just like legitimate investors, corrupt actors move
their money through the United States to take advantage of the
world's largest and most dynamic economy. They incorporate companies
to benefit from our strong legal system, buy assets like real
estate, and invest in our deep and liquid markets. . . . Unmasking
shell corporations is the single most significant thing we can do to
make our financial system inhospitable to corrupt actors. . . . The
beneficial ownership database will deter dirty money from entering
the U.S.--and give law enforcement and other partners the tools they
need to follow the money when it does.'' \13\
---------------------------------------------------------------------------
\13\ U.S. Department of the Treasury (Treasury), ``Remarks by
Secretary Janet L. Yellen on Anti-Corruption as a Cornerstone of a
Fair, Accountable, and Democratic Economy at the Summit for
Democracy,'' (Mar. 28, 2023), available at https://home.treasury.gov/news/press-releases/jy1371.
The Department of the Treasury (Treasury) has previously observed
in its 2020 National Strategy for Combating Terrorist and other Illicit
Financing (the 2020 Illicit Financing Strategy) that ``[m]isuse of
legal entities to hide a criminal beneficial owner or illegal source of
funds continues to be a common, if not the dominant, feature of illicit
finance schemes, especially those involving money laundering, predicate
offences, tax evasion, and proliferation financing. . . .'' \14\ The
2020 Illicit Financing Strategy further noted a Treasury finding that,
between 2016 and 2019, legal entities were used in a substantial
proportion of adjudicated Internal Revenue Service (IRS) cases to
perpetrate tax evasion and fraud.\15\ In a separate report, the Drug
Enforcement Administration highlighted that drug trafficking
organizations frequently use shell and front companies to commingle
illicit drug proceeds with legitimate front company revenue to launder
the illicit drug proceeds.\16\
---------------------------------------------------------------------------
\14\ Treasury, National Strategy for Combating Terrorist and
Other Illicit Financing (2020), p. 13, available at https://home.treasury.gov/system/files/136/National-Strategy-to-Counter-Illicit-Financev2.pdf. The 2022 National Strategy for Combating
Terrorist and Other Illicit Financing noted that ``[t]he passage of
the CTA was a critical step forward in closing a long-standing gap
and strengthening the U.S. AML/CFT regime'' and that ``[a]ddressing
the gap in collection at the time of entity formation is the most
important AML/CFT regulatory action for the U.S. government.''
Treasury, National Strategy for Combating Terrorist and Other
Illicit Financing (May 2022), p. 8, available at https://home.treasury.gov/system/files/136/2022-National-Strategy-for-Combating-Terrorist-and-Other-Illicit-Financing.pdf (``2022 Illicit
Financing Strategy'').
\15\ Id. at 14.
\16\ Drug Enforcement Administration, 2020 Drug Enforcement
Administration National Drug Threat Assessment (``DEA 2020 NDTA'')
(2020), pp. 87-88, available at https://www.dea.gov/sites/default/files/2021-02/DIR-008-21%202020%20National%20Drug%20Threat%20Assessment_WEB.pdf.
---------------------------------------------------------------------------
As Treasury stressed in its 2022 Illicit Financing Strategy, law
enforcement's lack of access to uniform BOI hinders its ability to
swiftly investigate those entities created and used to hide ownership
for illicit purposes.\17\ Consequently, authorized recipients' access
to BOI reported under the CTA will significantly aid efforts to protect
U.S. national security; safeguard the U.S. financial system; and
support U.S. foreign policy and other interests by providing a tool to
counter corruption, human smuggling, drug and arms trafficking,
terrorist financing, and other criminal acts. BOI can also add critical
data to financial analyses in activities the CTA contemplates,
including tax investigations. BOI can also provide essential
information to the intelligence and national security professionals who
work to prevent terrorists, proliferators, and those who seek to
undermine our democratic institutions or threaten other core U.S.
interests from raising, hiding, or moving money in the United States
through anonymous shell or front companies.
---------------------------------------------------------------------------
\17\ See Treasury, 2022 Illicit Financing Strategy, supra note
3, p. 12.
---------------------------------------------------------------------------
Entity formation and registration in the United States happen at
the state and Tribal levels. Although state- and Tribal-level entity
formation laws vary, most jurisdictions do not require the party
forming an entity to identify its individual beneficial owners at or
after the time of formation. Additionally, the vast majority of states
require little to no contact information or other information about an
entity's officers or others who
[[Page 88734]]
control it.\18\ Furthermore, although many financial institutions are
required to collect certain beneficial ownership information pursuant
to FinCEN's 2016 Customer Due Diligence Rule (2016 CDD Rule),\19\ and
broader Customer Identification Program (CIP) obligations,\20\ that
information is not systematically reported to a central repository.
---------------------------------------------------------------------------
\18\ See CTA, section 6402(2) (``[M]ost or all States do not
require information about the beneficial owners of corporations,
limited liability companies, or other similar entities formed under
the laws of the State''); U.S. Government Accountability Office,
Company Formations: Minimal Ownership Information Is Collected and
Available (Apr. 2006), available at https://www.gao.gov/assets/gao-06-376.pdf; see also, e.g., The National Association of Secretaries
of State (NASS), NASS Summary of Information Collected by States
(Jun. 2019), available at https://www.nass.org/sites/default/files/company%20formation/nass-business-entity-info-collected-june2019.pdf.
\19\ Final Rule, Customer Due Diligence Requirements for
Financial Institutions, 81 FR 29398-29402 (May 11, 2016); 31 CFR
1010.230.
\20\ See e.g., 31 CFR 1020.220.
---------------------------------------------------------------------------
Identifying individual beneficial owners of legal entities in the
United States therefore is often a significant challenge for law
enforcement,\21\ and it represents a significant weakness in the United
States' AML/CFT and CFP frameworks, as Treasury \22\ and the FATF \23\
have noted for some time. Currently, obtaining BOI through grand jury
subpoenas and other means can involve considerable effort. Grand jury
subpoenas, for example, require an underlying grand jury investigation
into a possible violation of law. Furthermore, the law enforcement
officer or investigator must work with a prosecutor's office, such as a
U.S. Attorney's Office, to open a grand jury investigation, obtain the
grand jury subpoena, and issue it on behalf of the grand jury. The
investigator also needs to determine who should receive the subpoena
and coordinate service, which creates additional complications in cases
involving complicated corporate structuring. Sometimes this work is all
for naught because the investigation involves an entity formed or
registered in a jurisdiction that does not require BOI for formation or
registration.
---------------------------------------------------------------------------
\21\ In 2019, for example, Steven M. D'Antuono, Acting Deputy
Assistant Director of the FBI's Criminal Investigative Division
testified before Congress that ``[t]he process for the production of
[beneficial ownership] records can be lengthy, anywhere from a few
weeks to many years, and . . . can be extended drastically when it
is necessary to obtain information from other countries . . . . [I]f
an investigator obtains the ownership records, either from a
domestic or foreign entity, the investigator may discover that the
owner of the identified corporate entity is an additional corporate
entity, necessitating the same process for the newly discovered
corporate entity. Many professional launderers and others involved
in illicit finance intentionally layer ownership and financial
transactions in order to reduce transparency of transactions. As it
stands, it is a facially effective way to delay an investigation.''
D'Antuono further acknowledged that these challenges may be even
greater for State, local, and Tribal law enforcement agencies that
may not have the same resources as their Federal counterparts to
undertake long and costly investigations to identify beneficial
owners. D'Antuono noted that requiring the disclosure of BOI by
legal entities and the creation of a central BOI repository
available to law enforcement and regulators could address these
challenges. Federal Bureau of Investigation (FBI), Testimony of
Steven M. D'Antuono, Section Chief, Criminal Investigative Division,
``Combatting Illicit Financing by Anonymous Shell Companies'' (May
21, 2019), available at https://www.fbi.gov/news/testimony/combating-illicit-financing-by-anonymous-shell-companies.
\22\ Treasury, Treasury Announces Key Regulations and
Legislation to Counter Money Laundering and Corruption, Combat Tax
Evasion, May 5, 2016, available at https://home.treasury.gov/news/press-releases/jl0451.
\23\ See FATF Recommendation 24, Transparency and Beneficial
Ownership of Legal Persons, The FATF Recommendations: International
Standards on Combating Money Laundering and the Financing of
Terrorism and Proliferation (updated Oct. 2020), available at
https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html.
---------------------------------------------------------------------------
FinCEN's existing regulatory tools help, but they provide only
partial solutions. The 2016 CDD Rule, for example, requires that
certain types of U.S. financial institutions identify and verify the
beneficial owners of legal entity customers at the time of account
opening.\24\ The information financial institutions must collect under
the 2016 CDD Rule, however, is generally neither comprehensive nor
reported to the U.S. government (nor to State, local, or Tribal
governments), except when filed in suspicious activity reports (SARs)
or in response to judicial process. Moreover, the 2016 CDD Rule applies
only to legal entities that open accounts at certain U.S. financial
institutions. Other FinCEN authorities--geographic targeting orders
\25\ and the so-called ``311 measures'' (i.e., special measures imposed
on foreign jurisdictions, foreign financial institutions, or
international transactions of primary money laundering concern) \26\--
offer temporary and targeted tools. Neither provides law enforcement
the ability to reliably, efficiently, and consistently identify new
entities for investigation or follow investigatory leads.
---------------------------------------------------------------------------
\24\ 31 CFR 1010.230(b)(1).
\25\ 31 U.S.C. 5326(a); 31 CFR 1010.370.
\26\ 31 U.S.C. 5318A, as added by section 311 of the USA PATRIOT
Act (Pub. L. 107-56).
---------------------------------------------------------------------------
This Final Rule will help to fill in these gaps while creating a
framework to keep BOI secure and confidential.
B. The CTA
The CTA is part of the AML Act, which is a part of the 2021 NDAA.
The CTA added a new section, 31 U.S.C. 5336, to the BSA to enhance
beneficial ownership transparency while minimizing the burden on the
regulated community.\27\ This new section requires certain types of
domestic and foreign entities, called ``reporting companies,'' to
submit BOI to FinCEN.\28\ Specifically, reporting companies must submit
to FinCEN, for each beneficial owner and each individual who files an
application to form a domestic entity or register a foreign entity to
do business in the United States (the ``company applicant''), four
pieces of information: the individual's full legal name, date of birth,
current residential or business street address, and either a unique
identifying number from an acceptable identification document (e.g., a
passport) or the individual's ``FinCEN identifier.'' \29\
---------------------------------------------------------------------------
\27\ CTA, section 6403.
\28\ 31 U.S.C. 5336(b)(1), (2). The CTA generally exempts from
the reporting requirements banks and other entities that are already
subject to significant regulatory regimes meant to expose their
beneficial owners, among other purposes. See id. at 5336(a)(11)(B).
\29\ Id. at 5336(b)(2).
---------------------------------------------------------------------------
The CTA establishes that BOI is ``sensitive information.'' \30\ The
statute treats it as such by limiting its access and use to specified
parties for particular purposes.\31\ In particular, Congress authorized
FinCEN to disclose BOI only to a statutorily defined group of
governmental authorities and financial institutions, and only in
defined circumstances. The CTA further provides that the Secretary of
the Treasury (Secretary) must ``maintain [BOI] in a secure, nonpublic
database, using information security methods and techniques that are
appropriate to protect nonclassified information systems at the highest
security level.'' \32\ As discussed in detail in section II.E, FinCEN
is currently building the secure information technology (IT) system
into which reporting companies will submit, and from which authorized
recipients will generally obtain, BOI.
---------------------------------------------------------------------------
\30\ CTA, section 6402(6).
\31\ Id.
\32\ CTA, section 6402(7)(A). While the statutory language seems
to include a typographical error that refers to another provision
(not related to BOI), it also seems clear that the object of
protection in this case is BOI.
---------------------------------------------------------------------------
In addition to setting out requirements and restrictions related to
BOI reporting and access, the CTA requires that FinCEN revise the 2016
CDD Rule within one year of the BOI reporting requirements taking
effect. In particular, the CTA directs FinCEN to revise the 2016 CDD
Rule to: (1) bring it into conformity with the AML Act as a whole,
including the CTA; (2) account for financial institutions' access to
BOI
[[Page 88735]]
reported to FinCEN ``in order to confirm the beneficial ownership
information provided directly to the financial institutions'' for AML/
CFT and customer due diligence purposes; and (3) reduce unnecessary or
duplicative burdens on financial institutions and legal entity
customers.\33\ In carrying out these provisions, the CTA further
requires FinCEN to rescind paragraphs (b) through (j) of 31 CFR
1010.230.\34\
---------------------------------------------------------------------------
\33\ CTA, section 6403(d)(1)(A)-(C).
\34\ CTA, section 6403(d)(1)-(2). The CTA orders the rescission
of paragraphs (b) through (j) directly (``the Secretary of the
Treasury shall rescind paragraphs (b) through (j)'') and orders the
retention of paragraph (a) by a negative rule of construction
(``nothing in this section may be construed to authorize the
Secretary of the Treasury to repeal . . . [31 CFR]
1010.230(a)[.]''). The statute also provides a list of
considerations to take into account when revising the 2016 CDD Rule.
See generally CTA, section 6403(d)(3).
---------------------------------------------------------------------------
FinCEN began implementing the CTA by publishing an ANPRM on April
5, 2021.\35\ The ANPRM sought input on five open-ended categories of
questions, including questions on clarifying key CTA definitions and on
how FinCEN should implement CTA provisions governing FinCEN's
maintenance and disclosure of BOI subject to appropriate access
protocols. In response to the ANPRM, FinCEN received and considered 220
comments from parties that included businesses, civil society
organizations, trade associations, law firms, secretaries of state and
other state officials, Indian Tribes, members of Congress, and private
citizens.
---------------------------------------------------------------------------
\35\ 86 FR 17557 (Apr. 5, 2021).
---------------------------------------------------------------------------
FinCEN next published the Reporting NPRM on December 8, 2021.\36\
The Reporting NPRM described Treasury's efforts to address the lack of
transparency in the ownership of certain legal entities, and proposed
regulations specifying what BOI must be reported to FinCEN pursuant to
CTA requirements, by whom, and when. These regulations also proposed
processes for obtaining, updating, and using FinCEN identifiers. The
Reporting NPRM included a 60-day comment period, which closed on
February 7, 2022. FinCEN received over 240 comments on the Reporting
NPRM.
---------------------------------------------------------------------------
\36\ 86 FR 69920 (Dec. 8, 2021).
---------------------------------------------------------------------------
After considering those comments, FinCEN published a final rule
implementing the CTA's BOI reporting requirements on September 30, 2022
(Reporting Rule).\37\ The Reporting Rule takes effect on January 1,
2024, and is the first of three rulemakings required by the CTA. Under
the Reporting Rule, reporting companies in existence before the
effective date will have until January 1, 2025, to report.\38\ The
Reporting Rule also provided that reporting companies created or
registered to do business on or after January 1, 2024 would need to
submit BOI to FinCEN within 30 days of receiving notice of a company's
creation or registration.\39\ However, on November 30, 2023, FinCEN
published a final rule to extend the timeframe for reporting companies
created or registered on or after January 1, 2024, and before January
1, 2025, to submit their initial BOI reports to FinCEN. Under this
amendment to the Reporting Rule, reporting companies created or
registered on or after January 1, 2024, and before January 1, 2025,
will have 90 days to submit their initial BOI reports, instead of 30
days. Reporting companies formed on or after January 1, 2025, will
continue to be required to submit their initial BOI reports within 30
days.
---------------------------------------------------------------------------
\37\ 87 FR 59498 (Sept. 30, 2022).
\38\ Reporting Rule, 31 CFR 1010.380(a)(1)(i)-(ii).
\39\ Id. at 1010.380(a)(iii).
---------------------------------------------------------------------------
The Reporting Rule also reserved for further consideration certain
provisions concerning the use of FinCEN identifiers for entities.
FinCEN next published the Access NPRM regarding the CTA's BOI
access and safeguard provisions on December 16, 2022.\40\ The proposed
regulations reflected information gleaned from over 30 outreach
sessions with representatives from Federal agencies, state courts,
state and local prosecutors' offices, Tribal governments, financial
institutions, financial self-regulatory organizations (SROs), and
government offices that had established beneficial ownership databases,
as well as from comments to the prior CTA-related publications. The
Access NPRM also included proposed amendments to the reporting
regulations that would finalize the remaining Reporting Rule provisions
concerning the use of FinCEN identifiers for entities. The comment
period for the Access NPRM closed on February 14, 2023.
---------------------------------------------------------------------------
\40\ 87 FR 77404 (Dec. 16, 2022).
---------------------------------------------------------------------------
This final rule adopts, with modifications, the proposed
regulations in the Access NPRM and is the second rulemaking required by
the CTA. These final access and safeguard regulations (``Access Rule'')
aim to ensure that: (1) only authorized recipients have access to BOI;
(2) authorized recipients use that access only for purposes permitted
by the CTA; and (3) authorized recipients only re-disclose BOI in ways
that balance protecting its security and confidentiality with the CTA
objective of making BOI available to a range of users for authorized
purposes. The regulations also provide a robust framework to ensure
that BOI reported to FinCEN, and received by authorized recipients, is
subject to strict cybersecurity controls, confidentiality protections
and restrictions, and robust audit and oversight measures.
FinCEN will implement the CTA requirement to revise the 2016 CDD
Rule through a future rulemaking process. That process will provide the
public with an opportunity to comment on the effect of the final
provisions of the BOI reporting and access rules on financial
institutions' customer due diligence obligations.
Finally, the CTA requires the Inspector General of the Department
of the Treasury to provide public contact information to receive
external comments or complaints regarding the BOI notification and
collection process or regarding the accuracy, completeness, or
timeliness of such information.\41\ Treasury's Office of Inspector
General (``Treasury OIG'') has established the following email inbox to
receive such comments or complaints:
[email protected].
---------------------------------------------------------------------------
\41\ See 31 U.S.C. 5336(h)(4).
---------------------------------------------------------------------------
C. The Access NPRM
As noted above in section II.B, FinCEN published the Access NPRM on
December 16, 2022. The NPRM had a 60-day comment period that closed on
February 14, 2023. FinCEN received over 80 comments. The NPRM described
who would be authorized to access BOI reported to FinCEN, how those
parties could use the information, and how they would be required to
safeguard it.
The proposed regulations would amend 31 CFR 1010.950(a) to clarify
that the disclosure of BOI would be governed by proposed 31 CFR
1010.955, rather than 31 CFR 1010.950(a), which governs disclosure of
other BSA information. The CTA specifies disclosure rules applicable to
BOI that are distinct from BSA provisions authorizing disclosure of
other BSA information.\42\
---------------------------------------------------------------------------
\42\ See 31 U.S.C. 5336(c)(2), (5).
---------------------------------------------------------------------------
The Access NPRM proposed to incorporate the CTA's general
prohibition on the disclosure of BOI by individual recipients to others
unless authorized to do so under the statute or its implementing
regulations, with certain clarifications regarding the applicability
and duration of that prohibition. The proposed regulations would
authorize the disclosure and use of BOI to facilitate the purposes of
the CTA, with FinCEN further proposing to retain the authority to
permit in writing the re-disclosure of BOI in other circumstances.
The proposed regulations included provisions that would address a
range of
[[Page 88736]]
administrative matters, e.g., circumstances under which FinCEN could
decline to provide requested BOI or debar or suspend an authorized
recipient, and would incorporate CTA provisions that impose civil and
criminal penalties for knowingly disclosing or knowingly using BOI in
ways that were not authorized by the CTA. The proposed rule also would
reinforce the security and confidentiality requirements of the CTA by
making clear the range of actions that could constitute unauthorized
disclosure and use.
Finally, the Access NPRM made a new proposal regarding the use of
FinCEN identifiers for entities, which was initially addressed in the
Reporting NPRM and then deferred in the Final Reporting Rule.
Specifically, the proposed regulations would clarify that a reporting
company would be permitted to report the FinCEN identifier of an
intermediate entity (i.e., an entity through which an individual
beneficial owner exercises substantial control or owns ownership
interests in a reporting company) in lieu of a beneficial owner's PII
only when three criteria are met. Taken together, these requirements
sought to avoid the use of FinCEN identifiers to obscure beneficial
ownership in a reporting company when the entity's ownership structure
involves multiple beneficial owners and intermediate entities. FinCEN
published a final rule to implement these provisions regarding the use
of FinCEN identifiers for entities on November 8, 2023.\43\
---------------------------------------------------------------------------
\43\ 88 FR 76995 (Nov. 8, 2023).
---------------------------------------------------------------------------
The Access NPRM, however, primarily focused on the scope of and
requirements for access to and protection of BOI reported to FinCEN.
The following subsections outline how the proposed regulations would
apply to five categories of authorized recipients for which the CTA
prescribes specific requirements with respect to access to and use of
BOI.
i. Domestic Agencies
The first category of BOI recipients authorized by the CTA consists
of (1) Federal agencies engaged in national security, intelligence, or
law enforcement activity if the requested BOI is for use in furtherance
of such activity; \44\ and (2) State, local, and Tribal law enforcement
agencies if ``a court of competent jurisdiction'' authorizes the law
enforcement agency to seek the information in a criminal or civil
investigation.\45\ Federal agency access to BOI would be contingent on
the type of activity an agency engages in. In contrast, State, local,
and Tribal access would be contingent on two conditions; (1) whether
the recipient is a law enforcement agency, i.e., the type of agency;
and (2) whether a State, local, or Tribal law enforcement agency
receives authorization from a court of competent jurisdiction to
request BOI from FinCEN.
---------------------------------------------------------------------------
\44\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
\45\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
The Access NPRM proposed definitions for ``national security,''
``intelligence,'' and ``law enforcement'' activities in a manner
consistent with the CTA. In particular, the Access NPRM proposed that
``law enforcement'' include both criminal and civil investigations and
actions, including actions to impose civil penalties, civil forfeiture
actions, and civil enforcement through administrative proceedings. For
access by State, local and Tribal law enforcement, the Access NPRM
proposed to define ``court of competent jurisdiction'' as any court
with jurisdiction over the criminal or civil investigation for which
the State, local, or Tribal law enforcement agency requested BOI. The
Access NPRM further proposed that the requisite court authorization
would have to be in the form of a court order, with the understanding
that the term ``order'' could encompass many authorization types issued
by a range of court officers (i.e., individuals empowered to exercise a
court's authority and issue authorizations on its behalf, excluding
individual attorneys). The NPRM specifically sought feedback on the
scope of this definition.
The proposed regulations would also require all Federal agencies
engaged in national security, intelligence, or law enforcement activity
to provide a brief justification for each search for BOI in the FinCEN
IT system and certify compliance with the applicable regulatory
requirements. State, local, and Tribal law enforcement agencies would
also have had to provide a brief justification for each search for BOI
and submit copies of their court orders for FinCEN review. Upon meeting
these requirements, both Federal agencies engaged in national security,
intelligence, or law enforcement activity and State, local, and Tribal
law enforcement agencies would have the ability to conduct searches for
BOI in the beneficial ownership IT system (the ``BO IT system'')
relevant to their investigation. The BO IT system would provide these
users with both a reporting company's BOI at the time of the request as
well as any previously submitted BOI.
Furthermore, the Access NPRM proposed that Federal agencies engaged
in a national security, intelligence, or law enforcement activity, as
well as State, local, and Tribal law enforcement agencies, would be
authorized to disclose BOI obtained directly from FinCEN to courts of
competent jurisdiction or parties to a civil or criminal proceeding.
This authorization would only apply to civil or criminal proceedings
involving U.S. Federal, State, local, and Tribal laws. In the preamble
to the Access NPRM, FinCEN explained that it envisioned agencies
relying on this provision when, for example, a prosecutor would need to
provide a criminal defendant with BOI in discovery or use it as
evidence in a court proceeding or trial.\46\
---------------------------------------------------------------------------
\46\ See CTA, section 6402(5)(D).
---------------------------------------------------------------------------
The CTA prescribes a number of security and confidentiality
requirements that the Secretary must impose on requesting Federal,
State, local, and Tribal agencies and their heads. These include
requirements for secure storage systems and access policies and
procedures; personnel access controls; recordkeeping, reporting, and
audit requirements; and written certifications. These requirements
affirm the importance of the security and confidentiality protocols and
the need for a high degree of accountability for the protection of BOI.
The proposed regulations described how each requesting agency, before
it could obtain BOI from FinCEN, would be required to enter into a
memorandum of understanding (MOU) with FinCEN specifying the standards,
procedures, and systems that the agency would be required to maintain
to protect BOI, including security plans. FinCEN explained in the
preamble to the Access NPRM that these requirements are extensive by
necessity given the broad search functionality within the BO IT system
that would be available to this category of authorized recipients.
ii. Foreign Requesters
The second category consists of foreign law enforcement agencies,
judges, prosecutors, central authorities, and competent authorities
(``foreign requesters''), provided their requests come through an
intermediary Federal agency, meet additional criteria, and are made
either (1) under an international treaty, agreement, or convention; or
(2) via a request made by law enforcement, judicial, or prosecutorial
authorities in a trusted foreign country (when no international treaty,
agreement, or convention is available).\47\
---------------------------------------------------------------------------
\47\ See 31 U.S.C. 5336(c)(2)(B)(ii).
---------------------------------------------------------------------------
[[Page 88737]]
FinCEN generally did not propose to identify in the Access NPRM any
specific Federal agencies that would serve as intermediaries with
foreign governments.\48\ FinCEN instead indicated that it would work
with Federal agencies to identify those that are well positioned to be
intermediaries, based on several factors, including: the level of
engagement with foreign law enforcement agencies, judges, prosecutors,
central authorities, or competent authorities; responsibility under
international treaties, agreements, or conventions; and capacity to
process requests for BOI while managing risks of unauthorized
disclosure. The Access NPRM proposed to permit intermediary Federal
agencies to use BOI obtained from FinCEN at the behest of a foreign
requester only to facilitate a response to that foreign requester.
---------------------------------------------------------------------------
\48\ Given its longstanding relationships and relevant
experience as the financial intelligence unit of the United States,
FinCEN proposed to directly receive, evaluate, and respond to
requests for BOI from foreign financial intelligence units.
---------------------------------------------------------------------------
With respect to the requirement that a foreign request be made
under an ``international treaty, agreement, or convention,'' FinCEN
explained that it understood those terms to cover a legally binding
agreement governed by international law. FinCEN did not propose to
identify specific countries it would treat as ``trusted'' in situations
when no international treaty, agreement, or convention applied. The
Access NPRM explained that to define ``trusted foreign country'' would
have risked arbitrarily excluding foreign requesters with whom sharing
BOI might be appropriate in some cases but not others. FinCEN instead
proposed to conduct case-by-case assessments in consultation with
relevant U.S. government agencies to determine whether to disclose BOI
to a foreign requester in a particular instance.
In the Access NPRM, FinCEN explained that it did not expect foreign
requesters to have direct access to the BO IT system, but rather that
intermediary Federal agencies would perform BOI searches in the system
on a foreign requester's behalf. Before acting as intermediaries,
Federal agencies would first have to fulfill several requirements,
including: (1) ensuring that they have secure systems for BOI storage;
(2) entering into MOUs with FinCEN outlining expectations and
responsibilities; (3) incorporating the CTA foreign sharing
requirements into evaluation criteria with which to review BOI requests
from foreign requesters; (4) integrating the evaluation criteria into
their existing information-sharing policies and procedures; (5)
developing additional security protocols and systems as required under
the CTA and this rule; and (6) ensuring that their personnel have
sufficient training on BOI security and use requirements and
restrictions.
Under the Access NPRM, an intermediary Federal agency would be
authorized to submit foreign requests for BOI to FinCEN only after
meeting these requirements. Such requests would need to include certain
information, including: (1) the names of both the individual within the
intermediary Federal agency making the request and the individual
affiliated with the foreign requester on whose behalf the request was
being made; and (2) either the international treaty, agreement, or
convention under which the request was being made, or a statement that
no such instrument governs along with an explanation of the
information's intended use. Intermediary Federal agencies would also
need to certify that a request meets applicable eligibility criteria.
After doing so, an intermediary Federal agency could then search for
and retrieve requested BOI from the system and respond to the foreign
requester in a manner consistent with either the international treaty,
agreement, or convention, or the request from the trusted foreign
country. Intermediary Federal agencies would be required to maintain
records documenting specified elements of each search, both for the
agency's own internal auditing and for FinCEN audits as required under
the CTA.
Recognizing the importance that all authorized BOI recipients--
including foreign requesters--take appropriate steps to keep BOI
confidential and secure and to prevent misuse, FinCEN also proposed
requiring foreign requesters to handle, disclose, and use BOI
consistent with the requirements of the applicable international
treaty, agreement, or convention under which it is requested. When no
treaty, agreement, or convention applies, the Access NPRM proposed that
the head of an intermediary Federal agency, acting on behalf of a
foreign requester, or their designee, would need to submit to FinCEN a
written explanation of the specific purpose for which the foreign
requester is requesting BOI. The intermediary Federal agency in such
cases would have also needed to provide FinCEN with a certification
that the requested BOI would be: (1) used in furtherance of a law
enforcement investigation or prosecution, or for a national security or
intelligence activity that is authorized under the laws of the relevant
foreign country; (2) only used for the particular purpose or activity
for which it was requested; and (3) handled in accordance with
specified security and confidentiality requirements. Under the proposed
rule, the certification would reflect what the head of the intermediary
Federal agency head or their designee understands to be the intended
use for the BOI, rather than a guarantee from the intermediary Federal
agency that the foreign requester would not use the information for
unauthorized purposes. The Access NPRM further specified that FinCEN
could request additional information from the requester to support
FinCEN's evaluation of whether to disclose BOI to a foreign requester
when the request is not pursuant to an international treaty, agreement,
or convention.
iii. Financial Institutions With Customer Due Diligence Compliance
Obligations Under Applicable Law
The third authorized recipient category under the CTA is financial
institutions that use BOI ``to facilitate compliance with customer due
diligence requirements under applicable law.'' \49\ FinCEN proposed to
define the term ``customer due diligence requirements under applicable
law'' to mean FinCEN's customer due diligence regulations at 31 CFR
1010.230, which require covered financial institutions to identify and
verify beneficial owners of legal entity customers. FinCEN considered
other approaches, but concluded that focusing on its 2016 CDD Rule
alone would make this access category easier to administer, reduce
uncertainty about which financial institutions could access BOI under
the proposed rule, and better protect the security and confidentiality
of sensitive BOI by limiting the circumstances under which financial
institutions could access the information. There also did not appear to
be any State, local, or Tribal customer due diligence requirements
comparable in substance to FinCEN's 2016 CDD Rule.\50\
---------------------------------------------------------------------------
\49\ 31 U.S.C. 5336(c)(2)(B)(iii).
\50\ In the Access NPRM, FinCEN specifically asked commenters to
identify any Federal, State, local, or Tribal law requirements
comparable to the 2016 CDD Rule regarding financial institutions
identifying and verifying beneficial owners of legal entity
customers. FinCEN received no responses to that request.
---------------------------------------------------------------------------
The CTA further requires that a reporting company's consent is
necessary in order for a financial institution to obtain BOI from
FinCEN. FinCEN proposed to make financial institutions responsible for
obtaining this consent. That proposal reflected FinCEN's assessment
that financial institutions are best positioned to obtain and manage
consent through existing
[[Page 88738]]
processes and by virtue of having direct relationship with reporting
companies as customers. Although certain certifications would be
required, the Access NPRM did not propose that financial institutions
submit proof of a reporting company's consent. FinCEN recognized that
it would not have the capacity to review, verify, and store consent
forms, and additional FinCEN involvement would create undue delays for
the ability of financial institutions to onboard customers. FinCEN also
explained that a financial institution's compliance with these
requirements would be assessed by Federal functional regulators in the
ordinary course during examinations, or by financial SROs during their
routine BSA examinations.\51\
---------------------------------------------------------------------------
\51\ The CTA requirements financial institutions must satisfy to
qualify for BOI disclosure from FinCEN are part of the BSA, a
statute enacted in pertinent part in Chapter X of the Code of
Federal Regulations. FinCEN has delegated its authority to examine
financial institutions for compliance with Chapter X to the Federal
functional regulators. See 31 CFR 1010.810. Separately, the FBAs
have their own authority to examine the financial institutions that
they supervise for compliance with the BSA. See 12 U.S.C.
1786(q)(2), 1818(s)(2).
---------------------------------------------------------------------------
FinCEN described in the Access NPRM its plan to establish for
financial institutions a more circumscribed BO IT system interface than
would be available to most Federal agencies and State, local, and
Tribal law enforcement agencies. This would be based on the defined
purposes for which financial institutions can use BOI under the CTA and
the proposed requirement that they obtain reporting company consent
before requesting the information from FinCEN. The interface would
require financial institutions to submit identifying information
specific to a particular reporting company (for example, the company
name and tax identification number). In return, the financial
institution would receive an electronic transcript with that reporting
company's BOI at the time of the request. The transcript would not
include any previously submitted BOI for the reporting company.
Although the CTA does not specifically address the safeguards that
financial institutions must implement as a condition for requesting
BOI, the CTA authorizes FinCEN to prescribe by regulation any other
safeguards determined to be necessary or appropriate to protect the
confidentiality of BOI.\52\ In exercising this authority, FinCEN
proposed a principles-based approach by requiring that financial
institutions develop and implement administrative, technical, and
physical safeguards reasonably designed to protect BOI as a
precondition for receiving the information. The proposed regulations
would establish that the security and information handling procedures
necessary to comply with section 501 of the Gramm-Leach-Bliley Act
(Gramm-Leach-Bliley) \53\ and related regulations to protect nonpublic
customer personal information, if applied to BOI under the control of
the financial institution, would satisfy this requirement. Financial
institutions not subject to regulations issued pursuant to section 501
of Gramm-Leach-Bliley would be held to these same substantive standards
under the proposed rules.
---------------------------------------------------------------------------
\52\ 31 U.S.C. 5336(c)(3)(K).
\53\ Public Law 106-102, 113 Stat. 1338, 1436-37 (1999).
---------------------------------------------------------------------------
Subject to certain conditions, the Access NPRM proposed to
authorize financial institutions to share BOI that they obtained from
FinCEN for use in fulfilling customer due diligence obligations with:
(1) their Federal functional regulators, (2) qualifying SROs, or (3)
any other appropriate regulatory agency. FinCEN proposed this
authorization for the sake of efficiency and to more easily provide
regulators with a complete picture of how financial institutions are
obtaining and using BOI for customer due diligence compliance, thereby
supporting the aims and purposes of the CTA, as well as helping them
detect compliance failures.
iv. Regulatory Agencies
The fourth category of authorized recipient under the proposed
regulations is Federal functional regulators and other appropriate
regulatory agencies that (1) are authorized to assess, supervise,
enforce, or otherwise determine financial institution compliance with
customer due diligence requirements under applicable law; (2) use BOI
solely to conduct an assessment, supervision, or authorized
investigation or activity under 31 U.S.C. 5336(c)(2)(C)(i); and (3)
enter into an agreement with FinCEN describing appropriate protocols
for obtaining BOI.
The proposed regulations also incorporated the CTA's limitation on
the scope of access by these agencies. The CTA states that BOI that
FinCEN discloses to financial institutions should ``also be available
to [their qualifying regulators].'' \54\ The Access NPRM therefore
proposed to allow only qualifying regulators to obtain from FinCEN BOI
that financial institutions that they supervise for customer due
diligence compliance had already obtained under the CTA and its
implementing regulations. Obtaining BOI from FinCEN would require
Federal functional regulators and other appropriate regulatory agencies
to certify to FinCEN when requesting BOI that the agency (1) is
authorized by law to assess, supervise, enforce, or otherwise determine
the relevant financial institution's compliance with customer due
diligence requirements under applicable law, and (2) would use the
information solely for that activity.
---------------------------------------------------------------------------
\54\ 31 U.S.C. 5336(c)(2)(C) (emphasis added).
---------------------------------------------------------------------------
FinCEN made clear in the Access NPRM that it did not believe this
customer due diligence-specific authorization was the exclusive means
through which one of these regulators could obtain BOI. The access
provision for Federal agencies engaged in national security,
intelligence, or law enforcement activities focuses on activity
categories, not agency types. To the extent that a Federal functional
regulator, like the Securities and Exchange Commission (SEC), engages
in civil law enforcement activities, agency officers, employees,
contractors, and agents responsible for those activities could obtain
BOI under the access provision for Federal law enforcement activity.
The same principle applies to other agencies with both supervisory
responsibility and authority to engage in other covered activity,
including, potentially, State, local, and Tribal law enforcement
agencies.
In the Access NPRM, FinCEN clarified that it would adopt its
existing regulatory definition of ``Federal functional regulators'' to
minimize the risk of confusion.\55\ FinCEN did not propose to define
``other appropriate regulatory agencies,'' because it assessed that the
requirement that an agency be authorized by law to supervise financial
institutions for customer due diligence compliance sufficiently
circumscribed the category.
---------------------------------------------------------------------------
\55\ Under this definition, the six Federal functional
regulators that supervise financial institutions with customer due
diligence obligations are the Board of Governors of the Federal
Reserve System (FRB), the Office of the Comptroller of the Currency
(OCC), the Federal Deposit Insurance Corporation (FDIC), the
National Credit Union Administration (NCUA), the SEC, and the
Commodity Futures Trading Commission (CFTC). See 31 CFR 1010.100(r).
---------------------------------------------------------------------------
In the Access NPRM, FinCEN considered whether SROs registered with
or designated by a Federal functional regulator pursuant to Federal
statute \56\ (``qualifying SROs'') should qualify as ``other
appropriate regulatory agencies.'' These organizations--like the
Financial Industry Regulatory Authority (FINRA) or the National Futures
Association (NFA)--are not traditionally
[[Page 88739]]
understood to be agencies of the U.S. government,\57\ but they do
exercise self-regulatory authority within the framework of Federal law,
and work under the supervision of Federal functional regulators to
assess, supervise, and enforce financial institution compliance with,
among other things, customer due diligence requirements.\58\ These
qualifying SROs also are subject to extensive oversight by Federal
agencies.\59\
---------------------------------------------------------------------------
\56\ See, e.g., 7 U.S.C. 21; 15 U.S.C. 78o-3.
\57\ See, e.g., In re William H. Murphy & Co., SEC Release No.
34-90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that
FINRA ``is not a part of the government or otherwise a [S]tate
actor'' to which constitutional requirements apply).
\58\ See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2-
9(c)(5).
\59\ See, e.g., Scottsdale Cap. Advisors Corp. v. FINRA, 844
F.3d 414, 418 (4th Cir. 2016) (``Before any FINRA rule goes into
effect, the SEC must approve the rule and specifically determine
that it is consistent with the purposes of the Exchange Act. The SEC
may also amend any existing rule to ensure it comports with the
purposes and requirements of the Exchange Act.'' (citations
omitted); Birkelbach v. SEC, 751 F.3d 472, 475 (7th Cir. 2014) (``A
[FINRA] member can appeal the disposition of a FINRA disciplinary
proceeding to the SEC, which performs a de novo review of the record
and issues a decision of its own.'').
---------------------------------------------------------------------------
FinCEN believed that qualifying SROs fulfill a critical role in
overseeing participants in the financial services sector which
justified their limited and derivative access to BOI: Without this
level of access, qualifying SROs would not be able to effectively
evaluate a financial institution's customer due diligence compliance.
The CTA provides FinCEN broad discretion to specify the conditions
under which authorized recipients of BOI may re-disclose that
information to others. Consequently, the Access NPRM proposed to permit
both financial institutions and Federal functional regulators to re-
disclose to qualifying SROs any BOI they obtained from FinCEN for use
in complying with customer due diligence requirements under applicable
law. A qualifying SRO would (1) need to satisfy the same three
conditions applicable to Federal functional regulators and other
appropriate regulatory agencies, and (2) be permitted to use the
information for the limited purpose of examining compliance with
applicable customer due diligence obligations.
The Access NPRM further proposed that Federal functional regulators
would also be permitted to disclose BOI to DOJ for purposes of making a
referral to DOJ or for use in litigation related to the activity for
which the requesting agency requested the information.
v. Department of the Treasury Access
The CTA includes separate, Treasury-specific provisions for
accessing BOI, tying the access to a Treasury officer's or employee's
official duties requiring BOI inspection or disclosure,\60\ including
for tax administration purposes.\61\ Proposed 31 CFR 1010.955(b)(5)
tracked these authorizations, and provided that Treasury officers and
employees may receive BOI where their official duties require such
access, or for tax administration, consistent with procedures and
safeguards established by the Director of FinCEN. The proposed
regulations also clarified the term ``tax administration purposes'' by
adding a reference to the definition of ``tax administration'' in the
Internal Revenue Code.\62\
---------------------------------------------------------------------------
\60\ See 31 U.S.C. 5336(c)(5)(A).
\61\ See 31 U.S.C. 5336(c)(5)(B).
\62\ 26 U.S.C. 6103(b)(4).
---------------------------------------------------------------------------
The Access NPRM explained that FinCEN envisioned Treasury
components having broad search functionality comparable to that of
Federal agencies engaged in national security, intelligence, or law
enforcement activity. This would include using BOI for enforcement
actions, intelligence and analytical purposes, sanctions-related
investigations, and identifying property blocked pursuant to sanctions,
as well as for activities unique to Treasury, such as for tax
administration and administration of the BOI framework, including
audits, enforcement, and oversight. As with other Federal agencies
requesting BOI for their own use, Treasury would also be permitted to
disclose BOI for purposes of making a referral to DOJ or for use in
litigation related to the activity for which Treasury officers,
employees, contractors, or agents requested the information.
The Access NPRM further explained that FinCEN expected to work with
other Treasury components to establish internal policies and procedures
governing Treasury access to BOI. FinCEN noted that it anticipated that
the security and confidentiality protocols in those policies and
procedures would include elements of the protocols described in
proposed 31 CFR 1010.955(d)(1) as applicable to Treasury activities and
organization. Furthermore, officers and employees identified as having
duties potentially requiring access to BOI would receive training on,
among other topics, determining when their duties require access to
BOI, what they can do with the information, and how to handle and
safeguard it. Their activities would also be subject to audit.
D. CTA Implementation Efforts
i. Beneficial Ownership IT System
The CTA directs the Secretary to maintain BOI ``in a secure,
nonpublic database, using information security methods and techniques
that are appropriate to protect nonclassified information security
systems at the highest security level . . . .'' \63\ FinCEN is
implementing this requirement by developing a secure BO IT system to
receive, store, and maintain BOI. Consistent with the CTA's requirement
\64\ and FinCEN's recognition that BOI is sensitive information
warranting stringent security, the system will be cloud-based and will
meet the highest Federal Information Security Management Act (FISMA)
\65\ level (FISMA High).\66\ A FISMA High rating indicates that losing
the confidentiality, integrity, or availability of information within a
system would have a severe or catastrophic adverse effect on the
organization maintaining the system, including on organizational assets
or individuals.\67\ The rating carries with it a requirement to
implement certain baseline controls to protect the relevant
information.\68\ System functionality will vary by recipient category
consistent with statutory requirements, limitations on BOI disclosure,
and FinCEN's objective of minimizing access to the data as much as
practicable to minimize the risk of unauthorized disclosure. The target
date for the system to begin accepting BOI reports is January 1, 2024,
the same day on which the Reporting Rule takes effect.
---------------------------------------------------------------------------
\63\ CTA, section 6402(7).
\64\ 31 U.S.C. 5336(c)(8).
\65\ 44 U.S.C. 3541 et seq.
\66\ See U.S. Department of Commerce, Federal Information
Processing Standards Publication: Standards for Security
Categorization of Federal Information and Information Systems
(``FIPS Pub 199'') (Feb. 2004), available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf.
\67\ Id. at 3.
\68\ Id.
---------------------------------------------------------------------------
ii. Additional CTA Implementation Efforts
In addition to continuing development of the BO IT system, FinCEN
is working across several other CTA implementation efforts. First, it
is working intensively to develop guidance and other educational
materials to ensure that small businesses have the information they
need to comply and that reporting beneficial ownership information is
as streamlined and straightforward as possible. On March 24, 2023, for
example, FinCEN published its first set
[[Page 88740]]
of guidance materials to aid the public, and in particular the small
business community, in understanding the BOI reporting requirements
taking effect on January 1, 2024.\69\ That guidance, available on
FinCEN's website, includes Frequently Asked Questions (FAQs), guidance
on BOI filing dates, and informational videos.\70\ FinCEN published a
Small Entity Compliance Guide on September 18, 2023, as well as
additional guidance to address more complex topics around BOI
reporting. FinCEN is also developing the infrastructure to respond to
queries, conduct audit and oversight, and provide partner agencies and
financial institutions with access to BOI.
---------------------------------------------------------------------------
\69\ FinCEN, FinCEN Issues Initial Beneficial Ownership
Information Reporting Guidance (Mar. 24, 2023), available at https://www.fincen.gov/news/news-releases/fincen-issues-initial-beneficial-ownership-information-reporting-guidance.
\70\ FinCEN, Beneficial Ownership Information Reporting,
available at https://www.fincen.gov/boi.
---------------------------------------------------------------------------
FinCEN is particularly focused on providing helpful customer
service to reporting companies in the first year and beyond as they
file their BOI. FinCEN currently fields approximately 13,000 inquiries
a year through its Regulatory Support Section, and approximately 70,000
external technical inquiries a year through the IT Systems Helpdesk.
FinCEN has estimated that there will be approximately 32 million
reporting companies in Year 1 of the reporting requirement and
approximately 5 million new reporting companies each year
thereafter.\71\ Given the expected increase in incoming inquiries,
FinCEN is working to stand up a dedicated beneficial ownership contact
center to respond to inquiries about the beneficial ownership reporting
requirements, and to provide assistance to users encountering technical
issues with the BO IT system. FinCEN expects the contact center to
begin operations prior to January 1, 2024.
---------------------------------------------------------------------------
\71\ 87 FR 59498, 59549 (Sept. 30, 2022).
---------------------------------------------------------------------------
FinCEN is also working to establish internal policies and
procedures governing Treasury officer and employee access to BOI, as
well as to draft and negotiate MOUs for access to BOI and related
materials. In keeping with protocols described in this final rule,
Federal, State, local and Tribal agencies outside of Treasury will be
required to enter into MOUs with FinCEN specifying the standards,
procedures, and systems they will be required to maintain to protect
BOI. Agency MOUs will, among other things, memorialize and implement
requirements regarding reports and certifications, periodic training of
individual recipients of BOI, personnel access restrictions, re-
disclosure limitations, and access to audit and oversight mechanisms.
MOUs will also include security plans covering topics related to
personnel security (e.g., eligibility limitations, screening standards,
and certification and notification requirements); physical security
(i.e., system connections and use, conditions of access, and data
maintenance); computer security (i.e., use and access policies,
standards related to passwords, transmission, storage, and encryption);
and inspections and compliance. Agencies will be able to rely on
existing databases and related IT infrastructure to satisfy the
requirement to ``establish and maintain'' secure systems in which to
store BOI where those systems have appropriate security and
confidentiality protocols, and FinCEN will engage with recipient
agencies on these protocols during the MOU development process.
iii. Administration of Access to BOI
For any given user agency, the administrative steps described in
the preceding section will need to be completed before authorized users
obtain access to the BO IT system. These steps will require resources
to complete. Every Federal, State, local, and tribal user agency will
need to enter into an MOU with FinCEN for access to the BO IT system
and put in place the policies and procedures required under the final
Access Rule and the MOU. FinCEN will also need to establish BO IT
system individual user accounts for all personnel who are authorized to
access the system at agencies and financial institutions.
To smoothly manage the draw on resources that this process will
demand, FinCEN will take a phased approach to providing access to the
BO IT system. The first stage will be a pilot program for a handful of
key Federal agency users starting in 2024, as required MOUs and
policies and procedures are completed. The second stage will extend
access to Treasury Department offices and certain Federal agencies
engaged in law enforcement and national security activities that
already have Bank Secrecy Act MOUs (e.g., FBI, IRS-CI, HSI, DEA,
Federal banking agencies (FBAs)). Subsequent stages will extend access
to additional Federal agencies engaged in law enforcement, national
security, and intelligence activities, as well as key State, local, and
Tribal law enforcement partners; to additional State, local, and Tribal
law enforcement partners; in connection with foreign government
requests; and finally, to financial institutions and their supervisors.
FinCEN believes that starting with a small pilot program of users
in 2024 will help test the system and ensure that any issues can be
addressed before expanding access to other users. Making access more
broadly available in the four subsequent stages outlined above will
help ensure the orderly onboarding of authorized users and will space
out the timing of the annual audits of agency users that FinCEN is
required to conduct under the CTA. Additionally, there is a good reason
for FinCEN's sequencing of access, making financial institutions and
their supervisors the last category of users that will receive access
to the BO IT system: FinCEN expects that the timing of their access
will roughly coincide with the upcoming revision of FinCEN's 2016 CDD
Rule. This will allow financial institutions to enjoy certain
administrative efficiencies by bundling system and compliance changes.
FinCEN anticipates providing additional information on the timing and
details regarding this phased implementation approach in early 2024.
E. Comments Received
In response to the NPRM, FinCEN received over 80 comments.
Submissions came from a broad array of individuals and organizations,
including members of Congress, the financial industry and related trade
associations, groups representing small business interests, corporate
transparency advocacy groups, law enforcement representatives,
regulatory associations, legal associations, and other interested
groups and individuals.
In general, many commenters expressed support for the proposed
regulations. These commenters agreed that the proposed regulations were
a significant step forward in improving the ability of law enforcement
and national security agencies to identify illicit actors hiding behind
anonymous shell and front companies. One of the commenters stated that
the proposed regulations would confer benefits to both the United
States and its overseas partners and bring the United States in line
with emerging global practices relating to beneficial ownership
information reporting. These commenters viewed the proposed regulations
as being consistent with the statutory text. They supported the
approach taken to provide access to BOI to authorized recipients and
were encouraged by the proposed limitations and security provisions to
protect the BOI and prevent unauthorized disclosure. These commenters
were
[[Page 88741]]
particularly supportive of the proposed regulations with respect to
U.S. Federal agencies' access to the BOI database. Supportive
commenters agreed that U.S. Federal agencies accessing the database for
law enforcement, intelligence, and national security purposes should
have broad access, and that foreign requesters should be able to
request BOI for similar purposes.
Other commenters expressed general opposition to the proposed
regulations, arguing that the proposed regulations deviate from the CTA
and congressional intent. These commenters argued that the proposed
regulations, if finalized without significant changes, would impose
unnecessary requirements, limitations, and burdens with respect to
certain types of access. Commenters also argued that the proposed
regulations would be too costly and burdensome for small businesses. In
particular, commenters expressed concern over the access provisions
relating to State, local, and Tribal law enforcement authorities and
financial institutions. Some commenters stated that certain
requirements for law enforcement access to BOI, such as the requirement
to submit ``a copy of a court order'' and ``written justification'' in
proposed 31 CFR 1010.955(d)(1)(ii)(B)(2), would create undue barriers
for State, local and Tribal law enforcement and contradict the
statutory text. Other commenters argued that the proposed restrictions
on access by financial institutions and their regulators would
significantly limit the utility of the database. These commenters
argued that proposed regulations interpreted ``customer due diligence
requirements under applicable law'' in 31 U.S.C. 5336(c)(2)(B)(iii) too
narrowly and objected to the requirement that individuals with access
to BOI be located in the United States (31 CFR 1010.955(c)(2)(ii)).
These commenters suggested that FinCEN adopt a broader approach to
financial institutions' access to BOI and asked for clarification on a
number of related provisions, including, for example, expectations
around customer consent, database usage, and discrepancy reporting. One
commenter suggested that FinCEN withdraw the proposed regulations and
engage with the financial services industry and small businesses to
develop a new proposal to better achieve the objectives of the CTA and
the AML Act.
Many commenters, regardless of their overarching views, suggested
specific modifications to the proposed regulations to enhance clarity,
refine policy expectations, ensure technical accuracy, and improve
implementation more broadly. Commenters sought clarification on
specific definitions, use cases, technical requirements and processes,
and database functionality, among other things. Several commenters
advocated for providing certain additional categories of users access
to BOI, while others shared views on the sensitivity of BOI. Several
commenters emphasized their view that BOI needed to be verified and
suggested ways to improve the quality of the database.
Commenters also shared views on future revisions to the 2016 CDD
Rule, highlighting the ways in which they anticipated the proposed
regulations with respect to access would interact with the 2016 CDD
Rule. Among other things, these commenters expressed concerns about
potential inconsistencies between BOI in the database and the customer
information that financial institutions maintain pursuant to customer
due diligence obligations. Many of these commenters urged FinCEN to
address these concerns before 2016 CDD Rule revisions are finalized;
some suggested that these concerns be addressed as part of the final
Access Rule. Several commenters expressed frustration over the
sequencing of the CTA rulemakings, stating, for example, that it is
difficult to provide meaningful comments on the proposed regulations
given uncertainties about revisions to the 2016 CDD Rule.
Commenters shared views on the proposed regulations on FinCEN
identifiers for reporting companies. While some commenters were
supportive of FinCEN's approach, others found the proposal complex and
confusing. Whether or not generally supportive, commenters suggested
specific modifications to the proposal and asked for clarification on
the availability of the information underlying FinCEN identifiers. One
commenter expressed generalized concern about the availability of
FinCEN identifiers and their potential misuse.
FinCEN also received comments on topics not directly related to the
proposed regulations. Some of these comments focused on elements of the
Reporting Rule, e.g., information to be reported, company applicants,
enforcement mechanism, and the proposed BOI report form. Others
identified typographical errors, offered specific recommendations with
respect to MSBs and mutual funds, and urged FinCEN to take steps to
prevent the creation of fraudulent FinCEN websites. One commenter
suggested that FinCEN should be designated as part of the intelligence
community, while another suggested that Congress should repeal the USA
PATRIOT Act. Finally, one commenter highlighted that some individuals
may feel discouraged from submitting comments on proposed regulations
if their views do not align with those of their employer.
FinCEN carefully reviewed and considered each comment submitted.
Many specific proposals will be discussed in more detail in section III
below. FinCEN's analysis and approach has been guided by the statutory
text, including the statutory obligations to disclose BOI to authorized
users for specified purposes while following strict security and
confidentiality protocols and minimizing burdens on stakeholders.
In implementing this final rule, FinCEN took into account the many
comments and suggestions intended to clarify and refine the scope of
the rule and to reduce burdens on authorized users to the greatest
extent practicable. FinCEN further notes that implementation of the
final rule will require additional engagement with stakeholders to
ensure a clear understanding of the rule's requirements, including
through additional guidance, FAQs, and help lines. FinCEN intends to
work within Treasury and with interagency partners to inform these
specific efforts and the broader implementation of this final rule.
III. Discussion of Final Rule
This final rule builds on the Access NPRM and is the next step
after the Reporting Rule in FinCEN's implementation of the CTA. The
final rule aims to ensure that: (1) only authorized recipients have
access to BOI; (2) authorized recipients use that access only for
purposes permitted by the CTA; and (3) authorized recipients only re-
disclose BOI in ways that balance protecting its security and
confidentiality with the CTA objective of making BOI available to users
for a range of authorized purposes. The regulations also provide a
robust framework to ensure that BOI reported to FinCEN, and received by
authorized recipients, is subject to strict cybersecurity controls,
confidentiality protections and restrictions, and robust audit and
oversight measures.
FinCEN is adopting the proposed rule largely as proposed, but with
certain modifications that are responsive to comments received and
intended to reduce barriers to the effective use of BOI, while
maintaining appropriate protections for the information. Among other
things, the final rule broadens the purposes for which financial
institutions may use BOI, and
[[Page 88742]]
streamlines the requirements for State, local, and Tribal law
enforcement access to BOI. FinCEN believes that these changes will help
to ensure that the database is highly useful to relevant stakeholders
who are authorized to access BOI. FinCEN has made certain other
clarifying and technical revisions throughout the rule. We discuss
specific comments, modifications, revisions, and the shape of the final
rule section by section here.
We discuss the elements of the final rule under seven headings: (A)
availability of information--general; (B) prohibition on disclosure;
(C) disclosure of information by FinCEN; (D) use of information; (E)
security and confidentiality requirements; (F) administration of
requests for information reported pursuant to 31 CFR 1010.380; and (G)
violations. In addition, this section discusses general implementation
efforts as they apply to the development of the IT system.
A. Availability of Information--General
Proposed Rule. FinCEN proposed to amend 31 CFR 1010.950(a) to
clarify that the disclosure of BOI would not be governed by Sec.
1010.950(a) but instead by proposed 31 CFR 1010.955.
Comments Received. FinCEN did not receive comments on this
proposal.
Final Rule. The final rule adopts the amendments to 31 CFR
1010.950(a) as proposed. The amendments clarify that the disclosure of
BOI is governed by a new provision, 31 CFR 1010.955, rather than 31 CFR
1010.950(a). Section 1010.950(a) governs disclosure of other BSA
information by Treasury and states that ``[t]he Secretary may within
his discretion disclose information reported under this chapter for any
reason consistent with the purposes of the Bank Secrecy Act, including
those set forth in paragraphs (b) through (d) of this section.'' In
contrast, the CTA authorizes FinCEN to disclose BOI only in limited and
specified circumstances.\72\ As these CTA provisions are separate and
distinct from provisions authorizing disclosure of other BSA
information, distinct regulatory treatment is warranted.\73\
---------------------------------------------------------------------------
\72\ See 31 U.S.C. 5336(c)(2), (5).
\73\ See, e.g., 31 U.S.C. 5319.
---------------------------------------------------------------------------
B. Prohibition on Disclosure
Proposed Rule. Proposed 31 CFR 1010.955(a) would implement the
broad prohibition in the CTA on the disclosure of information reported
to FinCEN pursuant to 31 CFR 1010.380, except as authorized under the
proposed rule. Specifically, the CTA provides that, except as
authorized by 31 U.S.C. 5336(c) and the protocols promulgated
thereunder, BOI reported to FinCEN by reporting companies is
confidential and shall not be disclosed by (1) an officer or employee
of the United States, (2) an officer or employee of any State, local,
or Tribal agency, or (3) an officer or employee of any financial
institution or regulatory agency receiving information under this
subsection of the CTA.\74\ The proposed rule adopted this broad
prohibition on disclosure but extended it in two ways. First, it
extended the prohibition to any of the officers or employees described
in (1) through (3) above regardless of whether they continue to serve
in the position through which they were authorized to receive BOI.
Second, it extended the prohibition on disclosure to any individual who
receives BOI as a contractor or agent of the United States; as a
contractor or agent of a State, local, or Tribal agency; or as a member
of the board of directors, contractor, or agent of a financial
institution.
---------------------------------------------------------------------------
\74\ See 31 U.S.C. 5336(c)(2)(A).
---------------------------------------------------------------------------
Comments Received. One commenter supported the proposed extension
of the prohibition on disclosure of BOI to contractors or agents of the
United States and State, local or Tribal law enforcement agencies, and
to contractors, agents, and directors of financial institutions. The
commenter noted that this extension furthers the purpose of the CTA and
would close potential loopholes around prohibited disclosures of BOI.
Several commenters requested greater clarity on the prohibition on
disclosure or further extension of the prohibition to additional
individuals. One commenter opposed extending the prohibition to agents,
contractors, and, in the case of financial institutions, directors,
arguing that the existing prohibition in the statute was already overly
protective of BOI. One commenter did not believe that the proposed rule
adequately clarifies that the prohibition on disclosure covers
individuals who receive BOI even after they leave the position in which
they were authorized to receive the BOI. This commenter suggested that
the rule should include language that explicitly addresses this
scenario. This commenter also asked that the prohibition on disclosure
explicitly extend to an officer, employee, contactor, or agent of
foreign law enforcement agencies, foreign law enforcement agencies,
foreign judges, foreign prosecutors, or other foreign authorities.
Another commenter suggested adding a provision to prohibit disclosure
by attorneys or parties who may receive BOI in the context of a civil
or criminal proceeding. Another commenter suggested extending access
requirements (which would include the prohibition on disclosure of BOI)
to any individual under contract or under the remit of an entity
authorized to access BOI (non-employee agents), such as consultants,
auditors, and third-party service providers.
Final Rule. The final rule adopts 31 CFR 1010.955(a) as proposed.
FinCEN believes that the proposed rule, including the extension of the
disclosure prohibition to certain specified individuals, is necessary
to fully carry out the CTA's intent to protect sensitive BOI and
prevent unauthorized disclosure of this information. FinCEN proposed
these extensions pursuant to 31 U.S.C. 5336(c)(3)(K), which provides
that ``the Secretary of the Treasury shall establish by regulation
protocols described in [31 U.S.C. 5336(2)(A)] that . . . provide such
other safeguards which the Secretary determines (and which the
Secretary prescribes in regulations) to be necessary or appropriate to
protect the confidentiality of the beneficial ownership information.''
Further, after considering the comments to this provision, FinCEN has
concluded that this provision is sufficiently clear, in terms of the
prohibition on disclosure applying to those individuals who leave a
position in which they were previously authorized to receive BOI. The
proposed rule stated that, except as authorized, BOI is confidential
and ``shall not be disclosed by any individual who receives such
information as'' an officer, employee, contractor, agent, or director.
This prohibition means that individuals who receive BOI when acting in
these specified roles cannot disclose BOI (except as authorized in the
rule) regardless of whether they continue in or leave these roles.
FinCEN has also determined not to add language extending the
prohibition on disclosure to an officer, employee, contactor, or agent
of foreign law enforcement agencies, foreign law enforcement agencies,
foreign judges, foreign prosecutors, or other foreign authorities.
FinCEN believes there are existing mechanisms in place under the CTA
that would appropriately protect BOI in these circumstances. For
example, in the context of foreign access to BOI through a request made
under an international treaty, agreement, or convention, the handling
and use of BOI would be governed by the disclosure and use provisions
of the relevant international treaty, agreement, or
[[Page 88743]]
convention.\75\ As for trusted foreign countries, the CTA explicitly
limits the use of BOI ``for any purpose other than the authorized
investigation or national security or intelligence activity'' \76\ and
proposed 31 CFR 1010.955(c)(2)(ix) (now renumbered as 31 CFR
1010.955(c)(2)(x)) provided that ``any information disclosed by FinCEN
under paragraph (b) of this section shall not be further disclosed to
any other person for any purpose without the prior written consent of
FinCEN, or as authorized by applicable protocols or guidance that
FinCEN may issue.'' In the event of improper disclosure of BOI by a
trusted foreign country, FinCEN would consider all available remedies
including FinCEN's authority to reject a request for BOI or suspend a
requesting party's access to such information.\77\
---------------------------------------------------------------------------
\75\ See 31 U.S.C. 5336(c)(2)(B)(ii)(I)(aa).
\76\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
\77\ See proposed 31 CFR 1010.955(e)(3).
---------------------------------------------------------------------------
FinCEN has also decided not to specifically extend the prohibition
on disclosure to parties in a civil and criminal proceeding because it
views this scenario as being covered by the regulations, specifically
by the provision prohibiting redisclosure without the prior consent of
FinCEN.\78\ FinCEN will consider, however, whether to issue guidance or
FAQs to further address issues relating to public disclosure of BOI in
civil or criminal proceedings. With respect to the commenter suggesting
that FinCEN add language to specify that individuals under contract or
under the remit of an entity authorized to access BOI (including
consultants, auditors, and third-party service providers) are covered
by the prohibition on disclosure, FinCEN believes that proposed 31 CFR
1010.955(a) sufficiently covers these individuals as contractors or
agents.
---------------------------------------------------------------------------
\78\ 31 CFR 1010.955(c)(2)(ix).
---------------------------------------------------------------------------
C. Disclosure of Information by FinCEN
As discussed in the proposed rule, the CTA authorizes FinCEN to
disclose BOI to five categories of recipients. The first category
consists of recipients in Federal, State, local and Tribal government
agencies.\79\ Within this category, FinCEN may disclose BOI to Federal
agencies engaged in national security, intelligence, or law enforcement
activity if the requested BOI is for use in furtherance of such
activity.\80\ FinCEN may also disclose BOI to State, local, and Tribal
law enforcement agencies if ``a court of competent jurisdiction'' has
authorized the law enforcement agency to seek the information in a
criminal or civil investigation.\81\
---------------------------------------------------------------------------
\79\ 31 U.S.C. 5336(c)(2)(B) and 31 U.S.C. 5336(c)(5).
\80\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
\81\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
The second category consists of foreign law enforcement agencies,
judges, prosecutors, central authorities, and competent authorities
(``foreign requesters''), provided their requests come through an
intermediary Federal agency, meet certain additional criteria, and are
made either (1) under an international treaty, agreement, or
convention, or (2) via a request made by law enforcement, judicial, or
prosecutorial authorities in a trusted foreign country (when no
international treaty, agreement, or convention is available).\82\
---------------------------------------------------------------------------
\82\ 31 U.S.C. 5336(c)(2)(B)(ii).
---------------------------------------------------------------------------
The third authorized recipient category are financial institutions
using BOI to facilitate compliance with customer due diligence
requirements under applicable law, provided the financial institution
requesting the BOI has the relevant reporting company's consent for
such disclosure.\83\
---------------------------------------------------------------------------
\83\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------
The fourth category is Federal functional regulators and other
appropriate regulatory agencies acting in a supervisory capacity
assessing financial institutions for compliance with customer due
diligence requirements.\84\ These agencies may access the BOI
information that financial institutions they supervise received from
FinCEN.
---------------------------------------------------------------------------
\84\ 31 U.S.C. 5336(c)(2)(B)(iv).
---------------------------------------------------------------------------
The fifth and final category of authorized BOI recipients is the
Treasury itself, for which the CTA provides access to BOI tied to an
officer or employee's official duties requiring BOI inspection or
disclosure, including for tax administration.\85\
---------------------------------------------------------------------------
\85\ 31 U.S.C. 5336(c)(5).
---------------------------------------------------------------------------
i. Disclosure to Federal Agencies for Use in Furtherance of National
Security, Intelligence, or Law Enforcement Activity
a. Definition of National Security Activity
Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(i) specified that
national security activity includes activity pertaining to the national
defense or foreign relations of the United States, as well as activity
to protect against threats to the safety and security of the United
States.
Comments Received. Commenters generally provided broad support for
the definition of national security activity in proposed 31 CFR
1010.955(b)(1)(i), stating that the activity-based approach is
reasonable, clear, and adequately justified. Some commenters expressed
the view that the definition should not be further delimited or
narrowed, as this may impede the intent of the CTA. One recommended
that FinCEN clarify that the proposed definition is not meant to limit
Congress's language identifying specific national security threats in
the CTA's Sense-of-Congress provision.\86\ Another commenter suggested
adding a reference in the preamble to the illicit finance strategy, as
defined in the 2021 Memorandum on Establishing the Fight Against
Corruption as a Core United States National Security Interest. One
commenter urged FinCEN to include the words ``threats to'' before
``national defense or foreign relations,'' and two commenters suggested
substituting the word ``means'' for ``includes'' to clarify that the
definition is finite. In particular, one of those two commenters noted
that replacing ``includes'' with ``means'' would be consistent with the
statute cited in support of the proposed regulation, 8 U.S.C.
1189(d)(2), which provides that national security ``means'' the
national defense, foreign relations, or economic interests of the
United States.
---------------------------------------------------------------------------
\86\ See CTA, section 6402(3).
---------------------------------------------------------------------------
Final Rule. The final rule largely adopts the proposed rule, but
substitutes ``means'' for ``includes'' in definition in the final rule.
FinCEN agrees that changing ``includes'' to ``means'' will provide
additional clarity while still retaining the approach described by the
proposed rule that draws, in large part, from 8 U.S.C. 1189(d)(2).
Section 1189(d)(2) defines ``national security'' for purposes of
designating foreign terrorist organizations (FTOs) that threaten U.S.
national security. As stated in the proposed rule, FinCEN believes this
definition is appropriate for several reasons. First, the FTO statute
covers a broad range of national security threats to the United States,
including those with an economic dimension. That scope is consonant
with the CTA's goal to combat national security threats that are
financial in nature, such as money laundering, terrorist financing,
counterfeiting, fraud, and foreign corruption.\87\ Second, the FTO
statute arises in a related context insofar as it involves efforts to
hinder illicit actors' economic activities. FinCEN does not intend this
definition to exclude any national security threats that Congress
identified in the CTA. FinCEN also notes that it will determine whether
an agency's activities are ``national security activities'' that
qualify the agency for
[[Page 88744]]
access to BOI during the process to establish a MOU governing access
between the agency and FinCEN. Some undertakings, such as vetting
potential recipients of foreign assistance and procurement contract
awards, might constitute ``national security activities'' depending on
the particular facts and circumstances, and therefore may be evaluated
as part of that process. FinCEN declines to incorporate into the final
rule reference to specific strategies to counter corruption or other
types of specific national security threats. Acts of foreign corruption
are specifically mentioned in the CTA as acts that harm the national
security interests of the United States, and as discussed above, are
already contemplated by the final rule. Referencing specific strategy
documents is therefore unnecessary and could cause confusion.
---------------------------------------------------------------------------
\87\ See CTA, section 6402(3)-(6).
---------------------------------------------------------------------------
b. Definition of Intelligence Activity
Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(ii) defines
intelligence activity to include ``all activities conducted by elements
of the United States Intelligence Community that are authorized
pursuant to Executive Order 12333 (``E.O. 12333''), as amended, or any
succeeding executive order.''
Comments Received. A number of commenters supported the proposed
rule's definition of ``intelligence activity,'' and noted the approach
taken by FinCEN is reasonable. Some commenters expressed that the
definition should not be further delimited or narrowed, as this may
impede the intent of the CTA. Three commenters suggested that the use
of the word ``includes'' was too broad, and it should be replaced with
``means'' to clarify that the definition is finite. One commenter
argued that ``includes'' implies that the proposed rule might allow
sharing BOI under the intelligence activity provisions of 31 U.S.C.
5336, outside of the authorization provided by E.O. 12333. This
commenter also argued that the definition of ``intelligence activity''
in proposed 31 CFR 1010.955(b)(1)(ii) conflicts with proposed 31 CFR
1010.955(b)(3)(i), which refers to disclosures of BOI by FinCEN to an
intermediary Federal agency for transmission to a foreign agency for
assistance in intelligence activity authorized under the laws of a
foreign country. The commenter suggested that FinCEN should revise
Sec. 1010.955(b)(1)(ii) to read ``(ii) intelligence activity, when
used in this section in reference to an activity of the United States,
means all activities that elements of the United States intelligence
community are authorized to conduct pursuant to E.O. 12333, as amended,
or any successor [E]xecutive order.'' A different commenter recommended
that FinCEN make clear that E.O. 12333's limitation on the use of
United States person information by the Intelligence Community would
not constrain use of BOI, if the use was otherwise permitted by the
CTA. One commenter, while concurring with the proposed rule as sensible
and workable, suggested it should include a reference to the 2021 U.S.
Strategy on Countering Corruption and its calls for increasing
intelligence activity on corrupt actors and bolstering information
sharing between the Intelligence Community and law enforcement.
Final Rule. The final rule adopts the proposed rule with two
clarifying edits. First, FinCEN adopts the recommendation to substitute
``means'' for ``includes'' within the definition, in order to clarify
that ``intelligence activity'' covers only those activities conducted
by elements of the United States Intelligence Community that are
authorized pursuant to E.O. 12333, as amended, or any succeeding
executive order. Second, FinCEN agrees that the definition of
``intelligence activity'' in proposed 31 CFR 1010.955(b)(1)(ii) was
incompatible with the authorization for sharing of BOI with foreign
requesters in proposed 31 CFR 1010.955(b)(3)(i), as it proposed to
define intelligence activities throughout the rule exclusively by
reference to U.S. legal authorities. The final rule corrects this
mistake by inserting new 31 CFR 1010.955(b)(3)(iv), a definition of the
term ``intelligence activity authorized under the laws of a foreign
country'' that clearly relates such activity to foreign legal
authorities that establish what constitute legally acceptable
intelligence activities under the laws of another country, as E.O.
12333 does for U.S. law.\88\
---------------------------------------------------------------------------
\88\ FinCEN has addressed an analogous drafting problem in
proposed 31 CFR 1010.955(b)(1)(i) with reference to the term
``national security activity'' by defining the term ``national
security activity authorized under the laws of a foreign country''
in new 31 CFR 1010.955(b)(3)(iii).
---------------------------------------------------------------------------
FinCEN does not believe that additional clarifications are
necessary regarding the scope of access to BOI by Federal agencies
engaged in intelligence activity, to the extent the activity relates to
United States persons. E.O. 12333 sets out the scope of authorized
activity and, among other things, provides that agencies shall,
consistent with the provisions of the Order, prepare and provide
intelligence in a manner that ``allows the full and free exchange of
information, consistent with applicable law and presidential
guidance.'' Internal procedures established pursuant to the Order
further govern the handling of information relating to U.S. persons.
Finally, FinCEN declines to incorporate into the final rule reference
to specific strategies to counter corruption or other national security
threats, while noting that acts of foreign corruption are specifically
mentioned in the CTA as acts that harm the national security interests
of the United States.
c. Definition of Law Enforcement Activity
Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(iii) defined ``law
enforcement activity'' to include ``investigative and enforcement
activities relating to civil or criminal violations of law.'' The
proposed rule specified that such activity does not include routine
supervision or examination of a financial institution by a Federal
regulatory agency with authority described in 31 CFR
1010.955(b)(4)(ii)(A). The inclusion of both investigation and
enforcement as ``law enforcement activity'' was based on FinCEN's view
that it is consistent with the CTA to authorize Federal agencies to
access BOI at all stages of the law enforcement process.
Comments Received. Commenters generally agreed with the definition
in 31 CFR 1010.955(b)(1)(iii), stating that the proposed rule is
reasonable and workable. One commenter emphasized the need for law
enforcement to have access to BOI during all stages of criminal or
civil investigations. Two commenters suggested that the use of the word
``includes'' was too broad, and it should be replaced with ``means'' to
clarify that the definition is finite. Some commenters expressed that
the definition should not be further delimited or narrowed, as this may
impede the intent of the CTA. One commenter concurred with the
exclusion of routine supervision and examination by Federal regulator
agencies, as these activities are covered by a separate section of the
CTA, and the proposed rule also recognizes that Federal functional
regulators engage in law enforcement activities that will enable them
to request BOI. However, two commenters took an opposite view, arguing
that the proposed rule should be modified either at 31 CFR
1010.955(b)(1) or 31 CFR 1010.955(b)(1)(iii) to explicitly include
disclosure to Federal regulatory agencies for law enforcement purposes
as a disclosure governed by 1010.955(b)(1). Another commenter supported
the broad definition of law enforcement activity but sought an explicit
extension of the definition to State, local, and Tribal authorities, as
[[Page 88745]]
well as the inclusion of specific exemplar criminal violations related
to taxes, wages, theft, forgery, insurance fraud, and human
trafficking.
Final Rule. The final rule adopts the proposed rule with the
exception of one clarifying edit. Specifically, FinCEN adopts the
recommendation to substitute ``means'' for ``includes'' within the
definition to further clarify the definition, while retaining the
approach from the proposed rule. FinCEN also notes that it will
determine whether an agency's activities are ``law enforcement
activities'' qualifying it for access to BOI during the process to
establish a MOU between the agency and FinCEN governing such access.
FinCEN declines to incorporate into the final rule reference to
specific criminal violations, as this is redundant considering the
existing language regarding civil or criminal violations of law.
Regarding the role of Federal regulatory agencies, FinCEN does not
believe that a change to the proposed language is warranted. As stated
in the proposed rule, the access provision for Federal agencies engaged
in national security, intelligence, or law enforcement activities
focuses on activity categories, not agency types. To the extent a
Federal functional regulator engages in civil law enforcement
activities, those activities would be covered by the law enforcement
access provision.
ii. Disclosure to State, local, and Tribal Law Enforcement Agencies for
Use in Criminal or Civil Investigations
a. A Court of Competent Jurisdiction
Proposed Rule. The CTA permits FinCEN to disclose BOI upon receipt
of a request, through appropriate protocols, ``from a State, local, or
Tribal law enforcement agency, if a court of competent jurisdiction,
including any officer of such a court, has authorized the law
enforcement agency to seek the information in a criminal or civil
investigation.'' \89\ Proposed 31 CFR 1010.955(b)(2) implements this
provision and would allow FinCEN to disclose BOI to a State, local, or
Tribal law enforcement agency that requests this information if a court
of competent jurisdiction has authorized the agency's request for the
BOI for use in a criminal or civil investigation. Proposed 31 CFR
1010.955(b)(2)(i) further provided that a court of competent
jurisdiction is ``any court'' with jurisdiction over the criminal or
civil investigation for which a State, local, or Tribal agency requests
BOI.
---------------------------------------------------------------------------
\89\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
Comments Received. Commenters were generally supportive of the
definition of the phrase ``court of competent jurisdiction'' in
proposed 31 CFR 1010.955(b)(2)(i). These commenters noted that the
proposed definition is flexible enough to encompass a wide variety of
courts and will facilitate the ability of State, local, or Tribal law
enforcement agencies to seek court authorization for the purpose of
requesting BOI from FinCEN. Several commenters requested that FinCEN
explicitly include administrative courts and adjudicatory bodies such
as boards and commissions. One commenter noted that state and local
governments allow civil law enforcement proceedings to occur in
hearings before adjudicators that are independent of law enforcement,
such as administrative law judges. Some commenters also recommended
that ``court of competent jurisdiction'' should explicitly account for
jurisdiction over an investigation or a ``case'' because BOI may be
relevant to both.
Final Rule. The final rule adopts 31 CFR 1010.955(b)(2)(i) as
proposed. FinCEN agrees with the commenters who thought the level of
clarity provided by this provision is sufficient to encompass the
various types of courts and adjudicatory bodies that exist in State,
local, and Tribal jurisdictions, including those which some commenters
suggested that FinCEN explicitly reference. The reference in this
provision to ``any court'' that has jurisdiction over an investigation
provides broad and, in FinCEN's view, sufficiently clear applicability.
As such, FinCEN believes it is unnecessary to list specific types of
adjudicatory bodies that would qualify as a court of competent
jurisdiction. Further, in response to the comments that requested that
FinCEN clarify that a court of competent jurisdiction includes an
adjudicative body with jurisdiction over both investigations and
``cases'' (understood as ongoing civil or criminal court proceedings),
FinCEN has followed the formulation in the CTA, which uses the term
``criminal or civil investigation.'' \90\ However, FinCEN does not
believe that this clause excludes State, local, or Tribal agencies from
seeking a request for BOI as part of an ongoing ``case,'' whether that
be a civil proceeding or a criminal prosecution following an initial
investigation.
---------------------------------------------------------------------------
\90\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
b. State, Local, or Tribal Law Enforcement Agencies
Proposed Rule. Proposed 31 CFR 1010.955(b)(2)(ii) defined a
``State, local, or Tribal law enforcement agency'' as ``an agency of a
State, local, or Tribal government that is authorized by law to engage
in the investigation or enforcement of civil or criminal violations of
law.'' The proposed rule defined this term in a manner similar to the
proposed definition of ``law enforcement activity'' for Federal
agencies to ensure consistency regardless of whether law enforcement
activity occurs at the Federal, State, local, or Tribal, level.
Comments Received. Several commenters argued that FinCEN should
clarify in the final rule that State, local, and Tribal law enforcement
agencies include various types of administrative and regulatory bodies
covering a range of subject areas such as labor and employment,
contracting, tax, unemployment insurance, and workers' compensation,
among others. One commenter recommended that FinCEN amend 31 CFR
1010.955(b)(2)(ii) to state that a State, local or Tribal law
enforcement agency is one that is authorized by law to investigate or
enforce civil, criminal, ``or administrative'' violations of law. Some
commenters noted that many State, local, and Tribal regulatory agencies
also have law enforcement functions insofar as they have the authority
to both issue regulations and enforce compliance with regulations. One
of these commenters believed that proposed 31 CFR 1010.955(b)(2)(ii)
already covers these regulatory agencies. Finally, one commenter
suggested that FinCEN clarify that local enforcement agencies include
non-Federal agencies within the government of the District of Columbia.
Final Rule. FinCEN is adopting 31 CFR 1010.955(b)(2)(ii) as
proposed. FinCEN believes that this provision is adequately clear and
sufficiently flexible to encompass the many varieties of State, local,
and Tribal law enforcement agencies that engage in the investigation or
enforcement of civil or criminal violations of law, including
regulatory violations. As a result, it is not necessary, in FinCEN's
view, to specifically list examples of State, local, and Tribal law
enforcement agencies, as some commenters requested. Furthermore, in
response to the commenter's request that the final rule explicitly
include non-Federal agencies within the District of Columbia, FinCEN
believes this is unnecessary because the
[[Page 88746]]
definition of ``State'' in the CTA includes the District of
Columbia.\91\
---------------------------------------------------------------------------
\91\ 31 U.S.C. 5336(a)(12); see also supra note 5.
---------------------------------------------------------------------------
c. Court Authorization and Written Certification
Proposed Rule. The CTA provides that FinCEN may disclose BOI to a
State, local, or Tribal law enforcement agency ``if a court of
competent jurisdiction, including any officer of such a court, has
authorized the law enforcement agency to seek the information in a
criminal or civil investigation.'' \92\ Proposed 31 CFR 1010.955(b)(2)
would implement this provision of the CTA by allowing FinCEN to
disclose BOI to a State, local, or Tribal law enforcement agency that
requests this information if a court of competent jurisdiction
authorizes the agency's request for the BOI for use in a criminal or
civil investigation. FinCEN did not propose to identify every kind of
court authorization that would satisfy the CTA, and it did not propose
to specify which officers of a court may provide authorization. That is
because FinCEN recognized that State, local, and Tribal practices are
likely to be varied with respect to how law enforcement agencies may be
authorized by a court to seek information in connection with an
investigation or prosecution.
---------------------------------------------------------------------------
\92\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------
In addition, the proposed rule included safeguards designed to
protect the confidentiality of BOI and ensure it is not misused. These
requirements were also meant to ensure that FinCEN could properly audit
requests for BOI from State, local, and Tribal law enforcement
agencies, consistent with the CTA's audit requirements.\93\ As a
result, proposed 31 CFR 1010.955(d)(1)(ii)(B)(2) required that when a
State, local, or Tribal law enforcement agency requests BOI from
FinCEN, the head of such an agency or their designee would have to
submit to FinCEN, ``in the form and manner as FinCEN shall prescribe:''
(i) a copy of a court order from a court of competent jurisdiction
authorizing the agency to seek the BOI in a criminal or civil
investigation, and (ii) a written justification explaining why the
request for BOI is relevant to the civil or criminal investigation. The
proposed rule further explained that after FinCEN reviewed the relevant
authorization for sufficiency and approved the request, an agency could
then conduct searches using multiple search fields consistent in scope
with the court authorization and subject to audit by FinCEN.\94\ Thus,
the court order and written justification requirements in the proposed
rule were meant to serve multiple purposes--i.e., to ensure that a
court of competent jurisdiction has authorized an agency's request for
the BOI, protect the security of confidential BOI, and enable FinCEN to
conduct required audits of searches by State, local, or Tribal law
enforcement agencies.
---------------------------------------------------------------------------
\93\ See 31 U.S.C. 5336(c)(3)(J).
\94\ 87 FR at 77409-10.
---------------------------------------------------------------------------
These requirements were proposed alongside other security and
confidentiality requirements applicable to all domestic government
requesters of BOI. For example, the proposed rule explained that
Federal agency users of FinCEN's BOI database would be required to
submit brief justifications to FinCEN for their searches, explaining
how their searches further a particular qualifying activity, and these
justifications would be subject to oversight and audit by FinCEN.
Additionally, the proposed rule required a Federal, State, local, or
Tribal agency requesting BOI to minimize to the greatest practicable
extent the scope of BOI it seeks, consistent with the agency's purpose
in requesting BOI.
Comments Received. Commenters generally opposed the requirements in
proposed 31 CFR 1010.955(d)(1)(ii)(B)(2)(i) that the head of a State,
local, or Tribal law enforcement agency, or their designee, must obtain
and submit a copy of a court order to FinCEN authorizing the agency to
seek BOI in a criminal or civil investigation. Commenters opposed the
court order requirements for two broad reasons: they argued that,
first, these requirements conflict with the plain language of the CTA
as well as with congressional intent; and second, these requirements
would create burdens on State, local, and Tribal agencies that would
impede their ability to access BOI in a timely manner, which would be
contrary to the goals of the CTA. In general, commenters encouraged
FinCEN to take a more flexible approach in specifying the manner in
which a court authorizes a request for BOI, which court personnel can
provide that authorization, and at what stage in an investigation or
proceeding agencies may seek the BOI from FinCEN. In sum, these
commenters argued that the final rule should adopt the broader concept
of court authorization from the CTA.
Commenters also generally opposed for largely the same reasons the
requirement in proposed 31 CFR 1010.955(d)(1)(ii)(B)(2)(i) that the
agency head must also submit a written justification to FinCEN
explaining the relevance of the BOI for the investigation.
Specifically, some commenters noted that the CTA does not contain such
a requirement, expressed concerns that this requirement would unduly
delay requests by agencies for BOI, and highlighted the challenges
involved in FinCEN reviewing each justification provided by an agency
that requests BOI.
In the first category of objections to the court order requirement,
several commenters argued that the proposed rule conflicts with the
plain language of the CTA which does not require a court order for
State, local, or Tribal law enforcement agencies seeking access to BOI.
Instead, these commenters pointed out that the CTA uses the general
concept of court authorization, which could also include other kinds of
authorization. Commenters also cited the legislative history of the CTA
in arguing that Congress intended to create a less formal and more
flexible process. These commenters noted that Congress had considered
and rejected a narrower concept than court authorization when debating
the CTA's provision concerning State, local, and Tribal law enforcement
agency access to BOI.
In the second category of objections to the proposed court order
requirement, commenters argued that a court order requirement would
place unnecessary burdens on State, local, and Tribal law enforcement
agencies as well as the courts involved because of the need to take
additional efforts to obtain a court order. These burdens would be
exacerbated because these agencies often face greater resource
constraints compared to their Federal counterparts. The result would be
delays in investigations. One commenter noted that the requirement
could give some courts the impression that formal pleadings, evidence-
based standards, or a hearing is necessary to authorize a request for
BOI.
Furthermore, commenters argued that a court order requirement would
effectively restrict agencies to working only with a narrow category of
court officers, most likely a judge, rather than ``any officer of such
court'' as the CTA permits. These commenters also argued that, as a
result, the court order requirement conflicts with the CTA. One
commenter recommended that the final rule should clearly state that a
court officer includes any individual who exercises court authority,
including a judge, magistrate, clerk, bailiff, sheriff, prosecutor,
clerk assistant, or other personnel that the court designates to
authorize a request for BOI. A few commenters argued that since an
attorney is commonly considered a ``court officer,'' and many
jurisdictions allow attorneys to issue subpoenas,
[[Page 88747]]
attorneys should be able to authorize a request for BOI. However, one
commenter disagreed with this view, arguing that only court personnel
should be allowed to authorize an agency's request for BOI. In
addition, one commenter requested that FinCEN provide guidance to court
officials who are involved in authorizing an agency's request for BOI,
setting forth the proper procedures for reviewing these requests as
well as potentially providing an authorization form for agencies and
courts to use. Commenters also recommended that FinCEN provide
flexibility in how the court order was reported to FinCEN.
Several commenters also highlighted the need for flexibility
regarding when in the course of a civil or criminal investigation
courts may authorize a State, local, or Tribal law enforcement agency
to seek BOI. For example, some commenters requested that FinCEN clarify
in the final rule that a grand jury subpoena qualifies as court
authorization under the CTA. Some commenters also argued that the final
rule should provide more clarity regarding how prosecutors can draft
grand jury subpoenas to ensure that they would satisfy the court
authorization requirement. Commenters also requested that the final
rule clarify that courts should be permitted to authorize BOI requests
throughout the full life cycle of an investigation, including after the
initiation of a civil or criminal proceeding.
As for the written justification requirement in the proposed rule,
commenters argued that it could limit the ability of State, local, and
Tribal law enforcement agencies to access BOI, and commenters noted
that there is no such requirement in the text of the CTA. Several
commenters argued that the written justification requirement would
create a double review process in which these agencies would first have
to obtain approval from a court for their request for BOI, and then
they would need to gain a second level of approval from FinCEN.
According to these commenters, FinCEN would compare the written
justification to the court order, and based on its review, could reject
the court's decision to authorize an agency's request for BOI. Some
commenters argued that such case-by-case review of justifications by
FinCEN would overwhelm FinCEN's resources and cause significant delays
in the ability of State, local, and Tribal law enforcement agencies to
access BOI.\95\ The result, according to several commenters, is that
the written justification requirement would undermine the CTA's policy
goal that the database be ``highly useful'' to law enforcement.\96\
---------------------------------------------------------------------------
\95\ Commenters made several other arguments against the written
justification requirement. For example, another commenter argued
that it would be inappropriate for FinCEN to require
``justification'' from State, local, or Tribal law enforcement
agencies because the CTA only required ``certifications'' from
Federal agency heads; that FinCEN does not have the required subject
matter expertise to evaluate justifications; and that the term
``justification'' implied a level of persuasiveness that would be
required in the written statements that State, local, or Tribal law
enforcement agencies provide when they request BOI.
\96\ See CTA, section 6402(8)(C).
---------------------------------------------------------------------------
Finally, some commenters focused on alternative approaches to
State, local, and Tribal law enforcement access to BOI. One commenter
argued that the final rule should require that State, local, and Tribal
law enforcement agencies obtain a grand jury subpoena in order to
request BOI, and this commenter also supported the written
justification requirement. One commenter raised concerns about whether
courts could adequately protect the privacy of BOI and argued that a
separate government agency should be responsible for managing BOI
access requests on behalf of State, local, and Tribal agencies.
Further, one commenter noted that the CTA itself had imposed stricter
requirements on State, local, and Tribal agencies than it imposed upon
their Federal counterparts since the CTA imposed a court authorization
requirement on the former agencies. This commenter believed that
statutory changes would be necessary to remove the court authorization
requirement in order to make it simpler for State, local, and Tribal
agencies to access the BOI database.
Final Rule. The final rule adopts the requirements for State,
local, and Tribal law enforcement agencies' access to BOI in proposed
31 CFR 1010.955(b)(2) without change. However, FinCEN was persuaded by
comments that were critical of the requirements in proposed 31 CFR
1010.955(d)(1)(ii)(B)(2) that State, local, and Tribal law enforcement
agencies submit a copy of a court order and written justification for
FinCEN review prior to searching for BOI. Accordingly, FinCEN has made
several changes to that provision in the final rule. These revisions
are intended to streamline State, local, and Tribal law enforcement
agency access to BOI and reduce burdens on these agencies and courts as
well as on FinCEN, while at the same time maintaining robust
confidentiality and security requirements for these agencies and FinCEN
oversight and audit of these requests.
First, Sec. 1010.955(d)(1)(ii)(B)(2)(i) will no longer require
that these agencies obtain a specific form of court authorization, such
as a court order. Instead, the final rule requires only that State,
local, and Tribal law enforcement agencies obtain ``court
authorization'' to seek BOI from FinCEN as part of a civil or criminal
investigation. As the preamble to the proposed rule noted, FinCEN
requested comment on the various types of relevant court authorization
that exist at the State, local, and Tribal level, and requested that
commenters explain what role courts or court officers play in
authorizing evidence-gathering activities, what existing practices
involve court authorization, and the extent to which new court
processes could be developed and integrated into existing practices to
satisfy the CTA's authorization requirement. FinCEN also requested
comment on the need for access to BOI at different stages of an
investigation, as well as the privacy interests that may be implicated
by such access. In requesting comment on these topics, FinCEN sought
greater clarity on the various mechanisms in which courts might satisfy
the CTA standard of ``court authorization.'' The comments that FinCEN
received provided greater clarity on how State, local, and Tribal law
enforcement agencies could satisfy the CTA's court authorization
requirement while also meeting FinCEN's obligations under the CTA to
protect the confidentiality of BOI and prevent potential misuse,
including by being able to audit requests by agencies for BOI.
FinCEN agrees that requiring State, local, and Tribal law
enforcement agencies to obtain a court order may create unnecessary
burdens. FinCEN further agrees that the statutory language concerning
court authorization would maintain sufficient flexibility and
facilitate access to BOI by State, local, and Tribal law enforcement
agencies while still protecting against unauthorized use or disclosure.
FinCEN intends the final rule to provide enough flexibility so that a
variety of court officers--such as a judge, clerk of the court, or
magistrate--could provide authorization at appropriate stages of the
investigation process. FinCEN may issue guidance or FAQs on this
subject in the future if needed, including, for example, on how the
court authorization requirement would apply to grand jury proceedings.
Such guidance may also further address questions about court personnel,
stages of the investigation, court procedures
[[Page 88748]]
for reviewing requests for BOI, and other topics concerning court
authorization in the context of specific factual circumstances.
However, FinCEN agrees with those commenters who argued that being
an attorney, by itself, is not sufficient to empower an individual to
grant the required court authorization under the CTA. As discussed in
the proposed rule, FinCEN does not believe the CTA, which includes
numerous provisions limiting who may access BOI, permits any individual
with a license to practice law to authorize the disclosure of BOI, even
if they are sometimes referred to as ``officers of the court'' in other
contexts. FinCEN further does not agree with the commenter that
suggested that a separate government agency, apart from a court of
competent jurisdiction, should handle BOI requests from State, local,
or Tribal law enforcement agencies. The CTA is clear that these
agencies must seek court authorization in order to request BOI from
FinCEN, and FinCEN believes that the security and confidentiality
requirements reflected in the final rule will be sufficient to protect
against unauthorized use or disclosure.
Second, rather than submit a copy of the authorization (such as a
copy of a court order) to FinCEN, Sec. 1010.955(d)(1)(ii)(B)(2) now
only requires that State, local, and Tribal law enforcement agencies
(1) certify that they have received authorization to seek BOI from a
court of competent jurisdiction and that the BOI is relevant to a civil
or criminal investigation, and (2) provide a description of the
information the court has authorized the agency to seek.\97\ FinCEN is
persuaded by comments stating that the requirement in the proposed rule
would have set more stringent requirements for State, local, and Tribal
law enforcement agencies than would apply to their Federal
counterparts. FinCEN is further persuaded by comments that FinCEN
should instead allow these agencies to certify that they have obtained
appropriate authorization from a court of competent jurisdiction.
---------------------------------------------------------------------------
\97\ FinCEN will specify the precise method of certification at
a later date.
---------------------------------------------------------------------------
FinCEN does not intend to look behind these certifications to
assess the sufficiency of a court's authorization at the time a request
is submitted. Instead, the final rule clearly reflects FinCEN's role in
auditing requesting agencies' BOI requests, which requires a process to
ensure that a request for BOI by a State, local, or Tribal law
enforcement agency remains within the terms of the court authorization.
FinCEN believes that the certification requirement, along with the
requirement to provide a description of the information the court has
authorized the agency to seek, will provide FinCEN with a sufficiently
robust means to effectively conduct oversight and audit of such access.
Third, in response to commenters' concerns, the final rule
eliminates the written justification requirement in proposed 31 CFR
1010.955(d)(1)(ii)(B)(2)(ii). Moreover, after considering commenters'
concerns about potential delays associated with a case-by-case review
of written justifications from these agencies in connection with BOI
requests, and taking into account available resources, FinCEN has
determined that, as a policy matter, it will not conduct individual
reviews of each request for BOI by State, local, or Tribal law
enforcement agencies when they are submitted. Rather, consistent with
requirements of the CTA, FinCEN will conduct robust audit and oversight
of State, local, and Tribal law enforcement agency searches for BOI to
ensure that BOI is requested for authorized purposes by authorized
recipients. Finally, by adopting the broad notion of court
authorization that the CTA uses, FinCEN is also choosing not to further
specify in the rule the particular stages of an investigation during
which courts could authorize a request for BOI by State, local, or
Tribal agencies.
iii. Disclosure for Use in Furtherance of Foreign National Security,
Intelligence, or Law Enforcement Activity
a. General
Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to
disclose BOI to foreign requesters when certain criteria were
satisfied. The criteria were that the foreign request for BOI must (1)
come to FinCEN through an intermediary Federal agency; (2) be for
assistance in a law enforcement investigation or prosecution, or for a
national security or intelligence activity, authorized under the laws
of the foreign country; and (3) either be made under an international
treaty, agreement, or convention, or, when no such instrument was
available, be an official request by a law enforcement, judicial, or
prosecutorial authority of a trusted foreign country.
Comments Received. A few commenters supported both foreign
requester access to BOI and the threshold requirements for that access.
Another commenter stated that the proposed rule should specify
timelines for processing and responding to foreign requests. One
commenter stated that BOI should not be shared with foreign requesters
at all.
Final Rule. FinCEN adopts the proposed rule without changes. The
final rule is consistent with the letter, spirit, and purposes of the
CTA by permitting foreign requesters to obtain BOI for, and use it in,
the full range of activities contemplated by 31 U.S.C.
5336(c)(2)(B)(ii) (i.e., law enforcement, national security, and
intelligence activities). The rule also resolves ambiguities arising
from inconsistent statutory language. Specifically, one part of the
CTA's foreign access provision appears to require a request to arise
from a foreign ``investigation or prosecution,'' \98\ while another
appears to allow a foreign requester to use BOI to further any
``authorized investigation or national security or intelligence
activity.'' \99\ The final rule resolves this discrepancy by clarifying
that authorized national security and intelligence activities, as well
as law enforcement investigations or prosecutions, could be a basis for
a BOI request.
---------------------------------------------------------------------------
\98\ 31 U.S.C. 5336(c)(2)(B)(ii)(I).
\99\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
---------------------------------------------------------------------------
FinCEN declines to specify timelines for processing and responding
to foreign requests. At this juncture, FinCEN does not have sufficient
data to support a prediction about the average amount of time it will
take to issue a response to a foreign request. Average response times
for requests from foreign countries when no international treaty,
agreement, or convention applies are particularly hard to predict.
These may often require highly fact-intensive assessments of both the
requester and the request, require broad analysis of U.S. interests and
priorities, and involve consultation with other relevant U.S.
government agencies. Such assessments could take a matter of days or
significantly longer. While sharing under international treaties,
conventions, or agreements might follow more predictable timelines,
unforeseeable procedural, legal, or inter-governmental impediments
hurdles could create delays. FinCEN commits to processing requests as
quickly as practicable with available resources rather than establish
deadlines based on limited data.
b. Intermediary Federal Agency
Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to
disclose BOI to foreign requesters when certain criteria were
satisfied. One criterion identified by the CTA and the proposed
regulation was that requests for BOI must come to FinCEN through an
intermediary Federal agency.
[[Page 88749]]
The CTA did not identify particular intermediary Federal agencies,
and FinCEN did not propose to identify any by regulation. FinCEN
instead stated its intention to work with Federal agencies to identify
agencies suited to serving as intermediaries between FinCEN and foreign
requesters. For example, one indicator of potential suitability
identified by FinCEN in the Access NPRM was a Federal agency having
regular engagement and familiarity with foreign law enforcement
agencies, judges, prosecutors, central authorities, or competent
authorities on matters related to law enforcement, national security,
or intelligence activity. Other factors would include whether a
prospective intermediary Federal agency has established policies,
procedures, and communication channels for sharing information with
those foreign parties, and whether the prospective intermediary Federal
agency represents the U.S. government in relevant international
treaties, agreements, or conventions; other factors include the
expected number of requests that the agency could receive, and the
ability of the agency to efficiently process requests while managing
risks of unauthorized disclosure.
In the Access NPRM, FinCEN stated that it would work with potential
intermediary Federal agencies to: (1) ensure that they have secure
systems for BOI storage; (2) enter into MOUs outlining expectations and
responsibilities; (3) translate the CTA foreign sharing requirements
into evaluation criteria against which intermediary Federal agencies
could review requests from foreign requesters; (4) integrate the
evaluation criteria into the intermediary Federal agencies' existing
information-sharing policies and procedures; (5) develop additional
security protocols and systems as required under the CTA and its
implementing regulations; and (6) ensure that intermediary Federal
agency personnel have sufficient training on applicable requirements
under the CTA and its implementing regulations. Under the proposal,
FinCEN would exercise oversight and audit functions to ensure that
intermediary Federal agencies adhere to requirements and take
appropriate measures to mitigate the risk of foreign requesters abusing
the information.
Given its longstanding relationships and relevant experience as the
financial intelligence unit (FIU) of the United States, FinCEN proposed
to directly receive, evaluate, and respond to requests for BOI from
foreign FIUs.
Comments Received. One commenter expressed surprise that the
proposed rule did not include examples of intermediary Federal
agencies, while another commenter supported the potential for any
Federal agency to become an intermediary Federal agency. There were
varying perspectives on the proposal that FinCEN should act as an
intermediary Federal agency for BOI requests from foreign FIUs. One
commenter stated that foreign requesters might funnel all requests for
BOI through their FIUs if FinCEN served as an intermediary Federal
agency for foreign FIU requests, which would significantly increase
FinCEN's workload. That commenter also said that exchanges through FIUs
were not admissible in court. In contrast, one commenter indicated that
FinCEN's role should be broadened to include receiving, reviewing, and
evaluating all foreign requests, not just those from foreign FIUs.
Another commenter asked FinCEN to clarify that, when reviewing and
responding to requests for BOI from foreign FIUs, FinCEN would adhere
to the proposed requirements applicable to other intermediary Federal
agencies.
Final Rule. FinCEN adopts the proposed rule without any changes.
FinCEN is still in the early stages of working to identify intermediary
Federal agencies, and therefore is not in a position to list those
agencies in a regulation. FinCEN can anticipate several Federal
agencies that likely could serve as intermediary Federal agencies given
that (1) the rule contemplates FinCEN taking indirect requests for BOI
from foreign requesters; (2) requests will be for assistance in law
enforcement investigations or prosecutions, or for a national security
or intelligence activity, authorized under the laws of the relevant
foreign country; and (3) many requests for BOI will come under
international treaties, agreements, and conventions. Federal agencies
that are likely to meet these criteria include the U.S. Departments of
State and Justice, the Federal Bureau of Investigation, U.S. Customs
and Border Protection, the IRS, and member agencies of the Intelligence
Community. This list only provides examples of Federal agencies whose
activities seem to align with the functions of an intermediary Federal
agency and is not intended to create expectations regarding possible
intermediary Federal agencies.
FinCEN itself will very likely act as the intermediary Federal
agency for requests for BOI from foreign FIUs. As the FIU for the
United States, FinCEN already has policies and procedures for, and
extensive experience in, sharing information related to national
security, intelligence, and law enforcement activities with foreign
FIUs through the Egmont Group. Accordingly, FinCEN could leverage
existing processes and relationships to fulfill the requirements of the
CTA and its implementing regulations.
FinCEN does not expect that foreign requesters will funnel all
requests for BOI through their FIUs and overwhelm FinCEN. The rule
permits foreign FIUs to request BOI in two scenarios. The first
scenario is when two conditions apply: (1) the request is for
assistance in a law enforcement investigation or prosecution, or for a
national security or intelligence activity, authorized under the laws
of the foreign country, and (2) a governing international treaty,
agreement, or convention identifies the foreign FIU as the central or
competent authority in the matter or otherwise dictates that the
foreign FIU should request BOI from FinCEN. The second scenario in
which a foreign FIU may request BOI is when there is no international
treaty, agreement, or convention available. In this scenario, the
foreign FIU may request BOI from FinCEN when (1) the request is for
assistance in a law enforcement investigation or prosecution, or for a
national security or intelligence activity, authorized under the laws
of the foreign country, and (2) the FIU qualifies as a law enforcement
(i.e., authorized by law to engage in the investigation or enforcement
of civil or criminal violations of law), judicial, or prosecutorial
authority of a trusted foreign country. Both scenarios involve multiple
requirements that a foreign FIU must satisfy to request BOI from FinCEN
and are unlikely to result in a large number of potential requests from
foreign FIUs.
On the question of BOI admissibility, FinCEN does not agree with
the claim by one commenter that information exchanges through FIUs
necessarily render the disclosed information inadmissible in courts
around the world with enough frequency to warrant concern. Furthermore,
if information exchanges between FIUs do render information
inadmissible in some foreign courts, the CTA and this final rule
provide means other than FIU exchanges by which foreign requesters may
obtain BOI, namely through foreign judges, prosecutors, law enforcement
agencies, and other central and competent authorities.\100\ FinCEN is
confident that foreign requesters that require admissible BOI, that are
[[Page 88750]]
authorized to receive BOI under the terms set forth in the CTA and this
final rule, and that satisfy all applicable criteria for BOI disclosure
will be able to obtain the information they need in an admissible form
through an intermediary Federal agency.
---------------------------------------------------------------------------
\100\ See 31 U.S.C. 5336(c)(2)(B)(ii); 31 CFR 1010.955(b)(3).
---------------------------------------------------------------------------
Nonetheless, FinCEN believes it should act as an intermediary
Federal agency for BOI requests from foreign FIUs. Receiving,
reviewing, and responding to requests for BOI from all foreign
requesters would not be feasible, given FinCEN's resource limitations.
c. Foreign Central or Competent Authority
Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to
disclose BOI to foreign requesters when certain criteria were
satisfied. The CTA did not define central or competent authorities, and
so FinCEN proposed to make clear that ``[a] relevant `foreign central
authority or foreign competent authority' would be the agency
identified in an international treaty, agreement, or convention under
which a foreign request is made'' (emphasis added.) This decision was
based on FinCEN's understanding that ``foreign central authority'' and
``foreign competent authority'' are terms of art typically defined
within the context of a particular agreement. FinCEN's goal was to
remove any ambiguity around the terms without unduly excluding
appropriate foreign requesters from access to BOI.
Comments Received. One commenter pointed to the FATF and the Egmont
Group as potential means of identifying foreign central and competent
authorities. Specifically, the commenter stated that, because the
United States is a member of both organizations, either body's method
of designating foreign central or competent authorities (with
appropriate safeguards) should allow an agency designated through that
method to qualify as a foreign central or competent authority for the
purposes of the CTA.
Another commenter stated that requiring foreign central and
competent authorities to be identified as such in a governing
international treaty, agreement, or convention was overly restrictive.
The commenter's concern stems from the word ``in.'' To support its
position, the commenter points to the Hague Convention for Service
Abroad of Judicial and Extrajudicial Documents in Civil or Commercial
Matters and the Hague Convention on the Taking of Evidence Abroad in
Civil or Commercial Matters. The commenter states that both agreements
provide for the use of a central authority for the receipt of requests
for service or evidence by requiring a contracting state to designate a
central authority and organize the central authority in accordance with
its own law. Requiring designation of that central authority upfront in
the treaty itself, the commenter claims, would remove some level of
flexibility, and would require cumbersome treaty amendment processes
were a party to change the specified central authority.
As an alternative, this same commenter suggested looking to the
service provisions of the Foreign Sovereign Immunities Act, and in
particular 28 U.S.C. 1608, to allow for largely undefined ``special
arrangements'' to govern BOI disclosure through agencies other than
central authorities. The commenter again pointed to the difficulty of
changing treaties to reflect new central authorities, and viewed
``special arrangements'' as possibly providing ``an approach to better
manage the foreign access provisions of the CTA on a case-by-case
basis.''
Final Rule. FinCEN adopts the proposed rule, but with a
clarification about its meaning.
In the course of drafting the Access NPRM, FinCEN conducted
extensive outreach to the Department of State, the Department of
Justice, and other Federal agencies that participate in international
affairs on behalf of the United States. As a result, Treasury
understands that ``central authority'' and ``competent authority'' are
referents that may be reliant on international treaties, agreements,
and conventions for context and meaning. If an institution derives its
status as a central and competent authority pursuant to an
international treaty, agreement, or convention, then by definition
requiring foreign central and competent authorities to be identified as
such under governing international treaties, agreements, or conventions
is not overly restrictive. In contrast, FATF and the Egmont Group are
not international bodies established by treaty, agreement, or
convention, nor do they issue, implement, or administer any of the
international treaties, agreements, or conventions that make an
institution a central or competent authority. That said, information
from both bodies could be useful in determining whether foreign
countries are ``trusted'' in situations when no international treaty,
agreement, or convention is available.
When such an agreement is available, a commenter makes a reasonable
point that the instrument might not specifically identify particular
central or competent authorities, but might instead direct contracting
states to identify them through other means. The Hague conventions,
which the commenter points to as examples, are instructive. As the
commenter notes, both conventions require contracting states to
identify central authorities to administer convention obligations, but
do not themselves identify specific institutions of any particular
governments as central authorities. That work is left to implementing
statutes and regulations in contracting states. FinCEN understands that
this is a common arrangement in international agreements. Consequently,
for purposes of 31 CFR 1010.955(b)(3), a foreign central or competent
authority may be identified as such either directly by a governing
treaty, agreement, or convention, or by the statutes, regulations, or
other legal means by which the relevant foreign requester country has
implemented the agreement.
With this clarification, FinCEN sees no need to resort to ``special
arrangements'' under 28 U.S.C. 1608 of the Foreign Sovereign Immunities
Act to disclose BOI to foreign requesters. The CTA is clear about which
foreign requesters may obtain BOI from FinCEN, as well as the criteria
they must satisfy and the general process they must follow to obtain
it. The resulting framework reflects the requirements of the CTA but
remains flexible enough to accomplish the stated aims and purposes of
the CTA without need for supplemental measures.
d. Trusted Foreign Country
Proposed Rule. Proposed 31 CFR 1010.955(b)(3)(ii)(B) authorized
FinCEN to disclose BOI in response to official requests by law
enforcement, judicial, or prosecutorial authorities of ``trusted''
foreign countries when other criteria are satisfied. The other criteria
were that the request for BOI must (1) come to FinCEN through an
intermediary Federal agency; and (2) be for assistance in a law
enforcement investigation or prosecution, or for a national security or
intelligence activity, authorized under the laws of the foreign
country. In keeping with the CTA, the ``trusted foreign country''
requirement would come into play when there is no international treaty,
agreement, or convention available under which the relevant foreign
country could make the request.
The CTA does not provide criteria for determining whether a
particular foreign country is ``trusted,'' leaving FinCEN with
flexibility to make the determination. FinCEN considered identifying
particular countries or groups of countries as ``trusted'' for the
[[Page 88751]]
purposes of receiving BOI, but determined that such a restrictive
approach could arbitrarily exclude foreign requesters with whom sharing
BOI might be appropriate in some cases but not others. FinCEN proposed
in the Access NPRM to instead consult with relevant U.S. government
agencies on a case-by-case basis to determine whether to disclose BOI
to foreign requesters when no international treaty, agreement, or
convention applies. In making these determinations, FinCEN and the
consulting agencies would consider U.S. priorities and interests, as
well as the ability of a foreign requester to maintain the security and
confidentiality of requested BOI.
Comments Received. Commenters generally wanted to know either which
foreign countries would be ``trusted'' or the criteria by which FinCEN
would identify trusted foreign countries. One commenter wanted a
searchable list of trusted foreign countries. Multiple commenters
suggested that FinCEN publicly define its trust criteria, with some
arguing that a non-transparent case-by-case determination process could
yield unjustifiably disparate treatment. One commenter suggested either
defining ``trusted'' or dropping the term entirely and relying solely
on treaties, agreements, and conventions. Another commenter noted a
FinCEN definition would promote consistency of access.
A few commenters argued that FinCEN should not have sole discretion
to determine which countries are trusted, as such decisions have
implications for national security and foreign relations. One commenter
supported FinCEN's decision not to develop a prior list of trusted
foreign countries because such a list would inevitably change over
time. That same commenter further argued, however, that FinCEN should
define the ``relevant U.S. government agencies'' with which it would
consult to make trust determinations as including the Departments of
State and Justice, and should announce that, at a minimum, FinCEN will
treat members of NATO, the EU, and the G7 group of nations as trusted
foreign countries absent special circumstances. Another commenter
stated that FinCEN had taken a sensible approach regarding the trusted
foreign country requirements, but might consider giving advance notice
to countries that would explicitly not be trusted.
Final Rule. FinCEN adopts the proposed rule with limited
clarifications. FinCEN agrees with the commenter that the rule would
benefit from identifying particular agencies with which FinCEN is
likely to consult when no international treaty, agreement, or
convention applies to a foreign request for BOI and FinCEN needs to
determine whether the country at issue is ``trusted.'' FinCEN is
therefore specifying in the rule that, in determining whether a request
is from a ``trusted foreign country,'' FinCEN will make such
determination with the concurrence of the Department of State, and in
consultation with the Department of Justice or other agencies as
necessary and appropriate. Specifying that FinCEN will seek the
Department of State's concurrence on these determinations reflects the
Department of State's central role in conducting U.S. foreign policy
and foreign relations. FinCEN has also explicitly identified the
Department of Justice to reflect the major role that the Department
Justice plays in U.S. relations with other countries in law
enforcement, national security, and intelligence activities, and the
commensurate likelihood that FinCEN will regularly consult it when
making trust determinations. However, identifying these two agencies
within the regulation does not mean that FinCEN will only consult them
when making trust determinations, or that FinCEN is delegating its
authority to make those determinations. Indeed, FinCEN will consult
with agencies other than the Departments of State and Justice when
appropriate, e.g., when those agencies have relevant equities,
expertise, or relationships with foreign governments.
While FinCEN is choosing to clarify the interagency coordination
element of its trust determination process, it is not defining
``trusted'' or enumerating criteria it will use to assess requests for
BOI when no international treaty, agreement, or convention applies.
There are likely too many situations in which providing other countries
with BOI might be in the best interest of the United States to reduce
that complexity to a single definition or list. That same variability
also weighs against preemptively identifying certain countries as
either wholly trusted or not. Particular facts and circumstances are
relevant to the determination and may result in different outcomes
where the same foreign requester is involved. These are dynamic
situations to which FinCEN must be able to respond flexibly, in
consultation with relevant Federal agencies. At this time, FinCEN
believes that it is important to retain appropriate discretion in
making determinations regarding ``trusted'' foreign countries in
particular circumstances, and declines to adopt restrictive definitions
or criteria that could be detrimental to broader U.S. interests.
e. Training
Proposed Rule. Proposed 31 CFR 1010.955(d)(3)(i) required foreign
requesters to handle, disclose, and use BOI consistent with the
requirements of the applicable treaty, agreement, or convention under
which it was requested. 31 CFR 1010.955(d)(3)(ii), meanwhile, applied
to situations in which there was no applicable treaty, agreement, or
convention, and would have imposed on foreign BOI requesters certain
general requirements that the CTA imposes on all requesting
agencies.\101\ FinCEN believed these measures were necessary to protect
the security and confidentiality of BOI provided to foreign
requesters.\102\ Proposed requirements applicable to foreign requesters
when no treaty, agreement, or convention applies included having
security standards and procedures, maintaining a secure storage system
that complies with the security standards that the foreign requester
applies to the most sensitive unclassified information it handles,
minimizing the amount of information requested, and restricting
personnel access to BOI to persons ``[w]ho have undergone training on
the appropriate handling and safeguarding [BOI].'' Foreign requesters
that request and receive BOI under an applicable international treaty,
agreement, or convention would not have these requirements under the
proposed rule, given that such requesters would be governed by
standards and procedures prescribed by the applicable international
treaty, agreement, or convention.
---------------------------------------------------------------------------
\101\ In the Access NPRM, FinCEN misnumbered this provision as a
duplicate 31 CFR 1010.955(d)(3)(i).
\102\ See 31 U.S.C. 5336(c)(3)(A), (K).
---------------------------------------------------------------------------
Comments Received. Several commenters indicated that FinCEN should
revise the requirement that foreign requesters limit access to BOI to
persons ``[w]ho have undergone training on the appropriate handling and
safeguarding of [BOI].'' One commenter expressed the view that the
training requirement was stricter than the one proposed for domestic
agencies, under which personnel with access to BOI either had to
receive training on its handling and safeguarding or received the
information from someone who had undergone such training. Another
commenter suggested that FinCEN adopt this domestic agency standard for
[[Page 88752]]
foreign requesters. Other commenters variously stated that training in
this context is superfluous given the other requirements applicable to
foreign requesters, that training requirements would exceed reciprocal
standards imposed by foreign partners when U.S. government agencies
obtained beneficial ownership information from foreign BOI databases,
and that FinCEN should define with greater precision the requirements
for foreign requester training.
Final Rule. FinCEN adopts the proposed rule with changes. First,
FinCEN fixed the typographical error in 31 CFR 1010.955(d)(3)(ii) to
reflect the provision's correct numbering. Second, FinCEN has removed
the proposed rule's requirement that an individual from an intermediary
Federal agency submit personal details when making each request on
behalf of a foreign requester. That is because the individual will
submit identifying information to FinCEN at the time they create an
account to access FinCEN's BO IT system, which will be necessary to
make requests on behalf of foreign governments. FinCEN will provide
guidance to intermediary Federal agencies at a later time on how users
of the BO IT system will set up these accounts.
The third change to the proposed provision pertains to
certification requirements in situations involving ``trusted'' foreign
countries. FinCEN originally proposed to require each intermediary
Federal agency requesting BOI on behalf of a foreign requester under
proposed 31 CFR 1010.955(b)(3)(ii)(B) to submit to FinCEN ``[a] written
explanation of the specific purpose for which the foreign person is
seeking information . . . along with an accompanying certification that
the information is for use in furtherance of a law enforcement
investigation or prosecution, or for a national security or
intelligence activity, that is authorized under the laws of the
relevant foreign country; will be used only for the particular purpose
or activity for which it is requested; and will be handled consistent
with [applicable security and confidentiality requirements].'' FinCEN
is modifying the certification requirement to avoid unintentionally
imposing on intermediary Federal agencies a requirement to certify to a
foreign requester's future behavior with respect to the BOI obtained,
which the agency could not know with certainty. Under the final rule,
such agencies must still certify to FinCEN that the information is for
use in furtherance of a law enforcement investigation or prosecution,
or for a national security or intelligence activity, that is authorized
under the laws of the relevant foreign country. However, the remainder
of the original certification has been modified to require only that
the intermediary Federal agency certify that the foreign requester has
been informed that BOI disclosed to it may only be used for the
particular purpose or activity for which it was requested and must be
handled consistent with applicable requirements. This modified
certification better reflects what an intermediary Federal agency can
know and practically control. FinCEN's expectation that foreign
requesters will handle BOI in accordance with applicable requirements
and protect it to the best of their ability remains unchanged, as does
FinCEN's willingness to withhold BOI from requesters that fail to meet
that expectation.
FinCEN declines to make additional revisions suggested by comments.
The requirement that foreign requesters apply appropriate standards and
procedures to protect BOI and limit BOI dissemination to trained
individuals is reasonable under the circumstances and unlikely to place
undue burden on foreign requesters. It is critical that all authorized
BOI recipients-including foreign requesters-take steps to keep BOI
confidential and secure and to prevent its misuse given the sensitivity
of the personal information to be reported to the BO IT system. The
application of BOI security standards and procedures, including the
training requirement, effectuates these underlying objectives,
including by requiring individual foreign recipients to have knowledge
of those requirements. FinCEN also declines to prescribe specific
requirements on the structure and content of any training. FinCEN
recognizes that standards and procedures will vary by foreign requester
to reflect organizational and resource differences. At root, every
individual with access to BOI should understand the purposes for which
BOI can be used, the persons with whom they can share BOI with and for
what purpose, and the manner in which they must secure it.
The differences between the application of BOI security standards
and procedures for domestic and foreign requesters reflect legal and
practical considerations. First, the CTA specifically prescribes
certain standards for domestic agencies that have access to BOI, but
not for foreign requesters. Second, the Access NPRM proposed standards
and procedures that are tailored to particular circumstances and
challenges involving foreign requesters, and are arguably less
burdensome that those required of domestic agencies. For example,
FinCEN decided not to propose an MOU requirement for foreign requesters
because (1) foreign requesters will not have direct access to the BO IT
system, and (2) FinCEN anticipates a significantly lower volume of
foreign requests in general relative to other stakeholders. In
contrast, the MOUs with domestic agencies are appropriate to mitigate
the risks inherent in the expected volume and frequency of searches in
the BO IT system. FinCEN anticipates that these MOUs will, among other
things, memorialize and implement requirements regarding reports and
certifications, periodic training of individual recipients of BOI,
personnel access restrictions, re-disclosure limitations, and access to
audit and oversight mechanisms. The MOUs will also include security
plans covering topics related to personnel security (e.g., eligibility
limitations, screening standards, certifications and notification
requirements); physical security (system connections and use,
conditions of access, data maintenance); computer security (use and
access policies, standards related to passwords, transmission, storage,
and encryption); and inspections and compliance.
Foreign BOI requesters will only receive BOI through intermediary
Federal agencies that will themselves be subject to the detailed MOUs
described above. Those intermediary Federal agencies will in turn work
with foreign requesters either in accordance with applicable
international treaties, conventions, or agreements or under standards
and protocols that ``trusted'' foreign countries would be required to
develop and implement.
FinCEN also decided against the imposition of audit requirements on
foreign requesters because of practical considerations. First, for the
sharing of BOI governed by international treaties, agreements, or
conventions, the relevant treaty, agreement, or convention would govern
whether audits would be permissible. If no treaty, agreement, or
convention applied, practical challenges would limit FinCEN's ability
to conduct audits of a foreign requester's BOI systems and practices.
In order to conduct such an audit, FinCEN would need to negotiate
appropriate audit mechanisms, likely on a reciprocal basis, given that
foreign governments will likely be reluctant to allow FinCEN extensive
access to comprehensively audit their secure IT systems and records.
FinCEN would also likely need to commit substantial staff and personnel
to conduct either remote or
[[Page 88753]]
in-person audits in foreign countries. While FinCEN could refrain from
sharing BOI with foreign requesters that refuse to be subject to
audits, it would likely degrade international cooperation on law
enforcement and national security efforts and constrain the United
States' ability to combat cross-border illicit finance and criminal
activity, including fentanyl trafficking, fraud, and sanctions evasion,
among other crimes.
f. Re-Disclosure of BOI in the Context of Foreign Requests
Proposed Rule. The Access NPRM proposed rules that effectuated the
foreign government access provisions in a series of steps that, first,
would have authorized FinCEN to disclose BOI to intermediary Federal
agencies; would have then authorized those agencies to redisclose BOI
to the foreign requester; and would have authorized the foreign
requester to use the BOI, including through re-disclosure, consistent
with the applicable treaty.
Specifically, proposed 31 CFR 1010.955(b)(3) authorized FinCEN to
disclose BOI to intermediary Federal agencies for transmission to the
foreign requester where (1) an intermediary Federal agency provides
FinCEN with the foreign request; (2) the requested BOI is for
assistance in a law enforcement investigation or prosecution, or for a
national security or intelligence activity, authorized under the laws
of the foreign country; and (3) the request is made under an
international treaty, agreement, or convention, or, when no such
instrument is available, is an official request by a law enforcement,
judicial, or prosecutorial authority of a trusted foreign country.
Proposed 31 CFR 1010.955(c)(2)(v) would further authorize the
intermediary Federal agency to disclose the BOI to the foreign
requester, consistent with the CTA's foreign government provisions.
Lastly, proposed 31 CFR 1010.955(c)(2)(viii) allowed a foreign
requester that receives BOI pursuant to a request made under an
international treaty, agreement, or convention to re-disclose and use
that BOI in accordance with the requirements of the relevant agreement.
This approach accords with the CTA's preference for disclosing BOI to
foreign requesters under international agreements and allowing the
agreements to govern how the information is used, as indicated in the
introductory paragraph in 31 U.S.C. 5336(c)(2)(B)(ii). For foreign
requests that are not governed by an international treaty, agreement,
or convention, FinCEN proposed reviewing re-disclosure requests from
foreign requesters either on a case-by-case basis or pursuant to
alternative arrangements with intermediary Federal agencies where those
intermediary Federal agencies have ongoing relationships with the
particular foreign requester. This would occur under former 31 CFR
1010.955(c)(2)(ix), now 31 CFR 1010.955(c)(2)(x), discussed in section
III.D.ii.
Comments Received. Commenters noted several concerns regarding the
re-disclosure of BOI by intermediary Federal agencies to foreign
requesters. One commenter indicated that the proposed rule conflicted
with section 2.3 of E.O. 12333 of December 4, 1981, as amended, by
authorizing U.S. intelligence agencies to share information about U.S.
persons with other countries' intelligence agencies without regard to
the Executive Order's restrictions on collecting, retaining, and
disseminating U.S. person information.\103\ Another commenter
criticized the proposed rule as unduly vague about the foreign
recipient of BOI, the scope of application of the proposed 31 CFR
1010.955(c)(2)(viii), and whether re-disclosure would be consistent
with the CTA where no international treaty, agreement, or convention is
available. A third commenter observed that FinCEN could broaden Sec.
1010.955(c)(2)(v) to allow intermediary Federal agencies to share BOI
with ``relevant countries'' without first obtaining FinCEN's
permission, while a fourth warned FinCEN to ensure that foreign
countries do not use their tax authorities to obtain BOI for non-tax
related reasons under the pretense of tax administration.
---------------------------------------------------------------------------
\103\ E.O. 12333, 46 FR 59941 (Dec. 4, 1981) (``United States
Intelligence Activities'').
---------------------------------------------------------------------------
Final Rule. FinCEN views the proposed rules to be sufficiently
clear and adopts the provisions as proposed, though the related
provision at new 31 CFR 1010.955(c)(2)(x) is revised as discussed in
section III.D.ii. Proposed 31 CFR 1010.955(c)(2)(v) makes clear that an
intermediary Federal agency may disclose BOI only ``to the foreign
person on whose behalf the Federal agency made the request'' to FinCEN
(emphasis added). The provision is sufficiently specific as to the
foreign recipient that receives BOI. The rule also is not in conflict
with E.O. 12333, section 2.3 and, in particular, the requirement that
elements of the Intelligence Community disseminate information
concerning U.S. persons only in accordance with certain established
procedures. FinCEN expects that intermediary Federal agency requests,
and transmission of BOI to foreign requesters will be in accordance
with any legal requirements, and internal protocols, applicable to the
intermediary Federal agency. For instance, the guidelines of the Office
of the Director of National Intelligence require that, for
dissemination of information regarding U.S. persons to foreign
governments, those entities must agree to restrictions on the use and
dissemination of that information as necessary.\104\ Furthermore,
consistent with the rule, an agency's internal protocols might place
certain process requirements on the agency in making the request to
FinCEN for BOI or on the re-disclosure of the information to the
foreign requester.
---------------------------------------------------------------------------
\104\ See Office of the Direct of National Intelligence,
Attorney General (AG) Guidelines, Approved December 23, 2020,
available at https://www.intel.gov/assets/documents/702%20Documents/declassified/AGGs/ODNI%20guidelines%20as%20approved%20by%20AG%2012.23.20_OCR.pdf.
---------------------------------------------------------------------------
Former 31 CFR 1010.955(c)(2)(viii)--now renumbered as 31 CFR
1010.955(c)(2)(ix)--permits foreign requesters to re-disclose BOI
consistent with the terms of the applicable international treaty,
agreement, or convention, but does not authorize disclosure in any
other contexts.
Relying on the general authority in 31 CFR 1010.955(c)(2)(x) for
FinCEN to authorize by prior written authorization, protocols, or
guidance redisclosures in furtherance of an authorized purpose or
activity, FinCEN will review redisclosure requests from foreign
requesters that did not request BOI pursuant to an international
treaty, agreement, or convention.
FinCEN also declines to permit intermediary Federal agencies to re-
disclose BOI to a defined list of countries, without either a governing
international treaty, agreement, or convention or separate FinCEN
authorization. The scenario the proposal seems to contemplate involves
an intermediary Federal agency requesting BOI from FinCEN on behalf of
one foreign requester, storing the information in the intermediary
Federal agency's own database, and then later re-disclosing that same
BOI to a different foreign requester that wants the information and
satisfies the eligibility criteria that would qualify it to have the
intermediary Federal agency request the information from FinCEN on its
behalf. In this case, however, the intermediary Federal agency would
not need to retrieve the BOI from FinCEN's BO IT system or involve
FinCEN at all because it would already have the relevant BOI in its own
system.
[[Page 88754]]
FinCEN views this proposal as infeasible for a number of reasons.
First, a reporting company might update its reported BOI in the interim
between the times when two foreign requesters want the information. The
intermediary Federal agency's stored BOI would not reflect those
updates and would be out of date and potentially useless or confounding
in an investigation or prosecution if passed to a foreign requester.
Having foreign requesters receive outdated BOI would undercut the CTA's
objective of providing useful information to authorized BOI recipients.
The second consideration weighing against the proposal has to do
with auditing. FinCEN has extensive audit requirements with respect to
Federal agencies that receive BOI under the CTA. While an intermediary
Federal agency will not need FinCEN's explicit and case-specific
``permission'' to retrieve BOI from the BO IT system on a foreign
requester's behalf, the intermediary will need to submit to FinCEN
certain information about itself, the request, and the requester.
FinCEN will in turn rely on this information to satisfy those audit
requirements. The act of an intermediary Federal agency retrieving BOI
from the BO IT system will also serve as information upon which FinCEN
will rely as a proxy record indicating that a corresponding disclosure
to a foreign requester occurred. Were FinCEN to authorize intermediary
Federal agencies to store and disseminate FinCEN-derived BOI from their
own databases instead of responding to foreign requests for BOI with
information retrieved from FinCEN's BO IT system on a one-for-one
basis, all of that information would be lost, more difficult to
collect, or more subject to tampering. All of these considerations lead
FinCEN to reject this proposal.
Finally, FinCEN takes seriously concerns about foreign requesters
and other authorized BOI recipients requesting BOI for one purpose and
using it for other purposes the CTA does not permit. This includes
concerns about pretextual requests made under the guise of activities
related to the enforcement of tax laws, a relatively narrow aspect of
``tax administration,'' as defined in 26 U.S.C. 6103(b)(4), for which
the CTA authorizes BOI disclosure to foreign requesters.\105\ These
concerns are why FinCEN is requiring intermediary Federal agencies to
certify that requests for BOI from foreign requesters satisfy
applicable CTA requirements, including the requirement that requests be
for use in furtherance of a law enforcement investigation or
prosecution, or for a national security or intelligence activity, that
is authorized under the laws of the relevant foreign country.
---------------------------------------------------------------------------
\105\ The CTA does not authorize FinCEN to provide BOI to
foreign requestors for any and all tax administration purposes. Some
foreign tax-related activities, however, including enforcement of
tax laws, may qualify as law enforcement, national security, or
intelligence activities under the CTA, 31 U.S.C. 5336(c)(2)(B)(ii),
permitting BOI to be disclosed under appropriate circumstances.
---------------------------------------------------------------------------
That said, a foreign requester that originally obtained BOI for use
in furtherance of an authorized law enforcement investigation or
prosecution (including those related to tax laws), or for an authorized
national security or intelligence activity, would not necessarily be
prohibited from also using that BOI for other purposes when the BOI was
obtained pursuant to a treaty, agreement, or convention. As explained
previously, if a foreign requester obtains BOI pursuant to a treaty,
agreement, or convention for use in an activity authorized by the CTA,
then the requester is authorized to subsequently use or re-disclose the
information in any way permitted by that treaty, agreement, or
convention. This allowance reflects the general deference to treaties,
agreements, and conventions exhibited by the CTA's foreign sharing
provision. In all cases, FinCEN will work with intermediary Federal
agencies to ensure that foreign requesters understand and agree to
abide by the restrictions and requirements associated with BOI, as well
as the potential consequences for failing to honor those commitments.
iv. Disclosure To Facilitate Compliance With Customer Due Diligence
Requirements
The Access NPRM proposed to authorize disclosure of BOI to
facilitate compliance with ``customer due diligence requirements under
applicable law'' \106\ to: (1) ``financial institutions'' subject to
such customer due diligence requirements, and (2) ``Federal functional
regulator[s] or other appropriate regulatory agenc[ies] . . .
authorized by law to assess, supervise, enforce, or otherwise determine
the compliance'' of financial institutions with such requirements.\107\
FinCEN therefore discusses the proposed terms of financial institution
and regulator access to BOI separately.
---------------------------------------------------------------------------
\106\ 31 U.S.C. 5336(c)(2)(B)(iii); proposed 31 CFR
1010.955(b)(4).
\107\ Id.; 31 U.S.C. 5336(c)(2)(B)(iii), (C)(i).
---------------------------------------------------------------------------
a. Financial Institutions
The Access NPRM proposed provisions specifying which financial
institutions \108\ could access BOI, the uses to which they could put
BOI, and the prerequisites for their access and terms of use. The
NPRM's treatment of financial institution access was the focus of many
comments. Numerous comments focused both on FinCEN's proposal to limit
the financial institutions authorized to obtain BOI to those with
responsibilities under FinCEN's 2016 CDD Rule and on FinCEN's proposal
to limit those financial institutions' use of BOI to facilitating
compliance with 31 CFR 1010.230 of the 2016 CDD Rule. Both of those
subjects are discussed here. Other issues raised by commenters on
financial institution access and use of BOI were tied to larger
systemic concerns and less closely associated with financial
institutions per se, including the consent requirement, confidentiality
and security protocols, and redisclosure of BOI. These more systemic
comments are addressed elsewhere in this document.
---------------------------------------------------------------------------
\108\ FinCEN regulations generally define ``financial
institution,'' including for the purposes of this rule, at 31 CFR
1010.100(t). This general definition is distinct from that of
``covered financial institution,'' as used in the 2016 CDD Rule and
this preamble. Under the 2016 CDD Rule (specifically, 31 CFR
1010.230(f)), ``covered financial institution'' has the meaning set
forth in 31 CFR 1010.605(e)(1).
---------------------------------------------------------------------------
Proposed Rule. The CTA authorizes FinCEN to disclose BOI upon
receipt of a request ``made by a financial institution subject to
customer due diligence requirements, with the consent of the reporting
company, to facilitate the compliance of the financial institution with
customer due diligence requirements under applicable law.'' \109\ The
CTA neither defines ``financial institution subject to customer due
diligence requirements'' nor ``customer due diligence requirements
under applicable law.'' Proposed 31 CFR 1010.955(b)(4)(i) described
both the types of financial institutions entitled to request BOI and
the purposes for which those financial institutions could use that BOI.
Under the rule, FinCEN would disclose BOI to financial institutions
``subject to customer due diligence requirements under applicable
law,'' and that BOI could be used ``in facilitating . . . compliance''
with those customer due diligence requirements.
---------------------------------------------------------------------------
\109\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------
Section 1010.955(b)(4)(i) further defined the phrase ``customer due
diligence requirements under applicable law'' to mean the requirement
imposed on ``covered financial institutions'' under 31 CFR 1010.230 to
identify and
[[Page 88755]]
verify beneficial owners of their ``legal entity customers,'' primarily
at account opening.\110\ These ``covered financial institutions'' are
limited to: banks (including credit unions); brokers or dealers in
securities registered, or required to be registered, with the SEC;
futures commission merchants and introducing brokers in commodities
registered, or required to be registered, with the CFTC; and mutual
funds.\111\ In contrast, other types of financial institutions, such as
money services businesses (MSBs) and insurance companies, would not be
able to access BOI from FinCEN in light of the 2016 CDD Rule
definition. Additionally, under the proposed rule, these financial
institutions would be able to use BOI only to comply with 31 CFR
1010.230, but not for other purposes. This approach was designed to
enhance security and confidentiality, and facilitate audit and
oversight, of the BOI database by describing a defined set of financial
institutions and limiting opportunities for unauthorized use or
intentional or inadvertent breaches.
---------------------------------------------------------------------------
\110\ 31 CFR 1010.230(b). Under the 2016 CDD Rule, ``legal
entity customer means a corporation, limited liability company, or
other entity that is created by the filing of a public document with
a Secretary of State or similar office, a general partnership, and
any similar entity formed under the laws of a foreign jurisdiction
that opens an account,'' with certain exceptions. Id. 1010.230(e).
This definition of ``legal entity customer'' overlaps with, but is
distinct from, the definition of ``reporting company'' in 31 CFR
1010.380(c) of the Reporting Rule.
\111\ 31 CFR 1010.230(f) (cross-referencing the definition of
``covered financial institutions'' in 31 CFR 1010.605(e)(1)).
---------------------------------------------------------------------------
FinCEN also considered a broader approach that would permit
financial institutions with CIP obligations \112\ to access the
database. A broader approach would have permitted more financial
institutions to use BOI for a wider range of compliance activities,
such as compliance with CIP regulations. FinCEN specifically requested
comments on the interpretation of the phrase ``customer due diligence
requirements under applicable law,'' including whether FinCEN should
adopt a broader definition, how to best provide regulatory clarity, and
how to maintain the security and confidentiality of BOI if a broader
definition were adopted.\113\
---------------------------------------------------------------------------
\112\ See 31 CFR 1020.220, 1023.220, 1024.220, 1026.220.
\113\ The preamble to the proposed rule noted that FinCEN also
had considered defining ``customer due diligence requirements under
applicable law'' to include State, local, and Tribal customer due
diligence requirements similar in substance to the 2016 CDD Rule.
However, FinCEN chose not to do so, noting that it was unaware of
any such requirements. FinCEN invited comments about any State,
local, or Tribal laws or regulations that require financial
institutions to identify and verify the beneficial owners of legal
entity customers. One commenter noted that some states, such as New
York, require financial institutions operating in the state to
implement AML programs that include general customer identification
and customer due diligence requirements. However, this commenter did
not cite to any requirements to identify and verify beneficial
owners of legal entities, as FinCEN's 2016 CDD Rule requires.
---------------------------------------------------------------------------
Comments Received. FinCEN received many comments that were critical
of FinCEN's proposed approach. First, commenters asserted that FinCEN's
interpretation ran counter to the plain text of the CTA. Several
commenters pointed to the CTA provision directing the Secretary to
promulgate regulations that ``facilitate the compliance of [] financial
institutions with anti-money laundering, countering the financing of
terrorism, and customer due diligence requirements under applicable
law.'' \114\ In order to implement this provision, one commenter noted
that FinCEN should allow financial institutions to access BOI for more
uses than compliance with 31 CFR 1010.230, and pointed to contrasting
references in the CTA to 31 CFR 1010.230 and ``customer due diligence
requirements under applicable law'' as indicative of Congressional
intent.\115\ Another commenter stated that FinCEN erred when it pointed
to the Sense of Congress as evidence that Congress understood
``customer due diligence requirements under applicable law'' did not
include ``anti-money laundering, [and] countering the financing of
terrorism.'' \116\
---------------------------------------------------------------------------
\114\ 31 U.S.C. 5336(b)(1)(F)(iv)(II).
\115\ CTA, section 6403(d)(1) (directing the Secretary of the
Treasury to revise the 2016 CDD Rule).
\116\ CTA, section 6402(6)(B).
---------------------------------------------------------------------------
Second, commenters argued that the proposed rule's approach would
be burdensome for financial institutions and undermine the usefulness
of the BOI database. In particular, commenters claimed that the
proposed approach conflicted with the core CTA objectives that the BOI
database be ``highly useful'' to financial institutions,\117\ and that
burdens on financial institutions should be minimized.\118\ In this
respect, one commenter listed the variety of AML/CFT compliance and
sanctions-related tasks for which banks relied on the BOI obtained from
legal entity customers under the 2016 CDD Rule, including, for example,
compliance with CIP requirements, customer risk ratings, transaction
monitoring, sanctions screening, identifying politically exposed
persons, and filing SARs or sanctions-related reports.\119\ The
commenter reiterated that the proposed rule would not provide financial
institutions with any additional AML/CFT compliance value if financial
institutions could use FinCEN-collected BOI only as described in the
proposed rule; in fact, the commenter confirmed that financial
institutions would be unlikely to use the database at all. Other
commenters pointed to likely implementation burdens and duplicative
requirements, such as the likely need to create a firewall and systems
to separate FinCEN-obtained BOI from BOI obtained under the 2016 CDD
Rule, given the different purposes for which those two types of BOI
could be used. This, in turn, would also impose duplicative
requirements on reporting companies, given their need to provide BOI to
both FinCEN and to financial institutions.
---------------------------------------------------------------------------
\117\ See 31 U.S.C. 5336(b)(1)(F)(iv).
\118\ See CTA, section 6403(d)(1)(C) (directing that the 2016
CDD Rule be revised to ``reduce any burdens on financial
institutions and legal entity customers that are, in light of the
enactment of this division and the amendments made by this division,
unnecessary or duplicative'').
\119\ The commenter noted, and FinCEN agrees, that the 2016 CDD
Rule itself imposed no specific limits on how financial institutions
could use the BOI collected under that rule, including for AML/CFT
compliance purposes.
---------------------------------------------------------------------------
Third, commenters maintained that the proposed approach conflicts
with the broader AML/CFT regulatory framework, including supervisory
expectations and FinCEN guidance on the role of customer due diligence
in a financial institution's AML program. Several commenters stated
squarely that the phrase ``customer due diligence requirements under
applicable law'' clearly encompassed AML/CFT requirements beyond the
identification and verification requirements of the 2016 CDD Rule. For
example, commenters noted that the 2016 CDD Rule itself interprets
``customer due diligence'' broadly to encompass ongoing monitoring for
reporting suspicious transactions,\120\ and amends AML program rules to
require financial institutions to implement risk-based
---------------------------------------------------------------------------
\120\ See 2016 CDD Rule, 81 FR at 29398 (``FinCEN believes that
there are four core elements of customer due diligence, and that
they should be explicit requirements in the anti-money laundering
(AML) program for all covered financial institutions, in order to
ensure clarity and consistency across sectors: (1) Customer
identification and verification; (2) beneficial ownership
identification and verification; (3) understanding the nature and
purpose of customer relationships to develop a customer risk
profile; and (4) ongoing monitoring for reporting suspicious
transactions and, on a risk-basis, maintaining and updating customer
information.'').
---------------------------------------------------------------------------
[[Page 88756]]
procedures for doing so.121 122 Other commenters invoked
supervisory expectations around the use of BOI, noting that the Federal
Financial Institutions Examination Council (FFIEC) BSA/AML Examination
Manual \123\ states that banks should specify in their policies,
procedures, and processes how BOI will be used to meet other regulatory
obligations, such as identifying suspicious activity and identifying
parties sanctioned by Treasury's Office of Foreign Asset Control
(OFAC).\124\ Commenters also provided specific suggestions to broaden
the scope of use of BOI, for example, including CIP requirements under
31 CFR 1010.220 and the ongoing customer due diligence requirements
under 31 CFR 1010.210 to facilitate the compliance with AML/CFT and
customer due diligence requirements under applicable law.\125\ Finally,
some commenters claimed that the proposed approach would make it
challenging for financial institutions to comply with other legal or
regulatory requirements, such as sanctions screening, and urged FinCEN
to broaden the permitted uses of BOI.
---------------------------------------------------------------------------
\121\ See 2016 CDD Rule, 81 FR at 29457-29458, codified, as
amended, at 31 CFR 1020.210(a)(2)(v), 1023.21(b)(5), 1024.210(b)(5),
1026.210(b)(5).
\122\ One commenter also noted that banks have built their
compliance systems to be consistent with the preamble to the 2016
CDD Rule. The commenter indicated that limiting the purposes for
which BOI obtained from the database can be used thus would hurt
such compliance efforts.
\123\ FFIEC BSA/AML Examination Manual, available at https://bsaaml.ffiec.gov/manual.
\124\ Relatedly, another commenter urged FinCEN to consider
allowing broad BOI access for purely practical reasons, taking into
account the value that BOI provides for financial institutions in
meeting their regulatory obligations beyond the 2016 CDD Rule, such
as fraud detection, customer identification and verification, and
OFAC sanctions screening.
\125\ In contrast, another commenter asked that FinCEN itemize
exactly how financial institutions can use BOI, rather than cross-
referencing 31 CFR 1010.230 or any other regulatory provision.
---------------------------------------------------------------------------
Fourth, commenters also expressed concerns about the policy reasons
for choosing a narrower interpretation of ``customer due diligence
requirements under applicable law,'' for example, easing administration
of the BOI database and protecting BOI security and confidentiality.
One commenter stated that ease of administration is not a sufficient
justification to limit the ways financial institutions can use BOI to
combat illicit finance. Several commenters noted that both the CTA, and
laws requiring banks to protect the vast amounts of PII for which they
are responsible, such as Gramm-Leach-Bliley, provide multiple
safeguards to ensure the confidentiality and security of BOI, including
substantial protocols that financial institutions must follow to access
the BOI database.
Fifth, while a few commenters expressed support for the limitation
on the types of financial institutions with access to BOI, many
commenters argued that certain types of financial institutions not
subject to the 2016 CDD Rule--in particular, MSBs--would benefit from
access to the BOI and that FinCEN's definition of ``customer due
diligence requirements under applicable law'' thus should be changed to
allow these other financial institutions to access FinCEN-collected
BOI.\126\ One commenter noted that MSBs--which are required to
implement AML compliance programs with ``policies, procedures, and
internal controls reasonably designed'' to ensure compliance with the
BSA \127\--may be required by those programs to identify and verify the
beneficial owners of legal entity customers and authorized agents
during onboarding. In this context, the commenter identified FinCEN's
2016 guidance to MSBs concerning agent monitoring that required MSB
principals to identify the owners of an MSB's agents as a reason for
interpreting the term ``customer due diligence requirements under
applicable law'' to include such MSB requirements.\128\ Lastly, one
commenter urged FinCEN to allow any financial institution that has AML
program obligations to have access to the BOI database, subject to
appropriate security requirements and other access protocols, in order
to enhance overall transparency in the U.S. financial system and to
effectively fight illicit finance.
---------------------------------------------------------------------------
\126\ Additionally, two commenters agreed with FinCEN's proposed
definition of ``customer due diligence under applicable law'' but
claimed that this did not lead to the limitations that FinCEN
proposed to place on the use of BOI by financial institutions. These
commenters asserted that FinCEN's proposed definition was consistent
with a broader authorization for financial institutions to use BOI
for any purpose consistent with a financial institution's anti-
financial crimes program, including (but not limited to) AML,
sanctions, anti-bribery, and anti-corruption procedures.
\127\ See 31 CFR 1022.210(d)(1)(i).
\128\ FIN-2016-G001, Guidance on Existing AML Program Rule
Compliance Obligations for MSB Principals with Respect to Agent
Monitoring (Mar. 11, 2016).
---------------------------------------------------------------------------
Final Rule. In light of the comments received, FinCEN has revised
its proposed approach towards the financial institutions that will have
access to the BOI database and the purposes for which that BOI may be
used. The revised regulation now specifies that the clause ``customer
due diligence requirements under applicable law'' includes ``any legal
requirement or prohibition designed to counter money laundering or the
financing of terrorism, or to safeguard the national security of the
United States, to comply with which it is reasonably necessary for a
financial institution to obtain or verify beneficial ownership
information of a legal entity customer.'' Accordingly, the final
regulations would permit a broader range of financial institutions to
access BOI from the FinCEN database for a broader range of purposes
than described in the proposed rule should FinCEN choose to afford such
access. As discussed below in this section, however, FinCEN, in the
exercise of its discretion, intends to permit only financial
institutions with obligations under the 2016 CDD Rule to have access to
the BOI database at this time.
Under this approach, a financial institution can use BOI obtained
from FinCEN to help discharge its AML/CFT obligations under the BSA,
including its AML program, customer identification, SAR filing, and
enhanced due diligence requirements. It can also use BOI to satisfy
other requirements, so long as those requirements are designed to
counter money laundering or the financing of terrorism or safeguard
U.S. national security, and so long as it is reasonably necessary to
obtain or verify BOI of legal entity customers to satisfy those
requirements. For example, a financial institution may use BOI obtained
from FinCEN (with the consent of the reporting company) to facilitate
compliance with sanctions imposed by OFAC on individuals and legal
entities under the International Emergency Economic Powers Act \129\
and other legal authorities, such as the Foreign Narcotics Kingpin
Designation Act \130\ and the Global Magnitsky Human Rights
Accountability Act.\131\ These sanctions can have national security and
anti-money laundering purposes. Financial institutions regularly use
BOI to comply with these sanctions, often through OFAC sanctions
screening, including in ascertaining whether sanctions are applicable
to persons by virtue of the so-called ``50-percent'' rule.\132\
---------------------------------------------------------------------------
\129\ 50 U.S.C. 1701-1706.
\130\ 21 U.S.C. 1901-1908.
\131\ 22 U.S.C. 10101-10103.
\132\ The ``50 percent rule'' subjects to U.S. sanctions any
entity that is 50 percent owned by a blocked person is itself
blocked, and U.S. persons, including domestic financial
institutions, are prohibited from transacting business with such an
entity. See, e.g., OFAC, Addition of General Licenses for the
Official Business of the United States Government and Certain
International Organizations and Entities and Updates to the 50
Percent Rule Interpretive in OFAC Sanctions Regulations, 87 FR 78470
(Dec. 21, 2022).
---------------------------------------------------------------------------
At the same time, there are bounds to the uses of BOI by financial
institutions under the final rule. As a threshold matter, the use of
BOI should be directly
[[Page 88757]]
related to a financial institution's compliance with a legal obligation
that is designed to counter money laundering or the financing of
terrorism, or to safeguard the national security of the United States.
For example, the final rule does not permit financial institutions to
use BOI from FinCEN in assessing whether to extend credit to a legal
entity, or in establishing the price of that credit, when credit
decisions are unrelated to AML/CFT or national security purposes.
Moreover, FinCEN does not consider general business or commercial uses
of BOI, such as client development, to be consistent with AML/CFT or
national security purposes.
The broader approach taken in the final rule is motivated by both
legal and policy considerations. First, FinCEN is persuaded that both
the statutory framework and congressional intent are properly read to
encompass uses broader than compliance with the 2016 CDD Rule. The CTA
provision governing the 2016 CDD Rule revisions directs that the
revised rule needs to take into account financial institution access to
BOI ``to facilitate the compliance of those financial institutions with
anti-money laundering, countering the financing of terrorism, and
customer due diligence requirements under applicable law.'' \133\ The
Sense of Congress similarly states that BOI should be available to
``facilitate the compliance of the financial institutions with anti-
money laundering, countering the financing of terrorism, and customer
due diligence requirements under applicable law.'' \134\ This
terminology is broader than a reference to the 2016 CDD Rule. Moreover,
commenters correctly point out that the CTA's specific references to
the 2016 CDD Rule contrast with those more general references to
customer due diligence requirements elsewhere in the CTA.\135\
---------------------------------------------------------------------------
\133\ CTA, section 6402(d)(1)(B).
\134\ CTA, section 6402(6).
\135\ CTA, section 6403(d)(1).
---------------------------------------------------------------------------
Second, as noted by many commenters, the revised approach will
further the overarching purposes of the CTA to combat illicit activity
by enabling financial institutions to use BOI for AML/CFT and national
security purposes. The revised approach will allow a financial
institution to integrate and leverage BOI obtained from FinCEN with
other information that the financial institution uses for their full
range of customer due diligence activities. It will also reduce the
burdens on financial institutions in handling and using BOI, and
correspondingly, increase its practical value.
The final rule also authorizes FinCEN to disclose BOI to a broader
range of financial institutions consistent with the revised approach
taken with respect to the meaning of ``customer due diligence
requirements under applicable law.'' Accordingly, MSBs and other
financial institutions with AML program requirements, such as casinos,
along with ``covered financial institutions'' as defined in the 2016
CDD Rule, would be eligible under the final rule to access the database
subject to appropriate security and confidentiality protocols. The
final rule, however, accords FinCEN with discretion regarding the scope
and timing of access by financial institutions. The CTA does not direct
FinCEN to provide access to financial institutions, but rather states
that FinCEN ``may disclose'' BOI to qualifying financial institutions,
consistent with the CTA's security, confidentiality, and provisions
regarding the usefulness of the database.\136\ The final rule, 31 CFR
1010.955(b)(4)(i), likewise preserves this discretion accorded to
FinCEN.
---------------------------------------------------------------------------
\136\ 31 U.S.C. 5336(c)(2)(B).
---------------------------------------------------------------------------
In the exercise of this discretion, FinCEN intends to provide
access as an initial matter to financial institutions that are covered
financial institutions under the 2016 CDD Rule. The initial focus on
covered financial institutions under the 2016 CDD Rule will allow
FinCEN to work towards timely access for those institutions with
comprehensive security and confidentiality protocols and compliance and
supervisory frameworks regarding the use of that information, while
working to further evaluate whether it is appropriate and feasible to
expand access to other financial institutions, such as MSBs or casinos,
after an initial implementation period.
Against the backdrop of the comments received on this provision,
FinCEN notes that two core considerations motivate access: the
importance of BOI access for effective AML/CFT compliance and the need
for security and confidentiality in the handing and use of such BOI.
There are estimated to be over 300,000 financial institutions regulated
under the BSA that are diverse in size, business types, complexity, and
supervisory and regulatory frameworks, in particular, with differences
in security and confidentiality requirements. Covered financial
institutions under the 2016 CDD Rule are subject to the Gramm-Leach-
Bliley security requirements and a national supervisory framework with
respect to implementation of those requirements. In contrast, other
financial institutions that are not subject to the 2016 CDD Rule, such
as casinos, MSBs, and dealers in precious metals, precious stones, or
jewels, are subject to more fragmented security standards that require
additional time to evaluate and determine the extent to which standards
and oversight mechanisms are required. Along with the development of
new, and additional, standards, FinCEN will need to identify and
implement additional outreach, help desk training, audit, oversight and
other resources to ensure that this larger group of financial
institutions complies with the security, confidentiality, and use
requirements under the final rule. Lastly, FinCEN will continue to
evaluate the usefulness of BOI access to particular industry sectors
based on a range of factors, e.g., which financial institutions with
AML program requirements have legal entity customers,\137\ the size of
this customer base, and the related illicit finance risks, as it
considers further expanding access to additional financial
institutions.
---------------------------------------------------------------------------
\137\ As defined at 31 CFR 1010.230(e).
---------------------------------------------------------------------------
b. Regulatory Agencies
1. Scope of Regulatory Agency Access to BOI
Proposed Rule. The CTA authorizes Federal functional regulators and
``other appropriate regulatory agencies'' to access ``the information''
previously made available to financial institutions subject to customer
due diligence requirements under applicable law.\138\ Consistent with
this provision, proposed 31 CFR 1010.955(b)(4)(ii) would allow FinCEN
to disclose BOI that has been previously provided to a financial
institution to a ``Federal functional regulator or other appropriate
regulatory agency'' if the regulator requests it, is authorized by law
to assess, supervise, enforce, or otherwise determine the compliance of
such financial institution with ``customer due diligence requirements
under applicable law'' (proposed Sec. 1010.955(b)(4)(ii)(A)); will use
the BOI solely for that purpose (proposed Sec. 1010.955(b)(4)(ii)(B));
and has entered into an agreement with FinCEN to properly safeguard BOI
(proposed Sec. 1010.955(b)(4)(ii)(C)). As discussed in the preceding
section (III.C.iv.a), in view of the proposed rule's approach towards
the phrase ``customer due diligence requirements under applicable
law,'' Federal functional regulators and other regulatory agencies
would have been authorized to access BOI only to assess, supervise,
enforce, or otherwise
[[Page 88758]]
determine a financial institution's compliance with 31 CFR 1010.230.
---------------------------------------------------------------------------
\138\ 31 U.S.C. 5336(c)(2)(C).
---------------------------------------------------------------------------
Comments Received. Two commenters raised concerns that the
limitations on access for regulators were overly restrictive. The
comments argued that the proposed rule did not adequately justify why
supervisory access should be limited for the sole purpose of
determining financial institution compliance with the requirements of
31 CFR 1010.230, and that regulators should have access to the database
to assess a financial institution's compliance with customer due
diligence obligations over which regulators broadly have regulatory
authority.\139\
---------------------------------------------------------------------------
\139\ This commenter supported FinCEN's separate statement in
the NPRM, 87 FR at 77411, that regulators engaged in national
security or law enforcement activities would be able to access BOI
under proposed 31 CFR 1010.955(b)(1) in addition to proposed 31 CFR
1010.955(b)(4)(ii), subject to specific conditions and limitations.
The commenter viewed this position as partly correcting the
limitation of regulatory access to supervising compliance with Sec.
1010.230.
---------------------------------------------------------------------------
In contrast, one commenter noted skepticism as to whether Federal
or state regulators even needed to access the BOI database if financial
institutions would not be subject to a requirement to use the database.
Absent such a requirement, the commenter noted that financial
institutions would likely obtain beneficial ownership information
directly from their customers under the 2016 CDD Rule. The commenter
further stated that financial institutions should not be responsible
for resolving any discrepancies between the BOI reported to FinCEN and
the BOI that financial institutions received from their customers.
Final Rule. FinCEN retains proposed 31 CFR 1010.955(b)(4)(ii) in
the final rule, but the scope of this provision has changed. In light
of the revised approach to the phrase ``customer due diligence
requirements under applicable law'' in 31 CFR 1010.955(b)(4)(i), Sec.
1010.955(b)(4)(ii)(A) now provides access to BOI obtained from FinCEN
to those regulatory agencies that ``assess, supervise, enforce, or
otherwise determine'' compliance of financial institutions with AML/
CFT- or national security-related legal requirements for which BOI
access is reasonably necessary. Relatedly, final rule Sec.
1010.955(b)(4)(ii)(B)--which also remains identical to the proposed
rule--prescribes that regulatory agencies can now use that BOI obtained
from FinCEN to conduct ``the assessment, supervision, or authorized
investigation'' in connection with a financial institution's use of BOI
obtained from FinCEN to comply with legal requirements to counter money
laundering or the financing of terrorism, or to safeguard the national
security of the United States. FinCEN does not expect the number of
regulatory agencies with access to BOI under this provision to change
significantly under the final rule's approach, but believes that the
supervisory scope will be better matched to effectively supervise
financial institutions for AML program implementation. Supervisory
agencies that seek to retrieve BOI under Sec. 1010.955(b)(4)(ii)(A)
and (B) will continue to be required to enter into an agreement with
FinCEN for such access under final rule Sec. 1010.955(b)(4)(ii)(C).
FinCEN adopts this provision without change, consistent with the CTA
itself.\140\
---------------------------------------------------------------------------
\140\ 31 U.S.C. 5336(c)(2)(C)(iii).
---------------------------------------------------------------------------
FinCEN regards the comment which stated that regulatory access to
the BOI database under these provisions will have no value if financial
institution use of BOI obtained from FinCEN is not mandatory as
incorrect in its understanding. First, the CTA expressly requires
FinCEN to provide Federal functional regulators or other appropriate
regulatory agencies with access to BOI provided to a financial
institution.\141\ It is true that if financial institutions in fact do
not access BOI, regulatory access will be commensurately limited. But
less access does not mean no utility: at the very least, regulatory
agencies will be able to use their access to gauge the intensity of
financial institution use of BOI, and therefore regulatory agency
access will aid their understanding of financial institution activity.
Likewise, as a policy matter, if financial institutions were to access
BOI, supervisory agencies should have access to the same BOI for
supervisory purposes to better understand the use and handling of BOI
obtained from by financial institutions.
---------------------------------------------------------------------------
\141\ 31 U.S.C 5336(c)(2)(C).
---------------------------------------------------------------------------
FinCEN notes, however, that neither the CTA nor the final rule
requires financial institutions to access the BOI database. Under the
final rule, the decision whether to access the database is left to the
discretion of financial institutions, with the understanding that
financial institutions that choose to access the BOI database will make
use of such access subject to the use limitations and security and
confidentiality requirements of the final rule itself. Accordingly,
FinCEN notes that the final rule neither creates nor establishes
supervisory expectations with respect to whether and the extent to
which financial institutions access the BOI database, or report
discrepancies between the BOI obtained from the database and BOI the
financial institution may collect through other channels, including,
for example, directly from its customers under the 2016 CDD Rule. In
summary, the final rule does not create a new regulatory requirement
for financial institutions to access BOI from the BO IT System or a
supervisory expectation that they do so. The final rule also does not
make any changes to the requirements of the 2016 CDD Rule. As such, the
Access Rule does not necessitate changes to BSA/AML compliance programs
designed to comply with the (unchanged) 2016 CDD Rule, and other
existing BSA requirements, such as customer identification program
requirements,\142\ and suspicious activity reporting.\143\ However, any
access to and use of BOI obtained from the BO IT System must comply
with the requirements of the CTA and the Access Rule. FinCEN will
address whether, and if so how, financial institutions should access
BOI for CDD Rule compliance purposes in its revision of the 2016 CDD
Rule.
---------------------------------------------------------------------------
\142\ 31 CFR 1010.220.
\143\ 31 CFR 1010.320.
---------------------------------------------------------------------------
2. Meaning of ``Other Appropriate Regulatory Agencies''
Proposed Rule. Proposed 31 CFR 1010.955(b)(4)(ii) would permit
FinCEN to disclose BOI to either a ``Federal functional regulator'' or
an ``other appropriate regulatory agency . . . [that] assessed,
supervised, enforced, or otherwise determined the compliance of such
financial institution with customer due diligence requirements under
applicable law.'' While ``Federal functional regulator'' is a defined
term,\144\ the proposed rule did not define ``other appropriate
regulatory agency.'' \145\ The preamble, however, provided illustrative
examples, and invited comment. For example, the preamble noted that
``other appropriate regulatory agencies'' could ``include State banking
regulators,'' \146\ but that it was ``unclear'' whether SROs registered
with or designated by a Federal functional regulator (i.e., qualifying
SROs) should be considered ``other appropriate regulatory agencies''.
---------------------------------------------------------------------------
\144\ 31 CFR 1010.100(r). Under this definition, the Federal
functional regulators are the Board of Governors of the Federal
Reserve System (FRB), the Office of the Comptroller of the Currency
(OCC), the Federal Deposit Insurance Corporation (FDIC), the Office
of Thrift Supervision, the NCUA, the SEC, and the CFTC.
\145\ 87 FR at 77416.
\146\ Id.
---------------------------------------------------------------------------
Comments Received. Several comments requested that FinCEN define
``other appropriate regulatory agency'' to
[[Page 88759]]
include specified entities. Three commenters suggested that state
regulatory agencies be expressly included. These commenters variously
recommended that the term ``State bank supervisor,'' as used in the AML
Act,\147\ state credit union regulators, and other state supervisory
authorities should be expressly incorporated into the meaning of
``other appropriate regulatory agency'' in order to ensure consistent
database access for state regulators supervising customer due diligence
compliance and to avoid confusion. Another commenter argued that some
SROs, including FINRA, should be considered to be ``other appropriate
regulatory agencies,'' given that those SROs have broad AML/CFT
oversight and that limiting SRO access to BOI would undermine the CTA's
objectives.
---------------------------------------------------------------------------
\147\ See AML Act, section 6003(8), 6304 (cross-referencing 12
U.S.C. 1813); 12 U.S.C. 1813(r)(1) (``The term `State bank
supervisor' means any officer, agency, or other entity of any State
which has primary regulatory authority over State banks or State
savings associations in such State.'').
---------------------------------------------------------------------------
Final Rule. The final rule does not provide the specificity in the
regulatory definition of ``other appropriate regulatory agencies''
requested by commenters given that the rule provides sufficient clarity
regarding the agencies that are entitled to BOI access under Sec.
1010.955(b)(4)(ii).\148\ FinCEN notes that ``State bank supervisors,''
as defined in the AML Act, as well as state credit union regulators and
other state supervisory authorities that meet the criteria of the final
rule may have access to the BOI database. Moreover, the term ``other
appropriate regulatory agency'' does not include SROs because the term
``agency'' is generally understood to mean a governmental entity,
rather than a private organization regardless of whether it performs
governmental functions.149 150 FinCEN recognizes that SROs
perform critical oversight functions with respect to AML/CFT
compliance. The final rule retains the ability for qualifying SROs to
receive BOI redisclosed to them from a financial institution or Federal
functional regulator under Sec. 1010.955(c)(2)(iii) and (iv).
---------------------------------------------------------------------------
\148\ 31 U.S.C. 5336(c)(2)(C).
\149\ See, e.g., 5 U.S.C. 551(1) (`` `agency' means each
authority of the Government of the United States . . .'').
\150\ See, e.g., In re William H. Murphy & Co., SEC Release No.
34-90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that
FINRA ``is not a part of the government or otherwise a [S]tate
actor'' to which constitutional requirements apply).
---------------------------------------------------------------------------
3. Redisclosure of BOI to SROs
Proposed Rule. Proposed Sec. 1010.955(c)(2)(iii) and (iv) \151\
would allow financial institutions and Federal functional regulators to
re-disclose BOI obtained from the BOI database to a qualifying SRO
provided that it meets the requirements of proposed Sec.
1010.955(b)(4)(ii). Under this provision, the qualifying SRO would have
had to be authorized by law to determine compliance with customer due
diligence requirements under appliable law; it would have been able to
use BOI obtained from FinCEN only to determine such compliance; and it
would have had to enter into an agreement with FinCEN to safeguard the
information. The proposed rule noted that qualifying SROs play an
important role, working under oversight of Federal functional
regulators, in assessing, supervising, and enforcing compliance with
customer due diligence requirements under applicable law, among other
requirements.\152\
---------------------------------------------------------------------------
\151\ These provisions are discussed in greater depth in section
III.D.ii.
\152\ 87 FR at 77416.
---------------------------------------------------------------------------
Comments Received. One commenter agreed that it is sufficient for
qualifying SROs to receive BOI obtained from FinCEN through the re-
disclosure provisions given the limited purposes for which that BOI
could be used by regulators. However, the commenter noted that those
limitations were too narrow and could interfere with other SRO
oversight responsibilities, including investigations of fraud and other
illicit activity.\153\ Another commenter suggested that any SRO with
market regulation functions, regardless of whether registered with or
designated by a Federal functional regulator--beyond the two qualifying
SROs (FINRA and NFA) specifically named in the NPRM--be permitted to
receive BOI obtained from the BO IT system by financial
institutions.\154\
---------------------------------------------------------------------------
\153\ The SRO also expressed concern that the proposed rule
could be interpreted to prohibit financial institutions from
collecting BOI or similar information from any source other than the
BOI database. FinCEN does not believe that this is a reasonable
reading of the regulatory text and thus does not believe the text
needs revision. Regardless, to avoid any confusion, FinCEN clarifies
that this rule does not restrict SROs' ability to acquire BOI from
other sources.
\154\ This commenter cited the CME Group as one example of an
SRO that should have such access. CME Group, however, is an SRO that
has been designated by a Federal functional regulator (CFTC)
pursuant to Federal statute, i.e., a qualifying SRO. See, e.g.,
CFTC, Final Rule, Financial Surveillance Examination Program
Requirements for Self-Regulatory Organizations, 84 FR 12882, 12884
n. 22 (Apr. 3, 2019). Thus, these provisions would not prohibit
financial institutions or Federal functional regulators from
redisclosing BOI to the CME Group if the provisions' other
requirements were met.
---------------------------------------------------------------------------
Final Rule. FinCEN is adopting Sec. 1010.955(c)(2)(iii) and (iv)
as proposed.\155\ In light of the revised approach to the scope of
``customer due diligence requirements under applicable law,'' however,
qualifying SROs would be able to use BOI redisclosed to them to conduct
``the assessment, supervision, or authorized investigation'' in
connection with a financial institution's use of BOI obtained from
FinCEN to comply with legal requirements to counter money laundering or
the financing of terrorism, or to safeguard the national security of
the United States. Even if the CTA could be read to permit qualifying
SROs to use BOI for purposes beyond these under the re-disclosure
provision, however, such an approach would be inconsistent with the use
limitations imposed on Federal functional regulators and other
appropriate regulatory agencies and the CTA's emphasis on safeguarding
BOI.
---------------------------------------------------------------------------
\155\ Comments regarding re-disclosure under Sec.
1010.955(c)(2) more broadly are discussed in section III.D.ii FinCEN
has made several changes to proposed Sec. 1010.955(c)(2) in
response to these comments, but these changes do not include any
alterations to Sec. 1010.955(c)(2)(iii) or (iv).
---------------------------------------------------------------------------
FinCEN also is not extending the re-disclosure provisions to SROs
that have not registered with or been designated by a Federal
functional regulator. Qualifying SROs exercise unique regulatory
authority within the framework of Federal law and under the oversight
of Federal functional regulators to assess, supervise, and enforce
financial institution compliance with customer due diligence and other
requirements.156 157 In light of their unique role, and the
oversight provided by the Federal functional regulators, in particular,
with respect to security and confidentiality requirements, FinCEN
determined that qualifying SROs are appropriate authorized recipients
for BOI re-disclosures under FinCEN's discretionary authority. In
contrast, non-qualifying SROs do not play the same unique role within
the Federal regulatory framework and are not subject to the same
extensive government oversight as qualifying SROs.
---------------------------------------------------------------------------
\156\ See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2-
9(c)(5).
\157\ See, e.g., Scottsdale Cap. Advisors Corp., 844 F.3d at 418
(``Before any FINRA rule goes into effect, the SEC must approve the
rule and specifically determine that it is consistent with the
purposes of the Exchange Act. The SEC may also amend any existing
rule to ensure it comports with the purposes and requirements of the
Exchange Act.'' (citations omitted); Birkelbach, 751 F.3d at 475
(``A [FINRA] member can appeal the disposition of a FINRA
disciplinary proceeding to the SEC, which performs a de novo review
of the record and issues a decision of its own.'').
---------------------------------------------------------------------------
v. Department of the Treasury Access
a. Disclosure to Officers or Employees of the Department of the
Treasury
Proposed Rule. Proposed 31 CFR 1010.955(b)(5)(i) permits officers
or
[[Page 88760]]
employees of the U.S. Department of the Treasury to access BOI when
official duties require such inspection or disclosure, subject to
internal procedures and safeguards.
Comments Received. Multiple comments supported the proposed access
for Treasury officers and employees. Commenters suggested a few
clarifications, e.g., listing the official duties that justify access
such as Treasury's role in auditing and reporting on BOI. Other
comments suggested that FinCEN should apprise the public of, or
clarify, the internal Treasury procedures to ensure the confidentiality
and security of BOI. Some commenters proposed that BOI be treated as
``return information'' subject to the same protections as tax
information under 26 U.S.C. 6103, particularly when it is obtained by
IRS. One commenter stated that there should be coordinating regulations
issued to ensure that BOI disclosed to Treasury's officers and
employees, including those at the IRS, is ``protected to at least the
same degree'' as BOI that is disclosed to other agencies and that these
regulations should be coordinated with 26 U.S.C. 6103.\158\
---------------------------------------------------------------------------
\158\ The commenter also requested clarification on the sharing
of BOI by Treasury with state or foreign requesters for tax
administration purposes, as well as how FinCEN would ensure that any
BOI shared is adequately protected. FinCEN notes that state-level
and foreign requesters will obtain BOI pursuant to other provisions
of 31 CFR 1010.955(b)--specifically, 31 CFR 1010.955(b)(2) and
(b)(3). In contrast, 31 CFR 1010.955(b)(5) is specific to access by
officers or employees of the Department of the Treasury;
1010.955(b)(5) does not itself authorize these Treasury officers or
employees to share BOI with state or foreign requestors for tax
administration purposes. 31 CFR 1010.955(d) provides security and
confidentiality requirements for BOI shared with state or foreign
requestors pursuant to (b)(2) and (b)(3).
---------------------------------------------------------------------------
Final Rule. FinCEN adopts the proposed rule. FinCEN declines to add
to the rule a list of official duties that would require access to BOI
because those duties may change over time, and because, consistent with
the CTA, Treasury access to BOI will be governed by internal procedures
and safeguards. As noted in the proposed rule, however, FinCEN expects
that Treasury officers and employees will access and use BOI for a
range of appropriate purposes, including: tax administration,
enforcement actions, intelligence and analytical purposes, use in
sanctions -related investigations, and identifying property blocked
pursuant to sanctions, as well as for administration of the BOI
framework, such as for audits, enforcement, and oversight. This will
include access to BOI necessary to complete the reports required by
section 6502 of the AML Act and audit and oversight activities,
including access by the Treasury OIG. FinCEN will work with other
Treasury components to establish internal policies and procedures
governing Treasury officer and employee access to BOI. These policies
and procedures will ensure that FinCEN discloses BOI only to Treasury
officers or employees with official duties requiring BOI access, or for
tax administration.
Furthermore, FinCEN does not believe that BOI reported to it is
``return information'' subject to the disclosure limitations on tax-
related information under the Internal Revenue Code (26 U.S.C. 6103).
Since BOI is information reported to FinCEN to fulfill a reporting
requirement under Title 31 of the United States Code, it does not fall
within the definition of ``return information'' at 26 U.S.C.
6103(b)(2), which is defined to include information received by the
Secretary in connection with determining ``a person's liability (or the
amount thereof) . . . under this title''--i.e., Title 26 containing the
Internal Revenue Code. The CTA instead provides particular security and
confidentiality requirements to govern the protection and disclosure of
BOI, which this final rule implements.
In accordance with the detailed security and confidentiality
requirements in the CTA, the final rule expressly imposes robust
requirements on ``requesting agencies'' outside of the Treasury
Department. Similarly, Treasury access to BOI will be governed by
internal procedures and safeguards consistent with the CTA. FinCEN
anticipates that these internal procedures and safeguards will be
comparable to, and include elements of, the security and
confidentiality requirements in 31 CFR 1010.955(d)(1) taking into
account Treasury's unique role in administering the BO IT system and
framework. Officers and employees identified as having duties
potentially requiring access to BOI would receive training on, among
other topics, determining when their duties require access to BOI, what
they can do with the information, and how to handle and safeguard it.
Their activities would also be subject to audit.
b. Disclosure for Tax Administration Purposes
Proposed Rule. Proposed 31 CFR 1010.955(b)(5)(ii) permits
disclosure of BOI to officers or employees of the Department of the
Treasury for tax administration as defined in 26 U.S.C. 6103(b)(4),
subject to internal procedures and safeguards.
Comments Received. Several commenters suggested that use of BOI for
tax administration purposes should be further clarified. Comments asked
for greater specificity on tax administration uses, and one commenter
requested clarification on the ``analytical'' use of BOI referenced in
the NPRM, as applied to tax administration. Another commenter stated
that use by Treasury should be limited to the purposes of the CTA.
Final Rule. FinCEN adopts the proposed rule. As explained in the
NPRM, FinCEN interprets the term ``tax administration,'' as employed in
the CTA, to have the meaning provided for in 26 U.S.C. 6103(b)(4).
Accordingly, in the context of tax administration, use of BOI in an
``analytical'' capacity would be delimited by this definition. Further,
as explained in the NPRM, FinCEN believes that adopting the 26 U.S.C.
6103(b)(4) definition of tax administration is appropriate because
Treasury officers and employees who administer tax laws are already
familiar with it and have a clear understanding of the activity it
covers. FinCEN also believes the definition is broad enough to avoid
inadvertently excluding a tax administration-related activity that
would be undermined by lack of access to BOI. In response to the
proposal that FinCEN limit access to matters within the scope of the
CTA, FinCEN declines to make this proposed amendment and notes that the
CTA specifically provides that officers and employees of the Treasury
may obtain access to beneficial ownership information for ``tax
administration purposes'' generally.
vi. Other Disclosures and Related Issues
Proposed Rule. Consistent with the CTA, proposed 31 CFR 1010.955(b)
limits disclosure of BOI by FinCEN, and corresponding access to BOI, to
certain categories of recipients. The NPRM included a question for
comment about whether there are additional circumstances not reflected
in this proposed rule when the CTA would authorize FinCEN to disclose
BOI.
Comments Received. Commenters suggested additional categories of
authorized recipients and additional recipients within categories
already proposed in the NPRM. Within government channels, commenters
proposed that FinCEN should make BOI available to public authorities
involved in public procurement at both the Federal and state level and
to those with audit authority over BOI--the Government Accountability
Office (GAO) and Treasury OIG. Commenters also stated that additional
financial institutions should have access to BOI, including money
services businesses (MSBs). Another commenter, however,
[[Page 88761]]
asked for confirmation that financial institutions with access to BOI
will be limited to ``covered financial institutions'' as defined in 31
CFR 1010.230(f). Several commenters stated that real estate
professionals, such as land title agencies and real estate settlement
agents, should be permitted to access BOI. These commenters stated such
access would facilitate compliance with laws regarding foreign
ownership of agricultural land and FinCEN's real estate geographic
targeting orders (GTOs), among other common business practices.
Commenters also stated that entities that assist financial institutions
with customer due diligence and beneficial ownership data analysis,
such as regulatory technology (RegTech) firms and beneficial ownership
data service providers, should be able to access and request BOI from
FinCEN on behalf of a financial institution. One commenter noted that
such entities are ``contractors'' or ``agents'' of financial
institutions. Another commenter noted that access should be broadened
to include non-governmental organizations, journalists, and eventually
the public, to align with global standards.
Several commenters asked whether and how BOI would be authenticated
before disclosure for purposes of a proceeding governed by rules of
evidence. Two commenters focused their concern on authentication in
foreign courts, focusing on a statement in the preamble to the NPRM
regarding the authentication of BOI in international sharing
arrangements. That statement indicated that ``[w]here a request for BOI
includes a request that the information be authenticated for use in a
legal proceeding in the foreign country making the request, FinCEN may
establish a process for providing such authentication via MOU with the
relevant intermediary Federal agency.'' These commenters conveyed that
FinCEN should issue a blanket rule authorizing all Federal agencies
that transmit BOI to authenticate such records, rather than doing so
through ad hoc agreements.
One of the same commenters asked that the rule be clarified to
allow Federal, State, local, and Tribal agencies to themselves
authenticate BOI obtained from FinCEN, rather than requiring FinCEN to
authenticate the records in each case. The commenter was concerned that
if FinCEN must certify the authenticity of these records in every case,
then it could create an administrative chokepoint that could impede
civil and criminal actions.
Final Rule. FinCEN declines to make further changes to the
categories of recipients to which BOI may be disclosed. The proposed
rule aligns with the CTA in limiting disclosure to the categories of
recipients FinCEN has already identified. The CTA does not provide for
FinCEN to disclose BOI to non-governmental organizations, journalists,
or the public.
FinCEN notes, however, that the CTA and the final rule permit
disclosure to some of the specific recipients commenters suggested
within those categories. Regarding additional disclosures for
government users, FinCEN reiterates that authorities with audit
requirements such as the GAO and Treasury OIG will have the ability to
complete these statutorily mandated activities. FinCEN anticipates
working with the GAO to ensure access to BOI as required by the
CTA,\159\ and as permitted by 31 U.S.C. 716(a).\160\ Treasury OIG will
have access to BOI under the specific CTA and final rule provision for
employees and officers of the Department of the Treasury.\161\
Regarding access for procurement-related purposes, FinCEN expects that
it will be able to disclose BOI to government agencies for such
purposes when the procurement or the review of the procurement is an
activity for which FinCEN is otherwise authorized to disclose BOI,
e.g., a national security, law enforcement, or intelligence activity.
---------------------------------------------------------------------------
\159\ See 31 U.S.C. 5336(c)(10); see also Anti-Money Laundering
Act of 2020, section 6502.
\160\ 31 U.S.C. 716(a) entitles GAO to ``obtain such agency
records as . . . require[d] to discharge [its] duties . . . .'' Only
certain foreign intelligence records and agency records
``specifically exempted from disclosure to the Comptroller General
by a statute'' fall outside this requirement. Id. at 716(d)(1).
Indeed, 31 U.S.C. 716 expressly contemplates agencies' disclosure of
confidential information to GAO, requiring GAO to ``maintain the
same level of confidentiality'' over records disclosed to it as is
required of the agency responsible for the record. Id. at 716(e)(1).
\161\ See 31 U.S.C. 5336(c)(5).
---------------------------------------------------------------------------
Discussion about which types of financial institutions will have
access to BOI is included in section III.C.iv.a. With respect to the
question of whether FinCEN may disclose BOI to RegTech firms,
beneficial ownership data service providers, due diligence vendors, or
other third-party service providers to financial institutions, FinCEN
believes that the final rule authorizes the disclosure of FinCEN BOI to
such services providers provided that they and their employees are
``agents'' or ``contractors'' of a financial institution with access to
BOI and are performing a function on behalf of the financial
institution that requires direct access to it. If a financial
institution relies on a service provider or other contractor to
request, obtain, and access BOI, the financial institution will
ultimately be responsible for the activity of any service provider or
contractor accessing BOI on its behalf. Service providers that are
agents or contractors of a financial institution authorized to access
BOI will be able to request and access BOI through accounts associated
with that financial institution. It will be the financial institution's
responsibility to ensure that its service providers or other such
contractors comply with all applicable obligations, including
requirements to protect and store BOI in compliance with the rule, and
ensuring that BOI is used for appropriate purposes. Additionally,
service providers and other contractors will not be permitted to use
the BOI accessed on behalf of a financial institution for any purpose
not authorized by the CTA or FinCEN's regulations. For example, BOI
requested by a service provider on a financial institution's behalf
cannot be integrated into downstream services that the service provider
makes accessible to other financial institutions. When requesting BOI
for a financial institution, a service provider or contractor is acting
for or on behalf of this specific financial institution; it cannot
repurpose BOI for the contractor's own use, such as data aggregation,
or for the use of other financial institutions.
Regarding authentication of BOI, FinCEN declines to add a specific
regulatory provision to address this issue. With respect to foreign
countries, foreign laws will govern what constitutes an authenticated
record in a particular legal proceeding. Many foreign countries have
developed information sharing arrangements for criminal, civil, or
other investigations or proceedings. These arrangements include Mutual
Legal Assistance Treaties (MLATs), multilateral conventions, and other
agreements that are typically consistent with a foreign country's rules
concerning authentication. In most such international arrangements, the
U.S. Department of Justice's Office of International Affairs (DOJ/OIA)
is the intermediary Federal agency that would receive information from
FinCEN and transmit it to the requesting foreign authority.
In some cases, a foreign country's laws may require FinCEN, as the
records custodian of BOI, to certify the information's authenticity.
Some foreign countries may require that DOJ/OIA certify the
authenticity of the BOI, while others still might require that both
agencies provide a certification. The preamble to the NPRM explained:
[[Page 88762]]
Where a request for BOI includes a request that the information
be authenticated for use in a legal proceeding in the foreign
country making the request, FinCEN may establish a process for
providing such authentication via MOU with the relevant intermediary
Federal agency. Such process may include an arrangement where FinCEN
searches the beneficial ownership IT system and provides the
information and related authentication to the intermediary Federal
agency consistent with the terms of the relevant MOU.\162\
---------------------------------------------------------------------------
\162\ 87 FR at 77414-15.
This approach allows for variations in the requests for
authentication that may come from foreign countries. All government
agencies obtaining BOI from FinCEN, including those transmitting BOI to
foreign countries, will be required to enter into an MOU with FinCEN in
order to ensure that all domestic agencies have appropriate protocols
in place to ensure the proper handling and use of BOI. FinCEN will take
into consideration the question of authentication in crafting its MOUs
with intermediary Federal agencies such as OIA.
FinCEN did not accept the proposal that the regulation should be
altered to allow State, local, and Tribal agencies to themselves
authenticate BOI they obtain from FinCEN, that is, without obtaining a
certificate of authenticity or other form of evidentiary authentication
from FinCEN. The authentication of evidence depends on the operation of
applicable law. For example, state-level rules of evidence often
require documents maintained by Federal agencies to be authenticated by
the affixing of the official seal of the agency, a statement or
testimony by a designated custodian of those records by the agency, or
some other certification of authenticity by the agency.\163\ Each
jurisdiction has its own applicable rules of evidence, however, and may
not require certification by a Federal agency. FinCEN declines to issue
a blanket rule on authentication, as such a rule would be hard to craft
given the variation in State, local, and Tribal procedures and would
invite needless confusion on the interaction between State, local, or
Tribal rules of evidence and FinCEN's rule. FinCEN believes that
existing laws will suffice to provide for authentication of BOI.
---------------------------------------------------------------------------
\163\ See, e.g., Fed. R. Evid. 902(1)-(2), (4).
---------------------------------------------------------------------------
D. Use of Information
i. Use of Information by Authorized Recipients
Proposed Rule. Proposed 31 CFR 1010.955(c)(1) provided generally
that authorized recipients shall use BOI received from FinCEN ``only
for the particular purpose or activity for which such information was
disclosed,'' unless otherwise authorized by FinCEN. In the unique case
of a Federal agency that receives information pursuant to 31 CFR
1010.955(b)(3) (Disclosure for Use in Furtherance of Foreign National
Security, Intelligence, or Law Enforcement Activity), the rule more
specifically provided that the Federal agency shall only use it to
facilitate a response to that foreign request for assistance. In other
words, the proposed rule limits the use of BOI by an intermediary
Federal agency to facilitating a response to a proper request for BOI
from a foreign requester.
Comments Received. One commenter suggested deleting the word
``only'' from proposed 31 CFR 1010.955(c)(1) and adding language that
would allow BOI to be used for any CTA-authorized purpose for that
agency once FinCEN disclosed it. This commenter raised practical
concerns about the restriction that BOI obtained from FinCEN only be
used for the particular purpose or activity for which the information
was disclosed, noting that this could lead to multiple requests to
FinCEN for the same information by the same agency. They then provided
the example of a Federal functional regulator obtaining BOI, and then
realizing it would be critical for a legal action.
Final Rule. FinCEN adopts the proposed rule with two revisions to
the first sentence of 31 CFR 1010.955(c)(1). First, FinCEN amends this
sentence to begin ``[e]xcept as permitted under paragraph (c)(2) of
this section,'' instead of ``[u]nless otherwise authorized by FinCEN.''
Second, FinCEN has added the phrase ``shall not further disclose such
information to any other person'' to this sentence, so that the first
sentence of 31 CFR 1010.955(c)(1) of the final rule reads: ``Except as
permitted under paragraph (c)(2) of this section, any person who
receives information disclosed by FinCEN under paragraph (b) of this
section shall not further disclose such information to any other
person, and shall use such information only for the particular purpose
or activity for which such information was disclosed.''
Both of these newly added phrases were (with minor, non-substantive
differences) previously contained in proposed 31 CFR
1010.955(c)(2)(ix), the last provision of proposed Sec. 1010.955(c),
and establish that recipients of BOI under Sec. 1010.955(b) may only
re-disclose that BOI when authorized under Sec. 1010.955(c)(2). Given
the importance of this limitation to BOI use generally, FinCEN
determined that this text should be given greater prominence at the
beginning, rather than placed at the end, of Sec. 1010.955(c)'s
provisions governing the use of BOI.\164\ FinCEN also continues to
believe that limiting the use of BOI by authorized recipients to the
``particular purpose or activity for which such information was
disclosed'' is necessary to reflect the general expectation in the CTA
that authorized recipients should not obtain BOI for one authorized
activity and then use it for another, unrelated purpose. Thus, for
example, a Federal agency officer, employee, contractor, or agent who
obtains BOI from FinCEN for use in furtherance of national security
activity would be authorized to use that BOI only for the particular
national security activity for which the request was made. With respect
to the commenter's suggestion to delete the word ``only'' from this
paragraph, FinCEN believes such a change is unnecessary. With respect
to the commenter's suggestion to add language to allow BOI to be used
for any CTA-authorized purpose for that agency, FinCEN declines to
adopt this suggestion. FinCEN believes that such an authorization would
be overbroad and would run counter to the disclosure framework and
oversight, audit, and access protocols of the CTA and the proposed
rule. Further, as described in proposed 31 CFR 1010.955(c)(2), FinCEN
has proposed to allow the re-disclosure of BOI in certain specified
circumstances to further the goals of the CTA, subject to applicable
security and confidentiality requirements.
---------------------------------------------------------------------------
\164\ As discussed below in section III.D.ii.e. (Re-Disclosure
with Written Consent of FinCEN), FinCEN's decision to move this
language to 31 CFR 1010.955(c)(1) was also based in part on FinCEN's
consideration of a commenter recommending an alteration to proposed
1010.955(c)(2)(ix).
---------------------------------------------------------------------------
ii. Disclosure of Information by Authorized Recipients
Proposed Rule. Proposed 31 CFR 1010.955(c)(1) would establish a
blanket prohibition on the ``re-disclosure'' of BOI by an authorized
recipient unless such disclosure is authorized by FinCEN. However,
provided that the authorized recipient abides by applicable security
and confidentiality requirements, the proposed rule would permit
authorized recipients to re-disclose BOI in eight circumstances, as
summarized here:
1. Officers, employees, contractors, or agents of a Federal, State,
local or Tribal agency may disclose BOI to other officers, employees,
contractors, or agents within the same organization for the particular
purpose or activity for which the BOI was requested (proposed Sec.
1010.955(c)(2)(i)).
2. Officers, employees, contractors, or agents of a financial
institution may
[[Page 88763]]
disclose BOI to other officers, employees, contractors, or agents
within the United States of the same financial institution for the
particular purpose or activity for which the BOI was requested
(proposed Sec. 1010.955(c)(2)(ii)).
3. Officers, employees, contractors, or agents of a financial
institution may disclose BOI to the financial institution's Federal
functional regulator, a self-regulatory organization that is registered
with or designated by a Federal functional regulator pursuant to
Federal statute, or other appropriate regulatory agency, that meets the
requirements identified in proposed 31 CFR 1010.955(b)(4)(ii)(A)
through (C) (proposed Sec. 1010.955(c)(2)(iii)).\165\
---------------------------------------------------------------------------
\165\ Proposed 31 CFR 1010.955(b)(4)(ii)(A) through (C) provide
that the agency--
``(A) [i]s authorized by law to assess, supervise, enforce, or
otherwise determine the compliance of such financial institution
with customer due diligence requirements under applicable law; (B)
[w]ill use the information solely for the purpose of conducting the
assessment, supervision, or authorized investigation or activity
described in paragraph (b)(4)(ii)(A) of this section; and (C) [h]as
entered into an agreement with FinCEN providing for appropriate
protocols governing the safekeeping of the information.''
---------------------------------------------------------------------------
4. Any officer, employee, contractor, or agent of a Federal
functional regulator may disclose BOI to a self-regulatory organization
that is registered with or designated by the Federal functional
regulator, provided that the self-regulatory organization meets the
requirements of proposed 31 CFR 1010.955(b)(4)(ii)(A) through (C)
(proposed Sec. 1010.955(c)(2)(iv)).
5. Any officer, employee, contractor, or agent of a Federal agency
that receives BOI from FinCEN after requesting it on behalf of a
foreign authority pursuant to proposed Sec. 1010.955(b)(3) may
disclose the BOI to the foreign person on whose behalf the Federal
agency made the request (proposed Sec. 1010.955(c)(2)(v)).
6. Any officer, employee, contractor, or agent of a Federal agency
engaged in a national security, intelligence, or law enforcement
activity, or any officer, employee, contractor, or agent of a State,
local, or Tribal law enforcement agency may disclose BOI to a court of
competent jurisdiction or parties to a civil or criminal proceeding
(proposed Sec. 1010.955(c)(2)(vi)).
7. Any officer, employee, contractor, or agent of a Federal agency
that receives BOI from FinCEN pursuant to 31 CFR 1010.955(b)(1)
(Federal agencies engaged in national security, intelligence, or law
enforcement activity), (b)(4)(ii) (Federal functional regulators or
other appropriate regulatory agencies), or (b)(5) (The Department of
the Treasury) may disclose BOI to the United States Department of
Justice for purposes of making a referral to the Department of Justice
or for use in litigation related to the activity for which the
requesting agency requested the information (proposed Sec.
1010.955(c)(2)(vii)).
8. A foreign authority specified in proposed Sec. 1010.955(b)(3)
may disclose and use BOI consistent with the international treaty,
agreement, or convention under which the request for BOI was made
(proposed Sec. 1010.955(c)(2)(viii)).
In addition to these eight circumstances, the proposed rule
contains a catch-all, proposed 31 CFR 1010.955(c)(2)(ix), that would
permit FinCEN to authorize the re-disclosure of BOI by an authorized
recipient, so long as the re-disclosure is for an authorized purpose.
To this end, proposed 31 CFR 1010.955(c)(2)(ix) specified that, except
as described above, any information disclosed by FinCEN under proposed
31 CFR 1010.955(b) shall not be further disclosed to any other person
for any purpose without the prior written consent of FinCEN, or as
authorized by applicable protocols or guidance that FinCEN may issue.
In sum, the proposed rule would permit the re-disclosure of BOI by
authorized recipients in limited circumstances that further the core
underlying national security, intelligence, and law enforcement
objectives of the CTA while at the same time ensuring that BOI is
disclosed only where appropriate for those purposes. Generally,
authorized re-disclosures would be subject to protocols designed, as
with those applicable to initial disclosures of BOI from the BO IT
system, to protect the security and confidentiality of BOI.
a. Re-Disclosure--In General
Comments Received. Several commenters approved of the approach in
the proposed rule permitting certain broad categories of re-disclosure,
and not requiring a case-by-case determination by FinCEN. On the other
hand, several commenters felt that, as written, the scope of the
authorized re-disclosure of BOI was too limiting. One commenter
proposed that FinCEN consider creating a special ``amended request''
form for situations in which an agency or a financial institution
requests BOI and then comes back to FinCEN to request authorization to
re-disclose that BOI, rather than requiring separate requests for the
BOI and subsequent re-disclosure authorization.
Several commenters felt that the proposed re-disclosure provisions
would unduly restrict the use of the BOI. They raised concerns about
repeatedly needing to return to FinCEN for requests to use the same BOI
for one purpose, then another, in the course of, for example, a
regulatory examination. Two commenters expressed concern that the
proposed rule might not permit re-disclosure in open court.
Commenters raised several other, more specific issues related to
re-disclosure that are discussed elsewhere in this preamble.\166\
---------------------------------------------------------------------------
\166\ Such topics include re-disclosure to outside contractors
and agents, re-disclosure to state examiners, re-disclosure within a
financial institution to persons and directors responsible for
monitoring compliance with customer due diligence rules, re-
disclosure related to 314(b) sharing, and geographic limitations on
re-disclosure.
---------------------------------------------------------------------------
Final Rule. FinCEN adopts the proposed rule with several
modifications described in subsections below. Specifically, FinCEN
inserted a new 31 CFR 1010.955(c)(2)(viii) to allow a re-disclosure of
BOI by State, local, and Tribal law enforcement agencies to State,
local, and Tribal agencies for the purpose of making a referral for
possible prosecution by that agency, or for use in litigation related
to the activity for which the requesting agency requested the
information (discussed in greater detail below). FinCEN also renumbered
31 CFR 1010.955(c)(2)(ix) as 31 CFR 1010.955(c)(2)(x) to account for
the insertion of the new paragraph (c)(2)(viii) and revised the text of
that paragraph.
Concerning comments that the proposed rule might not permit re-
disclosure in open court, proposed 31 CFR 1010.955(c)(2)(vi) would
permit re-disclosure ``to a court of competent jurisdiction or parties
to a civil or criminal proceeding,'' including, in the appropriate
circumstance, in open court. Further, this rule would also permit re-
disclosure to a court of competent jurisdiction in broader settings
such as in an application for a search warrant or a warrant pursuant to
the Foreign Intelligence Surveillance Act. Thus, no changes to the
proposed rule are needed to allow for the disclosure of BOI in these
circumstances.
As to the comment that FinCEN consider an ``amended request'' form,
FinCEN will consider the appropriate process for requesting
authorization to re-disclose BOI and will issue guidance for such
requests when implementing the final rule.
b. Re-Disclosure--Law Enforcement
Proposed Rule. As described above, the proposed rule would permit
re-
[[Page 88764]]
disclosure of BOI for law enforcement purposes by Federal, State,
local, or Tribal agencies in several contexts. As relevant here, under
the proposed rule, Federal, State, local, or Tribal agencies that
receive BOI from FinCEN pursuant to a request under 31 CFR
1010.955(b)(1) or (2) would be permitted to re-disclose BOI to a court
of competent jurisdiction or parties to a civil or criminal proceeding
(proposed Sec. 1010.955(c)(2)(vi)); and agencies that receive BOI
under 31 CFR 1010.955(b)(1) (Federal agencies engaged in national
security, intelligence, or law enforcement activities), (b)(4)(ii)
(Federal functional regulators or other appropriate regulatory
agencies), or (b)(5) (the Department of the Treasury) would be
permitted to re-disclose BOI to the United States Department of Justice
(DOJ) for purposes of making a referral to DOJ or for use in litigation
related to the activity for which the requesting agency requested the
information (proposed Sec. 1010.955(c)(2)(vii)).
Comments Received. One commenter noted that State, local, and
Tribal law enforcement agencies did not have a rule analogous to Sec.
1010.955(c)(2)(vii) that would permit re-disclosure of BOI to State,
local, or Tribal prosecutors for purposes of making a case referral,
and recommended the addition of such a rule. The commenter suggested
amending proposed 31 CFR 1010.955(c)(2)(vi) to insert ``to any officer,
employee, contractor, or agent of an attorney general, district
attorney'' after the word ``jurisdiction,'' in order to enable such re-
disclosure.
Another commenter noted that, at times, law enforcement and
regulatory agencies engage in joint investigations--that is, multiple
agencies investigate a single fact pattern, sharing information among
themselves. The commenter proposed that FinCEN clarify that
authorization from FinCEN is not needed for re-disclosure within a
joint investigation.
Commenters expressed concern that the re-disclosure rules would
prevent effective use of BOI by law enforcement. For example,
authorized recipients outside of law enforcement would be prohibited
from providing the information to law enforcement without first going
to FinCEN to obtain permission to re-disclose that information. One
commenter suggested an edit to proposed 31 CFR 1010.955(c)(2)(ix), the
catch-all provision permitting FinCEN to authorize re-disclosure of
BOI, to permit an authorized recipient to disclose BOI to a Federal
agency engaged in national security, intelligence, law enforcement
activities, or a Federal regulatory agency when in the judgment of that
person re-disclosure would be in the public interest and would assist
in combatting illicit finance.
Final Rule. FinCEN modifies the proposed rule to include an
additional re-disclosure authorization for State, local, and Tribal law
enforcement agencies, what is now 31 CFR 1010.955(c)(2)(viii), as noted
above. FinCEN agrees that State, local, and Tribal law enforcement
agencies should be permitted to disclose BOI for the purpose of making
a referral to another State, local, or Tribal agency for possible
prosecution. Although such disclosures may be covered by proposed 31
CFR 1010.955(c)(2)(vi) in certain contexts, FinCEN is electing to
expand 31 CFR 1010.955(c)(2) to include a new provision, 31 CFR
1010.955(c)(2)(viii), to explicitly address such disclosures. FinCEN
declines the proposed edits to 31 CFR 1010.955(c)(2)(vi) as that
paragraph is intended to apply to active litigation matters.
FinCEN recognizes that at times agencies engage in joint
investigations; that is, multiple agencies work together on a single
investigation. Federal agencies that are a part of a task force to
target specific criminal activity, such as drug trafficking or
corruption, may also need to share BOI within the task force. In such
cases, it would be more efficient for the agencies involved to share
BOI directly among themselves instead of each agency having to
separately request the same BOI from FinCEN.\167\ FinCEN did not
include a provision permitting re-disclosure in joint investigations or
task forces in the proposed rule, but it did explicitly address joint
investigations and task forces in the preamble to the proposed rule.
There, FinCEN indicated that it would evaluate requests to share BOI in
the context of a joint investigation or task force under its
discretionary re-disclosure authority under proposed 31 CFR
1010.955(c)(2)(ix).
---------------------------------------------------------------------------
\167\ 87 FR at 77419.
---------------------------------------------------------------------------
FinCEN recognizes that sharing between agencies in the context of
joint investigations or task forces is consistent with the CTA's
direction that BOI should be used to advance law enforcement interests.
However, joint investigations and task forces come in many potential
permutations--for example, multiple Federal agencies, a mix of Federal
and state agencies, state and Tribal agencies, multiple state agencies,
etc. Each such permutation raises unique issues. For example, in a
joint investigation between Federal and state law enforcement agencies,
do the agencies have to provide FinCEN both a request from Federal law
enforcement under 31 CFR 1010.955(b)(1) and a court authorization under
31 CFR 1010.955(b)(2), or would one type of process suffice? If a
Federal law enforcement agency obtained BOI for the purpose of
investigating Federal crimes, could it re-disclose that information to
a state law enforcement agency for its purpose in investigating state
crimes? Does a task force consisting of both state and Tribal law
enforcement agencies need to obtain a court authorization from multiple
courts of competent jurisdiction, or just one? It would be difficult to
establish a regulation that would resolve all of these issues, and even
attempting to do so in a regulation runs the risk of further
complicating the issue.
For these reasons, FinCEN is not creating a specific re-disclosure
provision in 31 CFR 1010.955(c)(2) that would address these scenarios.
Instead, FinCEN will address joint investigations and task forces in
future guidance, with an eye toward issuing guidance that captures the
most common or straightforward circumstances, and in more unusual or
complex situations evaluating specific re-disclosure requests on a
case-by-case basis under its 31 CFR 1010.955(c)(2)(x) authority to
approve in writing re-disclosure of BOI in furtherance of an authorized
purpose or activity. This approach permits FinCEN greater flexibility
in crafting appropriate rules for varied circumstances.
As noted, one commenter stated that FinCEN should permit an
authorized recipient to re-disclose BOI to a Federal agency engaged in
national security, intelligence, law enforcement activities, or a
Federal regulatory agency, when in the judgment of that person, re-
disclosure would be in the public interest and would assist in
combating illicit finance. FinCEN finds such a provision to be too
vague and subjective to be implementable. The CTA prohibits re-
disclosure of beneficial ownership information except as authorized in
the protocols promulgated by regulation, thereby leaving it to FinCEN
to establish the appropriate re-disclosure rules.\168\ FinCEN is
promulgating rules to permit the re-disclosure of beneficial ownership
information under certain, limited circumstances that would further the
core underlying national security, intelligence, and law
[[Page 88765]]
enforcement objectives of the CTA while at the same time ensuring that
BOI is disclosed only where appropriate for those purposes. However,
the proposed change suggests supplementing objective standards with the
subjective judgment of any person in receipt of BOI. This proposal is
beyond the confines of the CTA's disclosure provisions. Although the
number of cases in which BOI would need to be disclosed to law
enforcement as a matter of emergency is likely to be quite low, FinCEN
will consider future guidance on this topic.
---------------------------------------------------------------------------
\168\ 31 U.S.C. 5336(c)(2)(A). The CTA appears to presume that
some re-disclosure will be permitted when it requires requesting
agencies to keep records related to their requests, including of
``any disclosure of beneficial information made by . . . the
agency.'' 31 U.S.C. 5336(c)(3)(H).
---------------------------------------------------------------------------
c. Re-Disclosure--Financial Institutions
Proposed Rule. Proposed 31 CFR 1010.955(c)(2)(ii) would authorize
any director, officer, employee, contractor, or agent of a financial
institution who received BOI from FinCEN to re-disclose the information
to another director, officer, employee, contractor, or agent within the
United States of the same financial institution for the particular
purpose or activity for which the BOI was requested, consistent with
the security and confidentiality requirements of 31 CFR 1010.955(d)(2).
Proposed 31 CFR 1010.955(c)(2)(iii) would further authorize financial
institutions to re-disclose BOI received from FinCEN to regulators--
specifically, Federal functional regulators, specified SROs, and other
appropriate regulatory agencies--that meet the requirements identified
in paragraphs (b)(4)(ii)(A) through (C) of the proposed rule. Financial
institutions would be able to rely on a Federal functional regulator,
SRO, or other appropriate regulatory agency's representation that it
meets the requirements.
Comments Received. Commenters generally opposed the requirement in
proposed 31 CFR 1010.955(c)(2)(ii) and 31 CFR 1010.955(d)(2)(i) that
financial institutions limit disclosure of BOI obtained from FinCEN
under the CTA to directors, officers, employees, contractors, and
agents physically present within the United States. These comments and
FinCEN's response to them are consolidated in the discussion of
proposed 31 CFR 1010.955(d)(2)(i) in section III.E.ii.a below.
Several comments interpreted these proposed authorizations as
prohibitions against financial institutions disclosing BOI to
directors, officers, employees, contractors, or agents. One commenter
asked FinCEN to include safe harbor provisions to permit employees to
share BOI within their institutions according to that institution's
policies and procedures. Other comments asked FinCEN to state
explicitly that the proposed rule would authorize BOI disclosure
``enterprise-wide,'' as well as to certain specific parties. These
specific parties were (1) internal and external auditors; (2) legal and
compliance personnel; (3) state regulators; (4) affiliated financial
institutions and other financial institutions involved in syndicated
loans; (5) other financial institutions under USA PATRIOT Act section
314(b); and (6) third-party service providers, including RegTech
companies.
Final Rule. FinCEN adopts proposed 31 CFR1010.955(c)(2)(ii) and
(iii) without change, other than deletion of the phrase ``within the
United States,'' the reasons for which will be discussed in section
III.E.ii.a below. As indicated above, 31 CFR 1010.955(c)(2)(ii) does
not prohibit financial institution directors, officers, employees,
contractors, or agents from re-disclosing BOI received from FinCEN to
one another, but rather authorizes them to do so, provided re-
disclosure is for the particular purpose or activity for which the BOI
was requested. ``Employees'' might include, among others, a financial
institution's internal legal and compliance personnel. ``Contractors''
and ``agents'' might include any individual or entity providing
services by contract, including, for example, outside counsel,
auditors, and providers of data analysis software tools.
FinCEN views state regulators that meet the requirements identified
in paragraphs (b)(4)(ii)(A) through (C) of the final rule as ``other
appropriate regulatory agencies'' to which financial institutions may
re-disclose BOI from FinCEN under 31 CFR 1010.955(c)(2)(iii).
FinCEN understands that financial institutions might want or need
to re-disclose BOI from FinCEN to parties that are not their directors,
officers, employees, contractors, agents, or regulators. Examples
provided in comments include affiliated financial institutions, other
financial institutions involved in syndicated loan agreements, and
other financial institutions eligible to participate in section 314(b)
information sharing. Another example might be an external compliance
monitor appointed as part of a civil or criminal enforcement matter.
These are typically complex arrangements with highly variable facts and
circumstances that do not lend themselves well to one broad regulation.
FinCEN will therefore address these issues in future guidance, with an
eye toward evaluating specific re-disclosure requests on a case-by-case
basis under its 31 CFR 1010.955(c)(2)(x) authority to approve in
writing re-disclosure of BOI in furtherance of an authorized purpose or
activity.
d. Re-Disclosure Required by Law
Proposed Rule. The proposed rule did not provide for explicit
directions for responding to legal demands for BOI.
Comments Received. Several commenters requested that the rule
contain specific processes for responding to legal demands for BOI. For
example, a commenter asked how a financial institution should respond
to a law enforcement subpoena for BOI obtained from FinCEN. Another
commenter asked that FinCEN treat BOI like SAR information and issue a
prohibition on re-disclosure of BOI by financial institutions in
response to legal process.
Final Rule. FinCEN recognizes the issues that may be raised when
compulsory legal process--such as a court order or grand jury
subpoena--calls for the production of BOI obtained from FinCEN. The
resolution of these issues is most appropriate for post-rule guidance.
FinCEN will seek to address these issues in future guidance or through
specific re-disclosure requests under its 31 CFR 1010.955(c)(2)(x)
authority to approve in writing re-disclosure of BOI in furtherance of
an authorized purpose or activity.
e. Re-Disclosure With Written Consent of FinCEN
Proposed Rule. Proposed 31 CFR 1010.955(c)(2)(ix) would prohibit
the re-disclosure of BOI obtained under proposed 31 CFR 1010.955(b)
other than as permitted in proposed 31 CFR 1010.955(c)(2), and would
permit FinCEN to authorize the re-disclosure of BOI in other
circumstances via written consent, or through applicable protocols or
guidance that FinCEN may issue.
Comments Received. One commenter recommended removing the first
sentence of proposed Sec. 1010.955(c)(2)(ix) as redundant given
proposed 31 CFR 1010.955(a), the baseline prohibition on re-disclosure.
The language the commenter suggested removing reads, ``[e]xcept as
described in this paragraph (c)(2), any information disclosed by FinCEN
under paragraph (b) of this section shall not be further disclosed to
any other person for any purpose without the prior written consent of
FinCEN, or as authorized by applicable protocols or guidance that
FinCEN may issue.''
Final Rule. FinCEN adopts proposed 31 CFR 1010.955(c)(2)(ix) with
technical and organizational changes. First, FinCEN made a minor
technical update to renumber 31 CFR 1010.955(c)(2)(ix) as 31 CFR
1010.955(c)(2)(x) to reflect the insertion of the new 31 CFR
1010.955(c)(2)(viii). Second, FinCEN
[[Page 88766]]
considered the comment which suggested the removal of the first
sentence of proposed 31 CFR 1010.955(c)(2)(ix). Although there is some
overlap with 31 CFR 1010.955(a), FinCEN believes that the first
sentence of this provision is important to clarify the obligations of
authorized recipients of BOI with respect to the re-disclosure of such
information once they have obtained it. However, as described above in
section III.D.i (Use of Information by Authorized Recipients), FinCEN
concluded that language describing this obligation was better placed in
31 CFR 1010.955(c)(1) given its importance and general applicability.
Accordingly, FinCEN removed the portions of the first sentence of
proposed 31 CFR 1010.955(c)(2)(ix) prohibiting re-disclosure of BOI,
except as permitted in Sec. 1010.955(c)(2), and inserted them into the
first sentence of 31 CFR 1010.955(c)(1).
FinCEN retained the proposed provision providing that FinCEN may
authorize further re-disclosures of BOI not otherwise permitted under
Sec. 1010.955(c)(2) by prior written consent or ``by applicable
protocols or guidance that FinCEN may issue,'' but moved this
limitation into the remaining sentence in new 31 CFR 1010.955(c)(2)(x).
This part now reads, ``FinCEN may by prior written authorization, or by
protocols or guidance that FinCEN may issue, authorize persons to
disclose information obtained pursuant to paragraph (b) of this section
in furtherance of a purpose or activity described in that paragraph.''
This provision gives FinCEN the ability to authorize, either on a case-
by-case basis or categorically through written protocols, guidance, or
regulations, the re-disclosure of BOI in limited cases to further the
purposes of the CTA.
As stated in the proposed rule, this provision could be used to
address situations involving sharing of BOI by government agencies as
part of a joint investigation or within a task force. The requirements
that an agency would need to satisfy to obtain BOI through re-
disclosure are the same as those an agency would need to satisfy to
obtain BOI from FinCEN directly under this proposed rule. FinCEN also
envisions including re-disclosure limitations in the BOI disclosure
MOUs it enters into with recipient agencies. These provisions would
make clear that it would be the responsibility of a recipient agency to
take necessary steps to ensure that BOI is made available for purposes
specifically authorized by the CTA, and not for the general purposes of
the agency. Such agency-to-agency agreements can be effective at
creating and enforcing standards on use, reuse, and redistribution of
sensitive information.
E. Security and Confidentiality Requirements
The CTA directs the Secretary to establish by regulation protocols
to protect the security and confidentiality of any BOI provided
directly by FinCEN.\169\ It then prescribes specific security and
confidentiality requirements that FinCEN must impose on ``requesting
agencies'' and grants the Secretary authority to ``provide such other
safeguards which the Secretary determines (and which the Secretary
prescribes in regulations) to be necessary or appropriate to protect
the confidentiality of the beneficial ownership information.'' \170\
---------------------------------------------------------------------------
\169\ 31 U.S.C. 5336(c)(3)(A).
\170\ 31 U.S.C. 5336(c)(3)(B)-(K).
---------------------------------------------------------------------------
i. Security and Confidentiality Requirements for Domestic Agencies
a. General
Proposed Rule. Proposed 31 CFR 1010.955(d)(1)(i) addressed general
security and confidentiality requirements applicable to Federal, State,
local, and Tribal requesting agencies, including intermediary Federal
agencies acting on behalf of authorized foreign requesters, Federal
functional regulators, and other appropriate regulatory agencies
(collectively, ``requesting agencies''). These general requirements
would need to be satisfied by a requesting agency for it to be eligible
to receive BOI from FinCEN. Proposed 31 CFR 1010.955(d)(1)(i) required
that each requesting agency:
(1) Enter into an agreement with FinCEN specifying the
standards, procedures, and systems to be maintained by the agency,
and any other requirements FinCEN might specify, to protect the
security and confidentiality of such information;
(2) Establish standards and procedures, approved by the head of
the agency, to protect the security and confidentiality of BOI;
(3) Provide FinCEN with an initial report that describes these
standards and procedures established and includes a certification
from the head of the agency that the standards and procedures
implement the requirements of this paragraph;
(4) Establish and maintain a secure system for storing BOI which
complies with information security standards prescribed by FinCEN;
(5) Establish and maintain a permanent, auditable system of
standardized records of the agency's BOI requests;
(6) Restrict access to BOI to personnel meeting specified
criteria, which would include meeting the training requirements of
the proposed rule;
(7) Conduct an annual audit to verify that information obtained
from FinCEN has been accessed and used appropriately, provide FinCEN
with the results of the audit upon FinCEN's request, and cooperate
with FinCEN's annual audit of requesting agencies' adherence to the
requirements established under this paragraph;
(8) Provide a semi-annual certification from the head of the
agency, on a non-delegable basis, that the agency's standards and
procedures are in compliance with the security and confidentiality
requirements of this provision; and
(9) Provide FinCEN an annual report that describes the standards
and procedures the agency uses to ensure the security and
confidentiality of the BOI it receives from FinCEN.
The preamble to the proposed rule explained that the agreement
required by 31 CFR 1010.955(d)(1)(i)(A) would be a MOU that each
requesting agency would enter into with FinCEN before being able to
request any BOI.
Comments Received. FinCEN received several comments on security and
confidentiality requirements for all authorized users, as well as
comments focused more specifically on security and confidentiality
requirements for domestic requesting agencies. For all authorized
users, one commenter expressed support for the proposed rule's general
security and confidentiality requirements, noting that these align with
the CTA. Several other commenters expressed appreciation for FinCEN's
efforts to balance the interests of those requesting BOI against the
protections and restrictions mandated by the CTA. One commenter viewed
these requirements as adequate and argued that FinCEN should not add
any new requirements that were not included in the CTA.
As for the requirements applicable to requesting agencies, one
commenter argued that the proposed requirements would be so strict that
they could hinder the agencies' access to BOI. However, this commenter
recognized that in proposing these requirements, FinCEN was simply
implementing statutory requirements, and that any change to these
requirements would have to come from Congress. With respect to the
requirement that agencies establish and maintain secure systems for BOI
storage, one commenter welcomed the clarification in the Access NPRM
preamble that agencies may rely on existing databases and related IT
infrastructure to satisfy this requirement. This commenter proposed
additional points of clarification with respect to these systems--for
example, on how FinCEN would coordinate with
[[Page 88767]]
agencies to develop technology-enabled access that ``maximize[s] the
utility of access and minimize[s] additional development costs,'' and
whether agencies would be able to pool their resources and collaborate
to satisfy this requirement.
There were several comments requesting additional clarifications or
changes to proposed 31 CFR 1010.955(d)(1)(i). Two commenters asked that
FinCEN clarify in the final rule that certain security and
confidentiality requirements for requesting agencies apply to the
entire information-sharing relationship between FinCEN and the
requesting agency, instead of applying on what one commenter referred
to as an ``iterative'' basis, which FinCEN understands to mean case-by-
case or request-by-request. One commenter cited the provisions of the
CTA contained in sections 5336(c)(2)(C)(iii) and 5336(c)(3)(B)-(D),
(H), and (I), which 31 CFR 1010.955(d)(1)(i) implements, as examples of
provisions that should apply at the relationship rather than the case-
by-case level. These commenters argued that applying certain of these
requirements for each individual request would be impractical and would
effectively undermine the usability of the BOI database. These same
commenters asked FinCEN to further clarify that it does not intend to
review access determinations on a case-by-case basis prior to
authorized users accessing the BOI database.
There were also several comments related to the proposed rule's
audit requirements. One commenter suggested that FinCEN should expand
the audit requirements in the final rule to require that agencies
verify that requests for BOI are appropriate under proposed 31 CFR
1010.955(b) and that records of BOI requests are kept in accordance
with proposed 31 CFR 1010.955(d)(1)(i)(E), which requires agencies to
maintain an auditable record of requests. This commenter also suggested
that the final rule should include audit requirements specifically for
Federal agencies that are making requests on behalf of foreign persons,
i.e., for intermediary Federal agencies. These requirements would
include ensuring that the information required of intermediary Federal
agencies under 31 CFR 1010.955(d)(1)(ii)(B)(3) and (4) has been
maintained and that these agencies are compliant with 31 CFR
1010.955(d)(3), the security and confidentiality requirements for
foreign persons on whose behalf an intermediary Federal agency requests
BOI. A different commenter also requested that FinCEN audit BOI
requests from foreign requesters. Another commenter recommended that
FinCEN modify the audit and annual report requirements to be completed
by requesting agencies to also include data relevant for evaluating the
accuracy, completeness, and usefulness of the BOI database.
One commenter requested that FinCEN provide for greater involvement
by the head of a requesting agency in satisfying the agency's security
and confidentiality requirements. For example, this commenter suggested
that the final rule should specify that only the head of an agency, on
a non-delegable basis, could enter into the agreement with FinCEN, or
acknowledge the final audit report satisfying the requirements under
5336(c)(3)(B) and (H). In addition, one commenter asked FinCEN to add a
provision requiring that agencies specify which agency personnel can
make requests to FinCEN for BOI and access BOI. Finally, one commenter
suggested that FinCEN could develop a series of model MOUs for each
agency type (local law enforcement agency, state law enforcement
agency, etc.).
Final Rule. The final rule adopts proposed 31 CFR 1010.955(d)(1)(i)
with only minor technical changes. FinCEN agrees with the commenter
that the general security and confidentiality requirements for domestic
agencies are statutory requirements, and any change to these
requirements would have to be mandated by Congress. FinCEN believes
these requirements are reasonable given the sensitive nature of BOI and
expects that once a requesting agency meets the general security and
confidentiality requirements, it should be able to use the BO IT system
to access BOI in a rapid and efficient manner. With respect to requests
for additional clarifications on the requirement that agencies
establish and maintain a secure system for BOI storage, FinCEN
appreciates these suggestions and will give them due consideration in
the context of entering into MOUs with domestic agencies. FinCEN
believes that agencies will likely be able to leverage existing
databases and related IT infrastructure to meet this requirement, and
has included the statutory language ``to the satisfaction of the
Secretary'' in the regulatory text to ensure sufficient flexibility to
implement this approach.\171\ FinCEN may also choose to provide
additional guidance on these topics in the future.
---------------------------------------------------------------------------
\171\ With the addition of the statutory language ``to the
satisfaction of the Secretary'' to the regulatory text, FinCEN also
removed as unnecessary the proposed language that would have
required any agency's secure system for BOI storage to ``compl[y]
with information security standards prescribed by FinCEN.''
---------------------------------------------------------------------------
As for the comments requesting clarification that the requirements
in this provision apply generally and not on a request-by-request
basis, FinCEN believes that the rule text, and the heading ``general
requirements,'' made it sufficiently clear that these requirements
apply to requesting agencies generally, and that the requirements of 31
CFR 1010.955(d)(1)(ii), as the heading ``requirements for requests for
disclosure'' suggests, are request-by-request requirements. Several of
the general requirements, such as the audit, certification, and report
requirements, explicitly state that these requirements apply on an
annual or semi-annual basis. Other requirements, such as the
requirement that requesting agencies establish and maintain a secure
system to store BOI, would by their nature apply on an ongoing basis.
FinCEN also considered comments suggesting that additional audit
requirements are necessary. Regarding the commenter suggesting that
FinCEN include audit requirements to ensure that BOI requests are
appropriate under proposed 31 CFR 1010.955(b) and that requesting
agencies have properly maintained an auditable record of requests,
FinCEN believes that the proposed audit requirements sufficiently cover
these areas. FinCEN also declines to accept this commenter's proposal
to add specific requirements concerning the audit of requests by
intermediary Federal agencies on behalf of foreign persons. In FinCEN's
view, when a request for BOI is made under an international treaty,
agreement, or convention, the arrangements set forth in (or authorized
by) that treaty, agreement, or convention would govern. When no such
treaty, agreement, or convention is involved, and a trusted foreign
country is involved, FinCEN will work closely with the intermediary
Federal agency and will take measures to confirm compliance with
proposed 31 CFR 1010.955(d)(3).
In response to the commenter recommending that the audit and
reporting requirements for requesting agencies should also address the
accuracy, completeness, and usefulness of the BOI database, FinCEN does
not view these issues as relevant to the security and confidentiality
provisions of the regulation, which FinCEN adopted directly from the
CTA. FinCEN may consider these requirements in the context of MOUs with
relevant agencies to establish feedback mechanisms to facilitate
evaluation of the quality of the
[[Page 88768]]
database with a view to improving compliance and enforcement.
As for the commenter suggesting an additional requirement for
agencies to specify which personnel may request and access BOI, FinCEN
does not believe a rule change is necessary but will consider this
suggestion further and potentially address it in future guidance. In
response to the commenter suggesting an expanded role in the security
and confidentiality requirements for agency heads, FinCEN believes that
the involvement of agency heads in these requirements is already
significant, and that greater involvement would create burdens on
agencies without clear benefits. Lastly, concerning the comment
regarding MOUs, FinCEN appreciates this feedback and will consider
developing template MOUs for different types of BOI user agencies.
FinCEN will also consider further tailoring MOUs as needed for specific
agencies and will work with agencies on MOUs when appropriate.
b. Minimization and Requirements for Individual Requests for BOI by
Domestic Agencies
Proposed Rule. Proposed 31 CFR 1010.955(d)(1)(ii) includes
requirements that would apply to each individual request for BOI from
requesting agencies. This provision includes two general requirements.
First, agencies must minimize, to the greatest practicable extent, the
scope of the BOI they request consistent with the purpose of the
request (the NPRM referred to this as the ``minimization''
requirement). Second, the head of a Federal agency, or their designee,
must provide written certifications to FinCEN, in the form and manner
that FinCEN prescribes, (1) that the agency is engaged in a national
security, intelligence, or law enforcement activity, and (2) that the
BOI requested is for use in such activity, along with the specific
reasons why the BOI is relevant to the activity.
Comments Received. FinCEN did not receive comments concerning the
minimization requirement. FinCEN received several comments relating to
FinCEN's review process for BOI requests from authorized users
generally, and these comments also apply to proposed 31 CFR
1010.955(d)(1)(ii)(B) on the requirements for written certification by
Federal agencies. Commenters generally requested that FinCEN clarify in
the final rule that FinCEN will not review the agency requests for BOI
on a case-by-case basis. One commenter claimed that case-by-case review
of the purpose of an agency's requests would not be worth the costs
given FinCEN's resource constraints. This commenter focused on the
general security and confidentiality requirements that the CTA imposes
on requesting agencies and argued that additional oversight on a case-
by-case basis would be unnecessary. Another commenter argued that case-
by-case review would create administrative hurdles for agencies in
accessing BOI, thereby undermining the usefulness of the BOI database.
This commenter also argued that the CTA was not meant to give FinCEN
the authority to question requesting agencies' substantive reasons for
requesting BOI. Thus, this commenter urged FinCEN to clarify in the
final rule that FinCEN will not evaluate the purpose of agencies'
requests in deciding whether to grant requests for BOI.
Separately, one commenter recommended that FinCEN should further
strengthen the safeguards concerning individual requests for BOI by
requiring senior-level review and written approvals by requesting
agencies for each BOI request. While this commenter did not specify
which provision of the rule text should be changed, the commenter
appeared to suggest adding additional requirements to proposed 31 CFR
1010.955(d)(1)(ii). This commenter argued that because of the highly
sensitive nature of BOI and the importance of securing it, FinCEN
should require senior-level officials of agencies to provide written
approval for each BOI request to FinCEN by an agency. These senior-
level officials, the commenter argued, should be Senate-confirmed
Presidential appointees of Federal agencies and chief executives or
their designees for State, local, or Tribal agencies.
Final Rule. The final rule adopts 31 CFR 1010.955(d)(1)(ii) largely
as proposed. Although not specifically suggested by comments, FinCEN is
removing the proposed requirement at 31 CFR
1010.955(d)(1)(ii)(B)(3)(ii) that intermediary Federal agencies
identify the date of the international treaty, agreement, or convention
under which a request for BOI is being made; FinCEN believes that
identification of the date is unnecessary. Regarding the comments
expressing concerns that FinCEN will be reviewing each agency's
requests for BOI on a case-by-case basis, FinCEN does not believe it is
necessary to change the rule to address this concern. Instead, FinCEN
reiterates here that it has no intention of reviewing each individual
request for BOI from a requesting agency. The requirement for
certifications from requesting agencies is sufficient to establish a
basis for FinCEN to know which agencies are accessing the BOI database,
and the basis on which they are doing so. This is important for
purposes of meeting FinCEN's audit requirements. FinCEN, however, will
not review each individual request from these agencies in real time. As
for the commenter who argued that FinCEN should add a requirement that
senior-level officials at requesting agencies must approve each BOI
request, FinCEN declines to adopt this recommendation. Such a
requirement would add an unwarranted burden on requesting agencies and
would not be outweighed by sufficient benefits.
ii. Security and Confidentiality Requirements for Financial
Institutions
a. Restriction on Personnel Access to Information
Proposed Rule. FinCEN proposed to require financial institutions to
limit access to BOI obtained from FinCEN to the financial institutions'
directors, officers, employees, contractors, and agents within the
United States. Proposed 31 CFR 1010.955(d)(2)(i) explicitly imposed
this limitation, while proposed 31 CFR 1010.955(c)(2)(ii) made clear
that it not only applied to initial BOI recipients, but continued to
apply when directors, officers, employees, contractors, and agents of a
financial institution wanted to re-disclose BOI to directors, officers,
employees, contractors, and agents within the same financial
institution for the particular purpose or activity for which the
financial institution requested the information.
Comments Received. Commenters generally opposed the requirement
that financial institutions limit disclosure of BOI obtained from
FinCEN to directors, officers, employees, contractors, and agents
physically present within the United States. One commenter supported
the limitation, but many more did not. Comments stated that the
limitation would cause a disruption in the financial industry and run
counter to current business practices. Commenters indicated that
contracting with foreign workers is common for AML/CFT purposes, and
financial institution personnel outside of the United States (including
contractors and agents) routinely have access to customer information.
Commenters further argued that the limitation would decrease the
utility of BOI. Some stated that financial institutions may choose to
continue to collect BOI from customers under the 2016 CDD Rule and
forego accessing FinCEN's BO IT system altogether to avoid the BOI
handling requirements set
[[Page 88769]]
out in the NPRM. One commenter stated that the limitation would result
in less effective risk management, while others indicated that it would
increase compliance costs. One commenter estimated that it will take
years and millions of dollars to ``onshore'' job functions tasked with
handling BOI from FinCEN. Further, commenters asserted that the
limitation is not included in the CTA and that it contradicts other
portions of the AML Act. Commenters also claimed that the proposed
limitation is inconsistent with U.S. and international regulatory
expectations for enterprise-wide risk management. Comments pointed to
previous Treasury, FinCEN, and other regulatory guidance about sharing
information across borders within enterprises. A commenter stated that
FinCEN did not give a specific reason for the limitation.
Some comments proposed alternatives, such as allowing re-disclosure
to individuals outside of the United States and relying on
technological safeguards and security requirements to protect the
information. Another suggestion was to limit access to the BO IT system
to personnel within the United States, but allow re-disclosure to
directors, officers, employees, contractors, and agents in other
countries. A few comments suggested those counterparts could be limited
to ``trusted foreign countries'' or other specified destinations.
Finally, one commenter asked FinCEN to define ``physically present in
the United States.''
Final Rule. The final rule at 31 CFR 1010.955(d)(2)(i) and (ii)
revises the limitation on sending BOI outside the United States so that
it is less stringent than the proposed rule. Under the final rule,
financial institutions do not need to keep BOI confined to the United
States, but rather are prohibited from sending BOI to certain foreign
jurisdictions and categories of jurisdictions. As articulated in the
Access NPRM, the CTA describes a framework for disclosures of BOI to
foreign governments, and the regulations should seek to ensure
consistency with the broader CTA framework. At the same time, FinCEN
takes seriously commenters' argument that a flat prohibition on sending
BOI abroad is too blunt a mechanism that would impose significant
costs.\172\ FinCEN has determined that it is not necessary to prohibit
all offshoring of BOI in order to address the threat posed by sending
BOI to jurisdictions of greatest concern. Instead, 31 CFR
1010.955(d)(2)(i) prohibits BOI from being sent to Russia, China, any
jurisdiction designated as a state sponsor of terrorism, and any
jurisdiction that is subject to comprehensive sanctions under U.S. law,
which are the jurisdictions SARs cannot be sent to pursuant to 31
U.S.C. 5318(g)(8)(C)(i). While the information contained in SARs is
clearly different from BOI in many respects, FinCEN considers the
selection of these jurisdictions to be a strong indicator of a broader
congressional perspective on the acceptability of exposing sensitive
information filed with the U.S. government to the legal processes of
these foreign jurisdictions. As the selection of these jurisdictions
indicates, Congress clearly regards the exposure of such sensitive
information as more acceptable when it involves some jurisdictions than
when it involves others. FinCEN has used this list of jurisdictions
based on that understanding of the general congressional perspective on
offshoring of information. The Secretary is authorized to add to this
list to ensure compliance with the CTA or for national security
reasons.
---------------------------------------------------------------------------
\172\ At least one commenter suggested that any such limitation
is in conflict with the FFIEC manual's recognition that ``[a] bank
may choose to implement customer due diligence policies, procedures
and processes on an enterprise-wide basis.'' Such a choice, however,
as the manual itself acknowledges, is permissible only ``to the
extent permitted by law.'' FFIEC BSA/AML Examination Manual,
Assessing Compliance with BSA Regulatory Requirements, Customer Due
Diligence--Overview (May 5, 2018), p. 4, https://www.ffiec.gov/press/pdf/Customer%20Due%20Diligence%20-%20Overview%20and%20Exam%20Procedures-FINAL.pdf. Here, the CTA
establishes the legal parameters under which an institution can
choose its enterprise-wide policies by authorizing FinCEN to
prescribe by regulation any safeguards it determines to be necessary
or appropriate to protect the confidentiality of BOI. 31 U.S.C.
5336(c)(3)(K).
---------------------------------------------------------------------------
FinCEN acknowledges that allowing BOI to be used and disseminated
offshore creates a risk of unauthorized disclosure and misuse, and
entails translating U.S. legal requirements for non-U.S. personnel and
training them to understand and comply with those requirements. FinCEN
weighed these risks against the burden that limiting BOI to directors,
officers, employees, contractors, and agents within the United States
would impose on some financial institutions. Many financial
institutions operate global compliance programs that apportion
responsibilities among different regions and reduce compliance
expenses. Relocating certain compliance functions to the United States
simply to allow them to obtain BOI from FinCEN could be very costly,
and in many cases might be financially infeasible. FinCEN assesses that
the cost of the targeted offshoring limitation should be de minimis: it
is FinCEN's understanding that U.S financial institutions currently do
not send a significant volume of customer information to Russia, China,
any jurisdiction designated as a state sponsor of terrorism, or any
jurisdiction that is subject to comprehensive sanctions under U.S. law,
and with respect to jurisdictions that are state sponsors of terrorism,
sending such information is already prohibited by other law.
In addition, in order for FinCEN to monitor foreign government
interest in obtaining BOI, the final rule requires that financial
institutions notify FinCEN within three business days of receiving a
demand from a foreign government for BOI obtained from FinCEN. FinCEN
assesses that this offshoring limitation with notification requirement
addresses the legitimate issues regarding security and conformity with
the CTA raised by sending BOI outside the United States, without
resorting to a blanket onshoring requirement.
b. Safeguards and Security Standards
Proposed Rule. Proposed 31 CFR 1010.955(d)(2)(ii) described
safeguards applicable to financial institutions that were designed to
maintain the security and confidentiality of BOI while preserving
accessibility and usefulness.\173\ Proposed 31 CFR
1010.955(d)(2)(ii)(A) required financial institutions to develop and
implement administrative, technical, and physical safeguards reasonably
designed to protect BOI as a precondition for receiving BOI. The
provision did not prescribe specific safeguards or security
requirements. Rather, proposed 31 CFR 1010.955(d)(2)(ii)(A) provided
that the application to BOI obtained from FinCEN of security and
information handling procedures established by a financial institution
to comply with section 501 of the Gramm-Leach-Bliley Act (Gramm-Leach-
Bliley) \174\ and its implementing regulations, with regard to the
protection of its customers' nonpublic personal information, would
satisfy the requirement.
---------------------------------------------------------------------------
\173\ See 31 U.S.C. 5336(c)(3)(K).
\174\ Public Law 106-102, 113 Stat. 1338, 1436-37 (1999).
---------------------------------------------------------------------------
Gramm-Leach-Bliley provides general baseline expectations for
keeping data secure and confidential, while each agency's implementing
regulations take into account factors unique to the financial
institutions the agency supervises. Section 501 of Gramm-Leach-Bliley,
codified at 15 U.S.C.
[[Page 88770]]
6801(b) and 6805, requires each Federal functional regulator to
establish appropriate standards relating to administrative, technical,
and physical safeguards for financial institutions it regulates to: (1)
ensure the security and confidentiality of customer records and
information; (2) protect against any anticipated threats or hazards to
the security or integrity of such records; and (3) protect against
unauthorized access to or use of such records or information that could
result in substantial harm or inconvenience to any customer. The
Federal functional regulators have implemented these requirements in
different ways. The OCC, FRB, FDIC, and the NCUA incorporated into
their regulations the Interagency Guidelines Establishing Interagency
Security Standards (Interagency Guidelines).\175\ The Interagency
Guidelines add detail to the more general Gramm-Leach-Bliley
requirements, covering specific subjects related to identifying,
managing, and controlling risk (e.g., physical and electronic access
controls, encryption and training requirements, and testing). The CFTC
has incorporated the Gramm-Leach-Bliley expectations of financial
institutions into its regulations \176\ and recommended best practices
for meeting them that are ``designed to be generally consistent with''
the Interagency Guidelines.\177\ The SEC has also incorporated the
Gramm-Leach-Bliley expectations of financial institutions into its
regulations,\178\ and has instituted enforcement actions for violations
of such regulations.\179\
---------------------------------------------------------------------------
\175\ See Interagency Guidelines Establishing Standards for
Safeguarding Customer Information and Rescission of Year 2000
Standards for Safety and Soundness, 66 FR 8616 (Feb. 1, 2001). The
agencies' implementing regulations are at 12 CFR part 30, app. B
(OCC); 12 CFR part 208, app. D-2 and part 225, app. F (FRB); 12 CFR
part 364, app. B (FDIC); and 12 CFR part 748, apps. A & B (NCUA).
\176\ See 17 CFR 160.
\177\ See CFTC Staff Advisory No. 14-21 (Feb. 16, 2014).
\178\ See 17 CFR 248.1-248.100.
\179\ See, e.g., Morgan Stanley Smith Barney LLC, SEC Exchange
Act Release No. 95832 (Sept. 20, 2022).
---------------------------------------------------------------------------
Under proposed 31 CFR 1010.955(d)(2)(ii)(B), financial institutions
that were not subject to the requirements of section 501 of Gramm-
Leach-Bliley could apply security and handling procedures that were
``at least as protective of the security and confidentiality of
customer information'' as procedures that satisfy the standards set out
in Gramm-Leach-Bliley. For these financial institutions, the proposed
rule suggested that the Interagency Guidelines might serve as a useful
checklist against which to evaluate existing security and
confidentiality practices, as well as a useful guide for possible
information security program modifications.
Comments Received. Commenters generally concurred with the proposal
to anchor BOI security and confidentiality requirements to Gramm-Leach-
Bliley, noting that the information security program requirements under
that statute and its implementing regulations were sufficient to secure
BOI received by financial institutions. Commenters observed that these
requirements are already familiar to financial institutions and
integrated into business practices.
Commenters further encouraged FinCEN not to impose additional
security and information handling protocols on financial institutions
that could be duplicative of, inconsistent with, or more burdensome
than these existing requirements. A commenter requested that FinCEN
create a safe harbor provision for all employees of a financial
institution that is compliant with Gramm-Leach-Bliley to further
minimize compliance burden. Regarding information security requirements
generally, commenters requested clarification on whether background
checks would be required for any employees, and whether a ``firewall''
would be required to block access to BOI by employees not involved in
opening accounts for new customers.
Final Rule. The final rule adopts the proposed rule without change.
Allowing financial institutions to satisfy the requirement to safeguard
BOI by applying the security and information handling procedures used
to comply with Gramm-Leach-Bliley and its implementing regulations is
intended to avoid duplicative or inconsistent requirements and reduce
burdens, while maintaining a high degree of security and
confidentiality. As commenters pointed out, many financial institutions
are generally familiar with the Gramm-Leach-Bliley requirements and
already have policies, procedures, and infrastructure in place to
comply with its requirements. In addition, Federal functional
regulators currently assess financial institutions for compliance with
Gramm-Leach-Bliley, which reduces burdens on supervisors while ensuring
continued predictability for financial institutions. Lastly, for
financial institutions not subject to Gramm-Leach-Bliley, the
Interagency Guidelines provide a blueprint for establishing or
benchmarking existing compliance systems so that those financial
institutions can access the BO IT system and manage BOI securely.
FinCEN is not extending a safe harbor to employees of a financial
institution that is compliant with Gramm-Leach-Bliley standards. It is
important for FinCEN to retain discretion to evaluate individual
conduct by a director, officer, employee, contractor, or agent and
related facts and circumstances on a case-by-case basis where there are
unauthorized disclosures or uses by a financial institution, and to
consider potential enforcement action.
On the question of background checks and firewalls, the final rule
does not include additional safeguards or other requirements. FinCEN
views the security and information handling procedures implemented by
financial institutions to comply with Gramm-Leach-Bliley to be
sufficient. Additional requirements could create inconsistencies with
existing security and information handling programs and create
unnecessary burdens on both financial institutions and their
supervisors, without a clear security benefit given the absence of
specific concerns from commenters on the sufficiency of the Gramm-
Leach-Bliley requirements.
FinCEN also declines to impose specific, additional safeguards on
financial institutions that are not subject to Gramm-Leach-Bliley
because such requirements could result in unintended consequences.
These financial institutions can vary significantly in size,
organizational structure, client base, risk profile, resources, and
other characteristics. Many of these financial institutions could face
significant costs and technical challenges in implementing uniform,
additional standards, or FinCEN would need to expend resources to
consider case-by-case modifications to address the diversity of unique
circumstances.
c. Protocols and Training
Proposed Rule. For each BOI request, proposed 31 CFR
1010.955(d)(2)(iii) would require a financial institution to certify in
writing that it fulfilled information security and other requirements
set out in that section. The proposed rule explained that FinCEN
expected that financial institutions would establish protocols to
satisfy these information security requirements, including appropriate
recordkeeping, to enable FinCEN to fulfill its audit and oversight
responsibilities. The proposed rule also indicated that financial
institutions would need to develop a training program that would ensure
that BO IT system users at the financial institution received training
on the protocols and completed FinCEN-provided online training as a
condition
[[Page 88771]]
for creating and maintaining system accounts.
Comments Received. One commenter was skeptical that financial
institutions would act in accordance with FinCEN's expectations for
protocols and training without specific regulatory requirements. The
commenter suggested expressly setting out in the regulations the
expectations regarding protocols and training. Another commenter
expressed appreciation that FinCEN planned to provide training on the
BO IT system when it becomes available. A third commenter asked FinCEN
to confirm that only financial institution employees who will access
the system would need to take this training, and not employees who may
view and use BOI retained on the financial institution's system in
accordance with applicable requirements.
Final Rule. FinCEN adopts the proposed rule without change given
that the imposition of additional requirements regarding protocols and
training would likely be duplicative and potentially confusing.
Financial institutions can satisfy the requirements of 31 CFR
1010.955(d)(2)(ii) by either applying to BOI security and information
handling procedures designed to comply with section 501 of Gramm-Leach-
Bliley Act or by implementing procedures that are ``at least'' as
protective of customer information as procedures that satisfy Gramm-
Leach-Bliley standards. The different materials promulgated by the
Federal functional regulators to implement Gramm-Leach-Bliley have in
common requirements to (1) establish policies and procedures that
govern security; and (2) provide related training.\180\ Additional
requirements to establish protocols and training could create confusion
and inconsistencies in implementation, and likely impose additional
burdens on financial institutions and FinCEN.
---------------------------------------------------------------------------
\180\ See generally Interagency Guidelines, supra note 168, p.
138.
---------------------------------------------------------------------------
Moreover, the final rule imposes on the director, officer,
employee, contractor, or agent of a financial institution the
individual responsibility for ensuring compliance with BOI security and
information handling requirements. Accordingly, FinCEN believes that
financial institutions have appropriate incentives to develop protocols
and training programs that adequately train relevant financial
institution staff on requirements for handing BOI based on the nature,
scope, and risks presented in particular circumstances.
d. Consent To Obtain Information
Proposed Rule. The CTA authorizes FinCEN to disclose a reporting
company's BOI to a financial institution only if the reporting company
consents to the disclosure.\181\ Proposed 31 CFR 1010.955(b)(4) would
have allowed FinCEN to disclose a reporting company's BOI to a
financial institution only if the reporting company consented to the
disclosure. In addition, proposed 31 CFR 1010.955(d)(2)(iii) would have
required a financial institution that wanted a reporting company's BOI
to obtain and document the company's consent to having its BOI
disclosed before requesting the BOI from FinCEN.
---------------------------------------------------------------------------
\181\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------
Comments Received. FinCEN received comments for and against
requiring financial institutions to obtain consent from reporting
companies. It also received comments addressing specific aspects of how
the consent process should be managed.
Commenters in favor of imposing the requirement on financial
institutions to obtain consent generally agreed with the rationale
articulated in the proposed rule. In the preamble, the proposed rule
reasoned that financial institutions are best positioned to obtain
consent because they have (1) direct customer relationships with
reporting companies, and (2) existing policies and procedures to obtain
and document consent on other matters. Commenters agreed that financial
institutions can leverage these existing relationships and processes to
fulfill the consent requirement and did not view the additional
requirement to be overly burdensome. Several commenters noted concerns,
however, that a request by a financial institution to a reporting
company for consent could be perceived to be ``tipping off'' reporting
companies if the financial institution was investigating the company
for suspicious activity. Two commenters recommended that FinCEN add
provisions to prevent tipping off reporting company prospects or
customers.
Other commenters argued that FinCEN, rather than financial
institutions, should obtain a reporting company's consent. One
commenter stated that FinCEN's role as the central U.S. repository for
BOI made FinCEN the appropriate choice for collecting consent and
revocations of that consent. Another noted that FinCEN would have a
direct relationship with reporting companies through the collection of
BOI reports and could use the reporting mechanism to obtain and
document consent. Commenters also suggested ways that FinCEN could
facilitate reporting company consent at the time the company submits a
BOI report. For example, FinCEN could generate a blanket notice to a
reporting company at the time it submits a BOI report stating that
government agencies and financial institutions can request the
reporting company's information for specific purposes. A related
suggestion was to allow reporting companies to pre-authorize financial
institutions to access their BOI at the submission of the BOI report,
as a way to reduce burdens on the reporting companies.
Commenters covered additional subjects. One commenter noted that
financial institutions already collect BOI from customers under
existing requirements and argued that requiring explicit consent to
retrieve the same information from another source--in this case
FinCEN's BO IT system--adds unnecessary complexity. Another commenter
recommended delaying the consent requirement until FinCEN finalizes
revisions to the 2016 CDD Rule. Two commenters stated that money
launderers and other illicit actors who deliberately form shell
companies to engage in criminal activity will see the consent
requirement as an opportunity to further obscure their identity, noting
that it is difficult to imagine a shell company providing consent to
retrieve its BOI.
Two commenters noted that the consent requirement could have
unintended consequences on reporting company access to financial
services. One commenter stated that reporting companies risk losing
financial services if they do not provide consent. Another commenter
stated that the consent requirement may push reporting companies to
seek out alternative financing rather than provide financial
institutions with consent to retrieve their BOI.
FinCEN also received numerous comments about when and how reporting
company consent should be obtained. Several commenters stated that
consent should be obtained at account opening in a customer-
acknowledged agreement, not as a standalone document. Commenters also
likewise requested that FinCEN expressly allow financial institutions
to obtain consent in conjunction with other required consents and
certifications, and through normal account opening and customer
onboarding processes. Numerous commenters requested that FinCEN clarify
that consent need only be obtained once at account opening and that it
does not expire unless expressly revoked. One commenter stated that
[[Page 88772]]
consent should remain valid for the length of the customer
relationship, and that a financial institution should not need to renew
consent or notify a reporting company each time the financial
institution retrieves its BOI. One commenter asked whether a reporting
company changing its structure would affect its consent. That commenter
also asked whether a new consent is required each time a reporting
company customer opens a new account. Several commenters requested that
FinCEN create standardized consent language for financial institutions
to use to obtain a reporting company's consent. One commenter requested
that FinCEN explicitly permit reporting companies to grant consent on
behalf of their parent companies.
Several commenters proposed alternatives to requiring a reporting
company to provide affirmative consent. Two commenters suggested
permitting a reporting company to opt-out if it did not want to consent
to its BOI being obtained by a financial institution. One commenter
suggested that financial institutions be allowed to provide disclosures
of intent to obtain a reporting company's BOI from FinCEN that would be
acknowledged by the reporting company, instead of requiring affirmative
consent.
Other commenters proposed alternatives to written affirmative
consent, with one commenter suggesting a checkbox and another commenter
suggesting replacing the term ``written'' with ``documented'' or
defining ``written'' in a way that provides financial institutions with
flexibility about how to implement the requirement. Several commenters
suggested that any consent that satisfies these requirements should
benefit from a safe harbor under which such consent is deemed
effective.
Two commenters stated that consent should be in writing and
financial institutions should furnish a copy of that written consent to
FinCEN when requesting the relevant BOI. Two other commenters expressed
the opposite view that FinCEN should not require financial institutions
to submit proof of consent.
A few commenters requested clarification on how consent may be
provided and by whom. Several commenters stated that FinCEN should
expressly permit a financial institution to obtain consent from a
reporting company customer authorizing the financial institution to use
that customer's BOI for broader purposes. Another commenter stated that
financial institutions should be able to rely on their affiliates to
obtain consent, providing the example of futures commission merchants
often relying on introducing brokers to engage with customers as a way
of arguing that the former should be able to obtain a reporting
company's BOI based on consent obtained by the latter.
One commenter requested a clear definition of what constitutes
customer consent and sought guidance on when customer consent is deemed
revoked. Several commenters requested clarification on how revocation
should be documented, while others recommended that FinCEN issue
guidance to financial institutions on what to do if a customer refuses
to provide consent.
Final Rule. FinCEN adopts the proposed rule with the clarification
that reporting company consent must be documented but need not
specifically be in writing. FinCEN cannot eliminate the consent
requirement as suggested by commenters given that the CTA authorizes
FinCEN to disclose a reporting company's BOI to a financial institution
only if the reporting company consents to the disclosure.\182\ Nor can
FinCEN side-step the consent requirement by notifying reporting
companies that financial institutions can request their BOI for
specific purposes or treat the submission of a BOI report as implied
consent.
---------------------------------------------------------------------------
\182\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------
After carefully considering comments and the relative burdens and
options, FinCEN continues to believe that financial institutions are
better positioned to obtain and document a reporting company's consent.
As explained in the proposed rule, financial institutions are well-
positioned to obtain consent--and to track any revocation of such
consent--given that they maintain direct customer relationships and are
able to leverage existing onboarding and account maintenance processes
to obtain reporting company consent. By contrast, considerable delay
and burdens on reporting companies could result if FinCEN were to
administer the consent process. For example, it would be impractical
for FinCEN to administer a process through which a reporting company
could consent to the disclosure of BOI to some financial institutions,
but not others. It would also be administratively complex for FinCEN to
establish a mechanism to timely verify and respond to consent requests,
which could result in delays in a reporting company's ability to access
financial services.
The final rule does not prescribe any particular means by which a
financial institution must obtain a reporting company's consent.
Rather, the final rule affords financial institutions substantial
discretion in the manner in which they obtain consent. FinCEN
recognizes that financial institutions vary greatly in customer bases,
risk tolerance, and resources. All financial institutions obtain
customer consent on a range of subjects and have existing policies and
procedures for doing so that reflect their unique attributes. Those
policies and procedures also reflect different legal requirements,
including those involving consent in the data privacy context at the
Federal and state levels.
Additionally, in response to comments that suggested replacing the
term ``written'' with ``documented'' to provide financial institutions
with more flexibility in how to implement the requirement (e.g., via a
checkbox), the final rule no longer requires consent to be in writing;
it only requires that the consent be documented.
FinCEN also believes that providing financial institutions with
flexibility in how they implement this requirement will help minimize
the burden associated with obtaining consent from reporting company
customers. Financial institutions may satisfy this requirement through
any lawful method of obtaining meaningful consent from a customer. As a
consequence of offering this flexibility, however, FinCEN cannot offer
a safe harbor for any particular method used to obtain consent.
The final rule does not require a financial institution to notify a
reporting company each time the financial institution retrieves the
reporting company's BOI from FinCEN, nor does it require financial
institutions to submit proof of consent to FinCEN, unless otherwise
required by law. The final rule only requires the financial institution
to obtain a reporting company's consent at a time prior to an initial
request for the reporting company's BOI from FinCEN, and it may rely on
that consent to retrieve the same reporting company's BOI on subsequent
occasions, including to open additional accounts for that reporting
company, unless the consent is revoked. The ability of financial
institutions to broadly obtain reporting company consent is expected to
alleviate concerns regarding ``tipping off'' reporting companies about
investigations that require the retrieval of BOI.
The final rule also does not address either revocation or
expiration of consent. Rather, the final rule provides
[[Page 88773]]
flexibility to financial institutions to develop appropriate procedures
and mechanisms with respect to the revocation of consent or the
expiration of consent. This flexibility will allow financial
institutions to develop processes appropriate to their size, business
lines, and customer types, among other considerations, and provide
reporting companies greater flexibility regarding the manner in which
they provide and revoke consent--in contrast, a FinCEN mechanism will
likely provide less flexibility and disadvantage both financial
institutions and reporting companies. For example, if needed, financial
institution may set terms through contract or otherwise to provide for
the expiration of consent or revocation given that the final rule does
not specify any time frames for expiration of consent.
The final rule also does not articulate specific procedures or
mechanisms through which a reporting company can provide or revoke
consent, e.g., what forms or mechanisms a financial institution should
use, which company representatives may provide or revoke consent,
whether affiliates can consent on behalf of one another, when corporate
changes would require obtaining new consent, or how financial
institutions should handle customers who refuse to provide consent.
Rather, FinCEN believes that it is appropriate to provide flexibility
to a financial institution based on its practices and circumstances, as
well as its extensive experience in implementing consent procedures in
other contexts and subject to different legal requirements. FinCEN will
consider additional guidance or FAQs if additional clarification is
required.
Lastly, FinCEN does not share concerns that the consent requirement
could drive customers with legitimate business away from financial
institutions. FinCEN's 2016 CDD Rule already requires financial
institutions to identify the beneficial owners of legal entity
customers, and financial institutions regularly seek information from
reporting companies regarding beneficial ownership information. As
such, FinCEN does not expect reporting companies to systemically
decline financial services because of the consent requirement and the
availability of the FinCEN database to confirm reporting company BOI.
e. Certification
Proposed Rule. Proposed 31 CFR 1010.955(d)(2)(iv) would require a
financial institution to ``make a written certification to FinCEN'' for
each BOI request that it: (1) is requesting the information to
facilitate its compliance with customer due diligence requirements
under applicable law; (2) obtained the reporting company's ``written
consent'' to request its BOI from FinCEN; and (3) fulfilled the other
security and confidentiality requirements financial institutions must
satisfy to receive BOI from FinCEN (as reflected in other provisions of
Sec. 1010.955(d)(2)). The Access NPRM indicated that a financial
institution would be able to make the certification via a checkbox when
requesting BOI via the BO IT system.\183\
---------------------------------------------------------------------------
\183\ 87 FR at 77422.
---------------------------------------------------------------------------
Comments Received. One commenter suggested that the final rule
should not require a financial institution to obtain a ``written''
certification from financial institutions.
Final Rule. FinCEN is amending the proposed rule to require that
financial institutions provide a certification to FinCEN ``in such form
and manner as FinCEN shall prescribe.'' The revision in the final rule
will allow FinCEN to take a flexible approach towards implementation of
the certification requirement that takes into account a range of
considerations, such as technological feasibility. Accordingly, FinCEN
intends to prescribe a certification mechanism that seeks to minimize
burdens and provide certainty, and may include checkboxes or other
forms. As it develops the BO IT system, FinCEN anticipates that a
financial institution will be able to make the certification via a
simple checkbox when requesting BOI via the BO IT system.
Additionally, FinCEN amends proposed Sec. 1010.955(d)(2)(iv) to
require a financial institution to certify that it has obtained and
``documented'' a reporting company's consent to request the reporting
company's BOI from FinCEN. The revised approach eliminates the
requirement for the financial institution to obtain ``written'' consent
from the reporting company, requiring only that consent be
``documented.''
iii. Sensitivity of Beneficial Ownership Information
Proposed Rule. Proposed 31 CFR 1010.955(a) states that information
reported to FinCEN pursuant to 31 CFR 1010.380 is confidential and may
not be disclosed except in certain enumerated circumstances.\184\ The
draft rule identifies five categories of recipients who may receive
BOI, with each category of disclosure limited to a particular purpose
or purposes, and an additional eight categories of authorized re-
disclosure, plus a catch-all provision permitting FinCEN to authorize
re-disclosure in other circumstances.\185\
---------------------------------------------------------------------------
\184\ 31 U.S.C. 5336(c)(2)(A).
\185\ 31 U.S.C. 5336(c)(2)(B).
---------------------------------------------------------------------------
Comments Received. Commenters provided mixed views on the overall
sensitivity of BOI and the security and confidentiality requirements
that should be applicable to protect BOI from unauthorized use or
disclosure and the privacy interests of beneficial owners and company
applicants. Some commenters felt that the CTA's confidentiality
requirement was too broad, and that individuals should have little or
no privacy interest in such information. One commenter noted that the
CTA never identifies ``privacy'' as a statutory objective, arguing that
while the CTA does direct FinCEN to build a secure database, ensuring
data security is not equivalent to implementing privacy protections for
individuals or entities. Another argued that individuals should not
have any expectation of privacy over BOI because an entity ``exists
only through the public's concession.'' Others felt that the CTA's
confidentiality requirements were too narrow, highlighting the impact
on small businesses. One commenter noted that the proposed rule did not
provide adequate reassurances that the information would be protected;
others felt that the disclosure provisions under proposed 31 CFR
1010.955(b) rendered the idea of confidentiality or privacy
meaningless. Finally, as discussed above in section III.D.v.a, one
commenter felt that the confidentiality requirements for BOI should
mirror those for tax returns and tax return information under 26 U.S.C.
6103 to ensure that BOI is protected.
Final Rule. The final rule adopts proposed 31 CFR 1010.955(a) as
written. FinCEN considered the comments and is sensitive to concerns
about data security and privacy. As discussed throughout this preamble,
the CTA establishes that BOI is ``sensitive information'' and imposes
strict security and confidentiality requirements on BOI. For example,
31 U.S.C. 5336(c)(2)(A) creates a baseline presumption of
confidentiality with a provision on prohibition on disclosure by any
individual who receives it. Other provisions reinforce the sensitivity
of BOI and further limit such disclosures. For example, the CTA
mandates ``appropriate protocols'' in order to disclose BOI to
recipients, and even specifies procedural steps in certain
[[Page 88774]]
cases,\186\ such as the requirement that a State, local, or Tribal law
enforcement agency obtain authorization from a court of competent
jurisdiction to seek the information in a criminal or civil
investigation. FinCEN is following the statutory requirements
prescribed by Congress in the CTA in promulgating the security and
confidentiality provisions in the final rule.
---------------------------------------------------------------------------
\186\ 31 U.S.C. 5336(c)(3).
---------------------------------------------------------------------------
On the other hand, FinCEN agrees with comments that the overarching
goal of the CTA is to make BOI available to help law enforcement and
agencies engaged in national security activities prevent and combat
money laundering, terrorist financing, tax fraud, and other illicit
activity, as well as protect national security. As discussed above in
section III.D.v.a, FinCEN has declined to adopt provisions that mirror
those in 26 U.S.C. 6103. The CTA provides detailed security and
confidentiality requirements tailored to the BO IT system's authorized
uses and authorized recipients, and the final rule adopts these
requirements to ensure the protection of this sensitive information. In
addition, FinCEN believes that the requirements of 26 U.S.C. 6103 would
impose a substantial burden on the overall functionality of the BO IT
system and the requirement to establish a BOI database highly useful to
law enforcement. For example, 26 U.S.C. 6103 at times requires Federal
law enforcement to obtain a court order to access tax returns and tax
return information, while the CTA imposes no such restriction.\187\
Further, the CTA envisions that financial institutions would have
access to BOI for its customers through access to FinCEN's database,
while 26 U.S.C. 6103 has no analogous provision. Ultimately, FinCEN
found this suggestion unworkable in the context of the CTA.
---------------------------------------------------------------------------
\187\ 26 U.S.C. 6013(i).
---------------------------------------------------------------------------
F. Administration of Requests
i. Rejection of Requests
Proposed Rule. Proposed 31 CFR 1010.955(e)(1) provided that
requests for BOI under 31 CFR 1010.955(b) shall be submitted to FinCEN
in such form and manner as FinCEN shall prescribe. Proposed 31 CFR
1010.955(e)(2)(i) states that FinCEN will reject requests for BOI made
under 31 CFR 1010.955(b)(4) (Disclosure to facilitate compliance with
customer due diligence requirements) if such request is not submitted
in the form and manner prescribed by FinCEN. Furthermore, proposed 31
CFR 1010.955(e)(2)(ii) provided that FinCEN may reject requests or
otherwise decline to disclose BOI if FinCEN, in its sole discretion,
finds that, with respect to the request, the requester has failed to
meet any requirements of the rule, the BOI is being requested for an
unlawful purpose, or other good cause exists to deny the request.
Comments Received. FinCEN received several comments relating to the
level of discretion that FinCEN can exercise in determining when to
grant or deny a request for access to BOI. One commenter supported the
proposed rule's provisions related to FinCEN's authority to reject
requests for BOI as a faithful implementation of the CTA. A few
commenters requested that FinCEN remove the words ``sole discretion''
from proposed 31 CFR 1010.955(e)(2)(ii). One commenter argued that
there are significant protocols under the CTA to adequately protect the
security and confidentiality BOI, so it is not consistent with the CTA
for FinCEN to have unlimited discretion to reject or grant access. The
commenter also noted that the CTA does not use the term ``sole
discretion.''
Final Rule. The final rule adopts 31 CFR 1010.955(e)(2) as
proposed. In FinCEN's view, it is important to clearly state in 31 CFR
1010.955(e)(2)(ii) that FinCEN has the sole discretion to approve or
deny requests for access to BOI because FinCEN has obligations under
the CTA to protect the security and confidentiality of BOI, ensure that
BOI is used for authorized purposes by authorized recipients, and to
ensure audit and oversight of the BO IT System. The CTA does not
require that FinCEN consult with any other agency or with those
requesting access to BOI when it decides to grant or reject access.
FinCEN believes it is within its authority under the CTA to decide,
based on its sole discretion, whether to accept or reject a request for
access to BOI.
ii. Suspension of Access
Proposed Rule. In keeping with the CTA,\188\ proposed 31 CFR
1010.955(e)(3)(i) specified that FinCEN could suspend or debar a
requesting agency or financial institution (referred to in the proposed
provision as a ``requesting party'') from access to BOI for (1) failing
to meet applicable regulatory requirements; (2) requesting BOI for an
unlawful purpose; or (3) other good cause. Proposed 31 CFR
1010.955(e)(3)(ii) further specified that FinCEN could reinstate a
suspended or debarred party's access upon the latter satisfying any
terms or conditions that FinCEN deems appropriate. The Access NPRM
explained that suspension of access to BOI would be temporary while
debarment would be permanent. FinCEN alone would determine suspension
periods.\189\
---------------------------------------------------------------------------
\188\ 31 U.S.C. 5336(c)(6)-(7).
\189\ 87 FR at 77423.
---------------------------------------------------------------------------
Comments Received. One commenter asked for more information about
how FinCEN would evaluate whether to suspend or debar a financial
institution. This commenter also asked whether FinCEN or the financial
institution's appropriate state or Federal functional regulator would
make the ultimate suspension or debarment decision, and whether a
financial institution would have an opportunity to rebut a claim that
it improperly used BOI. Several commenters asked how financial
institutions should continue meeting their customer due diligence
obligations if they lose access to BOI from FinCEN. One commenter
viewed the use of the term ``requesting party'' in proposed Sec.
1010.955(e)(3)(i) as limiting FinCEN to permanently debarring or
temporarily suspending only entities rather than individual users as
well. This commenter recommended that FinCEN clarify that there may be
times when FinCEN wants to allow continued access by an agency or
financial institution but disallow continued access by an individual
user from that agency or financial institution.
Final Rule. FinCEN adopts 31 CFR 1010.955(e)(3)(i) and (ii) with
minor modifications. These final regulations as a whole establish the
requirements that a financial institution must satisfy to obtain BOI
from FinCEN, what they may do with the information, and how they must
safeguard it. Section 1010.955(e)(3)(i) makes clear that failing to
abide by these requirements and restrictions, including by requesting
BOI for an unlawful purpose, can result in suspension or debarment from
access to BOI. FinCEN further reserves the right to suspend or debar a
requesting party for good cause involving other circumstances. As
stated in the Access NPRM, the decision to suspend or debar a financial
institution from access to BOI is subject to FinCEN's sole discretion.
Imposing limitations on that discretion as a regulatory matter, such as
by implementing a ``three strikes'' rule on certain conduct while
identifying other activity as grounds for immediate debarment, are
premature and require further evaluation. FinCEN will make
determinations on a case-by-case basis after considering the available
facts and circumstances. FinCEN will continue to consider whether
additional standards or limitations are needed to foster
predictability, provide fairness,
[[Page 88775]]
and enhance compliance after gaining experience.
Questions about how a financial institution temporarily or
permanently losing access to BOI from FinCEN might affect the
institution's ability to meet its customer due diligence obligations
are also premature because they implicate the forthcoming 2016 CDD Rule
revisions. FinCEN may address those issues in that future rulemaking.
FinCEN, however, has decided to make modest changes to 31 CFR
1010.955(e)(3)--changing the term ``requesting party'' in 31 CFR
1010.955(e)(3)(i) and the term ``requester'' in 1010.955(e)(3)(ii) to
``individual requester or requesting entity''--in order to clarify that
FinCEN may permanently debar or temporarily suspend individual users at
an agency or financial institution in addition to the entity itself.
G. Violations--Unauthorized Disclosure or Use
Proposed Rule. Proposed rule 31 CFR 1010.955(f) tracks the CTA's
language making it unlawful for any person to knowingly disclose, or
knowingly use, BOI obtained by that person, except as authorized by the
CTA and these regulations. The rule applies to BOI whether the person
obtained it directly or indirectly, and whether this information was
contained in a report submitted to FinCEN under 31 CFR 1010.380 or
disclosed by FinCEN under 31 CFR 1010.955(b). The rule goes on to
broadly define ``unauthorized use'' to include accessing information
without authorization, or ``any violation'' of the security and
confidentiality requirements described in 31 CFR 1010.955(d) in
connection with any access.
Comments Received. Several commenters stated that they approved of
the enforcement provisions of the proposed rule, largely in the context
of providing comments to other parts of the rule. Otherwise, FinCEN did
not receive substantive comments about the enforcement provisions.
Final Rule. FinCEN adopts the rule as written and notes that the
CTA provides civil penalties in the amount of $500 for each day a
violation continues or has not been remedied. Criminal penalties are a
fine of not more than $250,000 or imprisonment for not more than 5
years, or both.\190\ The CTA also provides for enhanced criminal
penalties, including a fine of up to $500,000, imprisonment of not more
than 10 years, or both, if a person commits a violation while violating
another law of the United States or as part of a pattern of any illegal
activity involving more than $100,000 in a 12-month period.\191\
---------------------------------------------------------------------------
\190\ 31 U.S.C. 5336(h)(3)(B).
\191\ 31 U.S.C. 5336(h)(3)(B)(ii)(II).
---------------------------------------------------------------------------
H. Implementation Efforts
i. Implications for Revision of the 2016 CDD Rule
Proposed Rule. The preamble to the proposed rule discussed the
requirement in section 6403(d) of the CTA that FinCEN revise the 2016
CDD Rule in order to (1) ensure that the rule conforms with the CTA;
(2) address how financial institutions with customer due diligence
obligations will access the database; and (3) reduce burdens on
financial institutions and legal entity customers.\192\ The CTA
requires that FinCEN revise the 2016 CDD Rule within one year of
January 1, 2024, the effective date of the final BOI Reporting Rule, by
rescinding paragraphs (b) through (j) of 31 CFR 1010.230.\193\ The
preamble to the proposed rule noted that FinCEN will revise the 2016
CDD Rule at a later date instead of addressing it in this rulemaking.
The preamble further stated that FinCEN expected that the revision of
the 2016 CDD Rule would likely address the interaction of financial
institutions' existing customer due diligence efforts and the BOI
database. The proposed rule did not otherwise address the required
revision to the 2016 CDD Rule.
---------------------------------------------------------------------------
\192\ See CTA, section 6403(d)(1)(A)-(C).
\193\ CTA, section 6403(d)(1), (2). The CTA orders the
rescission of paragraphs (b) through (j) directly (``the Secretary
of the Treasury shall rescind paragraphs (b) through (j)'') and
orders the retention of paragraph (a) by a negative rule of
construction (``nothing in this section may be construed to
authorize the Secretary of the Treasury to repeal . . . [31 CFR]
1010.230(a)[.]'').
---------------------------------------------------------------------------
Comments Received. Some commenters expressed that it was difficult
to comment comprehensively on the Access NPRM as FinCEN has not yet
issued a notice of proposed rulemaking concerning revisions to the 2016
CDD Rule. Other commenters, however, addressed the future rulemaking
despite FinCEN's express reservation of 2016 CDD Rule issues for
consideration at a later date. In particular, these commenters
identified several issues that they believe a revision of the 2016 CDD
Rule should address in light of financial institution access to the BOI
database. These issues included (1) whether FinCEN should mandate that
financial institutions access the BOI database; (2) the verification
and identification of financial institutions customers' beneficial
owners; (3) how to address discrepancies between the BOI database and
the BOI that financial institutions receive directly from their
customers; (4) whether there should be a safe harbor for financial
institutions in case of such discrepancies; and (5) regulatory
expectations related to financial institutions' use of the BOI
database. FinCEN also received comments on a number of technical issues
related to specific provisions of the 2016 CDD Rule, the desirability
of changes to those provisions, and the overall process of revision.
Final Rule. FinCEN appreciates the comments on the interaction of
the proposed rule with the forthcoming revision to the 2016 CDD Rule
but declines to make modifications in this final rule based on
consideration of the forthcoming revision. Furthermore, comments that
relate to how FinCEN should revise the 2016 CDD Rule are not addressed
in this rule. However, FinCEN will consider these comments in its
development of a notice of proposed rulemaking on this topic in the
future. Covered financial institutions will continue to be subject to
the existing 2016 CDD Rule until a revision of that rule is effective.
In addition, FinCEN, in consultation with the Federal functional
regulators, will issue guidance on this topic as appropriate.
While FinCEN is reserving consideration of certain issues for the
2016 CDD Rule revision, comments on the Access NPRM are addressed
here--in particular those comments that are relevant to the use of the
BOI database by financial institutions in the period between the
effective date of this final rule and the revision to the 2016 CDD
Rule. FinCEN is also addressing comments that requested specific
changes to this final rule in connection with reporting discrepancies
in BOI, as well as those that requested a definitive authorization to
rely on BOI or a definitive exemption from liability (a safe harbor
provision). FinCEN addresses these matters as follows.
Some commenters requested that FinCEN explicitly state in this
final rule that use of the BOI database by financial institutions is
not mandatory. As with the proposed rule, the final rule outlines who
may access the BOI database and for what purpose; however, it does not
require financial institutions to access the BOI database, nor does it
speak to what financial institutions' obligations may be once the 2016
CDD Rule is revised. FinCEN expects to more fully address the question
of the extent to which, and how, financial institutions should access
the BOI database for the purpose of fulfilling their customer due
diligence obligations when FinCEN revises the 2016 CDD Rule. As
[[Page 88776]]
explained in section III.C.iv.b.1, the final rule does not create a new
regulatory requirement for financial institutions to access BOI from
the BO IT System or a supervisory expectation that they do so. Thus,
the Access Rule does not necessitate changes to BSA/AML compliance
programs designed to comply with existing BSA requirements, such as the
2016 CDD Rule, customer identification program requirements,\194\ and
suspicious activity reporting.\195\ However, any access to and use of
BOI obtained from the BO IT System must comply with the requirements of
the CTA and the Access Rule.
---------------------------------------------------------------------------
\194\ 31 CFR 1010.220.
\195\ 31 CFR 1010.320.
---------------------------------------------------------------------------
Similarly, on the issue of discrepancies between the BOI that
financial institutions obtain from FinCEN and the BOI that they obtain
directly from their customers, several commenters asked FinCEN to
clearly state in the final rule that financial institutions would not
be required to report discrepancies. This final rule does not require
financial institutions to access the BOI database, nor does it require
them to report discrepancies between information obtained from
customers and BOI obtained from FinCEN, if any are discovered. This
final rule also does not change a financial institution's obligations
under other provisions of the BSA and implementing regulations,
including the regulatory requirement for financial institutions to
maintain an anti-money laundering program that involves, among other
things, the reporting of suspicious transactions to FinCEN.\196\ FinCEN
declines to follow suggestions from commenters that the final rule
address this subject. If FinCEN finds that additional guidance or
regulatory changes are necessary, it may issue stand-alone guidance or
take up the subject in a later rulemaking such as the revision of the
2016 CDD Rule.
---------------------------------------------------------------------------
\196\ See 31 CFR 1020.320.
---------------------------------------------------------------------------
The issues raised by commenters relating to handling discrepancies
and the provision of a safe harbor are connected to the issue, also
raised by commenters, of the extent to which financial institutions may
rely on BOI obtained from FinCEN for the purpose of fulfilling their
regulatory customer due diligence requirements. As explained above,
revisions to the 2016 CDD Rule and its requirements will be the subject
of a future rulemaking. However, FinCEN appreciates the consideration
of these issues, as reflected in the comments already submitted, and
FinCEN will take them into account in the context of that future
rulemaking.
Finally, with respect to the comments that raised concerns about
regulatory expectations, FinCEN continues to work closely with Federal
functional regulators on how financial institutions are examined with
respect to their use of the BOI database to facilitate compliance with
customer due diligence requirements under applicable law, including the
2016 CDD Rule and its revision. As part of this effort, FinCEN will
continue consulting with the Federal functional regulators on whether
to issue guidance in this area.
ii. Information Technology Systems Issues
a. Access--In General
Comments Received. Several commenters made general comments on
access to beneficial ownership information reported to FinCEN. Two
commenters made statements that access to BOI should be simple,
uncomplicated, and timely. One commenter stated that the beneficial
ownership database should be built so that it maximizes access to
authorized users with eventual public access in mind. Another commenter
stated that the final rule should clarify that the structure and nature
of the access protocols in the CTA are meant to facilitate auditable
and technologically-enabled access to the BOI database, and that access
will generally not be considered by FinCEN on a case-by-case basis. One
commenter stated that any required certifications should be filed
electronically.
Another commenter stated that BOI should be available in bulk,
noting that bulk data formats will allow users to find patterns or red
flags relating to beneficial ownership, or to assess and improve data
quality. Another commenter requested that financial institutions have
the ability to submit required certifications and access BOI on a bulk,
automated basis. This commenter noted that if access to the BO IT
system requires manual submissions on a customer-by-customer basis,
this would be unnecessarily cumbersome and would adversely impact the
ability of financial institutions to use information from the database
effectively and efficiently for illicit finance risk management.
Two commenters requested that FinCEN clarify what information
authorized users will receive from the BO IT system, and that such
information should include the chain of ownership between the reporting
company and the beneficial owners. Several commenters requested
clarification as to whether authorized users will have access to the
underlying BOI when a FinCEN identifier is included in a beneficial
ownership information report in lieu of the personal identifying
information of a beneficial owner or company applicant. One commenter
suggested that this be explicit in the regulatory text. Another
commenter explained that if a bank relies on a BOI report with FinCEN
identifiers in lieu of know-your-customer/customer identification
program information, it will be unable to fully conduct customer due
diligence or enhanced due diligence.
Another commenter noted that FinCEN should provide BOI in a
structured data format, and recommended that FinCEN adopt the
Beneficial Ownership Data Standard (BODS) as the common data standard
for BOI stored in the IT system so that the data is compatible with
other jurisdictions' BOI databases. One commenter suggested that one
authorized access be assigned to each entity, and that each entity
should be held responsible for controlling who uses that access.
Another commenter stated that ensuring limited access to beneficial
ownership data is essential to help with public confidence in the
system and for compliance purposes and encouraged FinCEN to think about
how to prevent, mitigate, and manage potential data breaches that could
occur, including how affected parties will be notified and how remedies
can be implemented within reasonable timelines. This commenter also
suggested that FinCEN should have the highest protective protocols in
place for the database and that access to the database should be
tracked, so that FinCEN is aware at all times of who has access to the
database and who is making requests. Further, given the sensitive
nature of BOI and the limited uses for which BOI obtained from FinCEN
might be used, one commenter requested that FinCEN consider providing
financial institutions with confirmation that BOI was obtained from
FinCEN.
Response. FinCEN appreciates the need to provide automated, user-
friendly access to the BO IT system, and is developing the BO IT system
against those parameters and the requirements set forth in the CTA.
Notably, the CTA does not provide for public access to BOI, and the
modalities for authorized users to access BOI reflect that fact. With
respect to comments regarding bulk access to BOI, FinCEN does not, at
this time, anticipate providing bulk data exports of BOI to authorized
users. However, FinCEN expects that financial
[[Page 88777]]
institutions will use Application Programming Interfaces (APIs) to
access BOI, and that the BO IT system will accommodate the use of APIs
for this purpose (including the submission of required certifications).
Regarding comments that FinCEN should avoid engaging in case-by-
case reviews of BOI access requests, FinCEN notes that this is
generally consistent with the proposed access modalities for the six
categories of authorized users. Although FinCEN had initially proposed
a case-by-case review mechanism for State, local, and Tribal law
enforcement agency requests for BOI, it has eliminated that requirement
from the final rule. FinCEN will review certain requests for BOI from a
``trusted foreign country'' on a case-by-case basis, but believes that
the case-by-case handling of those requests is warranted given their
nature (i.e., they are requests from a foreign government that are not
governed by an existing treaty, agreement, or convention) and the fact
that foreign governments, per the CTA, must submit requests for BOI
through an intermediary Federal agency and will not have direct access
to the BO IT system.
Two commenters requested that FinCEN clarify what information
authorized users will receive from the BO IT system, and that such
information should include the chain of ownership between the reporting
company and the beneficial owners. Other commenters requested
clarification as to whether authorized users will have access to the
underlying BOI when a FinCEN identifier is included in beneficial
ownership information report in lieu of the personal identifying
information of a beneficial owner or company applicant.
FinCEN will disclose to authorized users the information that
reporting companies are required to report under 31 CFR 1010.380(b).
This means that authorized users will receive information about (1) the
reporting company, (2) its beneficial owners, and (3) any company
applicants. For the reporting company, authorized users will receive a
transcript with (1) the full legal name and any trade or ``doing
business as'' names of the reporting company, (2) the complete current
address of the reporting company, (3) the State, Tribal, or foreign
jurisdiction of formation of the reporting company, (4) for a foreign
reporting company, the State or Tribal jurisdiction where the foreign
reporting company first registers, and (5) the IRS Taxpayer
Identification Number or foreign tax identification number of the
reporting company. For beneficial owners or company applicants,
authorized users will receive a transcript with (1) the full legal name
of the individual, (2) the individual's date of birth, (3) a complete
current address, and (4) the unique identifying number and the issuing
jurisdiction from an acceptable identification document (i.e., a non-
expired U.S. passport, a non-expired identification document issued to
the individual by a State, local government, or Indian tribe for the
purpose of identifying the individual, a non-expired driver's license
issued to the individual by a state, or a non-expired passport issued
by a foreign government to the individual). Images of individuals'
identification documents will be made available to Federal agencies
engaged in law enforcement, national security, or intelligence
activities, or to State, local, or Tribal law enforcement agencies.
Information associated with a FinCEN identifier that has been reported
in a beneficial ownership information report will be included in the
BOI transcripts made available to authorized users. Lastly, FinCEN
intends to mark BOI reports to identify them as originating from
FinCEN's BO IT system.
In respect of data format, FinCEN evaluated existing data
standards, which includes Extensible Markup Language (XML), and the
Open Ownership (OO) data standards when developing its beneficial
ownership data standards. To the extent possible, FinCEN did use those
standards in the OO data catalog that could be incorporated consistent
with the CTA.
The BO IT system will adhere to FISMA (Federal Information Security
Management Act) ``High'' standards, which require implementing the
highest level of security controls for a system at the unclassified
level, to help protect against the loss of confidentiality, integrity,
or availability of information. For the BO IT systems, FinCEN is
responsible for implementing Executive Order 14028 (``Improving the
Nation's Cybersecurity''), Treasury's Zero Trust mandates, Continuous
Diagnostic Mitigation Program, and other Federal directives to protect
systems and information. In addition, Treasury has established a Cyber
Review Board, which has established the Treasury Incident Coordination
Process (T-ICP) to appropriately escalate any data breaches and
compromises.
b. IT System Search Capabilities
Comments Received. FinCEN received comments both on how all
authorized users would conduct searches for BOI in the IT system, and
more specific comments about how financial institutions would conduct
searches. Multiple commenters requested that all users be able to
search using a wide range of search fields or that FinCEN adopt a
layered approach in which some users would be able to conduct wider
ranging searches while others would be more limited. One commenter also
requested that users be able to search for historical BOI on a single
reporting company. Commenters also highlighted the need for information
on how authorized users can access BOI and requested that FinCEN
provide guidance for users in conducting searches in the form of pre-
populated forms, templates, guidance documents, FAQs, or an ``access
toolkit.''
With respect to financial institution access, several commenters
argued that the proposed level of financial institution searching
capabilities is far too restrictive and should mirror that of law
enforcement agencies so financial institutions can conduct broad and
open-ended queries. One commenter stated that financial institutions
should be able to broadly search throughout the BOI database to learn
more about a specific customer's beneficial owners and their
connections to other companies in order to strengthen their customer
due diligence compliance.
Many commenters also requested that FinCEN adopt technologies that
would facilitate immediate, on-demand access to BOI that would be
compatible with financial institutions' systems, and the most common
request was for FinCEN to allow the use of APIs to access the IT
system. Some commenters asked FinCEN to clarify that FinCEN would not
manually review and approve each request to search the database, as
this could overwhelm FinCEN's capabilities considering the number of
search requests. Many commenters requested an automated system for
financial institutions to certify their requests for access and be
approved by FinCEN so that they could conduct bulk searches instead of
individual searches, and they argued that the proposal in the NPRM of a
single ``electronic transcript'' per BOI search would be costly and
inefficient. Commenters also requested that FinCEN make changes to the
information FinCEN requires from financial institutions to conduct
searches, and one commenter argued that FinCEN should require that
financial institutions use a reporting company's FinCEN identifier as
an added security measure. Finally, related to financial institution
searches of the database, a few commenters asked that, prior to January
1, 2024, FinCEN clarify how financial institutions would be informed
when their queries match or
[[Page 88778]]
fail to match data in the database, and how FinCEN will handle query
errors and mismatches generally. One commenter provided specific
suggestions for a matching system that FinCEN could use.
Response. As explained in the proposed rule, FinCEN expects that
there will be differing levels of access to the BO IT system, depending
on the type of authorized BOI recipient.
Domestic agency users (i.e., Federal agencies engaged in national
security, intelligence, and law enforcement activity; Treasury officers
and employees who require access to BOI to perform their official
duties or for tax administration; and State, local, and Tribal law
enforcement agencies) will be able to access and query the BO IT system
directly. This type of access would permit authorized individuals
within an authorized recipient agency to log in, run queries using
multiple search fields, and review one or more results returned
immediately. This broad access to the BO IT system will allow domestic
agency users to conduct a wide range of searches using a variety of
search fields. FinCEN believes this broad, flexible access for domestic
agency users is necessary to enable them to use BOI effectively to
facilitate investigations or other activities for which they may obtain
BOI.
As discussed in the proposed rule, such broad search capabilities
within the BO IT system require domestic agencies to clearly understand
the scope of their authorization and their responsibilities under it.
That is why the proposed rule establishes protocols for requirements,
limitations, and expectations with respect to searches by domestic
agencies of the BO IT system. As part of these protocols, each domestic
agency would first need to enter into an MOU with FinCEN before being
allowed access to the system. Several commenters also requested that
FinCEN provide guidance to users on how to conduct searches. FinCEN
expects to offer guidance and training for all authorized users on the
use of the BO IT system, similar to the trainings it provides to law
enforcement and others on access to BSA data.
As noted in the proposed rule, other categories of authorized BOI
recipients will have more limited search capabilities. Foreign BOI
recipients will have no access to the BO IT system, as their requests
will flow through an intermediary Federal agency. Financial
institutions and their regulators (Federal functional regulators and
other appropriate regulatory agencies) would both have direct access to
the BO IT system, albeit in more limited form than domestic agency
users. The difference in access between domestic government agencies
and financial institutions is explained by the provisions of the CTA,
which require the consent of the reporting company before a financial
institution may obtain the company's BOI from FinCEN. FinCEN
anticipates that once a financial institution has obtained that
consent, the financial institution would submit identifying information
specific to that reporting company and receive in return an electronic
transcript with that entity's BOI. FinCEN anticipates that financial
institutions will be able to obtain a transcript immediately after
submitting the search request; financial institutions' search requests
will not be subject to manual review. Because of the need to limit
financial institution access to those BOI transcripts for which it has
reporting company consent, FinCEN believes that it would not be
consistent with this statutory requirement to allow financial
institutions to broadly query the BO IT system, which may result in the
financial institutions obtaining information about other reporting
companies or beneficial owners for which they do not have consent. One
commenter suggested that FinCEN require financial institutions to use a
reporting company's FinCEN identifier for the search as an added
security measure. FinCEN notes, however, that reporting companies are
not required to obtain FinCEN identifiers, and not all reporting
companies will request them.
With respect to Federal functional regulators and other appropriate
regulatory agencies exercising supervisory functions, the CTA allows
these agencies to request from FinCEN BOI that the financial
institutions they supervise have already obtained from FinCEN, but only
for assessing a financial institution's compliance with customer due
diligence requirements under applicable law. FinCEN expects regulators
acting in this supervisory capacity to be able to retrieve any BOI that
the financial institutions they supervise received from FinCEN during a
particular period, but they will not be able to broadly search the BO
IT system. However, Federal functional regulators and other appropriate
regulatory agencies responsible for bringing civil enforcement actions
will be able to avail themselves of the broader search functionality
described above for domestic agency users.
c. Notification of Updates or Changes to BOI
Comments Received. Several commenters argued that the final rule
should provide more clarity on whether FinCEN will provide financial
institutions with the updates to BOI that reporting companies provide
when there are changes to that company's BOI. These commenters
specifically asked that FinCEN create a mechanism for automated updates
of BOI to financial institutions when reporting companies change their
BOI. Commenters argued that such automated updates would meet the
requirements of the CTA that BOI provided to FinCEN is ``highly
useful'' and assists financial institutions in meeting their customer
due diligence and AML/CFT obligations. A few commenters requested that
FinCEN develop a ``push'' notification system for the automated
updates, and others requested a system in which financial institutions
could sign up for updates when they first queried the database for a
reporting company's BOI. Commenters also suggested that financial
institutions could be given a choice to ``opt out'' at any point, such
as when a financial institution's customer withdraws consent for
searches of its BOI.
Response. FinCEN appreciates the commenters' suggestions regarding
the BO IT system functionality. FinCEN will consider these suggestions
as a possible future enhancement to the BO IT system.
d. Inability and Loss of Access
Comments Received. Several commenters asked FinCEN how financial
institutions should continue meeting their customer due diligence
obligations in the event of an unexpected event that results in loss of
access to the BO IT system, such as a system outage or cyberattack that
causes the system to be inaccessible. One commenter asked for FinCEN to
clarify whether access to the system would be limited to business days
and whether financial institutions would be prohibited from opening
accounts during times of inaccessibility.
Response. FinCEN anticipates that the BO IT system will be
available for access 24 hours a day and 7 days a week. When there are
planned system outages for regular maintenance activities or period of
unexpected system unavailability, FinCEN will provide appropriate
notification to users. Questions pertaining to the use of BOI for 2016
CDD rule compliance will be addressed in FinCEN's forthcoming proposed
rule to revise 31 CFR 1010.230.
e. Verification of Beneficial Ownership Information
In the preamble to the proposed rule, FinCEN stated that it
continues to
[[Page 88779]]
review the options available to verify BOI within the legal constraints
in the CTA. It also clarified that in the term ``verification,'' as
FinCEN uses it in this context, means confirming that the reported BOI
submitted to FinCEN is actually associated with a particular
individual.
Comments Received. FinCEN received several comments on the issue of
verification of the beneficial ownership information it will receive
under 31 CFR 1010.380. Commenters argued that FinCEN is required by the
CTA to verify information in the BO IT system, and that such
verification is necessary to ensure the BOI reported to FinCEN is
``accurate, complete, and highly useful'' consistent with the CTA. Some
commenters urged FinCEN itself to verify data in the BOI database,
while others suggested that verification should involve coordination
with other governmental agencies and that such coordination is required
by the CTA. Suggested verification mechanisms included checks against
the Consular Consolidated Database maintained by the Department of
State, the National Law Enforcement Telecommunications System, the U.S.
Postal Service, and Departments of Motor Vehicles. One commenter noted
that any verification method should be efficient and not burdensome to
businesses.
Some commenters noted the experience of other countries in
verifying information in their beneficial ownership registers, and that
FinCEN's proposal did not meet the verification requirements set forth
by FATF. Others noted that FinCEN's definition of ``verification'' was
unduly narrow and should be expanded to include verifying both that
identifying information submitted is for an actual person and that the
BOI is related to the named reporting company. Multiple commenters
argued that verification, by ensuring BOI was accurate and complete,
would reduce burden for financial institutions (or concomitantly, that
failing to verify BOI would increase burden by imposing additional
compliance costs on financial institutions). Commenters also argued
that BOI would not be useful for financial institutions without
verification. Multiple commenters suggested that FinCEN explore
verification using privacy-protected data sharing mechanisms such as a
Zero-Knowledge Proof which match certain data elements without
requiring any of the parties to exchange or disclose the underlying
data.
With respect to the timing of verification, one commenter suggested
that cross-checking information should happen at the time an entity is
formed and that financial institutions should therefore not have to
collect the information but instead access the FinCEN database to
assist in customer due diligence. Other commenters suggested that
information should be verified upon submission to FinCEN. One commenter
noted that FinCEN could increase the usefulness of the database by
sanctions screening BOI against OFAC's Specially Designated Nationals
and Blocked Persons List and alerting users who access such BOI.
Response. Although verification is not addressed in this rule,
FinCEN appreciates the comments on this topic and is carefully
considering the suggestions provided. FinCEN agrees that verification
is an important part of its overall efforts to ensure that the BOI
reported to it is ``accurate, complete, and highly useful'' and
continues to assess options to verify BOI taking into consideration
practical, legal, and resource challenges.
f. Other IT System Issues
Comments Received. FinCEN received additional comments pertaining
to the functionality or use of the BO IT system. Two commenters
suggested that FinCEN should make the BO IT system compatible with
other countries' databases. Others suggested that FinCEN provide a
proof of registration page when a BOI report is successfully filed.
Another commenter noted that the proposed rule does not address whether
authorized users may make copies of the BOI reports they obtain from
the BO IT system. One commenter recommended that FinCEN develop an
interactive database which discloses generic BOI database query trends.
Response. FinCEN appreciates these ideas and will take them into
consideration as it continues to implement the CTA.
iii. The Proposed BOI Reporting Form
Comments Received. While not the subject of this proposed rule,
FinCEN received several comments on the proposed Beneficial Ownership
Information Report (BOIR), which is the form that FinCEN will use to
collect beneficial ownership information from reporting companies
pursuant to 31 CFR 1010.380. Commenters were critical of checkboxes on
the proposed BOIR form that would provide a mechanism for reporting
companies to indicate when they are unable to obtain certain
information about the reporting company's beneficial owners and company
applicants. Several of these commenters requested that FinCEN remove
all such checkboxes. Two commenters expressed concern with the quality
and reliability of BOI if reporting companies are allowed to indicate
that they are unable to identify beneficial owners entirely or provide
only certain information associated with beneficial owners. One
commenter stated that the checkboxes would act as a roadblock to banks'
compliance with customer due diligence obligations and principles. One
commenter stated that inclusion of the checkboxes supports financial
institutions' voluntary use of BOI. One commenter stated that
submission of declarations where the reporting company does not know
who its beneficial owners are should not be permitted outside
exceptional circumstances and that in such circumstances, the reporting
company should submit supporting evidence and an explanation why the
person is anonymous or their identity is unknown.
Response. As part of its obligations under the Paperwork Reduction
Act of 1995 (PRA), FinCEN separately solicited public comment on the
proposed BOIR form through a 60-day PRA notice, issued on January 17,
2023.\197\ Given that the BOIR form is outside the scope of this
rulemaking and was instead the subject of the 60-day PRA notice, FinCEN
considered the comments it received on the form as part of its
consideration of the comments received in response to the 60-day PRA
notice. Pursuant to the PRA, on September 29, 2023, the Department of
the Treasury, on behalf of FinCEN, published a 30-day PRA notice, which
considered these comments and proposed a revised approach to the BOIR
form.\198\ OMB approved the proposed BOIR form on November 27, 2023.
---------------------------------------------------------------------------
\197\ 88 FR 2760 (Jan. 17, 2023).
\198\ 88 FR 67443 (Sept. 29, 2023).
---------------------------------------------------------------------------
iv. Outreach and Guidance
Proposed Rule. FinCEN acknowledged in the proposed rule that
implementation of the final rule will require additional engagement
with stakeholders to ensure a clear understanding of the Access Rule's
requirements, including through guidance and FAQs, help lines, and
other communications. In question 29 in the Access NPRM, FinCEN asked
what specific issues FinCEN should address via public guidance or FAQs
as well as whether there were specific recommendations on engagement
with stakeholders to ensure that the authorized recipients--in
particular, State, local, and Tribal authorities and small and mid-
sized financial
[[Page 88780]]
institutions--are aware of requirements for access to the BO IT system.
Comments Received. FinCEN received a variety of comments in
response to the outreach questions in the Access NPRM. Commenters noted
that a Small Entity Compliance Guide and FAQs, available well in
advance of any effective date, would be useful for authorized users of
the BO IT system. Training videos and step-by-step guides for each type
of authorized recipient, including an online tip platform, would also
improve CTA effectiveness. Commenters also suggested the importance of
having educational materials for foreign requesters available in as
many languages as feasible. Those commenters stated that the guidance
on foreign access should include examples, templates, forms, and other
materials that can streamline the process as much as possible. Several
commenters suggested developing guidance and educational materials for
financial institutions, Certified Public Accountants, and Secretary of
State offices that could be provided to their customers and
constituents. One commenter specifically highlighted a variety of
national law enforcement and tribal association annual conferences
where FinCEN should present and be available to educate participants on
access to, and the utility of, the BO IT system. Regarding engagement
with potential foreign requesters, one commenter suggested that FinCEN
consider discussing access requirements with the key foreign partners
of Federal agencies. One commenter recommended that FinCEN use clear
font styles and sizes, avoid small footnotes and legalese, and use
contrasting colors.
Final Rule. As with the Reporting Rule published on September 30,
2022,\199\ FinCEN envisions committing significant resources upon
publication of the final Access Rule to prepare for and enable
successful implementation. FinCEN anticipates that these resources will
be used to conduct outreach, as well as draft and issue guidance, user
guides, FAQs, and other educational materials. FinCEN recognizes the
need to ensure that reporting companies, authorized users, and other
stakeholders have a thorough understanding of the beneficial ownership
Reporting and Access Rules and their requirements, both before and
after the effective date of the rules. FinCEN also remains mindful of
the imperative to minimize burdens on reporting companies, financial
institutions, and authorized users while also fulfilling the CTA's
directives for establishing an effective reporting and access
framework. FinCEN appreciates that outreach and education is an
important element of the effort to reduce compliance burdens and
enhance the utility of the BO IT system. In addition to its planned
outreach and educational efforts, FinCEN continues to track inquiries
coming into its Regulatory Support Section and will draw on those
inquiries when planning outreach and drafting future guidance and
educational materials.
---------------------------------------------------------------------------
\199\ 87 FR at 59548.
---------------------------------------------------------------------------
FinCEN notes that 31 U.S.C. 5336(g) requires the Director of
FinCEN, in promulgating regulations carrying out the CTA, to reach out
to the small business community and other appropriate parties to ensure
efficiency and effectiveness of the process for the entities subject to
the CTA's requirements. FinCEN has engaged in such outreach throughout
the Access rulemaking processes. As noted in the Access NPRM, FinCEN
conducted more than 30 outreach sessions to solicit input on how best
to implement the statutory authorizations and limitations regarding BOI
disclosure. Participants included representatives from Federal
agencies, state courts, state and local prosecutors' offices, Tribal
governments, financial institutions, financial SROs, and government
offices that had established BOI databases. Topics discussed included
how stakeholders might use BOI, potential IT system features,
circumstances in which potential stakeholders might need to re-
disseminate BOI, and how different approaches might help further the
purposes of the CTA. These conversations helped FinCEN refine its
thinking about how to create a useful database for stakeholders while
protecting BOI and individual privacy.
FinCEN intends to continue its substantial outreach to
stakeholders, including Federal and state law enforcement officials,
Indian Tribes, trade groups, and others, to ensure coordinated efforts
to provide notice and sufficient guidance to all potential authorized
users. FinCEN will also provide guidance materials and training
materials for authorized users of the BO IT system.
FinCEN appreciates the suggestions on how to minimize burden to
State, local, and Tribal authorities and make the use of the BO IT
system as effective as possible. FinCEN currently administers access to
the FinCEN Query system and would build on its experience and contacts
with law enforcement agencies and others in administering access to and
providing training on BOI access.
I. Other Access NPRM Comments
i. Inspector General Complaint Process
Comments received. One commenter stated that the proposed rule
lacked any acknowledgement of the user complaint process established in
the CTA.\200\ The CTA provides that the Inspector General of the
Department of the Treasury, in coordination with the Secretary of the
Treasury, shall provide public contact information to receive external
comments or complaints regarding the beneficial ownership information
notification and collection process or regarding the accuracy,
completeness, or timeliness of such information. The CTA also requires
the Inspector General to make a periodic report to Congress on user
complaints and any resulting recommendations to ensure the beneficial
ownership information reported to FinCEN is accurate, complete, and
highly useful.\201\
---------------------------------------------------------------------------
\200\ 31 U.S.C. 5336(h)(4).
\201\ Id.
---------------------------------------------------------------------------
Response. FinCEN is cognizant of the CTA's requirements with
respect to the user complaint process. FinCEN acknowledged Treasury
OIG's role in this process in the final beneficial ownership Reporting
Rule, noting that the Treasury OIG had established an email inbox
([email protected]) to receive such complaints.\202\
FinCEN expects that officers and employees of OIG, as officers and
employees of the Department of the Treasury, would have access to BOI
in the BO IT system for any official duties that require access to
information in that system, including for purposes of fulfilling the
Treasury OIG's responsibilities under the user complaint process as
outlined in the CTA.
---------------------------------------------------------------------------
\202\ 87 FR 59498, 59508.
---------------------------------------------------------------------------
ii. Effective Date
Proposed Rule. FinCEN proposed an effective date for the Access
Rule of January 1, 2024, to align with the date on which the Reporting
Rule at 31 CFR 1010.380 becomes effective.\203\ FinCEN explained in the
proposed rule that a January 1, 2024, effective date is intended to
provide the public and authorized users of BOI with sufficient time to
review and prepare for implementation of the rule.\204\
---------------------------------------------------------------------------
\203\ 87 FR 77404, 77425.
\204\ Id.
---------------------------------------------------------------------------
Comments Received. Several commenters expressed concern about the
January 1, 2024, effective date. One commenter stated that it is
unlikely that FinCEN will be able to promulgate a final access rule by
the end of 2023 or
[[Page 88781]]
that the related BO IT system will be built, tested, and operational by
the end of 2023. The commenter noted that it is unlikely that
authorized users will have met the regulatory obligations that are
prerequisites to their ability to access BOI by that date. The
commenter suggested that FinCEN should set out a manageable, realistic
timeline extending past January 1, 2024, and communicate this timeline
to all stakeholders. Another commenter expressed concern about a ``go
live'' date of January 1, 2024,\205\ and the ability of FinCEN and
financial institutions to make the necessary implementation
preparations by that date given resource constraints. This commenter
suggested that FinCEN delay the effective date of the beneficial
ownership rules and consider a staged implementation approach. Finally,
another commenter expressed concern that the effective date of FinCEN's
beneficial ownership rules will coincide with a regulatory action by
the Consumer Financial Protection Bureau, which would overwhelm
financial institution compliance staff.
---------------------------------------------------------------------------
\205\ The commenter actually referred to January 1, 2025, but
FinCEN believes this was a typographical error intended to refer to
January 1, 2024.
---------------------------------------------------------------------------
Final Rule. This final rule will be effective February 20, 2024.
However, the effective date of the Reporting Rule remains January 1,
2024, and FinCEN continues to target January 1, 2024, for the release
of the BO IT system. Given the publication date of this final rule in
advance of January 1, 2024, and FinCEN's phased implementation approach
outlined in section II.D.iii, FinCEN believes authorized users will
have sufficient advance notice of the requirements of this rule. FinCEN
appreciates these comments and pragmatic suggestions and will make
adjustments to its implementation plans if circumstances warrant.
With respect to concerns about potential overlap with another
significant regulatory action, FinCEN notes that under the Reporting
Rule, existing reporting companies will have one year (until January 1,
2025) to file their initial beneficial ownership reports. FinCEN also
notes that there is no requirement in the rule that authorized users of
the BO IT system access the system immediately upon the effective date
of this rule. The final CTA-related rulemaking to revise FinCEN's
customer due diligence rule must occur no later than one year after the
effective date of the Reporting Rule, or January 1, 2025, and this
process will likely extend into 2024.\206\
---------------------------------------------------------------------------
\206\ CTA, section 6304(d).
---------------------------------------------------------------------------
iii. Budget and Staffing
Proposed Rule. The preamble of the proposed rule included a
discussion of FinCEN's resource constraints with respect to
implementation of the CTA.\207\ FinCEN noted in that discussion that
without the availability of additional appropriated funds to support
this project and other mission-critical services, FinCEN may need to
identify trade-offs, including with respect to guidance and outreach
activities, and the staged access by different authorized users to the
database.
---------------------------------------------------------------------------
\207\ 87 FR 77404, 77408.
---------------------------------------------------------------------------
Comments Received. One commenter made note of this discussion in
the proposed rule and requested a fuller explanation of the staged
access approach. This same commenter also observed that FinCEN would
likely receive an exponentially greater number of inquiries and
requests for technical support from filers and users of the BO IT
system than it currently handles and that FinCEN will need to hire and
train hundreds of support personnel in the next twelve months. Another
asked what ``staged access'' means and noted that the final rule should
address specifics about this and how it will impact community banks.
Finally, one commenter suggested that FinCEN address its resource
constraints by considering a professional internship program to address
short term staffing needs to support CTA implementation.
Response. As previewed in the proposed rule, FinCEN has undertaken
efforts to identify options to implement the requirements of the CTA
within its current resources. One of several options to manage
implementation in the current resource-constrained environment is to
implement a phased rollout of access to the BO IT system--meaning that
different groups of authorized users would obtain access to the system
at different times in a set timeframe. As discussed further in section
II.D.iii, to manage smoothly the draw on resources that this process
will demand, FinCEN will take a phased approach to providing access to
the BO IT system.
FinCEN continues to move expeditiously to put in place the
necessary infrastructure to implement the CTA and to provide adequate
guidance and support to reporting companies and authorized users of the
BO IT system. To this end, FinCEN is currently working to implement and
staff a dedicated beneficial ownership contact center to field both
substantive and IT-related inquiries. FinCEN has also hired additional
full-time staff who will be assigned to support the beneficial
ownership portfolio and has procured additional contractor support for
FinCEN's CTA implementation efforts. Any changes to FinCEN's plans to
implement the CTA will be clearly communicated to the public and
stakeholders.
IV. Severability
If any of the provisions of this rule, or the application thereof
to any person or circumstance, is held to be invalid, such invalidity
shall not affect other provisions or application of such provisions to
other persons or circumstances that can be given effect without the
invalid provision or application.
V. Regulatory Analysis
This section contains the final regulatory impact analysis (RIA)
for this final rule; it estimates the anticipated cost of the BOI
access requirements to the public, among other items. The final rule
imposes requirements on domestic agencies, foreign requesters, and
financial institutions when they elect to access FinCEN's BOI database.
The requirements and the associated costs vary depending on whether the
affected entity is a domestic agency, foreign requester, or financial
institution. To estimate costs associated with accessing beneficial
ownership information in accordance with the final rule, FinCEN assigns
an hourly burden to each requirement in the rule and uses an estimated
wage rate to determine a per-entity expected cost of following that
requirement. Where appropriate, FinCEN varies the hourly burden and
wage according to the entity type and the size of the entity. To
approximate an upper bound of aggregate expected costs, FinCEN
multiplies the per entity costs computed as described by the total
number of expected affected entities. These expected costs do not
represent fees that affected entities need to pay to access beneficial
ownership information, as no such fees are imposed by the final rule.
Instead, the costs as estimated below reflect the dollar value FinCEN
assigned, where possible, to the estimated time burden associated with
the rule's requirements.
Many of the rule's benefits are not as readily quantifiable, in
part because the rule sets forth access requirements for obtaining BOI
that is not yet available,\208\ and because expected use (and hence
benefits) by at least some
[[Page 88782]]
parties cannot be reliably estimated before the CTA's required revision
to the 2016 CDD Rule has been finalized.\209\ Other important expected
benefits of the rule are not reliably quantifiable because an attempt
to isolate the incremental benefits uniquely attributable to this rule
would be inherently speculative, and even if such discrete increments
could be identified, assigning a dollar value to items such as national
security or public faith in the integrity of the U.S. financial system
is impracticable. The rule, nevertheless, is generally expected to
improve investigations by law enforcement and assist other authorized
users in a variety of activities. To the extent that this increased
efficiency in information gathering can be proxied by reduced search
costs,\210\ FinCEN quantified these expected benefits to certain
affected parties in the NPRM and in the RIA below. The potential
improvements in the breadth, scope, and efficiency of investigations
and other activities by authorized users should in turn strengthen
national security, enhance financial system transparency and integrity,
and align the United States more closely with international AML/CFT
standards. The RIA includes a discussion of these qualitative benefits
and quantifiable efficiency gains which may accrue to domestic agencies
alongside the quantitative discussion of costs.
---------------------------------------------------------------------------
\208\ BOI will be collected pursuant to 31 CFR 1010.380,
finalized under the Reporting Rule, which will be effective January
1, 2024.
\209\ FinCEN would need to know how access to BOI under the rule
will impact financial institutions' customer due diligence
obligations, which FinCEN will not be able to assess until its
revises the 2016 CDD Rule. Thus, FinCEN will instead assess the
value that BOI access has to financial institutions in the
regulatory analysis of FinCEN's upcoming revisions to the 2016 CDD
Rule. Throughout the analysis, FinCEN notes issues that may be
affected by the required revision to the CDD rule.
\210\ In this analysis, ``search cost'' refers to the cost
associated with obtaining beneficial ownership information. See.
discussion in section V.A.ii.g. about monetizing the time component
of search costs.
---------------------------------------------------------------------------
FinCEN has made efforts to assess the expected costs and benefits
of the rule realistically, but notes that the rule relates to access to
newly required information that is not yet available; thus, the
estimates are based on several assumptions where FinCEN lacks certain
direct supporting data. FinCEN further notes that the analysis of
expected costs and benefits, as previewed in the NPRM and discussed
below, is performed over annual increments that assume a fully
operational framework, one in which all potentially affected parties
access a database that includes BOI reports from all reporting
companies that are in existence as of the Reporting Rule's effective
date.\211\ This framing is not expected to specifically depict the
costs or benefits corresponding to the first, or subsequent, calendar
year(s) following the adoption of the final rule, given the phased
nature of related regulatory implementation.\212\ However, FinCEN is
utilizing this approach because it imposes the fewest extraneous
assumptions about how phased regulatory implementation impacts the
expected economic effects.
---------------------------------------------------------------------------
\211\ The Reporting Rule requires such entities to report BOI
within one year of the effective date.
\212\ The phased implementation is discussed in section
II.D.iii. of the preamble.
---------------------------------------------------------------------------
FinCEN acknowledges that during initial implementation, while
entities begin to gain access to BOI and initial BOI reports are
populated in the database, the anticipated aggregate costs and benefits
of the rule may be lower that the estimates presented below. FinCEN
further acknowledges that during this period, the balance of costs to
benefits may also differ such that the relative economic value
(benefits scaled by costs) of the rule as discussed below could be
overestimated. However, as the methodological approach of the RIA, in
the NPRM and below, conservatively ascribes no quantifiable benefits to
financial institutions as a subgroup of authorized users while
nevertheless incorporating an estimated full cost burden of access to
them, it is unlikely that the aggregate net benefits in the RIA are
overstated because in practice the benefit to participating financial
institutions is expected to be nonzero.
FinCEN has described its cost estimates in detail to inform the
public about the rule and its impact and has analyzed the final rule as
required under Executive Orders (E.O.s) 12866, 13563, and 14094, the
Regulatory Flexibility Act, the Unfunded Mandates Reform Act, and the
Paperwork Reduction Act. FinCEN's analysis assumes the baseline
scenario is the current regulatory framework, in which there is no
general Federal beneficial ownership information disclosure requirement
and therefore no access to this information. Thus, any estimated costs
and benefits as a result of the rule are new relative to maintaining
the current framework. It has been determined that this regulation is a
``significant regulatory action'' under section 3(f)(1) of E.O. 12866,
as amended. Pursuant to the Regulatory Flexibility Act, FinCEN's
analysis concluded that the rule will have a significant economic
impact on a substantial number of small entities. Furthermore, pursuant
to the Unfunded Mandates Reform Act, FinCEN concluded that the rule
will result in an expenditure of $177 million or more annually by
State, local, and Tribal governments or by the private sector.\213\
---------------------------------------------------------------------------
\213\ The Unfunded Mandates Reform Act requires an assessment of
mandates that will result in an annual expenditure of $100 million
or more, adjusted for inflation. The U.S. Bureau of Economic
Analysis reports the annual value of the gross domestic product
(GDP) deflator in 1995, the year of the Unfunded Mandates Reform
Act, as 71.823, and as 127.224 in 2022. See U.S. Bureau of Economic
Analysis, ``Table 1.1.9. Implicit Price Deflators for Gross Domestic
Product'' (accessed Friday, June 2, 2023). Thus, the inflation
adjusted estimate for $100 million is 127.224/71.823 x 100 = $177
million.
---------------------------------------------------------------------------
Because the rule is a significant regulatory action under section
3(f)(1) of E.O. 12866, FinCEN prepared and made public a preliminary
RIA, along with an Initial Regulatory Flexibility Analysis (IRFA)
pursuant to the Regulatory Flexibility Act, on December 16, 2022.\214\
FinCEN received multiple comments about the RIA and the IRFA, which are
addressed in this section. FinCEN has incorporated additional data
points, additional cost considerations, and responses to other points
raised by commenters into the final RIA, which is published in its
entirety following a narrative response to the comments.
---------------------------------------------------------------------------
\214\ See 87 FR 77426-77454.
---------------------------------------------------------------------------
A. Executive Orders 12866, 13563, and 14094
E.O.s 12866, 13563, and 14094 direct agencies to assess costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, and public health and
safety effects; distributive impacts; and equity). E.O. 13563
emphasizes the importance of quantifying both costs and benefits,
reducing costs, harmonizing rules, and promoting flexibility. It has
been determined that this regulation is a significant regulatory action
under section 3(f)(1) of E.O. 12866, as amended. Accordingly, this
final rule has been reviewed by the Office of Management and Budget
(OMB).
i. Discussion of Comments to the RIA
FinCEN received several comments related to the Access NPRM RIA.
The majority of these comments focused on the estimated costs for
financial institutions to comply with the proposed access requirements.
A smaller group of comments raised points on other aspects of the
NPRM's RIA, primarily on the cost analysis.
[[Page 88783]]
a. Comments Related to Costs to Financial Institutions
Comments generally stated that the access requirements will be
burdensome for financial institutions. Time and resources will be
required to adjust to the rule's requirements for financial
institutions to access BOI. In particular, a comment noted that
compliance costs will include training relevant staff, changing
policies and procedures, enhancing information security, and educating
senior management and customers, and that these costs are significant
and should not be overlooked or underestimated. Comments also stated
that banks would need to hire or reallocate personnel if the rule is
implemented as proposed. FinCEN generally agrees with comments
observing that time and resources that will be required for financial
institutions to adjust to the rule's requirements. FinCEN aims in this
analysis to accurately estimate the burden of implementing requirements
to access BOI.
Comments also discussed the estimates in the NPRM for financial
institution costs. One comment stated that the estimates were generally
inaccurate and were not reasonable. Comments provided specific feedback
on the following financial institution cost estimates:
Administrative, Technical, and Physical Safeguards. A few
commenters stated that the NPRM's estimate of the costs for financial
institutions to establish administrative and physical safeguards to
protect accessed BOI was far too low--one comment called it
``exponentially off''--and needed to be revisited. One commenter stated
that financial institutions would need to spend vastly more than
estimated to develop and implement new systems, with ongoing costs that
would include training on how to treat BOI from FinCEN differently than
other BOI a financial institution may collect. The commenter estimated
it would cost between $1 million and $3 million to develop new systems
or adapt existing systems to comply with the proposed rule and to
prevent BOI obtained from FinCEN from ``flowing'' into other financial
institution monitoring systems or to affiliates outside of the United
States. The commenter notes this cost could double if financial
institutions are only able to access BOI on a manual, and not
automated, basis.
Relatedly, a commenter stated that FinCEN significantly
underestimates the costs financial institutions will incur to update
processes and IT systems to comply with the proposed rule. The
commenter stated that financial institutions would need to
``reengineer'' their existing processes and technology to comply with
the limitations on sharing outside of the United States and to
segregate BOI from FinCEN from standard customer documentation. The
commenter did not provide a cost estimate. A commenter reminded FinCEN
to be mindful that modifying existing procedures to accommodate
requests and other related issues will take time and resources and
requested FinCEN write the final rule in a clear and straightforward
manner.
Finally, a commenter expressed concern that BOI reported to FinCEN
will not be accurate or reliable, forcing banks to shoulder the
majority of the burden in implementing the CTA by acting as
``regulatory quality control.'' Commenters stated that if financial
institutions are required to rely on BOI reported to FinCEN, the
quality and reliability of customer risk profiles would be undermined
unless the financial institutions maintain duplicate systems of BOI
financial institutions receive directly from their customers and
identify discrepancies between the two data sources.
In response to these comments, FinCEN increased the burden estimate
of financial institutions establishing administrative and physical
safeguards. FinCEN retains its estimate for IT costs.
As explained in section III.H.ii.e. although this rule does not
address the verification of BOI reported to FinCEN, FinCEN agrees that
verification is an important part of its overall efforts to ensure that
the BOI reported is ``accurate, complete, and highly useful'' and
continues to assess options to verify BOI taking into consideration
practical, legal, and resource challenges. Regardless of exactly how
FinCEN ultimately addresses verification, FinCEN does not anticipate
that the final rule will require financial institutions to need to
separate BOI obtained from FinCEN and BOI obtained from customers under
their existing customer due diligence processes, as some commenters
suggested would be necessary if FinCEN retained a strict prohibition on
financial institutions using or storing BOI obtained from FinCEN
outside the United States; therefore, FinCEN is not estimating the
burden for financial institutions to reallocate resources or create
duplicative systems to separately store BOI obtained from FinCEN.
FinCEN also notes that financial institutions will have the ability to
submit multiple search requests simultaneously through an automated
process, lessening costs associated with manual searches by financial
institutions.
Customer Consent. Under the rule, financial institutions must
obtain and document the consent of a reporting company customer prior
to accessing BOI about that customer. Multiple commenters stated that
FinCEN's estimate for the burden of obtaining this customer consent was
too low and not reasonable; one comment called the estimate ``patently
absurd.'' Commenters noted that this process would involve multiple
steps, including identifying all applicable forms, drafting and
reviewing appropriate consent language, and updating or establishing
new processes and procedures. A commenter noted that updating online
forms, which is the format that many banks use for account opening
documents, requires technical development work and testing, among other
tasks. The commenter stated that small banks will require less than the
estimated 10 hours, but the majority of institutions will require
significantly more time to implement the requirement. Another commenter
stated that the NPRM estimate disregarded the time and attention
necessary to devote on an ongoing basis to meeting this requirement.
Another commenter noted that costs could also arise if a customer does
not give consent or revokes consent, because the financial institution
would be required to expend resources to monitor on an ongoing basis
which customers have consented. A commenter estimated it would take
10,000 hours of personnel time, and potentially 100,000 hours in the
largest institutions, to update account opening policies, procedures,
processes, and forms to include the customer consent requirement. A
commenter noted that large banks will be able to absorb these costs but
predicted small and mid-sized banks will turn to service providers.
FinCEN changed the burden estimate for obtaining customer consent
based on these comments. FinCEN increased the initial burden for
updating forms and procedures to account for this requirement and
considered the multiple steps this will require based on comments.
FinCEN also added an ongoing maintenance cost for this requirement to
account for the necessity to change or update procedures. FinCEN
assesses, however, that this ongoing maintenance cost is relatively
minimal. FinCEN is not estimating costs related to obtaining customer
consent more than once, but will assess if such a cost should be
considered in the future CDD Rule revision. FinCEN is not assessing a
cost related to a customer not providing or revoking consent. FinCEN
[[Page 88784]]
believes that the tracking of such information would be included in the
existing cost estimates related to customer consent. Additionally,
FinCEN expects that few customers will not provide consent given that
providing BOI and general consent for financial institutions to access
information from other sources are both routine requirements that
customers anticipate and accept.
Customer consent was the focus of one of the regulatory
alternatives analyzed in the NPRM. Under this alternative, FinCEN,
rather than financial institutions, would have obtained the required
consent from reporting companies before financial institutions could
access those companies' BOI.\215\ A commenter stated that the cost
savings to financial institutions would be much larger in practice than
FinCEN estimated in the NPRM's alternative analysis, and that FinCEN's
reason for rejecting this alternative--that financial institutions are
better positioned to obtain consent (and track consent revocation)
given their direct customer relationships and ability to leverage
existing onboarding and account maintenance processes--does not make
sense. FinCEN retains this alternative scenario but notes that the
related cost savings estimate has changed given the changes to the
financial institution burden estimates throughout the analysis.
---------------------------------------------------------------------------
\215\ See 87 FR 77427-77428.
---------------------------------------------------------------------------
FinCEN, however, rejects the commenter's claim that the NPRM's
reasoning was nonsensical. As explained in section III.E.ii.d above,
FinCEN remains convinced that financial institutions are better
situated than FinCEN to obtain and document a reporting company's
consent given financial institutions' direct customer relationships. By
contrast, FinCEN believes considerable delay could result if it were
itself to take on direct management of the consent process. For this
reason and as further explained in section III.E.ii.d above, FinCEN
declines to adopt the alternative of FinCEN collecting customer
consent.
Training. A few commenters stated that the estimated cost of
training financial institution employees who will access BOI under the
rule was underestimated. A commenter stated that the NPRM estimates did
not account for lost productivity to the financial institution while
employees are attending training sessions. However, FinCEN notes the
use of a wage rate for financial institution employees implicitly
accounts for lost productivity to the institution of employees working
on the rule's requirements rather than other items.
Commenters stated that in addition to those directly accessing
FinCEN's BOI database, all employees that interact with BOI through
account opening or customer interactions would also need to participate
in training. This training would most likely not be centralized and
would be spread over departments and branches in financial
institutions. A commenter stated that the increased cost due to
training contradicts Congress' intent for the CTA to minimize burden on
financial institutions. A commenter stated this burden could be
alleviated by keeping the registration and requirements simple. A
commenter also stated that training would be necessary to inform
financial institution employees on how to treat BOI obtained from
FinCEN separately from BOI obtained through other means.
FinCEN has concluded that these comments overstate the burden
imposed by the rule. The final rule (31 CFR 1010.955(d)(2)(ii))
requires financial institutions to develop and implement
administrative, technical, and physical safeguards reasonably designed
to protect BOI as a precondition for receiving BOI. But, as explained
in section III.E.ii.c, FinCEN is authorizing financial institutions to
satisfy this requirement by applying security and information handling
procedures under section 501 of Gramm-Leach-Bliley Act and applicable
regulations for nonpublic customer personal information to BOI. The
Federal functional regulators have implemented the requirements of the
Gramm-Leach-Bliley Act in different ways, but they all generally
reference providing related training.\216\ Thus, FinCEN does not expect
BOI training to be unduly burdensome because training to protect
nonpublic customer personal information is already part of a financial
institutions' Gramm-Leach-Bliley Act requirements.\217\ As explained in
section III.E.ii.c, FinCEN thus anticipates that financial institutions
will determine how best to train personnel who will have access to BOI
but who will not interact with the BO IT system.
---------------------------------------------------------------------------
\216\ See generally Interagency Guidelines, supra note 91, p.
95.
\217\ As discussed, the final rule does not require financial
institutions to separate BOI obtained from FinCEN and BOI obtained
from customers under their existing customer due diligence
processes. Thus, training on how to segregate BOI obtained from
different sources should not be necessary, and FinCEN accordingly
does not need to account for the costs of such training.
---------------------------------------------------------------------------
Nonetheless, financial institutions will need to provide some
training to ensure that relevant financial institution personnel access
BOI in a manner consistent with this rule. As part of estimating the
cost of this training, the NPRM included an estimate of the number of
employees that would access BOI at both small and large financial
institutions. Commenters stated that these estimates were too low and
depended on many assumptions, including an assumption that the
connection to the BO IT system is fast and easy for the user with
minimal manual intervention. Commenters proposed alternative estimates.
A commenter assumed that banks would have between 5 and 15 percent of
employees involved in customer due diligence processes (the percentage
varied depending on financial institution size), and used December 2021
FDIC bank data to estimate that 3,586 small banks will have between 1.5
to 10 people, and an average of 4 to 5 people, performing customer due
diligence, and 1,263 large banks will have between 5 and 5,000 people,
and an average of 26 to 27 people, performing customer due diligence.
Another comment from a bank industry representative stated that a
member estimated it has hired 50 full-time equivalent employees to
address the existing CDD Rule requirements, and additional employees
would be needed for the proposed rule. Similarly, another commenter
estimated that some large banks will need to hire up to 40 or 50
additional staff to manage the technical process associated with BOI. A
financial institution comment stated that they would like to have at
least 20 or 25 staff members (out of 40 full-time staff) available to
access this data, which would be a minimum of 3 staff per location.
FinCEN appreciates the estimates provided by commenters and has
incorporated changes to the analysis based on these comments. However,
FinCEN notes that the assumption that connection to the BO IT system is
fast and easy for the user is in line with FinCEN's expectations.
Financial institutions will also not need to access the BO IT system
manually if they access via API.
Requests for BOI and Related Certification Costs. Commenters raised
questions about the assumptions related to the NPRM's estimate of the
number of annual requests for BOI from financial institutions. The NPRM
included this estimate to calculate the cost burden of the proposed
rule's requirement that financial institutions certify that each
request for BOI meets certain requirements. A commenter stated that
FinCEN's reliance on
[[Page 88785]]
estimates of annual new entity accounts from the 2016 CDD Rule was
wrong because: (1) the CDD Rule requires the collection and
verification of BOI for every new customer and every existing customer
opening a new account; (2) the definition of legal entity customer
under the CDD Rule is broader than the definition of reporting company
under the CTA; and (3) the use of an average for a diverse set of
financial institutions may not be appropriate. Another commenter
questioned the assumption that financial institutions will seek to
access BOI every time a new legal entity customer that qualifies as a
reporting company opens a new account because another part of the NPRM
stated that the proposed rule would not impose an obligation to access
BOI. Another commenter claimed that most banks expect that the total
annual costs of certifying their compliance when making BOI requests
will be significantly higher than FinCEN's estimate, but did not
provide an alternative cost estimate.
FinCEN retains the methodology used in the NPRM, which results in
an estimated range of 5 million to 6 million annual requests for BOI
from financial institutions. FinCEN proposed the upper bound of 6
million based on the 2016 CDD Rule's regulatory analysis. The comments
identified several reasons why the actual number of requests may
differ, but FinCEN maintains it is appropriate to provide an upper
bound estimate based on the CDD Rule. FinCEN agrees with commenters
that this final rule does not impose an obligation to access BOI.
However, FinCEN uses this upper bound estimate to illustrate potential
costs to financial institutions if the financial institutions access
BOI at the rate estimated in the current CDD Rule. FinCEN also
acknowledges the point raised by another commenter regarding
differences between the CDD Rule and Reporting Rule. If the future CDD
Rule revision includes a different estimate for the number of annual
requests for BOI per year, FinCEN will note that change, and its effect
on financial institution costs, in that revision.
Other Financial Institution Costs. Commenters recommended that
audit and legal review costs to financial institutions be incorporated
into the RIA. There are no audit requirements for financial
institutions in the rule; however, FinCEN understands that in practice
financial institution audits will include reviewing the safeguards
implemented to protect accessed BOI. FinCEN clarifies in the analysis
that the administrative safeguards burden estimate includes audit and
legal review of such safeguards, and increases the burden estimate
accordingly. A commenter also stated that the costs to financial
institutions should be presented on a per account basis, and that the
amount per account would be a few hours of an operations specialist
work (at $50 per hour rate) to access BOI, corroborate it, address any
remediation of errors in the BOI, and supervise the process, totaling
$100-$200 per account opening in maintenance fees. FinCEN believes that
the per institution cost estimate methodology used in the NPRM is
appropriate and retains it here. The per account cost estimate would
not capture fixed costs of establishing new procedures, and other
requirements, that are necessary at the institutional level to comply
with the rule.
A commenter noted that complying with the rule's security and
confidentiality requirements for BOI access will require significant
time and resources for small businesses (presumably meaning small
financial institutions), and that this will put such small businesses
at a disadvantage compared to large companies with more resources.
FinCEN considers the cost of the rule to small financial institutions
in the Regulatory Flexibility Act section of the analysis, below. A
commenter requested that FinCEN publish Small Entity Compliance Guides
and FAQs to assist such entities with compliance. FinCEN anticipates
issuing a Small Entity Compliance Guide pursuant to section 212 of
Small Business Regulatory Enforcement Fairness Act (SBREFA) to assist
small entities in complying with the BOI access requirements.
b. Comments Related to Government and Reporting Company Costs
A handful of commenters raised other cost issues outside of those
that pertained specifically to financial institutions. Regarding other
estimates in the NPRM's RIA, one commenter stated that the cost
estimate for State, local, and Tribal law enforcement agencies failed
to include the number of hours such agencies would spend on the
proposed written justification requirement. FinCEN did consider this
burden in the NPRM and estimated that submitting a request to FinCEN
for BOI would take one employee approximately 15 minutes, or 0.25
hours, per request. For State, local, and Tribal agencies, FinCEN
estimated an additional 20 to 30 hours of burden per request to obtain
a court authorization in the NPRM. Therefore, State, local, and Tribal
requests were estimated to have 20.25 to 30.25 hours of burden per
request because of the court authorization and written certification
requirements.\218\ FinCEN changed this estimate in the analysis given
changes to the final rule's requirements.\219\
---------------------------------------------------------------------------
\218\ FinCEN clarifies that this requirement is a certification
and not a justification.
\219\ 31 CFR 1010.955(d)(1)(ii)(B)(2).
---------------------------------------------------------------------------
A commenter stated that the NPRM RIA did not address significant
burdens on reporting companies that would have to provide BOI to both
financial institutions and FinCEN. The commenter stated that such a
burden would be duplicative and unnecessary. FinCEN expects that
consideration of such burden will be included in the future CDD Rule
revision, which will discuss the current requirements that financial
institutions identify and verify the beneficial ownership information
of their legal entity customers. Finally, a commenter agreed with the
estimates of FinCEN's costs in the NPRM, noting the estimates appeared
reasonable.
c. Comments Related to Benefits
A few commenters stated that access to BOI would not have a benefit
for financial institutions. These commenters stated that the
requirements would impose additional compliance costs without enhancing
customer due diligence processes and could result in duplicative
processes. A commenter stated this would result in an inefficient
allocation of resources across AML compliance programs. Another
commenter stated that resources would be reallocated away from risk-
based activities that more effectively mitigate illicit finance risks.
As in the NPRM, FinCEN is not attempting to estimate the benefits
of this rule to financial institutions. To do so, FinCEN would need to
know how access to BOI under the rule will impact financial
institutions' customer due diligence obligations, which FinCEN will not
be able to assess until its revises the 2016 CDD Rule. Thus, FinCEN
will instead assess the value that BOI access has to financial
institutions in the regulatory analysis of FinCEN's upcoming revisions
to the 2016 CDD Rule.\220\ As explained in section II.B, mandatory
revisions to the 2016 CDD Rule include: (1) bringing the rule into
conformity with the AML Act as a whole, including the CTA; (2)
accounting for financial institutions' access to BOI reported to FinCEN
``in order to confirm the beneficial ownership information provided
directly to'' financial institutions for AML/CFT and customer due
diligence purposes; and (3) reducing unnecessary
[[Page 88786]]
or duplicative burdens on financial institutions and legal entity
customers.\221\
---------------------------------------------------------------------------
\220\ CTA, Section 6403(d)(1).
\221\ CTA, Section 6403(d)(1)(A)-(C).
---------------------------------------------------------------------------
d. Comments on Other Topics
A commenter recommended that FinCEN require secretaries of state
and similar offices to incorporate collection of BOI into their
registration processes, and then submit this information to FinCEN. The
commenter noted that while this option was explored and rejected in the
Reporting Rule, it could possibly be implemented in the long term and
would minimize burden. As noted in the Reporting Rule, FinCEN rejected
this alternative in part due to concerns raised by comments from
several State authorities.\222\ FinCEN will continue to explore other
avenues to coordinate with secretaries of state and similar offices on
beneficial ownership matters and to minimize burden.
---------------------------------------------------------------------------
\222\ 87 FR 59559 (Sept. 30, 2022).
---------------------------------------------------------------------------
ii. Final Regulatory Impact Analysis
a. Overview of the RIA
The RIA begins with a summary of the rationale for the final rule,
three regulatory alternatives to the final rule, and findings from the
cost and benefit analysis (sections (b)-(d)). Section (e) describes the
type and number of entities expected to be affected by the rule.
Section (f) provides a detailed cost analysis (including discussions of
each requirement's quantifiable costs) that considers costs to domestic
agencies (including SROs), foreign requesters, financial institutions,
and FinCEN. Section (g) is a detailed discussion of benefits. Section
(h) summarizes the overall impact of the quantifiable portions of the
rule.
Changes to the analysis or assumptions are clearly specified, as
well as references to comments that are incorporated into the RIA. In
the course of this discussion, FinCEN describes its estimates, along
with any non-quantifiable costs and benefits.\223\ In response to
comments, FinCEN has made the following changes to its estimates:
increased the number of SROs that may access BOI; increased the hourly
burden for financial institutions to establish administrative and
physical safeguards by 200 percent; increased the hourly burden for
financial institutions to obtain and document customer consent by 400-
600 percent in year 1 \224\ and an additional 10 to 20 hours in
subsequent years; \225\ and increased the expected number of financial
institution employees requiring training to 4 to 5 for small financial
institutions and 25 to 30 for large financial institutions. FinCEN also
decreased the hourly burden estimate for written certification of
requests by State, local, and Tribal law enforcement agencies, and
described additional requirements for financial institutions,
consistent with changes made to this requirement in the final rule.
FinCEN also made changes to update data, underlying sources, and
estimates with more recent information, if available.
---------------------------------------------------------------------------
\223\ Throughout the analysis, FinCEN rounds estimates for
entity counts to the nearest whole number, and any wage and growth
estimates to the nearest 1 or 2 decimal places. Calculations may not
be precise due to rounding, but FinCEN expects this rounding method
produces no meaningful difference in the magnitude of FinCEN's
estimates or conclusions.
\224\ As discussed in section V above, Year 1 in this analysis
is the first year in which all potentially affected parties access a
database that includes BOI reports from reporting companies that are
in existence as of the Reporting Rule's effective date.
\225\ Subsequent years (sometimes referred to as ``Years 2+'')
in this analysis are the years after the first year in which all
potentially affected parties access a database that includes BOI
reports from reporting companies that are in existence as of the
Reporting Rule's effective date.
---------------------------------------------------------------------------
b. Rationale for the Final Rule
This rule is necessary to comply with and implement the CTA. As
described in section I, this rule is consistent with the CTA's
statutory mandate that FinCEN issue regulations regarding access to
beneficial ownership information. Specifically, the final rule
implements the provisions in the CTA, codified at 31 U.S.C. 5336(c),
that authorize FinCEN to disclose identifying information associated
with reporting companies, their beneficial owners, and their company
applicants (together, BOI) to certain recipients.
c. Discussion of Regulatory Alternatives to the Final Rule
The rule is statutorily mandated, and therefore FinCEN has limited
ability to implement alternatives. However, FinCEN considered certain
significant alternatives in the NPRM that were available under the
statute. FinCEN replicated some of those alternatives here, with
adjustments for clarity and for incorporated changes to the RIA, and
added another alternative. The sources and analysis underlying the
burden and cost estimates cited in these alternatives are explained in
the RIA.
1. Change Customer Consent Requirement
FinCEN considered altering the customer consent requirement for
financial institutions. Under the final rule, financial institutions
are required to obtain and document customer consent once for a given
customer. FinCEN considered an alternative approach in which FinCEN
would directly obtain the reporting company's consent. Under this
scenario, financial institutions would not need to spend time and
resources on drafting or modifying customer consent forms, ensuring
legal compliance, and testing the forms.\226\ Using an hourly wage
estimate of $106 per hour for financial institutions, FinCEN estimates
this would result in a savings per financial institution of
approximately $5,300 to $7,420 in year 1 and $1,060 to $2,120 in
subsequent years. FinCEN estimates an aggregate savings of $83.3 to
$116.6 million in year 1 and $16.7 to $33.3 million in subsequent
years. To estimate the potential range of aggregate savings under this
scenario, FinCEN multiplies the respective estimates of yearly savings
by the number of financial institutions (e.g., $7,420 per institution x
15,716 financial institutions = $116,612,720, to estimate the upper
bound). The cost savings for small financial institutions under this
scenario would be approximately $72.6 million ($5,300 per institution x
13,699 small financial institutions = $72,604,700), assuming the lower
bound of the estimated time burden applies. Though this alternative
results in a savings to financial institutions, including small
entities, FinCEN believes that financial institutions are better
positioned to obtain consent--and to track consent revocation--given
their direct customer relationships and ability to leverage existing
onboarding and account maintenance processes, as also discussed in
sections III.E.ii.d and V.A.i.a above. Therefore, FinCEN decided not to
adopt this alternative.
---------------------------------------------------------------------------
\226\ FinCEN expects this process to require approximately 50 to
70 hours in year 1 and 10 to 20 hours in subsequent years for
ongoing forms maintenance.
---------------------------------------------------------------------------
2. Impose Court Authorization Requirement on Federal Agencies
Another alternative extends the requirement that State, local, and
Tribal law enforcement agencies provide a court authorization with each
BOI request to 201 Federal agencies. FinCEN estimates that requests
submitted by State, local, and Tribal law enforcement agencies have an
additional 8 to 10 hours of burden owing to an additional requirement
that a court of competent jurisdiction, including any officer of such a
court, authorizes the agency to seek the information in a criminal or
civil investigation. Therefore, FinCEN applies this additional 8 to 10
hours of burden per BOI request to the estimated BOI requests submitted
by Federal
[[Page 88787]]
agencies and by State regulators. Using FinCEN's internal BSA request
data as a proxy, FinCEN anticipates that Federal agencies could submit
as many as approximately 2 million total BOI requests annually.\227\
Using an hourly wage estimate of $110 per hour for Federal employees,
this requirement would result in additional aggregate annual costs in
the first year between approximately $1.76 and $2.2 billion ((2 million
Federal requests x 8 hours x $110 per hour = $1.76 billion) and (2
million Federal requests x 10 hours x $110 per hour = $2.2 billion))
and between $1.32 billion and $1.76 billion in subsequent years ((2
million Federal requests x 6 hours x $110 per hour = $1.32 billion) and
(2 million Federal requests x 8 hours x $110 per hour = $1.76
billion)). This alternative could minimize the potential for broad or
non-specific searches by any agency not currently subject to the
requirement because of the higher initial barrier to accessing the
data. However, FinCEN believes that imposing this requirement on
authorized recipients for whom such a requirement is not statutorily
mandated could lead to unnecessary delays for Federal agencies in
obtaining BOI and impose unjustified burdens. For these reasons, FinCEN
decided not to adopt this alternative.
---------------------------------------------------------------------------
\227\ While FinCEN's estimates do not incorporate an estimated
growth rate in the number of requests throughout the 10-year time
horizon of this analysis, it is nevertheless possible that the
number of BOI requests could increase significantly in the years
following initial implementation of the BOI reporting requirements
as awareness of the ability to access and the utility of BOI
increases.
---------------------------------------------------------------------------
3. Require Court Order for State, Local, and Tribal Law Enforcement
Requests
This alternative would require State, local, and Tribal law
enforcement agencies to provide a copy of a court order for each BOI
request, which was required in the proposed rule. In the NPRM RIA,
FinCEN estimated that State, local, and Tribal law enforcement agencies
would have a per request hourly burden between 20 to 30 hours to obtain
a court order for each BOI request. Considering comments received,
FinCEN changed this requirement in the final rule. The final rule
requires that State, local, and Tribal law enforcement agencies obtain
authorization from a court of competent jurisdiction to request BOI.
FinCEN estimates that State, local, and Tribal law enforcement agencies
will have a per request hourly burden of 8 to 10 hours in year 1 and 6
to 8 hours in subsequent years to obtain a court authorization. Thus,
in rejecting the alternative proposed in the NPRM, FinCEN estimates a
reduction in hourly burden per request between 12 to 20 hours in year 1
and 14 to 22 hours in subsequent years. Using FinCEN's internal BSA
request data as a proxy, FinCEN anticipates that State, local, and
Tribal law enforcement agencies will submit between 1 and 23,000 BOI
requests per agency and, in total, as many as approximately 200,000 BOI
requests annually. Using an hourly wage estimate of $80 per hour for
State, local, and Tribal agency employees, FinCEN estimates adopting
this alternative would result in a range of additional costs per State,
local, and Tribal law enforcement agency of approximately $960 to $36.8
million in year 1 ((1 request x 12 hours x $80 per hour = $960) and
(23,000 x 20 hours x $80 per hour = $36.8 million)) and $1,120 to
$40.48 million in subsequent years ((1 request x 14 hours x $80 per
hour = $1,120) and (23,000 x 22 hours x $80 per hour = $40.48
million)). In total, adopting this alternative would have resulted in
additional aggregate annual costs in the first year between
approximately $192 and $320 million ((200,000 requests x 12 hours x $80
per hour = $192 million) and (200,000 x 20 hours x $80 per hour = $320
million)) and between $224 million and $352 million in subsequent years
((200,000 requests x 14 hours x $80 per hour = $224 million) and
(200,000 x 22 hours x $80 per hour = $352 million)). Given the concerns
raised by commenters and the reasons outlined in section III.C.ii,
FinCEN decided not to adopt this alternative, which results in a burden
reduction to State, local, and Tribal law enforcement agencies.
d. Summary of Findings
1. Costs
The cost analysis estimates costs to domestic agencies (including
SROs), foreign requesters, financial institutions, and FinCEN. Each of
the affected entities will have costs associated with the rule if it
elects to access FinCEN BOI. The costs vary based on the access
procedures for the authorized recipients. The rule requires different
access procedures for domestic agencies, foreign requesters, and
financial institutions. Whether the costs of these requirements are
one-time, ongoing, or recurring, and whether the costs accrue on a per
recipient or per request basis varies from requirement to requirement.
Additionally, some requirements are administrative and involve the
creation of documents, while others involve IT.
The estimated average per agency cost in year 1 is between $2,888
and $10.1 million per Federal agency, between $2,100 and $.5 million
per State and local regulator, between $2,740 and $18.9 million per
State, local, and Tribal law enforcement agency, and between $2,783 to
$662,500 per SRO. The estimated average per agency cost each year after
the first year is between $1,238 and $10 million per Federal agency,
between $900 and $.5 million per State and local regulator, between
$1,380 and $15.2 million per State, local, and Tribal law enforcement
agency, and between $1,193 to $662,500 per SRO. The total estimated
aggregate cost to domestic agencies in year 1 is between $190.1 million
and $260.4 million, and then between $157.5 million and $197.4 million
each year thereafter.
FinCEN is unable to estimate aggregate costs on foreign requesters
given the lack of data on the number of foreign requesters that may
access BOI, but FinCEN provides partial cost estimates of the
requirements on a foreign requester. FinCEN's estimates annual cost to
foreign requesters as between approximately $16,600 and $74,700. FinCEN
also assumes that Federal agencies that submit BOI requests on behalf
of foreign requesters to FinCEN will incur additional costs; FinCEN
itself expects to incur costs from the submission of such requests.
Therefore, FinCEN estimates that BOI requests on behalf of foreign
requesters result in a cost per request of approximately $220 to
Federal agencies, and a total annual cost to Federal agencies between
approximately $44,000 and $198,000.
The estimated average cost per financial institution in year 1 is
between approximately $27,161 and $43,668 and between approximately
$10,201 and $12,928 each year thereafter. The estimated aggregate cost
for financial institutions is between approximately $426.9 and $686.3
million in the first year, and then between approximately $160.4 and
$203.2 million each year thereafter.
In addition to the costs of accessing BOI data as a domestic
agency, FinCEN will incur costs from managing the access of other
authorized recipients. FinCEN's estimated annual cost for such
activities is $13 million.
2. Benefits
The rule will result in benefits for authorized recipients,
including through improving the effectiveness and efficiency of U.S.
national security, intelligence, and law enforcement activity by
providing access to BOI. FinCEN has quantitatively estimated a portion
of such benefits in this analysis.
[[Page 88788]]
The rule will also have non-quantifiable benefits to authorized
recipients of BOI and to society more widely. FinCEN estimates
quantifiable benefits attributable to enhanced BOI search efficiency
between $33,000 and $2.2 million per Federal agency and similar
benefits between $24,000 and $1.6 million per State, local, and Tribal
agency. In aggregate, FinCEN estimates quantifiable benefits between
$10.6 million and $708.2 million.
e. Affected Entities
In order to analyze cost and benefits, the number of entities
affected by the rule must first be estimated. Authorized recipients of
BOI are affected by this rulemaking if they elect to access BOI because
they are required to meet certain criteria to receive that BOI. The
criteria vary depending on the type of authorized recipient.
Federal agencies engaged in national security, intelligence, and
law enforcement activity will have access to BOI in furtherance of such
activities if they establish the appropriate protocols prescribed for
them in the rule. Additionally, Treasury officers and employees who
require access to BOI to perform their official duties or for tax
administration will have access. The number of agencies that could
qualify under these categories is large and difficult to quantify.
FinCEN uses the number of Federal agencies that are active entities
\228\ with BSA data access \229\ as a proxy for the number of Federal
agencies that may access BOI. FinCEN believes this proxy is apt. While
the criteria for access to BSA data are somewhat different outside of
the CTA context, Federal agencies that have access to BSA data will
generally also meet the criteria for access to BOI under the CTA.
FinCEN believes that Federal agencies that have access to BSA data will
most likely want access to BOI as well and will generally be able to
access it under the parameters specified by the rule. FinCEN includes
offices within the U.S. Department of the Treasury, such as FinCEN
itself,\230\ in this proxy count. As of June 2023, 201 Federal agencies
and agency subcomponents are active entities with BSA data access.
---------------------------------------------------------------------------
\228\ For purposes of this analysis, an agency has active access
to BSA data if the official duties of any agency employee or
contractor includes authorized access to the FinCEN Query system, a
web-based application that provides access to BSA reports maintained
by FinCEN.
\229\ [thinsp]For purposes of this analysis, BSA data consists
of all of the reports submitted to FinCEN by financial institutions
and individuals pursuant to obligations that currently arise under
the BSA, 31 U.S.C. 5311 et seq., and its implementing regulations.
These include reports of cash transactions over $10,000, reports of
suspicious transactions by persons obtaining services from financial
institutions, reports of the transportation of currency and other
monetary instruments in amounts over $10,000 into or out of the
United States, and reports of U.S. persons' foreign financial
accounts. In fiscal year 2019, more than 20 million BSA reports were
filed. See Financial Crimes Enforcement Network, ``What is the BSA
data?,'' available at https://www.fincen.gov/what-bsa-data.
\230\ In addition to incurring costs as an authorized recipient
of BOI, FinCEN expects to incur costs from administering data to
other authorized recipients.
---------------------------------------------------------------------------
State, local, and Tribal law enforcement agencies will have access
to BOI for use in criminal and civil investigations if they follow the
process prescribed for them in the rule. FinCEN uses the number of
State and local law enforcement agencies that are active entities with
BSA data access as a proxy for the number of State, local, and Tribal
law enforcement agencies that may access BOI, for the reasons discussed
in the Federal agency context. As of June 2023, 158 State and local law
enforcement agencies and agency subcomponents are active entities with
access to BSA data.\231\ The process that the rule sets forth involves
these agencies obtaining a court authorization for each BOI request.
Courts of competent jurisdiction that issue such authorizations may
therefore also be affected by the rule; FinCEN has not estimated the
burden that may be imposed on such entities because of a lack of
relevant data and because such burden will depend on choices made by
courts in authorizing BOI requests that they receive from agencies.
---------------------------------------------------------------------------
\231\ No Tribal law enforcement agencies currently have access
to BSA data through the FinCEN Query system.
---------------------------------------------------------------------------
Foreign government entities, such as law enforcement, prosecutors,
judges or other competent or central authorities, will be able to
access BOI after submitting a request as described in the rule. FinCEN
does not estimate the number of different foreign requesters that may
request BOI, but instead estimates a range of the total number of
annual requests for BOI that FinCEN may receive from all foreign
requesters. The rule requires that foreign requests be made through an
intermediary Federal agency. Therefore, Federal agencies will also be
affected by foreign requests.
The six Federal functional regulators that supervise financial
institutions with customer due diligence obligations--the FRB, the OCC,
the FDIC, the NCUA, the SEC, and the CFTC--may access BOI for purposes
of supervising a FI's compliance with those obligations. Additionally,
other appropriate regulatory agencies may access BOI under the rule.
FinCEN uses the number of regulators that both supervise entities with
requirements under FinCEN's CDD Rule and are active entities with
access to BSA data as a proxy for the number of regulatory agencies
that may access BOI. As of June 2023, 63 regulatory agencies satisfy
both criteria.\232\ FinCEN adds three SROs to this count, \233\ which
totals to 66 regulatory agencies. Although SROs are not government
agencies and they will not have direct access to the BO IT system under
the rule, they may receive BOI through re-disclosure and will be
subject to the same security and confidentiality requirements as other
regulatory agencies under the rule.
---------------------------------------------------------------------------
\232\ This includes the six Federal functional regulators. The
remaining 57 entities are State regulators that supervise banks,
securities dealers, and other entities that currently have customer
due diligence obligations under FinCEN regulations. FinCEN did not
include State regulatory agencies that have active access to BSA
data but do not regulate entities with FinCEN customer due diligence
obligations, such as State gaming authorities or State tax
authorities.
\233\ FinCEN included two SROs in the NPRM but added an
additional SRO based on a comment.
---------------------------------------------------------------------------
As discussed further in section III.C.iv.a, FinCEN intends to
provide access to BOI as an initial matter only to financial
institutions that are ``covered financial institutions'' as defined in
31 CFR 1010.230. Assuming that all such financial institutions will
access BOI, FinCEN estimates the number of affected financial
institutions in Table 1.\234\
---------------------------------------------------------------------------
\234\ To reiterate a point made on this subject in section
III.C.iv.b.1 above, this rule does not create an obligation for
financial institutions to access BOI. However, for FinCEN's own
regulatory compliance purposes, it is necessary to make assumptions
about the number of financial institutions that will choose to do
so, and FinCEN wishes to avoid inadvertently underestimating that
number.
---------------------------------------------------------------------------
BILLING CODE 4810-02-P
[[Page 88789]]
[GRAPHIC] [TIFF OMITTED] TR22DE23.000
BILLING CODE 4810-02-C
Totaling these estimates results in 15,716 financial institutions
that may access BOI pursuant to the rule. Of these financial
institutions, 13,699 are small entities. To identify whether a
financial institution is small, FinCEN uses the Small Business
Administration's (SBA) latest annual size standards for small entities
in a given industry.\235\ FinCEN also uses the U.S. Census Bureau's
publicly available 2017 Statistics of U.S. Businesses survey data
(Census survey data).\236\ FinCEN applies SBA size standards to the
corresponding industry's receipts in the 2017 Census survey data and
determines what proportion of a given industry is deemed small, on
average. FinCEN considers a financial institution to be small if it has
total annual receipts less than the annual SBA small entity size
standard for the FI's industry. FinCEN applies these estimated
proportions to FinCEN's current financial institution counts for
brokers or dealers in securities, mutual funds, and futures commission
merchants and introducing brokers in commodities to determine the
proportion of current small financial institutions in those industries.
FinCEN does not apply population proportions to banks or credit unions.
Because data accessed through FFIEC and NCUA Call Report data provides
information about asset size for banks, trusts, savings and loans,
credit unions, etc., FinCEN is able to directly determine how many
banks and credit unions are small by SBA size standards. \237\ Because
the Call Report data does not include institutions that
[[Page 88790]]
are not insured, are insured under non-FDIC deposit insurance regimes,
or that do not have a Federal financial regulator, FinCEN assumes that
all such entities listed in the FDIC's Research Information System data
are small, unless they are controlled by a holding company that does
not meet the SBA's definition of a small entity, and includes them in
the count of small banks. Using this methodology and data from the
FFIEC and the NCUA, approximately 13,699 small financial institutions
could be affected by the proposed rule, as summarized in Table 1.
---------------------------------------------------------------------------
\235\ The SBA currently defines small entity size standards for
affected financial institutions as follows: less than $850 million
in total assets for commercial banks, savings institutions, and
credit unions; less than $47 million in annual receipts for trust
companies; less than $47 million in annual receipts for broker-
dealers; less than $47 million in annual receipts for portfolio
management; less than $40 million in annual receipts for open-end
investment funds; and less than $47 million in annual receipts for
futures commission merchants and introducing brokers in commodities.
See U.S. Small Business Administration's Table of Size Standards,
available athttps://www.sba.gov/sites/sbagov/files/2023-03/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%281%29%20%281%29_0.pdf.
\236\ See U.S. Census Bureau, U.S. & states, NAICS, detailed
employment sizes (U.S., 6-digit and states, NAICS sectors) (2017),
available at https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html. The Census survey documents the number of firms
and establishments, employment numbers, and annual payroll by State,
industry, and enterprise every year. Receipts data, which FinCEN
uses as a proxy for revenues, is available only once every five
years, with 2017 being the most recent survey year with receipt
data.
\237\ Consistent with the SBA's General Principles of
Affiliation, 13 CFR 121.103(a), FinCEN aggregates the assets of
affiliated financial institutions using FFIEC financial data
reported by bank holding companies on forms Y-9C, Y-9LP, and Y-9SP
(available at https://www.ffiec.gov/npw/FinancialReport/FinancialDataDownload) and ownership data (available at https://www.ffiec.gov/npw/FinancialReport/DataDownload) when determining if
an institution should be classified as small. FinCEN uses four
quarters of data reported by holding companies, banks, and credit
unions because a ``financial institution's assets are determined by
averaging the assets reported on its four quarterly financial
statements for the preceding year.'' See U.S. Small Business
Administration's Table of Size Standards, p. 38 n.8, available at
https://www.sba.gov/sites/sbagov/files/2023-03/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%281%29%20%281%29_0.pdf. FinCEN recognizes that using SBA size standards
to identify small credit unions differs from the size standards
applied by the NCUA. However, for consistency in this analysis,
FinCEN applies the SBA-defined size standards.
---------------------------------------------------------------------------
Table 2 summarizes the counts of entities by category that will
have access to BOI data.
[GRAPHIC] [TIFF OMITTED] TR22DE23.001
As shown in Table 2, FinCEN anticipates that as many as 16,141
different domestic agencies and financial institutions could elect to
access BOI. Of these, FinCEN believes the only entity category that
will have small entities affected is financial institutions.\238\
---------------------------------------------------------------------------
\238\ FinCEN provides more detail about this conclusion in the
Regulatory Flexibility Act analysis.
---------------------------------------------------------------------------
f. Detailed Discussion of Costs
The rule imposes requirements on domestic agencies, foreign
requesters, and financial institutions. To estimate costs, FinCEN
assigns an hourly burden to each requirement and uses an estimated wage
rate to determine the per entity cost of that requirement. Where
appropriate, FinCEN varies the hourly burden and wage according to the
entity type and the size of the entity. To estimate total costs, FinCEN
multiplies the per entity costs by the number of entities.
In this analysis, FinCEN uses an estimated compensation rate of
approximately $110 per hour for Federal agencies and foreign
requesters, approximately $80 per hour for State, local, and Tribal
agencies, and approximately $106 per hour for financial institutions.
This is based on occupational wage data from the U.S. Bureau of Labor
Statistics (BLS).\239\ The most recent occupational wage data from the
BLS corresponds to May 2022, released in May 2023. To obtain these
three wage rates, FinCEN calculated the average reported hourly wages
of six specific occupation codes assessed to be likely authorized
recipients at Federal agencies, State, local, and Tribal agencies, and
financial institutions.\240\ Included financial industries were
identified at the most granular North American Industry Classification
System (NAICS) code available and are the types of financial
institutions that are subject to regulation under the BSA, even if
these financial institutions are not entities that are affected by the
rule, including: banks; casinos; money service businesses; brokers or
dealers in securities; mutual funds; insurance companies; futures
commission merchants and introducing brokers in commodities; dealers in
precious metals, precious stones, or jewels; operators of credit card
systems; and loan or finance companies. This results in a Federal
agency hourly wage estimate of $68.34; a State, local, and Tribal
agency hourly wage estimate of $49.61; \241\ and a financial
institution hourly wage estimate of $74.86. Multiplying these hourly
wage estimates by their corresponding benefits factor (1.61 \242\ for
government agencies and 1.42 \243\ for private industry) produces fully
loaded hourly compensation amounts of approximately $110 for
[[Page 88791]]
Federal agencies, $80 for State, local, and Tribal agencies, and $106
per hour for financial institutions. These wage estimates are
summarized in Table 3:
---------------------------------------------------------------------------
\239\ See U.S. Bureau of Labor Statistics, National Occupational
Employment and Wage Estimates (May 2022), available at https://www.bls.gov/oes/current/oessrci.htm.
\240\ To estimate government hourly wages, FinCEN modifies the
burden analysis in FinCEN's publication ``Renewal without Change of
Anti-Money Laundering Programs for Certain Financial Institutions.''
See 85 FR 49418 (Aug. 13, 2020). Specifically, FinCEN uses hourly
wage data from the following six occupations to estimate an average
hourly government employee wage: chief executives (i.e., agency
heads), first-line supervisors of law enforcement workers, law
enforcement workers, financial examiners, lawyers and judicial
clerks, and computer and information systems managers. FinCEN uses
hourly wage data for the following occupations to estimate an
average hourly financial institution employee wage: chief
executives, financial managers, compliance officers, and financial
clerks. FinCEN also includes the hourly wages for lawyers and
judicial clerks, as well as for computer and information systems
managers.
\241\ To estimate a single hourly wage estimate for State,
local, and Tribal agencies, FinCEN calculated an average of the May
2022 mean hourly wage estimates for State government agencies and
for local government agencies (($47.55 + $51.66)/2 = $49.61), as
wages are available for both of these types of government workers in
the BLS occupational wage data. BLS data does not include an
estimate for Tribal government worker and thus FinCEN does not
include a Tribal government worker wage estimate in this average.
\242\ The ratio between benefits and wages for State and local
government workers is $21.91 (hourly benefits)/$35.69 (hourly wages)
= 0.61, as of March 2023. The benefit factor is 1 plus the benefit/
wages ratio, or 1.61. See U.S. Bureau of Labor Statistics, Employer
Costs for Employee Compensation Historical Listing, available at
https://www.bls.gov/web/ecec/ececqrtn.pdf. The State and local
government workers series data for March 2023 is available at
https://www.bls.gov/web/ecec/ecec-government-dataset.xlsx. FinCEN
applies the same benefits factor to Federal workers.
\243\ The ratio between benefits and wages for private industry
workers is $11.86 (hourly benefits)/$28.37 (hourly wages) = 0.42, as
of March 2023. The benefit factor is 1 plus the benefit/wages ratio,
or 1.42. See U.S. Bureau of Labor Statistics, Employer Costs for
Employee Compensation: Private industry dataset (Mar. 2023),
available at https://www.bls.gov/web/ecec/ecec-private-dataset.xlsx.
[GRAPHIC] [TIFF OMITTED] TR22DE23.002
Each of the affected entities will have costs associated with the
rule if it elects to access FinCEN BOI. The costs vary based on the
access procedures for the authorized recipients. The costs also vary by
institution size and investigation caseload, but for simplicity, FinCEN
estimates an average impact by category of authorized recipient
throughout the analysis. The rule requires different access procedures
for domestic agencies, foreign requesters, and financial institutions.
FinCEN will also incur costs for administering access to authorized
recipients.
1. Domestic Agencies
Domestic agencies must meet multiple requirements to receive BOI.
Whether the costs of these requirements are one-time, ongoing, or
recurring, and whether the costs accrue on a per-recipient or per
request basis varies from requirement to requirement. Additionally,
some requirements are administrative and involve the creation of
documents, while others involve IT. To estimate the costs for meeting
these requirements, FinCEN consulted with multiple Federal agencies and
utilized statistics regarding active entities with BSA data access.
Requirements are summarized in Table 4, which is followed by more
detailed analysis and cost estimates. Table 4 does not specifically
reflect the requirement that domestic agencies shall limit, to the
greatest extent practicable, the scope of BOI it seeks. However, FinCEN
does not anticipate this limitation to impose meaningful costs, and
thus there is no associated cost estimated for this requirement.
[[Page 88792]]
[GRAPHIC] [TIFF OMITTED] TR22DE23.003
Enter Into an Agreement with FinCEN and Establish Standards and
Procedures. For requirement #1, FinCEN assumes that domestic agencies
will incur costs during the first year. In alignment with the feedback
FinCEN received during outreach efforts, which is detailed in the NPRM,
FinCEN assumes it will take a domestic agency, on average, between 15
and 300 business hours to complete this one-time task. Using an hourly
wage estimate of $110 per hour for Federal agencies results in a one-
time cost between approximately $1,650 and $33,000 per Federal agency
((15 hours x $110 per hour = $1,650) and (300 hours x $110 per hour =
$33,000)). Using an hourly wage estimate of $80 per hour for State,
local, and Tribal agencies results in a one-time cost between
approximately $1,200 and $24,000 per State, local, and Tribal agency
((15 hours x $80 per hour = $1,200) and (300 hours x $80 per hour =
$24,000)). To estimate aggregate costs, FinCEN multiplies these ranges
by 207 total Federal agencies \244\ and 215 State, local, and Tribal
agencies,\245\ resulting in a total one-time cost between approximately
$0.6 and $12 million ((207 Federal agencies x $1,650 per Federal agency
+ 215 State, local, and Tribal agencies x $1,200 per State, local, and
Tribal agency = $599,550) and (207 Federal agencies x $33,000 per
Federal agency + 215 State, local, and Tribal agencies x $24,000 per
State, local, and Tribal agency = $11,991,000)).
---------------------------------------------------------------------------
\244\ This is 201 Federal law enforcement, national security,
and intelligence agencies and agency subcomponents and six Federal
regulators.
\245\ This is 158 State and local law enforcement agencies and
57 State regulators that supervise entities with customer due
diligence requirements.
---------------------------------------------------------------------------
Establish and Maintain a Secure System to Store BOI. The cost of
requirement #2 will vary depending on the existing IT infrastructure of
the domestic agency. Some agencies will be able to build upon existing
systems that generally meet the security and confidentiality
requirements. Other agencies will need to create new systems.
Consistent with feedback from agencies that is detailed in the NPRM,
FinCEN expects that certain agencies (in particular, Federal agencies)
will bear de minimis IT costs because Federal agencies already have
secure systems and networks in place as well as sufficient storage
capacity in accordance with Federal Information Security Management Act
(FISMA) standards.\246\ Therefore, FinCEN assumes a range of burden for
requirement #2 in year 1 of de minimis to 300 hours, and an ongoing
burden of de minimis to 4 hours.
---------------------------------------------------------------------------
\246\ Under FISMA, Federal agencies need to provide information
security protections commensurate with the risk and magnitude of the
harm resulting from unauthorized access, use, disclosure,
disruption, modification, or destruction of information collected or
maintained by an agency. Federal agencies also need to comply with
the information security standards and guidelines developed by NIST.
44 U.S.C. 3553.
---------------------------------------------------------------------------
Using an hourly wage estimate of $110 per hour for Federal agencies
results in an initial cost between approximately de minimis costs and
$33,000 (300 hours x $110 per hour = $33,000), and $440 annually
thereafter (4 hours x $110 per hour = $440) per Federal agency. Using
an hourly wage estimate of $80 per hour for State, local, and Tribal
agencies results in an initial cost between approximately de minimis
costs and $24,000 (300 hours x $80 per hour = $24,000), and $320
annually thereafter (4 hours x $80 per hour = $320) per State, local,
and Tribal agency. To estimate aggregate costs, FinCEN multiplies these
ranges by 207 total Federal agencies, and 215 State, local, and Tribal
agencies, resulting in a total year 1 cost between approximately
[[Page 88793]]
de minimis and $12.0 million (207 Federal agencies x $33,000 per
Federal agency + 215 State, local, and Tribal agencies x $24,000 per
State, local, and Tribal agency = $11,991,000). The ongoing annual cost
will be between approximately de minimis and $.2 million (207 Federal
agencies x $440 per Federal agency + 215 State, local, and Tribal
agencies x $320 per State, local, and Tribal agency = $159,880).
Establish and Maintain an Auditable System of Standardized Records
for Requests. As with requirement #2, the ongoing IT costs from
requirement #3 will vary depending on the existing IT infrastructure of
the domestic agency. FinCEN again expects that certain agencies (in
particular, Federal agencies) will bear de minimis IT costs because
Federal agencies already have secure systems and networks in place as
well as sufficient storage capacity in accordance with FISMA standards.
Based on this expectation and agency feedback explained in the NPRM,
FinCEN assumes a range of burden for requirement #3 in year 1 of de
minimis to 200 hours, and an ongoing burden of de minimis to 20 hours.
Using an hourly wage estimate of $110 per hour for Federal agencies
results in an initial cost between approximately de minimis costs and
$22,000 (200 hours x $110 per hour = $22,000), and $2,200 annually
thereafter (20 hours x $110 per hour = $2,200) per Federal agency.
Using an hourly wage estimate of $80 per hour for State, local, and
Tribal agencies results in an initial cost between approximately de
minimis costs and $16,000 (200 hours x $80 per hour = $16,000), and
$1,600 annually thereafter (20 hours x $80 per hour = $1,600) per
State, local, and Tribal agency. To estimate aggregate costs, FinCEN
multiplies these ranges by 207 total Federal agencies, and 215 State,
local, and Tribal agencies, resulting in a total year 1 cost between
approximately de minimis and $8.0 million (207 Federal agencies x
$22,000 per Federal agency + 215 State, local, and Tribal agencies x
$16,000 per State, local, and Tribal agency = $7,994,000). The ongoing
annual cost will between approximately de minimis and $.8 million (207
Federal agencies x $2,200 per Federal agency + 215 State, local, and
Tribal agencies x $1,600 per State, local, and Tribal agency =
$799,400).
Restrict Access to Appropriate Persons Within the Agency, Some of
Whom Must Undergo Training. FinCEN assumes that to comply with this
requirement, agencies will provide training to certain employees that
receive BOI access. The number of authorized recipients that have BOI
access at a given agency will vary. Using the active entities with
access to BSA data as of June 2023 as a proxy, and consistent with
information provided by a number of agencies, FinCEN anticipates that
each Federal agency could have anywhere between approximately 1 and
1,900 recipients of BOI data while each State, local, and Tribal agency
could have anywhere between 1 and 80 recipients of BOI.\247\
---------------------------------------------------------------------------
\247\ The range provided is an estimate of the lowest and
highest number of users for Federal agencies and for State and local
agencies respectively as of a given date in June 2023 with access to
BSA data through FinCEN's database.
---------------------------------------------------------------------------
To estimate the cost of this training, FinCEN assumes that each
employee that accesses BOI data will undergo 1 hour of training per
year. Using an hourly wage estimate of $110 per hour for Federal
agencies results in an annual cost between approximately $110 and
$209,000 (1 employee x 1 hour x $110 per hour = $110) and (1,900
employees x 1 hour x $110 per hour = $209,000)) per Federal agency.
Using an hourly wage estimate of $80 per hour for State, local, and
Tribal agencies results in an annual cost between approximately $80 and
$6,400 (1 employee x 1 hour x $80 per hour = $80) and (80 employees x 1
hour x $80 per hour = $6,400)) per State, local, and Tribal agency.
To estimate the aggregate annual costs, FinCEN uses aggregate user
counts of active BSA data users based on internal FinCEN data from June
2023, which provides a more reasonable estimate of the likely number of
authorized recipients than assuming the previously estimated ranges
will apply to each domestic agency. Therefore, based on internal data,
FinCEN expects that approximately 12,000 Federal employees and 2,000
employees of State, local, and Tribal agencies will undergo annual
training to access BOI data.\248\ This results in an aggregate annual
training cost of approximately $1.5 million ((12,000 Federal employees
x 1 hour x $110 per hour) + (2,000 State, local, and Tribal employees x
1 hour x $80 per hour) = $1,480,000).
---------------------------------------------------------------------------
\248\ These estimates are based on the number of users that
directly access BSA data through FinCEN's internal system; there are
a limited number of other ways that users may access BSA data, which
are not accounted for here. Furthermore, while FinCEN does not
incorporate an anticipated growth rate into the estimate of BOI
authorized recipients throughout the 10-year time horizon of this
analysis, the number of BOI authorized recipients could increase
significantly after the first fully operational year of the BOI
reporting requirements as awareness of the ability to access and
utility of accessing BOI increases.
---------------------------------------------------------------------------
Conduct an Annual Audit and Cooperate with FinCEN's Annual Audit;
Initially and then Semi-Annually Certify Standards and Procedures by
the Head of the Agency; Annually Provide a Report on Procedures.
Requirements #5-7 are administrative costs that a domestic agency will
incur on an annual or semi-annual basis. Specifically, they require an
agency to: (1) conduct an annual audit and cooperate with FinCEN's
annual audit; (2) certify standards and procedures by the head of the
agency semi-annually; and (3) provide an annual report on procedures to
FinCEN. Based on feedback from outreach as explained in the NPRM,
FinCEN assumes it will take a given agency between 10 hours and 160
hours per year to meet these three requirements.
Using an hourly wage estimate of $110 per hour for Federal agencies
results in annual costs between approximately $1,100 and $17,600 per
Federal agency ((10 hours x $110 per hour = $1,100) and (160 hours x
$110 per hour = $17,600)). Using an hourly wage estimate of $80 per
hour for State, local, and Tribal agencies results in annual costs
between approximately $800 and $12,800 per State, local, and Tribal
agency ((10 hours x $80 per hour = $800) and (160 hours x $80 per hour
= $12,800)). To estimate annual aggregate costs, FinCEN multiplies
these ranges by 207 total Federal agencies and 215 State, local, and
Tribal agencies, resulting in a total annual cost between approximately
$.4 million and $6.4 million ((207 Federal agencies x $1,100 per
Federal agency + 215 State, local, and Tribal agencies x $800 per
State, local, and Tribal agency = $399,700) and (207 Federal agencies x
$17,600 per Federal agency + 215 State, local, and Tribal agencies x
$12,800 per State, local, and Tribal agency = $6,395,200)).
Submit Written Certification for Each Request that it Meets Certain
Agency Requirements. Finally, for requirement #8, domestic agencies are
required to submit a written certification for each request for BOI.
The written certification will be in the form and manner prescribed by
FinCEN. This certification will be submitted to FinCEN via an
electronic form. The number of requests for BOI submitted to FinCEN by
domestic agencies in any given year will vary.
FinCEN assumes that submitting a request to FinCEN for BOI will
take one employee approximately 15 minutes, or 0.25 hours, per request.
This is based on FinCEN's experience with submitting requests for BSA
data in FinCEN Query, which similarly require a written description for
a search request. Certification requirements vary by authorized
recipient type under the rule. Federal and regulatory agencies must
certify that their request is related
[[Page 88794]]
to specific activities. State, local, and Tribal law enforcement
agencies must certify that a court of competent jurisdiction, including
any officer of such a court, has authorized the agency to seek the BOI
in a criminal or civil investigation. FinCEN expects that requests
submitted by State, local, and Tribal law enforcement agencies will
take an additional 8 to 10 hours in year 1 and 6 to 8 hours in
subsequent years to the due to the additional court authorization
requirement. The hourly burden decline in subsequent years reflects
FinCEN's expectation that agencies (and courts) will improve their
processes for meeting BOI request requirements. FinCEN expects many
agencies will access BOI repeatedly year after year as they do with BSA
data. For purposes of estimating the cost of these additional hours of
burden, FinCEN applies the hourly wage estimate for State, local, and
Tribal employees and assumes that this cost will be incurred by the
State, local or Tribal law enforcement agency. In practice, employees
within the court system may also incur costs related to this
requirement. However, FinCEN has not estimated the burden that may be
imposed on such entities because of the lack of relevant data and
because such burden will vary depending on how courts choose to
authorize BOI requests.
Using an hourly wage estimate of $110 per hour for Federal
employees results in a per request cost of approximately $28 per
Federal agency (0.25 hours x $110 per hour = $27.50). Using an hourly
wage estimate of $80 per hour for State, local, and Tribal employees
results in a per request cost of approximately $20 per State and local
regulator (0.25 hours x $80 per hour = $20), between approximately $660
and $820 per State, local, and Tribal law enforcement agency in year 1
((8.25 hours x $80 per hour = $660) and (10.25 hours x $80 per hour =
$820)) and $500 and $660 in subsequent years ((6.25 hours x $80 per
hour = $500) and (8.25 hours x $80 per hour = $660)).
To estimate a per agency annual cost, FinCEN uses BSA data request
statistics from recent years as a proxy. Using these data, FinCEN
estimates that each Federal agency could submit between 1 and 350,000
requests for BOI annually while each State, local, and Tribal agency
could submit between 1 and 23,000 requests for BOI annually.\249\
Therefore, the estimated annual cost is between $28 and $9.8 million
(($28 per request x 1 request) and ($28 per request x 350,000 requests
= $9,800,000)) per Federal agency. The annual cost is between $20 and
$.5 million (($20 per request x 1 request) and ($20 per request x
23,000 requests = $460,000)) per State and local regulator. For State,
local, and Tribal law enforcement agencies, the annual cost is between
$660 and $18.9 million in year 1 (($660 per request x 1 request = $660)
and ($820 per request x 23,000 requests = $18,860,000)) and $500 and
$15.2 million in subsequent years (($500 per request x 1 request =
$500) and ($660 per request x 23,000 requests = $15,180,000)).
---------------------------------------------------------------------------
\249\ The range is an estimate of the lowest and highest number
of BSA data requests received through FinCEN's database from Federal
agencies and for State and local agencies respectively during recent
years.
---------------------------------------------------------------------------
Using FinCEN's internal BSA request data as a proxy, FinCEN
anticipates that Federal agencies could submit as many as 2 million
total BOI requests annually and that State, local, and Tribal agencies
could submit as many as 230,000 total BOI requests annually.\250\ The
internal number of BSA requests provides a more reasonable estimate of
the likely number of aggregate requests than assuming the previously
estimated ranges will apply to each domestic agency. This results in
aggregate costs in year 1 between $187.6 and $219.6 million ((2 million
Federal requests x $28 per request + 30,000 State and local regulatory
requests x $20 per request + 200,000 State, local, and Tribal law
enforcement requests x $660 per request = $187,600,000) and (2 million
Federal requests x $28 per request + 30,000 State and local regulatory
requests x $30 per request + 200,000 State, local, and Tribal law
enforcement requests x $820 per request = $219,600,000)). In subsequent
years, the aggregate annual costs range between $155.6 million and
$187.6 million ((2 million Federal requests x $28 per request + 30,000
State and local regulatory requests x $20 per request + 200,000 State,
local, and Tribal law enforcement requests x $500 per request =
$155,600,000) and ((2 million Federal requests x $28 per request +
30,000 State and local regulatory requests x $20 per request + 200,000
State, local, and Tribal law enforcement requests x $660 per request =
$187,600,000)).
---------------------------------------------------------------------------
\250\ Of the 230,000 anticipated total annual State, local, and
Tribal BOI requests, approximately 30,000 are expected from State
regulators and approximately 200,000 from State, local, and Tribal
law enforcement agencies.
---------------------------------------------------------------------------
Totaling the estimated costs for requirements #1-8, the estimated
average per agency cost in year 1 is between $2,888 and $10.1 million
per Federal agency, between $2,100 and $.5 million per State and local
regulator, between $2,740 and $18.9 million per State, local, and
Tribal law enforcement agency, and between $2,783 to $662,500 per
SRO.\251\ The estimated average per agency cost each year after the
first year is between $1,238 and $10 million per Federal agency,
between $900 and $.5 million per State and local regulator, between
$1,380 and $15.2 million per State, local, and Tribal law enforcement
agency, and between $1,193 to $662,500 per SRO. The total estimated
aggregate cost to domestic agencies in year 1 is between $190.1 million
and $260.2 million, and then between $157.5 million and $197.2 million
each year thereafter.
---------------------------------------------------------------------------
\251\ To calculate total costs to SROs, FinCEN calculated a
ratio that applied the estimated costs to State regulators (which
have access requirements similar to SROs) to the wage rate estimated
herein for financial institutions, since SROs are private
organizations. As noted previously, SROs will not have direct access
to the BO IT system, but may receive BOI through re-disclosure.
---------------------------------------------------------------------------
Federal agencies may incur costs related to submitting requests on
behalf of foreign requesters. These costs are estimated in the next
section. Federal agencies may also bear costs related to enforcement in
cases of unauthorized disclosure and use of BOI; however, these costs
have not been estimated in this analysis, as the level of compliance
with the rule is unknown.
2. Foreign Requesters
Foreign requesters must meet multiple requirements to receive BOI.
FinCEN does not have an estimate of the number of foreign requesters
that may elect to request and access BOI, or which requesters will do
so under an applicable international treaty, agreement, or convention,
or through another channel available under the rule. Foreign requesters
that request and receive BOI under an applicable international treaty,
agreement, or convention do not have certain requirements under the
rule, given that such requesters are governed by standards and
procedures under the applicable international treaty, agreement, or
convention. However, FinCEN does not differentiate between types of
foreign requesters in this analysis, given the lack of data. Though
FinCEN is unable to estimate aggregate costs on foreign requesters
given the lack of data on the number of foreign requesters that may
access BOI, FinCEN provides partial cost estimates of the requirements
on a foreign requester. Requirements are summarized in Table 5, which
is followed by a more detailed analysis and cost estimates. Table 5
does not specifically reflect the requirement that a foreign requester
shall limit, to the greatest extent practicable, the scope of BOI it
seeks. However, FinCEN does not expect this
[[Page 88795]]
limitation to impose meaningful costs, and thus there is no associated
cost estimated for this requirement.
[GRAPHIC] [TIFF OMITTED] TR22DE23.004
Establish Standards and Procedures. For requirement #1, FinCEN
assumes that foreign requesters will incur costs during the first year.
FinCEN assumes it will take a foreign requester, on average, between
one and two full business weeks (or, between 40 and 80 business hours)
to establish standards and procedures. This estimate is a FinCEN
assumption based on its experience coordinating with foreign partners.
Using an hourly wage estimate of $110 per hour for Federal agencies,
which FinCEN assumes is a comparable hourly wage estimate for foreign
requesters, FinCEN estimates this one-time cost will be between
approximately $4,400 and $8,800 per foreign requester ((40 hours x $110
per hour) and (80 hours x $110 per hour)). Foreign requesters that
request and receive BOI under an applicable international treaty,
agreement, or convention do not have this requirement under the rule,
given that such requesters are governed by standards and procedures
under the applicable international treaty, agreement, or convention.
However, FinCEN does not differentiate between types of foreign
requesters in this analysis, given the lack of data.
Maintain a Secure System to Store BOI. For requirement #2, the cost
of the ongoing IT requirement will vary depending on the existing
infrastructure of the foreign requester. FinCEN believes that foreign
requesters already have secure systems and networks in place as well as
sufficient storage capacity, given their ongoing coordination with the
U.S. government on a variety of matters, which likely adhere to
applicable data security standards. Therefore, FinCEN assumes de
minimis IT costs. Foreign requesters that request and receive BOI under
an applicable international treaty, agreement, or convention do not
have this requirement under the rule, given that such requesters are
governed by security standards under the applicable international
treaty, agreement, or convention. However, FinCEN does not
differentiate between types of foreign requesters in this analysis,
given the lack of data.
Restrict Access to Appropriate Persons, Who Will Undergo Training.
For requirement #3, FinCEN assumes that each foreign requester that
accesses BOI data will undergo 1 hour of training per year; FinCEN does
not impose specific requirements on the content or structure of this
training. Using an estimated hourly wage amount of $110, this results
in an annual training cost of approximately $110 per foreign requester.
Provide Information for Each Request to an Intermediary Federal
Agency. For requirement #4, FinCEN assumes that providing information
for a BOI request to an intermediary Federal agency will take one
foreign requester approximately 45 minutes, or 0.75 hours, per request.
This estimate is based on FinCEN's assumption that a request for BOI
submitted directly by a Federal agency on its own behalf will take
approximately 15 minutes. Given the additional information required for
a foreign-initiated request, FinCEN triples that estimate for foreign
requests. Using an hourly wage estimate of $110 per hour, this will
result in a per request cost of approximately $83 per foreign requester
(0.75 hours x $110 per hour = $83). Based on feedback from agencies,
FinCEN believes that the total number of foreign requests will range
between approximately 200 and 900 per year.\252\ This results in an
aggregate annual cost to foreign requesters between approximately
$16,600 and $74,700 ((200 requests x $83 per request = $16,600) and
(900 requests x $83 per request = $74,700)).
---------------------------------------------------------------------------
\252\ [thinsp]FinCEN recognizes that the number of BOI requests
from foreign requesters may be higher, as no such U.S. beneficial
ownership IT system currently exists. The existence of a centralized
U.S. BOI source may in fact result in a higher number of annual
requests by foreign requesters.
---------------------------------------------------------------------------
FinCEN also assumes that Federal agencies that submit requests on
behalf of foreign requesters to FinCEN will incur additional costs;
FinCEN itself expects to incur costs from the submission of such
requests. Therefore, FinCEN estimates that processing BOI requests on
behalf of foreign requesters require approximately two hours of one
Federal employee's time, resulting in a cost per request of
approximately $220 (2 hours x $110 per hour). This results in a total
annual cost to Federal agencies between approximately $44,000 and
$198,000 ((200 requests x 2 hours x $110 per hour = $44,000) and (900
requests x 2 hours x $110 per hour = $198,000)).
3. Financial Institutions
Financial institutions must meet multiple requirements to access
BOI. Requirements are summarized in Table 6, which is followed by a
more detailed analysis and cost estimates. It should be noted that
Table 6 includes a training requirement. FinCEN assumes authorized
recipients of BOI at financial institutions will undergo training in
order to comply with the safeguards in the rule. Additionally, FinCEN
anticipates that access to the BO IT system will be conditioned on
recipients of BOI undergoing training.
[[Page 88796]]
[GRAPHIC] [TIFF OMITTED] TR22DE23.005
Develop and Implement Administrative and Physical Safeguards. For
requirement #1, FinCEN estimates an average burden per financial
institution between 120 and 240 hours to develop and implement
administrative and physical safeguards. This estimate increased from
the NPRM based on comments that stated that estimate was too low, and
those that noted that audit and legal review will be included in the
burden for developing and implementing these safeguards. Using an
hourly wage estimate of $106 per hour for financial institutions,
FinCEN estimates this one-time cost will be between approximately
$12,720 and $25,440 per financial institution. To estimate aggregate
costs, FinCEN multiplies this range by 15,716 total financial
institutions resulting in a total cost between approximately $199.9 and
$399.8. million (($12,720 per financial institution x 15,716 financial
institutions = $199,907,520) and ($25,440 per financial institution x
15,716 financial institutions = $399,815,040)).
Develop and Implement Technical Safeguards. For requirement #2, the
cost of the ongoing IT requirement will vary depending on the existing
infrastructure of the financial institution. FinCEN believes that most
financial institutions already have secure systems and networks in
place as well as sufficient storage capacity, given existing
requirements with regard to protection of customers' nonpublic personal
information.\253\ Therefore, FinCEN assumes de minimis IT costs.
---------------------------------------------------------------------------
\253\ As noted in the rule, financial institutions may have
established information procedures to satisfy the requirements of
section 501 of the Gramm-Leach-Bliley Act, and applicable
regulations issued thereunder, with regard to the protection of
customers' nonpublic personal information. If a financial
institution is not subject to section 501 of the Gramm-Leach-Bliley
Act, such institutions may be required, recommended, or authorized
under applicable Federal or State law to have similar information
procedures with regard to protection of customer information.
---------------------------------------------------------------------------
Obtain and Document Customer Consent. For requirement #3, FinCEN
estimates that establishing processes to obtain and document customer
consent will require between 50 and 70 hours of burden per financial
institution. This estimate includes burden of drafting new language
regarding customer consent for inclusion in financial institution
documents, legal review of the language, and testing to integrate
changes into IT systems. This estimate incorporates feedback from
commenters that the NPRM estimate was too low and that it does
incorporate the full range of activity necessary to complete this
requirement. In addition, based on commenter feedback, FinCEN estimates
an ongoing annual burden between 10 and 20 hours per financial
institution to maintain records of customer consent. Using an hourly
wage estimate of $106 per hour for financial institutions, FinCEN
estimates the one-time cost is between approximately $5,300 to $7,420
per financial institution in year 1 and between $1,060 to $2,120 in
ongoing costs each year thereafter. To estimate aggregate costs, FinCEN
multiplies this estimate by 15,716 total financial institutions,
resulting in a total cost between approximately $83.3 and $116.6
million in year 1 (($5,300 per financial institution x 15,716 financial
institutions = $83,294,800) and ($7,420 per financial institution x
15,716 financial institutions = $116,612,720)) and $16.7 and $33.3
million in ongoing years (($1,060 per financial institution x 15,716
financial institutions = $16,658,960) and ($2,120 per financial
institution x 15,716 financial institutions = $33,317,920)).
Submit Certification for Each Request that it Meets Certain
Requirements. For requirement #4, the certifications are submitted in
the form and manner prescribed by FinCEN via an electronic form. FinCEN
estimates that submitting a request to FinCEN for BOI will take one
employee approximately 15 minutes, or 0.25 hours, per request.\254\ For
purposes of this analysis, FinCEN assumes a range of approximately 5
million to 6 million total requests from financial institutions per
year. The minimum amount assumes that the number of BOI requests from
financial institutions each year equals the number of new entities that
qualify as ``reporting company'' required to submit BOI. As estimated
in the Reporting Rule's RIA, this is approximately 5 million entities
annually.\255\ The maximum amount assumes that financial institutions
request BOI for each new legal entity customer at the time of account
opening, in alignment with the 2016 CDD Rule,\256\ resulting in
approximately 6 million entities.\257\ Therefore, the
[[Page 88797]]
estimated aggregate annual cost of this requirement is between
approximately $132.5 and $156.2 million ((5 million total requests x
0.25 hours per request x $106 per hour = $132,500,000) and (5,893,500
total requests x 0.25 hours per request x $106 per hour =
$156,177,750)). The per institution annual cost of requirement #4 is
between approximately $8,431 and $9,938 (($132,500,000/15,716 financial
institutions) and ($156,177,750/15,716 financial institutions)).
---------------------------------------------------------------------------
\254\ FinCEN anticipates that financial institutions will also
be able to request BOI through an Application Programming Interface
(API) which will make this process less burdensome.
\255\ In the Reporting Rule's RIA, the analysis assumes 13.1
percent growth in new entities from 2020 through 2024, and then a
stable same number of approximately 5 million new entities each year
thereafter through 2033.
\256\ The CTA requires that the 2016 CDD Rule be revised given
FinCEN's BOI reporting and access requirements. Therefore, this
estimate and assumption may change after that revision.
\257\ The 2016 CDD Rule estimated that each financial
institution with customer due diligence requirements will open, on
average, 1.5 new legal entity accounts per business day. The rule
also assumed there are 250 business days per year. Therefore, FinCEN
estimates that financial institutions would need to conduct customer
due diligence requirements for a minimum of approximately 6 million
legal entities per year (15,716 financial institutions x 1.5
accounts per day x 250 business days per year = 5,893,500 new legal
entity accounts opened per year).
---------------------------------------------------------------------------
Undergo Training. Requirement #5 pertains to training for
individuals that access BOI. FinCEN assumes authorized recipients of
BOI at financial institutions will undergo training in order to comply
with the safeguards in the rule. To estimate the cost of this training,
FinCEN assumes a range of authorized recipients per financial
institution. FinCEN believes a range is appropriate given the variation
in institution size, complexity, and business models across the 15,716
financial institutions. Based on information provided by comments,
FinCEN assumes 4 to 5 employees per small financial institution and 25
to 30 employees per large financial institution will undergo annual BOI
training. This estimate differs from the NPRM because FinCEN integrated
feedback from commenters that stated the NPRM estimate was too low.
Using an hourly wage rate of $106 per hour, and assuming each
authorized recipient has one hour of training each year, FinCEN
estimates a per institution annual training cost between approximately
$424 and $3,180 ((4 employees x 1 hour x $106 per hour = $424) and (30
employees x 1 hour x $106 per hour = $3,180)). To estimate aggregate
costs, FinCEN uses SBA size standards and identifies approximately
13,699 small financial institutions and 2,017 large financial
institutions (15,716 total financial institutions -13,699 small
financial institutions). This results in an estimated minimum average
annual per-institution cost of $710 ((13,699 small institutions x 4
employees x $106 per hour + 2,017 large institutions x 25 employees x
$106 per hour)/15,716 total financial institutions) and a maximum
average annual cost of $870 ((13,699 small institutions x 5 employees x
$106 per hour + 2,017 large institutions x 30 employees x $106 per
hour)/15,716 total financial institutions). The estimated aggregate
training cost is between approximately $11.2 and $13.7 million per year
((13,699 small institutions x 4 employees x 1 training hour per person
x $106 per hour + 2,017 large institutions x 25 employees x 1 hour x
$106 per hour = $11,153,426) and (13,699 small institutions x 5
employees x 1 hour x $106 per hour + 2,017 large institutions x 30
employees x 1 hour x $106 per hour = $13,674,530)).
Geographic Restrictions. Requirement #6 pertains to the final
rule's inclusion of certain geographic restrictions for financial
institutions on the use and storage of BOI. The proposed rule
restricted this use and storage to within the United States; the final
rule does not include this limitation, but instead states that BOI
cannot be made available or stored in specific jurisdictions.
Commenters expressed concern the geographic restrictions in the
proposed rule would conflict with existing IT systems and information
handling procedures but did not provide quantitative feedback regarding
additional burden specific to the geographic restriction.\258\ The
final rule allows greater flexibility regarding geographic access in
only requiring financial institutions to restrict access for select
jurisdictions, lowering the burden of this requirement. Because
financial institutions already face restrictions to operating in those
jurisdictions, FinCEN expects this limitation to impose de minimis
costs.
---------------------------------------------------------------------------
\258\ One commenter estimated it would cost between $1 million
and $3 million to develop new systems or adapt existing systems to
comply with the various aspects of the proposed rule, including
preventing BOI obtained from FinCEN from ``flowing'' into other
financial institution monitoring systems and to affiliates outside
of the United States. This commenter, however, did not indicate how
much of this estimated $1-3 million in costs was attributable to the
geographic restriction as opposed to other aspects of the proposed
rule.
---------------------------------------------------------------------------
Notification of Information Demand. Requirement #7 obligates
financial institutions to notify FinCEN within three business days if
they receive a subpoena or legal demand from a foreign government for
BOI obtained from FinCEN. FinCEN expects financial institutions to
receive zero information demand requests and thus assumes de minimis
costs. Foreign governments should request BOI through the available
government channels rather than by demanding information from financial
institutions; this requirement intends to ensure that foreign
governments leverage the proper BOI request channels.
Together, the estimated average cost per financial institution for
completing the 7 requirements in Table 6 in year 1 is between
approximately $27,161 and $43,668, and between approximately $10,201
and $12,928 each year thereafter. The estimated aggregate costs from
requirements #1-7 for financial institutions are between approximately
$426.9 and $686.3 million in the first year, and then between
approximately $160.3 and $203.2 million each year thereafter.
4. FinCEN
In addition to the costs of accessing BOI data as a domestic
agency, FinCEN will incur costs from managing the access of other
authorized recipients. To administer BOI access, FinCEN will develop
training materials and agreements with domestic agencies; conduct
ongoing outreach with authorized recipients on the access requirements
and respond to inquiries and notifications from authorized recipients;
conduct audits of authorized responsibilities; develop procedures to
review authorized recipients' standards and procedures, and requests as
needed; and potentially reject requests or suspend access if
requirements are not met. FinCEN currently administers access to the
FinCEN Query system, which involves similar considerations; therefore,
FinCEN will build on its experience to administer BOI access. FinCEN
will also incur an initial cost in setting up internal processes and
procedures for administering BOI access.\259\ FinCEN retains its $10
million annual personnel cost estimate from the NPRM. In addition,
FinCEN has determined the volume of activity associated with managing
access to BOI requires contract staff to support this new program,
which FinCEN estimates will cost approximately $3 million annually.
Therefore, FinCEN's estimated annual costs are $13 million.
---------------------------------------------------------------------------
\259\ FinCEN also is developing the BO IT system that will allow
for the varying types of access. The costs associated with
developing and maintaining this IT system are addressed in the
Reporting Rule's RIA.
---------------------------------------------------------------------------
g. Detailed Discussion of Benefits
The rule is expected to yield benefits for authorized recipients.
Currently, authorized recipients may obtain BOI through a variety of
means; however, the rule will put in place a centralized system that,
by virtue of providing more direct access to the information, is
expected to reduce related search costs. FinCEN has quantitatively
estimated some such benefits in this analysis. The rule will also have
non-quantifiable benefits to authorized recipients of BOI and to
society more widely. This rule will facilitate U.S. national security,
intelligence, and law enforcement activity by providing access to BOI
which, as noted in the Reporting Rule's RIA, will make these activities
more effective and efficient. These activities will be more effective
and efficient because the improved ownership
[[Page 88798]]
transparency will enhance Federal agencies' ability to investigate,
prosecute, and disrupt the financing of terrorism, other transnational
security threats, and other types of domestic and transnational
financial crimes. Additionally, Treasury anticipates that it will gain
efficiencies in its efforts to identify the ownership of legal
entities, resulting in improved analysis, investigations, and policy
decisions on a variety of subjects. The Internal Revenue Service will
be able to obtain access to BOI for tax administration purposes, which
may provide benefits for tax compliance. Federal regulators may also
obtain benefits by accessing BOI in civil law enforcement matters.
Similarly, the rule is expected to facilitate and make more efficient
investigations by State, local, and Tribal law enforcement agencies.
Access to BOI through FinCEN is expected to obviate the need for such
agencies to spend additional time and resources identifying BOI using
other, potentially costlier, methods. Foreign requesters may also reap
similar benefits.
While FinCEN further expects that financial institutions could also
benefit from gaining access to key information (including potentially
additional beneficial owners, for their customer due diligence
processes), given the pending revisions to the CDD Rule, FinCEN is not
quantifying expected benefits for financial institutions at this time.
FinCEN anticipates that the benefits to financial institutions in
meeting their customer due diligence obligations will be discussed in
that rulemaking. Additionally, that rulemaking will consider costs and
benefits to regulatory agencies that supervise financial institutions'
compliance with customer due diligence requirements.
This rule's estimates of benefits to domestic agencies are in
alignment with feedback FinCEN has received from a number of agencies
as part of the outreach efforts FinCEN conducted in formulating the
rule. This feedback on qualitative and quantitative benefits of
accessing BOI is summarized in the NPRM. Based on this feedback, FinCEN
anticipates a potential quantifiable benefit range attributable to
efficiency gains of between 300 and 20,000 hours annually, per domestic
agency.\260\ This is equivalent to a per Federal agency dollar savings
between $33,000 and $2.2 million ((300 hours x $110 per hour = $33,000)
and (20,000 hours x $110 per hour = $2,200,000)) and a per State,
local, and Tribal agency dollar savings between $24,000 and $1.6
million ((300 hours x $80 per hour = $24,000 and 20,000 hours x $80 per
hour = $1,600,000)), depending on the number and complexity of the
investigations.
---------------------------------------------------------------------------
\260\ Regarding Federal regulators, FinCEN assumes that the
benefit would relate to civil law enforcement activities rather than
examination activities. The estimated direct benefits from reduced
investigation time and resources does not account for any potential
benefits in the form of efficiency gains to financial institutions
that access BOI. Any potential benefits to financial institutions
for accessing BOI will be accounted for in the forthcoming CDD Rule
revision.
---------------------------------------------------------------------------
The minimum dollar value of the benefits of the rule implied by
these assumptions in year 1 is $10.6 million ((207 Federal agencies x
300 hours per agency x $110 per hour) + (158 State, local, and Tribal
law enforcement agencies x 300 hours per agency x $80 per hour) =
$10,623,000). The maximum estimated aggregate annual quantified benefit
is $708.2 million ((207 Federal agencies x 20,000 hours per agency x
$110 per hour) + (158 State, local, and Tribal law enforcement agencies
x 20,000 hours per agency x $80 per hour) = 708,200,000). These
estimates only pertain to quantifiable benefits in the form of enhanced
BOI search efficiency; agencies can also gain other benefits from
accessing BOI, such as investigative law enforcement value, that are
not quantified in this analysis. Therefore, FinCEN believes the
benefits can be greater than the cost savings attributable to enhanced
search efficiency estimated here.
FinCEN assumes that no Federal agency or State, local or Tribal law
enforcement agency will access BOI unless the benefits of doing so are
at least equal to the costs, given that BOI access is optional for
these agencies. In cases where quantifiable costs exceed quantified
benefits, but a Federal agency or State, local or Tribal law
enforcement agency elects to access BOI, certain non-quantifiable
benefits must exist that outweigh the quantified net cost. FinCEN takes
these kinds of non-quantifiable benefits into consideration, as well as
the quantifiable benefits estimated in the analysis. In addition to the
direct benefits that will accrue to agencies, such as saving time,
accessing BOI will lead to other secondary benefits, as discussed in
the Reporting Rule's RIA.\261\ BOI will also further the missions of
the agencies to combat crime, as well as contribute to national
security, intelligence, and law enforcement, and other activities.
Therefore, the expected benefits to agencies of accessing BOI are more
than just the efficiency gains with respect to search costs; FinCEN
expects more streamlined access to BOI will lead to more effective and
efficient investigations. Enabling effective and efficient
investigations has the additional secondary benefit of making it more
difficult to launder money through shell companies and other entities,
in turn strengthening national security and enhancing financial system
transparency and integrity. Barriers to money laundering encourage a
more secure economy and can generate more economic activity when
businesses have more trust in the legitimacy of new business partners.
Finally, the sharing of BOI with foreign partners, subject to
appropriate protocols consistent with the CTA, may further
transnational investigations, tax enforcement, and the identification
of national and international security threats. These secondary
benefits are not accounted for in this analysis since they are
accounted for in the Reporting Rule RIA. However, these benefits cannot
come to fruition without authorized recipients gaining access to BOI,
as implemented by this rule. Therefore, the benefits between the
Reporting Rule and this rule are inextricably linked.
---------------------------------------------------------------------------
\261\ See 87 FR 59579-59580 (Sept. 30, 2022).
---------------------------------------------------------------------------
h. Overall Impact
Overall, FinCEN estimates the potential quantifiable impact of the
rule will be between $78.2 million in quantifiable net benefits and
$949.2 million in net costs in the first year of the rule, and then
from $377.3 million in quantifiable net benefits to $403.0 million in
net costs on an ongoing annual basis. Table 7 summarizes the estimated
aggregate yearly impact of the rule.
[[Page 88799]]
[GRAPHIC] [TIFF OMITTED] TR22DE23.006
The estimated, quantifiable, aggregate annual benefits of the rule,
which only reflect potential quantifiable benefits to agencies, will be
between approximately $10.6 and $708.2 million. Likewise, FinCEN
expects that the aggregate annual quantifiable costs of the rule will
be somewhere between approximately $630.0 and $959.8 million in year 1,
and between approximately $330.9 and $413.6 million each year
thereafter. FinCEN believes that, in practice, entities will choose to
access BOI only if the benefits to the entity's operational needs,
which includes both quantifiable and non-quantifiable benefits,
outweigh the costs associated with the requirements for accessing BOI.
This analysis assumes financial institutions can choose whether or not
to access BOI. The question of whether financial institutions are
required to access BOI as part of their CDD Rule obligations will be
addressed in FinCEN's forthcoming revisions to the 2016 CDD Rule. For
other users, there are and will be no requirements to access BOI.
Using the maximum net cost impact estimates from Table 7 as an
upper bound of the impact of this rule, FinCEN determines the present
value over a 10-year horizon of approximately $4 billion at the three
percent discount rate and approximately $3.3 billion at the seven
percent discount rate.
B. Final Regulatory Flexibility Act Analysis
When an agency issues a rule proposal, the Regulatory Flexibility
Act (RFA) requires the agency to either provide an IRFA or, in lieu of
preparing an analysis, to certify that the proposed rule is not
expected to have a significant economic impact on a substantial number
of small entities.\262\ When FinCEN issued its NPRM, FinCEN believed
that the proposed rule would have a significant economic impact on a
substantial number of small entities, and provided an IRFA.\263\ FinCEN
received numerous comments related to the RIA. Some of the comments
related to the RIA were from small entities and associations
representing small entities. FinCEN has discussed those comments
relating to specific provisions in the proposed rule in section III
above, and those relating to the RIA in section V.A. above.
---------------------------------------------------------------------------
\262\ 5 U.S.C. 601-612.
\263\ 87 FR 77445-77447.
---------------------------------------------------------------------------
The RFA requires each Final Regulatory Flexibility Analysis (FRFA)
to contain:
A succinct statement of the need for, and objectives of,
the rule;
A summary of the significant issues raised by the public
comments in response to the IRFA, a summary of the assessment of the
agency of such issues, and a statement of any changes made in the
proposed rule as a result of such comments;
A description of and an estimate of the number of small
entities to which the proposed rule would apply;
A description of the projected reporting, recordkeeping,
and other compliance requirements of the proposed rule, including an
estimate of the classes of small entities which will be subject to the
requirement and the type of professional skills necessary for the
preparation of the report or record; and
A description of the steps the agency has taken to
minimize the significant economic impact on small entities consistent
with the stated objectives of applicable statutes, including a
statement of the factual, policy, and legal reasons for selecting the
alternative adopted in the final rule and why each one of the other
significant alternatives to the rule considered by the agency which
affect the impact on small entities was rejected.\264\
---------------------------------------------------------------------------
\264\ 5 U.S.C. 604(a).
---------------------------------------------------------------------------
[[Page 88800]]
i. Statement of the Reasons for, and Objectives of, the Rule
The rule is necessary to implement section 6403 of the CTA. The
purpose of the rule is to implement the disclosure requirements of
section 6403 and to establish appropriate protocols to protect the
security and confidentiality of the BOI.
ii. A Summary of the Significant Issues Raised by the Public Comments
in Response to the IRFA, a Summary of the Assessment of the Agency of
Such Issues, and a Statement of Any Changes Made in the Proposed Rule
as a Result of Such Comments
FinCEN has carefully considered the comments received in response
to the NPRM. Section III provides a general overview of the comments
and discusses the significant issues raised by comments. In addition,
section V.A includes a discussion of the comments received with respect
to the preliminary RIA and IRFA, including those with respect to the
estimated cost that the rule will impose on financial institutions,
which will include small entities. FinCEN has considered the comments
received from small entities and from associations representing them,
regardless of whether the comments referred to the IRFA. Commenters
expressed concern about the costs that the rule's requirements for BOI
access would impose on financial institutions, which include small
entities. FinCEN considered the burden and costs of the specific
requirements throughout the final rule and has adjusted the analysis
appropriately.
Many comments were critical of FinCEN's interpretation of
``customer due diligence requirements under applicable law'' in the
proposed rule and the limited use of BOI by financial institutions that
this definition would require. Some comments argued that if financial
institutions could only use BOI reported to FinCEN to comply with the
31 CFR 1010.230 instead of the broader purposes, this would add burdens
to financial institutions. Commenters noted that financial institutions
already use BOI obtained from their customers for broad purposes.
Commenters explained that if an financial institution is limited to
using BOI obtained from FinCEN merely for purposes of compliance with
31 CFR 1010.230, then the financial institution would need to create a
``firewall'' between the BOI obtained from FinCEN and the BOI that an
financial institution obtains directly from its legal entity customers,
so that the financial institution could still use the BOI it obtained
directly from customers in the range of ways to which it has become
accustomed. This firewalling would be a significant additional burden,
according to these commenters. Several commenters claimed that if banks
can only use BOI from FinCEN for compliance with 31 CFR 1010.230, this
would create duplicative requirements for financial institutions.
The final rule revises the proposed rule's definition of ``customer
due diligence requirements under applicable law,'' which was limited to
the requirements under 31 CFR 1010.230, to allow the use of BOI more
broadly to counter money laundering and the financing of terrorism, as
well as to comply with certain other measures that safeguard national
security. This change reflects FinCEN's conclusion that the phrase
should encompass a financial institution's AML/CFT obligations under
the BSA, including suspicious activity monitoring and SAR filing, as
well as related activities such as sanctions screening, anti-fraud, and
anti-bribery controls and other activities pursuant to the financial
institution's legal requirements for AML/CFT.
FinCEN found persuasive comments that argued that if BOI from
FinCEN could only be used for compliance with 31 CFR 1010.230 instead
of the broader purposes for which financial institutions are already
using BOI for, this would add burdens to financial institutions that
would not be justified by the potential gains in protecting the
security and confidentiality of BOI.
Commenters expressed concern that the proposed rule's geographic
restrictions limiting access to BOI to within the United States would
conflict with existing IT systems and information handling processes
but did not provide quantitative feedback regarding additional
burden.\265\ The final rule allows greater flexibility regarding
geographic access in only requiring financial institutions to restrict
access for select jurisdictions in which financial institutions already
face restrictions, lowering the likelihood a financial institution will
be burdened by this requirement.
---------------------------------------------------------------------------
\265\ One commenter estimated it would cost between $1 million
and $3 million to develop new systems or adapt existing systems to
comply with the various aspects of the proposed rule, including
preventing BOI obtained from FinCEN from ``flowing'' into other
financial institution monitoring systems and to affiliates outside
of the United States. This commenter, however, did not indicate how
much of this estimated $1-3 million in costs was attributable to the
geographic restriction as opposed to other aspects of the proposed
rule.
---------------------------------------------------------------------------
Comments also suggested options to decrease burden for financial
institutions through technological means. A commenter requested that
financial institutions submit required certifications and access BOI on
a bulk, automated basis. This commenter noted that if access to the BO
IT system requires manual submissions on a customer-by-customer basis,
this would be unnecessarily cumbersome and would adversely impact the
ability of financial institutions to use the information effectively
and efficiently for illicit finance risk management.
FinCEN agrees with these comments and notes that financial
institutions will have the ability to submit search requests through an
automated process, lessening costs associated with manual searches by
financial institutions. FinCEN expects that financial institutions will
use Application Programming Interfaces (APIs) to access BOI, and that
the BO IT system will accommodate the use of APIs for this purpose
(including the submission of required certifications).
In addition, more specific information regarding the estimated
costs for small entities resulting from the final rule is set forth in
section V.B.v below, and other steps FinCEN has taken to minimize the
economic impact of the rule on small entities are set forth in section
V.B.vi below.
iii. The Response of the Agency to a Comment Filed by the Chief Counsel
for Advocacy of the Small Business Administration in Response to the
Proposed Rule, and a Detailed Statement of Any Change Made to the
Proposed Rule in the Final Rule as a Result of the Comment
The Chief Counsel for Advocacy of the Small Business Administration
(``Advocacy'') filed a comment to the NPRM on February 14, 2023, that
acknowledges that the proposed rule will be economically burdensome for
small businesses. Advocacy notes that FinCEN prepared an IRFA for the
NPRM.
Advocacy urged FinCEN to clarify certain provisions of the proposed
rule because small entities claimed the proposed rule was unclear. For
example, the IRFA stated that the proposed rule's requirements to
access BOI would not be mandatory (because accessing BOI reported to
FinCEN is not itself currently mandatory), but small entity groups have
stated that the rule itself is unclear as to whether the requirements
of the rulemaking are mandatory. Lack of clarity could lead to small
entities incurring unnecessary costs in trying to comply with the
rulemaking. There are also concerns
[[Page 88801]]
about the scope of the proposed rulemaking.
FinCEN clarified with Advocacy that the phrase ``scope of the
proposed rulemaking'' refers to the scope of authorized users that will
be permitted access to BOI and the permitted uses of that information.
Section III.C.iv.a.1 above clarifies that the types of financial
institutions that FinCEN will under its discretionary authority permit
to access BOI will initially be those that are ``covered financial
institutions'' under the 2016 CDD Rule. Section III.C.iv.a.2 clarifies
the scope of permitted uses for BOI by those financial institutions.
Advocacy also encourages FinCEN to provide a clear compliance guide
for this rulemaking, and references a similar request in Advocacy's
February 4, 2022 comment letter to the Reporting Rule. Section 212 of
the Small Business Regulatory Enforcement Fairness Act (SBREFA)
requires agencies to provide a compliance guide for each rule (or
related series of rules) that requires a final regulatory flexibility
analysis.\266\ Agencies are required to publish the guides with
publication of the final rule, post them to websites, distribute them
to industry contacts, and report annually to Congress.\267\ FinCEN
anticipates issuing a Small Entity Compliance Guide, pursuant to
section 212 of SBREFA, in order to assist small entities in complying
with the BOI access requirements.
---------------------------------------------------------------------------
\266\ Small Business Regulatory Enforcement Fairness Act of
1996, Public Law 104-121, 212, 110 Stat. 857, 858 (1996).
\267\ The Small Business and Work Opportunity Tax Act of 2007
added these additional requirements for agency compliance to SBREFA.
See Small Business and Work Opportunity Tax Act of 2007, Public Law
110-28, 121 Stat. 190 (2007).
---------------------------------------------------------------------------
iv. Description and Estimate of the Number of Small Entities to Which
the Rule Will Apply
To assess the number of small entities affected by the rule, FinCEN
separately considered whether any small businesses, small
organizations, or small governmental jurisdictions, as defined by the
RFA, will be impacted. FinCEN concludes that a substantial number of
small businesses will be significantly impacted by the rule, which is
consistent with the IRFA.
In defining ``small business,'' the RFA points to the definition of
``small business concern'' from the Small Business Act.\268\ This small
business definition is based on size standards (either average annual
receipts or number of employees) matched to industries.\269\ Assuming
maximum non-mandated participation by small financial institutions, the
rule will affect approximately all 13,699 small financial institutions.
All of these small financial institutions will have a significant
economic impact in the first year of implementation, which FinCEN
believes meets the threshold for a substantial number. Therefore,
FinCEN concludes the rule will have a significant economic impact on a
substantial number of small entities.
---------------------------------------------------------------------------
\268\ 5 U.S.C. 601(3).
\269\ See U.S. Small Business Administration, Table of Small
Business Size Standards Matched to North American Industry
Classification System Codes (Mar. 17, 2023), available at https://www.sba.gov/sites/sbagov/files/2023-03/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%281%29%20%281%29_0.pdf.
---------------------------------------------------------------------------
FinCEN assumes the economic impact on an individual small entity is
significant if the total estimated impact in a given year is greater
than 1 percent of the small entity's total receipts for that year.
FinCEN estimates the cost for small financial institutions to comply
with the sections of the rule addressing BOI access will be between
approximately $26,875 and $43,328 in year 1, and approximately $9,915
and $12,588 annually in subsequent years.\270\ FinCEN then compares
these per financial institution cost estimates to the average total
receipts for the smallest size category for each type of financial
institution from the 2017 Census survey data, adjusted for
inflation.\271\ The analysis indicates that, even when considering the
minimum year 1 impact of $26,875, the smallest entities of all types of
financial institutions will incur an economic impact that exceeds 1
percent of receipts for that industry. Therefore, FinCEN expects that
the rule will have a significant economic impact on a substantial
number of small entities.
---------------------------------------------------------------------------
\270\ The minimum and maximum costs for small entities can be
determined by using $424 (4 employee x $106 per hour) as the minimum
cost for training and using $530 (5 employees x $106 per hour) as
the maximum cost for training.
\271\ FinCEN inflation adjusted the 2017 Census survey data
using Implicit Price Deflators for Gross Domestic Product quarterly
data from the U.S. Bureau of Economic Analysis, available at https://apps.bea.gov/iTable/?reqid=19&step=2&isuri=1&categories=survey#eyJhcHBpZCI6MTksInN0ZXBzIjpbMSwyLDMsM10sImRhdGEiOltbIkNhdGVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUEFfVGFibGVfTGlzdCIsIjEzIl0sWyJGaXJzdF9ZZWFyIiwiMTk5NSJdLFsiTGFzdF9ZZWFyIiwiMjAyMiJdLFsiU2NhbGUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ==. FinCEN
estimated an inflation factor of approximately 1.18 (the gross
domestic product deflator in 2017 is 107.749, while in 2022 it was
127.224; hence, the inflation factor is 127.224/107.749= 1.18).
FinCEN then applied this inflation adjustment factor of 1.18 to the
1 percent of average annual receipts in the 2017 Census survey data
for each financial industry affected by this proposed rule to
estimate the latest inflation-adjusted dollar value threshold of 1
percent of annual receipts.
---------------------------------------------------------------------------
In defining ``small organization,'' the RFA generally defines it as
any not-for-profit enterprise that is independently owned and operated
and is not dominant in its field.\272\ FinCEN assesses that the rule
will not affect ``small organizations'' as defined by the RFA.
---------------------------------------------------------------------------
\272\ 5 U.S.C. 601(4).
---------------------------------------------------------------------------
The RFA generally defines ``small governmental jurisdiction[s]'' as
governments of cities, counties, towns, townships, villages, school
districts, or special districts, with a population of less than
50,000.\273\ While State, local, and Tribal government agencies may be
affected by the rule, FinCEN does not believe that government agencies
of jurisdictions with a population of less than 50,000 will be included
in such agencies.\274\ Therefore, no ``small governmental
jurisdictions'' are expected to be affected.
---------------------------------------------------------------------------
\273\ 5 U.S.C. 601(5).
\274\ FinCEN made this assumption in the NPRM and requested
public comment; it did not receive any comments that addressed this
specific point.
---------------------------------------------------------------------------
v. Description of the Projected Reporting, Recordkeeping, and Other
Compliance Requirements of the Rule, Including an Estimate of the
Classes of Small Entities Which Will Be Subject to the Requirements and
the Type of Professional Skills Necessary for the Preparation of the
Report or Record
Under the rule, accessing BOI is not currently mandatory;
therefore, the rule will not impose requirements in the strictest
sense.\275\ However, the rule will require those that elect to access
BOI to establish standards and procedures or safeguards, and to comply
with other requirements. In particular, financial institutions will be
required to develop and implement administrative, technical, and
physical safeguards reasonably designed to protect the security,
confidentiality, and integrity of BOI. Financial institutions will also
be required to obtain and document customer consent to access their
BOI, as well as maintain a record of such consent for five years after
it was last relied upon, which may require updates to existing policies
and procedures. Financial institutions will also be required to comply
with certain geographic restrictions and notify FinCEN if they receive
an information demand from a foreign government. The rule will also
require those that access BOI provide a certification for each BOI
[[Page 88802]]
request, in the form and manner prescribed by FinCEN. FinCEN intends to
provide additional detail regarding the form and manner of BOI requests
for all categories of authorized recipients through specific
instructions and guidance as it continues developing the BO IT system.
To the extent required by the PRA, FinCEN will publish for notice and
comment any proposed information collection associated with BOI
requests.
---------------------------------------------------------------------------
\275\ FinCEN anticipates considering whether to require
financial institutions to access BOI reported to FinCEN in the
future, potentially as part of its revisions to the 2016 CDD Rule.
---------------------------------------------------------------------------
Small entities affected by the rule, which FinCEN assesses to be
small financial institutions, will be required to comply with these
requirements if they access BOI. FinCEN assumes that the professional
expertise needed to comply with such requirements already exists at
small financial institutions with customer due diligence obligations.
vi. Description of the Steps the Agency Has Taken To Minimize the
Significant Economic Impact on Small Entities Consistent With the
Stated Objectives of Applicable Statutes, Including a Statement of the
Factual, Policy, and Legal Reasons for Selecting the Alternative
Adopted in the Final Rule and Why Each One of the Other Significant
Alternatives to the Rule Considered by the Agency Which Affect the
Impact on the Small Entities Was Rejected
The steps FinCEN has taken to minimize the significant economic
impact on small entities and the factual, policy, and legal reasons for
selecting the final rule are described throughout section III. This
section of the FRFA includes one of the alternative scenarios
considered in the RIA. The rule is statutorily mandated, and therefore
FinCEN has limited ability to implement alternatives. However, FinCEN
considered the following significant alternative which affected the
impact on small entities. The sources and analysis underlying the
burden and cost estimates cited in this alternative are explained in
the RIA.
FinCEN considered altering the customer consent requirement for
financial institutions. Under the final rule, financial institutions
are required to obtain and document customer consent once for a given
customer. FinCEN considered an alternative approach in which FinCEN
would directly obtain the reporting company's consent. Under this
scenario, financial institutions would not need to spend time and
resources on drafting or modifying customer consent forms, ensuring
legal compliance, and testing the forms which FinCEN expects to require
approximately 50 to 70 hours in year 1 and 10 to 20 hours in subsequent
years for ongoing forms maintenance. Using an hourly wage estimate of
$106 per hour for financial institutions, FinCEN estimates this would
result in an initial savings per financial institution of approximately
$5,300 to $7,420 in year 1 and $1,060 to $2,120 in subsequent years.
FinCEN estimates an aggregate savings of $83.3 to $116.6 million in
year 1 and $16.7 to $33.3 million in subsequent years. To estimate
aggregate savings under this scenario, FinCEN multiplies the yearly
savings by the number of financial institutions (e.g., $5,300 per
financial institution x 15,716 financial institutions = $83,294,800).
The cost savings for small financial institutions under this scenario
would be approximately $72.6 million ($5,300 per financial institution
x 13,699 small financial institutions = $72,604,700). Though this
alternative results in a savings to financial institutions, including
small entities, FinCEN believes that financial institutions are better
positioned to obtain consent--and to track consent revocation--given
their direct customer relationships and ability to leverage existing
onboarding and account maintenance processes, as also discussed in
sections III.E.ii.d and V.A.i.a above. Therefore, FinCEN decided not to
adopt this alternative.
C. Unfunded Mandates Reform Act
Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law
104-4 (Unfunded Mandates Reform Act) requires that an agency prepare a
budgetary impact statement before promulgating a rule that includes a
Federal mandate that may result in expenditure by State, local, and
Tribal governments, in the aggregate, or by the private sector, of $100
million or more in any one year, adjusted for inflation. FinCEN
believes that the RIA provides the analysis required by the Unfunded
Mandates Reform Act.
D. Paperwork Reduction Act
The new reporting and recordkeeping requirements contained in this
rule (31 CFR 1010.955) have been approved by OMB in accordance with the
Paperwork Reduction Act of 1995 (PRA), 44 U.S.C. 3501 et seq., under
control number 1506-0077. The PRA imposes certain requirements on
Federal agencies in connection with their conducting or sponsoring any
collection of information as defined by the PRA. Under the PRA, an
agency may not conduct or sponsor, and a person is not required to
respond to, a collection of information unless it displays a valid OMB
control number.
As discussed in the RIA, FinCEN revised estimates for the
requirements based on comments received in the NPRM and updates to the
final rule and underlying data sources. All revisions to the estimates
are explained in the RIA.
Reporting and Recordkeeping Requirements: The rule requires State,
local, and Tribal agencies and financial institutions that access BOI
to conduct the following activities: establish standards and
procedures, and develop and implement safeguards. FinCEN assumes
authorized recipients of BOI at financial institutions will undergo
annual training in order to comply with the safeguards in the rule.
Financial institutions are also required to obtain and document
customer consent, maintaining a record of such consent for five years
after it was last relied upon, which may require updates to existing
processes and creation of consent forms. The rule also requires State,
local, and Tribal agencies and financial institutions that access BOI
to provide a certification for each BOI request. FinCEN intends to
provide additional detail regarding the form and manner of BOI requests
for all categories of authorized users through specific instructions
and guidance as it continues developing the BO IT system. To the extent
required by the PRA, FinCEN will publish for notice and comment any
proposed information collection associated with BOI requests. The rule
also requires financial institutions to comply with certain geographic
restrictions and notify FinCEN if they receive an information demand
from a foreign government for BOI. In addition, the rule requires
State, local, and Tribal agencies to establish and maintain a secure
system to store BOI, as well as an auditable system of standardized
records for requests, conduct an annual audit, certify standards and
procedures by the agency head semi-annually, and provide an annual
report on procedures, resulting in additional recordkeeping and
reporting requirements. Finally, the rule requires that SROs follow the
same security and confidentiality requirements outlined herein for
State, local, and Tribal agencies, if they obtain BOI through re-
disclosure by a Federal functional regulator or financial institution.
OMB Control Number: 1506-0077.
Frequency: As required; varies depending on the requirement.
Description of Affected Public: State, local and Tribal agencies,
SROs, and financial institutions with customer due diligence
obligations, as defined in the rule. While others from Federal and
foreign requesters are able to access BOI after meeting specific
requirements, FinCEN does not include them in the
[[Page 88803]]
PRA analysis because the regulations implementing the PRA define
``person'' as an individual, partnership, association, corporation
(including operations of government-owned contractor-operated
facilities), business trust, or legal representative, an organized
group of individuals, a State, territorial, tribal, or local government
or branch thereof, or a political subdivision of a State, territory,
Tribal, or local government or a branch of a political
subdivision.\276\ For foreign requesters in particular, FinCEN assumes
that such requests will be made at the national level.
---------------------------------------------------------------------------
\276\ See 5 CFR 1320.3(k).
---------------------------------------------------------------------------
Estimated Number of Respondents: 15,934 entities. This total is
composed of an estimated 215 State, local, and Tribal agencies, of
which 158 are State, local, and Tribal law enforcement agencies and 57
are State regulatory agencies, 3 SROs, and 15,716 financial
institutions.\277\ While the requirements in the rule are only imposed
on those that optionally access BOI, for purposes of PRA burden
analysis FinCEN assumes maximum participation from State, local, and
Tribal agencies, SROs, and financial institutions.
---------------------------------------------------------------------------
\277\ See Table 1 for the types of financial institutions
covered by this notice.
---------------------------------------------------------------------------
Estimated Total Annual Reporting and Recordkeeping Burden: FinCEN
estimates that during year 1 the annual hourly burden will be 8,743,781
hours. In year 2 and onward, FinCEN estimates that the annual hourly
burden will be 3,616,964 hours. The annual estimated burden hours for
State, local, and Tribal entities as well as SROs is 2,268,789 hours in
the first year, and 1,699,612 hours in year 2 and onward. As shown in
Table 8, the hourly burden in year 1 for State, local, and Tribal
entities and SROs includes the hourly burden associated with the
following requirements in the rule: enter into an agreement with FinCEN
and establish standards and procedures (Action B); establish a secure
system to store BOI (Action D); establish and maintain an auditable
system of standardized records for requests (Action E); submit written
certification for each request that it meets certain requirements
(Action G); restrict access to appropriate persons within the entity
(Action H); conduct an annual audit and cooperate with FinCEN's annual
audit (Action I); obtain certification of standards and procedures,
initially and then semi-annually, by the head of the entity (Action J);
and provide annual reports on procedures (Action K). The hourly burden
in year 2 and onward for State, local, and Tribal entities and SROs is
associated with the same requirements as year 1, with the exception of
Action B because FinCEN expects this action will result in costs for
these entities in year 1 only.
The annual estimated hourly burden for financial institutions is
6,474,992 hours in the first year and 1,917,352 hours in year 2 and
onward. The hourly burden for financial institutions in year 1 is
associated with the following: develop and implement administrative and
physical safeguards (Action A); develop and implement technical
safeguards (Action C); obtain and document customer consent (Action F);
submit certification for each request that it meets certain
requirements (Action G); undergo training (Action H); comply with
certain geographic restrictions (Action L); and notify FinCEN if they
receive an information demand from a foreign government (Action M). The
hourly burden in year 2 and onward for financial institutions is
associated only with the requirements for Actions F, G and H because
FinCEN expects the other actions will result in costs for these
entities in year 1 only.
Annual estimated burden declines in year 2 and onward because
State, local, and Tribal agencies, SROs, and financial institutions no
longer need to complete Actions A and B, and have a lower hourly burden
for Actions E and F. State, local, and Tribal law enforcement agencies
have a lower hourly burden for Action G. Table 8 lists the type of
entity, the number of entities, the hours per entity, and the total
hourly burden by action. For Actions A, B, C, D, E, F, I, J, K, L, and
M the hours per entity are the maximum of the range estimated in the
cost analysis of the RIA. For Action G and H, the hours per entity
calculations are specified in footnotes to Table 8. Total annual hourly
burden is calculated by multiplying the number of entities by the hours
per entity for each action. In each subsequent year after initial
implementation, FinCEN estimates that the total hourly annual burden is
3,616,964. This results in a 5-year average burden estimate of
approximately 4,642,327 hours.\278\
---------------------------------------------------------------------------
\278\ The 5-year average equals the sum of (Year 1 burden hours
of 8,743,781 + Year 2 burden hours of 3,616,964 + Year 3 burden
hours of 3,616,964 + Year 4 burden hours of 3,616,964 + Year 5
burden hours of 3,616,964) divided by 5.
---------------------------------------------------------------------------
BILLING CODE 4810-02-P
[[Page 88804]]
[GRAPHIC] [TIFF OMITTED] TR22DE23.007
[[Page 88805]]
[GRAPHIC] [TIFF OMITTED] TR22DE23.008
[[Page 88806]]
[GRAPHIC] [TIFF OMITTED] TR22DE23.009
Estimated Total Annual Reporting and Recordkeeping Cost: As
describd in Table 3, FinCEN calculated the fully loaded hourly wage for
each type of affected entity type. Using these estimated wages, the
total cost of the annual bureden in year 1 is $868,200,270. In year 2
and onward, FinCEN estimates that the total cost of the annual burden
is $339,309,502, owing to Actions A and B only imposing burens in year
1, Actions D and E having lower annual per entity burdens, and Actions
G having lower burden per request for State, local and Tribal law
enforcement agencies. The annual estimated cost for State, local, and
Tribal agencies and SROs is $181,851,118 in the first and $13,070,190
in year 2 and onward. The annual estimated cost for financial
institutions is $686,349,152 in the first year and $203,239,312 in year
2 and onward. The 5-year average annual cost estimate is
$445,087,656.\279\
---------------------------------------------------------------------------
\279\ The 5-year average equals the sum of (year 1 costs of
$868,200,270 + Year 2 costs of $339,309,502 + Year 3 costs of
$339,309,502 + Year 4 costs of $339,309,502 + Year 5 costs of
$339,309,502) divided by 5.
[GRAPHIC] [TIFF OMITTED] TR22DE23.010
[[Page 88807]]
[GRAPHIC] [TIFF OMITTED] TR22DE23.011
[[Page 88808]]
[GRAPHIC] [TIFF OMITTED] TR22DE23.012
BILLING CODE 4810-02-C
E. Congressional Review Act
Pursuant to Subtitle E of the Small Business Regulatory Enforcement
and Fairness Act of 1996 (also known as the Congressional Review Act or
CRA)), OMB's Office of Information and Regulatory Affairs has
determined that this action meets the criteria set forth in 5 U.S.C.
804(2).\280\
---------------------------------------------------------------------------
\280\ 5 U.S.C. 804(2) et seq.
---------------------------------------------------------------------------
List of Subjects in 31 CFR Part 1010
Administrative practice and procedure, Aliens, Authority
delegations (Government agencies), Banks and banking, Brokers, Business
and industry, Commodity futures, Currency, Citizenship and
naturalization, Electronic filing, Federal savings associations,
Federal-States relations, Federally recognized tribes, Foreign persons,
Holding companies, Indian law, Indians, Insurance companies, Investment
advisers, Investment companies, Investigations, Law enforcement,
Penalties, Reporting and recordkeeping requirements, Small businesses,
Securities, Terrorism, Tribal government, Time.
Authority and Issuance
For the reasons set forth in the preamble, the U.S. Department of
the Treasury and Financial Crimes Enforcement Network amend 31 CFR part
1010 as follows:
PART 1010--GENERAL PROVISIONS
0
1. The authority citation for part 1010 continues to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1959; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307;
sec. 2006, Pub. L. 114-41, 129 Stat. 458-459; sec. 701, Pub. L. 114-
74, 129 Stat. 599.
0
2. In Sec. 1010.950, revise the section heading and paragraph (a) to
read as follows:
Sec. 1010.950 Availability of information--general.
(a) The Secretary has the discretion to disclose information
reported under this chapter, other than information reported pursuant
to Sec. 1010.380, for any reason consistent with the purposes of the
Bank Secrecy Act, including those set forth in paragraphs (b) through
(d) of this section. FinCEN may disclose information reported pursuant
to Sec. 1010.380 only as set forth in Sec. 1010.955, and paragraphs
(b) through (f) of this section shall not apply to the disclosure of
such information.
* * * * *
0
3. Add Sec. 1010.955 to read as follows:
[[Page 88809]]
Sec. 1010.955 Availability of beneficial ownership information
reported under this part.
(a) Prohibition on disclosure. Except as authorized in paragraphs
(b), (c), and (d) of this section, information reported to FinCEN
pursuant to Sec. 1010.380 is confidential and shall not be disclosed
by any individual who receives such information as--
(1) An officer, employee, contractor, or agent of the United
States;
(2) An officer, employee, contractor, or agent of any State, local,
or Tribal agency; or
(3) A director, officer, employee, contractor, or agent of any
financial institution.
(b) Disclosure of information by FinCEN--(1) Disclosure to Federal
agencies for use in furtherance of national security, intelligence, or
law enforcement activity. Upon receipt of a request from a Federal
agency engaged in national security, intelligence, or law enforcement
activity for information reported pursuant to Sec. 1010.380 to be used
in furtherance of such activity, FinCEN may disclose such information
to such agency. For purposes of this paragraph (b)(1)--
(i) National security activity means activity pertaining to the
national defense or foreign relations of the United States, as well as
activity to protect against threats to the safety and security of the
United States;
(ii) Intelligence activity means all activities conducted by
elements of the United States Intelligence Community that are
authorized pursuant to Executive Order 12333, as amended, or any
succeeding executive order; and
(iii) Law enforcement activity means investigative and enforcement
activities relating to civil or criminal violations of law. Such
activity does not include the routine supervision or examination of a
financial institution by a Federal regulatory agency with authority
described in paragraph (b)(4)(ii)(A) of this section.
(2) Disclosure to State, local, and Tribal law enforcement agencies
for use in criminal or civil investigations. Upon receipt of a request
from a State, local, or Tribal law enforcement agency for information
reported pursuant to Sec. 1010.380 to be used in a criminal or civil
investigation, FinCEN may disclose such information to such agency if a
court of competent jurisdiction has authorized the agency to seek the
information in a criminal or civil investigation. For purposes of this
section--
(i) A court of competent jurisdiction is any court with
jurisdiction over the investigation for which a State, local, or Tribal
law enforcement agency requests information under this paragraph.
(ii) A State, local, or Tribal law enforcement agency is an agency
of a State, local, or Tribal government that is authorized by law to
engage in the investigation or enforcement of civil or criminal
violations of law.
(3) Disclosure for use in furtherance of foreign national security,
intelligence, or law enforcement activity. Upon receipt of a request
for information reported pursuant to Sec. 1010.380 from a Federal
agency on behalf of a law enforcement agency, prosecutor, or judge of
another country, or on behalf of a foreign central authority or foreign
competent authority (or like designation) under an applicable
international treaty, agreement, or convention, FinCEN may disclose
such information to such Federal agency for transmission to the foreign
law enforcement agency, prosecutor, judge, foreign central authority,
or foreign competent authority who initiated the request, provided
that:
(i) The request is for assistance in a law enforcement
investigation or prosecution, or for a national security or
intelligence activity, that is authorized under the laws of the foreign
country; and
(ii) The request is:
(A) Made under an international treaty, agreement, or convention;
or
(B) Made, when no such treaty, agreement, or convention is
available, as an official request by a law enforcement, judicial, or
prosecutorial authority of a foreign country determined by FinCEN, with
the concurrence of the Secretary of State and in consultation with the
Attorney General or other agencies as necessary and appropriate, to be
a trusted foreign country.
(iii) For purposes of this paragraph (b)(3), a national security
activity authorized under the laws of a foreign country is an activity
pertaining to the national defense or foreign relations of a country
other than the United States, as well as activity to protect against
threats to the safety and security of that country.
(iv) For purposes of this paragraph (b)(3), an intelligence
activity authorized under the laws of a foreign country is an activity
conducted by a foreign government agency that is authorized under a
foreign legal authority comparable to Executive Order 12333 that is
applicable to the agency.
(4) Disclosure to facilitate compliance with customer due diligence
requirements--(i) Financial institutions. Upon receipt of a request
from a financial institution subject to customer due diligence
requirements under applicable law for information reported pursuant to
Sec. 1010.380 to be used in facilitating compliance with such
requirements, FinCEN may disclose the information to the financial
institution for that use, provided that the reporting company that
reported the information to FinCEN consents to such disclosure. For
purposes of this paragraph, customer due diligence requirements under
applicable law mean any legal requirement or prohibition designed to
counter money laundering or the financing of terrorism, or to safeguard
the national security of the United States, to comply with which it is
reasonably necessary for a financial institution to obtain or verify
beneficial ownership information of a legal entity customer.
(ii) Regulatory agencies. Upon receipt of a request by a Federal
functional regulator or other appropriate regulatory agency, FinCEN
shall disclose to such agency any information disclosed to a financial
institution pursuant to paragraph (b)(4)(i) of this section if the
agency--
(A) Is authorized by law to assess, supervise, enforce, or
otherwise determine the compliance of such financial institution with
customer due diligence requirements under applicable law;
(B) Will use the information solely for the purpose of conducting
the assessment, supervision, or authorized investigation or activity
described in paragraph (b)(4)(ii)(A) of this section; and
(C) Has entered into an agreement with FinCEN providing for
appropriate protocols governing the safekeeping of the information.
(5) Disclosure to officers or employees of the Department of the
Treasury. Consistent with procedures and safeguards established by the
Secretary--
(i) Information reported pursuant to Sec. 1010.380 shall be
accessible for inspection or disclosure to officers and employees of
the Department of the Treasury whose official duties the Secretary
determines require such inspection or disclosure.
(ii) Officers and employees of the Department of the Treasury may
obtain information reported pursuant to Sec. 1010.380 for tax
administration as defined in 26 U.S.C. 6103(b)(4).
(c) Use of information--(1) Use of information by authorized
recipients. Except as permitted under paragraph (c)(2) of this section,
any person who receives information disclosed by FinCEN under paragraph
(b) of this section shall not further disclose such information to any
other person, and
[[Page 88810]]
shall use such information only for the particular purpose or activity
for which such information was disclosed. A Federal agency that
receives information pursuant to paragraph (b)(3) of this section shall
only use it to facilitate a response to a request for assistance
pursuant to that paragraph.
(2) Disclosure of information by authorized recipients. (i) Any
officer, employee, contractor, or agent of a requesting agency who
receives information disclosed by FinCEN pursuant to a request under
paragraph (b)(1) or (2) or (b)(4)(ii) of this section may disclose such
information to another officer, employee, contractor, or agent of the
same requesting agency for the particular purpose or activity for which
such information was requested, consistent with the requirements of
paragraph (d)(1)(i)(F) of this section, as applicable. Any officer,
employee, contractor, or agent of the U.S. Department of the Treasury
who receives information disclosed by FinCEN pursuant to a request
under paragraph (b)(5) of this section may disclose such information to
another Treasury officer, employee, contractor, or agent for the
particular purpose or activity for which such information was requested
consistent with internal Treasury policies, procedures, orders or
directives.
(ii) Any director, officer, employee, contractor, or agent of a
financial institution who receives information disclosed by FinCEN
pursuant to a request under paragraph (b)(4)(i) of this section may
disclose such information to another director, officer, employee,
contractor, or agent of the same financial institution for the
particular purpose or activity for which such information was
requested, consistent with the requirements of paragraph (d)(2) of this
section.
(iii) Any director, officer, employee, contractor, or agent of a
financial institution that receives information disclosed by FinCEN
pursuant to paragraph (b)(4)(i) of this section may disclose such
information to the financial institution's Federal functional
regulator, a self-regulatory organization that is registered with or
designated by a Federal functional regulator pursuant to Federal
statute, or other appropriate regulatory agency, provided that the
Federal functional regulator, self-regulatory organization, or other
appropriate regulatory agency meets the requirements identified in
paragraphs (b)(4)(ii)(A) through (C) of this section. A financial
institution may rely on a Federal functional regulator, self-regulatory
organization, or other appropriate regulatory agency's representation
that it meets the requirements.
(iv) Any officer, employee, contractor, or agent of a Federal
functional regulator that receives information disclosed by FinCEN
pursuant to paragraph (b)(4)(ii) of this section may disclose such
information to a self-regulatory organization that is registered with
or designated by the Federal functional regulator, provided that the
self-regulatory organization meets the requirements of paragraphs
(b)(4)(ii)(A) through (C) of this section.
(v) Any officer, employee, contractor, or agent of a Federal agency
that receives information from FinCEN pursuant to a request made under
paragraph (b)(3) of this section may disclose such information to the
foreign person on whose behalf the Federal agency made the request.
(vi) Any officer, employee, contractor, or agent of a Federal
agency engaged in a national security, intelligence, or law enforcement
activity, or any officer, employee, contractor, or agent of a State,
local, or Tribal law enforcement agency, may disclose information
reported pursuant to Sec. 1010.380 that it has obtained directly from
FinCEN pursuant to a request under paragraph (b)(1) or (2) of this
section to a court of competent jurisdiction or parties to a civil or
criminal proceeding.
(vii) Any officer, employee, contractor, or agent of a requesting
agency who receives information disclosed by FinCEN pursuant to a
request under paragraph (b)(1), (b)(4)(ii), or (b)(5) of this section
may disclose such information to any officer, employee, contractor, or
agent of the United States Department of Justice for purposes of making
a referral to the Department of Justice or for use in litigation
related to the activity for which the requesting agency requested the
information.
(viii) Any officer, employee, contractor, or agent of a State,
local, or Tribal law enforcement agency who receives information
disclosed by FinCEN pursuant to a request under paragraph (b)(2) of
this section may disclose such information to any officer, employee,
contractor, or agent of another State, local, or Tribal agency for
purposes of making a referral for possible prosecution by that agency,
or for use in litigation related to the activity for which the
requesting agency requested the information.
(ix) A law enforcement agency, prosecutor, judge, foreign central
authority, or foreign competent authority of another country that
receives information from a Federal agency pursuant to a request under
paragraph (b)(3)(ii)(A) of this section may disclose and use such
information consistent with the international treaty, agreement, or
convention under which the request was made.
(x) FinCEN may by prior written authorization, or by protocols or
guidance that FinCEN may issue, authorize persons to disclose
information obtained pursuant to paragraph (b) of this section in
furtherance of a purpose or activity described in that paragraph.
(d) Security and confidentiality requirements--(1) Security and
confidentiality requirements for domestic agencies--(i) General
requirements. To receive information under paragraph (b)(1), (2), or
(3) or (b)(4)(ii) of this section, a Federal, State, local, or Tribal
agency shall satisfy the following requirements:
(A) Agreement. The agency shall enter into an agreement with FinCEN
specifying the standards, procedures, and systems to be maintained by
the agency, and any other requirements FinCEN may specify, to protect
the security and confidentiality of such information. Agreements shall
include, at a minimum, descriptions of the information to which an
agency will have access, specific limitations on electronic access to
that information, discretionary conditions of access, requirements and
limitations related to re-disclosure, audit and inspection
requirements, and security plans outlining requirements and standards
for personnel security, physical security, and computer security.
(B) Standards and procedures. The agency shall establish standards
and procedures to protect the security and confidentiality of such
information, including procedures for training agency personnel on the
appropriate handling and safeguarding of such information. The head of
the agency, on a non-delegable basis, shall approve these standards and
procedures.
(C) Initial report and certification. The agency shall provide
FinCEN a report that describes the standards and procedures established
pursuant to paragraph (d)(1)(i)(B) of this section and that includes a
certification by the head of the agency, on a non-delegable basis, that
the standards and procedures implement the requirements of this
paragraph (d)(1).
(D) Secure system for beneficial ownership information storage. The
agency shall, to the satisfaction of the Secretary, establish and
maintain a secure system in which such information shall be stored.
(E) Auditability. The agency shall establish and maintain a
permanent,
[[Page 88811]]
auditable system of standardized records for requests pursuant to
paragraph (b) of this section, including, for each request, the date of
the request, the name of the individual who makes the request, the
reason for the request, any disclosure of such information made by or
to the requesting agency, and information or references to such
information sufficient to reconstruct the reasons for the request.
(F) Restrictions on personnel access to information. The agency
shall restrict access to information obtained from FinCEN pursuant to
this section to personnel--
(1) Who are directly engaged in the activity for which the
information was requested;
(2) Whose duties or responsibilities require such access;
(3) Who have received training pursuant to paragraph (d)(1)(i)(B)
of this section or have obtained the information requested directly
from persons who both received such training and received the
information directly from FinCEN;
(4) Who use appropriate identity verification mechanisms to obtain
access to the information; and
(5) Who are authorized by agreement between the agency and FinCEN
to access the information.
(G) Audit requirements. The agency shall:
(1) Conduct an annual audit to verify that information obtained
from FinCEN pursuant to this section has been accessed and used
appropriately and in accordance with the standards and procedures
established pursuant to paragraph (d)(1)(i)(B) of this section;
(2) Provide the results of that audit to FinCEN upon request; and
(3) Cooperate with FinCEN's annual audit of the adherence of
agencies to the requirements established under this paragraph to ensure
that agencies are requesting and using the information obtained under
this section appropriately, including by promptly providing any
information FinCEN requests in support of its annual audit.
(H) Semi-annual certification. The head of the agency, on a non-
delegable basis, shall certify to FinCEN semi-annually that the
agency's standards and procedures established pursuant to paragraph
(d)(1)(i)(B) of this section are in compliance with the requirements of
this paragraph (d)(1). One of the semi-annual certifications may be
included in the annual report required under paragraph (d)(1)(i)(I) of
this section.
(I) Annual report on procedures. The agency shall provide FinCEN a
report annually that describes the standards and procedures that the
agency uses to ensure the security and confidentiality of any
information received pursuant to paragraph (b) of this section.
(ii) Requirements for requests for disclosure. A Federal, State,
local, or Tribal agency that makes a request under paragraph (b)(1),
(2), or (3) or (b)(4)(ii) of this section shall satisfy the following
requirements in connection with each request that it makes and in
connection with all such information it receives.
(A) Minimization. The requesting agency shall limit, to the
greatest extent practicable, the scope of such information it seeks,
consistent with the agency's purposes for seeking such information.
(B) Certifications and other requirements. (1) The head of a
Federal agency that makes a request under paragraph (b)(1) of this
section or their designee shall make a written certification to FinCEN,
in the form and manner as FinCEN shall prescribe, that:
(i) The agency is engaged in a national security, intelligence, or
law enforcement activity; and
(ii) The information requested is for use in furtherance of such
activity, setting forth specific reasons why the requested information
is relevant to the activity.
(2) The head of a State, local, or Tribal agency, or their
designee, who makes a request under paragraph (b)(2) of this section
shall submit to FinCEN a written certification, in the form and manner
as FinCEN shall prescribe, that:
(i) A court of competent jurisdiction has authorized the agency to
seek the information in a criminal or civil investigation; and
(ii) The requested information is relevant to the criminal or civil
investigation, setting forth a description of the information the court
has authorized the agency to seek.
(3) The head of a Federal agency, or their designee, who makes a
request under paragraph (b)(3)(ii)(A) of this section shall:
(i) Retain for the agency's records the request for information
under the applicable international treaty, agreement, or convention;
(ii) Submit to FinCEN, in the form and manner as FinCEN shall
prescribe: the name, title, agency, and country of the foreign person
on whose behalf the Federal agency is making the request; the title of
the international treaty, agreement, or convention under which the
request is being made; and a certification that the requested
information is for use in furtherance of a law enforcement
investigation or prosecution, or for a national security or
intelligence activity, that is authorized under the laws of the
relevant foreign country.
(4) The head of a Federal agency, or their designee, who makes a
request under paragraph (b)(3)(ii)(B) of this section shall submit to
FinCEN, in the form and manner as FinCEN shall prescribe:
(i) A written explanation of the specific purpose for which the
foreign person is seeking information under paragraph (b)(3)(ii)(B) of
this section, along with an accompanying certification that the
information is for use in furtherance of a law enforcement
investigation or prosecution, or for a national security or
intelligence activity, that is authorized under the laws of the
relevant foreign country and that the foreign person seeking
information under paragraph (b)(3)(ii)(B) has been informed that the
information may only be used only for the particular purpose or
activity for which it is requested and must be handled consistent with
the requirements of paragraph (d)(3) of this section;
(ii) The name, title, agency, and country of the foreign person on
whose behalf the Federal agency is making the request; and
(iii) Any other information that FinCEN requests in order to
evaluate the request.
(5) The head of a Federal functional regulator or other appropriate
regulatory agency, or their designee, who makes a request under
paragraph (b)(4)(ii) of this section shall make a written certification
to FinCEN, in the form and manner as FinCEN shall prescribe, that:
(i) The agency is authorized by law to assess, supervise, enforce,
or otherwise determine the compliance of a relevant financial
institution with customer due diligence requirements under applicable
law; and
(ii) The agency will use the information solely for the purpose of
conducting the assessment, supervision, or authorized investigation or
activity described in paragraph (b)(4)(ii)(A) of this section.
(2) Security and confidentiality requirements for financial
institutions. To receive information under paragraph (b)(4)(i) of this
section, a financial institution shall satisfy the following
requirements:
(i) Geographic restrictions on information. The financial
institution shall not make information obtained from FinCEN under
paragraph (b)(4)(i) of this section available to persons physically
located in, and shall not store such information in, any of the
following jurisdictions:
(A) The People's Republic of China;
(B) The Russian Federation; or
[[Page 88812]]
(C) A jurisdiction:
(1) That is a state sponsor of terrorism, as determined by the U.S.
Department of State;
(2) That is the subject of comprehensive financial and economic
sanctions imposed by the Federal Government, i.e., is a jurisdiction
with a government whose property and interests in property within U.S.
jurisdiction are blocked pursuant to U.S. sanctions authorities, or a
jurisdiction subject to broad-based prohibitions on transactions by
U.S. persons involving that jurisdiction, such as prohibitions on
importing or exporting goods, services, or technology to the
jurisdiction or dealing in goods or services originating from the
jurisdiction, pursuant to U.S. sanctions authorities; or
(3) To which the Secretary has determined that allowing information
obtained from FinCEN under paragraph (b)(4)(i) of this section to be
made available would undermine the enforcement of the requirements of
paragraph (d)(2) of this section or the national security of the United
States.
(ii) Safeguards. The financial institution shall develop and
implement administrative, technical, and physical safeguards reasonably
designed to protect the security, confidentiality, and integrity of
such information. These shall include:
(A) Information procedures. The financial institution shall:
(1) Apply such information procedures as the institution has
established to satisfy the requirements of section 501 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801 et seq.), and applicable regulations
issued thereunder, with regard to the protection of its customers'
nonpublic personal information, modified as needed to account for any
unique requirements imposed under this section; or
(2) If the institution is not subject to section 501 of the Gramm-
Leach-Bliley Act, apply such information procedures with regard to the
protection of its customers' nonpublic personal information as are
required, recommended, or authorized under applicable law and are at
least as protective of the security and confidentiality of customer
information as procedures that satisfy the standards of section 501 of
the Gramm-Leach-Bliley Act.
(B) Notification of information demand. The financial institution
shall notify FinCEN within three business days of receipt of any
foreign government subpoena or legal demand under which the financial
institution would have to disclose any information the financial
institution has received pursuant to a request under paragraph
(b)(4)(i) of this section.
(iii) Consent to obtain information. Before making a request for
information regarding a reporting company under paragraph (b)(4)(i) of
this section, the financial institution shall obtain and document the
consent of the reporting company to request such information. The
documentation of the reporting company's consent shall be maintained
for 5 years after it is last relied upon in connection with a request
for information under paragraph (b)(4)(i) of this section.
(iv) Certification. For each request for information regarding a
reporting company under paragraph (b)(4)(i) of this section, the
financial institution shall make a certification to FinCEN in such form
and manner as FinCEN shall prescribe that the financial institution:
(A) Is requesting the information to facilitate its compliance with
customer due diligence requirements under applicable law;
(B) Has obtained and documented the consent of the reporting
company to request the information from FinCEN; and
(C) Has fulfilled all other requirements of paragraph (d)(2) of
this section.
(3) Security and confidentiality requirements for foreign
recipients of information. (i) To receive information under paragraph
(b)(3)(ii)(A) of this section, a foreign person on whose behalf a
Federal agency made the request under that paragraph shall comply with
all applicable handling, disclosure, and use requirements of the
international treaty, agreement, or convention under which the request
was made.
(ii) To receive information under paragraph (b)(3)(ii)(B) of this
section, a foreign person on whose behalf a Federal agency made the
request under that paragraph shall ensure that the following
requirements are satisfied:
(A) Standards and procedures. A foreign person who receives
information pursuant to paragraph (b)(3)(ii)(B) of this section shall
establish standards and procedures to protect the security and
confidentiality of such information, including procedures for training
personnel who will have access to it on the appropriate handling and
safeguarding of such information.
(B) Secure system for beneficial ownership information storage.
Such information shall be maintained in a secure system that complies
with the security standards the foreign person applies to the most
sensitive unclassified information it handles.
(C) Minimization. To the greatest extent practicable, the scope of
information sought shall be limited, consistent with the purposes for
seeking such information.
(D) Restrictions on personnel access to information. Access to such
information shall be limited to persons--
(1) Who are directly engaged in the activity described in paragraph
(b)(3) of this section for which the information was requested;
(2) Whose duties or responsibilities require such access; and
(3) Who have undergone training on the appropriate handling and
safeguarding of information obtained pursuant to this section.
(e) Administration of requests--(1) Form and manner of requests.
Requests for information under paragraph (b) of this section shall be
submitted to FinCEN in such form and manner as FinCEN shall prescribe.
(2) Rejection of requests. (i) FinCEN will reject a request under
paragraph (b)(4) of this section, and may reject any other request made
pursuant to this section, if such request is not submitted in the form
and manner prescribed by FinCEN.
(ii) FinCEN may reject any request, or otherwise decline to
disclose any information in response to a request made under this
section, if FinCEN, in its sole discretion, finds that, with respect to
the request:
(A) The requester has failed to meet any requirement of this
section;
(B) The information is being requested for an unlawful purpose; or
(C) Other good cause exists to deny the request.
(3) Suspension of access. (i) FinCEN may permanently debar or
temporarily suspend, for any period of time, any individual requester
or requesting entity from receiving or accessing information under
paragraph (b) of this section if FinCEN, in its sole discretion, finds
that:
(A) The individual requester or requesting entity has failed to
meet any requirement of this section;
(B) The individual requester or requesting entity has requested
information for an unlawful purpose; or
(C) Other good cause exists for such debarment or suspension.
(ii) FinCEN may reinstate the access of any individual requester or
requesting entity that has been suspended or debarred under this
paragraph (e)(3) upon satisfaction of any terms or conditions that
FinCEN deems appropriate.
[[Page 88813]]
(f) Violations--(1) Unauthorized disclosure or use. Except as
authorized by this section, it shall be unlawful for any person to
knowingly disclose, or knowingly use, the beneficial ownership
information obtained by the person, directly or indirectly, through:
(i) A report submitted to FinCEN under Sec. 1010.380; or
(ii) A disclosure made by FinCEN pursuant to paragraph (b) of this
section.
(2) For purposes of paragraph (f)(1) of this section, unauthorized
use shall include accessing information without authorization, and
shall include any violation of the requirements described in paragraph
(d) of this section in connection with any access.
Andrea M. Gacki,
Director, Financial Crimes Enforcement Network.
[FR Doc. 2023-27973 Filed 12-21-23; 8:45 am]
BILLING CODE 4810-02-P